<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Event Log Monitoring</title>
	<atom:link href="http://eventlogmonitoring.net/feed/" rel="self" type="application/rss+xml" />
	<link>http://eventlogmonitoring.net</link>
	<description>Find the Best Log Monitoring and Event Log Analyzer Software</description>
	<lastBuildDate>Tue, 01 Mar 2011 17:42:07 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>Windows Server Event Logs</title>
		<link>http://eventlogmonitoring.net/windows-server-event-logs/</link>
		<comments>http://eventlogmonitoring.net/windows-server-event-logs/#comments</comments>
		<pubDate>Tue, 01 Mar 2011 17:42:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://eventlogmonitoring.net/?p=29</guid>
		<description><![CDATA[The event logs on a Windows Server are helpful in troubleshooting system errors and for monitoring performance and activity. Server event logs contain data that relate to the operating system, system components and applications running on the server.]]></description>
			<content:encoded><![CDATA[<p>The event logs on a Windows Server are helpful in troubleshooting system errors and for monitoring performance and activity. Server event logs contain data that relate to the operating system, system components and applications running on the server. Event log entries include details about the incident, such as the date and time of the incident, the name of the computer, the currently logged on user and other important information like the event ID, category and source of the event. Sometimes the event includes additional information on the incident and may contain a link to where more information can be found. These links can help further troubleshoot the incident.</p>
<p><strong>Types of Windows Server Event Logs</strong><br />
When installing a Windows Server there are several default event logs on the server. If the server is set up to perform other functions such as DNS or Active Directory it will include additional event logs.</p>
<p>The default event logs on a Windows Server are:</p>
<p><span style="text-decoration: underline;">Application Event Logs:</span> Tracks application related events (for example, some applications will generate informational events that get recorded. Applications also generate errors such as failing to install or execute).</p>
<p><span style="text-decoration: underline;">System Event Logs:</span> Records events related to the server operating system, such as starting up or a system reboot, services and hardware events.</p>
<p><span style="text-decoration: underline;">Security Event Logs:</span> Tracks events such as logon, logoff, bad password, and object access. By default not all security auditing is enabled, so you will need to enable auditing on the local system or Domain Controller to track certain security events. The auditing policy can be found in Group Policy under Computer Settings -&gt; Windows Settings -&gt; Security Settings -&gt; Audit Policy.</p>
<p>Additional Event Logs that are included on a Windows Domain Controller:</p>
<p>DFS Replication &#8211; Includes events on the Distributed File System service.</p>
<p>Directory Services &#8211; Events related to Active Directory services. Sources include AD Domain Services, Online defragmentation of database, LDAP Interface.</p>
<p>DNS Server &#8211; Records activity on the DNS service.</p>
<p>File Replication Services &#8211; Tracks events on the file replication services on the Domain Controller.</p>
<p><strong>Configuring Event Log options</strong><br />
It’s important to know the default logging options on your Windows Server. Depending on the system you may need to adjust these default settings to meet security or organizational needs. The event logs can provide critical information when troubleshooting server errors, so the logging options need to be reviewed in the planning phase of your servers.</p>
<p>By default the logging options are set to:</p>
<ul>
<li>Stored in the %Windir%\system32\config folder</li>
<li>Max size of log file 16MB</li>
<li>Overwrite events more than 7 days old</li>
</ul>
<p>The default settings should be reviewed before putting a new Windows Server into production. Below are some recommended settings for configuring the event logs on your servers:</p>
<p>1. Increase the size limit of each log file. The event logs can fill up fast so it is recommended to increase the default size limit to allow for storage of more events. I increase the application, security and system log files to 60MB.</p>
<p>2. If you do not need to archive events, set the retention method to overwrite events as needed.</p>
<p>3. Prevent the local guests group from accessing the system log. You do not want unwanted users poking around in your log files, so set this to enabled for the application, system and security logs.</p>
<p>If you have a large number of Windows servers you can use Group Policy to configure these settings on all the servers. You must be running Active Directory and all the servers must be members of its domain in order to use Group Policy. These settings are found under Computer Configuration -&gt; Windows Settings -&gt; Security Settings -&gt; Event Log in Group Policy Object Editor.</p>
<p><strong>Searching events using the Event Viewer</strong><br />
