Re: [logs] msyslog, mysql and real time alerts

From: Jacques Thomas (jacktomat_private)
Date: Wed Apr 24 2002 - 08:27:11 PDT


    Hi,
    
    Sorry for catching up quite late with the thread.
    
    I think (IMHO) that you will probably end up reinventing the wheel if
    you don't use something like swatch, logcheck, or logsurfer for
    real-time alerts. They do the work and do it well.
    
    You could maybe duplicate the log flow and send one copy to the
    real-time alert program, while sending the other copy to your database.
    This way you would have real-time alerts on one hand, and your nice
    reports extracted from the database on the other hand.
    
    If the growing size of the log file used to feed swatch (or the like) is
    a problem, I think swatch can be configured to read on named pipes,
    which would avoid the need for temporary log files to feed it. Maybe
    Nate Campi will correct me on this, since I saw some posts from him on
    the swatch users mailing list, on this topic.
    
    
    Best Regards,
    
    	Jacques THOMAS.
    
    
    Jason Lewis wrote:
    > 
    > > My page at www.campin.net/newlogcheck.html shows how I did all this
    > > stuff, using open source tools. Well, one part I ended up having to
    > > write myself, and haven't released the code. Nobody else should need
    > > that code, though (unless they're running shitty Vignette Storyserver
    > > on Solaris).
    > >
    > I should have mentioned I checked that out.  I set things up and had it
    > running.  The design works, but I wanted more and things didn't seem to
    > mesh with what I was trying to do. I am attempting to not use programs like
    > swatch or logcheck.  The other things that turn me off are patching syslogd
    > and rewriting log files.
    > 
    > msyslog will log directly to mysql, so I could eliminate syslog-ng and
    > syslogd.
    > 
    > Some of what I want to do starts spreading into event correlation.  I do
    > like your reports though.  A quick view like that is handy.
    > 
    > I may go back to your setup and see if I can modify it to reach my goal.
    > 
    > I misspoke when I said I haven't found anything.  Your setup is along the
    > same lines. ;)
    > 
    > Jason Lewis
    > http://www.packetnexus.com
    > 
    
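
The split described above (one copy of the log stream to a real-time alerter that reads a named pipe, a second copy kept for the database loader), as an added shell example that is not part of the original thread. The pattern-matching loop stands in for swatch or logcheck, and the patterns, sample syslog lines and addresses in them are constructed for this example.

```shell
#!/bin/sh
# Added example: route one syslog stream to two consumers at once.
# A named pipe feeds the real-time alerter, so no growing temporary
# log file is needed; tee keeps a second copy for the database loader.
set -eu

# Stand-in for a swatch-style alerter: one line in, one ALERT line out
# per match. Patterns are constructed for the example.
alert_reader() {
    while IFS= read -r line; do
        case $line in
            *"Invalid user"*|*"authentication failure"*|*segfault*)
                printf 'ALERT: %s\n' "$line" ;;
        esac
    done
}

# route_logs WORKDIR: reads log lines on stdin, writes WORKDIR/archive.log
# (copy destined for the database) and WORKDIR/alerts.out (alerter output).
route_logs() {
    workdir=$1
    fifo="$workdir/alerts.fifo"
    rm -f "$fifo"
    mkfifo -m 600 "$fifo"              # pipe is private to this user
    # Consumer side: alerter blocks on the FIFO until the producer opens it.
    alert_reader <"$fifo" >"$workdir/alerts.out" &
    reader=$!
    # Producer side: tee duplicates the stream, archive file plus FIFO.
    tee "$workdir/archive.log" >"$fifo"
    wait "$reader"                     # reader sees EOF once tee closes the FIFO
    rm -f "$fifo"
}

# Constructed sample input (documentation-range address 192.0.2.10).
sample_logs() {
    cat <<'EOF'
Apr 24 08:27:11 host sshd[1234]: Invalid user admin from 192.0.2.10
Apr 24 08:27:12 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)
Apr 24 08:27:13 host sshd[1235]: pam_unix(sshd:auth): authentication failure; rhost=192.0.2.10
EOF
}
```

In a real deployment the producer would be the syslog daemon writing to the FIFO (or a `tee` on its output), with the archive copy replaced by the msyslog/MySQL path.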
    



    This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 10:05:24 PDT