[76355] in North American Network Operators' Group


Enterprise syslog management and alert generation.

daemon@ATHENA.MIT.EDU (Bill Nash)
Tue Dec 7 14:46:10 2004

Date: Tue, 7 Dec 2004 12:48:51 -0800 (PST)
From: Bill Nash <billn@billn.net>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
Some people call this 'Netcool' or products of a similar stripe. I'm 
ramping up a project to rebuild some previous work done on this front with 
an open source distribution in mind (those of you on the syslog-ng list 
have seen mention of it), so I'm fishing for requirements I may not have 
already covered.

I currently have:
Perl regexp engine for applied rules.
Tokenization and extraction of data from inbound syslog data.
Assigning (single|multiple) customized event handlers to rule matches
Ability to run multiple analyzers concurrently
Optional linear rule application versus weighted optimization
SQL storage of rules for centralized management and redistribution.
Fully customized alert generation.

My current production implementation has handled over 20 gigs a day, at 
peak, on a single analyzer (dual amd 2800+), using syslog-ng as a 
transport mechanism (forked socket transport with local disk logging for 
backup).

Every network is different, as are particular requirements. Who's got wish 
lists? I personally wouldn't mind an on-list discussion about this, as it 
applies to standard operations toolsets, but if that's not kosher, feel 
free to contact me off-list.

- billn
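A minimal working illustration of the pipeline billn lists above (tokenize inbound syslog, apply regex rules in order, attach one or more event handlers to each rule, generate alerts). This is an added example in Python, not billn's Perl code and not from any product or project named in the post; the syslog lines are constructed, the rule names, extracted field names and the two-failure threshold are illustrative choices, and only the linear rule-application mode is shown (no weighted optimization).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample input (BSD-style syslog lines); not taken from the post.
SAMPLE_LOGS = [
    "<34>Dec  7 12:48:51 edge1 sshd[2041]: Failed password for root from 192.0.2.10 port 4422 ssh2",
    "<34>Dec  7 12:48:52 edge1 sshd[2041]: Failed password for root from 192.0.2.10 port 4423 ssh2",
    "<189>Dec  7 12:48:53 core1 bgpd[117]: %BGP-5-ADJCHANGE: neighbor 198.51.100.2 Down Peer closed the session",
    "<13>Dec  7 12:48:54 edge1 cron[999]: (root) CMD (/usr/bin/rotate-logs)",
    "this line is not syslog at all",
]

# Tokenizer: <PRI>, timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

def tokenize(line: str) -> Optional[Dict[str, object]]:
    """Split one syslog line into fields; return None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    fields: Dict[str, object] = m.groupdict()
    pri = int(fields.pop("pri"))
    fields["facility"] = pri >> 3   # RFC 3164: PRI = facility * 8 + severity
    fields["severity"] = pri & 7
    return fields

Handler = Callable[["Analyzer", "Rule", Dict[str, object]], None]

@dataclass
class Rule:
    name: str
    pattern: re.Pattern       # applied to the message body; named groups are extracted
    handlers: List[Handler]   # every handler runs on each match
    terminal: bool = False    # linear mode: stop evaluating later rules after a match

@dataclass
class Alert:
    rule: str
    host: str
    fields: Dict[str, object]

class Analyzer:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.records: List[Dict[str, object]] = []  # stand-in for SQL/disk storage
        self.alerts: List[Alert] = []
        self.counts: Dict[tuple, int] = {}
        self.unparsed = 0

    def feed(self, line: str) -> None:
        event = tokenize(line)
        if event is None:
            self.unparsed += 1   # count what the tokenizer rejects rather than dropping it silently
            return
        for rule in self.rules:  # linear application, in configured order
            m = rule.pattern.search(str(event["msg"]))
            if m is None:
                continue
            fields = {**event, **m.groupdict()}
            for handler in rule.handlers:
                handler(self, rule, fields)
            if rule.terminal:
                break

# Handlers: any number can be attached to a rule.
def record(analyzer: Analyzer, rule: Rule, fields: Dict[str, object]) -> None:
    analyzer.records.append({"rule": rule.name, **fields})

def raise_alert(analyzer: Analyzer, rule: Rule, fields: Dict[str, object]) -> None:
    analyzer.alerts.append(Alert(rule.name, str(fields["host"]), fields))

def alert_on_threshold(threshold: int) -> Handler:
    """Alert once when the same (rule, host, src) has matched `threshold` times."""
    def handler(analyzer: Analyzer, rule: Rule, fields: Dict[str, object]) -> None:
        key = (rule.name, fields["host"], fields.get("src"))
        analyzer.counts[key] = analyzer.counts.get(key, 0) + 1
        if analyzer.counts[key] == threshold:
            analyzer.alerts.append(Alert(rule.name + "-threshold", str(fields["host"]),
                                         {**fields, "count": threshold}))
    return handler

# Rule set (names, patterns and the threshold of 2 are illustrative, hypothetical choices).
RULES = [
    Rule("ssh-auth-fail",
         re.compile(r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+) port (?P<port>\d+)"),
         [record, alert_on_threshold(2)]),
    Rule("bgp-neighbor-down",
         re.compile(r"%BGP-5-ADJCHANGE: neighbor (?P<peer>[\d.]+) Down (?P<reason>.*)"),
         [record, raise_alert], terminal=True),
]

def run(lines: List[str], rules: List[Rule] = RULES) -> Analyzer:
    analyzer = Analyzer(rules)
    for line in lines:
        analyzer.feed(line)
    return analyzer

if __name__ == "__main__":
    result = run(SAMPLE_LOGS)
    for alert in result.alerts:
        print(alert.rule, alert.host, alert.fields.get("src") or alert.fields.get("peer"))
    print("unparsed lines:", result.unparsed)
```

Running it on the constructed lines yields two alerts (the second failed root login from 192.0.2.10 trips the threshold handler, and the BGP neighbor drop fires the plain alert handler), three stored records, and one rejected non-syslog line. In production the tokenizer's rejects deserve their own counter or queue, since an unparsed line is exactly the kind of event an attacker would like you to drop.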
