3

I'm looking for some program or utility to create a centralized log monitoring server for a mixed Windows and Linux environment. Any suggestions? Essentially we want a place to look at the system and event logs for over 100 servers. Free is always better

Fishwalker

4 Answers

3

Splunk

http://www.splunk.com

I think your overall best option is probably to go with Splunk since you're in a mixed environment. Depends on how much you want to log and if you can afford to pay. If you're selective about what you want to log you might just be able to get away with it for free.


OSSEC

http://www.ossec.net

While not EXACTLY what you're looking for, OSSEC will aggregate all of your logs to a single server with a fairly small amount of configuration. OSSEC can also integrate with Splunk which makes it even more interesting. Here's a snippet from their home page:

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.


Roll your own

This appears to be an older post but it might help anyway:

http://www.johnhsawyer.com/2006/03/centralized-logging-for-windows-using.html

You can also take a look at a previous question I answered here regarding sending log files securely to syslog-ng (at least for the Linux side, anyway):

How would you send syslog *securely* over the public Internet?

Hope this helps.

KPWINC
1

I'd recommend EventSentry since I work at the company that makes it. I don't want to turn this into an advertisement so I'll leave it at that.

Tamerz
1

If you're stupidly wealthy, Splunk is pretty deadly. If you're not, it may be worth looking at some combination of syslog (-ng or rsyslog), OSSEC HIDS, and Octopussy.

Since writing this, several interesting options have shown up for this. Logstash, Graylog2, and ELSA all seem to replicate most of the features of Splunk, and are free/OSS.

Really though, you probably want Splunk.

Cian
0

Splunk!!!! Splunk!!! Splunk!!!! I use it for a mix of networking devices, Linux, Solaris, Windows. The only issue is that to keep under the free level, you need to be very specific about what logs you want to keep, but I found that as long as I was diligent in cutting down on chatter, and really only logging the info I needed, I had no problem.

http://www.splunk.com/

breadly
  • For Splunk? Yeah. Love it... or rather more specifically, I loved the solution I was able to get to Pointy Haired bosses. "WOW!!! Pictures that move" – breadly Sep 14 '09 at 17:21
  • lol. pictures that move. My only issue with splunk is in my environment, the things i NEED to log, are way way over 500mb / day. – grufftech May 21 '10 at 13:26
  • Yeah... that is the issue. When I originally spec'd it out, I think the cost was 100k :-( I eventually scaled it down to just critical systems. – breadly Jun 04 '10 at 15:56
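Two of the answers above come down to the same plumbing: KPWINC's "roll your own" route (Linux syslog plus a Windows agent forwarding into syslog-ng or rsyslog) needs a central receiver that understands what each platform sends, and breadly's and grufftech's point about trimming chatter to stay under Splunk's free daily volume needs that receiver to decide what is worth keeping and to know how much it is keeping. The script below is an added example, not code from any of the answers or from Splunk, OSSEC, syslog-ng or rsyslog. It assumes Linux hosts forward plain RFC 3164 syslog and Windows hosts forward events as a Snare-style tab-separated syslog line; the Snare field positions, host names, users and the events in the sample are constructed, the noise rule is a placeholder to tune per environment, and the 500 MB/day figure from the comments is used only as a configurable quota.

```python
import re
import socketserver
from collections import Counter

# Constructed sample traffic, as it would arrive on a central syslog listener.
# Lines 1-2: Linux rsyslog/syslog-ng output (RFC 3164). Line 3: a Windows event
# forwarded by a Snare-style agent as one tab-separated syslog line. Hosts, IPs,
# users and the event itself are made up for this example.
SAMPLE_LINES = [
    "<86>Mar 14 10:01:22 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51422 ssh2",
    "<30>Mar 14 10:01:23 db01 CRON[8812]: (root) CMD (run-parts /etc/cron.hourly)",
    "<13>Mar 14 10:01:25 WIN-FS01 MSWinEventLog\t1\tSecurity\t4625\tSat Mar 14 10:01:25 2009\t4625"
    "\tMicrosoft-Windows-Security-Auditing\tN/A\tFailure Audit\tWIN-FS01\tLogon\t\tAn account failed to log on.",
]

# <PRI>TIMESTAMP HOST BODY  (RFC 3164 header; PRI = facility * 8 + severity)
HEADER_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# Linux body: "program[pid]: message" or "program: message"
TAG_RE = re.compile(r"^([^\[:\s]+)(?:\[(\d+)\])?: (.*)$", re.S)


def parse_syslog(line):
    """Normalise one received line into a dict, or return None if it is not syslog."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri, timestamp, host, body = m.groups()
    pri = int(pri)
    rec = {"facility": pri // 8, "severity": pri % 8, "timestamp": timestamp,
           "host": host, "raw": line}
    if body.startswith("MSWinEventLog\t"):
        # Assumed Snare-style field order: tag, criticality, log name, event id, date,
        # event id, source, user, event type, host, category, ..., message (last field).
        f = body.split("\t")
        rec.update(source="windows", program=f[6], log=f[2], event_id=int(f[3]),
                   event_type=f[8], pid=None, message=f[-1])
    else:
        t = TAG_RE.match(body)
        if t:
            rec.update(source="linux", program=t.group(1), pid=t.group(2), message=t.group(3))
        else:
            rec.update(source="linux", program=None, pid=None, message=body)
    return rec


# "Chatter" you would not ship to a metered indexer. Each rule returns True to drop.
# Constructed placeholder rule; tune per environment.
NOISE_RULES = [
    lambda r: r["source"] == "linux" and r["program"] == "CRON" and r["severity"] >= 6,
]


def is_noise(rec):
    return any(rule(rec) for rule in NOISE_RULES)


def needs_attention(rec):
    """Worth an alert regardless of volume: err-or-worse, or a Windows failure audit."""
    return rec["severity"] <= 3 or rec.get("event_type", "").startswith("Failure")


def ingest(lines, daily_quota_bytes=500 * 1024 * 1024):
    """Parse, filter and account for a batch of raw lines. Returns what was kept and
    dropped, which records need attention, and the indexed volume against the quota."""
    kept, dropped, alerts = [], [], []
    volume = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or is_noise(rec):
            dropped.append(line)
            continue
        kept.append(rec)
        if needs_attention(rec):
            alerts.append(rec)
        volume[rec["host"]] += len(line.encode("utf-8")) + 1  # +1: newline on disk
    total = sum(volume.values())
    return {"kept": kept, "dropped": dropped, "alerts": alerts,
            "bytes_by_host": dict(volume), "total_bytes": total,
            "quota_fraction": total / daily_quota_bytes}


class SyslogUDPHandler(socketserver.BaseRequestHandler):
    """Minimal UDP syslog receiver: each datagram goes through the same pipeline."""

    def handle(self):
        data = self.request[0].decode("utf-8", errors="replace").rstrip("\r\n")
        for rec in ingest([data])["alerts"]:
            print(f"ALERT {rec['host']} {rec['program']}: {rec['message']}")


if __name__ == "__main__":
    summary = ingest(SAMPLE_LINES)
    print(f"kept={len(summary['kept'])} dropped={len(summary['dropped'])} "
          f"alerts={len(summary['alerts'])} bytes={summary['total_bytes']} "
          f"quota_used={summary['quota_fraction']:.6%}")
    # To actually listen (port 514 needs privileges; 5514 is a constructed alternative):
    # socketserver.UDPServer(("0.0.0.0", 5514), SyslogUDPHandler).serve_forever()
```

Run as-is it processes the constructed sample: the cron line is dropped as chatter, the ssh login and the Windows failure audit are kept, the failure audit is flagged, and the byte count per host shows how much of the daily quota that traffic would consume. Transport security is deliberately left to the forwarders (TLS in rsyslog or syslog-ng, which the linked question covers); this receiver only does the parsing and keep/drop decision that a roll-your-own setup needs before anything reaches Splunk, OSSEC or a local store.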