Care to elaborate on that a bit? What about the complication makes syslog a poor choice for you? Is it line length limitations, sheer volume, client software management or something else?
Kurt

On Fri, Jul 30, 2010 at 13:40, Free, Bob <r...@pge.com> wrote:
> Yea, we have a grid of LogLogic appliances, they are quite cool for pure
> syslog from the *NIX boxes, IDS, routers, switches, firewalls etc.
>
> Managing agents on thousands of Windows systems is another story and a major
> PITA on all the implementations I've seen. Syslog is cool for what it was
> originally designed for but it is going to be hard to convince me it is an
> enterprise solution for Windows security logs, the myriad auditing options
> and the data they contain. Heck, it was unmanageable with the W2K* audit
> framework, the new one in 2K8 is an order of magnitude more complicated.
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Friday, July 30, 2010 12:08 PM
> To: NT System Admin Issues
> Subject: Re: Auditing in Windows 2008 and R2 what are folks doing?
>
> The systems I've seen described don't depend on a single syslog server
> - it's usually a set of them, and the data is aggregated to a central
> repository.
>
> Mind you, I've not worked in a large scale environment, but discussion
> on lists like the one at loganalysis.org has been interesting.
>
> On Fri, Jul 30, 2010 at 07:34, Free, Bob <r...@pge.com> wrote:
>> They still don't scale....
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Thursday, July 29, 2010 9:26 AM
>> To: NT System Admin Issues
>> Subject: Re: Auditing in Windows 2008 and R2 what are folks doing?
>>
>> There are TCP syslog options.
>>
>> On Thu, Jul 29, 2010 at 01:50, Ken Schaefer <k...@adopenstatic.com> wrote:
>>> We are implementing this in an even bigger environment. However syslog runs
>>> over UDP (natively) and it’s not reliable. You’d need to use software that
>>> gives you more reliability (e.g. by sending the traffic over TCP) if you
>>> need this to produce reliable log files centrally.
>>>
>>> Cheers
>>>
>>> Ken
>>>
>>> From: Ziots, Edward [mailto:ezi...@lifespan.org]
>>> Sent: Thursday, 29 July 2010 3:50 AM
>>> To: NT System Admin Issues
>>> Subject: RE: Auditing in Windows 2008 and R2 what are folks doing?
>>>
>>> 800+ servers to a syslog? Plus going to have to put agents on every single
>>> server in the domain? Really haven’t used Syslog much for the windows event
>>> logging
>>>
>>> Z
>>>
>>> Edward E. Ziots
>>> CISSP, Network +, Security +
>>> Network Engineer
>>> Lifespan Organization
>>> Email:ezi...@lifespan.org
>>> Cell:401-639-3505
>>>
>>> From: Andrew S. Baker [mailto:asbz...@gmail.com]
>>> Sent: Wednesday, July 28, 2010 3:48 PM
>>> To: NT System Admin Issues
>>> Subject: Re: Auditing in Windows 2008 and R2 what are folks doing?
>>>
>>> EventCombMT still works... :)
>>>
>>> Why not export all the logs to SysLog, and spend a few tiny dollars on
>>> searching those logs?
>>>
>>> Syslog servers are cheap/free.
>>> Syslog forwarders for Windows are cheap/free.
>>> Tools to search consolidated logs range from free to exorbitant. See
>>> Splunk on both accounts. :)
>>>
>>> Once you have established the value of log parsing and management, you'll
>>> have a slightly better chance of procuring some funds.
>>>
>>> -ASB: http://XeeSM.com/AndrewBaker
>>>
>>> On Wed, Jul 28, 2010 at 3:38 PM, Ziots, Edward <ezi...@lifespan.org> wrote:
>>>
>>> Naa, it's far harder than that, I think someone said we can dump the event
>>> logs via powershell, but using EventCombMT when I need to get something I
>>> hope still works. Either that or I am going to have to bug MGMT again about
>>> a dedicated eventlog management tool.
>>>
>>> Z
>>>
>>> Edward E. Ziots
>>> CISSP, Network +, Security +
>>> Network Engineer
>>> Lifespan Organization
>>> Email:ezi...@lifespan.org
>>> Cell:401-639-3505
>>>
>>> From: James Rankin [mailto:kz2...@googlemail.com]
>>> Sent: Wednesday, July 28, 2010 3:36 PM
>>> To: NT System Admin Issues
>>> Subject: Re: Auditing in Windows 2008 and R2 what are folks doing?
>>>
>>> Tough gig then. Looks like you're going to be doing a lot of creative stuff
>>> with dumpel.exe and the findstr command :-)
>>>
>>> On 28 July 2010 13:06, Ziots, Edward <ezi...@lifespan.org> wrote:
>>>
>>> I don’t have SCOM, I wish I had some event log auditing solution, been
>>> asking for 5+ yrs, and all it ever falls on is deaf ears….
>>>
>>> Z
>>>
>>> Edward E. Ziots
>>> CISSP, Network +, Security +
>>> Network Engineer
>>> Lifespan Organization
>>> Email:ezi...@lifespan.org
>>> Cell:401-639-3505
>>>
>>> From: Malcolm Reitz [mailto:malcolm.re...@live.com]
>>> Sent: Tuesday, July 27, 2010 6:29 PM
>>> To: NT System Admin Issues
>>> Subject: RE: Auditing in Windows 2008 and R2 what are folks doing?
>>>
>>> Have you looked in to using the Audit Collection Services piece of SCOM? I
>>> think ACS could be valuable for security event reporting and forensics use.
>>>
>>> -Malcolm
>>>
>>> From: James Rankin [mailto:kz2...@googlemail.com]
>>> Sent: Tuesday, July 27, 2010 15:41
>>> To: NT System Admin Issues
>>> Subject: Re: Auditing in Windows 2008 and R2 what are folks doing?
>>>
>>> I'm mainly interested in account lockouts, logons attempted under things
>>> like built-in administrator accounts, high numbers of logon failures, and
>>> any attempts to modify security policies and/or protected groups (such as
>>> local admins, domain admins, server ops, and the like). We've also got
>>> certain areas where file access is audited.
>>>
>>> I use SCOM to try and aggregate the events for me. This is quite handy, as
>>> it also monitors things like failed su to root on our ESX servers and other
>>> stuff outside of the Windows event logging arena.
>>>
>>> On 27 July 2010 20:15, Ziots, Edward <ezi...@lifespan.org> wrote:
>>>
>>> Hey gang, well I wanted to ask the group, what is everyone doing about their
>>> audit policies on Windows 2008 R2 for domain controllers or member servers.
>>>
>>> I have mapped out all the audit categories and sub-categories, and events,
>>> but I don’t want the logs to turn into soup, so kinda wanted to see what
>>> others were doing for which categories and subcategories they turned on
>>> auditing for. Would be nice to bounce some ideas off about certain events.
>>> (Already plowed through M$ site descriptions, the Microsoft Security Resource
>>> Kit and Randy Franklin Smith’s Eventlog site)
>>>
>>> Feel free to post here, or if you like catch me offline, love to hear the
>>> feedback. After this it's on to Firewall rules accordingly for the servers
>>> and either scripting or GPOing that out for a baseline.
>>>
>>> Z
>>>
>>> Edward E. Ziots
>>> CISSP, Network +, Security +
>>> Network Engineer
>>> Lifespan Organization
>>> Email:ezi...@lifespan.org
>>> Cell:401-639-3505
>>>
>>> --
>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>>> the machine wrong figures, will the right answers come out?' I am not able
>>> rightly to apprehend the kind of confusion of ideas that could provoke such
>>> a question."

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
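The event classes James Rankin lists in the thread (lockouts, logons as the built-in Administrator, high logon-failure counts, audit-policy and protected-group changes) can be pulled straight from the Security log with Get-WinEvent, which is one way to do the "dump the event logs via powershell" idea without an agent. This is an added example, not code from anyone on the list; the 24-hour window and the failure threshold of 10 are assumptions.

```powershell
# Added example, not from the thread: sweep the Security log for the event
# classes James Rankin listed. Needs Windows Server 2008+ and an elevated
# PowerShell 2.0+ session; add -ComputerName to Get-WinEvent for a remote box.
param(
    [int]$Hours = 24,             # assumed lookback window
    [int]$FailureThreshold = 10   # assumed: flag an account at this many failed logons
)
$since = (Get-Date).AddHours(-$Hours)
# Windows Server 2008 Security-log event IDs for the categories of interest
$watch = @{
    4740 = 'ACCOUNT LOCKED OUT'
    4625 = 'LOGON FAILURE'
    4624 = 'LOGON SUCCESS'
    4719 = 'AUDIT POLICY CHANGED'
    4728 = 'MEMBER ADDED TO GLOBAL GROUP'
    4732 = 'MEMBER ADDED TO LOCAL GROUP'
    4756 = 'MEMBER ADDED TO UNIVERSAL GROUP'
}

# Read a named EventData field from the event XML rather than relying on
# positional Properties[] indexes, which differ between event IDs.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = @($watch.Keys); StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    switch ($e.Id) {
        4624 {
            # RID 500 is the built-in Administrator even if the account was renamed
            if ((Get-EventField $e 'TargetUserSid') -like '*-500') {
                "BUILT-IN ADMIN LOGON $($e.TimeCreated) from $(Get-EventField $e 'IpAddress')"
            }
        }
        4625 { }   # counted in bulk below
        default {
            "$($watch[$e.Id]) $($e.TimeCreated) target=$(Get-EventField $e 'TargetUserName') by=$(Get-EventField $e 'SubjectUserName')"
        }
    }
}

# High numbers of logon failures, grouped by the account being tried
$events | Where-Object { $_.Id -eq 4625 } |
    Group-Object { Get-EventField $_ 'TargetUserName' } |
    Where-Object { $_.Count -ge $FailureThreshold } |
    ForEach-Object { "LOGON FAILURES $($_.Count) for '$($_.Name)' since $since" }
```

The IDs only fire for subcategories that are actually enabled (Account Lockout, Logon, Audit Policy Change, Security Group Management), so check the effective policy with `auditpol /get /category:*` on the server before trusting an empty result.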