Hi guys,
more like a generic question: how do you make sense of events which are not necessarily linked by a common field? For example, one of our applications produces logs that generate many events/lines such as:
[08/Sep/2017:09:20:20 +0200] Logon request from 10.10.10.3
[08/Sep/2017:09:20:21 +0200] Object 662737354 deleted
[08/Sep/2017:09:20:21 +0200] User X77262 trying to connect ...
[08/Sep/2017:09:20:22 +0200] Logon Denied: Bad password
So lines 1, 3 and 4 represent a logon request but I cannot "transact" them as there is no common field. Or can I?
In a perfect world session IDs would be introduced in the logs OR more complete log entries, but changing code is a massive undertaking ... How do you guys deal with scenarios such this one?
Thanks.
↧