Manual Creation of Log Rules Is So 1999

SolarWinds just came out with a contest called Rule Your Log Data. In this contest, they are encouraging the community to build rules using their log management tool (Log & Event Manager) and submit them for review.

SolarWinds, much like Splunk, Sumo Logic, Loggly and dozens of other log server providers, has built a great product for storing logs and analyzing them. You can easily query the logs, build rules and alerts, and sift through the data when you need to.

The challenge is – you don’t have the time to do it. Every single engineer I’ve ever asked says they do not actively watch the logs flowing into their log management system. Instead, they wait for an outage to occur, then do the root cause analysis using the logs. Once the issue is found, they create a rule to alert when a similar log (or set of logs) occurs in the future.

That is not scalable:

  1. It takes too long to query the log database and build these rules.
  2. Sharing the rules you’ve created is sometimes really difficult (see an example for SolarWinds Log & Event Manager) and in all cases not straightforward.
  3. Most importantly – as a user – you’d want someone else to create those rules for you.

This last point drove us at indeni to build an automated mechanism for generating log analysis rules. indeni today starts by pulling the logs out of the devices we analyze (such as Check Point firewalls, Cisco routers, switches and firewalls, F5 load balancers and Palo Alto Networks firewalls). Then, it compares those logs to the knowledge that exists online about which logs require special attention. For example, if there is a knowledge article on the manufacturer’s website describing a certain issue, indeni will use that information to determine whether certain logs indicate the issue described in the article. Yes, you read that correctly – indeni automatically generates log analysis rules based on data available on the Internet.
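To make the two approaches in this post concrete, here is an added illustration (not indeni's code, and not the code of any log management product named above). It assumes a small catalogue of "known issues" distilled from vendor knowledge articles, each carrying a log pattern, and shows how rules can be generated from that catalogue and applied to log lines alongside a single hand-written rule of the kind an engineer creates after a root cause analysis. The article ids, the catalogue entries and the syslog lines are all constructed for the example; the message formats only approximate real vendor output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class KnownIssue:
    """One entry distilled from a vendor knowledge article (constructed for this example)."""
    article_id: str   # placeholder id, not a real vendor KB number
    vendor: str
    title: str
    pattern: str      # regex expected in the logs of an affected device
    severity: str

# Constructed catalogue of known issues: this is what an automated generator would
# keep up to date from the knowledge available online.
KNOWLEDGE_BASE: List[KnownIssue] = [
    KnownIssue("KB-PLACEHOLDER-1", "checkpoint", "Cluster member state change",
               r"ClusterXL.*state changed from (?P<from>\w+) to (?P<to>\w+)", "high"),
    KnownIssue("KB-PLACEHOLDER-2", "cisco", "Interface line protocol change",
               r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (?P<iface>\S+), "
               r"changed state to (?P<state>\w+)", "medium"),
    KnownIssue("KB-PLACEHOLDER-3", "f5", "Pool member down",
               r"Pool /Common/(?P<pool>\S+) member /Common/(?P<member>\S+) monitor status down", "high"),
]

@dataclass(frozen=True)
class LogRule:
    name: str
    regex: re.Pattern
    severity: str
    source: str   # the article the rule was generated from, or "manual"

def generate_rules(kb: List[KnownIssue]) -> List[LogRule]:
    """Turn every catalogue entry into an alert rule; no engineer time required."""
    return [LogRule(f"{i.vendor}:{i.title}", re.compile(i.pattern), i.severity, i.article_id)
            for i in kb]

def manual_rule(name: str, pattern: str, severity: str) -> LogRule:
    """The post-outage rule an engineer writes by hand after a root cause analysis."""
    return LogRule(name, re.compile(pattern), severity, "manual")

def evaluate(rules: List[LogRule], log_lines: List[str]) -> List[Dict]:
    """Apply every rule to every line; return one alert per (line, matching rule)."""
    alerts = []
    for line in log_lines:
        for rule in rules:
            m = rule.regex.search(line)
            if m:
                alerts.append({"rule": rule.name, "severity": rule.severity,
                               "source": rule.source, "fields": m.groupdict(), "line": line})
    return alerts

# Constructed syslog lines approximating the device formats named in the post.
SAMPLE_LOGS = [
    "Jan 12 10:01:02 fw1 kernel: ClusterXL: member state changed from Active to Down",
    "Jan 12 10:01:05 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Jan 12 10:01:09 lb1 mcpd[1234]: Pool /Common/web_pool member /Common/10.0.0.5:80 monitor status down.",
    "Jan 12 10:02:00 rtr1 %SYS-5-CONFIG_I: Configured from console by admin",
]

def run_example() -> List[Dict]:
    """Generated rules plus one manual rule, applied to the sample lines."""
    rules = generate_rules(KNOWLEDGE_BASE)
    # A rule written by hand after an incident traced back to an unexpected config change.
    rules.append(manual_rule("cisco:Configuration change", r"%SYS-5-CONFIG_I", "medium"))
    return evaluate(rules, SAMPLE_LOGS)

if __name__ == "__main__":
    for alert in run_example():
        print(f"[{alert['severity']}] {alert['rule']} (from {alert['source']}) {alert['fields']}")
```

Each alert records which knowledge article the rule came from, so when the catalogue is updated the rule can be regenerated and the resulting alert still points at its justification; the one manual rule shows up with `source == "manual"` for comparison.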

So – if your network management system asks you to create rules for alerting about certain logs, you should think long and hard about whether that system is built for the challenges of 2015. Then go to try.indeni.com and give indeni a spin.
