LogAnalysis
[logs] regexless parsing, again? Sep 13 2007 06:56PM
Anton Chuvakin (anton chuvakin org) (3 replies)
Re: [logs] regexless parsing, again? Sep 17 2007 07:30PM
Daniel Cid (danielcid yahoo com br) (3 replies)
Re: [logs] regexless parsing, again? Sep 18 2007 10:27PM
Jason Haar (Jason Haar trimble co nz) (1 replies)
Re: [logs] regexless parsing, again? Sep 19 2007 01:01AM
Daniel Cid (dcid ossec net)
Re: [logs] regexless parsing, again? Sep 17 2007 09:44PM
Tom Le (dottom gmail com)
On 9/17/07, Daniel Cid <danielcid (at) yahoo.com (dot) br [email concealed]> wrote:
| First of all, I think most projects do log analysis
| wrong. They confuse log decoding with rule matching
| and end up with hundreds of regexes that are checked on
| every log. Regexes can be used to extract some bits of
| patterns from the logs, but not as the main method to
| do the log analysis...

I think scale is an important factor to discuss when we talk about
performance. With advances in CPU speeds, even the worst-case scenario of
looping through N regex rules is not that bad for most applications. You
mentioned OSSEC with 500 rules, which isn't that bad a problem even if you
had to try all of them.

Now if you had 5k, 50k, or 500k rules... then scale becomes a factor.
Similarly, you have to look at throughput as well... do you need to parse
100 messages per second or 10,000?
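To put numbers on the two points raised in this message (how bad a linear loop over N regexes really is, and how "decode first, then match" as Daniel describes it changes the scaling), here is an added example in Python. It is my own illustration, not code from this thread and not OSSEC's parser. The log lines are constructed samples, the filler rules use hypothetical program names (prog0, prog1, ...), and the decoder is a single syslog header regex run once per line so that only the rules registered for that program are tried afterwards.

```python
import re
import time
from collections import defaultdict

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_LOGS = [
    "Sep 17 21:44:01 host1 sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2",
    "Sep 17 21:44:02 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.11 port 4023 ssh2",
    "Sep 17 21:44:03 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "Sep 17 21:44:04 host1 kernel: [12345.678] eth0: link up",
    "Sep 17 21:44:05 host1 cron[999]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Decoder: one header regex run once per line to split out the program name and message.
SYSLOG_HDR = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z0-9_./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def decode(line):
    """Return the header fields of a syslog line, or None if it is not syslog-shaped."""
    m = SYSLOG_HDR.match(line)
    return m.groupdict() if m else None

# Rules: (rule id, program the rule applies to, regex over the message part).
REAL_RULES = [
    ("ssh_fail", "sshd", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("ssh_ok", "sshd", re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("sudo_cmd", "sudo", re.compile(r"(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")),
]

def make_rules(n_padding):
    """Real rules plus n_padding filler rules for unrelated, hypothetical programs prog0, prog1, ..."""
    rules = list(REAL_RULES)
    for i in range(n_padding):
        rules.append((f"pad_{i}", f"prog{i}", re.compile(rf"event {i} code (?P<code>\d+)")))
    return rules

def match_linear(lines, rules):
    """Try every rule's regex against every full line, stopping at the first hit per line.
    Returns (hits, number of regex evaluations performed)."""
    hits, evals = [], 0
    for line in lines:
        for rule_id, _prog, rx in rules:
            evals += 1
            m = rx.search(line)
            if m:
                hits.append((rule_id, m.groupdict()))
                break
    return hits, evals

def match_decoded(lines, rules):
    """Decode the header once, then try only the rules registered for that program.
    The header regex counts as one evaluation. Returns (hits, number of regex evaluations)."""
    by_prog = defaultdict(list)
    for rule in rules:
        by_prog[rule[1]].append(rule)
    hits, evals = [], 0
    for line in lines:
        evals += 1
        d = decode(line)
        if d is None:
            continue  # not syslog-shaped: no program to dispatch on
        for rule_id, _prog, rx in by_prog.get(d["prog"], ()):
            evals += 1
            m = rx.search(d["msg"])
            if m:
                hits.append((rule_id, m.groupdict()))
                break
    return hits, evals

def benchmark(n_padding, repeat=200):
    """Wall-clock seconds for each strategy over the sample lines, repeated `repeat` times."""
    rules = make_rules(n_padding)
    out = {}
    for name, fn in (("linear", match_linear), ("decoded", match_decoded)):
        t0 = time.perf_counter()
        for _ in range(repeat):
            fn(SAMPLE_LOGS, rules)
        out[name] = time.perf_counter() - t0
    return out

if __name__ == "__main__":
    for n in (0, 500, 5000):
        rules = make_rules(n)
        _, lin = match_linear(SAMPLE_LOGS, rules)
        _, dec = match_decoded(SAMPLE_LOGS, rules)
        print(f"{len(rules):5d} rules: linear={lin} evals, decoded={dec} evals, seconds={benchmark(n)}")
```

Both strategies produce identical hits, but the evaluation count tells the scaling story: with the five sample lines and N filler rules, the linear loop performs 12 + 2N regex evaluations (every line that matches nothing pays for the whole ruleset), while the decoded path performs 9 regardless of N. The benchmark timings follow the same shape, which is exactly the difference between "500 rules is fine" and "500k rules is not".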
Re: [logs] regexless parsing, again? Sep 17 2007 09:38PM
Tom Le (dottom gmail com)
Re: [logs] regexless parsing, again? Sep 14 2007 01:28AM
Raffael Marty (rmarty splunk com) (1 replies)
Re: [logs] regexless parsing, again? Sep 14 2007 04:11PM
Marcus J. Ranum (mjr ranum com)
RE: [logs] regexless parsing, again? Sep 14 2007 01:13AM
Desai, Ashish (Ashish Desai fmr com)
Copyright 2010, SecurityFocus