[syslog-ng]Log monitoring

Nicholas Bernstein syslog-ng@lists.balabit.hu
09 Jun 2003 10:56:57 -0700


We have a similar circumstance, where we basically have our logs
filtered, and the events that we want put into a separate log file. Then
we grep the log based on time stamp & count the number of lines. The
counter runs from cron every minute, and sends out an email if the
number is higher than the threshold.

Hope that helps!
Nick

On Mon, 2003-06-09 at 10:42, netsec novice wrote:
> I am looking for a tool that would allow me to perform an action (send 
> e-mail) when a particular event meets a threshold.  I have my IDS tuned to 
> the point where I have a good sense of how many alerts I receive in an hour. 
>   I know I can send an alert based on matching a particular alert but what I 
> would really like to do is send notification based on whether I receive more 
> than 10 alerts in less than an hour.  I hope my intention is clear here...  
> I know there are products out there such as Swatch or logwatch but I haven't 
> seen anything that alerts on thresholds rather than pattern matching only.  
> My idea here is to set up something that watches my logs continuously and if 
> I get more than 10 alerts within an hour or less during any part of the day 
> - I would be paged.  I am not a Perl guru so any help I can get in getting 
> started is appreciated.  My guess is that someone has already invented the 
> wheel - I just don't know where it is.
> 
> Thanks for any guidance...
> Nicole
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
-- 
+---------------------------------------------------------------+
| Nicholas Bernstein            | nick@docmagic.com             |
| UNIX Systems Administrator    | http://www.docmagic.com       |
| Document Systems Inc.         |                               |
+---------------------------------------------------------------+
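The cron-driven counter Nick describes (grep the filtered log by timestamp, count lines, mail when over the threshold), written out as an added example that is not code from either poster. It assumes the filtered events land in one file in classic syslog format, whose stamps carry no year, and it relies on cron's default behaviour of mailing any output a job prints (a constructed sample log is embedded for testing):

```python
"""Threshold check over a filtered syslog file (added example, hypothetical)."""
import re
import sys
from datetime import datetime, timedelta

# Classic syslog header at line start: "Jun  9 10:42:01 host prog[pid]: msg"
STAMP = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")

def parse_stamp(line, now):
    """Return the line's timestamp, or None if the header is unparseable.
    Syslog stamps have no year, so the year is borrowed from `now`; a stamp
    that would land in the future is taken to be from the previous year."""
    m = STAMP.match(line)
    if not m:
        return None
    mon, day, clock = m.groups()
    try:
        ts = datetime.strptime(f"{mon} {day} {clock} {now.year}", "%b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return ts.replace(year=now.year - 1) if ts > now else ts

def count_recent(lines, now, window=timedelta(hours=1)):
    """Count lines whose timestamp falls inside [now - window, now]."""
    cutoff = now - window
    return sum(1 for ln in lines
               if (ts := parse_stamp(ln, now)) is not None and cutoff <= ts <= now)

def over_threshold(lines, now, threshold=10, window=timedelta(hours=1)):
    """True when more than `threshold` events fell inside the window."""
    return count_recent(lines, now, window) > threshold

# Constructed sample: 2 stale alerts, 12 alerts in the hour before 10:56:57, 1 junk line.
SAMPLE_NOW = datetime(2003, 6, 9, 10, 56, 57)
SAMPLE_LOG = (
    ["Jun  9 09:30:00 ids snort[812]: [1:2003:1] constructed alert"] * 2
    + [f"Jun  9 10:{m:02d}:00 ids snort[812]: [1:2003:1] constructed alert"
       for m in range(0, 60, 5)]
    + ["garbage line without a timestamp"]
)

if __name__ == "__main__":
    # Run from cron every minute, e.g.: * * * * * /usr/bin/python3 thresh.py /var/log/ids-alerts
    with open(sys.argv[1]) as fh:
        n = count_recent(fh.read().splitlines(), datetime.now())
    if n > 10:
        print(f"{n} IDS alerts in the last hour (threshold 10)")  # cron mails this line
```

Because the script is silent below the threshold, cron's MAILTO only fires when the count is exceeded, which is the whole mechanism of the alarm.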