Also, when you're anonymizing, make sure you map the same fields to the same random outputs. I was experimenting with a correlation engine way back in the day and used some anonymized logs -- then I discovered that it was always mapping

    user@private -> xxxx@private
    user3@private -> xxxx@private

message-ids were also getting "crushed down" - so my tool was trying to build sequence-trees of events and concluded that one person was REALLY busy. ;)

So just keep a table of randomly generated IDs and always map the same input to the matching randomly-generated output wherever you see it.

mjr.
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
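
The table-based mapping described in the message above, as an added example that is not part of the original post: each distinct address or message-id gets one randomly generated token, and that token is reused on every later sighting so event correlation still works. The regex, class and function names, and the sample log lines are constructed for illustration.

```python
import re
import secrets

# Message-ids (<...@...>) are tried first so the address pattern does not
# split them. Both patterns are simplified assumptions for this example.
FIELD_RE = re.compile(r"<(?P<msgid>[^<>\s]+@[^<>\s]+)>|(?P<addr>[\w.+-]+@[\w.-]+)")

class Pseudonymizer:
    """Maps each distinct input to one random token, reused on every sighting."""

    def __init__(self):
        self.table = {}    # (kind, original value) -> random token
        self.used = set()  # tokens already handed out

    def _token(self, kind, value):
        key = (kind, value)
        if key not in self.table:
            token = secrets.token_hex(6)
            while token in self.used:  # two inputs must never share a token
                token = secrets.token_hex(6)
            self.used.add(token)
            self.table[key] = token
        return self.table[key]

    def scrub(self, line):
        def repl(m):
            if m.group("msgid"):
                return "<%s@anon>" % self._token("msgid", m.group("msgid"))
            return "%s@anon" % self._token("addr", m.group("addr"))
        return FIELD_RE.sub(repl, line)

# Constructed sample lines (not taken from any real log).
SAMPLE = [
    "Jan 23 09:00:01 mx1 sm[101]: A1: from=alice@example.org, msgid=<111.aa@example.org>",
    "Jan 23 09:00:02 mx1 sm[101]: A1: to=bob@example.org, stat=Sent",
    "Jan 23 09:00:09 mx1 sm[102]: B2: from=bob@example.org, msgid=<222.bb@example.org>",
    "Jan 23 09:00:10 mx1 sm[102]: B2: to=alice@example.org, stat=Sent",
]

def anonymize(lines):
    """Scrub all lines with one shared table; return (scrubbed lines, table)."""
    p = Pseudonymizer()
    return [p.scrub(line) for line in lines], p.table

if __name__ == "__main__":
    scrubbed, table = anonymize(SAMPLE)
    print("\n".join(scrubbed))
```

The table is the re-identification key: keep it if the mapping must stay stable across several log files, and store it apart from the scrubbed output.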