RE: [fw-wiz] parsing logs ultra-fast inline

Anton Chuvakin wrote:

While I am preparing to enter this discussion in full force :-), I
figured I'd shoot a quick one on this:

meaning. Take Tina's VPN example - how many types of log entries you
would expect from a VPN concentrator? From my experience, not more
than 20 but let's assume there are 50. Give a sample from each entry
to a Perl

He-he, no :-) I just looked at the old documentation bundle of Cisco
VPN 3000 messages and its nowhere near the above. How about 2049
unique messages documented by Cisco?

But don't miss my point! I don't have to parse all those 2k or more
messages, because I'm only after *one* thing: all I want to know (at least
starting out) is the source of an inbound remote access connection, because
my pick for lowest-hanging-fruit with regard to remote access abuse is
remote access coming from "unusual" locations.

In fact, the discussion is trying really hard to support the exact opposite
of what I was saying :-) If you start out trying to parse *everything*,
you're at best going to work really really hard for a long time. If you pick
one or two conditions that you or your local expert *know* are significant,
you get something up and running really quickly. That impresses management

cheers - tbird

firewall-wizards mailing list