Centralizing Event Viewer Logs
From: Ron Johnson - Adhost
Sent: Tuesday, January 29, 2008 12:51 PM
To: focus-ms@...

Hello List:

I was looking into options that will allow us to centralize Event Viewer Logs in an Active Directory domain - can anyone recommend any software for this? It would be great if we could find a piece of software that does just this - not a full blown enterprise security solution that cost$ and does many other things that we wouldn't use it for necessarily.

Thanks!
RE: Centralizing Event Viewer Logs
From: James Winzenz

One free option I have heard of is KiwiSyslog Log Viewer - kinda played with it a bit, but we have one of the $$ enterprise solutions here, so there was no point for me.

Here are some questions you may want to ask regarding log solutions:

1. What am I looking to get out of my event logs?
2. How many systems will I be collecting from and how many are windows servers?
3. Reporting and alerting options
4. Capacity (both number of systems as well as capacity in terms of number of events collected)
5. Am I doing this to be proactive or as a result of an audit finding?
6. How much am I willing to spend on a product?

This may help determine what you really need. Google yields the following other results, which MAY be less expensive than those *enterprise* products, depending on your answer to #2. Keep in mind, I do not know what the capacity of these solutions are.

- EventSentry
- AdventNet Eventlog Analyzer
- Prism EventTracker
- Dorian Total Event Log Management Suite
- FSPro Event Log Explorer

Thanks,

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Ron Johnson - Adhost
Sent: Tuesday, January 29, 2008 12:51 PM
To: focus-ms@...
Subject: Centralizing Event Viewer Logs

> [...]

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email and delete the message and any file attachments from your computer. Thank you.
RE: Centralizing Event Viewer Logs
From: S D Fisher <fuzzlecat@...>
Sent: Jan 30, 2008 1:28 AM

How does one then protect the syslog server from tampering?

The second part of the requirement (usually) is some sort of encryption or hashing process that protects the collected logs on the syslog server from even the admins.

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Ron Johnson - Adhost
Sent: Tuesday, January 29, 2008 3:27 PM
To: Kurt Buff
Cc: focus-ms@...
Subject: RE: Centralizing Event Viewer Logs

Thanks for all the quick input folks. I will definitely look into each solution.

-Ron

-----Original Message-----
From: Kurt Buff [mailto:kurt.buff@...]
Sent: Tuesday, January 29, 2008 12:24 PM
To: Ron Johnson - Adhost
Cc: focus-ms@...
Subject: Re: Centralizing Event Viewer Logs

There are several alternatives, but I've settled on the Kiwisoft syslog server (the free version is fine, but the pay version is cheap and does some very nice extra things) and the IntersectAlliance Snare syslog client. The Snare client takes each event entry, formats it to a single line, then sends it to the syslog server. Install it on each of your machines for which you are monitoring event logs, and it works nicely.

On Jan 29, 2008 11:51 AM, Ron Johnson - Adhost <ron@...> wrote:
> [...]

__________ NOD32 2232 (20070430) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com
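Kurt Buff's quoted note describes the receiving side's job: each Windows event arrives as one syslog line, and the central server has to pull it apart before it can count, filter or alert on anything. The parser below is an added example written for this thread, not code from Snare, Kiwi or any product named here. It parses the RFC 3164 wire format (PRI, timestamp, host, MSG) and then splits a tab-separated Windows event out of MSG; the field order after the "MSWinEventLog" tag (criticality, log name, event ID, description, user) and all sample lines are constructed assumptions for the example, not a documented agent format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input (not captured from any real system): RFC 3164 syslog
# lines as a Windows agent in the Snare style might emit them, with the whole
# Windows event flattened into one tab-separated MSG. The field order after the
# "MSWinEventLog" tag (criticality, log name, event id, description, user) is an
# assumption made for this example, not a documented format.
SAMPLE_LINES = [
    "<13>Jan 29 12:51:03 DC01 MSWinEventLog\t1\tSecurity\t4624\tAn account was successfully logged on\tCORP\\jdoe",
    "<13>Jan 29 12:51:05 DC01 MSWinEventLog\t2\tSecurity\t4625\tAn account failed to log on\tCORP\\jdoe",
    "<14>Jan 29 12:51:07 FS02 MSWinEventLog\t1\tSystem\t7036\tThe Print Spooler service entered the running state\tSYSTEM",
    "<13>Jan 29 12:51:09 DC01 MSWinEventLog\t2\tSecurity\t4625\tAn account failed to log on\tCORP\\admin",
    "<999>Jan 29 12:51:10 DC01 bogus priority value",   # PRI out of range: must be rejected
    "this line is not syslog at all",                    # malformed: must be rejected, not crash
]

@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    fields: list      # remaining tab-separated fields of the MSG

_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"                               # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "  # TIMESTAMP, e.g. "Jan 29 12:51:03"
    r"(?P<host>\S+) "                                    # HOSTNAME
    r"(?P<msg>.*)$"                                      # MSG (tag + content)
)

def parse_line(line: str) -> Optional[SyslogEvent]:
    """Parse one RFC 3164 line; return None for anything malformed."""
    m = _RFC3164.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # 24 facilities * 8 severities - 1
        return None
    parts = m.group("msg").split("\t")
    return SyslogEvent(pri // 8, pri % 8, m.group("ts"), m.group("host"), parts[0], parts[1:])

def parse_all(lines):
    """Return (parsed events, count of rejected lines) so dropped input is visible, not silent."""
    events, rejected = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            rejected += 1
        else:
            events.append(ev)
    return events, rejected

def windows_event_id(ev: SyslogEvent) -> Optional[int]:
    """Event ID under the assumed layout: fields = [criticality, log, id, description, user]."""
    if ev.tag != "MSWinEventLog" or len(ev.fields) < 3:
        return None
    try:
        return int(ev.fields[2])
    except ValueError:
        return None

def count_by_host_and_id(events):
    """{(host, event_id): count}: the roll-up a central server needs before it can alert."""
    counts = {}
    for ev in events:
        eid = windows_event_id(ev)
        if eid is None:
            continue
        key = (ev.host, eid)
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    evs, bad = parse_all(SAMPLE_LINES)
    print(f"parsed {len(evs)} events, rejected {bad} lines")
    for (host, eid), n in sorted(count_by_host_and_id(evs).items()):
        print(f"{host:6} event {eid}: {n}")
```

Two details matter on a collector that anything on the network can send UDP to: malformed or out-of-range input is counted and dropped rather than raising, and the rejected count is returned so a sudden jump in it (a misconfigured agent, or junk aimed at the listener) is itself something to alert on.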
RE: Centralizing Event Viewer Logs
From: Wayne S. Anderson
Sent: Tuesday, January 29, 2008 5:18 PM

Windows Server 2008 specifically has these features in an Active Directory environment, out of the box at no extra cost.

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Ron Johnson - Adhost
Sent: Tuesday, January 29, 2008 12:51 PM
To: focus-ms@...
Subject: Centralizing Event Viewer Logs

> [...]
RE: Centralizing Event Viewer Logs
From: Wayne S. Anderson

For those interested (as I have received a couple direct emails asking how this works in 2008) here is a published article which hits more detail:

http://redmondmag.com/columns/article.asp?editorialsid=1868

Want to work with the technology now and give it a test drive? TechNet has a free virtual lab available that focuses specifically on this featureset.

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032345257&EventCategory=3&culture=en-US&CountryCode=US

I can tell you it's on the upgrade exam if you are interested in certifying on windows server 2008.

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Wayne S. Anderson
Sent: Tuesday, January 29, 2008 5:18 PM
To: 'Ron Johnson - Adhost'; focus-ms@...
Subject: RE: Centralizing Event Viewer Logs

> [...]
RE: Centralizing Event Viewer Logs
From: "Starks, Brad"
Sent: 01/30/2008 06:50 PM

Take a look at Event Tracker from Prism Microsystems. It's pretty extensive as far as what it can do, so it may be more than you are looking for, but it's worth a visit:

http://www.prismmicrosys.com

Brad

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Ron Johnson - Adhost
Sent: Tuesday, January 29, 2008 12:27 PM
To: Kurt Buff
Cc: focus-ms@...
Subject: RE: Centralizing Event Viewer Logs

> [...]

Email Disclaimer: http://www.co.marin.ca.us/nav/misc/EmailDisclaimer.cfm
RE: Centralizing Event Viewer Logs
From: Lars

I use NTSyslog (http://ntsyslog.sourceforge.net) configured to forward all events to a Linux syslog server. On that server I then run swatch to filter away all uninteresting things. Works quite well.

Regards,
Lars

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Ron Johnson - Adhost
Sent: Tuesday, January 29, 2008 12:51 PM
To: focus-ms@...
Subject: Centralizing Event Viewer Logs

> [...]
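Lars's setup (forward everything, then let swatch on the Linux side throw away the uninteresting lines) is the pattern most home-grown collectors end up with. The filter below is an added example for this thread, not swatch itself or anything shipped with NTSyslog: it applies ignore rules and watch rules in order, first match wins, and additionally escalates a host once its failed-logon count reaches a threshold, the way a swatch stanza with a counter would. The sample log lines and the "log[event id]" program field are constructed for the example; a real forwarder lays its lines out differently.

```python
import re
from collections import Counter

# Constructed sample (not a real capture): lines as a Linux syslog daemon might
# write forwarded Windows events. The "<log>[<event id>]" program field is an
# assumption made for this example; real forwarders lay the line out differently.
SAMPLE_LOG = """\
Jan 29 12:51:03 dc01 security[4624]: Success Audit: user CORP\\jdoe logged on
Jan 29 12:51:04 dc01 security[4625]: Failure Audit: logon failed for CORP\\jdoe
Jan 29 12:51:05 fs02 system[7036]: Information: Print Spooler entered the running state
Jan 29 12:51:06 dc01 security[4625]: Failure Audit: logon failed for CORP\\jdoe
Jan 29 12:51:07 dc01 security[4672]: Success Audit: special privileges assigned to new logon
Jan 29 12:51:08 fs02 system[7036]: Information: Print Spooler entered the stopped state
Jan 29 12:51:09 fs02 security[4625]: Failure Audit: logon failed for CORP\\svc_backup
Jan 29 12:51:10 dc01 security[1102]: Success Audit: the audit log was cleared
"""

# Rules are tried in order and the first match decides, as with swatch's
# ignore/watchfor stanzas. Ignore patterns are deliberately narrow: an ignore
# rule broad enough to also match a watched event would drop the alert silently.
IGNORE = [
    re.compile(r"\bsystem\[7036\]"),    # routine service start/stop chatter
    re.compile(r"\bsecurity\[4672\]"),  # privileged logon, fires for every admin session
]
WATCH = [
    (re.compile(r"\bsecurity\[1102\]"), "audit log cleared"),
    (re.compile(r"\bsecurity\[4625\]"), "failed logon"),
]
_HOST = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) ")   # host field of the syslog line

def classify(line):
    """Return ('ignore' | 'alert' | 'keep', label). 'keep' means stored but not alerted on."""
    for pat in IGNORE:
        if pat.search(line):
            return "ignore", None
    for pat, label in WATCH:
        if pat.search(line):
            return "alert", label
    return "keep", None

def run_filter(text, threshold=2):
    """Apply the rules to each line; escalate hosts whose failed-logon count reaches the threshold."""
    alerts, kept, ignored = [], [], 0
    failed_per_host = Counter()
    for line in text.splitlines():
        verdict, label = classify(line)
        if verdict == "ignore":
            ignored += 1
            continue
        if verdict == "keep":
            kept.append(line)
            continue
        alerts.append((label, line))
        if label == "failed logon":
            m = _HOST.match(line)
            if m:
                failed_per_host[m.group(1)] += 1
    escalated = sorted(h for h, n in failed_per_host.items() if n >= threshold)
    return {"alerts": alerts, "kept": kept, "ignored": ignored, "escalated": escalated}

if __name__ == "__main__":
    result = run_filter(SAMPLE_LOG)
    for label, line in result["alerts"]:
        print(f"ALERT [{label}] {line}")
    print(f"ignored {result['ignored']}, stored quietly {len(result['kept'])}, escalated hosts {result['escalated']}")
```

Note that "ignore" here only means "do not alert"; the forwarded line has already been written to the server's log by syslogd, which is the right place for it. Filtering at the alerting stage rather than at the forwarder keeps the full record for later investigation while the on-call person sees only the watched events.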
RE: Centralizing Event Viewer Logs
From: William M. Ryan

Earlier in my search for an event management solution I found one that seemed to meet my requirements so I downloaded a 30 day eval. It worked great on my local servers so after a while I tried it on a server at my remote site. It promptly saturated the line (256k) with traffic and kept it saturated (over a weekend) when nobody was working.

The moral of the story is don't buy without doing a thorough test of the product configured as you plan to use it (many companies have optional modules and features to enhance their offerings (and their bottom line)), and test it on a representative sample of the equipment you're going to use.

Also consider ease of deployment. Is there an agent? How configurable is it? How tricky is it to install? Will I kill my lines when copying the agent to remote servers?

William M. Ryan
Information Technology Specialist 4
Bureau of Information Technology Services
NYS DOH Division of Nutrition

"Starks, Brad" <BStarks@... .ca.us>
Sent by: listbounce@securityfocus.com
To: "Ron Johnson - Adhost" <ron@...>, "Kurt Buff" <kurt.buff@...>
cc: <focus-ms@...>
01/30/2008 06:50 PM
Subject: RE: Centralizing Event Viewer Logs

[...]

IMPORTANT NOTICE: This e-mail and any attachments may contain confidential or sensitive information which is, or may be, legally privileged or otherwise protected by law from further disclosure. It is intended only for the addressee. If you received this in error or from someone who was not authorized to send it to you, please do not distribute, copy or use it or any attachments. Please notify the sender immediately by reply e-mail and delete this from your system. Thank you for your cooperation.
RE: Fwd: Centralizing Event Viewer Logs
From: James Winzenz
Sent: Friday, February 01, 2008 12:28 PM

IMHO, you get what you pay for.

Are you referring to this product? http://sourceforge.net/projects/eventlogmonitor/

If so, it looks like it can only deal with windows logs. That is not going to get you very far. If you want to know what is going on within your network, you really need something that can handle syslog messages as well (routers, firewalls, etc.).

Although not pertinent to the product you mentioned, I remembered reading on GFI's website about their event log management product. They were *boasting* that their collector could handle up to 6 million events per hour. That boils down to a paltry 1667 events per second, which is absolutely pathetic. A couple of core routers/firewalls could easily overwhelm this.

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of ottobeli82@...
Sent: Friday, February 01, 2008 9:08 AM
To: focus-ms@...
Subject: Re: Fwd: Centralizing Event Viewer Logs

Is there someone who already tried the product SB Eventlog Monitor? I'm thinking about starting some tests in my network (all windows, 2000 machines) centralizing all the logs in one server, but I would like to hear from you any kind of experience with this product. I would like to know how the product behaves concerning network traffic, manageability and event correlation.
RE: Fwd: Centralizing Event Viewer Logs

Check out Loglogic http://www.loglogic.com

It will handle up to 4000 mps sustained and can handle spikes up to 30000 mps.

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of James Winzenz
Sent: Friday, February 01, 2008 12:28 PM
To: focus-ms@...
Subject: RE: Fwd: Centralizing Event Viewer Logs

> [...]
Re: Centralizing Event Viewer Logs
From: Kosala

Hi,

If you get it on a Linux or certain Unix boxes where there are file system level access controls to prevent modifications, that'll be enough. For example: the Linux ext2 FS has the acl to allow logfiles to be opened append only; you can search for the lsattr and chattr commands. This feature I have used with Linux and AIX (JFS2).

Theoretically there is no way you can hide things from the sysadmin (I mean real sysadmins). Even if you encrypt it, still the sysadmin will have the private key to decrypt it.

Cheers,
Kosala

On Jan 30, 2008 1:28 AM, S D Fisher <fuzzlecat@...> wrote:
> How does one then protect the syslog server from tampering?
> The second part of the requirement (usually) is some sort of encryption or
> hashing process that
> protects the collected logs on the syslog server from even the admins.
>
> [...]

--
Kosala
--------------------------------------------
Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.
--------------------------------------------
blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net
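S D Fisher asked for a "hashing process" that protects collected logs even from the admins, and Kosala's reply is that whoever administers the box can recompute or decrypt whatever is stored on it. The example below, added for this thread and not taken from any product or poster, shows both halves of that: a hash chain over the collected lines makes any in-place edit or deletion detectable, but an admin who rewrites the whole chain defeats it, so the small "anchor" value (record count plus last hash) has to be copied somewhere that admin cannot write. Where that anchor lives (a second host, a printout, a WORM medium) is left as an assumption; the sample log lines are constructed.

```python
import hashlib

# Constructed sample of collected lines (not a real capture).
SAMPLE_LINES = [
    "Jan 29 12:51:03 dc01 security[4624]: Success Audit: user CORP\\jdoe logged on",
    "Jan 29 12:51:04 dc01 security[4625]: Failure Audit: logon failed for CORP\\jdoe",
    "Jan 29 12:51:09 dc01 security[1102]: Success Audit: the audit log was cleared",
]

GENESIS = "0" * 64   # the hash "before" the first record

def _digest(prev_hex, seq, line):
    """SHA-256 over (previous hash, sequence number, line). The sequence number stops record swaps."""
    h = hashlib.sha256()
    h.update(prev_hex.encode("ascii"))
    h.update(str(seq).encode("ascii"))
    h.update(b"\x00")                    # separator so "1"+"2..." cannot collide with "12"+"..."
    h.update(line.encode("utf-8"))
    return h.hexdigest()

def build_chain(lines):
    """Turn lines into records, each carrying the hash of everything written before it."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        digest = _digest(prev, seq, line)
        records.append({"seq": seq, "line": line, "prev": prev, "hash": digest})
        prev = digest
    return records

def anchor_of(records):
    """(record count, last hash): the value to copy to a place the server's admins cannot write.
    Where that place is (second host, printout, WORM medium) is an assumption left to the deployment."""
    return (len(records), records[-1]["hash"] if records else GENESIS)

def verify_chain(records, anchor=None):
    """Return (ok, first bad seq). Without an anchor only internal consistency is checked."""
    prev = GENESIS
    for seq, rec in enumerate(records):
        if rec["seq"] != seq or rec["prev"] != prev or _digest(prev, seq, rec["line"]) != rec["hash"]:
            return False, seq
        prev = rec["hash"]
    if anchor is not None and (len(records), prev) != anchor:
        return False, len(records)
    return True, None

def tamper_demo():
    """Three things someone with write access to the store might do, and what the verifier sees."""
    records = build_chain(SAMPLE_LINES)
    anchor = anchor_of(records)          # shipped off-box at the time the chain was written
    # 1. Edit one record in place.
    edited = [dict(r) for r in records]
    edited[1]["line"] = edited[1]["line"].replace("Failure Audit", "Success Audit")
    # 2. Edit, then rebuild the whole chain so it is internally consistent again.
    rebuilt = build_chain([r["line"] for r in edited])
    # 3. Drop the last record (the "audit log was cleared" event).
    truncated = records[:-1]
    return {
        "clean": verify_chain(records, anchor),
        "edited_in_place": verify_chain(edited, anchor),
        "rebuilt_no_anchor": verify_chain(rebuilt),
        "rebuilt_with_anchor": verify_chain(rebuilt, anchor),
        "truncated": verify_chain(truncated, anchor),
    }

if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:20} -> {result}")
```

The "rebuilt_no_anchor" case is Kosala's point in code: the rebuilt chain passes every internal check, so hashing on the log server alone proves nothing to an auditor. Only the comparison against the externally held anchor fails, which is why the design goal is not hiding data from the admin but making sure the admin cannot alter it without leaving evidence somewhere they do not control. An append-only attribute (chattr +a, as Kosala mentions) is the complementary control on the box itself.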