Firewall Wizards mailing list archives

Re: parsing logs ultra-fast inline


From: Anton Chuvakin <anton () chuvakin org>
Date: Mon, 6 Feb 2006 17:05:06 -0500

All,

While I am preparing to enter this discussion in full force :-), I
figured I'd shoot a quick one on this:

> meaning. Take Tina's VPN example - how many types of log entries would you
> expect from a VPN concentrator? From my experience, not more than 20 but
> let's assume there are 50. Give a sample from each entry to a Perl

He-he, no :-) I just looked at the old documentation bundle of Cisco
VPN 3000 messages and it's nowhere near the above. How about 2049
unique messages documented by Cisco?

Parsing IS often a challenge, e.g. see this and the discussion that
ensued: http://airsnarf.shmoo.com/pipermail/loganalysis/2005-December/002906.html

Syslog is where it becomes just plain extreme (50,000 message types
anybody?), as Marcus pointed out, but there are some other fun areas
where it is tough.

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
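The point of the message-count numbers above is that a "one regex per documented message type" parser is never finished: whatever the real catalogue size (20, 50, 2049 or 50,000), a device will emit lines your table does not know yet. The following is an added example, not code from the thread or from any vendor; the message formats, pattern names and sample log lines are constructed stand-ins for a VPN concentrator, not Cisco VPN 3000 messages. It shows the per-type pattern table, and the check a log-analysis engineer actually wants: unmatched lines are counted under an explicit "unknown" type instead of being silently dropped, so a coverage drop is visible when firmware changes.

```python
import re
from collections import Counter

# Constructed, hypothetical message formats for a VPN concentrator. They are
# NOT the real Cisco VPN 3000 message catalogue; they only stand in for the
# "one regex per documented message type" approach discussed in the thread.
TS = r"(?P<ts>\S+\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+vpn:"
PATTERNS = [
    ("vpn_login_ok",
     re.compile(TS + r" user (?P<user>\S+) authenticated from (?P<src>\d+\.\d+\.\d+\.\d+)$")),
    ("vpn_login_fail",
     re.compile(TS + r" authentication failed for user (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$")),
    ("vpn_tunnel_down",
     re.compile(TS + r" tunnel (?P<tunnel>\d+) closed, reason=(?P<reason>\S+)$")),
]


def parse_line(line):
    """Classify one line as (message_type, fields). Unrecognised lines are
    returned under the 'unknown' type so parser coverage gaps stay visible."""
    for name, rx in PATTERNS:
        m = rx.match(line)
        if m:
            return name, m.groupdict()
    return "unknown", {"raw": line}


def parse_log(lines):
    """Parse every line; return (per-type counts, list of unmatched raw lines)."""
    counts = Counter()
    unknown = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        name, _fields = parse_line(line)
        counts[name] += 1
        if name == "unknown":
            unknown.append(line)
    return counts, unknown


def coverage(counts):
    """Fraction of lines matched by some pattern (1.0 = every message type in
    the sample has a parser). Tracked over time, a new firmware release shows
    up as a drop in this number rather than as a parser crash."""
    total = sum(counts.values())
    return 0.0 if total == 0 else (total - counts["unknown"]) / total


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "Feb  6 17:05:06 vpn1 vpn: user alice authenticated from 192.0.2.10",
    "Feb  6 17:05:07 vpn1 vpn: authentication failed for user bob from 192.0.2.11",
    "Feb  6 17:05:09 vpn1 vpn: tunnel 42 closed, reason=idle-timeout",
    # A message type the pattern table does not know about yet:
    "Feb  6 17:05:10 vpn1 vpn: certificate for peer 198.51.100.5 expired",
]

if __name__ == "__main__":
    counts, unknown = parse_log(SAMPLE_LOG)
    print("per-type counts:", dict(counts))
    print("coverage: %.2f" % coverage(counts))
    for line in unknown:
        print("UNPARSED:", line)
```

The unmatched list is the work queue: each distinct unparsed message becomes a new entry in the pattern table, and the coverage figure tells you how far the table is from the device's actual vocabulary rather than from its documentation.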