[logs] Eventlog to syslog

tbird at precision-guesswork.com
Fri Feb 29 14:17:39 PST 2008


Quoting Rodney Thayer <rodney at canola-jones.com>:

> I'd like to just know why they don't support syslog.
> Heard rumors Longhorn would fix that bug ;-)

Hmm. I've apparently heard contradicting rumors. We should compare  
notes some time.

> Anyway, my point is, if that vendor (e.g. Microsoft)
> thinks they have a reason for not doing syslog to support
> external event management, I'd be interested in hearing that.
> I think not doing syslog is broken but what I think we all
> really see as a requirement is "externally available interoperable
> standards-based event output" so I try to have an open mind
> when this MS flaw is revisited...

Here's my 0.02, as politically correctly as I can put it: Microsoft  
has a corporate tradition of building closed systems, and even when  
they're forced to build a standards-based application (DNS? IPsec?)  
they have a tendency (that's polite) to add extensions that make their  
products less interoperable than one might like. Ahem. One with a  
truly heterogeneous network to run, anyhow.

On the specific beloved topic of syslog, I know (cos I've been part of  
it) that Microsoft has heard "support syslog" for years. The problem  
is that they're hearing it from UNIX experts and IETF folks and people  
on this list, very few (if any) of whom have enterprise-scale  
deployments of Microsoft products deployed, and even fewer of whom  
(out of that "any") who would *not* deploy an MS product because it  
did NOT support syslog.

Microsoft responds to its customers. Microsoft responds more swiftly  
to customer pressure than any other IT vendor I've ever dealt with.  
(Pressure from the press doesn't hurt, either, but I can't imagine how  
we could turn decades of lack of support for syslog into a slashdot  
worthy news event.)

If we *really* want to get MS' attention on this issue, we need to  
find some large Microsoft customers who are willing to apply pressure  
to their account managers about syslog support. That's certainly  
*possible*, but I suspect it's highly unlikely, cos' most of the large  
MS shops I've worked at/with are already using MS-provided or  
Windows-specific monitoring tools, and can't even *spell* syslog.

So the real question becomes: of those large MS customers, how many of  
them have or are planning to deploy a syslog-based monitoring  
infrastructure, and are they willing to apply pressure to Redmond?  
Anyone here an MS Premier customer?

It may be that finally, thanks to compliance regulations etc., there  
are enough large scale organizations worrying about log collection and  
archiving that this might work. There's clearly never been enough  
momentum to get the ball rolling in the past, or we wouldn't be having  
this conversation in *sigh* 2008...

cheers -- tbird
