Re: [Simple-evcorr-users] Scanning the logs using SEC
From: Risto V. <ris...@se...> - 2012-02-03 08:34:57
On 02/02/2012 10:24 PM, Ash...@em... wrote:
> Thanks Risto.
>
> We do have a few Perl scripts that scan for specific patterns in log files. Do you have any tool that converts those scripts to SEC's ruleset?
>
> -Ashok

It would be very hard to write such a tool, since the Perl and SEC rule languages are fairly different. There could be many constructs in your scripts that do not convert to SEC rules. However, if you are mostly relying on regular expressions for pattern detection, you can first identify all these expressions in your scripts, and then create Single rules from them.

hope this helps,
risto

>
> -----Original Message-----
> From: Risto Vaarandi [mailto:ris...@se...]
> Sent: Thursday, February 02, 2012 2:43 AM
> To: sim...@li...
> Subject: Re: [Simple-evcorr-users] Scanning the logs using SEC
>
> On 02/01/2012 11:22 PM, Ash...@em... wrote:
>> Hello Team,
>>
>> We are planning to use this tool to triage and debug in our product. But
>> we do have a few queries. Can you please clarify them?
>>
>> 1. Is it possible to use SEC to scan for a specific pattern from a group
>> of log files? I did notice that it is used as a pre-emptive tool; I just
>> want to know whether it can be used as an after-the-fact tool?
>
> If you mean finding patterns from log files that have already been
> created, the answer is yes -- you have to use the --notail option for this.
> Note, however, that a number of SEC's advanced event correlation
> features would not make sense in this particular context, since they
> work for real-time events only.
>
>> 2. Does it listen to only one file or a group of files? Can it monitor a
>> bunch of files?
>
> Yes, you can monitor an arbitrary number of files.
>
>> 3. If there are umpteen logfiles, what would be the
>> performance bottleneck?
>
> If you would be processing already created log files with the --notail
> option, then there wouldn't be much CPU time spent on needless
> overhead. However, if you are monitoring a very large number of files in
> real time, file status polling can consume quite some resources.
> Fortunately, if many of the files do not change frequently (e.g., new
> data are added once a minute or even less frequently), you can employ
> the --check-timeout option for reducing resource consumption. For
> example, using --check-timeout=10 will skip a status poll for a file for
> 10 seconds, if it has not been modified.
>
> kind regards,
> risto
>
>> Thanks,
>>
>> Ashok
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Sim...@li...
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
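As an added illustration of the advice above (not code from this thread or from the SEC project): a small Python helper that takes regexes lifted from a Perl triage script, emits one SEC Single rule per regex, and dry-runs them over constructed log lines the way `sec --notail` would report them. The pattern list, desc templates and log lines are constructed; Python's `re` is close to, but not identical with, the Perl regex dialect SEC uses, so the dry run is a sanity check before running sec itself.

```python
import re

# Constructed example: (rule name, regex lifted from a Perl script, SEC desc
# template using $N match variables) and constructed log lines to scan.
PATTERNS = [
    ("ssh_fail", r"sshd\[\d+\]: Failed password for (\S+) from (\S+)",
     "Failed SSH login for $1 from $2"),
    ("sudo_cmd", r"sudo: +(\S+) : .*COMMAND=(.*)$",
     "sudo by $1 ran $2"),
]
LOG_LINES = [
    "Feb  3 08:30:01 host sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2",
    "Feb  3 08:30:05 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb  3 08:31:10 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
]

def to_sec_rules(patterns):
    """Emit one SEC 'Single' rule per regex, separated by blank lines.
    In the action, %s expands to desc and 'write -' prints to stdout."""
    rules = []
    for name, regex, desc in patterns:
        re.compile(regex)  # fail fast on a regex the engine rejects
        rules.append("\n".join([
            f"# {name}", "type=Single", "ptype=RegExp",
            f"pattern={regex}", f"desc={desc}", "action=write - %s",
        ]))
    return "\n\n".join(rules) + "\n"

def scan_offline(patterns, lines):
    """Dry run approximating 'sec --notail': rules are tried in order, the
    first match wins (SEC's default continue=DontCont) and its desc is
    returned with $N replaced by capture groups ($0 = the whole line)."""
    compiled = [(n, re.compile(rx), d) for n, rx, d in patterns]
    hits = []
    for line in lines:
        for name, rx, desc in compiled:
            m = rx.search(line)
            if m:
                sub = lambda g: line if g.group(1) == "0" else (m.group(int(g.group(1))) or "")
                hits.append((name, re.sub(r"\$(\d+)", sub, desc)))
                break
    return hits

if __name__ == "__main__":
    print(to_sec_rules(PATTERNS))  # save as rules.conf, then run e.g.:
    # sec --conf=rules.conf --input=/var/log/auth.log --notail
    for name, msg in scan_offline(PATTERNS, LOG_LINES):
        print(f"{name}: {msg}")
```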