Focus on Linux
Re: important errors to control with swatch Nov 20 2007 05:48PM
Michael Robbert (mrobbert mines edu)
Maybe this is overkill (or maybe I'm missing the point completely), but
wouldn't Splunk ( http://www.splunk.com ) be a good solution, or tool
for creating a solution, for this problem?
For those that haven't heard of it, it collects data from many different
data sources, syslog being one of them, and provides you with a web
based interface to search through them. It allows for complex searches
and has the ability to alert on any of the searches. They also have
something called SplunkBase, which is a community driven database of
what many of these messages mean. It is a commercial product, but they
have a free version that will work with up to 500Mb per day of data.
I haven't implemented this myself yet, but I have played around with it
and look forward to finding the time to try to really implement it for
myself.

Mike Robbert

Hari Sekhon wrote:
> I'm also extremely interested in expanding my log watching to include
> a massive amount of comprehensive pattern matching alerting.
>
> I currently have some but need to expand it. The problem is that this
> is really a difficult thing to approach because it can only catch
> known patterns in this fashion. And whitelisting is really not
> practical in this context, as the logs generated are practically
> infinite and not really possible to whitelist.
>
> I think that there should really be a well maintained project of
> regexes for this purpose, one official champion for us to build our
> baselines on... with frequent updates...
>
> Anyone got any ideas or regexes they want to share?
>
> Isaac, you would do well to have things like "I/O Error" for disk
> problems... "hardware hung"... etc etc, but this list is practically
> endless, you should look at your logs and decide which ones you'd like
> to be alerted on.
>
> -h
>
> Hari Sekhon
>
>
>
> Isaac Perez Moncho wrote:
>> Hello,
>> I just installed swatch, and used this configuration file for the
>> checks:
>> http://www.loganalysis.org/sections/signatures/log-swatch-skendrick.txt
>>
>> Does anyone know any other common phrases or words that I should search
>> the logs for, for hardware and system errors?
>> Or what do you consider important to monitor in the logs?
>> Thanks
>>
>>
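The pattern-based alerting discussed in this thread (Hari's "I/O Error" and "hardware hung" suggestions, matched by a swatch-style config with a throttle so a failing disk does not page you once per sector), as an added example that is not part of the original posts or of swatch itself. It assumes classic year-less syslog timestamps; the sample log lines and the 10-minute throttle window are constructed.

```python
import re
from datetime import datetime, timedelta

# Rules in the spirit of a swatch "watchfor /regex/ ... throttle" stanza.
# The two patterns come from the thread; the throttle window is an assumed value.
RULES = [
    {"name": "disk-io-error", "regex": re.compile(r"I/O error", re.I),     "throttle": timedelta(minutes=10)},
    {"name": "hardware-hung", "regex": re.compile(r"hardware hung", re.I), "throttle": timedelta(minutes=10)},
]

# Constructed sample syslog lines (not real log data).
SAMPLE_LOG = """\
Nov 20 14:03:11 fileserver kernel: end_request: I/O error, dev sda, sector 12345678
Nov 20 14:03:12 fileserver kernel: end_request: I/O error, dev sda, sector 12345686
Nov 20 14:03:13 fileserver kernel: Buffer I/O error on device sda1, logical block 1543
Nov 20 14:05:40 fileserver kernel: e1000: eth0: hardware hung, resetting adapter
Nov 20 14:15:00 fileserver kernel: end_request: I/O error, dev sda, sector 12345694
Nov 20 14:20:00 fileserver sshd[2201]: Accepted publickey for backup from 10.0.0.5 port 51234 ssh2
""".splitlines()

def parse_ts(line):
    """Parse the leading 'Mon DD HH:MM:SS' timestamp of a classic syslog line (no year)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")

def scan(lines, rules=RULES):
    """Return (alerts, suppressed): one alert per matching line, except that repeats of the
    same rule inside its throttle window are counted as suppressed instead of alerted.
    Like swatch's default, a line stops at the first rule that matches it."""
    last_fired = {}
    alerts = []
    suppressed = 0
    for line in lines:
        ts = parse_ts(line)
        for rule in rules:
            if not rule["regex"].search(line):
                continue
            prev = last_fired.get(rule["name"])
            if prev is not None and ts - prev < rule["throttle"]:
                suppressed += 1  # same rule fired recently: throttle, do not re-alert
            else:
                last_fired[rule["name"]] = ts
                alerts.append((rule["name"], line))
            break
    return alerts, suppressed

if __name__ == "__main__":
    found, dropped = scan(SAMPLE_LOG)
    for name, line in found:
        print(f"ALERT [{name}] {line}")
    print(f"{dropped} repeat(s) throttled")
```

As Hari notes above, this only ever catches patterns you already know; the sshd line passes untouched, so the rule list has to be grown from your own logs.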

Copyright 2010, SecurityFocus