[syslog-ng] Trigger dynamic action in syslog-ng
laszlo.szemere at oneidentity.com
Fri Mar 8 11:58:43 UTC 2019
I think most of the things you mentioned can be achieved with patterndb:
Keywords: correlating messages, triggering actions, external actions
(Mentioned in the Administration Guide) There is a collection of example
patterns on GitHub: https://github.com/balabit/syslog-ng-patterndb/ most
probably they will not suit your needs as is, but they are a good starting
point. (please feel free to share your final solution as PR)
I hope it was helpful!
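As an added illustration (not from the thread or the syslog-ng-patterndb repository), here is a patterndb ruleset for the failed-login case Evan and Jim describe: it correlates sshd "Failed password" lines per source IP in a 60-second context and emits one alert message once five are seen. The ruleset/rule ids, the value names (`src_ip`, `user`, `src_port`), the tag names and the `patterndb-alert` PROGRAM are my own placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original thread. Ids below are constructed placeholders. -->
<patterndb version="5" pub_date="2019-03-08">
  <ruleset name="sshd-bruteforce" id="11111111-1111-1111-1111-111111111111">
    <!-- the ruleset pattern is matched against ${PROGRAM} -->
    <pattern>sshd</pattern>
    <rules>
      <rule provider="example" id="22222222-2222-2222-2222-222222222222"
            class="violation"
            context-id="sshfail-${src_ip}"
            context-scope="global"
            context-timeout="60">
        <patterns>
          <!-- more specific form first; @ESTRING:name: @ reads up to and consumes the next space -->
          <pattern>Failed password for invalid user @ESTRING:user: @from @IPv4:src_ip@ port @NUMBER:src_port@ ssh2</pattern>
          <pattern>Failed password for @ESTRING:user: @from @IPv4:src_ip@ port @NUMBER:src_port@ ssh2</pattern>
        </patterns>
        <tags>
          <tag>auth.failure</tag>
        </tags>
        <examples>
          <example>
            <test_message program="sshd">Failed password for root from 192.0.2.10 port 51234 ssh2</test_message>
            <test_values>
              <test_value name="src_ip">192.0.2.10</test_value>
            </test_values>
          </example>
        </examples>
        <actions>
          <!-- trigger="match": checked on every message that joins this IP's context;
               $(context-length) is the number of messages currently in that context;
               rate="1/60" limits the alert to once per context per minute -->
          <action trigger="match" condition='"$(context-length)" >= "5"' rate="1/60">
            <message>
              <values>
                <value name="PROGRAM">patterndb-alert</value>
                <value name="MESSAGE">ssh brute-force suspected: $(context-length) failed logins from ${src_ip} on ${HOST} within 60s (last user: ${user})</value>
              </values>
              <tags>
                <tag>alert.ssh_bruteforce</tag>
              </tags>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Check the patterns with `pdbtool test` on the file, then load it with `db-parser(file("...") inject-mode(pass-through))` so the generated alert continues along the same log path, where a `program("patterndb-alert")` filter can hand it to a `program()` destination that runs your response script.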
On Thu, Mar 7, 2019 at 4:55 PM Evan Rempel <erempel at uvic.ca> wrote:
> We do this for all kinds of things.
> - monitor mailing list subscription rates and then add firewall block
> rules automatically for abusive users (usually spammers)
> - monitor failed login rates to block ip access
> - monitor failed login rates followed by successful login and lock
> On 3/6/19 10:44 AM, Jim Hendrick wrote:
> > I was wondering if anyone has used syslog-ng to trigger some dynamic
> action based on logs.
> > For example, if a certain threshold of messages happens in a time
> window, send an alert. Like suppress() but more general actions.
> > Or if a specific event happens, send *.debug from that system for 5
> > Or run a program to collect system data and send it along based on some
> > Not thinking SIEM functionality here, but maybe allow the log servers to
> be more dynamic around what actions they take for basic things.
> > Thoughts?
> > Thanks.
> > Jim
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq