I recently did some graduate work on handling syslog messages with a program called SHARP (Syslog Heuristic Analysis and Response Program). Basically it's a library interface for receiving syslog messages in real time. The big win is that each module is resident and can maintain state. You could also do things when messages are _not_ received (i.e. "mark" messages).

Unfortunately the program isn't exactly ready for prime time (it really needs to be rewritten in Perl). But those interested in the concept can check out: http://www.csis.gvsu.edu/sharp/

I also review problems with the syslog architecture, many of which are addressed by the IETF working group.

--
Matt Bing
NFR Security Rapid Response Team
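As an added illustration of the resident, stateful module idea described in the post (this is not SHARP's code; it assumes constructed sample log lines and a hypothetical 20-minute "-- MARK --" interval), the monitor below keeps the last mark time per host and reports hosts whose heartbeat has gone missing:

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the original post). Each host is
# assumed to emit a "-- MARK --" heartbeat at least every 20 minutes.
SAMPLE_LOG = """\
Aug 17 08:00:00 web1 -- MARK --
Aug 17 08:00:00 db1 -- MARK --
Aug 17 08:05:00 db1 sshd[123]: Accepted publickey for ops from 10.0.0.5
Aug 17 08:20:00 web1 -- MARK --
Aug 17 08:40:00 web1 -- MARK --
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host message"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
MARK_INTERVAL = timedelta(minutes=20)  # assumed heartbeat period


def parse_line(line, year=2001):
    """Return (timestamp, host, message) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


class MarkMonitor:
    """Resident module: remembers when each host last sent a mark message."""

    def __init__(self, interval=MARK_INTERVAL):
        self.interval = interval
        self.last_mark = {}

    def feed(self, ts, host, msg):
        # Only heartbeat lines update state; ordinary messages are ignored here.
        if msg.strip() == "-- MARK --":
            self.last_mark[host] = ts

    def overdue(self, now):
        # Hosts whose last mark is older than the interval: something to act on,
        # even though no message was received, which a stateless filter cannot do.
        return sorted(h for h, t in self.last_mark.items() if now - t > self.interval)


def find_silent_hosts(log_text, now):
    """Replay log_text through the monitor and return hosts overdue at `now`."""
    mon = MarkMonitor()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            mon.feed(*rec)
    return mon.overdue(now)
```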
This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 08:39:16 PDT