Hi
Log collectors or SIEM tools are useful because the native Windows Event Viewer is slow, can search only a limited number of logs (around 4GB, which is roughly 24h of the Security log on a DC), does not work across systems and cannot perform analysis or send alerts.
"Overwrite events as needed" is the best Windows event log configuration for the collector to fetch as many events as possible. By design, log collector tools can query the Windows event log by interval only. But an attacker can cover his tracks by creating many events to overwrite the relevant events. Even if the log is 4GB and the log collector fetches every minute, it is not guaranteed that the events are collected seamlessly.
"Archive the log when full" is the best configuration to seamlessly archive all events to file, even if an attacker penetrates the system. But the log collector has a gap between the last fetch and the time of archiving. E.g. at 08:00 the collector fetches events, at 08:05 the Windows Event Log is archived to file, at 08:10 the collector fetches again, but the events between 08:00 and 08:05 are not collected because they are in the archive file.
How do I design a solution that allows events to be collected seamlessly without an attacker covering his tracks?
How does Microsoft's ATP handle this?
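One way to close the 08:00-08:05 gap described in the question, as an added example that is not part of the original post: a PowerShell fetch routine that reads the live Security log and any archive file written since the last fetch, then de-duplicates the union. The archive folder, the archive file naming and the state file path are assumptions (the folder and naming match Windows defaults).

```powershell
# Added example (not from the original post): fetch Security events since the
# last run from the live log AND from archive files written since that run,
# so records moved by "Archive the log when full" are not skipped.
# Assumptions: default archive folder and naming, and a state file path.
$ArchiveDir = "$env:SystemRoot\System32\winevt\Logs"   # default archive folder
$StateFile  = 'C:\ProgramData\collector\security.last' # assumed state file

function Get-SecurityEventsSince {
    param([datetime]$Since)

    # 1. Live log: everything created since the last fetch.
    $live = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    # 2. Archive files produced by "Archive the log when full" since the last
    #    fetch. Windows names them Archive-Security-<timestamp>.evtx.
    $archived = Get-ChildItem -Path $ArchiveDir -Filter 'Archive-Security-*.evtx' |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            Get-WinEvent -FilterHashtable @{
                Path      = $_.FullName
                StartTime = $Since
            } -ErrorAction SilentlyContinue
        }

    # 3. Merge and de-duplicate: an event can appear in both sources when the
    #    fetch and the archive race. RecordId plus TimeCreated is unique per channel.
    @($live) + @($archived) |
        Where-Object { $_ } |
        Sort-Object TimeCreated, RecordId |
        Group-Object { "$($_.RecordId)|$($_.TimeCreated.Ticks)" } |
        ForEach-Object { $_.Group[0] }
}

# Read the last successful fetch time, fetch, then advance the marker only
# after the events have been handed to the SIEM.
$since     = if (Test-Path $StateFile) { [datetime](Get-Content $StateFile) } else { (Get-Date).AddMinutes(-5) }
$fetchedAt = Get-Date
$events    = Get-SecurityEventsSince -Since $since
# ... forward $events to the SIEM here ...
New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
$fetchedAt.ToString('o') | Set-Content $StateFile

# Gap detection for the "Overwrite events as needed" case: if the oldest
# surviving live event is newer than the last fetch, records were lost or archived.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
if ($oldest.TimeCreated -gt $since) { Write-Warning "Security log gap before $($oldest.TimeCreated); check archives." }
```

Run it as an administrator (the Security log and the archive folder are privileged); the warning at the end is what tells you a gap happened that the archive files did not cover.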