I recently decided that we needed something here to monitor the events on our Windows servers. A long time ago we used to use Logcaster, but that got too pricey for us and we dumped it, the idea being to go to Microsoft MOM (see http://www.microsoft.com/mom/default.mspx, Microsoft Operations Manager Home). At that stage I tried MOM 2000, but gave up after I could never get it to work right. I waited and I waited; in the meantime we had nothing for event logs, and I knew we were missing out on some precious stuff. Well, I sort of had something: I was using OpManager (http://manageengine.adventnet.com/products/opmanager/, ManageEngine OpManager network monitoring software) to monitor our network routers and servers. This has some limited event log capability but nothing like what MOM does.
So, one day I got my TechNet and there was a MOM 2005 Beta, so of course I just had to try it. To cut a long story short, I went down the beta route, then the first release, and stuck with it right up to SP1. I remember the first few times I installed it saying to people that this was the single most useful piece of software I have ever seen (this view was to dramatically change 🙂). The management packs are great, and you start finding all sorts of things wrong with your servers that you didn’t know about. This is MOM’s strong point: it does a lot more than just handle event logs.
But, and there is always a but. When I install software I accept all defaults, especially with Microsoft software, as this is what usually works best. However, I am damned if I could ever get MOM to work properly. The issues are numerous, but the main one is the size of the databases it creates. I gave up when they maxed out at 30 GB, yes 30 GB, after just a couple of weeks of collecting data. I just kept having to make the databases bigger all the time. I am stuffed if I know what it was saving that was 30 GB, but I gave up; I could find no way around this. Of course also, once your databases go past 2 GB you can’t use MSDE, so you have to use SQL Server.
OK, before you think I am a MS basher, I am not. I like their products a lot, but I give this one a big minus. I spent days trying to fine tune and got nowhere; the way it is set up it is just way too complex, so if you are going to use this software be prepared to put in some time. Now I know there are going to be others that will disagree with me, that’s cool, maybe the way they set this product up makes sense to you, but I just find the architecture way too complex. I simply wanted something that would:
1) Collect all events into one central database.
2) Allow me to easily filter events I had no interest in, but leave that choice to me.
3) Send me an Email for important events.
So, one day I was looking around for something for one of my remote servers to let me know what was going on there, and I came across EventSentry. I had this in and working and doing valuable stuff in under an hour. From their web site at http://www.eventsentry.com/ (EventSentry: Real-Time Event Log Monitoring & Consolidation, System Health and Environment Monitoring):
“When it comes to monitoring your servers and workstations with one easy-to use product that covers all the bases, you can count on NETIKUS.NET’s EventSentry. You will be surprised to learn how easy and affordable monitoring with EventSentry can be, even with the wealth of features included!”
I have to tell you that is not far from the truth at all. This product does everything I wanted, in one very small footprint, easy to deploy package. It also does things MOM cannot do, one of the neat ones being that each agent emails its alerts from the server it is monitoring. That means that if the central configuration / database server goes down, everything still keeps working and events will go back into the database when the box comes back up. Each agent also talks direct to the database server; the main role of the central server is to change the configuration and deploy to the agents.
You can also choose between using MySQL and SQL Server as your database. Based on what I have seen so far MSDE would be a good enough fit. I strongly recommend using either MSDE or SQL Server with this product, it just works better. If you want to use MySQL you have to deploy the MySQL ODBC driver to each server, no big deal, but I had heaps of trouble with high CPU usage with MySQL 5.x and went back to MSDE.
You can also attach a temperature and humidity sensor to the servers with agents. This works really well and logs both of these to the event log, which in turn it processes; mine sends me an email if my server room goes over 26 degrees C. Apart from that, setting up filters is a snap. They are just very basic include or exclude filters that can be based on any part of an event, i.e., just the event number, or very fine grained, like event number, log, and with a certain word in them, etc.
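The include/exclude filtering described above, sketched as an added example (not code from this post and not EventSentry's own configuration or API). The `Filter` class, the target names, the precedence rule (an exclude for a target overrides its includes) and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    action: str                     # "include" or "exclude"
    target: str                     # "database" or "email"
    log: Optional[str] = None       # None = match any value
    type: Optional[str] = None
    event_id: Optional[int] = None
    word: Optional[str] = None      # case-insensitive substring of the message

    def matches(self, ev: dict) -> bool:
        return ((self.log is None or self.log == ev["log"])
                and (self.type is None or self.type == ev["type"])
                and (self.event_id is None or self.event_id == ev["id"])
                and (self.word is None or self.word.lower() in ev["text"].lower()))

def targets_for(ev: dict, filters: list) -> set:
    """Assumed precedence: a target gets the event if any include filter
    matches and no exclude filter for that same target matches."""
    inc = {f.target for f in filters if f.action == "include" and f.matches(ev)}
    exc = {f.target for f in filters if f.action == "exclude" and f.matches(ev)}
    return inc - exc

def route(events: list, filters: list) -> list:
    return [(ev["id"], sorted(targets_for(ev, filters))) for ev in events]

# Hypothetical policy modelled on the post: store errors and audit failures,
# skip everything else, e-mail only a few events.
FILTERS = [
    Filter("include", "database", type="Error"),
    Filter("include", "database", type="Audit Failure"),
    Filter("include", "email", type="Audit Failure"),
    # fine-grained: event number + log + a word in the message
    Filter("include", "email", log="System", event_id=7034, word="terminated unexpectedly"),
    # coarse: event number only
    Filter("exclude", "database", event_id=1030),
]

# Constructed sample events, not taken from any real server.
EVENTS = [
    {"log": "Security", "type": "Audit Failure", "id": 529, "text": "Logon Failure: unknown user name or bad password"},
    {"log": "Security", "type": "Audit Success", "id": 540, "text": "Successful Network Logon"},
    {"log": "System", "type": "Error", "id": 7034, "text": "The Print Spooler service terminated unexpectedly."},
    {"log": "Application", "type": "Error", "id": 1030, "text": "Windows cannot query for the list of Group Policy objects."},
]

if __name__ == "__main__":
    for event_id, targets in route(EVENTS, FILTERS):
        print(event_id, targets or "dropped")
```

Keeping the database and e-mail decisions as separate targets means a noisy event can be silenced in one place without losing it in the other.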
Other high points:
A very clean and easy to understand web interface
A really fast search of historical events
Inbuilt heartbeat monitor
Heartbeat data can be logged to a database.
Really cool looking flash driven dashboard for your favorite servers
Process tracking and reports
Service monitoring and reports
Disk space charts and reports
In short this did everything I wanted with a very low price, first class support, a super easy to understand administration program, and the list goes on. If you are looking at event log consolidation at least give this a try, you have very little to lose. You don’t need to log to a database if you don’t want to, but it is highly recommended that you do (for the web interface you need this).
So, database space. OK, I am not logging information event messages, warning event messages, or audit success just yet, but I am logging all errors and audit failures from all logs on all 18 servers. I wanted to first see how much space this was using up; over a 2 month period my log file has not grown at all and the database file is 90 MB 🙂 I will next turn on audit successes so I can use the logon tracking, which I don’t really need but it would be nice (I have been told that this is not necessary, i.e. you don’t have to log audit success to the database for this to work).
OK, the best part, CPU use. I have this installed on one of my mini-ITX boxes. I usually use these for monitoring software etc., so they don’t generate a lot of heat and have low power requirements. This was a bit of an experiment, so I have Windows Server 2003 SP1, MSDE and EventSentry plus IIS with the EventSentry web interface (good old ASP) all running on the same little box, which has a VIA Nehemiah 800 MHz fanless motherboard with 512 MB RAM. This thing never goes above 3% CPU, 4% with an open RDP session, and runs on 12 volts using about 4 amps. (Via EPIA Mini-ITX M/B SP8000E with Fanless 800MHz CPU)
Please note, I have no ties with Netikus 🙂