Tuesday, 4 December 2007

Logging

Some tools to consider for log aggregation
Numerous commercial tools exist, but you do not need to pay a fortune to enable logging in your organisation. I have included a few options in this post.

Syslog
This is an easy-to-configure tool that is available by default on Unix and most network devices, and it can also be added to Windows as a third-party product (some commercial, some free). It runs over UDP port 514.

Modular Syslog
This is a replacement for syslog. It can be configured to use TCP and encryption, and it also supports sending logs to MySQL. This is a powerful, functional tool.

Syslog-ng
Syslog-ng accepts logs over either TCP or UDP; for TCP, however, syslog-ng is required at both ends. It supports content-based filtering to sort and organise logs, with an extensible set of facilities and severities. Encryption and authentication are supported and, best of all, it can be run on a chroot'd system.
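As an added example (not from the original post), here is what those features look like in a syslog-ng configuration: a TLS-protected TCP listener that authenticates clients by certificate, facility- and severity-based filters routing to separate files, and the matching client-side destination for the other end of the TCP link. The hostname logs.example.com, the certificate and log paths are assumed placeholders, and the network() driver syntax is that of current syslog-ng 3.x rather than the tcp() driver of the 2007 releases.

```conf
# Central collector (server side). logs.example.com and all paths are
# assumed placeholders; adjust to your environment.
@version: 3.29

options {
    keep-hostname(yes);      # keep the hostname supplied by the client
    create-dirs(yes);        # let file() create per-host directories
};

# TCP listener with TLS: clients must present a certificate signed by a
# CA in ca-dir, so this gives both encryption and client authentication.
source s_remote_tls {
    network(
        ip("0.0.0.0") port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/key.d/server.key")
            cert-file("/etc/syslog-ng/cert.d/server.crt")
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)
        )
    );
};

# Content-based filtering on facility and severity.
filter f_auth   { facility(auth, authpriv); };
filter f_urgent { level(crit..emerg); };

destination d_auth   { file("/var/log/remote/${HOST}/auth.log"); };
destination d_urgent { file("/var/log/remote/urgent.log"); };

log { source(s_remote_tls); filter(f_auth);   destination(d_auth); };
log { source(s_remote_tls); filter(f_urgent); destination(d_urgent); };

# Client side: forward local logs to the collector over TLS, presenting
# the client certificate so the collector can authenticate this host.
# (This block belongs in the client's syslog-ng.conf, not the server's.)
source s_local { system(); internal(); };
destination d_collector {
    network("logs.example.com" port(6514) transport("tls")
        tls(
            key-file("/etc/syslog-ng/key.d/client.key")
            cert-file("/etc/syslog-ng/cert.d/client.crt")
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)
        )
    );
};
log { source(s_local); destination(d_collector); };
```

For the chroot'd deployment the post mentions, start the daemon with `syslog-ng --chroot /var/chroot/syslog-ng --user syslog` (assumed directory and account); the certificate and log paths above are then resolved relative to that root.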

What Next?
What do you do with your logs now that you have them? Here again there are a number of free tools.

SNARE
This will send your Windows event logs to syslog.

SPLUNK
This is a simple search tool for your logs. Think of it as "Google" for your logs: it lets you find log information through a search.

The best for last.
Distributed Aggregation for Data analysis (DAD)
DAD is a Windows event log and syslog management tool that allows you to aggregate logs from hundreds to thousands of systems in real time. DAD requires no agents on the servers or workstations. Correlation and analysis are driven through a web front end.

It is still early days for this product, but keep watching. This is a powerful tool!
