[logs] Eventlog to syslog
David Corlette
DCorlette at novell.com
Fri Feb 29 15:56:44 PST 2008
Hi all,
Not to put too fine a point on it, but if MS were to implement syslog I would consider that quite a step back.
Why not have them implement a modern, secure auditing standard? The CEE and XDAS work is promising, and is getting analysts' attention (Burton, for one). They aren't complete yet, but if you look at the requirements they embody you will see why insecure syslog really isn't the way to go. In fact, *nix OSs are moving away from syslog - witness LAF on Linux, BSM on Solaris, etc.... Anything that might have security relevance needs to be treated a little more carefully.
And yeah, I know that there are all sorts of more secure extensions to syslog, but they aren't "standards," at least not yet.
My 2c - anyway....
>>> On Fri, Feb 29, 2008 at 5:17 PM, in message
<20080229161739.kggbed6kmecwo0o0 at www.precision-guesswork.com>,
<tbird at precision-guesswork.com> wrote:
> Quoting Rodney Thayer <rodney at canola-jones.com>:
>
>> I'd like to just know why they don't support syslog.
>> Heard rumors Longhorn would fix that bug ;-)
>
> Hmm. I've apparently heard contradicting rumors. We should compare
> notes some time.
>
>> Anyway, my point is, if that vendor (e.g. Microsoft)
>> thinks they have a reason for not doing syslog to support
>> external event management, I'd be interested in hearing that.
>> I think not doing syslog is broken but what I think we all
>> really see as a requirement is "externally available interoperable
>> standards-based event output" so I try to have an open mind
>> when this MS flaw is revisited...
>
> Here's my 0.02, as politically correctly as I can put it: Microsoft
> has a corporate tradition of building closed systems, and even when
> they're forced to build a standards-based application (DNS? IPsec?)
> they have a tendency (that's polite) to add extensions that make their
> products less interoperable than one might like. Ahem. One with a
> truly heterogeneous network to run, anyhow.
>
> On the specific beloved topic of syslog, I know (cos I've been part of
> it) that Microsoft has heard "support syslog" for years. The problem
> is that they're hearing it from UNIX experts and IETF folks and people
> on this list, very few (if any) of whom have enterprise-scale
> deployments of Microsoft products, and even fewer of whom
> (out of that "any") would *not* deploy an MS product because it
> did NOT support syslog.
>
> Microsoft responds to its customers. Microsoft responds more swiftly
> to customer pressure than any other IT vendor I've ever dealt with.
> (Pressure from the press doesn't hurt, either, but I can't imagine how
> we could turn decades of lack of support for syslog into a slashdot
> worthy news event.)
>
> If we *really* want to get MS' attention on this issue, we need to
> find some large Microsoft customers who are willing to apply pressure
> to their account managers about syslog support. That's certainly
> *possible*, but I suspect it's highly unlikely, cos' most of the large
> MS shops I've worked at/with are already using MS-provided or
> Windows-specific monitoring tools, and can't even *spell* syslog.
>
> So the real question becomes: of those large MS customers, how many of
> them have or are planning to deploy a syslog-based monitoring
> infrastructure, and are they willing to apply pressure to Redmond?
> Anyone here an MS Premier customer?
>
> It may be that finally, thanks to compliance regulations etc., there
> are enough large scale organizations worrying about log collection and
> archiving that this might work. There's clearly never been enough
> momentum to get the ball rolling in the past, or we wouldn't be having
> this conversation in *sigh* 2008...
>
> cheers -- tbird
>
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis