[syslog-ng] pattern database : first feedback and thoughts

Robert Fekete frobert at balabit.com
Wed Jan 27 09:07:35 CET 2010


Hi Christophe,

thank you very much for your mail and your thoughts, and sorry for being so slow 
to reply. Please find my comments below.

On Friday, January 22, 2010 03:03:58 PM CET, Christophe Brocas 
<christophe.brocas at cnamts.fr> wrote:

 > > Hello,
 > >
 > > I have started to play with the pattern database. It is a very good starting
 > > point to do alerting when syslog-ng finds some logs belonging to (for
 > > example) the security class.
 > >
 > > 1. Bug
 > > The current online pattern db snapshot provides the system-apache2.xml
 > > file. This file is not in an XML format but is just a set of log messages
 > > (it seems).
 > >
You're right, I'll ask the guys to correct it.

 > > 2. Class
 > > Can you tell us what kind of criteria are used to choose the class value (for
 > > example: system vs security class) of a particular log entry?
AFAIK, there is no fixed rule: logins, access control messages and the like went 
to security, while more regular messages to the system class.
But with the introduction of tags, I think the classes will become less important.
 > >
 > > 3. Pattern database contribution / management / delivering
 > > Despite a big effort from Balabit (thanks for it !) to deliver an
 > > impressive first release (8000 log messages, 200 applications), I am
 > > sure that a community effort is the only way to maintain a good quality
 > > level of this database.
That's our opinion as well.
 > >
 > > You release the pattern database under the CC by-nc-sa license. It is a very
 > > good way to start a community effort.
 > >
 > > In order to build a community around the pattern database, I think some
 > > interesting points may be:
 > > - Having a dedicated DNS name and website (logpattern.org is available).
 > > Balabit can of course be the main sponsor of the website. But to be able
 > > to attract people and even more other companies for database
 > > contribution, I think all the communication / site management would have
 > > to rely on individuals and not on the Balabit company.
 > > - Providing an open log entry submission process through multiple ways (web
 > > form, (D)VCS or bug report system)
We are currently working on moving our website to a new portal engine, and also 
on creating a community site for patterndb where you can create, check and 
upload patterns, test your logs for patterndb coverage, interact with other 
users, etc., but that won't be ready for a few months. Whether this will be an 
individual site or part of the BalaBit site was not decided yet.

 > > - Providing a regular (each week, month or three months for ex.)
 > > database snapshot release cycle.
Snapshots will be available regularly once the site is up. Currently we did the 
initial snapshot so you can see what it will be like, and start using the new 
database format. Of course if we have some time to create some new patterns, or 
receive some from other users, we will release it ASAP.
 > >
 > > If you want some help with the website, I can be involved :-)
Thanks a lot :)

Regards,

Robert
 > >
 > > Thank you very much for this pattern database effort :-)
 > > Christophe
