Hello,

I think most of the things you mentioned can be achieved with patterndb: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/71#TOPIC-1122052

Keywords: correlating messages, triggering actions, external actions (mentioned in the Administration Guide).

There is a collection of example patterns on GitHub: https://github.com/balabit/syslog-ng-patterndb/ Most probably they will not suit your needs as is, but they are a good starting point. (Please feel free to share your final solution as a PR.)

I hope it was helpful!

Best Regards,
Laci
______________________________________________________________________________
On Thu, Mar 7, 2019 at 4:55 PM Evan Rempel <erempel@uvic.ca> wrote:

We do this for all kinds of things.
We
- monitor mailing list subscription rates and then add firewall block rules automatically for abusive users (usually spammers)
- monitor failed login rates to block ip access
- monitor failed login rates followed by successful login and lock accounts.
On 3/6/19 10:44 AM, Jim Hendrick wrote:
> I was wondering if anyone has used syslog-ng to trigger some dynamic action based on logs.
>
> For example, if a certain threshold of messages happens in a time window, send an alert. LIke suppress () but more general actions.
> Or if a specific event happens, send *.debug from that system for 5 minutes.
> Or run a program to collect system data and send it along based on some condition.
>
> Not thinking SIEM functionality here, but maybe allow the log servers to be more dynamic around what actions they take for basic things.
>
> Thoughts?
>
> Thanks.
> Jim
--
Evan
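The rate-then-action rules Evan lists above (block a source IP after a burst of failed logins; lock an account when a run of failures is followed by a successful login), written out as an added, stand-alone Python example. This is not code from the thread, from syslog-ng or from patterndb: it parses constructed OpenSSH lines, keeps a sliding window of failure timestamps per source IP and per user, and fires an action string once per offender. The thresholds, window lengths, sample log lines and the assumed year are all assumptions chosen for the example. In syslog-ng itself this correlation would be expressed in patterndb rules; the block exists so the logic can be exercised offline.

```python
"""Sliding-window login correlation over sshd log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (RFC 5737 test addresses), not from any real host.
SAMPLE_LOGS = """\
Mar  7 16:50:01 host1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Mar  7 16:50:03 host1 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Mar  7 16:50:05 host1 sshd[1003]: Failed password for root from 203.0.113.5 port 4003 ssh2
Mar  7 16:50:07 host1 sshd[1004]: Failed password for root from 203.0.113.5 port 4004 ssh2
Mar  7 16:50:09 host1 sshd[1005]: Failed password for root from 203.0.113.5 port 4005 ssh2
Mar  7 16:50:20 host1 sshd[1006]: Failed password for jsmith from 198.51.100.7 port 5001 ssh2
Mar  7 16:50:25 host1 sshd[1007]: Failed password for jsmith from 198.51.100.7 port 5002 ssh2
Mar  7 16:50:31 host1 sshd[1008]: Failed password for jsmith from 198.51.100.7 port 5003 ssh2
Mar  7 16:50:40 host1 sshd[1009]: Accepted password for jsmith from 198.51.100.7 port 5004 ssh2
Mar  7 16:55:00 host1 sshd[1010]: Failed password for bob from 192.0.2.9 port 6001 ssh2
Mar  7 16:55:10 host1 sshd[1011]: Failed password for bob from 192.0.2.9 port 6002 ssh2
Mar  7 16:55:20 host1 sshd[1012]: Failed password for bob from 192.0.2.9 port 6003 ssh2
Mar  7 16:58:00 host1 sshd[1013]: Accepted publickey for bob from 192.0.2.9 port 6004 ssh2
"""

# Matches OpenSSH password/publickey outcomes; any other sshd line is ignored.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Classic syslog timestamps carry no year; the example assumes one.
ASSUMED_YEAR = 2019


def parse(line):
    """Return (timestamp, outcome, user, ip), or None for non-login lines."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m["outcome"], m["user"], m["ip"]


class LoginCorrelator:
    """Keeps per-IP and per-user failure timestamps inside sliding windows."""

    def __init__(self, ip_threshold=5, ip_window=timedelta(seconds=60),
                 user_threshold=3, user_window=timedelta(seconds=120)):
        # Assumed thresholds: 5 failures/60 s per IP, 3 failures/120 s per user.
        self.ip_threshold, self.ip_window = ip_threshold, ip_window
        self.user_threshold, self.user_window = user_threshold, user_window
        self.fails_by_ip = defaultdict(deque)
        self.fails_by_user = defaultdict(deque)
        self.blocked_ips = set()
        self.locked_users = set()

    @staticmethod
    def _prune(dq, now, horizon):
        # Drop timestamps that fell out of the window; deque is in arrival order.
        while dq and now - dq[0] > horizon:
            dq.popleft()

    def feed(self, line):
        """Process one log line; return an action string or None."""
        ev = parse(line)
        if ev is None:
            return None
        ts, outcome, user, ip = ev
        ip_fails, user_fails = self.fails_by_ip[ip], self.fails_by_user[user]
        self._prune(ip_fails, ts, self.ip_window)
        self._prune(user_fails, ts, self.user_window)
        if outcome == "Failed":
            ip_fails.append(ts)
            user_fails.append(ts)
            # Fire once per IP; further failures from a blocked IP are expected.
            if len(ip_fails) >= self.ip_threshold and ip not in self.blocked_ips:
                self.blocked_ips.add(ip)
                return f"block_ip {ip}"
            return None
        # Accepted: a success right after a run of failures looks like a guessed password.
        if len(user_fails) >= self.user_threshold and user not in self.locked_users:
            self.locked_users.add(user)
            return f"lock_account {user}"
        return None


def run(lines):
    """Feed every line through one correlator and collect the actions fired."""
    c = LoginCorrelator()
    return [a for a in (c.feed(line) for line in lines) if a]


if __name__ == "__main__":
    for action in run(SAMPLE_LOGS.splitlines()):
        print(action)
```

On the sample input this fires `block_ip 203.0.113.5` on the fifth failure and `lock_account jsmith` on the success that follows three failures. Bob's three failures are not acted on: his successful login comes 160 seconds after the last one, outside the 120 second user window, which is the kind of edge the window length is there to tune. The "fire once" sets matter in practice because the action (a firewall rule, an account lock) is expensive and should not be re-run on every subsequent failure from the same offender.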
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq