Chuck Swiger wrote:
>Without fighting too hard, many log analysis tools for
>things like webserver or squid or firewall rules seem to process ~10K lines or
>events per second, which works out to a gigabyte every ten minutes or so,
>whereas other tools seem hopelessly incapable of handling large data sets.
I think it's because a lot of webserver analysis tools are designed to
rip through the data and provide statistical summaries and sorted
hit-lists, whereas the security-oriented log processing tools are
aimed at audit functions. Since the security problem is less well-bounded
than "show me the top 50 pages on my site!" the designers of those
systems often reach for the biggest hammer in their toolbox and
stuff everything into a SQL database, which promptly falls over,
leading them to conclude "it can't be done."
As we discussed last week; if you put some thought into figuring out
what you want to get from your log analysis, you can do it at extremely
high speeds, pre-compute all the running totals you need, cache
views into the data-sets as necessary, etc. But I used that evil
phrase "put some thought into..." and we know that most IT managers
would rather buy a $20,000 thingamajig than "put some thought into..."
anything.
mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 07 2006
Intro
