Administrators use the Log Manager Console, a Microsoft Management Console (MMC) GUI installable on other workstations, for remote management. To manage Log Manager's monitoring activities, administrators create Agent Categories, assign monitored systems to one or more Agent Categories, and create and assign Monitor Items to the categories. Because a monitored system can belong to several Agent Categories, administrators can create Agent Categories for each application or server function and assign Monitor Items to the Agent Category appropriate to the application. If a Monitor Item doesn’t apply to a system assigned to the category, the agent will ignore it with no extra processing. The ability to create a category with rules to collect all events from one or more event logs can help ensure the completeness of your event collection.
Log Manager supports five types of Monitor Items:
- Server Monitors allow the assigned agents to monitor the ELM Server’s status and attempt to restart the ELM Server service if the server’s Windows registry indicates that it did not shut down normally.
- Agent Monitors monitor the health of the agent running on monitored systems and might attempt to restart the service or perform notification when they detect failure or poor performance.
- Event Collector Monitor Items evaluate all events occurring on assigned systems and deliver matching events to the Log Manager Server, where they are stored in the database.
- Event Alarm Monitor Items watch for specific events or the lack of a specific event within a certain time period and trigger an action or notification in addition to writing the event to the database. Possible alarm actions are posting the event as an alert on consoles, issuing a Net Send message, creating a new application event log entry, and executing a program or script.
- File Monitor Items monitor text files for words and strings, using bookmarks to avoid re-reading portions of the file previously processed.
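The bookmark technique that File Monitor Items rely on can be sketched as follows. This is an added example, not ELM Log Manager's code: the function names, the JSON bookmark file, and the first-bytes fingerprint are assumptions, and it goes beyond the description above by also handling truncated or rotated files and half-written lines.

```python
import json
import os
import tempfile

def scan_with_bookmark(log_path, bookmark_path, patterns):
    """Return (line, pattern) hits found in lines added since the last scan."""
    try:
        with open(bookmark_path) as fh:
            mark = json.load(fh)
    except (FileNotFoundError, ValueError):
        mark = {"offset": 0, "head": ""}  # first run, or unreadable bookmark
    hits = []
    with open(log_path, "rb") as fh:
        head = fh.read(32).hex()  # fingerprint of the file's first bytes
        size = os.fstat(fh.fileno()).st_size
        # Truncated or rotated file: it is shorter than the bookmark, or its
        # first bytes changed. Restart at 0 rather than skip the new content.
        if size < mark["offset"] or not head.startswith(mark["head"]):
            mark["offset"] = 0
        fh.seek(mark["offset"])
        while True:
            start = fh.tell()
            raw = fh.readline()
            if not raw.endswith(b"\n"):
                fh.seek(start)  # EOF or half-written line: read it next time
                break
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            hits += [(line, p) for p in patterns if p.lower() in line.lower()]
        mark = {"offset": fh.tell(), "head": head}
    # Write the bookmark atomically so a crash cannot leave a torn file.
    with open(bookmark_path + ".tmp", "w") as fh:
        json.dump(mark, fh)
    os.replace(bookmark_path + ".tmp", bookmark_path)
    return hits

def demo():
    # Constructed sample log: first scan, append, then a simulated rotation.
    with tempfile.TemporaryDirectory() as d:
        log, bm = os.path.join(d, "app.log"), os.path.join(d, "app.bookmark")
        with open(log, "w") as fh:
            fh.write("10:00 service started\n10:01 logon FAILED for user1\n")
        first = scan_with_bookmark(log, bm, ["failed"])
        with open(log, "a") as fh:
            fh.write("10:02 logon failed for user2\n10:03 partial li")
        second = scan_with_bookmark(log, bm, ["failed"])
        with open(log, "w") as fh:  # rotation: a new, shorter file
            fh.write("11:00 access denied\n")
        third = scan_with_bookmark(log, bm, ["failed", "denied"])
        return first, second, third
```

A rotated file that happens to start with the same 32 bytes and is already longer than the saved offset would not be detected by this fingerprint; a file identity check would close that gap.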
Although you can enable a few kinds of notification actions when you create an Event Alarm Monitor item, an extensive set of notification alternatives is available to administrators through the Notification facility. Log Manager supports fifteen distinct notification methods, including marquee display, text-to-speech (using the Microsoft Voice engine), and posting a Web page. One of the options lets you post events to Log Manager Advisor consoles (specific consoles or all consoles), which are installable system tray–resident clients that notify the workstation user when new events post. Administrators define notification Rules, which make use of event Filters to describe which events the notification rule will apply to and also define named notification methods to define where notifications are sent. (Yes, TNT uses the same term to describe both the 15 kinds of notification you can employ and the named notification methods that you create to make use of TNT's supported notification methods.)
Hands On
I installed Log Manager without incident on a Windows 2003 system with SQL Server 2005 Express Advanced Edition installed. Log Manager's basic requirements are .NET Framework 1.1 and IIS 5.0 (or later) with ASP.NET configured. I created a few new agent categories, deployed Service Agents to a couple of systems and Virtual Agents (for agentless monitoring) to two more. I created several types of Monitor Items and discovered that context menus are available when viewing alerts and events, as Figure 6 shows. This made it easy to create an event filter to use elsewhere. Events Views, Personal Views (which are Events Views that show up only for your logon), and Notification Rules all make use of the same set of event filters. Notification Rules also turned out to be easy to configure.
Reporting is an area that TNT would do well to enhance in Log Manager, but because the data is in SQL Server, you can create your own reports using SSRS if you like. Selecting Reporting from the console quickly takes you to Log Manager's Web-based reporting interface, which lets you schedule and run predefined reports for the systems and date ranges you specify. There are only a few reports: I counted six security-related reports, plus an Alert Summary and an Event Summary. One of the reporting features is unique: When you first request a report, Log Manager asks you which systems you’d like to report on and creates the Event Collector Monitor Items needed to collect the necessary data.
I also configured the database pruning features. With pruning, I was able to specify retention periods for alerts and for events very flexibly by event filters.
The Web interface proved useful as well. It acts as a central repository for reports and also allows authorized people to search events and view alerts.
Summary
I’d like to see a few enhancements in Log Manager. When you click on a Category, it displays all the systems that are in the category but doesn’t show whether they use Service Agents or Virtual Agents. Sometimes it would be useful to have default event views for each category. For example, if I created a “SQL Server” category, it could be useful to see only the events captured by rules assigned to that category. You can create them in Event Views, but it seems like a natural default view. That you create alerting and notifications in two different areas seems a needless bit of complexity, and large installations may well end up creating a large number of event filters—a folder system to categorize and organize them would be better than having to scroll down a long alphabetized list, which is the current process.
I think most administrators will need to spend some time configuring Log Manager to their specific needs. The default collectors are pretty generic. Log Manager has some nice features, such as automating the collections configuration necessary for specific reports, and the large variety of notification methods. I liked the ability to configure multiple monitoring categories with assigned rule sets, and also the ability to assign systems to multiple categories. Overall, I found Log Manager's capabilities—aside from the reporting component—reasonably complete. Log Manager is one of the better products I tested.
TNT Software ELM Log Manager version 4.0
Pros: Flexible event collection and alert definition; more supported notification methods than any other product; local failover database provides fault tolerance if SQL Server is temporarily unavailable
Cons: Few reports and no ability within ELM Log Manager to create new reports
Rating: 4.0 stars
Price: Starts at $325 for 1–399 servers, $215 for 400 plus servers
Recommendation: ELM Log Manager was one of the better products I reviewed. Queuing events to the local failover database when the primary database is unavailable will help ensure the completeness of event collection, but you’ll need to spend some time customizing the configuration and creating additional reports.
Contact: TNT Software • http://www.tntsoftware.com • 877-546-0878
My Bottom Line
As with any comparative review, I found that the six products I reviewed here all have their benefits and drawbacks, as well as feature sets that will draw some of you to each of them. In the end I was most impressed with GFI’s EventsManager 7.1, and I've designated it my Editor’s Choice.