On Mon, Aug 16, 2004 at 03:25:28PM +0200, Erik Norman wrote:
> People log for many different reasons. Many of you actively (and
> automatically) parse your logs, perhaps looking for security or
> availability issues.
>
> What are your most valuable searches/queries/reg exps when digging your
> logs? Top five perhaps?

My site doesn't look for interesting things, we look for things that are not uninteresting. I think Mr. Ranum or somebody like that called it "Artificial Ignorance." We operate in a batch mode, though, where the system rotates/parses the logs once a day and the systems staff review the interesting messages.

If we were running the parser in realtime, then we'd be interested in:

  memory/disk/cpu hardware errors (e.g., single-bit correctables)
  root logins
  failed login attempts
  various su operations (non-admin user -> root, lots of fails, etc.)

Really though, the things that can go wrong with systems are so many and diverse that if you look for specific things, you're going to miss something important. Sort of the same idea as a "default deny" rule on a firewall.

If you're interested in availability, then you're probably better off just running a real system/application monitor like nagios, openview, bmc patrol, etc.

-- 
Ed Schmollinger - schmolli@private
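The "artificial ignorance" approach in the reply above, shown as an added example written for this archive page (it is not Ed's code nor anything from the LogAnalysis list): one filter drops only lines an operator has already classified as noise and shows everything else, while the explicit watch list from the same reply (root logins, failed logins, su to root, correctable memory errors) shows only what someone thought to look for. The syslog sample, hostnames, users, addresses and all regular expressions are constructed for the example. Running it shows why the post compares the ignore list to "default deny": the made-up smartd disk warning survives the ignore list but is silently missed by the watch list.

```python
"""Artificial ignorance log triage (added example, not from the original post).

Two ways of reducing a day's syslog to what an operator should read:

  * a positive watch list (report only known-interesting patterns), and
  * artificial ignorance (drop only known-uninteresting patterns, report the rest).

Every log line, host, user and address below is constructed for this example.
"""
import re
from collections import Counter

# Constructed sample of one day's syslog (hypothetical host "web1").
SAMPLE_LOG = """\
Aug 16 03:12:01 web1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Aug 16 03:25:44 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Aug 16 03:26:10 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Aug 16 03:26:12 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Aug 16 03:26:14 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Aug 16 04:00:00 web1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Aug 16 04:17:33 web1 su: (to root) bob on pts/2
Aug 16 04:17:40 web1 su: FAILED SU (to root) carol on pts/3
Aug 16 05:41:09 web1 kernel: EDAC MC0: 1 CE memory read error on CPU_SrcID#0_Channel#1_DIMM#0
Aug 16 06:00:00 web1 CRON[1401]: (root) CMD (run-parts /etc/cron.hourly)
Aug 16 06:02:51 web1 sshd[2400]: Accepted password for root from 198.51.100.7 port 55010 ssh2
Aug 16 06:30:00 web1 smartd[412]: Device: /dev/sda, 8 Currently unreadable (pending) sectors
"""

# Patterns an operator has reviewed and decided are noise. The list only grows:
# each new class of line is read once, then either acted on or added here.
IGNORE_PATTERNS = [
    r"CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)",
    r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+ ",  # LAN key logins
]

# The opposite approach: an explicit watch list of "interesting" events.
WATCH_PATTERNS = [
    r"Accepted \w+ for root from",   # root logins
    r"Failed password for",          # failed login attempts
    r"su: .*\(to root\)",            # su to root, successful or failed
    r"EDAC MC\d+: \d+ CE",           # correctable memory errors
]

# syslog prefix "Mon DD HH:MM:SS host "; what follows is program + message.
_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")


def message_body(line):
    """Strip timestamp and host so patterns match on program and message only."""
    return _PREFIX.sub("", line, count=1)


def artificial_ignorance(lines, ignore_patterns=IGNORE_PATTERNS):
    """Return every line matching none of the known-uninteresting patterns.

    The "default deny" of log review: anything not explicitly ignored is
    shown to a human, including failure modes nobody has seen before.
    """
    ignore = [re.compile(p) for p in ignore_patterns]
    return [l for l in lines if not any(rx.search(message_body(l)) for rx in ignore)]


def watch_list(lines, watch_patterns=WATCH_PATTERNS):
    """Return only lines matching an explicit list of interesting patterns."""
    watch = [re.compile(p) for p in watch_patterns]
    return [l for l in lines if any(rx.search(message_body(l)) for rx in watch)]


def summarize(lines):
    """Collapse repeats (digits replaced by N) into (template, count), most frequent first.

    A burst of failed logins becomes one line with a count, which keeps the
    daily review short enough that staff actually read it.
    """
    counts = Counter(re.sub(r"\d+", "N", message_body(l)) for l in lines)
    return counts.most_common()


def split_lines(text):
    """Split a log blob into non-empty lines."""
    return [l for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    lines = split_lines(SAMPLE_LOG)
    print("== artificial ignorance: everything not known to be boring ==")
    for body, n in summarize(artificial_ignorance(lines)):
        print(f"{n:4d}  {body}")
    print("== watch list: only what we thought to look for ==")
    for body, n in summarize(watch_list(lines)):
        print(f"{n:4d}  {body}")
```

In practice the ignore list is the valuable artifact: it is tuned per site by reading the residue every day and adding a pattern only after someone has decided that line class is safe to stop seeing. Note that the watch-list regexes here are illustrative and are not a substitute for a real availability monitor, as the reply itself says.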
_______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Tue Aug 17 2004 - 08:39:11 PDT