What would be the best way to correlate logs and events on several hosts?

Posted by user220746 on Server Fault See other posts from Server Fault or by user220746
Published on 2014-06-03T08:14:54Z Indexed on 2014/06/03 9:27 UTC
Read the original article Hit count: 265

Filed under:

linux

|

log-files

I'm trying to build a log correlation system on multiple hosts.

SEC seems interesting but I don't know if it will cover my needs.

How could I correlate system events, logs, network events, etc. on multiple hosts at the same time, in real time?

Examples:

If 5 failed logins happened on host A the last minute and if firewall B has denied lots of access on differents ports on A, then we assume there is a potential attack in progress on A.

If the Apache service on host A didn't receive any request for the last N minutes and Apache service on host B did, then the load balancing could be faulty.

© Server Fault or respective owner

Related posts about linux

apt-get install and update fail

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I've got a problem with apt-get update and apt-get install ... commands . every time update or installing fails and errors are : Get:1 http://dl.google.com stable Release.gpg [198B] Ign http://dl.google.com/linux/chrome/deb/ stable/main Translation-en_US Get:2 http://dl… >>> More
kernel module compiling error

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
sh@ubuntu:/home/ccpp/helloworld$ make gcc-4.6 -O2 -DMODULE -D_KERNEL_ -W -Wall -Wstrict-prototypes -Wmissing-prototypes -isystem /lib/modules/`uname -r`/build/include -c -o hello-1.o hello-1.c hello-1.c:4:0: warning: "MODULE" redefined [enabled by default] <command-line>:0:0: note: this is… >>> More
Build-Essentials installation failing

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I am having trouble accessing the several critical header files that show to be a part of the build process. The "Ubuntu Software Center" shows "Build Essentials" as installed: Next I did the following two commands, which did not improve the problem: ~$ sudo apt-get install build-essential [sudo]… >>> More
Updating Debian kernel

as seen on Super User - Search for 'Super User'
I'm trying to update my Debian machine to 2.6.32-46 (which is the new stable). However, after doing apt-get update my apt-cache search linux-image shows me: linux-headers-2.6.32-5-486 - Header files for Linux 2.6.32-5-486 linux-headers-2.6.32-5-686-bigmem - Header files for Linux 2.6.32-5-686-bigmem linux-headers-2… >>> More
Serial connection over a single USB cable (Windows to linux, or linux to linux)

as seen on Server Fault - Search for 'Server Fault'
I'm helping out with a project for an embedded device that only has USB and no serial. This device is running Linux. These days, when we need to connect to a serial port on a device we typically use a USB to serial adapter (on something like a phone system or a load balancing device, etc). I would… >>> More

Related posts about log-files

Problem with squid log files

as seen on Server Fault - Search for 'Server Fault'
I am using SARG to get a report on the squid log files, I get this result /usr/local/Sarg/bin/sarg -l /usr/local/squid/var/logs/access.log SARG: Records in file: 0, reading: 0.00% SARG: Records in file: 0, reading: 0.00% SARG: Records in file: 0, reading: 0.00% SARG: Records in file: 0, reading:… >>> More
Safe to enable compression C:\WINDOWS\system32\LogFiles

as seen on Server Fault - Search for 'Server Fault'
Will it slow down my website if I enable compression on the C:\WINDOWS\system32\LogFiles directory? These files are slowly but surely chewing away drive space and I'd like to slow the expansion. I'm worried however that this will also slow my websites. >>> More
My linux server time and log files are not the same

as seen on Server Fault - Search for 'Server Fault'
Hi i have installed NTP on my linux server and i am getting my clock from a 6500 core switch, everything is working fine. When i ssh to a switch i have it all sent to a log file on the linux server, this log file does not time stamp with the same time as i have on the server. the date and hwclock… >>> More
Minimizing SQL transaction log file size on developer box running simple recovery model

as seen on Server Fault - Search for 'Server Fault'
We have alot of SQL servers on development environment where we never take backup of the databases (TFS for code is enough). The (SharePoint) databases are all set to simple recovery model, but the log files, especially for the SharePoint configuration database is growing quite large and filling… >>> More
How to write to Tomcat log files

as seen on Stack Overflow - Search for 'Stack Overflow'
What is the easiest way to print out something in a Tomcat Log file. I was under the impression that System.out.println() would print to one of the log files. I just want to print out the value of a string, so the simplest solution would be best. If there is no simple/trivial solution I guess I… >>> More