September 17, 2001 12:00 AM

Event Archiver 3.3.25 and Event Analyst 1.3.52

Windows IT Pro
InstantDoc ID #22240

Event Analyst’s main means for processing and sorting information are defined events and filters. You can use the Define Event feature to quickly find particular events in any size log file. To define an event, simply click the Define Event button in the Event Analyst GUI, add an event source name and event ID, and select which log file (i.e., System, Application, or Security) to scan. For example, I wanted to see the time that a particular server had restarted. I entered the EventLog source and event ID 6005 (which appears in the System log when the event log service starts) and selected the System log. You can give the event a meaningful name and save it for reuse. I named this event Server Restarts.

To use my Server Restarts defined event, I simply clicked the Find Event button in the Event Analyst GUI, and a box appeared that listed Server Restarts and other events I had defined. I selected Server Restarts, and Event Analyst quickly highlighted the first matched entry in the open log file. I clicked Find Next Event to parse the next instance of the defined event from the file. The Define Event feature is great for retrieving information quickly—even from large log files.

Event Analyst also offers extensive and powerful filtering capabilities that pull information from log files. Creating filters is easy: I clicked the Define Filters button in the Event Analyst GUI, then set filtering options, which mirror Event Viewer’s capabilities for filtering by date, source, event ID, and type (e.g., Information, Warning, Success Audit), as Figure 4 shows.

Events in event logs include Description fields. The Description filter lets you enter keywords and search for event descriptions that contain those words. I’ve desired such a troubleshooting function in the past when searching for clues to difficult problems. I used the Description field to filter out events that pertained to a specific media access control (MAC) address.

After you apply a filter or search for defined events, you can then export the retrieved information in database, text, or HTML report formats. Filtering can be especially useful for creating long-term system analysis reports. I also found Event Analyst’s predefined reports useful, with the only downside being that Event Analyst processes these reports only to a printer and can’t export them to a file. According to the vendor, a later release will include export functions for predefined reports.
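The three steps described above (a saved source-and-event-ID lookup, a Description keyword filter, and an export) can also be reproduced with the built-in `Get-WinEvent` cmdlet on current Windows versions. This is an added example, not part of the original review and not Dorian Software's code; the function name `Search-EventLog`, the MAC address, and the output file names are constructed for illustration.

```powershell
# Added example; Search-EventLog, the MAC address and the file names are constructed.
function Search-EventLog {
    param(
        [Parameter(Mandatory)] [string] $LogName,   # System, Application or Security
        [string]   $ProviderName,                   # the event source
        [int]      $Id,                             # the event ID
        [datetime] $After,                          # date filter
        [string]   $DescriptionKeyword,             # Description filter
        [string]   $ComputerName = $env:COMPUTERNAME
    )
    # Build the filter from only the criteria the caller supplied.
    $filter = @{ LogName = $LogName }
    if ($PSBoundParameters.ContainsKey('ProviderName')) { $filter.ProviderName = $ProviderName }
    if ($PSBoundParameters.ContainsKey('Id'))           { $filter.Id = $Id }
    if ($PSBoundParameters.ContainsKey('After'))        { $filter.StartTime = $After }

    # Get-WinEvent writes an error when nothing matches; SilentlyContinue turns
    # that into an empty result (it also hides access-denied errors, so run
    # elevated when reading the Security log).
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue

    if ($DescriptionKeyword) {
        # Literal, case-insensitive match against the rendered Description text.
        $pattern = [regex]::Escape($DescriptionKeyword)
        $events  = $events | Where-Object { $_.Message -match $pattern }
    }
    $events | Select-Object TimeCreated, MachineName, ProviderName, Id,
                            LevelDisplayName, Message
}

# A "defined event" is just a saved set of criteria; splat it to reuse it.
$ServerRestarts = @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005 }

# When did this server restart in the last 30 days? Export the matches to CSV.
Search-EventLog @ServerRestarts -After (Get-Date).AddDays(-30) |
    Export-Csv -Path .\server-restarts.csv -NoTypeInformation

# Description filter: System-log events that mention one MAC address.
Search-EventLog -LogName System -DescriptionKeyword '00-11-22-33-44-55' |
    Export-Csv -Path .\mac-events.csv -NoTypeInformation
```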

Dorian Software Delivers
I reviewed an early version of Event Archiver more than two years ago (see "Event Archiver Professional 2.0," http://www.win2000mag.com, InstantDoc ID 4766) and found it well designed for gathering and storing Event Viewer files but lacking in enterprise functionality. Dorian Software had promised to create an enterprise version with functionality for configuring and managing the event logs in a network with a large number of systems; Event Archiver 3.2.25 delivers on that promise in a big way. The product offers capabilities that administrators very much need, such as centralized log-file storage, configurable archival parameters for remote systems, and the ability to append event logs to a database so that you can track systems’ long-term event histories. Event Archiver is a great product for managing multiple Win2K and NT systems’ event logs.

Although Event Archiver’s companion product is new, Event Analyst has a lot going for it. The product’s clean GUI is easy to navigate, and the useful searching and filtering functions are easy to configure. Those who want to minimize paper consumption (myself included) will find the fact that Event Analyst can only print and not export preconfigured summary reports a minor shortcoming. However, this limitation didn’t greatly detract from the overall good impression that Event Analyst made on me. Event Analyst isn’t a required add-on to Event Archiver, but Event Analyst certainly simplifies and enhances event-log processing and reporting.

Although you can use the products to archive and analyze event logs from each Win2K and NT system on your network, you probably can’t afford that many licenses; the products are pretty pricey when compared with some competing products. I recommend implementing both products, but I also recommend using them on only your network’s most crucial servers and workstations. The products’ unique features, such as Event Archiver’s ability to export to a database, help justify the cost.

Event Archiver 3.2.25 and Event Analyst 1.3.52
Contact: Dorian Software Creations * 678-838-8281 or 866-682-3646
Web: http://www.doriansoft.com
Price: Event Archiver: server licenses start at $89.99, workstation licenses start at $59.99; Event Analyst: server licenses start at $79.99, workstation licenses start at $69.99; volume discounts available
Decision Summary:
Pros: Effective partnership for event-log management; easy to configure and operate
Cons: Event Analyst only prints predefined summary reports and can’t export them to files
