[syslog-ng] Trigger dynamic action in syslog-ng

Jim Hendrick james.r.hendrick at gmail.com
Fri Mar 8 15:49:06 UTC 2019


Great! I'll check it out and see.

Thanks,
Jim


On Fri, Mar 8, 2019, 6:58 AM Szemere, László <laszlo.szemere at oneidentity.com>
wrote:

> Hello,
>  I think most of the things you mentioned can be achieved with patterndb:
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.20/administration-guide/71#TOPIC-1122052
>  Keywords: correlating messages, triggering actions, external actions
>
>  (Mentioned in the Administration Guide) There is a collection of example
> patterns on GitHub: https://github.com/balabit/syslog-ng-patterndb/  most
> probably they will not suit your needs as is, but they are a good starting
> point. (please feel free to share your final solution as PR)
>
> I hope it was helpful!
>
> Best Regards,
> Laci
>
>
> On Thu, Mar 7, 2019 at 4:55 PM Evan Rempel <erempel at uvic.ca> wrote:
>
>> We do this for all kinds of things.
>>
>> We
>> - monitor mailing list subscription rates and then add firewall block
>> rules automatically for abusive users (usually spammers)
>> - monitor failed login rates to block ip access
>> - monitor failed login rates followed by successful login and lock
>> accounts.
>>
>>
>> On 3/6/19 10:44 AM, Jim Hendrick wrote:
>> > I was wondering if anyone has used syslog-ng to trigger some dynamic
>> action based on logs.
>> >
>> > For example, if a certain threshold of messages happens in a time
>> window, send an alert. Like suppress() but more general actions.
>> > Or if a specific event happens, send *.debug from that system for 5
>> minutes.
>> > Or run a program to collect system data and send it along based on some
>> condition.
>> >
>> > Not thinking SIEM functionality here, but maybe allow the log servers
>> to be more dynamic around what actions they take for basic things.
>> >
>> > Thoughts?
>> >
>> > Thanks.
>> > Jim
>>
>> --
>> Evan
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>
>
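The threshold-in-a-window case Jim asks about, and the failed-login blocking Evan describes, can be expressed natively with syslog-ng's grouping-by() parser feeding a program() destination. The configuration below is an added example written for this page; it is not code from the thread, from syslog-ng's documentation or from any of the posters. The source port, the regexp, the threshold, the window length, the parser/filter names and the /usr/local/sbin/block-attacker script are all assumptions, and it assumes (as the syslog-ng correlation docs describe for patterndb actions) that macros referenced in aggregate() resolve against the last message of the context.

```conf
@version: 3.20
@include "scl.conf"

# Added example, not from the thread: count sshd "Failed password" lines per
# attacking IP over a 60 s window and hand the result to an external script
# once the window has seen 5 or more. Names, paths and thresholds are
# assumptions chosen for illustration.

source s_net {
    network(transport("udp") port(514));
};

# Keep only sshd failures on this path; everything else goes to the normal
# file/archive log paths (not shown).
filter f_sshd_fail {
    program("sshd") and match("Failed password" value("MESSAGE"));
};

# Pull the client address out of the message into ${.sshd.attacker}.
# (The sender of the syslog packet, ${SOURCEIP}, is the ssh server, not the
# attacker, so the address has to come from the message text.)
parser p_sshd_fields {
    regexp-parser(
        patterns('Failed password for (?:invalid user )?(?<user>\S+) from (?<attacker>[0-9a-fA-F.:]+)')
        prefix(".sshd.")
    );
};

# One context per attacker IP. When the 60 s window closes, a single summary
# message is injected back into this log path, tagged so the filter below can
# tell it apart from the pass-through originals. Assumption: ${.sshd.attacker}
# and ${HOST} in aggregate() resolve against the last message of the context.
parser p_sshd_window {
    grouping-by(
        key("${.sshd.attacker}")
        scope("global")
        timeout(60)
        aggregate(
            value("COUNT" "$(context-length)")
            value("MESSAGE" "ssh brute force: ${.sshd.attacker} failed $(context-length) times in 60s, last target ${HOST}")
            tags("ssh-bruteforce")
        )
        inject-mode("pass-through")
    );
};

# Numeric comparison (>=); the string form would be "ge".
filter f_over_threshold {
    tags("ssh-bruteforce") and "${COUNT}" >= "5";
};

# syslog-ng starts the program once and writes one line per message to its
# stdin, so the (hypothetical) script must loop over stdin rather than read
# a single line and exit.
destination d_block {
    program("/usr/local/sbin/block-attacker"
        template("${.sshd.attacker} ${COUNT}\n")
    );
};

log {
    source(s_net);
    filter(f_sshd_fail);
    parser(p_sshd_fields);
    parser(p_sshd_window);
    filter(f_over_threshold);
    destination(d_block);
};
```

Two caveats a practitioner should keep in mind. The summary is emitted when the window times out, not at the fifth failure, so the block lands up to 60 s after the burst starts; if you need it sooner, close the context with trigger() instead of relying on timeout(). And because the attacker address comes from a field parsed out of an untrusted log line, the receiving script should validate it as an address before passing it to a firewall command, or a crafted "Failed password" line could inject something other than an IP into the block rule.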