                                                                                                                                                                                                                                                Security Event Log

Event logs are a valuable tool for monitoring network security and performance, yet they are often underutilized because of their complexity and volume. As organizations grow, they need a more structured approach to event log management and retention. A recent survey carried out by the SANS Institute found that 44% of system administrators do not keep logs for more than a month.

Proper event log management helps you to meet several objectives, including:

- Information system and network security
- System health monitoring
- Legal and regulatory compliance (SOX, PCI DSS, HIPAA)
- Forensic investigations

The purpose of the event log in today's network security environment: this topic came about to solve an everyday business problem. Simply put, there is not enough time in the day to perform all security analyst tasks and adequately monitor every network security device. The expectation, however, was that monitoring every component of network security is essential; that is how things had always been done, and anything short of it might render a device or component of network security 'insecure'. It was clear that something had to be done.
The event log was chosen because, with proper auditing turned on, it was once the staple of detecting entry into a computer system. A failed logon attempt may indicate an attempt to gain unauthorized access. A successful logon may reveal the identity of a wrongdoer when unauthorized activity occurs. In addition, time was already being spent monitoring newer technologies such as intrusion detection systems, but the event logs were no longer being reviewed. They had simply been put on a shelf.
This topic is also relevant because more and more companies are implementing additional network security systems such as intrusion detection systems, network monitoring tools, host-based intrusion detection systems, firewalls, and so on. We are a very security-conscious corporation that adopted network security products aggressively. If we are struggling with monitoring, smaller and newer companies must be as well. If the result of this research helps others make sense of monitoring and put it into perspective, it has been worth it.
I will begin with a brief overview of the event log, its function and its limitations. From there I will discuss some of the components of network security, focusing on server monitoring. Finally, I will discuss network security more broadly, then the identified issues and their solutions, and end with a conclusion.

The event log consists of the system log, the security log, and the application log. On Windows NT (and on 2000, XP and Server 2003) they are stored as SysEvent.Evt, SecEvent.Evt, and AppEvent.Evt in the %systemroot%\system32\config folder; on Windows Vista, Server 2008 and later they are kept as .evtx files under %systemroot%\System32\winevt\Logs. In both cases the files are binary and are read through Event Viewer or the event log API rather than a text editor. The purpose of the logs is to store information about problems, performance, and, most importantly, security as defined in the account and audit policies. In a 4/4/99 article entitled 'The Event Logs', the logs were described as follows:
“System Log: The System Log contains events pertaining to NT’s services and drivers. If a service hangs upon starting, it will be recorded in this log. In a networked setting, there will often be “browser” events in this log, as the machines on the network vote on who will maintain the browse list.
Security Log: When auditing is enabled, security events will be logged to the Security Log. Auditing is enabled via User Manager, printer properties, or file/folder properties. Administrator privileges are required to view the Security Log.
Application Log: The Application Log is used for events generated by applications. This log can grow quite large when certain applications such as SQL Server or Exchange are running.
Events will always be one of five types: Error, Warning, Information, Success Audit and Failure Audit (the last two in the Security Log)” [1]
Reviewing these event logs without a third-party tool is a lengthy and cumbersome process. It means opening Event Viewer and manually looking through each of the three logs on each server, repeated tens or hundreds of times depending on the number of servers in your company and the frequency of reviews. In addition, the events you actually want to see are scattered among many others, so a further search is needed to find them. It is easy to see how this process gets put aside in favour of more rewarding tasks.
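The two points above, that failed and successful logons are the events worth watching and that collecting them by hand from every server does not scale, can be covered with a short script. The following is an added example written for this page, not code from the original article or from the SANS paper it draws on. It assumes Windows Vista/Server 2008 or later, where the Security log records logons as event ID 4624 (Success Audit) and 4625 (Failure Audit) rather than the NT 4.0 IDs 528 and 529, that logon auditing is enabled in the audit policy, that the account running it has remote Event Log rights on the targets, and that the firewall permits the Remote Event Log Management rule. The server names, the failure threshold and the time window are illustrative defaults; the "no events found" check relies on the English error text of Get-WinEvent.

```powershell
# Added example (not from the original article): gather logon audits from several
# servers and surface the patterns a manual Event Viewer review is meant to catch.
# Assumes Windows Vista/Server 2008+ (IDs 4624/4625), logon auditing enabled, and
# remote Event Log rights on each target. Server names and thresholds are illustrative.

function ConvertTo-LogonRecord {
    # Flatten one Security-log record into the fields we care about by reading the
    # named EventData elements from its XML (stable across event template versions,
    # unlike positional $Event.Properties indexes).
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Computer    = $Event.MachineName
            Id          = $Event.Id
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']   # 2 interactive, 3 network, 10 RDP
            IpAddress   = $data['IpAddress']
            Status      = $data['Status']      # 4625 only: NTSTATUS failure code
        }
    }
}

function Get-LogonRecords {
    # Pull 4624 (successful logon) and 4625 (failed logon) from each server for the
    # last $Hours hours. The filter hashtable is applied on the remote side, so the
    # whole Security log is not dragged across the network for every server.
    param([Parameter(Mandatory)][string[]]$ComputerName, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625
                 StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($server in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
                ConvertTo-LogonRecord
        } catch {
            # An empty result is normal; an unreachable server is itself a finding.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$server : $($_.Exception.Message)"
            }
        }
    }
}

function Find-LogonAnomalies {
    # Detection logic over the flattened records: $Threshold consecutive failures
    # against one account from one source inside $WindowMinutes (password guessing),
    # and whether a success from that same source followed (a guess that worked).
    param([Parameter(Mandatory)][object[]]$Records,
          [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $failures  = @($Records | Where-Object { $_.Id -eq 4625 })
    $successes = @($Records | Where-Object { $_.Id -eq 4624 })
    foreach ($grp in ($failures | Group-Object Computer, User, IpAddress)) {
        $events = @($grp.Group | Sort-Object TimeCreated)
        # Sliding window: any run of $Threshold failures whose first and last are
        # within $WindowMinutes of each other counts as a burst.
        $burst = $false
        for ($i = 0; $i + $Threshold - 1 -lt $events.Count; $i++) {
            $span = $events[$i + $Threshold - 1].TimeCreated - $events[$i].TimeCreated
            if ($span.TotalMinutes -le $WindowMinutes) { $burst = $true; break }
        }
        if (-not $burst) { continue }
        $first = $events[0]; $last = $events[-1]
        $later = @($successes | Where-Object {
            $_.Computer -eq $first.Computer -and $_.User -eq $first.User -and
            $_.IpAddress -eq $first.IpAddress -and $_.TimeCreated -gt $last.TimeCreated })
        $verdict = if ($later.Count -gt 0) { 'failure burst then success: investigate' }
                   else { 'failure burst' }
        [pscustomobject]@{
            Computer  = $first.Computer
            User      = $first.User
            IpAddress = $first.IpAddress
            Failures  = $events.Count
            FirstSeen = $first.TimeCreated
            LastSeen  = $last.TimeCreated
            Verdict   = $verdict
        }
    }
}

# Usage with illustrative server names; run from a host that can reach them.
$records = Get-LogonRecords -ComputerName 'dc01', 'fs01', 'web01' -Hours 24
Find-LogonAnomalies -Records $records -Threshold 5 -WindowMinutes 10 |
    Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

Because the analysis is separated from collection, the same Find-LogonAnomalies function can be fed records from forwarded logs or an archive instead of live servers, which matters when the retention problem from the survey above means the source server no longer has the events. Setting LogonType and Status aside in each record also lets you narrow a burst to, say, network logons (type 3) or to a specific failure code before escalating it.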

Article sources:
http://www.extralan.co.uk/products/Network-Security/GFI/Gfi-selm.htm
http://www.sans.org/reading_room/whitepapers/windows/event-logs-defining-purpose-todays-network-security-environment_279