[unisog] reporting on a central syslog server
r.fulton at auckland.ac.nz
Mon Apr 4 21:06:34 GMT 2005
On Mon, 2005-04-04 at 10:53 -0400, Harry Hoffman wrote:
> Hi Michael,
> We are using SL3 to a great degree of success for the central logging
> and use NTSyslog for the Windows to Unix logflow:
I wrote this with Harry when he was with us. It has some features that
are not (or weren't a couple of years ago) in other log watches.
From memory:
* uses perl REs for matching (it sucks in all the patterns and
then compiles them in a single matching routine so you get all
the optimisation that perl can throw at it).
* has thresholding (i.e. will report if more than x matches on a
rule) -- useful for those things that normally produce a trickle
of messages but which you want to know about if there are
* count matches against a pattern
* you can pass records matching a pattern to a user supplied
subroutine. I use this to do hourly reports on viruses from the
sophie logs (the routine gets called after processing finishes
with a special parameter so you can produce summaries etc).
* assumes that there are lots of different admins for different
machines -- you have a config file that specifies who gets
notified about what.
* the config file has named bunches of rules (these usually relate
to applications or OS) and then for each machine you list the
rulesets you need.
Main limitation is that it will currently only do email reports although
it should be easy to extend it to use pagers or whatever. Hmmmm... you
could do this with a user supplied reporter routine.
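A sketch of the design described in the post, as an added example: this is not the poster's Perl script (which is not on this page) but a Python re-implementation of the same ideas, with constructed rulesets, host list, admin list and sample syslog lines. One compiled alternation of named groups per host stands in for the single compiled matching routine, thresholds are applied at report time, a user-supplied handler object is called per record and once more with an end-of-run sentinel to produce a summary, and the reporter returns per-admin text instead of mailing it.

```python
import re
from collections import Counter, defaultdict

# Named bunches of rules by application; each rule is (name, regex, threshold).
# Threshold 0 reports every match; N > 0 reports only if more than N matches.
# All names, hosts, addresses and patterns here are constructed for the example.
RULESETS = {
    "sshd": [("ssh-failed-password", r"sshd\[\d+\]: Failed password for", 2),
             ("ssh-root-login", r"sshd\[\d+\]: Accepted \S+ for root", 0)],
    "sophie": [("virus-found", r"sophie\[\d+\]: Virus '([^']+)' found", 0)],
}
HOSTS = {"web1": ["sshd"], "mail1": ["sshd", "sophie"]}   # machine -> rulesets it needs
ADMINS = {"webadmin@example.edu": ["web1"], "mailadmin@example.edu": ["mail1"]}
END_OF_RUN = object()   # sentinel passed to user handlers once processing finishes
SYSLOG_LINE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)\s+(.*)$")


class LogWatcher:
    def __init__(self, rulesets, hosts, admins, handlers):
        self.rulesets, self.hosts, self.admins, self.handlers = rulesets, hosts, admins, handlers
        self.counts = defaultdict(Counter)                     # host -> rule -> match count
        self.samples = defaultdict(lambda: defaultdict(list))  # host -> rule -> example messages
        self._matchers = {}

    def _matcher_for(self, host):
        """Compile every rule that applies to a host into ONE alternation (once per host).
        Each rule is a named group, so a single search() reports the firing rule via
        m.lastgroup; groups nested inside a rule don't disturb it, since the enclosing
        named group closes last."""
        if host not in self._matchers:
            rules = [r for rs in self.hosts[host] for r in self.rulesets[rs]]
            names = {f"r{i}": name for i, (name, _, _) in enumerate(rules)}
            thresholds = {name: thr for name, _, thr in rules}
            alternation = "|".join(f"(?P<r{i}>{pat})" for i, (_, pat, _) in enumerate(rules))
            self._matchers[host] = (re.compile(alternation), names, thresholds)
        return self._matchers[host]

    def feed(self, line):
        """Process one syslog line; return the name of the rule it matched, or None."""
        m = SYSLOG_LINE.match(line)
        if not m or m.group(1) not in self.hosts:
            return None                          # malformed, or nobody watches that host
        host, msg = m.group(1), m.group(2)
        regex, names, _ = self._matcher_for(host)
        hit = regex.search(msg)
        if not hit:
            return None
        rule = names[hit.lastgroup]
        self.counts[host][rule] += 1
        if len(self.samples[host][rule]) < 2:
            self.samples[host][rule].append(msg)
        if rule in self.handlers:                # hand the record to the user routine
            self.handlers[rule](host, msg)
        return rule

    def reports(self):
        """End the run: let each handler summarise, then build one report per admin
        covering only their machines. Returns {admin: [lines]} rather than mailing,
        so a pager or ticket reporter could be dropped in at this point."""
        summaries = {rule: fn(END_OF_RUN, None) for rule, fn in self.handlers.items()}
        out = {}
        for admin, machines in self.admins.items():
            lines, applicable = [], set()
            for host in machines:
                _, _, thresholds = self._matcher_for(host)
                applicable.update(thresholds)
                for rule, n in sorted(self.counts[host].items()):
                    if n > thresholds[rule]:     # thresholding: report only past the limit
                        lines.append(f"{host}: {rule} x{n} (threshold {thresholds[rule]})")
                        lines.extend("    " + s for s in self.samples[host][rule])
            lines.extend(t for r, t in summaries.items() if r in applicable and t)
            out[admin] = lines
        return out


class VirusTally:
    """User-supplied routine in the style the post describes: called per matching
    record, then once more with END_OF_RUN to return a summary."""
    def __init__(self):
        self.seen = Counter()

    def __call__(self, host, msg):
        if host is END_OF_RUN:
            return "virus summary: " + ", ".join(f"{v}={n}" for v, n in sorted(self.seen.items()))
        self.seen[re.search(r"Virus '([^']+)'", msg).group(1)] += 1


# Constructed syslog sample: a burst of failures on web1, one stray failure plus a
# root login on mail1, two virus detections, and a line from an unconfigured host.
SAMPLE_LOG = """\
Apr  4 21:01:02 web1 sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 4000 ssh2
Apr  4 21:01:05 web1 sshd[1202]: Failed password for invalid user admin from 10.0.0.5 port 4001 ssh2
Apr  4 21:01:09 web1 sshd[1203]: Failed password for invalid user admin from 10.0.0.5 port 4002 ssh2
Apr  4 21:02:00 web1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
Apr  4 21:03:30 mail1 sshd[3301]: Failed password for root from 192.0.2.9 port 5000 ssh2
Apr  4 21:04:10 mail1 sshd[3310]: Accepted publickey for root from 10.0.0.2 port 5100 ssh2
Apr  4 21:05:00 mail1 sophie[900]: Virus 'W32/Netsky-P' found in /var/spool/quarantine/msg1
Apr  4 21:06:00 mail1 sophie[902]: Virus 'W32/Bagle-AA' found in /var/spool/quarantine/msg3
Apr  4 21:06:34 db9 sshd[42]: Failed password for root from 198.51.100.7 port 6000 ssh2
"""


def watch(log_text):
    """Run the watcher over syslog text and return {admin: report lines}."""
    w = LogWatcher(RULESETS, HOSTS, ADMINS, {"virus-found": VirusTally()})
    for line in log_text.splitlines():
        w.feed(line)
    return w.reports()
```

Running watch(SAMPLE_LOG) gives the web admin only the web1 password-failure burst (three hits against a threshold of two), while the mail admin sees the root login and the virus hits plus the handler's summary; the single mail1 password failure sits under the threshold and is not reported, and the db9 line is dropped because no ruleset is configured for that host.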