JP Vossen on 31 Mar 2008 12:25:56 -0700

> Date: Mon, 31 Mar 2008 10:19:01 -0400
> From: jeff <jeffv@op.net>
> Subject: [PLUG] Speaking of network monitoring......
>
> I'm short one log viewer/analyzer. As the servers are Windows, I'm
> having a bit of difficulty finding acceptable solutions. I'm looking
> at either platform for the monitor, but prefer linux. The Win
> solutions start around $2k, which seems silly. The lin programs seem
> to want to convert to syslog and go from there.

It's a complex problem not only because Windows reports the same basic thing in tens and sometimes hundreds of slightly different Event Log messages, but those same messages change with every new version of Windows. It's a ludicrous nightmare for anyone trying to keep up with, which my company does, though fortunately I'm mostly on the periphery of it.

You can pay $$$ for someone else to do all the work, e.g. outsourced monitoring from BT Counterpane (where I work) or some product that can somewhat normalize, like ArcSight, LogLogic, Skybox, and many others. Naturally I think outsourced monitoring is best [1], but none of that is terribly cheap.

Or you can go a more do-it-yourself route in a number of ways. If you are familiar with the excellent logcheck method/tool, I ported that to Windows a number of years ago. It's an ugly, ugly hack, but:
http://www.jpsdomain.org/windows/winlogcheck.html

Or you can grab the free http://www.intersectalliance.com/projects/SnareWindows/ and send EventLogs to a central syslog server and do your logcheck there. Windows Event Log messages are surpassingly ugly and verbose in flat-text syslog though (as it sounds like you've already noticed).

And note that turning on too much Windows auditing can easily DoS the Windows box or the network, or both.

Good luck; you'll need it, :-)

JP

[1] As Bruce says, you don't pay a firefighter to sit on your couch in case you have a fire; you want someone who deals with the problem every day, not someone who shows up and says, "Oh a fire, I've read about those..."

----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.

___________________________________________________________________________
Philadelphia Linux Users Group         --      http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
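As an added example (not from JP's post, logcheck, or Snare), the following Python sketch shows the "send EventLogs to syslog and do your logcheck there" approach: collapse the version-specific event IDs into one class first, then apply logcheck-style ignore regexes to the normalized form so one rule covers every Windows generation. The Snare-like tab-separated field layout, the host and user names, and the sample records are constructed assumptions; the event ID meanings (528/540/4624 logon success, 529/4625 logon failure, 538/4634 logoff) are the standard Windows Security log IDs.

```python
import re
from collections import Counter

# Constructed sample records in an assumed Snare-like tab-separated layout:
# syslog header, 'MSWinEventLog', criticality, log, counter, event id,
# source, user, audit type, message. Not captured from a real host.
SAMPLE_LINES = [
    "Mar 31 10:19:01 winsrv1 MSWinEventLog\t1\tSecurity\t1001\t529\tSecurity\tjsmith\tFailure Audit\tLogon Failure: Unknown user name or bad password",
    "Mar 31 10:19:02 winsrv2 MSWinEventLog\t1\tSecurity\t2002\t4625\tMicrosoft-Windows-Security-Auditing\tjsmith\tFailure Audit\tAn account failed to log on",
    "Mar 31 10:19:03 winsrv1 MSWinEventLog\t1\tSecurity\t1002\t528\tSecurity\tbackupsvc\tSuccess Audit\tSuccessful Logon",
    "Mar 31 10:19:04 winsrv1 MSWinEventLog\t1\tSecurity\t1003\t538\tSecurity\tbackupsvc\tSuccess Audit\tUser Logoff",
    "Mar 31 10:19:05 winsrv2 MSWinEventLog\t1\tSecurity\t2003\t4624\tMicrosoft-Windows-Security-Auditing\tadmin\tSuccess Audit\tAn account was successfully logged on",
    "Mar 31 10:19:06 winsrv2 MSWinEventLog\t1\tSecurity\t2004\t7777\tMicrosoft-Windows-Security-Auditing\tadmin\tSuccess Audit\tSomething new in this Windows version",
]

# The same basic event under different IDs on NT/2000/2003 versus Vista/2008+.
EVENT_CLASS = {
    "528": "logon_success", "540": "logon_success", "4624": "logon_success",
    "529": "logon_failure", "4625": "logon_failure",
    "538": "logoff", "4634": "logoff",
}

# logcheck-style ignore rules, written against the normalized form.
IGNORE = [re.compile(p) for p in (
    r"class=logoff ",
    r"host=winsrv1 class=logon_success user=backupsvc$",
)]

def parse_snare(line):
    """Split a Snare-style line into the fields the checker needs (assumed layout)."""
    header, _, rest = line.partition("MSWinEventLog\t")
    host = header.split()[3]
    f = rest.split("\t")  # 0 crit, 1 log, 2 counter, 3 event id, 4 source, 5 user, 6 type, 7 msg
    return {"host": host, "event_id": f[3], "user": f[5], "message": f[7]}

def normalize(line):
    """Collapse version-specific event IDs into one canonical one-line form."""
    ev = parse_snare(line)
    cls = EVENT_CLASS.get(ev["event_id"], "unknown:" + ev["event_id"])
    return "host=%s class=%s user=%s" % (ev["host"], cls, ev["user"])

def triage(lines):
    """Return (alerts, ignored); anything no ignore rule matches is reported, as in logcheck."""
    alerts, ignored = [], []
    for line in lines:
        norm = normalize(line)
        (ignored if any(p.search(norm) for p in IGNORE) else alerts).append(norm)
    return alerts, ignored

def alert_counts(lines):
    """Count alerts per class, so 529 and 4625 roll up together."""
    return Counter(n.split()[1].split("=", 1)[1] for n in triage(lines)[0])

if __name__ == "__main__":
    for n in triage(SAMPLE_LINES)[0]:
        print(n)
```

Unknown IDs deliberately stay in the report, which is how new message variants from a fresh Windows release get noticed and added to the map or to the ignore rules.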