Central syslog manager with whitelisting and ability to generate events from syslog entries
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
contrib fix CDDB connection failed, which was caused due to extensions not lo… Apr 12, 2017
docker change image name to lowercase, else docker will complain Feb 14, 2018
htdocs update logo with the new one Jan 2, 2018
schema also delete entries for hosts not currently on host table Mar 8, 2017
yii Update yii to latest version May 27, 2015
INSTALL.md Add mitigation for issue #70, under troubleshooting section of instal… Apr 27, 2017
README.md Update documentation to reflect the latest changes and the version 0.5 Jun 11, 2015
UPGRADE.md Update documentation to reflect the latest changes and the version 0.5 Jun 11, 2015


Echofish Syslog manager

Central syslog management console with whitelisting feature and ability to generate events from syslog entries.


Echofish is a web based real-time event log aggregation, monitoring and management system, developed in php and mysql, with functionality based on the excellent idea/paper of Marcus J. Ranum, "Artificial Ignorance".

Through a simple dashboard, Echofish provides a single view for the administrators to monitor system and application events. Echofish allows the creation of whitelists and filters to provide administrators with a unique and customized view of their systems' event messages. Through detailed reports, alerting and notifications, Echofish is able to deliver new levels of visibility and insight on your business IT infrastructure.

How Echofish differs

Echofish focuses around the fact that:

  • daily operators need to be able to see what happens on their network.
  • syslog messages are events that need to be addressed.
  • similar events don't need to be addressed separately.
  • there is no need to be worried about events that are known to be good (whitelisted).
  • once all the whitelisted entries are gone, we are left with mostly important messages that need our attention.

Beneath the hood

When a message is received by syslog it gets written into a specific table of the echofish database.

Upon INSERT on that table, special triggers and events take over, in order to inspect the message parameters and decide -based on your rules- whether the message is worthy of your attention or it needs to be discarded.

On top of that, you can create triggers that allow you to achieve certain explicit tasks such as:

  • After 10 failed ssh logins issue a syslog warning about brute force attempt and report the attacker's IP
  • If user@example.com usually logs from 1.2.3.x network and now he's appearing from Korea notify me
  • Issue an alert if the ssh logins on the servers are not from the admin's IP

You can find configuration samples, installation recipes and other usefull information in the contrib/ folder.