LogAnalysis
RE: [logs] Syslog and Windows Jun 22 2007 05:23PM
Rainer Gerhards (rgerhards hq adiscon com)
Hi Gord,

thanks for the nice words. Logger is still free, we just try to sell support - but it seems to work too well ;). It also supports TCP-based syslog (syslog-ng).

BTW: we have also an enhanced GPL'd syslogd for Linux, http://www.rsyslog.com. Of course it comes with all the goodies, including TCP based syslog and the ability to write to (currently just MySQL) databases. It supports, like MonitorWare, compressed syslog messages, which can be a real traffic saver for Windows events. I just thought I'd add this.

Rainer

> -----Original Message-----
> From: loganalysis-bounces (at) loganalysis (dot) org [email concealed] [mailto:loganalysis-
> bounces (at) loganalysis (dot) org [email concealed]] On Behalf Of Gord Taylor
> Sent: Friday, June 22, 2007 6:12 PM
> To: jcalhoun (at) securityeventmonitoring (dot) com [email concealed]
> Cc: Jason Pinkey; loganalysis
> Subject: Re: [logs] Syslog and Windows
>
> Should also mention that the same people who make Monitorware and
> Winsyslog also have a port of UNIX logger (www.monitorware.com/logger)
> that works wonderfully. Previous versions were free (google), but I
> don't think their free version supported syslog-ng (not sure about
> this, though).
>
> Gord T. (GCIH, CISSP, GEEK)
>
>
> On 6/22/07, Gord Taylor <taylorgo (at) gmail (dot) com [email concealed]> wrote:
>
> I've been using MonitorWare (and WinSyslog) for a long time as
> well and it's solid - never a problem when receiving logs from Windows,
> Unix, or Firewalls. From experience it can handle a large load as well
> - 6,000+ event/sec sustained until I run out of disk :) It can route to
> file based on IP address as well, so any syslog priority conflicts can
> be resolved by routing based on IP. Also allows for alerting, SMTP
> e-mail, etc. Support for syslog-ng is stable too, not just traditional
> UDP. The previous version had a bug with TCP sessions being re-
> established too frequently but this has been fixed.
>
> I can also echo the same experiences Johnny has had with Snare
> and restarts, but it happens more frequently than I like.
>
> I've also used NTSyslog (old), which Snare inherited its code
> base from; it seems to have the same periodic problems under heavy load
> where it will just slow down and start skipping events. A restart
> resolves it, but it is hard to identify until well after the problem has
> occurred (log loss).
>
> I've started playing with Lasso (which is the only syslog-ng for
> windows I know of), but haven't used it in production. In playing with
> it though, I've found that some of the logs get wrapped to 2 lines
> under load when it caches to disk. I have NOT investigated the cause
> for this, so it might just be something in my implementation. One issue
> that CAN be a problem with Lasso (especially with the new log format
> under Longhorn) is that they hard-code a maximum log line length of
> 1024 bytes. Even with Windows 2003's object auditing, an event can get
> longer than this.
>
>
>
> On 6/22/07, jcalhoun (at) securityeventmonitoring (dot) com [email concealed] <
> jcalhoun (at) securityeventmonitoring (dot) com [email concealed]
> <mailto:jcalhoun (at) securityeventmonitoring (dot) com [email concealed]> > wrote:
>
>
> Snare - Free and easy to setup
>
> MonitorWare - small fee, but dependable and has ability to
> monitor flat
> files
>
> Lasso - Free and most scalable solution, doesn't require an
> agent on
> every machine you wish to retrieve logs from. Requires
> Domain Admin or
> Local Admin privs to pull logs.
>
> I have used both Snare and Monitorware extensively on
> thousands of
> devices. Sometimes Snare will have to be restarted, or it
> loses its
> place in the log and suddenly sends you the entire queue
> from the
> beginning, but you get what you pay for :). We are
> beginning to look
> into Lasso more and more due to its agent-less design and
> ease of
> deployment and maintenance.
>
> Thanks,
> Johnny Calhoun
> jcalhoun (at) securityeventmonitoring (dot) com [email concealed]
> <mailto:jcalhoun (at) securityeventmonitoring (dot) com [email concealed]>
>
>
> > -------- Original Message --------
> > Subject: [logs] Syslog and Windows
> > From: "Bill Scherr IV" < bschnzl (at) cotse (dot) net [email concealed]
> <mailto:bschnzl (at) cotse (dot) net [email concealed]> >
> > Date: Fri, June 22, 2007 12:35 am
> > To: loganalysis <loganalysis (at) loganalysis (dot) org [email concealed] >
> >
> > All...
> >
> > What do you suggest for sending windows logs to syslog
> >
> > B.
> >
> > On 18 Jun 2007, a message purporting to be from Chris
> Brenton appeared:
> >
> > Subject: Re: [logs] Facility 101 (was:
> Syslog and facilities)
> > From: Chris Brenton <
> cbrenton (at) chrisbrenton (dot) org [email concealed] <mailto:cbrenton (at) chrisbrenton (dot) org [email concealed]> >
> > To: loganalysis
> <loganalysis (at) loganalysis (dot) org [email concealed] >
> > Date sent: Mon, 18 Jun 2007 09:04:41 -0400
> >
> > > The other problem is some of the facilities are a bit
> dated. For
> > example
> > > there is a facility for FTP (11) but not HTTP. UUCP
> even has its own
> > > facility (8) but of course no one uses it anymore (I
> use it for my
> > Windows
> > > stuff. Keeps it from getting mixed in with other log
> entries ;-)
> > >
> >
> > Bill Scherr IV, GSEC, GCIA
> > Principal Security Engineer
> > EWA Information and Infrastructure Technologies
> > bscherr (at) iit-tek (dot) com [email concealed]
> > bscherr (at) ewa (dot) com [email concealed]
> > 703-478-7608
> >
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis (at) loganalysis (dot) org [email concealed]
> > http://www.loganalysis.org/mailman/listinfo/loganalysis
> <http://www.loganalysis.org/mailman/listinfo/loganalysis>
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> <mailto:LogAnalysis (at) loganalysis (dot) org [email concealed]>
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>
>
>

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
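Two practical points recur in this thread: Chris Brenton's trick of parking Windows events on an otherwise unused syslog facility (UUCP, facility 8) so a receiver can route them to their own file, and Gord Taylor's warning that a forwarder with a hard-coded 1024-byte line cap will cut verbose Windows 2003 audit events. The following Python is an added example written for this archive page, not code from any of the tools or list members discussed; it builds RFC 3164 lines for a constructed Windows event, flattens the CRLF-heavy event description so a line-oriented receiver sees one message, computes and decodes the PRI field, routes by facility on the receiving side, and flags lines that would exceed the 1024-byte limit before they are sent. The hostname, tag and event text are constructed sample values.

```python
"""Added example: tag Windows events with a dedicated syslog facility and
check them against a 1024-byte line cap before forwarding."""
import datetime
import re

# RFC 3164 facility and severity codes (these numeric values are standard).
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
# The per-line cap discussed in the thread; RFC 3164 sets the same maximum.
MAX_LINE_BYTES = 1024


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. uucp.info -> 70."""
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI back into (facility, severity)."""
    return divmod(pri, 8)


def flatten_event_text(text):
    """Windows event descriptions carry CRLF and tab runs; a line-oriented
    receiver would treat every embedded newline as a message boundary, so
    collapse all whitespace runs to a single space before sending."""
    return re.sub(r"\s+", " ", text).strip()


def build_syslog_line(hostname, tag, text, facility="uucp", severity="info", ts=None):
    """Assemble '<PRI>TIMESTAMP HOSTNAME TAG: MSG' in RFC 3164 layout."""
    ts = ts or datetime.datetime(2007, 6, 22, 14, 31, 0)
    # RFC 3164 TIMESTAMP is "Mmm dd hh:mm:ss" with the day space-padded.
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    pri = encode_pri(FACILITY[facility], SEVERITY[severity])
    return f"<{pri}>{stamp} {hostname} {tag}: {flatten_event_text(text)}"


def fits_line_limit(line, limit=MAX_LINE_BYTES):
    """True when the encoded line would survive a receiver with this cap."""
    return len(line.encode("utf-8")) <= limit


def parse_pri(line):
    """Receiver side: extract (facility, severity, remainder) from a line."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.DOTALL)
    if not m:
        raise ValueError("missing PRI field")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    fac, sev = decode_pri(pri)
    return fac, sev, m.group(2)


def route_by_facility(line):
    """A dedicated facility lets Windows events land in their own file
    instead of being mixed with Unix and firewall logs."""
    fac, _, _ = parse_pri(line)
    return "windows.log" if fac == FACILITY["uucp"] else "syslog.log"


# Constructed samples (not real event output): a short logon event and a
# verbose object-access event of the kind Windows 2003 auditing produces.
SAMPLE_SHORT = "Logon/Logoff: Successful Logon\r\n\tUser Name: alice\r\n\tDomain: CORP"
SAMPLE_LONG = "Object Access: Object Open\r\n" + "\r\n".join(
    f"\tAccess {i}: ReadData (or ListDirectory)" for i in range(40))


def demo():
    """Build both samples and report which would be cut at 1024 bytes."""
    short = build_syslog_line("winsrv01", "MSWinEventLog", SAMPLE_SHORT)
    long_ = build_syslog_line("winsrv01", "MSWinEventLog", SAMPLE_LONG)
    return {
        "short": short,
        "short_ok": fits_line_limit(short),
        "long_ok": fits_line_limit(long_),
        "long_bytes": len(long_.encode("utf-8")),
        "route": route_by_facility(short),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the short event passing the cap and routed to windows.log, while the verbose object-access event comes out well over 1024 bytes; a forwarder that only truncates would silently drop the tail of exactly the audit records a defender cares about, so flagging oversize events (or switching to a transport without the cap) is the check worth adding before deployment.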

Copyright 2010, SecurityFocus