Wednesday, April 02, 2008

Windows Log Collection Poll Analysis

Now, my latest poll ("What tools do you use for Windows Event Log Collection and Analysis") was pretty popular (157 responses) and controversial as well; let's analyze it. The results are here and below as well.


So, what catches your eye first? Despite the fact that I was trying hard to list most of the tools that collect Windows logs known to humankind (and certainly, I thought I included ALL of the popular ones), the response 'Other' is #1 by popularity. Now, the 'Other' option had a write-in field that is not visible online, but accessible to the poll owner (i.e. me). What dark and mysterious tool hides in there under the guise of 'Other'? Well, this is where the controversy lies: out of 37 people who chose 'Other', 15 wrote in 'sp1unk.' Now, given that the Windows version was released only a couple of days before my poll, I refuse to believe that.

Second, as one can guess, using the Snare agent for converting Windows event logs into syslog is the next most popular choice (after 'Other'). This is definitely what I expected. Snare is a safe choice that everybody knows (but it is an agent).
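As an added example (not from the original post and not the Snare project's own code): what the Snare-to-syslog path looks like at the receiving end. The script below parses the tab-delimited record that the Snare agent emits over syslog and runs a simple failed-logon count over it, the kind of check a central collector exists to make possible. The field order is assumed from Snare's MSWinEventLog format, the log lines are constructed samples, and event IDs 529 (Windows 2000/2003) and 4625 (Vista/2008) are the failed-logon events.

```python
# Added example, not from the original post or the Snare project.
# Parses Snare-format Windows event records arriving over syslog and
# counts Security "Failure Audit" logon events per user name.
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Dict

# Field layout assumed from Snare's tab-delimited MSWinEventLog format;
# the syslog header and the literal "MSWinEventLog" marker precede these.
SNARE_FIELDS = [
    "criticality", "event_log", "snare_counter", "submit_time", "event_id",
    "source_name", "user_name", "sid_type", "event_log_type", "computer_name",
    "category", "data", "expanded", "checksum",
]

# Syslog PRI, BSD timestamp and hostname, then the Snare marker.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) MSWinEventLog$"
)

# 529: logon failure on Windows 2000/2003; 4625: the Vista/2008 equivalent.
FAILED_LOGON_IDS = {529, 4625}


@dataclass
class SnareEvent:
    host: str
    event_id: int
    event_log: str
    user_name: str
    event_log_type: str
    computer_name: str
    description: str


def parse_snare_line(line: str) -> Optional[SnareEvent]:
    """Return a SnareEvent, or None if the line is not a Snare-format record."""
    parts = line.rstrip("\r\n").split("\t")
    m = HEADER_RE.match(parts[0])
    if m is None:
        return None
    fields = parts[1:]
    if len(fields) < 10:  # need every field through computer_name
        return None
    fields += [""] * (len(SNARE_FIELDS) - len(fields))  # tolerate a short tail
    rec = dict(zip(SNARE_FIELDS, fields))
    try:
        event_id = int(rec["event_id"])
    except ValueError:
        return None
    return SnareEvent(
        host=m.group("host"),
        event_id=event_id,
        event_log=rec["event_log"],
        user_name=rec["user_name"],
        event_log_type=rec["event_log_type"],
        computer_name=rec["computer_name"],
        description=rec["data"],
    )


def failed_logons_by_user(lines: List[str], threshold: int = 1) -> Dict[str, int]:
    """Count Security-log failed logons per user; keep users at or above threshold."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_snare_line(line)
        if ev is None:
            continue
        if (ev.event_log == "Security" and ev.event_log_type == "Failure Audit"
                and ev.event_id in FAILED_LOGON_IDS):
            counts[ev.user_name] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample lines (not captured from a real host).
SAMPLE_LINES = [
    "<13>Apr  1 10:00:01 SERVER1 MSWinEventLog\t1\tSecurity\t1001\tTue Apr 01 10:00:01 2008\t529\tSecurity\tjdoe\tUser\tFailure Audit\tSERVER1\tLogon/Logoff\tLogon Failure: Reason: Unknown user name or bad password\t\t1001",
    "<13>Apr  1 10:00:02 SERVER1 MSWinEventLog\t1\tSecurity\t1002\tTue Apr 01 10:00:02 2008\t529\tSecurity\tjdoe\tUser\tFailure Audit\tSERVER1\tLogon/Logoff\tLogon Failure: Reason: Unknown user name or bad password\t\t1002",
    "<13>Apr  1 10:00:03 SERVER1 MSWinEventLog\t0\tSecurity\t1003\tTue Apr 01 10:00:03 2008\t528\tSecurity\tadmin\tUser\tSuccess Audit\tSERVER1\tLogon/Logoff\tSuccessful Logon\t\t1003",
    "<13>Apr  1 10:00:04 SERVER2 MSWinEventLog\t1\tSecurity\t2001\tTue Apr 01 10:00:04 2008\t4625\tMicrosoft-Windows-Security-Auditing\tsvc_backup\tUser\tFailure Audit\tSERVER2\tLogon\tAn account failed to log on.\t\t2001",
    "<13>Apr  1 10:00:05 SERVER1 sshd[123]: not a Snare record at all",
]

if __name__ == "__main__":
    for user, n in failed_logons_by_user(SAMPLE_LINES, threshold=2).items():
        print(f"{user}: {n} failed logons")
```

The header regex is deliberately strict about the "MSWinEventLog" marker so that ordinary syslog traffic on the same collector is skipped rather than misparsed; the trailing fields are padded because older Snare releases do not always emit the expanded-string and checksum columns.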

Third, 'voting "no"' (i.e. 'We don't collect Windows logs centrally') is next; in fact, it is not statistically different from the previous choice, Snare. This reflects the sad reality of Windows logging: people just do not collect them and then, when needed, they desperately try to reach for the logs stored on each server (and, obviously, often do not find them there). Will Windows 2008 (which does have its own WS-based log centralization system) change that? Probably!

Fourth, despite the fact that everybody hates agents, remote Windows collectors, such as ProjectLASSO, are less popular. In fact, most people who use a remote collector use a commercial (WMI- or RPC-based) remote collector from their SIEM or log management vendor.

Fifth, OSSEC rises above the crowd of other remaining tools. This is definitely an interesting discovery as well.

Finally, on a somewhat humorous note, if one combines "We don't collect Windows logs centrally", "We ignore Windows logs" and "We are waiting for Windows to support syslog natively", the total count reaches 35% and exceeds any other option, including 'Other', Snare, etc.

So, this poll reflects a sad state of affairs with Windows logging; let's hope that W2k8 will change that...

Dr Anton Chuvakin