
An Executive's Guide to

Event Log Management Strategy

By Ipswitch, Inc.
Network Management Division

www.whatsupgold.com
October 2010

Table of Contents
Executive Summary
Introduction
An Overwhelming Amount of Data
Identifying the Problems and Solutions
Today's Standards and Challenges
    Collecting Log Files
    Monitoring Log Files
    Analyzing Log Files
    Routine and On-the-Fly Log Review
Fire It Up and Forget It
A Real-World Scenario
A Better Scenario, A Better Solution
Conclusion
WhatsUp Event Log Management Summary

Executive Summary
Event log management (the monitoring, collection, consolidation, and analysis of log files) has become a necessary and expanding
burden for network security professionals and IT administrators.
Having multiple servers running different operating systems, with several log types on each machine, generates a vast amount of
log data. When routers, firewalls, and other devices such as VPN concentrators are added, the volume of data that must be kept readily
accessible is staggering. A single Microsoft Windows Server event log can generate over one gigabyte of log data in a single
24-hour period. Multiply this by the number of servers in an organization, then by the length of time log files must be
retained, and the maintenance task appears unmanageable. Add firewalls, VPNs, routers, web-based applications, the new EVTX log
format, and a growing number of telecommuters working from public locations, and the workload looks unbalanced to the point of
failure.

Introduction
Event logs allow administrators to look back at the recent history of a server or network device and see trends, failures, successes,
and other information vital to the organization. In real time, they can also provide indicators of Trojan and malware infections across
machines and networks. Event logs also hold potentially valuable forensic evidence. In the aftermath of a network security breach,
the event logs typically hold the record of how it happened and when it happened, and with it the keys to preventing
another breach.
Because it can provide both a frontline defense and the pieces to assemble in a forensic investigation, the event log is now a
central component of network security. Many organizations have no choice but to develop a log management strategy, because compliance
with regulatory acts and standards such as Sarbanes-Oxley or HIPAA hinges on it.

An Overwhelming Amount of Data


The amount of log data that a server or network of machines generates fluctuates with configuration, network traffic, and
topology, so it is difficult to estimate average log output with confidence. Even so, in an organization with 20 servers (let's assume
five log types per server), plus routers, switches, a VPN, and firewalls, the amount of data collected daily is staggering.
A rough daily estimate for such an environment is:

    (Number of servers x logs per server + Number of syslog devices x logs per device)
    x 2 megabytes per log per hour (assumed average)
    x 24 hours

For the 20 servers alone that is 100 logs x 2 MB x 24 hours, roughly 4.8 GB per day, before a single syslog device is counted.
In a typical Microsoft Windows environment, each server has at a minimum three logs (Application, Security, and System). These logs
receive information from running processes and the applications in use on the server. From print spoolers to Exchange services, each
log fills with events both malicious and benign. When an IT administrator investigates why a particular incident is happening or has
happened, she will most likely wade through thousands of unrelated events looking for that needle in the haystack.

Regardless of whether log management has been deemed necessary because of internal security policies or because of
compliance with an external standard, manual management of log files is not an option: the task is simply overwhelming
and the results are unreliable. Who could honestly accept the liability of tracking each and every event generated on a network?
Automation of routine log management tasks is now a necessity, both because of the resource requirements and because of the burden
of responsibility.

Identifying the Problems and Solutions


Being able to monitor event logs gives an administrator a substantial advantage: threats can be identified early rather than investigated
after the fact. A sound event logging strategy is the centerpiece of any organization's big-picture network security plan, and the
presence of event monitoring within that strategy is what distinguishes a proactive plan from a reactive one.
It is well established among network security professionals that the greatest threats to network security are internal; they often
originate in the same building, perhaps the same floor, and often right down the hall. The source may be a disgruntled employee, a
curious staff member in the payroll department, or a bored sales representative.
When threats are external, they are likely to be the same worm or virus that is ravaging your PCs at home. Make no mistake, the
hardware devices that combat malware are still helpful. However, simpler and less expensive event log management software can
be just as effective, or more effective, in defending networks, and an event management strategy is most effective against
the internal threat. Tracking failed password attempts, file and folder access, and successful versus failed log-ons and log-offs is
easily handled with a comprehensive log maintenance strategy.
Many fail to see how effective event management can be against today's high-profile external threats. Consider a typical
layered design with a screening router. Access Control Lists (ACLs) on the screening router allow certain IP traffic to pass to a
firewall, where packets are inspected and run against further ACLs and rules. Once traffic has passed through these layers, it reaches
the servers holding the application or service in use, and the activity is logged in one of the event logs on the server.
In addition to the events logged by the application or service, the routers and firewalls generate logs as the traffic passes through
them. The ability to view, search, and be remotely alerted to specific events from these devices, applications, and services is
invaluable. Still, routine network traffic generates a great deal of non-threatening event noise, repeated countless times daily, so
discriminating event log monitoring is a must. Automating event monitoring (setting the parameters for the events of interest)
enables administrators to act quickly and, more importantly, early.
In today's malware-of-the-month environment, the ability to sift through events automatically and in real time may well determine
which networks survive.


Today's Standards and Challenges


Collecting Log Files
This is where auditing rounds out an organization's log maintenance strategy: first, the collection and consolidation of log files
for future reference, and second, the ability to quickly and easily sift through and report on the collected data. Some choose to bypass
the collection and long-term storage of log files. But for a truly comprehensive approach to log management, one that could support
a law enforcement investigation if necessary, collection and retention are required.
Standards set forth by regulatory acts, government agencies, and network security industry bodies require that vast amounts of log
data be archived and readily accessible for auditing at a moment's notice. In many circumstances the United States Armed
Forces, for example, require that event logs be stored for five or even seven years. A manual solution to this is simply not possible.
Often, in dealing with these requirements, administrators have been forced for one reason or another to create homegrown
scripted solutions. The problems with these makeshift solutions are numerous: not only is the scripted work a proprietary one, but it
is often tied to a member of the organization who eventually leaves for greener pastures. The undocumented event collection script,
however, stays with the organization for years. Furthermore, consistency and reliability are a continual issue with scripted
collection, as the scripts are rarely tested the way that enterprise software packages are. Add to the mix the recent log format shift
from EVT to EVTX, and the homegrown route is a minefield of IT headaches and resource drain.

More and more, the WhatsUp Event Archiver log consolidation and collection software is becoming the solution of choice for IT
groups caught between tighter resources and expanding requirements. Automating reliable and consistent collection and consolidation
of log data means fewer resources need be devoted to the project from day one. In addition, network security professionals facing
data retention requirements of months or more should seriously consider compression capability, which WhatsUp Event Archiver
includes. Otherwise, the costs of storage and of manual collection and compression add up surprisingly over time.
Finally, flexibility in log collection and storage type matters both in how the solution fits into an organization's network
infrastructure and in reliability when the data is called upon. Keep in mind that event collection in a database provides easy
searching and filtering, while compressed storage of the original logs provides the most reliable resource for future use of the log
file in an investigation. For these reasons, WhatsUp Event Archiver supports a wide variety of storage types and formats.
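Consolidating Windows event records and syslog records into one searchable store, as described above, means first normalizing both into a single record layout. The following is an added example, not Ipswitch's code and not from this guide: it parses a Windows event exported in the standard Event XML schema (the layout `wevtutil qe ... /f:xml` produces) and classic BSD syslog lines into one schema and orders them by time. All sample records are constructed; the syslog year is an assumption because BSD syslog timestamps carry none, and the field names TargetUserName, WorkstationName and IpAddress are the ones a Security log logon-failure record carries.

```python
"""Normalize Windows event XML and BSD syslog lines into one record schema.

Added example, not Ipswitch code. All sample input below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Default namespace of the Windows Event XML schema (tags are {ns}System etc.)
EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: one Security-log logon-failure record as exported in XML
WINDOWS_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2010-10-05T14:02:11.123456Z"/>
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc_sql</Data>
    <Data Name="WorkstationName">LAPTOP-SUB01</Data>
    <Data Name="IpAddress">10.1.5.77</Data>
    <Data Name="Status">0xc000006d</Data>
  </EventData>
</Event>"""

# Constructed sample: two BSD syslog lines, one from a firewall, one from a router
SYSLOG_LINES = [
    "<134>Oct  5 14:02:13 fw01 kernel: DROP IN=eth0 SRC=10.1.5.77 DST=10.1.1.10 PROTO=TCP DPT=445",
    "<85>Oct  5 14:02:15 rtr01 sshd[2211]: Failed password for admin from 10.1.5.77 port 51022 ssh2",
]

# <PRI>MMM dd HH:MM:SS host tag[pid]: message  (day may be padded with two spaces)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def parse_windows_event(xml_text):
    """Flatten one Windows Event XML record into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find(EVENT_NS + "System")
    ts = system.find(EVENT_NS + "TimeCreated").get("SystemTime")
    # SystemTime is UTC ISO-8601 with fractional seconds and a trailing Z
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    fields = {d.get("Name"): (d.text or "") for d in root.iter(EVENT_NS + "Data")}
    return {
        "source": "windows",
        "time": when,
        "host": system.findtext(EVENT_NS + "Computer"),
        "event_id": int(system.findtext(EVENT_NS + "EventID")),
        "channel": system.findtext(EVENT_NS + "Channel"),
        "provider": system.find(EVENT_NS + "Provider").get("Name"),
        "fields": fields,
    }


def parse_syslog_line(line, year=2010):
    """Parse one BSD syslog line; the year is assumed (the format has none)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group("pri"))
    stamp = "%d %s %s %s" % (year, m.group("mon"), m.group("day"), m.group("time"))
    when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "source": "syslog",
        "time": when,
        "host": m.group("host"),
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def consolidate(windows_xml_records, syslog_lines):
    """Merge both sources into one time-ordered list of records."""
    records = [parse_windows_event(x) for x in windows_xml_records]
    records += [parse_syslog_line(l) for l in syslog_lines]
    records.sort(key=lambda r: r["time"])
    return records


if __name__ == "__main__":
    for r in consolidate([WINDOWS_XML], SYSLOG_LINES):
        print(r["time"].isoformat(), r["source"], r["host"], r.get("event_id") or r.get("tag"))
```

Stored in a database table keyed on time, host and source, records in this shape give the easy searching and filtering the text describes; the original exported files, compressed, remain the evidence of record.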
Monitoring Log Files
Operational issues can arise directly from your infrastructure or from the actions of rogue users or external threats that can
potentially harm your business. For the latter, there is no better strategy than to actively monitor the event logs across your
infrastructure. Whether it involves multiple attempts on a login screen that look suspicious, an unexpected change in user rights, or
unauthorized data access that can lead to an information breach, these and other network security threats can happen at any time.
Running behind the scenes as a set of Windows services, WhatsUp Event Alarm constantly watches over log files, immediately sending
out alert notifications at the first sign of trouble. With advance warning from WhatsUp Event Alarm, network personnel can initiate
investigation and triage processes as per their established security policies and compliance requirements.


With WhatsUp Gold's Event Alarm you can:

- Monitor your Windows Event logs (EVT and EVTX) and Syslog files for specific event occurrences
- Send notifications to stakeholder groups via multiple modes of communication
- Choose from more than 100 different pre-packaged alarms covering commonly tracked events
- Allow flexible grouping and customization for highly contextual alarming
- Initiate rapid response processes for operations triage and resolution
Analyzing Log Files
Though most understand the importance of the EVT format as the preferred format of record, internal requirements are often not
specific about how log files are to be kept, read, or filtered when called upon. As a result, many IT teams are just one request
from upper management away from a wild goose chase that could drain administrator resources, not to mention test their sanity,
for several days. A well-written event log strategy requirement should state not only that log files are to be kept for a certain
period of time, but also that they are to be stored in a specific type of database readily accessible to administrators via a specific
method. This still leaves administrators with the burden of how, and in what format, to report the findings from filtering through the
log stores.
Even more so than collection, event filtering, reporting, and analysis require a level of stability, flexibility, consistency,
and reliability that can only be found in a tested enterprise tool built for this specific need. There are a number of ways in which log
data may be stored, and these vary even within the same IT organization.
WhatsUp Event Analyst supports the same databases and formats that WhatsUp Event Archiver supports, from Access to SQL,
with support for Oracle when used in conjunction with WhatsUp Event Archiver. The reporting capability is just as flexible, with
options including an HTML report e-mailed to a particular mailbox at a specified time.
The benefits of easier and faster event log filtering and reporting are not realized only on the one or two occasions when evidence is
required for an investigation of a security breach on your network. Automated event analysis also gives IT teams a distinct advantage
when showing current hardware loads and hard data as evidence of trends, invaluable when budget time rolls around again.
On-The-Fly Log Review
Often, routine incidents simply require a quick review of the related events on the computer at the scene. A report isn't necessary,
and management doesn't need to be bothered.
In the past, administrators relied on the tried and true Windows Event Viewer. However, even the latest versions of this native tool are
cumbersome: they display events in a flat linear list, and their limited capabilities make even basic trending between events
difficult.
WhatsUp Event Rover provides a convenient option when WhatsUp Event Analyst's more robust reporting capabilities would be
overkill for the job. WhatsUp Event Rover is a tool for ad-hoc log viewing and mining, providing a tree-view interface for event
review, a major improvement over the limited scanning capabilities of Event Viewer.
In addition, WhatsUp Event Rover provides exclusive technology that assists with the special handling that later EVTX-format
events can require. For more information on Ipswitch's EVTX capabilities, contact a sales specialist or consult one of Ipswitch's white
papers concerning the EVT to EVTX format shift.

Fire It Up and Forget It


Even though your organization's primary interest in a log management strategy may be compliance or automation of routine
IT administrative tasks, a comprehensive event log management strategy can be the centerpiece of any bigger-picture network
security plan. Event log tools have a unique ability to assist in real time at the front line as well as in the aftermath of network security
incidents.
In a system with so many operational parts, further complicated by expanding demands and diminishing human and financial
resources, minimizing operational overhead for servers, people, uptime, and budget is paramount. Ipswitch's WhatsUp Event Alarm,
WhatsUp Event Analyst, and WhatsUp Event Archiver are efficient and effective automated solutions for this central piece of an
overall security plan. Concentrated control of all server event logs and of past archives has been a significant advantage
for those IT administrators who have implemented a log strategy, and it is rapidly becoming a necessity for all networks. For more
information on how these modules work together as the only patented Total Event Log Management Solution, visit the
event log management section at www.whatsupgold.com.
And, though this guide's scope is limited to the Windows event log, don't forget that Ipswitch's log management solutions include
support for syslog-generating machines and devices. Syslog support is provided via WhatsUp Event Alarm. More information on
these capabilities is provided in the WhatsUp Event Alarm documentation, online and accompanying the software.

A Real-World Scenario
The latest Microsoft vulnerability is announced on the security lists, and within 12 hours a new and dangerous Trojan is sweeping
the Internet. A large organization with a typical IT staff is busy applying the patch to its Windows-based servers. All goes well and
time passes.
After several days, the Help Desk begins getting reports of domain account lockouts. When the calls become incessant,
the IT administrators begin to see their system accounts (such as the Exchange and SQL Server accounts and administrative service
accounts) getting locked out with alarming frequency.
Administrators check the log files on the servers and are distressed to see that no single account is being
used to cause the lockouts. Also, the IP addresses and machine names are not showing up in the logs as they should.
In fact, the logs are so full that they have been overwriting themselves for several hours, and all the events they contain
are virtually useless. The administrators are now faced with a mountain of log information that will take
many hours to pore through manually, and in the end their work might well prove an exercise in futility.

A Better Scenario, A Better Solution


The same organization, with the same staff, spends the same amount of time busily applying the latest Windows
patch. Several days later one of its server event logs trips an Event Alarm notification, reporting that successive
account lockouts have occurred. An administrator is paged and looks into the problem.
The administrator finds that accounts are indeed being locked out rapidly, and discovers that a specific machine is causing the
problem. That machine is quickly located and disconnected from the network. Administrators and other IT staff then turn to
the log stores collected with WhatsUp Event Archiver and, with WhatsUp Event Analyst, rapidly filter the data to find exactly
when the machine became infected. In this case the infected machine belonged to a subsidiary and had been
physically brought into the building for an on-site meeting. It had not been patched and updated because it was not on the
corporate domain. Checking through the logs, administrators are able to see the Windows machine name (NetBIOS)
and the user accounts with which it was attempting to conduct the breach.
Instead of spending hours trying in vain to troubleshoot the problem, find the infected machine, and squash the bug, IT staff
were able, because of a sound and comprehensive event log management solution, to diagnose and repair the problem before
major damage and downtime occurred.
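The lockout detection and source attribution in this scenario, together with the tracking of failed log-ons mentioned under "Identifying the Problems and Solutions" and the suspicious-login monitoring under "Monitoring Log Files", as an added example in Python. It is not Ipswitch's code; the guide describes the product's behavior but shows none. It assumes the standard Windows Security log event IDs 4740 (account locked out, which carries the caller computer name) and 4625 (failed logon, which carries the workstation name and source IP); the guide itself names no IDs. The event records are constructed: one benign lockout, then a burst from one unmanaged laptop, including records whose machine name is blank, the failure the first scenario describes. The threshold (three distinct accounts in five minutes) is an assumption chosen so that a single user mistyping a password does not alert.

```python
"""Detect an account-lockout storm and name the machine behind it.

Added example, not Ipswitch's code. Event IDs and record fields follow the
standard Windows Security log; all records below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT, FAILED_LOGON = 4740, 4625


def _t(minute, second=0):
    """Constructed timestamps, all on one morning."""
    return datetime(2010, 10, 5, 9, minute, second)


# Constructed sample: a benign lockout at 09:01, then a burst at 09:30 from one
# unmanaged laptop. Two records have a blank machine name, as in the first scenario.
EVENTS = [
    {"time": _t(1), "id": LOCKOUT, "TargetUserName": "jsmith", "CallerComputerName": "WS-HR-12"},
    {"time": _t(30), "id": FAILED_LOGON, "TargetUserName": "svc_exchange", "WorkstationName": "LAPTOP-SUB01", "IpAddress": "10.1.5.77"},
    {"time": _t(30, 5), "id": FAILED_LOGON, "TargetUserName": "svc_sql", "WorkstationName": "", "IpAddress": "10.1.5.77"},
    {"time": _t(30, 10), "id": LOCKOUT, "TargetUserName": "svc_exchange", "CallerComputerName": "LAPTOP-SUB01"},
    {"time": _t(30, 20), "id": LOCKOUT, "TargetUserName": "svc_sql", "CallerComputerName": "LAPTOP-SUB01"},
    {"time": _t(30, 40), "id": LOCKOUT, "TargetUserName": "svc_backup", "CallerComputerName": ""},
    {"time": _t(31), "id": FAILED_LOGON, "TargetUserName": "svc_backup", "WorkstationName": "", "IpAddress": "10.1.5.77"},
    {"time": _t(31, 15), "id": LOCKOUT, "TargetUserName": "administrator", "CallerComputerName": "LAPTOP-SUB01"},
]


def lockout_storm(events, window=timedelta(minutes=5), min_accounts=3):
    """Return (start, end, accounts) for the first window in which at least
    min_accounts distinct accounts were locked out, or None if there is none.
    Counting distinct accounts keeps one user's repeated typos below threshold."""
    lockouts = sorted((e for e in events if e["id"] == LOCKOUT), key=lambda e: e["time"])
    for i, first in enumerate(lockouts):
        accounts = set()
        for e in lockouts[i:]:
            if e["time"] - first["time"] > window:
                break
            accounts.add(e["TargetUserName"])
        if len(accounts) >= min_accounts:
            return first["time"], first["time"] + window, sorted(accounts)
    return None


def attribute_source(events, start, end, lookback=timedelta(minutes=5)):
    """Count which machine drove the lockouts in [start, end].
    4740 carries the caller computer name; when it is blank, fall back to the
    4625 failures for the same account (which precede the lockout), using the
    workstation name or, failing that, the source IP."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON and start - lookback <= e["time"] <= end:
            failures[e["TargetUserName"]].append(e)
    sources = Counter()
    for e in events:
        if e["id"] != LOCKOUT or not (start <= e["time"] <= end):
            continue
        name = e.get("CallerComputerName") or ""
        if not name:
            for f in failures.get(e["TargetUserName"], []):
                name = f.get("WorkstationName") or f.get("IpAddress") or ""
                if name:
                    break
        sources[name or "<unknown>"] += 1
    return sources


def triage(events):
    """The alert an operator would act on: which accounts, which sources, top suspect."""
    storm = lockout_storm(events)
    if storm is None:
        return None
    start, end, accounts = storm
    sources = attribute_source(events, start, end)
    suspect, _ = sources.most_common(1)[0]
    return {"start": start, "accounts": accounts, "sources": dict(sources), "suspect": suspect}


if __name__ == "__main__":
    print(triage(EVENTS))
```

The result names LAPTOP-SUB01 for three of the four lockouts and 10.1.5.77 for the one whose 4740 record had no caller name; an asset inventory or DHCP log would join those two keys to the same host. Run against the lockout-storm events alone the threshold trips; run against the single 09:01 lockout it stays silent, which is the noise discrimination the guide calls for.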

Conclusion
Perimeter defense with firewalls and screening routers is the first line of defense in network security's big picture, but a sound and
thorough event log management solution gives IT administrators and network security staff an essential tool for troubleshooting,
diagnosing, and fixing potential problems as well as more serious immediate challenges such as Trojans, malicious code, and viruses.
As organizational infrastructures continue to grow and evolve in complexity, the need for rational data analysis is becoming
fundamental to daily operations. IT staff are notoriously bombarded with information and demands from every source in the
organization, and the problems are not going away on their own. Giving IT staff a tool that allows them to diagnose, troubleshoot,
and solve problems is essential.
It is also beneficial to upper management, on whom more demands of auditability and accountability are being placed. And if the
past is an indicator of future trends, these demands will only intensify.

WhatsUp Event Log Management Summary


The WhatsUp Event Log Management Suite is a modular set of applications that can automatically collect, store, analyze, and report
on both Windows Event and Syslog files, for real-time security event detection and response and for historical compliance assurance
and forensics.
Event Archiver: Automate log collection, storage, backup, and consolidation. It supports auditing, regulatory compliance, and
log forensics activities.
Event Alarm: Monitor log files and receive real-time alerts and notifications. Quickly react and initiate rapid response processes
for network outages or security threats.
Event Analyst: Analyze and report on log data and trends. Automatically distribute reports to management, security officers,
auditors, and other key stakeholders.
Event Rover: A single console to view and mine all log data across all servers and workstations. Supports ad-hoc forensics,
relying on patented Log Healer Technology for handling and repairing potentially corrupt Microsoft EVTX log files.
Did you know that Ipswitch's WhatsUp Event Archiver was awarded US Army Certificate of Networthiness #201004611? You
can find out more about the WhatsUp Gold Event Log Management Suite at: http://www.whatsupgold.com/products/event-logmanagement/

About the Network Management Division of Ipswitch, Inc.


The Network Management Division of Ipswitch, Inc. is the developer of the WhatsUp Gold suite of innovative IT management software. WhatsUp Gold delivers comprehensive
network, system, application and event log monitoring and management solutions for small and medium businesses and enterprises. Built on a modular, yet integrated
architecture, the affordable and easy-to-use solutions scale with the size and complexity of any physical or virtual IT infrastructure. From a single console, WhatsUp Gold supports
standard IT management tasks including automated discovery, mapping, real-time monitoring, alerting, troubleshooting and reporting. More than 100,000 networks worldwide
use WhatsUp Gold solutions to assure the availability, health and security of their critical business infrastructure today.
With the acquisition of Dorian Software Creations, Inc., Ipswitch, Inc.'s Network Management Division recently added to its product line a complete, easy-to-use suite of
Windows Security Event Management (SEM) and Log Management solutions for small businesses and enterprise-level organizations. WhatsUp Gold was named Network
Management Product of 2010 by Network Computing Magazine and earned the Network Products Guide 2010 Product Innovation Award in Network Management. To learn
more about WhatsUp Gold, the best value in IT management software, to download a free trial, or to make a purchase, please visit: http://www.whatsupgold.com/products/
download/.
*All mentioned trademarks, product and company names cited herein are the property of their respective owners.*