Thanks so much for sharing. That should give me a good start. Cheers, Nicole
From: Nicholas Bernstein <nick@docmagic.com>
Reply-To: syslog-ng@lists.balabit.hu
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Log monitoring
Date: 09 Jun 2003 11:54:53 -0700
There should probably be "" around the $(date ...) in the grep, now that I think about it.
-Nick
On Mon, 2003-06-09 at 11:51, Nicholas Bernstein wrote:
Ok....
Something like:

    grep "Jun  9 11" messages | grep ftpd

will get you all of the messages containing ftpd on June 9th, during the 11th hour. If you wanted to be inexact you can get the date by doing:

    date '+%b %e %H'

so to put it all together you could do:

    grep "$(date '+%b %e %H')" <file> | grep <whatever you're looking for> | wc -l
or somesuch...
If I was going to really do it, I'd probably use perl. To be accurate, you would want to convert the date into minutes, and then do a grep based only on the entries within "Now - (Minutes)"; otherwise it effectively resets the counter every hour.
We aren't doing the exact same thing, otherwise I would try to be of more help, but I'm guessing that should be enough to get you started.
man sed
man awk
man wc
man bash (of course)
http://www.perldoc.com
On Mon, 2003-06-09 at 11:01, netsec novice wrote:
It sounds like what I'm looking for. Would you mind sending me more details? I am a relative newbie to syslog and linux. I appreciate anything you can share.
Nicole
From: Nicholas Bernstein <nick@docmagic.com>
Reply-To: syslog-ng@lists.balabit.hu
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Log monitoring
Date: 09 Jun 2003 10:56:57 -0700
We have a similar circumstance, where we basically have our logs filtered, and the events that we want put into a separate log file. Then we grep the log based on time stamp & count the number of lines. The counter runs from cron every minute, and sends out an email if the number is higher than the threshold.
Hope that helps! Nick
On Mon, 2003-06-09 at 10:42, netsec novice wrote:
I am looking for a tool that would allow me to perform an action (send e-mail) when a particular event meets a threshold. I have my IDS tuned to the point where I have a good sense of how many alerts I receive in an hour. I know I can send an alert based on matching a particular alert, but what I would really like to do is send notification based on whether I receive more than 10 alerts in less than an hour. I hope my intention is clear here... I know there are products out there such as Swatch or logwatch, but I haven't seen anything that alerts on thresholds rather than pattern matching only. My idea here is to set up something that watches my logs continuously and, if I get more than 10 alerts within an hour or less during any part of the day, I would be paged. I am not a Perl guru, so any help I can get in getting started is appreciated. My guess is that someone has already invented the wheel - I just don't know where it is.
Thanks for any guidance... Nicole
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
--
+---------------------------------------------------------------+
| Nicholas Bernstein          | nick@docmagic.com               |
| UNIX Systems Administrator  | http://www.docmagic.com         |
| Document Systems Inc.       |                                 |
+---------------------------------------------------------------+
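The "Now - (Minutes)" sliding window Nick describes, written out as an added example (this is not code from the thread or from syslog-ng, and it uses Python rather than the Perl he suggests). It parses BSD syslog timestamps, counts lines matching a pattern within the last N minutes of a given "now", and compares against the threshold of more than 10 alerts in 60 minutes from Nicole's question. The snort log lines, the hostname, the program pattern and the fixed "now" are constructed for the example; the hour-bucket helper emulates the grep-by-hour pipeline so the difference is visible: two alerts in the 10:5x minutes are inside the sliding window but outside the "Jun  9 11" bucket, so the bucket count stays under the threshold while the window count exceeds it.

```python
#!/usr/bin/env python3
"""Sliding-window threshold check over syslog-format lines.

Added example, not from the original thread. Implements the "now minus
N minutes" window instead of grepping by hour, so the count does not
reset at the top of each hour.
"""
import re
from datetime import datetime, timedelta

# Classic BSD syslog timestamp: "Jun  9 11:51:00" (day space-padded, no year).
_TS_RE = re.compile(r'^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ')
_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_syslog_ts(line, now):
    """Return the line's timestamp as a datetime, or None if it has none.

    Syslog lines carry no year, so borrow it from `now`; if that places the
    entry in the future (reading December lines on Jan 1), use last year.
    """
    m = _TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    ts = datetime(now.year, _MONTHS[mon], int(day), int(hh), int(mm), int(ss))
    if ts > now + timedelta(days=1):
        ts = ts.replace(year=now.year - 1)
    return ts


def count_recent(lines, pattern, now, window_minutes=60):
    """Count lines matching `pattern` whose timestamp is in (now - window, now]."""
    cutoff = now - timedelta(minutes=window_minutes)
    needle = re.compile(pattern)
    hits = 0
    for line in lines:
        ts = parse_syslog_ts(line, now)
        if ts is None or not (cutoff < ts <= now):
            continue
        if needle.search(line):
            hits += 1
    return hits


def over_threshold(lines, pattern, now, threshold=10, window_minutes=60):
    """True when more than `threshold` matching events fall inside the window."""
    return count_recent(lines, pattern, now, window_minutes) > threshold


def hour_bucket_count(lines, hour_prefix, pattern):
    """Emulate the posted pipeline: grep "<Mon DD HH>" file | grep <pattern> | wc -l."""
    needle = re.compile(pattern)
    return sum(1 for l in lines if l.startswith(hour_prefix) and needle.search(l))


# Constructed sample log (not real data): an IDS emits one snort line per alert.
SAMPLE_LOG = """\
Jun  9 10:30:12 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 10:57:01 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 10:58:44 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 11:02:10 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 11:09:33 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 11:15:05 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 11:21:48 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 11:28:12 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 11:33:57 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 11:40:00 sensor sshd[900]: Accepted publickey for nicole from 10.0.0.7
Jun  9 11:41:20 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 11:47:03 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
Jun  9 11:54:59 sensor snort[812]: [1:1000:1] test alert {TCP} 10.0.0.5 -> 10.0.0.1
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()
# Fixed "now" so the example is reproducible; a cron job would use datetime.now().
NOW = datetime(2003, 6, 9, 11, 55, 0)
ALERT_PATTERN = r"snort\["

if __name__ == "__main__":
    window = count_recent(SAMPLE_LINES, ALERT_PATTERN, NOW)
    bucket = hour_bucket_count(SAMPLE_LINES, "Jun  9 11", ALERT_PATTERN)
    print(f"last 60 min: {window} alerts, hour bucket: {bucket} alerts")
    if over_threshold(SAMPLE_LINES, ALERT_PATTERN, NOW):
        print("threshold exceeded: page someone")  # replace with mail/pager call
```

Run from cron every minute as the thread suggests, the script re-reads the filtered log and applies the window to the current time; a hour-bucket grep at 11:55 would report 9 alerts here and stay silent, while the 60-minute window reports 11 and fires.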