From the systems side we got HoneycombIO which shifts a bit to calling itself events rather than logs management. I don't know anyone else who's tried using it for networks per se but that's on my "interesting tech tools explorations" medium length list.
-george Sent from my iPhone

> On Jan 31, 2018, at 7:17 AM, Rich Kulawiec <r...@gsp.org> wrote:
>
>> On Thu, Jan 25, 2018 at 11:10:02PM -0500, Joe Maimon wrote:
>> What I am interested in is an automated zoom-in zoom-out tool to mask the
>> repetition of "normal" events and allow the unusual to stand out.
>
> This is an approach outlined by Marcus Ranum years ago; he called it
> "artificial stupidity", and it works. (Of course, an inverse check
> that makes sure routine boring things are still happening is also
> a good idea.)
>
> You could use any number of elaborate (and sometimes expensive) tools
> to do this, but I recommend rolling your own with Perl or similar.
> This is goodness for two reasons: first, it forces you to look at your
> own data, which is really helpful. You'll be surprised at what you
> find if you've never done it before. Second, it lets you customize for
> your environment at every step.
>
> I have written dozens of these, some as trivial as a few lines of code,
> some quite extensive. None of them "solve" the problem per se, they just
> all take bites out of it. But this admittedly-simplistic (and deliberately
> so) approach has flagged a lot of issues, and because it's simple,
> it's easy to connect to other monitoring/alerting plumbing.
>
> ---rsk
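A minimal roll-your-own version of the "artificial stupidity" filter and the inverse routine check quoted above, written in Python instead of Perl. This is an added example, not code from anyone in the thread; the sample syslog lines, hostnames, pattern names and the "daily config backup" job are all constructed for illustration.

```python
import re

# Constructed sample syslog lines for demonstration (not from the thread).
SAMPLE_LOG = """\
Jan 31 07:00:01 core-rtr1 sshd[1201]: Accepted publickey for netops from 10.0.0.5 port 51022
Jan 31 07:00:02 core-rtr1 CRON[1210]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Jan 31 07:05:00 core-rtr1 ntpd[400]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
Jan 31 07:05:01 core-rtr1 sshd[1250]: Failed password for invalid user admin from 203.0.113.9 port 4022
Jan 31 07:10:02 core-rtr1 CRON[1260]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Jan 31 07:12:44 core-rtr1 kernel: eth1: link is down
"""

# "Artificial stupidity": patterns for events known to be routine in this
# (constructed) environment. Each is named so the report can say how much
# repetition was masked rather than silently dropping it.
BORING = {
    "sshd netops login": re.compile(r"sshd\[\d+\]: Accepted publickey for netops from 10\.0\.0\.\d+ port \d+$"),
    "CRON sysstat": re.compile(r"CRON\[\d+\]: \(root\) CMD \(/usr/lib/sysstat/sa1 1 1\)$"),
}

# Inverse check: routine events that must still show up at least once per run.
EXPECTED = {
    "CRON sysstat": BORING["CRON sysstat"],
    "daily config backup": re.compile(r"backup\[\d+\]: config backup completed$"),
}

def filter_log(log_text):
    """Mask known-boring lines, count them, and flag missing routine events."""
    unusual, masked, seen = [], {name: 0 for name in BORING}, set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        for name, pat in EXPECTED.items():
            if pat.search(line):
                seen.add(name)
        hit = next((name for name, pat in BORING.items() if pat.search(line)), None)
        if hit is None:
            unusual.append(line)   # zoom-in: let the unusual stand out
        else:
            masked[hit] += 1       # zoom-out: keep only a count of the routine
    return {"unusual": unusual, "masked": masked, "missing_routine": sorted(set(EXPECTED) - seen)}

if __name__ == "__main__":
    result = filter_log(SAMPLE_LOG)
    print("\n".join("UNUSUAL: " + line for line in result["unusual"]))
    print("masked:", result["masked"], "missing routine:", result["missing_routine"])
```

On the sample input the three non-routine lines (ntpd, the failed login, the link-down) are reported, the two boring patterns are summarised as counts, and the backup job that never ran is flagged by the inverse check.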