[logs] Eventlog to syslog
Patrick Hull
nethead69 at gmail.com
Mon Mar 3 13:20:44 PST 2008
David,
Thanks for the reply, and the info about Sentinel. I will take a
closer look at it.
Yeah, MOM as a SIEM tool is not my desire, but I am dealing with an
8th OSI layer that seems to like/believe a great deal of what MS tells
them. I am just looking for other experiences or suggestions that
might negate such a proposed solution...
This thread seemed the perfect opportunity to ask ;)
thanks,
-pat.
On 3/3/08, David Corlette <DCorlette at novell.com> wrote:
>
> Hi Patrick,
>
> MOM as a SIEM tool? Ouch.
>
> There are a bunch of real SIEM tools out there; MOM's not one of them. Disclaimer here, I work on Sentinel, where our approach is that we accept whatever you throw at us: syslog, WMI, JDBC, OPSEC LEA, really anything. But we also apply some intelligence to the inbound data, integrate identity data and asset data, correlate IDS and vulnerability information, so on and so forth. Any other real SIEM tool will do the same, but not MOM.
>
> Incidentally, it would be perfectly possible to use our tool to accept WMI (or JDBC, or any other format data) and spit it back out as syslog. This wouldn't be a very good way to do it, as of course what you want to provide on the backend is a nice query-able datastore which is what we offer, but we've done it for some customers that already have a SIEM tool in place and are just using Sentinel to monitor Novell apps.
>
> > I realize I am diverging a bit from the original discussion of MS support of
> > the syslog transport, but given the existence of MOM and its apparent support
> > of syslog, it seems inevitable that the discussion (at least with my employer)
> > will eventually lead down the path of MOM's abilities as a heterogeneous event
> > analysis (i.e. SEM) tool.
> >
> > thx,
> > -pat.
>
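The "take WMI in, spit syslog out" shim David describes above is a small thing to build yourself if all you need is to get Windows events onto the wire. The following is an added example written for this archive page; it is not code from the thread, from Sentinel, or from Microsoft. The record layout mirrors the Win32_NTLogEvent WMI class fields (Logfile, SourceName, EventCode, EventType, TimeGenerated, ComputerName, Message), but the sample records, the facility mapping (Security log to auth, everything else to local0) and the treatment of Audit Success as informational are assumptions chosen for the example. It also handles the two things that bite in practice: Windows messages are multi-line while syslog is line-oriented, and RFC 3164 caps a packet at 1024 bytes.

```python
"""Convert Windows Event Log records into RFC 3164 syslog messages.

Added example: a minimal re-implementation of the "WMI in, syslog out" idea.
Field names follow the Win32_NTLogEvent WMI class; the records in
SAMPLE_EVENTS are constructed for this example, not captured from a host.
"""
import socket
from datetime import datetime

# Win32_NTLogEvent.EventType codes -> syslog severity (RFC 3164 table 2)
SEVERITY = {
    1: 3,  # Error         -> err
    2: 4,  # Warning       -> warning
    3: 6,  # Information   -> info
    4: 6,  # Audit Success -> info     (assumption for this example)
    5: 4,  # Audit Failure -> warning  (assumption for this example)
}
UNKNOWN_SEVERITY = 5  # notice, for event types we have no mapping for

# Logfile -> syslog facility. Assumption: Security events go to auth (4),
# anything else to local0 (16).
FACILITY = {"Security": 4}
DEFAULT_FACILITY = 16

MAX_LEN = 1024  # RFC 3164 section 4.1: a syslog packet MUST be <= 1024 bytes

# Constructed sample records (hostname, times and text are made up).
SAMPLE_EVENTS = [
    {
        "Logfile": "Security",
        "SourceName": "Security",
        "EventCode": 529,
        "EventType": 5,
        "TimeGenerated": datetime(2008, 3, 3, 13, 20, 44),
        "ComputerName": "DC01.example.local",
        "Message": "Logon Failure:\r\n\tReason:\t\tUnknown user name or bad password\r\n",
    },
    {
        "Logfile": "Application",
        "SourceName": "MSSQLSERVER",
        "EventCode": 17883,
        "EventType": 1,
        "TimeGenerated": datetime(2008, 3, 3, 13, 21, 0),
        "ComputerName": "SQL02",
        "Message": "Process 0:0 (0x1a2b) Worker appears to be non-yielding. " * 40,
    },
]


def rfc3164_timestamp(ts: datetime) -> str:
    """'Mmm dd hh:mm:ss' with the day space-padded, e.g. 'Mar  3 13:20:44'."""
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"


def _truncate_utf8(data: bytes, limit: int) -> bytes:
    """Cut to `limit` bytes without leaving a torn multi-byte character."""
    if len(data) <= limit:
        return data
    return data[:limit].decode("utf-8", "ignore").encode("utf-8")


def format_syslog(event: dict) -> bytes:
    """Render one Windows event record as an RFC 3164 syslog packet."""
    facility = FACILITY.get(event["Logfile"], DEFAULT_FACILITY)
    severity = SEVERITY.get(event["EventType"], UNKNOWN_SEVERITY)
    pri = facility * 8 + severity
    # RFC 3164 HOSTNAME is a single token: short name, no spaces.
    host = event["ComputerName"].split(".")[0].replace(" ", "_")
    # Windows messages carry CRLF and tabs; collapse them to one line so the
    # receiver does not split one event into several records.
    msg = " ".join(event["Message"].split())
    tag = f"{event['SourceName']}[{event['EventCode']}]"
    line = f"<{pri}>{rfc3164_timestamp(event['TimeGenerated'])} {host} {tag}: {msg}"
    return _truncate_utf8(line.encode("utf-8", "replace"), MAX_LEN)


def send_udp(packet: bytes, collector: str, port: int = 514) -> None:
    """Fire one packet at a syslog collector (classic UDP/514 transport)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(packet, (collector, port))


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(format_syslog(ev).decode())
        # send_udp(format_syslog(ev), "syslog.example.local")  # uncomment to ship
```

The severity table is where the judgement lives: a collector that alerts on anything at warning or above will see Audit Failures but not Audit Successes under the mapping above, which is usually what you want for a Security log but is worth making explicit rather than inheriting from whatever a vendor connector chose.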
More information about the LogAnalysis mailing list