Ah, I thought it was storing the data. So the log/retention settings are purely for KNM generated data (monitor alarms, etc)?
And correct, I wouldn't expect splunk-like functionality out of KNM... but if the data is already making the trek from the device to my central server (and securely at that!), instead of throwing the data away, could we just forward it over to another system that's actually built to be a log server?
The biggest issue with centralized logging for MSPs is actually collecting and securely transmitting the logs back to a central server, while being easy to deploy and manage. Yes, there are solutions out there, but most of them are rather pricey, and I'm always looking at ways to better utilize our existing tools. KNM already has the pieces in place to securely collect, transport, and receive the data. We just want to capture and store it outside of KNM. All I would need is a checkbox on the Syslog log settings page that says "also forward received syslog data" that would tell KNM to forward the data instead of throwing it away. I guess this is more of a feature request. :)
Is the parsing of the syslog data done at the gateway, or at the server level? If the parsing is done at the gateway level (so the only syslog traffic that arrives at the server is data that should trigger an alert), then having this option wouldn't really help, since 99% of the data would never make it back up the pipe to us.