[76360] in North American Network Operators' Group


Re: Enterprise syslog management and alert generation.

daemon@ATHENA.MIT.EDU (Bill Nash)
Wed Dec 8 01:04:13 2004

Date: Tue, 7 Dec 2004 23:07:26 -0800 (PST)
From: Bill Nash <billn@billn.net>
To: Alexei Roudnev <alex@relcom.net>
Cc: nanog@merit.edu
In-Reply-To: <143b01c4dcea$14e0eec0$6401a8c0@alexh>
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 7 Dec 2004, Alexei Roudnev wrote:

> In such products, only 20% of the value is in the engine; 80% is in the rules, because I
> cannot write the rules myself - I have no event until it happens, and I cannot
> filter out the noise until it happens.
>
> We use a few syslog analyzers (using syslog-ng as a transport), some with
> simple logcheck, others with a database for rules and hosts; and every time the
> problem is the same - writing rules is 90% of the problem.
>
> But... do you have rules such as, for example, _send alert if any system
> began to generate 10 times more logs / hour vs. average_? Or saying _single
> PCI ERROR on Solaris - ignore, 10 in a straight line - send warning_...
>

The X over time is a new one; it's been mentioned a couple of times today,
and I can certainly account for it. I've added it to my rapidly
growing list.

- billn
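The two rule types Alexei asks about (a per-host volume anomaly, and "ignore one PCI ERROR, warn on ten in a row") are easy to state but easy to get subtly wrong, so here is an added example of both run over constructed syslog lines. This is not code from the thread or from syslog-ng or logcheck; the host names, message texts, the 10x factor, the three-hour baseline and the `build_sample_lines` data are all assumptions made for the example.

```python
# Added example (not from the NANOG thread): two syslog alerting rules of the
# kind discussed above, evaluated over constructed sample lines.
#   1. volume anomaly: a host's latest hour has >= FACTOR times its average
#      hourly rate over the preceding hours (silent hours count as zero)
#   2. repeated-message threshold: an isolated "PCI ERROR" is ignored, but
#      THRESHOLD consecutive ones from the same host produce a warning
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Classic BSD syslog layout: "Dec  7 23:07:26 host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

def parse_line(line, year=2004):
    """Parse one BSD syslog line; the year is not on the wire, so it is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not alerted on
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "msg": m["msg"]}

def hourly_counts(events):
    """host -> hour (truncated timestamp) -> number of lines in that hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        counts[e["host"]][hour] += 1
    return counts

def volume_alerts(events, factor=10, min_baseline_hours=3):
    """Return (host, hour, latest_count, baseline_avg) for hosts whose most
    recent hour is at least `factor` times their average over earlier hours.
    Hours with no lines are counted as zero, so a host that goes quiet and
    then bursts is still caught; hosts with too little history are skipped."""
    alerts = []
    for host, per_hour in hourly_counts(events).items():
        hours = sorted(per_hour)
        first, last = hours[0], hours[-1]
        n_baseline = int((last - first) / timedelta(hours=1))
        if n_baseline < min_baseline_hours:
            continue
        avg = sum(per_hour[h] for h in hours[:-1]) / n_baseline
        latest = per_hour[last]
        if latest >= factor * avg:
            alerts.append((host, last, latest, avg))
    return alerts

def consecutive_alerts(events, pattern=re.compile(r"PCI ERROR"), threshold=10):
    """Warn once when a host emits `threshold` matching lines in a row.
    The run is tracked per host, so other hosts' traffic never resets it;
    any non-matching line from the same host does."""
    runs = defaultdict(int)
    warnings = []
    for e in events:
        if pattern.search(e["msg"]):
            runs[e["host"]] += 1
            if runs[e["host"]] == threshold:
                warnings.append((e["host"], e["ts"]))
        else:
            runs[e["host"]] = 0
    return warnings

def analyze(lines):
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    return {"volume": volume_alerts(events), "pci": consecutive_alerts(events)}

def build_sample_lines():
    """Constructed sample data (not real logs). router1 logs 2 lines/hour for
    three hours and then 25 in the fourth; sunbox emits one isolated PCI ERROR,
    a normal line, and then ten PCI ERRORs back to back."""
    lines = []
    for hour, n in ((20, 2), (21, 2), (22, 2), (23, 25)):
        for i in range(n):
            lines.append(f"Dec  7 {hour:02d}:{i:02d}:00 router1 ospfd[212]: neighbor state change #{i}")
    lines.append("Dec  7 21:10:00 sunbox unix: WARNING: PCI ERROR on bus 1")
    lines.append("Dec  7 21:11:00 sunbox sshd[410]: Accepted publickey for ops")
    for i in range(10):
        lines.append(f"Dec  7 22:{i:02d}:00 sunbox unix: WARNING: PCI ERROR on bus 1")
    return lines

if __name__ == "__main__":
    result = analyze(build_sample_lines())
    for host, hour, latest, avg in result["volume"]:
        print(f"VOLUME {host}: {latest} lines in hour {hour:%H}, baseline avg {avg:.1f}")
    for host, ts in result["pci"]:
        print(f"PCI    {host}: 10 consecutive PCI ERRORs, last at {ts:%H:%M}")
```

Two design points matter in practice. The volume rule divides by elapsed hours rather than by hours with data, so a host that goes silent is not given an inflated baseline; and the consecutive rule counts per host in timestamp order, so "10 in a straight line" is not satisfied by ten isolated errors spread over a day, which is the distinction Alexei's second rule is asking for.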
