Windows IT Pro
July 2007

Log Management Products for SMBs

These products make it easy to monitor and manage your event logs

Hands On
I tested LogCaster 5.5 and installed it during a scheduled Web conferencing session with a RippleTech technician, a service RippleTech offers to all customers. Before the call, I had prepared two Windows Server 2003 SP1 systems, one of which was configured with IIS, SQL Server 2005, and SSRS. We started by installing LogCaster on its server, then installed the LogCaster Reporting and Risk Assessment reporting modules on the SQL Server.

Administrators use the LogCaster console GUI to configure all aspects of LogCaster’s data collection, to remotely install the LogCaster Agent to Windows systems, and to display priority events. The GUI has three main areas of activity: Setup, Configuration, and Dashboards.

I started by using Setup to deploy the LogCaster agent to several system-created folders (called Business Groups within LogCaster) that are used to organize and group monitored systems. LogCaster displayed discovered domains and systems, allowing me to drag them to the desired folder, which initiates remote installation of the agent. Administrators also use Setup to create and configure user IDs for console access and to manage scripts they might want to execute on monitored systems in response to certain events.

Configuration screens are used to configure the "watchers": Event, Service, Performance, TCP/IP, Text file, Syslog, and Plugin. As an example, within Event Watcher Configuration you configure Event Watcher rules to designate how the LogCaster agent running on a monitored system will respond to specific events: forward the event to the LogCaster server or not, run a script, require that the event be acknowledged by a console operator, send notification via email or dial-up paging, display the event on a LogCaster console at an assigned priority level, and/or send an SNMP trap. Event Watcher rules are evaluated in priority order, and evaluation stops at the first rule the event matches. Rules assigned to the <All Groups> business group are evaluated first, followed by rules assigned to the system’s business group. I found it fairly easy to create new rules, alter the configuration of existing rules, and assign rules to a business group. From the Live Events display, I selected an event and chose “Create event watcher rule from event.” Doing so let me select a business group as a destination and created the rule. Over on the Event Watcher Configuration display, I selected the Business Group and found the rule. I renamed it and adjusted notification settings. With judicious configuration of rules, the ability to direct events to different LogCaster console systems lets you support a distributed critical event management system.
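The following is an added example, not RippleTech's code, that models the first-match, priority-ordered evaluation described above (<All Groups> rules first, then the system's business group, stop at the first hit) and records which rule handled each event, which is the detail the console does not report. The rule and event shapes, the "lower priority value is evaluated first" convention, and the sample rules and events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

ALL_GROUPS = "<All Groups>"  # the global business group evaluated before any other


@dataclass(frozen=True)
class Rule:
    name: str
    group: str                      # ALL_GROUPS or a business-group name
    priority: int                   # lower value evaluated first (assumed convention)
    match: Callable[[dict], bool]   # predicate over a forwarded event record
    actions: tuple = ()             # e.g. ("forward", "console", "email", "page")


def ordered_rules(rules, system_group):
    """<All Groups> rules first, then the system's own business group, each in priority order."""
    global_rules = sorted((r for r in rules if r.group == ALL_GROUPS), key=lambda r: r.priority)
    group_rules = sorted((r for r in rules if r.group == system_group), key=lambda r: r.priority)
    return global_rules + group_rules


def evaluate(event, rules, system_group):
    """First-match semantics: return (matching rule, its actions), or (None, ()) if nothing matched."""
    for rule in ordered_rules(rules, system_group):
        if rule.match(event):
            return rule, rule.actions
    return None, ()


def trace(event, rules, system_group):
    """Troubleshooting aid: every rule tried, in order, and whether it matched."""
    out = []
    for rule in ordered_rules(rules, system_group):
        hit = rule.match(event)
        out.append((rule.name, hit))
        if hit:
            break
    return out


# Constructed rules; 529 and 538 are the Windows 2003-era Security log IDs for a failed logon and a logoff.
RULES = [
    Rule("Ignore logoffs", ALL_GROUPS, 10, lambda e: e["log"] == "Security" and e["id"] == 538),
    Rule("Failed logon -> console", ALL_GROUPS, 20,
         lambda e: e["log"] == "Security" and e["id"] == 529, ("forward", "console")),
    Rule("SQL failed logon -> page DBA", "SQL Servers", 1,
         lambda e: e["log"] == "Security" and e["id"] == 529, ("forward", "email", "page")),
]
FAILED_LOGON = {"log": "Security", "id": 529, "user": "svc_sql"}  # constructed event

if __name__ == "__main__":
    rule, actions = evaluate(FAILED_LOGON, RULES, "SQL Servers")
    print(rule.name, actions)                 # the <All Groups> rule wins; the DBA is never paged
    print(trace(FAILED_LOGON, RULES, "SQL Servers"))
```

The trace shows why the higher-priority business-group rule never fires: a broader <All Groups> rule shadows it, which is exactly the kind of problem that is hard to diagnose when the console does not name the rule that processed an event.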

Syslog monitoring is supported in two ways. First, you can write all syslog information from a source to a text file. Second, you can configure LogCaster to write syslog events to a Windows event log on the LogCaster server, where rules can process them like any other Windows event. This structure strikes me as less than ideal; I would prefer direct processing of syslog data without the extra write to a Windows event log.

Dashboards display current information forwarded from the watchers. A dashboard displays events in the order received. You can choose which columns to display and sort the display at the column heading. Doing so makes it easy to locate events of interest and display the full event information.

LogCaster uses SSRS and its Web-based interface for reporting. RippleTech provides a large set of customizable reports, as Figure 5 indicates. The Executive Dashboard is a particularly interesting report. It analyzes the information collected from all monitored systems and displays its assessment of system log policies that affect the integrity of Windows event log data. The Log Management chart displays a red segment for Windows-managed systems and a green segment for LogCaster-managed systems, in which LogCaster backs up and consolidates event logs. The Log Collection report displays red to represent managed systems with agents that are not reporting to the LogCaster server. The Security Risk Assessment report displays red for systems that allow events in Windows event logs to be overwritten, potentially compromising the completeness of event collection. Other charts portray security alerts and log backup and archive status. All charts are active: You can click on a segment to display the names of the systems the segment represents, then click on a system name to see the relevant system configuration settings. LogCaster has a scheduling option, but the facility is pretty generic—it wasn’t clear how to schedule reports, and I found no examples in either the user manual or in the Help information.

For reporting on the performance data you use LogCaster to collect, RippleTech provides an Excel-based reporting tool, the Performance Reporting and Analysis Suite. You modify a copy of the provided macro-driven Excel spreadsheet to create a performance data report.

Summary
For the most part, LogCaster was easy to use, and it certainly has a good set of facilities. The set of predefined reports is impressive, and because they are built around SSRS, they are relatively easy to modify. LogCaster supports many types of watches, monitoring much more than event logs. Rules are relatively easy to configure, although it seems to me that the priority-based system might be a little hard to troubleshoot, since nothing tells you which rule processed the event. Performance counter reporting isn’t integrated with event reporting and is accomplished with an Excel spreadsheet–based system. All said, LogCaster has a nice set of features, but the ease of use suffers somewhat due to LogCaster’s way of implementing them.

RippleTech LogCaster
Pros: Monitors services, performance counters, and IP-based ports in addition to events; supports remote console installation; supports distributed critical event management with the ability to send events to different consoles based on any event attribute; well-developed SSRS-based reporting suite
Cons: The ordered application of rules and lack of named rule sets can make administration and troubleshooting more complicated; LogCaster must write syslog output to a Windows event log if you want syslog events to be processed by rules and eligible for notification actions
Rating: 4.0 stars
Price: Starts at $550 for five licenses
Recommendation: Some aspects of the implementation seem to be needlessly complicated, which is balanced by a well-developed reporting suite.
Contact: RippleTech • http://www.rippletech.com • sales@rippletech.com • 610-862-4000

TNT Software ELM Log Manager 4.0
ELM Log Manager is part of TNT Software’s ELM product line. The other products include ELM Event Log Monitor, an agentless Windows event log collection and alerting application, and ELM Enterprise Manager, which adds a variety of application and IP port–monitoring options to Log Manager’s feature set. Log Manager collects user-selected events from Windows event logs and file-based logs. Log Manager also receives syslog output directed to it from other systems and devices, and receives SNMP traps. Events are written to a SQL Server database for archiving and reporting.

Architecture
The Log Manager Server receives events from monitored systems and supports three styles of monitoring. Windows systems have the option to run a Service Agent, which provides the greatest functional level. Virtual Agents monitor Windows-based systems without installing agent software on the system, using RPC connections to the monitored system. IP Virtual Agents monitor non-Windows systems for syslog output and SNMP traps. Monitor Items define what Log Manager will look for in the stream of events generated on monitored systems. Log Manager sends Monitor Items to systems running Service Agents; the agent evaluates events against the criteria set in the Monitor Item, sends only selected events back to the Log Manager Server, and, when configured to do so, executes a program or script on the monitored system.

Log Manager Server uses three SQL Server databases. The Primary database, often on a dedicated SQL Server system, is the repository for event information. The Failover database, typically on the Log Manager Server, queues event information should the Primary database be temporarily unavailable. To keep the Primary database to a manageable size, Log Manager allows you to configure periodic movement of older events to an Archive database.

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.