[76361] in North American Network Operators' Group


RE: Enterprise syslog management and alert generation.

daemon@ATHENA.MIT.EDU (Paul Jasa)
Wed Dec 8 01:07:18 2004

Date: Wed, 8 Dec 2004 01:02:27 -0500
From: "Paul Jasa" <pjasa@univision.net>
To: "Alexei Roudnev" <alex@relcom.net>,
	"Bill Nash" <billn@billn.net>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu


This is a topic near and dear to my heart.   I've been using SEC for a while now, been very happy with it.   If you like Perl and its regular expressions, SEC will do the trick.  It has very complex log correlation capabilities and multiple action methods; strongly recommend it, especially if used with syslog-ng
http://sourceforge.net/projects/simple-evcorr
BTW, the README and instructions on how to set it up and all the options are extremely well-written and thorough, you'll like it.
pj

=======================================
Paul
=======================================


-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
Alexei Roudnev
Sent: Wednesday, December 08, 2004 12:52 AM
To: Bill Nash; nanog@merit.edu
Subject: Re: Enterprise syslog management and alert generation.



In such products, only 20% of the value is in the engine; 80% is in the rules, because I cannot write rules myself - I do not have the event until it happens, and I cannot filter out the noise until it happens.

We use a few syslog analyzers (using syslog-ng as a transport), some with simple logcheck, others with a database for rules and hosts; and every time the problem is the same - writing rules is 90% of the problem.

But... do you have rules, such as for example "send alert if any system began to generate 10 times more logs/hour vs. average"? Or saying "single PCI ERROR on Solaris - ignore, 10 in a straight line - send warning"...




----- Original Message -----
From: "Bill Nash" <billn@billn.net>
To: <nanog@merit.edu>
Sent: Tuesday, December 07, 2004 12:48 PM
Subject: Enterprise syslog management and alert generation.


>
>
> Some people call this 'Netcool' or products of a similar stripe. I'm
> ramping up a project to rebuild some previous work done on this front with
> an open source distribution in mind (those of you on the syslog-ng list
> have seen mention of it), so I'm fishing for requirements I may not have
> already covered.
>
> I currently have:
> Perl regexp engine for applied rules.
> Tokenization and extraction of data from inbound syslog data.
> Assigning (single|multiple) customized event handlers to rule matches
> Ability to run multiple analyzers concurrently
> Optional linear rule application versus weighted optimization
> SQL storage of rules for centralized management and redistribution.
> Fully customized alert generation.
>
> My current production implementation has handled over 20 gigs a day, at
> peak, on a single analyzer (dual amd 2800+), using syslog-ng as a
> transport mechanism (forked socket transport with local disk logging for
> backup).
>
> Every network is different, as are particular requirements. Who's got wish
> lists? I personally wouldn't mind an on-list discussion about this, as it
> applies to standard operations toolsets, but if that's not kosher, feel
> free to contact me off-list.
>
> - billn
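The two rule types Alexei asks about above (a host whose log volume jumps to 10 times its own hourly average, and a lone PCI ERROR ignored but ten in a row escalated) written out as an added Python example; this is not code from the thread, from SEC or from Bill's analyzer. The BSD-style syslog line format, host names sol1/sol2 and the line counts are constructed for the demonstration.

```python
import re
from collections import defaultdict

SYSLOG_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hour>\d\d):\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")
PCI_RE = re.compile(r"\bPCI ERROR\b")

class Correlator:
    """Rule 1: a host's finished hour holds more than RATE_FACTOR x its own earlier hourly average.
    Rule 2: a lone PCI ERROR is ignored; RUN_LENGTH of them in a row from one host fires one warning."""
    RATE_FACTOR, RUN_LENGTH = 10, 10
    def __init__(self):
        self.hourly = defaultdict(dict)   # host -> {(mon, day, hour): line count}
        self.open_hour = {}               # host -> hour key currently being counted
        self.pci_run = defaultdict(int)   # host -> length of the current PCI ERROR streak
        self.alerts = []                  # (rule, host) tuples in firing order
    def feed(self, line):
        m = SYSLOG_RE.match(line)
        if not m:
            return                        # unparseable line: skip it rather than crash
        host, key = m["host"], (m["mon"], m["day"], m["hour"])
        if self.open_hour.get(host, key) != key:
            self._close_hour(host, self.open_hour[host])   # hour rolled over: judge the old one
        self.open_hour[host] = key
        self.hourly[host][key] = self.hourly[host].get(key, 0) + 1
        if PCI_RE.search(m["msg"]):
            self.pci_run[host] += 1
            if self.pci_run[host] == self.RUN_LENGTH:
                self.alerts.append(("pci_run", host))
        else:
            self.pci_run[host] = 0        # any other message from the host breaks the streak
    def _close_hour(self, host, key):
        history = [n for k, n in self.hourly[host].items() if k != key]   # earlier hours only
        if history and self.hourly[host][key] > self.RATE_FACTOR * sum(history) / len(history):
            self.alerts.append(("rate_spike", host))
    def flush(self):                      # judge every still-open hour: end of input or a timer
        for host, key in self.open_hour.items():
            self._close_hour(host, key)
        return self.alerts

def run_sample():
    """Constructed input: sol1 logs 3 lines/hour twice then 40; sol2 sends 9 PCI ERRORs, a break, then 10."""
    lines = []
    for hour, n in ((0, 3), (1, 3), (2, 40)):
        lines += ["Dec  8 %02d:00:%02d sol1 sshd[42]: accepted publickey" % (hour, i) for i in range(n)]
    pci, ok = "Dec  8 03:00:00 sol2 unix: PCI ERROR on bus 1", "Dec  8 03:00:10 sol2 syslogd: restart"
    lines += [pci] * 9 + [ok] + [pci] * 10
    c = Correlator()
    for line in lines:
        c.feed(line)
    return c.flush()
```

The first two hours of sol1 form the baseline, so the spike is only judged once that hour closes; the nine PCI ERRORs before the unrelated line never reach the threshold and are dropped, as the rule intends.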

