On 11/13/2014 11:11 PM, Jason Long wrote:
Hello folks. How are you? I have a question, and please accept my apology if it is silly. I forward Windows logs via Snare into my Linux box, but can I ask why a network admin does it? Why don't some people use a Windows log program? I receive all Windows logs in Linux with Windows Audit, and I don't know how I can analyse them easily!!!
These questions depend on your environment and which programs you are using to process/analyse them. If your environment is 100% Windows, then you probably don't want to introduce a Linux system just to collect your logs. If you have purchased a log analysis solution, then you will use whatever collection toolkit that solution requires.

I can tell you the reasons that WE forward all of our Windows logs to a central PAIR of Linux syslog-ng systems.

1. Have all of the logs in one stream to see what is happening across the environment. We have Windows-based applications that might be fouling up, but they are using Oracle databases on Linux hosts. Seeing the logs from both of these systems in one stream makes troubleshooting much easier.

2. Having logs off-system in near real time. When a host crashes, we can review what happened BEFORE bringing the system back on-line. In some cases, this has changed the way we bring the system back. This also provides authoritative logs in the event that a host is compromised.

3. Logging to two central syslog-ng servers provides for redundant logging (and alerting - see #5).

4. One stream of logs to archive. We keep our logs for many years in case some kind of legal audit or challenge comes our way. All logs in one place makes archiving and auditing much easier.

5. With syslog-ng we have written a monitoring and alerting system that processes every syslog event and creates incidents/alerts etc. Being able to leverage this across Linux, UPSs, generators, PDUs, storage systems, temperature sensors, AND Windows systems is very powerful.

6. Log mining. There are far better tools under Linux to store and search syslog messages: Elasticsearch, Kibana, Graylog, Squert, ELSA, Zabbix and lots of others.

-- 
Evan Rempel
Senior Systems Administrator
Data Centre Services, University Systems, University of Victoria
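The "process every syslog event and create incidents" idea from point 5 (and the original poster's "how can I analyse it" question) can be illustrated with a small event processor. The code below is an added example, not code from the list, from Snare or from the University of Victoria's monitoring system. It assumes a Snare-like tab-separated payload of the form `HOST MSWinEventLog<TAB>criticality<TAB>log<TAB>counter<TAB>timestamp<TAB>event_id<TAB>source<TAB>user<TAB>sid_type<TAB>event_type<TAB>computer<TAB>category<TAB>message`; the exact field order is an assumption (the real agent is configurable), and all sample lines, hostnames and account names are constructed. Two defensive rules are shown: a burst of failed logons (event ID 4625) for one account, and the Security log being cleared (event ID 1102), which is the kind of thing you only see reliably when the logs are already off-box.

```python
"""Example processor for Windows events forwarded via Snare into syslog-ng."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Assumed Snare field order after the leading "HOST MSWinEventLog" tag.
# Adjust to match your agent's configuration; extra trailing fields
# (for example a checksum) are ignored.
SNARE_FIELDS = [
    "criticality", "log_name", "counter", "timestamp", "event_id",
    "source", "user", "sid_type", "event_type", "computer", "category",
    "message",
]


@dataclass
class WinEvent:
    host: str
    event_id: int
    user: str
    event_type: str
    computer: str
    message: str
    timestamp: datetime


def parse_snare_line(line: str) -> Optional[WinEvent]:
    """Parse one forwarded line; return None for anything malformed."""
    head, sep, rest = line.partition("\t")
    if not sep:
        return None
    host, _, tag = head.rpartition(" ")
    if tag != "MSWinEventLog" or not host:
        return None
    parts = rest.split("\t")
    if len(parts) < len(SNARE_FIELDS):
        return None
    rec = dict(zip(SNARE_FIELDS, parts))
    try:
        ts = datetime.strptime(rec["timestamp"], "%a %b %d %H:%M:%S %Y")
        event_id = int(rec["event_id"])
    except ValueError:
        return None
    return WinEvent(host, event_id, rec["user"], rec["event_type"],
                    rec["computer"], rec["message"], ts)


class AlertEngine:
    """Stateful rules evaluated against every parsed event."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(minutes=2)):
        self.threshold = threshold
        self.window = window
        # Sliding window of failed-logon timestamps per (host, account).
        self._failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self.alerts: List[str] = []

    def process(self, ev: WinEvent) -> Optional[str]:
        if ev.event_id == 1102:            # Security audit log cleared
            alert = f"{ev.host}: security audit log cleared by {ev.user}"
        elif ev.event_id == 4625:          # An account failed to log on
            q = self._failures[(ev.host, ev.user)]
            q.append(ev.timestamp)
            while q and ev.timestamp - q[0] > self.window:
                q.popleft()                # drop failures outside the window
            if len(q) < self.threshold:
                return None
            alert = f"{ev.host}: {len(q)} failed logons for {ev.user} within {self.window}"
            q.clear()                      # one incident per burst
        else:
            return None
        self.alerts.append(alert)
        return alert


def build_sample_lines() -> List[str]:
    """Constructed sample input: 5 failed logons, 1 success, 1 log-clear, 1 junk line."""
    base = datetime(2014, 11, 13, 23, 11, 0)

    def make(host: str, eid: int, user: str, etype: str, msg: str, offset: int) -> str:
        ts = (base + timedelta(seconds=offset)).strftime("%a %b %d %H:%M:%S %Y")
        fields = ["1", "Security", str(offset), ts, str(eid),
                  "Microsoft-Windows-Security-Auditing", user, "User", etype,
                  host.upper(), "Logon", msg]
        return f"{host} MSWinEventLog\t" + "\t".join(fields)

    lines = [make("winapp01", 4625, "svc_backup", "Failure Audit",
                  "An account failed to log on", i * 10) for i in range(5)]
    lines.append(make("winapp01", 4624, "alice", "Success Audit",
                      "An account was successfully logged on", 60))
    lines.append(make("winapp01", 1102, "alice", "Success Audit",
                      "The audit log was cleared", 90))
    lines.append("winapp01 MSWinEventLog\tgarbage")   # malformed, must be skipped
    return lines


def run(lines: List[str], threshold: int = 5) -> List[str]:
    """Feed lines through parser and rules; return the alerts raised."""
    engine = AlertEngine(threshold=threshold)
    for raw in lines:
        ev = parse_snare_line(raw)
        if ev is not None:
            engine.process(ev)
    return engine.alerts


if __name__ == "__main__":
    for a in run(build_sample_lines()):
        print(a)
```

In a real deployment the `run()` loop would read from the syslog-ng destination (a program() destination or a file) instead of the constructed list, and the two alert strings would become tickets in whatever incident system you use; the point is that the same loop serves Windows, Linux and appliance logs once they share a stream.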