nanog mailing list archives
Re: Parsing Syslog and Acting on it, using other input too
From: Blake Dunlap <ikiris () gmail com>
Date: Thu, 29 Aug 2013 09:29:24 -0500
Since you said you are willing to entertain home grown as well, I would recommend looking at simple event correlator, which is a perl script designed to do the kind of thing you are talking about. I've used it in the past to trigger bgp black holing and mail blacklists for example.

On Thu, Aug 29, 2013 at 8:25 AM, Sam Moats <sam () circlenet us> wrote:
> My view on splunk,
>
> +1 if you intend to have a human act on the reports, it does an excellent job of reducing huge amounts of audit data into the valuable bits.
>
> -1 Seemed to be a pita to integrate with my scripting environment. I ended up kludging wget, awk and telnet together in a totally undignified way to make it reach out and act on something.
>
> +2 Customizable ingestion/parsing, I'm feeding everything from linux audit data to weird proprietary serial output from a multiplexer into it.
>
> -1 Proprietary database. I would have liked to see an sql plugin for data storage; I would like the data in Mysql/Oracle but no-joy from splunk, so that I can use other tools on it easily.
>
> +1 Free demo. You can download an eval version that is rate limited and cripples itself after a fixed time.
>
> -1 because the license costs are a bit high if you're moving lots of data through it.
>
> Sam Moats
>
> On 2013-08-29 09:10, Jason Biel wrote:
>> You should look into SPLUNK (http://www.splunk.com/), it will collect/store your syslog data and you can run customized reports and then act on them.
>>
>> On Thu, Aug 29, 2013 at 8:03 AM, Kasper Adel <karim.adel () gmail com> wrote:
>>> Hello. I am looking for a way to do proactive monitoring of my network. What I am specifically thinking about is receiving syslog msgs from the routers, and the backend engine would correlate certain msgs with output/data that I am receiving through SSH/telnet sessions. What I am after is not exposed to SNMP, so I need to do it on my own.
>>>
>>> I am sure there are many tools that can do parsing of syslog and acting upon it, but I wonder if there is something more flexible out there that I can just re-use to do the above? Please point me to known public or home-grown scripts in use to achieve this.
>>>
>>> Regards, Sam
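As an added illustration of the home-grown approach the thread discusses (my example, not SEC's code and not anything posted by the participants): a small Python correlator that applies a SEC-style threshold rule to router syslog lines and then confirms the event against 'show ip bgp summary' text captured from an SSH session before recording an action. The hostnames, neighbor addresses, message text and session output are constructed; the action is kept to an alert record.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

SYSLOG_RE = re.compile(r"^<\d+>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
FLAP_RE = re.compile(r"%BGP-5-ADJCHANGE: neighbor (\S+) Down")
# Constructed sample input (not from the thread): router syslog plus the 'show ip bgp summary' text read over SSH.
SYSLOG_LINES = [
    "<189>Aug 29 09:00:01 rtr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down Notification sent",
    "<189>Aug 29 09:00:09 rtr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down Notification sent",
    "<189>Aug 29 09:00:15 rtr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down Notification sent",
]
BGP_SUMMARY = {"rtr1": "Neighbor   V  AS     State/PfxRcd\n192.0.2.1  4  64496  Active\n"}

def parse_syslog(line):
    """Split an RFC 3164-style line into (timestamp, host, message), or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)

def neighbor_state(summary, neighbor):
    """Return the State/PfxRcd column for one neighbor from session output."""
    for cols in (row.split() for row in summary.splitlines()):
        if cols and cols[0] == neighbor:
            return cols[-1]
    return None

def correlate(lines, summaries, threshold=3, window=60):
    """SEC-style SingleWithThreshold rule, confirmed against live session output."""
    seen, actions = defaultdict(deque), []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            continue  # unparseable line: skip it rather than crash the correlator
        ts, host, msg = parsed
        m = FLAP_RE.search(msg)
        if not m:
            continue
        key = (host, m.group(1))
        q = seen[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold:
            q.clear()  # reset so one burst does not fire repeatedly
            state = neighbor_state(summaries.get(host, ""), key[1])
            if not (state or "").isdigit():  # a prefix count means Established
                actions.append((host, key[1], state, "alert"))
    return actions
```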