Centralized Log Monitoring

I'm looking for some program or utility to create a centralized log monitoring server for a mixed Windows and Linux environment. Any suggestions? Essentially we want a place to look at the system and event logs for over 100 servers. Free is always better.


Solution 1:

Splunk

http://www.splunk.com

I think your overall best option is probably to go with Splunk since you're in a mixed environment. Depends on how much you want to log and if you can afford to pay. If you're selective about what you want to log you might just be able to get away with it for free.


OSSEC

http://www.ossec.net

While not EXACTLY what you're looking for, OSSEC will aggregate all of your logs to a single server with a fairly small amount of configuration. OSSEC can also integrate with Splunk which makes it even more interesting. Here's a snippet from their home page:

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.


Roll your own

This appears to be an older post but it might help anyway:

http://www.johnhsawyer.com/2006/03/centralized-logging-for-windows-using.html

You can also take a look at a previous question I answered here regarding sending log files securely to syslog-ng (at least for the Linux side anyway):

How would you send syslog *securely* over the public Internet?

Hope this helps.

Solution 2:

If you're stupidly wealthy, Splunk is pretty deadly. If you're not, it may be worth looking at some combination of syslog (-ng or rsyslog), OSSEC-HIDS, and Octopussy.

Since writing this, several interesting options have shown up for this. Logstash, Graylog2, and ELSA all seem to replicate most of the features of Splunk, and are free/OSS.

Really though, you probably want Splunk.