The Event Viewer is a built-in tool that allows you to view the event log entries. You open Event Viewer by clicking Start -&gt; Control Panel -&gt; System and Maintenance -&gt; and double clicking Event Viewer. I take a shortcut and click Start -&gt; Run and type in eventvwr and hit Enter.<br />
When you open Event Viewer and select the log file it will display the most recent events at the top. Depending on which log file and what options you have chosen to log, there can be an overwhelming amount of log files to review. Event Viewer includes a search and filter option. This allows you to quickly search for certain events or type in a particular event ID to filter on. This comes in handy when you have an idea of what you’re looking for. To use the search, click on the log file type (for example the application log files), then go to View -&gt; Filter. From here you have several options to choose from for filtering the search results.</p>
<p>You can also purchase software that will monitor the event logs on all your servers and analyze the logs. If you have many servers and have the budget for it I would invest in log management software. This will help automate the process of reviewing all the log files and provide automation and notification on defined events.</p>
]]></content:encoded>
			<wfw:commentRss>http://eventlogmonitoring.net/windows-server-event-logs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Event Log Analysis &#124; Auditing Log Files</title>
		<link>http://eventlogmonitoring.net/event-log-analysis-auding-log-file/</link>
		<comments>http://eventlogmonitoring.net/event-log-analysis-auding-log-file/#comments</comments>
		<pubDate>Fri, 25 Feb 2011 19:04:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://eventlogmonitoring.net/?p=26</guid>
		<description><![CDATA[Event Log Analysis is the process of monitoring log files from various devices to help detect security threats (viruses, attacks on the network, password cracking) and to ensure systems are performing without errors and applications are functioning correctly.]]></description>
			<content:encoded><![CDATA[<p>Event Log Analysis is the process of monitoring log files from various devices to help detect security threats (viruses, attacks on the network, password cracking) and to ensure systems are performing without errors and applications are functioning correctly. It is also used for forensic analysis, and to ensure organizations are in compliance with security audits.</p>
<p>Almost all devices, such as a network firewall, a Cisco switch, a Windows server or a software application, generate some kind of event log. The log data generated by each device provides valuable data that helps to proactively identify the root cause of an incident. Some organizations implement Event Log Analysis as part of their IT security practices and some do not have a choice, as they must be in compliance with industry standards (PCI compliance for example).</p>
<p>Some systems like Windows Server come with applications that allow the logs to be viewed. For example the Windows Event Logs can be viewed with an Event Log Explorer or Microsoft&#8217;s built in Event Viewer. Microsoft&#8217;s event viewer allows you to view the logs on a single system and manually analyze the data. This will work fine if you only have one or two servers in your network. Generally this is not the case. Most organizations have multiple servers, and several other devices that generate event logs. For these types of deployments you will need a centralized Event Log Analysis system to collect those logs and analyze the data.</p>
<p>In the rest of this article I describe the core components to Event Log Analysis.</p>
<p><strong>Centralized Event Log Analysis</strong><br />
As mentioned in the beginning of this article some systems provide a built in event viewer to analyze event logs. If your network is small this may be sufficient for your needs. In most cases you will want a centralized server that will collect the logs from all the devices and store them in one central location. The event log analysis software can then begin analyzing the logs and monitoring for activity and providing alerting.</p>
<p>When it comes to choosing a log analyzer you will find there are lots of options. Some are specific to a device or log type and some will handle many different types of log files such as syslog, web server logs, Windows event logs, SNMP traps, text log files and SQL Server messages. Almost all vendors will provide a demo and this is the best way to determine which one will fit your needs. Some features to look for are real time alerts, archiving, ease of use, granular control of events and report scheduling.</p>
<p><strong>Configuring devices and servers for Event Logging</strong><br />
Before you can start collecting and analyzing event logs you will have to configure the device’s logging options. Some devices such as a Cisco switch or ASA firewall output their log data as syslog. There is not much configuration on these devices: you just enable logging, choose the level you wish to monitor for, and finally tell the device where to send its logs. This is usually a centralized syslog server. On a Windows operating system it’s not that simple, because a server performs many functions and can log a wide variety of activities. As a result, Windows produces multiple event logs. The most important ones are the system, application and security event logs. If you’re going to analyze Windows Servers, which I highly recommend you do, note that auditing for security is not enabled by default. If you have several servers that you want to monitor, the best way to set up the event logs is to use Group Policy. You can create one policy and apply it to all your servers. This allows for easy control of the log files on all servers from one central location.</p>
