1. Our brilliant field engineer Dimitri McKay talks about the eternal topic of converting Windows event logs to syslog. Yes, Eric, we ALL know it is ugly, but that is the only way that actually works well across all systems ...
2. More on Windows and syslog: "Syslog ... 20 Years Later."  BTW, this is really not about syslog, but about Vista/2k8 finally getting an ability to natively centralize the event logs via event subscriptions ("It's only about twenty years behind schedule, if you're counting.")
3. Two fun pieces on correlation: 1 and 2. What often kills "a log correlation project"? "Whoever had worked on it had not had much time available to learn the way to properly configure the software" (from this)  and "correlation only really works when backed up by real data about what is the biggest problem in your environment, and how that problem manifests itself in the event logs." (from this) None of this is new, but a useful reminder nonetheless
4. Fun LogLogic podcast is here. The topic of this high-level discussion (CEO) is related to operational use for logs. I did one with them too; on logs and virtualization (will be up soon)
5. A couple of good posts on logging from Nemertes Research: "Sharpening Stones and Walking on Coals",  "Search or Destroy"
6. Reminder about a few useful Windows Vista and 2k8 events: 4802 (screensaver engaged) and 4803 (screensaver dismissed)
7. One person is wondering about the usefulness of logging after "experiencing" Linux auditd logging (kernel audit): "Logs are like a warm blanket; verbose logging means you can know what's happening on your systems if you keep up with the logs.  At the same time, logs become a burden very very easily, and they are easy to ignore." This post is a must read for us logging afficionados; producing too much log data is a sure way to make people hate you...
8. This also follows the same theme: people doubting the god-like power of logs :-) "So for an administrator to not care about logs was a shock." But would I argue that "log management is NOT a pain?" Now, would I? :-)
9. A classic about logging for application developers: "Building Secure Applications: Consistent Logging."  I am noticing a lot more discussions about logging in a developer community, e.g. see this and this (the latter, BTW, contains a lot of info on "why log" for developers). Overall, "getting logging right" is important (and will get more important in the future) and people need something NOW and cannot wait for the standards.  BTW, I am planning a mini-crusade on how to train application developers to include useful logging in their applications...
10. Finally, the "Is SIEM dead?" theme is continued in this fun post "Life after SIEM. Situational Awareness is next." Indeed, context is key for logs. BTW, if somebody mentions that I have "vendor bias", I will kick your ass! :-)

Enjoy!

Anybody remember that slick marketing line?  You are a winner if you picked OS/2. OK I will admit it, I was an OS/2 user. I liked it much better than Windows 3.1 and used it even after Windows 95 came out. I still think it was a superior product to anything that the guys from Redmond put out.  Why don't we all run OS/2 today instead of Windows?  Good question, I ask myself that all the time.  Some say it is because Microsoft used strong arm tactics to persuade ISV's from developing apps for OS/2.  That may be true, but for me the real problem was IBM's strategy was instead of fighting the fight to get OS/2 apps developed, they said go ahead and run Windows and DOS apps on OS/2, we can run them better.  They could, but at the end of the day they were still Windows and DOS apps and this gave Microsoft an inherent advantage that could not be overcome.

I was reminded of this today while reading an article in eWeek by Joe Wilcox on how Microsoft is in so much trouble and how nobody is using Vista (better not tell the 100 million or so users of Vista that). Joe points out the recent Gartner report that says Microsoft is headed for a train wreck around 2011 or so because Windows is vulnerable (to competition that is, not necessarily to vulnerabilities.  Well actually it is vulnerable to those too, but that is for another blog).  Not to be outdone by the G-men, straight off the shrimp boat the Forest-er Gump crew come out with a pair of reports (here and here), that detail Vista's adoption issues.  The net of one is that while tech folks see the benefit of upgrading to Vista, it is a tough sell to the CIOs and CFOs of the world.  Many according to the article are saying they will wait for Windows 7, whenever that comes out.  I don't buy this myself. I remember similar talk when XP came out. 

Where I really disagree with Wilcox though is his comments regarding Mac OSX replacing Windows in the enterprise:

I disagree that Mac OS X is no alternative, particularly when businesses must swap out hardware anyway and Exchange-supporting Office 2008 is available. Mac OS X nicely plugs into Active Directory. I don't expect massive conversions to Mac OS X, but I strongly disagree with contention that it's "simply not a viable option."

What will enable this Mac revolution? Virtualization according to Wilcox and those who believe as he does. This is where they step in the footsteps of OS/2 before them.  If OSX is a better OS, fine. But don't fool yourself. If you are going to rely on Microsoft Exchange, Microsoft AD and other Microsoft server products plus Microsoft applications and you are going to run your Mac hardware running Windows in a virtual hypervisor on top of it, you are just a "better Windows than Windows" but you still run Windows.  Microsoft will use its stranglehold on the applications to make sure that they run better, faster, cheaper on the real Windows.

