No idea - I think it just was struggling to keep up with what was probably hundreds and hundreds of events per second.
Thanks,
Brian Desmond
br...@briandesmond.com

c – 312.731.3132

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, June 04, 2010 2:23 PM
To: NT System Admin Issues
Subject: Re: GPO question

I've never had an issue with it. Was theirs current?

On Fri, Jun 4, 2010 at 11:59, Brian Desmond <br...@briandesmond.com> wrote:
> I was on a customer box the other day and the snare agent was using more CPU
> time than AD collecting the logs.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c – 312.731.3132
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, June 04, 2010 1:57 PM
> To: NT System Admin Issues
> Subject: Re: GPO question
>
> True - it uses UDP. But, for my smallish environment of about 40 servers and
> about 200 users in this site, it's "good enough" - mostly because the price
> is right. Essentially free. I use the open source Intersect Alliance Snare
> and Epilog clients and purchased the Kiwisoft syslog server years ago for
> about US$100 - the latter is installed on a spare workstation, and that and
> running an ancient copy of Servers Alive are its only jobs in life - I'm
> working on implementing Nagios in FreeBSD in my copious free time at work, so
> I'll probably get that implemented about the time the sun expires...
>
> Kurt
>
> On Fri, Jun 4, 2010 at 11:44, Ken Schaefer <k...@adopenstatic.com> wrote:
>> The only issue with syslog is that it can be unreliable. As you scale up, you
>> may find things are missing from your central syslog store, unless you have
>> a client on your servers that provides for guaranteed delivery of events.
>>
>> Cheers
>> Ken
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Saturday, 5 June 2010 2:32 AM
>> To: NT System Admin Issues
>> Subject: Re: GPO question
>>
>> A very key item:
>>
>> "Ideally, all specifically monitored events will be sent to a server by
>> using Microsoft Operations Manager (MOM) or some other automated monitoring
>> tool. This is particularly important because an attacker who successfully
>> compromises a server could clear the security log. If all events are sent to
>> a monitoring server, you will be able to gather post-incident forensic
>> information about the attacker’s activities."
>>
>> I happen to use a syslogging setup, but something that collects logs
>> centrally is incredibly useful.
>>
>> Kurt
>>
>> On Fri, Jun 4, 2010 at 10:58, Andrew S. Baker <asbz...@gmail.com> wrote:
>>> See:
>>> http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx
>>>
>>> -ASB: http://XeeSM.com/AndrewBaker
>>>
>>> On Fri, Jun 4, 2010 at 12:47 PM, David Lum <david....@nwea.org> wrote:
>>>> I usually run 128MB on the sec logs. What happens if cumulative is
>>>> over 300MB on a DC?
>>>>
>>>> Dave
>>>>
>>>> From: Brian Desmond [mailto:br...@briandesmond.com]
>>>> Sent: Friday, June 04, 2010 9:25 AM
>>>> To: NT System Admin Issues
>>>> Subject: RE: GPO question
>>>>
>>>> I usually go with around 150MB. Keep in mind that on a 32bit box
>>>> you want the cumulative size of all your event logs to be <=300MB.
>>>> You should size your app and system logs accordingly as well.
>>>>
>>>> Also note that the policy will not shrink logs if you have them
>>>> bigger than your new maximum.
>>>>
>>>> Thanks,
>>>> Brian Desmond
>>>> br...@briandesmond.com
>>>>
>>>> c – 312.731.3132
>>>>
>>>> From: Andrew S. Baker [mailto:asbz...@gmail.com]
>>>> Sent: Friday, June 04, 2010 10:35 AM
>>>> To: NT System Admin Issues
>>>> Subject: Re: GPO question
>>>>
>>>> You're going to want to make it larger than 512K, btw.
>>>>
>>>> 8MB or 16MB will be more useful numbers.
>>>>
>>>> -ASB: http://XeeSM.com/AndrewBaker
>>>>
>>>> On Fri, Jun 4, 2010 at 10:45 AM, Bill Lambert <blamb...@concuity.com> wrote:
>>>>
>>>> All my domain pc’s are displaying a message on the login window
>>>> that the security log is full and only an administrator can correct this.
>>>> I’m trying to find where the properties of the Event Viewer
>>>> security logs are set in GP. I think another admin has set this up
>>>> but I can’t find it. Can someone direct me to where these settings are?
>>>> I want to set it to 512kb and overwrite as necessary.
>>>>
>>>> Thanks in advance!
>>>>
>>>> Bill Lambert
>>>> Windows System Administrator
>>>> Concuity
>>>> Phone 847-941-9206
>>>> Fax 847-465-9147

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
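The thread raises three practical checks: what size and retention mode each log actually has (the "security log is full" symptom), whether the combined maximums exceed Brian's 300MB rule of thumb for 32-bit hosts, and where Group Policy has written the values so the GPO that set them can be located. The script below is an added example for this page, not code posted by anyone in the thread. It assumes Vista/2008 or later (Get-WinEvent), an elevated prompt (the Security log's size and record count are not readable otherwise), and that the two registry locations named in the comments are the ones the legacy Security Settings\Event Log policy and the newer Administrative Templates policy write to; the 300MB threshold is taken from Brian's message and is a parameter, not a documented limit.

```powershell
# Audit event log sizing, retention and policy source on the local machine.
# Added example; not part of the original mailing-list thread.
param(
    [string[]]$LogNames = @('Application', 'Security', 'System'),
    [int]$CumulativeLimitMB = 300   # Brian's 32-bit rule of thumb (assumption, not a documented limit)
)

# 1. Effective configuration of each log as the Event Log service sees it.
$logs = Get-WinEvent -ListLog $LogNames -ErrorAction Stop

$report = foreach ($log in $logs) {
    [pscustomobject]@{
        Log      = $log.LogName
        MaxMB    = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        OnDiskMB = [math]::Round($log.FileSize / 1MB, 1)   # null when not elevated
        # Circular = "overwrite as necessary"; Retain = never overwrite (what produces the
        # "security log is full" notice once the log fills); AutoBackup = archive when full
        Mode     = $log.LogMode
        IsFull   = $log.IsLogFull
        Records  = $log.RecordCount
    }
}
$report | Format-Table -AutoSize

foreach ($r in $report) {
    if ($r.Mode -eq 'Retain') {
        Write-Warning "$($r.Log): retention is 'do not overwrite'; the log will stop recording when full."
    }
    # Policy does not shrink an existing log below a new, smaller maximum, so a
    # log can sit on disk larger than its configured MaxMB until it is cleared.
    if ($r.OnDiskMB -gt $r.MaxMB) {
        Write-Warning "$($r.Log): on disk ($($r.OnDiskMB) MB) exceeds configured maximum ($($r.MaxMB) MB)."
    }
}

# 2. Cumulative size check (the limit in the thread applies to 32-bit hosts).
$sumMaxMB = ($logs | Measure-Object -Property MaximumSizeInBytes -Sum).Sum / 1MB
Write-Host ("Combined configured maximum: {0:N1} MB" -f $sumMaxMB)
if (-not [Environment]::Is64BitOperatingSystem -and $sumMaxMB -gt $CumulativeLimitMB) {
    Write-Warning "32-bit host: combined maximum $([math]::Round($sumMaxMB)) MB exceeds $CumulativeLimitMB MB."
}

# 3. Where Group Policy stores the Security log settings, so you can tell which
#    mechanism (and from there, via gpresult, which GPO) applied them.
$policyKeys = @(
    # Legacy Computer Configuration\Windows Settings\Security Settings\Event Log policy
    # (and local Event Viewer changes). MaxSize is bytes; Retention is seconds,
    # 0 = overwrite as needed, 0xFFFFFFFF = never overwrite.
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
    # Administrative Templates\Windows Components\Event Log Service\Security (Vista+).
    # MaxSize here is in KB; Retention/AutoBackupLogFiles control overwrite behaviour.
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
)
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object @{n='Key';e={$key}}, MaxSize, Retention, AutoBackupLogFiles |
            Format-List
    } else {
        Write-Host "$key : not present (no policy has written here)"
    }
}
# To name the winning GPO, run:  gpresult /h gpo.html   and search the report for "Event Log".
```

If the `Policies\...\EventLog\Security` key exists, an Administrative Templates setting in some GPO is enforcing the size and it will reapply at each refresh, which is why editing the log's properties in Event Viewer appears not to stick; fix it in the GPO that `gpresult` reports, not on the client.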