Friday, June 08, 2007

On LASSO and Windows Logging

So, here is the paper that I was involved in on Project LASSO.

"One of the recent open source solutions that enables a critical part of log management is Project LASSO, a Windows-based open source software designed to collect Windows event logs, including custom application logs [AC - that go into Event Log], and provide for the central collection and transport of Windows log data via TCP syslog to any syslog-NG compatible log receivers. Before Project LASSO, incorporating Windows server and workstation logs in an overall log management process was extremely onerous."

The main thing that puzzles me about Project LASSO is that many people still don't know that "agentless"/remote Windows event log collection is actually easy and free (with LASSO). I continue to come across folks who are stuck in the 90s and think that "Windows logging = agents." No!!! Nooo!! Noooooo! :-)

5 comments:

Augusto Barros said...

Anton,

I was surprised, when reading the Lasso User Guide, that it needs administrator rights on the machines that will be monitored. Tools that access the event log usually only need the "Manage Auditing And Security Log" right. Did you try it only with that level of permissions?

Anton Chuvakin said...

>needs administrator rights on the machines

Well, LASSO needs admin for two tasks: access to security log (admin-only, no separate permission to allow this) and access to some DLLs to dereference a few of the IDs.

We did update LASSO (in version 4.0 - to come out in a few weeks) to only use admin access for a short time and then run without it.

Anonymous said...

Well, actually Lasso does not need admin rights per se.

The only reason it can be said to need those is when it copies those resource DLLs.

Otherwise, there's a separate right for giving access to the security log, or you can change the ACL to give read-only access to a certain account on those versions of Windows which do not have that right.

So, one way to handle this is to run Lasso for a while until it has collected those custom (extra) DLLs and then turn the account into a normal user in the way described above - this is what we did with it.

Anonymous said...

Installing and configuring Lasso is easy; however, is there a howto somewhere that talks about configuring syslog-ng to receive messages from Lasso?

Anton Chuvakin said...

Well, no magic needed - just point LASSO to syslog-ng and watch the data flow....
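Since the post describes LASSO shipping Windows event logs over TCP syslog and the question above asks what the syslog-ng side looks like, here is a minimal receiver configuration. It is an added example, not part of the post or of the LASSO project, and it assumes classic syslog-ng (2.x/3.x) configuration syntax, that LASSO has been pointed at this host on TCP port 514 (use whatever port you actually configured in LASSO), and that the collectors live in the placeholder subnet 10.0.0.0/24.

```conf
# Added example: syslog-ng receiver for Windows event logs sent by LASSO.
# Assumptions: LASSO is configured to send TCP syslog to this host on port 514,
# and the collectors sit in 10.0.0.0/24 (placeholder subnet, change to yours).

options {
    keep_hostname(yes);   # keep the Windows hostname LASSO puts in the header
    create_dirs(yes);     # let the file destination create per-host directories
};

# Accept TCP syslog from the LASSO collector(s).
source s_lasso {
    tcp(ip(0.0.0.0) port(514) max_connections(50));
};

# Only accept messages from the subnet where the collectors live, so an
# arbitrary host on the network cannot push made-up events into the store.
filter f_collectors {
    netmask("10.0.0.0/24");   # placeholder, adjust to your collector subnet
};

# One file per sending host and per day, kept apart from the local syslog,
# readable only by root and the adm group.
destination d_windows {
    file("/var/log/windows/$HOST/$YEAR-$MONTH-$DAY.log"
         owner("root") group("adm") perm(0640));
};

log { source(s_lasso); filter(f_collectors); destination(d_windows); };
```

Before reloading, run a syntax check with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (the `-s`/`--syntax-only` switch parses the file without starting the daemon), then confirm that new files appear under /var/log/windows/<hostname>/ once a collector connects.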

Dr Anton Chuvakin