What Is Event Log Monitoring?

Event log monitoring is the process of automatically monitoring the Windows event logs and performing a variety of actions based on the event properties, such as the event source, event message and so forth. It is good practice to install some sort of event log monitoring software on Windows servers (and possibly workstations), so that critical events that require intervention are forwarded to system administrators immediately. Event log monitoring is of course a requirement under many government regulations such as Sarbanes-Oxley, HIPAA and more. Many software companies offer event log monitoring solutions in various price ranges with a variety of features, though these products are most commonly used to email critical events and to consolidate security events into a central database.

NETIKUS.NET, the sponsor of myeventlog.com, has developed an affordable event log monitoring suite called EventSentry that includes a very flexible and advanced event log processing engine. The engine supports almost every imaginable monitoring scenario like thresholds, recurring events, timers, email summary and much more. EventSentry also has a free light edition called EventSentry Light that can be downloaded here. EventSentry also monitors any delimited (e.g. IIS, DHCP) and non-delimited (e.g. NTBackup) log files. Comprehensive System & Network monitoring features are also included, and Unix-based syslog logs can also be consolidated.


Is Event Log Monitoring Really Necessary?

Whether you administer one server or 500 servers, installing an event log monitoring solution is an effort that will pay off almost immediately. The event log is the central logging component in Windows, to which not only the operating system but also most hardware drivers and software applications log important information. If you rely on manual review of these logs, it is impossible to catch problems in time, even if you go through the logs every morning. Event log monitoring can notify you immediately, for example through email or instant messaging, when an important ERROR, WARNING or AUDIT FAILURE event is written to the event log.

Some event log monitoring products also offer advanced features like notifying you if more than 10 audit failures have been recorded during a certain amount of time, sending you summary emails with all VPN logins of the day, or notifying you when an expected event (e.g. a tape backup) did not occur.


Real-Life Examples

Hardware: If your server is running a RAID with redundant hard disks and one of the hard disks fails, then the RAID driver will most likely write an ERROR event to the SYSTEM or APPLICATION event log. With event log monitoring, you can receive an email almost immediately after this failure has been detected and take appropriate action. Without monitoring, the hardware failure could go unnoticed for several days, and the failure of a second hard disk can be fatal and force you to rebuild the server.

Software: It occasionally happens that an important system service (e.g. your anti-virus engine, spam engine, etc.) crashes due to an error. With event log and system monitoring you can be notified of this error immediately and take corrective action, such as downloading the latest version or restarting the service. Without monitoring, your anti-virus service could be stopped for hours or days and stop protecting your network.

Security: It is only a matter of time until somebody, whether a temporary employee, cracker, script kiddie or other individual with malicious intentions, attempts to gain unauthorized access to your network or resources. Without monitoring, you will have to manually review the security logs of the affected computer(s), most likely after the harm has already been done. With event log monitoring, you can be notified of failed authorization attempts immediately and take the appropriate actions. EventSentry can also notify you when a large number of AUDIT FAILURE events has occurred during a certain time period, e.g. more than 20 audit failures in 30 minutes. A threshold like this reduces the number of emails you receive from the monitoring application, since a burst of failures produces one notification instead of one email per event.
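The three rule types described above (forward every ERROR/WARNING/AUDIT FAILURE, alert once when more than N audit failures fall into a time window, and alert when an expected event such as a backup did not occur) can be expressed in a few dozen lines. The following is an added example written for this page, not EventSentry's own code or any product's API; the events are constructed sample data in a simplified tuple form, and the NTBackup event ID 9999 is a placeholder, not a documented ID. Event IDs 4625 (failed logon) and 7031 (service terminated unexpectedly) are standard Windows IDs.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events for this example (not taken from any real system):
# (timestamp, log name, event type, event ID, source)
BASE = datetime(2024, 1, 15, 8, 0, 0)
SECURITY_SRC = "Microsoft-Windows-Security-Auditing"
SAMPLE_EVENTS = [
    # Hypothetical backup-completed event; ID 9999 is a placeholder, not a real NTBackup ID
    (BASE, "Application", "INFORMATION", 9999, "NTBackup"),
    # Windows event 7031: a service terminated unexpectedly
    (BASE + timedelta(minutes=5), "System", "ERROR", 7031, "Service Control Manager"),
    # Windows event 7036: a service entered a new state (routine, not forwarded)
    (BASE + timedelta(minutes=6), "System", "INFORMATION", 7036, "Service Control Manager"),
]
# A burst of 25 failed logons (event 4625) one minute apart, 09:00 to 09:24
SAMPLE_EVENTS += [
    (BASE + timedelta(hours=1, minutes=i), "Security", "AUDIT FAILURE", 4625, SECURITY_SRC)
    for i in range(25)
]
# Three isolated failed logons in the afternoon, far below any sensible threshold
SAMPLE_EVENTS += [
    (BASE + timedelta(hours=6, minutes=10 * i), "Security", "AUDIT FAILURE", 4625, SECURITY_SRC)
    for i in range(3)
]

FORWARD_TYPES = {"ERROR", "WARNING", "AUDIT FAILURE"}


def should_forward(event):
    """Per-event rule: forward every ERROR, WARNING or AUDIT FAILURE as it is written."""
    return event[2] in FORWARD_TYPES


def audit_failure_bursts(events, threshold=20, window=timedelta(minutes=30)):
    """Threshold rule: raise one alert when `threshold` AUDIT FAILURE events fall
    inside a trailing `window`, then stay silent until the count drops below the
    threshold again, so a sustained burst produces one email rather than hundreds.
    Returns a list of (timestamp, count-in-window) pairs."""
    recent = deque()      # timestamps of audit failures inside the trailing window
    alerts = []
    in_burst = False
    for ts, _log, kind, _event_id, _source in sorted(events, key=lambda e: e[0]):
        if kind != "AUDIT FAILURE":
            continue
        recent.append(ts)
        while ts - recent[0] > window:   # expire failures older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if not in_burst:
                alerts.append((ts, len(recent)))
                in_burst = True
        else:
            in_burst = False
    return alerts


def expected_event_missing(events, source, event_id, not_before, deadline):
    """Expected-event rule: True if no event from `source` with `event_id` was
    logged between `not_before` and `deadline` (e.g. the nightly backup never ran)."""
    return not any(
        src == source and eid == event_id and not_before <= ts <= deadline
        for ts, _log, _kind, eid, src in events
    )


# Time windows in which the backup-completed event is expected on day 1 and day 2
BACKUP_WINDOW_DAY1 = (BASE - timedelta(hours=1), BASE + timedelta(hours=1))
BACKUP_WINDOW_DAY2 = (BASE + timedelta(days=1, hours=-1), BASE + timedelta(days=1, hours=1))

if __name__ == "__main__":
    forwarded = [e for e in SAMPLE_EVENTS if should_forward(e)]
    print(f"{len(forwarded)} events would be forwarded individually")
    for ts, count in audit_failure_bursts(SAMPLE_EVENTS):
        print(f"{ts}: {count} audit failures within 30 minutes")
    for label, (start, end) in (("day 1", BACKUP_WINDOW_DAY1), ("day 2", BACKUP_WINDOW_DAY2)):
        if expected_event_missing(SAMPLE_EVENTS, "NTBackup", 9999, start, end):
            print(f"{label}: expected backup event did not occur")
```

Run as a script, the sample data yields a single threshold alert at 09:19 (the 20th failure within 30 minutes) even though 25 failures follow each other, the three afternoon failures stay below the threshold, and the backup check fires only for day 2, where no backup-completed event exists. The `in_burst` flag is what turns a burst into one notification; without it, every further failure inside the window would re-trigger the rule.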


Agent-based versus Network-based Event Log Monitoring

Event log monitoring applications come in two flavors: agent-based or network-based (agentless).

Agent-based means that you will need to install some sort of agent (service) on all computers that are to be monitored. The advantage of agent-based monitoring systems is that they can monitor the event logs in real time, with a minimal amount of CPU time and network bandwidth. Agent-based systems usually don't impact the system noticeably and don't require a central computer designated to event log monitoring. Agents also continue monitoring when the network connection temporarily goes down or when the management server is rebooted. The disadvantage of agent-based systems is that you will need to roll out, install and maintain agents on all the monitored machines. This is usually not a problem, since the respective management application usually takes care of, or assists with, installing the agents on the remote machines. Agent-based systems also don't have a central point of failure, since every host literally monitors itself. We recommend agent-based monitoring solutions over network-based monitoring solutions for these reasons.

Network-based, also referred to as agentless, means that you will designate one or more servers or workstations (depending on how many hosts you monitor) in your local area network to monitor the event logs of your servers and/or workstations. The advantage of this approach is that you won't have to install or maintain agents on the machines to be monitored. Network-based systems have a significant drawback, however: they require that the event logs of the monitored computers are constantly polled by the monitoring computer (requiring significant amounts of both bandwidth and CPU time on the monitored computer), and they cannot notify you as quickly. This is because agents only become active when the event log changes (events are written), whereas a network-based solution has to poll the event logs periodically to detect changes. As such, an agent can notify you almost immediately of an important event, whereas a network-based solution can only notify you once the next monitoring cycle occurs. Network-based solutions also increase bandwidth usage, since events always have to be transferred to the monitoring server, even when they are not relevant.


Things To Consider

In addition to real-time monitoring, an ideal (event log) monitoring solution will give you the ability to consolidate and back up event logs into a database and native event log files (.evt). This feature is especially important when you are working with more than just a few machines, since it gives you the ability to query all event logs from one central location and have a safe backup at the same time. Plus, many organizations now require that the security event logs are stored in some sort of data repository for a certain number of days.

Some event log monitoring solutions also include other, more general monitoring features, such as system and network monitoring. This means that the installation and setup of an event log monitoring application will offer additional benefits at no additional cost. EventSentry, for example, offers log file, system health and network monitoring in addition to event log monitoring.