nanog mailing list archives
Re: Enterprise syslog management and alert generation.
From: Bill Nash <billn () billn net>
Date: Tue, 7 Dec 2004 23:07:26 -0800 (PST)
On Tue, 7 Dec 2004, Alexei Roudnev wrote:
> In such products, only 20% of the value is in the engine; 80% is in the rules, because I cannot write the rules myself - I do not have the event until it happens, and I cannot filter out the noise until it happens. We use a few syslog analyzers (using syslog-ng as a transport), some with simple logcheck, others with a database for rules and hosts; and every time the problem is the same - writing rules is 90% of the problem. But... do you have rules such as, for example, "send alert if any system began to generate 10 times more logs/hour vs. average"? Or "a single PCI ERROR on Solaris - ignore, 10 in a straight line - send warning"...
The X over time is a new one, it's been mentioned a couple times today, and I can certainly account for it. I've added it to my rapidly growing list.
- billn
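The two rules Alexei asks about (a per-host "10x the hourly average" rate alert, and "ignore one PCI ERROR, warn on 10 back to back") as an added example, not code from either poster or from syslog-ng/logcheck. It assumes classic BSD syslog lines ("Dec  7 23:07:26 host message") and uses a constructed sample stream.

```python
import re
from collections import defaultdict

# Parse classic BSD syslog lines: "Dec  7 23:07:26 host message".
LINE_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d):\d\d:\d\d (\S+) (.*)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line, skipped
    mon, day, hour, host, msg = m.groups()
    return (f"{mon} {int(day):02d} {hour}", host, msg)  # (hour bucket, host, message)

def rate_alerts(lines, factor=10):
    """Rule 1: alert when a host logs `factor` times its average over the earlier hours."""
    counts = defaultdict(lambda: defaultdict(int))  # host -> hour bucket -> line count
    for bucket, host, _ in filter(None, map(parse, lines)):
        counts[host][bucket] += 1
    alerts = []
    for host, per_hour in counts.items():
        seen = []  # counts of the hours already processed (the baseline)
        for bucket in sorted(per_hour):  # buckets sort chronologically within one month
            n = per_hour[bucket]
            if seen and n >= factor * (sum(seen) / len(seen)):
                alerts.append((host, bucket, n))
            seen.append(n)
    return alerts

def consecutive_alerts(lines, pattern="PCI ERROR", threshold=10):
    """Rule 2: a lone match is ignored; warn once when `threshold` matches arrive back to back."""
    run = defaultdict(int)  # host -> length of the current run of matching lines
    alerts = []
    for _, host, msg in filter(None, map(parse, lines)):
        if pattern in msg:
            run[host] += 1
            if run[host] == threshold:
                alerts.append((host, threshold))
        else:
            run[host] = 0  # any other message from that host breaks the run
    return alerts

def sample_logs():
    """Constructed sample stream: three quiet hours then a burst on core1; one lone and one run of PCI ERRORs on sun1."""
    logs = [f"Dec  7 {h:02d}:00:{i:02d} core1 sshd: session opened" for h in (20, 21, 22) for i in range(2)]
    logs += [f"Dec  7 23:00:{i:02d} core1 ospf: neighbor down" for i in range(25)]
    logs += ["Dec  7 21:10:00 sun1 PCI ERROR: bus 0 dev 3", "Dec  7 21:11:00 sun1 syslogd: restart"]
    logs += [f"Dec  7 21:15:{i:02d} sun1 PCI ERROR: bus 0 dev 3" for i in range(10)]
    return logs

if __name__ == "__main__":
    print(rate_alerts(sample_logs()))         # [('core1', 'Dec 07 23', 25)]
    print(consecutive_alerts(sample_logs()))  # [('sun1', 10)]
```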