Re: improving signal to noise ratio from centralized network syslogs

[George William Herbert <george.herbert () gmail com>]

From the systems side we got HoneycombIO which shifts a bit to calling itself events rather than logs management.  I 
don't know anyone else who's tried using it for networks per se but that's on my "interesting tech tools explorations" 
medium length list.


-george 

Sent from my iPhone

> On Jan 31, 2018, at 7:17 AM, Rich Kulawiec <rsk () gsp org> wrote:
>
> > On Thu, Jan 25, 2018 at 11:10:02PM -0500, Joe Maimon wrote:
> > What I am interested in is an automated zoom-in zoom-out tool to mask the
> > repetition of "normal" events and allow the unusual to stand out.
>
> This is an approach outlined by Marcus Ranum years ago; he called it
> "artificial stupidity", and it works.  (Of course, an inverse check
> that makes sure routine boring things are still happening is also
> a good idea.)
>
> You could use any number of elaborate (and sometimes expensive) tools
> to do this, but I recommend rolling your own with Perl or similar.
> This is goodness for two reasons: first, it forces you to look at your
> own data, which is really helpful.  You'll be surprised at what you
> find if you've never done it before.  Second, it lets you customize for
> your environment at every step.
>
> I have written dozens of these, some as trivial as a few lines of code,
> some quite extensive.  None of them "solve" the problem per se, they just
> all take bites out of it.  But this admittedly-simplistic (and deliberately
> so) approach has flagged a lot of issues, and because it's simple,
> it's easy to connect to other monitoring/alerting plumbing.
>
> ---rsk