Enterprise Monitoring and Logging



I was using Splunk for a while, and it's a very powerful system. However, I would like to see what all is out there; you can do a Google search, but you get 1,000,000s of different ones, and I wanted to see what you guys are using.

 

I'd like the software to do,

Log all Active Directory Changes

Log all shared folders (who accessed, what files, etc.)

Log all internet data, such as websites, blocked attacks (works with a Flow Monitor)

 

Alerts when server is down

Alerts when a circuit is down, along with VPN. 

 

Any ideas on what I can use for this?

 

Thanks!


I've been wondering this too. I finally got the "OK" to deploy Nagios (don't even ask) but I was going to look at other possible options too. Looks like I'll be trying graylog2. Thanks budman


I like graylog2, it's fairly straightforward to get up and running.  The trick is getting everything sent to it ;)  But once it's in there you can find stuff pretty easily.  Your other option is an ELK stack, which is just a combo of Elasticsearch, Logstash and Kibana.

 

While Splunk is pretty slick, once you send data to it, it is pretty useless for pulling data out without some serious backend work.  And it's not cheap ;)  While something like Graylog is FREE.

 

You could also look into http://www.fluentd.org/


I use PRTG and it's awesome. Very very easy to setup, less than 5 minutes and you're monitoring a few systems!


^ While PRTG is great, that is not the type of monitoring he was looking for to replace Splunk, even though some of the items he mentions for monitoring are outside the scope of something like Splunk or other syslog tools, and yes, something like PRTG would work for that.  Or Observium is another option.

 

It's kind of difficult to get all your eggs in 1 basket for your network monitoring needs.  You want to log events, but you also need to check if a service is up and working, but those are rarely in the same system, etc.


But it's NOT a syslog server ;)  While I see that it has a syslog receiver, it sure as hell is not going to scale to the enterprise for monitoring syslog, which could be 1000's of events per minute easily.  You should see the nonsense 1 ESXi box can send if not tweaked after setting up syslog.

 

From just my pfSense firewall at home I had 1000's of events in a few hours.  There is lots of noise out there; if you log it, it can get overwhelming very quickly!!  PRTG again, while a great product, is not designed for that sort of traffic.  Graylog on very minimal hardware can easily scale to 1000's of events a second without really breaking a sweat.


Another vote for Graylog2: using it at a client's for monitoring and alerts for web sites and logging events in hundreds of Java applications. I'm still not up to speed on the queries yet, but getting there.

 

My greatest accomplishment is setting up an alert if a job doesn't run once a day :)

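The two chores this thread keeps coming back to, spotting a source that floods the collector with noise and alerting when a daily job goes quiet, as a small added Python example. This is not code from the thread, from Graylog or from the ELK projects. It assumes RFC 3164-style syslog lines ("<PRI>Mon DD HH:MM:SS host tag[pid]: msg"), applies a fixed year to the year-less timestamps, and works on constructed sample lines and a constructed list of expected jobs; `parse_log`, `noisy_hosts` and `stale_jobs` are hypothetical helper names.

```python
"""Central-log triage helpers: per-source rate check and job-absence alert.

Added example for this thread, not code from Graylog, ELK or any poster.
Assumptions: input is RFC 3164-style syslog text, timestamps carry no year
so ASSUMED_YEAR is applied, and the sample lines are constructed, not
captured from a real network.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

ASSUMED_YEAR = 2016  # assumption: BSD syslog timestamps omit the year

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample: one backup job, a chatty ESXi host, two firewall block
# lines, a heartbeat, and one junk line the parser must skip.
SAMPLE_LOG = """\
<14>Mar 10 01:00:01 backup01 nightly-backup[412]: backup completed ok
<13>Mar 10 01:00:02 esxi01 Hostd: [task-1] completed
<13>Mar 10 01:00:02 esxi01 Hostd: [task-2] completed
<13>Mar 10 01:00:03 esxi01 Hostd: [task-3] completed
<13>Mar 10 01:00:03 esxi01 Hostd: [task-4] completed
<13>Mar 10 01:00:04 esxi01 Hostd: [task-5] completed
<13>Mar 10 01:00:04 esxi01 Hostd: [task-6] completed
<12>Mar 10 01:03:10 pfsense01 filterlog: 5,,,1000000103,em0,match,block,in,4
<12>Mar 10 01:03:11 pfsense01 filterlog: 5,,,1000000103,em0,match,block,in,4
<14>Mar 11 01:30:00 monitor01 heartbeat: alive
this line is not syslog and is skipped
"""

# Jobs expected to log at least once every 24 hours (constructed list).
EXPECTED_JOBS = [
    ("backup01", "nightly-backup"),
    ("monitor01", "heartbeat"),
    ("fileserver01", "cleanup-job"),
]


def parse_line(line):
    """Return a dict for one syslog line, or None if the line is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "ts": ts,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": m.group("pid"),
        "msg": m.group("msg"),
    }


def parse_log(text):
    """Parse every line, dropping anything that is not syslog."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def noisy_hosts(events, per_minute_limit):
    """Hosts whose busiest minute exceeds the limit, as sorted (host, peak) pairs."""
    per_minute = Counter((e["host"], e["ts"].replace(second=0)) for e in events)
    peak = {}
    for (host, _minute), n in per_minute.items():
        peak[host] = max(peak.get(host, 0), n)
    return sorted((h, n) for h, n in peak.items() if n > per_minute_limit)


def stale_jobs(events, expected, now, max_age=timedelta(days=1)):
    """Expected (host, tag) pairs with no event within max_age of `now`.

    Returns (host, tag, last_seen); last_seen is None for never-seen jobs.
    """
    last_seen = {}
    for e in events:
        key = (e["host"], e["tag"])
        if key not in last_seen or e["ts"] > last_seen[key]:
            last_seen[key] = e["ts"]
    stale = []
    for host, tag in expected:
        seen = last_seen.get((host, tag))
        if seen is None or now - seen > max_age:
            stale.append((host, tag, seen))
    return sorted(stale, key=lambda s: s[:2])


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("noisy sources:", noisy_hosts(evts, per_minute_limit=5))
    check_time = datetime(ASSUMED_YEAR, 3, 11, 2, 0, 0)
    print("stale jobs:", stale_jobs(evts, EXPECTED_JOBS, now=check_time))
```

Run as a script it reports esxi01 as the noisy source (six lines in one minute against a limit of five) and flags both the backup job, last seen just over 24 hours before the check time, and the cleanup job, which never logged at all. The absence check is the same idea as the "job didn't run today" alert above: keep the last-seen time per (host, tag) and page when it ages out.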
