[logs] Syslog and Windows

Gord Taylor taylorgo at gmail.com
Fri Jun 22 09:08:59 PDT 2007


I've been using MonitorWare (and WinSyslog) for a long time as well and it's
solid - never a problem when receiving logs from Windows, Unix, or
Firewalls. From experience it can handle a large load as well - 6,000+
events/sec sustained until I run out of disk :) It can route to file based on
IP address as well, so any syslog priority conflicts can be resolved by
routing based on IP. Also allows for alerting, SMTP e-mail, etc. Support
for syslog-ng is stable too, not just traditional UDP. The previous version
had a bug with TCP sessions being re-established too frequently but this has
been fixed.

I can also echo the same experiences Johnny has had with Snare and restarts,
but it happens more frequently than I like.

I've also used NTSyslog (old), which Snare inherited its code-base
from, and it seems to have the same periodic problems under heavy load where it will
just slow down and start skipping events. A restart resolves it, but it is hard
to identify until well after the problem has occurred (log loss).

I've started playing with Lasso (which is the only syslog-ng for windows I
know of), but haven't used it in production. In playing with it though, I've
found that some of the logs get wrapped to 2 lines under load when it caches
to disk. I have NOT investigated the cause for this, so it might just be
something in my implementation. One issue that CAN be a problem with Lasso
(especially with the new log format under Longhorn) is that they hard-code a
maximum log line length of 1024 bytes. Even with Windows 2003's object
auditing, an event can get longer than this.


On 6/22/07, jcalhoun at securityeventmonitoring.com <
jcalhoun at securityeventmonitoring.com> wrote:
>
>
> Snare - Free and easy to setup
>
> MonitorWare - small fee, but dependable and has ability to monitor flat
> files
>
> Lasso - Free and most scalable solution, doesn't require an agent on
> every machine you wish to retrieve logs from.  Requires Domain Admin or
> Local Admin privs to pull logs.
>
> I have used both Snare and Monitorware extensively on thousands of
> devices.  Sometimes Snare will have to be restarted, or it loses its
> place in the log and suddenly sends you the entire queue from the
> beginning, but you get what you pay for :).  We are beginning to look
> into Lasso more and more due to its agent-less design and ease of
> deployment and maintenance.
>
> Thanks,
> Johnny Calhoun
> jcalhoun at securityeventmonitoring.com
>
>
> > -------- Original Message --------
> > Subject: [logs] Syslog and Windows
> > From: "Bill Scherr IV" <bschnzl at cotse.net>
> > Date: Fri, June 22, 2007 12:35 am
> > To: loganalysis <loganalysis at loganalysis.org>
> >
> > All...
> >
> >    What do you suggest for sending windows logs to syslog
> >
> > B.
> >
> > On 18 Jun 2007, a message purporting to be from Chris Brenton appeared:
> >
> > Subject:              Re: [logs] Facility 101 (was: Syslog and facilities)
> > From:                 Chris Brenton <cbrenton at chrisbrenton.org>
> > To:                   loganalysis <loganalysis at loganalysis.org>
> > Date sent:            Mon, 18 Jun 2007 09:04:41 -0400
> >
> > > The other problem is some of the facilities are a bit dated. For example
> > > there is a facility for FTP (11) but not HTTP. UUCP even has its own
> > > facility (8) but of course no one uses it anymore (I use it for my Windows
> > > stuff. Keeps it from getting mixed in with other log entries ;-)
> > >
> >
> > Bill Scherr IV, GSEC, GCIA
> > Principal Security Engineer
> > EWA Information and Infrastructure Technologies
> > bscherr at iit-tek.com
> > bscherr at ewa.com
> > 703-478-7608
> >
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis at loganalysis.org
> > http://www.loganalysis.org/mailman/listinfo/loganalysis
>
>
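The thread raises three concrete mechanics for getting Windows events into syslog: the PRI field that encodes facility and severity (Chris Brenton's use of facility 8, UUCP, for Windows logs), a collector that hard-codes a 1024-byte maximum line length (Gord's note on Lasso), and routing to file by sender IP to sidestep facility/priority conflicts (the MonitorWare behaviour Gord describes). The following is an added example, not code from any of the posters or from the products named; it builds an RFC 3164 line for a Windows event, decodes the PRI back into facility and severity, reports whether a collector with a fixed line limit would cut the record, and selects an output file by source IP. The facility and severity tables are the standard RFC 3164 codes; the host name, tag, route paths and audit text are constructed sample values, and the 1024-byte limit is taken from the thread and treated here as a configurable parameter.

```python
"""Added example: build, decode and length-check RFC 3164 syslog lines for
Windows events, and route them by sender IP. Not code from the thread."""
import re

# RFC 3164 facility codes; the thread mentions uucp (8) and ftp (11).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# Line limit the thread says Lasso hard-codes; used here as a tunable default.
MAX_LINE_BYTES = 1024

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.S)


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def build_message(facility: str, severity: str, timestamp: str,
                  hostname: str, tag: str, content: str) -> bytes:
    """Assemble one RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: CONTENT."""
    pri = encode_pri(FACILITIES[facility], SEVERITIES[severity])
    # Embedded newlines would split the record at the collector, which is
    # the 'wrapped to 2 lines' symptom described in the thread; flatten them.
    flat = content.replace("\r", " ").replace("\n", " ")
    return f"<{pri}>{timestamp} {hostname} {tag}: {flat}".encode("utf-8")


def parse_message(line: bytes) -> dict:
    """Decode PRI back into facility/severity names; keep the body verbatim."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing or malformed PRI")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": FACILITY_NAMES.get(facility, str(facility)),
            "severity": SEVERITY_NAMES.get(severity, str(severity)),
            "body": m.group(2).decode("utf-8", errors="replace")}


def check_length(line: bytes, limit: int = MAX_LINE_BYTES) -> dict:
    """Report whether a collector with a fixed line limit would cut this event."""
    overflow = max(0, len(line) - limit)
    return {"bytes": len(line), "limit": limit,
            "truncated": overflow > 0, "bytes_lost": overflow}


def route_by_source(src_ip: str, routes: dict, default: str) -> str:
    """Choose an output file by sender IP, independent of the PRI the agent
    chose, so two agents using the same facility do not collide."""
    return routes.get(src_ip, default)


if __name__ == "__main__":
    # Constructed sample: a long object-access audit style record (not a real event).
    audit_text = "Object access audit (constructed sample) " + "field=value " * 100
    msg = build_message("uucp", "info", "Jun 22 09:08:59", "WINHOST01",
                        "WinAudit", audit_text)
    parsed = parse_message(msg)
    print(parsed["facility"], parsed["severity"], len(parsed["body"]))
    print(check_length(msg))
    print(route_by_source("192.0.2.10", {"192.0.2.10": "/var/log/windows.log"},
                          "/var/log/other.log"))
```

Running the sample shows the constructed audit record exceeding the 1024-byte limit, which is the case Gord warns about for Windows 2003 object auditing: a collector with a fixed buffer silently drops the tail of the event, so checking record sizes against the collector's limit before deployment is cheaper than discovering the loss during an investigation.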