Firewall Wizards mailing list archives

RE: parsing logs ultra-fast inline


From: "Tina Bird" <tbird () precision-guesswork com>
Date: Tue, 7 Feb 2006 13:27:43 -0800



Anton Chuvakin wrote:

While I am preparing to enter this discussion in full force :-), I
figured I'd shoot a quick one on this:

meaning. Take Tina's VPN example - how many types of log entries would you
expect from a VPN concentrator? From my experience, not more
than 20 but let's assume there are 50. Give a sample from each entry
to a Perl 

He-he, no :-) I just looked at the old documentation bundle of Cisco
VPN 3000 messages and it's nowhere near the above. How about 2049
unique messages documented by Cisco?

But don't miss my point! I don't have to parse all those 2k or more
messages, because I'm only after *one* thing: all I want to know (at least
starting out) is the source of an inbound remote access connection, because
my pick for lowest-hanging-fruit with regard to remote access abuse is
remote access coming from "unusual" locations.

In fact, the discussion is trying really hard to support the exact opposite
of what I was saying :-) If you start out trying to parse *everything*,
you're at best going to work really really hard for a long time. If you pick
one or two conditions that you or your local expert *know* are significant,
you get something up and running really quickly. That impresses management
:-)

cheers - tbird

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

