On Tue, 17 Aug 2004 20:27:32 -0400
"Marcus J. Ranum" <mjr@private> wrote:
> I'm trying to build a list of the "most popular reports" that
> people pull from their system logs. This is mostly for my curiosity,
Some 'most popular' reports I've found useful include:
- top DNS RR queries. In addition to seeing what your most popular
queries are, if logging recursive queries, you often find 'bots'
when you see suspicious-looking host names trickle up to the top.
This is often because the name has been closed and client resolvers
are too dumb not to keep asking for it continuously.
- log message count per hour (or whatever time interval). For
many systems, logs across a 24-hour period are very smooth; spikes
in any interval period indicate an anomaly.
- top 'unknown/uncategorized' messages. In a couple of the top N
summarization tools I've written, I also create a 'top N' unknown
or uncategorized section. Ideally N should be greater than the
total number of unknown/uncategorized types so you can spot strange
messages and investigate.
Jose made an excellent point about trending, by the way. It's a little
bit more work to put that in some simple log parsing tools, which is
why a lot of people might not do it. A lot of people get trending from
their network via MRTG and flow data, so it's not as if people don't do
trending; they just tend not to do it with logs yet.
John
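Two of the reports John lists (per-hour message counts with spike detection, and a "top N unknown" section for lines matching no known pattern) as an added worked example; this is not code from the post or from any of the tools John mentions, and the syslog lines, the known-message patterns and the 2x-mean spike threshold are all constructed assumptions:

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the post): one quiet day with a
# burst of failed logins and one odd kernel message in the 03:00 hour.
SAMPLE_LOG = """\
Aug 17 01:12:03 host sshd[101]: Accepted publickey for alice from 10.0.0.5
Aug 17 01:40:11 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)
Aug 17 02:40:11 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)
Aug 17 03:05:44 host sshd[102]: Failed password for root from 10.0.0.9
Aug 17 03:05:45 host sshd[102]: Failed password for root from 10.0.0.9
Aug 17 03:05:46 host sshd[102]: Failed password for root from 10.0.0.9
Aug 17 03:05:47 host sshd[102]: Failed password for root from 10.0.0.9
Aug 17 03:05:48 host sshd[102]: Failed password for root from 10.0.0.9
Aug 17 03:05:49 host sshd[102]: Failed password for root from 10.0.0.9
Aug 17 03:06:02 host kernel: weird widget error 0xdeadbeef
Aug 17 04:40:11 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Known message families (assumed); anything matching none of them is 'unknown'.
KNOWN = [
    ("ssh_accept", re.compile(r"sshd\[\d+\]: Accepted ")),
    ("ssh_fail", re.compile(r"sshd\[\d+\]: Failed password")),
    ("cron_run", re.compile(r"cron\[\d+\]: \(\w+\) CMD ")),
]

# Classic syslog timestamp: 'Mon DD HH:MM:SS'; we keep only the 'Mon DD HH' part.
TS = re.compile(r"^(\w{3} +\d+ \d{2}):\d{2}:\d{2} ")

def count_per_hour(log):
    """Message count per hour, keyed by 'Mon DD HH'."""
    counts = Counter()
    for line in log.splitlines():
        m = TS.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def spike_hours(counts, factor=2.0):
    """Hours whose count exceeds factor * mean across all observed hours."""
    if not counts:
        return []
    mean = sum(counts.values()) / len(counts)
    return sorted(h for h, c in counts.items() if c > factor * mean)

def top_unknown(log, n=10):
    """Top-N message bodies (timestamp/host/program stripped) matching no known pattern."""
    unknown = Counter()
    for line in log.splitlines():
        if not any(p.search(line) for _, p in KNOWN):
            unknown[line.split(": ", 1)[-1]] += 1
    return unknown.most_common(n)
```

On the sample, the 03:00 hour (7 of 11 messages) is flagged as a spike and the single kernel message surfaces as the only unknown, which is exactly the "strange message to investigate" the post describes.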
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Wed Aug 18 2004 - 13:52:31 PDT