Former Member
Message 1 of 4

Windows Event Logs - Pros/cons and best practices

Hi everyone

I've just finished adding all of my Domain Controllers to ESM and definitely see the value there.  I was hoping the group here could comment on the following questions:

  • Is there value in adding ALL of your member servers into ESM, or do you have a different strategy? 
  • Have you seen value in collecting non-SECURITY windows event logs? (e.g. APPLICATION, SYSTEM) and if so what?  Are there other valuable Event log types (and can ESM even collect/parse them?)
  • We are doing pulls via WMI - any performance issues or gotchas with the default 10-minute pull?  I'm considering a 30-min poll to lighten the load on the ERC as well as appease my SysAdmin's concerns.

For the first question, if I added all of my servers I think I would be able to ask ESM "Tell me all of the servers that user XYZ has connected to" - maybe this is prior to a termination, if they are a contractor, and/or as part of a malware/worm investigation.  Granted, it doesn't tell me what they did by itself (I guess that's where the APPLICATION or other Device Type logs come into play).


3 Replies
Former Member
Message 2 of 4

Re: Windows Event Logs - Pros/cons and best practices

We pull logs from all Windows Servers: DCs, Member Servers, Workgroup Servers. We pull all 3 default log groups: Security, System, and Application. We have 2 environments: North America with over 1,000 data sources on an older X3, and UK with far fewer data sources running on a newer X4. In NA we use the default 10-minute pull time (ESM from Receiver), and in the UK we are using 5 minutes. I believe the default pull time for WMI events from the Receiver is every 5 minutes. Most people are trying to make their SIEMs as close to "real-time" as possible; extending your polling time out to 30 minutes is not the norm for sure.

Level 9
Message 3 of 4

Re: Windows Event Logs - Pros/cons and best practices

How did you deploy this? I am currently working with a customer with a 3,000+ workstation environment. They have stated that it would be impossible to provide host names for each of the workstations, however, they want Security, System and App logs from each of the hosts! I am trying to figure out a way to appease the customer but aside from just adding the domain controllers as data sources, I am at a loss as to how to implement inside of their "can't provide hostnames" limitation. Do you know of a way to collect Windows logs from each host without creating a data source for each host on the Event Receiver?

Level 11
Message 4 of 4

Re: Windows Event Logs - Pros/cons and best practices

Remember that there are a lot of default correlation rules based on the 10-minute time window. When you are looking, for example, for user logins from different systems, you can lose some information because of delays in delivering the WMI logs.

Other suggestion: create an AD Servers variable in the servers section and use that variable to filter logs regarding AD servers in correlations like "the same user logon from different computers" and similar, to exclude false-positive correlations.
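The two points raised in this reply (a 10-minute correlation window that late WMI pulls can defeat, and an AD-servers exclusion list) and the original question ("which hosts has user XYZ connected to?"), worked through as an added example that is not from this thread or from ESM itself. The event shape, the sample records, the `AD_SERVERS` set and the function names are all constructed for illustration; only Event ID 4624 (Windows logon) is a real identifier.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(hhmm):
    """Helper: build a timestamp on a fixed constructed date."""
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample records, not captured data: the shape a receiver might
# normalise a Security log Event ID 4624 into. event_time is the host's own
# stamp; received_time is when the WMI pull actually delivered the record.
SAMPLE_EVENTS = [
    {"user": "alice", "host": "WS01", "event_time": ts("09:00"), "received_time": ts("09:02")},
    {"user": "alice", "host": "WS02", "event_time": ts("09:05"), "received_time": ts("09:18")},  # late pull
    {"user": "bob",   "host": "WS03", "event_time": ts("09:00"), "received_time": ts("09:01")},
    {"user": "bob",   "host": "WS04", "event_time": ts("09:20"), "received_time": ts("09:21")},
    {"user": "svc_backup", "host": "DC01", "event_time": ts("09:03"), "received_time": ts("09:04")},
    {"user": "svc_backup", "host": "DC02", "event_time": ts("09:06"), "received_time": ts("09:07")},
]

# Hypothetical equivalent of the "AD Servers" variable suggested above.
AD_SERVERS = frozenset({"DC01", "DC02"})

def multi_host_logons(events, window=timedelta(minutes=10),
                      exclude_hosts=frozenset(), time_field="event_time"):
    """Return {user: sorted hosts} for users seen logging on to more than one
    distinct host within `window`, measured on `time_field`. Hosts listed in
    `exclude_hosts` are dropped first, so accounts that legitimately touch
    every DC do not trip the rule."""
    by_user = defaultdict(list)
    for e in events:
        if e["host"] not in exclude_hosts:
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[time_field])
        flagged = set()
        for i, cur in enumerate(evs):
            # Compare against every earlier event that still falls inside the window.
            for prev in evs[:i]:
                if cur["host"] != prev["host"] and cur[time_field] - prev[time_field] <= window:
                    flagged.update({cur["host"], prev["host"]})
        if flagged:
            hits[user] = sorted(flagged)
    return hits

def hosts_for_user(events, user):
    """The original question: every host `user` has logged on to."""
    return sorted({e["host"] for e in events if e["user"] == user})
```

Evaluating on `received_time` instead of `event_time` is what a receiver effectively does when correlation runs on arrival, and it is why alice's two logons, 5 minutes apart on the hosts, fall outside the 10-minute window once one record is delivered 13 minutes late.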


