JP Vossen on 31 Mar 2008 12:25:56 -0700


Re: [PLUG] Speaking of [Windows] monitoring


> Date: Mon, 31 Mar 2008 10:19:01 -0400
> From: jeff <jeffv@op.net>
> Subject: [PLUG] Speaking of network monitoring......
>
> I'm short one log viewer/analyzer. As the servers are Windows, I'm
> having a bit of difficulty finding acceptable solutions. I'm looking
> at either platform for the monitor, but prefer linux. The Win
> solutions start around $2k, which seems silly. The lin programs seem
> to want to convert to syslog and go from there.

It's a complex problem not only because Windows reports the same basic 
thing in tens and sometimes hundreds of slightly different Event Log 
messages, but those same messages change with every new version of 
Windows.  It's a ludicrous nightmare for anyone trying to keep up with it, 
which my company does, though fortunately I'm mostly on the periphery of it.

You can pay $$$ for someone else to do all the work, e.g. outsourced 
monitoring from BT Counterpane (where I work) or some product that can 
somewhat normalize, like ArcSight, LogLogic, Skybox, and many others. 
Naturally I think outsourced monitoring is best [1], but none of that is 
terribly cheap.

Or you can go a more do-it-yourself route in a number of ways.  If you 
are familiar with the excellent logcheck method/tool, I ported that to 
Windows a number of years ago.  It's an ugly, ugly hack, but: 
http://www.jpsdomain.org/windows/winlogcheck.html

Or you can grab the free 
http://www.intersectalliance.com/projects/SnareWindows/ and send 
EventLogs to a central syslog server and do your logcheck there. 
Windows Event Log messages are surpassingly ugly and verbose in 
flat-text syslog though (as it sounds like you've already noticed).  And 
note that turning on too much Windows auditing can easily DoS the 
Windows box or the network, or both.

Good luck; you'll need it, :-)
JP

[1] As Bruce says, you don't pay a firefighter to sit on your couch in 
case you have a fire; you want someone who deals with the problem 
every day, not someone who shows up and says, "Oh a fire, I've read 
about those..."
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
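The do-it-yourself route JP describes (forward Windows Event Logs to a central syslog box, normalize the version-specific Event IDs, then run a logcheck-style "ignore what is known, report the rest" pass) as an added example; this is not code from the thread, from winlogcheck or from Snare. The line format is a simplified, constructed approximation of Snare's tab-delimited output with only a few fields kept, and the sample lines are constructed.

```python
import re

# Constructed sample lines in a simplified Snare-like tab-delimited syslog
# format (assumption: real Snare output carries more fields than shown here).
# Fields after the syslog header: log, event_id, source, user, message
SAMPLE_LINES = [
    "Mar 31 10:19:01 win2003 MSWinEventLog\tSecurity\t528\tSecurity\tjeff\tSuccessful Logon",
    "Mar 31 10:19:05 win2008 MSWinEventLog\tSecurity\t4624\tMicrosoft-Windows-Security-Auditing\tjeff\tAn account was successfully logged on",
    "Mar 31 10:20:00 win2008 MSWinEventLog\tSecurity\t4625\tMicrosoft-Windows-Security-Auditing\tjeff\tAn account failed to log on",
    "Mar 31 10:21:00 win2003 MSWinEventLog\tSystem\t7036\tService Control Manager\tN/A\tThe Print Spooler service entered the running state",
]

# Normalization step: the same event has different IDs on different Windows
# versions (528/540 vs 4624 for a successful logon, 529 vs 4625 for a failure),
# so map each ID to one canonical name before any pattern matching.
CANONICAL = {
    "528": "logon_success", "540": "logon_success", "4624": "logon_success",
    "529": "logon_failure", "4625": "logon_failure",
    "7036": "service_state_change",
}

# logcheck-style ignore rules, written against the normalized line so one rule
# covers every Windows version; anything that matches no rule is reported.
IGNORE_RULES = [re.compile(p) for p in [
    r"^logon_success ",
    r"^service_state_change .* entered the running state$",
]]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) MSWinEventLog\t(?P<log>[^\t]*)\t"
    r"(?P<eid>\d+)\t(?P<source>[^\t]*)\t(?P<user>[^\t]*)\t(?P<msg>.*)$")

def normalize(line):
    """Parse one forwarded line; return 'canonical host user msg' or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name = CANONICAL.get(m["eid"], "unknown_event_" + m["eid"])
    return f"{name} {m['host']} {m['user']} {m['msg']}"

def report(lines):
    """Return the normalized lines no ignore rule matched (what logcheck would mail you)."""
    out = []
    for line in lines:
        norm = normalize(line)
        if norm is None:
            out.append("UNPARSED " + line)   # never silently drop what you cannot parse
        elif not any(r.search(norm) for r in IGNORE_RULES):
            out.append(norm)
    return out
```

Unknown Event IDs are deliberately reported rather than ignored, so a new Windows release that renumbers an event shows up as "unknown_event_NNNN" instead of vanishing.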