I have lately had a couple of projects where we wanted to collect Security events into a central repository. This is a good idea in production environments, especially those that are exposed to the Internet or a partner network. Some beneficial things to consider about rolling up security events:
Note: Wherever and however you collect this information, make sure you have very good security on the collection and reporting systems, and limit access to a small set of users. The information collected in this type of scenario is gold to someone who wants to penetrate your platform.
The interesting thing is that Microsoft doesn't currently offer a solution for security event rollup. The most logical place is probably MOM (Microsoft Operations Manager), but MOM is geared towards collecting event information, alerting, and resolving issues. It is not intended for archiving everything in a security log. For small infrastructures (10 boxes or less) you can probably get away with setting up an event rule that looks for events 529 and 532 from the security logs, but if these are web servers they will generate a lot of logon/logoff events even for anonymous access. Not to mention you won't be auditing any other security events.
NetIQ offers a MOM security management pack that logs everything (which is what you want), but if you have 100 boxes or more, the 30 GB limit on your MOM database is going to be reached pretty quickly and you will have to set up constant pruning. So this is not a good solution either.
Microsoft actually has a solution, but you probably can't get it yet. ACS (Audit Collection Services) is currently available to limited beta customers. ACS deploys a very small client called a Forwarder to each server, which is directed to roll up security events to a Collector, a server running the Collector service. The Collector archives and prunes a SQL database where all security events are stored. ACS is intended for high-volume collection, and there is apparently no limit on how much security data you can store. The real limit is how long you are willing to wait for a report to run, which of course depends on the volume of data you have. Reporting is accomplished with a couple of example reports that ship with ACS, but because the database schema is exposed you can write any report you wish.
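To make the two ideas above concrete (the "events 529 and 532" rule and its web-server noise problem, and a Collector that archives and prunes a SQL store that you can report off directly), here is a small added example. It is not ACS, MOM or NetIQ code; it is a toy collector written for this post. It assumes the pre-Vista Security log event IDs (528/540 logon, 538 logoff, 529 bad user name or password, 532 account expired), that IIS anonymous access runs under an `IUSR_<machine>` account, and that forwarded records arrive as (host, timestamp, event id, account, workstation) tuples; the sample rows are constructed, not captured.

```python
"""Toy security-event collector: archive forwarded Security log records in SQLite,
prune them by retention age, and run the 529/532 failure report over what is left."""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample records shaped like forwarded Windows 2000/2003 Security log
# entries: (host, timestamp, event_id, account, workstation). IUSR_* rows stand in
# for the IIS anonymous logon/logoff churn a web server produces; the repeated 529s
# against "administrator" from one workstation are the kind of thing the report
# should surface. All of these rows are invented.
SAMPLE_EVENTS = [
    ("web01", "2005-03-01 09:00:00", 540, "IUSR_WEB01", "web01"),
    ("web01", "2005-03-01 09:00:01", 538, "IUSR_WEB01", "web01"),
    ("web01", "2005-03-01 09:00:02", 540, "IUSR_WEB01", "web01"),
    ("web01", "2005-03-01 09:00:03", 538, "IUSR_WEB01", "web01"),
    ("web01", "2005-03-01 09:05:00", 529, "administrator", "WS-EXT-7"),
    ("web01", "2005-03-01 09:05:02", 529, "administrator", "WS-EXT-7"),
    ("web01", "2005-03-01 09:05:04", 529, "administrator", "WS-EXT-7"),
    ("app01", "2005-03-01 09:10:00", 532, "svc_batch", "app01"),
    ("app01", "2005-02-01 08:00:00", 529, "jsmith", "WS-12"),  # older than retention
]

FAILURE_IDS = (529, 532)   # the two logon-failure events the post's MOM rule keys on
RETENTION_DAYS = 14        # assumed retention window for the toy archive
TS_FMT = "%Y-%m-%d %H:%M:%S"


def open_archive(path=":memory:"):
    """Create the archive table; a file path gives a persistent store."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS events (
        host TEXT, ts TEXT, event_id INTEGER, account TEXT, workstation TEXT)""")
    return conn


def archive(conn, events):
    """Collector ingest: store every forwarded record unfiltered; returns row count."""
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?)", events)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]


def prune(conn, now_str, retention_days=RETENTION_DAYS):
    """Delete rows older than the retention window; returns rows removed.
    Timestamps are zero-padded ISO strings, so string comparison orders correctly."""
    now = datetime.strptime(now_str, TS_FMT)
    cutoff = (now - timedelta(days=retention_days)).strftime(TS_FMT)
    cur = conn.execute("DELETE FROM events WHERE ts < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def failed_logons(conn, event_ids=FAILURE_IDS):
    """The 529/532 rule as a report: failures grouped by host, account and source
    workstation, busiest group first, so brute-force patterns float to the top."""
    marks = ",".join("?" * len(event_ids))
    return conn.execute(f"""SELECT host, account, workstation, COUNT(*) FROM events
        WHERE event_id IN ({marks})
        GROUP BY host, account, workstation
        ORDER BY COUNT(*) DESC, host, account""", event_ids).fetchall()


def anonymous_noise(conn, prefix="IUSR_"):
    """How much of the archive is IIS anonymous logon/logoff traffic: (anon, total)."""
    total = conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    anon = conn.execute("SELECT COUNT(*) FROM events WHERE account LIKE ?",
                        (prefix + "%",)).fetchone()[0]
    return anon, total


if __name__ == "__main__":
    conn = open_archive()
    print("archived rows:", archive(conn, SAMPLE_EVENTS))
    print("pruned rows:", prune(conn, "2005-03-01 12:00:00"))
    for row in failed_logons(conn):
        print("failure:", row)
    print("anonymous rows / total:", anonymous_noise(conn))
```

Run against the constructed rows, the report shows three 529s against `administrator` from `WS-EXT-7` on `web01` and one 532 for `svc_batch` on `app01`, while half of the archived rows are `IUSR_WEB01` churn from a handful of anonymous requests. That ratio is the noise problem the post describes: a rule that only watches 529/532 misses everything else, but archiving everything from a web server is dominated by anonymous logon/logoff pairs unless the store is sized and pruned for it.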
Here is the bad news: ACS is only provided in beta form to a limited number of customers right now. It is still to be determined where ACS will land as a product, or whether it might be a free download. Oh, and there is no timeline for when it might be available.