LogAnalysis
[logs] Eventlog to syslog Feb 29 2008 12:59PM
Marcelo de Souza (marcelo marcelosouza com) (3 replies)
Re: [logs] Eventlog to syslog Mar 06 2008 10:49PM
Anton Chuvakin (anton chuvakin org) (1 replies)
[logs] SYSLOG patent? Mar 12 2008 08:16AM
A Ananth (ananth802 yahoo com) (1 replies)
Re: [logs] SYSLOG patent? Mar 14 2008 11:18AM
Stefano Zanero (zanero elet polimi it) (1 replies)
Re: [logs] SYSLOG patent? Mar 14 2008 04:22PM
Balazs Scheidler (bazsi balabit hu) (4 replies)
Re: [logs] SYSLOG patent? Mar 15 2008 03:15AM
Bill Scherr IV (bschnzl cotse net) (1 replies)
Re: [logs] SYSLOG patent? Mar 15 2008 11:29PM
Marcus J. Ranum (mjr ranum com)
Re: [logs] SYSLOG patent? Mar 14 2008 08:13PM
Stephen John Smoogen (smooge gmail com)
RE: [logs] SYSLOG patent? Mar 14 2008 06:22PM
Rainer Gerhards (rgerhards hq adiscon com) (2 replies)
RE: [logs] SYSLOG patent? Mar 14 2008 06:46PM
Dee-Ann LeBlanc (dee splunk com)
Re: [logs] SYSLOG patent? Mar 14 2008 06:44PM
Ray Van Dolson (rvandolson esri com)
RE: [logs] SYSLOG patent? Mar 14 2008 06:15PM
Rainer Gerhards (rgerhards hq adiscon com)
Re: [logs] Eventlog to syslog Feb 29 2008 07:37PM
Anton Chuvakin (anton chuvakin org) (2 replies)
RE: [logs] Eventlog to syslog Feb 29 2008 09:06PM
Rainer Gerhards (rgerhards hq adiscon com)
Hi all,

Anton seems to have forgotten the product that invented that technology
and still, in my humble vendor opinion, is leading the pack ;)

Please have a look at EventReporter (http://www.eventreporter.com) for
pure Event Logs or MonitorWare Agent (http://www.mwagent.com) if you
want to monitor all the rest, too (for example files, databases, even
serial devices). These tools are not free, but are rock-solid, extremely
feature-rich and around for over 10 years now.

Back to the tech part: if you think about event log forwarding, there
are a couple of issues you should think about:

- can it process all event logs, including custom logs?
- can it work with the new event log system (e.g. Vista)?
- how large is the memory and CPU footprint?
- can it resolve object names and Active Directory GUIDs?
- can it work on any platform you need?
- what happens to log data during a restart?
- what happens if it needs to wrangle with malformed message libraries
(one of the real joys on a third-party-extensible system ;))
- can it reliably handle everything that comes from a message source?

If you look at files, there are a couple of more questions:
- can IIS log files be correctly processed (they *are* special,
even if some vendors have yet to find out ;))?
- can it monitor multiple files inside a directory?
- how about rollover processing?
- how about UTF-8, MBCS and Unicode in general?

For both (and potential other sources), you need to ask yourself
questions about the processing:
- is it multithreaded?
- how is a large message burst handled?
- what happens if a destination is down?
- is local pre-processing supported (this is *vitally* important on
Windows)?
- can you reformat the messages?
- is the output format fixed?

A quick rant on the agent vs. Agentless question. I know that agentless
has become popular. I have been a strong opponent of agentless solutions
for a long time, but marketing has forced me to make our solutions able to
work agentless. They are doing great in agentless mode. But believe me, this
is crap (as with all other agentless solutions too). If you'd like to
have reliable and performant (and network-friendly) event log
processing, forget about agentless mode. Everyone who tells you
agentless is great does not really know what happens when you run over
the network (or doesn't care about performance and reliability at all
;)).

I am sorry that I am a bit short on time (even for a vendor ;)), but I
hope these things get you started. If you'd like to have a look at "the
real thing" ;) you can visit http://www.monitorware.com for more
information and free trial downloads.

As a side-note, you may also want to have a look at rsyslog
(http://www.rsyslog.com), my GPLed extremely feature-rich Linux syslogd.

Rainer

> -----Original Message-----
> From: loganalysis-bounces (at) loganalysis (dot) org [email concealed]
> [mailto:loganalysis-bounces (at) loganalysis (dot) org [email concealed]] On Behalf Of
> Anton Chuvakin
> Sent: Friday, February 29, 2008 8:38 PM
> To: Marcelo de Souza
> Cc: loganalysis (at) loganalysis (dot) org [email concealed]
> Subject: Re: [logs] Eventlog to syslog
>
> Snare, Project LASSO (http://sourceforge.net/projects/lassolog), DAD
> (http://sourceforge.net/projects/lassie), ntsyslog (whereve), what
> else is out there?
>
> On Fri, Feb 29, 2008 at 4:59 AM, Marcelo de Souza
> <marcelo (at) marcelosouza (dot) com [email concealed]> wrote:
> > Loganalysis folks,
> >
> > Which tool do you really recommend for windows eventlog to unix
> > syslog translation?
> >
> > I've been thinking about Snare, but I'd like to hear your opinion.
> >
> > Thanks in advance.
> >
> > --
> > Marcelo de Souza
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis (at) loganalysis (dot) org [email concealed]
> > http://www.loganalysis.org/mailman/listinfo/loganalysis
> >
>
>
>
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
> http://www.chuvakin.org
> http://chuvakin.blogspot.com
> http://www.info-secure.org
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
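Three of the questions in the checklist above (can you reformat the messages, how is UTF-8 handled, and what happens when a destination is down) can be made concrete in a few dozen lines. The block below is an added example for this archive page; it is not part of the thread and is not code from EventReporter, MonitorWare Agent, rsyslog or any other product named here. It assumes event-log records arrive as plain Python dicts (constructed sample data, not real event-log output), and that the receiver is a callable that raises ConnectionError while the collector is unreachable; the FakeCollector class is a stand-in for a real syslog receiver.

```python
"""Windows event record -> RFC 3164 syslog line, spooled while the collector is down.

Added illustration. Event records are constructed dicts; the destination is any
callable that raises ConnectionError on failure (an assumption of this example).
"""
import datetime
from collections import deque

# Numeric codes from RFC 3164 section 4.1.1: facility local0 = 16, severity 0-7.
FACILITY_LOCAL0 = 16
LEVEL_TO_SEVERITY = {
    "Error": 3,           # err
    "Warning": 4,         # warning
    "Information": 6,     # info
    "Audit Success": 6,   # info
    "Audit Failure": 4,   # warning
}


def pri(facility: int, severity: int) -> int:
    """PRI value as RFC 3164 defines it: facility * 8 + severity."""
    return facility * 8 + severity


def clean_text(text: str) -> str:
    """Replace CR, LF, tabs and other control characters with single spaces.

    Event-log descriptions routinely contain CRLF; a raw newline inside a syslog
    line is read by many receivers as the start of a new record.
    """
    chars = [" " if ord(ch) < 0x20 or ch == "\x7f" else ch for ch in text]
    return " ".join("".join(chars).split())


def truncate_utf8(text: str, max_bytes: int) -> str:
    """Cut to at most max_bytes of UTF-8 without leaving a split multi-byte sequence."""
    data = text.encode("utf-8")
    if len(data) <= max_bytes:
        return text
    # A partial trailing sequence is invalid UTF-8 and is dropped by errors="ignore".
    return data[:max_bytes].decode("utf-8", errors="ignore")


def format_event(event: dict, facility: int = FACILITY_LOCAL0, max_bytes: int = 1024) -> str:
    """Render one event record as an RFC 3164 line; unknown levels map to notice (5)."""
    severity = LEVEL_TO_SEVERITY.get(event["level"], 5)
    ts = event["time"]
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # "Mmm dd hh:mm:ss", day space-padded
    header = f"<{pri(facility, severity)}>{stamp} {event['host']} "
    tag = f"{event['source']}[{event['event_id']}]: "
    budget = max_bytes - len(header.encode("utf-8")) - len(tag.encode("utf-8"))
    return header + tag + truncate_utf8(clean_text(event["message"]), budget)


class Forwarder:
    """Delivers lines through `send`, keeping a bounded in-memory spool while it fails.

    Lines are delivered in arrival order and flushing stops at the first failure.
    When the spool is full the oldest line is dropped and counted, so a long
    outage cannot exhaust memory silently.
    """

    def __init__(self, send, spool_size: int = 10000):
        self.send = send
        self.spool = deque()
        self.spool_size = spool_size
        self.dropped = 0
        self.delivered = 0

    def forward(self, line: str) -> None:
        self.spool.append(line)
        if len(self.spool) > self.spool_size:
            self.spool.popleft()
            self.dropped += 1
        self.flush()

    def flush(self) -> None:
        while self.spool:
            try:
                self.send(self.spool[0])
            except ConnectionError:
                return  # destination still down; keep the spool intact
            self.spool.popleft()
            self.delivered += 1


class FakeCollector:
    """Stand-in for a syslog receiver (constructed for this example)."""

    def __init__(self, up: bool = True):
        self.up = up
        self.received = []

    def send(self, line: str) -> None:
        if not self.up:
            raise ConnectionError("collector unreachable")
        self.received.append(line)


# Constructed sample records, not real event-log output.
SAMPLE_EVENTS = [
    {"time": datetime.datetime(2008, 2, 29, 12, 59, 0), "host": "dc01",
     "source": "Security", "event_id": 529, "level": "Audit Failure",
     "message": "Logon Failure:\r\n\tReason:\t\tUnknown user name or bad password\r\n\tUser Name:\tjdoe"},
    {"time": datetime.datetime(2008, 3, 1, 2, 31, 7), "host": "web01",
     "source": "W3SVC", "event_id": 1074, "level": "Information",
     "message": "Dienst gestartet: Köln-Frontend"},
]


def demo():
    """Format the samples and push them through a collector that is down, then up."""
    collector = FakeCollector(up=False)
    fw = Forwarder(collector.send, spool_size=100)
    lines = [format_event(e) for e in SAMPLE_EVENTS]
    fw.forward(lines[0])   # collector down: the line is spooled, not lost
    collector.up = True
    fw.forward(lines[1])   # collector back: the spool drains in arrival order
    return lines, collector.received, fw


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The spool here is in memory only, which answers "what happens if a destination is down" but not "what happens to log data during a restart"; a production agent would persist the spool to disk and would also track its read position in each event log so that records emitted while it was stopped are picked up afterwards.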

Re: [logs] Eventlog to syslog Feb 29 2008 08:33PM
Daniel Cid (dcid ossec net)
Re: [logs] Eventlog to syslog Feb 29 2008 07:27PM
tbird precision-guesswork com (2 replies)
Re: [logs] Eventlog to syslog Feb 29 2008 09:10PM
David Corlette (DCorlette novell com) (1 replies)
[logs] wny not syslog on microsoft platforms Feb 29 2008 11:13PM
Rodney Thayer (rodney canola-jones com)
Re: [logs] Eventlog to syslog Feb 29 2008 08:52PM
Rodney Thayer (rodney canola-jones com) (2 replies)
Re: [logs] Eventlog to syslog Feb 29 2008 11:02PM
Anton Chuvakin (anton chuvakin org) (1 replies)
Re: [logs] Eventlog to syslog Feb 29 2008 11:49PM
Marcus J. Ranum (mjr ranum com)
Re: [logs] Eventlog to syslog Feb 29 2008 10:17PM
tbird precision-guesswork com (4 replies)
RE: [logs] Eventlog to syslog Mar 03 2008 09:53PM
Desai, Ashish (Ashish Desai fmr com)
Re: [logs] Eventlog to syslog Mar 03 2008 07:08PM
Patrick Hull (nethead69 gmail com) (2 replies)
Re: [logs] Eventlog to syslog Mar 03 2008 08:47PM
David Corlette (DCorlette novell com) (1 replies)
Re: [logs] Eventlog to syslog Mar 03 2008 09:20PM
Patrick Hull (nethead69 gmail com)
Re: [logs] Eventlog to syslog Mar 03 2008 07:58PM
Mark Bagley (mbagley splunk com)
Re: [logs] Eventlog to syslog Feb 29 2008 11:56PM
David Corlette (DCorlette novell com)
Re: [logs] Eventlog to syslog Feb 29 2008 11:46PM
Andrew Hay (andrewsmhay gmail com) (2 replies)
Re: [logs] Eventlog to syslog Mar 01 2008 02:31AM
A Ananth (ananth802 yahoo com) (1 replies)
Re: [logs] Eventlog to syslog Mar 01 2008 02:55AM
Andrew Hay (andrewsmhay gmail com) (2 replies)
Re: [logs] Eventlog to syslog Mar 02 2008 08:34PM
Rodney Thayer (rodney canola-jones com)
Re: [logs] Eventlog to syslog Mar 01 2008 03:05AM
A Ananth (ananth802 yahoo com)
Re: [logs] Eventlog to syslog Mar 01 2008 02:17AM
Rodney Thayer (rodney canola-jones com)
Copyright 2010, SecurityFocus