Re: improving signal to noise ratio from centralized network syslogs

2018-02-06 Thread John Kougoulos
On Mon, Feb 5, 2018 at 9:27 PM, James Bensley wrote:
> On 5 February 2018 at 18:57, wrote:
> > On Mon, 05 Feb 2018 10:49:42 -0800, "Scott Weeks" said:
> >> I have no knowledge of syslog-ng. Does it do the
> >> real time scrolling like I mention?
>

Re: improving signal to noise ratio from centralized network syslogs

2018-02-05 Thread Brian Knight
On 2018-02-03 15:49, Scott Weeks wrote:
Then, you can watch your network in real time like so (below is all one line):
tail -f /var/log/router.log /var/log/switch.log | egrep -vi 'term1|term2|termN'
'egrep -v' takes out all the lines you don't want to see while the syslog messages scroll

Re: improving signal to noise ratio from centralized network syslogs

2018-02-05 Thread valdis . kletnieks
On Mon, 05 Feb 2018 20:27:13 +, James Bensley said:
> On 5 February 2018 at 18:57, wrote:
> > On Mon, 05 Feb 2018 10:49:42 -0800, "Scott Weeks" said:
> >> I have no knowledge of syslog-ng. Does it do the
> >> real time scrolling like I mention?
> >
> > Use 'tail -f'

Re: improving signal to noise ratio from centralized network syslogs

2018-02-05 Thread James Bensley
On 5 February 2018 at 18:57, wrote:
> On Mon, 05 Feb 2018 10:49:42 -0800, "Scott Weeks" said:
>> I have no knowledge of syslog-ng. Does it do the
>> real time scrolling like I mention?
>
> Use 'tail -f' or similar.
The only problem with BASH based solutions is

Re: improving signal to noise ratio from centralized network syslogs

2018-02-05 Thread valdis . kletnieks
On Mon, 05 Feb 2018 10:49:42 -0800, "Scott Weeks" said:
> I have no knowledge of syslog-ng. Does it do the
> real time scrolling like I mention?
Use 'tail -f' or similar.

Re: improving signal to noise ratio from centralized network syslogs

2018-02-05 Thread Scott Weeks
--- sh...@short.id.au wrote:
In addition to that, you can use some fancy awk colour coding, so you can make it highlight certain lines based on content. I use this for my e-mail logs, but I’m sure it could be adapted:
tail -n 1000 -f /var/log/mail-submission.log | grep smtp.*relay | awk '

Re: improving signal to noise ratio from centralized network syslogs

2018-02-05 Thread Scott Weeks
--- ta...@lanparty.ee wrote:
> This is done with the 'logging facility'
> command on the devices:
>
> After defining your syslog server's IP
> address and the level of messaging you want
> (I set it to debug because I want to see
> everything):
>
> on the routers: logging facility local0
> on

Re: improving signal to noise ratio from centralized network syslogs

2018-02-04 Thread Shane Short
In addition to that, you can use some fancy awk colour coding, so you can make it highlight certain lines based on content. I use this for my e-mail logs, but I’m sure it could be adapted:
tail -n 1000 -f /var/log/mail-submission.log | grep smtp.*relay | awk '
/sent/ {print "\033[32m" $0

Re: improving signal to noise ratio from centralized network syslogs

2018-02-04 Thread Jippen
I really recommend setting up fluentd, and then routing logging from there - it makes it very easy to keep auditor-appeasing logs, while also having important stuff sending pages. Log aggregation, organization, and search is a hard problem, other people have already done it and provided it as a

Re: improving signal to noise ratio from centralized network syslogs

2018-02-04 Thread Tarko Tikan
hey,
This is done with the 'logging facility' command on the devices:
After defining your syslog server's IP address and the level of messaging you want (I set it to debug because I want to see everything):
on the routers: logging facility local0
on the switches: logging facility local1

Re: improving signal to noise ratio from centralized network syslogs

2018-02-03 Thread Scott Weeks
--- jmai...@jmaimon.com wrote:
Centralized logging is a good thing. However, what happens is that every repetitive, annoying but not (usually) important thing fills up the log with reams of what you are not looking for.
---
Apologies, I'm late to the party.

Re: improving signal to noise ratio from centralized network syslogs

2018-01-31 Thread George William Herbert
From the systems side we got HoneycombIO which shifts a bit to calling itself events rather than logs management. I don't know anyone else who's tried using it for networks per se but that's on my "interesting tech tools explorations" medium length list.
-george

Re: improving signal to noise ratio from centralized network syslogs

2018-01-31 Thread Rich Kulawiec
On Thu, Jan 25, 2018 at 11:10:02PM -0500, Joe Maimon wrote:
> What I am interested in is an automated zoom-in zoom-out tool to mask the
> repetition of "normal" events and allow the unusual to stand out.
This is an approach outlined by Marcus Ranum years ago; he called it "artificial stupidity",

Re: improving signal to noise ratio from centralized network syslogs

2018-01-26 Thread Casey Russell
+1 for Graylog, you can pour ALL your syslog data into it, and then configure what are called streams. Streams are a way to whittle down the incoming log flows and see something LESS than everything. You can create a stream that only shows these 6 devices, or one that only shows log info

Re: improving signal to noise ratio from centralized network syslogs

2018-01-26 Thread Alain Hebert
ELK stack.
Java RAM devouring monster but Kibana makes indexing easy.
- Alain Hebert aheb...@pubnix.net
PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On

RE: improving signal to noise ratio from centralized network syslogs

2018-01-26 Thread Edwin Pers
On Fri, Jan 26, 2018 at 6:30 AM, Steven Miano wrote:
> either ELK (or any derivative thereof such as: Elasticache, Fluentd, Kibana)
I'm partial to graylog - it does some of the heavy lifting of getting a logging-centric ELK stack up and running
-Ed

Re: improving signal to noise ratio from centralized network syslogs

2018-01-26 Thread Steven Miano
Splunk is the obvious solution that most organizations with a mature security group will likely already have in their portfolio. Going a step further, and with an abundance of skill, ability, and forethought: either ELK (or any derivative thereof such as: Elasticache, Fluentd, Kibana), or

Re: improving signal to noise ratio from centralized network syslogs

2018-01-25 Thread Michael Loftis
On Thu, Jan 25, 2018 at 8:11 PM Joe Maimon wrote:
> Hey All,
>
> Centralized logging is a good thing. However, what happens is that every
> repetitive, annoying but not (usually) important thing fills up the log
> with reams of what you are not looking for.
>
> Networks are

improving signal to noise ratio from centralized network syslogs

2018-01-25 Thread Joe Maimon
Hey All,
Centralized logging is a good thing. However, what happens is that every repetitive, annoying but not (usually) important thing fills up the log with reams of what you are not looking for. Networks are a noisy place and silencing every logged condition is impractical and sometimes