I am looking for a tool that would allow me to perform an action (send e-mail) when a particular event meets a threshold. I have my IDS tuned to the point where I have a good sense of how many alerts I receive in an hour. I know I can send an alert based on matching a particular alert, but what I would really like to do is send notification based on whether I receive more than 10 alerts in less than an hour. I hope my intention is clear here... I know there are products out there such as Swatch or logwatch, but I haven't seen anything that alerts on thresholds rather than pattern matching only. My idea here is to set up something that watches my logs continuously and if I get more than 10 alerts within an hour or less during any part of the day - I would be paged. I am not a Perl guru so any help I can get in getting started is appreciated. My guess is that someone has already invented the wheel - I just don't know where it is.

Thanks for any guidance...
Nicole
We have a similar circumstance, where we basically have our logs filtered, and the events that we want put into a separate log file. Then we grep the log based on time stamp & count the number of lines. The counter runs from cron every minute, and sends out an email if the number is higher than the threshold.

Hope that helps!
Nick

On Mon, 2003-06-09 at 10:42, netsec novice wrote:
> I am looking for a tool that would allow me to perform an action (send e-mail) when a particular event meets a threshold. I have my IDS tuned to the point where I have a good sense of how many alerts I receive in an hour. I know I can send an alert based on matching a particular alert, but what I would really like to do is send notification based on whether I receive more than 10 alerts in less than an hour. I hope my intention is clear here... I know there are products out there such as Swatch or logwatch, but I haven't seen anything that alerts on thresholds rather than pattern matching only. My idea here is to set up something that watches my logs continuously and if I get more than 10 alerts within an hour or less during any part of the day - I would be paged. I am not a Perl guru so any help I can get in getting started is appreciated. My guess is that someone has already invented the wheel - I just don't know where it is.
>
> Thanks for any guidance...
> Nicole
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

--
Nicholas Bernstein | nick@docmagic.com
UNIX Systems Administrator | http://www.docmagic.com
Document Systems Inc.
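A shell version of the cron check Nick describes, added here as an example and not code posted by anyone in the thread. It assumes syslog-ng has already filtered the IDS alerts into their own file and stamps each line with the $UNIXTIME macro as its first field (the macro is real; the file, limits and sample lines are made up), and it goes one step beyond the per-minute check by also scanning a whole file for any hour-long span that crosses the limit.

```shell
# Added example, not from the thread. Assumes syslog-ng writes the filtered IDS
# alerts with $UNIXTIME first, e.g. "1055151720 snort[42]: ..."; the rest is ignored.

# Number of alert lines stamped within the WINDOW seconds ending at NOW.
# Usage: count_recent FILE NOW WINDOW
count_recent() {
    awk -v now="$2" -v win="$3" '
        $1 ~ /^[0-9]+$/ && $1 > now - win && $1 <= now { n++ }
        END { print n + 0 }' "$1"
}

# Largest number of alerts that fall into any span shorter than WINDOW seconds.
# This answers "more than N in an hour or less during any part of the day" for a
# whole file: sort the stamps, then slide a window over them.
# Usage: max_in_window FILE WINDOW
max_in_window() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }' "$1" | sort -n | awk -v win="$2" '
        { t[NR] = $1
          while (t[NR] - t[lo + 1] >= win) lo++   # evict stamps outside the window
          if (NR - lo > best) best = NR - lo }
        END { print best + 0 }'
}

# Deliver the page: mail(1) when ALERT_MAILTO is set, stdout otherwise.
notify() {
    if [ -n "${ALERT_MAILTO:-}" ]; then
        printf '%s\n' "$1" | mail -s "IDS alert threshold exceeded" "$ALERT_MAILTO"
    else
        printf 'ALERT: %s\n' "$1"
    fi
}

# What cron runs every minute: returns 1 and notifies once the limit is exceeded.
# Usage: check_threshold FILE LIMIT [WINDOW=3600] [NOW=current time]
check_threshold() {
    win=${3:-3600}
    now=${4:-$(date +%s)}
    n=$(count_recent "$1" "$now" "$win")
    [ "$n" -le "$2" ] && return 0
    notify "$n IDS alerts in the last ${win}s (limit $2) in $1"
    return 1
}

# Constructed sample alerts (not real data) for trying the functions offline.
write_sample_log() {
    printf '%s\n' '1000 snort[42]: constructed alert' '1500 snort[42]: constructed alert' \
        '1600 snort[42]: constructed alert' '4000 snort[42]: constructed alert' \
        '4100 snort[42]: constructed alert' '4200 snort[42]: constructed alert' > "$1"
}
```

A crontab line such as `* * * * * . /path/to/this.sh && check_threshold /var/log/ids-alerts.log 10` (path assumed) gives the per-minute check; `max_in_window` is for reviewing a day's file after the fact.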