events

PC paul4004 at gmail.com
Thu Oct 6 00:10:36 UTC 2011


I've tried quite a few solutions, and the solution that works for engineers
who know Linux and text parsing is often ill-suited to many operations
folks.

I have to admit, Splunk is nice and I prefer it, but the price is
outrageous.  If I'm logging from 500 routers/switches, I can likely get away
with a reasonable 5 GB/day license.  However, any firewall logging
per-connection statistics towards anything reasonably busy will quickly chew
through the 5 GB in no time with a single device, and I don't like paying
more in software licensing to log than I did for the firewall itself.  This,
combined with the removal of e-mail alerts in the 4.0 version when upgrading
from 3.0, which resulted in breakage without warning and no downgrade path, irked
me.  So that solution is out.

I've also heard of a coworker liking a solution called PHP-SYSLOG-NG.  Its
claim to fame was putting the events in a database so they are easily and
quickly searchable.  I didn't explore it further when I looked about a year
ago, as it was clear further development had ceased as the author had turned
it into a commercial solution called LogZilla.  I haven't explored pricing.

I now use SEC (Simple Event Correlator), linked by someone below.  It works
adequately well if you can write a regex which matches what you're watching
for and an output action.  Performance is acceptable, but there is some
hit.  However, it can keep the logs available in text file format, which is
nice for data parsing with command line tools in certain cases, where many
of the database alternatives don't.  The one thing SEC is missing that I
would enjoy is a community-based rules database for common alerts in
network products.

I believe there are adequate open source solutions, but the best seem to be
the commercial products, IMHO.


On Tue, Oct 4, 2011 at 8:27 AM, Jason LeBlanc <jml at packetpimp.org> wrote:

> +1 for SEC, minimal hit on the cpu like most parsing tools, the regexp can
> be painful but it is fairly extensible.  Once you get used to it you'll love
> it.
>
>
> On 10/04/2011 05:58 AM, Ben Roeder wrote:
>
>> Hi Mike,
>> We have used octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home
>> yes it is work safe :-) ) with ok results.
>> Have used sec ( simple event correlator http://simple-evcorr.sourceforge.net/ )
>> to some success in simple cases.
>>
>> Currently having another look at this myself and the following look
>> interesting, but have not deployed them yet
>> http://logstash.net/
>> http://graylog2.org/about
>>
>> Ben
>> On 30 Sep 2011, at 14:50, harbor235 wrote:
>>
>>> What is everyone using to collect, alert, and analyze syslog data?
>>> I am looking for something that can generate reports as well as support
>>> multiple vendors. We have done some home grown stuff in the past but
>>> would be interested in something that incorporates all the best features.
>>>
>>> Solarwinds, splunk, fwanalog, and others come to mind, any other good
>>> ones out there?
>>>
>>>
>>> Mike
>>>



More information about the NANOG mailing list