[logs] Syslog and Windows
Rainer Gerhards
rgerhards at hq.adiscon.com
Mon Jun 25 13:02:42 PDT 2007
Hi Eric,
Thanks for the explanation, really appreciated. But I need to comment on
the syslog issue ;)
> If you have a solution which does all these lookups and
> translations and
> combines the event message text with the raw event data prior to
> transmission, the average event length will likely increase
> up to 4x, to
> the vicinity of 2k-3k per event record in the security event log.
>
> Syslog only supports 1k per message per RFC 3164.
RFC 3164 is informational and NOT really describing what can be seen in
practice. The typical (unpatched) syslogd on Linux does indeed have the
2K limit, but there are many other syslog-based solutions out there (including
on *nix) which support larger sizes.
>
> Any syslog-based solution for gathering Windows logs is likely either
> truncating a large percentage of Windows events, or not collecting
> Windows events in a way that they can be analyzed by human beings (in
> that case don't blame Windows; blame your SEM).
Or it ignores the artificial limit in old-day syslog.
> In summary, syslog is probably a poor solution for Windows security
> events for the reasons described above. Other logs on
> Windows typically
> have shorter events but you might still have many of the same
> shortcomings with syslog.
The good thing about syslog is that it is universally available and thus
can be used to build cross-platform solutions.
Rainer
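The thread turns on one practical question: how many Windows events would a receiver capped at the RFC 3164 length cut short, and by how much? The following script is an added example, not code from either poster. It formats constructed sample event texts (not real log data) as RFC 3164 lines, measures them, and reports what a 1024-byte receiver versus an assumed larger modern limit (8192 bytes is an assumption here, not a figure from the thread) would truncate, so a defender can check a forwarding pipeline before relying on it.

```python
"""Truncation check for Windows events forwarded as RFC 3164 syslog.

Added example, not part of the original thread. Sample event texts below
are constructed for illustration; the 8192-byte "modern" limit is an
assumption, not a value quoted in the discussion.
"""
from datetime import datetime

RFC3164_MAX = 1024   # per-message limit quoted in the thread (RFC 3164)
MODERN_MAX = 8192    # assumed limit of a patched/modern syslog daemon


def format_timestamp(ts: datetime) -> str:
    """RFC 3164 TIMESTAMP: 'Mmm dd hh:mm:ss' with a space-padded day."""
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"


def rfc3164_message(facility: int, severity: int, ts: datetime,
                    hostname: str, tag: str, content: str) -> str:
    """Build '<PRI>TIMESTAMP HOSTNAME TAG: CONTENT' (PRI = facility*8 + severity)."""
    pri = facility * 8 + severity
    return f"<{pri}>{format_timestamp(ts)} {hostname} {tag}: {content}"


def truncation_report(messages, max_len: int):
    """For each formatted line: byte length, whether a receiver capped at
    max_len would cut it, and how many bytes of the event would be lost."""
    report = []
    for msg in messages:
        size = len(msg.encode("utf-8"))
        lost = max(0, size - max_len)
        report.append({"bytes": size, "truncated": lost > 0, "bytes_lost": lost})
    return report


def share_truncated(messages, max_len: int) -> float:
    """Fraction of messages that exceed max_len (0.0 if there are none)."""
    if not messages:
        return 0.0
    rep = truncation_report(messages, max_len)
    return sum(1 for r in rep if r["truncated"]) / len(rep)


def as_received(msg: str, max_len: int) -> str:
    """What a receiver that simply caps at max_len bytes would store."""
    return msg.encode("utf-8")[:max_len].decode("utf-8", errors="ignore")


def sample_messages():
    """Two constructed events: a short logon record and a 2500-byte record
    standing in for an event whose message text, lookups and raw data have
    been combined before transmission (padding is synthetic)."""
    ts = datetime(2007, 6, 25, 13, 2, 42)
    short = ("An account was successfully logged on. Subject: Security ID: "
             "S-1-5-18 Account Name: WINHOST01$ Logon Type: 3")
    long_base = ("An account was successfully logged on. Subject: Security ID: "
                 "S-1-5-21-0-0-0-1001 Account Name: operator Logon Type: 10 "
                 "Workstation Name: WS01 Source Network Address: 192.0.2.10 ")
    long = long_base.ljust(2500, "x")   # pad to exactly 2500 bytes of content
    # facility 13 (log audit), severity 6 (informational)
    return [
        rfc3164_message(13, 6, ts, "winhost01", "MSWinEventLog", short),
        rfc3164_message(13, 6, ts, "winhost01", "MSWinEventLog", long),
    ]


if __name__ == "__main__":
    msgs = sample_messages()
    for limit in (RFC3164_MAX, MODERN_MAX):
        print(f"limit {limit}: {share_truncated(msgs, limit):.0%} of events truncated")
        for r in truncation_report(msgs, limit):
            print("  ", r)
    print("tail of long event as a 1024-byte receiver stores it:",
          as_received(msgs[1], RFC3164_MAX)[-40:])
```

Run the block as-is to see the per-event report; feeding it the lines your own forwarder produces (instead of `sample_messages()`) turns it into a quick audit of whether the collector's limit, not the event source, is what drops the data.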