Gartner, Forester and Joe Wilcox miss the point here.  Windows will not be in serious danger of losing its preeminent position on the desktop until there are enough applications that run natively on another OS and don't run on Windows.  I don't see many application developers willing to walk away from the Windows market for that to be a reality.  That makes desktop Linux, Mac OS and the rest just more OS/2s.

Anybody remember that slick marketing line?  You are a winner if you picked OS/2. OK I will admit it, I was an OS/2 user. I liked it much better than Windows 3.1 and used it even after Windows 95 came out. I still think it was a superior product to anything that the guys from Redmond put out.  Why don't we all run OS/2 today instead of Windows?  Good question, I ask myself that all the time.  Some say it is because Microsoft used strong arm tactics to persuade ISV's from developing apps for OS/2.  That may be true, but for me the real problem was IBM's strategy was instead of fighting the fight to get OS/2 apps developed, they said go ahead and run Windows and DOS apps on OS/2, we can run them better.  They could, but at the end of the day they were still Windows and DOS apps and this gave Microsoft an inherent advantage that could not be overcome.

I was reminded of this today while reading an article in eWeek by Joe Wilcox on how Microsoft is in so much trouble and how no body is using Vista (better not tell the 100 million or so users of Vista that). Joe points out the recent Gartner report that says Microsoft is headed for a train wreck around 2011 or so because Windows is vulnerable (to competition that is, not necessarily to vulnerabilities.  Well actually is vulnerable to those too, but that is for another blog).  Not to be outdone by the G-men, straight off the shrimp boat the Forest-er Gump crew come out with a pair of reports (here and here), that detail Vista's adoption issues.  The net of one is that while tech folks see the benefit of upgrading to Vista, it is a tough sell to the CIOs and CFOs of the world.  Many according to the article are saying they will wait for Windows 7, whenever that comes out.  I don't buy this myself. I remember similar talk when XP came out. 

Where I really disagree with Wilcox though is his comments regarding Mac OSX replacing Windows in the enterprise:

I disagree that Mac OS X is no alternative, particularly when businesses must swap out hardware anyway and Exchange-supporting Office 2008 is available. Mac OS X nicely plugs into Active Directory. I don't expect massive conversions to Mac OS X, but I strongly disagree with contention that it's "simply not a viable option."

What will enable this Mac revolution? Virtualization according to Wilcox and those who believe as he does. This is where they step in the footsteps of OS2 before them.  If OSX is a better OS, fine. But don't fool yourself. If you are going to rely on Microsoft Exchange, Microsoft AD and other Microsoft server products plus Microsoft applications and you are going to run your Mac hardware running Windows in a virtual hypervisor on top of it, you are just a "better Windows than Windows" but you still run Windows.  Microsoft will use its stranglehold on the applications to make sure that they run better, faster, cheaper on the real Windows.

Gartner, Forester and Joe Wilcox miss the point here.  Windows will not be in serious danger of losing its preeminent position on the desktop until there are enough applications that run natively on another OS and don't run on Windows.  I don't see many application developers willing to walk away from the Windows market for that to be a reality.  That makes desktop Linux, Mac OS and the rest just more OS/2s.

So, what catches your eye first? Despite the fact that I was trying hard to list most of the tools that collect Windows logs known to humankind (and certainly, I thought I included ALL of the popular ones), response 'Other' is #1 by popularity. Now, the 'Other' option had a write-in field that is not visible online, but accessible to poll owner (i.e. me). What  dark and mysterious tool hides in there under the guise of 'Other'?  Well, this is where the controversy lies: out of 37 people who chose 'Other', 15 wrote in 'sp1unk.' Now, given that the Windows version was released only a couple of days before my poll, I refuse to believe that.

Second, as one can guess, using Snare agent for converting Windows event logs into syslog is the next popular (after 'Other'). This is definitely what I expected. Snare is a safe choice that everybody knows (but it is an agent)

Third, 'voting "no"' (i.e. 'We don't collect windows logs centrally') is next; in fact, it is not statistically different from the previous choice: Snare. This reflects the sad reality of Windows logging: people just do not collect them and then, when needed , they try to desperately reach for the logs stored on each server (and, obviously, often not finding them there). Will Windows 2008 (which does have its own WS-based log centralization system) change that? Probably!

Fourth, despite the fact that everybody hates agents, remote Windows collectors, such as ProjectLASSO, are less popular. In fact, most people who use a remote collector, use a commercial (WMI- or RPC-based) remote collector from their SIEM or log management vendor.

Fifth, OSSEC rises above the crowd of other remaining tools. This is definitely an interesting discovery as well.

Finally, on a somewhat humorous note, if one combines "We don't collect Windows logs centrally", "We ignore Windows logs" and "We are waiting for Windows to support syslog natively", the total count will reach 35% times and will exceed any other option, including 'Other', Snare, etc.

So, this poll reflects a sad state of affairs with Windows logging; let's hope that W2k8 will change that...