EventID.Net GFI

Event Log Monitoring Made Easy with GFI EventsManager

If you have more servers than you can count without taking off your shoes, you are going to have a serious problem keeping up with all the event logs by hand. By the time you have to ask your coworkers to kick off their shoes, you are in a situation where logs are only looked at after something has happened, and you are trying to reconstruct events. Reactive log checking will never go away, but it’s the wrong approach to proper server management, and something that is very difficult to change, until now.

GFI EventsManager provides a simple server-based tool that can monitor event logs on all your Windows systems, servers and workstations, and can also incorporate syslog and SNMP feeds from your non-Windows servers and network infrastructure gear, giving you a one-stop shop for event logs, syslogs, and SNMP traps. Having a single place to look for logs from all your systems is nice, but that is only the least of GFI EventsManager’s capabilities.

GFI EventsManager can monitor, filter, report and alert on events it gathers from Windows systems, or that are sent to it from syslog or SNMP feeds. This takes the bulk of the heavy lifting off the admin’s shoulders, automating the parsing of logs and calling out interesting events, or those that require more interaction, before they become major problems for admins to deal with. We decided to take GFI EventsManager for a test drive, and share our impressions with you.

Installation

Installation is fairly straightforward, requiring a Windows server of modest capabilities. The minimum recommended hardware is a dual core box with 3GB of RAM, but you may want to go four cores and at least 4GB of RAM on a busy network with many devices to monitor, and don't go cheap on disk either. GFI EventsManager will go out and pull events from Windows boxes, and will also have to deal with feeds from your network gear, and those can get quite intense, especially where firewalls are concerned. It's hard to give good estimates since so many variables are involved, so I recommend you start with a VM that has at least 2 cores and 4GB of RAM on your tier 1 storage, and be ready to increase cores and RAM based on server performance. Expect disk requirements to grow as your logging retention period increases too.

You will also want to set up a service account that has admin rights on all Windows servers you wish to monitor. Rather than making you install an agent on your systems, GFI EventsManager uses this service account and the built-in Windows remote event log interfaces to gather event logs, and can push audit policy settings the same way, which is why it needs administrative rights. Keep in mind that an account with admin rights on every monitored server is a high-value credential: give it a long, unique password, restrict where it is allowed to log on interactively, and audit its use like any other privileged account. With your account set up and your operating system ready, installation is a fast and simple process, installing any missing prerequisites automatically.
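Before pointing EventsManager at a host, it is worth confirming from the collector that the service account can actually read that host's logs remotely. The following PowerShell snippet is an added example, not GFI's or EventID.Net's own code; the domain, account name and hostnames are placeholders.

```powershell
# Added example (not from GFI or EventID.Net): verify that the collector's
# service account can read event logs remotely before adding a host.
# Assumptions: domain CORP, account svc-eventsmgr, hosts FS01 and WEB01
# are all placeholder names.
$cred    = Get-Credential -UserName 'CORP\svc-eventsmgr' -Message 'Service account password'
$targets = 'FS01', 'WEB01'

foreach ($computer in $targets) {
    foreach ($log in 'Application', 'System', 'Security') {
        try {
            # Remote event log reads go over RPC (TCP 135 plus a dynamic port),
            # so a host whose firewall blocks them shows up here as an RPC error
            # rather than as an access-denied error.
            $evt = Get-WinEvent -ComputerName $computer -Credential $cred `
                   -LogName $log -MaxEvents 1 -ErrorAction Stop
            '{0,-8} {1,-12} OK   (newest: {2})' -f $computer, $log, $evt.TimeCreated
        } catch {
            '{0,-8} {1,-12} FAIL {2}' -f $computer, $log, $_.Exception.Message
        }
    }
}
```

Run it from the EventsManager server itself so the network path tested is the one the collector will use. A FAIL on the Security log alone usually means the account has rights on the box but not on that log; a FAIL on all three with an RPC message points at the firewall, and matches what EventsManager reports as "unreachable" during discovery.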


At the end of the installation process, GFI EventsManager will check for any updates to the application automatically, and then launch the admin console.

Initial configuration

GFI EventsManager will perform an automatic network discovery, finding and querying a domain controller for a list of all servers and workstations in your domain.


It will then go out and attempt to connect to each machine to confirm it can query logs. Any that are offline, or whose firewall blocks the remote event log ports, will be reported as unreachable. At the end of discovery, it will list the systems it found.

You can further group your Windows systems into categories including Database Servers, Print Servers, Web Servers, File Servers, and Email Servers.

Syslog

Non-Windows servers and your networking gear are not left out; you just have to configure them to push their events to EventsManager. Linux hosts, Cisco gear, and other networking equipment can use syslog, which can be configured to use a port other than the default 514 if necessary. Remember that a non-default port does nothing for confidentiality or integrity: plain syslog over UDP is unauthenticated and unencrypted, so keep the path between your devices and the collector on a trusted management network.
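A quick way to confirm that the EventsManager syslog listener is up on a non-default port, and that the firewall path to it is open, is to send a hand-built syslog message from another machine and check that it appears in the console. This PowerShell snippet is an added example, not GFI's or EventID.Net's own code; the collector hostname and port 5140 are placeholders, and the message follows the classic RFC 3164 layout that network gear and older Linux syslog daemons emit.

```powershell
# Added example (not from GFI or EventID.Net): send an RFC 3164 syslog test
# message to the EventsManager host on a non-default UDP port.
# Assumptions: 'eventsmgr.corp.example' and port 5140 are placeholders.
$collector = 'eventsmgr.corp.example'
$port      = 5140

# PRI = facility * 8 + severity; local0 (16) * 8 + informational (6) = 134
$facility = 16
$severity = 6
$pri      = $facility * 8 + $severity

# RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day padded by a space,
# not a zero, e.g. "Oct  5 14:03:22"
$now       = Get-Date
$timestamp = '{0} {1,2} {2}' -f $now.ToString('MMM', [cultureinfo]::InvariantCulture),
                                $now.Day,
                                $now.ToString('HH:mm:ss')
$hostname  = $env:COMPUTERNAME
$message   = "<$pri>$timestamp $hostname syslogtest: test message from $hostname"

# UDP is fire-and-forget: Send() succeeding only proves the packet left this
# host, so the real check is seeing the event in the EventsManager console.
$bytes = [System.Text.Encoding]::ASCII.GetBytes($message)
$udp   = New-Object System.Net.Sockets.UdpClient
try {
    $sent = $udp.Send($bytes, $bytes.Length, $collector, $port)
    "Sent $sent bytes to ${collector}:${port}: $message"
} finally {
    $udp.Close()
}
```

Once the test message shows up, the matching forwarding rule on an rsyslog host is `*.* @eventsmgr.corp.example:5140` (a single `@` sends over UDP, `@@` over TCP), and Cisco gear takes the equivalent `logging host` configuration with the same port.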

SNMP

SNMP is another option available for systems to send their events to GFI EventsManager.

Getting down to business

You're already too busy to look at logs on each and every system every day; that's why you are reading about GFI EventsManager. So let's look at what makes it useful immediately, and what can save you tons of time each day: the "All critical and high importance events" view. GFI EventsManager takes all the most important events, the ones you really don't want to ignore, and lists them in a quick and easy to consult section.

A quick check of this console tells you at a glance what is going on, and what needs attention. From any of these events, or any other, you can easily create an action, such as an alert that goes to email or text message, to ensure it is acted upon promptly. Here’s an example taken from a low disk space alert (Application event id 3):

You can chain actions together, and also build in logic using dozens of other event fields and conditionals.

No Chicken Little Syndrome

One of the best features in GFI EventsManager is what GFI calls Noise Reduction, but I like to call "the sky is falling". We all know that too many alerts lead to admins creating delete rules in Outlook, or turning their phones off after hours, and GFI understands this. A large number of the noisiest Windows events are already categorized as noise, and by default EventsManager will not alert on them. It does still log and archive them, so they are there when you need them for an investigation, but you won't have to deal with information overload in your alerts or your reports.

Reporting

GFI EventsManager has some very useful reports built in, including security-related, performance-related, and more. SharePoint customers will really love the reports that can detail SharePoint usage in readable form, while your security team will love being able to quickly see all failed logon attempts, and any changes to user accounts, groups, or policy objects. The reports can be viewed in the console, printed, or exported to either HTML or PDF format. Reports can be scheduled or run on demand, and can be emailed to a user or distribution group as needed.

Conclusion

GFI EventsManager is a great tool for systems administrators who need to get a handle on their logging, whether for proactive maintenance or for compliance with regulations like PCI. While it is a great product and works well with other GFI products like GFI LanGuard and GFI EndPointSecurity, don't plan on squeezing it onto an existing server. It's doing a lot of hard work, and needs the hardware (physical or virtual) to perform that job. I'm not saying it's a resource hog, but I don't want you to underestimate the hardware requirements either.

With support for SharePoint, IIS, SQL, Oracle, and even IBM iSeries, this is a tool that can really make a difference in your environment, simplifying and automating server log management, supporting forensic and other security initiatives, and enabling you to meet compliance requirements. Check out GFI EventsManager today with a free 30 day trial, downloadable from: http://www.gfi.com/downloads/register.aspx?pid=esm.
© Copyright 2001 - 2012 EventID.Net