LogAnalysis
[logs] Syslog and facilities Jun 06 2007 10:55AM
saudi sans (saudisans gmail com) (4 replies)
Re: [logs] Facility 101 (was: Syslog and facilities) Jun 18 2007 01:04PM
Chris Brenton (cbrenton chrisbrenton org) (1 replies)
[logs] Syslog and Windows Jun 22 2007 04:35AM
Bill Scherr IV (bschnzl cotse net) (5 replies)
RE: [logs] Syslog and Windows Jun 25 2007 06:54PM
Eric Fitzgerald (Eric Fitzgerald microsoft com) (2 replies)
RE: [logs] Syslog and Windows Jun 25 2007 08:02PM
Rainer Gerhards (rgerhards hq adiscon com) (1 replies)
RE: [logs] Syslog and Windows Jun 25 2007 08:43PM
Eric Fitzgerald (Eric Fitzgerald microsoft com) (1 replies)
Thanks Rainer,

I just wanted to make sure everyone was aware of the idiosyncrasies of
Windows events. There has been discussion elsewhere on this thread of
several different syslog solutions for Windows; it would be in the best
interest of those choosing to implement any of those to find out the
limitations of each of those solutions.

Best regards,
Eric

-----Original Message-----
From: Rainer Gerhards [mailto:rgerhards (at) hq.adiscon (dot) com]
Sent: Monday, June 25, 2007 1:03 PM
To: Eric Fitzgerald; loganalysis
Subject: RE: [logs] Syslog and Windows

Hi Eric,

Thanks for the explanation, really appreciated. But I need to comment on
the syslog issue ;)

> If you have a solution which does all these lookups and
> translations and
> combines the event message text with the raw event data prior to
> transmission, the average event length will likely increase
> up to 4x, to
> the vicinity of 2k-3k per event record in the security event log.
>
> Syslog only supports 1k per message per RFC 3164.

RFC 3164 is informational and NOT really describing what can be seen in
practice. The typical (unpatched) syslogd on Linux does indeed have the
2K limit, but there are many other syslog-based solutions out there (including
on *nix) which support larger sizes.

>
> Any syslog-based solution for gathering Windows logs is likely either
> truncating a large percentage of Windows events, or not collecting
> Windows events in a way that they can be analyzed by human beings (in
> that case don't blame Windows; blame your SEM).

Or it ignores the artificial limit in old-day syslog.

> In summary, syslog is probably a poor solution for Windows security
> events for the reasons described above. Other logs on
> Windows typically
> have shorter events but you might still have many of the same
> shortcomings with syslog.

The good thing about syslog is that it is universally available and thus
can be used to build cross-platform solutions.

Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis

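The size problem Eric and Rainer are arguing about, as an added example that is not part of the thread and not code from either of them or from any product named here: a Windows event whose resolved message text plus raw fields runs to about 2.5k bytes is framed as an RFC 3164 packet, fed to a receiver that models an unpatched 1024-byte syslogd, and then to one with a larger buffer. A collector-side check flags the loss. The event record, the hostname, the tag, and the end-of-record marker the sender appends are all constructed for illustration.

```python
"""Added example: what a fixed 1024-byte syslog receiver does to a large
Windows event, and how a collector can detect the truncation.

Not code from the thread's participants or from any syslog product. The
record, hostname, tag and END_MARKER below are constructed assumptions.
"""
from datetime import datetime

RFC3164_MAX_LEN = 1024      # packet size limit named in RFC 3164 section 4.1
END_MARKER = "[EOR]"        # hypothetical marker a cooperating sender appends

# Constructed record in the shape of a Windows 2003 "Successful Logon"
# (event 528). The raw fields go last, which is where truncation bites.
RAW_FIELDS = {
    "EventID": "528",
    "Source": "Security",
    "Type": "Success Audit",
    "User": "CORP\\jdoe",
    "Computer": "WS-0042",
    "LogonType": "10",
    "Workstation": "WS-0042",
    "SourceAddress": "192.0.2.17",
}

MESSAGE_TEXT = (
    "Successful Logon: User Name: jdoe Domain: CORP Logon ID: (0x0,0x2B4F1) "
    "Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate "
    "Workstation Name: WS-0042 Caller User Name: WS-0042$ Caller Domain: CORP "
    "Caller Logon ID: (0x0,0x3E7) Caller Process ID: 612 Transited Services: - "
    "Source Network Address: 192.0.2.17 Source Port: 3389"
)


def pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return facility * 8 + severity


def build_event(text=MESSAGE_TEXT, fields=RAW_FIELDS, min_len=2500):
    """Combine resolved message text with the raw fields, as an agent that does
    all lookups before transmission would. Constructed filler pads the record
    into the 2k-3k range the thread cites; the raw fields stay at the end."""
    raw = "; ".join(f"{k}={v}" for k, v in fields.items())
    filler = ""
    while len(text) + len(filler) + len(raw) + 3 < min_len:
        filler += " Additional resolved detail follows."   # constructed filler
    return f"{text}{filler} | {raw}"


def build_packet(facility, severity, hostname, tag, msg, when=None):
    """Frame a message as an RFC 3164 packet: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
    The day in TIMESTAMP is space-padded. END_MARKER is appended so a receiver
    can tell a complete record from a cut one."""
    when = when or datetime(2007, 6, 25, 13, 3, 0)
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {msg} {END_MARKER}"


def receive(packet, max_len=RFC3164_MAX_LEN):
    """Model a receiver with a fixed buffer: bytes past max_len are silently dropped."""
    return packet[:max_len]


def is_truncated(received):
    """Marker check for a cooperating sender: a complete record ends with END_MARKER."""
    return not received.rstrip().endswith(END_MARKER)


def fills_buffer(received, max_len=RFC3164_MAX_LEN):
    """Fallback when the sender adds no marker: a message that exactly fills the
    receive buffer has very likely been cut. A legitimate message of exactly
    that size is indistinguishable, so this is a hint, not proof."""
    return len(received) >= max_len


def surviving_fields(received):
    """Return whichever raw k=v fields made it through, i.e. what is left to analyze."""
    _, sep, raw = received.partition(" | ")
    if not sep:
        return {}
    out = {}
    for token in raw.replace(END_MARKER, "").strip().split("; "):
        key, eq, value = token.partition("=")
        if eq:
            out[key] = value
    return out


if __name__ == "__main__":
    event = build_event()
    packet = build_packet(13, 6, "WS-0042", "WinEvt", event)   # facility 13 = log audit
    for limit in (RFC3164_MAX_LEN, 8192):
        got = receive(packet, limit)
        print(f"limit={limit}: kept {len(got)} of {len(packet)} bytes, "
              f"truncated={is_truncated(got)}, fields={sorted(surviving_fields(got))}")
```

Run as-is, the 1024-byte receiver keeps the first part of the human-readable text and none of the raw fields, so the record is no longer usable for automated analysis, while the larger-buffer receiver keeps all of it. The marker check is only reliable if the sending agent appends the marker; a collector that cannot change the sender has only the buffer-fill heuristic, which is what makes it worth knowing the limit of each solution before choosing one, as Eric suggests.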
RE: [logs] Syslog and Windows Jun 25 2007 09:10PM
Rainer Gerhards (rgerhards hq adiscon com) (1 replies)
RE: [logs] Syslog and Windows Jun 25 2007 09:55PM
Eric Fitzgerald (Eric Fitzgerald microsoft com)
Re: [logs] Syslog and Windows Jun 25 2007 07:59PM
Vincent Bernat (bernat luffy cx) (1 replies)
RE: [logs] Syslog and Windows Jun 26 2007 07:05PM
Eric Fitzgerald (Eric Fitzgerald microsoft com) (1 replies)
RE: [logs] Syslog and Windows Jun 26 2007 08:00PM
Rainer Gerhards (rgerhards hq adiscon com)
Re: [logs] Syslog and Windows Jun 22 2007 05:42AM
David Corlette (dcorlette novell com)
[logs] Re: Syslog and Windows Jun 22 2007 05:11AM
Chris Brenton (cbrenton chrisbrenton org) (1 replies)
[logs] Re: Syslog and Windows Jun 22 2007 10:23AM
Bill Scherr IV (bschnzl cotse net) (1 replies)
RE: [logs] Re: Syslog and Windows Jun 22 2007 06:27PM
Tina Bird (tbird precision-guesswork com) (3 replies)
RE: [logs] Re: Syslog and Windows Jun 23 2007 03:46PM
Chris Brenton (cbrenton chrisbrenton org)
RE: [logs] Re: Syslog and Windows Jun 22 2007 08:41PM
Rainer Gerhards (rgerhards hq adiscon com)
Re: [logs] Re: Syslog and Windows Jun 22 2007 07:15PM
Gord Taylor (taylorgo gmail com) (1 replies)
RE: [logs] Re: Syslog and Windows Jun 22 2007 08:24PM
Rainer Gerhards (rgerhards hq adiscon com) (1 replies)
Re: [logs] Re: Syslog and Windows Jun 25 2007 02:24PM
Gord Taylor (taylorgo gmail com)
Re: [logs] Syslog and Windows Jun 22 2007 05:04AM
John Kinsella (jlk thrashyour com) (2 replies)
RE: [logs] Syslog and Windows Jun 22 2007 10:09AM
Rainer Gerhards (rgerhards hq adiscon com)
Re: [logs] Syslog and Windows Jun 22 2007 08:43AM
Russell Fulton (r fulton auckland ac nz) (1 replies)
Re: [logs] Syslog and Windows Jun 22 2007 03:12PM
John Kinsella (jlk thrashyour com)
Re: [logs] Syslog and Windows Jun 22 2007 04:49AM
Matt Jonkman (jonkman bleedingthreats net)
RE: [logs] Syslog and facilities Jun 06 2007 07:45PM
Rainer Gerhards (rgerhards hq adiscon com)
Re: [logs] Syslog and facilities Jun 06 2007 05:01PM
Marcus J. Ranum (mjr ranum com) (1 replies)
RE: [logs] Syslog and facilities Jun 06 2007 07:40PM
Rainer Gerhards (rgerhards hq adiscon com)
Re: [logs] Syslog and facilities Jun 06 2007 04:40PM
David Corlette (dcorlette novell com)
Copyright 2010, SecurityFocus