On 2011 Jan 24, at 09:11, Leon Towns-von Stauber wrote:
>
> On Jan 24, 2011, at 6:51 AM, Jeremy Charles wrote:
>
>> Most of the log analysis/correlation threads in my E-mail archive seem to
>> get a lot of "yeah we use Splunk for that." Allow me to ask the question
>> this way and see what happens...
>>
>> I pressed my coworkers for some specific examples of what they'd like to
>> have a log correlator do for them. Below is the non-trivial example that I
>> received. Do any log correlation products have this sort of sophistication?
>>
>> The following sequence of events happens. Program sees the log entry for each
>> event, makes the correlation, and sends us an email that [insert user here]
>> is running bittorrent.
>> Link comes up on switch port
>> 802.1x authentication succeeds
>> DHCP address issued
>> User logs into domain
>> Firewall starts logging the BitTorrent URL signature
>
> I would imagine most any log correlation tool could do that. I know
> that SEC can, although you might have to use a series of contexts if
> the sequence is important. (That is, see the first message, set the
> first context. If the second message is seen while the first context
> is active, set the second context. Etc.)
I reviewed a number of log analysis and storage appliances and products a few years back. While Splunk was not on the list of products to evaluate thoroughly, only one product was capable of a context interpretation of a message. Multiple contexts seem to be readily supported by those few products I've found since then that support any context concept at all.

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue."
Edward R Murrow (1964)

Mark McCullough
[email protected]
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
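As an added illustration, not part of the thread, of the chained-context approach Leon describes for SEC, here is a small Python correlator that walks Jeremy's five-step sequence over constructed sample log lines: each stage's context is only set while the previous one is still active, and the captured port/MAC/user/IP fields must agree along the chain. The log formats, field names and the 300-second context lifetime are assumptions; SEC itself would express this as a rule file rather than Python.

```python
import re
# Chained-context correlator in the style SEC uses: stage N's context is created
# only while stage N-1's context is still active, and the fields captured so far
# (port, mac, user, ip) must agree. Log formats are constructed for illustration.
WINDOW = 300  # seconds a context stays active (assumed lifetime)
STAGES = [  # (context name, pattern, fields that must match the carried context)
    ("LINK_UP",      r"switch: port (?P<port>\S+) link up", ()),
    ("DOT1X_OK",     r"dot1x: port (?P<port>\S+) auth ok user=(?P<user>\S+) mac=(?P<mac>\S+)", ("port",)),
    ("DHCP_ACK",     r"dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)", ("mac",)),
    ("DOMAIN_LOGON", r"dc: logon ok user=(?P<user>\S+) from (?P<ip>\S+)", ("user", "ip")),
    ("BITTORRENT",   r"fw: signature=BitTorrent src=(?P<ip>\S+)", ("ip",)),
]
STAGES = [(name, re.compile(pat), keys) for name, pat, keys in STAGES]

def correlate(lines):
    """Feed '<epoch> <message>' lines; return the users flagged as running BitTorrent."""
    ctx = {}      # active contexts: name -> (expiry, fields accumulated along the chain)
    alerts = []
    for line in lines:
        ts, msg = line.split(" ", 1)
        ts = int(ts)
        for i, (name, rx, keys) in enumerate(STAGES):
            m = rx.search(msg)
            if not m:
                continue
            fields = {}
            if i > 0:                      # require the previous context, unexpired
                prev = ctx.get(STAGES[i - 1][0])
                if prev is None or prev[0] < ts:
                    break                  # out of sequence or too late: ignore
                fields = dict(prev[1])
            if any(fields.get(k) != m.group(k) for k in keys):
                break                      # right event type, different host/user
            fields.update(m.groupdict())
            ctx[name] = (ts + WINDOW, fields)
            if name == "BITTORRENT":
                alerts.append(fields["user"])
                ctx.clear()                # one report per completed chain
            break
    return alerts

SAMPLE_LOG = [  # constructed sample lines
    "1000 switch: port Gi1/0/7 link up",
    "1003 dot1x: port Gi1/0/7 auth ok user=jdoe mac=00:11:22:33:44:55",
    "1005 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55",
    "1020 dc: logon ok user=jdoe from 10.0.5.23",
    "1200 fw: signature=BitTorrent src=10.0.5.99",  # other host: ignored
    "1210 fw: signature=BitTorrent src=10.0.5.23",  # completes the chain
]
```

Calling `correlate(SAMPLE_LOG)` returns `['jdoe']`; a firewall hit with no preceding chain, or a chain whose earlier context has expired, produces no alert.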