<p>In the Windows Audit Policy you have several different policies that you can set for logging. You can choose to log success, failure or both. If you choose to log only successful attempts the logs will not show activity like failed logon attempts. If you choose to log only failed activity the logs will not show activity like when a file was accessed or when a user successfully logged on. So as you can see it is very important to take the time to configure the Event Logs correctly so that the Event Log Analysis process is effective.</p>
<p>You might think the best option would be to just enable all logging options for the different policies. However, monitoring, logging and analysis of log files puts a load on the server's processing. This process also takes up other system resources such as memory and the disk space needed to store all the log files. You need to fully understand the logging policies and options and choose what best fits your organization's needs.</p>
<p><strong>Create an Infrastructure to handle all Event Logs</strong></p>
<p>As part of the Event Log Analysis design you will need a secure and robust infrastructure to handle all the event logs. You will need to have enough storage space to not only collect the logs but to archive them if needed. Redundancy should also be considered so the system will always be available. Things to consider for redundancy are running a storage array and multiple power supplies and CPUs; the server should be located in a secure data center and backups should be run on a regular basis. If your organization has implemented virtualization then I would deploy the centralized logging server as a virtual server. Depending on storage size you may also need a lot of SAN space to allocate to the virtual server. If you have lots of remote locations you have to consider bandwidth usage as well. Since the remote locations will be sending their logs over the network to a central location, considerable amounts of bandwidth could be used.</p>
<p><strong>Summary<br />
</strong>There are several components to Event Log Analysis. The core components to this system are the analysis software, log management, and the centralized infrastructure that will be handling all of the data. Event log analysis is the process of analyzing system and device log files to provide security, error detection and policy misuse detection for an organization's infrastructure. No matter what size the organization, Event Log Analysis provides many beneficial services.</p>
]]></content:encoded>
			<wfw:commentRss>http://eventlogmonitoring.net/event-log-analysis-auding-log-file/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Event Management</title>
		<link>http://eventlogmonitoring.net/security-event-management/</link>
		<comments>http://eventlogmonitoring.net/security-event-management/#comments</comments>
		<pubDate>Tue, 22 Feb 2011 18:20:27 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://eventlogmonitoring.net/?p=23</guid>
		<description><![CDATA[Security Event Management is a system that provides log management, analysis of log files and monitoring of log files for security incidents. It is designed as a suite of security tools that can be used by IT management or infrastructure security specialists with an interest in monitoring and protecting physical and/or logical assets.]]></description>
			<content:encoded><![CDATA[<p>Security Event Management is a system that provides log management, analysis of log files and monitoring of log files for security incidents. It is designed as a suite of security tools that can be used by IT management or infrastructure security specialists with an interest in monitoring and protecting physical and/or logical assets. Implementing Security Event Management can be a large and complex process and if not done correctly can result in data loss or systems being compromised.</p>
<p>Below are the components that make up Security Event Management.</p>
<p><strong>Log Management</strong><br />
A log is a record containing information on the events and actions that have occurred on a computer system or network. Whether it be a server, firewall or an application, almost all devices generate some type of log that records information on events to the system or network. Log files were originally used only for troubleshooting, but have evolved to serve many functions within an organization. Other functions of a log file include: tracking network and system performance, monitoring user activity, recording security events (bad password attempts) and malicious activity, and monitoring for errors or device failures. Logs have matured over the years to record activity on a vast number of infrastructure devices. Some devices even generate multiple log files, one being a security event log. The security logs should not be overlooked and are the primary reason for Security Event Management.</p>
