LogAnalysis
Re: [logs] Eventlog to syslog Feb 29 2008 11:46PM
Andrew Hay (andrewsmhay gmail com) (2 replies)
> So the real question becomes: of those large MS customers, how many of them
> have or are planning to deploy a syslog-based monitoring infrastructure, and
> are they willing to apply pressure to Redmond?

I suspect that, with the (future) adoption of Windows 2008 and the new
cross-log query feature in the event log (that allows you to correlate logs
from multiple systems), Microsoft may finally have put the nail in the
coffin that is this issue (at least in their eyes). I'll be honest, I
haven't dug into the new event log due to other things on my plate, but I
have a feeling that this new event log rewrite is going to be positioned as
a SIEM replacement for Windows based events. I was telling Anton yesterday
that Beth Quinlan, in her Information Security article entitled "3d
Security", touches on the new event log features a bit.

On 29/02/2008, tbird (at) precision-guesswork (dot) com [email concealed] <tbird (at) precision-guesswork (dot) com [email concealed]>
wrote:
>
> Quoting Rodney Thayer <rodney (at) canola-jones (dot) com [email concealed]>:
>
> > I'd like to just know why they don't support syslog.
> > Heard rumors Longhorn would fix that bug ;-)
>
>
> Hmm. I've apparently heard contradicting rumors. We should compare
> notes some time.
>
>
> > Anyway, my point is, if that vendor (e.g. Microsoft)
> > thinks they have a reason for not doing syslog to support
> > external event management, I'd be interested in hearing that.
> > I think not doing syslog is broken but what I think we all
> > really see as a requirement is "externally available interoperable
> > standards-based event output" so I try to have an open mind
> > when this MS flaw is revisited...
>
>
> Here's my 0.02, as politically correctly as I can put it: Microsoft
> has a corporate tradition of building closed systems, and even when
> they're forced to build a standards-based application (DNS? IPsec?)
> they have a tendency (that's polite) to add extensions that make their
> products less interoperable than one might like. Ahem. One with a
> truly heterogeneous network to run, anyhow.
>
> On the specific beloved topic of syslog, I know (cos I've been part of
> it) that Microsoft has heard "support syslog" for years. The problem
> is that they're hearing it from UNIX experts and IETF folks and people
> on this list, very few (if any) of whom have enterprise-scale
> deployments of Microsoft products deployed, and even fewer of whom
> (out of that "any") who would *not* deploy an MS product because it
> did NOT support syslog.
>
> Microsoft responds to its customers. Microsoft responds more swiftly
> to customer pressure than any other IT vendor I've ever dealt with.
> (Pressure from the press doesn't hurt, either, but I can't imagine how
> we could turn decades of lack of support for syslog into a slashdot
> worthy news event.)
>
> If we *really* want to get MS' attention on this issue, we need to
> find some large Microsoft customers who are willing to apply pressure
> to their account managers about syslog support. That's certainly
> *possible*, but I suspect it's highly unlikely, cos' most of the large
> MS shops I've worked at/with are already using MS-provided or
> Windows-specific monitoring tools, and can't even *spell* syslog.
>
> So the real question becomes: of those large MS customers, how many of
> them have or are planning to deploy a syslog-based monitoring
> infrastructure, and are they willing to apply pressure to Redmond?
> Anyone here an MS Premier customer?
>
> It may be that finally, thanks to compliance regulations etc., there
> are enough large scale organizations worrying about log collection and
> archiving that this might work. There's clearly never been enough
> momentum to get the ball rolling in the past, or we wouldn't be having
> this conversation in *sigh* 2008...
>
> cheers -- tbird
>
>
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>

--
Andrew Hay
blog: http://www.andrewhay.ca
email: andrewsmhay || at || gmail.com
LinkedIn Profile: http://www.linkedin.com/in/andrewhay
OSSEC Book: http://preview.tinyurl.com/2oy63f
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

Copyright 2010, SecurityFocus