RE: [logs] Newbie questions - remote logging integration

From: Rainer Gerhards (rgerhards@private)
Date: Fri Sep 26 2003 - 02:07:34 PDT

  • Next message: Tina Bird: "Re: [logs] RE: Newbie questions - remote logging integration"

    (just) some comments...
    > I'm a Newbie to logging, expecting to get into a 
    > centralization project in
    > the future.  We want to capture UNIX, Windows 2000, Windows 
    > NT and _Oracle_
    Are these text file or database bound logs? If they are in a text file,
    you can use forwarding log watchers.
    > logs.  I'm not looking from a developer view point but a 
    > system integrator /
    > customer needs list.
    > One reason to centralize logging is to reduce the ability of 
    > local sysadmins
    > being able to modify the log and cover tracks.  That is also 
    > why I would
    > want to make remote logging as real time as reasonable. Lost 
    > log records are
    > naturally a big concern so I want to ask the following questions.
    > - Can't Windows and UNIX logging be done over TCP?  (The 
    > recent High Network
    > Load discussion mentioned it once but focuses on UDP.  Why in 
    > the world
    > would you use UDP for critical data?)
    Unfortunately, UDP is *the* most widely deployed method. Fortunately,
    that doesn't mean it is the only one. To be honest, if you are talking
    about devices logging, you are currently more or less limited to UDP.
    But for *nix and Windows boxes, there are TCP alternatives.
    TCP based syslog has only recently been standardized in RFC 3195, which
    some find to be too complex. Anyhow, implementations have shown up the
    past month. Other than that, there is non-standard TCP based syslog,
    which will not be interoperable in all cases, but the track record is
    quite good.
    I know the following solutions do non-standard TCP syslogging and are
    Cisco PIX (Firewall)
    syslog-ng (*nix)
    Kiwi (Windows)
    Adiscon's MonitorWare line of products (Windows)
    The following solutions support RFC 3195 logging:
    SDSC syslogd (*nix)
    Adiscon MonitorWare line of products (Windows)
    Our (Adiscon) products are not only syslog collectors/relays, but they
    also generate syslog messages, e.g. by dumping Windows event logs or log
    file data to a syslogd.
    syslog-ng, AFIK, is free & open source, the Windows solutions are
    commercial (but I think moderately priced ;)) and closed source.
    The products mentioned above are probably only a subset of those
    available. At least I know they work and have been tested against each
    other. That doesn't mean you won't encounter bugs or issues (no
    guarantees) - but they haved worked at lest once... [<required sales
    pitch>obviously, the Adiscon products will offer highest performance and
    no bugs at all</required sales pitch> ;-)]
    If you would like to roll some of the functionality yourself, you can
    use our free, open source liblogging
    ( It today enables you to create
    RFC3195 compliant applictions with minimal effort. In the not so distant
    future, it will also support UDP and hopefully non-standard TCP (& SELP,
    for those who followed that old thread).
    Hope this is helpful
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Fri Sep 26 2003 - 17:08:48 PDT