Mike, I'm not sure that a University represents the "real world." It's more like a battlefield. Everyone seemed to think central logging was a good idea. But, for eight years we talked about it and no one wanted to "take on" the challenge. Technicians fought about the platform, committees fought about policy, administrators fought about who'd pay for it, and who'd look at it. Finally, I took the "Field of Dreams" approach, and decided to build one and see who came.

Well, since September we've been testing what I built using a syslog daemon for Win2k as a central log server. Like Dave Gillett (on this list), we purchased SL4NT; it is relatively inexpensive and yet reliable. Centrally, we've got it running on a 350MHz Windows 2000 Server and storing the logs in a SQL Server 2000 database (the database license is relatively expensive; we considered MySQL, but we wanted XML capability and integration with Active Directory). On the basis of this test I got a small budget to purchase a production machine and software (should be here next year).

So far, we're pleased with the syslogd part of the system. It seems to be able to keep up with the traffic, even when we poured the logs from one of our firewalls "full-bore" into it along with everything else: we eventually trimmed it down, but "that day" we logged about 7 GB of event data. I thought that was respectable for a test machine.

We decided to achieve scalability by having "satellite" collection points that only "forward on" to our central log server the events of "central" interest (those that we chose not to ignore). SL4NT allows for this because one of the actions that you can associate with a rule is to forward events to another log server. We haven't fully tested the performance of this piece yet, but we're hopeful. One appealing thing is that you can manage the rule-sets on the "satellite" SL4NT daemons from an MMC plug-in.
The Windows machines are also an "easier sell" in the field than adding a Linux or FreeBSD box, but they could just as easily serve as "satellite" collection points. (Centrally, we have a lot of Unix experience, but that isn't universally true among the ~800 departments.)

Because we're new at this central log collection game, there are several problems that we haven't solved:

Although we're storing the data in a database, which makes writing a web front-end relatively easy, we haven't achieved a "steady-state" where we're archiving as many log entries each day as we're adding.

Our search for a suitable syslog client for NT, 2000 and XP ended when we examined Tina Bird's recommendation of "EventReporter" from Adiscon. (Thanks Tina.) EventReporter has a few rough points, but we noticed that it was also favorably reviewed at the last SANS Institute conference.

We're continuing to struggle with what we're going to do about collecting logs from Novell servers, despite the great suggestions from this list.

We've got the MVS syslog daemon sending relatively worthless events from our IBM mainframe to the test central log server, but we're not sure how we're going to get the important logs sent via that mechanism yet.

Centralizing our Web logs and Mail logs and making those easier to search is also a problem that we're facing. These logs have special requirements that the plain-text syslog mechanism just doesn't address very well. These logs are also enormous; we probably won't be loading them into the same database where we store all the typical syslog data. However, I also know that "grep" is an inadequate tool with logs of this size and complexity. In a typical example of "the tail wagging the dog," it looks like the size of our logs, given the retention policy that our committees are considering, may well exceed the total size of all our administrative systems and data warehouse combined. (Is this the real world?)
Meanwhile, we're listening to vendors, who all want to sell us a "solution." That might not be so bad, if they just understood the problem. It may be that we'll buy one of these solutions and they'll scrap what I've done, but until then, I'm having fun. (I guess that's a hint that this isn't the real world.)

Sincerely,
Frank

At 02:56 PM 12/14/2001 +0100, Mike Blomgren wrote:
>I'm interested in hearing some 'real world' experience with running a
>syslog daemon on Win2k, and would like to hear your opinions.
. . .snip. . .

*****************************************
Frank Solomon
University of Kentucky
http://www.franksolomon.net
The question is not whether machines think, but whether people do. . .
--Paraphrased from B.F. Skinner
*****************************************
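The "satellite" design Frank describes (a collection point that keeps the noise local and forwards only events of central interest) rests on rule-based forwarding. The following is an added illustration, not SL4NT's code or anything from the original post: a minimal relay decision in Python that parses the BSD syslog `<PRI>` header, applies rules on severity, facility and message text, and counts what it dropped or could not parse. The sample lines, facilities and rules are constructed for the example.

```python
import re

# BSD syslog (RFC 3164) lines start with "<PRI>", where PRI = facility * 8 + severity
# and severity 0 (emerg) is the most severe; 191 is the highest legal PRI value.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_pri(line):
    """Return (facility, severity, body), or None when the PRI header is missing or out of range."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

def rule_matches(rule, facility, severity, body):
    """rule = (max_severity, facility or None, regex or None); forward only events at least as
    severe as max_severity whose facility and message body satisfy the optional filters."""
    max_sev, want_fac, pattern = rule
    if severity > max_sev:
        return False
    if want_fac is not None and facility != want_fac:
        return False
    return pattern is None or re.search(pattern, body) is not None

def relay(lines, rules):
    """Satellite decision for a batch: (lines to forward centrally, dropped count, malformed count)."""
    forward, dropped, malformed = [], 0, 0
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            malformed += 1          # counted, not silently discarded: a broken sender should be visible
            continue
        fac, sev, body = parsed
        if any(rule_matches(r, fac, sev, body) for r in rules):
            forward.append(line)
        else:
            dropped += 1
    return forward, dropped, malformed

# Constructed sample traffic (not real logs): a firewall on local4 (facility 20), sshd on auth (4).
SAMPLE = [
    "<164>Dec 14 02:56:01 fw1 kernel: DENY TCP 10.0.0.5:4455 -> 10.0.0.9:445",   # 20*8+4 = warning
    "<166>Dec 14 02:56:02 fw1 kernel: ACCEPT TCP 10.0.0.5:1234 -> 10.0.0.9:80",  # 20*8+6 = info
    "<34>Dec 14 02:56:03 host2 sshd: Failed password for root from 10.0.0.7",    # 4*8+2 = crit
    "<38>Dec 14 02:56:04 host2 sshd: Accepted password for alice",               # 4*8+6 = info
    "line with no PRI header at all",
]
RULES = [
    (4, 20, None),                  # firewall: forward warning and worse, drop the ACCEPT noise
    (6, 4, r"Failed password"),     # auth: forward failed logons at any severity up to info
]
```

Calling `relay(SAMPLE, RULES)` forwards the DENY and the failed logon, drops the two informational lines, and reports the headerless line as malformed.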
This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 11:24:30 PST