Анализ логов windows программа

Картинка с сайта: habr.com

Пора поговорить про удобную работу с логами, тем более что в Windows есть масса неочевидных инструментов для этого. Например, Log Parser, который порой просто незаменим.

В статье не будет про серьезные вещи вроде Splunk и ELK (Elasticsearch + Logstash + Kibana). Сфокусируемся на простом и бесплатном.

Журналы и командная строка

До появления PowerShell можно было использовать такие утилиты cmd как find и findstr. Они вполне подходят для простой автоматизации. Например, когда мне понадобилось отлавливать ошибки в обмене 1С 7.7 я использовал в скриптах обмена простую команду:

findstr "Fail" *.log >> fail.txt

Она позволяла получить в файле fail.txt все ошибки обмена. Но если было нужно что-то большее, вроде получения информации о предшествующей ошибке, то приходилось создавать монструозные скрипты с циклами for или использовать сторонние утилиты. По счастью, с появлением PowerShell эти проблемы ушли в прошлое.

Основным инструментом для работы с текстовыми журналами является командлет Get-Content, предназначенный для отображения содержимого текстового файла. Например, для вывода журнала сервиса WSUS в консоль можно использовать команду:

Get-Content -Path 'C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log' | Out-Host -Paging

Для вывода последних строк журнала существует параметр Tail, который в паре с параметром Wait позволит смотреть за журналом в режиме онлайн. Посмотрим, как идет обновление системы командой:

>Get-Content -Path "C:\Windows\WindowsUpdate.log" -Tail 5 -Wait

Картинка с сайта: habr.com

Смотрим за ходом обновления Windows.

Если же нам нужно отловить в журналах определенные события, то поможет командлет Select-String, который позволяет отобразить только строки, подходящие под маску поиска. Посмотрим на последние блокировки Windows Firewall:

Select-String -Path "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -Pattern 'Drop' | Select-Object -Last 20 | Format-Table Line

Картинка с сайта: habr.com

Смотрим, кто пытается пролезть на наш дедик.

При необходимости посмотреть в журнале строки перед и после нужной, можно использовать параметр Context. Например, для вывода трех строк после и трех строк перед ошибкой можно использовать команду:

Select-String 'C:\Windows\Cluster\Reports\Cluster.log' -Pattern ' err ' ‑Context 3

Оба полезных командлета можно объединить. Например, для вывода строк с 45 по 75 из netlogon.log поможет команда:

Get-Content 'C:\Windows\debug\netlogon.log' | Select-Object -First 30 -Skip 45

Журналы системы ведутся в формате .evtx, и для работы с ними существуют отдельные командлеты. Для работы с классическими журналами («Приложение», «Система», и т.д.) используется Get-Eventlog. Этот командлет удобен, но не позволяет работать с остальными журналами приложений и служб. Для работы с любыми журналами, включая классические, существует более универсальный вариант ― Get-WinEvent. Остановимся на нем подробнее.

Для получения списка доступных системных журналов можно выполнить следующую команду:

Get-WinEvent -ListLog *

Картинка с сайта: habr.com

Вывод доступных журналов и информации о них.

Для просмотра какого-то конкретного журнала нужно лишь добавить его имя. Для примера получим последние 20 записей из журнала System командой:

Get-WinEvent -LogName 'System' -MaxEvents 20

Картинка с сайта: habr.com

Последние записи в журнале System.

Для получения определенных событий удобнее всего использовать хэш-таблицы. Подробнее о работе с хэш-таблицами в PowerShell можно прочитать в материале Technet about_Hash_Tables.

Для примера получим все события из журнала System с кодом события 1 и 6013.

Get-WinEvent -FilterHashTable @{LogName='System';ID='1','6013'}

В случае если надо получить события определенного типа ― предупреждения или ошибки, ― нужно использовать фильтр по важности (Level). Возможны следующие значения:

• 0 ― всегда записывать;
• 1 ― критический;
• 2 ― ошибка;
• 3 ― предупреждение;
• 4 ― информация;
• 5 ― подробный (Verbose).

Собрать хэш-таблицу с несколькими значениями важности одной командой так просто не получится. Если мы хотим получить ошибки и предупреждения из системного журнала, можно воспользоваться дополнительной фильтрацией при помощи Where-Object:

Get-WinEvent -FilterHashtable @{LogName='system'} | Where-Object -FilterScript {($_.Level -eq 2) -or ($_.Level -eq 3)}

Картинка с сайта: habr.com

Ошибки и предупреждения журнала System.

Аналогичным образом можно собирать таблицу, фильтруя непосредственно по тексту события и по времени.

Подробнее почитать про работу обоих командлетов для работы с системными журналами можно в документации PowerShell:

• Get-EventLog.
• Get-WinEvent.

PowerShell ― механизм удобный и гибкий, но требует знания синтаксиса и для сложных условий и обработки большого количества файлов потребует написания полноценных скриптов. Но есть вариант обойтись всего-лишь SQL-запросами при помощи замечательного Log Parser.

Работаем с журналами посредством запросов SQL

Утилита Log Parser появилась на свет в начале «нулевых» и с тех пор успела обзавестись официальной графической оболочкой. Тем не менее актуальности своей она не потеряла и до сих пор остается для меня одним из самых любимых инструментов для анализа логов. Загрузить утилиту можно в Центре Загрузок Microsoft, графический интерфейс к ней ― в галерее Technet. О графическом интерфейсе чуть позже, начнем с самой утилиты.

О возможностях Log Parser уже рассказывалось в материале «LogParser — привычный взгляд на непривычные вещи», поэтому я начну с конкретных примеров.

Для начала разберемся с текстовыми файлами ― например, получим список подключений по RDP, заблокированных нашим фаерволом. Для получения такой информации вполне подойдет следующий SQL-запрос:

SELECT 
 extract_token(text, 0, ' ') as date, 
 extract_token(text, 1, ' ') as time,
 extract_token(text, 2, ' ') as action, 
 extract_token(text, 4, ' ') as src-ip,  
 extract_token(text, 7, ' ') as port 
FROM 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log' 
WHERE action='DROP' AND port='3389'
ORDER BY date,time DESC

Посмотрим на результат:

Картинка с сайта: habr.com

Смотрим журнал Windows Firewall.

Разумеется, с полученной таблицей можно делать все что угодно ― сортировать, группировать. Насколько хватит фантазии и знания SQL.

Log Parser также прекрасно работает с множеством других источников. Например, посмотрим откуда пользователи подключались к нашему серверу по RDP.

Работать будем с журналом TerminalServices-LocalSessionManager\Operational.

Не со всеми журналами Log Parser работает просто так ― к некоторым он не может получить доступ. В нашем случае просто скопируем журнал из %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx в %temp%\test.evtx.

Данные будем получать таким запросом:

SELECT
 timegenerated as Date, 
 extract_token(strings, 0, '|') as user,
 extract_token(strings, 2, '|') as sourceip 
FROM '%temp%\test.evtx'
WHERE EventID = 21
ORDER BY Date DESC

Картинка с сайта: habr.com

Смотрим, кто и когда подключался к нашему серверу терминалов.

Особенно удобно использовать Log Parser для работы с большим количеством файлов журналов ― например, в IIS или Exchange. Благодаря возможностям SQL можно получать самую разную аналитическую информацию, вплоть до статистики версий IOS и Android, которые подключаются к вашему серверу.

В качестве примера посмотрим статистику количества писем по дням таким запросом:

SELECT
 TO_LOCALTIME(TO_TIMESTAMP(EXTRACT_PREFIX(TO_STRING([#Fields: date-time]),0,'T'), 'yyyy-MM-dd')) AS Date,
 COUNT(*) AS [Daily Email Traffic] 
FROM 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*.LOG'
WHERE (event-id='RECEIVE') GROUP BY Date ORDER BY Date ASC

Если в системе установлены Office Web Components, загрузить которые можно в Центре загрузки Microsoft, то на выходе можно получить красивую диаграмму.

Картинка с сайта: habr.com

Выполняем запрос и открываем получившуюся картинку…

Картинка с сайта: habr.com

Любуемся результатом.

Следует отметить, что после установки Log Parser в системе регистрируется COM-компонент MSUtil.LogQuery. Он позволяет делать запросы к движку утилиты не только через вызов LogParser.exe, но и при помощи любого другого привычного языка. В качестве примера приведу простой скрипт PowerShell, который выведет 20 наиболее объемных файлов на диске С.

