Thank you all who replied.

I have found a combo that is reasonably priced and works within our limited Microsnot world. All in all we got what we need for $4K as opposed to the $20K+++ for things like Symantec Enterprise security, CA's e-Trust IDS solution or Cisco Works or HP Openview.

PS - will get a linux box up and running. I'm so lame I don't even know that. Always learning.

Insideout - http://www.stonylakesolutions.com - reads native PIX format logs, ports them to MSSQL, gives nice graphical displays and ability to drill down. Cumbersome but nice as an app for a limited number of machines (the customer in question only uses five of our servers). Also allows for manual report creation on the full PIX log - we have an expert team of programmers and MSSQL experts for this. They are reportedly creating a full IDS solution for this product.

$900

GFI Network Solutions LanGuard - Besides the security events logs, GFI LANguard S.E.L.M can also retrieve the application and system event logs, as well as the DNS server, Directory services and File replication event logs. Sends alerts via email and text messaging on cell phones. Client is most concerned with attacks and activity from outside and this proggie grabs ALL win32 logfiles, the Collector Agent stores these events in a Microsoft SQL Server.

$2895 for 25 servers

KIWI syslog Daemon and Cat-Tools will log and archive router logs as well as backup device configs. Hopefully we can poke around and get useful info into MSSQL from here.

$195
Snort for win32 - all are very familiar with this one. This we will use internally as a forensic tool. We won't use it for customer reports at this time. They won't go for Snort - the client is too big and they will expect IDS to be done more with an industry standard (expensive) apps. We currently have it logging to file but plan to port it to MSSQL as well.

$free

We feel that with this combination we can produce reports on all server activity directly related to the client's servers. We also have several real-time packet sniffers that can easily be filtered to monitor and log only activity to their devices. Output is in a format such that it can easily be imported into a custom MSSQL database and queried for real-time activity.

With our extensive MSSQL and programming experience in-house, we feel we can get their security audit team off our backs with this and it will give a good overall picture of potential malicious activity on their network devices.

We'll be able to write our own MSSQL queries and reports on everything going on and, with a little hunting, Snort's signatures on exploit activity can easily be converted into MSSQL query strings to easily track and report on potential exploit activity in real-time using the PIX logs and sniffer logs.

We also plan on evaluating Stonylake's IDS offering when it becomes available.
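As an added illustration of the PIX-log-to-SQL-query approach described in the post (this is example code, not the poster's setup or any of the named products): the block parses constructed deny lines in the style of the PIX 106023 syslog message, loads them into a table, and runs a detection written as a SQL query. sqlite3 is assumed as a stand-in for MSSQL so it runs offline; the schema, table name and the "distinct ports per source" threshold are all assumptions for the example.

```python
import re
import sqlite3

# Constructed sample lines in the style of PIX syslog deny messages (not real traffic).
SAMPLE_LOG = """\
Mar 12 10:01:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.5/41000 dst inside:192.0.2.10/445 by access-group "outside_in"
Mar 12 10:01:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.5/41001 dst inside:192.0.2.10/139 by access-group "outside_in"
Mar 12 10:01:04 pix %PIX-4-106023: Deny tcp src outside:203.0.113.5/41002 dst inside:192.0.2.11/1433 by access-group "outside_in"
Mar 12 10:01:05 pix %PIX-4-106023: Deny udp src outside:198.51.100.7/5000 dst inside:192.0.2.10/161 by access-group "outside_in"
"""

# Fields of interest from a 106023 deny line: protocol, source, destination, ports.
PIX_DENY = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_pix(text):
    """Return one (proto, src, sport, dst, dport) tuple per deny line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PIX_DENY.search(line)
        if m:
            d = m.groupdict()
            rows.append((d["proto"], d["src"], int(d["sport"]), d["dst"], int(d["dport"])))
    return rows

def load_db(rows):
    """sqlite3 stands in for MSSQL here (assumption); the schema and query are plain SQL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pix_deny (proto TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER)")
    con.executemany("INSERT INTO pix_deny VALUES (?,?,?,?,?)", rows)
    return con

# A detection expressed as a query: sources denied on several distinct inside
# ports within the log window (probing behaviour); the threshold is a parameter.
SCAN_QUERY = """
SELECT src, COUNT(DISTINCT dport) AS ports, COUNT(*) AS denies
FROM pix_deny
GROUP BY src
HAVING COUNT(DISTINCT dport) >= ?
ORDER BY ports DESC
"""

def suspicious_sources(con, min_ports=3):
    """Rows of (src, distinct_ports, total_denies) meeting the threshold."""
    return con.execute(SCAN_QUERY, (min_ports,)).fetchall()

if __name__ == "__main__":
    con = load_db(parse_pix(SAMPLE_LOG))
    for src, ports, denies in suspicious_sources(con):
        print(f"{src}: {ports} distinct ports, {denies} denies")
```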