Logging and monitoring network server events has always been important for troubleshooting, trending, and long-term systems management. Although Windows NT Event Viewer can be useful for managing one system’s logs, Windows 2000 and NT don’t include extensive functionality for managing logs across multiple systems. Dorian Software Creations’ Event Archiver 3.2.25 and Event Analyst 1.3.52 work together to simplify enterprisewide collection, storage, and analysis of your network systems’ System, Application, and Security logs.
Event Archiver and Event Analyst are complementary but independent of each other. Event Archiver runs as a service to gather and archive event-log files from multiple Win2K and NT systems. Dorian Software designed Event Analyst to use predefined and custom configurations to process and create reports on Event Archiver’s saved event-log files. However, you can also use Event Analyst with a system’s live logs. Although you need to install the products on only one Win2K or NT workstation or server, you must purchase a license for each server and workstation you want to archive and analyze.
Event Archiver
Event Archiver consists of the Event Archiver control panel, which Figure 1 shows, and the Win2K or NT service. Installation on a Win2K Server machine on my small office/home office (SOHO) network proceeded without problems. Toward the end of the setup procedure, a pop-up box appeared that let me elect to install Microsoft Active Directory Service Interfaces (ADSI), which supports the use of Event Archiver on Win2K machines. To enable archival of remote systems’ logs, I opened the Event Archiver control panel and simply entered the highest-level trusted domain name for the systems whose logs I wanted to archive. I also needed to enter the account name and password for the Event Archiver service.
To test the product’s capabilities, I then needed to select the event logs that I wanted to archive and configure archival options for them. The Event Archiver control panel makes this process easy. When I clicked the Add a New Log button, an options box with two tabs appeared. On the Scheduling and Archiving Path tab, I selected the remote system and its log files that I wanted to archive. I also configured archival intervals (options include daily, weekly, and when the log is full). From this tab, I also specified the remote folder and share to which Event Archiver would write the archive files.
On the second tab, Data Collection, I configured the archive file’s format. Format options include an event (EVT) file, a Comma Separated Value (CSV) file, a Microsoft Access database, and an ODBC database (both database formats appear as simple tables). I found the Access database format useful because it lets you append successive archives to one database; you can then use Event Analyst to analyze log files for an extended period of time. I had set a daily archive interval but didn’t want to wait 24 hours between tests of the various archive file formats. To initiate instant archivals, I selected the logs I wanted to archive, then clicked the Event Archiver control panel’s Archive Now button.
To simplify management, I selected Data Collection’s option to move the completed archive files to the network share I had specified on the Scheduling and Archiving Path tab. Because all Event Archiver archive files, regardless of format, use the same <machine name><log type><date><time> file-naming convention, I could store all archive files in a centralized network folder without confusing them.
To enhance the product’s usefulness in enterprise environments, Event Archiver’s toolbar buttons let you access several wizards that easily unify multiple systems’ archival settings. For example, the Batch Log Registration Wizard let me select systems, then configure several of the standard archiving options that the Scheduling and Archiving Path tab and the Data Collection tab offer. The Unify Audit Policies Wizard is also useful. As Figure 2 shows, this wizard let me specify which Security log audit events I wanted to record. Finally, I used the Unify Log Setting Wizard to select which event logs to archive, the maximum log size for the When Full archival interval, and the retention period for the selected systems’ archived logs. Each wizard worked without problems to standardize all my test systems’ archival settings.
Event Analyst
Although you can use Event Archiver to view and export log files, Event Analyst, the recently released companion product to Event Archiver, processes these logs into more meaningful formats. Dorian Software designed Event Analyst to let you define filters or search for specific events, thereby culling this information from the archived files. Event Analyst also offers predefined summary reports that inform you about common events such as errors or user activity.
Event Analyst’s installation and setup on my SOHO’s Win2K Server machine was simple. Each time you start Event Analyst, you need to choose the Event Archiver files and live logs from which you want to retrieve information. If you use Event Analyst without Event Archiver, you can only retrieve information from live logs. If you run both products, you can retrieve information from both active logs and saved files. The Event Analyst GUI, which Figure 3 shows, lets you click toolbar buttons to execute the most common functions against the selected files and live logs. (When you open the Event Analyst GUI, a helpful dialog box appears that contains frequently asked questions about the product.) I found the GUI’s Event Log Record Position feature particularly useful for quickly looking through large files. The window includes a scroll bar, and its Seek to Date function lets you search for events by time frames.
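The following script is an added example and not Dorian Software’s code. It illustrates the two ideas the review describes: sorting centrally stored archive files by the machine/log/date/time naming convention, and then filtering and summarizing archived records the way Event Analyst’s Seek to Date, event filters, and summary reports do. The file-name separator, the CSV column layout, and the sample records are all constructed assumptions; Event Archiver’s real export format is not shown on this page.

```python
"""Filter and summarize archived Windows event-log records.

Added example, not Event Archiver's or Event Analyst's own code.
Assumptions (not from the original review):
  - archive names follow <machine>-<log>-<YYYYMMDD>-<HHMM>.<ext>; the review
    gives the field order but not the separator, so '-' is assumed
  - exported CSV columns are timestamp,machine,log,event_id,type,user,source
    (a constructed layout, not Event Archiver's real export schema)
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime

ARCHIVE_NAME = re.compile(
    r"^(?P<machine>[^-]+)-(?P<log>[^-]+)-(?P<date>\d{8})-(?P<time>\d{4})"
    r"\.(?P<ext>csv|evt|mdb)$", re.IGNORECASE)

# Constructed sample export; event IDs 528/529 are the NT logon success/failure
# audit events, 6008/7023 are System-log error events.
SAMPLE_CSV = """timestamp,machine,log,event_id,type,user,source
2001-03-14 01:55:12,SERVER1,Security,529,Failure Audit,jdoe,Security
2001-03-14 01:55:20,SERVER1,Security,529,Failure Audit,jdoe,Security
2001-03-14 01:56:03,SERVER1,Security,528,Success Audit,jdoe,Security
2001-03-14 02:10:44,WS07,System,7023,Error,N/A,Service Control Manager
2001-03-14 03:00:00,WS07,Application,1000,Information,N/A,MSSQLServer
2001-03-13 23:59:59,SERVER1,System,6008,Error,N/A,EventLog
"""


def parse_archive_name(name):
    """Split an archive file name into machine, log type and archival time."""
    m = ARCHIVE_NAME.match(name)
    if not m:
        raise ValueError("not an archive file name: %s" % name)
    return {"machine": m["machine"], "log": m["log"],
            "archived_at": datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M")}


def group_archives(names):
    """Group a centralized folder's file names by (machine, log), oldest first."""
    groups = defaultdict(list)
    for n in names:
        info = parse_archive_name(n)
        groups[(info["machine"], info["log"])].append((info["archived_at"], n))
    return {k: [n for _, n in sorted(v)] for k, v in groups.items()}


def load_events(csv_text):
    """Parse exported records; timestamps become datetimes, IDs become ints."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return events


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S") if s else None


def filter_events(events, start=None, end=None, event_ids=None, types=None):
    """Seek-to-date style window (inclusive) plus optional ID/type filters."""
    start, end = _ts(start), _ts(end)
    out = []
    for e in events:
        if start and e["timestamp"] < start:
            continue
        if end and e["timestamp"] > end:
            continue
        if event_ids and e["event_id"] not in event_ids:
            continue
        if types and e["type"] not in types:
            continue
        out.append(e)
    return out


def summarize_by_machine(events):
    """Counts per (machine, event type): the 'errors per system' summary."""
    return Counter((e["machine"], e["type"]) for e in events)


def failed_logons(events):
    """Failed-logon (529) count per user: the 'user activity' summary."""
    return Counter(e["user"] for e in events if e["event_id"] == 529)


if __name__ == "__main__":
    names = ["SERVER1-Security-20010314-0200.csv", "WS07-System-20010314-0200.csv",
             "SERVER1-Security-20010313-0200.csv"]
    for key, files in sorted(group_archives(names).items()):
        print(key, files)
    evts = load_events(SAMPLE_CSV)
    night = filter_events(evts, "2001-03-14 00:00:00", "2001-03-14 02:00:00")
    print("records in window:", len(night))
    print("per machine/type:", dict(summarize_by_machine(evts)))
    print("failed logons:", dict(failed_logons(evts)))
```

The inclusive time window mirrors the review's Seek to Date function; the two summary helpers show why appending successive daily archives to one store is worth the effort, since counts across several days' files are then a single pass.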