Ganu Skop wrote:
>Couldn't find a correlation howto on the list.
That's because "correlation" is something everyone wants, but nobody even knows what it _is_. It's like "liberty" or "free beer" - everyone thinks it's a great idea and we should all have it, but there's no roadmap for getting from here to there.
You might want to take a look at the various literature for network management event correlation and fault detection or fault inference. A few Google searches are all it takes.
But - here's a preview - most of what passes for "event correlation" in the network management world consists of simple stuff like:

- cluster events in time by IP source
- cluster events into counted groups (i.e.: 1,000 alerts saying "route failed" get turned into 1 alert saying "route failed 1,000 times")
- given a codebook/rulebase, when event X occurs at the same time as event Y, call them event Z

So, there's no rocket science going on. It's a great opportunity. :)
mjr.
---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr@ranum.com
_______________________________________________
LogAnalysis mailing list
LogAnalysis@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis
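The three "simple stuff" passes listed in the message above (cluster by source within a time window, collapse repeats into counted groups, and a codebook rule that turns X-with-Y into Z), implemented as an added example. This is not code from the post or from the LogAnalysis list; the log lines, the 60-second fixed window, the rule table and the message text "router down suspected" are all constructed for illustration.

```python
"""Three elementary event-correlation passes over constructed log lines."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not from any real system): "<ISO timestamp> <source IP> <message>".
SAMPLE_LOG = """\
2003-05-20T10:00:01 10.0.0.5 route failed
2003-05-20T10:00:02 10.0.0.5 route failed
2003-05-20T10:00:03 10.0.0.5 route failed
2003-05-20T10:00:04 10.0.0.5 link down
2003-05-20T10:00:40 10.0.0.7 login failed
2003-05-20T10:00:41 10.0.0.7 login failed
2003-05-20T10:02:10 10.0.0.5 route failed
2003-05-20T10:02:12 10.0.0.5 link down
"""

# Hypothetical codebook: if every antecedent message is seen in one (source, window)
# cluster, emit the derived event. Real rulebases are larger, but the mechanism is the same.
RULES = [
    ({"route failed", "link down"}, "router down suspected"),
]


def parse(text):
    """Turn raw lines into (timestamp, source, message) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), src, msg))
    return events


def cluster_by_source(events, window_s=60):
    """Pass 1: group events by source IP inside fixed windows of window_s seconds.

    Windows are aligned to the start of the day, so a burst that straddles a
    boundary is split in two; that is the usual trade-off of fixed bucketing.
    """
    clusters = defaultdict(list)
    for ts, src, msg in sorted(events):
        seconds_of_day = ts.hour * 3600 + ts.minute * 60 + ts.second
        start = ts.replace(microsecond=0) - timedelta(seconds=seconds_of_day % window_s)
        clusters[(src, start)].append(msg)
    return dict(clusters)


def count_groups(clusters):
    """Pass 2: collapse repeated identical messages into one counted alert per cluster."""
    return {key: Counter(msgs) for key, msgs in clusters.items()}


def apply_rulebase(clusters, rules=RULES):
    """Pass 3: emit event Z for each cluster in which X and Y both occurred."""
    derived = []
    for (src, start), msgs in clusters.items():
        seen = set(msgs)
        for antecedents, conclusion in rules:
            if antecedents <= seen:
                derived.append((start, src, conclusion))
    return sorted(derived)


def correlate(text, window_s=60, rules=RULES):
    """Run all three passes and render the result as one line per alert."""
    clusters = cluster_by_source(parse(text), window_s)
    lines = []
    for (src, start), counts in sorted(count_groups(clusters).items()):
        for msg, n in counts.most_common():
            lines.append(f"{start:%H:%M:%S} {src} {msg} {n} time{'s' if n != 1 else ''}")
    for start, src, conclusion in apply_rulebase(clusters, rules):
        lines.append(f"{start:%H:%M:%S} {src} DERIVED: {conclusion}")
    return lines


if __name__ == "__main__":
    for line in correlate(SAMPLE_LOG):
        print(line)
```

Eight raw events become five counted alerts plus two derived ones. The count is kept on the collapsed alert rather than discarded, so the volume of a "route failed" storm is still visible after deduplication; and because the rule only fires inside one source-and-window cluster, a "route failed" from one host and a "link down" from another do not combine.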
This archive was generated by hypermail 2b30 : Tue May 20 2003 - 10:15:52 PDT