<p>Log management provides a solution for storing computer security events in detail for a specific time period. Reviewing the log files is an important step for identifying security incidents, violations of company policy and malicious activity, and for providing detailed information for resolving such problems. Log management can also be used for auditing, compliance analysis, creating system baselines, and identifying trends in your assets.</p>
<p>Log Management can be an overwhelming and challenging task but by following a few simple rules these challenges can be avoided. Below is a brief explanation of some simple steps to take when implementing Security Event Management.</p>
<p><span style="text-decoration: underline;">Identify and prioritize log management needs:</span> An organization should define its goals and requirements for monitoring log files. Resources can then be allocated accordingly to help meet those goals and reduce the risk of critical steps being overlooked.</p>
<p><span style="text-decoration: underline;">Define log management policies and procedures:</span> Policies and procedures need to be put in place to ensure that there is consistency throughout the organization. Another reason is that some organizations are audited to ensure they meet certain standards and/or laws; without policies and procedures in place these expectations would be hard to meet.</p>
<p><span style="text-decoration: underline;">Plan for a robust secure log management infrastructure:</span> A log management system will be handling a large amount of data which will contain sensitive and confidential data. When planning for a log management infrastructure, security and redundancy need to be considered, to preserve data integrity and prevent loss of data.</p>
<p><span style="text-decoration: underline;">Provide enough resources to handle the responsibilities of log management:</span> A log management system is no good unless you have the properly trained staff to handle the work load. Staff needs to understand the concepts, tools, technical details, analysis and other responsibilities that go along with log management.</p>
<p><strong>Log Analysis</strong><br />
The next component of Security Event Management is log analysis. Log analysis can be one of the most challenging components of event management, but it is also the most important. Log analysis is often viewed as a dreadful task as it is usually thought of as manually reviewing data in log files. With the right infrastructure in place most of the analysis of log files can be automated, taking less staff time and freeing resources to produce more valuable results.</p>
<p>Data within the log file can contain a vast amount of information. Along with that, each device monitored may produce a different log file format. This makes it impossible to gain a full understanding of log files. It is important to understand as much as possible about log data, but you are certainly not expected to understand all the details. The best way to gain knowledge of log files is to review and analyze small amounts on a daily basis. This will get the administrator familiar with all the different log entries and help to establish a baseline of what typical entries are being logged.</p>
<p>The beginning phase of log analysis is the most challenging. This is because it can be very time consuming to understand the importance of the log entries. Once the process has matured you will be able to establish a baseline of your log activity.  This baseline will also help streamline the analysis phase. When the administrator identifies which log entries are most important, the log files can then be filtered. Filtering allows certain events to be flagged and actions can be carried out on those flagged events. Filtering also saves system resources such as disk space and cuts down on the manual review process of log files.</p>
<p><strong>Monitoring and Responding to Security Log Events</strong><br />
The last component of Security Event Management involves monitoring and alerting on the log files. Administrators can monitor for certain events and have the system generate an alert when that event occurs. Alerts are usually sent through email or directly to a cell phone by text messaging. Once an alert has been received the administrator should follow the organization's security response procedures to address the security incident. Some common examples of events to monitor include: virus activity, large numbers of bad password attempts, port scanning, ping sweeps, unauthorized access and high bandwidth usage.</p>
<p>It is recommended that security related incidents be reported and logged. This allows management to run reports, brief staff on events and identify security holes within the organization. Over time the log configuration may need to be changed in response to security events.</p>
<p><strong>Summary</strong><br />
