As I understand it, Windows Domain Controllers each keep their own log of security events, which means a specific security incident (logon and logoff events are the specific point of interest at the moment; I'm sure there will be more later) could be on whichever domain controller got the request first or responded the quickest. (Comparing the security logs from two domain controllers certainly seems to confirm this, but if I am misunderstanding it, please let me know what I am missing.)
We have not required long-term archival of these logs in the past, but that is changing. So my questions, to make these logs useful, are:
1) What things do you recommend logging/not logging, and more importantly,
2) What methods do you recommend using to consolidate these logs?
My leaning is to use one of the myriad solutions I have seen that allow you to dump to syslog. Has anyone used any of these? And if so, can you offer any pointers/recommendations?
Long-winded question, sorry; maybe I should have made it a discussion instead...
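As an added example (not from the original post or from TechRepublic), the following PowerShell script illustrates the consolidation problem described above: it enumerates every domain controller, pulls the logon/logoff events that each DC recorded locally, and merges them into one time-ordered CSV. It assumes the ActiveDirectory module is installed, that each DC is reachable for remote event log access, and that the account running it has Event Log Readers rights; the event IDs are the Windows Server 2008+ Security log IDs for logon (4624), failed logon (4625) and logoff (4634/4647).

```powershell
# Added example: merge logon/logoff events from all DCs into one file.
# Each DC only records the logons it serviced itself, so a single DC's
# Security log never shows the whole picture.
param(
    [int]$Hours = 24,
    [string]$OutFile = "$env:TEMP\dc-logons.csv"
)
Import-Module ActiveDirectory

# Security event IDs on Windows Server 2008 and later:
# 4624 = successful logon, 4625 = failed logon, 4634/4647 = logoff.
$ids   = 4624, 4625, 4634, 4647
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName   # assumes AD module present

$all = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = $ids; StartTime = $since
        } -ErrorAction Stop | ForEach-Object {
            # Field order in .Properties differs per event ID, so read the
            # named EventData fields from the event XML instead.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                DC          = $dc          # which DC actually serviced the request
                EventId     = $_.Id
                User        = $d['TargetUserName']
                Domain      = $d['TargetDomainName']
                LogonType   = $d['LogonType']     # empty on logoff events
                SourceIP    = $d['IpAddress']     # empty on logoff events
                Workstation = $d['WorkstationName']
            }
        }
    } catch {
        # Unreachable DC, access denied, or "No events were found" all land here
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# One merged, time-ordered view across all DCs
$all | Sort-Object Time | Export-Csv -NoTypeInformation -Path $OutFile
Write-Host "Wrote $(@($all).Count) events from $(@($dcs).Count) DCs to $OutFile"
```

The same per-DC collection is what a syslog forwarder or agent does continuously; the script just makes the gap visible by showing which DC each event came from.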