3 Replies Latest reply on Apr 21, 2015 10:50 AM by btkarp

    Windows Event Logs - Pros/cons and best practices

    clausonna

      Hi everyone


      I've just finished adding all of my Domain Controllers to ESM and definitely see the value there.  I was hoping the group here could comment on the following questions:


      • Is there value in adding ALL of your member servers into ESM, or do you have a different strategy?
      • Have you seen value in collecting non-SECURITY Windows event logs (e.g. APPLICATION, SYSTEM), and if so, what? Are there other valuable Event log types (and can ESM even collect/parse them)?
      • We are doing pulls via WMI - any performance issues or gotchas with the default 10-minute pull? I'm considering a 30-min poll to lighten the load on the ERC as well as appease my SysAdmin's concerns.


      For the first question, if I added all of my servers I think I would be able to ask ESM "Tell me all of the servers that user XYZ has connected to" - maybe this is prior to a termination, if they are a contractor, and/or as part of a malware/worm investigation. Granted, it doesn't tell me what they did by itself (I guess that's where the APPLICATION or other Device Type logs come into play).


      Thanks!

        • 1. Re: Windows Event Logs - Pros/cons and best practices
          rth67

          We pull logs from all Windows Servers: DCs, Member Servers, Workgroup Servers. We pull all 3 default log groups: Security, System, and Application. We have 2 environments, North America with over 1,000 data sources on an older X3, and UK with far fewer Data Sources running on a newer X4. In NA we use the default 10-minute pull time (ESM from Receiver), and in the UK we are using 5 minutes. I believe the default pull time for WMI events from the Receiver is every 5 minutes. Most people are trying to make their SIEMs as close to "Real-Time" as possible; extending your polling time out to 30 minutes is not the norm for sure.

          • 2. Re: Windows Event Logs - Pros/cons and best practices
            artek

            Remember that there are a lot of default correlation rules based on the 10-minute time window. When you are looking, for example, for user logins from different systems, you can lose some information because of delays in the delivery of WMI logs.


            Other suggestion: create an AD Servers variable in the servers section and use that variable to filter logs regarding AD servers in correlations like "the same user logon from different computers" and similar, to exclude false-positive correlations.


            Regards,

            Artek
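The two points raised so far, answering "which servers has user XYZ logged on to" from collected Security logs, and excluding the AD servers from a "same user, different computers" correlation so that the DC's own 4624 event for every domain logon does not trigger it, can be shown with a few lines of correlation logic. This is an added example, not code from the thread or from ESM: the event records are constructed to mirror the fields ESM parses from Event ID 4624 (successful logon), the host and user names are invented, and the `AD_SERVERS` set plays the role of the AD Servers variable suggested above. It also exposes the window length as a parameter so the effect of a shorter correlation window on late-arriving events can be tried directly.

```python
"""Correlating Windows Security logon events across hosts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Each mirrors a parsed Windows
# Security log record: 4624 = successful logon, 4634 = logoff.
# Logon types: 2 = interactive, 3 = network, 10 = remote interactive (RDP).
SAMPLE_EVENTS = [
    {"time": "2015-04-21 09:00:05", "host": "DC01",      "event_id": 4624, "user": "jdoe",   "logon_type": 3},
    {"time": "2015-04-21 09:01:10", "host": "FILESRV01", "event_id": 4624, "user": "jdoe",   "logon_type": 3},
    {"time": "2015-04-21 09:03:30", "host": "APPSRV02",  "event_id": 4624, "user": "jdoe",   "logon_type": 3},
    {"time": "2015-04-21 09:20:00", "host": "APPSRV03",  "event_id": 4624, "user": "jdoe",   "logon_type": 10},
    {"time": "2015-04-21 09:02:00", "host": "DC02",      "event_id": 4624, "user": "asmith", "logon_type": 3},
    {"time": "2015-04-21 09:02:45", "host": "WS-0419",   "event_id": 4624, "user": "asmith", "logon_type": 2},
    {"time": "2015-04-21 09:05:00", "host": "FILESRV01", "event_id": 4634, "user": "jdoe",   "logon_type": 3},
]

# Stands in for the "AD Servers" variable: every domain logon also produces a
# 4624 on a domain controller, so DCs must not count as a "different computer".
AD_SERVERS = frozenset({"DC01", "DC02"})


def parse_time(text):
    """Parse the constructed timestamp format used in SAMPLE_EVENTS."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def hosts_for_user(events, user):
    """Answer 'which servers has this user logged on to' from 4624 events.

    Returns a sorted list of distinct host names; this is the investigation
    query the original post wants once member servers are data sources too.
    """
    return sorted({e["host"] for e in events
                   if e["event_id"] == 4624 and e["user"] == user})


def multi_host_logons(events, window=timedelta(minutes=10), exclude_hosts=frozenset()):
    """Flag users with successful logons to 2+ distinct hosts within `window`.

    Hosts in `exclude_hosts` (the AD servers) are dropped before correlating.
    Returns {user: sorted hosts seen in the first window that triggered}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] != 4624 or e["host"] in exclude_hosts:
            continue
        by_user[e["user"]].append((parse_time(e["time"]), e["host"]))

    alerts = {}
    for user, logons in by_user.items():
        logons.sort()  # sliding window needs time order
        for i, (start, _) in enumerate(logons):
            # all logons that fall inside `window` starting at this one
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= 2:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    print("jdoe logged on to:", hosts_for_user(SAMPLE_EVENTS, "jdoe"))
    print("without AD filter:", multi_host_logons(SAMPLE_EVENTS))
    print("with AD filter:   ", multi_host_logons(SAMPLE_EVENTS, exclude_hosts=AD_SERVERS))
```

Run as-is, the unfiltered correlation flags `asmith` purely because the DC02 event and the workstation event fall within the same window, which is the false positive the AD Servers variable is meant to remove; with the filter only `jdoe` remains, having hit two member servers inside 10 minutes. Shrinking `window` (or delaying delivery of one of the events, as a slow WMI poll would) makes the `jdoe` hit disappear as well, which is the information loss described in the reply above.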

            • 3. Re: Windows Event Logs - Pros/cons and best practices
              btkarp

              rth67

              How did you deploy this? I am currently working with a customer with a 3,000+ workstation environment. They have stated that it would be impossible to provide host names for each of the workstations, however, they want Security, System and App logs from each of the hosts! I am trying to figure out a way to appease the customer but aside from just adding the domain controllers as data sources, I am at a loss as to how to implement inside of their "can't provide hostnames" limitation. Do you know of a way to collect Windows logs from each host without creating a data source for each host on the Event Receiver?