Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


July 2007

Log Management Products for SMBs

These products make it easy to monitor and manage your event logs

Hands On
I installed EventTracker on a Windows 2003 SP1 system configured with IIS. The installation process required that I install three components, followed by some post-installation configuration. First, I installed EventTracker core components, followed by the EventTracker Correlation engine. During installation of the EventTracker components, I was able to specify where to place the database files that EventTracker installs. Next, I installed EventLogCentral 2.0, the Web-based management interface. A readme file that displayed at the completion of the latter step had me configure IIS, the .NET Framework, and an EventTracker report directory. Console access is governed by membership in two AD user groups. All users must belong to an EventTracker group, and administrative use is restricted to those who are also members of an EventTracker Admin group.

When I started preparations for this review, one of the first things I noticed was the 968-page User’s Guide, including the 280-page chapter on reporting. Although that may sound daunting, the manual isn’t as onerous as it might be: It makes liberal use of screen images to illustrate the points it makes.

EventTracker has three primary user interfaces. A GUI interface runs on the EventTracker server and is used to manage monitoring, analysis, and reporting. When you are working on the console, an EventTracker Control Panel provides shortcuts to many of the control and analysis functions within the GUI console.

I started in the System Manager console, where you create groups to organize monitored computers. You can choose to have EventTracker assign systems to a group based on IP subnet membership or server/workstation OS classification, and you can create a group for simple manual assignment of systems. When you want more information about a particular event, EventTracker provides it with a link to Prism Microsystems' kb.eventlogmanager.com Web site. Alert actions include running a script on the console server, as well as notifications.

EventLogCentral is the Web-based interface used for reporting and user management. EventTracker makes use of a Crystal Reports–based reporting facility and supplies more than 500 report templates, including sets of compliance reports for the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley (SOX) Act, the Federal Information Security Management Act (FISMA), the Gramm-Leach-Bliley (GLB) Act, and PCI Security Standards.

Within the console, administrators can restrict user rights at a granular level by creating and assigning EventTracker Roles to individual users. Role granularity includes 45 separate viewing options, with fewer add, modify, delete, and report options. Further, you can restrict a user’s access to specific groups of computers.

Using EventLogCentral to view recent events, I found it easy to home in on specific types of events on specific systems. EventTracker offers a wide variety of successive views to narrow the scope of event display and lets you sort events by clicking on a column header. I experienced good response time when using this part of EventLogCentral.

The screens you use to select and configure one of the predefined reports are easy to complete, and you can save reports in either .pdf or .doc file format. However, when I attempted to run a report, it started cranking away and I lost patience waiting for it.

Summary
EventTracker has a lot of power and flexibility. For example, it supports role-based user access with permissions to specific server information. At the same time, I found the user interfaces less intuitive to navigate than other systems. The 21 shortcuts into the EventTracker GUI console found on the EventTracker Control Panel illustrate my point. For example, if you want to add new monitored computers or groups, you must use the System Manager applet, when access to the function from a right-click menu in the navigation pane would have been more convenient. I created new system groups, yet they didn’t show up in the auto refresh–designated navigation pane until I selected Refresh from the view menu—selecting Refresh from the high-level All Computers container didn’t do it. In terms of response time, the console didn’t feel very fast. I found myself waiting not only for event filters to take effect but even when closing management applets. Overall, although EventTracker boasts an impressive list of capabilities, I found the organization and responsiveness of the user interfaces lacking.

Prism Microsystems EventTracker
Pros: Designed with a broad scope of capabilities; supports both agented and agentless monitoring; includes a Solaris agent; monitors some server health–related metrics; provides very flexible role-based access to the reporting and viewing console
Cons: Management UIs were a bit cumbersome, and the response time wasn’t always good
Rating: 3.5 stars
Price: Starts at $9,000 for 20 Windows servers and 50 workstations. Contact vendor for more information.
Recommendation: This product’s definable role-based authentication and Web console are attractive for Help desk use. If you need some of its unique features, I recommend that you install it for evaluation and see how it works for you.
Contact: Prism Microsystems • http://www.prismmicrosys.com • 443-539-3766

RippleTech LogCaster
RippleTech’s LogCaster monitors, reports on, and alerts to activity in Windows event logs, device syslog output, and text-file-based event logs. It stores logged events, which are configurable, in a SQL Server database and makes use of SQL Server 2005 Reporting Services (SSRS) to create and save reports in a variety of formats, including PDF, HTML, or CSV file format. LogCaster’s monitoring extends beyond event log–style data to include an ability to monitor Windows performance counters, to run Windows services, and to run network-based IP services such as mail and Web servers throughout your network. In addition to Windows event log data, LogCaster will monitor and report on syslog data from Linux/UNIX systems and network devices, and from IBM mainframe Resource Access Control Facility (RACF) data.

Architecture
LogCaster installs on Windows 2003, XP, and Win2K systems and requires a SQL Server 2005 or SQL Server 2000 system. It also supports MSDE, but SQL Server 2005 is the preferred database platform because of its associated SSRS features.

The LogCaster service running on the LogCaster server communicates with agents to collect Windows event logs, manages the database, receives syslog data, and monitors performance counters and IP-based system health monitors. The LogCaster agent on monitored Windows systems receives event log filters from the server that have been configured for the system, communicates with the event log service on the monitored system, processes and filters event log entries, and forwards selected events to the LogCaster server. The agent also monitors any text files configured for Text File Watcher, and manages native event log file backups. The LogCaster console GUI, which you may install on workstations for remote access, is the tool you use to configure all aspects of LogCaster and to view events and generate reports.

On monitored Windows systems, the agent continually monitors the system for new events. New events are evaluated against event rules; when there is no match, no further processing occurs. When matches occur, the agent writes the event to a data cache on the local system (which it never allows to exceed 20MB in size) and sends it to the LogCaster server. The server writes the event to the SQL Server database and performs any notification processing that has been configured for the event.
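
The agent-side flow described above (match against event rules, cache locally under a size ceiling, forward to the server) can be sketched as follows. This is an added example, not LogCaster code: the Rule and Agent classes, the JSON record format, and the oldest-first eviction policy are assumptions, since the article states only that the cache never exceeds 20MB.

```python
import json
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

CACHE_LIMIT = 20 * 1024 * 1024  # the 20MB cache ceiling cited in the review

@dataclass(frozen=True)
class Rule:
    """Hypothetical event rule; an unset field matches any value."""
    log: Optional[str] = None
    event_ids: frozenset = frozenset()

    def matches(self, ev):
        return ((self.log is None or ev["log"] == self.log)
                and (not self.event_ids or ev["event_id"] in self.event_ids))

@dataclass
class Agent:
    rules: list
    limit: int = CACHE_LIMIT
    cache: deque = field(default_factory=deque)  # serialized events awaiting delivery
    cache_bytes: int = 0
    evicted: int = 0

    def handle(self, ev):
        """Filter one event; return True if it matched a rule and was cached."""
        if not any(r.matches(ev) for r in self.rules):
            return False  # no match: no further processing
        rec = json.dumps(ev, sort_keys=True).encode()
        if len(rec) > self.limit:
            self.evicted += 1  # a record that can never fit is dropped and counted
            return False
        # Assumed policy: evict oldest records so the cache never exceeds the limit.
        while self.cache_bytes + len(rec) > self.limit:
            self.cache_bytes -= len(self.cache.popleft())
            self.evicted += 1
        self.cache.append(rec)
        self.cache_bytes += len(rec)
        return True

    def flush(self, send):
        """Forward cached events in order; stop at the first failed send."""
        sent = 0
        while self.cache and send(self.cache[0]):
            self.cache_bytes -= len(self.cache.popleft())
            sent += 1
        return sent

# Constructed sample events (not taken from the product or the article).
SAMPLE = [
    {"log": "Security", "event_id": 529, "host": "SRV1", "msg": "Logon failure"},
    {"log": "Application", "event_id": 1000, "host": "SRV1", "msg": "App error"},
    {"log": "Security", "event_id": 517, "host": "SRV1", "msg": "Audit log cleared"},
]
RULES = [Rule(log="Security", event_ids=frozenset({517, 529}))]
```

The evicted counter is the figure to watch in a design like this: any nonzero value means matched events were discarded on the monitored system before the server received them.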



 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.