Re: Enterprise syslog management and alert generation.

[Bill Nash <billn () billn net>]

On Tue, 7 Dec 2004, Alexei Roudnev wrote:

> In such products, only 20% value is in engine; 80% are in rules, because I
> can not wrire rules myself - I have not event until it happen, and I can not
> filetr out noice until it happen.
>
> We use a few syslog analyzers (using syslog-ng as a transport), some with
> simple logcheck, other with database for rules and hosts; and every time
> problem is the same - writing rules is 90% of the problem.
>
> But... do you have rules, such as fort example _send alert if any system
> began to generate 10 times logs / hour more vs. average? Or saying _single
> PCI ERROR on Solaris - ignore, 10 in a straight line - send warning...

The X over time is a new one, it's been mentioned a couple times today, 
and I can certainly account for it. I've added it to my rapidly 
growing list.

- billn