Adam, (just) some comments...

> I'm a Newbie to logging, expecting to get into a centralization project in
> the future. We want to capture UNIX, Windows 2000, Windows NT and _Oracle_
                                                                   ^^^^^^^^
Are these text file or database bound logs? If they are in a text file, you
can use forwarding log watchers.

> logs. I'm not looking from a developer view point but a system integrator /
> customer needs list.
>
> One reason to centralize logging is to reduce the ability of local sysadmins
> being able to modify the log and cover tracks. That is also why I would
> want to make remote logging as real time as reasonable. Lost log records are
> naturally a big concern so I want to ask the following questions.
>
> - Can't Windows and UNIX logging be done over TCP? (The recent High Network
> Load discussion mentioned it once but focuses on UDP. Why in the world
> would you use UDP for critical data?)

Unfortunately, UDP is *the* most widely deployed method. Fortunately, that
doesn't mean it is the only one. To be honest, if you are talking about
devices logging, you are currently more or less limited to UDP. But for *nix
and Windows boxes, there are TCP alternatives. TCP based syslog has only
recently been standardized in RFC 3195, which some find to be too complex.
Anyhow, implementations have shown up in the past month. Other than that,
there is non-standard TCP based syslog, which will not be interoperable in
all cases, but the track record is quite good.

I know the following solutions do non-standard TCP syslogging and are
interoperable:

  Cisco PIX (Firewall)
  syslog-ng (*nix)
    http://www.balabit.com/products/syslog_ng/
  Kiwi (Windows)
    http://www.kiwisyslog.com/
  Adiscon's MonitorWare line of products (Windows)
    http://www.monitorware.com/en/

The following solutions support RFC 3195 logging:

  SDSC syslogd (*nix)
    http://security.sdsc.edu/software/sdsc-syslog/
  Adiscon MonitorWare line of products (Windows)
    http://www.monitorware.com/en/

Our (Adiscon) products are not only syslog collectors/relays, but they also
generate syslog messages, e.g. by dumping Windows event logs or log file data
to a syslogd.

syslog-ng, AFAIK, is free & open source; the Windows solutions are commercial
(but I think moderately priced ;)) and closed source.

The products mentioned above are probably only a subset of those available.
At least I know they work and have been tested against each other. That
doesn't mean you won't encounter bugs or issues (no guarantees) - but they
have worked at least once... [<required sales pitch>obviously, the Adiscon
products will offer highest performance and no bugs at all</required sales
pitch> ;-)]

If you would like to roll some of the functionality yourself, you can use our
free, open source liblogging (http://www.monitorware.com/liblogging/). Today
it enables you to create RFC 3195 compliant applications with minimal effort.
In the not so distant future, it will also support UDP and hopefully
non-standard TCP (& SELP, for those who followed that old thread).

Hope this is helpful
Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
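As an added illustration of the two points raised above (forwarding text-file logs, and using TCP so that lost records surface as errors rather than vanishing), here is a small Python "forwarding log watcher" plus the matching collector-side parser. It is example code written for this archive page, not code from the thread, Adiscon or syslog-ng; newline framing for TCP syslog, the host names and the tags are assumptions.

```python
import re
import socket
import time

# BSD syslog (RFC 3164) facility and severity codes; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
_MSG_RE = re.compile(
    rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)$", re.S)

def build_syslog_message(facility, severity, hostname, tag, text, when=None):
    """Format one record as <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (RFC 3164 style)."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = when if when is not None else time.localtime()
    stamp = "%s %2d %s" % (time.strftime("%b", when), when.tm_mday,
                           time.strftime("%H:%M:%S", when))
    return ("<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, text)).encode("ascii", "replace")

def parse_syslog_message(raw):
    """Collector side: split one line back into fields; None if it is not well-formed."""
    m = _MSG_RE.match(raw.rstrip(b"\n"))
    if not m or int(m.group(1)) > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2).decode(),
            "host": m.group(3).decode(), "tag": m.group(4).decode(),
            "msg": m.group(5).decode(errors="replace")}

class TcpSyslogForwarder:
    """One TCP connection to the collector, one message per newline-terminated line.
    Newline framing is an assumption (the pre-RFC 3195 convention); unlike UDP sendto(),
    sendall() raises when delivery fails instead of dropping the record silently."""
    def __init__(self, host, port=514):
        self.sock = socket.create_connection((host, port), timeout=5)
    def send(self, message):
        self.sock.sendall(message + b"\n")
    def close(self):
        self.sock.close()

def forward_lines(lines, send, hostname, tag, facility="local0", severity="info"):
    """Forward text-file records through send(); stop at the first delivery error and
    return (sent, unsent) so the caller can spool and retry rather than lose records."""
    lines = list(lines)
    for i, line in enumerate(lines):
        msg = build_syslog_message(facility, severity, hostname, tag, line.rstrip("\n"))
        try:
            send(msg)
        except OSError:
            return i, lines[i:]
    return len(lines), []
```

To use it against a real collector, pass `TcpSyslogForwarder("collector.example", 514).send` as the `send` argument and feed it the new lines of the watched file.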
This archive was generated by hypermail 2b30 : Fri Sep 26 2003 - 17:08:48 PDT