Does syslog-ng support triggers?
Hello everyone,

I was wondering if syslog-ng supports triggers (based on keywords OR time events). I.e., I want to be able to call an application if syslog-ng detects that the same log message came from the same host x times in y minutes. We are suffering a lot of attacks against our webmail servers and would like to use this to trigger an alarm against brute force connections.

Thanks in advance,
-- Luís Miguel Ferreira da Silva Qualidade e Segurança CICA - FEUP GSM: +351 912671471
On Fri, Oct 10, 2008 at 06:02:51PM +0100, Luís Miguel Silva wrote:
We are suffering a lot of attacks against our webmail servers and would like to use this to try and trigger an alarm against brute force connections.
syslog-ng is a great program, but it's not an IDS or IPS. Try swatch, fail2ban, simple event correlator, snort, or some other program that is designed to work in the event monitor / trigger action space.
You should look at something like swatch to set up triggers on X events in Y time causing something to happen. syslog-ng is not meant to do things based on thresholds (however, if there are specific *individual* messages, you can certainly write filters and have them sent to different destinations, giving you some flexibility in scripting a basic response).

---- "Luís Miguel Silva" <lms@fe.up.pt> wrote:
Hello everyone,
I was wondering if syslog-ng supports triggers (based on keywords OR time events).
I.e., I want to be able to call an application if syslog-ng detects that the same log message came from the same host x times in y minutes.
We are suffering a lot of attacks against our webmail servers and would like to use this to try and trigger an alarm against brute force connections.
Thanks in advance,
-- Luís Miguel Ferreira da Silva Qualidade e Segurança CICA - FEUP GSM: +351 912671471
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
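The reply above says syslog-ng can route specific *individual* messages to a destination but does not count them over time; the counting has to live in whatever that destination runs. The following is an added example, not code from the thread or from syslog-ng: a small Python script meant to sit behind a syslog-ng program() destination, reading the already-filtered lines on stdin and firing an action when the same (host, source IP) pair produces X matching messages within a sliding window of Y minutes. The syslog-ng glue in the docstring, the script path, the "authentication failure" match text, the `logger`-based alert, and the sample log lines are all assumptions constructed for the example.

```python
"""Threshold trigger fed by a syslog-ng program() destination.

Added example (not part of the original thread and not syslog-ng code).
syslog-ng itself does not count events over time; this script does, on the
lines syslog-ng hands it via stdin. Assumed, illustrative syslog-ng glue:

    filter f_authfail  { match("authentication failure"); };
    destination d_trig { program("/usr/local/bin/authfail_trigger.py"); };
    log { source(s_sys); filter(f_authfail); destination(d_trig); };
"""
import re
import subprocess
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic BSD syslog line: "Oct 10 18:02:51 host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# Source address inside the message; the "from <ip>" form is an assumption
# about the webmail daemon's wording, adjust to the real log format.
SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample input (not real logs); documentation IP ranges used.
SAMPLE_LINES = [
    "Oct 10 18:02:51 webmail1 imapd[2201]: authentication failure from 198.51.100.7 user=alice",
    "Oct 10 18:03:10 webmail1 imapd[2201]: authentication failure from 198.51.100.7 user=bob",
    "Oct 10 18:03:45 webmail2 imapd[1987]: authentication failure from 203.0.113.9 user=carol",
    "Oct 10 18:04:02 webmail1 imapd[2201]: authentication failure from 198.51.100.7 user=root",
    "Oct 10 18:04:30 webmail1 imapd[2201]: authentication failure from 198.51.100.7 user=admin",
    "Oct 10 18:04:31 webmail1 imapd[2201]: authentication failure from 198.51.100.7 user=test",
    "Oct 10 18:20:00 webmail1 imapd[2201]: authentication failure from 198.51.100.7 user=alice",
]


def parse_line(line, year=2008):
    """Return (timestamp, host, message) or None if the line does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # BSD syslog timestamps carry no year, so one is assumed (hypothetical default).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("msg")


class ThresholdTrigger:
    """Call action(key, count) once when `key` produces `threshold` events inside a
    sliding window of `window_minutes`; repeat firings for the same key are
    suppressed until a full window has passed since the last firing."""

    def __init__(self, threshold, window_minutes, action):
        self.threshold = threshold
        self.window = timedelta(minutes=window_minutes)
        self.action = action
        self.events = defaultdict(deque)  # key -> timestamps still inside the window
        self.last_fired = {}              # key -> time of last firing

    def feed(self, ts, key):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire events older than the window
            q.popleft()
        if len(q) >= self.threshold:
            last = self.last_fired.get(key)
            if last is None or ts - last > self.window:
                self.last_fired[key] = ts
                self.action(key, len(q))
                return True
        return False


def run(lines, threshold=5, window_minutes=5, action=None):
    """Feed syslog lines to a trigger; return the list of (host, src_ip, count) firings."""
    firings = []

    def record(key, count):
        firings.append((key[0], key[1], count))
        if action is not None:
            action(key, count)

    trig = ThresholdTrigger(threshold, window_minutes, record)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: ignore rather than crash the pipeline
        ts, host, msg = parsed
        src = SRC_RE.search(msg)
        trig.feed(ts, (host, src.group(1) if src else None))
    return firings


def alert(key, count):
    """Default action: write an alert back via logger(1). Replace with your own
    alerting or blocking command (assumption: logger is installed)."""
    host, src = key
    subprocess.run(["logger", "-t", "authfail_trigger",
                    f"{count} auth failures from {src} on {host}"], check=False)


def main():
    # syslog-ng keeps the program() child alive and streams lines to its stdin.
    run(sys.stdin, threshold=5, window_minutes=5, action=alert)


if __name__ == "__main__":
    main()
```

Keying on (host, source IP) rather than on the host alone matters for a brute-force alarm: a busy webmail server will always produce some failures, so counting per attacking address, and expiring old events from the window, is what keeps the trigger from firing on ordinary traffic. The firing suppression also avoids calling the action on every further failure once the threshold is crossed.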
Hello, I know there are other options, I just wanted to know if syslog-ng also did that! ;o) Thank you for your help! Luís Silva

jrhendri@maine.rr.com wrote:
You should look at something like swatch to set up triggers on X events in Y time causing something to happen.
syslog-ng is not meant to do things based on thresholds (however, if there are specific *individual* messages, you can certainly write filters and have them sent to different destinations, giving you some flexibility in scripting a basic response).
-- Luís Miguel Ferreira da Silva Qualidade e Segurança CICA - FEUP GSM: +351 912671471
participants (3): Ed Ravin, jrhendri@maine.rr.com, Luís Miguel Silva