[Discuss] Log management options?


Scott Ehrlich

Mar 17, 2012, 1:40:19 AM
to blug
I'm looking for log management options for a network of Windows and
Linux hosts on an isolated network.

I need tcp communication (vs udp) to ensure messages successfully get
passed from client to log server.

Encryption of the message, too, between client and server would be
great. TCP alone would just provide plain-text.

I've been in touch with Intersect Alliance, and they've been extremely
helpful with a myriad of questions I've posed, but I just learned that
their server product requires its own Linux OS, provided by them.   A
bit of a bummer.

Solarwinds, owner of Kiwi, won't return my emails.

Corner Bowl is Windows-centric.

Envision is just way too expensive.

What other products are out there?

Thanks.

Scott
_______________________________________________
Discuss mailing list
Dis...@blu.org
http://lists.blu.org/mailman/listinfo/discuss

Jerry Feldman

Mar 17, 2012, 9:10:41 AM
to dis...@blu.org
On 03/17/2012 01:40 AM, Scott Ehrlich wrote:
> I need tcp communication (vs udp) to ensure messages successfully get
> passed from client to log server.
I'm not going to comment directly on the log server, but on the use of
UDP. At one point I was part of a team to write SNMP agents for various
Unix hosts so Digital could manage a large network. One of the reasons
for NOT using TCP was very simple: if a remote host failed, the TCP
process could hang or at least wait for a timeout. While UDP does not
guarantee delivery and the sending host is not notified of a failure,
the application can implement a reliable system using UDP. In the case
of SNMP, the server would send messages to the clients, and expect the
clients to respond. But because of the different networks and speeds,
the responses can come back at many different times. The application
handles this very well. If one of the clients fails to respond in a
given window, SNMP will mark that client as offline. So, basically, your
requirement is a reliable network.

There are many logging solutions available. Here is one that might
require some work: Enhance Security with a Linux Logging Server:
http://goo.gl/gb0tU

--
Jerry Feldman <g...@blu.org>
Boston Linux and Unix
PGP key id:3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 C0AF 7CEA 30FC 3BC1 EB90
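Jerry's point is that reliability can live in the application rather than in the transport. The following is an added Python example written for this thread, not code from Jerry or from any product mentioned here: a toy log collector on loopback that ACKs every datagram and de-duplicates retransmits, and a forwarder that retransmits on timeout and, after a fixed number of tries, marks the collector offline and moves on instead of blocking. The hostnames, message texts, the one-time "lost" ACK and the silent collector are all constructed to exercise the two failure modes. Note what this scheme does and does not give: at-least-once delivery with idempotent storage, but no confidentiality, so the encryption requirement in the original post is still a separate problem.

```python
"""Application-layer reliability over UDP: ACK, retransmit, de-duplicate.

Added example (not from the thread): a toy log collector and forwarder on
loopback.  Hostnames, messages and the simulated ACK loss are constructed.
"""
import json
import socket
import threading

LOOPBACK = "127.0.0.1"


class Collector:
    """Stores each (host, seq) once and ACKs every copy it receives."""

    def __init__(self, drop_ack_once=()):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((LOOPBACK, 0))          # let the OS pick a free port
        self.sock.settimeout(0.05)             # so the serve loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.received = {}                     # (host, seq) -> message text
        self.duplicates = 0                    # retransmits of already-stored events
        self._drop_once = set(drop_ack_once)   # seqs whose first ACK is "lost" (simulation)
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                data, addr = self.sock.recvfrom(4096)
            except socket.timeout:
                continue
            try:
                rec = json.loads(data.decode("utf-8"))
                key = (rec["host"], int(rec["seq"]))
            except (ValueError, KeyError, TypeError):
                continue                       # malformed datagram: drop it, never crash
            if key in self.received:
                self.duplicates += 1           # already stored: ACK again, store nothing
            else:
                self.received[key] = rec["msg"]
            if key[1] in self._drop_once:
                self._drop_once.discard(key[1])
                continue                       # simulate a lost ACK exactly once
            self.sock.sendto(b"ACK %d" % key[1], addr)


def forward(host, messages, port, timeout=0.2, retries=3):
    """Send each message in order, wait for its ACK, retransmit on timeout.

    Returns (delivered, retransmissions, offline).  offline is True when a
    message got no ACK after `retries` attempts: the collector is marked down
    and the caller moves on instead of blocking as a stuck TCP connection would.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    delivered = retransmissions = 0
    try:
        for seq, msg in enumerate(messages, start=1):
            datagram = json.dumps({"host": host, "seq": seq, "msg": msg}).encode("utf-8")
            want = b"ACK %d" % seq
            acked = False
            for attempt in range(retries):
                if attempt:
                    retransmissions += 1
                sock.sendto(datagram, (LOOPBACK, port))
                try:
                    while not acked:           # read until our ACK or the timeout
                        reply, _ = sock.recvfrom(64)
                        acked = reply == want  # stale ACKs for older seqs are skipped
                except (socket.timeout, ConnectionRefusedError):
                    pass                       # ICMP unreachable surfaces as refused on some OSes
                if acked:
                    break
            if not acked:
                return delivered, retransmissions, True
            delivered += 1
    finally:
        sock.close()
    return delivered, retransmissions, False


def demo():
    """Scenario 1: collector up, ACK for seq 2 lost once.  Scenario 2: collector silent."""
    live = Collector(drop_ack_once=[2]).start()
    try:
        ok = forward("lnx01", ["sshd: Accepted publickey for alice",
                               "sshd: Failed password for bob",
                               "kernel: usb 1-1: new storage device"], live.port)
    finally:
        live.stop()
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind((LOOPBACK, 0))                 # bound but never answers: a "dead" collector
    try:
        down = forward("win07", ["Security: EventID=4625 User=bob"],
                       silent.getsockname()[1], timeout=0.1, retries=2)
    finally:
        silent.close()
    return ok, down, live.duplicates, sorted(live.received)


if __name__ == "__main__":
    print(demo())
```

Running it shows scenario 1 delivering all three events with exactly one retransmission and one duplicate absorbed by the collector, and scenario 2 giving up after the configured retries with the collector flagged offline. The sequence number per host is what makes retransmits harmless; without it, the retry that guarantees delivery would also duplicate the audit record.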


Scott Ehrlich

Mar 17, 2012, 10:31:48 AM
to blug
On Sat, Mar 17, 2012 at 1:40 AM, Scott Ehrlich <sreh...@gmail.com> wrote:
> I'm looking for log management options for a network of Windows and
> Linux hosts on an isolated network.
>
> I need tcp communication (vs udp) to ensure messages successfully get
> passed from client to log server.
>
> Encryption of the message, too, between client and server would be
> great. TCP alone would just provide plain-text.
>
> I've been in touch with Intersect Alliance, and they've been extremely
> helpful with a myriad of questions I've posed, but I just learned that
> their server product requires its own Linux OS, provided by them.   A
> bit of a bummer.
>
> Solarwinds, owner of Kiwi, won't return my emails.
>
> Corner Bowl is Windows-centric.
>
> Envision is just way too expensive.
>
> What other products are out there?
>
> Thanks.
>
> Scott

Someone asked me what my goal was -

I want to have a central location (database/file on a server) where
successful and failed login attempts, objects accessed, system events
such as discs inserted and data copied, are stored, machine powered
up/down, media added/removed (usb devices, etc) along with machine
name/ip and user, and an easy way to sort by user, date, time, status
(success/failure), etc, for a given period of time, that period
defined by the auditor.

All events in the central database should mirror the events stored on
the respective local machine they are sent from - thus the log server
would have just a copy of what the local machine has.

The above should be for both Linux and Windows systems.
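The goal described in this post, a central store where login successes and failures, device events and the like can be sorted by user, date, time and status for an auditor's window, amounts to a parse-and-query problem once the lines arrive. The following is an added Python example (not from the thread, and not any vendor's product): it parses RFC 3164 style syslog lines into normalised rows, loads them into SQLite, and answers auditor queries with a time window and filters. The sample lines, hostnames, users and addresses are constructed to resemble OpenSSH output and a key=value Windows agent format; RFC 3164 timestamps carry no year, so the code assumes 2012 for the sample.

```python
"""Central audit store: parse forwarded syslog lines into SQLite and query them.

Added example (not from the thread): the line formats, hostnames, users and
addresses below are constructed to look like sshd and a Windows agent.
RFC 3164 timestamps carry no year, so the caller supplies one (assumed 2012).
"""
import re
import sqlite3
from datetime import datetime

# Constructed sample input; the last line is deliberately not syslog.
SAMPLE_LINES = [
    "<86>Mar 17 09:12:01 lnx01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "<86>Mar 17 09:12:44 lnx01 sshd[2210]: Failed password for bob from 10.0.0.9 port 50130 ssh2",
    "<86>Mar 17 09:13:02 lnx01 sshd[2212]: Failed password for invalid user admin from 10.0.0.9 port 50131 ssh2",
    '<14>Mar 17 09:15:30 win07 Security: EventID=4624 User=carol Status=Success LogonType=2',
    '<14>Mar 17 09:16:10 win07 Security: EventID=4625 User=bob Status=Failure LogonType=2',
    '<14>Mar 17 09:20:00 win07 System: EventID=2003 User=carol Status=Success Msg="USB storage device installed"',
    "this line is not syslog at all",
]

# RFC 3164 header: <PRI>TIMESTAMP HOST TAG[PID]: MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH authentication outcome lines
SSHD = re.compile(r"^(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# key=value pairs, values optionally double-quoted (the constructed Windows agent format)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line, year=2012):
    """Return a normalised event dict, or None if the line is not syslog."""
    m = HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    pri = int(m["pri"])
    rec = {"ts": ts.strftime("%Y-%m-%d %H:%M:%S"), "host": m["host"], "app": m["app"],
           "facility": pri >> 3, "severity": pri & 7,
           "user": None, "src_ip": None, "status": None, "msg": m["msg"]}
    s = SSHD.match(m["msg"])
    if s:
        rec["user"], rec["src_ip"] = s["user"], s["ip"]
        rec["status"] = "success" if s["outcome"] == "Accepted" else "failure"
    else:
        kv = {k: v.strip('"') for k, v in KV.findall(m["msg"])}
        rec["user"] = kv.get("User")
        rec["status"] = kv["Status"].lower() if "Status" in kv else None
    return rec


def build_store(lines, year=2012):
    """Load lines into an in-memory SQLite table; return (conn, unparsed_count)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE events (
                        ts TEXT, host TEXT, app TEXT, facility INTEGER, severity INTEGER,
                        user TEXT, src_ip TEXT, status TEXT, msg TEXT)""")
    rows = [r for r in (parse_line(l, year) for l in lines) if r]
    conn.executemany(
        "INSERT INTO events VALUES (:ts, :host, :app, :facility, :severity, :user, :src_ip, :status, :msg)",
        rows)
    conn.commit()
    return conn, len(lines) - len(rows)


def query(conn, user=None, status=None, host=None, start=None, end=None):
    """Auditor view: filter by user / status / host and a [start, end) window, newest first.

    Filters are bound as parameters, never spliced into the SQL text, so a
    user name taken from an untrusted log line cannot alter the query.
    """
    clauses, params = [], []
    for col, val in (("user", user), ("status", status), ("host", host)):
        if val is not None:
            clauses.append(col + " = ?")
            params.append(val)
    if start is not None:
        clauses.append("ts >= ?")
        params.append(start)
    if end is not None:
        clauses.append("ts < ?")
        params.append(end)
    sql = "SELECT ts, host, user, src_ip, status, msg FROM events"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return conn.execute(sql + " ORDER BY ts DESC", params).fetchall()


if __name__ == "__main__":
    conn, unparsed = build_store(SAMPLE_LINES)
    print("unparsed lines:", unparsed)
    for row in query(conn, status="failure", start="2012-03-17 09:00:00", end="2012-03-18 00:00:00"):
        print(row)
```

Two details matter for the audit use case. Lines the parser cannot read are counted rather than silently dropped, so the "mirror of the local machine" requirement can be checked by comparing counts against the source host. And every filter value is passed as a bound parameter: log contents are attacker-influenced text (a user name is whatever the remote side typed at the login prompt), so they must never be concatenated into the query.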

Jerry Feldman

Mar 17, 2012, 10:54:43 AM
to dis...@blu.org
On 03/17/2012 10:31 AM, Scott Ehrlich wrote:
This is essentially the goal of SNMP. Also, have you looked at Splunk?
Rajiv gave a talk on Splunk in 2007 at the BLU. I've had a few requests
on it.
As I mentioned before, UDP tends to be more widely used for network
monitoring because it is connectionless. Today, with
multi-core/multi-thread systems, the timeout associated with the use of
TCP for network monitoring is less of an issue, but it still adds some
overhead you don't have with UDP. For instance, with TCP, for each host,
you have to establish a connection. This takes time. Once you have
established the connection, if the host dies, there will be a timeout
before your application gets a disconnect. With UDP, you send out
messages to all your hosts being monitored. Those that respond are good.
Those that don't are bad. Everything is dependent upon the network
monitoring software. If you want to encrypt, it is up to the
application. You can use UDP to measure latency as well as TCP, or your
app can use ICMP. In any case, based on my experience, connectionless is
better for network monitoring. Additionally, TCP takes up 1
port for each connection. It is a dynamically assigned port, but when
you are monitoring thousands of hosts, it becomes significant, whereas UDP
requires 1 port to listen on. All of what you want is available to
monitor systems. Maybe we could have someone talk about Splunk in April,
July or August.

Tom Metro

Mar 17, 2012, 4:00:13 PM
to Scott Ehrlich, L-blu
Scott Ehrlich wrote:
> I'm looking for log management options for a network of Windows and
> Linux hosts on an isolated network.
>
> I need tcp communication (vs udp) to ensure messages successfully get
> passed from client to log server.
>
> Encryption of the message, too, between client and server would be
> great. TCP alone would just provide plain-text.

rsyslog comes to mind:
http://www.rsyslog.com/

It's a jazzed up syslogd (drop-in replacement) that provides reliable[1]
and encrypted[2] transport options between the client and server. It
supports a bunch of back-ends (files, databases). Filtering rules. And
you can extend it with plugins.

Debian has chosen it as their default logging process.

Looks like they have a Windows client.

-Tom

1. http://www.rsyslog.com/doc/rsyslog_reliable_forwarding.html
2. http://www.rsyslog.com/doc/rsyslog_secure_tls.html

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
