Re: [PLUG] Speaking of [Windows] monitoring
|
> Date: Mon, 31 Mar 2008 10:19:01 -0400
> From: jeff <jeffv@op.net>
> Subject: [PLUG] Speaking of network monitoring......
>
> I'm short one log viewer/analyzer. As the servers are Windows, I'm
> having a bit of difficulty finding acceptable solutions. I'm looking
> at either platform for the monitor, but prefer linux. The Win
> solutions start around $2k, which seems silly. The lin programs seem
> to want to convert to syslog and go from there.
It's a complex problem, not only because Windows reports the same basic
thing in tens and sometimes hundreds of slightly different Event Log
messages, but also because those same messages change with every new
version of Windows. It's a ludicrous nightmare for anyone trying to keep
up with it, which my company does, though fortunately I'm mostly on the
periphery of it.
You can pay $$$ for someone else to do all the work, e.g. outsourced
monitoring from BT Counterpane (where I work) or some product that can
somewhat normalize, like ArcSight, LogLogic, Skybox, and many others.
Naturally I think outsourced monitoring is best [1], but none of that is
terribly cheap.
Or you can go a more do-it-yourself route in a number of ways. If you
are familiar with the excellent logcheck method/tool, I ported that to
Windows a number of years ago. It's an ugly, ugly hack, but:
http://www.jpsdomain.org/windows/winlogcheck.html
Or you can grab the free
http://www.intersectalliance.com/projects/SnareWindows/ and send
EventLogs to a central syslog server and do your logcheck there.
Windows Event Log messages are surpassingly ugly and verbose in
flat-text syslog though (as it sounds like you've already noticed). And
note that turning on too much Windows auditing can easily DoS the
Windows box or the network, or both.
Good luck; you'll need it. :-)
JP
[1] As Bruce says, you don't pay a firefighter to sit on your couch in
case you have a fire; you want someone who deals with the problem
every day, not someone who shows up and says, "Oh, a fire, I've read
about those..."
----------------------------|:::======|-------------------------------
JP Vossen, CISSP |:::======| jp{at}jpsdomain{dot}org
My Account, My Opinions |=========| http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
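The "Snare to central syslog, then logcheck" route JP sketches above, as an added example that is not part of the original post and not code from logcheck, winlogcheck or Snare. It parses Snare-style tab-delimited EventLog lines, keys the ignore/violation rules on Event ID plus log and audit type rather than on the verbose description text (so rules survive wording changes between Windows versions), and does a crude per-host flood count as a check on the "too much auditing can DoS the box or the network" caveat. The field order assumed for Snare's output, the hosts, users and log lines, the pre-Vista Security-log Event IDs in the rules, and the flood threshold are all assumptions constructed for this example.

```python
#!/usr/bin/env python3
"""logcheck-style triage of Windows EventLog lines relayed by Snare to syslog.

Added example, not from the post or from logcheck/winlogcheck/Snare.
Rules match a compact normalized form (host, log, Event ID, audit type,
user, description) rather than the raw verbose text.
"""
import re
from collections import Counter

# Constructed sample lines (hypothetical hosts and users). Snare writes
# "<host> MSWinEventLog" followed by tab-separated fields; the order used
# here (criticality, log, counter, time, Event ID, source, user, SID type,
# audit type, computer, category, data, description, counter) is an
# ASSUMPTION about Snare's layout, not something the post states.
SAMPLE_LINES = [
    "Mar 31 10:19:01 dc01 MSWinEventLog\t1\tSecurity\t1201\tMon Mar 31 10:19:01 2008\t528\tSecurity\tCORP\\alice\tUser\tSuccess Audit\tDC01\tLogon/Logoff\t\tSuccessful Logon: User Name: alice Domain: CORP Logon Type: 2\t1200",
    "Mar 31 10:19:05 dc01 MSWinEventLog\t1\tSecurity\t1202\tMon Mar 31 10:19:05 2008\t529\tSecurity\tCORP\\bob\tUser\tFailure Audit\tDC01\tLogon/Logoff\t\tLogon Failure: Reason: Unknown user name or bad password User Name: bob Workstation Name: WS17\t1201",
    "Mar 31 10:19:09 dc01 MSWinEventLog\t1\tSecurity\t1203\tMon Mar 31 10:19:09 2008\t538\tSecurity\tCORP\\alice\tUser\tSuccess Audit\tDC01\tLogon/Logoff\t\tUser Logoff: User Name: alice Domain: CORP Logon Type: 2\t1202",
    "Mar 31 10:20:12 dc01 MSWinEventLog\t1\tSecurity\t1204\tMon Mar 31 10:20:12 2008\t624\tSecurity\tCORP\\bob\tUser\tSuccess Audit\tDC01\tAccount Management\t\tUser Account Created: New Account Name: svc-backup Caller User Name: bob\t1203",
    "Mar 31 10:20:15 fs02 MSWinEventLog\t1\tSystem\t88\tMon Mar 31 10:20:15 2008\t7036\tService Control Manager\tN/A\tN/A\tInformation\tFS02\tNone\t\tThe Print Spooler service entered the running state.\t87",
]
# A burst of object-access audits (Event ID 560) from one file server, the
# kind of flood you get when object auditing is switched on too broadly.
FLOOD_TEMPLATE = ("Mar 31 10:21:{0:02d} fs02 MSWinEventLog\t1\tSecurity\t{1}\tMon Mar 31 10:21:{0:02d} 2008"
                  "\t560\tSecurity\tCORP\\carol\tUser\tSuccess Audit\tFS02\tObject Access\t\t"
                  "Object Open: Object Type: File Object Name: C:\\share\\doc{1}.txt\t{1}")
SAMPLE_LINES += [FLOOD_TEMPLATE.format(i % 60, 2000 + i) for i in range(50)]

SNARE_RE = re.compile(r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) MSWinEventLog\t(?P<rest>.*)$")


def parse_snare(line):
    """Return a dict of the fields we key on, or None for non-Snare lines."""
    m = SNARE_RE.match(line)
    if not m:
        return None
    f = m.group("rest").split("\t")
    if len(f) < 14:
        return None
    return {"host": m.group("host"), "log": f[1], "event_id": f[4],
            "source": f[5], "user": f[6], "audit": f[8], "computer": f[9],
            "category": f[10], "description": f[12]}


def normalize(ev):
    """Compact, stable line for the regexes: ID and audit type come first,
    the verbose (and version-dependent) description last."""
    desc = " ".join(ev["description"].split())
    return f'{ev["host"]} {ev["log"]} {ev["event_id"]} {ev["audit"]} {ev["user"]}: {desc}'


# logcheck convention: VIOLATION matches are always reported, IGNORE matches
# are dropped, and everything else is reported as "unexpected" so the ignore
# list can be tuned. IDs are the pre-Vista (NT/2000/2003) Security log numbers.
VIOLATION_PATTERNS = [
    re.compile(r" Security 529 Failure Audit "),  # logon failure
    re.compile(r" Security 539 Failure Audit "),  # account locked out
    re.compile(r" Security 624 Success Audit "),  # user account created
    re.compile(r" Security 632 Success Audit "),  # member added to global group
]
IGNORE_PATTERNS = [
    re.compile(r" Security (528|540|538) Success Audit "),  # routine logon/logoff
    re.compile(r" System 7036 Information N/A: The .* service entered the (running|stopped) state\.$"),
]
FLOOD_THRESHOLD = 20  # events per host per batch; arbitrary value for the demo


def logcheck(lines, flood_threshold=FLOOD_THRESHOLD):
    """Classify a batch of syslog lines; returns lists plus per-host flood info."""
    violations, unexpected, unparsed = [], [], []
    per_host, unexpected_by_event = Counter(), Counter()
    for line in lines:
        ev = parse_snare(line)
        if ev is None:
            unparsed.append(line)
            continue
        per_host[ev["host"]] += 1
        norm = normalize(ev)
        if any(p.search(norm) for p in VIOLATION_PATTERNS):
            violations.append(norm)
        elif not any(p.search(norm) for p in IGNORE_PATTERNS):
            unexpected.append(norm)
            unexpected_by_event[f'{ev["host"]} {ev["log"]} {ev["event_id"]}'] += 1
    floods = {h: n for h, n in per_host.items() if n > flood_threshold}
    return {"violations": violations, "unexpected": unexpected, "unparsed": unparsed,
            "unexpected_by_event": dict(unexpected_by_event), "floods": floods}


if __name__ == "__main__":
    result = logcheck(SAMPLE_LINES)
    print("VIOLATIONS:")
    for v in result["violations"]:
        print("  " + v)
    print("UNEXPECTED (grouped by host/log/Event ID):")
    for key, n in result["unexpected_by_event"].items():
        print(f"  {n:5d}  {key}")
    print("FLOODING HOSTS:", result["floods"])
```

The grouped "unexpected" summary is where the tuning happens in practice: a line like `fs02 Security 560` with a large count either gets an ignore rule or, better, gets the object-access audit policy on that host narrowed, since every one of those events also crossed the wire as syslog.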
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug