Thursday, October 25, 2007

Poll Results: Which Logs Do You Collect?

So, my log collection poll results are in. Here is the link to the running total; the picture as of today is on the right.

I admit this poll was fun!

Let's review and discuss the findings after running it for slightly over a week.

First, which of my expectations were NOT met? Well, I did expect that firewalls would be #1, not Linux/Unix servers. Admittedly, the difference is not so big, but I am impressed: Unix syslog still rocks the logging world :-)

Second, the top source of collected logs is also the hardest to analyze due to its lack of structure. Nowadays I treat syslog from Unix/Linux as "broken English" and not as "data." It is a dog to parse (that is why we try to find something novel).
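To make the "broken English" point concrete, here is an added example (my own illustration, not code from the post or from any tool it mentions). It parses constructed BSD-style syslog lines: the RFC 3164 header (PRI, timestamp, host, tag and pid) is regular enough for a single regex, but the message body carries no schema, so every program needs its own hand-written pattern and anything without one stays free text. The sample lines, hostnames and addresses are constructed for the example.

```python
"""Parse BSD-style (RFC 3164) syslog lines: the header is regular, the body is free text."""
import re
from typing import Optional

# Constructed sample lines (not real logs) in the traditional Unix syslog shape.
SAMPLE_LINES = [
    "<38>Oct 25 09:14:02 host1 sshd[2345]: Failed password for invalid user admin from 192.0.2.10 port 51522 ssh2",
    "<38>Oct 25 09:14:05 host1 sshd[2345]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2",
    "<78>Oct 25 09:15:01 host1 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)",
    "<4>Oct 25 09:16:44 host2 kernel: [12345.678901] usb 1-1: new high-speed USB device number 3 using ehci_hcd",
    "Oct 25 09:17:00 host2 su: pam_unix(su:session): session opened for user root by alice(uid=1000)",
]

# The RFC 3164 header (PRI, timestamp, host, tag[pid]) is regular enough for one regex.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                       # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # e.g. "Oct 25 09:14:02"
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"     # program name and optional [pid]
    r"(?P<msg>.*)$"
)

# The message body has no schema: each program needs its own hand-written pattern.
# These cover only the formats in SAMPLE_LINES; anything else stays unstructured.
BODY_PATTERNS = {
    "sshd": re.compile(
        r"^(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
        r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
    ),
    "CRON": re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<command>.*)\)$"),
    "su": re.compile(
        r"session (?P<action>opened|closed) for user (?P<user>\S+)(?: by (?P<by>\S+))?"
    ),
}


def parse_line(line: str) -> Optional[dict]:
    """Return header fields plus whatever body fields a known pattern yields.

    Returns None if even the header does not match."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri = m.group("pri")
    record = {
        # RFC 3164: PRI = facility * 8 + severity
        "facility": int(pri) // 8 if pri is not None else None,
        "severity": int(pri) % 8 if pri is not None else None,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("tag"),
        "pid": m.group("pid"),
        "message": m.group("msg"),
        "fields": {},
        "structured": False,
    }
    pattern = BODY_PATTERNS.get(record["program"])
    if pattern is not None:
        bm = pattern.search(record["message"])
        if bm is not None:
            record["fields"] = {k: v for k, v in bm.groupdict().items() if v is not None}
            record["structured"] = True
    return record


def summarize(lines) -> dict:
    """Count how many lines parsed at the header level versus the body level."""
    counts = {"header_parsed": 0, "header_failed": 0, "body_structured": 0, "body_freeform": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["header_failed"] += 1
            continue
        counts["header_parsed"] += 1
        counts["body_structured" if rec["structured"] else "body_freeform"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(rec["program"], rec["structured"], rec["fields"])
    print(summarize(SAMPLE_LINES))
```

On the five sample lines every header parses, but only the programs with a dedicated pattern yield fields; the kernel message is left as free text. In practice the BODY_PATTERNS table is the part that grows without end, one pattern per program and per message variant, which is exactly why syslog bodies are treated as text rather than data.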

Third, I was amazed that database logs were THAT high on the list. Wow! All the evangelizing seems to have worked out :-)

Fourth, Windows server log collection is still in the dumps - but we need it! Go grab LASSO and dump those event logs into syslog without pesky agents. Easy!

Fifth, other Unix logs - what are those? We might never know what the respondents meant; still, I think that these are binary audit logs and other fine-grained audit logging. Indeed, many people are starting to look at BSM audits and other "ugly ducklings" of logging.

Sixth, web server logs are gold - everybody knows it. The poll confirms this as well: they are #2. Some fun analysis tips from me are coming soon.

Next poll coming soon! Thanks a lot for responding!

Dr Anton Chuvakin