Event Response

Three event-log monitoring tools that keep your reaction time to a minimum

Windows event logs are a crucial source of information for Windows IT pros. They can warn you of impending problems and alert you to security incidents—but only if you keep on top of them so that you can react to problems quickly. Unfortunately, that's easier said than done. Each Windows system has at least three event logs: System, Application, and Security. Domain controllers (DCs) have even more: Directory Service, File Replication Service, and sometimes DNS. Additionally, various Windows components (e.g., IIS, RRAS, DHCP, Internet Authentication Service—IAS) create other text-based logs. With all your administrative and support tasks, you can't hope to respond effectively to the activity those logs record without a tool that monitors them and provides immediate alerts. And alerting is only part of the event-log management problem. For the sake of security, capacity-planning trend analysis, and other reasons, many administrators need reporting and event-correlation functionality. Others need to archive their security logs to meet information-security policy requirements or to adhere to recent healthcare legislation for publicly traded companies. Before I share my findings about the three products in this comparative review, I want to take a good look at the functionality you should look for in such a tool.

Agent-Based vs. Agentless
The Windows API that all event-log managers use lets you access event logs on other computers on the network the same as you would logs on the local computer. Therefore, installing an agent component on each system that needs to be monitored isn't strictly necessary. A single process can monitor multiple systems' event logs over the network. Agentless solutions reduce rollout work and don't require that you install software on the servers whose logs you need to manage, which might be especially important if other administrators own the servers and are resistant to installing software with which they're unfamiliar.

However, agent-based systems offer distinct advantages. When monitoring local event logs, the log manager doesn't need to periodically poll the log for new events—it can wait for the OS to wake it up whenever a new event gets logged. Therefore, agents can be more CPU-efficient, depending on how frequently you want to remotely poll a server. Also, local event-log monitoring enables immediate notification, sending you alerts more quickly than is possible with a remote solution. Network traffic is also heavier when you monitor logs from across the network. Although traffic isn't typically a problem when you're monitoring computers on the same LAN, it can create a problem when you need to monitor servers on the other side of a WAN connection.

A common capability among event-log management tools is the ability to specify filter criteria based on the standard fields of event-log records, including event type (i.e., informational, warning, error, and audit success or failure), user, event source, category, and so on. You can also filter events according to the contents of the event's description, which can be crucial if you want to generate alerts triggered by specific error codes or other strings in an event's description. To simplify administration, most products (including the three in this review) let you group filters and treat them as a unit. You also typically have more than one way to configure the product to notify you of important events. Email is the most common alert method, but some organizations might prefer to have the product directly page the operator. For such organizations, the event-log manager needs a modem for delivering alerts to numeric or alphanumeric pagers. Most pager services provide speedy delivery of email-based messages, but one of the benefits of modem-based paging is that it's out-of-band from an email/IP network-based solution. Therefore, if a page is signaling that your network is down, the out-of-band solution would be resilient and the message would get through.

A more valuable alert method is the ability to specify a command to execute upon the detection of certain events. This option gives you the flexibility to write a script that does whatever you want—for example, restarting a service or taking some other type of automatic corrective action. Although running a static command when certain events are detected is useful, it's more powerful if you can feed details about the event (e.g., event ID, username) to the command so that it can react dynamically. This capability also lets you insert incidents into your Help desk management system.

Speaking of integration, SNMP integration is often valuable for larger organizations because they might already have a systems management infrastructure in place that lacks the ability to monitor Windows event logs. Such companies have been successful implementing a product that monitors Windows event logs and feeds alerts up to the main management infrastructure through widely supported SNMP traps. Similarly, organizations that are UNIX- or Linux-centric appreciate the ability to feed alerts to the already-in-place Syslog server.

Just about every event-log management solution I've seen implements some kind of pop-up alert method, ranging from features that use Windows' built-in Messenger service (aka Net Send or NetBIOS messages) to special client programs that monitor for alerts and pop up appropriate messages. Pop-ups assume that you're in front of your computer—but, of course, we all know that whenever something bad happens, you aren't there.

Another alert method that's closely related to pop-ups is the alert console, which gives you a central view of recent alerts. Sometimes you have errors flooding in from different servers simultaneously, and you don't want to deal with them from a pager. It's better to have a nice, tidy console from which to tackle each event and, as appropriate, acknowledge them and get them "off the scope." A cool feature that I like to see in alert consoles is the ability to enter free-form notes about the resolution of the event.

Three other alert-management features that are important to consider are what I call false-positive suppression, flood prevention, and threshold alerts. You can configure alert criteria for a log manager in two ways. You can configure it to look for specific event IDs, in which case you won't get a lot of needless alerts about unimportant errors and warnings. Or you can use a broader criterion: "Alert me to any warning or error except for those that I specifically say to ignore." I recommend the latter method because you can't foresee every possible situation that deserves attention. However, after you implement broad alert criteria, you'll likely receive false-positive alerts about nonessential errors and warnings. When these alerts occur, you need a way to prevent them from bothering you in the future. Ideally, you could open the log manager's console, select the alert, and suppress the associated event. However, none of the products in this review offer such a turnkey suppress feature—although with some effort and imagination, you can configure them to suppress unimportant events.

By flood prevention, I refer to a situation that sometimes occurs during log monitoring. You've probably witnessed system problems that generate a lot of duplicate events in a short time period. This scenario occurs when a program repeatedly attempts a task but fails consistently and reports the problem to the event log. Flood prevention is a feature that says, "Don't notify me about the same event more than once every 5 minutes"—or whatever time period you specify.

Threshold alerts let you configure the log monitor so that it alerts you only when a specific event gets reported a certain number of times within a certain time frame. This capability is useful for an event that occurs regularly but doesn't indicate a problem unless the system starts logging it very frequently.
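The three alert-management features described above, as an added example that is not code from the article or from any of the reviewed products: a small Python alert engine that applies the broad "any warning or error" rule with a suppression list, a 5-minute flood-prevention window, and a threshold rule, run over constructed event records (the event IDs and descriptions are illustrative samples, not captured from a real system).

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, type, source, event ID, description).
T0 = datetime(2004, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "Error", "Service Control Manager", 7031, "Print Spooler terminated unexpectedly"),
    (T0 + timedelta(seconds=30), "Error", "Service Control Manager", 7031, "Print Spooler terminated unexpectedly"),
    (T0 + timedelta(minutes=1), "Warning", "W32Time", 36, "Time service has not synchronized"),
    (T0 + timedelta(minutes=2), "Information", "Service Control Manager", 7036, "Print Spooler entered running state"),
] + [
    (T0 + timedelta(minutes=3, seconds=10 * i), "Failure Audit", "Security", 529, "Logon failure: bad user name or password")
    for i in range(5)
] + [
    (T0 + timedelta(minutes=6), "Error", "Service Control Manager", 7031, "Print Spooler terminated unexpectedly"),
]


class AlertEngine:
    """Broad rule: alert on every Error/Warning except suppressed (source, ID) pairs."""

    def __init__(self, suppress=(), flood_window=timedelta(minutes=5), thresholds=None):
        self.suppress = set(suppress)        # false-positive suppression list
        self.flood_window = flood_window     # "same event at most once per window"
        self.thresholds = thresholds or {}   # (source, id) -> (count, window)
        self._last_alert = {}                # (source, id) -> time of last alert sent
        self._history = {}                   # (source, id) -> deque of recent timestamps

    def process(self, event):
        ts, etype, source, eid, desc = event
        key = (source, eid)
        # Threshold rule: a routine event is interesting only when it becomes frequent.
        if key in self.thresholds:
            count, window = self.thresholds[key]
            recent = self._history.setdefault(key, deque())
            recent.append(ts)
            while ts - recent[0] > window:   # drop timestamps that fell out of the window
                recent.popleft()
            if len(recent) >= count:
                recent.clear()               # reset so the next burst alerts again
                return f"THRESHOLD {source} {eid}: {count} occurrences within {window}"
            return None
        if etype not in ("Error", "Warning") or key in self.suppress:
            return None
        # Flood prevention: an identical event inside the window is not re-sent.
        last = self._last_alert.get(key)
        if last is not None and ts - last < self.flood_window:
            return None
        self._last_alert[key] = ts
        return f"ALERT {etype} {source} {eid}: {desc}"


def run(events, engine):
    """Feed events in log order and return the alerts that would be sent."""
    return [alert for alert in map(engine.process, events) if alert]


def demo():
    engine = AlertEngine(
        suppress={("W32Time", 36)},                                   # known noisy warning
        thresholds={("Security", 529): (5, timedelta(minutes=2))},   # 5 failures in 2 minutes
    )
    return run(SAMPLE_EVENTS, engine)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Of the ten sample records, only three produce a notification: the first spooler error, the fifth logon failure (threshold reached), and the spooler error six minutes later, once the flood window has expired.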

Event logs are useful both for catching problems in real time and for long-term analysis and investigation. Windows doesn't provide any built-in capability for collecting event logs in a secure location and archiving them for long-term storage. An event-log management tool makes it easy to collect scattered event logs from around your network and store them in a secure location. An added benefit that some tools offer is the ability to provide, through the use of digital signatures, assurance that the event-log data wasn't tampered with since its collection.

Windows does a good job of collecting data in its event logs, but data is only data. Event-log records are famous for being cryptic and undocumented. Windows has no native functionality for massaging that data into useful information such as a failed logon report, a system uptime report, or reports for new user accounts or group member changes. A good event-log management system provides prebuilt reports for commonly needed queries and offers the user the ability to design reports with custom filtering and formatting.

The Contenders
There are about two dozen offerings on the market that provide some event-log management functionality, so I used four criteria in selecting products for this comparative review: First, the product must be designed with event-log monitoring as a core feature. All Windows event logs—including Application, System, and Security, as well as Directory Service, DNS, and File Replication Service—must be supported. Second, the product must support monitoring of multiple computers. Third, the product must support real-time email alerting. And fourth, the product must be priced between $60 and $250 per server (with a five-server network in mind).

The three event-log management products in this review—Dorian Software Creations' Event Log Management Suite; Prism Microsystems' EventTracker, Protector Edition; and Omnitrend Software's ServScan—all meet these minimum criteria. (Two other products—Infopulse's Sentry Pro and Engagent's Sentry II—met my criteria but were unavailable for review.) Dorian's offering takes an imaginatively modular approach to event-log management by offering three separate products for alerting, reporting, and archiving, so you can implement and pay for only the functionality you require. EventTracker implements alerting, reporting, and archival services for Windows event logs, as well as some additional monitoring features outside the event log. ServScan provides event-log monitoring and alert services but offers no reporting or log-archival features. Table 1 compares these products' features.

Event Log Management Suite
Dorian's Event Alarm, Event Archiver, and Event Analyst can function individually or integrated with one another. Each of the products provides a solid, clean, no-frills approach to the separate functions of event management. Event Alarm provides monitoring, Event Archiver provides archiving, and Event Analyst gives you reporting.

Dorian's products can manage remote event logs from one software installation. The suite has an agent-optional architecture that—combined with the company's exclusive focus on Windows event logs—gives you many of the advantages of both agentless and agent-based solutions. With Dorian, you can install as many copies of Event Alarm as you want, so you can keep monitoring traffic on the local LAN instead of dragging it over the WAN each time Event Alarm needs to poll a server for new events. But to keep a unified view of alerts, you can configure all copies of Event Archiver to insert alerts into the same database table. Likewise, you can deploy Event Archiver on as many servers and LANs as necessary, but you can funnel all the archived logs to one or more central log-archive servers. Then, you can use Event Analyst to perform centralized reporting on the data collected by Event Archiver, as Figure 1 shows.

The only agent-based advantage missing from the Dorian products is the elimination of polling. Event Alarm must periodically query the event log for new events, whereas an agent running locally on a server can efficiently suspend execution until Windows informs it that a new event has been logged.

As far as alert functionality goes, Dorian's suite supports email, pager, and pop-up messages, using NetBIOS messages for pop-ups. Dorian's solution doesn't include an alert console, but the company has built a cool option into Event Alarm that inserts alerts into a Microsoft Access or SQL Server database. You can create your own console with acknowledgement and resolution-notes features in about 5 minutes by using Access and creating a form and a report. Event Alarm doesn't permit alerting via command execution.

For archive functionality, Event Archiver deploys on one server, collects EVT files from each server that you specify, and places the files on a central file server. Dorian offers a utility (available by request) that streamlines the installation of Event Archiver in agent-style deployments. Another tool lets you import events into a central database by first having the Event Archiver agent compress EVT files on the local system and then send them via FTP or file sharing to a central server, on which the Event Archiver Importer utility loads the imported files into the central database. Support for FTP and compression lets you push event files through network boundaries (e.g., firewalls) and across bandwidth-limited connections (e.g., WAN links to other offices). From the central Access, Oracle, or SQL Server database table, you can use Event Analyst or your own reporting tool to perform centralized reporting.

Event Analyst provides many prebuilt reports for common needs such as logon failures and error and warning summaries. The tool lets you create detailed reports or summaries and doesn't require you to write SQL. It also provides links to extra details about specific event IDs through its Web-based event-log knowledge base.

Event Analyst is exclusively an event-log reporting tool, and I was impressed by the way Dorian followed through with its modular approach. At first, I wrongly assumed that Event Analyst wouldn't work as a centralized reporting tool unless I also deployed Event Archiver to create a centralized database from which Event Analyst could query. Although Event Analyst is certainly faster when it's running against an Access or SQL Server database, it doesn't require one. You can run the very same reports against a group of EVT files or a group of computers' live event logs. This capability affords you much flexibility, letting you easily report on any number of archived logs, report on computers not covered by Event Archiver, or perform ad hoc event-log reporting. Finally, Dorian lets you schedule reports for regular execution, followed by automatic email delivery to specified recipients.

Event Log Management Suite
Contact: Dorian Software Creations * 678-222-3443 or 866-682-3646
Web: http://www.doriansoftware.com
Price: $999 for a five-server license
Pros: Innovative architecture isolates archiving, reporting, and alerting into optional modules; you can buy only the functionality you need, then integrate other functions as necessary in the future; agent deployment is optional
Cons: Lacks EventTracker's peripheral features (e.g., SNMP support)
Rating: 4.5 out of 5
Recommendation: A best-of-breed, focused event-log manager.

EventTracker, Protector Edition
EventTracker uses a fully agent-based architecture, perhaps because it provides other monitoring functionality.

EventTracker supports a wide range of alerting options, including email, command execution, SNMP generation, and pop-ups. EventTracker requires you to have its RemoteViewer component open to receive pop-up alerts. Of the three products, only EventTracker includes an alert console that offers acknowledgement and resolution-notes capability. EventTracker is also the only product that provides threshold alerts.

EventTracker's agent pushes the server's event logs in EVT format to a central file server. Alternatively, it will archive them on each server and provide MD5 hashes of the event logs so that you can prove they haven't been modified after they're archived. Using a proprietary application protocol, EventTracker's agent also sends events to the central console, from which you can run reports. You can configure the console to use UDP or TCP, depending on whether you want less burden on your network (UDP) or guaranteed delivery of events (TCP). The ports are documented, so you can pass data through firewalls if necessary.
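Tamper evidence for archived logs, as described for the Dorian suite's digital signatures earlier and for EventTracker's MD5 hashes here, in an added example that is not code from the article or from either product: a keyed manifest over the collected log files. The archive server keeps a secret key and signs the list of file digests with an HMAC, so an unkeyed hash cannot simply be recomputed alongside an edited file. SHA-256 is used instead of MD5; the key and the log contents are constructed stand-ins.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for collected EVT files (name -> bytes) and for the
# archive server's secret key; a real deployment would keep the key off the
# monitored servers so an intruder there cannot re-sign a doctored archive.
ARCHIVE_KEY = b"constructed-demo-key-not-for-production"
ARCHIVED_LOGS = {
    "srv01-Security.evt": b"529 Logon failure: bad user name or password\n",
    "srv01-System.evt": b"7031 Print Spooler terminated unexpectedly\n",
    "srv02-Security.evt": b"528 Successful logon\n",
}


def build_manifest(logs, key):
    """Digest every archived file, then MAC the digest list with the archive key."""
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(logs.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_archive(logs, manifest, key):
    """Return a list of problems; an empty list means the archive verifies."""
    problems = []
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(manifest["mac"], expected):
        problems.append("manifest MAC mismatch")      # the digest list itself was edited
    for name, digest in manifest["entries"].items():
        if name not in logs:
            problems.append(f"{name}: missing")        # a file was deleted
        elif hashlib.sha256(logs[name]).hexdigest() != digest:
            problems.append(f"{name}: modified")       # file content changed after collection
    for name in logs:
        if name not in manifest["entries"]:
            problems.append(f"{name}: not in manifest")  # a file was added later
    return problems


def demo():
    manifest = build_manifest(ARCHIVED_LOGS, ARCHIVE_KEY)
    clean = verify_archive(ARCHIVED_LOGS, manifest, ARCHIVE_KEY)

    # Scenario 1: someone removes the failed-logon line from an archived file.
    edited = dict(ARCHIVED_LOGS, **{"srv01-Security.evt": b""})
    edited_result = verify_archive(edited, manifest, ARCHIVE_KEY)

    # Scenario 2: the same edit, plus a recomputed digest written into the
    # manifest. Without the key the MAC no longer matches, which a plain
    # per-file hash stored beside the file would not reveal.
    forged = {"entries": dict(manifest["entries"]), "mac": manifest["mac"]}
    forged["entries"]["srv01-Security.evt"] = hashlib.sha256(b"").hexdigest()
    forged_result = verify_archive(edited, forged, ARCHIVE_KEY)
    return clean, edited_result, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "edited", "forged"), demo()):
        print(label, result or "verified")
```
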

EventTracker provides some prebuilt reports for common events. The product lets you create detailed reports or summaries and doesn't require you to write SQL. Also, EventTracker provides links to extra details about specific event IDs through its Web-based event-log knowledge base.

In addition to its event-log monitoring functionality—which you can see in Figure 2—EventTracker has many other built-in monitoring features, providing reports on disk and CPU utilization, disk space, software installation, services, Web site availability, and system uptime and downtime. Also, EventTracker provides two-way SNMP support for both monitoring for SNMP messages and generating SNMP messages as an optional alert method. Finally, EventTracker lets you schedule reports for regular execution, followed by automatic email delivery to specified recipients.

EventTracker, Protector Edition
Contact: Prism Microsystems * 410-953-6776
Web: http://www.eventlogmanager.com
Price: $999 for a five-server license
Pros: EventTracker packs a lot of additional functionality beyond the three core event-log management functions of alerting, archiving, and reporting
Cons: Along with the extra functionality comes a mandatory agent for each server you monitor
Rating: 4 out of 5
Recommendation: Good value for the money, especially if you need to monitor other Windows components besides the Security log and don't mind installing agents on each server.

ServScan
ServScan provides barebones event-log monitoring and alert services but no reporting or log archival features. It's a completely agentless product that can manage remote event logs from one software installation. You can create groups of servers and alert rules so that you don't have to repeatedly redefine your alert logic.

ServScan supports NetBIOS pop-up messages, and, interestingly, it is the only one of the three products in this comparative review to offer any type of flood prevention. ServScan's only other distinguishing feature is its comprehensive support for sending pages directly via modem. ServScan lets you send alphanumeric pages or numeric-only pages, as Figure 3 shows. Unfortunately, I experienced frequent crashes with the ServScan GUI. However, I had no problems with the service that performs the actual monitoring.

ServScan
Contact: Omnitrend Software * 860-673-8910
Web: http://www.omnitrend.com
Price: $299 for a five-server license
Pros: If your email infrastructure is down and you need out-of-band paging, ServScan is an option with its healthy pager support
Cons: Among alerting, archiving, and reporting features, ServScan provides only alerting
Rating: 2 out of 5
Recommendation: At $60 a server, ServScan might have you opting for the more substantial functionality of a product such as Event Alarm.

At about $60 a server, ServScan is difficult to recommend even strictly as a monitoring and alert solution. You can spend just a little bit more and get much more functionality, such as Syslog monitoring and the ability to send alerts to a database, with Event Alarm. So the choice essentially comes down to EventTracker and Dorian's suite. But making a recommendation between those two products is difficult because both companies have put a lot of impressive work into their respective products and EventTracker's cost is similar to that of Dorian's suite. Both tools are easy to install and manage. Each product offers unique features that I appreciate. Dorian's modular architecture makes agents optional and lets you report on multiple event logs without requiring a central database. EventTracker packs a lot of functionality above and beyond event-log management—including monitoring text-based log files, performance counters, network ports, and system services—but those features are beyond the scope of this comparative review.

If you need to integrate your event-log management solution with other monitoring solutions (or UNIX- or Linux-based systems), or you need to monitor routers and other devices, EventTracker's support of SNMP and Syslog will be important to you. But if you're looking for any combination of best-of-breed event-log alerting, reporting, and archiving, Dorian's suite takes the cake. I didn't look at products that focus mainly on the Security log. If you're looking for event-management tools in that arena, check out the tools that Table 2 lists.
