North American Network Operators Group


Re: Enterprise syslog management and alert generation.

  • From: Bill Nash
  • Date: Wed Dec 08 01:04:57 2004

On Tue, 7 Dec 2004, Alexei Roudnev wrote:

> In such products, only 20% of the value is in the engine; 80% is in the rules, because I
> cannot write rules myself - I have no event until it happens, and I cannot
> filter out noise until it happens.
>
> We use a few syslog analyzers (using syslog-ng as a transport), some with
> simple logcheck, others with a database for rules and hosts; and every time the
> problem is the same - writing rules is 90% of the problem.
>
> But... do you have rules such as, for example, _send alert if any system
> began to generate 10 times more logs/hour vs. average_? Or saying _single
> PCI ERROR on Solaris - ignore, 10 in a row - send warning_...

The X-over-time rule is a new one; it's been mentioned a couple of times today, and I can certainly account for it. I've added it to my rapidly growing list.

- billn
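The two rule types Alexei sketches, a per-host volume rule against that host's own historical hourly average and a run-of-repeats rule for a message like PCI ERROR, as an added Python example that is not from this thread or from any of the analyzers mentioned; the log lines, hostnames and the 10x / 10-in-a-row thresholds are constructed to match the discussion.

```python
# Added example: rate-vs-baseline and consecutive-repeat rules over syslog lines.
import re
from collections import defaultdict

# Constructed line format: "<ISO timestamp> <host> <message>".
SYSLOG_RE = re.compile(r"^(?P<hour>\S+T\d{2}):\d{2}:\d{2} (?P<host>\S+) (?P<msg>.*)$")

def parse(lines):
    """Yield (hour_bucket, host, message) for each well-formed line."""
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            yield m.group("hour"), m.group("host"), m.group("msg")

def rate_alerts(events, factor=10):
    """Flag (host, hour, count) where an hour's volume exceeds factor x the
    mean of that host's earlier hours: the '10 times logs/hour' rule."""
    counts = defaultdict(lambda: defaultdict(int))  # host -> hour -> n
    for hour, host, _ in events:
        counts[host][hour] += 1
    alerts = []
    for host, by_hour in counts.items():
        hours = sorted(by_hour)
        for i, hour in enumerate(hours[1:], 1):
            baseline = sum(by_hour[h] for h in hours[:i]) / i
            if by_hour[hour] > factor * baseline:
                alerts.append((host, hour, by_hour[hour]))
    return alerts

def run_alerts(events, pattern="PCI ERROR", threshold=10):
    """Warn once when a host logs `pattern` threshold times in a row; a single
    occurrence is ignored and any other message from that host resets the run."""
    runs, warned = defaultdict(int), []
    for _, host, msg in events:
        if pattern in msg:
            runs[host] += 1
            if runs[host] == threshold:
                warned.append(host)
        else:
            runs[host] = 0
    return warned

# Constructed sample: rtr1 is quiet for two hours then floods; sol1 logs one
# isolated PCI ERROR (ignored), then ten consecutive ones (warning).
SAMPLE = (
    [f"2004-12-07T10:{i:02d}:00 rtr1 link up" for i in range(3)]
    + [f"2004-12-07T11:{i:02d}:00 rtr1 link up" for i in range(3)]
    + [f"2004-12-07T12:{i:02d}:00 rtr1 link flap" for i in range(40)]
    + ["2004-12-07T12:00:00 sol1 PCI ERROR: bus 0", "2004-12-07T12:01:00 sol1 kernel: ok"]
    + [f"2004-12-07T12:{i:02d}:00 sol1 PCI ERROR: bus 1" for i in range(2, 12)]
)

if __name__ == "__main__":
    print(rate_alerts(parse(SAMPLE)), run_alerts(parse(SAMPLE)))
```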