[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Logs-devel] philisophical question

From: Jim Prewett
Subject: [Logs-devel] philisophical question
Date: Sat, 19 Nov 2005 08:10:31 -0700 (MST)

Hi guys,

I've got a tough question for you all :)

What /should/ a (rule-based) log analysis tool, such as SEC or LoGS or
Logsurfer do with an un-matched message?

Most (all?) AFAICT currently silently ignore the message.  LoGS is in this
category too (because I copied Logsurfer :)

I see four possibilities for what the tool could do:
1. silently ignore
2. print to the screen (so a rule-less config would essentialy give you
tail -f)
3. write to a special (or user-defined) file
4. some other user-defined thing

Now, common practice is for the tool itself to do #1 and the ruleset
designer is responsible for doing #4 (which, commonly, will end up doing
#2 or #3).

Should this be a configurable thing?  What would you sent the default to?

I've just been thinking about it and maybe #1 isn't the right way for the
tool to behave; In many cases the *most* interesting messages are those
that aren't handled by your ruleset.

My only concern with /not/ doing #1 is that a flood of messages could
severly impact the system with any other option (ask me about my IBM E1350
cluster and its Serial Over LAN sometime; just know that I can get 150
messages/second/blade (I have 96 blades, so ~14,0000 messages/second)
worth of bogus messages when SOL goes south).

What do you think? :)


James E. Prewett                    address@hidden address@hidden
Systems Team Leader           LoGS: http://www.hpc.unm.edu/~download/LoGS/
Designated Security Officer         OpenPGP key: pub 1024D/31816D93
HPC Systems Engineer III   UNM HPC  505.277.8210

reply via email to

[Prev in Thread] Current Thread [Next in Thread]