Hello,

I think most of the things you mentioned can be achieved with patterndb: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edit...

Keywords: correlating messages, triggering actions, external actions (mentioned in the Administration Guide)

There is a collection of example patterns on GitHub: https://github.com/balabit/syslog-ng-patterndb/ Most probably they will not suit your needs as is, but they are a good starting point. (Please feel free to share your final solution as a PR.)

I hope it was helpful!

Best Regards,
Laci

On Thu, Mar 7, 2019 at 4:55 PM Evan Rempel <erempel@uvic.ca> wrote:
We do this for all kinds of things.
We
- monitor mailing list subscription rates and then add firewall block rules automatically for abusive users (usually spammers)
- monitor failed login rates to block IP access
- monitor failed login rates followed by a successful login and lock accounts.
On 3/6/19 10:44 AM, Jim Hendrick wrote:
I was wondering if anyone has used syslog-ng to trigger some dynamic action based on logs.
For example, if a certain threshold of messages happens in a time window, send an alert. Like suppress() but more general actions. Or if a specific event happens, send *.debug from that system for 5 minutes. Or run a program to collect system data and send it along based on some condition.
Not thinking SIEM functionality here, but maybe allow the log servers to be more dynamic around what actions they take for basic things.
Thoughts?
Thanks.
Jim

--
Evan
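As an added example, not taken from Laci's reply or from the syslog-ng project, here is the kind of patterndb rule set the reply refers to: it correlates failed SSH logins per client address into one context with a 60-second timeout and, when the fifth failure in that window arrives, injects an alert message into the log path (the threshold Jim asks about). The file path, rule ids, the `example` provider name and the alert wording are assumptions; the parsers, the `context-*` attributes and the `$(context-length)` template function are syslog-ng's own.

```xml
<!-- /etc/syslog-ng/patterndb.d/ssh-bruteforce.xml (path assumed) -->
<patterndb version="4" pub_date="2019-03-07">
  <ruleset name="sshd-failed-logins" id="00000000-0000-4000-8000-000000000001">
    <!-- the ruleset applies only to messages whose PROGRAM is sshd -->
    <pattern>sshd</pattern>
    <rules>
      <!-- Every failure from the same client IP joins one context; the context
           expires 60 seconds after the last matching message (ids are placeholders). -->
      <rule provider="example" id="00000000-0000-4000-8000-000000000002"
            class="violation"
            context-id="ssh-fail-${usracct.device}"
            context-scope="global"
            context-timeout="60">
        <patterns>
          <!-- @ESTRING:name: @ reads up to the next space, @IPv4:name@ an IPv4 address -->
          <pattern>Failed password for @ESTRING:usracct.username: @from @IPv4:usracct.device:@ port @NUMBER:usracct.port:@ ssh2</pattern>
          <pattern>Failed password for invalid user @ESTRING:usracct.username: @from @IPv4:usracct.device:@ port @NUMBER:usracct.port:@ ssh2</pattern>
        </patterns>
        <actions>
          <!-- Fires exactly once per window: only when the context holds its fifth message.
               inject-mode="pass" sends the generated message down the same log path
               as the triggering message, so a normal filter can route it. -->
          <action trigger="match" condition='"$(context-length)" == "5"'>
            <message inject-mode="pass">
              <values>
                <value name="MESSAGE">ALERT: 5 failed SSH logins from ${usracct.device} within 60s (last user: ${usracct.username})</value>
                <value name="PROGRAM">ssh-bruteforce-alert</value>
              </values>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Load it in syslog-ng.conf with `parser p_db { db-parser(file("/etc/syslog-ng/patterndb.d/ssh-bruteforce.xml")); };` on the log path carrying the sshd messages, and route the generated alert with a `filter f_alert { program("ssh-bruteforce-alert"); };` to whatever destination should receive it. Lowering the threshold to `"1"` while testing is the quickest way to confirm the patterns actually match your sshd message format before tuning the count and window.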
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq