A powerful way to monitor NT event logs

Administrators need a powerful way to monitor their Windows NT event logs. Mission Critical Software (MCS) offers SeNTry Enterprise Event Monitor (EEM) 2.5 as a solution. SeNTry EEM is a highly scalable, enterprise-enabled event-monitoring system that monitors event logs, application logs, services, and performance counters on NT systems.

The more NT systems you have on your network, the harder they are to monitor. NT's built-in event log doesn't manage remote system logs. You can access remote NT event logs, but you can't consolidate remote logs with local logs, filter or search remote logs, or send administrative alerts based on entries from remote logs. The NT event log is a primitive tool that hasn't evolved since its initial implementation, so monitoring NT event logs is a tedious task.

SeNTry EEM monitors information it collects from local and remote NT systems, classifies the information according to defined importance levels, and displays the information in configurable views. The software stores the information it collects in a central Open Database Connectivity (ODBC)-compliant database. SeNTry EEM sends alerts to the appropriate people via email and pager and automatically launches batch files in response to log entries.

SeNTry EEM uses three components: gatherers, senders, and monitors. The gatherer is an NT server that acts as a central hub for collecting events from the senders (i.e., all monitored servers or workstations). Each sender forwards event-log entries to the gatherer. Systems administrators use the monitors (i.e., the NT Event Monitor and the Web-based Event Monitor) to communicate with the gatherer and to review and report collected events. You can use the monitors to display multiple event-data views concurrently. For example, you can use one monitor to view your enterprisewide security-related events and another monitor to view your enterprisewide Remote Access Service (RAS) events.

Plenty of Functionality
SeNTry EEM provides plenty of functionality right out of the box. The software ships with a dozen Knowledge Packs and more than 30 built-in, customizable, Web-enabled (i.e., easily viewed in a Web browser) reports. Knowledge Packs are predefined sets of filters, performance counters, and alerts that monitor and control your operating system (OS), applications, and hardware automatically. SeNTry EEM ships with Microsoft Access 97 runtime software, which provides basic database functionality. You can use SeNTry EEM with SQL Server, which is the database MCS recommends for medium to large enterprises.

SeNTry EEM's Performance Monitor monitors performance counters, compares the counters to definable thresholds, and writes an event-log entry when a counter exceeds its threshold. For example, SeNTry EEM notifies you immediately when your Web server's processor exceeds acceptable usage levels or your mail server receives more inbound connections per second than it can handle. The software can also monitor installed services and write an event-log entry if a particular service stops.

SeNTry EEM provides scalability. You can easily create a hierarchy of senders and gatherers using the software. SeNTry EEM routes events to gatherers so that staff members can review them and determine appropriate action. For example, a security staff member can monitor security-related events and a database-administration staff member can monitor database events from different locations simultaneously.
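The sender/gatherer/monitor pipeline, the importance classification, the threshold-driven Performance Monitor, and the split between security and database staff views described above are easy to see in a small model. The following is an added example written for this page, not SeNTry EEM code: the record layout follows NT's event-log fields (log name, event ID, event type, source), but the importance rules, the thresholds, the routing table, the event ID 9001 used for threshold events, and the sample records are all constructed here. The NT event IDs it recognizes (517 audit log cleared, 529 logon failure, 7034 service terminated unexpectedly, 17055 MSSQLServer informational) are assumed from memory, not taken from the review. Note that a gatherer like this, which the review says runs under a Domain Administrators account and holds every monitored host's security log in one database, is itself a high-value target; the example models the event flow only.

```python
"""Toy sender/gatherer/monitor pipeline modelled on the architecture the
review describes. Added example, not SeNTry EEM code: importance rules,
thresholds, routing table and sample records are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Event:
    ts: int          # seconds since an arbitrary epoch (constructed)
    host: str        # sender that forwarded the record
    log: str         # NT log: "System", "Security" or "Application"
    event_id: int
    etype: str       # Information/Warning/Error/Success Audit/Failure Audit
    source: str
    message: str

# Importance levels a gatherer assigns; list order is the ranking.
LEVELS = ["Low", "Medium", "High", "Critical"]

def classify(ev: Event) -> str:
    """Assign an importance level. Rules are constructed for this example;
    IDs 517/529/7034 are assumed NT 4 IDs for 'audit log cleared',
    'logon failure' and 'service terminated unexpectedly'."""
    if ev.log == "Security" and ev.event_id == 517:
        return "Critical"
    if ev.etype == "Failure Audit":
        return "High"
    if ev.etype == "Error":
        return "High" if ev.event_id == 7034 else "Medium"
    if ev.etype == "Warning":
        return "Medium"
    return "Low"

class Gatherer:
    """Central hub: stores every forwarded record (stand-in for the ODBC
    database) tagged with its importance, and serves monitor views."""
    def __init__(self) -> None:
        self.store: list[tuple[str, Event]] = []

    def ingest(self, ev: Event) -> str:
        level = classify(ev)
        self.store.append((level, ev))
        return level

    def view(self, pred: Callable[[Event], bool]) -> list[Event]:
        """A monitor view, e.g. all Security-log events across the enterprise."""
        return [ev for _, ev in self.store if pred(ev)]

    def alerts(self, min_level: str = "High") -> list[Event]:
        floor = LEVELS.index(min_level)
        return [ev for lvl, ev in self.store if LEVELS.index(lvl) >= floor]

class PerformanceMonitor:
    """Compares counter samples to thresholds and writes an event-log entry
    into the gatherer when a threshold is exceeded (event ID 9001 is made up)."""
    def __init__(self, gatherer: Gatherer, thresholds: dict[str, float]) -> None:
        self.g, self.thresholds = gatherer, thresholds

    def sample(self, ts: int, host: str, counter: str, value: float) -> Event | None:
        limit = self.thresholds.get(counter)
        if limit is None or value <= limit:
            return None   # unknown counter or within limits: no entry written
        ev = Event(ts, host, "Application", 9001, "Warning", "PerfMonitor",
                   f"{counter}={value} exceeds threshold {limit}")
        self.g.ingest(ev)
        return ev

# Who gets paged for which kind of event (constructed table, first match wins).
ROUTES: list[tuple[str, Callable[[Event], bool]]] = [
    ("security-oncall", lambda ev: ev.log == "Security"),
    ("dba-oncall",      lambda ev: ev.source.startswith("MSSQLServer")),
    ("sysadmin-oncall", lambda ev: True),   # catch-all
]

def route(ev: Event) -> str:
    return next(recipient for recipient, pred in ROUTES if pred(ev))

def logon_failure_bursts(events: list[Event], window: int = 60, count: int = 3) -> list[tuple[str, int]]:
    """Collapse repeated 529 logon failures per host into one alert when
    `count` of them fall within `window` seconds; returns (host, first_ts)."""
    by_host: dict[str, list[int]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.log == "Security" and ev.event_id == 529:
            by_host.setdefault(ev.host, []).append(ev.ts)
    bursts = []
    for host, times in by_host.items():
        for i in range(len(times) - count + 1):
            if times[i + count - 1] - times[i] <= window:
                bursts.append((host, times[i]))
                break
    return bursts

# Constructed sample of what senders on three hosts would forward.
SAMPLE = [
    Event(100, "web1", "System", 7034, "Error", "Service Control Manager",
          "The World Wide Web Publishing Service terminated unexpectedly."),
    Event(110, "dc1", "Security", 529, "Failure Audit", "Security", "Logon Failure (user: admin)"),
    Event(125, "dc1", "Security", 529, "Failure Audit", "Security", "Logon Failure (user: admin)"),
    Event(140, "dc1", "Security", 529, "Failure Audit", "Security", "Logon Failure (user: admin)"),
    Event(150, "sql1", "Application", 17055, "Information", "MSSQLServer", "SQL Server started."),
    Event(160, "dc1", "Security", 517, "Success Audit", "Security", "The audit log was cleared."),
]

def run_demo() -> dict:
    g = Gatherer()
    for ev in SAMPLE:
        g.ingest(ev)
    perf = PerformanceMonitor(g, {"Processor(_Total)\\% Processor Time": 90.0})
    perf.sample(170, "web1", "Processor(_Total)\\% Processor Time", 97.5)  # written
    perf.sample(171, "web1", "Processor(_Total)\\% Processor Time", 40.0)  # ignored
    return {
        "stored": len(g.store),
        "security_view": len(g.view(lambda e: e.log == "Security")),
        "alerts": [(route(ev), ev.event_id) for ev in g.alerts("High")],
        "bursts": logon_failure_bursts([ev for _, ev in g.store]),
    }

if __name__ == "__main__":
    print(run_demo())
```

The point of the burst collapse is the one a practitioner hits first with any such gatherer: three failed logons in a minute from one host is a single actionable alert, not three pages, and the same goes for a counter that hovers around its threshold, which is why `sample` writes nothing on the in-range reading.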

Installation and Testing
I installed SeNTry EEM's sender component on four NT 4.0 servers: three local network servers and one remote server reachable via the Internet. All four servers were running Service Pack 3 (SP3) and the latest hotfixes. My monitoring system consisted of a 200MHz Pentium processor with 32MB of RAM running NT Workstation 4.0, SP3, and the latest hotfixes.

SeNTry EEM's setup wizard simplifies the detailed, multistep installation process. I installed the ODBC 3.0 drivers the software needs to store collected information and the three core SeNTry EEM components onto my NT workstation. I chose an installation directory and defined a user account for the service to run under. (The user account must be a member of the Domain Administrators group.) I don't typically run SQL Server on my network, so I used the bundled Microsoft Access 97 software as the database back end for my test.

Next, I installed the sender component on my NT servers. SeNTry EEM can push the sender component to remote computers if you have administrative access on those computers. I encountered a problem when I tried to push the sender component to my Alpha-platform NT server using an Intel-based NT workstation. The push operation failed, and I received a message stating that the remote server was not an Intel-based server. I assumed that because the push routine determined the remote processor platform, the routine would also send the correct software for that platform. I was wrong. Thus, I had to physically visit the Alpha-based computer to load the sender component. Pushing the sender component from one Intel-based server to another worked fine. (Editor's note: According to MCS, SeNTry EEM now supports remote Alpha installation.)

After I installed the senders, I used SeNTry EEM's administrative tools to configure the senders to send the information they collected to the gatherer. After the senders were operational and sending data to the gatherer, I wanted to view the collected information. Because I like using a Web browser, I installed SeNTry EEM's Web-based Event Monitor. (I also installed the Knowledge Packs.) When I tried to use the Web-based Event Monitor, I discovered I hadn't manually configured it yet. Configuring the Web-based Event Monitor isn't difficult, but it's tedious. I manually configured a virtual directory on my workstation's Internet Information Server (IIS) Web server, granted the directory script-execution permission, removed anonymous user access, and added administrative user access. Then I manually configured an ODBC data source name (DSN) so the Web-based Event Monitor could hook into the gatherer's central database.

Manually configuring the Web-based Event Monitor was worth the time and effort. The monitor's interface is well designed. As Screen 1 on page 109 shows, the Web-based Event Monitor displays information in the same way that NT's built-in event-log application does. Double-clicking an event produces a pop-up window that provides details about the event.

The SeNTry EEM's gatherer handled as many as 50 events per second from each sender on my system. The software supports as many as 10,000 senders. Thus, you can integrate SeNTry EEM into the largest NT networks.

All Things Considered
SeNTry EEM isn't flawless, but it can provide an easy and efficient way to monitor your NT system. The software's scalability and functionality are impressive too.

SeNTry Enterprise Event Manager 2.5
Contact: Mission Critical Software * 713-548-1700 or 800-814-9130
Web: http://www.missioncritical.com
Price: $995 for one server license, $50 for one workstation license
System Requirements: Intel processor (or Alpha processor for sender only), Windows NT 3.51 or later, 5MB of RAM, 5MB of hard disk space for sender and gatherer, 5GB of hard disk space for central event database, Internet Explorer 3.02 or Netscape 3.4 for Web-based Event Monitor