So, here is the paper that I was involved in on Project LASSO.
"One of the recent open source solutions that enables a critical part of log management is Project LASSO, a Windows-based open source software designed to collect Windows event logs, including custom application logs [AC - that go into Event Log], and provide for the central collection and transport of Windows log data via TCP syslog to any syslog-ng compatible log receivers. Before Project LASSO, incorporating Windows server and workstation logs in an overall log management process was extremely onerous."
The main thing that puzzles me about Project LASSO is that many people still don't know that "agentless" /remote Windows event log collection is actually easy and free (with LASSO). I continue to come across folks who are stuck in the 90s and think that "Windows logging = agents." No!!! Nooo!! Noooooo! :-)
5 comments:
Anton,
I was surprised, when reading the Lasso User Guide, that it needs administrator rights on the machines that will be monitored. Tools that access the event log usually only need the "Manage Auditing And Security Log" right. Did you try it only with that level of permissions?
>needs administrator rights on the machines
Well, LASSO needs admin for two tasks: access to security log (admin-only, no separate permission to allow this) and access to some DLLs to dereference a few of the IDs.
We did update LASSO (in version 4.0 - to come out in a few weeks) to only use admin access for a short time and then run without it.
Well, actually Lasso does not need admin rights per se.
The only reason it can be said to need those is when it copies those resource DLLs.
Otherwise, there's a separate right for giving access to the security log, or you can change the ACL to give read-only access to a certain account on those versions of Windows which do not have that right.
So, one way to handle this is to run Lasso for a while until it has collected those custom (extra) DLLs and then turn the account into a normal user in the way described above - this is what we did with it.
Installing and configuring Lasso is easy, however is there a howto somewhere that talks about configuring syslog-ng to receive messages from Lasso?
Well, no magic needed - just point LASSO to syslog-ng and watch the data flow...
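As an added illustration of the receiving side (this is an example written for this post, not LASSO's documentation or a syslog-ng distribution file), here is a minimal syslog-ng 3.x configuration that accepts LASSO's TCP syslog stream and files it per sending host. The port 514, the 10.0.0.0/8 source range and the /var/log/windows path are assumptions chosen for the example; adjust them to whatever LASSO is configured to send to.

```conf
@version: 3.8

# Listen for BSD-style syslog over TCP on the port LASSO is pointed at.
# Assumed port 514; LASSO's default is not taken from the post.
source s_windows {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# A plain TCP listener has no authentication, so only accept senders
# from the subnet the Windows collectors live on (assumed 10.0.0.0/8).
filter f_windows_hosts {
    netmask("10.0.0.0/8");
};

# One file per sending host and day. ${HOST} is taken from the syslog
# header, which is assumed to carry the Windows machine name.
destination d_windows {
    file("/var/log/windows/${HOST}/${YEAR}${MONTH}${DAY}.log"
         create_dirs(yes)
         dir_perm(0750)
         perm(0640)
         template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};

log {
    source(s_windows);
    filter(f_windows_hosts);
    destination(d_windows);
};
```

Check the file with `syslog-ng --syntax-only` before reloading, and pair the netmask filter with a host firewall rule on the same port, since the filter only drops messages after the connection has been accepted.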