Determine which logs to monitor with SEM
Before you begin monitoring logs with SEM, SolarWinds recommends that you decide which logs to monitor. Avoid an "everything, all at once" approach: it is easy to become overwhelmed when all log data is sent to SEM at the same time. To determine which logs to monitor, do the following.
1. Identify your goals by listing what you want to accomplish with your log data. Consider the business drivers that require you to monitor logs.
   If you have a compliance-related goal, you could focus on your data center and monitor security events. If your goal is to monitor logs for outages, you could verify that your servers are sending logs and that you are receiving events from Microsoft Windows event logs.
2. Identify the systems that have the log data you want to monitor. If your goal is to monitor logs so you are PCI-compliant, identify the systems and network devices that are in scope for compliance.
   For each identified system and network device, identify which specific logs are in scope and, if applicable, the level of logging.
3. Begin with what you know. This helps you avoid learning about SEM and your logs at the same time.
   Monitor the logs that are familiar, and then scale from there. For example, if you are most familiar with your Windows security, application, and system event logs, begin monitoring those logs first. SEM also provides connectors to read many other types of logs.
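Step 1 above suggests verifying that in-scope servers and devices are actually sending logs before you rely on them. The following script is an added example, not SolarWinds or SEM code: it parses a constructed sample of syslog lines (the kind the table below lists for network devices), records the last event seen per host, and reports any host from a hypothetical inventory that has gone silent for longer than an allowed gap or has never reported at all. The host names, timestamps and thresholds are all constructed for illustration.

```python
"""Check that expected log sources are still delivering events.

Added example (not SolarWinds/SEM code). Parses BSD-style syslog lines,
tracks the most recent event per host, and flags in-scope hosts that are
silent beyond a threshold or absent entirely.
"""
from datetime import datetime, timedelta
import re

# Constructed sample of RFC 3164-style syslog lines (no year in the timestamp).
SAMPLE_SYSLOG = """\
Mar 10 08:00:01 fw-edge-01 kernel: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.1.9 ACCEPT
Mar 10 08:05:17 core-sw-01 sshd[2201]: Accepted publickey for admin from 10.0.0.12
Mar 10 08:05:40 fw-edge-01 kernel: IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=10.0.1.9 DROP
this line is malformed and should be skipped
Mar 10 08:40:02 core-sw-01 sshd[2203]: Failed password for root from 10.0.0.99
Mar 10 08:55:11 fw-edge-01 kernel: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=10.0.1.9 ACCEPT
"""

# Hypothetical in-scope sources taken from an asset inventory.
EXPECTED_HOSTS = ["fw-edge-01", "core-sw-01", "proxy-01"]

# Timestamp (month, day, time) followed by the sending host.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")


def parse_last_seen(text, year):
    """Return {host: datetime of the newest event} for every host in the text."""
    last_seen = {}
    for line in text.splitlines():
        match = SYSLOG_RE.match(line)
        if not match:
            continue  # tolerate malformed lines rather than abort the check
        # RFC 3164 omits the year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
        host = match["host"]
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return last_seen


def silent_sources(last_seen, expected, now, max_gap):
    """List (host, reason) for expected hosts that are missing or stale."""
    problems = []
    for host in expected:
        seen = last_seen.get(host)
        if seen is None:
            problems.append((host, "never seen"))
        elif now - seen > max_gap:
            problems.append((host, f"last seen {seen:%Y-%m-%d %H:%M:%S}"))
    return problems


def run_sample_check():
    """Run the check over the constructed sample at a fixed reference time."""
    last_seen = parse_last_seen(SAMPLE_SYSLOG, 2024)
    now = datetime(2024, 3, 10, 9, 0, 0)      # constructed "current" time
    return silent_sources(last_seen, EXPECTED_HOSTS, now, timedelta(minutes=15))


if __name__ == "__main__":
    for host, reason in run_sample_check():
        print(f"{host}: {reason}")
```

In the sample, fw-edge-01 reported within the 15-minute window, core-sw-01 last reported almost 20 minutes earlier, and proxy-01 never appears, so the check names the last two. In practice you would feed it an export from your syslog collector and the host list you scoped in step 2, and run it on a schedule so a device that silently stops forwarding is noticed before an incident makes its absence obvious.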
Use the following table to identify the logs to collect:
| If You Need To Track... | Collect These Kinds Of Logs |
|---|---|
| | User/Groups: Windows security logs; Systems: Windows system and application logs; Network devices (firewalls, routers, switches, etc.): syslogs |
| Authentication failures and successes | Windows security logs; Authentication logs on other platforms |
| Internal and external unexpected network activity | Proxy server logs; Network device logs (syslog) |
| Service and system activity | Windows system logs; Core operating system logs |