In summary, Security Event Management provides a solution for log management, log analysis and monitoring of logs to identify security events. By combining these components, IT staff can provide the tools necessary to monitor and protect physical and logical assets. There is no out of the box solution for securing assets. Each organization's implementation of Security Event Management will be different. This is because organizations have different environments, assets and needs for protecting against security threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://eventlogmonitoring.net/security-event-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Log Analyzer</title>
		<link>http://eventlogmonitoring.net/log-analyzer/</link>
		<comments>http://eventlogmonitoring.net/log-analyzer/#comments</comments>
		<pubDate>Fri, 18 Feb 2011 02:57:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://eventlogmonitoring.net/?p=12</guid>
		<description><![CDATA[A log analyzer is an application that runs on a server and parses through the data in a log file. A log analyzer will provide valuable statistics for the devices that you monitor. ]]></description>
			<content:encoded><![CDATA[<p>A log analyzer is an application that runs on a server and parses through the data in a log file. Log files can originate from many different devices; some of the most common are web servers, firewalls, routers, switches, and Windows Servers. Monitoring the logs from these types of devices is a task that must not be overlooked. If your goal is tracking web site statistics, tracking server issues or monitoring the firewall for attacks on your network, a log analyzer is a must have component.</p>
<p>Below is a list of some common uses, benefits and features of log analyzer software.</p>
<p><strong>Web Log Analysis Software &#8211; Tracking Website Traffic Stats</strong><br />
The online market has become very competitive because anyone can spin up a website. Competing websites can sell similar products and take business from you. Having the ability to analyze visitors to your site and track patterns and trends in those visitors is a must have. You must analyze your website traffic and integrate this knowledge into your business process. Things to consider: are you paying for traffic and is it converting, how long are visitors staying on your site, where are the visitors coming from, browser types, screen resolution and much more, all of which a web log analyzer will report.</p>
<p><span style="text-decoration: underline;">Most Important Web Site Traffic Stats</span></p>
<p>Most Web Log Analysis software will log and report on all kinds of information. Here is a list of some of the most important stats you want out of log analyzer software.</p>
<p>Unique Visitors: Refers to how many unique individuals visit your site, this stat separates returning visitors from first time visitors.</p>
<p>Return Visitors: This is a visitor who has already been to your website at some point. A return visitor is a good lead and indicates the user is interested in what your site has to offer.</p>
<p>Bounce Rate: Refers to a visitor that only went to one page on your website then left your site. The lower the bounce rate the better, because it means they like what they saw on one page so they decided to browse other pages of your website.</p>
<p>Average Time on Site: Is just what it says, it’s the average time a visitor spends on your website.</p>
<p>Average Pages Viewed: This is the average pages viewed by a visitor. A higher number indicates more interests from readers.</p>
<p>Most Viewed Pages: Will provide you with a list of pages that have been viewed the most. This provides you with very important information and gives you an idea what is most valuable to your visitors. You can use these web site traffic stats to identify new on demand products.</p>
<p>Web Traffic Sources: This is also one of the top uses for log analysis. You can see where your traffic is originating from, such as a search engine, other websites or direct visitors.<br />
Top Keywords: Log analyzer will keep stats on what keywords visitors are typing into search engines to find your site. This will give you a good idea on where you stand for specific keywords in your site.</p>
<p><strong>Centralized Management of Windows Event Logs</strong><br />
Windows event logs record critical events on computers and servers. They record activity such as when a user logs on to the computer or when an application generates an error. When these types of events occur, Windows will record detailed information about the event in an event log that can be read by Microsoft Event Viewer or a 3rd party log analyzer. The details in the logs are helpful for troubleshooting and for monitoring performance and activity on the system.</p>
<p>An event log can contain error codes, the date and time when the event occurred, the computer and user who was logged on, and other information like the event ID, source of the event and category.</p>
<p>If you only have a couple of systems whose event logs you need to monitor, the built-in Event Viewer may be all you need. If you need to manage a large number of systems then you will need a centralized event log management system.</p>
<p><span style="text-decoration: underline;">Features of Centralized Event Log Monitoring</span></p>
<ul>
<li>Get fast and cost-effective monitoring and management of the entire network</li>
<li>Increase network up-time and identify problems through real-time alerts and dashboard</li>
<li>Real-time alerts, SNMPv2 traps alerting included</li>
<li>Create custom reports</li>
<li>Centralized event logging</li>
