Educause Security Discussion mailing list archives

Re: Log Management
From: Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date: Fri, 5 Mar 2010 10:51:33 -0500

On Fri, Mar 05, 2010 at 10:11:24AM -0500, Hammond, Stanley wrote:
> The other option I tested was Splunk which I liked, but because it
> accesses Windows systems using WMI it looked like some of the Windows
> virtual machines took a performance hit (according to our Technical
> Director).

I have a feeling that the problem you ran into was that you had the "Windows"
app enabled which aggressively logs many things you probably don't care about,
like cpu or memory usage.  The "Unix" app does the same thing.

If disabling all of the extras in the Windows app doesn't help, or you really
don't want to run splunk on the servers, you could set it up using:

    Windows+snare -> syslog+splunk forwarder -> splunk indexer

instead of

    Windows+splunk forwarder -> splunk indexer

However, if you do that you lose some of the benefits of having the forwarder
running on the box itself.


--
-- Justin Azoff
-- Network Security & Performance Analyst
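
Added example (not from the thread or from Splunk/Snare): a parser for the tab-delimited lines the Snare agent hands to the syslog hop in the first setup above, run over constructed sample lines, assuming the classic MSWinEventLog field order and hypothetical host/event values.

```python
import re
from collections import Counter
# Field order after the "MSWinEventLog" token in the tab-delimited output of the
# Snare for Windows agent (assumption: the classic layout; newer agents may append
# a checksum field, which is kept if present).
SNARE_FIELDS = ("criticality", "log", "counter", "event_time", "event_id", "source",
                "user", "sid_type", "event_type", "computer", "category", "data", "expanded")
# The syslog header that the snare -> syslog -> forwarder hop wraps around each event.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) MSWinEventLog\t(?P<rest>.*)$")

def parse_snare(line):
    """Return the Windows event carried in one Snare syslog line as a dict, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    parts = m.group("rest").split("\t")
    if len(parts) < len(SNARE_FIELDS):
        return None                      # truncated or not Snare-formatted: drop it
    rec = dict(zip(SNARE_FIELDS, parts))
    rec["checksum"] = parts[len(SNARE_FIELDS)] if len(parts) > len(SNARE_FIELDS) else None
    rec["event_id"] = int(rec["event_id"])
    rec["syslog_host"] = m.group("host")   # host as seen by syslog, vs. rec["computer"]
    rec["facility"], rec["severity"] = divmod(int(m.group("pri")), 8)
    return rec

def summarize(lines):
    """Count events per (log, event_type); collect failed logons; count unparsable lines."""
    counts, failed, dropped = Counter(), [], 0
    for line in lines:
        rec = parse_snare(line)
        if rec is None:
            dropped += 1
            continue
        counts[(rec["log"], rec["event_type"])] += 1
        if rec["log"] == "Security" and rec["event_id"] == 4625:
            failed.append((rec["computer"], rec["event_time"], rec["counter"]))
    return counts, failed, dropped
# Constructed sample lines (not real captures) built in the layout described above.
def _snare(host, log, n, when, eid, src, etype, msg):
    fields = ("1", log, str(n), when, str(eid), src, "N/A", "N/A", etype,
              host.upper(), "Logon", msg, "")
    return "<13>Mar  5 10:51:33 %s MSWinEventLog\t%s" % (host, "\t".join(fields))

SAMPLE = [
    _snare("win-dc1", "Security", 101, "Fri Mar 05 10:51:33 2010", 4624, "Microsoft-Windows-Security-Auditing", "Success Audit", "An account was successfully logged on."),
    _snare("win-dc1", "Security", 102, "Fri Mar 05 10:51:34 2010", 4625, "Microsoft-Windows-Security-Auditing", "Failure Audit", "An account failed to log on."),
    "<13>Mar  5 10:51:35 win-dc1 MSWinEventLog\t1\tSystem\tgarbled",  # truncated in transit
]
```

The dropped count is worth alerting on: with the agent-less path, a truncated or non-Snare line means the event never reaches the indexer, which the on-box forwarder would otherwise have carried intact.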
