On Thu, Aug 19, 2004 at 02:49:23PM -0600, Jim Prewett wrote:

> I agree! I used to consider my hourly cron job messages to be "not
> interesting" until I realized that I could use them to find NTP problems!
> (If the hourly cron job fires at an odd time, there is most likely an NTP
> problem on that host or on the syslog host, or a serious load on the host
> that's preventing it from running the cron job on time.) Now I'm very
> interested in my regular cron job messages.

Right. See my previous response. You never *delete* log entries!

> I basically look for uninteresting messages in the set of messages that
> have no interesting variables. E.g. if the time is not something I find
> interesting (e.g. a message that could happen at any time of the day), then
> that field can be ignored for that message type. If you can say that none
> of the fields could be interesting, then the message is uninteresting.

Regex hell, but it can be done.

> I also like to tell myself that my log analysis configs represent what I
> am currently interested in. I expect that the set of interesting messages
> will change depending on what problem I'm trying to solve. So, I'm not
> filtering because there is no value in the message, but rather because I
> don't need any of the potential value of that message to solve the problem
> I'm working on.

Right! Which would be why plopping all logs into a DB would be optimal from a
slice-n-dice datamining POV. The same dataset, and all entities that are
curious about the data can look at it the way they want.

Tim

-- 
Tim Sailer <sailer@private>
Information and Special Technologies Program
Office of CounterIntelligence
Brookhaven National Laboratory
(631) 344-3001
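The two ideas in the exchange above, Jim's "hourly cron job at an odd time points at NTP or load trouble" heuristic and his per-message-type rule that a message with no interesting variable fields is uninteresting, as an added example in Python. This is not code from either participant; the syslog lines, the tolerance of 60 seconds, the message patterns and the interest policy are all constructed here for illustration. Messages judged uninteresting are filed, not dropped, in keeping with Tim's point that log entries are never deleted.

```python
"""Constructed example: detect hourly cron runs that drift from the top of
the hour, and triage messages by whether any of their variable fields is
declared interesting for that message type."""
import re

# Constructed sample syslog lines (not taken from the original thread).
SAMPLE_LOG = """\
Aug 19 13:00:01 host1 CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Aug 19 14:00:02 host1 CRON[1340]: (root) CMD (run-parts /etc/cron.hourly)
Aug 19 15:07:45 host1 CRON[1502]: (root) CMD (run-parts /etc/cron.hourly)
Aug 19 15:59:58 host1 CRON[1633]: (root) CMD (run-parts /etc/cron.hourly)
Aug 19 16:00:00 host2 CRON[991]: (root) CMD (run-parts /etc/cron.hourly)
Aug 19 16:12:31 host1 sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""

# Classic BSD syslog layout: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[A-Za-z_]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

HOURLY_CRON_RE = re.compile(r"CMD \(run-parts /etc/cron\.hourly\)")
DRIFT_TOLERANCE_S = 60  # constructed threshold; tune to your cron/NTP setup


def parse_line(line):
    """Split one syslog line into its fields; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["raw"] = line
    return rec


def seconds_from_hour_mark(time_str):
    """Signed drift in seconds from the nearest top-of-hour (-1800..1800]."""
    hours, minutes, seconds = (int(x) for x in time_str.split(":"))
    offset = minutes * 60 + seconds
    return offset - 3600 if offset > 1800 else offset


def find_cron_drift(log_text, tolerance_s=DRIFT_TOLERANCE_S):
    """Return (host, time, drift) for hourly cron runs outside tolerance.

    A run that fires well off the hour suggests a clock problem on the host
    or the syslog collector, or a host too loaded to start cron on time."""
    anomalies = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prog"] != "CRON":
            continue
        if not HOURLY_CRON_RE.search(rec["msg"]):
            continue
        drift = seconds_from_hour_mark(rec["time"])
        if abs(drift) > tolerance_s:
            anomalies.append((rec["host"], rec["time"], drift))
    return anomalies


# Interest policy per message type (constructed): each entry pairs a pattern
# with a predicate over the parsed fields that says whether *any* variable
# field of this message is interesting. A predicate that always returns
# False means no field of that type is ever interesting.
INTEREST_POLICY = [
    # hourly cron: the only interesting field is the time, and only when it drifts
    (HOURLY_CRON_RE,
     lambda rec: abs(seconds_from_hour_mark(rec["time"])) > DRIFT_TOLERANCE_S),
    # accepted logins: host and message body are always worth a look
    (re.compile(r"^Accepted \w+ for "), lambda rec: True),
    # example of a type with no interesting fields at all (constructed path)
    (re.compile(r"^\(root\) CMD \(/usr/lib/sa/sa1"), lambda rec: False),
]


def is_interesting(rec):
    """Apply the first matching policy; unknown types stay interesting."""
    for pattern, predicate in INTEREST_POLICY:
        if pattern.search(rec["msg"]):
            return bool(predicate(rec))
    return True


def triage(log_text):
    """Split raw lines into (interesting, filed). Nothing is discarded."""
    interesting, filed = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            interesting.append(line)  # unparseable lines deserve attention
            continue
        (interesting if is_interesting(rec) else filed).append(line)
    return interesting, filed


if __name__ == "__main__":
    for host, when, drift in find_cron_drift(SAMPLE_LOG):
        print(f"cron drift on {host} at {when}: {drift:+d}s from the hour")
    keep, archive = triage(SAMPLE_LOG)
    print(f"{len(keep)} interesting, {len(archive)} filed for later slicing")
```

The policy list is the "regex hell" Tim mentions, kept small here; in practice the per-type predicates would live in a config file so the set of interesting fields can change with the problem being worked on, while the filed lines still land in the same store for later querying.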
This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 22:03:43 PDT