3:33 PM -- In my previous blog, I extolled the virtues of centralizing your logs for reasons such as security and compliance. It's definitely not a new concept -- *nix (Linux, Unix, BSD, etc.) sysadmins have been doing it for years. (See Log Central.) But only a fraction of the Windows sysadmins I've spoken with over the years do it. Those who don't must check critical servers manually, or run a tool like LogParser to grab events of interest from a couple of servers as they drink their morning coffee.
All that wasted time can be directly attributed to a failure on Microsoft's part to provide the proper tools for centralizing logs. In 2003, Microsoft announced a beta version of its Audit Collection Services (ACS or MACS), with a proposed release in early 2004. I was very excited at the time because I was responsible for the security of a large number of Windows machines, and the tool was going to be free, which fit our small IT budget well. But it was never released.
Fast forward to today. There's a great feature called Audit Collection Services within Microsoft System Center Operations Manager 2007. (I haven't looked at the pricing but I'm guessing it might be "free" with the purchase of System Center.) There are three pieces to ACS: the forwarder (or agent), collector, and database. The database is, of course, a Microsoft SQL Server that uses Reporting Services to analyze the audited events.
But if Systems Center is out of your price range, there are several free and inexpensive solutions available as well. There are a couple of freeware tools currently under active development that get event logs to a central location -- Intersect Alliance's Snare Agent and LogLogic's Project Lasso. And it's no coincidence that both are being developed by commercial log vendors who hope that if their free tool meets your needs, you may decide to invest in their centralized logging and monitoring products.
Both Snare and Lasso work by sending Windows Event Logs to a central syslog server. The primary differences are that Snare provides a GUI for configuration and can filter events to send only the ones you want. Lasso's configuration is through a text file and there are no filtering capabilities. Some may see this as a serious drawback for Lasso, but it does make it a little less resource-intensive than Snare. So Lasso is a better choice for heavily loaded servers or for organizations that want to capture everything.
These tools send logs to a syslog server, so you'll need to choose one. If you've got a *nix sysadmin on staff, utilize her skills to set up and administer a central *nix-based syslog server. For Windows-only IT shops, there's the Kiwi Syslog Daemon, a free and highly capable syslog server. There's also a commercial version for less than $200 that has some enterprise-friendly features such as logging to an ODBC database, advanced filtering, and larger buffer to prevent dropped events when under heavy load.
Intersect Alliance and LogLogic also sell more expensive, commercial solutions, but testing the low-cost alternatives may help you demonstrate the value of these solutions to your CIO. Look for features such as event correlation to identify attacks or possible hardware failure, compliance-oriented reporting, and multi-user access based on roles and central directories (LDAP, AD, etc.).
Just because Microsoft doesn't make it easy or cheap, don't let that keep your organization from meeting compliance requirements, nor from missing compromised hosts or insider attacks. Now go forth and centralize those Windows Event Logs.
John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading