Back a few years ago I put together an event log and general log aggregation and management system. Almost a year ago, our internal development server for this system died and work halted. Yesterday we finally pulled the system out of the rack to see what had gone wrong and put a new server up in its place. Finally, work has started up again!
I mention this project here on this blog because just about every company I talk to is struggling with log management and correlation. The fact that Microsoft changed just about every Event ID found in the event logs (starting with Vista and Server 2008) hasn’t made life any easier. While it’s certainly true that managing events on a Windows system (particularly Vista and above) has become much easier with event subscriptions and significantly improved reporting, many of us still run XP and 2003 in many installations. How are we to manage these logs?
Microsoft has a solution (Audit Collection Services) as a part of the Microsoft Operations Manager tool, but there are still a few gaps. For instance, how do I get my syslogs, weblogs, firewall logs, IDS information, etc. into it? Solving this problem is why DAD was originally created.
If you’re planning to come to the SANS conference in New Orleans starting on January 10, please be sure to come by and say hello. I’ll be bringing our development DAD server with us if you’d like to see a quick demo! We look at this free open source tool as another way that we can give back to the community!
For a comprehensive course on how to identify critical controls, validate that the correct controls are in place, and validate processes, consider the SANS 6-day course, “Advanced System & Network Auditing”. David Hoelzer is the SANS IT Audit Curriculum Lead and the author of several SANS IT Audit related courses.