3

This may be a duplicate, as I'm fishing for information, as I'm not that au fait with logging on Windows. I know on Unix you can ship syslogs via the relay and RFC 5424. I also know you forward Windows event logs with event subscription within a domain.

But taking an example, for the following products.

Microsoft BizTalk, Microsoft Exchange, Microsoft Host Integration Server, SQL Server, IIS and MS Forefront. They all log, but I'm more interested in audit information.

What I think I'm asking is: does every Microsoft product log to the event log, or can it be set up to do so? What's best practice regarding this?

Bob.

scope_creep
  • 207
  • 2
  • 7

1 Answer

2

Most of Microsoft's products are not set up to automatically export their logs. I have spent a great deal of time dealing with this - Server 2008 / Vista and above provide a way to forward Windows event logs between servers. My preferred method is via Snare / Epilog.

Once properly configured these products will allow the vast majority of Microsoft products to write to a central Syslog server.

Note - many of Microsoft's products write to the event log, but many more also write only to standard text-based files. Epilog picks up the text-based logs; Snare picks up the Windows event logs.

Your other option is to script a periodic copy of these text-based logs to a third-party server.

I prefer a unified interface to a single server myself. In my environment we log all our events to Splunk using the free license. You could also look at Snare or a couple of the alternatives.

Tim Brigham
  • 15,545
  • 10
  • 75
  • 115
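The "script a periodic copy" option from the answer above, as an added example that is not part of the original post and not code from Snare, Epilog or any Microsoft product: a PowerShell script that uses robocopy to ship only new or changed text-based logs to a collection share, plus a scheduled task that reruns it hourly. The IIS log root `C:\inetpub\logs\LogFiles`, the share `\\logcollector\logs` and the task name are all assumptions; the ScheduledTasks cmdlets require Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post or any of the products named.
# Copies new or changed text-based logs (assumed: IIS W3C logs) to a
# collection share and, with -Install, registers an hourly scheduled task.
# All paths and the share name are assumptions; adjust for your environment.

param(
    [string]$SourceDir = 'C:\inetpub\logs\LogFiles',              # assumed IIS log root
    [string]$DestRoot  = "\\logcollector\logs\$env:COMPUTERNAME", # assumed collection share
    [switch]$Install                                               # register the scheduled task
)

function Copy-TextLogs {
    param([string]$Source, [string]$Destination)

    if (-not (Test-Path -LiteralPath $Source)) {
        throw "Source log directory not found: $Source"
    }
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    }

    # /E   recurse into subdirectories (IIS keeps one per site, W3SVC<n>)
    # /XO  skip files that are older on the source than on the destination,
    #      so already-collected, unchanged files are not copied again
    # /R:2 /W:5  limited retries so a flaky share does not hang the task
    # /NP /NDL   quieter output for the task history
    $null = & robocopy.exe $Source $Destination '*.log' /E /XO /R:2 /W:5 /NP /NDL

    # robocopy exit codes below 8 mean success (0 = nothing new, 1 = files copied)
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy failed with exit code $LASTEXITCODE"
    }
    return $LASTEXITCODE
}

function Install-LogCopyTask {
    param([string]$ScriptPath, [string]$Source, [string]$Destination)

    # Runs as SYSTEM, which reaches the share as the machine account, so the
    # collector share must grant write access to this computer's account.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -SourceDir `"$Source`" -DestRoot `"$Destination`""

    # Hourly repetition. On Windows 10 / Server 2016 and later omitting
    # -RepetitionDuration means "repeat indefinitely"; older versions need
    # an explicit -RepetitionDuration as well.
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)

    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    Register-ScheduledTask -TaskName 'Copy-IIS-Logs-To-Collector' `
        -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}

if ($Install) {
    Install-LogCopyTask -ScriptPath $PSCommandPath -Source $SourceDir -Destination $DestRoot
} else {
    $rc = Copy-TextLogs -Source $SourceDir -Destination (Join-Path $DestRoot 'iis')
    Write-Output "robocopy finished with exit code $rc"
}
```

Run it once by hand to confirm the share is reachable, then `.\Copy-Logs.ps1 -Install` to register the task. Unlike event forwarding, files copied this way only reach the collector on the task's schedule, and the day's active IIS log is still being appended to when it is copied, so expect the current file to be re-copied on each run. Restrict the collector share to write-only for the machine accounts so a compromised host cannot alter logs already collected from other servers.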