$LogQuery = New-Object -ComObject "MSUtil.LogQuery"
$InputFormat = New-Object -ComObject "MSUtil.LogQuery.FileSystemInputFormat"
$InputFormat.Recurse = -1
$OutputFormat = New-Object -ComObject "MSUtil.LogQuery.CSVOutputFormat"
$SQLQuery = "SELECT Top 20 Path, Size INTO '%temp%\output.csv' FROM 'C:\*.*' ORDER BY Size DESC"
$LogQuery.ExecuteBatch($SQLQuery, $InputFormat, $OutputFormat)
$CSV = Import-Csv  $env:TEMP'\output.csv'
$CSV | fl 
Remove-Item $env:TEMP'\output.csv'
$LogQuery=$null
$InputFormat=$null
$OutputFormat=$null

Ознакомиться с документацией о работе компонента можно в материале Log Parser COM API Overview на портале SystemManager.ru.

Благодаря этой возможности для облегчения работы существует несколько утилит, представляющих из себя графическую оболочку для Log Parser. Платные рассматривать не буду, а вот бесплатную Log Parser Studio покажу.

Картинка с сайта: habr.com

Интерфейс Log Parser Studio.

Основной особенностью здесь является библиотека, которая позволяет держать все запросы в одном месте, без россыпи по папкам. Также сходу представлено множество готовых примеров, которые помогут разобраться с запросами.

Вторая особенность ― возможность экспорта запроса в скрипт PowerShell.

В качестве примера посмотрим, как будет работать выборка ящиков, отправляющих больше всего писем:

Картинка с сайта: habr.com

Выборка наиболее активных ящиков.

При этом можно выбрать куда больше типов журналов. Например, в «чистом» Log Parser существуют ограничения по типам входных данных, и отдельного типа для Exchange нет ― нужно самостоятельно вводить описания полей и пропуск заголовков. В Log Parser Studio нужные форматы уже готовы к использованию.

Помимо Log Parser, с логами можно работать и при помощи возможностей MS Excel, которые упоминались в материале «Excel вместо PowerShell». Но максимального удобства можно достичь, подготавливая первичный материал при помощи Log Parser с последующей обработкой его через Power Query в Excel.

Приходилось ли вам использовать какие-либо инструменты для перелопачивания логов? Поделитесь в комментариях.

Need more power and insights than Windows Event Viewer can deliver? We show you some of the best tools to manage the Windows event log across your network.

Картинка с сайта: www.comparitech.com

Windows event log data is a goldmine of information that you can use to monitor network infrastructure and manage security events

While you can use Windows Event Viewer, log management tools are a superior alternative and enable you to manage Windows event log data with enhanced GUIs and visualizations.

Here is our list of the best tools to manage Windows Event Log / Event Viewer:

1. SolarWinds Log Analyzer EDITOR’S CHOICE This tool collects, centralizes, and analyzes log data from Windows systems. It provides real-time log monitoring, detailed event analysis, and manual and automated search capabilities, helping with troubleshooting, security monitoring, and compliance reporting. Runs on Windows Server. A 30-day free trial is available.
2. ManageEngine EventLog Analyzer (FREE TRIAL) Log management software with custom reports, a correlation engine, and more. Download the 30-day free trial.
3. Site24x7 Log Management (FREE TRIAL) A log server, consolidator, and processor that is available from several plans offered by a cloud-based system monitoring platform. 30-day free trial available.
4. ManageEngine Log360 (FREE TRIAL) A SIEM that collects Windows Event logs plus Syslog messages and data from more than 700 applications. Runs on Windows Server. Start a 30-day free trial.
5. Netwrix Event Log Manager Free event log management tool that centrally stores Windows event log data, and generates event alerts.
6. LogRhythm SIEM platform with analytics, machine intelligence, workflow automation, alarms, and more.
7. Sumo Logic Free log management software, available as a SaaS service with custom dashboards, real-time analytics, and machine learning.
8. Datadog Cloud monitoring tool with log management capabilities, dashboards, alerts, search, filtering, and more.
9. Syslog-NG Log management software with TLS encryption, log collection, storage, forwarding, and more.

The best tools to manage Windows Event Log / Event Viewer

The following reviews include some of the top log management tools, SIEM software, and other tools that provide network administrators with more visibility into logs.

1. SolarWinds Log Analyzer (FREE TRIAL)

Картинка с сайта: www.comparitech.com

SolarWinds Log Analyzer is an event log monitoring tool for Windows that collects event log data. You can monitor event log data in real-time through syslog, SNMP traps, and system event logs. Data can be collected and monitored through one user interface.

Key Features:

• Real-Time Log Monitoring: Tracks log data as it occurs for immediate insights.
• Log Tagging and Filtering: Simplifies log navigation and categorization.
• Customizable Alerts: Sets alerts based on specific log criteria.
• Centralized Log Collection: Collects Windows Event Logs, Syslog, and custom log formats, for centralized storage and analysis.
• Security Event Correlation: Combines log data from multiple sources to identify and respond to security incidents.

Why do we recommend it?

SolarWinds Log Analyzer runs on Windows Server and it will collect log messages from all around your network, covering all endpoints and the software that runs on them. The tool will collect Windows Events, Syslog messages, and logs from applications. The service can file or forward consolidated logs.

The software is very easy to use. Tagging and filtering enable the user to navigate through log data efficiently. There is also a search bar, and event logs are tagged with icons including warning, alert, error, emergency, and debug so that the user understands what’s happening more clearly.

A customizable alert system enables the user to set trigger conditions for alerts. Users can set alerts according to severity, and configure reset conditions to minimize false positives. Alerts can be sent from email and trigger external scripts to ensure you respond to performance events as they unfold.

Картинка с сайта: www.comparitech.com

Who is it recommended for?

This log analyzer shows log messages as they arrive, provides statistics on arrival rates by source, type, and severity, and it includes a data viewer for analysis. You can set up your own custom queries to perform on messages and link them through to custom alerts. However, this is not a full SIEM system.

SolarWinds Log Analyzer is an excellent tool for managing Windows event log data through a single pane of glass. The platform provides extensive visibility through an intuitive platform that makes it easy to find the information you need to. Prices start at $1,495 (£1,210). You can download the 30-day free trial.

Related post: Best Log Analysis Tools

2. ManageEngine EventLog Analyzer (FREE TRIAL)

Картинка с сайта: www.comparitech.com

ManageEngine EventLog Analyzer is a log management tool for Windows and Linux that can manage event logs and syslogs. You can process logs at 25,000 logs per second, which enables you to detect cyberattacks in real-time. The software can pull log data from services like WindowsServer, Linux, Oracle, Amazon Web Service, Apache, Cisco, HP, IIS, and more.

Key Features:

• High-Performance Log Processing: Handles up to 25,000 logs per second.
• Customizable Dashboard: Tailors log monitoring to specific needs.
• Compliance Reporting: Supports HIPAA, PCI DSS, ISO 27001, and more.

Why do we recommend it?

ManageEngine EventLog Analyzer is a compliance manager. It requires log messages for source data, so the package also includes a log collector and consolidator that can receive Windows Events, Syslog messages, and logs from applications – 750 sources in total. The tool provides a facility for manual analysis and also generates log message throughput statistics.

The correlation engine automatically processes event logs and compares them with other logs to detect the signs of a cyber attack. The automatic processing enables you to monitor log data more efficiently and stay on top of threats. However, you can use the search module to search manually as well.

Compliance reports enable you to create log reports and comply with a range of regulatory frameworks. The EventLog Analyzer creates reports that comply with PCI DSS, ISO 27001, GLBA, SOX, FISMA, and HIPAA regulations. Reports can also be customized and scheduled according to the preferences of the user.

Картинка с сайта: www.comparitech.com

Who is it recommended for?

ManageEngine provides a lot of deployment options for the EventLog Analyzer. It is available as a SaaS package and it can also be installed on Windows Server or Linux. The package provides log management and provides opportunities for manual analysis. It also implements security scanning. The Free edition would interest very small businesses.

ManageEngine EventLog Analyzer is one of the top free event log management tools. The free edition supports up to five log sources. Paid versions start at $595 (£481.78) with features like compliance reporting and log forensics. You can download the 30-day free trial.

ManageEngine EventLog Analyzer
Download 30-day FREE Trial

3. Site24x7 Log Management (FREE TRIAL)

Картинка с сайта: www.comparitech.com

Site24x7 Log Management is a module in a suite of monitoring services delivered from the Cloud by Site24x7. This log management tool isn’t available as a standalone product. Instead, it is integrated into all of the packages that Site24x7 offers. These are:

• Website Monitoring
• Site24x7 Infrastructure
• Application Performance Monitor
• All-in-one
• MSP

The Site24x7 system is mainly resident in the Cloud but it does need a data collector to be installed on the monitored system. This agent is available for the Windows Server and Linux operating system and it can collect statistics over a network.

Key Features:

• Diverse Log Collection: Gathers Windows Events, Syslog, and application logs.
• Unified Log Format Consolidation: Streamlines log management across different sources.
• Comprehensive Data Analysis Tools: Enhances log data examination.

Why do we recommend it?

Site24x7 Log Management is a cloud-based log collector and consolidator. This system is able to gather log messages from multiple sites and file them. It also shows live messages as they arrive and can provide throughput statistics. The package can handle Windows Events and Syslog messages as well as application logs.

The data collector also catches log messages as they circulate around the server and network. It collects Windows Event messages and also Syslog and application log messages. These are sent to the Site24x7 server over a secure connection for processing. The server consolidates all of the log messages that it receives and converts them into a common format. This enables a unified treatment of log messages from all sources.

The Log Management system includes a data viewer, which can be accessed from the Site24x7 system dashboard. This includes data analysis features such as the ability to sort, filter, group, and summarize records.

Картинка с сайта: www.comparitech.com

Who is it recommended for?

The Site24x7 system is affordable for any size of enterprise. The service also provides a 30-day window for the storage of log files. You can set up the system to forward logs immediately to another system or accumulate them in files and move them to another storage location.

All of the Site24x7 packages are subscription services and all are available on 30-day free trials. For example, you can get a free trial of the Site24x7 Infrastructure plan in order to try out the services’ Log Management tool.

Site24x7 Log Management
Start 30-day FREE Trial

4. ManageEngine Log360 (FREE TRIAL)

Картинка с сайта: www.comparitech.com

ManageEngine Log360 collects log messages and feeds them into a SIEM for threat detection. The collectors operating on Windows devices will pick up Windows Event logs and interact with software packages to extract operational data. The service can communicate with more than 700 applications. When operating on Linux, a Log360 agent will collect Syslog messages.

Key Features:

• Broad Application Integration: Works with over 700 applications for comprehensive coverage.
• Advanced Threat Intelligence Feed: Stays updated with current security threats.
• Regulatory Compliance Assistance: Meets HIPAA, PCI DSS, FISMA, SOX, GDPR, and GLBA standards.

Why do we recommend it?

ManageEngine Log360 is a megapack of log management and analysis systems and it provides a SIEM tool for security scanning. The EventLog Analyzer is included in the package along with five other log management tools for Windows Events, Syslog, application logs, and cloud platform reports. The system provides compliance reporting and data loss prevention.

The server component of Log360 installs on Windows Server but the collector system is available for a list of operating systems. The collectors send data to the log server, which converts their different formats into a common standard. The log server then files messages in a meaningful directory structure, rotating files daily or, for larger systems, more frequently. The log files need to be made available for investigation.

The dashboard for the system shows log throughput statistics and alerts. The console also includes a data viewer, which has manual analysis tools. Log messages are shown in the data viewer as they arrive and can also be loaded in from log files.

Картинка с сайта: www.comparitech.com

Who is it recommended for?

This is a very large package of system security tools and there is no Free edition, so it is unlikely to appeal to small businesses. As this tool is able to collect activity data from cloud platforms as well as on-premises assets, the system is ideal for use by businesses that operate a hybrid environment.

The SIEM system has many features, which include a threat intelligence feed to speed up threat detection. The system produces alerts that can be channeled through service desk systems. You can assess ManageEngine Log360 with a 30-day free trial.

ManageEngine Log360
Download 30-day FREE Trial

5. Netwrix Event Log Manager

Картинка с сайта: www.comparitech.com

Netwrix Event Log Manager is a free event log management software that can collect Windows event logs. It collects event logs and centrally stores them for the user to analyze. The tool allows you to monitor the event log data of multiple Windows devices from one centralized location.

Key Features:

• Centralized Event Log Storage: Aggregates logs for easier access and analysis.
• Real-Time Alerts: Notifies about important events as they occur.
• Event Summaries: Provides quick insights into log data trends.

Why do we recommend it?

Netwrix Event Log Manager is a free tool that collects Windows Events messages and provides a range of useful services, such as statistical analysis on message throughput and log forwarding or filing. Although this tool centralizes the collection of Windows Events, it doesn’t provide handling for Syslog messages.

Managing and configuring the Event Log Manager is simple for new users. The platform runs as a service so you don’t need to have it open at all times for monitoring. To configure the tool, all the user needs to do is add target computers to monitor the network and enter alert parameters to determine when notifications are generated.

The alerts system sends you email notifications whenever an important event happens to a connected device. You can control what alerts you’re notified about through a dialog box. For example, you can set the system to notify you about Application Errors and Systems Errors.

Who is it recommended for?

This is a nice free tool for viewing Windows Events and it also provides analysis features such as searching and sorting. You can also set up alerts that you can have sent to you by email. This offers an administrator with no budget a way to assemble a customized monitoring system.

Netwrix Event Log Manager is a reliable tool for enterprises looking to manage Windows Event Log and event viewer data for free. It’s available for Windows XP SP3 and above, Windows Server 2008, 2012, and 2016. You can download the software for free.

6. LogRhythm

Картинка с сайта: www.comparitech.com

LogRhythm is a SIEM platform that can be deployed on-premises or in the cloud with high-performance and speed. It uses ElasticSearch to maintain performance for users during indexing and searching. Log data captured by the program is searchable so that you can locate event log data fast and easily.

Key Features:

• Advanced SIEM Capabilities: Provides high-end security incident and event management.
• ElasticSearch Integration: Ensures performance during data indexing and searching.
• Machine Intelligence: Employs AI for more accurate threat detection.

Why do we recommend it?

LogRhythm is a top-of-the-line cloud-based SIEM system that has an option user behavior analytics module. This tool collects and consolidates log messages from many sources, which include Windows Events and Syslog messages. It also consolidates different log formats into a common layout and files them.

Through a web-based user interface, users can monitor security incidents throughout their entire network. Security analytics and visualizations provide you with an engaging presentation of log data. Log data is processed by Machine Data Intelligence to classify and structure log messages to produce over 800 different data sources.

Картинка с сайта: www.comparitech.com

When it comes time to respond to an issue, LogRhythm has an alarms system that notifies the users about security events. To lower the time to resolve the user can use SmartResponse to create automated response workflows. The SmartResponse feature allows you to automatically complete tasks such as running a vulnerability scan or disabling a user account.

Who is it recommended for?

There is a log manager at the heart of the LogRhythm system because logs are the source data for the SIEM, which is the key feature of the platform. However, if you are just looking for a log manager, this option is way more than you need.

It’s is an excellent log management solution for scalability. LogRhythm offers a flexible pricing model that supports up to an unlimited number of log sources and users. However, you need to request a quote from the company directly. You can watch the demo.

7. Sumo Logic

Картинка с сайта: www.comparitech.com

Sumo Logic is a free SaaS-based log management tool that collects and analyzes windows event logs. You can create custom dashboards and use real-time analytics to monitor security events throughout your network. The analytics system can identify performance anomalies by analyzing log patterns, which helps the user to make sense of log data.

Key Features:

• Custom Dashboards: Personalizes log data visualization.
• Real-Time Analytics: Delivers immediate insights into log patterns.
• Machine Learning-Driven Alerts: Provides intelligent notifications of anomalies.

Why do we recommend it?

Sumo Logic is a SaaS platform that provides system monitoring and log management. The Free edition provides the base plan for the system. If you are just looking for a log manager, this is as far as you need to go because the higher plans add on a SIEM and other security monitoring tools.

One of its advantages is the ability to share dashboards and reports with other users. Dashboards include a range of displays such as charts to help the user make sense of log data. Users also have the option to adjust the time frame they’re looking at to change the data they view.

Картинка с сайта: www.comparitech.com

Who is it recommended for?

The Sumo Logic free package is limited to processing 1 GB of data per day. That’s great for small businesses but larger enterprises will have to upgrade to one of the paid plans. The higher plans provide security scanning, which you might not want if you are just looking for a log management package.

Sumo Logic is a platform that’s recommended for those users who want a log management platform with top-notch analytics capabilities. The free version supports up to 4GB of log storage. Users that require more can purchase a paid version. Paid versions start at $90 (£72.97) per month per 1GB daily ingest. You can start the free trial.

8. Datadog

Картинка с сайта: www.comparitech.com

Datadog is a cloud monitoring tool that can monitor applications, services, and log data. You can take Windows Event Log data and use it to generate events in your Event Stream. The Event Stream displays a list of recent events that have occurred throughout your network.

Key Features:

• Integrated Log Management: Collects and analyzes logs within a unified platform.
• Advanced Filtering: Tailors log data analysis to specific needs.
• Machine Learning Alerts: Intelligent alerting based on log data trends.

Why do we recommend it?

Datadog Log Management is a cloud-based system that is able to collect and consolidate Windows Events, Syslog messages, and application logs. The tool calculates statistics on log message arrival and also displays messages in a data viewer. The data viewer can also load in messages from files.

The software enables you to search and filter log data in one place. All data can be archived centrally so that it’s accessible when you need it. Log data can be viewed through the dashboard, which is packed with visualization options like charts and diagrams to give you a more sophisticated perspective of what’s going on.

Machine learning-driven alerts notify you the moment there’s a problem. Alert notifications can be sent directly to external services like Slack, Hangouts Chat, and Microsoft Teams. You can also use Webhooks to follow up with custom code to deliver an automated response to the problem.

Картинка с сайта: www.comparitech.com

Who is it recommended for?

This tool is very affordable because all of its services are priced by data throughput. Another factor that enters into pricing is a data retention period for archiving. However, you could choose to file messages in this tool and then move those files elsewhere for archiving and save money.

There is a range of pricing options available for Datadog depending on your use case. For log management, prices start at $1.27 (£1.03) per million log events, per month with 7-day data retention or $0.10 (£0.081) per ingested or scanned GB, per month. You can start the 14-day free trial.

9. Syslog-NG

Картинка с сайта: www.comparitech.com

Syslog-NG is a log management solution that can collect and store Windows event logs. It can collect data from over 10,000 log sources and uses TLS encryption to protect important messages from unauthorized access. The platform offers users filtering to assist with navigation and store data in binary files.

Key Features:

• Log Data Storage: Safely archives log data for later analysis.
• Log Filtering and Forwarding: Organizes and redirects log data as needed.
• TLS Encryption: Secures log data during transmission and storage.

Why do we recommend it?

Syslog-NG is a free tool and it is able to process and forward Syslog messages, Windows Events, and many application log sources. It gives you the option of storing log messages to file or inserting them into a database. You can get the software and run it on your own server.

The software enables the user to forward log data to external tools. Users can send logs to SQL databases, MongoDB, and Hadoop Distributed File System nodes. The user can also send logs via SNMP or SMTP. Forwarding log data makes it easier for organizations to manage logs in the format that’s most convenient.

Who is it recommended for?

The free community edition is a good choice for those who just want to collect, consolidate, and file log messages. The paid options provide more options because they provide professional support, include a GUI interface, and can be run as software or bought as a network appliance.

Syslog-NG is recommended for enterprises that want a simple but comprehensive log management solution that supports a range of log sources. You can request a custom price quote from the sales team on the company website. Download the 30-day free trial.

Choosing the right tool for your organization

Managing Windows event logs is something that every enterprise should be doing. Having the visibility to detect failed services and availability issues early reduces the chance of the network is disrupted. The log management tools we’ve listed can all manage Windows event log data effectively, and give you the best chance of catching performance problems quickly.

Our editor’s choice for this article is SolarWinds Log Analyzer as it offers Windows users a comprehensive Windows event log monitoring experience for a competitive price tag. ManageEngine EventLog Analyzer also offers users a high-quality alternative and is recommended for companies looking for a free log management solution.

Windows Event Log Management FAQs