[logs] Syslog and Windows

David Corlette dcorlette at novell.com
Fri Jun 22 10:20:21 PDT 2007


Putting on my "vendor" hat here...

Novell produces a product called Sentinel which pulls the logs via WMI (well, that's one option).  We don't require Domain Admin privs, it's agentless, and it doesn't use unreliable protocols. 

Sentinel's an enterprise solution so if you're only looking to get Windows logs it's probably overkill, but there you go.

>>> On Fri, Jun 22, 2007 at 10:31 AM, in message
<20070622073158.65dca91a8789c7cc515f67df5ff52c3b.b768d64105.wbe at email.secureserver.net>, <jcalhoun at securityeventmonitoring.com> wrote:

> Snare - Free and easy to setup
> 
> MonitorWare - small fee, but dependable and has ability to monitor flat
> files
> 
> Lasso - Free and most scalable solution, doesn't require an agent on
> every machine you wish to retrieve logs from.  Requires Domain Admin or
> Local Admin privs to pull logs.
> 
> I have used both Snare and Monitorware extensively on thousands of
> devices.  Sometimes Snare will have to be restarted, or it loses its
> place in the log and suddenly sends you the entire queue from the
> beginning, but you get what you pay for :).  We are beginning to look
> into Lasso more and more due to its agent-less design and ease of
> deployment and maintenance.
> 
> Thanks,
> Johnny Calhoun
> jcalhoun at securityeventmonitoring.com
> 
> 
>> -------- Original Message --------
>> Subject: [logs] Syslog and Windows
>> From: "Bill Scherr IV" <bschnzl at cotse.net>
>> Date: Fri, June 22, 2007 12:35 am
>> To: loganalysis <loganalysis at loganalysis.org>
>> 
>> All...
>> 
>>    What do you suggest for sending windows logs to syslog
>> 
>> B.
>> 
>> On 18 Jun 2007, a message purporting to be from Chris Brenton appeared:
>> 
>> Subject:        	Re: [logs] Facility 101 (was: Syslog and facilities)
>> From:           	Chris Brenton <cbrenton at chrisbrenton.org>
>> To:             	loganalysis <loganalysis at loganalysis.org>
>> Date sent:      	Mon, 18 Jun 2007 09:04:41 -0400
>> 
>> > The other problem is some of the facilities are a bit dated. For
>> example
>> > there is a facility for FTP (11) but not HTTP. UUCP even has its own
>> > facility (8) but of course no one uses it anymore (I use it for my
>> Windows
>> > stuff. Keeps it from getting mixed in with other log entries ;-)
>> > 
>> 
>> Bill Scherr IV, GSEC, GCIA
>> Principal Security Engineer
>> EWA Information and Infrastructure Technologies
>> bscherr at iit-tek.com
>> bscherr at ewa.com
>> 703-478-7608
>> 
>> _______________________________________________
>> LogAnalysis mailing list
>> LogAnalysis at loganalysis.org
>> http://www.loganalysis.org/mailman/listinfo/loganalysis
> 
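Brenton's trick of parking Windows events under the otherwise unused UUCP facility (8), shown as an added example that is not code from this thread or from any of the products named: it builds RFC 3164 lines with that facility and applies a receiver-side rule that separates them from ordinary Unix entries by decoding the PRI. The host names, event ID and messages are constructed sample data.

```python
import re

# RFC 3164 facility numbering; UUCP (8) is repurposed for Windows events
# because no modern Unix daemon logs under it, so it never collides.
FACILITY_UUCP = 8
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, as RFC 3164 defines it."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility or severity out of range")
    return facility * 8 + severity


def decode_pri(pri):
    """Inverse of encode_pri: returns (facility, severity)."""
    return pri // 8, pri % 8


def format_windows_event(timestamp, host, event_id, source, message, severity="notice"):
    """Wrap one Windows event log record as an RFC 3164 line under facility UUCP."""
    pri = encode_pri(FACILITY_UUCP, SEVERITY[severity])
    return f"<{pri}>{timestamp} {host} WinEvent[{event_id}]: {source}: {message}"


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def is_windows_line(line):
    """Routing rule: anything arriving under facility 8 came from the Windows collector."""
    m = _PRI_RE.match(line)
    if not m:
        return False          # no PRI header at all: treat as ordinary text
    facility, _ = decode_pri(int(m.group(1)))
    return facility == FACILITY_UUCP


def split_by_facility(lines):
    """Separate forwarded Windows events from everything else."""
    windows = [line for line in lines if is_windows_line(line)]
    other = [line for line in lines if not is_windows_line(line)]
    return windows, other


# Constructed sample: one forwarded Windows logon failure plus two Unix lines.
SAMPLE = [
    format_windows_event("Jun 22 10:20:21", "dc01", 4625, "Security",
                         "An account failed to log on", "warning"),
    "<38>Jun 22 10:20:22 srv1 sshd[4242]: Accepted publickey for alice",  # auth.info
    "<86>Jun 22 10:20:23 srv1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",  # authpriv.info
]
```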