Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
May 03, 2007

Enterprise Event Logging for SMBs

These 6 tools solve your tough log collection and management needs

In recent articles, I described various tools you can use to ease the pain of event log collection and management (see the Windows IT Pro Web-exclusive article "Collecting and Analyzing Event and System Logs," March 28, 2006, InstantDoc ID 49492, and the Windows IT Security article "Security Log Collection," November 2006, InstantDoc ID 93330). Small-to-midsized businesses (SMBs) have many free or inexpensive tools to choose from. However, SMBs with sophisticated needs might want to consider a log collection and management suite from one of the many vendors that provide tools designed for enterprises. Here are some enterprise-class tools you might want to explore.

GFI EventsManager 7.0
GFI EventsManager 7.0 (http://www.gfi.com/eventsmanager) boasts some impressive features and is a great improvement over its predecessor, GFI LANguard Security Event Log Monitor 5.0. EventsManager supports Windows event logs, syslog, and World Wide Web Consortium (W3C) log files such as Microsoft IIS logs, but not Internet Authentication Service (IAS) logs.

EventsManager provides rule-based event log management: you can quickly deploy rules that discard noise and surface the events that are pertinent to your environment. The latest version has an optimized, multithreaded event-processing engine designed to improve event scanning performance and to support plug-ins. GFI claims the product can process an impressive 6 million events per hour.

You can establish scanning profiles, which are used to configure rules for categories of assets. For example, you can configure different sets of rules for servers and workstations and apply the rules quickly. A generic profile can be applied to all assets and then supplemented with targeted profiles.
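The profile-and-rule idea described above, as an added example written for this page rather than GFI's own code: a generic profile applies to every asset, a targeted server or workstation profile is layered on top and wins where it overlaps, and the result is run over a constructed batch of Security and System log entries. The event IDs are the real Windows 2000/2003 ones, but the profile layout, rule syntax, and asset inventory are assumptions for illustration.

```python
"""Profile-based rule filtering over Windows-style events (added example,
not GFI code). Event IDs follow the Windows 2000/2003 Security log
(529 = bad password, 539 = account locked out at logon, 517 = audit log
cleared, 644 = account locked out) and System log (7034 = service crashed);
the profile layout and rule syntax are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    computer: str
    log: str        # "Security", "System", "Application"
    source: str
    event_id: int
    message: str


@dataclass
class Rule:
    action: str                         # "drop" (known noise) or "alert"
    log: Optional[str] = None           # None matches any value
    source: Optional[str] = None
    event_ids: Optional[Set[int]] = None

    def matches(self, ev: Event) -> bool:
        return ((self.log is None or self.log == ev.log)
                and (self.source is None or self.source == ev.source)
                and (self.event_ids is None or ev.event_id in self.event_ids))


# Generic profile: applied to every asset after its targeted profile.
GENERIC_PROFILE: List[Rule] = [
    Rule("drop", log="System", source="Print"),
    Rule("alert", log="Security", event_ids={517, 644}),
]

# Targeted profiles: evaluated first, so they can override the generic rules.
TARGETED_PROFILES: Dict[str, List[Rule]] = {
    "server": [
        Rule("alert", log="Security", event_ids={529, 539}),
        Rule("alert", log="System", source="Service Control Manager", event_ids={7034}),
    ],
    "workstation": [
        Rule("drop", log="Security", event_ids={529}),   # a lone bad password on a desktop is noise
        Rule("alert", log="Security", event_ids={539}),
    ],
}

# Constructed asset inventory mapping computers to profiles.
ASSET_CLASS: Dict[str, str] = {"DC01": "server", "FS01": "server", "WS-042": "workstation"}


def classify(ev: Event) -> str:
    """First matching rule wins: targeted profile, then generic.
    Events no rule mentions are kept for the archive but raise no alert."""
    targeted = TARGETED_PROFILES.get(ASSET_CLASS.get(ev.computer, ""), [])
    for rule in targeted + GENERIC_PROFILE:
        if rule.matches(ev):
            return rule.action
    return "keep"


def run(events: List[Event]) -> Dict[str, List[Event]]:
    """Sort a batch into alert / drop / keep buckets."""
    buckets: Dict[str, List[Event]] = {"alert": [], "drop": [], "keep": []}
    for ev in events:
        buckets[classify(ev)].append(ev)
    return buckets


# Constructed sample batch.
SAMPLE: List[Event] = [
    Event("DC01", "Security", "Security", 529, "Logon Failure: bad password for jsmith"),
    Event("WS-042", "Security", "Security", 529, "Logon Failure: bad password for jsmith"),
    Event("WS-042", "Security", "Security", 539, "Logon Failure: account locked out"),
    Event("FS01", "System", "Service Control Manager", 7034, "Backup service terminated unexpectedly"),
    Event("FS01", "System", "Print", 10, "Document printed"),
    Event("DC01", "Security", "Security", 517, "The audit log was cleared"),
    Event("WS-042", "Application", "MSSQLSERVER", 17055, "Informational message"),
]

if __name__ == "__main__":
    for action, evs in run(SAMPLE).items():
        print(action, [(e.computer, e.event_id) for e in evs])
```

Note the ordering: the same bad-password event is an alert on a domain controller and noise on a workstation only because the targeted profile is consulted first; put the generic profile first and the workstation override would never fire.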

EventsManager makes the often cryptic and nearly unreadable Windows event log entries more user friendly. It provides extensive reporting capabilities, including many predefined reports covering account usage and management, policy changes, application management, and trends. EventsManager can notify systems administrators and operators through a variety of real-time alerts, including email, network messages, and Short Message Service (SMS) alerts via a gateway. Its event-filtering capabilities include preconfigured event queries and a query builder that lets you construct your own queries to retrieve events of interest from the consolidated logs, and you can color-code significant events. GFI EventsManager 7.0 requires Microsoft SQL Server 7.0 or later or Microsoft SQL Server Desktop Engine (MSDE) to store collected events.

Even if you've considered and discounted previous versions of EventsManager, I recommend you take another look, if you're in the market for an enterprise event manager. The product is priced from $800 for 3 nodes to $32,000 for 500 nodes. Custom pricing is available for more than 500 nodes and for consultant licenses.

Total Event Log Management Suite
Dorian Software Creations offers a set of tools under the name Total Event Log Management Suite (http://www.doriansoft.com/totalsolution/index.htm). One tool in the suite is Event Archiver 6.0, which collects Windows event logs and stores them in a central location or database; it doesn't support IIS or IAS text log files or syslog. Event Archiver uses an agentless technology: a central server pulls event logs from monitored systems. Because the server reads the logs remotely, it needs an account with sufficient rights on every monitored system, so treat that account's credentials as sensitive and restrict where it is allowed to log on. Event Archiver lets you group several computers together into administrative domains to which you can apply policy settings that automatically archive specific and different types of events for each group of computers. Event Archiver predefines more than 100 events that you can choose for collection. Collected log files can be stored in ODBC-compliant databases, and Event Archiver supports the SQLOLEDB Provider for large database import operations.

You analyze stored logs by using another tool in the suite, Event Analyst 5.0. This tool lets you search for specific events in stored event-log files or databases. You can create HTML-based reports from consolidated logs by using prepackaged reports or dynamic, filter-based queries.

A third tool in the suite, Event Alarm 4.0, is a Windows service that runs in the background and monitors Windows event logs and syslog messages generated by network devices. It's agentless and can monitor remote systems. A feature called False Positive Reduction lets you choose to ignore certain events that are known to be irrelevant in your environment. Like Event Archiver, Event Alarm comes with more than 100 predefined events that administrators can easily select to monitor. When an event of interest is detected, Event Alarm can notify systems administrators and operators by a number of means, including an email message, a network message, forwarding details of the event to a syslog server, and broadcasting over the network to administrators running Dorian Software Creations' proprietary notification utility.

The last tool in the suite is Event Rover. This tool lets you filter and sort Windows event log entries into a tree view for easier analysis. The tool can export log data to HTML-format reports. Event Rover links to Dorian Software Creations’ Web site, http://www.eventlogs.com, at which you can research the meaning behind individual entries in the Windows event log.

The Total Event Log Management Suite is priced at $1,499.99 for either five servers plus 25 workstations or 10 servers, in both cases with an unlimited number of syslog devices. Fifteen servers with an unlimited number of syslog devices costs $2,199.99. For pricing of other combinations of servers and workstations, contact Dorian Software Creations directly.

Sentry II
Engagent’s Sentry II (http://www.engagent.com/newsite/products/product_sentryII.htm) is actually much more than simply a Windows event log, SNMP trap, and syslog management package. It can proactively monitor TCP/IP and Windows services, other running processes, and system performance. Sentry II monitors Windows systems from Windows 95 through Windows Server 2003, with support for both 32-bit and 64-bit OSs. Sentry II can also monitor UNIX and Linux servers and network devices by using SNMP traps and capturing syslog events, but it doesn't provide support for IIS and IAS text log files. It uses agents running on Windows 2003, Windows NT Server, or Windows 2000 Server to monitor systems.

Sentry II monitors events and can notify systems administrators and operators in real time via email, SMS, pager, SNMP, syslog, pop-up, and custom-program alerts when critical events are logged. Collected events can be stored in either a Microsoft Access or SQL Server database. Reports about archived events can be generated in PDF, HTML, Microsoft Excel, Microsoft Word, and other formats. Sentry II also lets you search consolidated event logs by such items as event identifier, username, event source, and description, and print, email, or export the results to a document. Contact Engagent directly for pricing information.

ELM Log Manager
Another tool is TNT Software's ELM Log Manager 4.0 (http://www.tntsoftware.com/products/elmlogmanager.aspx), which can monitor Windows event logs, Microsoft ISA Server log files, IIS log files, SQL Server error log files, and a number of other application log files, including custom log files, backup-software log files, antivirus log files, and static HTML files. ELM Log Manager also supports syslog and SNMP traps. ELM Log Manager uses an agent to collect logs and stores them in a SQL Server 7.0 or later database, or MSDE. You can manage default retention periods to optimize database usage. You can configure ELM Log Manager to fire an alarm if a specific event is detected a certain number of times within a user-defined period. Uniquely, it can also raise an alarm if an event is not detected a certain number of times in a user-defined period, which catches a scheduled backup that never reported completion or a monitored host that has gone quiet.
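Both alarm conditions just described, as an added example written for this page rather than ELM's own code: a count threshold over a sliding window (five bad-password events on one computer within ten minutes) and an absence threshold (no backup-completed record from a host within the last 24 hours), each run over constructed, time-stamped events. Event 529 is the real Windows 2000/2003 bad-password Security event; event 1000 as a backup-completed record, and the rule parameters, are assumptions for illustration.

```python
"""Count-threshold and absence-threshold alarms over a sliding window (added
example, not TNT Software's ELM code). Event 529 is the Windows 2000/2003
"bad user name or password" Security event; event 1000 is a constructed
stand-in for a nightly backup-completed record. Rule parameters are
assumptions for illustration."""
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

Event = Tuple[datetime, str, int]   # (timestamp, computer, event_id)


def count_threshold(events: List[Event], event_id: int, count: int,
                    window: timedelta) -> List[Tuple[str, datetime]]:
    """Alarm when `event_id` occurs `count` times within `window` on one
    computer. Returns (computer, time) at the moment the threshold is crossed."""
    alarms: List[Tuple[str, datetime]] = []
    recent: Dict[str, Deque[datetime]] = {}
    for ts, computer, eid in sorted(events):
        if eid != event_id:
            continue
        q = recent.setdefault(computer, deque())
        q.append(ts)
        while ts - q[0] > window:          # expire timestamps outside the window
            q.popleft()
        if len(q) == count:                # fires once as the count reaches the threshold
            alarms.append((computer, ts))
    return alarms


def absence_threshold(events: List[Event], event_id: int, computer: str,
                      min_count: int, window: timedelta, now: datetime) -> bool:
    """Alarm (True) when `computer` logged `event_id` fewer than `min_count`
    times in the `window` ending at `now`: the expected event is missing."""
    seen = sum(1 for ts, c, eid in events
               if c == computer and eid == event_id and now - window <= ts <= now)
    return seen < min_count


# Constructed sample: a burst of bad passwords on DC01, two stray ones on a
# workstation, a backup record on DC01 2 h ago, and none on FS01 in the last 24 h.
NOW = datetime(2007, 5, 3, 9, 0, 0)
SAMPLE: List[Event] = (
    [(NOW + timedelta(seconds=30 * i), "DC01", 529) for i in range(5)]
    + [(NOW + timedelta(minutes=1), "WS-042", 529),
       (NOW + timedelta(minutes=40), "WS-042", 529)]
    + [(NOW - timedelta(hours=2), "DC01", 1000),
       (NOW - timedelta(hours=26), "FS01", 1000),
       (NOW - timedelta(hours=50), "FS01", 1000)]
)


def run_demo() -> Dict[str, object]:
    """Evaluate both rules over the sample; times are returned as HH:MM:SS strings."""
    burst = count_threshold(SAMPLE, 529, count=5, window=timedelta(minutes=10))
    check_at = NOW + timedelta(minutes=45)        # evaluate the absence rule at 09:45
    day = timedelta(hours=24)
    return {
        "bad_password_burst": [(c, t.strftime("%H:%M:%S")) for c, t in burst],
        "fs01_backup_missing": absence_threshold(SAMPLE, 1000, "FS01", 1, day, check_at),
        "dc01_backup_missing": absence_threshold(SAMPLE, 1000, "DC01", 1, day, check_at),
    }


if __name__ == "__main__":
    print(run_demo())
```

The absence rule is evaluated at a chosen `now` rather than as events arrive, because the thing it detects is precisely that nothing arrived; in a real collector it runs on a timer, and the timer itself is worth alarming on if it stops.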

A central console lets administrators view and search collected logs for events of interest. The tool ships with predefined reports that let administrators quickly identify computer and user account creation and management activities, privilege elevation by users, logon and logoff activity, object access to files and registry subkeys, and Group Policy activity. ELM Log Manager can also notify systems administrators and operators in real time via email, executed command scripts, network alerts, IM, syslog, SNMP, SMS, and several other methods.

TNT Software offers other tools that SMBs might find interesting, including ELM Event Log Monitor 4.0 and ELM Enterprise Manager 4.0. ELM Event Log Monitor provides a subset of ELM Log Manager's features for businesses that don't require everything ELM Log Manager provides. ELM Enterprise Manager contains all the features of ELM Log Manager and many more, including real-time monitoring of applications and services. Contact TNT Software directly for pricing information.

EventTracker
Prism Microsystems’ EventTracker (http://www.eventlogmanager.com) uses an agent-based architecture for log management and claims to be able to handle as many as 700 events per minute with its standard agent and 7,000 events per minute with its high-performance agent. EventTracker also supports an agentless architecture for Windows systems, which is useful when performance isn't a concern. EventTracker supports Windows event logs, IIS, and syslog, and with additional tools, Linux and Sun Solaris systems. EventTracker doesn't support IAS or SNMP traps.

In addition to monitoring for security-related events, EventTracker can report the starting and stopping of applications (useful for license tracking), memory usage, disk space, CPU utilization, and services. EventTracker can notify systems administrators and operators in real time of critical events via email, pager, and custom command script. EventTracker is integrated with Prism's EventTracker Knowledge Base, which contains information about events that can be generated by various devices and event sources. EventTracker also supports plug-ins that monitor Web sites and networks for signs of intrusion by looking for unusual or unexpected traffic patterns, such as traffic associated with an attacker port-scanning remote systems, browsing the network for unsecured shares, or attempting to log on to local accounts. EventTracker relies on a trusted configuration profile (in other words, a description of permitted or legitimate traffic) to identify potential attacks. EventTracker provides rich reporting capabilities with standard report templates and support for customized reports. One strong feature of EventTracker is its ability to warehouse encrypted and signed events in a centralized location, so that later tampering with the archived records can be detected. Contact Prism Microsystems directly for pricing information.
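What a signed event warehouse buys you, as an added example written for this page and not Prism's code: each archived record carries an HMAC-SHA256 tag computed over the previous record's tag and its own canonical body, so editing, deleting, or reordering any record breaks verification from that point on. The key is assumed to live only with the collector, and the encryption half of "encrypted and signed" is not shown; the events are constructed.

```python
"""Tamper-evident signed event warehouse (added example, not Prism's
EventTracker code). Each record carries an HMAC-SHA256 tag over the previous
record's tag plus its own canonical body, so modifying, deleting, or
reordering any archived record breaks verification from that point on.
The key lives only with the collector (assumption); the encryption half of
"encrypted and signed" is not shown."""
import hashlib
import hmac
import json
from typing import Dict, List


def _tag(key: bytes, prev_tag: str, body: Dict) -> str:
    """HMAC over (previous tag || canonical JSON of this record's body)."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + canon, hashlib.sha256).hexdigest()


class SignedWarehouse:
    GENESIS = "0" * 64          # tag "before" the first record

    def __init__(self, key: bytes):
        self._key = key
        self.records: List[Dict] = []    # {"seq": int, "event": dict, "tag": str}

    def append(self, event: Dict) -> Dict:
        prev = self.records[-1]["tag"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "event": dict(event)}
        record = dict(body, tag=_tag(self._key, prev, body))
        self.records.append(record)
        return record

    def verify(self) -> int:
        """-1 if every record chains correctly; otherwise the index of the
        first record whose position or tag no longer matches."""
        prev = self.GENESIS
        for i, record in enumerate(self.records):
            body = {"seq": record["seq"], "event": record["event"]}
            if record["seq"] != i or not hmac.compare_digest(
                    record["tag"], _tag(self._key, prev, body)):
                return i
            prev = record["tag"]
        return -1


KEY = b"collector-side secret (constructed for this example)"

# Constructed events as a collector might normalise them.
EVENTS = [
    {"computer": "DC01", "log": "Security", "event_id": 528, "user": "jsmith"},
    {"computer": "DC01", "log": "Security", "event_id": 529, "user": "jsmith"},
    {"computer": "DC01", "log": "Security", "event_id": 517, "user": "SYSTEM"},
]


def build() -> SignedWarehouse:
    wh = SignedWarehouse(KEY)
    for ev in EVENTS:
        wh.append(ev)
    return wh


def tamper_demo() -> Dict[str, int]:
    """Verify an intact chain, then one with a rewritten record, then one with a deleted record."""
    intact = build().verify()

    edited = build()
    edited.records[1]["event"]["event_id"] = 528      # disguise the failed logon as a success
    modified = edited.verify()

    trimmed = build()
    del trimmed.records[1]                             # drop the failed logon entirely
    deleted = trimmed.verify()

    return {"intact": intact, "modified": modified, "deleted": deleted}


if __name__ == "__main__":
    print(tamper_demo())
```

The chain only proves integrity relative to whoever holds the key; if the key sits on the same server an intruder has already compromised, they can simply re-sign. Keep it with the collector and periodically anchor the latest tag somewhere the archive server cannot write.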

LogCaster for Security Auditing & Systems Management
RippleTech’s LogCaster for Security Auditing & Systems Management (http://www.rippletech.com/products/logcaster.htm) uses an agent-based architecture. The agent collects important system information, filters it, and passes it back to the LogCaster Server, where it is stored in a SQL Server 2005, SQL Server 2000, or MSDE database. The LogCaster Server can also collect syslog events. The LogCaster agent collects Windows event logs and processes each entry based on predetermined event rules to filter out unwanted events. The agent can process text files, including tab-delimited and comma-separated-values (CSV) files, using rules similar to those used to filter the event logs. The ability to process text files lets you configure LogCaster to monitor IIS, IAS, and other log files.

You use the LogCaster Management Console to configure LogCaster agents deployed on monitored systems and to view filtered events in real time. One nice feature is LogCaster Server's ability to deploy the agent to remote systems. The LogCaster agent can report changes in status to running services and applications as well as monitor system performance. You can use the included templates to quickly configure monitoring rules. LogCaster can notify administrators by email, pager, SMS, broadcast message, and other means. It also provides strong reporting features and has a wizard that helps you quickly create custom report templates. This tool goes one step further by providing rich logs of its own activities, which let you verify that LogCaster is working correctly and diagnose problems. Contact RippleTech directly for pricing information.
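The text-file side of what LogCaster and GFI EventsManager do (the W3C extended format that IIS writes, plus tab- or comma-delimited exports), as an added example written for this page and not either vendor's code: a parser driven by the `#Fields` directive, a delimited-file path with a header row, both normalised to one dict per entry so a single filter rule can run over either. The log lines are constructed and the filter rule is an assumption for illustration.

```python
"""W3C extended log parsing (the format IIS writes) plus delimited text files,
normalised to one dict per entry so the same filter rules apply to both
(added example, not RippleTech's LogCaster code). Log lines are constructed;
the filter rule is an assumption for illustration."""
import csv
from typing import Dict, Iterable, Iterator, List


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield a dict per data line, keyed by the most recent #Fields directive.
    IIS re-emits the directives when a log rolls, so #Fields can change mid-file;
    '-' is the W3C placeholder for an empty field."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                                  # #Software, #Version, #Date: metadata only
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            raise ValueError(f"malformed entry (expected {len(fields)} fields): {line!r}")
        yield {k: ("" if v == "-" else v) for k, v in zip(fields, values)}


def parse_delimited(lines: Iterable[str], delimiter: str) -> Iterator[Dict[str, str]]:
    """Tab- or comma-separated text with a header row, via csv.DictReader."""
    yield from csv.DictReader(lines, delimiter=delimiter)


def suspicious(entry: Dict[str, str]) -> bool:
    """Example rule: failed auth or server errors, or traversal attempts in the path."""
    uri = entry.get("cs-uri-stem", "").lower()
    return (entry.get("sc-status") in {"401", "403", "500"}
            or ".." in uri or "%2e%2e" in uri or "%5c" in uri)


# Constructed IIS 6.0-style log (IIS writes '+' in place of spaces inside a field).
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-05-03 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-05-03 09:00:01 10.0.0.5 GET /Default.htm - 80 - 10.0.0.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2007-05-03 09:00:07 10.0.0.5 GET /admin/ - 80 - 192.0.2.9 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 5
2007-05-03 09:00:09 10.0.0.5 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe /c+dir 80 - 192.0.2.9 - 404 0 2
2007-05-03 09:00:12 10.0.0.5 POST /login.asp - 80 jsmith 10.0.0.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

# Constructed tab-delimited export of a backup application's run log.
TAB_SAMPLE = "time\tjob\tresult\n2007-05-03 02:00\tnightly-full\tOK\n2007-05-04 02:00\tnightly-full\tFAILED\n"


def run_demo() -> Dict[str, List[str]]:
    """Apply the filter rule to the IIS sample and pick failed jobs out of the export."""
    iis_hits = [e["cs-uri-stem"] for e in parse_w3c(IIS_SAMPLE.splitlines()) if suspicious(e)]
    failed_jobs = [e["job"] for e in parse_delimited(TAB_SAMPLE.splitlines(), "\t")
                   if e["result"] != "OK"]
    return {"iis_suspicious": iis_hits, "failed_jobs": failed_jobs}


if __name__ == "__main__":
    print(run_demo())
```

Tracking `#Fields` as it appears, rather than hard-coding column positions, is what keeps the parser correct when an administrator adds a field to the IIS logging configuration; a positional parser silently shifts every column after that change, which is exactly the kind of quiet failure the self-logging feature mentioned above is meant to expose.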

Still More to Choose From
Each tool I've described can be downloaded for evaluation before purchase. The list is not exhaustive, however—other solutions are available that might interest you. For example, you might want to consider Microsoft Operations Manager (MOM) 2005, or the forthcoming Microsoft System Center Operations Manager 2007, which comes with a new tool called Audit Collection Services (ACS). For more information about MOM 2005 Workgroup Edition, see the Windows IT Security article "MOM for SMBs," January 2007, InstantDoc ID 94361, and "MOM Management Packs," January 18, 2007, InstantDoc ID 94671. I will describe Ops Manager 2007 and ACS in a future article. Secure Vantage Technologies (http://www.securevantage.com) provides management packs and reporting solutions for MOM 2005 and Ops Manager 2007's ACS.

Editor's Note: NETIKUS.NET EventSentry 2.8 wasn't included in this comparison, but a stand-alone review of this product is now available. Please refer to our "NETIKUS.NET EventSentry 2.8 Review" (InstantDoc ID 96770) for more information.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing