I responded to a question about using agents for log collection on a mailing list (semi-public); I think this content also begs to be blogged. So:
Agents for log collection pros and cons:
- agents are unavoidable in some cases (nowadays such cases are few and far between...)
- deployed agent can secure the log data in transit from its source to a log management tool
- agent typically can bandwidth-throttle / -manage the log data from source to a log management tool
- agents use up CPU/RAM on each system (sometimes A LOT, sometimes - not so much)
- when such agent crashes, it can take the system down with it (or use up ALL CPU/RAM/disk resources)
- added risk: you run new - possibly vulnerable! - software on all systems (some agents will also allow people to control them remotely for management, thus opening another hole)
- added hassle: you need to install and manage them on a large number of your systems (this is THE biggest reason IT people hate agents with a passion!)
Agentless / remote collection pros and cons:
- such agentless, centralized log collection usually incurs less impact on the logging systems
- contrary to popular belief, one can collect logs securely without agents (e.g. via SCP, FTPS or SFTP)
- just as with agents, one can schedule log collection for off-hours
- one can choose to pull or push data (e.g. HTTP upload)
- added risk: new open ports (in case of log pull) or running services (in case of upload or log push) on all systems
- added risk: log management system might store credentials for remote access (sometimes admin) thus exposing them for compromise (especially if you don't use appliance)
- added hassle: you need to manage credentials for all the servers on the log management system
Finally, please don't use the combination "remote agent" as it is deeply confusing. When people say "remote agent", they really mean "agentless." So, remote agent = no agents. It is MUCH less confusing to say "remote (or centralized) log collector." For example, Project LASSO is a remote Windows log collector, while Snare is an agent.
Possible related posts:
No comments:
Post a Comment