On Mon, Feb 22, 2010 at 04:15:22PM -0600, fedora fedora wrote:
> Does anyone have good recommendations for an open-source log parsing and
> analyzing application? It will be used to work with syslog-ng and other
> general syslog and application logs.
>
> I have been looking at swatch and logwatch, but would like to find out if
> there are other good choices, thanks
SEC does seem to be the "gold standard" in advanced log correlation beyond that available in "grep | mail" type systems such as logwatch. However, it is incredibly arcane, and despite reading a lot of documentation for it I've never really been able to wrap my head around it.

A colleague has started to write a SEC-like tool with (I hope) a more approachable mental model; take a look at http://github.com/rodjek/grok. I must (embarrassedly) admit I haven't looked at it yet, but he claims that he reimplemented sshd_sentry (the fail2ban equivalent we use) in two lines of rules, which seems like a nice (basic) demonstration.

- Matt
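To show the kind of correlation the reply has in mind (sshd_sentry/fail2ban-style counting of failed logins per source within a time window, rather than a plain "grep | mail" match), here is an added Python example; it is not code from the thread, from SEC, or from grok. The log lines are constructed, the syslog year is assumed (classic syslog stamps carry none), and the threshold and window are illustrative settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines for the example (not taken from the thread)
SAMPLE_LOG = """\
Feb 22 16:10:01 host sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 22 16:10:03 host sshd[2311]: Failed password for root from 203.0.113.7 port 51023 ssh2
Feb 22 16:10:04 host sshd[2314]: Failed password for invalid user admin from 198.51.100.9 port 40111 ssh2
Feb 22 16:10:05 host sshd[2311]: Failed password for root from 203.0.113.7 port 51024 ssh2
Feb 22 16:10:06 host sshd[2311]: Failed password for root from 203.0.113.7 port 51025 ssh2
Feb 22 16:10:40 host sshd[2320]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
Feb 22 16:20:07 host sshd[2331]: Failed password for invalid user admin from 198.51.100.9 port 40112 ssh2
Feb 22 16:20:09 host sshd[2311]: Failed password for root from 203.0.113.7 port 51030 ssh2
"""

# Matches the OpenSSH "Failed password" line behind a classic syslog timestamp
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def parse_ts(stamp: str, year: int = 2010) -> datetime:
    """Classic syslog stamps have no year; 2010 is an assumption for this example."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate_failures(log_text: str, threshold: int = 3, window_s: int = 60) -> list:
    """Return (time, source) for each source reaching `threshold` failures within
    any `window_s`-second span. A burst is reported once: the source's window is
    cleared after alerting so the same attack does not fire on every later line."""
    recent = defaultdict(deque)   # source -> failure timestamps still inside the window
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and other daemons are ignored
        ts, src = parse_ts(m["ts"]), m["src"]
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # age out failures older than the window
        if len(q) >= threshold:
            alerts.append((ts.strftime("%H:%M:%S"), src))
            q.clear()             # suppress repeats until a fresh burst builds up
    return alerts

if __name__ == "__main__":
    for when, src in correlate_failures(SAMPLE_LOG):
        print(f"{when} {src}: repeated sshd authentication failures")
```

The single alert comes from 203.0.113.7 at 16:10:05 (three failures inside 60 seconds); the two failures from 198.51.100.9 are ten minutes apart and never reach the threshold, which is exactly the distinction a per-line grep cannot make.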