To the extent that I'm happy with syslog (and it does have some glaring deficiencies...), I've been very happy with a third-party utility called SL4NT ("SysLogd For NT"). I haven't deployed it to a 2K box yet, but if that requires a newer version than I've used, I expect it's available by now.

It doesn't do anything about lost or spoofed UDP packets, but it does let me route syslog entries into the NT Security Event log, which can at least be made fairly tamper-resistant. I collect the data from there for archiving and analysis.

As far as stability and availability, my experience is that an NT server that does little besides receive syslog and log-retrieval requests doesn't exhibit the kind of instability that is often claimed for servers hosting, say, IIS. Nor has it raised issues of authenticity, especially if it is hidden from other domain users.

(SL4NT does include tools for triggering actions based on specific log entries, but I have so far preferred to simply have it commit the entries to the system log, and do all analysis on the back end of that.)

Dave Gillett

On 14 Dec 2001, at 14:56, Mike Blomgren wrote:

> I'm interested in hearing some 'real world' experience with running a
> syslog daemon on Win2k, and would like to hear your opinions.
>
> We're a 'mixed' OS shop, with *nix and MS platforms. We need to have
> the syslog from several (8-10) production webservers log to a
> dedicated syslogd host. For political reasons, the receiving syslogd
> host is a Win2k (something I'd like to change...). However, Win2k
> doesn't handle syslog by default. So, my question is really: which
> syslog daemon for Win 2k would you suggest, and why?
>
> Another concern is security. The syslog will contain sensitive
> information, and we need to be certain that the syslog contains correct
> information, and is not tampered with. Also, to perform the logging, the
> syslog has to pass a firewall situated between the webservers and the
> syslog host. Security implications? Should we trust syslogd, or would
> you recommend nsyslogd, or the such?...
>
> I realise this is a lot to ask for, but I'd really appreciate some
> real-world experience. I know there are a lot of logical and practical
> issues in the above scenario, such as issues of stability, authenticity,
> availability, analysis of the syslog info, etc, etc...
>
> TIA
>
> Regards,
>
> ~Mike

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
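Dave's remark that SL4NT (like any UDP syslog receiver) can do nothing about spoofed datagrams is worth making concrete. The following added example, which is not code from either poster or from SL4NT, shows the receiver-side sanity checks that are still possible: a BSD syslog (RFC 3164) parser plus a constructed allowlist mapping each web server's source address to the hostname it is expected to write in the HOSTNAME field, so that misdirected, malformed or inconsistent datagrams are rejected with a reason before they reach the archive. The addresses, hostnames and sample message are assumptions.

```python
import ipaddress
import re

# Constructed mapping of the production web servers allowed to log here:
# source address -> hostname the server writes in the HOSTNAME field.
WEBSERVERS = {
    ipaddress.ip_address("10.0.1.11"): "web01",
    ipaddress.ip_address("10.0.1.12"): "web02",
}

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# RFC 3164 (BSD syslog) datagram: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


def parse_syslog(line):
    """Split a BSD syslog line into fields; return None if it is malformed."""
    m = SYSLOG_RE.match(line)
    if not m or int(m["pri"]) > 191:  # PRI = facility * 8 + severity, max 23*8+7
        return None
    pri = int(m["pri"])
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m["ts"], "host": m["host"], "msg": m["msg"]}


def accept_datagram(src_ip, payload):
    """Return (True, record) or (False, reason) for one received datagram.

    These checks cannot prove authenticity (a UDP source address is
    forgeable); they drop misdirected, malformed or inconsistent datagrams
    before they are committed to the log and say why each was dropped.
    """
    src = ipaddress.ip_address(src_ip)
    if src not in WEBSERVERS:
        return False, "source %s is not a known web server" % src
    rec = parse_syslog(payload.decode("utf-8", "replace"))
    if rec is None:
        return False, "malformed syslog datagram from %s" % src
    if rec["host"] != WEBSERVERS[src]:
        return False, "hostname %r does not match source %s" % (rec["host"], src)
    rec["src"] = str(src)
    return True, rec
```

A UDP listener bound to port 514 would feed each `recvfrom()` result (payload and peer address) to `accept_datagram` and commit only the accepted records; the rejection reasons are themselves worth logging, since a burst of them from an unexpected source is the signal a receiver alone can offer.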
This archive was generated by hypermail 2b30 : Sun Dec 16 2001 - 15:41:31 PST