Starting with Windows Vista, the Windows event logs appear to be inundated with thousands of messages, some pure clutter, informing the user about every little detail an application does. Amongst these useless messages, an error may be easily missed even by a watchful eye.
Even when the errors are noticed, in many cases they are rather cryptic, undocumented, and very often misleading about the actual source of the problem. In their effort to provide as much information as possible about how the application is performing, Microsoft and other leading developers have rendered the event logs almost useless. Gone are the XP days, when quite often a single event clarified the issue.
At the same time, with hardware becoming a commodity, more and more servers are thrown at the (already) overworked administrators, with the expectation that they be monitored rigorously. Various monitoring solutions are available on the market, some quite complex, but many try to do too much or report the wrong things. The cost of such a solution may also become an issue, even for smaller companies, and adds yet another burden to the administrators' shoulders.
With EvLog 3.0 we are trying to eliminate the clutter, allow the user to quickly look for troubleshooting information and provide a more graphical view of the events being recorded on a particular server.
Here are the main points about the philosophy behind EvLog:
1. In most cases, you only care about the events of the last 24 hours.
2. The administrator should receive a daily report on what happened, event-wise, on each server.
3. It should be easy to look up troubleshooting information about a particular event.
4. It should be easy to filter the types of events reported and ignore those deemed irrelevant.
5. Anomalies should be detected and reported accordingly.
6. Backups of event logs should be kept for future reference, especially for security-related events such as logins and logouts.
So, how can EvLog assist with the issues mentioned above? Here is how, point by point:
2015-01-18 13:11:13 System3.Warning 127.0.0.1 Jan 18 13:11:13 AGWIN7 1/18/2015 6:24 AM,1014,Warning,Microsoft-Windows-DNS-Client,System,Name resolution for the name 2015.ausopen.com timed out after none of the configured DNS servers responded.
2015-01-18 13:11:13 System3.Error 127.0.0.1 Jan 18 13:11:13 AGWIN7 1/17/2015 10:23 PM,36888,Error,Schannel,System,The following fatal alert was generated: 10. The internal error state is 10.
The text-based backups, whether they are EvLog backups or syslog logs, are highly compressible, easy to store in a central location, and easy to keep according to the log retention policy.
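As an added example (not EvLog's own code), the following Python script parses forwarded event lines in the layout shown above (receive time, facility.severity, relay address, syslog timestamp, host, then the comma-separated Windows event payload) and produces the kind of 24-hour summary described in points 1, 2 and 4: events outside the window are dropped, (source, event ID) pairs on an ignore list are skipped, and lines that do not match the layout are counted as rejected instead of crashing the report. The field names, the ignore list, the reference time `NOW` and the extra sample lines are assumptions made for the example; the first two sample lines are the ones shown on the page.

```python
"""Parse syslog-forwarded Windows events and build a last-24-hours report.

Illustrative example only; it is not EvLog's implementation. Field names,
NOW, the ignore list and the extra sample lines are constructed here.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input. Lines 1 and 2 are the ones shown on the page;
# line 3 is an older event outside the 24-hour window, line 4 is malformed.
SAMPLE_LINES = [
    "2015-01-18 13:11:13 System3.Warning 127.0.0.1 Jan 18 13:11:13 AGWIN7 "
    "1/18/2015 6:24 AM,1014,Warning,Microsoft-Windows-DNS-Client,System,"
    "Name resolution for the name 2015.ausopen.com timed out after none of "
    "the configured DNS servers responded.",
    "2015-01-18 13:11:13 System3.Error 127.0.0.1 Jan 18 13:11:13 AGWIN7 "
    "1/17/2015 10:23 PM,36888,Error,Schannel,System,"
    "The following fatal alert was generated: 10. The internal error state is 10.",
    "2015-01-18 13:11:14 System3.Error 127.0.0.1 Jan 18 13:11:14 AGWIN7 "
    "1/15/2015 9:00 AM,36888,Error,Schannel,System,"
    "The following fatal alert was generated: 10. The internal error state is 10.",
    "garbage that is not an event",
]

# Assumed reference time for the report: the receive time of the sample lines.
NOW = datetime(2015, 1, 18, 13, 11, 13)

# Assumed ignore list (point 4): drop the DNS client timeout noise.
IGNORE = frozenset({("Microsoft-Windows-DNS-Client", 1014)})

# One regex for the whole line: syslog envelope, then the CSV payload. The
# message is taken as "everything after the fifth comma" so commas inside
# the message text do not break parsing.
LINE_RE = re.compile(
    r"^(?P<recv_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) "
    r"(?P<relay>\S+) "
    r"(?P<syslog_ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<event_ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M),"
    r"(?P<event_id>\d+),(?P<level>[^,]+),(?P<source>[^,]+),(?P<log>[^,]+),"
    r"(?P<message>.*)$"
)


def parse_event(line):
    """Return a dict of fields for one forwarded event, or None if the line
    does not match the expected layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    # The Windows-side timestamp ("1/18/2015 6:24 AM") is the event time;
    # the syslog timestamp only says when the relay received it.
    ev["event_time"] = datetime.strptime(ev["event_ts"], "%m/%d/%Y %I:%M %p")
    return ev


def daily_report(lines, now, ignore=frozenset()):
    """Count events whose event time falls in the 24 hours before `now`,
    keyed by (host, source, event_id, level). Events on the ignore list and
    events outside the window are skipped; unparsable lines are counted
    separately so a report never silently loses input."""
    window_start = now - timedelta(hours=24)
    counts = Counter()
    rejected = 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            rejected += 1
            continue
        if (ev["source"], ev["event_id"]) in ignore:
            continue
        if not (window_start <= ev["event_time"] <= now):
            continue
        counts[(ev["host"], ev["source"], ev["event_id"], ev["level"])] += 1
    return counts, rejected


def run_sample():
    """Build the report for the constructed sample with the assumed settings."""
    return daily_report(SAMPLE_LINES, NOW, IGNORE)


if __name__ == "__main__":
    counts, rejected = run_sample()
    for (host, source, event_id, level), n in sorted(counts.items()):
        print(f"{host:8} {level:8} {source:30} {event_id:6} x{n}")
    print(f"unparsable lines: {rejected}")
```

Keeping the rejected-line count in the report matters in practice: a relay that changes its line format, or a truncated backup, otherwise shows up as a suspiciously quiet server rather than as a parsing problem.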
Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.
Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.