[logs] writing syslog parsers

From: Tina Bird (tbird@precision-guesswork.com)
Date: Tue Dec 03 2002 - 20:35:12 PST

    i'm doing a bit of web surfing looking for new useful tools, and i think
    i've hit gold on the DShield web site.  for those of you who aren't
    familiar with it, DShield is a collaborative intrusion detection system
    sponsored in part by the SANS Institute.  they've got a >>huge<< number of
    what they call client programs, that parse logs from routers and firewall
    devices into the format required by their database:
    
    http://www.dshield.org/howto.html#clients
    
    and even better, they've got >>documentation<< on how to write your own
    parser:
    
    http://www.dshield.org/specs.html
    
    since one of the long-term goals of this list is to build a database of
    message dictionaries (syntaxes, if you like, for parsing different sorts
    of logs) as well as to build a database of log message samples, it seems
    to me that we can leverage all this work.  i have included a couple of my
    contacts at SANS and DShield to introduce them to the idea.
    
    anyone worked with these systems before?
    
    thanks -- tbird
    
    "Our duty, as living things, is to be sure that pain is not our whole
    story, for we can choose to be otherwise....we can choose to dance."
                                 -- from "Six Moon Dance," by Sheri Tepper
    
    http://www.shmoo.com/~tbird
    Log Analysis http://www.counterpane.com/log-analysis.html
    VPN http://vpn.shmoo.com
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
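
    One way to see what a DShield-style "client program" for a firewall log has to do,
    as an added example that is not part of the original post and not one of DShield's
    own clients: the Python below takes netfilter/iptables LOG lines as syslog records
    them, skips everything else, fills in the pieces syslog does not carry (the year
    and the UTC offset), and emits tab-separated records in the column order I recall
    from the DShield spec (date with offset, submitter ID, count, source IP, source
    port, target IP, target port, protocol number, TCP flags). That column order, the
    use of ICMP type/code in the port columns, and the one-letter flag encoding are
    assumptions from memory, to be checked against the spec URL above before
    submitting anything; the submitter ID is a placeholder. The sample log lines and
    the addresses in them are constructed.

```python
"""Convert netfilter/iptables syslog lines into DShield-style records (added example)."""
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample input: iptables LOG-target lines as syslog writes them. Lines 1 and 2
# are a SYN and its retransmission; the last line is a non-firewall message the parser
# must skip rather than choke on.
SAMPLE_SYSLOG = """\
Dec  3 20:35:12 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=12345 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  3 20:35:15 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=12346 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Dec  3 20:35:20 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=1029 DPT=1434 LEN=58
Dec  3 20:35:31 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Dec  3 20:35:40 fw sshd[1234]: Accepted publickey for tbird from 192.0.2.20 port 50022 ssh2
"""

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ kernel: (.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")       # netfilter KEY=value tokens
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}   # IANA protocol numbers


def parse_netfilter_line(line, year):
    """Return a packet dict for an iptables LOG line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None                       # not a kernel message at all (sshd, cron, ...)
    mon, day, clock, body = m.groups()
    kv = {}
    for key, val in KV_RE.findall(body):
        kv.setdefault(key, val)           # keep the first LEN=/ID= (the IP header's)
    if "SRC" not in kv or "PROTO" not in kv:
        return None                       # a kernel line that is not a LOG entry
    proto = kv["PROTO"]
    if proto not in PROTO_NUM:
        return None                       # GRE, ESP, ...: out of scope for this example
    if proto == "ICMP":
        # Assumption: DShield carries ICMP type and code in the port columns.
        sport, dport = kv.get("TYPE", "0"), kv.get("CODE", "0")
    else:
        sport, dport = kv.get("SPT", "0"), kv.get("DPT", "0")
    # Exact-token match, so "MAC=..." and "URGP=0" are not mistaken for ACK/URG.
    tokens = body.split()
    flags = "".join(f[0] for f in TCP_FLAGS if f in tokens)   # assumed one-letter encoding
    # Syslog timestamps carry no year; the caller supplies it.
    when = datetime.strptime("%s %s %s %s" % (year, mon, day, clock), "%Y %b %d %H:%M:%S")
    return {"time": when, "src": kv["SRC"], "sport": sport, "dst": kv["DST"],
            "dport": dport, "proto": PROTO_NUM[proto], "flags": flags}


def to_dshield(syslog_text, userid, year, tz="+00:00"):
    """Parse a syslog extract and return DShield-style tab-separated records.

    Identical packets (retransmitted SYNs, repeated probes) are collapsed into one
    record whose count column is raised, keeping the first timestamp seen. `tz` is
    the sensor's UTC offset, which syslog also does not record.
    """
    buckets = OrderedDict()
    for line in syslog_text.splitlines():
        pkt = parse_netfilter_line(line, year)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"], pkt["flags"])
        if key in buckets:
            buckets[key][1] += 1
        else:
            buckets[key] = [pkt["time"], 1]
    records = []
    for (src, sport, dst, dport, proto, flags), (when, count) in buckets.items():
        stamp = when.strftime("%Y-%m-%d %H:%M:%S") + " " + tz
        records.append("\t".join([stamp, str(userid), str(count), src, sport,
                                  dst, dport, str(proto), flags]))
    return records


if __name__ == "__main__":
    # userid=0 is a placeholder; a real submission uses the ID DShield assigns you.
    for rec in to_dshield(SAMPLE_SYSLOG, userid=0, year=2002):
        print(rec)
```

    Two things worth noticing before adapting this to another device: the regex keys
    on the literal "kernel:" program name and on netfilter's KEY=value layout, so a
    different firewall needs its own line matcher, and the aggregation key includes
    the source port, so a scanner that varies its source port still produces one
    record per probe rather than one rolled-up count.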
    



    This archive was generated by hypermail 2b30 : Tue Dec 03 2002 - 20:46:18 PST