[logs] Re: Syslog and Windows
Chris Brenton
cbrenton at chrisbrenton.org
Sat Jun 23 08:46:55 PDT 2007
On Fri, 2007-06-22 at 11:27 -0700, Tina Bird wrote:
>
> If I make take the substantial liberty of interpreting what Chris said, I
> think that what he meant is that he wouldn't use a Windows box as a central
> loghost, *not* that the logs produced by Windows systems themselves are
> problematic (aside from any native support for syslog).
>
> [If that's *not* what you meant, Chris, we may have to have it out with an
> arm-wrestling match or something.]
As always you are spot on, but I'll still take you up on the arm
wrestling. ;-)
> It is, as far as I've seen, clear that syslog *server* implementations for
> UNIX variants offer far more features and robustness than the syslog servers
> for Windows, although I must confess to little experience with Windows
> syslog servers.
From personal experience I would blame the IP stack. When it comes to
wire activity (IDS, firewall, etc.) for a given piece of hardware,
Windows just comes up short when compared to Linux or UNIX variants.
Seeing as a logging server sees a lot of network I/O, I would guess the
problem lies here as well.
> From the point of view of the logs themselves, I strongly defend my radical
> opinion that there are many ways in which the Windows Event Log is easier to
> use and more reliable than stock syslog:
Ya, as convoluted as the Event ID system has been over the years, it
blows away anything on the Linux/UNIX side. Then again, you're talking a
single vendor with a complete monopoly, so one would hope so. ;-)
> That being said, I'm sticking with syslog-ng for my central repository ;-)
+2!
Cheers,
Chris