<li>Auto-archive all events into files</li>
<li>Create rules and actions on certain events</li>
<li>Detection of Windows Events that Refer to Administrators</li>
</ul>
<p><strong>Firewall Logs Analysis and Monitoring</strong><br />
Just deploying a firewall to protect the network is not enough to keep it secure. You must also implement a log analyzer to monitor the firewall logs. The firewall logs need to be analyzed, monitored and reported on, and alerts need to be set up, so firewall log analysis is an important task to ensure network security. Firewall logs reveal a lot of information about what kind of traffic is attempting to access your internal network or servers in the DMZ (demilitarized zone). Analyzing firewall logs provides real time information to network administrators on attempted attacks, so they can swiftly initiate remediation action. Typically firewall logs are sent to a syslog server. A syslog server can provide basic alerting and reporting. To provide detailed reporting and customized alerting, you will need a log analyzer for the syslog files in addition to the syslog server. A syslog analyzer can provide the following.</p>
<ul>
<li>Quick view on what an event is</li>
<li>Report what protocols are being used</li>
<li>Display IP address information such as domain names, location</li>
<li>Perform complex searches in log files (regular expressions)</li>
<li>Send alerts on events (email, text)</li>
<li>Perform an action on certain events (run a task)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://eventlogmonitoring.net/log-analyzer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Event Log Monitoring &amp; Syslog</title>
		<link>http://eventlogmonitoring.net/event-log-monitoring-syslog/</link>
		<comments>http://eventlogmonitoring.net/event-log-monitoring-syslog/#comments</comments>
		<pubDate>Tue, 08 Feb 2011 18:52:12 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[hidden]]></category>

		<guid isPermaLink="false">http://eventlogmonitoring.net/?p=4</guid>
		<description><![CDATA[A listing of the best event log monitoring and log analyzer software. Perform network wide event log monitoring and centralized log management. ]]></description>
			<content:encoded><![CDATA[<p>Log data provides valuable insight into the health and security of a company&#8217;s IT infrastructure. Here you will be able to find the tools you need for your log management solutions.</p>
<p>The large volume of events generated by network devices is of great importance to companies who need to record information for compliance and to maintain a healthy IS infrastructure. Real time monitoring of the network is a growing demand that requires the ability to analyze and report on event log data. Having an event log monitoring system will allow you to address any incident or security concerns that may arise.</p>
<p>Monitoring the event logs can be an overwhelming task for system administrators. However, there are applications that can help meet legal and regulatory event log requirements. Event log monitoring software will help automatically process and archive logs. Rules and alerts can also be set up so administrators can be notified of the most important events occurring in the network.</p>
<p>Most systems will support a wide range of log files including Syslog, W3C, Windows event logs, SNMP traps, and firewall, router and switch logs.</p>
<p>Centralized Event Logging</p>
<p>Event Logs are constantly being generated by system events or by users. Logs are often stored locally on the device and can be located in several different locations. A Log Management System will capture event logs from multiple devices and store them centrally in one SQL database. Having event logs in one location makes them easier to manage and backup.</p>
<p>Auto Archive Event Logs</p>
<p>For compliance and responding to an incident, a large number of events may be needed for troubleshooting. A database can reach its capacity rather quickly with these types of requirements. To help with this issue Event Log Monitoring Systems will allow administrators to auto archive all events. Rules and filters can be put into place to help filter out all the junk that may not need to be saved and help save disk space.</p>
<p>Event Log Monitoring Alerts</p>
<p>Alerting is an important feature of a log management system. Triggering actions such as a script or an email alert to one or more people is a must have in today&#8217;s growing need for a healthy IT environment. The ability to generate SNMP alerts will allow a system administrator to integrate with existing monitoring mechanisms such as a Syslog server.</p>
<p>Granular Control of Event Logs</p>
<p>Event Log Monitoring helps you manage a wide range of systems and devices by enabling you to see all event logs in one central location. Administrators can obtain information from different network devices and Windows machines with a better level of granular control. Information can be processed by tagging log files and deciding what to do with that information based on certain rules defined by the administrator. These features help streamline the management of event logs.</p>
]]></content:encoded>
			<wfw:commentRss>http://eventlogmonitoring.net/event-log-monitoring-syslog/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

