[syslog-ng] Trigger dynamic action in syslog-ng
Evan Rempel
erempel at uvic.ca
Thu Mar 7 15:55:41 UTC 2019
We do this for all kinds of things.
We
- monitor mailing list subscription rates and then add firewall block rules automatically for abusive users (usually spammers)
- monitor failed login rates to block ip access
- monitor failed login rates followed by successful login and lock accounts.
On 3/6/19 10:44 AM, Jim Hendrick wrote:
> I was wondering if anyone has used syslog-ng to trigger some dynamic action based on logs.
>
> For example, if a certain threshold of messages happens in a time window, send an alert. LIke suppress () but more general actions.
> Or if a specific event happens, send *.debug from that system for 5 minutes.
> Or run a program to collect system data and send it along based on some condition.
>
> Not thinking SIEM functionality here, but maybe allow the log servers to be more dynamic around what actions they take for basic things.
>
> Thoughts?
>
> Thanks.
> Jim
--
Evan
More information about the syslog-ng
mailing list