RE: [logs] Newbie questions - remote logging integration

From: Rainer Gerhards (rgerhards@private)
Date: Fri Sep 26 2003 - 02:07:34 PDT


    Adam,
    
    (just) some comments...
    
    > I'm a Newbie to logging, expecting to get into a 
    > centralization project in
    > the future.  We want to capture UNIX, Windows 2000, Windows 
    > NT and _Oracle_
             ^^^^^^^^
    
    Are these text file or database bound logs? If they are in a text file,
    you can use forwarding log watchers.
    
    > logs.  I'm not looking from a developer view point but a 
    > system integrator /
    > customer needs list.
    > 
    > One reason to centralize logging is to reduce the ability of 
    > local sysadmins
    > being able to modify the log and cover tracks.  That is also 
    > why I would
    > want to make remote logging as real time as reasonable. Lost 
    > log records are
    > naturally a big concern so I want to ask the following questions.
    > 
    > - Can't Windows and UNIX logging be done over TCP?  (The 
    > recent High Network
    > Load discussion mentioned it once but focuses on UDP.  Why in 
    > the world
    > would you use UDP for critical data?)
    
    Unfortunately, UDP is *the* most widely deployed method. Fortunately,
    that doesn't mean it is the only one. To be honest, if you are talking
    about devices logging, you are currently more or less limited to UDP.
    But for *nix and Windows boxes, there are TCP alternatives.
    
    TCP based syslog has only recently been standardized in RFC 3195, which
    some find to be too complex. Anyhow, implementations have shown up the
    past month. Other than that, there is non-standard TCP based syslog,
    which will not be interoperable in all cases, but the track record is
    quite good.
    
    I know the following solutions do non-standard TCP syslogging and are
    interoperable:
    
    Cisco PIX (Firewall)
    syslog-ng (*nix) http://www.balabit.com/products/syslog_ng/
    Kiwi (Windows) http://www.kiwisyslog.com/
    Adiscon's MonitorWare line of products (Windows)
    http://www.monitorware.com/en/
    
    The following solutions support RFC 3195 logging:
    SDSC syslogd (*nix) http://security.sdsc.edu/software/sdsc-syslog/
    Adiscon MonitorWare line of products (Windows)
    http://www.monitorware.com/en/
    
    Our (Adiscon) products are not only syslog collectors/relays, but they
    also generate syslog messages, e.g. by dumping Windows event logs or log
    file data to a syslogd.
    
    syslog-ng, AFAIK, is free & open source, the Windows solutions are
    commercial (but I think moderately priced ;)) and closed source.
    
    The products mentioned above are probably only a subset of those
    available. At least I know they work and have been tested against each
    other. That doesn't mean you won't encounter bugs or issues (no
    guarantees) - but they have worked at least once... [<required sales
    pitch>obviously, the Adiscon products will offer highest performance and
    no bugs at all</required sales pitch> ;-)]
    
    If you would like to roll some of the functionality yourself, you can
    use our free, open source liblogging
    (http://www.monitorware.com/liblogging/). It today enables you to create
    RFC3195 compliant applications with minimal effort. In the not so distant
    future, it will also support UDP and hopefully non-standard TCP (& SELP,
    for those who followed that old thread).
    
    Hope this is helpful
    Rainer
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
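    The "non-standard TCP syslog" Rainer refers to is, in practice, the BSD
    syslog line format sent over a TCP stream with one message per newline.
    Because TCP is a byte stream, a collector cannot assume that one recv()
    returns exactly one message; reassembling frames across segment boundaries
    is what separates a working TCP collector from one that silently corrupts
    records. The following is an added example, not code from the post or
    from any of the products it lists: a minimal newline-framed TCP syslog
    receiver and a sender that deliberately fragments its writes, with a parser
    for the <PRI> header. It does not implement RFC 3195 (which runs over BEEP).
    The loopback address, the port, the function names (parse_syslog,
    LineFramer, collect, send_fragmented, demo) and the sample log lines are
    constructed for this demonstration.

```python
"""Newline-framed TCP syslog in miniature: a receiver that reassembles
messages split across TCP segments and parses the BSD-style <PRI> header,
plus a sender that deliberately fragments its writes. Added example; not
code from the original post or from syslog-ng, Kiwi or MonitorWare."""
import re
import socket
import threading

# <PRI> is 1-3 decimal digits; facility = PRI // 8, severity = PRI % 8.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(line):
    """Split one BSD-style syslog line into facility, severity and message.
    Returns None when the <PRI> header is missing or out of range (0..191)."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return {"facility": pri >> 3, "severity": pri & 7, "msg": m.group(2)}


class LineFramer:
    """Turn a TCP byte stream into complete newline-terminated messages.
    One message may span several recv() calls, and one recv() may carry
    several messages; both cases are handled. A line longer than max_len
    with no newline is discarded (and counted) so a misbehaving sender
    cannot grow the collector's buffer without bound."""

    def __init__(self, max_len=8192):
        self.buf = b""
        self.max_len = max_len
        self.dropped = 0

    def feed(self, data):
        self.buf += data
        out = []
        while True:
            i = self.buf.find(b"\n")
            if i < 0:
                break
            raw, self.buf = self.buf[:i], self.buf[i + 1:]
            out.append(raw.rstrip(b"\r").decode("utf-8", "replace"))
        if len(self.buf) > self.max_len:
            self.buf = b""
            self.dropped += 1
        return out

    def flush(self):
        """On connection close, return whatever was left without a newline."""
        if not self.buf:
            return []
        raw, self.buf = self.buf, b""
        return [raw.rstrip(b"\r").decode("utf-8", "replace")]


def collect(listener, expected):
    """Accept one sender on an already-bound listening socket and return the
    parsed messages it delivered (lines without a valid PRI parse to None)."""
    conn, _ = listener.accept()
    framer = LineFramer()
    received = []
    with conn:
        while len(received) < expected:
            data = conn.recv(7)  # deliberately tiny reads to exercise reassembly
            if not data:
                received.extend(framer.flush())
                break
            received.extend(framer.feed(data))
    return [parse_syslog(line) for line in received]


def send_fragmented(port, messages, chunk=5):
    """Send newline-framed messages over TCP in small writes so that message
    boundaries never line up with the boundaries of individual sends."""
    payload = b"".join(m.encode("utf-8") + b"\n" for m in messages)
    with socket.create_connection(("127.0.0.1", port)) as s:
        for i in range(0, len(payload), chunk):
            s.sendall(payload[i:i + chunk])


def demo():
    """End-to-end run over loopback; returns the parsed messages in order."""
    msgs = [  # constructed sample lines, not real log data
        "<34>Sep 26 02:07:34 host1 su: 'su root' failed for adam on /dev/pts/1",
        "<13>Sep 26 02:07:35 host1 sshd[512]: Accepted publickey for tina",
        "no pri header here",
    ]
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = []
    t = threading.Thread(target=lambda: result.extend(collect(listener, len(msgs))))
    t.start()
    send_fragmented(port, msgs)
    t.join()
    listener.close()
    return result


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

    Run it directly to see the three records arrive intact despite the 5-byte
    sends and 7-byte reads; the third comes back as None because it carries no
    PRI header, which is the kind of line a collector should count and alert on
    rather than drop silently. The interoperability caveat in the post maps onto
    the framing: a peer that terminates frames differently (or prefixes an
    octet count) will not be reassembled correctly by a newline-only framer.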
    



    This archive was generated by hypermail 2b30 : Fri Sep 26 2003 - 17:08:48 PDT