nanog mailing list archives
Re: improving signal to noise ratio from centralized network syslogs
From: George William Herbert <george.herbert () gmail com>
Date: Wed, 31 Jan 2018 11:59:52 -0800
From the systems side we got HoneycombIO which shifts a bit to calling itself events rather than logs management. I don't know anyone else who's tried using it for networks per se but that's on my "interesting tech tools explorations" medium length list.

-george

Sent from my iPhone
On Jan 31, 2018, at 7:17 AM, Rich Kulawiec <rsk () gsp org> wrote:

On Thu, Jan 25, 2018 at 11:10:02PM -0500, Joe Maimon wrote:

What I am interested in is an automated zoom-in zoom-out tool to mask the repetition of "normal" events and allow the unusual to stand out.

This is an approach outlined by Marcus Ranum years ago; he called it "artificial stupidity", and it works. (Of course, an inverse check that makes sure routine boring things are still happening is also a good idea.)

You could use any number of elaborate (and sometimes expensive) tools to do this, but I recommend rolling your own with Perl or similar. This is goodness for two reasons: first, it forces you to look at your own data, which is really helpful. You'll be surprised at what you find if you've never done it before. Second, it lets you customize for your environment at every step.

I have written dozens of these, some as trivial as a few lines of code, some quite extensive. None of them "solve" the problem per se, they just all take bites out of it. But this admittedly-simplistic (and deliberately so) approach has flagged a lot of issues, and because it's simple, it's easy to connect to other monitoring/alerting plumbing.

---rsk
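The filtering approach described in the quoted message above (mask events known to be routine, surface whatever is left, and separately check that routine events still occur), sketched as an added example in Python rather than Perl. It is not code from anyone in the thread; the pattern lists, the sample log lines and the names `triage` and `template` are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), in a common network-syslog shape.
SAMPLE = """\
Jan 31 07:00:01 core1 %SYS-5-CONFIG_I: Configured from console by backup on vty0 (10.0.0.5)
Jan 31 07:00:09 edge2 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/12, changed state to down
Jan 31 07:00:11 edge2 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/12, changed state to up
Jan 31 07:03:44 edge2 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent
Jan 31 07:03:50 edge3 %BGP-5-ADJCHANGE: neighbor 192.0.2.9 Down BGP Notification sent
Jan 31 07:05:00 core1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4431) -> 10.0.0.1(22), 1 packet
""".splitlines()

# Hypothetical site-specific lists: patterns known to be boring, and routine
# events whose absence is itself a finding (the inverse check).
BORING = [re.compile(p) for p in (r"%LINEPROTO-5-UPDOWN", r"%SEC-6-IPACCESSLOGP")]
EXPECTED = {"nightly config backup": re.compile(r"%SYS-5-CONFIG_I: .* by backup ")}

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<msg>.*)$")
IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUM = re.compile(r"(?<![\w-])\d+(?![\w-])")  # leaves the severity digit in %FAC-5-MNEMONIC alone

def template(msg):
    """Collapse variable fields so repeats of one event share a key."""
    return NUM.sub("<n>", IP.sub("<ip>", msg))

def triage(lines, boring=BORING, expected=EXPECTED):
    unusual, seen = Counter(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            unusual[("?", "<unparsed> " + line)] += 1  # never drop silently
            continue
        msg = m["msg"]
        hits = {name for name, rx in expected.items() if rx.search(msg)}
        seen |= hits
        if hits or any(rx.search(msg) for rx in boring):
            continue
        unusual[(m["host"], template(msg))] += 1
    missing = sorted(set(expected) - seen)  # routine events that did not show up
    return unusual, missing

if __name__ == "__main__":
    unusual, missing = triage(SAMPLE)
    for (host, tmpl), n in unusual.most_common():
        print(f"{n:4d} {host} {tmpl}")
    for name in missing:
        print(f"MISSING expected event: {name}")
```

The `unusual` counter and the `missing` list are plain data, so either can be handed to whatever alerting is already in place.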