Re: [logs] Most valueable log information

From: Ed Schmollinger (schmolli@private)
Date: Tue Aug 17 2004 - 08:34:10 PDT

On Mon, Aug 16, 2004 at 03:25:28PM +0200, Erik Norman wrote:
> People log for many different reasons. Many of you actively (and
> automatically) parses your logs, perhaps looking for security or
> availability issues. 
> What are your most valuable searches/queries/reg exps when digging your
> logs? Top five perhaps?

My site doesn't look for interesting things, we look for things that are
not uninteresting.  I think Mr. Ranum or somebody like that called it
"Artificial Ignorance."  We operate in a batch mode, though, where the
system rotates/parses the logs once a day and the systems staff review
the interesting messages.

If we were running the parser in realtime, then we'd be interested in:
memory/disk/cpu hardware errors  (eg, single-bit correctables)
root logins
failed login attempts
various su operations (non-admin user -> root, lots of fails, etc)

Really though, the things that can go wrong with systems are so many
and divers that if you look for specific things, you're going to miss
something important.  Sort of the same idea as a "default deny" rule on
a firewall.

If you're interested in availability, then you're probably better off
just running a real system/application monitor like nagios, openview,
bmc patrol, etc.

Ed Schmollinger - schmolli@private

LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Tue Aug 17 2004 - 08:39:11 PDT