[syslog-ng] What is the main reason for forward Windows Logs to Linux Box?

Evan Rempel erempel at uvic.ca
Fri Nov 14 17:16:56 CET 2014


On 11/13/2014 11:11 PM, Jason Long wrote:
> Hello Folks.
> How are you?
> I have a question, and please accept my apology if it is silly.
> I forward Windows logs via Snare into my Linux box, but can I ask why a network admin does it?
> Why do some people not use the Windows log program?
> I receive all Windows logs in Linux with Windows Audit and I don't know how I can analyse them easily!!!

These questions depend on your environment and which programs you are using to process/analyse them.
If your environment is 100% windows, then you probably don't want to introduce a Linux system just
to collect your logs. If you have purchased a log analysis solution then you will use whatever
collection toolkit that the solution requires.

I can tell you the reasons that WE forward all of our windows logs to a central PAIR of
Linux syslog-ng systems.

1. Have all of the logs in one stream to see what is happening across the environment.
    We have Windows based applications that might be fouling up, but they are using
    Oracle databases on Linux hosts. Seeing the logs from both of these systems in
    one stream makes troubleshooting much easier.

2. Having logs off-system in near real time. When a host crashes, we can review what happened
    BEFORE bringing the system back on-line. In some cases, this has changed the way we bring the
    system back. This also provides authoritative logs in the event that a host is compromised.

3. Logging to two central syslog-ng servers provides for redundant logging (and alerting - see #5).

4. One stream of logs to archive. We keep our logs for many years in case some kind of
    legal audit or challenge comes our way. All logs in one place makes archiving and auditing
    much easier.

5. With syslog-ng we have written a monitoring and alerting system that processes every syslog event
    and creates incidents/alerts etc. Being able to leverage this across Linux, UPSs, generators, PDUs,
    storage systems, temperature sensors, AND Windows systems is very powerful.

6. Log mining. There are far better tools under Linux to store and search syslog messages.
    Elasticsearch, Kibana, Graylog, Squert, ELSA, Zabbix and lots of others.


-- 
Evan Rempel
Senior Systems Administrator
Data Centre Services, University Systems, University of Victoria
