JP Vossen on 27 Apr 2008 13:46:37 -0700



Re: [PLUG] syslog - any easy way out?


> Date: Sat, 26 Apr 2008 21:14:52 -0400
> From: jeff <jeffv@op.net>
> Subject: [PLUG] syslog - any easy way out?
> 
> I'm trying to get my Win servers' event logs together, as I've 
> mentioned, which is a PITA.  One of the suggestions was to port them to 
> syslog.

Well, to *get* Windows events to syslog, I kinda like Snare.  I say 
"kinda" because I used to really love it when it was called backlog 
because it was drop-dead simple.  One simple service, no reboot, about 3 
things that you could screw up, two of which basically never needed to 
be touched.

Related:
* http://www.intersectalliance.com/projects/SnareWindows/
* http://ntsyslog.sourceforge.net/
* http://www.speakeasy.net/~vossenjp/BackLog-1.9b.exe

Then the name changed to Snare and it got bloated.  A lot (IMO).  Sure 
there are a lot more features, but that only means a lot more to screw 
up.  Sigh.  I haven't looked into this in a few years, so there may be 
other/better options.  Then again, Snare might have a slim option...


> By coincidence, my SonicWall outputs syslog and I need to start paying 
> attention to the logs, both for stats and troubleshooting current events.
[...]
> Is there any way to do this without learning programming, regex and 
> various other skills I will never have?  I just want a syslog collector 
> that will also display reasonable stats and help me to figure out where 
> all the bandwidth is going when it suddenly goes sluggish.  And I want 
> to be a rock star too, ok?

The way I do it doesn't answer your question.  I feed everything to a 
Debian server and use the built-in logcheck package to send me email 
alerts.  That requires grep regular expressions.  Logcheck is a simple 
yet great idea.  You have 3 pattern (regex) files:
	Known bad
	Looks bad but isn't
	Known good

Then it looks for "known bad" things but removes stuff that "looks bad 
but isn't" and outputs to "this is bad."  Then it removes the "known 
good" and stuff that "looks bad but isn't" and outputs to "this is 
unknown."  Over time, as you tune your files, you end up only being 
alerted to known bad or new (not yet classified) stuff.  Brilliant.  I 
even did a (cheesy) Windows port of it:
* http://www.jpsdomain.org/windows/winlogcheck.html

See also:
* http://edseek.com/archives/2006/03/18/the-magic-of-syslog-ng-and-logcheck/

Since I do it that way, I haven't looked into pretty/GUI solutions in 
several years.  But I seem to recall there being some, usually 
Perl-based.  Maybe a Google and/or Sourceforge search for log analysis, 
log viewer or logcheck/log check?  Or maybe someone else on the list has 
more info?


Things that might be worth a look (list subject to linkrot):
* http://sourceforge.net/projects/swatch/
* http://www.ossim.net/whatis.php
* http://strobe.weeg.uiowa.edu/~edhill/public/
* Getting old, but maybe a tools section: http://www.loganalysis.org/

Maybe:
* http://www.btc.gatech.edu/net/management/linux/monitoring.html
* http://www.nwc.com/1406/1406ws1.html
* http://cebu.mozcom.com/riker/iptraf/


Good luck, and let us know,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
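The two-pass triage JP describes for logcheck's three pattern files, written out as a small Python example. This is added illustration, not logcheck's or winlogcheck's own code; the syslog lines and the regex lists are constructed for the demo, and dropping already-reported "bad" lines from the "unknown" report is an assumption.

```python
import re

# Constructed sample syslog lines (not from the original post).
SAMPLE_LOG = """\
Apr 26 21:14:52 fw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Apr 26 21:15:01 fw CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Apr 26 21:15:10 fw kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: errors=remount-ro
Apr 26 21:15:12 fw sshd[1250]: Accepted publickey for jeff from 203.0.113.20 port 5022 ssh2
Apr 26 21:16:00 fw smartd[200]: Device: /dev/sda, SMART Usage Attribute: 194 Temperature_Celsius changed from 40 to 41
Apr 26 21:17:00 fw sshd[1300]: error: PAM: Authentication failure for root from 192.0.2.10
"""

# The three pattern "files" from the post, as constructed regex lists.
KNOWN_BAD = [r"Failed password", r"Authentication failure", r"denied", r"error"]
LOOKS_BAD_BUT_ISNT = [r"EXT4-fs .* errors=remount-ro"]   # hits "error" but is routine
KNOWN_GOOD = [r"CRON\[\d+\]: \(root\) CMD", r"sshd\[\d+\]: Accepted publickey for"]


def compile_all(patterns):
    return [re.compile(p) for p in patterns]


def matches_any(line, regexes):
    return any(r.search(line) for r in regexes)


def triage(lines, known_bad, looks_bad_but_isnt, known_good):
    """Return (bad, unknown): pass 1 keeps known-bad lines minus the benign
    look-alikes; pass 2 keeps everything not known-good and not benign.
    Assumption: a line already reported as bad is not repeated as unknown."""
    bad_re, benign_re, good_re = map(compile_all, (known_bad, looks_bad_but_isnt, known_good))
    bad, unknown = [], []
    for line in lines:
        if not line.strip():
            continue
        if matches_any(line, bad_re) and not matches_any(line, benign_re):
            bad.append(line)                      # "this is bad"
        elif not matches_any(line, good_re) and not matches_any(line, benign_re):
            unknown.append(line)                  # "this is unknown": needs classifying
    return bad, unknown


if __name__ == "__main__":
    bad, unknown = triage(SAMPLE_LOG.splitlines(), KNOWN_BAD, LOOKS_BAD_BUT_ISNT, KNOWN_GOOD)
    print("== this is bad ==\n" + "\n".join(bad))
    print("== this is unknown ==\n" + "\n".join(unknown))
```

Tuning works as in the post: each "unknown" line either becomes a known-good or known-bad regex, so over time only genuinely bad or genuinely new lines reach the report.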
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug