As a security administrator, you may be inclined to focus on the Windows Security log within Windows Event Log.
You might even go as far as filtering for specific event IDs, such as Event ID 4625 (an account failed to log on), while forgetting that there is much more to security logging on Windows than this single log source.
The consequence of this narrow field of view is that you miss the valuable information offered by the other event IDs your security audit policies already generate, and by log sources outside the Security log altogether.
On Windows there are many other sources of security-related events, such as:
Other event IDs on the same channel
Events from other channels
Events from ETW Providers
Windows Event Forwarding (WEF)
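To make the four sources above concrete, here is an added example (not code from the original post or from NXLog) that reads from each of them with the built-in Get-WinEvent cmdlet. The Security log requires an elevated session; the Sysmon channel and the 4688 events are assumptions, since they only exist when Sysmon is installed and process-creation auditing is enabled.

```powershell
# Added example: read security-relevant events from several Windows sources.
# Run in an elevated PowerShell session; reading the Security log needs admin rights.
$since = (Get-Date).AddHours(-24)

# 1. Same channel, more than one event ID: failed logons (4625) alongside successful
#    logons (4624), special privileges assigned (4672) and process creation (4688).
#    4688 only appears if "Audit Process Creation" is enabled (assumption).
$security = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4672, 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

# 2. Other channels: PowerShell script block logging (4104) and Sysmon process
#    creation (1). The Sysmon channel exists only if Sysmon is installed (assumption).
$otherChannels = @(
    @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational';     Id = 1;    StartTime = $since }
) | ForEach-Object { Get-WinEvent -FilterHashtable $_ -ErrorAction SilentlyContinue }

# 3. ETW providers: inspect a provider's metadata to see which channels it can write
#    to. Wildcards work too, e.g. -ListProvider '*Security*' to discover related providers.
$auditProvider = Get-WinEvent -ListProvider 'Microsoft-Windows-Security-Auditing'
$auditProvider.LogLinks | Select-Object LogName, IsImported

# 4. Windows Event Forwarding: on a WEF collector, events from subscribed hosts land in
#    the ForwardedEvents channel, and MachineName identifies the originating host.
$forwarded = Get-WinEvent -FilterHashtable @{
    LogName   = 'ForwardedEvents'
    StartTime = $since
} -ErrorAction SilentlyContinue

# Events from different channels carry different fields; project them onto a common
# set of properties so they can be reviewed side by side. @() guards against a source
# returning nothing or a single object instead of an array.
@($security) + @($otherChannels) + @($forwarded) |
    Where-Object { $_ } |
    Select-Object TimeCreated, MachineName, LogName, Id, ProviderName |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

The final projection is the simplest form of the normalization problem discussed next: each channel has its own event schema, and anything beyond the handful of common envelope properties (time, host, channel, ID, provider) has to be parsed from the per-event XML or message text before it can be compared across sources.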
One of the biggest challenges with security logging on Windows is that the log sources containing security events are spread across multiple channels and not always available in the same format.
Although these security events generally follow a schema, each channel uses its own, so normalizing data across all log sources requires additional processing.
Also, unless events are forwarded with WEF, the Windows Event Log on a given host contains only the security events generated on that host.
All these challenges combined create a nightmare for security administrators who need to provide an aggregate of all security-related Windows events from all monitored Windows systems within a business unit or the entire enterprise.
In this post, we will look at the primary sources of Windows logs related to security and how NXLog can come to the rescue with its log aggregation capabilities on Windows.