Solutions for the Maintenance of Event Logs
eventlogs.com

Auditing Log Files

Perhaps the most intimidating part of event log management is mining the log files that have been archived. The intimidation comes first and foremost from the amount of data through which one must sift.

Careful planning of the log archival itself makes auditing event logs much easier. Event Viewer is hardly the tool for finding that "needle in a haystack" event or group of events: its ability to filter or quickly scan large groups of events is limited.

When planning event log auditing, report contents and report formats are usually the greatest concern. However, ease of use, report flexibility, and reliability in event log report generation should be the greatest concern; all of these affect the return on investment in your auditing solution.

Factors to keep in mind when evaluating event log reporting software solutions include:

  • What report formats are available?

  • How much of your work is already done for you in prepackaged event log reports that ship with the event management software?

  • Are you tied to a particular format? Will HTML output, and the availability of that HTML report to multiple users, play a role?

  • Can customized filters be easily recalled for repeat use?

  • From what data sources can reports be generated? Does it include EVT, text, Microsoft Access, and ODBC?

  • Will the solution be compatible with your event archiving solution?

  • Will it require much input from in-house report and/or database specialists? If so, do you have those resources, and how much will that add to your investment?


Other resources:

Event Analyst
Event Analyst is a tool for mining, filtering, and sifting through event log files. The software also provides automatic event log reporting with already prepared and customized reports.