[c-nsp] Any good filters for syslog output

Eric Cables ecables at gmail.com
Thu Dec 18 11:11:15 EST 2008


I've been using swatch for a couple of years now, and have been pretty happy
with it (I used CiscoWorks' built-in syslog analyzer before, yuck!).  I have
had ambitions to test out SEC (Simple Event Correlator), which appears to
still be developed (not sure if I've seen a swatch update since I started
using it), but I just haven't had the time to do so.

For those who have used both swatch & SEC, do you have any arguments for
switching to SEC?

-- Eric Cables


On Thu, Dec 18, 2008 at 4:02 AM, William <willay at gmail.com> wrote:

> We use a combo of syslog-ng+swatch for our filtering which can do
> quite a lot for free, any more tips on what messages people are
> looking for on Cisco networks would be appreciated.
>
> Cheers,
>
> W
>
> 2008/12/18 Eric Van Tol <eric at atlantech.net>:
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> >> bounces at puck.nether.net] On Behalf Of Tuc at T-B-O-H
> >> Sent: Wednesday, December 17, 2008 3:54 PM
> >> To: cisco-nsp at puck.nether.net
> >> Subject: [c-nsp] Any good filters for syslog output
> >>
> >> Hi,
> >>
> >> We are going to be monitoring the syslog output (we already have
> >> a product (Zenoss)). Does anyone know of a repository of the "Watch
> >> for these regular expressions" to decide what is worth looking into, and
> >> what's worth ignoring.
> >>
> >>               Thanks, Tuc
> >
> > If you're looking for a supported, proprietary product, check out
> > Solarwinds Orion - much more than just a syslog repository, though.  You are
> > able to store syslogs in a SQL database, create rules for syslogs based upon
> > source IP, source hostname, message type (%LINK-4-ERROR, etc.), and message
> > contents.  You can also do fancy things like forward the syslog to another
> > syslog server, send an email/page, modify the message, and do time-of-day
> > rules.  On the downside, if all you need is a syslog server, you have to pay
> > for the entire Orion suite, which is pretty expensive.
> >
> > -evt
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
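As an added illustration for the thread (not code from the posters, swatch, SEC or Orion), a small Python filter that parses the Cisco %FACILITY-SEVERITY-MNEMONIC tag mentioned above and sorts constructed sample lines into ignore/watch/review buckets using regex lists plus a severity floor. The rule lists, hostnames, addresses and log lines are assumptions made for this example.

```python
import re
from collections import Counter

# Cisco IOS syslog messages carry a %FACILITY-SEVERITY-MNEMONIC: tag (severity 0 = emergency, 7 = debug).
TAG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

def parse_cisco_syslog(line):
    """Return (facility, severity, mnemonic, text), or None when no Cisco tag is present."""
    m = TAG_RE.search(line)
    if not m:
        return None
    return m["facility"], int(m["severity"]), m["mnemonic"], m["text"]

# Hypothetical rule lists built for this example; each regex is tried against
# "FACILITY-SEV-MNEMONIC: text". Ignore rules win, then the severity floor, then watch rules.
IGNORE_RULES = [
    r"^LINEPROTO-5-UPDOWN: .*changed state to up$",   # recovery notices are noise here
]
WATCH_RULES = [
    r"^SEC_LOGIN-4-LOGIN_FAILED:",                    # failed logins
    r"^SYS-5-CONFIG_I:",                              # configuration changes
    r"^LINK-[0-7]-UPDOWN: .*changed state to down$",  # physical link loss
]
WATCH_SEVERITY = 3  # error level or worse is always worth a look

def classify(line, ignore=IGNORE_RULES, watch=WATCH_RULES, max_sev=WATCH_SEVERITY):
    """Return 'ignore', 'watch', 'review' (unmatched, low severity) or 'unparsed'."""
    parsed = parse_cisco_syslog(line)
    if parsed is None:
        return "unparsed"
    facility, severity, mnemonic, text = parsed
    key = f"{facility}-{severity}-{mnemonic}: {text}"
    if any(re.search(p, key) for p in ignore):
        return "ignore"
    if severity <= max_sev or any(re.search(p, key) for p in watch):
        return "watch"
    return "review"

def summarize(lines):
    return Counter(classify(line) for line in lines)

# Constructed sample lines in the shape a syslog server receives from an IOS router.
SAMPLE = [
    "Dec 18 10:01:02 core1 1234: *Dec 18 10:01:01.993: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Dec 18 10:01:03 core1 1235: *Dec 18 10:01:02.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Dec 18 10:02:00 core1 1236: *Dec 18 10:02:00.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Dec 18 10:03:00 core1 1237: *Dec 18 10:03:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]",
    "Dec 18 10:04:00 core1 1238: *Dec 18 10:04:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up",
    "Dec 18 10:05:00 core1 last message repeated 3 times",
]
```

Running `summarize(SAMPLE)` on the constructed lines gives three watch, one review, one ignore and one unparsed line; the "review" bucket is where unmatched low-severity messages land so they can be promoted to a rule later.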

