Logging and monitoring network server events has always been important for troubleshooting, trending, and long-term systems management. Although Windows NT Event Viewer can be useful for managing one system’s logs, Windows 2000 and NT don’t include extensive functionality for managing logs across multiple systems. Dorian Software Creations’ Event Archiver 3.2.25 and Event Analyst 1.3.52 work together to simplify enterprisewide collection, storage, and analysis of your network systems’ System, Application, and Security logs.
Event Archiver and Event Analyst are complementary but independent of each other. Event Archiver runs as a service to gather and archive event-log files from multiple Win2K and NT systems. Dorian Software designed Event Analyst to use predefined and custom configurations to process and create reports on Event Archiver’s saved event-log files. However, you can also use Event Analyst with a system’s live logs. Although you need to install the products on only one Win2K or NT workstation or server, you must purchase a license for each server and workstation you want to archive and analyze.
Event Archiver consists of the Event Archiver control panel, which Figure 1 shows, and the Win2K or NT service. Installation on a Win2K Server machine on my small office/home office (SOHO) network proceeded without problems. Toward the end of the setup procedure, a pop-up box appeared that let me elect to install Microsoft Active Directory Service Interfaces (ADSI), which supports the use of Event Archiver on Win2K machines. To enable archival of remote systems' logs, I opened the Event Archiver control panel and simply entered the highest-level trusted domain name for the systems whose logs I wanted to archive. I also needed to enter the account name and password for the Event Archiver service. Because that account reads the remote machines' event logs, including the Security log, it needs the rights to do so on every system you register, so protect its credentials as you would any other privileged account.
To test the product’s capabilities, I then needed to select the event logs that I wanted to archive and configure archival options for them. The Event Archiver control panel makes this process easy. When I clicked the Add a New Log button, an options box with two tabs appeared. On the Scheduling and Archiving Path tab, I selected the remote system and its log files that I wanted to archive. I also configured archival intervals (options include daily, weekly, and when the log is full). From this tab, I also specified the remote folder and share to which Event Archiver would write the archive files.
On the second tab, Data Collection, I configured the archive file’s format. Format options include an event (EVT) file, a Comma Separated Value (CSV) file, a Microsoft Access database, and an ODBC database (both database formats appear as simple tables). I found the Access database format useful because it lets you append successive archives to one database; you can then use Event Analyst to analyze log files for an extended period of time. I had set a daily archive interval but didn’t want to wait 24 hours between tests of the various archive file formats. To initiate instant archivals, I selected the logs I wanted to archive, then clicked the Event Archiver control panel’s Archive Now button.
To simplify management, I selected Data Collection's option to move the completed archive files to the network share I had specified on the Scheduling and Archiving Path tab. Because all Event Archiver archive files, regardless of format, use the same <machine name><log type><date><time> file-naming convention, I could store all archive files in a centralized network folder without confusing them.
To enhance the product’s usefulness in enterprise environments, Event Archiver’s toolbar buttons let you access several wizards that easily unify multiple systems’ archival settings. For example, the Batch Log Registration Wizard let me select systems, then configure several of the standard archiving options that the Scheduling and Archiving Path tab and the Data Collection tab offer. The Unify Audit Policies Wizard is also useful. As Figure 2 shows, this wizard let me specify which Security log audit events I wanted to record. Finally, I used the Unify Log Setting Wizard to select which event logs to archive, the maximum log size for the When Full archival interval, and the retention period for the selected systems’ archived logs. Each wizard worked without problems to standardize all my test systems’ archival settings.
Although you can use Event Archiver to view and export log files, Event Analyst, the recently released companion product to Event Archiver, processes these logs into more meaningful formats. Dorian Software designed Event Analyst to let you define filters or search for specific events, thereby culling this information from the archived files. Event Analyst also offers predefined summary reports that inform you about common events such as errors or user activity.
Event Analyst’s installation and setup on my SOHO’s Win2K Server machine was simple. Each time you start Event Analyst, you need to choose the Event Archiver files and live logs from which you want to retrieve information. If you use Event Analyst without Event Archiver, you can only retrieve information from live logs. If you run both products, you can retrieve information from both active logs and saved files. The Event Analyst GUI, which Figure 3 shows, lets you click toolbar buttons to execute the most common functions against the selected files and live logs. (When you open the Event Analyst GUI, a helpful dialog box appears that contains frequently asked questions about the product.) I found the GUI’s Event Log Record Position feature particularly useful for quickly looking through large files. The window includes a scroll bar, and its Seek to Date function lets you search for events by time frames.
Event Analyst's main means for processing and sorting information are defined events and filters. You can use the Define Event feature to quickly find particular events in any size log file. To define an event, simply click the Define Event button in the Event Analyst GUI, add an event source name and event ID, and select which log file (i.e., System, Application, or Security) to scan. For example, I wanted to see the times at which a particular server had restarted. I entered the EventLog source and event ID 6005 (which appears in the System log when the event log service starts, so it marks each boot; the matching ID 6006 records a clean shutdown) and selected the System log. You can give the event a meaningful name and save it for reuse. I named this event Server Restarts.
To use my Server Restarts defined event, I simply clicked the Find Event button in the Event Analyst GUI, and a box appeared that listed Server Restarts and other events I had defined. I selected Server Restarts, and Event Analyst quickly highlighted the first matched entry in the open log file. I clicked Find Next Event to parse the next instance of the defined event from the file. The Define Events feature is great for retrieving information quickly—even from large log files.
Event Analyst also offers extensive and powerful filtering capabilities that pull information from log files. Creating filters is easy: I clicked the Define Filters button in the Event Analyst GUI, then set filtering options, which mirror Event Viewer’s capabilities for filtering by date, source, event ID, and type (e.g., Information, Warning, Success Audit), as Figure 4 shows.
Events in event logs include Description fields. The Description filter lets you enter keywords and search for event descriptions that contain those words. I've wanted such a troubleshooting function in the past when searching for clues to difficult problems. I used the Description filter to pull out events that pertained to a specific media access control (MAC) address.
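The defined-event search, the date/type filter, and the Description keyword filter described above are easy to reproduce once the archives are in a table. The following is an added example, not code from the article or from Dorian Software: it loads two constructed CSV archives into a SQLite table keyed on (computer, log, record number) so that successive archives can be appended without duplicating records (the appending use described for the Access format), then runs the Server Restarts search (source EventLog, ID 6005) and a MAC address keyword filter. The CSV column layout is an assumption for this example; Event Archiver's actual column order is not given in the article.

```python
"""Append constructed CSV event-log archives to SQLite, then search and filter them.
Added example; the archive layout and all sample records are constructed, not real."""
import csv
import io
import sqlite3

# Assumed CSV layout for this example (not Event Archiver's documented format).
# Two overlapping archives: record 104 appears in both, as it would if an archive
# were produced before the log was cleared and again after it filled.
ARCHIVE_A = """\
RecordNumber,TimeGenerated,Computer,Log,Source,EventID,Type,User,Description
101,2001-03-12 08:14:02,SRV01,System,EventLog,6005,Information,N/A,The Event log service was started.
102,2001-03-12 08:14:05,SRV01,System,Service Control Manager,7036,Information,N/A,The DHCP Client service entered the running state.
103,2001-03-12 09:40:17,SRV01,System,DHCP,1003,Warning,N/A,Unable to renew the address for the Network Card with network address 00A0C9B2F114.
104,2001-03-12 11:02:44,SRV01,Security,Security,529,Failure Audit,N/A,Logon Failure: Reason: Unknown user name or bad password
"""
ARCHIVE_B = """\
RecordNumber,TimeGenerated,Computer,Log,Source,EventID,Type,User,Description
104,2001-03-12 11:02:44,SRV01,Security,Security,529,Failure Audit,N/A,Logon Failure: Reason: Unknown user name or bad password
105,2001-03-13 06:58:31,SRV01,System,EventLog,6005,Information,N/A,The Event log service was started.
106,2001-03-13 07:01:10,SRV01,System,DHCP,1005,Error,N/A,DHCP failed to renew a lease for the card with network address 00A0C9B2F114.
"""


def open_db():
    """Create the events table. The primary key is what makes re-appending an
    archive safe: each NT log keeps its own record-number sequence per machine."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE events (
        computer TEXT, log TEXT, record INTEGER, time TEXT, source TEXT,
        event_id INTEGER, type TEXT, user TEXT, description TEXT,
        PRIMARY KEY (computer, log, record))""")
    return db


def append_archive(db, csv_text):
    """Append one CSV archive; return how many new records were actually added."""
    before = db.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    rows = [(r["Computer"], r["Log"], int(r["RecordNumber"]), r["TimeGenerated"],
             r["Source"], int(r["EventID"]), r["Type"], r["User"], r["Description"])
            for r in csv.DictReader(io.StringIO(csv_text))]
    with db:
        # OR IGNORE drops records whose (computer, log, record) key is already stored.
        db.executemany("INSERT OR IGNORE INTO events VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return db.execute("SELECT COUNT(*) FROM events").fetchone()[0] - before


def find_defined_event(db, log, source, event_id):
    """A saved 'defined event' (log, source, ID): return (computer, time) of every match, oldest first."""
    return db.execute(
        "SELECT computer, time FROM events WHERE log=? AND source=? AND event_id=? ORDER BY time",
        (log, source, event_id)).fetchall()


def filter_events(db, log=None, types=(), event_id=None, since=None, until=None, keyword=None):
    """Event Viewer-style filter plus a Description keyword. `since` is inclusive and
    `until` exclusive; both are 'YYYY-MM-DD[ HH:MM:SS]' strings, which sort correctly
    as text in this layout. Returns matching record numbers in time order."""
    clauses, params = [], []
    if log:
        clauses.append("log=?"); params.append(log)
    if types:
        clauses.append("type IN (%s)" % ",".join("?" * len(types))); params.extend(types)
    if event_id is not None:
        clauses.append("event_id=?"); params.append(event_id)
    if since:
        clauses.append("time>=?"); params.append(since)
    if until:
        clauses.append("time<?"); params.append(until)
    if keyword:
        # Case-insensitive substring match; instr() avoids LIKE wildcard surprises.
        clauses.append("instr(lower(description), lower(?))>0"); params.append(keyword)
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    return [r[0] for r in db.execute("SELECT record FROM events" + where + " ORDER BY time, record", params)]


def load_sample():
    """Load both constructed archives; the duplicate record 104 is added only once."""
    db = open_db()
    append_archive(db, ARCHIVE_A)
    append_archive(db, ARCHIVE_B)
    return db


if __name__ == "__main__":
    db = load_sample()
    print("Server Restarts:", find_defined_event(db, "System", "EventLog", 6005))
    print("MAC 00A0C9B2F114:", filter_events(db, keyword="00a0c9b2f114"))
    print("Failed logons:", filter_events(db, log="Security", types=("Failure Audit",)))
```

The dedup key matters in practice: a daily archive taken the day before a log fills and a When Full archive taken the next day overlap, and without the key the Access-style append would double count those records in any long-term trend report.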
After you apply a filter or search for defined events, you can then export the retrieved information in database, text, or HTML report formats. Filtering can be especially useful for creating long-term system analysis reports. I also found Event Analyst’s predefined reports useful, with the only downside being that Event Analyst processes these reports only to a printer and can’t export them to a file. According to the vendor, a later release will include export functions for predefined reports.
Dorian Software Delivers
I reviewed an early version of Event Archiver more than two years ago (see "Event Archiver Professional 2.0," http://www.win2000mag.com, InstantDoc ID 4766) and found it well designed for gathering and storing Event Viewer files but lacking in enterprise functionality. Dorian Software had promised to create an enterprise version with functionality for configuring and managing the event logs in a network with a large number of systems; Event Archiver 3.2.25 delivers on that promise in a big way. The product offers capabilities―such as centralized log-file storage, configurable archival parameters for remote systems, and the ability to append event logs to a database so that you can track systems’ long-term event histories―that are much-needed by administrators. Event Archiver is a great product for managing multiple Win2K and NT systems’ event logs.
Although Event Archiver's companion product is new, Event Analyst has a lot going for it. The product's clean GUI is easy to navigate, and the useful searching and filtering functions are easy to configure. Those who want to minimize paper consumption (myself included) will find the fact that Event Analyst can only print and not export preconfigured summary reports a minor shortcoming. However, this limitation didn't greatly detract from the overall good impression that Event Analyst made on me. Event Analyst isn't a required add-on to Event Archiver, but it certainly simplifies and enhances event-log processing and reporting.
Although you can use the products to archive and analyze event logs from every Win2K and NT system on your network, you probably can't afford that many licenses; the products are pretty pricey compared with some competing products. I recommend implementing both products, but only on your network's most crucial servers and workstations. The products' unique features, such as Event Archiver's ability to export to a database, help justify the cost.
|Event Archiver 3.2.25 and Event Analyst 1.3.52|
Contact: Dorian Software Creations * 678-838-8281 or 866-682-3646
Price: Event Archiver: server licenses start at $89.99, workstation licenses start at $59.99; Event Analyst: server licenses start at $79.99, workstation licenses start at $69.99; volume discounts available
Pros: Effective partnership for event-log management; easy to configure and operate
Cons: Event Analyst only prints predefined summary reports and can’t export them to files