

Logs



Log Analysis

Count-IF-in-Syslog parses a syslog extract for Cisco-style interface lines and produces a report summarizing how many times each interface appears. In addition, it produces three charts: calendar, day-of-week, and hour-of-day.

Daily-Syslog-Extracts consults a configuration file, pokes through yesterday's syslog, and mails whatever has survived to interested parties.

Examine-IPS-Logs pokes through yesterday's syslog, extracting Tipping Point messages and looking for *outbound* blocked events, i.e. internally infected hosts which are attempting to phone home to the mothership or are launching attacks. It sends mail to recipients according to subnets (i.e. a given recipient can register interest in infected hosts living on specific subnets).

Report-on-Syslog-Lines pokes through a syslog extract for a specified string and produces textual and graphical summaries of what it sees.

Remove-Dup-Syslog-Lines examines a syslog file for duplicated lines using two criteria: (a) identical time stamps (millisecond granularity), and (b) embedded Cisco IOS-style serial numbers. It produces a report and an output file from which the duplicates have been removed. I find this useful when I'm analyzing Layer 2 loop problems: Layer 2 loops can sometimes result in huge numbers of duplicated messages landing on my loghost, gumming up my subsequent analysis.
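The two de-duplication criteria described above, as an added example that is not the Remove-Dup-Syslog-Lines script itself. It assumes loghost lines of the form `Mon DD HH:MM:SS.mmm host NNNNNN: <IOS message>`, i.e. the device is configured with millisecond timestamps and sequence numbers; the sample extract and the function name `dedup_syslog` are constructed for illustration.

```python
import re
import sys

# Loghost timestamp with ms, then the sending host, then an optional IOS
# sequence number ("000123:") ahead of the message body. Assumed layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d{3})\s+(?P<host>\S+)\s+"
    r"(?:(?P<seq>\d+):\s+)?(?P<msg>.*)$"
)

# Constructed sample extract: one timestamp-duplicate, one sequence-number
# duplicate (same message re-delivered with a later loghost stamp), one
# line that does not parse at all.
SAMPLE = """\
Apr 27 10:15:32.123 sw1 000123: Apr 27 10:15:32.123: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Apr 27 10:15:32.123 sw1 000123: Apr 27 10:15:32.123: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Apr 27 10:15:32.456 sw1 000124: Apr 27 10:15:32.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Apr 27 10:15:32.789 sw1 000124: Apr 27 10:15:32.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Apr 27 10:15:33.001 sw2 000077: Apr 27 10:15:33.001: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to up
not a syslog line at all
"""


def dedup_syslog(lines):
    """Return (kept_lines, report). A line is dropped when an earlier line
    from the same host had the same ms timestamp and message text (a), or
    the same IOS sequence number (b). Unparsable lines are always kept."""
    seen_ts, seen_seq = set(), set()
    kept = []
    report = {"by_timestamp": 0, "by_seqno": 0, "unparsed": 0}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            report["unparsed"] += 1
            kept.append(line)
            continue
        ts_key = (m["host"], m["ts"], m["msg"])
        if ts_key in seen_ts:
            report["by_timestamp"] += 1
            continue
        # Sequence numbers restart on reload, so keying on (host, seq) is
        # only safe within a single day's extract, as the page's script does.
        seq_key = (m["host"], m["seq"]) if m["seq"] else None
        if seq_key and seq_key in seen_seq:
            report["by_seqno"] += 1
            continue
        seen_ts.add(ts_key)
        if seq_key:
            seen_seq.add(seq_key)
        kept.append(line)
    return kept, report


if __name__ == "__main__":
    src = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE.splitlines()
    out, rep = dedup_syslog(src)
    print("\n".join(out))
    print("# removed: %(by_timestamp)d by timestamp, %(by_seqno)d by seqno, %(unparsed)d unparsed kept" % rep, file=sys.stderr)
```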

Troubled-Interface-Report consults a configuration file, pokes through yesterday's syslog looking for Cisco Catalyst messages specific to interfaces, and mails the result to interested parties. Possible issues include: rogue DHCP servers, excessive link up/down events, invalid source MAC addresses, excessive MAC address movement between ports.


Last modified: 2017-04-28