Manage, monitor, and get more control over event logs
Hunting through yet another Windows event log is often a necessary but time-consuming chore. One tool that can simplify this task is a Windows event log manager. An event log manager can help you more easily monitor and manage your event logs, find specific events, and generate reports.
Taking 5 Log Managers for a Spin
For this log manager roundup, I looked at five different Windows log managers. Depending on your needs, any of these five products would be a good alternative to the standard Windows event viewer.
• FSPro Labs' Event Log Explorer
• Altair Technologies' Event Reader 2
• Dorian Software Creations' Event Analyst
• Technology Lighthouse's EventMeister
• Corner Bowl Software's Corner Bowl Log Manager 2009
All five products support the EVT format used by Windows Server 2003 and Windows XP to save event log files, but not all support the EVTX format, which Windows Vista and Windows Server 2008 use for event log files.
To test the log managers, I installed each one under Windows 2003 as my base OS. I also installed products compatible with Vista and Server 2008 under those two systems to confirm compatibility and make sure they could read EVTX files directly.
Of the five, the only program incompatible with Vista or Server 2008 was Event Reader 2. However, the company said that Event Reader 3 will support the newer OSs, though no release date was given.
Event Log Explorer, Event Analyst, EventMeister, and Corner Bowl Log Manager run on Windows Server 2008/Vista/2003/XP/2000/NT; Event Reader 2 runs under Windows 2003/XP/2000.
Event Log Explorer 3.1
FSPro Labs’ Event Log Explorer (see Figure 1) provides a no-frills window with a treeview of the computer on which you installed the program. You drill down on your current machine to see branches for each separate log file and double-click each log to open a list of its events in a table.
Double-clicking a specific event opens a separate window consolidating information about the event type, date, time, and more. You can also find links to Microsoft’s Knowledge Base and to the Event ID database, a web-based repository of Windows event log information.
From the UI, you can add other computers to the treeview. A wizard automatically scans for other computers based on their role on the network.
If you want to see just one specific log from another computer rather than all logs, you can run the Open Log command instead, browse the network or domain, then choose the machine. That command also lets you open existing EVT or EVTX log files from your local computer or any networked machine. To manage the many logs from different computers, you create multiple workspaces, each one storing a different tree of logs.
To sort the events displayed in the main window, you can click on any column heading. To narrow the events displayed, you can apply filters by running the Filter command. The filtering system is very effective, offering a nicely designed dialog box. You can save any filter and apply it to other logs.
A convenient Quick Filter option is also available to filter the log based on your current selection. To limit the number of events loaded, you can also prefilter events before they open. You can also search through all the displayed events using the Find command.
Event Log Explorer lets you save any log as an EVT or EVTX file, so you can keep a running archive. The software offers both manual and automated processes for backing up.
You can export any log from Event Log Explorer into HTML to generate a report, or save it as a text file or Excel spreadsheet to incorporate into a database. You can choose to export all events or only selected ones and include or exclude event descriptions, but there are no further export options. The product also lacks a scheduling feature, so you can’t automatically generate a report and have it emailed.
Event Reader 2
Event Reader 2 from Altair Technologies (see Figure 2) displays a treeview of your local computer, and you can drill down to see branches for each of the individual event logs. Clicking on a specific log displays its events and event properties. An Event Properties window displays a description of the event you select and its individual properties. Clicking the Event ID for a specific event brings you to the Event ID database, the web-based resource started by and still maintained by Altair Technologies.
By default, Event Reader displays the logs for the computer on which it’s installed. You can add additional computers to monitor. Event Reader 2 supports only EVT files, not EVTX.
You can easily sort the events in any list by clicking on the heading for each column. Event Reader offers several useful options to filter your data. A toolbar across the top displays buttons for each of the different event types, such as error, warning, and information. By default, each button is turned on; turning one off excludes that event type from the display.
More advanced filtering options are also available, including filtering by event type, by date and time, and by event ID and source. The filter options were smoothly presented and simple to use. Event Reader offers no specific method to search for events, but in most cases filtering provides a more efficient way of seeing events that match specific criteria.
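Both Event Log Explorer and Event Reader filter by event type, ID, source and date, prefilter before loading, and then sort or search the result. The same workflow in PowerShell, as an added example that is not code from either product: the hashtable filter is evaluated on the remote machine, so only matching events cross the network, and the text search runs over what comes back. The computer names, the source, the event ID in the comment and the search string are assumed values; Get-WinEvent needs PowerShell 2.0 or later and read rights on each target log.

```powershell
# Added example: filter, sort and search event logs across several computers.
# SERVER01/SERVER02, the provider name and the search string are assumptions.

$computers = @('SERVER01', 'SERVER02')   # assumed computer names
$since     = (Get-Date).AddHours(-24)

# Prefilter: only these events are read from each remote log.
$filter = @{
    LogName      = 'System'
    Level        = 1, 2, 3                      # 1 = Critical, 2 = Error, 3 = Warning
    ProviderName = 'Service Control Manager'    # assumed source; drop this key for all sources
    StartTime    = $since
    # Id         = 7034                         # optional: restrict to specific event IDs
}

$events = foreach ($c in $computers) {
    try {
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop |
            Select-Object @{n='Computer'; e={$c}}, TimeCreated, Id, LevelDisplayName,
                          ProviderName, Message
    }
    catch {
        # An empty result is reported as NoMatchingEventsFound; anything else
        # (RPC unavailable, access denied) is worth a warning, then carry on.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "${c}: $($_.Exception.Message)"
        }
    }
}

# Quick overview by event type, the equivalent of the per-type toolbar buttons.
$events | Group-Object LevelDisplayName | Select-Object Name, Count

# "Find": narrow the loaded events to those whose text contains a string,
# then sort newest first.
$needle = 'terminated unexpectedly'     # assumed search string
$events |
    Where-Object { $_.Message -like "*$needle*" } |
    Sort-Object TimeCreated -Descending |
    Format-Table Computer, TimeCreated, Id, LevelDisplayName, ProviderName -AutoSize
```

Filtering inside the hashtable rather than with Where-Object matters on busy logs: a Where-Object filter only runs after every event has already been pulled across the wire.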
To create a report, you can export an event log into HTML. Event Reader provides a few basic but helpful options to format your HTML report, letting you choose the font, point size, and colors. You can also save a log directly to an FTP server, which simply uploads it as an HTML report. And you can export event log data to a database.
The scheduling feature is impressive. You can schedule a report to be generated daily or at other intervals. You can set up the report to be saved in a specific location, emailed to you, uploaded to an FTP server, saved in a database, or all of those options. To limit the information in the report, you simply set up a filter.
Event Analyst 8.0
Event Analyst from Dorian Software Creations (see Figure 3) opens by greeting you with a Quick Tips message, which you can enable or disable at startup. After that, a blank UI awaits your command. When opening logs, you can choose only one computer and one log at a time; there’s no option to tag multiple computers or logs to open in one shot.
You can tell the software to either open the logs in the UI or build a report. You can add additional logs, either from the same computer or from other networked computers. You can also open files saved as EVT, EVTX, CSV, or text to display within Event Analyst.
The Research this Event Online command opens a Dorian Software webpage with links to information on the event. You can also link to the Microsoft knowledge base.
You can sort the event list by any of the column headings. However, there was no heading for event type, so I wasn’t able to sort the list to see all errors or all warnings grouped together.
Event Analyst includes several predefined filters to limit the event data on display. I created and saved a filter and was able to use it on any log by running the Apply Filter command. I could also create a basic filter on the spot without having to save it.
You can run an advanced filter that works against a database—Access, SQL Server, or Oracle. This method provides a wide range of options using Boolean logic to filter by computer, user, event ID, and other criteria.
Logs can be exported to any one of four formats: HTML, a comma-delimited text file, an Access MDB file, or an ODBC source to a database. You can run a report based on specific criteria of your choice or choose a built-in report. Some of the built-in reports were extremely clever and useful, such as the top 10 most frequently occurring events. Each report contained the source of the event and other details, along with the start and end dates.
Event Analyst's custom report designer proved quick and easy to use, and I was able to preview the report as an HTML or CSV file. You can schedule a report to run on a regular basis and be saved or emailed. You can also apply a filter to the scheduled report to limit the amount of data it contains.
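Event Reader's scheduled HTML/email reports and Event Analyst's "top 10 most frequent events" report both come down to the same pipeline: pull a date range, aggregate, write HTML and CSV, mail it, and run it on a timer. The script below is an added example, not code from either product. Computer names, the output folder, the mail addresses, the SMTP host and the script path in the schtasks comment are assumed values.

```powershell
# Added example: daily "top 10 events" report saved as HTML and CSV and emailed.
# All paths, hosts and addresses are assumptions; adjust via the parameters.
param(
    [string[]]$Computers = @('SERVER01'),          # assumed
    [string]  $LogName   = 'Application',
    [int]     $Days      = 1,
    [string]  $OutDir    = 'C:\Reports\EventLogs', # assumed
    [string]  $MailTo    = 'ops@example.com',      # assumed
    [string]  $MailFrom  = 'eventreport@example.com', # assumed
    [string]  $SmtpHost  = 'smtp.example.com'      # assumed
)

$start = (Get-Date).Date.AddDays(-$Days)   # report window: whole days, ending yesterday
$end   = (Get-Date).Date
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$events = foreach ($c in $Computers) {
    Get-WinEvent -ComputerName $c -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $LogName; StartTime = $start; EndTime = $end } |
        Select-Object @{n='Computer'; e={$c}}, Id, ProviderName, LevelDisplayName, TimeCreated
}

# Aggregate by (source, ID, level) and keep the ten most frequent combinations,
# with first/last occurrence so the report shows when each burst happened.
$top10 = $events |
    Group-Object ProviderName, Id, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object -First 10 |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        New-Object PSObject -Property @{
            Source  = $sorted[0].ProviderName
            EventId = $sorted[0].Id
            Level   = $sorted[0].LevelDisplayName
            Count   = $_.Count
            First   = $sorted[0].TimeCreated
            Last    = $sorted[-1].TimeCreated
        }
    } |
    Select-Object Source, EventId, Level, Count, First, Last   # fix column order

$stamp = $end.ToString('yyyy-MM-dd')
$csv   = Join-Path $OutDir "top10-$LogName-$stamp.csv"
$html  = Join-Path $OutDir "top10-$LogName-$stamp.html"

$top10 | Export-Csv $csv -NoTypeInformation
$top10 |
    ConvertTo-Html -Title "Top 10 $LogName events" `
        -PreContent "<h1>Top 10 $LogName events, $start to $end</h1><p>Computers: $($Computers -join ', ')</p>" |
    Out-File $html

Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpHost `
    -Subject "Top 10 $LogName events for $stamp" -Body 'Report attached.' -Attachments $html, $csv

# To run it daily at 06:00 (one-time setup from an elevated prompt; path assumed):
#   schtasks /Create /SC DAILY /ST 06:00 /RU SYSTEM /TN "EventLogTop10" `
#     /TR "powershell.exe -NonInteractive -File C:\Scripts\Top10Report.ps1"
```

The account the task runs under needs read access to each remote log; on Vista/Server 2008 targets that means membership in the local Event Log Readers group or administrative rights.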
EventMeister
Technology Lighthouse's EventMeister (see Figure 4) lets you set up a service to collect data when no user is logged in. Before viewing any log file data, you set up an Event Log Feed, which gathers events from the computers you want to monitor into one ongoing feed. You choose which event logs to include, how you want event information to be gathered, and how often to poll and update the feed with new data.
EventMeister uses either a “Read from log” option, which generates the feed by capturing all events from the log, including those stored before the application was installed; or it uses a “Catch events” option to capture new events, omitting older events. You can add new feeds from other computers to an existing group or create a new group and populate that with new feeds.
After the feed is created, the event log you chose is automatically downloaded. You can see a list of each event including such fields as type, date, and category.
You can also create a feed by opening a CSV file. This is a useful option if you already have several feeds exported and saved into one single CSV file. However, there’s no way to open an EVT or EVTX file directly. For this option to work, you’d have to save your event logs as CSV files directly from Windows’ Event Viewer.
You can sort by clicking on any heading, and you can show or hide any column to limit the information displayed. You filter the data in a feed by adding a field on which to filter and manually typing in a value. You can also apply conditions such as equal, greater than, or begins with or ends with a particular value, which gives you a great deal of flexibility. Searching for an event is simple: You enter a text string or numeric ID to find a specific event or event type.
Export options are plentiful. You can export a feed to an HTML document, choosing from among six different template formats. You can also export a feed to other formats, including CSV and XML. I found custom report creation smooth and easy to use.
EventMeister can notify you via email or PC if a certain event is triggered. You can set criteria so that a notification is sent under specific conditions.
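EventMeister's notify-on-event feature is a subscription: a condition on incoming events, and an action when it fires. The script below is an added example of the same idea using a WMI event subscription, which is available from PowerShell 2.0 on XP/Server 2003 and later; it is not EventMeister's code. The SMTP host and addresses are assumed; the three Security log event IDs (4625 failed logon, 1102 audit log cleared, 4720 user account created) are real Vista/Server 2008 IDs chosen as a defensive example, and reading the Security log this way requires an elevated session.

```powershell
# Added example: email a notification when a watched Security event is written.
# Mail settings are assumptions; the event IDs are standard Security log IDs.
$cfg = @{
    Smtp = 'smtp.example.com'                    # assumed
    To   = 'soc@example.com'                     # assumed
    From = "$env:COMPUTERNAME@example.com"       # assumed
}

# Condition: any of these IDs appearing in the Security log.
$watched  = 4625, 1102, 4720
$idClause = ($watched | ForEach-Object { "TargetInstance.EventCode = $_" }) -join ' OR '

# WITHIN 10 = WMI polls the log every 10 seconds; lower values cost more CPU.
$wql = "SELECT * FROM __InstanceCreationEvent WITHIN 10 " +
       "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
       "AND TargetInstance.Logfile = 'Security' AND ($idClause)"

Register-WmiEvent -Query $wql -SourceIdentifier 'SecurityEventAlert' -MessageData $cfg -Action {
    $e    = $Event.SourceEventArgs.NewEvent.TargetInstance   # the Win32_NTLogEvent instance
    $cfg  = $Event.MessageData
    # TimeGenerated arrives in DMTF format (yyyymmddHHMMSS.ffffff+zzz); convert it.
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)
    $body = @"
Computer : $($e.ComputerName)
Log      : $($e.Logfile)
EventID  : $($e.EventCode)
Source   : $($e.SourceName)
Time     : $when
Message  :
$($e.Message)
"@
    Send-MailMessage -SmtpServer $cfg.Smtp -To $cfg.To -From $cfg.From `
        -Subject "[$($e.ComputerName)] Security event $($e.EventCode)" -Body $body
}

# The subscription lives only as long as this PowerShell session. Inspect or
# remove it with:
#   Get-EventSubscriber
#   Unregister-Event -SourceIdentifier 'SecurityEventAlert'
```

For an unattended monitor, run the script from a service or a scheduled task that keeps the session alive, which is what EventMeister's collection service does for you.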
Corner Bowl Log Manager 2009
Corner Bowl Log Manager 2009 (see Figure 5) offers both event log and text log management. A dashboard alerts you to the status of the CBLM service, shows which log events were last polled, and displays pie charts of computer logs. I found the Dashboard cluttered with information that I didn’t yet need, especially when opening the program the first time.
The Network Explorer panel displays a treeview of your local machine with branches for each log. To see the events, you access a pane at the bottom of the main screen. You can also trigger a manual download by selecting the Download Events command. This process felt awkward at first, but it worked successfully.
Each event appeared in a separate row in the center pane. Clicking a specific event revealed all its details crowded into a small window. Overall, I found the event window poorly designed and difficult to work with.
To add new computer logs to manage, you can run a wizard or you can open the Event Log Explorer pane, browse your local network, then select the computers and logs to download. I found this a smooth process. A creative option lets you automate adding new computers through Active Directory.
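Corner Bowl's Active Directory auto-discovery and EventMeister's polled "feed" (described earlier, where each poll fetches only the events added since the last one) fit naturally together. As an added example, not code from either product, the script below discovers computers with an ADSI search, which needs no extra modules on Server 2003/2008, and polls each one for events newer than a per-computer watermark saved between runs. The state file path, feed folder and the LDAP filter scope are assumed values.

```powershell
# Added example: discover computers from AD and poll their System log for
# events newer than each computer's last-seen timestamp (the "feed" delta).
# Paths and the LDAP scope are assumptions.

$stateFile = 'C:\LogCollector\lastpoll.csv'    # assumed; per-computer watermarks
$feedDir   = 'C:\LogCollector\feed'            # assumed; one CSV per poll
$logName   = 'System'

# 1. Discover computers in the current domain (servers only, an assumed scope).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(&(objectCategory=computer)(operatingSystem=*Server*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('dNSHostName')
$computers = $searcher.FindAll() |
    ForEach-Object { $_.Properties['dnshostname'][0] } |
    Where-Object { $_ }

# 2. Load watermarks from the previous run: computer -> newest TimeCreated seen.
$last = @{}
if (Test-Path $stateFile) {
    Import-Csv $stateFile | ForEach-Object { $last[$_.Computer] = [datetime]$_.LastSeen }
}

# 3. Poll each reachable computer for events after its watermark.
$collected = foreach ($c in $computers) {
    if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
        Write-Warning "$c unreachable, skipped"; continue
    }
    # First poll of a new computer: start 24 hours back rather than the whole log.
    $since = if ($last.ContainsKey($c)) { $last[$c] } else { (Get-Date).AddDays(-1) }
    try {
        $new = @(Get-WinEvent -ComputerName $c -ErrorAction Stop `
                   -FilterHashtable @{ LogName = $logName; StartTime = $since.AddSeconds(1) })
        if ($new.Count -gt 0) {
            $last[$c] = ($new | Sort-Object TimeCreated -Descending)[0].TimeCreated
        }
        $new | Select-Object @{n='Computer'; e={$c}}, TimeCreated, Id, LevelDisplayName,
                             ProviderName, Message
    }
    catch {
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "${c}: $($_.Exception.Message)"
        }
    }
}

# 4. Persist the watermarks and write this poll's delta to the feed folder.
New-Item -ItemType Directory -Path (Split-Path $stateFile) -Force | Out-Null
New-Item -ItemType Directory -Path $feedDir -Force | Out-Null
$last.GetEnumerator() |
    ForEach-Object { New-Object PSObject -Property @{ Computer = $_.Key; LastSeen = $_.Value.ToString('o') } } |
    Select-Object Computer, LastSeen |
    Export-Csv $stateFile -NoTypeInformation
$collected | Export-Csv (Join-Path $feedDir ("feed-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))) -NoTypeInformation
```

Using TimeCreated as the watermark has one caveat worth knowing: clock skew on a target can hide events whose timestamps fall behind the saved value, so keep targets on a common time source, and accept a small overlap if you ever widen the window.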
Before opening your event logs, CBLM gives you a quick filtering window, so you can open all events or only specific ones. To organize your various log files, you create groups, a convenient way to manage them.
You can quickly sort the event list by clicking a specific header or you can group events by dragging column headings. To do quick filtering, you use the event type’s toolbar button or configure more advanced filtering. As for search, you can run a simple search on your list of events by running the Find command and entering a text string to locate.
You can back up and save a log in CSV, EVT, text, HTML, or XML. You can also directly open an EVT (but not EVTX) file.
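Archiving a log to a file (Event Log Explorer's backup option), reading saved EVT/EVTX files, and converting to the CSV that a tool without EVT/EVTX support (EventMeister) can import, are all things the built-in tools on Vista/Server 2008 can do. The following is an added example, not code from any product in the roundup; the folder and the legacy .evt file path are assumed, and the Security log IDs used in the filter (4624 successful logon) are standard.

```powershell
# Added example: archive a live log to .evtx, then open .evtx, .evt and CSV
# copies without the original machine. Paths are assumptions.

$archiveDir = 'C:\LogArchive'                  # assumed
New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Export the live Security log to EVTX (wevtutil ships with Vista/2008+;
#    the Security log requires an elevated prompt).
$evtx = Join-Path $archiveDir "Security-$stamp.evtx"
wevtutil epl Security $evtx

# 2. A saved EVTX can be filtered exactly like a live log, using Path instead
#    of LogName in the hashtable.
Get-WinEvent -FilterHashtable @{ Path = $evtx; Id = 4624; StartTime = (Get-Date).AddDays(-7) } |
    Select-Object TimeCreated, Id, Message -First 5

# 3. A legacy .evt file (Server 2003/XP format) is readable too, but only
#    forward: Get-WinEvent requires -Oldest for .evt files.
$evt = 'C:\LogArchive\AppEvent-2003.evt'       # assumed legacy archive
if (Test-Path $evt) {
    Get-WinEvent -Path $evt -Oldest |
        Where-Object { $_.Level -eq 2 } |      # 2 = Error
        Select-Object TimeCreated, Id, ProviderName -First 5
}

# 4. Round-trip through CSV, the format a tool without EVT/EVTX support can
#    import. Export-Csv flattens the multi-line Message into one cell.
$csv = Join-Path $archiveDir "Security-$stamp.csv"
Get-WinEvent -Path $evtx -MaxEvents 1000 |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message |
    Export-Csv $csv -NoTypeInformation -Encoding UTF8

Import-Csv $csv | Group-Object Id | Sort-Object Count -Descending | Select-Object Name, Count -First 5
```

The EVTX export keeps the original binary records and, unlike the CSV, can still be queried by ID, level and provider later; treat the CSV as a convenience copy rather than the archive of record.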
I found the report generation tool confusing. Before you set up a report, you create an Action, which specifies the output or destination of the report. Then you can generate a report by running a wizard. You specify the type of report, the name, its frequency, the computer or computers and logs to include, filters to use, and finally the action to apply.
Easy Log Management
Even with the newer event filtering and search options available in Server 2008, event log managers offer many benefits over Windows’ Event Viewer. Whether you choose one of the above or an equally worthy solution, log managers offer flexibility and time-saving features that will simplify your job.