Re: [logs] Log Analysis

From: Tycho Fruru (tycho.fruruat_private)
Date: Wed Jan 09 2002 - 15:38:52 PST

    On Wed, 9 Jan 2002, jamie rishaw wrote:
    
    >   I'd like to get some input from people who are currently running a
    > centralized logging environment with multiple (and theoretically multi-
    > platform) OS's logging to one (or multiple) syslog hosts.
    >
    >   Getting logging down, and getting hosts to log to a central server was
    > the easy part.  It's pretty nifty, one place to go, and no more /var
    > fill ups :-)   however, it's now time to go to the next step.
    It's not that simple if you
    
    1. want to make an effort that sent data does arrive (so no syslog over
    UDP...)
    2. don't want to open ports on your firewall from (say) your webservers to
    a central syslog-collecting machine - various reasons (problems with
    address translation, not 100 % sure about the internal syslog-listener,
    ...)
    3. want to be sure that logged messages are trustworthy (hostile network,
    replay attacks, selective network failure) or that there is an indicator
    to warn of potential problems.
    
    > >   What (presumedly freeware/opensource/open-dev) programs, home brew
    > perl madness, commercialware, etc, are people using for their log analysis?
    
    see http://www.freshmeat.net/projects/ipfc for some GPL perl madness.
    Disclaimer: I'm one of the authors so by definition not impartial.
    
    >   I think there will be two schools of solutions here, correct me if I'm
    > missing or off topic:
    
    >   1) Real-Time monitors to "tail" output and generate alerts/flags based
    >      on certain situations or checkpoints/markers, and
    >
    >   2) Daily log parsing for reports, trend analysis, and longer term
    >      watching
    
    3) Database-driven solution which can accommodate both batch and
    near-real-time needs.  Advantage : you can get the data out the way you
    want to.
    
    Best regards,
    Tycho Fruru
    
    -- 
    Tycho Fruru			tycho.fruruat_private
    
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    
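Points 1 and 3 above (delivery you can verify, and messages that resist replay and reveal selective loss) can be illustrated with a small forwarder/collector pair. The following is an added example written for this archive page; it is not code from the original post, from ipfc, or from any syslog implementation. It assumes a per-host shared secret provisioned out of band (`SHARED_KEY`), and the names `frame_record`, `Collector` and `run_demo` are hypothetical. Each log line is wrapped with a per-host sequence number and an HMAC-SHA256 tag; the collector drops forged or altered frames, rejects replays (sequence number not above the last accepted one) and raises an indicator when a gap shows that frames went missing, which is the warning the post asks for. Transport is left out: in practice these frames would travel inside a TCP (or TLS) stream rather than UDP, but the gap detection works whatever the transport.

```python
"""Replay-resistant, loss-detecting log forwarding with HMAC and sequence numbers.

Added example for the log-analysis thread, not code from the original post
or from ipfc.  SHARED_KEY is an assumed out-of-band secret; all sample log
lines below are constructed for the demo.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"example-key-provisioned-out-of-band"  # assumption: pre-shared per host


def frame_record(key: bytes, host: str, seq: int, message: str) -> bytes:
    """Wrap one log line as JSON body + '|' + HMAC-SHA256 over the body.

    The tag covers host, seq and msg, so a hostile network can neither alter
    the line nor replay/reorder it without the collector noticing.
    """
    body = json.dumps({"host": host, "seq": seq, "msg": message},
                      separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Collector:
    """Central receiver: verifies tags, tracks per-host sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}   # host -> highest accepted seq
        self.accepted = []   # (host, seq, msg) in arrival order
        self.alerts = []     # indicators of tampering, replay or loss

    def receive(self, frame: bytes) -> bool:
        body, sep, tag = frame.rpartition(b"|")
        if not sep:
            self.alerts.append("malformed frame dropped")
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            self.alerts.append("bad HMAC: forged or corrupted frame dropped")
            return False
        rec = json.loads(body)
        host, seq = rec["host"], rec["seq"]
        last = self.last_seq.get(host, 0)
        if seq <= last:
            # Already seen (or older): a replay or a duplicate, never re-accepted.
            self.alerts.append(f"{host}: replayed/duplicate seq {seq} (last {last})")
            return False
        if seq != last + 1:
            # Frames in between never arrived: selective network failure or
            # deliberate suppression; the line is kept but the gap is flagged.
            self.alerts.append(f"{host}: gap, seq {last + 1}..{seq - 1} missing")
        self.last_seq[host] = seq
        self.accepted.append((host, seq, rec["msg"]))
        return True


def run_demo() -> Collector:
    """Constructed scenario: web1 sends four lines; one is lost in transit,
    an attacker replays an old frame and then tampers with a captured one."""
    lines = [  # constructed sample log lines
        "sshd[412]: Accepted publickey for deploy from 10.0.0.5",
        'httpd: 10.0.0.9 - - "GET /admin HTTP/1.0" 403',
        "sshd[470]: Failed password for root from 198.51.100.7",
        'httpd: 10.0.0.9 - - "POST /login HTTP/1.0" 200',
    ]
    frames = [frame_record(SHARED_KEY, "web1", i + 1, m) for i, m in enumerate(lines)]
    collector = Collector(SHARED_KEY)
    collector.receive(frames[0])
    collector.receive(frames[1])
    # frames[2] is dropped on the wire (selective network failure)
    collector.receive(frames[3])            # accepted, but gap 3..3 is flagged
    collector.receive(frames[1])            # attacker replays an old frame
    forged = frames[3].replace(b'"seq":4', b'"seq":5')  # tampered body, stale tag
    collector.receive(forged)               # HMAC mismatch, dropped
    return collector


if __name__ == "__main__":
    c = run_demo()
    for host, seq, msg in c.accepted:
        print(f"OK   {host} #{seq}: {msg}")
    for a in c.alerts:
        print(f"WARN {a}")
```

The sequence number does double duty: it makes every frame unique under the HMAC (so a captured frame cannot be replayed later) and it lets the collector tell "nothing happened on web1" apart from "web1's lines are not reaching me". A persistent gap, or a host whose counter suddenly restarts at 1, is exactly the indicator worth alerting on.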



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 16:30:58 PST