[logs] Eventlog to syslog

A Ananth ananth802 at yahoo.com
Fri Feb 29 18:31:53 PST 2008


--- Andrew Hay <andrewsmhay at gmail.com> wrote:

> I suspect that, with the (future) adoption of Windows 2008 and the new
> cross-log query feature in the event log (that allows you to correlate logs
> from multiple systems), Microsoft may finally have put the nail in the
> coffin that is this issue (at least in their eyes). I'll be honest, I
> haven't dug into the new event log due to other things on my plate, but I
> have a feeling that this new event log rewrite is going to be positioned as
> a SIEM replacement for Windows-based events.


If Microsoft feels that the 'cross-log query' feature
nails the SIEM problem -- we disagree. It opens up
some possibilities for very small shops but by itself
has limited value in even a medium-size install.

Limitations
1) All machines must run Vista
2) Collector is a workstation
3) Event automation is local to each system
4) No central policy mgt console
5) Updating each endpoint system is manual effort
6) It's an MS standard

We explored the Vista event log in a webinar last year
with Nelson Ruest. It's online (registration required) at
http://www.prismmicrosys.com/webinarDetails.php?id=10&a=view

Disclaimer: I'm with Prism, a SIEM vendor

--
A Ananth
ananth802 at yahoo.com
More information about the LogAnalysis mailing list