Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


July 2007

Log Management Products for SMBs

These products make it easy to monitor and manage your event logs

Hands On
Initial installation of MonitorIT took only a few minutes. I chose to use the included Access database rather than a SQL server. Upon starting the console, I was presented with some basic startup steps to guide me through the initial configuration of systems, watches, and alerts. I started by using MonitorIT’s Discovery feature to display a list of available systems. I selected one and had MonitorIT push an agent out to one system, which it did with no problem. I also installed the agent to another server using the “pull” method, initiated by using IE to browse to an InstallAgent.asp file on the MonitorIT server Web site. In both cases, MonitorIT then displayed the system as a valid target I could assign watches to.

I’ve worked with quite a few products that made use of Web-based management consoles and have noticed large differences in their look, feel, and overall utility. Some consoles seem to respond slowly and have a design that isn’t particularly efficient for the task at hand. MonitorIT’s console was usually responsive—I didn’t often sit and wonder when the screen would respond. Relatively slow reporting tasks were a notable exception. The console’s organization made it easy to find the function I wanted. As Figure 1 shows, an Outlook-style menu is along the left side, and a pull-down menu supporting the task in a new window is available on the right—a convenient option.

I assigned watches to systems from the Server’s Agents and Devices screen by displaying the server name, clicking the Eligible Watches button, and selecting the watches I wanted to apply from the screen that displayed.

MonitorIT archives event log data by saving and compressing event log files and copying them to a central storage location. The Archive menu provides options to create archive schedules and assign them to servers. A schedule designates how often event logs will be copied to the archive location and allows administrators to have logs archived on the basis of how full the logs are.

The Web console includes extensive Help information, which I found useful whether I wanted a general understanding of some aspect of the program or of what a specific configuration option would do.

MonitorIT seemed to use a lot of CPU cycles. Running in a virtualized Windows Server 2003 system, the Task Manager display for the host system showed one of the two CPU usage history displays at 100 percent utilization, and the utilization stayed at that level. Stopping the MonitorIT server service in the virtual server returned CPU utilization to less than 10 percent on both processors. After I restarted the MonitorIT Server service, one CPU ran again at a consistent 100 percent. This could have been a result of using the Access database on the same server, because I used a version of SQL Server in my testing of other products.

MonitorIT is supplied with only a few standard reports. It does let you view current and archived event logs subject to a specified date range and event filters you can create and save, with an option to report from either archived EVT files or events captured in the database via watches. Once MonitorIT generated a filtered view of event log data, it gave me the option to print, email, or export the report data to a comma-separated value (CSV) file on the server.

Summary
If event log reporting is your primary need, MonitorIT doesn’t provide an ideal solution. Its strengths lie more in the area of system and application monitoring. It had fewer predefined event log alerts and filters than the other products I reviewed and didn’t have a facility to create a new watch from an existing event log entry. It does a good job copying native Windows event log files to a central location for archiving but doesn’t provide tools for archiving metrics written only to the database. It is an effective, value-priced application; just expect to spend some time customizing your implementation.

Breakout Software MonitorIT 8.0.19
Pros: Monitors a broad range of metrics in addition to Windows event logs and syslog output; the ActiveX-based Web console is responsive and easy to navigate
Cons: Relatively few predefined Watches and reports, no explicit procedures for archiving database-resident metrics
Rating: 3 stars
Price: Starts at $110 for 1–499 servers, $38 per server for 500–999 servers
Recommendation: Although MonitorIT is an effective, value-priced alternative for system monitoring and log archiving, expect to spend some time customizing your implementation.
Contact: Breakout Software, http://www.breakoutsoft.com, 908-561-5210

Dorian Software Total Event Log Management Suite
Dorian Software's Total Event Log Management Suite comprises four separately available and installable components. Event Alarm 5 monitors servers and performs notification. Event Archiver 6 collects events and manages event retention in files and a database. Event Analyst 5 supports reporting against archived events in Total Event Log Management Suite–created databases and saved event log files. Event Rover 1.1 retrieves and displays events remotely from active and saved event log files, primarily for rapid ad hoc analysis. The first three components make use of a database—SQL Server, Oracle 9i, or Access—to record and work with monitored events. Together, the components of Total Event Log Management Suite monitor and manage Windows event logs and syslog output. Dorian licenses the suite on a per-monitored-server basis, and lets administrators choose whether to install a software component locally or to monitor the server remotely. Syslog sources don’t require a license.

Architecture
Each of the three key components is supported by services running on the server on which they're installed. Windows event log monitoring is performed by the Event Alarm service without an agent installed on a monitored system. A single Event Alarm server monitors systems throughout the local network, although Dorian recommends that administrators install additional Event Alarm servers at remote sites and in isolated or protected network segments. The Event Alarm Syslog Bridge service receives syslog output from network appliances and Linux/UNIX systems and places the messages into the Windows application log, where the Event Alarm server processes them. The priority of the syslog message becomes the event category in the application log, and the Syslog Bridge service places the source IP address and message text in the Description field.
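
The Syslog Bridge mapping described above, sketched as an added example (not Dorian's code): it assumes "priority" means the RFC 3164 severity decoded from the PRI field, and the record field names, the `SyslogBridge` source label and the sample datagram are constructed for illustration.

```python
import re

# RFC 3164 severity names, indexed by severity value (PRI % 8).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def bridge_to_event(datagram: bytes, source_ip: str) -> dict:
    """Map one syslog datagram to an application-log style record."""
    text = datagram.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:
        pri, message = int(m.group(1)), m.group(2)
    else:
        # RFC 3164: a missing or unreadable PRI is treated as 13 (user.notice).
        pri, message = 13, text
    facility, severity = divmod(pri, 8)
    # Flatten control characters so one datagram cannot forge extra log lines.
    message = "".join(c if c.isprintable() else " " for c in message).strip()
    return {
        "log": "Application",
        "source": "SyslogBridge",            # assumed label, not from the product
        "category": SEVERITIES[severity],    # assumption: category = severity name
        "facility": facility,
        "description": f"{source_ip}: {message}",
    }

if __name__ == "__main__":
    # Constructed sample datagram; 192.0.2.10 is a documentation address.
    sample = b"<34>Oct 11 22:14:15 fw01 su: 'su root' failed for lonvick"
    print(bridge_to_event(sample, "192.0.2.10"))
```

The source address comes from the UDP packet header rather than the message body, so the record reflects whatever address the packet claimed.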

Within Event Alarm, administrators configure alarms and associated notifications based on log events, and Event Alarm installs with many preconfigured alarms. Administrators may create alarm groups, which are named collections of alarms. Assigning alarm groups to servers with similar monitoring requirements reduces your administrative effort.

Event Alarm allows you to create named sets of notification options, resulting in one or more of the following notification actions: email and pager messages, Windows console pop-up messages, messages to Event Alarm Listener Consoles and syslog host consoles, and insertion of the event into a database. The ability to consolidate both syslog messages and Windows event log messages and to forward selected messages to a syslog host server supports a unified event notification option for organizations that have a Linux/UNIX orientation. Similarly, the Event Alarm Listener Console, intended for use on administrative workstations, provides unified event notification for Windows-oriented administrators. Minimizing to the system tray, the Listener Console alerts the workstation user to the presence of new alarms.

To begin monitoring, you assign alarms, alarm groups, and notification sets to event logs on individual servers. Event Alarm allows you to designate alarms and alarm groups as "Events to Ignore," which takes precedence over monitoring specifications. As a result, you can create broadly inclusive monitoring groups and filter out specific events you know are of no interest. Event Alarm offers several tools that ease the configuration of multiple monitored servers. Rapid Configuration Setup is a check-box approach to selecting monitored servers and alarms by which Event Alarm creates alarm groups for the alarms you select and assigns them to the appropriate event logs on the servers you specify. A pair of wizards lets you create or modify a monitoring configuration with greater granular control, including the ability to specify "ignore" events. Other wizards let you set uniform event logging and event log file management policies across monitored servers.
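
The "Events to Ignore" precedence described above, as an added example rather than Event Alarm's own logic: the `Rule` structure, rule names and sample events are constructed, and the event IDs are the Windows Server 2003 Security log IDs for logon failure (529), logoff (538) and account lockout (644).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    log: str
    source: Optional[str] = None      # None matches any event source
    event_id: Optional[int] = None    # None matches any event ID

    def matches(self, ev: dict) -> bool:
        return (ev["log"] == self.log
                and self.source in (None, ev["source"])
                and self.event_id in (None, ev["event_id"]))

def evaluate(ev, alarms, ignores):
    """Return (alarms_fired, suppressed_by); ignore rules are checked first."""
    for rule in ignores:
        if rule.matches(ev):
            return [], rule.name      # an ignore match suppresses every alarm
    return [a.name for a in alarms if a.matches(ev)], None

# Constructed configuration: one broad alarm, one specific alarm, one ignore rule.
ALARMS = [Rule("any-security-event", "Security"),
          Rule("account-lockout", "Security", event_id=644)]
IGNORES = [Rule("routine-logoff", "Security", event_id=538)]

# Constructed sample events.
EVENTS = [
    {"log": "Security", "source": "Security", "event_id": 529},
    {"log": "Security", "source": "Security", "event_id": 538},
    {"log": "Security", "source": "Security", "event_id": 644},
    {"log": "System", "source": "Service Control Manager", "event_id": 7036},
]

def triage(events=EVENTS):
    """Map each sample event ID to its (alarms_fired, suppressed_by) result."""
    return {ev["event_id"]: evaluate(ev, ALARMS, IGNORES) for ev in events}

if __name__ == "__main__":
    for event_id, (fired, suppressed_by) in triage().items():
        print(event_id, fired, "ignored by " + suppressed_by if suppressed_by else "")
```

Returning the name of the ignore rule alongside the empty alarm list keeps a record of what was suppressed and why, which makes an overly broad ignore rule visible during review.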
