On Jan 24, 2011, at 6:51 AM, Jeremy Charles wrote:

> Most of the log analysis/correlation threads in my E-mail archive seem to get 
> a lot of "yeah we use Splunk for that."  Allow me to ask the question this 
> way and see what happens...
>  
> I pressed my coworkers for some specific examples of what they'd like to have 
> a log correlator do for them.  Below is the non-trivial example that I 
> received.  Do any log correlation products have this sort of sophistication?
>  
>  
> The following sequence of events happen. Program sees the log entry for each 
> event, makes the correlation, and sends us an email that [insert user here] 
> is running bittorrent.
>     Link comes up on switch port
>     802.1x authentication succeeds
>     DHCP address issued
>     User logs into domain
>     Firewall starts logging the BitTorrent URL signature

I would imagine most any log correlation tool could do that. I know
that SEC can, although you might have to use a series of contexts if
the sequence is important. (That is, see the first message, set the
first context. If the second message is seen while the first context
is active, set the second context. Etc.)

--------------------------------------------------------------------
Leon Towns-von Stauber                  http://www.occam.com/leonvs/
"We have not come to save you, but you will not die in vain!"
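The chained-context approach described in the reply, worked through in Python as an added example (it is not SEC itself and not code from the thread): each stage sets its context only if the previous stage's context for the same port, MAC or IP is still active, and contexts expire after a lifetime the way SEC contexts do. The log formats and values below are constructed, not taken from any real device.

```python
import re

# Constructed sample events as (seconds, line); not taken from the thread.
EVENTS = [
    (0,  "switch: link up on port Gi1/0/7"),
    (2,  "radius: 802.1x success port=Gi1/0/7 mac=aa:bb:cc:dd:ee:01"),
    (5,  "dhcpd: DHCPACK on 10.1.2.50 to aa:bb:cc:dd:ee:01"),
    (9,  "dc: logon success user=jdoe src=10.1.2.50"),
    (40, "fw: sig=BitTorrent src=10.1.2.99 dst=203.0.113.9"),   # no chain for .99: ignored
    (60, "fw: sig=BitTorrent src=10.1.2.50 dst=203.0.113.9"),
]

# One entry per stage: regex, the context it requires (name, key field) and the
# context it creates (name, key field). This mirrors the SEC idea of "set the next
# context only while the previous one is active"; the key field is how the chain
# follows the same host from port to MAC to IP.
STAGES = [
    (re.compile(r"link up on port (?P<port>\S+)"), None, ("LINK", "port")),
    (re.compile(r"802\.1x success port=(?P<port>\S+) mac=(?P<mac>\S+)"), ("LINK", "port"), ("AUTH", "mac")),
    (re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)"), ("AUTH", "mac"), ("ADDR", "ip")),
    (re.compile(r"logon success user=(?P<user>\S+) src=(?P<ip>\S+)"), ("ADDR", "ip"), ("LOGON", "ip")),
]
FINAL = re.compile(r"sig=BitTorrent src=(?P<ip>\S+)")
LIFETIME = 3600  # seconds a context stays active, like a SEC context lifetime


def correlate(events, lifetime=LIFETIME):
    """Return (time, user, ip) alerts for hosts that completed the whole chain."""
    contexts = {}  # (context name, key) -> (expiry time, fields gathered so far)
    alerts = []
    for ts, line in events:
        for k in [k for k, (exp, _) in contexts.items() if exp <= ts]:
            del contexts[k]                      # expire stale contexts
        m = FINAL.search(line)
        if m:                                    # last step: needs an active LOGON context for this IP
            ctx = contexts.get(("LOGON", m["ip"]))
            if ctx:
                alerts.append((ts, ctx[1]["user"], m["ip"]))
            continue
        for regex, requires, creates in STAGES:
            m = regex.search(line)
            if not m:
                continue
            fields = m.groupdict()
            if requires:
                prior = contexts.get((requires[0], fields[requires[1]]))
                if prior is None:
                    break                        # out of order or unrelated host: no context set
                fields = {**prior[1], **fields}  # carry port/mac/ip/user along the chain
            contexts[(creates[0], fields[creates[1]])] = (ts + lifetime, fields)
            break
    return alerts
```

Running `correlate(EVENTS)` reports only the host that went through all five steps; dropping the link-up message or shrinking the lifetime below the gap to the firewall event yields no alert.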

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
