Overview:
A practical real-world application for aggregating logs would be Graylog. Its current incarnation is version 4, which retains the ‘free’ nature of open source at its core while adding a pay model for ‘enterprise’ features. Here is a quick list of the considerations behind that choice:
– It’s free and open-source
– The open-source agent, winlogbeat, is able to ship to other vendors’ stacks should we switch logging applications (Logstash/Elasticsearch, the ELK stack). “That is currently the best-known way to ingest windows event logs into Graylog.” (source:
– It’s focused on log analytics, so it should be simple to use and administer
– The alternative of installing SCOM 2019 requires more licensing and resources than a single server instance
– The open-source version appears to have all the core functionality needed to aggregate Windows logs (source: https://graylog.org/pricing/)
– In the event that we need the ‘correlation engine,’ ‘scheduled reports,’ and ‘search parameters’ features, the Enterprise upgrade is free as long as the engine ingests less than 5GB/day. This can mean 256MB of logging volume per server for 20 servers. winlogbeat can be configured to filter most noise to achieve this target utilization. (sources: https://community.graylog.org/t/implement-graylog-in-windows-enviroment/12801 and
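As an added example (not from the original page or the Graylog project), here is a winlogbeat.yml that trims each server toward the per-server budget described above: it drops the noisiest Security events and machine-account network logons at the agent and ships the rest to a Graylog Beats input. The Graylog hostname, the 72h backfill window, and the specific event IDs excluded are assumptions to be tuned per environment.

```yaml
# Constructed winlogbeat.yml for the 20-server / 5GB-per-day budget.
# Filter at the agent so the noise never counts against Graylog ingest.
winlogbeat.event_logs:
  - name: Security
    # On first start, do not backfill more than 72h of history (assumption).
    ignore_older: 72h
    # Exclude Windows Filtering Platform connection events (5156/5158/5152);
    # they dominate Security volume and are rarely used in investigations.
    # Everything else (logons, 4688 process creation, account changes) is kept.
    event_id: -5156, -5158, -5152
  - name: System
    ignore_older: 72h
    # Informational events are the bulk of these channels; keep only problems.
    level: critical, error, warning
  - name: Application
    ignore_older: 72h
    level: critical, error, warning
  - name: Microsoft-Windows-PowerShell/Operational
    # 4103 (module logging) and 4104 (script block logging) are high-value.
    event_id: 4103, 4104

processors:
  # Network logons (LogonType 3) by machine accounts (names ending in "$")
  # are mostly domain controller and SMB chatter. Dropping them is a
  # volume trade-off: keep this rule only if that traffic is not needed
  # for the detections you run in Graylog.
  - drop_event:
      when:
        and:
          - equals:
              winlog.event_data.LogonType: "3"
          - regexp:
              winlog.event_data.TargetUserName: '\$$'

# Graylog's Beats input listens on TCP 5044 by default; hostname assumed.
output.logstash:
  hosts: ["graylog.example.internal:5044"]
```

Compare the daily ingest per host in Graylog's input throughput metrics before and after applying the filters to confirm the 256MB target is actually met.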
Open-source logging limit calculation:
Since a 5GB logging limit is stated by the vendor for the free open-source variant of Graylog, the simplified calculation below derives some estimates:
– Storage limit for Graylog non-enterprise version: 5 GB or 5120 MiB per day
– Servers to be monitored: 20 Windows nodes
– Average logging per server: 256 MiB per day
– Average log size per event: 650 bytes
– Aggregate event count per server: 403 events per day