Hi folks
I'm running PRTG ver 21.1 on a Windows platform at the moment. I'm trying to retrieve syslog messages from earlier in the year on a specific syslog sensor and I'm finding that PRTG seems to really be struggling to pull this data. This happens across all the other sensors as well.
Most times it just times out (even though I have increased the timeout value from the default).
Is there a way to optimize these searches or some other trick I can perform to make PRTG perform better? The server itself is not struggling in terms of memory, CPU, threads or HDD I/O etc.
I haven't checked but I'm sure the volume of historical syslog messages stored is very high.
Thanks.
Thanks for your message.
I'm only running about 5 or 6 syslog sensors with 180 days retention on each. Across all the sensors, I'm probably getting around 2500 to 3000 syslogs per second. Each sensor has specific filters to only grab syslogs from specific sources. All of that works fine.
The problem comes in when I want to go and view (look for specific entries in the syslog on one sensor). I would search using a specific filter (a MAC address in the "message" field for example) but most times the search times out before any data is returned.
This makes PRTG non-functional as a syslog server in my opinion because if I can't go back and search through syslogs then why bother keeping the syslogs.
As mentioned in my original post - I've tried extending the timeout values etc but still no joy so I'm looking for any other tips or tricks to help PRTG return the historical data in my syslogs.
Jun, 2023
The PRTG Syslog Receiver Sensor is not to be used as a syslog server. The main purpose of this sensor is to receive messages and generate alerts from PRTG based on filters that you add to the settings.
This way you can set the sensor to Warning or Down based on what messages it receives. It is not a syslog server because the amount of logs it can store is quite limited. And there is no way to export, filter or search these messages; you can only see the messages in the PRTG interface. Therefore we don't recommend using it as your primary syslogger.
Jun, 2023
Thanks for your reply. I agree with your summary. I have expected a little too much from the Syslog sensor, I suspect. It just works so well, but you are right, it's just not a dedicated syslog server and that is where my needs have evolved to. I have since spun up a Graylog Open server and I must say I can highly recommend it for anyone needing a dedicated syslog server platform. Anyway, thanks again for your inputs. I appreciate your time.
Jun, 2023
The Syslog Receiver Sensor is a passive sensor; PRTG doesn't actively go and poll the SNMP device for syslogs, it listens on a port. Make sure to have fewer than 50 syslog sensors; more than that will cause performance issues. Also, you can check in the sensor's settings if there are filters, as some messages can be discarded if they don't meet that filter. There is also a setting to purge old syslog messages after a certain number of days, to avoid having too much syslog data on the server.
Jun, 2023