Event Log data a gold mine, or a coal mine?

Hi All -

As you all know, ChangeAuditor is a product that foregoes the need for native logging to gather real-time events and avoids all the pitfalls that come with native logging. I think we all know the benefits we get and can discuss this freely with customers (and we should all be touting this as a big "win" for ChangeAuditor, right!). But regulatory compliance asks our customers to also collect and store Windows Event Logs (and other logs) and ensure they are tamper-proof. Mind you, almost all of these regulations never define exactly what you're supposed to discern from the data (hedging my bets here because I don't know of ANY that define this, but I'm always willing to learn!). So it's basically - store the Windows Event Logs for 1 year, 3 years, 7 years and prove that you can store them without anyone making changes to anything.

Now, from a regulatory perspective it's also supposed to be "All Event Logs" - and as you all know, starting back in Windows 2008, Microsoft introduced a technology that was code-named Crimson - a new event log architecture that allowed other Microsoft products (and even 3rd-party products) to create their own Event Logs (prior to Win2008 it was just System, Security and Application). To me, that means not only is there more data in event logs, but you have to search many more places to find the data you're looking for, right? I mean, do you expect to see Exchange account security violation events in the Application Log, Security Log, Directory Service Log, or one of the many logs that Exchange creates - or is it some combination of these logs? Where do you go??

Is it peace of mind? Is it strictly following orders? What is it under the surface - if there were a solution to gather all these logs, what would you use the data for?

I'd love to hear about anything and everything you do with log data - and if you have a tool that doesn't require native logs to pass an audit (or comply with internal policy) - do you still collect the logs?

Tim Sedlack

Product Manager - ChangeAuditor