I'd forgotten about that one. I must evaluate it.

Kurt

On Fri, Jun 4, 2010 at 13:23, Andrew S. Baker <asbz...@gmail.com> wrote:
> I've seen that before. In fact, that's why I went with the EvtSys agent instead.
>
> http://code.google.com/p/eventlog-to-syslog/
> Formerly: https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/
>
> -ASB: http://XeeSM.com/AndrewBaker
>
>
> On Fri, Jun 4, 2010 at 3:23 PM, Brian Desmond <br...@briandesmond.com> wrote:
>>
>> No idea - I think it just was struggling to keep up with what was probably
>> hundreds and hundreds of events per second.
>>
>> Thanks,
>> Brian Desmond
>> br...@briandesmond.com
>>
>> c - 312.731.3132
>>
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Friday, June 04, 2010 2:23 PM
>> To: NT System Admin Issues
>> Subject: Re: GPO question
>>
>> I've never had an issue with it.
>>
>> Was theirs current?
>>
>> On Fri, Jun 4, 2010 at 11:59, Brian Desmond <br...@briandesmond.com> wrote:
>> > I was on a customer box the other day and the Snare agent was using more
>> > CPU time than AD collecting the logs.
>> >
>> > Thanks,
>> > Brian Desmond
>> > br...@briandesmond.com
>> >
>> > c - 312.731.3132
>> >
>> > -----Original Message-----
>> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> > Sent: Friday, June 04, 2010 1:57 PM
>> > To: NT System Admin Issues
>> > Subject: Re: GPO question
>> >
>> > True - it uses UDP. But, for my smallish environment of about 40 servers
>> > and about 200 users in this site, it's "good enough" - mostly because the
>> > price is right. Essentially free. I use the open source Intersect Alliance
>> > Snare and Epilog clients and purchased the Kiwisoft syslog server years ago
>> > for about US$100 - the latter is installed on a spare workstation, and
>> > that and running an ancient copy of Servers Alive are its only jobs in
>> > life - I'm working on implementing Nagios in FreeBSD in my copious free
>> > time at work, so I'll probably get that implemented about the time the sun
>> > expires...
>> >
>> > Kurt
>> >
>> > On Fri, Jun 4, 2010 at 11:44, Ken Schaefer <k...@adopenstatic.com> wrote:
>> >> The only issue with syslog is that it can be unreliable. As you scale up,
>> >> you may find things are missing from your central syslog store, unless you
>> >> have a client on your servers that provides for guaranteed delivery of
>> >> events.
>> >>
>> >> Cheers
>> >> Ken
>> >>
>> >> -----Original Message-----
>> >> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> >> Sent: Saturday, 5 June 2010 2:32 AM
>> >> To: NT System Admin Issues
>> >> Subject: Re: GPO question
>> >>
>> >> A very key item:
>> >>
>> >> "Ideally, all specifically monitored events will be sent to a server by
>> >> using Microsoft Operations Manager (MOM) or some other automated monitoring
>> >> tool. This is particularly important because an attacker who successfully
>> >> compromises a server could clear the security log. If all events are sent
>> >> to a monitoring server, you will be able to gather post-incident forensic
>> >> information about the attacker's activities."
>> >>
>> >> I happen to use a syslogging setup, but something that collects logs
>> >> centrally is incredibly useful.
>> >>
>> >> Kurt
>> >>
>> >> On Fri, Jun 4, 2010 at 10:58, Andrew S. Baker <asbz...@gmail.com> wrote:
>> >>> See:
>> >>> http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx
>> >>>
>> >>> -ASB: http://XeeSM.com/AndrewBaker
>> >>>
>> >>>
>> >>> On Fri, Jun 4, 2010 at 12:47 PM, David Lum <david....@nwea.org> wrote:
>> >>>>
>> >>>> I usually run 128MB on the sec logs. What happens if cumulative is
>> >>>> over 300MB on a DC?
>> >>>>
>> >>>> Dave
>> >>>>
>> >>>> From: Brian Desmond [mailto:br...@briandesmond.com]
>> >>>> Sent: Friday, June 04, 2010 9:25 AM
>> >>>> To: NT System Admin Issues
>> >>>> Subject: RE: GPO question
>> >>>>
>> >>>> I usually go with around 150MB. Keep in mind that on a 32-bit box
>> >>>> you want the cumulative size of all your event logs to be <=300MB.
>> >>>> You should size your app and system logs accordingly as well.
>> >>>>
>> >>>> Also note that the policy will not shrink logs if you have them
>> >>>> bigger than your new maximum.
>> >>>>
>> >>>> Thanks,
>> >>>> Brian Desmond
>> >>>> br...@briandesmond.com
>> >>>>
>> >>>> c - 312.731.3132
>> >>>>
>> >>>> From: Andrew S. Baker [mailto:asbz...@gmail.com]
>> >>>> Sent: Friday, June 04, 2010 10:35 AM
>> >>>> To: NT System Admin Issues
>> >>>> Subject: Re: GPO question
>> >>>>
>> >>>> You're going to want to make it larger than 512K, btw.
>> >>>>
>> >>>> 8MB or 16MB will be more useful numbers.
>> >>>>
>> >>>> -ASB: http://XeeSM.com/AndrewBaker
>> >>>>
>> >>>> On Fri, Jun 4, 2010 at 10:45 AM, Bill Lambert <blamb...@concuity.com> wrote:
>> >>>>
>> >>>> All my domain PCs are displaying a message on the login window
>> >>>> that the security log is full and only an administrator can correct
>> >>>> this. I'm trying to find where the properties of the Event Viewer
>> >>>> security logs are set in GP. I think another admin has set this up
>> >>>> but I can't find it. Can someone direct me to where these settings
>> >>>> are? I want to set it to 512kb and overwrite as necessary.
>> >>>>
>> >>>> Thanks in advance!
>> >>>>
>> >>>> Bill Lambert
>> >>>> Windows System Administrator
>> >>>> Concuity
>> >>>> Phone 847-941-9206
>> >>>> Fax 847-465-9147
>> >>>
>> >>
>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
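The thread touches three checks a Windows admin actually wants to run before and after pushing an event log GPO: what each log's maximum size and retention mode is right now (Bill's "security log is full" banner is the "do not overwrite" retention mode doing its job), whether the maxima add up to more than the 300MB cumulative ceiling Brian cites for 32-bit hosts, and whether the live file is already larger than the new maximum, since, as Brian notes, the policy will not shrink it. The script below is an added example written for this page, not code from the thread or from any of the tools named in it. It assumes Get-WinEvent is available (PowerShell 2.0 or later on Vista / Server 2008 or later; on a 2003 DC you would fall back to Get-EventLog -List and event ID 517), that the account running it has remote event log access on the targets, and that the DC names in the usage block are placeholders. The 300MB figure is taken from Brian's post as a rule of thumb, not something the script verifies. Security event 1102 ("The audit log was cleared") is Microsoft's event ID for exactly the action the quoted MOM guidance warns about; finding it on the host with nothing before it is the situation central collection exists to survive. For reference, the settings Bill is looking for live under Computer Configuration\Windows Settings\Security Settings\Event Log on 2003-era policies and under Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security on Vista/2008 and later.

```powershell
# Added example, not from the thread: audit event log sizing and retention on
# one or more hosts, check the cumulative maximum against the 32-bit rule of
# thumb quoted above, and look for Security event 1102 (audit log cleared).
# Requires Get-WinEvent (PowerShell 2.0+, Vista / Server 2008 or later).

function Get-EventLogSizing {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [string[]] $LogName      = @('Application', 'Security', 'System')
    )
    $props = @(
        @{ n = 'Computer';    e = { $ComputerName } },
        @{ n = 'Log';         e = { $_.LogName } },
        # LogMode: Circular = "overwrite events as needed"; Retain = "do not
        # overwrite", which produces the "security log is full" logon banner
        # once the Security log fills; AutoBackup = archive when full.
        @{ n = 'Mode';        e = { $_.LogMode } },
        @{ n = 'MaxBytes';    e = { $_.MaximumSizeInBytes } },
        @{ n = 'MaxMB';       e = { [math]::Round($_.MaximumSizeInBytes / 1MB, 1) } },
        @{ n = 'FileMB';      e = { [math]::Round($_.FileSize / 1MB, 1) } },
        # A file larger than its configured maximum is the case Brian describes:
        # lowering MaxSize by policy does not shrink an existing log file.
        @{ n = 'FileOverMax'; e = { $_.FileSize -gt $_.MaximumSizeInBytes } }
    )
    foreach ($name in $LogName) {
        Get-WinEvent -ListLog $name -ComputerName $ComputerName -ErrorAction Stop |
            Select-Object -Property $props
    }
}

function Test-CumulativeEventLogSize {
    param(
        [object[]] $Sizing,
        # 300MB is the 32-bit ceiling Brian gives in the thread; it is his rule
        # of thumb, not something this function derives or verifies.
        [int64]    $LimitBytes = 300MB
    )
    $computer = $Sizing[0].Computer
    $total    = ($Sizing | Measure-Object -Property MaxBytes -Sum).Sum
    # OSArchitecture exists on Vista/2008+; on older hosts it is null, which
    # falls through to "treat as 32-bit", the conservative choice here.
    $arch  = (Get-WmiObject Win32_OperatingSystem -ComputerName $computer).OSArchitecture
    $is64  = ($arch -like '64*')
    New-Object PSObject -Property @{
        Computer   = $computer
        TotalMaxMB = [math]::Round($total / 1MB, 1)
        Is64Bit    = $is64
        OverLimit  = ((-not $is64) -and ($total -gt $LimitBytes))
    }
}

function Get-AuditLogClearedEvents {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Days         = 30
    )
    # Security event 1102, "The audit log was cleared", is the trace left on a
    # box after someone wipes the log. With forwarding in place, the events
    # that preceded it still exist on the collector even though the local
    # copy is gone; that is the point of the MOM guidance quoted above.
    $filter = @{
        LogName   = 'Security'
        Id        = 1102
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName,
            @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: run against the DCs (placeholder names) and eyeball the three checks.
foreach ($dc in 'DC01', 'DC02') {
    $sizing = Get-EventLogSizing -ComputerName $dc
    $sizing | Format-Table Computer, Log, Mode, MaxMB, FileMB, FileOverMax -AutoSize
    Test-CumulativeEventLogSize -Sizing $sizing | Format-List
    Get-AuditLogClearedEvents -ComputerName $dc -Days 30 | Format-Table -AutoSize
}
```

Remote queries need the "Remote Event Log Management" firewall group enabled on the targets and an account with read access to the Security log. A row with FileOverMax set to True after the GPO has applied is expected, not a policy failure; the file only shrinks once the log is cleared (ideally after it has been exported or forwarded), which is also when you should expect one 1102 event of your own making to appear.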