Re: [logs] High Network Load

From: Mark Teicher (mht3@private)
Date: Mon Sep 29 2003 - 00:16:59 PDT


    There are lots of hidden tricks that one can do with SNMP and syslog. The 
    trick is to craft code that utilizes SNMP and syslog efficiently and 
    effectively. I agree with MJR, syslog was poorly designed, but it is the 
    lowest common denominator program that is available on most Unix O/Ses. The 
    same goes for SNMP. Configuring SNMP and syslog can be very tricky in 
    order to obtain the data one wishes to utilize.
    
    A while back, I cooked up some scripts to use SNMP as a basic Intrusion 
    Detection System, but had to do some ugly regular expression programming to 
    parse out the useless data.
    
    Syslog data is a lot easier to sift through, and there are some off-the-shelf 
    programs that help one correlate the data in a very efficient manner.
    
    It really depends on what one wants to design; as many Perl programmers will 
    state, there is always more than one way to produce output. :)
    
    /mark
    
    At 01:04 PM 9/22/2003, Florin Andrei wrote:
    
    >On Fri, 2003-09-19 at 06:32, Paul Robertson wrote:
    > >
    > > Don't put all your logs in one basket.
    > >
    > > I can't imagine what design criteria fed into "Log everything over the
    > > network to a single server," but you should re-evaluate it fairly
    > > critically. Disk is slow, everything going to one logging daemon, logging
    > > to one filesystem (probably through one route) is going to be
    > > not-the-best-architectural-idea-anyone's-ever-had.
    >
    >It depends on what you are trying to accomplish.
    >
    >I can see the truth in your rebuttal, but there is a fair amount of
    >truth in the original message too.
    >Centralising syslog is good if you must analyse the information that
    >syslog provides in a centralised fashion. Sure, there are lots of things
    >you could do with SNMP, but I don't think the areas covered by syslog
    >and SNMP are mutually inclusive (i.e. the same).
    >
    >--
    >Florin Andrei
    >
    >http://florin.myip.org/
    >
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
    This archive was generated by hypermail 2b30 : Mon Sep 29 2003 - 12:53:02 PDT