[Logs-devel] philosophical question

From: Jim Prewett
Subject: [Logs-devel] philosophical question
Date: Sat, 19 Nov 2005 08:10:31 -0700 (MST)
Hi guys,
I've got a tough question for you all :)
What /should/ a (rule-based) log analysis tool, such as SEC or LoGS or
Logsurfer do with an un-matched message?
Most (all?) AFAICT currently silently ignore the message. LoGS is in this
category too (because I copied Logsurfer :)
I see four possibilities for what the tool could do:
1. silently ignore
2. print to the screen (so a rule-less config would essentially give you
tail -f)
3. write to a special (or user-defined) file
4. some other user-defined thing
Now, common practice is for the tool itself to do #1 and the ruleset
designer is responsible for doing #4 (which, commonly, will end up doing
#2 or #3).
Should this be a configurable thing? What would you set the default to?
I've just been thinking about it and maybe #1 isn't the right way for the
tool to behave; in many cases the *most* interesting messages are those
that aren't handled by your ruleset.
My only concern with /not/ doing #1 is that a flood of messages could
severely impact the system with any other option (ask me about my IBM E1350
cluster and its Serial Over LAN sometime; just know that I can get 150
messages/second/blade (I have 96 blades, so ~14,0000 messages/second)
worth of bogus messages when SOL goes south).
What do you think? :)
Thanks,
Jim
James E. Prewett address@hidden address@hidden
Systems Team Leader LoGS: http://www.hpc.unm.edu/~download/LoGS/
Designated Security Officer OpenPGP key: pub 1024D/31816D93
HPC Systems Engineer III UNM HPC 505.277.8210
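The four options for an unmatched message, plus the flood concern raised in the mail, can be made concrete in a small rule matcher. The following is an added example written for this archive page; it is not code from LoGS, SEC or Logsurfer, and the rule patterns, sample log lines and the `LogAnalyzer` class are constructed for illustration. The unmatched-message policy is a constructor argument (defaulting to option 1, silent ignore), and a sliding one-second window caps how many unmatched lines any of the other three policies may forward, so a burst of bogus console noise is counted and summarised instead of being written out line by line.

```python
import re
import sys
from collections import deque

# Constructed rule set (hypothetical patterns, not LoGS/SEC/Logsurfer syntax):
# each rule is (compiled regex, action label).
RULES = [
    (re.compile(r"sshd\[\d+\]: Failed password for"), "ssh-auth-failure"),
    (re.compile(r"kernel: Out of memory"), "oom"),
]


class LogAnalyzer:
    """Minimal rule matcher that makes the unmatched-message policy explicit.

    policy is one of the four options from the mail:
      "ignore"   - drop silently (option 1, the current default in most tools)
      "print"    - write to stdout, like tail -f (option 2)
      "file"     - append to a separate file-like object `sink` (option 3)
      "callback" - hand the line to a user function `sink(line)` (option 4)
    The flood guard caps how many unmatched lines per second are forwarded;
    the rest are counted and reported as a single summary line later.
    """

    def __init__(self, rules, policy="ignore", sink=None, max_unmatched_per_sec=100):
        if policy not in ("ignore", "print", "file", "callback"):
            raise ValueError("unknown unmatched policy: %s" % policy)
        self.rules = rules
        self.policy = policy
        self.sink = sink
        self.limit = max_unmatched_per_sec
        self.window = deque()   # timestamps of unmatched lines forwarded in the last second
        self.suppressed = 0     # unmatched lines dropped by the flood guard, not yet reported
        self.matched = []       # (action, line) pairs for lines a rule handled
        self.forwarded = []     # unmatched lines that were actually emitted

    def _emit(self, text):
        if self.policy == "print":
            sys.stdout.write(text + "\n")
        elif self.policy == "file":
            self.sink.write(text + "\n")
        elif self.policy == "callback":
            self.sink(text)

    def process(self, line, now):
        """Classify one line; `now` is the event time in seconds (injected so tests are deterministic)."""
        for pattern, action in self.rules:
            if pattern.search(line):
                self.matched.append((action, line))
                return "matched"
        if self.policy == "ignore":
            return "ignored"
        # Slide the one-second window forward, dropping timestamps older than a second.
        while self.window and now - self.window[0] >= 1.0:
            self.window.popleft()
        if len(self.window) >= self.limit:
            self.suppressed += 1
            return "suppressed"
        if self.suppressed:
            # The window has room again: report what the guard dropped, then reset the counter.
            self._emit("[flood guard] suppressed %d unmatched messages" % self.suppressed)
            self.suppressed = 0
        self.window.append(now)
        self.forwarded.append(line)
        self._emit(line)
        return "forwarded"


def run_demo(policy="callback", limit=3):
    """Feed a constructed stream through the analyzer and return what happened."""
    received = []
    analyzer = LogAnalyzer(RULES, policy=policy, sink=received.append,
                           max_unmatched_per_sec=limit)
    # Constructed sample: one matched line, a burst of bogus console noise, one more match.
    lines = ["host sshd[123]: Failed password for alice from 192.0.2.10 port 2222 ssh2"]
    lines += ["blade%02d SOL: garbage frame 0x%02x" % (i % 4, i) for i in range(8)]
    lines.append("host kernel: Out of memory: Kill process 4242")
    # All ten lines arrive within half a second, so the flood guard engages after `limit` lines.
    results = [analyzer.process(l, now=i * 0.05) for i, l in enumerate(lines)]
    # Five seconds later the window has drained; the guard reports the suppressed count first.
    later = analyzer.process("blade00 SOL: back to normal", now=5.0)
    return results, later, received, analyzer


if __name__ == "__main__":
    results, later, received, analyzer = run_demo()
    print(results, later)
    for text in received:
        print(text)
```

With the callback policy and a limit of three, the first three unmatched lines reach the sink, the next five are suppressed, and the summary line is emitted just before the first unmatched line after the window drains; with `policy="ignore"` the guard never runs and unmatched lines are simply dropped, which is the behaviour the mail describes as current practice.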