[logs] Cross-Platform Log Analysis and Microsoft
David Corlette
dcorlette at novell.com
Sun Jul 1 21:00:11 PDT 2007
I have to disagree a bit here - I personally think syslog is pretty lame, and really should die as quickly as possible. It's based on an unreliable protocol, after all. And latter-day attempts to send it over SSL or whatever are, to my mind, a band-aid solution.
There are other auditing standards out there; here at Novell we're espousing an open standard called XDAS, and I know that COAST is putting something together, as is MITRE/Arcsight - we're working on trying to get all these groups to coordinate. I'm hoping that all vendors will start to move to those standards and treat security event auditing as a real discipline, not something you throw out over syslog or along with your debug events. One thought, for example: shouldn't the event record format and the transport be independent?
My 2c, anyway...
Oh, and I've been told, by the way, that Windows can send out its event logs via SNMP. Haven't tested it, myself, so I have no idea what that looks like.
>>> On Thu, Jun 28, 2007 at 9:57 PM, in message
<6.2.0.14.2.20070628215505.0ef21060 at ranum.com>, "Marcus J. Ranum"
<mjr at ranum.com> wrote:
> Eric Fitzgerald wrote:
>> I am always willing to listen to feedback and deliver it to the appropriate
>> people.
>
> The fact that it hasn't occurred to Microsoft to support something like
> syslog _yet_ - in spite of the plethora of other devices that support it,
> and technologies that consume it... speaks volumes.
>
> I'm not trying to bash you, and I'm sure your heart is in the right place,
> but the fact that it's 2007 and you even need to say something as naive
> as "willing to listen to feedback..." is enough. Maybe you're willing to
> listen, but it's pretty clear that the decision-makers aren't.
>
> mjr.
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis