Nuhe is a rule based log monitoring system, which is capable of taking action
when rules are matched against log activity.
The default Nuhe mode is to run in the background (as a daemon), but it can also be
used in foreground and log analyzer mode. Log analyzer mode only analyzes the given
logs and prints the results to stdout; no action is taken when Nuhe is in analyzer mode.
Nuhe development started from a security point of view, and one
purpose is to use it as an intrusion protection system that can react
against certain kinds of log activity. You can also use Nuhe as a vanilla
"log filtering" system that detects events from logs and logs them, but does
not react against them.
One example of Nuhe usage is a rule that detects multiple SSH connection
attempts and drops the IP address the connections are coming from (e.g. with
Linux iptables). Nuhe is very handy in this situation, because the user can
configure it to ignore important IP addresses, so they are not blocked by the
firewall, and specify that events are identified only by IP address information.
With that rule and action handler the user can paralyze brute force attacks.
Nuhe can be described as a general rule based monitoring system
which can run system commands in phases based on time and event criteria,
and hopefully this gives it many areas of use.
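The following is an added example, not Nuhe's own code, showing the shape of the
SSH brute-force rule described above and of the general "time and event criteria"
idea: events are matched by a regular expression, counted per IP inside a sliding
time window, IPs on an ignore list are skipped, and a match is handed to an action
handler. In analyzer mode the handler only records the command it would have run,
mirroring Nuhe's analyzer mode. The log lines, the rule thresholds, the ignore
network and the Rule/Analyzer names are all constructed for this example and are not
Nuhe's configuration format.

```python
"""Toy rule-based log analyzer (added example, not part of Nuhe)."""
import re
import shlex
import subprocess
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sshd-style log lines (not real captures). Syslog timestamps carry
# no year, so the parser below assumes one.
SAMPLE_LOG = """\
Mar  4 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  4 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  4 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  4 10:00:06 host sshd[1204]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  4 10:00:08 host sshd[1205]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  4 10:00:09 host sshd[1206]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar  4 10:00:10 host sshd[1207]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar  4 10:00:11 host sshd[1208]: Failed password for root from 192.0.2.10 port 40003 ssh2
Mar  4 10:00:12 host sshd[1209]: Failed password for root from 192.0.2.10 port 40004 ssh2
Mar  4 10:30:00 host sshd[1300]: Failed password for root from 198.51.100.9 port 2222 ssh2
Mar  4 10:40:00 host sshd[1301]: Failed password for root from 198.51.100.9 port 2223 ssh2
Mar  4 10:50:00 host sshd[1302]: Failed password for root from 198.51.100.9 port 2224 ssh2
Mar  4 11:00:00 host sshd[1303]: Failed password for root from 198.51.100.9 port 2225 ssh2
"""


@dataclass
class Rule:
    name: str
    pattern: re.Pattern      # must expose a named group "ip"
    threshold: int           # number of matching events needed to fire...
    window_seconds: int      # ...within this many seconds (the time criterion)
    action: str              # command template; {ip} is substituted


# Hypothetical rule: four failed SSH logins from one IP within a minute.
SSH_BRUTE_FORCE = Rule(
    name="ssh-brute-force",
    pattern=re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port"),
    threshold=4,
    window_seconds=60,
    action="iptables -I INPUT -s {ip} -j DROP",
)

SYSLOG_TS = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) ")


def parse_timestamp(line, year=2024):
    """Parse the traditional syslog prefix; the year is assumed (not in the log)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


class Analyzer:
    def __init__(self, rule, ignore_networks=(), analyze_only=True):
        self.rule = rule
        self.ignore = [ip_network(n) for n in ignore_networks]
        self.analyze_only = analyze_only      # True: record commands, never run them
        self.events = defaultdict(deque)      # ip -> event timestamps inside the window
        self.fired = set()                    # IPs already acted on (act once per IP)
        self.actions = []                     # (ip, command) records

    def is_ignored(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the action command if the rule fired."""
        m = self.rule.pattern.search(line)
        ts = parse_timestamp(line)
        if not m or ts is None:
            return None
        ip = m["ip"]
        if self.is_ignored(ip) or ip in self.fired:
            return None
        q = self.events[ip]
        q.append(ts)
        # Slide the window: forget events older than window_seconds.
        while (ts - q[0]).total_seconds() > self.rule.window_seconds:
            q.popleft()
        if len(q) < self.rule.threshold:
            return None
        self.fired.add(ip)
        cmd = self.rule.action.format(ip=ip)
        self.actions.append((ip, cmd))
        if not self.analyze_only:             # daemon mode: run the action handler
            subprocess.run(shlex.split(cmd), check=False)
        return cmd


def analyze(log_text, rule=SSH_BRUTE_FORCE, ignore_networks=("192.0.2.0/24",)):
    """Analyzer mode: return the (ip, command) pairs the rule would have triggered."""
    a = Analyzer(rule, ignore_networks)
    for line in log_text.splitlines():
        a.feed(line)
    return a.actions


if __name__ == "__main__":
    for ip, cmd in analyze(SAMPLE_LOG):
        print(f"{SSH_BRUTE_FORCE.name}: {ip} -> {cmd}")
```

With the sample log, only 203.0.113.7 triggers the rule: 192.0.2.10 also
fails four times but sits in the ignored network, and 198.51.100.9 fails four
times spread over half an hour, which never fits the 60-second window. Widening
the window (the time criterion) makes that last host fire too, which is the
knob a deployment would tune against its own traffic.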