Windows Event Logs - Pros/cons and best practices

Hi everyone

I've just finished adding all of my Domain Controllers to ESM and definitely see the value there.  I was hoping the group here could comment on the following questions:

  • Is there value in adding ALL of your member servers into ESM, or do you have a different strategy? 
  • Have you seen value in collecting non-SECURITY Windows event logs (e.g. APPLICATION, SYSTEM), and if so what?  Are there other valuable Event log types (and can ESM even collect/parse them?)
  • We are doing pulls via WMI - any performance issues or gotchas with the default 10-minute pull?  I'm considering a 30-min poll to lighten the load on the ERC as well as appease my SysAdmin's concerns.

For the first question, if I added all of my servers I think I would be able to ask ESM "Tell me all of the servers that user XYZ has connected to" - maybe this is prior to a termination, if they are a contractor, and/or as part of a malware/worm investigation.  Granted, it doesn't tell me what they did by itself (I guess that's where the APPLICATION or other Device Type logs come into play).


3 Replies
Level 12
Message 2 of 4

Re: Windows Event Logs - Pros/cons and best practices

We pull logs from all Windows Servers: DCs, Member Servers, Workgroup Servers. We pull all 3 default log groups: Security, System, and Application. We have 2 environments: North America with over 1,000 data sources on an older X3, and UK with far fewer Data Sources running on a newer X4. In NA we use the default 10-minute pull time (ESM from Receiver), and in the UK we are using 5 minutes. I believe the default pull time for WMI events from the Receiver is every 5 minutes. Most people are trying to make their SIEMs as close to "Real-Time" as possible; extending out your polling time to 30 minutes is not the norm for sure.

Level 9
Message 3 of 4

Re: Windows Event Logs - Pros/cons and best practices

How did you deploy this? I am currently working with a customer with a 3,000+ workstation environment. They have stated that it would be impossible to provide host names for each of the workstations, however, they want Security, System and App logs from each of the hosts! I am trying to figure out a way to appease the customer but aside from just adding the domain controllers as data sources, I am at a loss as to how to implement inside of their "can't provide hostnames" limitation. Do you know of a way to collect Windows logs from each host without creating a data source for each host on the Event Receiver?

Level 11
Message 4 of 4

Re: Windows Event Logs - Pros/cons and best practices

Remember that there are a lot of default correlation rules based on the 10-minute time window. When you are looking, for example, for user logins from different systems, you can lose some information because of delays in delivering WMI logs.

Another suggestion: create an AD Servers variable in the servers section and use that variable to filter logs regarding AD servers in correlations like "the same user logon from different computers" and similar, to exclude false-positive correlations.
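
The "same user logon from different computers" correlation from the last reply, sketched as an added example that is not part of the original posts and is not ESM rule syntax. The host names, the `AD_SERVERS` set standing in for the "AD Servers" variable, and the sample events are constructed; it assumes the false positives come from domain controllers recording a logon that really involved one workstation.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # correlation window mentioned in the thread
AD_SERVERS = {"DC01", "DC02"}    # constructed stand-in for the "AD Servers" variable

# Constructed sample logon events: (event time, user, host that logged it)
EVENTS = [
    ("2024-05-01 09:00:05", "alice", "DC01"),       # one workstation logon,
    ("2024-05-01 09:00:06", "alice", "DC02"),       # also recorded by two DCs
    ("2024-05-01 09:00:07", "alice", "WKS-014"),
    ("2024-05-01 09:02:10", "bob", "SRV-APP1"),     # three member servers
    ("2024-05-01 09:05:40", "bob", "SRV-FILE2"),    # inside one window
    ("2024-05-01 09:09:30", "bob", "SRV-DB3"),
    ("2024-05-01 09:30:00", "carol", "SRV-APP1"),   # two servers, 15 minutes
    ("2024-05-01 09:45:00", "carol", "SRV-FILE2"),  # apart: outside the window
]

def multi_host_logons(events, min_hosts=2, exclude=frozenset(), window=WINDOW):
    """Return {user: sorted hosts} for users seen on at least min_hosts
    distinct hosts inside any single window, ignoring hosts in `exclude`."""
    per_user = {}
    for ts, user, host in events:
        if host in exclude:
            continue  # AD servers never count towards "different computers"
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_user.setdefault(user, []).append((when, host))
    hits = {}
    for user, rows in per_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge until the span fits inside the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            hosts = {h for _, h in rows[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits.setdefault(user, set()).update(hosts)
    return {user: sorted(hosts) for user, hosts in hits.items()}

if __name__ == "__main__":
    print("no exclusion  :", multi_host_logons(EVENTS))
    print("AD servers out:", multi_host_logons(EVENTS, exclude=AD_SERVERS))
```

Without the exclusion the rule fires for alice, whose only real logon was on WKS-014; with it, only bob's three member servers remain.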