[syslog-ng]Log monitoring

Nicholas Bernstein syslog-ng@lists.balabit.hu
09 Jun 2003 11:54:53 -0700 

there should probably be "" around the $(date ...) in the grep now that
I think about it. 

-Nick

On Mon, 2003-06-09 at 11:51, Nicholas Bernstein wrote:
> Ok.... 
> 
> something like : 
> 	grep "Jun  9 11" messages| grep ftpd
> will get you all of the messages containing ftpd on June 9th, during the
> 11th hour. if you wanted to be inexact you can get the date by doing: 
> date | awk -F : '{ print $1 }'
> so to put it all together you could do :
> grep $(date | awk -F : '{ print $1 }') <file> | <grep whatever your
> looking for> | wc -l 
> 
> or somesuch... 
> 
> If I was going to really do it, I'd probably use perl. To be accurate,
> you would want to convert the date into minutes, and then do a grep
> based only look at the entries within "Now - (Minutes)" otherwise, it
> effectivly resets the counter every hour. 
> 
> We aren't doing the exact same thing, otherwise I would try to be of
> more help, but I'm guessing that should be enough to get you started. 
> 
> 
> man sed
> man awk
> man wc
> man bash (of course)
> http://www.perldoc.com
> 
> 
> 
> On Mon, 2003-06-09 at 11:01, netsec novice wrote:
> > It sounds like what I'm looking for.  Would you mind sending me more 
> > details?  I am a relative newbie to syslog and linux.  I appreciate anything 
> > you can share.
> > 
> > Nicole
> > 
> > 
> > >From: Nicholas Bernstein <nick@docmagic.com>
> > >Reply-To: syslog-ng@lists.balabit.hu
> > >To: syslog-ng@lists.balabit.hu
> > >Subject: Re: [syslog-ng]Log monitoring
> > >Date: 09 Jun 2003 10:56:57 -0700
> > >
> > >We have a similar circumstance, where we basically have our logs
> > >filtered, and the events that we want put into a separate log file. Then
> > >we grep the log based on time stamp & count the number of lines. The
> > >counter runs from cron every minute, and sends out an email if the
> > >number is higher than the threshold.
> > >
> > >Hope that helps!
> > >Nick
> > >
> > >On Mon, 2003-06-09 at 10:42, netsec novice wrote:
> > > > I am looking for a tool that would allow me to perform an action(send
> > > > e-mail) when a particular event meets a threshhold.  I have my IDS tuned 
> > >to
> > > > the point where I have a good sense of how many alerts I receive in an 
> > >hour.
> > > >   I know I can send an alert based on matching a particular alert but 
> > >what I
> > > > would really like to do is send notification based on whether I receive 
> > >more
> > > > than 10 alerts in less than an hour.  I hope my intention is clear 
> > >here...
> > > > I know there are products out there such as Swatch or logwatch but I 
> > >haven't
> > > > seen anything that alerts on thresholds rather than pattern matching 
> > >only.
> > > > My idea here is to set up something that watches my logs continuously 
> > >and if
> > > > I get more than 10 alerts within an hour or less during any part of the 
> > >day
> > > > - I would be paged.  I am not a Perl guru so any help I can get in 
> > >getting
> > > > started is appreciated.  My guess is that someone has already invented 
> > >the
> > > > wheel - I just don't know where it is.
> > > >
> > > > Thanks for any guidance...
> > > > Nicole
> > > >
> > > > _________________________________________________________________
> > > > Add photos to your e-mail with MSN 8. Get 2 months FREE*.
> > > > http://join.msn.com/?page=features/featuredemail
> > > >
> > > > _______________________________________________
> > > > syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> > > > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> > >--
> > >+---------------------------------------------------------------+
> > >| Nicholas Bernstein            | nick@docmagic.com             |
> > >| UNIX Systems Administrator    | http://www.docmagic.com       |
> > >| Document Systems Inc.         |                               |
> > >+---------------------------------------------------------------+
> > >
> > >_______________________________________________
> > >syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> > >https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > >Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> > >
> > 
> > _________________________________________________________________
> > Add photos to your messages with MSN 8. Get 2 months FREE*.  
> > http://join.msn.com/?page=features/featuredemail
> > 
> > _______________________________________________
> > syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
-- 
+---------------------------------------------------------------+
| Nicholas Bernstein            | nick@docmagic.com             |
| UNIX Systems Administrator    | http://www.docmagic.com       |
| Document Systems Inc.         |                               |
+---------------------------------------------------------------+