important errors to control with swatch

Hello,

I just installed swatch, and used this configuration file for the checks:
http://www.loganalysis.org/sections/signatures/log-swatch-skendrick.txt

Does anyone know any other common phrase or word that I should search the logs for hardware and system errors? Or what you consider important to monitor in the logs?

Thanks

--
Isaac Perez Moncho
GSEC, SSP-GHD, SSP-MPA, SSP-CNSA
Microsoft MCP.
JPL TSolucio S.L
www.tsolucio.com
Re: important errors to control with swatch

I moved away from SWATCH quite some time ago as it was always crashing. SEC, simple event correlator, may be better, and it uses Perl regular expressions.

http://kodu.neti.ee/~risto/sec/

- Reynold

Isaac Perez Moncho wrote:
> Hello,
> I just installed swatch, and used this configuration file for the
> checks:
> http://www.loganalysis.org/sections/signatures/log-swatch-skendrick.txt
>
> Does anyone know any other common phrase or word that I should search the logs
> for hardware and system errors?
> Or what you consider important to monitor in the logs?
> Thanks
Re: important errors to control with swatch

I'm also extremely interested in expanding my log watching to include a massive amount of comprehensive pattern matching alerting.

I currently have some but need to expand it. The problem is that this is really a difficult thing to approach because it can only catch known patterns in this fashion. And whitelisting is really not practical in this context as the logs generated are practically infinite and not really able to whitelist them.

I think that there should really be a well maintained project of regexes for this purpose, one official champion for us to build our baselines on... with frequent updates...

Anyone got any ideas or regexes they want to share?

Isaac, you would do well to have things like "I/O Error" for disk problems... "hardware hung"... etc etc, but this list is practically endless, you should look at your logs and decide which ones you'd like to be alerted on.

-h

Hari Sekhon

Isaac Perez Moncho wrote:
> Hello,
> I just installed swatch, and used this configuration file for the
> checks:
> http://www.loganalysis.org/sections/signatures/log-swatch-skendrick.txt
>
> Does anyone know any other common phrase or word that I should search the logs
> for hardware and system errors?
> Or what you consider important to monitor in the logs?
> Thanks
Re: important errors to control with swatch

Maybe this is overkill (or maybe I'm missing the point completely), but wouldn't Splunk ( http://www.splunk.com ) be a good solution, or tool for creating a solution, for this problem?

For those that haven't heard of it, it collects data from many different data sources, syslog being one of them, and provides you with a web based interface to search through them. It allows for complex searches and has the ability to alert on any of the searches. They also have something called SplunkBase, which is a community driven database of what many of these messages mean.

It is a commercial product, but they have a free version that will work with up to 500Mb per day of data.

I haven't implemented this myself yet, but I have played around with it and look forward to finding the time to try to really implement it for myself.

Mike Robbert

Hari Sekhon wrote:
> I'm also extremely interested in expanding my log watching to include
> a massive amount of comprehensive pattern matching alerting.
>
> I currently have some but need to expand it. The problem is that this
> is really a difficult thing to approach because it can only catch
> known patterns in this fashion. And whitelisting is really not
> practical in this context as the logs generated are practically
> infinite and not really able to whitelist them.
>
> I think that there should really be a well maintained project of
> regexes for this purpose, one official champion for us to build our
> baselines on... with frequent updates...
>
> Anyone got any ideas or regexes they want to share?
>
> Isaac, you would do well to have things like "I/O Error" for disk
> problems... "hardware hung"... etc etc, but this list is practically
> endless, you should look at your logs and decide which ones you'd like
> to be alerted on.
>
> -h
>
> Hari Sekhon
>
> Isaac Perez Moncho wrote:
>> Hello,
>> I just installed swatch, and used this configuration file for the
>> checks:
>> http://www.loganalysis.org/sections/signatures/log-swatch-skendrick.txt
>>
>> Does anyone know any other common phrase or word that I should search the logs
>> for hardware and system errors?
>> Or what you consider important to monitor in the logs?
>> Thanks
RE: important errors to control with swatch

I agree... Not only is it very hard to find tools, but yes, you do have to create your own RegEx filters.

I use SEC to monitor a "combined" log from my central syslog server and have to, at times, create new filters for it. The good thing is that there are some "generic" filters already available... For instance, Linux based failures or events such as:

reboot
su
sshd accept / failure
etc.

Then you still would have to create custom filters for your specific devices and routers etc.

I use SEC to pipe the output of the trap to a CLI email program which is very easy to use. I make the program email my account, and for serious issues, email my cell phone as an SMS Text Message.

It's not hard... It just takes a little bit of time. People could create a repository of 'tested' RegEx filters for devices and make that publicly available...

--
=----------------------------------------=
Reynold McGuire
Network Engineer
Suffolk University, Information Technology Services
Phone: 617.994.4277
Fax: 617.573.8747
=----------------------------------------=
PGP Public Key: echo "send pgp key" | mail rmcguire@...
=----------------------------------------=
PGP Fingerprint: 5779 6011 FAC8 91EE FD93 B408 1296 F6FF CD7E

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Hari Sekhon
Sent: Tuesday, November 20, 2007 4:36 AM
To: Isaac Perez Moncho
Cc: focus-linux@...
Subject: Re: important errors to control with swatch

I'm also extremely interested in expanding my log watching to include a massive amount of comprehensive pattern matching alerting.

I currently have some but need to expand it. The problem is that this is really a difficult thing to approach because it can only catch known patterns in this fashion. And whitelisting is really not practical in this context as the logs generated are practically infinite and not really able to whitelist them.

I think that there should really be a well maintained project of regexes for this purpose, one official champion for us to build our baselines on... with frequent updates...

Anyone got any ideas or regexes they want to share?

Isaac, you would do well to have things like "I/O Error" for disk problems... "hardware hung"... etc etc, but this list is practically endless, you should look at your logs and decide which ones you'd like to be alerted on.

-h

Hari Sekhon

Isaac Perez Moncho wrote:
> Hello,
> I just installed swatch, and used this configuration file for the
> checks:
> http://www.loganalysis.org/sections/signatures/log-swatch-skendrick.txt
>
> Does anyone know any other common phrase or word that I should search the logs
> for hardware and system errors?
> Or what you consider important to monitor in the logs?
> Thanks
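As an added example, not code from the thread, from swatch or from SEC: the kind of pattern set Hari and Reynold describe (I/O errors, "hardware hung", sshd accept/failure, su, reboot) applied swatch-style to constructed syslog lines in Python, plus the per-source failed-login count that SEC-style correlation adds over plain line matching. The regexes, rule names and sample lines are assumptions written for this example.

```python
import re
from collections import Counter

# Rules for the event classes named in the thread: disk I/O errors,
# hung hardware, sshd accept/failure, su, reboot. The regexes are
# assumptions written for this example, not swatch's or SEC's own.
RULES = {
    "disk_io_error": re.compile(r"kernel:.*\bI/O error\b", re.I),
    "hardware_hung": re.compile(r"kernel:.*\bhardware hung\b", re.I),
    "sshd_failure": re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+)"),
    "sshd_accept": re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)"),
    "su_session": re.compile(r"\bsu(?:\[\d+\])?: .*session opened for user (\S+)"),
    "reboot": re.compile(r"(?:shutdown|init)\[\d+\]: .*reboot", re.I),
}

def match_lines(lines):
    """swatch-style: return (rule, line) for each line hitting a rule;
    the first matching rule wins, like the first watchfor block."""
    hits = []
    for line in lines:
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((name, line))
                break
    return hits

def failed_login_bursts(lines, threshold=3):
    """SEC-style correlation: count sshd failures per source address and flag
    sources at or above the threshold (lines are one time-bounded batch)."""
    per_src = Counter()
    for line in lines:
        m = RULES["sshd_failure"].search(line)
        if m:
            per_src[m.group(2)] += 1
    return {src: n for src, n in per_src.items() if n >= threshold}

# Constructed sample syslog lines (documentation-range addresses, no real host).
SAMPLE_LOG = [
    "Nov 20 04:31:02 web1 kernel: end_request: I/O error, dev sda, sector 123456",
    "Nov 20 04:31:05 web1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2",
    "Nov 20 04:31:07 web1 sshd[2203]: Failed password for root from 192.0.2.10 port 40130 ssh2",
    "Nov 20 04:31:09 web1 sshd[2205]: Failed password for root from 192.0.2.10 port 40131 ssh2",
    "Nov 20 04:32:00 web1 sshd[2210]: Accepted publickey for ops from 203.0.113.5 port 51000 ssh2",
    "Nov 20 04:32:30 web1 su[2222]: pam_unix(su:session): session opened for user root by ops(uid=1000)",
    "Nov 20 04:33:00 web1 shutdown[2300]: shutting down for system reboot",
    "Nov 20 04:33:01 web1 cron[2301]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    print(*match_lines(SAMPLE_LOG), sep="\n")
    print("failed-login bursts:", failed_login_bursts(SAMPLE_LOG))
```

The cron line is the negative case: it matches no rule and is dropped, which is exactly the "only catches known patterns" limitation Hari points out.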
Re: important errors to control with swatch

Michael Robbert wrote:
> It is a commercial product, but they have a free version that will
> work with up to 500Mb per day of data.

Shame, adoption would be much better if this weren't the case.

-h

--
Hari Sekhon