LogAnalysis
Re: [logs] Eventlog to syslog Mar 01 2008 02:55AM
Andrew Hay (andrewsmhay gmail com) (2 replies)
> If Microsoft feels that the 'cross-log query' feature nails the SIEM problem
> -- we disagree.

Count me in your 'we' group.

> It opens up some possibilities for very small shops but by itself has
> limited value in even a medium size install.

Yep, sure does.

> Limitations

> 1) All machines must run Vista

You sure? It reads like Windows 2008 Servers will also have this capability.

> 6) It's an MS-standard

Honestly, is that a bad thing? So what if it's a Microsoft standard, a Cisco
standard, or some other standard, as long as it's implemented correctly?

On 29/02/2008, A Ananth <ananth802 (at) yahoo (dot) com [email concealed]> wrote:
>
>
> --- Andrew Hay <andrewsmhay (at) gmail (dot) com [email concealed]> wrote:
>
> > I suspect that, with the (future) adoption of
> > Windows 2008 and the new
> > cross-log query feature in the event log (that
> > allows you to correlate logs
> > from multiple systems), Microsoft may finally have
> > put the nail in the
> > coffin that is this issue (at least in their eyes).
> > I'll be honest, I
> > haven't dug into the new event log due to other
> > things on my plate, but I
> > have a feeling that this new event log rewrite is
> > going to be positioned as
> > a SIEM replacement for Windows based events.
>
>
>
> If Microsoft feels that the 'cross-log query' feature
> nails the SIEM problem -- we disagree. It opens up
> some possibilities for very small shops but by itself
> has limited value in even a medium size install.
>
> Limitations
> 1) All machines must run Vista
> 2) Collector is a workstation
> 3) Event automation is local to each system
> 4) No central policy mgt console
> 5) Updating each endpoint system is manual effort
> 6) It's an MS-standard
>
> We explored the Vista event log in a webinar last year
> with Nelson Ruest. It's online (registration required)
> at
> http://www.prismmicrosys.com/webinarDetails.php?id=10&a=view
>
> Disclaimer: I'm with Prism, a SIEM vendor
>
> --
> A Ananth
> ananth802 (at) yahoo (dot) com [email concealed]
>
>
> --
> A N Ananth
> ananth802 (at) yahoo (dot) com [email concealed]
>

--
Andrew Hay
blog: http://www.andrewhay.ca
email: andrewsmhay || at || gmail.com
LinkedIn Profile: http://www.linkedin.com/in/andrewhay
OSSEC Book: http://preview.tinyurl.com/2oy63f
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

Copyright 2010, SecurityFocus