Editor's Note: In the October 2007 Table of Contents, John Green's "VPN Firewalls for SMBs" was mistakenly printed with InstantDoc ID 95955. To read this October comparative review, please see InstantDoc ID 97173.
Our servers, applications, and network appliances are, at least from one perspective, black boxes that provide few external indications of what each is actually doing. Event information they produce is one of the few views we have on their activity. As anyone who has used event log information knows, it can be arcane and voluminous. Turning all that raw data into actionable information is as much an art as a skill. Common motivations for using event log information include:
-
Looking for clues to understand why something didn’t work as expected
-
Security monitoring—that is, detecting unauthorized activity
-
Monitoring the health of systems and applications so you can respond quickly to issues
-
Archiving and reporting information in support of regulatory compliance
Event Log monitoring and archiving is the common thread linking the six products I review here. All support Windows event log and syslog monitoring and archiving, and several offer additional monitoring functions.
Vista adds another wrinkle to event log management. Its new Windows Eventing 6.0 infrastructure significantly extends the capabilities of Event Tracing for Windows (ETW), the APIs and interfaces in use since Windows 2000. Microsoft reports that “enhancements are provided while preserving full compatibility with the existing Event Log and ETW APIs, which means that all existing applications will continue to work without change." In the course of my testing, I learned that in some aspects, this is not strictly true. For all of these products, specific Vista support is forthcoming and not available in current product releases.
Breakout Software MonitorIT 8.0.19
Breakout Software’s MonitorIT version 8.0.19 is more than an event log management tool. MonitorIT monitors not only Windows event logs but also syslog output; IP-based services such as SNMP, HTTP, FTP, SMTP, POP3, DNS, and Telnet; and SQL Server and Oracle database servers. In addition, this product lets you create custom monitors for any IP port. Systems running the MonitorIT agent can also monitor services, processes, files, and performance counters.
MonitorIT requires a license for each monitored system, including the number of monitored IP addresses. Breakout Software also licenses the application to Engagent, which markets the application under the name Sentry II.
Architecture
MonitorIT is a server-based application that communicates with an agent service installed on each monitored system. Although, you use the MonitorIT Configuration File Utility to set a very few server-oriented settings, administrators perform most setup and administration tasks using an Internet Explorer (IE)–based console. Agents initiate all communication with the server with encrypted data via a proprietary protocol, including a periodic heartbeat packet that the server reflects back to the agent. Although the IE-based console initiates communication by default via port 81, console ActiveX Controls encrypt and transmit data between the console and the server via the agent port.
Using the IE console, Administrators create monitoring rules, called "watches." You can configure several kinds of watches. Server Watches monitor IP service ports, such as mail and Web. SNMP watches monitor SNMP traps sent to the MonitorIT server from authorized devices, whereas SNMP Counter watches poll SNMP MIBs on remote devices. Syslog watches receive syslog output from appliances and Linux/UNIX devices, with options to log all output to a text file, and some events to the database. Windows systems running the MonitorIT agent can load Event Log Watches, Process Watches, Windows Services watches, File Watches and Windows Performance Counter watches. For each watch assigned to a monitored device, MonitorIT writes the related information to its database. Each watch type offers a variety of capabilities. For example, Process watches will alert you to high levels of CPU and memory utilization in addition to the simple presence or absence of specific processes. MonitorIT lets you configure watches and alerts for custom Windows event logs in addition to its set of predefined standard event logs—you simply provide MonitorIT with the name of the associated EVT file.
When you create a watch, you can configure associated actions, called "alerts." Most alert actions notify you of the presence or absence of specific conditions. Notification may occur via email pager, beeper, and syslog and SNMP trap. You can also execute a program or script, either initiated on the remote system by the MonitorIT agent, or executed on the MonitorIT server.
Monitor IT will make use of an ODBC database such as SQL Server, and defaults to using an Access format database. Breakout Software also supplies a MonitorIT.mdf file, which you can copy to your SQL Server system and attach when you create the MonitorIT ODBC Data Source Name (DSN).