[syslog-ng] pattern database : first feedback and thoughts

Christophe Brocas christophe.brocas at cnamts.fr
Fri Jan 22 15:03:58 CET 2010


Hello,

I have started to play with the pattern database. It is a very good starting
point to do alerting when syslog-ng finds some logs belonging to (for
example) the security class.

1. Bug
The current online pattern db snapshot provides the system-apache2.xml
file. This file is not in an XML format but is just a set of log messages
(it seems).

2. Class
Can you tell us what kind of criteria are used to choose the class value (for
example: system vs security class) of a particular log entry?

3. Pattern database contribution / management / delivering
Despite a big effort from Balabit (thanks for it !) to deliver an
impressive first release (8000 log messages, 200 applications), I am
sure that a community effort is the only way to maintain a good quality
level of this database.

You release the pattern database under the CC by-nc-sa licence. It is a very
good way to start a community effort.

In order to build a community around pattern database, I think some
interesting points may be :
- Having a dedicated DNS name and website (logpattern.org is available).
Balabit can be of course the main sponsor of the website. But to be able
to attract people and even more other companies for database
contribution, I think all the communication / site management would have
to rely on individuals and not on Balabit company.
- Providing an open log entry submission process through multiple ways (web
form, (D)VCS or bug report system)
- Providing a regular (each week, month or three months for ex.)
database snapshot release cycle.

If you want some help for the website, I can be involved :-)

Thank you very much for this pattern database effort :-)
Christophe

-- 
Christophe Brocas
CNAMTS/DDSI/DSEC
12, allées Haussmann 33300 Bordeaux
fixe   : +33 (0)5.57.85.53.55
mobile : +33 (0)6.77.05.19.01
fax    : +33 (0)5.56.39.84.48
keyid  : 0x237E9DB2
