The best tool for capturing Windows Event Logs centrally

Tags: logging, windows-event-log, windows-server-2003, windows-server-2008

We have a collection of about 100 Windows 2003 and Windows 2008 R2 domain controllers that I would like to start capturing Event Log data from. Many of the servers are very busy and generate large volumes of events, particularly security events that we also want to capture.

We're currently using an enterprise/expensive monitoring solution that we're reasonably happy with for system uptime and performance statistics, but the event log monitoring component is not so good.

I'm hoping to find something quick and dirty for this purpose if possible.

Best Answer

Legacy Answer; Updates from the future below

If you already have some Linux/Unix machines in your environment and are comfortable with that format, I'd recommend using Syslog. There are a number of products that will forward your logs to a syslog server for you.

If you're just looking for log collection for legal/compliance reasons, anything will do, really.

Splunk is a fairly popular log tool (I think it's based on syslog) that can do a lot of reporting for you. If you want analytics built in, it's a good place to start evaluating. It has a limited free version, but you can pay to break out of those limitations.

You can also use Nagios to assist you with your Log Management, especially with some of the plugins and sidecar applications, but I'll warn that it's not trivial to set up.

UPDATE: If you're not afraid of scripting, there are a lot of examples of Logging Scripts at the Microsoft Script Center Repository. (Fulfilling the down-n-dirty requirement...)

UPDATE 2015: If you're not using Splunk, you should use ELK (ElasticSearch, Logstash, & Kibana) as your logging mechanism. While F/OSS like Syslog, it gives you so much more feature-wise. As far as shipping logs, you should use NXLog. It handles Windows Event Logs, and ships them as objects (viewable as JSON, which is how they're stored in ElasticSearch). While each log is slightly larger over the wire, you don't need to write long, painful, and brittle RegEx statements to parse the fields (like you do in order to make use of Syslog, or syslog-formatted logs sent to ELK).