devialog - Syslog Anomaly Detection


What kind of performance can I expect?

On an 800 MHz Intel system, with a signature base of roughly 1500 signatures, expect to parse over 200 syslog lines per second. Some of the larger syslog servers I've come across do not come close to this capacity. If your syslog server does, please let me know.

Why does the file containing signatures have an extension of .pl? Do I need to execute this file?

The signatures file has the .pl extension so that editors apply Perl syntax highlighting to it. Since the signatures are in Perl hash format, syntax highlighting helps those unfamiliar with Perl and makes format errors visible before the file is loaded. You do not need to execute the signatures file.

How do I verify the signatures are in the proper format?

Aside from a manual inspection in a text editor with syntax highlighting, the following command checks that the signatures are in the proper format:

$ perl -c signatures.pl
signatures.pl syntax OK

You should receive this result provided there are no syntax errors in the signatures file.

What does it mean when signatures.pl does not return a true value?

signatures.pl did not return a true value at ./devialog.pl line 66, <CONF> line 96.

This is the result of a blank or nonexistent signatures.pl file. The file must be created as described in the quick start guide.
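The following script is an added example, not devialog's own code. It writes a constructed signatures.pl in Perl hash form (the hash layout and signature names are assumptions, not devialog's real format), then loads it with Perl's require, which is the call that produces the "did not return a true value" message, and shows why a blank file passes perl -c yet fails to load.

```perl
#!/usr/bin/perl
# Added example, not devialog's own code: build a constructed signatures.pl,
# then load it with require to show the three load outcomes a user can hit.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample; the hash layout is an assumption, not devialog's real format.
my $sample = <<'END';
%signatures = (
    'sshd_pubkey'  => 'sshd\[\d+\]: Accepted publickey for \w+ from',
    'cron_session' => 'CRON\[\d+\]: pam_unix\(cron:session\): session opened',
);
1;   # the file's last statement must be true, or require reports a failure
END

# Load a signatures file the way require does; return "ok" or the failure reason.
sub check_signatures {
    my ($path) = @_;
    return "missing: $path does not exist" unless -e $path;
    my $loaded = eval { require $path; 1 };
    unless ($loaded) {
        chomp(my $err = $@);       # syntax errors and a false return value both land here
        return "load failed: $err";
    }
    return "ok";
}

my $dir   = tempdir(CLEANUP => 1);
my %files = (good => "$dir/signatures.pl", blank => "$dir/blank.pl");

open my $fh, '>', $files{good} or die "write: $!";
print $fh $sample;
close $fh;
open $fh, '>', $files{blank} or die "write: $!";
close $fh;   # zero bytes: `perl -c` still says "syntax OK", but require dies

for my $name (qw(blank nonexistent good)) {
    my $path = $files{$name} // "$dir/nonexistent.pl";
    printf "%-12s %s\n", $name, check_signatures($path);
}

# The required file runs without strict, so its hash lands in %main::signatures.
our %signatures;
printf "loaded %d signatures: %s\n", scalar(keys %signatures), join(', ', sort keys %signatures);
```

The blank case prints the same "did not return a true value" wording seen above, so a file that passes perl -c can still fail at load time if it is empty or lacks the trailing 1;.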


For any questions/comments, contact the devialog author: Jeff Yestrumskas (OSCP, CISM, CISSP) - jeff@yestrumskas.com
devialog - Copyright 2002-2008 Jeff Yestrumskas