Stopping Syslog Flooding from Impacting Other Syslog Devices
I have an RFE ESE-503 submitted for this already, but there doesn't seem to be any update on it. I was wondering what the community did to prevent one syslog device from taking up 130% of the EPS if it has a misconfiguration issue or a DDoS is launched against it. The issue is that logs from other syslog devices will not be collected.
I don't know of any way to stop this from happening, except the possibility of creating an alert or report that tells you that you are getting flooded from one device; then you need to go and have that device either reconfigured or shut down. Even if enVision could be made to ignore the device(s) in the EPS count, the device is still spewing syslog messages to the collector, and that still takes bandwidth and resources. So, the best thing to do is to know which devices are the "heavy hitters" and either stop them sending messages or tune down the messages sent by changing the syslog configuration so that you don't collect *.debug.
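One way to build the "heavy hitter" report the answer suggests, as an added example that is not part of the original thread: it parses constructed RFC 3164-style syslog lines (the sample text, host names and the 50% share threshold are assumptions), counts events per source host per second, and flags any host whose share of the total exceeds the threshold along with its peak EPS.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog stream (not from the original post): fw01 is the flooder.
SAMPLE_LOG = """\
<134>Mar  3 10:00:00 fw01 kernel: accept tcp 10.0.0.5:443
<134>Mar  3 10:00:00 fw01 kernel: accept tcp 10.0.0.6:443
<134>Mar  3 10:00:00 fw01 kernel: accept tcp 10.0.0.7:443
<134>Mar  3 10:00:00 fw01 kernel: accept tcp 10.0.0.8:443
<134>Mar  3 10:00:00 fw01 kernel: accept tcp 10.0.0.9:443
<134>Mar  3 10:00:00 fw01 kernel: accept tcp 10.0.0.10:443
<134>Mar  3 10:00:00 sw02 ifmgr: port 3 up
<134>Mar  3 10:00:00 dns01 named: query example.com
<134>Mar  3 10:00:01 fw01 kernel: accept tcp 10.0.0.11:443
<134>Mar  3 10:00:01 fw01 kernel: accept tcp 10.0.0.12:443
<134>Mar  3 10:00:01 fw01 kernel: accept tcp 10.0.0.13:443
<134>Mar  3 10:00:01 fw01 kernel: accept tcp 10.0.0.14:443
<134>Mar  3 10:00:01 sw02 ifmgr: port 3 down
<134>Mar  3 10:00:01 dns01 named: query example.org
"""

# <PRI>TIMESTAMP HOSTNAME ... ; timestamp resolution is one second, which is all EPS needs.
LINE_RE = re.compile(r"^<\d+>(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+")

def eps_by_host(text):
    """Return {host: Counter{timestamp_second: events}} from raw syslog text."""
    buckets = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped rather than attributed to a host
            buckets[m.group(2)][m.group(1)] += 1
    return buckets

def heavy_hitters(text, share_threshold=0.5):
    """Hosts whose share of all events exceeds share_threshold, with their peak EPS."""
    buckets = eps_by_host(text)
    total = sum(sum(c.values()) for c in buckets.values())
    if total == 0:
        return {}
    result = {}
    for host, counts in buckets.items():
        share = sum(counts.values()) / total
        if share > share_threshold:
            result[host] = {"share": round(share, 2), "peak_eps": max(counts.values())}
    return result

if __name__ == "__main__":
    for host, stats in heavy_hitters(SAMPLE_LOG).items():
        print(f"ALERT {host}: {stats['share']:.0%} of events, peak {stats['peak_eps']} EPS")
```

Run against the collector's live stream (or a recent export), the alert names the device to reconfigure or to exclude from *.debug forwarding.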