Archiving
Event logs are useful both for catching problems in real time and for long-term analysis and investigation. Windows doesn't provide any built-in capability for collecting event logs in a secure location and archiving them for long-term storage. An event-log management tool makes it easy to collect scattered event logs from around your network and store them in a secure location. An added benefit that some tools offer is the ability to provide, through the use of digital signatures, assurance that the event-log data wasn't tampered with since its collection.
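The tamper-evidence feature described above is simple to reproduce once you have a copy of the log: hash the exported file at collection time and sign the hash with a key that lives on the collector, not on the monitored server. The following is an added example, not code from the review or from any of the products it covers. It targets current Windows (wevtutil and .evtx exports, which did not exist on the Windows 2000/2003 systems reviewed), assumes a hypothetical archive directory C:\LogArchive, and stands in an in-memory RSA key for the collector's real signing key, which in practice would live in a certificate store or HSM.

```powershell
# Added example: export a log, sign the export, and verify it later.
# Assumptions (not from the review): archive directory C:\LogArchive; the RSA key is
# generated in memory here only to keep the example self-contained.
$ArchiveDir = 'C:\LogArchive'
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$evtx    = Join-Path $ArchiveDir ('{0}-System-{1}.evtx' -f $env:COMPUTERNAME, $stamp)
$sigFile = "$evtx.sig"

# 1. Export the log with the built-in tool. System is readable by ordinary users;
#    exporting Security requires an elevated session.
wevtutil epl System $evtx
if ($LASTEXITCODE -ne 0) { throw "wevtutil export of System failed ($LASTEXITCODE)" }

# 2. Sign the export (SHA-256 over the whole file, RSA PKCS#1 v1.5 signature).
$rsa   = [System.Security.Cryptography.RSA]::Create(2048)
$bytes = [System.IO.File]::ReadAllBytes($evtx)
$sig   = $rsa.SignData($bytes,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
[System.IO.File]::WriteAllBytes($sigFile, $sig)

# Only the public half is needed to check an archive; distribute it to auditors and
# keep the private half off the archive file server.
$pubKey = $rsa.ExportParameters($false)

function Test-ArchiveSignature {
    param(
        [string]$File,
        [string]$SignatureFile,
        [System.Security.Cryptography.RSAParameters]$PublicKey
    )
    $verifier = [System.Security.Cryptography.RSA]::Create()
    $verifier.ImportParameters($PublicKey)
    $verifier.VerifyData(
        [System.IO.File]::ReadAllBytes($File),
        [System.IO.File]::ReadAllBytes($SignatureFile),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# 3. Verify the untouched export, then simulate tampering on a copy by flipping one
#    bit of the last byte and verify again.
"Untouched archive verifies: $(Test-ArchiveSignature $evtx $sigFile $pubKey)"

$tampered = "$evtx.tampered"
$copy = [System.IO.File]::ReadAllBytes($evtx)
$copy[$copy.Length - 1] = $copy[$copy.Length - 1] -bxor 1
[System.IO.File]::WriteAllBytes($tampered, $copy)
"Tampered copy verifies:     $(Test-ArchiveSignature $tampered $sigFile $pubKey)"
```

The point of signing at the collector is that an attacker who owns the monitored server can still clear or edit its live log, but cannot forge the signature over the copy the collector already took; the second verification shows that even a one-bit change to the archived file is caught. Sign each export as it arrives, and store the signature files on the same write-once or access-controlled share as the exports.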
Reporting
Windows does a good job of collecting data in its event logs, but data is only data. Event-log records are famous for being cryptic and undocumented. Windows has no native functionality for massaging that data into useful information such as a failed logon report, a system uptime report, or reports for new user accounts or group member changes. A good event-log management system provides prebuilt reports for commonly needed queries and offers the user the ability to design reports with custom filtering and formatting.
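On current Windows versions the failed-logon and group-change reports mentioned above can be produced natively with PowerShell, which did not exist when this review was written. The following is an added example, not part of the review or of any of the products it covers. It assumes a Windows Vista/Server 2008 or later Security log (failed logons are event ID 4625; group-membership changes are 4728/4732/4756 for additions and 4729/4733/4757 for removals; on the Windows 2000/2003 systems reviewed the failed-logon equivalents are IDs 529 through 537) and an elevated session, since the Security log is not readable otherwise.

```powershell
# Added example: native failed-logon and group-membership reports.
# Assumes Vista/2008+ Security log event IDs and an elevated session (not from the review).
function Get-EventDataField {
    # Pull one named field out of the event's XML <EventData> block.
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-FailedLogonReport {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    # -ErrorAction SilentlyContinue: Get-WinEvent reports "no events found" as an error.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f (Get-EventDataField $_ 'TargetDomainName'),
                                            (Get-EventDataField $_ 'TargetUserName')
                LogonType   = Get-EventDataField $_ 'LogonType'      # 2 interactive, 3 network, 10 RDP
                SourceIP    = Get-EventDataField $_ 'IpAddress'
                Workstation = Get-EventDataField $_ 'WorkstationName'
                SubStatus   = Get-EventDataField $_ 'SubStatus'      # 0xC000006A bad password, 0xC0000064 no such user
            }
        }
}

function Get-GroupChangeReport {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $added   = @(4728, 4732, 4756)   # member added to global / local / universal group
    $removed = @(4729, 4733, 4757)   # member removed
    $filter  = @{ LogName = 'Security'; Id = ($added + $removed); StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = if ($_.Id -in $added) { 'Added' } else { 'Removed' }
                Group  = Get-EventDataField $_ 'TargetUserName'   # the group's name
                Member = Get-EventDataField $_ 'MemberName'       # the member's DN
                By     = Get-EventDataField $_ 'SubjectUserName'  # who made the change
            }
        }
}

# Usage: list the last 24 hours of failures, then summarize by account and source to
# surface password guessing (threshold of 10 per pair is an arbitrary choice).
$failures = Get-FailedLogonReport -Since (Get-Date).AddHours(-24)
$failures | Format-Table -AutoSize
$failures | Group-Object Account, SourceIP | Where-Object Count -ge 10 |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

Get-GroupChangeReport -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

The summary step is what the products' prebuilt reports are really selling: the raw 4625 records are one line per failure, and only after grouping by account and source address does a slow password-guessing run stand out from ordinary typos.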
The Contenders
There are about two dozen offerings on the market that provide some event-log management functionality, so I used four criteria in selecting products for this comparative review: First, the product must be designed with event-log monitoring as a core feature. All Windows event logs (Application, System, and Security, as well as Directory Service, DNS, and File Replication Service) must be supported. Second, the product must support monitoring of multiple computers. Third, the product must support real-time email alerting. And fourth, the product must be priced between $60 and $250 per server (with a five-server network in mind).
The three event-log management products in this review (Dorian Software Creations' Event Log Management Suite; Prism Microsystems' EventTracker, Protector Edition; and Omnitrend Software's ServScan) all meet these minimum criteria. (Two other products, Infopulse's Sentry Pro and Engagent's Sentry II, met my criteria but were unavailable for review.) Dorian's offering takes an imaginatively modular approach to event-log management by offering three separate products for alerting, reporting, and archiving, so you can implement and pay for only the functionality you require. EventTracker implements alerting, reporting, and archival services for Windows event logs, as well as some additional monitoring features outside the event log. ServScan provides event-log monitoring and alert services but offers no reporting or log-archival features. Table 1 compares these products' features.
Event Log Management Suite
Dorian's Event Alarm, Event Archiver, and Event Analyst can function individually or integrated with one another. Each of the products provides a solid, clean, no-frills approach to the separate functions of event management. Event Alarm provides monitoring, Event Archiver provides archiving, and Event Analyst gives you reporting.
Dorian's products can manage remote event logs from one software installation. The suite has an agent-optional architecture that, combined with the company's exclusive focus on Windows event logs, gives you many of the advantages of both agentless and agent-based solutions. With Dorian, you can install as many copies of Event Alarm as you want, so you can keep monitoring traffic on the local LAN instead of dragging it over the WAN each time Event Alarm needs to poll a server for new events. But to keep a unified view of alerts, you can configure all copies of Event Alarm to insert alerts into the same database table. Likewise, you can deploy Event Archiver on as many servers and LANs as necessary, but you can funnel all the archived logs to one or more central log-archive servers. Then, you can use Event Analyst to perform centralized reporting on the data collected by Event Archiver, as Figure 1 shows.
The only agent-based advantage missing from the Dorian products is the elimination of polling. Event Alarm must periodically query the event log for new events, whereas an agent running locally on a server can efficiently suspend execution until Windows informs it that a new event has been logged.
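The difference between the two approaches is easy to see in code. The following is an added example, not code from Dorian or from the review: part (a) polls a log the way an agentless monitor must, keeping the last record number it saw as a watermark; part (b) subscribes to the log so the process sleeps until Windows raises an event. It targets current Windows (Get-WinEvent and the .NET EventLog class), and the 30-second interval and the hypothetical source identifier SystemLogWatch are arbitrary choices.

```powershell
# Added example (not from the review): polling versus subscription for new events.

# (a) Agentless-style polling. Each cycle asks for records newer than the watermark.
#     Works against remote machines over RPC, but latency equals the polling interval
#     and every poll costs a round trip even when nothing happened.
function Get-NewEvents {
    param(
        [string]$LogName = 'System',
        [string]$ComputerName = $env:COMPUTERNAME,
        [ref]$LastRecordId    # updated in place to the newest record returned
    )
    $xpath = "*[System[EventRecordID > $($LastRecordId.Value)]]"
    $new = @(Get-WinEvent -ComputerName $ComputerName -LogName $LogName -FilterXPath $xpath `
                -ErrorAction SilentlyContinue | Sort-Object RecordId)
    if ($new.Count -gt 0) { $LastRecordId.Value = $new[-1].RecordId }
    $new
}

# Start the watermark at the newest record so we only report events from now on.
$watermark = (Get-WinEvent -LogName System -MaxEvents 1).RecordId
for ($cycle = 0; $cycle -lt 3; $cycle++) {
    Start-Sleep -Seconds 30
    Get-NewEvents -LogName System -LastRecordId ([ref]$watermark) |
        ForEach-Object { '{0} poll: id {1} from {2}' -f $_.TimeCreated, $_.Id, $_.ProviderName }
}

# (b) Agent-style subscription. The .NET EventLog class raises EntryWritten only for
#     logs on the local computer, which is why a product needs an agent on the box to
#     get push notification; the process does no work until Windows calls it.
$log = New-Object System.Diagnostics.EventLog 'System'
$log.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $log -EventName EntryWritten `
    -SourceIdentifier SystemLogWatch -Action {
        $entry = $Event.SourceEventArgs.Entry
        Write-Host ('{0} push: id {1} from {2}' -f $entry.TimeGenerated, $entry.InstanceId, $entry.Source)
    } | Out-Null

# Later, to stop watching:
# Unregister-Event -SourceIdentifier SystemLogWatch; $log.Dispose()
```

One practical caveat on the polling side: keep the watermark on record number rather than on timestamp, because clock adjustments on the monitored server can make a time-based query skip or repeat events, while record numbers only move forward until the log is cleared.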
As far as alert functionality, Dorian's suite supports email, pager, and pop-up messages, using NetBIOS messages for pop-ups. Dorian's solution doesn't include an alert console, but the company has built a cool option into Event Alarm that inserts alerts into a Microsoft Access or SQL Server database. You can create your own console with acknowledgement and resolution-notes features in about 5 minutes by using Access and creating a form and a report. Event Alarm doesn't permit alerting via command execution.
For archive functionality, Event Archiver deploys on one server, collects EVT files from each server that you specify, and places the files on a central file server. Dorian offers a utility (available by request) that streamlines the installation of Event Archiver in agent-style deployments. Another tool lets you import events into a central database by first having the Event Archiver agent compress EVT files on the local system and then send them via FTP or file sharing to a central server, on which the Event Archiver Importer utility collects the imported files in the central database. Support for FTP and compression lets you push event files through network boundaries (e.g., firewalls) and across bandwidth-limited connections (e.g., WAN links to other offices). From the central Access, Oracle, or SQL Server database table, you can use Event Analyst or your own reporting tool to perform centralized reporting.
Event Analyst provides prebuilt reports for common needs such as logon failures, errors, and warnings. The tool lets you create detailed reports or summaries and doesn't require you to write SQL. It also provides links to extra details about specific event IDs through its Web-based event-log knowledge base.
(Figure: Event Analyst offers many prebuilt reports)
Event Analyst is exclusively an event-log reporting tool, and I was impressed by the way Dorian followed through with its modular approach. At first, I wrongly assumed that Event Analyst wouldn't work as a centralized reporting tool unless I also deployed Event Archiver to create a centralized database from which Event Analyst could query. Although Event Analyst is certainly faster when it's running against an Access or SQL Server database, it doesn't require one. You can run the very same reports against a group of EVT files or a group of computers' live event logs. This capability affords you much flexibility, letting you easily report on any number of archived logs, report on computers not covered by Event Archiver, or perform ad hoc event-log reporting. Finally, Dorian lets you schedule reports for regular execution, followed by automatic email delivery to specified recipients.
harry-o, October 26, 2004