Try this... http://www.estpak.ee/~risto/sec/ Marc Mamane GuardedNet, Inc. -----Original Message----- From: netsec novice [mailto:netsec9@hotmail.com] Sent: Monday, June 09, 2003 1:42 PM To: syslog-ng@lists.balabit.hu Subject: [syslog-ng]Log monitoring I am looking for a tool that would allow me to perform an action(send e-mail) when a particular event meets a threshhold. I have my IDS tuned to the point where I have a good sense of how many alerts I receive in an hour. I know I can send an alert based on matching a particular alert but what I would really like to do is send notification based on whether I receive more than 10 alerts in less than an hour. I hope my intention is clear here... I know there are products out there such as Swatch or logwatch but I haven't seen anything that alerts on thresholds rather than pattern matching only. My idea here is to set up something that watches my logs continuously and if I get more than 10 alerts within an hour or less during any part of the day - I would be paged. I am not a Perl guru so any help I can get in getting started is appreciated. My guess is that someone has already invented the wheel - I just don't know where it is. Thanks for any guidance... Nicole _________________________________________________________________ Add photos to your e-mail with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html