Hi, I'm working on a log analysis application and am looking for some guidance in terms of development prioritization. I've written the following survey to help me to understand what people are looking for in an app. I would really appreciate any responses to this survey. Also, if you see a question that is glaringly not present, I'd love to know that as well.

Thanks in advance,
Jim

----------------------------------------------------------------------

Log Analysis Survey:

(please note that I use the term "message" to indicate a single line of information from a log file or whatever).

How do you want to match messages?
1. regexps
2. string equality (or sub-string equality)
3. length
4. all of the above
5. others (please specify)

Do you need to analyze messages that are:
1. character data such as ASCII strings (that stuff syslogd spits out :)
2. Binary data
3. both
4. neither (do tell! :)

What do you want to do with messages once matched?
1. print them to the screen
2. email them to an administrator
3. store them in a database
4. run a program (potentially with the message as input either on the command line or via a pipe)
5. more than one of the above
6. others (please specify)

How do you want to analyze your logs?
1. in real-time
2. off-line
3. a mixture of the above

Do you want to generate reports?
1. for an administrator
2. for management
3. both
4. neither

How many log messages do you receive for a "big machine" or a larger network (whatever those mean to your shop)?
1. less than 100,000 per day
2. 100,000 / day - 999,999 / day
3. 1,000,000 / day - 9,999,999 / day
4. 10,000,000 or more per day

How many machines are on this network (reporting to a single log host)?
1. less than 256
2. 256 - 1024
3. multiple class C networks
4. class B network or larger

What do you use for a log analysis machine for this "big machine" or network?

How fast is the processor/are the processors?
1. less than 1 GHz
2. 1 - 2 GHz
3. more than 2 GHz

How many processors are there?
1. 1
2. 2
3. more than 2

How much RAM is there?
1. 0 - 256 M
2. 256 - 1024 M
3. 1024 - 4096 M
4. more than 4096 M

(OPTIONAL) What application do you use for log analysis on this network?
1. Logsurfer
2. SEC
3. Swatch/Wots
4. custom perl
5. grep/awk
6. vendor supplied
7. other (please specify)

Do you currently attempt to correlate log events?
1. yes
2. no

Is this machine dedicated to log analysis?
1. yes
2. no (please specify other applications this machine is used for)

Does this machine feel:
1. overloaded
2. about right
3. under-utilized

This machine will be upgraded:
1. as soon as I have a compelling reason
2. a year or two
3. when this one goes south
4. We don't have any money, so when pigs fly... :)

How important is a dynamic ruleset (a configuration that can be modified at run-time)?
1. not very important
2. moderately important
3. very important

How important is a GUI configuration tool?
1. not very important
2. moderately important
3. very important

How important is a web-based GUI configuration tool?
1. not very important
2. moderately important
3. very important

How important is a command line interface?
1. not very important
2. moderately important
3. very important

How important is a powerful configuration language (such as Perl or Lisp)?
1. not very important
2. moderately important
3. very important

What should that configuration language be?
1. Perl
2. Lisp/Scheme
3. a custom log analysis language
4. fortran
5. others (please specify)

Is using Common Lisp as a configuration language a hurdle to you?
1. I love hacking lisp
2. no problem
3. a moderate hurdle
4. a significant hurdle
5. NO WAY! (eeew!) Not gonna do it!

How important are pre-made rulesets (that will only need minor tweaking to customize for your network)?
1. not very important
2. moderately important
3. very important

How important is it to you to be able to correlate events from multiple log files?
1. not very important
2. moderately important
3. very important

How important is it to you to be able to correlate events across log servers (an event is logged to syslog host A, another is logged to syslog host B; do you need to be able to correlate them?)?
1. not very important
2. moderately important
3. very important

What sorts of things do you need to be able to do with a log analysis tool (things that are hard requirements for you)?

What sorts of things do you want to be able to do with a log analysis tool (things that would be nice, but are not necessarily REQUIRED!)?

Thanks for any feedback you can provide.

Jim

--
James Prewett
Systems Team Leader
Designated Security Officer
HPC Systems Engineer III @ HPC@UNM
--
download@private
Jim@private

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Feb 02 2004 - 16:33:20 PST