I've been using MonitorWare (and WinSyslog) for a long time as well and it's
solid - never a problem when receiving logs from Windows, Unix, or
Firewalls. From experience it can handle a large load as well - 6,000+
event/sec sustained until I run out of disk :) It can route to file based on
IP address as well, so any syslog priority conflicts can be resolved by
routing based on IP. Also allows for alerting, SMTP e-mail, etc. Support
for syslog-ng is stable too, not just traditional UDP. The previous version
had a bug with TCP sessions being re-established too frequently, but this has
been fixed.
I can also echo the same experiences Johnny has had with Snare and restarts,
but it happens more frequently than I like.
I've also used NTSyslog (old), which Snare inherited its code-base
from, and it seems to have the same periodic problems under heavy load where it will
just slow down and start skipping events. A restart resolves it, but it is hard
to identify until well after the problem has occurred (log loss).
I've started playing with Lasso (which is the only syslog-ng for windows I
know of), but haven't used it in production. In playing with it though, I've
found that some of the logs get wrapped to 2 lines under load when it caches
to disk. I have NOT investigated the cause for this, so it might just be
something in my implementation. One issue that CAN be a problem with Lasso
(especially with the new log format under Longhorn) is that they hard-code a
maximum log line length of 1024 bytes. Even with Windows 2003's object
auditing, an event can get longer than this.
On 6/22/07, jcalhoun (at) securityeventmonitoring (dot) com [email concealed] <
jcalhoun (at) securityeventmonitoring (dot) com [email concealed]> wrote:
>
>
> Snare - Free and easy to setup
>
> MonitorWare - small fee, but dependable and has ability to monitor flat
> files
>
> Lasso - Free and most scalable solution, doesn't require an agent on
> every machine you wish to retrieve logs from. Requires Domain Admin or
> Local Admin privs to pull logs.
>
> I have used both Snare and Monitorware extensively on thousands of
> devices. Sometimes Snare will have to be restarted, or it loses its
> place in the log and suddenly sends you the entire queue from the
> beginning, but you get what you pay for :). We are beginning to look
> into Lasso more and more due to its agent-less design and ease of
> deployment and maintenance.
>
> Thanks,
> Johnny Calhoun
> jcalhoun (at) securityeventmonitoring (dot) com [email concealed]
>
>
> > -------- Original Message --------
> > Subject: [logs] Syslog and Windows
> > From: "Bill Scherr IV" <bschnzl (at) cotse (dot) net [email concealed]>
> > Date: Fri, June 22, 2007 12:35 am
> > To: loganalysis <loganalysis (at) loganalysis (dot) org [email concealed]>
> >
> > All...
> >
> > What do you suggest for sending Windows logs to syslog?
> >
> > B.
> >
> > On 18 Jun 2007, a message purporting to be from Chris Brenton appeared:
> >
> > Subject: Re: [logs] Facility 101 (was: Syslog and facilities)
> > From: Chris Brenton <cbrenton (at) chrisbrenton (dot) org [email concealed]>
> > To: loganalysis <loganalysis (at) loganalysis (dot) org [email concealed]>
> > Date sent: Mon, 18 Jun 2007 09:04:41 -0400
> >
> > > The other problem is some of the facilities are a bit dated. For
> > > example there is a facility for FTP (11) but not HTTP. UUCP even has its own
> > > facility (8) but of course no one uses it anymore (I use it for my
> > > Windows stuff. Keeps it from getting mixed in with other log entries ;-)
> > >
> >
> > Bill Scherr IV, GSEC, GCIA
> > Principal Security Engineer
> > EWA Information and Infrastructure Technologies
> > bscherr (at) iit-tek (dot) com [email concealed]
> > bscherr (at) ewa (dot) com [email concealed]
> > 703-478-7608
> >
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis (at) loganalysis (dot) org [email concealed]
> > http://www.loganalysis.org/mailman/listinfo/loganalysis
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
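Two practical points come up across this thread: repurposing a dated facility (UUCP, 8) for Windows events and routing by source IP when agents' priority choices collide, and the 1024-byte line limit that can truncate or wrap verbose Windows audit events. The following Python is an added example, not code from the thread or from any of the products discussed (MonitorWare, Snare, Lasso). It assumes a hypothetical IP routing table and constructs its own sample events; the 1024-byte figure is the RFC 3164 packet limit, which matches the hard-coded limit the post reports for Lasso.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 3164 facility numbers (subset). Facility 8 (UUCP) and 11 (FTP) are the
# ones mentioned in the thread; UUCP is free to be repurposed for Windows.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

# RFC 3164 caps a syslog packet at 1024 bytes; the thread reports the same
# figure hard-coded in Lasso, so anything longer is at risk of truncation.
MAX_LINE_BYTES = 1024

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def parse_line(line: str) -> dict:
    """Split '<PRI>rest' into facility, severity and the message body."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "msg": m.group(2)}


# Hypothetical routing table (assumption, not from the thread): Windows hosts
# on 10.1.0.0/16 go to one file regardless of the PRI their agent chose, so two
# agents that both picked facility 8 for different purposes cannot collide.
# Everything else falls back to routing by facility name.
IP_ROUTES = [
    (ip_network("10.1.0.0/16"), "windows.log"),
    (ip_network("10.2.0.0/16"), "firewall.log"),
]


def route(src_ip: str, line: str) -> str:
    """Destination file for a message: IP match first, facility as fallback."""
    addr = ip_address(src_ip)
    for net, dest in IP_ROUTES:
        if addr in net:
            return dest
    name = FACILITIES.get(parse_line(line)["facility"], "unknown")
    return f"{name}.log"


def check_length(line: str) -> tuple:
    """Return (fits, byte_length); fits is False when a 1024-byte agent or
    relay would truncate or wrap this message."""
    n = len(line.encode("utf-8"))
    return (n <= MAX_LINE_BYTES, n)


# Constructed sample events (not real captures). The second imitates a verbose
# object-access audit record whose ACL dump pushes it well past 1024 bytes.
SHORT_EVENT = "<70>Jun 22 00:35:00 winhost MSWinEventLog Security 528 Successful Logon user=alice"
LONG_EVENT = (
    "<70>Jun 22 00:36:00 winhost MSWinEventLog Security 560 Object Open "
    "Object Name: C:\\Finance\\Q2\\forecast.xlsx Accesses: READ_CONTROL "
    + " ".join(f"ACE{i}: (A;;FA;;;S-1-5-21-1000-2000-3000-{1100 + i})" for i in range(40))
)


def audit(src_ip: str, line: str) -> dict:
    """Combine routing and the length check into one verdict per message."""
    fits, n = check_length(line)
    return {"dest": route(src_ip, line), "fits": fits, "bytes": n}


if __name__ == "__main__":
    for ev in (SHORT_EVENT, LONG_EVENT):
        print(audit("10.1.5.20", ev))
```

Running `audit` over an incoming stream before it reaches a 1024-byte-limited agent or collector gives you an early count of events that will be wrapped or cut, which is exactly the class of silent log loss the thread describes as hard to notice until long after the fact.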