What are the best tools for enterprise Windows security logs analysis?

Expert Mike Cobb recommends some of the best Windows security log tools available for the enterprise.

What program or tool would you recommend for analysis of Windows security logs? For example, I want Windows security log tools that enable me to see all successful and unsuccessful logins.


The Microsoft Windows security log records an audit event whenever a user performs one of the actions selected by the system's audit policy, such as logging on or off, or any other security-relevant operation the policy covers. For example, modifying a file or a policy can trigger an event that shows the action performed, the associated user account, and the date and time of the action. Recording and monitoring the creation or modification of system objects offers a way to track potential security problems, holds users accountable and, after a breach, provides essential evidence of how it occurred and which systems were affected.

This makes the security log one of the primary means of detecting both attempted and successful unauthorized activity, as well as an essential aid in investigating and troubleshooting system problems. An organization should identify in its audit policy the actions that need to be logged in order to hold users accountable for their use of organizational resources. In many cases, recording failure events is more informative than recording successes, because failures typically indicate errors or problems, and it keeps down the number of log entries, which mounts surprisingly quickly even on a small network. Logon auditing is the exception: to see all successful and unsuccessful logins, as the question asks, both must be enabled, because a successful logon that follows a run of failures is exactly the pattern that shows a password-guessing attempt worked. Although the security log can be viewed with the Windows Event Viewer, organizations need a more specialized tool for in-depth analysis. There is little value in large volumes of audit data if there is no means of using it.

While Windows can capture a wide range of security events, it provides little in the way of analysis, and the often-cryptic event descriptions do not help matters. Microsoft does offer the free Log Parser command-line tool, which runs SQL-like queries against the event log and other sources, including text logs, the registry, the file system and Active Directory. Depending on organizational preferences, another option is the free Log Parser Lizard, a GUI front end to Microsoft's Log Parser that provides an easier way to build queries and export the results to Excel.
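As an added example, not taken from the original article or from any of the products it names, the PowerShell script below covers both of the steps discussed above on a single host: it turns on success and failure auditing for the Logon subcategory, then pulls successful (event ID 4624) and failed (event ID 4625) logons from the Security log and flags accounts that succeeded after a run of failures. The event IDs, field names and logon-type codes are Windows' own; the 24-hour window, the five-failure threshold and the machine-account noise filter are assumptions chosen for the example.

```powershell
# Added example (not the article's own code). Run in an elevated PowerShell
# session; reading the Security log and changing audit policy both need admin.
# Event IDs 4624/4625 are the Vista/Server 2008 and later IDs.

# 1. Audit both outcomes for the Logon subcategory. Failure-only auditing
#    would hide the attacker's eventual successful logon.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

# 2. Fetch the last 24 hours of logon events (window is an assumption).
#    FilterHashtable pushes the filter into the event log service instead
#    of reading every record and filtering in PowerShell.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

# Logon type codes as documented for 4624/4625; 3 (network) and 10 (RDP)
# are the ones most often seen in lateral movement.
$logonTypes = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock'
                 8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive'
                 11='CachedInteractive' }

# Flatten each event's EventData into one row with the fields an analyst needs.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Result    = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $logonTypes[[int]$d.LogonType]
        Source    = $d.IpAddress
        # On 4625, SubStatus carries the reason: 0xC000006A = bad password,
        # 0xC0000064 = user name does not exist.
        SubStatus = $d.SubStatus
        Process   = $d.ProcessName
    }
}

# Drop computer accounts (trailing $) and SYSTEM, which dominate 4624 volume
# on a domain member and are rarely what the question is about.
$rows = $rows | Where-Object { $_.Account -notmatch '\$$' -and $_.Account -ne 'NT AUTHORITY\SYSTEM' }

# 3a. Summary: event count per account and outcome.
$rows | Group-Object Account, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3b. Accounts that logged on successfully after five or more consecutive
#     failures (threshold is an assumption). Walk each account's events in
#     time order so the order of failure and success is actually checked.
$suspect = foreach ($g in ($rows | Group-Object Account)) {
    $fails = 0
    foreach ($r in ($g.Group | Sort-Object Time)) {
        if ($r.Result -eq 'Failure') { $fails++ }
        elseif ($fails -ge 5)       { $g; break }   # success after a run of failures
        else                        { $fails = 0 }  # clean success resets the run
    }
}
foreach ($g in $suspect) {
    "`n$($g.Name): success following $fails or more failures"
    $g.Group | Sort-Object Time |
        Format-Table Time, Result, LogonType, Source, SubStatus, Process -AutoSize
}
```

The same 4624/4625 query can be expressed in Log Parser's SQL dialect against the Security log, but across many hosts you will want the events forwarded to a central collector first, which is where the products in the next paragraph come in.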

For real-time log-based intrusion detection and analysis, an organization should look at products that can track audited events across all its networked machines, with GFI EventsManager being one option. If an organization prefers open source tools, OSSEC is a host-based intrusion detection system providing log analysis, file-integrity checking, policy monitoring, rootkit detection and real-time alerting. Another tool that can handle different operating systems is EventLog Analyzer, which offers real-time log file analysis for Windows, Linux and Unix systems, along with routers and switches.

This was last published in April 2012
