[syslog-ng]Log monitoring

netsec novice syslog-ng@lists.balabit.hu
Mon, 09 Jun 2003 18:57:22 +0000


Thanks so much for sharing.  That should give me a good start.

Cheers,
Nicole

>From: Nicholas Bernstein <nick@docmagic.com>
>Reply-To: syslog-ng@lists.balabit.hu
>To: syslog-ng@lists.balabit.hu
>Subject: Re: [syslog-ng]Log monitoring
>Date: 09 Jun 2003 11:54:53 -0700
>
>there should probably be "" around the $(date ...) in the grep now that
>I think about it.
>
>-Nick
>
>On Mon, 2003-06-09 at 11:51, Nicholas Bernstein wrote:
> > Ok....
> >
> > something like :
> > 	grep "Jun  9 11" messages| grep ftpd
> > will get you all of the messages containing ftpd on June 9th, during the
> > 11th hour. if you wanted to be inexact you can get the date by doing:
> > date | awk -F : '{ print $1 }'
> > so to put it all together you could do :
> > grep $(date | awk -F : '{ print $1 }') <file> | <grep whatever you're
> > looking for> | wc -l
> >
> > or somesuch...
> >
> > If I was going to really do it, I'd probably use perl. To be accurate,
> > you would want to convert the date into minutes, and then do a grep
> > based only look at the entries within "Now - (Minutes)" otherwise, it
> > effectively resets the counter every hour.
> >
> > We aren't doing the exact same thing, otherwise I would try to be of
> > more help, but I'm guessing that should be enough to get you started.
> >
> >
> > man sed
> > man awk
> > man wc
> > man bash (of course)
> > http://www.perldoc.com
> >
> >
> >
> > On Mon, 2003-06-09 at 11:01, netsec novice wrote:
> > > It sounds like what I'm looking for.  Would you mind sending me more
> > > details?  I am a relative newbie to syslog and linux.  I appreciate anything
> > > you can share.
> > >
> > > Nicole
> > >
> > >
> > > >From: Nicholas Bernstein <nick@docmagic.com>
> > > >Reply-To: syslog-ng@lists.balabit.hu
> > > >To: syslog-ng@lists.balabit.hu
> > > >Subject: Re: [syslog-ng]Log monitoring
> > > >Date: 09 Jun 2003 10:56:57 -0700
> > > >
> > > >We have a similar circumstance, where we basically have our logs
> > > >filtered, and the events that we want put into a separate log file. Then
> > > >we grep the log based on time stamp & count the number of lines. The
> > > >counter runs from cron every minute, and sends out an email if the
> > > >number is higher than the threshold.
> > > >
> > > >Hope that helps!
> > > >Nick
> > > >
> > > >On Mon, 2003-06-09 at 10:42, netsec novice wrote:
> > > > > I am looking for a tool that would allow me to perform an action (send
> > > > > e-mail) when a particular event meets a threshold.  I have my IDS tuned
> > > > > to the point where I have a good sense of how many alerts I receive in an
> > > > > hour.  I know I can send an alert based on matching a particular alert
> > > > > but what I would really like to do is send notification based on whether
> > > > > I receive more than 10 alerts in less than an hour.  I hope my intention
> > > > > is clear here...
> > > > > I know there are products out there such as Swatch or logwatch but I
> > > > > haven't seen anything that alerts on thresholds rather than pattern
> > > > > matching only.
> > > > > My idea here is to set up something that watches my logs continuously
> > > > > and if I get more than 10 alerts within an hour or less during any part
> > > > > of the day - I would be paged.  I am not a Perl guru so any help I can
> > > > > get in getting started is appreciated.  My guess is that someone has
> > > > > already invented the wheel - I just don't know where it is.
> > > > >
> > > > > Thanks for any guidance...
> > > > > Nicole
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> > > > > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > > > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> > > >--
> > > >+---------------------------------------------------------------+
> > > >| Nicholas Bernstein            | nick@docmagic.com             |
> > > >| UNIX Systems Administrator    | http://www.docmagic.com       |
> > > >| Document Systems Inc.         |                               |
> > > >+---------------------------------------------------------------+
> > > >
> > > >
> > >
>

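As an added example (not code from this thread or from any of its participants), here is the "Now - (Minutes)" sliding window Nick describes, written in Python rather than the Perl he suggests. It also implements the hour-bucket count that the thread's `grep "Jun  9 11"` performs, so the reset-at-the-top-of-the-hour effect can be seen side by side; the sample log lines, the `ftpd` pattern and the fixed `NOW` clock are constructed.

```python
import re
import sys
from datetime import datetime, timedelta

# BSD syslog timestamps carry no year: "Jun  9 11:51:00 host prog[pid]: ..."
_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
_MON = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_ts(line, now):
    """Timestamp of a syslog line, or None if the line has none. The year is
    taken from `now`; a stamp that lands after `now` is assumed to be from
    the previous year (December entries read in January)."""
    m = _TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    ts = datetime(now.year, _MON[mon], int(day), int(hh), int(mm), int(ss))
    if ts > now + timedelta(days=1):
        ts = ts.replace(year=now.year - 1)
    return ts

def count_hour_bucket(lines, pattern, now):
    """What grep "Jun  9 11" does: only lines stamped in the current clock
    hour count, so the total restarts from zero at every :00."""
    prefix = f"{now:%b} {now.day:2d} {now:%H}"       # e.g. "Jun  9 11"
    return sum(1 for l in lines if l.startswith(prefix) and re.search(pattern, l))

def count_sliding(lines, pattern, now, window_minutes=60):
    """Lines matching `pattern` stamped within the last `window_minutes`."""
    cutoff = now - timedelta(minutes=window_minutes)
    rx = re.compile(pattern)
    return sum(1 for l in lines
               if rx.search(l) and (ts := parse_ts(l, now)) is not None
               and cutoff < ts <= now)

def over_threshold(lines, pattern, now, threshold=10, window_minutes=60):
    """True when more than `threshold` matches fall in the window."""
    return count_sliding(lines, pattern, now, window_minutes) > threshold

# Constructed sample lines (not from the thread); the clock is 11:54 on Jun 9.
SAMPLE = """\
Jun  9 10:05:12 host ftpd[201]: FTP LOGIN FAILED FROM 192.0.2.10
Jun  9 10:58:01 host ftpd[202]: FTP LOGIN FAILED FROM 192.0.2.10
Jun  9 11:02:33 host sshd[300]: Accepted publickey for nicole
Jun  9 11:10:00 host ftpd[203]: FTP LOGIN FAILED FROM 192.0.2.11
Jun  9 11:45:00 host ftpd[204]: FTP LOGIN FAILED FROM 192.0.2.11
""".splitlines()
NOW = datetime(2003, 6, 9, 11, 54, 0)

if __name__ == "__main__":
    # With a file argument, run against a real log and the real clock (cron use).
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    now = datetime.now() if len(sys.argv) > 1 else NOW
    print("hour bucket:", count_hour_bucket(lines, "ftpd", now))   # 2 on SAMPLE
    print("last 60 min:", count_sliding(lines, "ftpd", now))       # 3 on SAMPLE
    sys.exit(1 if over_threshold(lines, "ftpd", now) else 0)
```

Run from cron every minute as in Nick's setup, the non-zero exit status is the hook for the mail or page; the 10:58 entry is the one the hour-bucket grep misses.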