I too am building out a new WinEvent logging design, and have considered the three solutions discussed above by fdarrigo.
For me, option 1, UFs everywhere, was not an option; I felt monitoring each one would only add more complexity and a potential single point of failure. Besides, I would have to verify that a UF install was properly done for each new server, a major pain.
Option 2, a centralized WinEvent server, is thus far my favorite choice, and it requires a UF installed on the fewest nodes compared with option 1.
As discussed in option 3, I've used WinEvent-to-syslog converters in the past with great success; however, I wasn't as concerned then with log fidelity as I am now.
My goal is to deploy option 2, a centralized WinEvent log server, and have the central server retain its own logs for whatever my disk limitations will allow, most likely 4-6 months. Since the data will be delivered into Splunk, I can retain it there even longer. The only issue I see here is validating that each sender to my central WinEvent store is actually sending; however, this is off-topic, but I would love to hear if others have any good ideas.
With regard to woodcock's reply, does converting to XML raise any questions about log fidelity? Also, are there any current dashboards that can consume XML to render reports for nefarious login activity and/or changes to AD accounts and groups?
Another option might be to deploy a central WinEvent logging server and deploy a WinEvent-to-syslog converter on it instead of installing a UF; I'm not sure what added benefit, if any, this offers.
Kind regards,
-mi
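The sender-validation problem raised in the post above (confirming that every host subscribed to the central collector is actually delivering events) can be checked from the collector itself. The following PowerShell script is an added example and is not code from the original post or from any Splunk component; it assumes the collector stores forwarded events in the default ForwardedEvents log, that the list of expected senders is kept in a plain text file (one FQDN per line, `C:\WEF\expected-senders.txt` is an assumed path), and that a sender silent for more than `MaxSilenceMinutes` should be flagged.

```powershell
# Added example: report which expected WEF senders have delivered events to this
# collector within a time window, and flag silent or unexpected senders.
# Run on the Windows Event Collector. Paths and threshold below are assumptions.

param(
    [string]$ExpectedSendersFile = 'C:\WEF\expected-senders.txt',  # assumed path
    [int]$MaxSilenceMinutes = 60                                    # assumed threshold
)

$cutoff = (Get-Date).AddMinutes(-$MaxSilenceMinutes)

# Pull only events newer than the cutoff (StartTime is filtered server-side, which
# matters on a collector holding months of data). MachineName on a forwarded record
# is the originating host, not the collector, so grouping by it yields one row per sender.
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $cutoff } `
                       -ErrorAction SilentlyContinue |
    Group-Object -Property MachineName |
    ForEach-Object {
        [pscustomobject]@{
            Sender    = $_.Name.ToLower()
            LastEvent = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            Count     = $_.Count
        }
    }

$seen = @{}
foreach ($r in $recent) { $seen[$r.Sender] = $r }

# Expected senders: skip blank lines and '#' comments in the constructed list file.
$expected = Get-Content $ExpectedSendersFile |
    Where-Object { $_ -and -not $_.Trim().StartsWith('#') } |
    ForEach-Object { $_.Trim().ToLower() }

$report = foreach ($sender in $expected) {
    if ($seen.ContainsKey($sender)) {
        [pscustomobject]@{ Sender = $sender; Status = 'OK';     LastEvent = $seen[$sender].LastEvent; Count = $seen[$sender].Count }
    } else {
        [pscustomobject]@{ Sender = $sender; Status = 'SILENT'; LastEvent = $null;                    Count = 0 }
    }
}

# Hosts forwarding events that are not on the expected list deserve a look too:
# either the inventory is stale or something joined the subscription that should not have.
$unexpected = @($seen.Keys | Where-Object { $expected -notcontains $_ })

$report | Sort-Object Status, Sender | Format-Table -AutoSize
if ($unexpected.Count -gt 0) { Write-Warning ("Unexpected senders: " + ($unexpected -join ', ')) }

# Non-zero exit so a scheduled task or monitoring agent can alert on silent senders.
$silent = @($report | Where-Object { $_.Status -eq 'SILENT' })
if ($silent.Count -gt 0) { exit 1 }
```

Two caveats: a host that is healthy but genuinely generated no events in the window will show as SILENT, so pick a window longer than the quietest host's normal interval (or forward a low-volume, always-present event such as the hourly system time-change or a scheduled heartbeat event to every sender). For a second, independent signal, `wecutil gr <SubscriptionName>` on the collector prints per-source RunTimeStatus and LastHeartbeatTime; a recent heartbeat proves the source connected to the subscription, while the script above proves events actually arrived, and the two disagree exactly when a sender is connected but not delivering.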