Troubled Interface Report
Count-IF-in-Syslog parses a syslog extract for Cisco-style interface lines and produces a report summarizing how many times each interface appears. In addition, it produces three charts: calendar, day-of-week, and hour-of-day.
Examine-IPS-Logs pokes through yesterday's syslog, extracting Tipping Point messages and looking for *outbound* blocked events, i.e. internally infected hosts which are attempting to phone home to the mothership or are launching attacks. It sends mail to recipients according to subnets (i.e. a given recipient can register interest in infected hosts living on specific subnets).
Remove-Dup-Syslog-lines examines a syslog file for duplicated lines using two criteria: (a) identical time stamps (millisecond granularity), and (b) embedded Cisco IOS-style serial numbers. It produces a report and an output file from which the duplicates have been removed. I find this useful when I'm analyzing Layer 2 loop problems -- Layer 2 loops can sometimes result in huge numbers of duplicated messages landing on my loghost, gumming up my subsequent analysis.
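The two duplicate criteria above, as an added illustration in Python (not the Remove-Dup-Syslog-lines script itself); the loghost line layout, with the IOS sequence number and millisecond device timestamp, and the sample lines are assumed and constructed here.

```python
import re

# Assumed loghost line layout: "<loghost ts> <host> <seq>: <device ts with ms>: %FACILITY-SEV-MNEMONIC: text"
# (IOS "service sequence-numbers" and "service timestamps log datetime msec" enabled).
IOS_LINE = re.compile(
    r"^(?P<host_ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<seq>\d+): [*.]?(?P<dev_ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): (?P<msg>%\S+: .*)$"
)

def dedup_syslog(lines):
    """Return (kept_lines, report).

    A line is dropped as a duplicate when an earlier line from the same host
    carried (a) the same millisecond device timestamp or (b) the same IOS
    sequence number. Lines that do not parse as IOS messages are kept as-is.
    """
    seen_ts, seen_seq, kept = set(), set(), []
    report = {"total": 0, "dup_timestamp": 0, "dup_sequence": 0, "unparsed": 0}
    for line in lines:
        report["total"] += 1
        m = IOS_LINE.match(line)
        if not m:
            report["unparsed"] += 1
            kept.append(line)
            continue
        ts_key = (m["host"], m["dev_ts"])   # criterion (a)
        seq_key = (m["host"], m["seq"])     # criterion (b)
        if ts_key in seen_ts:
            report["dup_timestamp"] += 1
            continue
        if seq_key in seen_seq:
            report["dup_sequence"] += 1
            continue
        seen_ts.add(ts_key)
        seen_seq.add(seq_key)
        kept.append(line)
    return kept, report

# Constructed sample: line 2 repeats line 1's timestamp, line 4 reuses sequence
# number 102 with a new timestamp (a looped resend), line 5 is a different host.
SAMPLE = """\
Apr 27 10:15:32 sw1 101: Apr 27 10:15:32.101: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Apr 27 10:15:32 sw1 101: Apr 27 10:15:32.101: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Apr 27 10:15:33 sw1 102: Apr 27 10:15:33.250: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Apr 27 10:15:34 sw1 102: Apr 27 10:15:34.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Apr 27 10:15:34 sw2 102: Apr 27 10:15:33.250: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Apr 27 10:15:35 sw1 kernel: unrelated message
"""

if __name__ == "__main__":
    kept, report = dedup_syslog(SAMPLE.splitlines())
    print(report)          # {'total': 6, 'dup_timestamp': 1, 'dup_sequence': 1, 'unparsed': 1}
    print("\n".join(kept))
```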
Troubled-Interface-Report consults a configuration file, pokes through yesterday's syslog looking for Cisco Catalyst messages specific to interfaces, and mails the result to interested parties. Possible issues include: rogue DHCP servers, excessive link up/down events, invalid source MAC addresses, excessive MAC address movement between ports.
Last modified: 2017-04-28