True - it uses UDP. But, for my smallish environment of about 40
servers and about 200 users in this site, it's "good enough" - mostly
because the price is right. Essentially free. I use the open source
Intersect Alliance Snare and Epilog clients and purchased the Kiwisoft
syslog server years ago for about US$100 - the latter is installed on
a spare workstation, and that and running an ancient copy of Servers
Alive are its only jobs in life - I'm working on implementing Nagios
in FreeBSD in my copious free time at work, so I'll probably get that
implemented about the time the sun expires...

Kurt

On Fri, Jun 4, 2010 at 11:44, Ken Schaefer <k...@adopenstatic.com> wrote:
> The only issue with syslog is that it can be unreliable. As you scale up, you
> may find things are missing from your central syslog store, unless you have a
> client on your servers that provides for guaranteed delivery of events.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Saturday, 5 June 2010 2:32 AM
> To: NT System Admin Issues
> Subject: Re: GPO question
>
> A very key item:
>
> "Ideally, all specifically monitored events will be sent to a server by using 
> Microsoft Operations Manager (MOM) or some other automated monitoring tool. 
> This is particularly important because an attacker who successfully 
> compromises a server could clear the security log. If all events are sent to 
> a monitoring server, you will be able to gather post-incident forensic 
> information about the attacker’s activities."
>
> I happen to use a syslogging setup, but something that collects logs 
> centrally is incredibly useful.
>
> Kurt
>
> On Fri, Jun 4, 2010 at 10:58, Andrew S. Baker <asbz...@gmail.com> wrote:
>> See:  http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx
>>
>> -ASB: http://XeeSM.com/AndrewBaker
>>
>>
>> On Fri, Jun 4, 2010 at 12:47 PM, David Lum <david....@nwea.org> wrote:
>>>
>>> I usually run 128MB on the sec logs. What happens if cumulative is
>>> over 300MB on a DC?
>>>
>>> Dave
>>>
>>> From: Brian Desmond [mailto:br...@briandesmond.com]
>>> Sent: Friday, June 04, 2010 9:25 AM
>>> To: NT System Admin Issues
>>> Subject: RE: GPO question
>>>
>>> I usually go with around 150MB. Keep in mind that on a 32bit box you
>>> want the cumulative size of all your event logs to be <=300MB. You
>>> should size your app and system logs accordingly as well.
>>>
>>> Also note that the policy will not shrink logs if you have them
>>> bigger than your new maximum.
>>>
>>> Thanks,
>>>
>>> Brian Desmond
>>>
>>> br...@briandesmond.com
>>>
>>> c   – 312.731.3132
>>>
>>> From: Andrew S. Baker [mailto:asbz...@gmail.com]
>>> Sent: Friday, June 04, 2010 10:35 AM
>>> To: NT System Admin Issues
>>> Subject: Re: GPO question
>>>
>>> You're going to want to make it larger than 512K, btw.
>>>
>>> 8MB or 16MB will be more useful numbers.
>>>
>>> -ASB: http://XeeSM.com/AndrewBaker
>>>
>>> On Fri, Jun 4, 2010 at 10:45 AM, Bill Lambert <blamb...@concuity.com>
>>> wrote:
>>>
>>> All my domain pc’s are displaying a message on the login window that
>>> the security log is full and only an administrator can correct this.
>>> I’m trying to find where the properties of the Event Viewer security
>>> logs are set in GP.  I think another admin has set this up but I
>>> can’t find it.  Can someone direct me to where these settings are?  I
>>> want to set it to 512kb and overwrite as necessary.
>>>
>>> Thanks in advance!
>>>
>>> Bill Lambert
>>>
>>> Windows System Administrator
>>>
>>> Concuity
>>>
>>> Phone  847-941-9206
>>>
>>> Fax  847-465-9147
>>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

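The thread covers three things a Windows admin ends up checking by hand: how big each event log is configured to be (and whether the total stays under the 300MB guidance for 32-bit hosts), whether the Security log is set to retain rather than overwrite (the setting behind the "security log is full" prompt Bill describes), and whether anyone has cleared the Security log, which is the scenario the MOM quote warns about. The script below is an added example, not something any of the posters provided. It assumes a Vista/2008 or later host where Get-WinEvent is available (the 2003-era boxes in the thread would need the older Event Log tools), and that it runs in an elevated PowerShell session. For reference, the settings Bill asks about live under Computer Configuration > Windows Settings > Security Settings > Event Log on 2000/XP/2003-style policies, and under Computer Configuration > Administrative Templates > Windows Components > Event Log Service on Vista and later; the registry key checked in step 2 is where the latter policy lands.

```powershell
# Added audit script (not from the thread). Assumptions: elevated PowerShell on
# a Vista/2008-or-later Windows host; Get-WinEvent -ListLog and Event ID 1102
# ("The audit log was cleared") are both available on such hosts.

$logs            = 'Application', 'System', 'Security'
$cumulativeLimit = 300MB   # the 32-bit ceiling Brian mentions in the thread
$lookbackDays    = 30

# 1. Configured vs. actual size and retention mode for each classic log.
$report = foreach ($name in $logs) {
    $cfg = Get-WinEvent -ListLog $name -ErrorAction Stop
    [pscustomobject]@{
        Log           = $name
        MaxSizeMB     = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        CurrentSizeMB = [math]::Round($cfg.FileSize / 1MB, 1)
        # Circular = "overwrite as necessary"; Retain = never overwrite, so the log can fill up
        Mode          = $cfg.LogMode
        IsFull        = $cfg.IsLogFull
    }
}
$report | Format-Table -AutoSize

$totalMB = ($report | Measure-Object -Property MaxSizeMB -Sum).Sum
if ($totalMB -gt ($cumulativeLimit / 1MB)) {
    Write-Warning "Configured log sizes total $totalMB MB, above the $($cumulativeLimit / 1MB) MB guidance for 32-bit hosts."
}
foreach ($row in ($report | Where-Object { $_.Mode -eq 'Retain' -or $_.IsFull })) {
    Write-Warning "$($row.Log): mode=$($row.Mode) full=$($row.IsFull). A full log in Retain mode is what produces the 'log is full' prompt."
}

# 2. Show the policy-applied value, if any, so a GPO setting can be told apart
#    from a local edit. Vista+ Event Log Service policies write here; an absent
#    key means no policy applies to the Security log on this host.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey | Select-Object MaxSize, Retention | Format-List
} else {
    Write-Output "No Event Log Service policy for the Security log found at $policyKey"
}

# 3. Detection: Event ID 1102 is written when the Security log is cleared.
#    Without central forwarding this entry is often the only trace left,
#    which is the point of the MOM/syslog quote in the thread.
$cleared = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 1102
    StartTime = (Get-Date).AddDays(-$lookbackDays)
} -ErrorAction SilentlyContinue

if ($cleared) {
    $cleared |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Output "No Security log clear (ID 1102) events in the last $lookbackDays days."
}
```

Note that step 3 only proves the local log still holds the entry; it says nothing about whether the same event reached a central collector, which is the gap Ken points at with UDP syslog. Running the same query against the central store (or checking the forwarder's own delivery log) is the corresponding check on that side.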