[syslog-ng] Trigger dynamic action in syslog-ng
erempel at uvic.ca
Thu Mar 7 15:55:41 UTC 2019
We do this for all kinds of things.
- monitor mailing list subscription rates and then add firewall block rules automatically for abusive users (usually spammers)
- monitor failed login rates to block IP access
- monitor failed login rates followed by a successful login and lock accounts.
On 3/6/19 10:44 AM, Jim Hendrick wrote:
> I was wondering if anyone has used syslog-ng to trigger some dynamic action based on logs.
> For example, if a certain threshold of messages happens in a time window, send an alert. Like suppress () but more general actions.
> Or if a specific event happens, send *.debug from that system for 5 minutes.
> Or run a program to collect system data and send it along based on some condition.
> Not thinking SIEM functionality here, but maybe allow the log servers to be more dynamic around what actions they take for basic things.
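The two login policies in the reply above (block an IP after a burst of failed logins inside a time window, and lock an account when a burst of failures on it is followed by a successful login) as a small replayable detector. This is an added example, not code from the post's author or from syslog-ng itself: the log lines are constructed OpenSSH-style messages in BSD syslog layout, the year, window and thresholds are assumed, and the resulting actions are returned as tuples rather than executed, because the thread does not say which firewall or account commands a site runs. In a real deployment the same logic would sit behind a syslog-ng filter feeding a program() destination (or a correlation rule), and the returned actions would be handed to that program.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not from the post): OpenSSH auth messages in BSD syslog layout.
SAMPLE_LOG = """\
Mar  7 15:50:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  7 15:50:04 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  7 15:50:09 bastion sshd[2107]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar  7 15:51:30 bastion sshd[2150]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Mar  7 15:51:41 bastion sshd[2152]: Failed password for alice from 198.51.100.7 port 51004 ssh2
Mar  7 15:51:55 bastion sshd[2155]: Accepted password for alice from 198.51.100.7 port 51008 ssh2
Mar  7 15:55:00 bastion sshd[2200]: Failed password for bob from 192.0.2.9 port 3001 ssh2
Mar  7 15:57:00 bastion sshd[2201]: Failed password for bob from 192.0.2.9 port 3002 ssh2
Mar  7 15:58:30 bastion sshd[2202]: Accepted publickey for bob from 192.0.2.9 port 3003 ssh2
Mar  7 15:58:40 bastion cron[300]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")


def parse(line, year=2019):
    """Return (timestamp, 'fail' | 'ok', user, ip), or None for lines the detector ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # BSD syslog timestamps carry no year; one is assumed here (syslog-ng would supply it).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    f = FAIL_RE.match(msg)
    if f:
        return ts, "fail", f["user"], f["ip"]
    o = OK_RE.match(msg)
    if o:
        return ts, "ok", o["user"], o["ip"]
    return None


class SlidingCounter:
    """Per-key event counter over a trailing time window; assumes events arrive in time order."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def _evict(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        self._evict(q, ts)
        return len(q)

    def count(self, key, ts):
        q = self.events[key]
        self._evict(q, ts)
        return len(q)


def evaluate(lines, window_seconds=60, block_threshold=3, lock_threshold=2):
    """Replay lines in order; return the (action, target) pairs a reactive log server would emit.

    block_ip:     >= block_threshold failed logins from one IP inside the window
    lock_account: a successful login for a user who had >= lock_threshold failures inside the window
    Each action fires once per target so a continuing burst does not repeat the same command.
    """
    window = timedelta(seconds=window_seconds)
    fails_by_ip = SlidingCounter(window)
    fails_by_user = SlidingCounter(window)
    actions, fired = [], set()

    def fire(action, target):
        if (action, target) not in fired:
            fired.add((action, target))
            actions.append((action, target))

    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        ts, kind, user, ip = ev
        if kind == "fail":
            if fails_by_ip.add(ip, ts) >= block_threshold:
                fire("block_ip", ip)
            fails_by_user.add(user, ts)
        else:
            # A success that caps a burst of failures on the same account looks like a guessed password.
            if fails_by_user.count(user, ts) >= lock_threshold:
                fire("lock_account", user)
    return actions


if __name__ == "__main__":
    for action, target in evaluate(SAMPLE_LOG.splitlines()):
        print(f"{action}\t{target}")
```

With the default 60-second window the replay yields a block for 203.0.113.5 (three failures in eight seconds) and a lock for alice (two failures, then a success); bob's two failures are two minutes apart, so neither fires for him until the window is widened. The counter assumes in-order timestamps, which holds for a single syslog-ng source but not for merged feeds, and the fired set is per run, so a production version would need to persist or expire it.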