devialog is a behavior/anomaly/signature-based syslog intrusion detection system that detects new and unknown attacks via anomalies in syslog. It fits comfortably in heterogeneous Unix/Linux/BSD environments at the core of a central syslog server. It can generate its own signatures, alert administrators on anomalies, and include the generated signature with each alert so that administrators can choose to ignore similar events in the future.
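The workflow described above (normalize each syslog line into a signature, alert on lines whose signature has not been seen, and hand the generated signature back so it can be added to the ignore list) as an added illustrative example in Python. This is not devialog's own code; the header regex, the wildcard rules for IPs and numbers, the decision to key signatures on program and message rather than hostname, and the sample log lines are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed sample syslog lines (not taken from any real system).
SAMPLE_LOG = [
    "Jan 10 03:14:07 host1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Jan 10 03:15:12 host1 sshd[2240]: Accepted publickey for bob from 10.0.0.7 port 51030 ssh2",
    "Jan 10 03:16:44 host1 cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 10 03:17:01 host1 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
]

# Classic BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message".
# The hostname is captured but deliberately left out of the signature, since a
# central syslog server sees the same message shapes from many hosts (assumption).
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (\S+) (\S+?)(?:\[\d+\])?: (.*)$"
)
# Variable fields that should not make an otherwise-known event look new.
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUMBER = re.compile(r"\b\d+\b")


def make_signature(line: str) -> Optional[str]:
    """Turn one syslog line into a generalized signature, or None if unparsable."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    _host, program, message = m.groups()
    generalized = IPV4.sub("<ip>", message)   # replace IPs first so their digits survive
    generalized = NUMBER.sub("<num>", generalized)
    return f"{program}: {generalized}"


@dataclass
class AnomalyDetector:
    """Alerts on syslog lines whose generated signature has not been seen before."""
    known: set = field(default_factory=set)

    def learn(self, lines: Iterable[str]) -> int:
        """Baseline phase: record signatures of known-good traffic. Returns new count."""
        before = len(self.known)
        for line in lines:
            sig = make_signature(line)
            if sig is not None:
                self.known.add(sig)
        return len(self.known) - before

    def suppress(self, signature: str) -> None:
        """Administrator accepted the generated signature: ignore similar events."""
        self.known.add(signature)

    def classify(self, line: str) -> Tuple[str, Optional[str]]:
        """Return ('known'|'unknown'|'unparsed', signature) for one line."""
        sig = make_signature(line)
        if sig is None:
            return ("unparsed", None)
        if sig in self.known:
            return ("known", sig)
        return ("unknown", sig)

    def run(self, lines: Iterable[str]) -> List[Tuple[str, str]]:
        """Detection phase: return (line, generated signature) for each anomaly.
        Unparsed lines are also reported, with an empty signature, so they are not lost."""
        alerts = []
        for line in lines:
            status, sig = self.classify(line)
            if status == "unknown":
                alerts.append((line, sig))
            elif status == "unparsed":
                alerts.append((line, ""))
        return alerts


if __name__ == "__main__":
    detector = AnomalyDetector()
    detector.learn(SAMPLE_LOG)
    new_lines = [
        "Jan 10 04:00:00 host2 sshd[3001]: Failed password for root from 192.0.2.44 port 40001 ssh2",
        "Jan 10 04:01:00 host1 sshd[3002]: Accepted publickey for alice from 10.0.0.9 port 60000 ssh2",
    ]
    for line, sig in detector.run(new_lines):
        print(f"ALERT: {line}\n  generated signature: {sig}")
```

The second new line differs from the baseline only in source IP and port, so it collapses to an already-known signature and produces no alert; the failed-password line has a shape the baseline never saw, so it is reported together with the signature an administrator could pass to `suppress()` to silence that event class in future. Note the limitation this exposes: a username is not generalized, so a first login by a new user is also an "unknown" event until its signature is accepted.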
I originally released devialog in the early 2000s. Looking back in 2019, it’s interesting to now see phrasing used in the documentation that seems outdated. However, the overall concept of “alert us on what we don’t already know about” still very much applies and is what many security technologies that use machine learning are now based on and strive for. There appear to have been a number of derivative works since its release, and devialog will remain publicly available in order to inspire future works.
The primary devialog page with documentation is http://devialog.org/
The github repo is https://github.com/jeffyestrumskas/devialog