Educause Security Discussion mailing list archives

Re: logging windows text-based files to central logging server

From: "Havens, Ben" <benh () BF UMICH EDU>
Date: Mon, 30 Jul 2007 15:56:39 -0400

You don't say whether you are considering non-free options.  The syslog-ng Premium Edition offers a Windows agent that 
interprets text logs as well as event logs.

-----Original Message-----
From: Michael Bayne [mailto:baynema () JMU EDU] 
Sent: Monday, July 30, 2007 3:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] logging windows text-based files to central logging server

Thanks to the people who've responded. So far, I've heard of three tools:

1. Kiwi Secure Tunnel: unless I'm misunderstanding the product, it only provides an encrypted tunneling for messages 
it's received from the network to another syslog server.  Handy, but not what I'm needing (If I am misunderstanding 
what it does, let me know and I'll dig into it more).

2. Snare from Intersect Alliance: we use this currently on our Windows servers and it does a good job.  It's limited, 
however, to only sending Windows Event logs to a syslog server.  We're looking for something that'll handle all the 
other logs on our Windows boxes.

3. Epilog from Intersect Alliance: this is Intersect Alliance's solution for those other logs on Windows boxes.  We 
evaluated this for several weeks and found problems with it.  Our Windows application servers are configured to rotate 
their log files when they reach a certain size. 
Epilog prevented this rotation, resulting in the application group yelling at me when the log file filled up a hard 
drive.

Any body else have any solutions they'd care to share?  I'm trying desperately to avoid trying to write my own since my 
C is terribly rusty.

Thanks.

Michael Bayne wrote:

We have a number of windows applications logging to text-based log 
files (IIS, apache, app servers, etc).  We'd like to get these logs 
off of the windows servers and onto our central syslog server and 
CS-MARS device in a (near) real-time manner. So far, I haven't been 
able to find a tool to do this reliably.  Intersect Alliance's Epilog 
Agent for Windows is the best I've seen so far, but I've found it prevents log rotation.

So, I'm curious as to what you are doing.  Are you logging these 
text-based logs to a central location (syslog or otherwise)?  What 
tools are you using to do so?

Thanks.


-- 

Mike Bayne
Security Engineer
baynema () jmu edu
1.540.568.1684

Current thread:

logging windows text-based files to central logging server Michael Bayne (Jul 27)
- <Possible follow-ups>
- Re: logging windows text-based files to central logging server Anthony Maszeroski (Jul 27)
- Re: logging windows text-based files to central logging server Deepak J. Mathew (Jul 27)
- Re: logging windows text-based files to central logging server Joel Rosenblatt (Jul 27)
- Re: logging windows text-based files to central logging server Aaron Wade (Jul 27)
- Re: logging windows text-based files to central logging server Edgmand, Craig (Jul 27)
- Re: logging windows text-based files to central logging server Nathan W. Labadie (Jul 27)
- Re: logging windows text-based files to central logging server Michael Bayne (Jul 27)
- Re: logging windows text-based files to central logging server Michael Bayne (Jul 30)
- Re: logging windows text-based files to central logging server Havens, Ben (Jul 30)
- Re: logging windows text-based files to central logging server Michael Bayne (Jul 30)
- Re: logging windows text-based files to central logging server Julian J Thompson (jthmpsn2) (Jul 31)