
Sysmon – Log system activity to the Windows event log - ingve
http://technet.microsoft.com/en-us/sysinternals/dn798348
======
allegory
I do everything to keep stuff out of the Windows event log because it's slow,
impossible to query large swathes of data, noisy and difficult to get things
to talk to it due to NT permissions and sources being stateful. Not only that,
you have to pay piles of cash for anything even slightly reliable for
forwarding of logs (the built-in service for this is terrible) and the tooling is
foul.

Now to the original problem: what about a MAC framework for NT (other than the
heap of crap known as MIC)? Let's just log shit that the MAC framework didn't
allow then.

SELinux, trusted solaris, OSX Mach, FreeBSD POSIX MAC for example.

Nope stuck in the dark ages because of win32...

(Yes i know NT can do this on its own but NT is just the runtime environment
for win32 these days rather than the technical achievement it was).

~~~
mrweasel
Not only is the Windows Event Log impossible to query, it's also pretty rare to
see software actually log anything useful on Windows. I'm not trying to bash
Microsoft, it just seems more common for software developed for Windows to
have bad/missing/useless logging.

I think this might be a culture thing, because it's not actually impossible to
do, it's just really rare to see. On Unix-like systems we're all used to being
able to find text files with logging information for pretty much any system we
deploy; on Windows we're accustomed to many programs and systems being black
boxes. If you as a Windows developer haven't been exposed to having easily
parsed text files with logging information, then chances are you don't know
how to do good logging.

Also XML is pretty crappy for logging, either you have a million documents, or
you have one large document that won't easily fit into Logstash, Splunk and
similar tools.

~~~
wslh
> it's also pretty rare to see a software actually log anything useful on
> Windows.

Indeed there is a whole huge market doing that (logging and correlating useful
information): APM (Application Performance Monitoring). You can take a look at
Compuware, Riverbed, and New Relic.

Currently this market is fragmenting in analytics products such as Splunk +
agents distributed by different vendors.

~~~
dozzie
How does New Relic make IIS log useful things?

~~~
wslh
New Relic and other monitoring tools can intercept .NET and look at issues
there beyond the ones appearing on the event log. There is plenty of
information about this on their sites.

------
michh
The `<Data Name="key">value</data>` in there makes me sad. It's better than
the `<field name="key" value="value"/>` one of our partners uses at work but
still...

If there's a good reason for it, it's just as much of a good reason XML isn't
suitable for what you're trying to do.

~~~
pestaa
It's not a deal-breaker, but <key>value</key> would indeed be nicer.

~~~
LoneWolf
For a human to read maybe, but for some generic parsing where there are many
different keys, I would say <data Name="key">value</data> is indeed better;
it also makes an XSD easier to create, if needed.

~~~
michh
That definitely goes towards the "good reason not to use XML" part of what I
said, imo ;)
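The "generic parsing" argument above is easy to see in code. The following is an added example, not code from the original thread or from Sysinternals: a small Python parser that takes one Windows event rendered as XML (the form `Get-WinEvent`'s `.ToXml()` or `wevtutil qe /f:xml` emits) and flattens it into a dict that can be shipped as a JSON line to Logstash or Splunk. Because the payload uses `<Data Name="key">value</Data>`, one loop handles every event type without knowing the field names in advance; with `<key>value</key>` the parser would need a per-event schema. The sample Sysmon process-creation event (EventID 1) is constructed for this example, and the `iter_events` helper assumes the caller has concatenated `<Event>` elements with no enclosing root, which is how `wevtutil` prints them.

```python
import json
import xml.etree.ElementTree as ET

# Namespace used by every Windows event rendered as XML.
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample event for this example (not a real capture): a Sysmon
# process-creation event. Field names follow Sysmon's EventData layout.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2014-08-08T10:15:30.123456700Z"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>ws01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2014-08-08 10:15:30.123</Data>
    <Data Name="ProcessId">4212</Data>
    <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="User">EXAMPLE\\alice</Data>
    <Data Name="ParentProcessId">1337</Data>
    <Data Name="ParentImage">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
  </EventData>
</Event>"""


def _tag(name):
    """Qualify an element name with the Windows event namespace."""
    return "{%s}%s" % (EVT_NS, name)


def parse_event_element(event):
    """Flatten one <Event> element into a dict: a few System fields plus every
    EventData <Data Name="..."> pair keyed by its Name attribute."""
    system = event.find(_tag("System"))
    if system is None:
        raise ValueError("event has no <System> element")

    record = {
        "Computer": system.findtext(_tag("Computer")),
        "Channel": system.findtext(_tag("Channel")),
    }
    event_id = system.findtext(_tag("EventID"))
    record["EventID"] = int(event_id) if event_id is not None else None
    time_created = system.find(_tag("TimeCreated"))
    record["TimeCreated"] = time_created.get("SystemTime") if time_created is not None else None

    # The generic part: no per-event schema needed, the key is in the attribute.
    event_data = event.find(_tag("EventData"))
    if event_data is not None:
        for data in event_data.findall(_tag("Data")):
            name = data.get("Name")
            if name is None:
                # Unnamed <Data> elements carry positional values; they do not
                # fit a flat key/value record, so skip them here.
                continue
            record[name] = (data.text or "").strip()
    return record


def parse_event(xml_text):
    """Parse a single rendered event (a well-formed document on its own)."""
    return parse_event_element(ET.fromstring(xml_text))


def iter_events(xml_stream):
    """wevtutil qe /f:xml prints <Event> elements back to back with no root,
    so the text as a whole is not a document. Wrap it in a synthetic root
    and yield one dict per event."""
    wrapped = "<Events>%s</Events>" % xml_stream
    for event in ET.fromstring(wrapped).findall(_tag("Event")):
        yield parse_event_element(event)


def to_json_line(xml_text):
    """One JSON object per line is what Logstash/Splunk-style shippers want."""
    return json.dumps(parse_event(xml_text), sort_keys=True)


if __name__ == "__main__":
    print(to_json_line(SAMPLE_EVENT))
    for rec in iter_events(SAMPLE_EVENT + SAMPLE_EVENT):
        print(rec["EventID"], rec["Image"], rec["ParentImage"])
```

Note that all EventData values come back as strings, because the XML carries no type information; the consumer decides which ones (ProcessId, ParentProcessId) to cast. That is the practical cost of the generic format that the thread is debating, and it is the same trade-off an XSD would have to spell out.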

------
616c
I am confused. Is this in fact new or has there been a new release. Sysmon has
been around for a while, no?

~~~
skymt
This is the first release of Sysmon. Perhaps you're thinking of Process
Monitor?

~~~
616c
I guess so. Strange sense of deja vu, but I will take your word for it.

~~~
readerrrr
Same here, they have a lot of tools called x-monitor, or xmon for short. I
think we are subconsciously substituting the generic names like: file,
process, disk.

~~~
Ecio78
before Process Monitor (procmon), those features were split between File
Monitor and Registry Monitor (filemon and regmon). And they also have tcpmon
for network connections, so maybe that's why you think that it was already
around before. I'll also add that I am a big fan of Russinovich and his tools
(including of course Process Explorer, Autoruns and PsTools like psexec, pslist,
pskill, etc.), so if he releases something new, it should be interesting for
sure!

