[syslog-ng]Log monitoring
Hamilton, Andrew
syslog-ng@lists.balabit.hu
Mon, 9 Jun 2003 13:47:40 -0400
This is really out of the scope of the syslog process so you'd probably want
an external package. You can look at Big Brother, http://www.bb4.com. It
is a very useful monitoring tool and will monitor all kinds of things. It
would be fairly simple to have it do this.
Regards,
Drew
-----Original Message-----
From: netsec novice [mailto:netsec9@hotmail.com]
Sent: Monday, June 09, 2003 1:42 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]Log monitoring
I am looking for a tool that would allow me to perform an action (send
e-mail) when a particular event meets a threshold. I have my IDS tuned to
the point where I have a good sense of how many alerts I receive in an hour.
I know I can send an alert based on matching a particular alert but what I
would really like to do is send notification based on whether I receive more
than 10 alerts in less than an hour. I hope my intention is clear here...
I know there are products out there such as Swatch or logwatch but I haven't
seen anything that alerts on thresholds rather than pattern matching only.
My idea here is to set up something that watches my logs continuously and if
I get more than 10 alerts within an hour or less during any part of the day
- I would be paged. I am not a Perl guru so any help I can get in getting
started is appreciated. My guess is that someone has already invented the
wheel - I just don't know where it is.
Thanks for any guidance...
Nicole
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
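The sliding-window threshold check Nicole describes, as an added example that is not part of this thread and not Big Brother's code: a Python script that is fed syslog lines (for instance by `tail -f` on the IDS log, or from a syslog-ng `program()` destination), counts the lines that look like IDS alerts in the trailing hour, and calls a notification hook once more than ten have arrived. The `snort[...]` line shape, the pinned year 2003, the `sensor1` host and the `stderr_pager` hook are assumptions made for the example; swap in your own alert pattern and your real mail or pager command.

```python
import re
import sys
from collections import deque
from datetime import datetime

# Assumed alert line shape (hypothetical; adjust to what your sensor logs):
#   Jun  9 13:42:01 sensor1 snort[4711]: [1:2003:8] WEB-MISC probe
ALERT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: ')


def parse_ts(ts, year=2003):
    """Syslog timestamps carry no year; pin one (assumption for the example)
    so the window arithmetic is deterministic. Production code would use the
    current year and cope with the roll-over at New Year."""
    return datetime.strptime(ts, '%b %d %H:%M:%S').replace(year=year)


def scan(lines, threshold=10, window=3600, notify=None):
    """Walk syslog lines in order. Each alert's timestamp goes into a deque;
    timestamps older than `window` seconds relative to the newest alert are
    dropped from the front. When more than `threshold` remain, call
    `notify(ts, count)` once and empty the deque, so a single burst produces
    a single page rather than one per additional line. Returns the list of
    (timestamp, count) pairs at which it fired, for checking and logging."""
    seen = deque()
    fired = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:                      # sshd, cron, ... are not IDS alerts
            continue
        now = parse_ts(m.group('ts'))
        seen.append(now)
        while seen and (now - seen[0]).total_seconds() > window:
            seen.popleft()
        if len(seen) > threshold:
            fired.append((now, len(seen)))
            if notify is not None:
                notify(now, len(seen))
            seen.clear()
    return fired


def sample_log():
    """Constructed syslog excerpt (not real data): twelve alerts two minutes
    apart, one unrelated sshd line, then three alerts spread over hours."""
    alert = 'Jun  9 %02d:%02d:00 sensor1 snort[4711]: [1:2003:8] WEB-MISC probe'
    lines = [alert % (13, 2 * i) for i in range(12)]
    lines.append('Jun  9 13:24:30 sensor1 sshd[912]: Accepted publickey for nicole')
    lines += [alert % (h, m) for h, m in ((14, 30), (15, 45), (16, 10))]
    return lines


def stderr_pager(ts, count):
    """Stand-in for the real action (mail, pager); hypothetical hook."""
    sys.stderr.write('PAGE: %d IDS alerts in the hour ending %s\n'
                     % (count, ts.strftime('%b %d %H:%M:%S')))


if __name__ == '__main__':
    # Live use, e.g.:  tail -f /var/log/ids.log | python3 thresh.py
    scan(sys.stdin, notify=stderr_pager)
```

On the constructed sample this fires exactly once, at the eleventh alert (13:20) with a count of 11, and stays quiet for the later, sparser alerts. Two points a practitioner will want to check before trusting it: the window is measured on the sensor's own timestamps, not on arrival time, so a sensor with a skewed clock or a delayed feed shifts the window, and the reset after firing means the script re-arms only after a fresh burst of more than `threshold` alerts, which is deliberate (one page per burst) but does mean a sustained flood is reported once per `threshold + 1` alerts rather than once per hour.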