<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 6, 2014 at 10:39 AM, JD <span dir="ltr"><<a href="mailto:jdp@algoloma.com" target="_blank">jdp@algoloma.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">A presentation topic in the making?<br>
"Handling system logs for a site with fantastic query/deep dive facilities"<br></blockquote><div><br></div><div>on a budget. That's a key phrase!<br><br></div><div>I need to keep original log files for HIPAA for at least one year. So that's messages, secure, audit, maillog plus application logs from Oracle and the custom software used. It's only 8 physical and 5 virtual machines, but it can mean up to 2G/day/system. And it _ALL_ has to be reviewed at least monthly. I'm looking at statistical analysis of various parts to point to anomalies for security issues.<br>
</div><div>Fred logs in daily around 9. Fred's account showed activity early one day around 5. Talk to Fred.<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5"><br>
On 06/06/2014 10:11 AM, Jeremy T. Bouse wrote:<br>
> On 06.06.2014 09:25, Beddingfield, Allen wrote:<br>
>> One of my co-workers set up Logstash, but it seems to take a lot of<br>
>> care and feeding, and a lot of servers. We are about to move that to<br>
>> Splunk.<br>
>> --<br>
>> Allen Beddingfield<br>
>> Systems Engineer<br>
>> The University of Alabama<br>
>><br>
><br>
> Not sure exactly what is meant by "care and feeding" but Logstash itself is<br>
> lightweight, the real storage and search is done via ElasticSearch. The more ES<br>
> servers the more distributed the searching power is and the more storage your ES<br>
> cluster has the more redundant and greater retention period you have. I've<br>
> actually written scripts that auto-snapshot off indexes daily and then close &<br>
> delete them after a specified retention period. Logstash stack pretty much runs<br>
> on auto-pilot at this point.<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div>
</div></div>
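<div dir="ltr">The "Fred logs in around 9, one day his account shows activity at 5" check described in the message above, worked through as an added example (this is not code from the original post or from either poster): a per-user baseline of login hours is built from earlier /var/log/secure sshd "Accepted" lines, and later logins whose hour sits too far from that baseline are flagged for follow-up. The log lines are constructed sample data in RHEL syslog layout, the hostname, usernames, addresses and the 3-sigma threshold are assumptions, and only successful logins are scored.</div>

```python
"""Baseline login hours per user from sshd 'Accepted' lines and flag outliers."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in /var/log/secure syslog layout (not real data).
# Fred logs in around 09:00 on four days, then once at 05:03 on Jun 6.
SAMPLE_SECURE_LOG = """\
Jun  2 09:02:11 db1 sshd[4011]: Accepted publickey for fred from 10.1.2.3 port 50122 ssh2
Jun  3 08:58:40 db1 sshd[4102]: Accepted publickey for fred from 10.1.2.3 port 50180 ssh2
Jun  4 09:05:02 db1 sshd[4190]: Accepted publickey for fred from 10.1.2.3 port 50234 ssh2
Jun  5 09:11:37 db1 sshd[4277]: Accepted publickey for fred from 10.1.2.3 port 50301 ssh2
Jun  6 05:03:19 db1 sshd[4350]: Accepted password for fred from 10.1.2.3 port 50377 ssh2
Jun  2 14:20:00 db1 sshd[4012]: Accepted publickey for alice from 10.1.2.7 port 41000 ssh2
Jun  3 13:50:12 db1 sshd[4103]: Accepted publickey for alice from 10.1.2.7 port 41010 ssh2
Jun  4 15:02:48 db1 sshd[4191]: Accepted publickey for alice from 10.1.2.7 port 41020 ssh2
Jun  5 14:45:33 db1 sshd[4278]: Accepted publickey for alice from 10.1.2.7 port 41031 ssh2
Jun  6 02:17:05 db1 sshd[4351]: Failed password for fred from 203.0.113.9 port 2222 ssh2
"""

# Only successful logins; failures, sudo and pam lines fall through the match.
ACCEPTED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_accepted(log_text, year=2014):
    """Yield (user, timestamp, source address, auth method) per successful sshd login.

    Classic syslog lines carry no year, so the caller supplies it (assumed 2014 here).
    """
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        yield m["user"], ts, m["src"], m["method"]


def login_hour(ts):
    """Hour of day as a float, so 09:30:00 -> 9.5."""
    return ts.hour + ts.minute / 60.0 + ts.second / 3600.0


def find_anomalous_logins(log_text, cutoff, min_samples=3,
                          z_threshold=3.0, floor_hours=0.5):
    """Baseline each user's login hour from logins before `cutoff`; score the rest.

    The standard deviation is floored at `floor_hours` so a perfectly regular user
    still tolerates a few minutes of jitter. Hours are treated linearly: a night
    shift that straddles midnight would need circular statistics instead.
    Returns a list of (user, timestamp, src, z_score); z is inf for users with no
    usable baseline, since a first-ever login is itself worth a look.
    """
    baseline = defaultdict(list)
    candidates = []
    for user, ts, src, method in parse_accepted(log_text):
        if ts < cutoff:
            baseline[user].append(login_hour(ts))
        else:
            candidates.append((user, ts, src))

    flagged = []
    for user, ts, src in candidates:
        hours = baseline.get(user, [])
        if len(hours) < min_samples:
            flagged.append((user, ts, src, float("inf")))
            continue
        mean = statistics.fmean(hours)
        sd = max(statistics.pstdev(hours), floor_hours)
        z = abs(login_hour(ts) - mean) / sd
        if z > z_threshold:
            flagged.append((user, ts, src, round(z, 2)))
    return flagged


def flag_sample_log():
    """Score the Jun 6 logins in the constructed sample against Jun 2-5 baselines."""
    return find_anomalous_logins(SAMPLE_SECURE_LOG, cutoff=datetime(2014, 6, 6))


if __name__ == "__main__":
    for user, ts, src, z in flag_sample_log():
        print(f"{ts:%b %d %H:%M:%S} {user} from {src}: {z} sigma off baseline. Talk to {user}.")
```

<div dir="ltr">Run against a real /var/log/secure the baseline window would be weeks, not four days, and the same shape of check applies to other fields the message mentions wanting to review: source address per user, auth method switching from publickey to password, or the host a given account normally touches.</div>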