Event Log Management and Maintenance Strategies
eventlogs.com

Auditing Event Logs
Increasingly, companies and other organizations are required by law to retain vast volumes of log information in anticipation of an audit that may come many weeks or months later. When auditors come knocking at the door, IT staff need to be in a position to quickly recall certain types of data from a given date range, and also to present the auditors with a copy of that data in various formats.

Collecting event log entries into databases

If the speed of recalling log entries is of concern to an organization in the face of an audit, a database system should be employed in the storage and organization of event log entries. By default, most event log entries are stored in flat files located throughout an organization's many servers. Attempting to traverse many different flat files in search of certain types of events is cumbersome for an administrator facing an audit. When event log data is routinely collected into a database, that same data can be indexed and optimized for fast retrieval. Moreover, when event log entries are stored this way, cross-computer analysis is made much easier, allowing administrators to produce a top-down view of all of their servers when preparing data for an audit, or even for general trend analysis.

Retaining event log entries in native formats

While placing event log entries into a database server has many benefits, in many cases it is also important to hold on to the logs in their original format, so as to provide compelling forensic evidence if it is ever needed in a court of law. Furthermore, database storage of event logs often requires significantly more space than the original files themselves, so it is much more costly and labor-intensive to maintain many years' worth of entries in a database. Many organizations have opted to keep event log data in both formats to satisfy both analysis and long-term auditing needs.

Routine reporting on trends and activity

Once a data storage format is chosen (database, flat files, or both), it is important to routinely mine the data for trends and different sorts of activity. Since many network administrators do not have the time to be full-time database administrators, it is important that whatever system is used to generate reports is flexible, reliable, and automated. Preferably, a reporting solution will shield administrators from the finer points of database administration, but will remain flexible enough to provide customized reporting and filtering capabilities, if very specific types of data are sought during an audit.
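As an added example (not software from eventlogs.com and not code from this page), the following Python script carries the three strategies above through on constructed sample entries: it loads flat-file entries from several servers into an indexed SQLite table, records a SHA-256 of the untouched native file so the retained original can later be matched to the database, and runs a date-range recall and a per-host trend report. The one-line log format, host names and event IDs are assumptions made for the example.

```python
import hashlib
import sqlite3

# Constructed sample entries from three servers in a simple "native" flat-file
# form (host, ISO timestamp, event ID, message). Not real logs.
NATIVE_LOG = """\
srv-dc01 2024-03-01T08:15:02 4624 An account was successfully logged on
srv-dc01 2024-03-01T08:16:40 4625 An account failed to log on
srv-file02 2024-03-02T09:01:11 4625 An account failed to log on
srv-file02 2024-03-02T09:01:15 4625 An account failed to log on
srv-web03 2024-03-05T23:59:59 1102 The audit log was cleared
srv-web03 2024-03-06T00:00:01 4624 An account was successfully logged on
"""

def ingest(conn, native_text, source_name):
    """Load native entries into an indexed table and record the original
    file's SHA-256 so the retained flat file can be matched to the database."""
    conn.execute("CREATE TABLE IF NOT EXISTS events "
                 "(host TEXT, ts TEXT, event_id INTEGER, message TEXT, source TEXT)")
    conn.execute("CREATE INDEX IF NOT EXISTS idx_ts_eid ON events (ts, event_id)")
    conn.execute("CREATE TABLE IF NOT EXISTS sources (name TEXT PRIMARY KEY, sha256 TEXT)")
    digest = hashlib.sha256(native_text.encode()).hexdigest()
    conn.execute("INSERT OR REPLACE INTO sources VALUES (?, ?)", (source_name, digest))
    rows = []
    for line in native_text.splitlines():
        host, ts, event_id, message = line.split(" ", 3)
        rows.append((host, ts, int(event_id), message, source_name))
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return digest

def query_range(conn, start, end, event_id):
    """Audit-style recall: one event type in [start, end) across all hosts.
    ISO-8601 timestamps sort correctly as strings, so the index is usable."""
    cur = conn.execute("SELECT host, ts, message FROM events "
                       "WHERE ts >= ? AND ts < ? AND event_id = ? ORDER BY ts",
                       (start, end, event_id))
    return cur.fetchall()

def trend_report(conn):
    """Routine report: count of each event ID per host (cross-computer view)."""
    cur = conn.execute("SELECT host, event_id, COUNT(*) FROM events "
                       "GROUP BY host, event_id ORDER BY host, event_id")
    return cur.fetchall()

def verify_source(conn, source_name, native_text):
    """Check that a retained native file still matches the hash taken at ingest."""
    row = conn.execute("SELECT sha256 FROM sources WHERE name = ?", (source_name,)).fetchone()
    return row is not None and row[0] == hashlib.sha256(native_text.encode()).hexdigest()

def build_demo():
    conn = sqlite3.connect(":memory:")
    ingest(conn, NATIVE_LOG, "constructed-export.log")
    return conn
```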


Other resources:

Event Archiver
Software capable of routine collection of event logs into a variety of different data formats.

Event Analyst
Software capable of advanced event log reporting, data mining, and data exporting.