EventID.Net GFI

Windows Event Log Monitoring – Where do I start?

The life of a Windows administrator can be quite a hectic one. Things are always happening, the phones ring, the emails pour in, everything is urgent and, yes, the servers have to be monitored so that nothing bad happens to them at any point in time. When something does happen, everyone wants to know why it wasn't prevented by monitoring all of the server's vital statistics and acting before it occurred.

For important servers such as domain controllers, one would ideally check the logs every 5 minutes for errors such as applications crashing or communication failures, any attempt to use restricted accounts or files, password guessing, logins outside working hours and so on. The typical approach is to let things happen and react when the problem becomes visible or users start to complain (and yes, they will be in the middle of a very important project that is now being held up by these servers that have not been monitored properly). In many cases this is what happens, and in all of them money is lost through lack of productivity or through resources being diverted to firefight this type of problem.

Firefighting

Monitoring can be a tedious, thankless job, and it is just a matter of time before it becomes neglected. For larger environments, manual monitoring is practically impossible, and the human resources required to even attempt to implement such a monitoring policy are prohibitively expensive. The logical solution is to outsource this task to software that performs the monitoring and alerts the human admins only when something worthy of attention happens.

There are many software packages on the market that claim to monitor Windows servers. Some simply dump all the event logs into a common repository and leave it to the administrator to decide what's important and what isn't. While this is better than nothing, it's far from perfect. So, what would the ideal tool look like? A well-designed monitoring tool would mimic the actions of a senior Windows administrator: access all the logs on a regular schedule (based on how important the monitored resources are), parse the events, identify the ones worth reporting and raise alarms if necessary. One such package is GFI EventsManager 2011, the latest version from an established line of network monitoring solutions. We have recently upgraded our monitoring system to EventsManager 2011 and would like to share the pros and cons of this product.

PROS:

Very simple installation process – The software creates its own database, configures all the monitoring rules needed to cover a typical Windows infrastructure, checks for updates, and starts working right away. An upgrade works the same as a new install. Servers and workstations can be added to different monitoring groups and, if desired, EventsManager can scan the local domain and add the computers it finds to default groups.

Quick view dashboard – The management interface features a dashboard giving a quick view of very important events such as failed logins, administrator logins, services being stopped or started and others. In a matter of days, administrators are able to see the “normal” patterns of such events and quickly identify unusual spikes in these events, always a sign that something happened that may require investigation.

Events Manager Console

Agentless – There is no software to install on the monitored servers. EventsManager simply polls the monitored computers at intervals corresponding to their importance and stores all the collected data in its database. This may not seem that important, but in our experience there are always complications with agents installed on remote servers (such as updates, crashes, resources used, and compatibility with the various combinations of Windows versions and service packs).

Preconfigured Rules – This is one of the best features of EventsManager. It includes event processing rules for hundreds of types of events, categorizing them into the typical groups a senior Windows engineer would use, such as Noise Reduction, Unexpected Shutdowns, Applications crashing or hanging and many, many others. Various actions can be applied selectively to the events that match one rule or another. One can have EventsManager up and ready to use in a matter of minutes, and these rules may save hundreds of hours of senior-level resources.

Rules

Compliance Reports – Most IT security policies require reporting compliant with various pieces of legislation such as the Sarbanes–Oxley Act (SOX). Examples of SOX reports are user logons and logoffs, failed logins, password policy changes and several others. Creating these reports from scratch can be a lengthy process. Fortunately, EventsManager contains templates for all the reports required by various compliance acts: SOX, HIPAA, PCI DSS and others.

SOX Reports

Real-time Alerts – Need to know when someone logs in with the Administrator account (even when the IT security policy does not allow that account to be used without special approval)? Why not get notified of all critical events? EventsManager allows the creation of customized alerting options (if the default ones are not enough), including email, SMS, SNMP, running scripts or sending network messages.
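The kinds of rule the article has described so far (password guessing and logins outside working hours at the top, the dashboard's "unusual spike" in the Quick view section, and the Administrator logon alert just above) are easy to show in code. The following is an added example written for this page, not GFI's or EventsManager's code: it runs three constructed rules over constructed Windows Security log records and a constructed per-day tally. Event IDs 4624 (successful logon) and 4625 (failed logon) are real Windows event IDs; the account names, hosts, timestamps, working hours, thresholds and daily counts are all assumptions.

```python
"""Added example (not GFI's or EventID.Net's code): a few event-processing
rules of the kind the article describes, run over constructed Windows
Security log records.  Event IDs 4624 (successful logon) and 4625 (failed
logon) are real Windows event IDs; every account, host, timestamp, threshold
and per-day count below is an assumption made up for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records carrying only the fields the rules need.
SAMPLE_EVENTS = [
    {"time": "2012-03-05T09:12:00", "id": 4624, "account": "jsmith", "host": "DC01"},
    {"time": "2012-03-05T02:41:00", "id": 4624, "account": "jsmith", "host": "DC01"},
    {"time": "2012-03-05T10:00:00", "id": 4624, "account": "Administrator", "host": "DC01"},
    {"time": "2012-03-05T11:00:05", "id": 4625, "account": "svc_backup", "host": "FS01"},
    {"time": "2012-03-05T11:00:20", "id": 4625, "account": "svc_backup", "host": "FS01"},
    {"time": "2012-03-05T11:00:41", "id": 4625, "account": "svc_backup", "host": "FS01"},
    {"time": "2012-03-05T11:01:03", "id": 4625, "account": "svc_backup", "host": "FS01"},
    {"time": "2012-03-05T11:01:30", "id": 4625, "account": "svc_backup", "host": "FS01"},
    {"time": "2012-03-05T16:30:00", "id": 4625, "account": "mjones", "host": "FS01"},
]

# Constructed per-day failed-logon counts, as a dashboard would tally them.
DAILY_FAILED_LOGONS = {"2012-03-01": 12, "2012-03-02": 15, "2012-03-03": 9,
                       "2012-03-04": 14, "2012-03-05": 61}

WORK_HOURS = (8, 18)                        # assumed working hours, 08:00-18:00 local
PRIVILEGED_ACCOUNTS = {"Administrator"}     # assumed list of accounts to always alert on
FAILED_LOGON_THRESHOLD = 5                  # failures per account ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ... within this sliding window


def parse(record):
    """Convert the ISO timestamp string into a datetime; other fields pass through."""
    event = dict(record)
    event["time"] = datetime.fromisoformat(record["time"])
    return event


def rule_off_hours_logon(events):
    """Successful logons whose hour falls outside the working-hours window."""
    start, end = WORK_HOURS
    return [("off_hours_logon", e["account"], e["host"], e["time"].isoformat())
            for e in events
            if e["id"] == 4624 and not (start <= e["time"].hour < end)]


def rule_privileged_logon(events):
    """Any successful logon with an account on the privileged list."""
    return [("privileged_logon", e["account"], e["host"], e["time"].isoformat())
            for e in events
            if e["id"] == 4624 and e["account"] in PRIVILEGED_ACCOUNTS]


def rule_password_guessing(events):
    """Repeated failures against one account inside a sliding time window."""
    alerts = []
    recent = defaultdict(list)      # account -> timestamps of its recent failures
    for e in sorted((e for e in events if e["id"] == 4625), key=lambda e: e["time"]):
        window = recent[e["account"]]
        window.append(e["time"])
        # Discard failures that have fallen out of the window.
        while e["time"] - window[0] > FAILED_LOGON_WINDOW:
            window.pop(0)
        if len(window) >= FAILED_LOGON_THRESHOLD:
            alerts.append(("password_guessing", e["account"], e["host"], e["time"].isoformat()))
            window.clear()          # one alert per burst, not one per extra failure
    return alerts


def run_rules(records):
    """Apply every rule to the raw records and return the combined alerts."""
    events = [parse(r) for r in records]
    alerts = []
    for rule in (rule_off_hours_logon, rule_privileged_logon, rule_password_guessing):
        alerts.extend(rule(events))
    return alerts


def spike_days(daily_counts, factor=3.0):
    """Days whose count exceeds `factor` times the median of all days: the
    'unusual spike' the dashboard lets an administrator spot by eye."""
    baseline = median(daily_counts.values())
    return sorted(day for day, n in daily_counts.items() if n > factor * baseline)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
    print("spike days:", spike_days(DAILY_FAILED_LOGONS))
```

Each rule returns tuples instead of printing them, so the same result can be handed to whatever action is configured (email, SMS, SNMP or a script); `run_rules` combines them, and `spike_days` is the baseline comparison that a dashboard otherwise leaves to the administrator's eye. The sliding window in `rule_password_guessing` is what keeps five failures spread over a day from being mistaken for a burst.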

Alerts

Event browsing and filtering – This is the feature we used the most, looking for “interesting” events and viewing all Critical-level events with a single mouse click. In some cases we used the filtering option to narrow down the list of events. This can easily replace the Event Viewer shipped with Windows, and it includes all the events captured by EventsManager (from remote servers as well). Many events, especially those related to security, have their normal cryptic “Microsoft” description enhanced with a detailed explanation of the event. There are also direct links to the www.eventid.net database of events.

Here is an example of a high-importance event, a failure to install an application:

Browser

An administrator can create their own queries through a very intuitive interface. All queries (built-in and custom) can be used to export the matching events to an HTML report. Even better, by right-clicking an event, an administrator can create a custom rule from it, prefilled with the event ID, category, log and type. We used this to “silence” some applications that were logging more information than necessary. In a similar fashion, one can create a query prefilled with the computer name and the source of that event. Of course, the query can be customized with additional information.

Fast Scanning – We investigated the “inner” workings of EventsManager and saw that it optimizes network traffic, retrieving only the information that is required and nothing else. Local cache mechanisms are used to avoid retrieving redundant information. According to GFI, it can scan and store up to 6 million events per hour.

Windows Audit – EventsManager automatically performs a few critical checks on all the applicable systems.  Amongst these critical checks:
- Detection of inactive users (users who haven’t logged on during the last 30 days)
- Detection of inactive machine members in a domain (machines not used during the last 30 days)
- Slow responses to ping (this may be a sign of a congested network or other network-related issues)
- Disk volumes running out of space (always a potential issue, and one that can affect a large number of users and applications)
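The inactive-account and free-space checks in the list above, as an added example that is not GFI's code. The 30-day threshold is the one the article states; the 10 % free-space threshold, the reference date, and every account, host and volume size are constructed for the example. Computer accounts are told apart from user accounts by the trailing `$` that Active Directory puts on a computer's account name.

```python
"""Added example (not GFI's or EventID.Net's code): the inactive-account and
low-disk-space checks from the audit list, run over constructed inventory
data.  The 30-day threshold is the article's; everything else is assumed."""
from datetime import datetime, timedelta

INACTIVITY_THRESHOLD = timedelta(days=30)          # stated in the article
FREE_SPACE_THRESHOLD = 0.10                        # assumed: warn below 10 % free
REFERENCE_TIME = datetime(2012, 3, 5, 12, 0, 0)    # assumed "now", so runs are repeatable

# Constructed directory records.  Active Directory computer accounts carry a
# trailing '$' in their account name; last_logon None means never logged on.
ACCOUNTS = [
    {"name": "jsmith",      "last_logon": "2012-03-04T17:55:00"},
    {"name": "tleaver",     "last_logon": "2012-01-12T09:03:00"},
    {"name": "contractor7", "last_logon": None},
    {"name": "WS-LOBBY$",   "last_logon": "2011-12-30T08:00:00"},
    {"name": "DC01$",       "last_logon": "2012-03-05T00:01:00"},
]

# Constructed volume records, sizes in bytes.
VOLUMES = [
    {"host": "FS01", "volume": "C:", "size": 100 * 2**30, "free": 38 * 2**30},
    {"host": "FS01", "volume": "D:", "size": 2000 * 2**30, "free": 90 * 2**30},
    {"host": "DC01", "volume": "C:", "size": 60 * 2**30, "free": 4 * 2**30},
]


def inactive_accounts(accounts, now=REFERENCE_TIME, threshold=INACTIVITY_THRESHOLD):
    """Return (kind, name, days_idle) for every account not seen within `threshold`.
    kind is 'machine' for computer accounts and 'user' otherwise.  An account that
    has never logged on is reported with days_idle None rather than skipped: a
    stale but never-used account is still an account somebody could use."""
    findings = []
    for acct in accounts:
        kind = "machine" if acct["name"].endswith("$") else "user"
        if acct["last_logon"] is None:
            findings.append((kind, acct["name"], None))
            continue
        idle = now - datetime.fromisoformat(acct["last_logon"])
        if idle > threshold:
            findings.append((kind, acct["name"], idle.days))
    return findings


def low_space_volumes(volumes, threshold=FREE_SPACE_THRESHOLD):
    """Return (host, volume, percent_free) for volumes below the free-space threshold."""
    findings = []
    for vol in volumes:
        fraction_free = vol["free"] / vol["size"]
        if fraction_free < threshold:
            findings.append((vol["host"], vol["volume"], round(100 * fraction_free, 1)))
    return findings


if __name__ == "__main__":
    for finding in inactive_accounts(ACCOUNTS):
        print("inactive:", finding)
    for finding in low_space_volumes(VOLUMES):
        print("low space:", finding)
```

Both checks take their thresholds as parameters so the same code can be run with a stricter or looser policy, and the reference time is injected rather than read from the clock so that a report can be reproduced later during an investigation.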

Support for syslog and SNMP traps – This feature enables EventsManager to collect logs from a wide variety of network devices such as routers, switches, firewalls, and VPN devices.

SQL Server and Oracle Auditing – EventsManager is capable of auditing the important events taking place on a database server, such as logons/logoffs, execution of stored procedures or statements, error messages and other records deemed important for a Microsoft SQL Server or Oracle database server.

Ability to run in virtual environments – This is becoming more and more important for many organizations as they recognize the advantages of virtualization. We are in fact running EventsManager on a Windows 2008 guest OS on VMware and have not encountered any problems. According to GFI, EventsManager can also run on Microsoft Virtual Server and Microsoft Hyper-V.

Events Archiving – Even a medium-sized organization can record millions of events a day that have to be kept for investigation and compliance purposes. This is not an easy task, and keeping them all in a database is not practical unless substantial investments are made in the database servers. EventsManager implements an auto-archiving algorithm that dumps event archives to flat files that can be queried on demand.

Polling status – Wondering whether a computer has been checked? The Job Status interface shows in real time what is being polled, along with a history of which logs have been processed and from which machines.

Integration with other GFI products – For those who own several GFI products, such as GFI EndPointSecurity or LANguard, EventsManager integrates their reporting capabilities and compliance monitoring.

CONS:

Resource Intensive – The server running EventsManager has to be capable of supporting both the scanning engine and the database used to store the events. The program is CPU intensive, but it only uses the processor’s idle cycles. Depending on how many computers have to be scanned and processed, it may be necessary to use a separate SQL Server for data storage. This is especially true when using the companion product GFI ReportCenter to its full capabilities. However, if there are only a few servers to monitor, even SQL Server Express (the free edition) can be used.

Scheduled HTML Reports – This may be a matter of preference, but we would have liked to receive the scheduled reports in HTML format rather than PDF.

Collection of Syslog and W3C Events – For devices that do not generate a large amount of logging traffic, EventsManager’s ability to collect their logs is quite useful. However, if a device such as a large firewall or a heavily used website sends its logs (syslog and W3C) to EventsManager, the statistics generated from them are not as detailed as those provided for Windows events.

© Copyright 2001 - 2012 EventID.Net