Implementing a Central Log Collection System

July EventSource Newsletter
By Danielle Ruest and Nelson Ruest

Implement a Central Collection System

Microsoft has made some considerable changes to event management in Windows Vista. But are these changes enough to help you control your entire infrastructure? This article is the last in a series that looks at Vista event management. 

As you have seen, Microsoft has made considerable changes to the Vista Event Log—changes that move it from a PC-based system to an enterprise level tool. Collecting events from remote systems is something that administrators of Windows systems have wanted to do for many years. Vista finally makes it possible. But, is the Vista event management and collection system enough in and of itself, even with its improvements? Let’s take a look.

Collecting Events with Vista Only

If you decide to run your event management strategy based on Vista’s new features, then you’ll need to configure your environment to meet the following guidelines:

  • All of the machines you will be managing must run Vista because only Vista supports the new features of the Event Log.
  • In addition, your collector system will not be a server because Windows Server 2008—the server operating system that supports the same event collection features as Vista—will not be available to the market until the end of this year. This means you will have to run this central service on a workstation, yet because it is a central service, it should really be located on a server.
  • Event automation is local to each system and must be configured as such. Of course, you could use Microsoft PowerShell to automate the collection and configuration process on each machine, but you’ll have to prepare this script yourself (see Resources).
  • There will be no centralized policy management console because each system sends information on its own to the collector. If you need to make a change to your collection policy for any reason, you will have to make it on each machine individually.
  • By default, updating each endpoint system is a manual task, unless you use the right tools such as Microsoft PowerShell to automate it.
  • It will be difficult to implement standards since each device in the collection is independent.

So, as you can see, you can do it with Vista alone, but it has some limitations.
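The Vista-only setup described in the list above, as an added example (this script is not from the article and not Prism Microsystems' code): a collector-initiated subscription that pulls logon successes and failures from two Vista workstations into the collector's ForwardedEvents log. The host names, the subscription name and the file path are assumptions; it also assumes the collector's computer account has already been added to the local Event Log Readers group on each source and that each source has run `winrm quickconfig`. Only PowerShell 1.0 features are used, since that is what shipped for Vista.

```powershell
# Added example, not from the article: prepare a Vista collector and pull the
# Security log from two source machines with a collector-initiated subscription.
# Assumptions: run from an elevated prompt on the collector; each source already
# has its WinRM listener enabled and allows the collector to read its event log.
# Host names below are placeholders.

$sources = @("source01.example.com", "source02.example.com")   # assumed names
$subscriptionFile = Join-Path $env:TEMP "security-logons.xml"   # assumed path

# 1. Enable the local WinRM listener and the Windows Event Collector service.
winrm quickconfig -q
wecutil qc /q

# 2. One <EventSource> element per machine ([string]::Join keeps this v1-safe).
$eventSourceXml = [string]::Join("`r`n", [string[]]($sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}))

# 3. The subscription itself. The query is XPath over each event's <System>
#    element; limiting it to 4624/4625 keeps the collector from being flooded
#    with every Security event the workstations produce.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityLogons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon successes and failures from Vista workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$eventSourceXml
  </EventSources>
</Subscription>
"@

Set-Content -Path $subscriptionFile -Value $subscription -Encoding UTF8

# 4. Register the subscription and show the per-source runtime status, which
#    is where a source that refuses the connection (WinRM off, missing group
#    membership) shows up as an error instead of an "Active" entry.
wecutil cs $subscriptionFile
wecutil gr SecurityLogons
```

This is exactly the per-machine burden the list describes: the subscription lives on the collector, but the WinRM listener and the group membership still have to be arranged on every source, and a change to the query means editing the XML and re-running `wecutil`.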

Requirements for a Central Collection System

If you are interested in centrally collecting events and using them to gain complete control of your distributed environment, then look to these requirements:

  • When managing distributed systems, you must have some form of centralized control and distributed processing. Otherwise, you’ll end up having to interact with each specific endpoint. A good example is software distribution. Few if any organizations today would deploy applications manually on each machine. No, every organization automates the installation process and deploys applications through a centralized systems management tool. The same should go for event management.
  • Managing events through a centralized event management system is important. You need a centralized system to update policies on all systems from one single location and automate policy deployment. You do need to collect all critical events centrally because otherwise you cannot get a global view of your systems.
  • In addition, while Microsoft has gone a long way to document events as much as possible, it is really nice to have access to a Windows event ‘expert’ to guide you towards the most important events to watch for. And, it is convenient to have access to an advanced knowledge base to demystify any Windows event.

These requirements are just a few examples of what you’ll need to have to perform complete event management in your network.

A Professional Event Management Tool

Is Vista enough on its own? Not really. The changes Microsoft has implemented make the Vista Event Log a much more solid and robust event management environment. The fact that all events are stored in XML format, the fact that Windows Remote Management now lets you manage systems through common HTTP ports and the fact that the task scheduler is now linked with event management are excellent examples of how Microsoft can implement and design a standards-based operating system. These changes make it easier for third party software manufacturers to develop comprehensive management systems and integrate them with the Vista OS.
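Two of the three features named above, the XML event format and the event-driven task scheduler, as an added example (not from the article, and not a vendor's code): it reads the collector's ForwardedEvents log as XML with `wevtutil`, counts logon failures (event 4625) per source computer and target account, and shows how `schtasks` can be triggered by the same events as they arrive. The log name and the notification script path are assumptions.

```powershell
# Added example, not from the article: consume forwarded events as XML and
# summarise logon failures per source computer. Assumes the collector writes
# forwarded Security events to the ForwardedEvents log.

function Get-ForwardedEventXml {
    param([int]$MaxEvents = 500)
    # wevtutil emits a series of <Event> elements with no document root, so
    # wrap them in one before handing the text to the XML parser.
    $raw = wevtutil qe ForwardedEvents "/c:$MaxEvents" /rd:true /f:xml 2>$null
    if (-not $raw) { return @() }
    $xml = [xml]("<Events>" + [string]::Join("", [string[]]$raw) + "</Events>")
    return $xml.Events.Event
}

function Get-LogonFailureSummary {
    param([int]$MaxEvents = 500)
    $counts = @{}
    foreach ($event in Get-ForwardedEventXml -MaxEvents $MaxEvents) {
        # <System> carries the event id and the originating computer.
        if ($event.System.EventID -ne "4625") { continue }
        $computer = $event.System.Computer
        # Named <Data> fields live under <EventData>; use GetAttribute so the
        # "Name" attribute is not confused with the element name "Data".
        $user = ($event.EventData.Data |
            Where-Object { $_.GetAttribute("Name") -eq "TargetUserName" }).'#text'
        $key = "$computer\$user"
        if ($counts.ContainsKey($key)) { $counts[$key] += 1 } else { $counts[$key] = 1 }
    }
    return $counts
}

# Print the noisiest computer/account pairs first.
$summary = Get-LogonFailureSummary
$summary.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
    "{0,5}  {1}" -f $_.Value, $_.Key
}

# Optional: let Task Scheduler react to each failure as it arrives instead of
# polling. /EC names the event channel, /MO is the same XPath filter language
# the subscription uses; the action path is a placeholder.
# schtasks /Create /TN "LogonFailureAlert" /SC ONEVENT /EC ForwardedEvents `
#     /MO "*[System[EventID=4625]]" /TR "C:\scripts\notify.cmd"
```

Because the event is XML, the same property path (`System.Computer`, `EventData.Data[@Name]`) works whether the event came from the local machine or was forwarded, which is what makes a central view of many Vista systems feasible without vendor-specific parsers.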

Vendors such as Prism Microsystems have been supporting event management for years. That’s partly because, like their customers, they know that event management is the best way to manage change in any Windows network. True event management requires a separate tool, one that is focused on event management and only on event management (see Figure 1). That’s what EventTracker does. It is Windows version agnostic in that it works with any Windows version. It supports the needs of multiple audiences such as auditors, CxOs, system administrators, security officers and Help Desk engineers. It automatically categorizes events so that you know what you’re looking at. It is linked to one of the largest databases of Windows events in the world so that you always understand what Windows is telling you. It is centrally controlled through a Web-based console so you can have access to it from any location in your network. And, it is policy-driven, letting you design a standard policy which can be applied to any node in the network from one central location. All you need is administrative access to each node.

Figure 1. EventTracker covers the entire gamut of Event Management needs

There is no doubt that if you want to manage your Windows network, whether it be Vista or not, then you need a proper event management tool—one that will support all of your needs and let you know what is going on in the network at any time. And, if you do the math right, you’ll find out that EventTracker quickly pays for itself. For example, in a network of 50 servers, implementing EventTracker could pay itself back within about four months (see Table 1)—even less if you deploy it in a virtualized operating system instead of on an actual physical server.

Costs
  Software                        $24,000.00
  Deployment Planning              $2,019.23
  Training & Consulting            $3,211.54
  Hardware                        $10,000.00
  Total Costs                     $39,230.77

Savings
  Productivity Savings            $24,062.50
  Availability Savings            $11,682.69
  Improved Support Savings         $3,164.06
  Security Savings                $12,387.92
  Usability Savings               $65,625.00
  Total Savings                  $116,922.18

Return on Investment (%)              198.04
Savings per month                  $9,743.51
Payback in months                       4.03

Table 1. Sample EventTracker Return on Investment Calculation

If you’re interested in making sure you know what is going on in your network, then look to tools such as EventTracker. If you’re moving to Vista, then do it right. Introduce complete network management and move to a managed network model. You won’t regret it. Not only will you have information at your fingertips once and for all, but you’ll also be able to take full advantage of all that Vista offers.

About the Authors

Danielle Ruest and Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server 2008 for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.

Industry News

HIPAA Audit: 42 questions that the US Department of Health and Human Service (HHS) might ask.

Everything from security to employee status to internet use

Automating the HIPAA compliance process

Like many of the other compliance standards in widespread use today, HIPAA calls for a risk-based assessment by the Covered Entity to implement safeguards to meet HIPAA compliance. Can HIPAA compliance be achieved without a log management solution? The answer to that is “perhaps”, but, especially at the larger CEs, with a considerably increased risk of information breach and audit failure. Achieving compliance also becomes an extremely labor-intensive activity.

Data Loss and ID Theft Fears Altering Consumer Purchasing Behavior

With the headlines announcing almost on a weekly basis another data breach at businesses, educational institutions and medical facilities, a recent study shows consumers are modifying their purchasing behavior, including online buying, out of concern for the security of their personal information.

Audit your organization year-round for best results, experts say

Enterprise security managers and others who work with auditors would do well to take a page out of the National Football League’s playbook, a CISO advised attendees at the Burton Group Catalyst Conference.