syslog-ng and log analyzers
Hi All,

I would like to see what you'd suggest as a log analyzer tool(s) on a centralized log server running syslog-ng.

I also need to use a specific tool as PF log analyzer. What do you suggest for that purpose?

Rami Sik
Re: syslog-ng and log analyzers
On Wed, Feb 20 2008 at 32:08, Rami Sik wrote:
> Hi All,

Hi alone,

> I would like to see what you'd suggest as a log analyzer tool(s) on a centralized log server running syslog-ng.

In our network, I decided to analyse the logs received by syslog-ng with Prelude-LML. In fact, all logs are retransmitted to the Prelude-LML syslog daemon binding on localhost. Prelude-LML can find security threats in the logs of numerous products. It's easy to see them with the Prelude console (Prewikka).

The fact that only a copy is sent to prelude-lml permits storing the logs as you want. This way you can analyse mail or web logs with your favorite log analyser. We intend to use awstats for this purpose.

> I also need to use a specific tool as PF log analyzer. What do you suggest for that purpose?

For the moment, I haven't chosen any product to analyse pf logs. I haven't yet found a firewall log analyser that emphasises the important alerts rather than summarising all the connections in a beautiful graph.

Claer
Re: syslog-ng and log analyzers
On Wed, Feb 20, 2008 at 08:32:31AM -0800, Rami Sik wrote:
| I would like to see what you'd suggest as a log analyzer tool(s) on a
| centralized log server running syslog-ng.
|
| I also need to use a specific tool as PF log analyzer. What do you
| suggest for that purpose?

I prefer to use a log notification tool instead of relying on a tool to figure out what is going on. Since I pretty much know what I'm looking out for, I can define certain things to watch for and then set up appropriate notifications.

Check out tenshi -- written for Gentoo Linux, but is just Perl.

http://www.gentoo.org/proj/en/infrastructure/tenshi/

later.
ryanc
Re: syslog-ng and log analyzers
On Feb 20, 2008 10:51 AM, Ryan Corder [EMAIL PROTECTED] wrote:
> On Wed, Feb 20, 2008 at 08:32:31AM -0800, Rami Sik wrote:
> | I would like to see what you'd suggest as a log analyzer tool(s) on a
> | centralized log server running syslog-ng.
> |
> | I also need to use a specific tool as PF log analyzer. What do you
> | suggest for that purpose?
>
> I prefer to use a log notification tool instead of relying on a tool to figure out what is going on. Since I pretty much know what I'm looking out for, I can define certain things to watch for and then set up appropriate notifications.
>
> Check out tenshi -- written for Gentoo Linux, but is just Perl.

Another vote for Tenshi. Probably the best way to do it with syslog-ng is to have syslog-ng forward logs to Tenshi (listening on loopback), because otherwise Tenshi won't be able to follow the logs (if you organize them by date, etc.).

-Kian
Re: syslog-ng and log analyzers
* Rami Sik [EMAIL PROTECTED] [2008-02-20 17:47]:
> I would like to see what you'd suggest as a log analyzer tool(s) on a
> centralized log server

there's a very nice way to do that with the trustworthy syslogd (yeah, the one without that -ng suffix) we ship. just put the following line in your syslog.conf:

*.* |/usr/local/sbin/logsurfer -d /picksomething -s

the very nice part of the story is that syslogd will take care of forking logsurfer, and start a new one if it should die for whatever reason. it'll take you a while to write sensible logsurfer rules, but after a while of spamming you it'll nicely report anomalies.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: syslog-ng and log analyzers
On Wed, Feb 20, 2008 at 11:12:06AM -0800, Kian Mohageri wrote:
| Another vote for Tenshi. Probably the best way to do it with
| syslog-ng is to have syslog-ng forward logs to Tenshi (listening on
| loopback) because otherwise Tenshi won't be able to follow the logs
| (if you organize them by date, etc.).

I have syslog-ng keep an additional 'catchall' log that only the tenshi user has access to. It is then rotated every 24 hours via logrotate. This method is no more or less secure, but in my mind it is one less process listening on a socket.
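The two ways of feeding Tenshi that Kian and Ryan describe above (a copy forwarded to a loopback listener, or a flat catchall file readable only by the tenshi user), written out as a syslog-ng 2.x style configuration. This is an added example, not configuration from any of the posters; the source name, file paths, the tenshi user/group and the loopback port 5140 are assumptions.

```conf
# Added example (not from any post in this thread).  Paths, names and
# port numbers are assumptions; pick the ones that fit your host.

options { keep_hostname(yes); };

# Logs arriving from the other hosts on the network.
source s_net { udp(ip("0.0.0.0") port(514)); };

# 1) Normal per-host storage, organised by date as usual.  Tenshi cannot
#    follow files whose names change every day, hence the two extra feeds.
destination d_hosts {
    file("/var/log/hosts/$HOST/$YEAR$MONTH$DAY.log"
         owner("root") group("wheel") perm(0640) create_dirs(yes));
};

# 2) Kian's approach: a copy of every message forwarded to Tenshi,
#    which listens on the loopback address only.
destination d_tenshi { udp("127.0.0.1" port(5140)); };

# 3) Ryan's approach: a single 'catchall' file that only the tenshi
#    user can read, rotated daily by logrotate, no extra socket.
destination d_catchall {
    file("/var/log/catchall.log"
         owner("tenshi") group("tenshi") perm(0600));
};

# The same source is delivered to every destination; drop the log
# statement for whichever of 2) or 3) you do not use.
log { source(s_net); destination(d_hosts); };
log { source(s_net); destination(d_tenshi); };
log { source(s_net); destination(d_catchall); };
```

With the file approach the logrotate rule must recreate /var/log/catchall.log with the same owner and 0600 mode, otherwise the access restriction is lost on the first rotation.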