July 2007

Log Management Products for SMBs

These products make it easy to monitor and manage your event logs

Event Archiver collects and consolidates Windows event logs locally or remotely by using the standard Windows event log API and shared folders. Event Archiver runs as a service, using an account with administrative access to the monitored systems. Administrators specify how frequently Event Archiver stages a copy of the event log in EVT file format and, optionally, clears the event log on the target system. Event Archiver then converts the file to a comma-delimited format or loads the data into an Access, SQL Server, or Oracle database. (Access need not be installed on the server for Event Archiver to create an Access-format database file.) As with Event Alarm, a pair of wizards supports setup and maintenance of archiving schedules for multiple systems. If any kind of failure occurs during archiving, Event Archiver retries the operation over a two-day interval and sends notifications that you can configure. Event Archiver compresses event files and moves them to a network share or FTP server for long-term retention. When you need to use historical data, Event Archiver moves a selected set of event files into the database of your choice. An option to include or exclude specified event types lets you reduce the database disk space used. An optional utility, Event Archiver Importer, which is free when you purchase the full Total Event Log Management Suite, automatically consolidates event logs collected by several Event Archiver servers. Administrators need to configure each Event Archiver server to send event files to a common network destination; Event Archiver Importer monitors that folder and automatically loads the log files into your database.

Event Analyst reports on and exports event log information. It can use data from active event logs, from the event files and text files that Event Archiver creates, and from the database tables that Event Alarm or Event Archiver creates. When you use Event Analyst to open a file or database table, it displays some of the records in a View window. The records displayed depend on a maximum display count you configure and on the event filters you apply before opening an event log source. You can filter the retrieval and display of EVT and text log files by using Basic filters; with database tables you can also use Advanced filters, which add text-string matching and time-of-day filtering. Event Analyst ships with many preconfigured Basic filters. From the View window, you can display event details and link to a Dorian Web site for more information about many event types. You can export filtered or unfiltered data in comma-delimited, HTML, or Access database format, or send it to an ODBC database. Event Analyst ships with many predefined report formats and lets you create custom reports as well. When running or scheduling reports, you can request that they be written to network shares in either HTML or comma-delimited text format.

Hands On
Installation to a Windows 2003 system was fairly uneventful. Curiously, the documentation supplies lots of useful information relevant to various implementation scenarios but never describes the actual installation procedure. I needn’t have fretted. The first time I started up the Event Alarm Control Panel, it walked me through an initial configuration. After designating an administrative service account and setting some preferences, the Event Alarm Control Panel started the Rapid Configuration Tool, which allowed me to select systems, logs, and events to monitor and to create notification sets to use for alarms. I specified writing events to raise an alarm to a database. The tool walked me through creation of an ODBC DSN. Because I wanted to store events in a SQL Server 2005 system, I needed to first create the database (using SQL Server Management Studio) to specify in the ODBC DSN. Event Alarm took it from there, creating the table before adding event records.

I installed Event Archiver next. Like Event Alarm, it is preconfigured with events and event groups for easy startup. I created a new database to specify in the ODBC DSN and selected the option that has Event Archiver create separate tables for each event log type. I found I could group server configurations together or create a configuration unique to a particular server and event log. The ability to have Event Alarm and Event Archiver log events to different databases using different filtering criteria adds both complexity and flexibility. For example, an administrator could use Event Alarm to log events for immediate follow-up and create Event Archiver filters with compliance reporting in mind. I configured Event Archiver to manage event logs for several systems, requesting hourly processing, sending event log data to the database, and writing compressed event log files to a network share. It all happened easily. I also enabled the option to prune old records from the database—I set it to one day for the test—and let it run. I also had Event Archiver create a SQL Server table from some of the compressed EVT files for another reporting test. None of this was difficult.

Event Analyst was next. Again, the installation proceeded quickly, and using the Event Analyst GUI I was able to open and view events from the database tables I had created and from EVT files. Running a report was a three-step process: open an event log source, apply a filter to limit the events included in the report, and run the report. I ran quite a few reports against both database sources and EVT file sources. Event Analyst limits EVT file input to a single file but makes it easy to select many EVT files and load them into an Access, SQL Server, or Oracle database file. Creating custom reports in Event Analyst is as easy as I’ve seen. As Figure 2 shows, the Report Designer presents you with a grid of boxes. Each click on a box reveals the next available data field. A single field in one of the top rows defines a sort and grouping field. The last row defines the fields you want to appear in the detail line.
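The filter-then-archive flow the review describes for the Dorian suite (Event Archiver's include/exclude of event types, its one-table-per-log option and its pruning of old records, plus Event Analyst's Advanced filters with text matching and time-of-day windows), as an added Python example that is not Dorian's code. The records, host names and table layout are constructed for the example, and SQLite stands in for the Access, SQL Server or Oracle targets.

```python
import csv, io, sqlite3
from datetime import datetime, timedelta
# Constructed sample in Event Archiver's comma-delimited export style (not real log data).
SAMPLE_CSV = """TimeGenerated,Computer,Log,EventType,EventID,Source,Message
2007-06-01 02:15:00,FS01,Security,Audit Failure,529,Security,Logon failure: bad password
2007-06-01 09:30:00,FS01,Security,Audit Success,528,Security,Successful logon
2007-06-01 23:45:00,FS01,Security,Audit Failure,529,Security,Logon failure: bad password
2007-06-03 10:00:00,WEB01,Application,Error,1000,Application Error,Faulting application w3wp.exe
"""

def parse_records(text):
    """Read the export; TimeGenerated becomes a datetime for the time-of-day test."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["TimeGenerated"] = datetime.strptime(r["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
    return rows

def advanced_filter(records, include_types=(), exclude_types=(), text="", hours=None):
    """Event Analyst-style Advanced filter: type include/exclude, text match, time-of-day window."""
    kept = []
    for r in records:
        if (include_types and r["EventType"] not in include_types) or r["EventType"] in exclude_types:
            continue
        if text.lower() not in r["Message"].lower():
            continue
        if hours:  # (start_hour, end_hour); a window such as (22, 6) wraps across midnight
            s, e, h = hours[0], hours[1], r["TimeGenerated"].hour
            if not (s <= h < e if s < e else h >= s or h < e):
                continue
        kept.append(r)
    return kept

def archive(conn, records):
    """One table per event log (log_security, ...), as Event Archiver can; table name is validated."""
    with conn:
        for r in records:
            table = "log_" + r["Log"].lower()
            if not table.isidentifier():  # name derives from data, never trust it in SQL unchecked
                raise ValueError(f"unsafe log name: {r['Log']!r}")
            conn.execute(f"CREATE TABLE IF NOT EXISTS {table} (TimeGenerated TEXT, Computer TEXT,"
                         " EventType TEXT, EventID INTEGER, Source TEXT, Message TEXT)")
            conn.execute(f"INSERT INTO {table} VALUES (?,?,?,?,?,?)", (r["TimeGenerated"].isoformat(" "),
                         r["Computer"], r["EventType"], int(r["EventID"]), r["Source"], r["Message"]))
    return len(records)

def prune(conn, table, keep_days, now):
    """Delete archived rows older than the retention period; returns how many were removed."""
    cutoff = (now - timedelta(days=keep_days)).isoformat(" ")
    with conn:
        return conn.execute(f"DELETE FROM {table} WHERE TimeGenerated < ?", (cutoff,)).rowcount
```

With the sample, a filter for Audit Failure events in a 22:00 to 06:00 window keeps the two overnight logon failures, and a one-day prune run on 3 June removes all three Security rows from 1 June.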

Summary
Total Event Log Management Suite is an attractive event archiving and reporting solution. The modular approach means you can purchase only the functions you really need, and it didn't seem to seriously complicate administration, except perhaps when it came to defining filters and alarms. Because both are based on the same sets of events, there is potential for synergy by sharing the common elements across the three modules. Implementation is simplified by the lack of any need to install agent software on managed systems. Overall, I found it easy to use, with a useful set of predefined filters and reports and relatively easy procedures for creating custom filters and reports. It is strictly a log management solution and lacks the system-monitoring features found in some of the other products I tested. This isn't a bad thing when log management is really all you need. The ability to collect from syslog sources without additional license requirements will appeal to administrators responsible for many network appliances and to those who want to centralize syslog archives from Linux/UNIX systems.

Dorian Software Total Event Log Management Suite
Pros: Relatively easy to implement; flexible archiving options; custom reports; reporting procedures are the same whether selecting active logs, an EVT or CSV file, or a database source; agentless
Cons: If you purchase the full product suite, the modular design might add a few steps to your implementation
Rating: 4 stars
Price: Starts at $299 per server
Recommendation: If you need only event log management without system monitoring features, this product is easy to implement. The modular approach and support for SQL Server 2005 Express Edition will appeal to SMBs wanting to reduce their costs.
Contact: Dorian Software | http://www.doriansoft.com/totalsolution | 1-866-682-3646

GFI Software EventsManager 7.1
GFI Software's EventsManager 7.1 monitors and archives Windows event logs, syslog output, and World Wide Web Consortium (W3C) log file information. It installs with a large number of predefined filters, facilitating a quick implementation. Event filters let you configure real-time notification for selected high-priority events, and EventsManager offers suggested remedial actions for many events. A new add-on of interest to larger organizations consolidates into a single database the event information collected by EventsManager servers at various company locations and incorporates facilities to help you manage database size and record retention. The separately installed GFI EventsManager ReportPack, included in the product license, includes a variety of predefined reports and enhances your ability to report on events that EventsManager collects.

Architecture
EventsManager is a server-based product and doesn't install an agent on monitored systems. To collect Windows EVT and W3C logs, an Event Retrieval Engine logs on to the remote system and retrieves event data by using standard Remote Procedure Calls (RPCs) and the ETW API, at times determined by a schedule you set. An Event Receiving Engine on the server acts as a syslog host to collect syslog information directed to it. Once event data is received, EventsManager processes the events against a set of rules and optionally archives the events to a SQL Server database. Another option lets EventsManager unconditionally archive all events for all specified logs on selected servers without invoking rules. When you call for the use of rules, EventsManager filters out uninteresting events and optionally alerts you to selected events. Alerting actions can include notification by email, Short Message Service (SMS), or Network Messaging (Net Send), and you can run a script or program (typically to perform some remedial action).

Rules let you specify the criteria within an event that will cause EventsManager to select the event for further processing. Rules can be organized into named rule sets for ease of management and application. Monitored computers can also be organized within named groups. An Event Log Scanning Profile is a named set of rules and rule sets that you can apply along with other configuration settings to monitored computers or groups of computers. Administrators can apply several Scanning Profiles to a computer or a group. This lets administrators augment profiles that apply to many or all systems with Scanning Profiles that are customized for a particular application or server. Administrators can use predefined or custom queries and event filters to browse and report on collected events stored in the database.

Hands On
EventsManager is intended for installation on Windows Server systems configured with Microsoft Data Access Components (MDAC) and .NET Framework 2.0. Access to a system running MSDE or SQL Server 2000 (or later) is also required. I installed to a Windows 2003 system that also had SQL Server Express 2005 Advanced Edition installed. Initial software installation was quick and left me with the GFI EventsManager Management Console, a GUI-based program, displaying a Component Configuration Quick Start menu. It guided me through configuring the SQL Server database, configuring an Administrator account and alerting options, and finally designating systems to monitor. It took just a few minutes to complete the first three steps, and not much longer to designate a few systems to monitor. EventsManager installs with fourteen predefined groups, each configured to use a collection of rule sets appropriate to the group. Four other groups—for Windows domain controllers (DCs), other Windows systems, Microsoft IIS W3C collection, and syslog collection—are preconfigured to simply archive collected events without processing rules. I can't imagine an easier way to get an initial configuration up and running.

By default, EventsManager connects to monitored systems by using the administrator account that the EventsManager service runs under, which I provided during installation. If necessary, you can provide alternate credentials by using a system or group Properties panel.
