[syslog-ng]Log monitoring

netsec novice syslog-ng@lists.balabit.hu
Mon, 09 Jun 2003 17:42:25 +0000


I am looking for a tool that would allow me to perform an action (send 
e-mail) when a particular event meets a threshold.  I have my IDS tuned to 
the point where I have a good sense of how many alerts I receive in an hour. 
  I know I can send an alert based on matching a particular alert but what I 
would really like to do is send notification based on whether I receive more 
than 10 alerts in less than an hour.  I hope my intention is clear here...  
I know there are products out there such as Swatch or logwatch but I haven't 
seen anything that alerts on thresholds rather than pattern matching only.  
My idea here is to set up something that watches my logs continuously and if 
I get more than 10 alerts within an hour or less during any part of the day 
- I would be paged.  I am not a Perl guru so any help I can get in getting 
started is appreciated.  My guess is that someone has already invented the 
wheel - I just don't know where it is.

Thanks for any guidance...
Nicole

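The "more than 10 alerts within an hour" rule the post asks about is a sliding-window count over timestamps rather than a pattern match. The script below is an added example, written for this thread; it is not code from the original post, from syslog-ng, or from Swatch/logwatch. It assumes BSD-style syslog lines ("Jun  9 17:42:25 host prog[pid]: text"), assumes the IDS logs under a program name of "snort" (hypothetical; change IDS_PROGRAM to match), supplies a year because that timestamp format carries none, and treats timestamps as arriving roughly in order. The sample log it runs on is constructed, not a real capture.

```python
#!/usr/bin/env python3
"""Sliding-window threshold alerting over IDS messages in a syslog stream.

Added example, not code from the original post or from syslog-ng. It assumes
BSD syslog-style lines ("Jun  9 17:42:25 host prog[pid]: text") and that IDS
alerts are logged by a program named "snort" (hypothetical; see IDS_PROGRAM).
"""
import re
import sys
from collections import deque
from datetime import datetime

IDS_PROGRAM = "snort"   # hypothetical program name of the IDS in syslog

# BSD syslog header: "Mon dd HH:MM:SS host program[pid]:" (day may be space-padded).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^\[:\s]+)"
)


def parse_line(line, year=2003):
    """Return (timestamp, program) for a syslog line, or None if it does not parse.

    BSD syslog timestamps carry no year, so the caller supplies one (assumed 2003).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # strptime treats whitespace in the format as \s+, so "Jun  9" parses fine.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("prog")


class ThresholdWatcher:
    """Call notify() once more than `threshold` IDS alerts fall inside any
    `window_seconds`-long span, then stay quiet for `cooldown_seconds`."""

    def __init__(self, threshold=10, window_seconds=3600, cooldown_seconds=3600,
                 notify=print):
        self.threshold = threshold
        self.window = window_seconds
        self.cooldown = cooldown_seconds
        self.notify = notify
        self.events = deque()      # timestamps of IDS alerts still inside the window
        self.last_fired = None     # timestamp of the last notification sent

    def feed(self, line):
        """Consume one log line; return True if a notification was sent."""
        parsed = parse_line(line)
        if parsed is None or parsed[1] != IDS_PROGRAM:
            return False            # not an IDS alert: ignored, not counted
        ts, _ = parsed
        self.events.append(ts)
        # Slide the window: drop alerts older than window_seconds before this one.
        # Assumes timestamps arrive roughly in order, as they do from one syslog feed.
        cutoff = ts.timestamp() - self.window
        while self.events and self.events[0].timestamp() < cutoff:
            self.events.popleft()
        if len(self.events) <= self.threshold:
            return False
        # Rate-limit the page itself: the 12th, 13th, ... alert must not page again.
        if (self.last_fired is not None
                and ts.timestamp() - self.last_fired.timestamp() < self.cooldown):
            return False
        self.last_fired = ts
        self.notify(f"{len(self.events)} IDS alerts within {self.window}s "
                    f"(latest {ts:%b %d %H:%M:%S})")
        return True


def run_stream(lines, threshold=10, window_seconds=3600, cooldown_seconds=3600):
    """Feed every line to a watcher and return the notifications it produced."""
    fired = []
    watcher = ThresholdWatcher(threshold, window_seconds, cooldown_seconds,
                               notify=fired.append)
    for line in lines:
        watcher.feed(line.rstrip("\n"))
    return fired


def constructed_sample():
    """Constructed sample stream (not a real capture): 12 IDS alerts five minutes
    apart with two non-IDS lines mixed in, then one more alert over an hour later."""
    lines = []
    for i in range(12):
        lines.append(f"Jun  9 16:{5 * i:02d}:00 ids1 snort[4242]: [1:469:1] ICMP PING NMAP "
                     f"{{ICMP}} 10.0.0.5 -> 10.0.0.{9 + i}")
        if i == 1:
            lines.append("Jun  9 16:06:00 ids1 sshd[511]: Accepted publickey for nicole "
                         "from 10.0.0.7 port 40212 ssh2")
        if i == 6:
            lines.append("Jun  9 16:31:00 ids1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)")
    lines.append("Jun  9 18:00:00 ids1 snort[4242]: [1:469:1] ICMP PING NMAP {ICMP} "
                 "10.0.0.5 -> 10.0.0.30")
    return lines


if __name__ == "__main__":
    # Read a live feed on stdin (e.g. from a syslog-ng program() destination or
    # `tail -f`); replace the print with your mail/pager call in production.
    watcher = ThresholdWatcher(notify=lambda msg: print(f"PAGE: {msg}", flush=True))
    for line in sys.stdin:
        watcher.feed(line.rstrip("\n"))
```

On the constructed sample the watcher pages exactly once, at the 11th alert (16:50), stays silent for the 12th because of the cooldown, and does not page for the 18:00 alert because every earlier one has slid out of the one-hour window. syslog-ng can hand lines to such a script over stdin with a program() destination, so only the filter that selects IDS messages needs to live in syslog-ng.conf; the counting happens here. Lower the cooldown if you want repeated pages while the rate stays high.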