Mailing List Archive

Log watch software
I have a centralized repository using rsyslog and syslog to mirror
/var/log/messages, /var/log/secure, and information messages from
cfengine. In the near future I hope to get auditd reporting to a
central server. My immediate task is to add some log analysis software
on the central server. I've started modifying LogWatch to work with
MySQL -- that's pretty straightforward -- but I'm curious what other
solutions there may be out there. FOSS is preferred but I'm not
against a reasonably priced commercial product. So far everything
Google has returned are commercial products for Windows systems.

--
Stephen Carville
Log watch software [ In reply to ]
I am not so involved with logwatch. Let me ask feature-wise: what
capabilities do you need to do the job?

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Stephen Carville
> Sent: Thursday, March 06, 2008 6:54 PM
> To: rsyslog-users
> Subject: [rsyslog] Log watch software
>
> I have a centralized repository using rsyslog and syslog to mirror
> /var/log/messages, /var/log/secure, and information messages from
> cfengine. In the near future I hope to get auditd reporting to a
> central server. My immediate task is to add some log analysis software
> on the central server. I've started modifying LogWatch to work with
> MySQL -- that's pretty straightforward -- but I'm curious what other
> solutions there may be out there. FOSS is preferred but I'm not
> against a reasonably priced commercial product. So far everything
> Google has returned are commercial products for Windows systems.
>
> --
> Stephen Carville
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
Log watch software [ In reply to ]
Hi Stephen,
Did you mean to ask a question...

Log watch software [ In reply to ]
On Thu, Mar 6, 2008 at 9:55 AM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
> I am not so involved with logwatch. Let me ask feature-wise: what
> capabilities do you need to do the job?

About 99% of what's in messages or secure is trivia. JoeBob logged
in, ran a sudo command and logged off. An authenticated mount request
was received from ip.add.re.ss. That sort of thing. What I'm looking
for is a parser that can pick out the (hopefully) rare messages that
indicate a problem, like a disk drive reporting errors.

I can modify Big Brother and logwatch to do this but I am curious if
anyone has a favorite package I haven't heard of yet.

> Rainer



--
Stephen Carville
Log watch software [ In reply to ]
Hi,

I see where you are coming from. That's the million-dollar question ;) I
suggest you also post to the loganalysis list, that's probably a better
place than over here:

http://www.loganalysis.org/mailman/listinfo/loganalysis

Let me hijack this thread to share an idea. Rsyslog has a lot of
infrastructure in place. Once I am finished with the essentials (which
will of course be in a few months...), I'd like to put that
infrastructure to better use than just driving the simple outputs we
currently have. One thing I have on my mind is an output plugin which
stores (hashes of) all messages within a timeframe (e.g. the last 7 days).
Then, when a new message comes in, it compares it to all previous
messages and emits a special message itself if the message occurred less
than "n" times in the past. I think this goes in the direction of what
you are looking for.

But would it generally be considered to be a useful idea? Even though we
are months away from an implementation, feedback would be very valuable
to me as it helps me shape my mid- to long-term direction.

Rainer

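The two ideas in this thread (Stephen's "pick out the rare message, such as a disk error, from the trivia" and Rainer's "hash every message, keep a window, alert when a message has occurred fewer than n times") fit together in a few dozen lines. The following is an added example written for this page; it is not code from rsyslog, LogWatch or anyone in the thread. It assumes classic BSD syslog lines without a year (2008 is assumed when parsing), a constructed six-day sample of routine traffic, and an illustrative known-bad pattern list; the normaliser rules and thresholds are choices of the example, not of any product.

```python
"""Added example: template-rarity detector in the spirit of the hash-window
idea in the thread, plus a small known-bad pattern list for the disk-error
case. All log lines and patterns here are constructed for illustration."""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Mar  6 18:54:01 host prog[pid]: message"  (BSD syslog layout, no year)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Variable fields are masked before hashing. Hashing the raw line would make
# almost every message unique (pids, ports, addresses, sector numbers differ).
NORMALISERS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b\d+\b"), "<n>"),
]

# Assumed, illustrative patterns; a real deployment curates its own list.
KNOWN_BAD = [
    ("disk_error", re.compile(r"\b(I/O error|Medium Error|Unrecovered read error)\b", re.I)),
    ("auth_failure", re.compile(r"authentication failure|Failed password", re.I)),
]


def parse(line, year=2008):
    """Split a syslog line into (timestamp, host, tag, message), or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["tag"], m["msg"]


def template(tag, msg):
    """Reduce a message to its stable shape, e.g. 'sshd: ... from <ip> port <n> ssh2'."""
    for rx, repl in NORMALISERS:
        msg = rx.sub(repl, msg)
    return f"{tag}: {msg}"


def template_hash(tmpl):
    return hashlib.sha256(tmpl.encode()).hexdigest()[:16]


def known_bad(msg):
    return [name for name, rx in KNOWN_BAD if rx.search(msg)]


class RarityDetector:
    """Per template hash, remember the timestamps seen inside a sliding window."""

    def __init__(self, window_days=7, threshold=2):
        self.window = timedelta(days=window_days)
        self.threshold = threshold  # rare = seen fewer than this many times in the window
        self.seen = defaultdict(deque)

    def observe(self, ts, tag, msg):
        """Record one message; return (count seen earlier within the window, template)."""
        tmpl = template(tag, msg)
        dq = self.seen[template_hash(tmpl)]
        while dq and ts - dq[0] > self.window:  # expire entries older than the window
            dq.popleft()
        prior = len(dq)
        dq.append(ts)
        return prior, tmpl


def analyse(lines, detector=None):
    """One alert dict per line that is rare in the window and/or matches a known-bad pattern."""
    det = detector or RarityDetector()
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _host, tag, msg = parsed
        prior, tmpl = det.observe(ts, tag, msg)
        bad = known_bad(msg)
        if prior < det.threshold or bad:
            alerts.append({"ts": ts, "line": line, "template": tmpl, "prior": prior, "known_bad": bad})
    return alerts


def build_sample():
    """Constructed data: six days of routine logins and mounts, then two events worth seeing."""
    lines, pid = [], 4000
    for day in range(1, 7):
        for user, ip in (("joebob", "10.0.0.12"), ("alice", "10.0.0.13")):
            pid += 2
            lines.append(f"Mar  {day} 08:00:01 web1 sshd[{pid}]: Accepted publickey for {user} from {ip} port {51000 + pid} ssh2")
            lines.append(f"Mar  {day} 08:00:05 web1 sudo[{pid + 1}]: {user} : TTY=pts/0 ; PWD=/home/{user} ; USER=root ; COMMAND=/bin/ls")
            lines.append(f"Mar  {day} 08:00:09 web1 sshd[{pid}]: pam_unix(sshd:session): session closed for user {user}")
        lines.append(f"Mar  {day} 09:12:44 nfs1 rpc.mountd[911]: authenticated mount request from 10.0.0.31:702 for /export (/export)")
    lines.append("Mar  6 18:54:00 nfs1 kernel: end_request: I/O error, dev sda, sector 3911008")
    lines.append("Mar  6 18:55:12 web1 sshd[7000]: Failed password for invalid user admin from 203.0.113.9 port 3344 ssh2")
    return lines


if __name__ == "__main__":
    for a in analyse(build_sample()):
        print(f"{a['ts']:%b %d %H:%M} prior={a['prior']} known_bad={','.join(a['known_bad']) or '-'} {a['template']}")
```

Two things the example makes visible that the thread only hints at: the hash has to be taken over a normalised template rather than the raw line, or every login with a fresh pid and port counts as "never seen"; and a pure window scheme has a cold start, so in the sample the routine templates alert on days 1 and 2 until they have been seen at least `threshold` times, while on day 6 only the disk error and the failed password are reported. The known-bad list exists because a rarity check alone would stop flagging a disk error once it had repeated a few times, which is exactly when you most want to hear about it.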
Log watch software [ In reply to ]
> Let me hijack this thread to share an idea. Rsyslog has a lot of
> infrastructure in place. Once I am finished with the essentials (which
> will of course be in a few months...), I'd like to put that
> infrastructure to better use than just driving the simple outputs we
> currently have. One thing I have on my mind is an output plugin which
> stores (hashes of) all messages within a timeframe (e.g. the last 7 days).
> Then, when a new message comes in, it compares it to all previous
> messages and emits a special message itself if the message occurred less
> than "n" times in the past. I think this goes in the direction of what
> you are looking for.
>
> But would it generally be considered to be a useful idea? Even though we
> are months away from an implementation, feedback would be very valuable
> to me as it helps me shape my mid- to long-term direction.
>
> Rainer

Just thinking out loud... it would be very cool if one could build in
some AI in such a plugin. You could then spend time "training" the
plugin, and buy "trained" AIs to recognize certain patterns in the
logs, etc.

Regards