My next fun logging poll is here - please vote! It is about tools for centralized collection of Windows Event Log from servers and other systems. One of the somewhat surprising discoveries from my previous poll was that few people look at Windows logs; this poll drills down into it.
And, don't forget that the Project LASSO Windows event collector allows people to grab Windows event logs remotely without those hated agents...
Past logging polls and their analysis:
Posted by Anton Chuvakin on March 07, 2008 in Innovation, Log Management & Intelligence, Project Lasso
Dimitri McKay, our network and systems engineer from the East Coast, contributes this fun story: "When I first started at LogLogic, the only option for retrieving Windows logs was via an open source product called Snare. Snare was a simple concept. It would basically tail a Windows event viewer and whenever a new event was written, Snare would convert that to syslog, and send it over the wire (UDP or TCP) to its destination. Basic concept, basic execution.
Now, all of this was well and good, however, I couldn’t help but feel like an agent was not the greatest of solutions. As a former Windows Engineer, I was sort of put off with the idea of agents as a whole. It seemed like everyone was offering agents, and those agents were never happy on my systems in some form or another. So began Project Lasso.
Over some Thai food, Matt Foley, Andrew Morris and myself had a conversation about an agent-less Windows solution, and later that day I found myself writing a PRD for the “Windows Remote Event Collector” which was code named Project Lasso.
The name stuck, and with our 4.0 release I'm really happy with the ongoing development of the product. The concept is simple... Lasso is installed either as an agent to monitor itself, or on a "Project Lasso Server" where it uses WMI connections to connect to the other hosts it will be pulling logs from. There it pulls the string DLLs to a local repository, and then pulls the Windows events themselves. Both the string DLLs and the events are then sent to the receiving syslog or LogLogic appliance where they are parsed and indexed. [Anton: they can also be sent to any other syslog receiver, such as a syslog-ng server]
In 4.0 we added a few features I’m very excited about.
The ability to use custom shares. In version 3.x we needed a Domain Admin account to pull the full Windows events. The Domain Admin account was the only account which had access to:
In Project Lasso 3 if you set some Active Directory policies, you could eliminate the need for a Domain Admin for the registry and event viewer, but not the C$ admin share. The only other account that had access to that was the Backup Administrator. Now, in Project Lasso 4 we don’t have that issue any longer because we can configure just a standard Lasso User account to have access to the registry, the event viewer, and a local drive via a custom share.
The ability to change the Hostlist.ini on the fly: In Project Lasso version 3.x when you added hosts to be monitored, you had to restart the Lasso service. Well, this process became somewhat onerous in that every time an Administrator needed to add new servers/clients to be monitored by Project Lasso he had to restart the service, which would take quite a bit of time to check those string DLLs for changes or additions and then start pushing logs to the destination server. This could sometimes take more than a few minutes depending on the number of hosts. So much for real-time alerting or reporting. None of this is a problem anymore as the Project Lasso service will now grab the new hosts on the next pass.
Shared DLL Repository: Prior to Project Lasso version 4, when a DLL repository was created on the Lasso Server, it downloaded all DLLs for all monitored hosts. This means there were a ton of the same DLLs in the repository, as each machine would most likely have the same DLLs. These folders were about 120 MB in Lasso 3, times the number of hosts you were monitoring. That can be a big storage problem in a short amount of time. In Lasso 4, the DLLs are shared among hosts so it has a much smaller disk space requirement.
In closing, if you're interested in routing Windows Events to a syslog or LogLogic appliance, you can do so via Project Lasso either in agent mode or in agent-less / remote collector mode.
Feel free to check out the always free Lasso 4 on Logforge"
Indeed, Project Lasso is in wide use among LogLogic customers as well as in the broader world. Deal with Windows logs? Grab Project Lasso!
Posted by Anton Chuvakin on September 17, 2007 in Log Management & Intelligence, LogEd, LogMatters, Project Lasso
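The pipeline Dimitri describes above (pull the message "string" DLLs from each host into one shared repository, pull the events, render them, ship them as syslog) is easy to lose among the release notes, so here is an added, self-contained sketch of it. This is illustration code written for this page, not Project Lasso's own source, and it makes no WMI or network calls: the hosts, the DLL bytes, the message templates and the events are all constructed inline, and the syslog format is plain BSD syslog (RFC 3164 style) on facility local0, which is an assumption rather than Lasso's actual output format. The content-addressed repository shows why version 4's shared DLL store needs so much less disk than one copy per host.

```python
"""Agentless-style Windows event forwarder, as an added illustration of the
Lasso pipeline: collect events from several hosts, keep one copy of each
message DLL in a shared repository, render the event text, emit syslog.
All DLL contents, hosts and events below are constructed sample data."""
import hashlib
import re
import socket
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class MessageDll:
    """Stand-in for a message-table ("string") DLL pulled from a host."""
    name: str
    content: bytes      # constructed bytes; a real collector copies the file
    templates: dict     # event_id -> message template with %1, %2 ... inserts


class SharedDllRepository:
    """Content-addressed DLL store: a DLL common to N hosts is kept once."""
    def __init__(self):
        self._by_digest = {}     # sha256 hex -> MessageDll
        self._host_index = {}    # (host, dll name) -> sha256 hex

    def add(self, host, dll):
        digest = hashlib.sha256(dll.content).hexdigest()
        self._by_digest.setdefault(digest, dll)   # a second identical copy is dropped
        self._host_index[(host, dll.name)] = digest
        return digest

    def lookup(self, host, name):
        return self._by_digest[self._host_index[(host, name)]]

    def unique_count(self):
        return len(self._by_digest)

    def total_bytes(self):
        return sum(len(d.content) for d in self._by_digest.values())


@dataclass(frozen=True)
class WinEvent:
    host: str
    log: str            # "Security", "System", "Application" or a custom log
    source: str
    event_id: int
    event_type: str     # Error, Warning, Information, AuditSuccess, AuditFailure
    message_dll: str
    inserts: tuple
    timestamp: datetime


# Windows event types mapped to syslog severities (assumed mapping)
SEVERITY = {"Error": 3, "Warning": 4, "Information": 6,
            "AuditSuccess": 6, "AuditFailure": 4}
FACILITY_LOCAL0 = 16


def render_message(repo, ev):
    """Expand %n placeholders from the event's message DLL with its insert strings."""
    dll = repo.lookup(ev.host, ev.message_dll)
    template = dll.templates.get(ev.event_id, "EventID %d has no message template" % ev.event_id)

    def sub(m):
        idx = int(m.group(1)) - 1
        return ev.inserts[idx] if 0 <= idx < len(ev.inserts) else m.group(0)
    return re.sub(r"%(\d+)", sub, template)


def syslog_line(ev, message):
    """Format one BSD-syslog line: <PRI>Mmm dd hh:mm:ss host tag: message."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY.get(ev.event_type, 5)
    ts = "%s %2d %s" % (ev.timestamp.strftime("%b"), ev.timestamp.day,
                        ev.timestamp.strftime("%H:%M:%S"))
    # Newlines inside insert strings would split the record at the receiver.
    message = " ".join(message.splitlines())
    return "<%d>%s %s %s[%s]: EventID=%d Type=%s %s" % (
        pri, ts, ev.host, ev.log, ev.source, ev.event_id, ev.event_type, message)


def send_udp(lines, receiver=("127.0.0.1", 514)):
    """Ship formatted lines to a syslog receiver over UDP; not called in the sample run."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), receiver)


def collect_sample():
    """Constructed two-host run: both hosts carry the same security message DLL."""
    repo = SharedDllRepository()
    audit_dll = MessageDll("msaudite.dll", b"constructed-dll-bytes-v1" * 1000,
                           {4624: "Logon succeeded. Account: %1 Logon type: %2"})
    for host in ("FS01", "FS02"):
        repo.add(host, audit_dll)           # stored once, indexed for both hosts
    events = [
        WinEvent("FS01", "Security", "Security", 4624, "AuditSuccess", "msaudite.dll",
                 ("CORP\\svc_lasso", "3"), datetime(2007, 9, 17, 8, 5, 9)),
        WinEvent("FS02", "Security", "Security", 4624, "AuditSuccess", "msaudite.dll",
                 ("CORP\\jdoe", "2"), datetime(2007, 9, 17, 8, 5, 10)),
    ]
    lines = [syslog_line(ev, render_message(repo, ev)) for ev in events]
    return repo, lines


if __name__ == "__main__":
    repo, lines = collect_sample()
    print("unique DLLs stored:", repo.unique_count(), "bytes:", repo.total_bytes())
    for line in lines:
        print(line)
```

Two points worth noticing in the sketch: the repository keys DLLs by content hash rather than by host, so adding a third, fourth or hundredth host with the same message DLL costs nothing, and the message rendering happens at the collector, which is exactly why the collector needs the DLLs at all (the event record on the host carries only an ID and the insert strings).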
At Open Source Enterprise, Jon Walker covers open source log management technologies. From the article...
". . . the open source community has been pretty effective in building pieces of log management infrastructure. Syslog-NG enables log collection from Unix servers and network devices, serving as a better replacement for standard syslog daemons than is typically provided by operating system vendors, as a primary example of open source excellence. There are also a huge number of simple scripts and small programs such as logwatch, logsentry, and fwanalog that were written by the open source community over the years to handle specific logs or a particular slice of a log puzzle. At times it seems that it was easier for some people to create their own script instead of looking for one online. However, most of these tools focused on Unix and Linux platforms and largely ignored Windows-based systems."
LogLogic's open source efforts and community-related project, LASSO.
One of the recent open source solutions that enables a critical part of log management is Project LASSO, a Windows-based open source software designed to collect Windows event logs, including custom application logs, and provide for the central collection and transport of Windows log data via TCP syslog to any syslog-NG compatible log receivers. Before Project LASSO, incorporating Windows server and workstation logs in an overall log management process was extremely onerous.
Available under the GNU license, Project Lasso is a LogLogic-sponsored and community-supported open source project that promotes rapid development of innovative technologies for monitoring any kind of Windows-based event. It is hosted at SourceForge.
Check out the entire article here.
Posted by Jill Ratkevic on June 07, 2007 in Project Lasso
It has been a month since the open sourcing of Project Lasso. It has been extremely exciting and rewarding to see the community supporting and embracing the project.
A few quick updates on Project Lasso. First, the official repository for Project Lasso has finally been established on SourceForge. All project releases as well as the source code are now available there. LogLogic is committed to the ongoing development and support of Project Lasso. However, if you would like to contribute, in any form (development, testing, documentation), please do not hesitate to contact us. We are always looking for enthusiastic volunteers.
Second, since the release of Project Lasso, there were close to a thousand downloads of the Project Lasso binary and over 1500 viewings of the documentation. The activity level on lassolog.sourceforge.net remains extremely high and the community has been extremely supportive. We are starting to see Project Lasso used in many IT environments to centrally collect Windows events.
Third, in collaboration with our partner EMC, we have successfully collected audit logs from EMC's Celerra file server using Project Lasso. EMC's Celerra system is a high-performance, highly secured Windows 2003 file server. Because of the hardened security settings, no agent solutions can be installed on the Celerra server. However, with Project Lasso's remote collection mechanism, we were able to collect the extensive file system audit logs provided by Celerra. These audit logs are essential to many companies' security and compliance projects.
Many more exciting updates to come, stay tuned...
- Jian
Posted by Andrew Lark on June 01, 2006 in Log Management & Intelligence, LogLogic News, Project Lasso