nanog mailing list archives

Re: log parsing tool?


From: Matthew Palmer <mpalmer () hezmatt org>
Date: Wed, 24 Feb 2010 16:43:38 +1100

On Mon, Feb 22, 2010 at 04:15:22PM -0600, fedora fedora wrote:
> Does anyone have good recommendations for an open-source log parsing and
> analyzing application? It will be used to work with syslog-ng and other
> general syslog and application logs.
>
> I have been looking at swatch and logwatch, but would like to find out if
> there are other good choices. Thanks.

SEC does seem to be the "gold standard" in advanced log correlation beyond
that available in "grep | mail" type systems such as logwatch.  However it
is incredibly arcane, and despite reading a lot of documentation for it I've
never really been able to wrap my head around it.

A colleague has started to write a SEC-like tool with (I hope) a more
approachable mental model; take a look at http://github.com/rodjek/grok.  I
must (embarrassedly) admit I haven't looked at it yet, but he claims that he
reimplemented sshd_sentry (the fail2ban equivalent we use) in two lines of
rules, which seems like a nice (basic) demonstration.

- Matt
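The distinction Matt draws between "grep | mail" systems and real event correlation is easy to see in code. The following is an added example written for this archive page; it is not code from SEC, grok or sshd_sentry, and the sample sshd log lines, the regex, the assumed year for the year-less syslog timestamps, and the threshold/window values are all constructed for illustration. The first function reports every matching line (the logwatch-style approach); the second tracks failures per source over a sliding window and raises a single alert when a burst crosses the threshold, which is the kind of rule a fail2ban-like tool expresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not taken from the original thread).
SAMPLE_LOG = """\
Feb 24 16:40:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50212 ssh2
Feb 24 16:40:03 bastion sshd[2203]: Failed password for root from 198.51.100.7 port 50214 ssh2
Feb 24 16:40:04 bastion sshd[2205]: Accepted publickey for deploy from 203.0.113.5 port 41022 ssh2
Feb 24 16:40:06 bastion sshd[2207]: Failed password for root from 198.51.100.7 port 50216 ssh2
Feb 24 16:40:09 bastion sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 50218 ssh2
Feb 24 16:45:30 bastion sshd[2300]: Failed password for root from 192.0.2.9 port 33001 ssh2
Feb 24 16:50:31 bastion sshd[2302]: Failed password for root from 192.0.2.9 port 33003 ssh2
Feb 24 16:55:32 bastion sshd[2304]: Failed password for root from 192.0.2.9 port 33005 ssh2
Feb 24 17:00:33 bastion sshd[2306]: Failed password for root from 192.0.2.9 port 33007 ssh2
"""

# Assumed sshd message format; adjust to match the OpenSSH build you run.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_ts(ts: str, year: int = 2010) -> datetime:
    """Classic syslog timestamps carry no year; the year is an assumption."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def grep_style(lines):
    """'grep | mail' behaviour: every matching line becomes a notification."""
    return [ln for ln in lines if FAILED_RE.match(ln)]


def correlate(lines, threshold=4, window_s=60):
    """SEC-style rule: alert once when `threshold` failures from one source
    fall inside a sliding window of `window_s` seconds.

    Returns a list of (source, count, first_seen, last_seen) tuples."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for ln in lines:
        m = FAILED_RE.match(ln)
        if not m:
            continue
        src, t = m["src"], parse_ts(m["ts"])
        q = recent[src]
        q.append(t)
        # Drop failures that fell out of the window relative to the newest one.
        while q and (t - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, len(q), q[0], t))
            q.clear()  # one burst yields one alert, not one per extra failure
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(f"grep-style notifications: {len(grep_style(lines))}")
    for src, n, first, last in correlate(lines):
        print(f"ALERT {src}: {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample input the grep-style path emits eight notifications, one per failed login, while the correlator emits a single alert for 198.51.100.7 (four failures in eight seconds) and stays quiet about 192.0.2.9, whose failures are spread five minutes apart and never cluster inside the window. Tuning the window and threshold per source is exactly the kind of decision that a correlation tool's rule language has to express, which is where SEC's learning curve comes from.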
