Thursday, March 16, 2006

Centralized Logging for Windows Using Syslog

I posted the following information on a couple of different blogs several months ago. Since it has a link that I reference regularly, I decided to add it here to keep handy next time I mention it.

Syslog Server: If you choose not to implement a syslog server on a *nix platform, I highly recommend Kiwi Syslog Daemon. There is a free version that should fit most shops' needs and a commercial version for more advanced setups. Whichever server you pick, remember that classic syslog is unauthenticated UDP sent in clear text, so put the collector on a management network rather than an internet-facing interface.

Event Log to Syslog: The Snare Agent is hands-down the best event log to syslog tool out there. It is FREE and supports all event logs, including Security, Application, System, DNS Server and Directory Service (AD).

Microsoft Solutions: Microsoft Operations Manager (MOM) includes the ability to collect all the logs from the servers it monitors, but it is quite expensive if that's all you want to do. The vaporware Microsoft Audit Collection System (MACS) is supposed to put an agent on each server that forwards all the logs back to a central MACS server and stores everything in SQL. Keep holding your breath for that one.

The Microsoft Security Monitoring and Attack Detection Planning Guide is a superb guide for learning what to monitor, and what not to monitor, in a Windows environment. The most useful part of the guide is Appendix A, Exclude Unnecessary Events, which helps trim the feed down to the events that deserve a monkey's precious attention.
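To show what the pieces above actually do on the wire, here is a minimal syslog collector that accepts the kind of UDP syslog traffic an event-log forwarder sends, parses the RFC 3164 PRI and header, and drops event IDs from an exclusion list in the spirit of Appendix A. This is an added example, not code from this post, from Kiwi, or from Snare. The tab-delimited record layout after the hostname (MSWinEventLog, criticality, log name, counter, timestamp, event ID, source, user, SID type, event type, computer, category, message) is an assumption modelled on Snare-style agents, and the excluded IDs and the sample lines are constructed for the example; check your agent's documentation and the guide for the real field order and the real exclusion list.

```python
"""Minimal UDP syslog collector for Windows event-log forwarders.

Added example, not part of the original post, Kiwi, or Snare.  The
tab-delimited record layout below is an ASSUMPTION modelled on Snare-style
agents; check your agent's documentation for the real field order.
"""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Event IDs to discard before storage, in the spirit of "Exclude Unnecessary
# Events".  Constructed sample (Windows 2000/2003 logoff and object-access
# noise), not the guide's list; tune it for your own environment.
EXCLUDED_EVENT_IDS = {538, 560, 562}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header timestamp, e.g. "Mar 16 10:00:00 " or "Mar  6 10:00:00 "
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Assumed agent record, tab-delimited after the syslog hostname:
# MSWinEventLog, criticality, log name, counter, timestamp, event id,
# source, user, SID type, event type, computer, category, message
RECORD_TAG = "MSWinEventLog"
MIN_FIELDS = 13


@dataclass
class Event:
    facility: int
    severity: int
    host: str
    log_name: str
    event_id: int
    source: str
    user: str
    event_type: str
    message: str


def parse_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Split the <PRI> prefix into (facility, severity, remainder)."""
    m = PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    return pri // 8, pri % 8, line[m.end():]


def parse_agent_record(line: str) -> Optional[Event]:
    """Parse one syslog line into an Event, or None if it is not an
    event-log record (bad PRI, no MSWinEventLog tag, too few fields)."""
    parsed = parse_pri(line)
    if parsed is None:
        return None
    facility, severity, rest = parsed
    rest = TIMESTAMP_RE.sub("", rest, count=1)
    parts = re.split(r"[ \t]", rest, maxsplit=1)  # hostname, then record
    if len(parts) != 2:
        return None
    host, record = parts
    fields = record.split("\t")
    if len(fields) < MIN_FIELDS or fields[0] != RECORD_TAG:
        return None
    try:
        event_id = int(fields[5])
    except ValueError:
        return None
    return Event(facility, severity, host, fields[2], event_id, fields[6],
                 fields[7], fields[9], fields[12].strip())


def should_keep(ev: Event) -> bool:
    return ev.event_id not in EXCLUDED_EVENT_IDS


def collect(lines: List[str]) -> Tuple[List[Event], int, int]:
    """Run the filter over raw lines; returns (kept, excluded, malformed).
    Malformed input is counted, never raised: one bad packet must not
    stop the collector."""
    kept, excluded, malformed = [], 0, 0
    for line in lines:
        ev = parse_agent_record(line)
        if ev is None:
            malformed += 1
        elif should_keep(ev):
            kept.append(ev)
        else:
            excluded += 1
    return kept, excluded, malformed


def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Listen for UDP syslog (port 514 needs privileges) and print kept
    events.  Plain syslog is unauthenticated clear text: bind this on a
    management network, not an internet-facing interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            ev = parse_agent_record(data.decode("utf-8", errors="replace"))
            if ev is not None and should_keep(ev):
                print(f"{peer} {ev.host} {ev.log_name}/{ev.event_id} "
                      f"{ev.event_type} {ev.user}: {ev.message}")


def _sample(event_id: str, user: str, event_type: str, message: str) -> str:
    """Build a constructed sample line in the assumed layout (not a capture)."""
    return "<13>Mar 16 10:00:00 DC01 " + "\t".join([
        RECORD_TAG, "1", "Security", "101", "Thu Mar 16 10:00:00 2006",
        event_id, "Security", user, "User", event_type, "DC01",
        "Logon/Logoff", message])


SAMPLE_LINES = [
    _sample("528", "jdoe", "Success Audit", "Successful Logon: Logon Type: 2"),
    _sample("529", "admin", "Failure Audit", "Logon Failure: bad password"),
    _sample("538", "jdoe", "Success Audit", "User Logoff"),
    _sample("560", "svc_backup", "Success Audit", "Object Open"),
    "<13>Mar 16 10:00:03 DC01 unrelated syslog text from another daemon",
    "<999>not a valid PRI value",
]

if __name__ == "__main__":
    import sys
    if "--serve" in sys.argv:
        serve()
    else:
        kept, excluded, malformed = collect(SAMPLE_LINES)
        for ev in kept:
            print(ev.host, ev.log_name, ev.event_id, ev.user, ev.message)
        print(f"kept={len(kept)} excluded={excluded} malformed={malformed}")
```

Run it with no arguments to see the filter applied to the constructed samples (the two logons survive, the logoff and object-access events are excluded, and the two non-record lines are counted as malformed rather than crashing the loop); `--serve` turns it into a real listener. Whatever you drop at this stage is gone for good, so the exclusion set should be the guide's Appendix A applied to your own audit policy, reviewed whenever that policy changes, and not a one-off guess.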
