JP Vossen on 27 Apr 2008 13:46:37 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] syslog - any easy way out?

> Date: Sat, 26 Apr 2008 21:14:52 -0400
> From: jeff <>
> Subject: [PLUG] syslog - any easy way out?
> I'm trying to get my Win servers' event logs together, as I've 
> mentioned, which is a PITA.  One of the suggestions was to port them to 
> syslog.

Well, to *get* Windows events to syslog, I kinda like Snare.  I say 
"kinda" because I used to really love it when it was called backlog 
because it was drop-dead simple.  One simple service, no reboot, about 3 
things that you could screw up, two of which basically never needed to 
be touched.


Then the name changed to Snare and it got bloated.  A lot (IMO).  Sure 
there are a lot more features, but that only means a lot more to screw 
up.  Sigh.  I haven't looked into this in a few years, so there may be 
other/better options.  Then again, Snare might have a slim option...

> By coincidence, my SonicWall outputs syslog and I need to start paying 
> attention to the logs, both for stats and troubleshooting current events.
> Is there any way to do this without learning programming, regex and 
> various other skills I will never have?  I just want a syslog collector 
> that will also display reasonable stats and help me to figure out where 
> all the bandwidth is going when it suddenly goes sluggish.  And I want 
> to be a rock star too, ok?

The way I do it doesn't answer your question.  I feed everything to a 
Debian server and use the built-in logcheck package to send me email 
alerts.  That requires grep regular expressions.  Logcheck is a simple 
yet great idea.  You have 3 pattern (regex) files:
	Known bad
	Looks bad but isn't
	Known good

Then it looks for "known bad" things but removes stuff that "looks bad 
but isn't" and outputs to "this is bad."  Then it removes the "known 
good" and stuff that "looks bad but isn't" and outputs to "this is 
unknown."  Over time, as you tune your files, you end up only being 
alerted to known bad or new (not yet classified) stuff.  Brilliant.  I 
even did a (cheesy) Windows port of it:

See also:

Since I do it that way, I haven't looked into pretty/GUI solutions in 
several years.  But I seem to recall there being some, usually 
Perl-based.  Maybe a Google and/or Sourceforge search for log analysis, 
log viewer or logcheck/log check?  Or maybe someone else on the list has 
more info?

Things that might be worth a look (list subject to linkrot):
* Getting old, but maybe a tools section:


Good luck, and let us know,
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --