> I think you'll find that it is essential for you to scope
> the problem down to certain logs and certain situations;

This is obviously what I'm going to do; I'd like to meet my deadlines, and in general to have a life - sort of :-)

> My first instinct would be that you would want several conventional
> rule-based systems watching several logs, and feeding into a single
> "meta-log" that would serve as input to the NN. The rule-based systems
> would be responsible for replacing strings with numbers in real time.

This seems pretty likely to me, since this approach distributes part of the computation across various machines, and also allows "extensions" (for example, adding new kinds of logs and systems) - up to a certain degree at least. I also think that in this way I could treat the problem of network sniffer logs - they could be analyzed by something like SNORT, and the logs could then be normalized and sent over to the NN system.

> A crude example might be that you might decide you are interested in
> intrusion detection

This is exactly what started my interest in this problem :)

> so you might want an input row of normalized values
> corresponding to "log-value app-value msg-value server-value".

Your suggestions seem very logical. It is basically a trade-off between volume of information and amount of information. The more information I put in this "normalized values" row, the more details are available for the network to try and find correlations. Vice versa, the more columns I use, the fewer rows I can present as an "input window" to the system. So I need to draw on your experience to suggest to me how detailed YOU would like this info to be - to apply human intelligence and correlate events. This would be invaluable to me, in order to calibrate the system correctly and not to throw away the baby with the dirty water.
Stefano

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
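The pipeline discussed in this message, as an added example that is not part of the original thread or of any tool the posters describe: a rule-based front end parses raw lines, replaces strings with small integers on the fly, appends one "log app msg server" row to a meta-log, and the meta-log is then sliced into fixed-size input windows, so that adding columns visibly shrinks the number of rows per window. The syslog and access-log lines are constructed for the example, and the regexes, the message-class rules, the column set and the numeric budget are all assumptions chosen to illustrate the idea, not a recommended code book.

```python
"""Rule-based normalizer -> numeric meta-log -> NN input windows (example only)."""
import re
from collections import deque

# Constructed sample events in time order: (log name, collector-known server, raw line).
# For syslog the server is parsed from the line, so the collector passes None.
EVENTS = [
    ("syslog", None, "Jun 19 10:00:01 web1 sshd[1234]: Failed password for root from 10.0.0.5 port 4444 ssh2"),
    ("syslog", None, "Jun 19 10:00:02 web1 sshd[1234]: Failed password for root from 10.0.0.5 port 4445 ssh2"),
    ("access", "web1", '10.0.0.5 - - [19/Jun/2002:10:00:03 +0000] "GET /admin HTTP/1.0" 500 123'),
    ("syslog", None, "Jun 19 10:00:04 web1 sshd[1240]: Accepted password for admin from 10.0.0.5 port 4450 ssh2"),
    ("syslog", None, "Jun 19 10:00:05 web1 sudo:    admin : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow"),
    ("syslog", None, "Jun 19 10:00:06 db1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("access", "web1", '10.0.0.9 - - [19/Jun/2002:10:00:07 +0000] "GET /index.html HTTP/1.0" 200 4512'),
]

# Assumed line formats: classic BSD syslog and Apache common log format.
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+(?P<app>[^\[:\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Assumed rule table: the first regex that matches the message body names its class.
# Anything no rule matches becomes class 0 ("other") rather than a new code, so the
# NN input does not grow a column value for every novel string.
MSG_RULES = [
    ("ssh_fail", re.compile(r"^Failed password")),
    ("ssh_ok", re.compile(r"^Accepted password")),
    ("sudo_cmd", re.compile(r"COMMAND=")),
    ("http_5xx", re.compile(r"^status 5")),
    ("http_ok", re.compile(r"^status [23]")),
]

COLUMNS = ("log", "app", "msg", "server")


class Vocabulary:
    """Gives each distinct string a small integer the first time it is seen.
    This is the 'replace strings with numbers in real time' job; 0 is reserved."""

    def __init__(self):
        self._table = {}

    def code(self, token):
        return self._table.setdefault(token, len(self._table) + 1)

    def __len__(self):
        return len(self._table)


class Normalizer:
    """One rule-based front end. Its output rows are the shared meta-log."""

    def __init__(self):
        self.vocab = {c: Vocabulary() for c in COLUMNS}
        self.rows = []

    @staticmethod
    def classify(text):
        for name, rx in MSG_RULES:
            if rx.search(text):
                return name
        return None

    def feed(self, logname, server, line):
        """Parse one raw line, apply the rules, append and return the numeric row.
        Returns None for lines that do not match the known formats."""
        if logname == "syslog":
            m = SYSLOG_RE.match(line)
            if not m:
                return None
            server, app, msg = m.group("host"), m.group("app"), m.group("msg")
        elif logname == "access":
            m = ACCESS_RE.match(line)
            if not m:
                return None
            app, msg = "httpd", "status " + m.group("status")
        else:
            return None
        cls = self.classify(msg)
        row = (self.vocab["log"].code(logname),
               self.vocab["app"].code(app),
               self.vocab["msg"].code(cls) if cls else 0,
               self.vocab["server"].code(server))
        self.rows.append(row)
        return row


def windows(rows, budget, columns=len(COLUMNS)):
    """Slice the meta-log into overlapping, flattened input windows.
    `budget` is how many numbers the network accepts at once, so the window
    depth is budget // columns: more columns per row means fewer rows per window."""
    depth = budget // columns
    out, buf = [], deque(maxlen=depth)
    for r in rows:
        buf.append(r)
        if len(buf) == depth:
            out.append([v for row in buf for v in row])
    return out


def build(budget=12):
    """Run the whole pipeline over the constructed events; returns (rows, windows)."""
    n = Normalizer()
    rows = [r for r in (n.feed(*e) for e in EVENTS) if r is not None]
    return rows, windows(rows, budget)


if __name__ == "__main__":
    rows, wins = build()
    for r in rows:
        print(r)
    print(len(wins), "windows of", len(wins[0]), "values")
```

With a budget of 12 values and four columns each window holds three consecutive rows; halving the budget, or doubling the columns, halves the depth, which is exactly the trade-off raised in the message. Note that the vocabularies grow online, so codes are only stable within one run; a deployment feeding several collectors into one meta-log would need them to share one code book, which this example does not address.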
This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 08:18:30 PDT