It's important not to write off all common events as noise. For example, in the typical network, log-on attempts will be among the most commonly recorded events. Even failed log-ons using incorrect names or passwords are normal. But don't filter them out. You need to collect and analyze them as they are often the first signs of an unauthorized intruder or malware worm going ape on your network.
For every recorded event ID, you need to establish a baseline measurement over three weeks to three months. Find out what is normal on a daily basis, by the hour, and over the long term. Then set triggers that generate critical alerts when these thresholds have been exceeded.
Continuing my log-on example, a few failed log-ons an hour can be expected, but if you were to see 50 failed log-ons in a second or 50 failed log-ons between client workstations that have no reason to communicate, then you have an event that needs investigating. Behavior thresholds are a little more art than science, but you have to start somewhere.
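As an added illustration of the two thresholds above (example code, not from the column or any product it names), the Python below reads constructed failed-log-on records, counts failures per second, and flags workstation-to-workstation failures that are not on an allow-list; the record format, the host names, and the "WS-" workstation naming prefix are assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not from the column). Format per line:
# "<timestamp> <source host> <target host> <account>", one failed log-on each.
BASELINE_EVENTS = [
    "2024-05-01T09:00:00 WS-0017 FILESRV01 alice",  # ordinary mistyped password
    "2024-05-01T09:12:31 WS-0023 MAILSRV01 bob",
    "2024-05-01T09:30:00 WS-0042 WS-0017 carol",    # workstation to workstation
    "2024-05-01T09:31:05 WS-0042 WS-0023 carol",
]
# Constructed burst of the kind the column describes: 50 failures in one second.
BURST_EVENTS = [f"2024-05-01T10:15:00 WS-00{i:02d} FILESRV01 svc{i}" for i in range(50)]
SAMPLE_LOG = "\n".join(BASELINE_EVENTS + BURST_EVENTS)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<user>\S+)$")


def parse_events(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_alerts(log_text, per_second_threshold=50, workstation_prefix="WS-",
                allowed_pairs=frozenset()):
    """Return (kind, detail) tuples for events that exceed the baseline.

    'burst'   : a single second with at least per_second_threshold failures
    'lateral' : a failed log-on from one workstation to another, unless that
                (source, target) pair is in allowed_pairs
    """
    per_second = Counter()
    lateral = set()
    for ev in parse_events(log_text):
        per_second[ev["ts"]] += 1
        src, dst = ev["src"], ev["dst"]
        if (src.startswith(workstation_prefix) and dst.startswith(workstation_prefix)
                and (src, dst) not in allowed_pairs):
            lateral.add((src, dst))
    alerts = [("burst", f"{ts}: {n} failed log-ons")
              for ts, n in sorted(per_second.items()) if n >= per_second_threshold]
    alerts += [("lateral", f"{src} -> {dst}") for src, dst in sorted(lateral)]
    return alerts


if __name__ == "__main__":
    for kind, detail in find_alerts(SAMPLE_LOG):
        print(kind, detail)
```

In practice the per-second threshold and the allow-list come from the baseline you measured, not from the defaults used here.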
A log with no noise
Two other points: One, consider setting up one or more honeypot systems. I've covered honeypots more than a handful of times in this column. Take a computer you're getting ready to throw away and turn it into your secret honeypot. Don't even let most of the people in IT know about it (this helps catch more trusted insiders doing things they shouldn't). A honeypot is a fake asset, and nothing should ever touch it after you tune out the normal broadcast traffic. Its only job is to create an actionable alert if something tries to connect. A honeypot is low cost, low risk, low noise, and high value -- I wish I could say the same for other security software. My longtime favorite honeypot software product is KFSensor.
Lastly, consider outsourcing the whole thing if you don't have the time, equipment, expertise, or software. There are dozens of excellent companies that can take you from no log analysis to top-notch log analysis in a short time, but I can recommend no better company than my friend Bruce Schneier's BT Counterpane. There are other excellent competitors, but Counterpane is always on my short list of recommendations.
The idea is to create a nearly self-managing event log system, where only aberrant events get turned into action items to be investigated. Sure, plenty of those investigated items will turn out to be legitimate or technically misbehaving events, but you'll have another great tool in your arsenal next to your intrusion detection systems, firewalls, and antimalware software. And we need all the help we can get.