[syslog-ng] Trigger dynamic action in syslog-ng

Evan Rempel erempel at uvic.ca
Thu Mar 7 15:55:41 UTC 2019


We do this for all kinds of things.

We
- monitor mailing list subscription rates and then add firewall block rules automatically for abusive users (usually spammers)
- monitor failed login rates to block ip access
- monitor failed login rates followed by successful login and lock accounts.


On 3/6/19 10:44 AM, Jim Hendrick wrote:
> I was wondering if anyone has used syslog-ng to trigger some dynamic action based on logs.
>
> For example,  if a certain threshold of messages happens in a time window,  send an alert. LIke suppress () but more general actions.
> Or if a specific event happens,  send *.debug from that system for 5 minutes.
> Or run a program to collect system data and send it along based on some condition.
>
> Not thinking SIEM functionality here, but maybe allow the log servers to be more dynamic around what actions they take for basic things.
>
> Thoughts?
>
> Thanks.
> Jim

-- 
Evan



More information about the syslog-ng mailing list