Thursday, October 25, 2007
So, my log collection poll results are in. Here is the link to the running total; the picture as of today is on the right.
I admit this poll was fun!
Let's review and discuss the findings after running it for slightly over a week.
First, which of my expectations were NOT met? Well, I did expect that firewalls will be #1, not Linux/Unix servers. Admittedly, the difference is not so big, but I am impressed: Unix syslog still rocks the logging world :-)
Second, the top source of collected logs is also the hardest to analyze due to its lack of structure. Nowadays I treat syslog from Unix/Linux as "broken English" and not as "data." It is a dog to parse (that is why we try to find something novel)
Third, I was amazed that database logs were THAT high on the list. Wow! All the evangelizing seems to have worked out :-)
Fourth, Windows server log collection is still in the dumps - but we need it! Go grab LASSO and dump those event logs into syslog without pesky agents. Easy!
Firth, other Unix logs - what are those? We might never know what the respondents meant: still, I think that these are binary audit logs and other fine-grained audit logging. Indeed, many people starting to look at BSM audits and other "ugly ducklings" of logging.
Sixth, web server logs are gold - everybody knows it. The poll confirms this as well: they are #2. Some fun analysis tips from me are coming soon.
Next poll coming soon! Thanks a lot for responding!
Possibly related posts:
Poll Results: Which Logs Do You Collect?