MSFTOPS01-BP02 Implement and collect logging for your Microsoft workload
Set up logging for your Microsoft workload infrastructure and applications. Windows Event Logs are generated natively by the Windows operating system and, usually, by the applications deployed on it. Products such as SQL Server and Internet Information Services (IIS) also write text logs that add observability insight. The Amazon CloudWatch agent can collect both Windows Event Logs and these text logs and centralize them in Amazon CloudWatch Logs. For enhanced security monitoring and analysis, these logs can be forwarded to a Security Information and Event Management (SIEM) solution through built-in connectors or AWS service integrations, enabling real-time security event monitoring, automated threat detection, compliance reporting, and advanced security analytics.
Desired outcome: Establish comprehensive logging collection and centralization for your Microsoft workload, providing complete visibility into system events, application behavior, and security activities while enabling efficient log analysis, troubleshooting, and compliance reporting through integrated AWS services and SIEM solutions.
Common anti-patterns:
- Relying only on local Windows Event Logs without centralized collection, making it difficult to correlate events across multiple systems, delaying incident response during critical situations, and leaving the only copy of the evidence on a host that an attacker with administrative access can clear.
- Collecting logs without proper retention policies or analysis capabilities, leading to storage inefficiencies and missed opportunities to identify patterns or security threats in the log data.
- Ignoring application-specific logs from Microsoft products like SQL Server and IIS, missing valuable insights into application performance, errors, and security events that could indicate potential issues.
Benefits of establishing this best practice:
- Centralized visibility and faster troubleshooting through consolidated log collection from all Microsoft workload components, enabling rapid identification of issues across the entire infrastructure stack.
- Enhanced security posture by forwarding logs to SIEM solutions for real-time threat detection, automated security analysis, and compliance reporting, improving overall security monitoring capabilities.
- Improved operational efficiency through automated log analysis, pattern recognition, and alerting capabilities that help identify recurring issues and optimize system performance proactively.
Level of risk exposed if this best practice is not established: High
Implementation guidance
Implementing comprehensive logging for Microsoft workloads requires a systematic approach to collect, centralize, and analyze logs from multiple sources. Begin by identifying all log sources in your Microsoft environment, configure the Amazon CloudWatch Agent for log collection, and establish proper log retention and analysis processes. This approach ensures you capture critical events and application behaviors while maintaining efficient log management and enabling effective troubleshooting and security monitoring.
Implementation steps
- Identify all log sources in your Microsoft workload, including Windows Event Logs (at minimum Security, System, and Application), SQL Server error logs, IIS access logs, and custom application logs.
- Install and configure the Amazon CloudWatch agent on Windows instances to collect these sources and forward them to Amazon CloudWatch Logs.
- Configure log groups and streams in Amazon CloudWatch Logs with appropriate retention policies based on compliance and operational requirements; security logs typically need longer retention than operational logs.
- Set up metric filters to identify critical events (for example, failed logons or audit log clearing in the Security log) and create CloudWatch alarms for important log patterns.
- Implement log forwarding to SIEM solutions using CloudWatch Logs subscription filters to Amazon Data Firehose or AWS Lambda for enhanced security analysis.
- Create CloudWatch Logs Insights queries for efficient log analysis and troubleshooting across your Microsoft workload components.
- Establish log monitoring dashboards and automated alerting for critical events and security incidents.
- Implement log archiving strategies, such as exporting log groups to Amazon S3, for long-term retention and compliance requirements.
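The following PowerShell script is an added example, not configuration taken from this page or shipped by AWS. It carries the steps above through on a single Windows instance running IIS and SQL Server: it writes a CloudWatch agent configuration that collects the Security and Application event logs (in XML format so event IDs are searchable), the IIS W3C access log, and the SQL Server ERRORLOG, each with its own retention; applies the configuration with the agent control script; creates a metric filter and alarm on Security event 4625 (failed logon); attaches a subscription filter that streams the Security log group to an Amazon Data Firehose delivery stream for a SIEM; and runs a Logs Insights query that counts failed logons by source address. Assumptions: the agent and AWS Tools for PowerShell are installed, the instance role allows the agent to write logs, and the paths, log group names, `$SnsTopicArn`, `$FirehoseArn`, and `$FirehoseRoleArn` are placeholders you replace with your own. The SQL Server path is version specific (MSSQL16 is SQL Server 2022).

```powershell
# Added example: end-to-end CloudWatch log collection for a Windows workload.
# All ARNs and paths below are placeholders (assumptions), not values from the page.
$ConfigPath     = 'C:\ProgramData\Amazon\AmazonCloudWatchAgent\config.json'
$SnsTopicArn    = 'arn:aws:sns:us-east-1:123456789012:security-alerts'          # assumed
$FirehoseArn    = 'arn:aws:firehose:us-east-1:123456789012:deliverystream/siem'  # assumed
$FirehoseRoleArn= 'arn:aws:iam::123456789012:role/CWLogsToFirehose'              # assumed

# Steps 2 and 3: sources, log groups and per-source retention. Security events are
# kept a year; operational logs 90 days. event_format "xml" keeps <EventID> in the
# message so metric filters and Insights queries can match on it.
$AgentConfig = @'
{
  "logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          { "event_name": "Security",
            "event_levels": ["INFORMATION", "WARNING", "ERROR", "CRITICAL"],
            "event_format": "xml",
            "log_group_name": "/microsoft/windows/security",
            "log_stream_name": "{instance_id}",
            "retention_in_days": 365 },
          { "event_name": "Application",
            "event_levels": ["WARNING", "ERROR", "CRITICAL"],
            "event_format": "xml",
            "log_group_name": "/microsoft/windows/application",
            "log_stream_name": "{instance_id}",
            "retention_in_days": 90 }
        ]
      },
      "files": {
        "collect_list": [
          { "file_path": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\*.log",
            "log_group_name": "/microsoft/iis/access",
            "log_stream_name": "{instance_id}",
            "timestamp_format": "%Y-%m-%d %H:%M:%S",
            "timezone": "UTC",
            "retention_in_days": 90 },
          { "file_path": "C:\\Program Files\\Microsoft SQL Server\\MSSQL16.MSSQLSERVER\\MSSQL\\Log\\ERRORLOG",
            "log_group_name": "/microsoft/sqlserver/errorlog",
            "log_stream_name": "{instance_id}",
            "encoding": "utf-16",
            "timestamp_format": "%Y-%m-%d %H:%M:%S",
            "multi_line_start_pattern": "{timestamp_format}",
            "retention_in_days": 90 }
        ]
      }
    }
  }
}
'@

# Write UTF-8 without a BOM; Set-Content -Encoding UTF8 on Windows PowerShell 5.1 adds one.
[System.IO.File]::WriteAllText($ConfigPath, $AgentConfig, (New-Object System.Text.UTF8Encoding $false))

# Load the configuration into the agent and (re)start it.
& "$env:ProgramFiles\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1" `
    -a fetch-config -m ec2 -c "file:$ConfigPath" -s

# Step 4: metric filter on failed logons (Security event ID 4625) and an alarm on bursts.
# The log group must exist first; the agent creates it on its first upload.
$Transform = New-Object Amazon.CloudWatchLogs.Model.MetricTransformation
$Transform.MetricName      = 'FailedLogons'
$Transform.MetricNamespace = 'MicrosoftWorkload/Security'
$Transform.MetricValue     = '1'
Write-CWLMetricFilter -LogGroupName '/microsoft/windows/security' -FilterName 'FailedLogons' `
    -FilterPattern '"<EventID>4625</EventID>"' -MetricTransformation $Transform

Write-CWMetricAlarm -AlarmName 'FailedLogonBurst' -Namespace 'MicrosoftWorkload/Security' `
    -MetricName 'FailedLogons' -Statistic Sum -Period 300 -EvaluationPeriods 1 `
    -Threshold 20 -ComparisonOperator GreaterThanOrEqualToThreshold `
    -TreatMissingData notBreaching -AlarmAction $SnsTopicArn

# Step 5: stream the Security log group to Firehose (and from there to the SIEM).
# An empty filter pattern forwards every event; the role must allow firehose:PutRecord*.
Write-CWLSubscriptionFilter -LogGroupName '/microsoft/windows/security' -FilterName 'ToSiem' `
    -FilterPattern '' -DestinationArn $FirehoseArn -RoleArn $FirehoseRoleArn

# Step 6: Logs Insights query - failed logons in the last 24 hours grouped by source address.
$Query = @'
fields @timestamp
| filter @message like /<EventID>4625<\/EventID>/
| parse @message /<Data Name="IpAddress">(?<srcIp>[^<]+)<\/Data>/
| stats count() as attempts by srcIp
| sort attempts desc
'@
$QueryId = Start-CWLQuery -LogGroupName '/microsoft/windows/security' -QueryString $Query `
    -StartTime ([DateTimeOffset]::UtcNow.AddDays(-1).ToUnixTimeSeconds()) `
    -EndTime   ([DateTimeOffset]::UtcNow.ToUnixTimeSeconds())
Start-Sleep -Seconds 5
(Get-CWLQueryResult -QueryId $QueryId).Results
```

Two caveats worth checking before relying on this: the agent service account must be able to read the Security log (the default LocalSystem account can), and `retention_in_days` inside the agent configuration requires a recent agent version; on older agents set retention on the log group instead with `Write-CWLRetentionPolicy`. The alarm threshold of 20 failed logons in five minutes is a starting point for a single server, not a tuned value.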
Resources
Related documents:
Related tools: