[logs] Analyzing tons of logs
James Turnbull
james at lovedthanlost.net
Fri Mar 30 16:37:23 PDT 2007
Bamm Visscher wrote:
> I am always interested in feedback on how Sguil scales (both good and
> bad).
I guess when he said trillions of log entries I wasn't sure how Sguil
would cope. It is an interesting question - I've used it up to about the
20 million alert mark. That chewed (from memory) a lot of disk and
memory. Big quad box too.
> I wouldn't say Sguil is focused on Snort as much as it is on NSM. NSM is
> a network centric way to do security monitoring and Snort is the Sguil
> supported way to gather event/alert data. I am getting ready to
> release a new version and it will have the ability to receive generic
> events from other data sources (it's not perfect, but should be
> usable).
That sounds well worth a look - still in Tcl? No Perl/Java/etc/etc
version? If you'd like beta-testers (and haven't already got them) then feel free to drop me an email.
> Always glad to hear there are fans :)
Thanks for the useful product! :)
Regards
James Turnbull
--
James Turnbull <james at lovedthanlost.net>
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)