Find the Best Log Monitoring and Event Log Analyzer Software

Event Log Analysis | Auditing Log Files

Event Log Analysis is the process of collecting and monitoring the log files produced by servers, network devices and applications in order to detect security threats (malware, attacks on the network, password guessing), to confirm that systems are running without errors and to verify that applications are functioning correctly. The same log data is used for forensic analysis after an incident and to demonstrate compliance during security audits.

Most devices, whether a network firewall, a Cisco switch, a Windows server or a software application, generate some kind of event log. The log data from each device is valuable evidence that helps identify the root cause of an incident and, when reviewed proactively, can reveal problems before they become incidents. Some organizations implement Event Log Analysis as part of their IT security practice; others have no choice because they must comply with industry standards (PCI DSS, for example, requires that audit trails be retained and reviewed).

Some systems, like Windows Server, come with applications for viewing the logs. Windows Event Logs can be viewed with Microsoft's built-in Event Viewer or with a third-party tool such as Event Log Explorer. Event Viewer lets you view the logs on a single system and analyze the data manually, which works fine if you only have one or two servers in your network. That is rarely the case: most organizations have multiple servers plus several other devices that generate event logs, and for those deployments you need a centralized Event Log Analysis system that collects the logs in one place and analyzes the data there.

In the rest of this article I describe the core components of Event Log Analysis.

Centralized Event Log Analysis
As mentioned at the beginning of this article, some systems provide a built-in event viewer for analyzing their own logs. If your network is small this may be sufficient for your needs. In most cases you will want a centralized server that collects the logs from all devices and stores them in one location, where the event log analysis software can analyze them, monitor for suspicious activity and raise alerts.

When it comes to choosing a log analyzer you will find there are many options. Some are specific to one device or log type; others handle many different sources, such as syslog, web server logs, Windows event logs, SNMP traps, plain-text log files and SQL Server messages. Most vendors provide a demo, and running one against your own logs is the best way to determine which product fits your needs. Features to look for are real-time alerts, archiving, ease of use, granular control over which events are collected and reported, and report scheduling.
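The value of a centralized analyzer is that it can put events from different log formats side by side and alert on patterns no single device sees. The following PowerShell is an added example, not code from the original article or from any vendor's product: it normalizes a Cisco ASA syslog feed and a set of Windows Security logon events into one schema and alerts when the same source address keeps failing to log on across both. All sample data is constructed for the demo; the firewall lines follow the format of ASA messages %ASA-6-605004 ("Login denied ... for user") and 605005 ("Login permitted"), and the Windows records carry the fields a collector would take from Security events 4625 (failed logon) and 4624 (successful logon). The function names and the threshold of three failures are assumptions for the example.

```powershell
# Added example: normalize two log sources into one schema and alert on
# repeated failed logons seen across devices. Sample data is constructed.

$SyslogLines = @(
    'Jan 10 09:12:01 fw01 %ASA-6-605004: Login denied from 203.0.113.7/51234 to inside:10.0.0.1/ssh for user "admin"'
    'Jan 10 09:12:04 fw01 %ASA-6-605004: Login denied from 203.0.113.7/51235 to inside:10.0.0.1/ssh for user "admin"'
    'Jan 10 09:12:09 fw01 %ASA-6-605005: Login permitted from 10.0.0.25/40110 to inside:10.0.0.1/ssh for user "netops"'
)

# Fields a collector would extract from Windows Security events 4625/4624.
$WindowsEvents = @(
    [pscustomobject]@{ MachineName = 'srv01'; Id = 4625; TargetUserName = 'administrator'; IpAddress = '203.0.113.7' }
    [pscustomobject]@{ MachineName = 'srv01'; Id = 4625; TargetUserName = 'administrator'; IpAddress = '203.0.113.7' }
    [pscustomobject]@{ MachineName = 'srv01'; Id = 4624; TargetUserName = 'jsmith';        IpAddress = '10.0.0.25' }
)

function ConvertFrom-AsaLogin {
    # Parse only the ASA login messages; any other message is dropped here.
    param([string[]]$Lines)
    $pattern = '^\w{3}\s+\d+\s[\d:]+\s(?<host>\S+)\s%ASA-\d-60500[45]:\sLogin (?<result>denied|permitted) from (?<src>[\d.]+)/\d+ .* for user "(?<user>[^"]+)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $outcome = 'success'
            if ($Matches.result -eq 'denied') { $outcome = 'failure' }
            [pscustomobject]@{ Source = $Matches.host; Kind = 'cisco-asa'; Outcome = $outcome; User = $Matches.user; SrcIp = $Matches.src }
        }
    }
}

function ConvertFrom-WindowsLogon {
    # Map logon success/failure events onto the same schema as the firewall records.
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Id -notin 4624, 4625) { continue }
        $outcome = 'success'
        if ($e.Id -eq 4625) { $outcome = 'failure' }
        [pscustomobject]@{ Source = $e.MachineName; Kind = 'windows-security'; Outcome = $outcome; User = $e.TargetUserName; SrcIp = $e.IpAddress }
    }
}

function Find-RepeatedFailures {
    # Alert when one source address produces $Threshold or more failures,
    # regardless of which device reported them. Each device alone sees only
    # two failures here; the combined view is what crosses the threshold.
    param([object[]]$Records, [int]$Threshold = 3)   # threshold is an assumed value
    $Records |
        Where-Object { $_.Outcome -eq 'failure' } |
        Group-Object -Property SrcIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $devices = ($_.Group | ForEach-Object Source | Sort-Object -Unique) -join ','
            "ALERT: $($_.Count) failed logons from $($_.Name) reported by $devices"
        }
}

$normalized = @(ConvertFrom-AsaLogin -Lines $SyslogLines) + @(ConvertFrom-WindowsLogon -Events $WindowsEvents)
Find-RepeatedFailures -Records $normalized
```

On the sample data the firewall and the server each record two failures from 203.0.113.7, below the threshold on their own; only the merged view raises the alert. In a real deployment the Windows records would come from the collector (for example Get-WinEvent against the forwarded Security log) and the syslog lines from the central syslog server, and the alert would be tied to a time window rather than to the whole batch.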

Configuring devices and servers for Event Logging
Before you can start collecting and analyzing event logs you have to configure each device's logging options. Devices such as a Cisco switch or ASA firewall send their log data as syslog messages. There is not much to configure on these devices: you enable logging, choose the severity level you want to capture, and tell the device where to send its messages (on IOS and the ASA this is done with the logging trap and logging host commands). The destination is usually the centralized syslog server.

On a Windows operating system it is not that simple. Because a server performs many functions it can log a wide variety of activity, and Windows keeps that activity in several separate logs, the most important of which are the System, Application and Security logs. If you are going to analyze Windows servers, which I highly recommend, be aware that most security auditing is not enabled by default: the Security log only records the categories you turn on in the audit policy. If you have several servers to monitor, the best way to set up the audit policy is Group Policy. Create one policy and apply it to all your servers, so that the logging configuration on every server is controlled from one central location.

In the Windows audit policy there are several policies you can set, and for each one you can audit success, failure or both. If you audit only successful attempts the logs will not show failed logon attempts, which is exactly the activity a password-guessing attack produces. If you audit only failures the logs will not show when a file was accessed or when a user successfully logged on, which is what you need for forensics and compliance reporting. So it is very important to take the time to configure the audit policy correctly so that the Event Log Analysis process is effective.

You might think the best option would be to simply enable every logging option in every policy, but monitoring, logging and analysis put a load on the server's processor, and the log files consume other resources such as disk space and memory. Noisy categories such as object access can generate a very large number of events and cause the Security log to overwrite its oldest entries before the collector has read them. You need to understand the logging policies and options and choose what best fits your organization's needs.
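The following PowerShell is an added example of the configuration described above, not code from the original article. It inspects the advanced audit policy subcategories that feed the Security log, enables success and failure auditing for the logon-related ones, leaves the noisy File System subcategory on failure only, and then sizes the Security log so that events survive until the collector has read them. It must be run from an elevated PowerShell session on the server; the subcategory names are the real ones used by auditpol, while the choice of subcategories and the 1 GB log size are assumptions for the example.

```powershell
# Added example: set and verify Windows audit subcategories, then size the
# Security log. Run elevated. Subcategory selection and log size are assumed values.

# 1. Show what is currently audited; many subcategories report "No Auditing".
auditpol /get /category:*

# 2. Audit both success and failure where analysis depends on it. Success
#    auditing answers "who logged on and when"; failure auditing surfaces
#    password guessing and lockouts. "Credential Validation" matters most on
#    domain controllers. "Audit Policy Change" records tampering with this policy.
$subcategories = 'Logon', 'Logoff', 'Account Lockout', 'Credential Validation', 'Audit Policy Change'
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 3. File System auditing only fires for objects that also carry a SACL, but it
#    is the subcategory most likely to flood the log; keep it to failures only.
auditpol /set /subcategory:"File System" /success:disable /failure:enable | Out-Null

# 4. Verify the effective settings the same way you would after a GPO refresh.
foreach ($sub in $subcategories + 'File System') {
    auditpol /get /subcategory:"$sub"
}

# 5. Size the Security log and confirm. The default is small and overwrites the
#    oldest events as needed, so an undersized log loses evidence silently.
wevtutil sl Security /ms:1073741824          # 1 GB, assumed value
wevtutil gl Security | Select-String 'maxSize', 'retention'
```

auditpol changes the local policy only, which is fine for testing the settings on one server. For the fleet, put the same subcategories in a GPO under Computer Configuration, Policies, Windows Settings, Security Settings, Advanced Audit Policy Configuration, and enable the Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so that the legacy category settings do not undo them. Re-run the auditpol /get loop after the policy refresh to confirm what actually took effect.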

Create an Infrastructure to handle all Event Logs

As part of the Event Log Analysis design you will need a secure and robust infrastructure to handle all the event logs. You need enough storage not only to collect the logs but to archive them for as long as your retention policy requires. Redundancy should also be considered so the system is always available: a storage array, redundant power supplies and CPUs, a server located in a secure data center and backups run on a regular basis. Because the central copy of the logs is the one you will rely on as evidence when a source system has been compromised, access to the log server should be tightly restricted. If your organization has implemented virtualization, deploy the centralized logging server as a virtual server; depending on the retention period you may need to allocate a lot of SAN space to it. If you have many remote locations you have to consider bandwidth as well, since each site sends its logs over the network to the central location and this can consume a considerable amount of bandwidth.

Summary
There are several components to Event Log Analysis. The core components are the analysis software, log management, and the centralized infrastructure that handles all of the data. Event log analysis is the process of examining system and device log files to detect security threats, errors and policy misuse across an organization's infrastructure. Whatever the size of the organization, Event Log Analysis provides many beneficial services.
