[logs] Syslog and Windows

Gord Taylor taylorgo at gmail.com
Fri Jun 22 09:12:11 PDT 2007


Should also mention that the same people who make Monitorware and Winsyslog
also have a port of UNIX logger (www.monitorware.com/logger) that works
wonderfully. Previous versions were free (google), but I don't think their
free version supported syslog-ng (not sure about this, though).

Gord T. (GCIH, CISSP, GEEK)


On 6/22/07, Gord Taylor <taylorgo at gmail.com> wrote:
>
> I've been using MonitorWare (and WinSyslog) for a long time as well and
> it's solid - never a problem when receiving logs from Windows, Unix, or
> Firewalls. From experience it can handle a large load as well - 6,000+
> event/sec sustained until I run out of disk :) It can route to file based on
> IP address as well, so any syslog priority conflicts can be resolved by
> routing based on IP. Also allows for alerting, SMTP e-mail, etc.. Support
> for syslog-ng is stable too, not just traditional UDP. The previous version
> had a bug with TCP sessions being re-established too frequently but this has
> been fixed.
>
> I can also echo the same experiences Johnny has had with Snare and
> restarts, but it happens more frequently than I like.
>
> I've also used NTSyslog (old), which Snare inherited its code-base from; it
> seems to have the same periodic problems under heavy load where it will
> just slow down and start skipping events. A restart resolves it, but it is hard
> to identify until well after the problem has occurred (log loss).
>
> I've started playing with Lasso (which is the only syslog-ng for windows I
> know of), but haven't used it in production. In playing with it though, I've
> found that some of the logs get wrapped to 2 lines under load when it caches
> to disk. I have NOT investigated the cause for this, so it might just be
> something in my implementation. One issue that CAN be a problem with Lasso
> (especially with the new log format under Longhorn) is that they hard-code a
> maximum log line length of 1024 bytes. Even with Windows 2003's object
> auditing, an event can get longer than this.
>
>
>  On 6/22/07, jcalhoun at securityeventmonitoring.com <jcalhoun at securityeventmonitoring.com>
> wrote:
> >
> >
> > Snare - Free and easy to setup
> >
> > MonitorWare - small fee, but dependable and has ability to monitor flat
> > files
> >
> > Lasso - Free and most scalable solution, doesn't require an agent on
> > every machine you wish to retrieve logs from.  Requires Domain Admin or
> > Local Admin privs to pull logs.
> >
> > I have used both Snare and Monitorware extensively on thousands of
> > devices.  Sometimes Snare will have to be restarted, or it loses its
> > place in the log and suddenly sends you the entire queue from the
> > beginning, but you get what you pay for :).  We are beginning to look
> > into Lasso more and more due to its agent-less design and ease of
> > deployment and maintenance.
> >
> > Thanks,
> > Johnny Calhoun
> > jcalhoun at securityeventmonitoring.com
> >
> >
> > > -------- Original Message --------
> > > Subject: [logs] Syslog and Windows
> > > From: "Bill Scherr IV" <bschnzl at cotse.net>
> > > Date: Fri, June 22, 2007 12:35 am
> > > To: loganalysis <loganalysis at loganalysis.org>
> > >
> > > All...
> > >
> > >    What do you suggest for sending windows logs to syslog
> > >
> > > B.
> > >
> > > On 18 Jun 2007, a message purporting to be from Chris Brenton appeared:
> > >
> > > Subject:              Re: [logs] Facility 101 (was: Syslog and facilities)
> > > From:                 Chris Brenton < cbrenton at chrisbrenton.org>
> > > To:                   loganalysis <loganalysis at loganalysis.org>
> > > Date sent:            Mon, 18 Jun 2007 09:04:41 -0400
> > >
> > > > The other problem is some of the facilities are a bit dated. For example
> > > > there is a facility for FTP (11) but not HTTP. UUCP even has its own
> > > > facility (8) but of course no one uses it anymore (I use it for my Windows
> > > > stuff. Keeps it from getting mixed in with other log entries ;-)
> > > >
> > >
> > > Bill Scherr IV, GSEC, GCIA
> > > Principal Security Engineer
> > > EWA Information and Infrastructure Technologies
> > > bscherr at iit-tek.com
> > > bscherr at ewa.com
> > > 703-478-7608
> > >
> > > _______________________________________________
> > > LogAnalysis mailing list
> > > LogAnalysis at loganalysis.org
> > > http://www.loganalysis.org/mailman/listinfo/loganalysis
> >
> >
>
>
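Two details from the thread above are easy to get wrong when shipping Windows events to syslog: Chris Brenton's trick of parking Windows logs under the otherwise idle UUCP facility (8), which only works if the PRI value is computed correctly, and Gord's warning that Lasso hard-codes a 1024-byte line limit that Windows 2003 object-audit events can exceed (1024 bytes is also the RFC 3164 packet maximum). The following is an added example written for this page, not code from Lasso, Snare, MonitorWare or anyone in the thread. It formats a constructed Windows event as an RFC 3164 line under the uucp facility, flattens the embedded CR/LF that Windows messages carry so a line-oriented collector cannot split one event in two, and, instead of truncating, breaks an over-long event into numbered continuation lines that each fit in 1024 bytes. The event dict layout, the "WinEvent" tag, the event-type-to-severity mapping and the "[i/n]" continuation marker are assumptions made for the example.

```python
"""Format a Windows event as an RFC 3164 syslog line under the UUCP facility
and split anything over 1024 bytes into continuation lines instead of
truncating it.  Event layout, tag and marker format are assumptions for this
example, not the wire format of any product discussed in the thread."""
from __future__ import annotations
import datetime

# Facility and severity codes from RFC 3164 section 4.1.1 (subset).
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
            "authpriv": 10, "ftp": 11, "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
# Windows event type -> syslog severity; an assumed mapping for this example.
EVENT_SEVERITY = {"Error": "err", "Warning": "warning", "Information": "info",
                  "Audit Success": "notice", "Audit Failure": "warning"}
MAX_LEN = 1024                      # RFC 3164 packet maximum; Lasso's hard limit
MARKER_RESERVE = len(" [999/999]")  # bytes held back for the continuation marker


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. uucp/info -> 70."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(line: bytes) -> tuple[int, int]:
    """Return (facility, severity) from the leading <PRI> of a syslog line."""
    assert line.startswith(b"<"), "not a syslog line"
    value = int(line[1:line.index(b">")])
    return value // 8, value % 8


def rfc3164_timestamp(when: datetime.datetime) -> str:
    """'Mmm dd hh:mm:ss' with a space-padded day, as RFC 3164 requires."""
    return f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"


def split_utf8(data: bytes, size: int) -> list[bytes]:
    """Cut data into chunks of at most `size` bytes without splitting a UTF-8 sequence."""
    assert size >= 4, "chunk must hold at least one UTF-8 code point"
    chunks, start = [], 0
    while start < len(data):
        end = min(start + size, len(data))
        # Back off while the byte after the cut is a continuation byte (10xxxxxx).
        while end < len(data) and (data[end] & 0xC0) == 0x80:
            end -= 1
        chunks.append(data[start:end])
        start = end
    return chunks


def format_event(event: dict, hostname: str, when: datetime.datetime,
                 facility: str = "uucp") -> list[bytes]:
    """Return the syslog line(s) for one Windows event.

    `event` is a dict with EventID, Source, Type and Message keys (assumed
    layout).  CR/LF and tabs inside the Windows message are flattened to single
    spaces so a line-oriented collector never sees one event as two records.
    """
    severity = EVENT_SEVERITY.get(event["Type"], "notice")
    header = (f"<{pri(facility, severity)}>{rfc3164_timestamp(when)} "
              f"{hostname} WinEvent: ").encode("ascii")
    text = " ".join(event["Message"].split())
    body = (f"{event['Source']} EventID={event['EventID']} "
            f"Type={event['Type']} {text}").encode("utf-8")
    if len(header) + len(body) <= MAX_LEN:
        return [header + body]
    # Too long for one packet: repeat the header on every part and number them
    # so the receiver can reassemble rather than silently losing the tail.
    budget = MAX_LEN - len(header) - MARKER_RESERVE
    pieces = split_utf8(body, budget)
    n = len(pieces)
    return [header + piece + f" [{i}/{n}]".encode("ascii")
            for i, piece in enumerate(pieces, 1)]


# Constructed sample events for the demonstration (not real log data).
SHORT_EVENT = {"EventID": 4625, "Source": "Security", "Type": "Audit Failure",
               "Message": "An account failed to log on.\r\n\r\nAccount Name:\tjdoe"}
LONG_EVENT = {"EventID": 560, "Source": "Security", "Type": "Audit Success",
              "Message": "Object Open: " + "Privileges: SeSecurityPrivilege " * 60}

if __name__ == "__main__":
    when = datetime.datetime(2007, 6, 22, 9, 12, 11)
    for line in (format_event(SHORT_EVENT, "dc01", when)
                 + format_event(LONG_EVENT, "dc01", when)):
        print(len(line), line[:72], b"..." if len(line) > 72 else b"")
```

Receivers that filter on facility can then separate the Windows stream with a plain `uucp.*` selector, while a forwarder that would otherwise cut at 1024 bytes gets lines that already fit; the continuation marker is an assumption of this example, so a collector has to be taught to stitch parts back together.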