Tying Windows Events and Syslogs Together
In typical Microsoft fashion they had to go and create their own version of logging, which in turn created a more convoluted IT ecosystem. As if IT didn't have enough to do. When it comes to collecting logs from several disparate systems and then trying to glean insight from them, having multiple formats is not only inconvenient, it requires additional functionality in the collectors. This is actually why Snare Open Source Agents became so popular: you could set up free Snare Agents to convert Windows event logs to syslog and streamline collection at a central server.
With all the options on the marketplace nowadays, merging syslog and Windows event data tends to be far less of a concern. There are even those who still snag our open source agents to accomplish the task in a makeshift SIEM. Still, far too many companies are not centralizing their logs, and they should remedy that immediately. Centralizing logs may seem obvious to some, but for others the benefits may be unclear until they actually start profiting from the practice. By centralizing your log collection you not only save time but improve the reliability of your logging. You create a system of record, you streamline forensics, you keep logs secure (a copy held off the originating host survives tampering or deletion on that host) and you can quickly check on the health of your systems. While any centralizing system may seem sufficient, there is one factor to keep in mind: cost.
Why? Because the data gets unwieldy as your logging needs increase in scope. When SIEM providers charge by volume of data collected, that cost can easily increase exponentially, with seemingly little you can do about it. So when you are shopping for logging solutions, you should not only make sure they can centralize your log collection but also that they help you reduce the noise, so you can efficiently manage cost.