[syslog-ng] Anyone got a well performing search interface for
syslog data?
Bill Nash
billn at billn.net
Thu Sep 8 18:53:06 CEST 2005
On Thu, 8 Sep 2005, Jason Haar wrote:
> I just want to thank everyone for their responses. Very interesting stuff!
>
> I think I can paraphrase that SQL-backends don't give much advantage
> with large data sets due to the lack of relationships within syslog
> data, and the "fastest" solutions are going to be those that basically
> have custom-written "hot searches" pre-defined so that the appropriate
> indexes/extra files are already created to speed things up.
You're correct in that syslog, by itself, doesn't offer any amount of
relationships.. by itself. This is what log analyzers are for.
mysql> select syslogRule.appSet, count(*) from syslog left join syslogRule
on (syslog.syslogRule = syslogRule.id) group by appSet;
+---------------------+----------+
| appSet | count(*) |
+---------------------+----------+
| NULL | 235 |
| Alteon | 2316 |
| Cisco IOS | 1552 |
| Cron | 6 |
| Linux Kernel | 214689 |
| Linux PAM | 13465 |
| logrotate | 6 |
| named | 157584 |
| PIX Firewall | 3868906 |
| proftpd | 112 |
| Snare Syslog Daemon | 91115 |
| Snort | 7559 |
| sshd | 103 |
| syslog-ng | 7 |
| tacacs | 95 |
+---------------------+----------+
The top 'null' set are entries I don't have rules for.
mysql> select eventDefinition.name, count(*) from syslog left join
syslogRule on (syslog.syslogRule = syslogRule.id) left join
eventDefinition on (eventDefinition.id = syslogRule.eventId) group by
eventDefinition.name;
+---------------------------------------+----------+
| name | count(*) |
+---------------------------------------+----------+
| NULL | 2933114 |
| ACL Violation | 1033 |
| Attack Detected | 4599 |
| Configuration Change | 1192107 |
| Device Shutdown | 214805 |
| Failed login attempt | 384 |
| Interface State Change | 332 |
| Load balanced device failure | 1152 |
| Load balanced device restored | 1143 |
| Promiscuous Network Interface | 2 |
| Software reported an error | 9 |
| Unexpected software termination | 72 |
| Use of super-user privileges detected | 36 |
| User Login | 13514 |
| User Logout | 2878 |
| VLAN State Change | 2 |
+---------------------------------------+----------+
There are very few (free) packages that offer panacea for syslog
management. The problem with a lot of packages is that they simply aren't
flexible enough to let you do what you want to do, and you still wind up
modifying them, or worse, scrapping them for that reason.
I need to go find the 11,000 users who haven't logged out now. ;)
- billn
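The two queries above get their "relationships" from a rule table that sits between the raw messages and a small catalogue of event definitions. As an added example (not code from the post or from syslog-ng), the script below builds that three-table layout in an in-memory SQLite database, classifies a handful of constructed log lines with regex rules, and then runs the post's two GROUP BY queries plus the "logged in but never logged out" question from the closing line. Table and column names (syslog, syslogRule, eventDefinition, appSet, eventId) follow the post; the rule regexes, event ids, the user column and the sample lines are assumptions made for this example.

```python
import re
import sqlite3

# Constructed event catalogue and rule set (ids and regexes are assumptions for this example).
EVENT_DEFINITIONS = [
    (1, "User Login"),
    (2, "Failed login attempt"),
    (3, "Configuration Change"),
    (4, "User Logout"),
]

# (id, appSet, eventId, pattern). Group 1, where present, captures the user name.
SYSLOG_RULES = [
    (1, "sshd", 1, r"sshd\[\d+\]: Accepted \w+ for (\S+)"),
    (2, "sshd", 2, r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+)"),
    (3, "Cisco IOS", 3, r"%SYS-5-CONFIG_I: Configured from"),
    (4, "Linux PAM", 4, r"pam_unix\(\S+\): session closed for user (\S+)"),
]
COMPILED_RULES = [(rid, re.compile(pat)) for rid, _, _, pat in SYSLOG_RULES]

# Constructed sample log lines, not real captures.
SAMPLE_LINES = [
    "Sep  8 18:01:02 host1 sshd[123]: Accepted password for alice from 10.0.0.5 port 5000 ssh2",
    "Sep  8 18:01:05 host1 sshd[124]: Failed password for invalid user root from 10.0.0.9 port 5001 ssh2",
    "Sep  8 18:02:00 rtr1 45: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Sep  8 18:03:00 host1 sshd[123]: pam_unix(sshd:session): session closed for user alice",
    "Sep  8 18:04:00 host1 cron[200]: (root) CMD (run-parts /etc/cron.hourly)",
    "Sep  8 18:05:00 host2 sshd[300]: Accepted publickey for bob from 10.0.0.7 port 5002 ssh2",
]


def classify(msg):
    """Return (rule_id, user) for the first matching rule, or (None, None) if no rule matches."""
    for rid, rx in COMPILED_RULES:
        m = rx.search(msg)
        if m:
            user = m.group(1) if m.groups() else None
            return rid, user
    return None, None


def build_db(lines=SAMPLE_LINES):
    """Load lines into an in-memory SQLite database using the post's three-table layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE eventDefinition (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE syslogRule (id INTEGER PRIMARY KEY, appSet TEXT, eventId INTEGER, pattern TEXT);
        CREATE TABLE syslog (id INTEGER PRIMARY KEY, msg TEXT, user TEXT, syslogRule INTEGER);
    """)
    conn.executemany("INSERT INTO eventDefinition VALUES (?, ?)", EVENT_DEFINITIONS)
    conn.executemany("INSERT INTO syslogRule VALUES (?, ?, ?, ?)", SYSLOG_RULES)
    for line in lines:
        rid, user = classify(line)  # unmatched lines keep syslogRule = NULL
        conn.execute("INSERT INTO syslog (msg, user, syslogRule) VALUES (?, ?, ?)", (line, user, rid))
    conn.commit()
    return conn


def count_by_appset(conn):
    """The post's first query: messages per application rule set (None = no rule matched)."""
    rows = conn.execute("""
        SELECT syslogRule.appSet, COUNT(*) FROM syslog
        LEFT JOIN syslogRule ON syslog.syslogRule = syslogRule.id
        GROUP BY syslogRule.appSet
    """).fetchall()
    return dict(rows)


def count_by_event(conn):
    """The post's second query: messages per normalized event name."""
    rows = conn.execute("""
        SELECT eventDefinition.name, COUNT(*) FROM syslog
        LEFT JOIN syslogRule ON syslog.syslogRule = syslogRule.id
        LEFT JOIN eventDefinition ON eventDefinition.id = syslogRule.eventId
        GROUP BY eventDefinition.name
    """).fetchall()
    return dict(rows)


def users_without_logout(conn):
    """Users with a 'User Login' event and no 'User Logout' event at all."""
    rows = conn.execute("""
        SELECT DISTINCT s.user FROM syslog s
        JOIN syslogRule r ON s.syslogRule = r.id
        JOIN eventDefinition e ON e.id = r.eventId
        WHERE e.name = 'User Login'
          AND s.user NOT IN (
              SELECT s2.user FROM syslog s2
              JOIN syslogRule r2 ON s2.syslogRule = r2.id
              JOIN eventDefinition e2 ON e2.id = r2.eventId
              WHERE e2.name = 'User Logout' AND s2.user IS NOT NULL)
        ORDER BY s.user
    """).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("by appSet:", count_by_appset(db))
    print("by event:", count_by_event(db))
    print("logged in, never logged out:", users_without_logout(db))
```

The classification happens once, at insert time, which is the point Jason summarized: the speed of the later searches comes from having the rule id already stored on each row, not from the database discovering structure in free-form messages. The NULL buckets in both counts are the lines no rule claimed, which is the same signal the post uses to find where rule coverage is missing.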