Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
July 2007

Log Management Products for SMBs

These products make it easy to monitor and manage your event logs

The GFI EventsManager Console, which can't be installed on a workstation for remote management, is well designed and easy to navigate. As Figure 3 shows, the primary tabs Status, Configuration, Events Browser, and General are gateways to the key functional areas. Status screens show collection counts, the status of monitored devices, and a log of recent collection activity. Configuration screens are where you define rules, rule sets, and monitored systems and set up rule processing and archiving. Events Browser provides access to recent event information.

Display and reporting of collected events are the measure of a log management product's utility. I found the Events Browser easy to use for quick investigation of events. To facilitate real-time alert response, EventsManager displays a user-friendly interpretation of selected events, as Figure 4 shows. When you browse Windows event logs, each monitored event log is listed along the left side of the window. Under each log type, a series of predefined folders and/or queries is presented; each query filters the display of collected events. For example, within the Security event log, Account Usage is a query category, with queries filtering for successful logons, failed logons, and account lockout events. One of the predefined event processing rules selects logon events occurring outside of normal working hours, and I was able to quickly create a custom filter displaying only the events captured by that rule.

Reporting is supported by the EventsManager ReportPack, a separately purchased module that runs within the context of GFI's Report Center 3.5, which manages reporting for many of GFI's products. I downloaded and began the ReportPack install, and it in turn downloaded and installed Report Center. Like the EventsManager Console, Report Center presents an Outlook 2003–like interface. It includes 34 default reports that you can customize and schedule by using easy-to-follow wizards. I found I could run any report from its right-click menu for any of several time periods relative to today. After manually running a report, I could email it in PDF, Word, Excel, or RTF format, or export it to a file in any of those formats as well as HTML and a data-only Excel format. When scheduling reports, I could select any specific date or date range or one of five relative date ranges (today, yesterday, last seven days, this month, and last month). The reports I examined all included both graphic and tabular representations of the selected data. This is a very well-implemented reporting feature.

Summary
Overall, I was impressed by GFI's EventsManager and ReportPack. It seems apparent to me that the product's designers had both ease of implementation and ease of use in mind, and they accomplished those objectives in these products. The key area in which I felt EventsManager fell short is the lack of support for remote workstation installation of the GUI console. EventsManager is easy to recommend to anyone whose log management needs are limited to the three log types EventsManager supports.

GFI Software EventsManager 7.0
Pros: Many predefined events to facilitate implementation; a well-designed, easy-to-navigate GUI console; and many predefined display filters that can be easily augmented with custom display filters
Cons: The GUI console can't be installed remotely, so you must use a remote desktop product for remote administration; logs all events to the database but has no facility to archive raw EVT files
Rating: 4.5 stars
Price: Starts at $800 for three nodes
Recommendation: EventsManager is a well-designed, easy-to-use log management product for Windows event logs, W3C-format log files, and syslog output, with an excellent report management option.
Contact: GFI Software, http://www.gfi.com

Prism Microsystems EventTracker 5.6
Prism Microsystems' EventTracker monitors and manages Windows event logs, several variants of syslog output, and text-based log files. Version 5.6 is about to be supplanted by version 6.0 later this year, which will offer full support for Vista's event channels. A separate product, EventLogCentral, provides Web-based access to reporting and analysis of the data that EventTracker collects. Other optional components support server health monitoring and SNMP trap reception.

Architecture
The EventTracker server is recommended for installation on a Windows 2003 system and is supported under Win2K and XP as well. An agent installed on monitored Windows systems manages their event logs, and EventTracker also supports agentless monitoring of Windows systems with a more limited capability, which I describe shortly. Functionally, EventTracker consists of a Console Server, which communicates with monitored systems; several services, which run on the console server; three Web sites for remote administration and reporting; and agent services, which run on monitored systems. Prism Microsystems offers two optional agents for use with EventTracker. A High Performance agent is designed for use on DCs, where event-generation rates can create performance problems. An agent for Solaris C-2 translates Basic Security Module (BSM) data into EventTracker events.

Data is stored in Microsoft-style compressed cabinet (CAB) files rather than in an ODBC-style database. Prism Microsystems determined that for log management, a CAB data structure yields both disk space and performance advantages and eliminates the need for database-management skills.

EventTracker uses Active Directory (AD) user-based authentication and defines, for each user, access roles that determine what the user can do and permissions that specify which systems the user can work with. Through the Web interface, you can safely grant appropriate access to the information EventTracker collects to various groups in the organization, such as help desk staff and auditors.

The EventTracker Correlation engine, EventTracker's rule-processing component, uses Linux/UNIX-style regular expressions to match rules to events, which provides a powerful, flexible approach to rule correlation. I didn't count them, but Prism Microsystems advertises more than 500 predefined rules in EventTracker to facilitate rapid implementation.

As an event log monitor, EventTracker collects events from Windows Vista/XP/2003/2000/NT, syslog and syslog-ng, Solaris BSM, SNMP, and any flat-file log. In addition to log monitoring, agent-supported systems monitor CPU, memory, and disk utilization metrics; processes exceeding thresholds; failing services; and network connections. When monitoring flat files, EventTracker matches text by using regular expressions and maintains a bookmark into the file so that it scans only new log information. Prism Microsystems includes knowledge modules to assist in monitoring the flat-file logs that IIS, SQL Server, and a few proprietary applications produce. EventTracker 6.0 will add support for Vista and for Check Point firewall logs.
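The two mechanisms the review describes, regex rules applied to a flat-file log and a bookmark so that only newly appended lines are scanned, are shown together below in an added example that is not code from the original article or from either vendor. The rule names, the sample sshd-style log lines, and the 08:00-17:59 "working hours" window used for the after-hours check (the kind of rule the EventsManager section mentions) are constructed assumptions; the scanner also handles the two cases a real collector must get right, a half-written last line and a log that was truncated or rotated since the last run.

```python
import re, tempfile
from datetime import datetime
from pathlib import Path

TS = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "  # constructed rules in the style of EventTracker's regex matching, not the product's
RULES = {
    "failed_logon": re.compile(TS + r".*Failed password for (?P<user>\S+)"),
    "service_failed": re.compile(TS + r".*service (?P<svc>\S+) failed"),
}
WORK_HOURS = range(8, 18)  # 08:00-17:59 counts as normal working hours (assumption)

def scan(log: Path, bookmark: Path) -> list:
    """Match RULES against lines appended since the last run; persist a byte-offset bookmark."""
    try:
        offset = int(bookmark.read_text())
    except (FileNotFoundError, ValueError):
        offset = 0
    if log.stat().st_size < offset:  # log truncated or rotated: rescan from the start
        offset = 0
    hits = []
    with log.open("rb") as fh:
        fh.seek(offset)
        for line in iter(fh.readline, b""):
            if not line.endswith(b"\n"):  # partial last line: leave it for the next run
                break
            offset = fh.tell()  # bookmark advances only past complete lines
            text = line.decode("utf-8", "replace").rstrip("\r\n")
            for name, rx in RULES.items():
                m = rx.match(text)
                if m:
                    hit = m.groupdict()
                    hour = datetime.strptime(hit["ts"], "%Y-%m-%d %H:%M:%S").hour
                    hit.update(rule=name, after_hours=hour not in WORK_HOURS)
                    hits.append(hit)
    bookmark.write_text(str(offset))
    return hits

def demo() -> tuple:
    """Constructed sample log: first scan, no-change scan, append with a half-written line, truncation."""
    d = Path(tempfile.mkdtemp())
    log, bm = d / "app.log", d / "app.log.bookmark"
    log.write_bytes(b"2007-07-02 02:14:05 host sshd: Failed password for root\n"
                    b"2007-07-02 09:30:00 host sshd: Accepted password for bob\n"
                    b"2007-07-02 10:00:00 host svc: service spooler failed\n")
    first, unchanged = scan(log, bm), scan(log, bm)
    with log.open("ab") as fh:
        fh.write(b"2007-07-02 19:05:00 host sshd: Failed password for alice\n2007-07-02 19:06:00 host sshd: Failed pass")
    appended = scan(log, bm)
    log.write_bytes(b"2007-07-03 03:00:00 host sshd: Failed password for eve\n")
    return first, unchanged, appended, scan(log, bm)
```

Calling demo() returns the four scan results in order; the second is empty because nothing was appended, the third contains only the alice hit because the trailing half-line is held back, and the fourth rescans from offset zero because the file shrank.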
