Re: Log monitoring

From: Alex Kirhenshtein <alk_at_DOMAIN_REMOVED>
Date: Tue, 13 Sep 2005 19:23:17 +0300

for syslog:

"event host" should be added
"event source" - application name

example:
Sep 13 21:11:01 kenny sshd(pam_unix)[5605]: check pass; user unknown
Sep 13 21:11:01 kenny sshd(pam_unix)[5605]: authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=**.**.**.**
Sep 13 21:11:03 kenny sshd[5605]: Failed password for invalid user lpd
from **.**.**.** port 53713 ssh2
Sep 13 19:04:32 cartman su(pam_unix)[7774]: session closed for user root
Sep 13 19:04:33 cartman su(pam_unix)[8244]: authentication failure;
logname= uid=1000 euid=0 tty=pts/0 ruser=alk rhost= user=root
Sep 13 19:04:35 cartman su[8244]: pam_authenticate: Authentication failure

Victor Kirhenshtein wrote:
> Hi all!
>
> Below is a proposed scheme for log monitoring.
>
> I. Key points
>
> 1. Logs should be processed by agents.
> 2. Agent should check each log record against log processing policy, and
> generate appropriate event if match detected.
> 3. Agent can have more than one log processing policy installed.
> 4. Log processing policies should be created and distributed from
> administrator's console, allowing centralized management of log
> processing.
>
>
> II. Log processing policy
>
> Log processing policy is a set of matching rules with the following
> attributes:
>
> Matching criteria:
> * Event id range (integer range)
> * Event source (regexp)
> * Log message (regexp)
>
> Action data:
> * NetXMS event id
>
> Event ID range and event source matching are used only for Windows Event
> Log. All text log files should be matched only by message text.
> Also, log processing policy should have version attribute, so agent
> after restart could determine if it has the latest policy installed and
> request latest one from server if needed.
>
>
> III. Additional questions to discuss
>
> 1. Should we implement log processing as a separate subagent or as part
> of core agent?
> 2. How can we guarantee event delivery from agent to server?
> 3. What to do on agent startup - parse already existing log records or
> just wait for new records?
>
> Any comments?
>
> Best regards,
> Victor
>

-- 
Alex Kirhenshtein
C.T.Co
Cellular: +371-9145688
Received on Tue Sep 13 2005 - 19:23:17 EEST
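An added example, not code from this thread or from NetXMS: it pulls the "event host" and "event source" (application name) Alex asks for out of the syslog lines quoted above, re-joins the lines the mail client wrapped, and runs each record through a policy shaped like Victor's (source regexp, message regexp, NetXMS event id). The rule regexps and the event ids 100001/100002 are constructed placeholders.

```python
import re
from dataclasses import dataclass

# One syslog record: "<Mmm dd HH:MM:SS> <host> <app>[(module)][[pid]]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<app>[^\s\[(:]+)(?:\((?P<module>[^)]*)\))?(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

@dataclass
class Rule:
    source: str     # regexp on the application name ("event source")
    message: str    # regexp on the message text
    event_id: int   # NetXMS event id to generate (placeholder values below)

# Constructed policy: two rules, first match wins.
POLICY = [
    Rule(r"^sshd$", r"Failed password for invalid user", 100001),
    Rule(r"^su$", r"authentication failure", 100002),
]

# Sample input: the lines from the post, wrapped exactly as the mail shows them.
SAMPLE = """\
Sep 13 21:11:01 kenny sshd(pam_unix)[5605]: check pass; user unknown
Sep 13 21:11:01 kenny sshd(pam_unix)[5605]: authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=**.**.**.**
Sep 13 21:11:03 kenny sshd[5605]: Failed password for invalid user lpd
from **.**.**.** port 53713 ssh2
Sep 13 19:04:32 cartman su(pam_unix)[7774]: session closed for user root
Sep 13 19:04:33 cartman su(pam_unix)[8244]: authentication failure;
logname= uid=1000 euid=0 tty=pts/0 ruser=alk rhost= user=root
Sep 13 19:04:35 cartman su[8244]: pam_authenticate: Authentication failure
"""

def unwrap(text):
    """A line that does not start with a timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if SYSLOG_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def parse(record):
    m = SYSLOG_RE.match(record)
    if not m:
        return None  # not a syslog record: policy never sees it
    return {"host": m["host"], "source": m["app"], "module": m["module"],
            "pid": m["pid"], "message": m["msg"]}

def apply_policy(records, policy):
    """Return (host, source, event_id) for every record a rule matches."""
    events = []
    for rec in records:
        f = parse(rec)
        if f is None:
            continue
        for rule in policy:
            if re.search(rule.source, f["source"]) and re.search(rule.message, f["message"], re.I):
                events.append((f["host"], f["source"], rule.event_id))
                break
    return events

def run():
    return apply_policy(unwrap(SAMPLE), POLICY)

if __name__ == "__main__":
    for event in run():
        print(event)
```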