Q: I'm looking for a Windows event log analysis tool that lets me easily search the security-related events that are written to the event logs of our Windows Server 2003 machines. Can you give us some advice on what tool we should use? What solutions does Microsoft offer in this space?
A: Microsoft provides the following solutions for central event log analysis: the EventCombMT tool, the System Center Operations Manager Audit Collection Services (ACS), and the event forwarding feature that is bundled with Windows Vista and Windows Server 2008.
EventCombMT is a Resource Kit tool that Microsoft first made available as part of the Security Operations Guide for Windows 2000 (which can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=f0b7b4ee-201a-4b40-a0d2-cdd9775aeff8&displaylang=en). EventCombMT can parse the event logs of many Windows machines at the same time. The tool allows you to define a single event ID, multiple event IDs, or a range of event IDs to search for; to limit the search to specific event logs, specific event message types, or specific event sources, or to search for specific text within an event description; and to define a time interval, counted back from the current date and time, within which to search the logs.
System Center Operations Manager (SCOM) is Microsoft’s most complete and enterprise-level solution for event and performance management. It offers tools that allow enterprises to analyze the built-in event reporting and performance monitoring of Windows and its applications. An interesting addition in SCOM 2007 is the Audit Collection Services (ACS). ACS allows events written to the security log on Windows systems to be collected and consolidated in a central database. ACS is made up of three components:
• The Audit Forwarder, which securely forwards events from Windows systems to the central ACS Audit Collector
• The Audit Collector, which consolidates the events received from the forwarders
• The Audit Database, a SQL Server-based database that houses the collected events for reporting and analysis
SCOM core features such as reporting and event alerting can be leveraged to enhance the visibility into the audit data that ACS collects. SCOM’s and ACS’ reporting is built on SQL Reporting Services. SCOM 2007 includes several reports that have been specifically built for ACS.
The last and most recent addition to Microsoft’s centralized log analysis solution set is the event-forwarding feature that Microsoft includes in the new eventing architecture and the associated event log and viewer, which together are commonly referred to as Windows Eventing 6.0. The new eventing architecture is integrated in Windows Vista and Windows Server 2008 and allows you to automatically forward and collect events from different Windows machines to a central Server 2008 or Vista computer.
To set up event forwarding, you must enable the Windows Remote Management (WinRM) service on the source computers. WinRM implements the Web Services for Management (WS-Management) protocol standards specification for remote management. For more information about WS-Management, go to http://www.dmtf.org/standards/wsman.
Microsoft has also created a WS-Management 1.1 client for down-level Windows clients. This client enables Windows XP SP2, Windows Server 2003 SP1, Windows Server 2003 SP2, and Windows Server 2003 R2 machines to forward events to a Vista machine or a Server 2008 server. You can download WS-Man 1.1 from this URL:
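The following is an added example, not part of the original answer, of what the event-forwarding setup described above looks like in practice: a collector-initiated subscription, registered on a Server 2008 collector with wecutil, that pulls failed-logon events from two source machines into the collector's ForwardedEvents log. The host names, domain name and file path are placeholders, and the sources are assumed to be domain members that already have WinRM (or the WS-Man 1.1 client on Server 2003) enabled as the text requires.

```powershell
# Added example (not from the original article). Host names, the domain
# and the file path are placeholders; the event IDs are the failed-logon
# IDs (529 on Windows Server 2003/XP sources, 4625 on Vista/Server 2008).

# 1. On each SOURCE computer (once, from an elevated prompt): enable WinRM
#    and its listener, and let the collector's machine account read the
#    Security log. Vista/2008 sources have an "Event Log Readers" group for
#    this; Server 2003 sources do not, so there the subscription must use
#    an account that already has read access to the Security log.
#      winrm quickconfig -q
#      net localgroup "Event Log Readers" "EXAMPLE\COLLECTOR01$" /add

# 2. On the COLLECTOR: enable and start the Windows Event Collector service
#    (wecutil prompts for confirmation).
wecutil qc

# 3. Describe the subscription. The <Query> body is the same XPath event
#    filter syntax the Event Viewer uses for custom views.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>FailedLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Failed logons from member servers (constructed example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=529 or EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>srv01.example.local</Address></EventSource>
    <EventSource Enabled="true"><Address>srv02.example.local</Address></EventSource>
  </EventSources>
</Subscription>
'@

$path = Join-Path $env:TEMP 'FailedLogons.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8

# 4. Register the subscription, then check that every source shows as
#    Active; a source stuck in an error state usually means WinRM is not
#    listening on it or the collector account cannot read its Security log.
wecutil cs $path
wecutil gr FailedLogons
```

Because the events land in the collector's ForwardedEvents log, they can be searched there with the normal Event Viewer filters, and ReadExistingEvents=false keeps the first connection from replaying each source's entire Security log over the network.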
There are also several third-party products available for centralized collection and inspection of Windows event logs. Examples of such products are TNT Software’s Event Log Monitor (ELM) and RippleTech’s LogCaster.
And lastly, you can also write scripts to collect event log information from remote computers and store it in a central location. The Windows 2000 Resource Kit, Supplement One includes an interesting Perl-based example called Eventquery.pl that can display the events from the Event Viewer logs on local and remote computers. It also offers filters to help administrators find specific events.
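As an added example of the scripted approach (not code from the article or from the Resource Kit), here is a PowerShell 2.0 script in the spirit of Eventquery.pl and EventCombMT: it reads the Security log of several remote machines, applies event-ID, entry-type, text and time-window filters, and writes the matches to one CSV file on a central share. Get-EventLog uses the classic event log API, so it works against Windows Server 2003 without WinRM. The computer names and share path are placeholders.

```powershell
# Added example (not from the original article). Requires PowerShell 2.0 for
# Get-EventLog -ComputerName. Names and paths below are placeholders.

function Get-CentralSecurityEvents {
    param(
        [string[]] $ComputerName,        # machines to query
        [int[]]    $EventId = @(),       # empty = any event ID
        [string]   $EntryType = '',      # e.g. 'FailureAudit'; empty = any
        [string]   $MessageText = '',    # substring of the description; empty = any
        [int]      $HoursBack = 24       # interval counted back from now
    )
    $since = (Get-Date).AddHours(-$HoursBack)

    foreach ($computer in $ComputerName) {
        try {
            # Reading the whole log remotely can be slow on a busy server;
            # the time-window filter is applied first to discard most entries.
            Get-EventLog -LogName Security -ComputerName $computer |
                Where-Object { $_.TimeGenerated -ge $since } |
                Where-Object { $EventId.Count -eq 0 -or $EventId -contains $_.EventID } |
                Where-Object { $EntryType -eq '' -or $_.EntryType.ToString() -eq $EntryType } |
                Where-Object { $MessageText -eq '' -or $_.Message -like "*$MessageText*" } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Computer  = $computer
                        Time      = $_.TimeGenerated
                        EventID   = $_.EventID
                        EntryType = $_.EntryType.ToString()
                        User      = $_.UserName
                        # flatten multi-line descriptions so each event is one CSV row
                        Message   = ($_.Message -replace "`r?`n", ' ')
                    }
                }
        }
        catch {
            # A machine that is offline or denies access should not stop the run
            Write-Warning "Could not read the Security log on ${computer}: $_"
        }
    }
}

# Failed logons (529 on Server 2003, 4625 on Vista/Server 2008) from the
# last 24 hours, collected into a single file on a central share.
Get-CentralSecurityEvents -ComputerName 'srv01', 'srv02', 'srv03' `
                          -EventId 529, 4625 -EntryType 'FailureAudit' `
                          -HoursBack 24 |
    Select-Object Computer, Time, EventID, EntryType, User, Message |
    Export-Csv -Path '\\logserver\collect\security-events.csv' -NoTypeInformation
```

Run it from an account that has read access to the Security log on every target; the resulting CSV can then be searched or pivoted centrally, which is the same end result EventCombMT's text and event-ID filters give you interactively.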