Program to monitor Event Logs on all servers and workstations?

Discussion in 'Windows Server' started by Paul Gibson, Jul 27, 2004.

  1. Paul Gibson

    Paul Gibson Guest

    I'm looking for a program to monitor and archive the Event Logs on all of my
    servers (5), and possibly my workstations (~150). Features I would like
    include:
    Monitor Windows NT/2000/XP/2003
    Save events in Microsoft SQL Server
    Summary of events (i.e. number of e-mails sent in the past 24 hours,
    number of failed logons, etc.)
    Notification of critical events (i.e. disk failure)
    Collect Syslog and SNMP events (not necessary, but nice)

    One of the concerns I have with the products I've found so far is how the
    events are collected. The products poll the network and pull the events
    rather than have an agent on each client which pushes the events to the
    server. There are two problems I see with this approach (although there may
    be more which I haven't considered):

    First, the server has to be able to find the computer. I have a number of
    computers which are rarely turned on (maybe once or twice a month), and I'm
    wondering what's going to happen if the server doesn't try to pull the
    events when the computers are turned on. This also applies to my traveling
    users who spend most of their time off-site; they may only be in the office
    once a week. I would think with an agent on the client computer, the client
    could push the events to the server at regular intervals, including just
    after Startup and at Shutdown, which seems like it would be more reliable.
    An agent could also compress and encrypt the data, which would be
    particularly useful over WAN or VPN. I suppose a server could be set to pull
    the events frequently so the rarely-used computers would be contacted when
    they're on, but that seems like it would waste resources the rest of the
    time.

    The second issue is the need for permissions to connect to the client. I
    assume the server would connect to IPC$, thus requiring an account on the
    computer or domain it's in. With a program which pulls the events, I
    potentially can see it trying to connect to a computer which it shouldn't be
    monitoring (say a visitor plugs a laptop into the network) and generating a
    whole bunch of audit failures--which could freak out another network admin.
    With an agent that pushes the events to the server, the agent would
    obviously have to be configured for the push, but I would think it would
    cause fewer errors.

    Any comments on these two concerns? Are these valid concerns?

    The products I've found so far which sound interesting (except they don't
    use an agent) are:
    GFI LANguard Security Event Log Monitor http://www.gfi.com/lanselm/
    Dorian Software
    Event Archiver http://www.doriansoft.com/eventarchiver/index.htm
    Event Alarm http://www.doriansoft.com/eventalarm/index.htm
    Event Analyst http://www.doriansoft.com/eventanalyst/index.htm
    EMCO EventLog Audit Professional
    http://www.emco.is/eventlog_auditpro/features.html

    I haven't tested any of them yet, but GFI sounds best so far. What other
    products are available at a reasonable cost?

    Please reply to the newsgroup! Thanks.

    Paul Gibson
     
    Paul Gibson, Jul 27, 2004
    #1
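    The push model Paul argues for (client agent keeps a cursor and pushes at startup, shutdown and on a timer; server dedupes and answers the wish-list queries), as an added example in Python; this is not code from any product named in the thread, and the host name, event records and the Collector/agent_push names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    host: str
    record: int        # per-host, increasing record number from the local event log
    time: datetime
    source: str
    event_id: int

# Constructed sample log for one rarely-connected laptop, in NT/2000/XP terms:
# Security 529 = failed logon, Disk 7 = bad block (the "critical" case from the post).
NOW = datetime(2004, 7, 27, 9, 0)
LAPTOP_LOG = [
    Event("laptop1", 1, NOW - timedelta(days=3), "Security", 529),
    Event("laptop1", 2, NOW - timedelta(hours=2), "Security", 529),
    Event("laptop1", 3, NOW - timedelta(hours=1), "Disk", 7),
]

class Collector:
    """Server side: accepts pushed batches (no need to locate clients or hold credentials
    for them) and dedupes by record number, since an agent that lost the ack resends."""
    def __init__(self):
        self.events = []
        self.cursor = {}          # host -> highest record number stored

    def receive(self, host, batch):
        last = self.cursor.get(host, 0)
        new = [e for e in batch if e.record > last]
        self.events.extend(new)
        if new:
            self.cursor[host] = max(e.record for e in new)
        return len(new)           # records actually stored

    def failed_logons(self, since):
        """Summary from the wish list: failed logons since a given time."""
        return sum(1 for e in self.events
                   if e.source == "Security" and e.event_id == 529 and e.time >= since)

    def critical(self):
        """Events that should alert immediately, e.g. disk errors."""
        return [e for e in self.events if e.source == "Disk"]

def agent_push(log, collector, acked):
    """Client side: send everything after the last acknowledged record. Run at startup,
    at shutdown and on a timer, so an off-site laptop catches up when it reconnects."""
    batch = [e for e in log if e.record > acked]
    if batch:
        collector.receive(batch[0].host, batch)
    return max((e.record for e in batch), default=acked)
```

    One caveat the cursor scheme does not cover: record numbers restart when a log is cleared, so a real agent would also send the log's creation time so the server can reset its cursor.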

  2. Have you looked at MOM?

    www.microsoft.com/mom

    You can configure collection rules, run reports and send alerts based on your event rules. It has admin packs for AD, SQL, Exchange etc. and uses agent-based collection. It's a pretty good product and is used in some very large installations, so it does scale out, although it has a few limitations when you get into hundreds of agents.

    Phil
     
    Phillip Renouf, Jul 27, 2004
    #2