Hi,

There are about 140 Windows servers in our datacenter, and we're using Snare Epilog and Snare Agent for Windows to collect the event log and other text-based logs to a central server via syslog. We're also using logpp to normalize the events and SEC to correlate them. After that, the events which are correlated by SEC are forwarded to our ticket system, the Remedy system, to open a new ticket. At the beginning, because of the lack of SEC rules, we received a huge number of tickets. So we changed our way: every day we review the event log and collect the events which are important to us and should be handled manually, then we wrote rules for these events. It seems OK now. However, we did encounter some problems which are not resolved:

1. There are always some servers which are under maintenance in our datacenter, so in the maintenance windows the server guys do not want to receive the tickets. At first, we changed our rules with calendar and context, then restarted SEC to meet this requirement. Later we found this job seems impossible, because the hosts under maintenance change day by day and the maintenance windows can be random and overlap. For example, A and B are under maintenance during 00:00am-2:00am, and C and D are under maintenance during 01:00am-3:00am, so I should write about 140 maintenance contexts, one for each server.

2. How to manage the logpp and SEC rules. We've got more and more rules over time and would like to put them into some categories, easy to find, etc.

3. The next plan is to add the syslog of our Cisco devices into this system. As I found, SEC will correlate the event rule by rule until it matches a rule. That means a Cisco event would be passed through all Windows rules before it is correlated. I think it would lead to performance problems when rules for Cisco have been added. My simple solution is to run some separate processes to handle different events.
Please give some advice if you have experience. And also thanks, Risto, for developing such a good tool.

Rgds
LY

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
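One way to approach the maintenance-window problem from point 1 of the post above, as an added example that is neither part of the original message nor code shipped with SEC: instead of one static context per server, a single pair of rules creates and deletes a per-host context on demand when an operator sends a "MAINT START" / "MAINT END" line into the same syslog feed (for instance with `logger`), and a Suppress rule placed first in the rule file drops events from any host whose context exists. The rule file assumes the incoming lines are standard syslog format with the hostname as the fourth space-separated field (a constructed example line is shown in the comments), and `/usr/local/bin/open_ticket.sh` is a hypothetical script standing in for the Remedy integration.

```conf
# --- added example: dynamic per-host maintenance windows in SEC ---
# Assumed input format (constructed sample line):
#   Jan 10 01:05:00 hostA MSWinEventLog 1 Security 529 ... Logon Failure ...
# An operator opens a window by sending, e.g. with "logger -t maint":
#   Jan 10 00:00:01 admin maint: MAINT START host=hostA

# Open a maintenance context for the named host. The context is given a
# lifetime of 7200 s (2 hours) so it expires on its own even if the
# matching END line is never received; overlapping windows for different
# hosts are simply separate contexts (MAINT_hostA, MAINT_hostC, ...).
type=Single
ptype=RegExp
pattern=MAINT START host=(\S+)
desc=maintenance window opened for $1
action=create MAINT_$1 7200

# Close the window early when the operator reports the end of maintenance.
type=Single
ptype=RegExp
pattern=MAINT END host=(\S+)
desc=maintenance window closed for $1
action=delete MAINT_$1

# Placed before the ticketing rules: any event whose host field matches
# an existing MAINT_<host> context is dropped here and never reaches the
# rules below, so no ticket is opened for a server under maintenance.
type=Suppress
ptype=RegExp
pattern=^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) 
context=MAINT_$1
desc=suppress events from $1 during maintenance

# Example ticketing rule for one event type. The "context=!MAINT_$1" guard
# is redundant with the Suppress rule above but makes the rule safe on its
# own if it is later moved into a different rule file.
type=Single
ptype=RegExp
pattern=^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) MSWinEventLog\s+\d+\s+Security\s+(\d+)\s
context=!MAINT_$1
desc=open ticket for Security event $2 on $1
action=shellcmd /usr/local/bin/open_ticket.sh "$1" "$2"
```

With this layout the rule set stays the same size no matter how many servers exist, and no SEC restart is needed when the maintenance schedule changes: the schedule lives in the START/END lines, not in the configuration. Pairing the explicit lifetime on `create` with the `delete` on END is the fail-safe choice, since a lost END line would otherwise leave a host silently unmonitored.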
