Monitoring message and secure logs using regular expressions
My company is transitioning from being a traditional IT company to being a MSP/NOC.
The NOC software that we are using allows us to define regular expressions that logs will be monitored for. If the regular expression is not found, the status will be Ok/normal. If the regular expression is found, the status will show as warning and/or failed.
I'm looking for some suggestions for regular expressions that may be found in /var/log/messages and in /var/log/secure that should flag a warning or failed state for those logs in our NOC software.
The software shows failed if the expression if found at all, so I can't configure it to only show failed if, for example, there are 50 ssh login failures. It will show as failed if there is one failure, or 1000 failures, so I'm going to have to find a different way to deal with those, but any other message or secure log entries that can be used to flag warnings/failures will be very helpful.
|