Please Note: This article is valid for EventReporter 8.x and lower in addition to WinSyslog 7.x and lower!
Monitoring Windows NT/2000/XP/2003 systems is important for environments of every size, from small to large. The MonitorWare line of products helps accomplish this task. This article helps you establish a small setup to monitor your Windows NT/2000/XP and 2003 systems.
This article is strictly task focused. It does not describe why the systems should be monitored, nor does it provide any further background; please see the respective backgrounders or each product's documentation for that. It is a step-by-step description of what you need to do in order to centrally monitor your Windows NT/2000/XP and 2003 systems.
Centralized Windows Monitoring
In this step-by-step guide, EventReporter is configured to work together with Adiscon’s WinSyslog to store the event summaries generated for the monitored servers and other devices in a central database.
This guide focuses on a typical small to medium business topology with a single geographical location, five Windows clients and a central hub server. All systems are well connected via a local Ethernet. Event reports from all machines should be stored in a database.
What you need
In this guide, I focus on building a solution with Adiscon’s EventReporter and WinSyslog. This combination allows you to centralize all your event logs. Free 30-day trial versions are available at the respective product sites (links below), so you can try the system without having to buy anything. You need to run the following products:
- One EventReporter for each system that is to be monitored. In our scenario, this means 6 copies: one for each client and one for the central hub server, if you want to monitor the hub server as well.
- One WinSyslog to receive and store event reports from the EventReporter monitoring agents.
Notes:
- You need administrative privileges on each of the machines. This is required both for installation and configuration. Make sure you log on with a sufficiently privileged user account.
Step 1 – Download Software
If you downloaded your copies a while ago, check the web sites for new versions: security and monitoring is a fast-moving business, and new product versions can appear quickly. Please visit www.eventreporter.com/en/download and www.winsyslog.com/en/download to download the latest versions of EventReporter and WinSyslog.
Step 2 – Install WinSyslog
Identify the system WinSyslog should run on and take note of its IP address or host name. You’ll need this value when configuring the EventReporter clients. For our example, I assume this system has the IP address 192.168.0.1.
Run the WinSyslog setup with default parameters. When setup has finished, WinSyslog is automatically configured to operate as a simple syslog server. However, it does not yet write to a database as we need it to. We’ll set up WinSyslog to write data into the database later.
Step 3 – Install EventReporter
Run the EventReporter setup program on all systems that should be monitored. This means you need to run it on all five clients and on the central hub server (which, as mentioned above, is also to be monitored).
For larger installations (with many more servers) there are ways to set it up in a simpler fashion, but in a scenario like ours it is faster to install it on each machine manually. You can install it with the default settings. When setup has finished, the program is automatically configured to operate as a simple event reporter. However, it does not yet log to our database as we need it to, so we will change this, either on each of the machines or by launching the client on one machine and remotely connecting to the others. It is our choice. In this sample, I use EventReporter on each machine, as that is easier to follow.
Step 4 – Create a RuleSet for Forward by Syslog
The steps to configure EventReporter on each machine are as follows (repeat this on each of the five client machines). This step does not need to be done on the central hub server!
1. Start EventReporter.
2. Select your language – in this example, I use English, so it might be a good idea to choose English even if that is not your preference. You can change it any time later, but using English makes it much easier to follow this guide here.
3. Then define a new rule set, right click “Rules”. A pop up menu will appear. Select “Add Rule Set” from this menu. On screen, it looks as follows:
4. Then, a wizard starts. Change the name of the rule to whatever name you like. We will use “Forward Syslog” in this example. The screen looks as follows:
Click “Next”. A new wizard page appears as shown below:
Select only “Forward Syslog” here. Do not select any other options for this example. Also, leave the “Create a Rule for each of the following actions” setting selected. Click “Next”. You will see a confirmation page as shown below; click “Finish” there.
5. After the above steps you will see that the new Rule Set “Forward Syslog” is present. Expand it in the tree view down to the action level of the “Forward Syslog” rule and select the “Forward by Syslog” action to configure it.
6. Now, type the IP address or host name of our central hub server in the “Syslog Server” field:
7. Make sure you press the “Save” button – otherwise your changes will not be applied.
Step 5 – Create a RuleSet for database logging
This step needs only to be done on the central hub server!
1. Start WinSyslog
2. Again, you can select the language to use. And again, I suggest using English, as this makes the guide easier to follow.
3. Then define a new rule set, right click “Rules”. A pop up menu will appear. Select “Add Rule Set” from this menu. On screen, it looks as follows:
4. Then, a wizard starts. Change the name of the rule to whatever name you like. We will use “Database Logging” in this example. The screen looks as follows:
Click “Next”. A new wizard page appears, just as in the case of EventReporter. Select only “Database Logging” here. Do not select any other options for this example. Also, leave the “Create a Rule for each of the following actions” setting selected. Click “Next”. You will see a confirmation page as in the case of EventReporter; click “Finish” there.
5. After the above steps you will see that the new Rule Set “Database Logging” is present. Expand it in the tree view down to the action level of the “Database Logging” rule and select the “Database Logging” action to configure it.
6. Now click on the “Data Sources (ODBC)” button to open the ODBC Data Source Administrator. Then choose the “System DSN” tab and click the “Add” button to add a new System DSN (select the Microsoft Access driver as in the screenshot below).
7. In the next step, click the “Select” button, go to the WinSyslog installation directory (usually C:\program files\WinSyslog\) and choose the sample database called sample97.mdb. After that, name the new DSN “MyDatabaseDSN” as in the following screenshot and press OK.
8. Now close the ODBC Data Source Administrator, switch back to the MonitorWare Agent Client and enter “MyDatabaseDSN” in the DSN field. Leave all other settings at their defaults and save the changes.
Step 6 – Create an Event Log Monitor Service
The steps to configure the EventReporters are as follows. Repeat this step on each of the 5 client machines and on the central hub server, if you want to log events from there as well.
Also make sure that only one Event Log Monitor service is active at a time. EventReporter 7.0 is installed with a default Event Log Monitor service. You can use that one or create a new one by following these instructions:
1. First, right-click on “Running Services”, then select “Add Service” and the “Event Log Monitor”.
Once you have done so, a new wizard starts.
2. Again, you can use either the default name or any one you like. We will use “My Event Log Monitor” in this sample. Leave the “Use default settings” selected and press “Next”.
3. As we have used the default, the wizard will immediately proceed with step 3, the confirmation page. Press “Finish” to create the service. The wizard completes and returns to the configuration client.
4. Now, you will see the newly created service beneath the “Services” part of the tree view. To check its parameters, select it:
As you can see, the service has been created with the default parameters.
Please note that the “Default RuleSet” has been automatically assigned as the rule set to use. By default, the wizard will always assign the first rule set visible in the tree view to new services. In our case, this is not correct and will be corrected later.
5. Click Advanced Options button in General Options group box. You will be shown a pop up as shown below:
Here, check “Use Legacy Format”. As soon as you check this box, the check boxes that are currently disabled become enabled; uncheck “Add Username” and “Syslog Message Numbers”.
6. Now we have to make sure that the EventReporters use the “Forward Syslog” RuleSet we created in Step 4. Select it as the rule set to use.
7. Finally, save the changes and start the EventReporter service. This procedure completes the configuration of the event log forwarder.
EventReporter is not able to dynamically read changed configurations, so it needs to be restarted after such changes. In our sample, the service was not yet started, so we simply need to start it. If it is already running, you need to restart it.
With Step 6, the configuration of the client machines is finished. All the following steps concern only the central hub server.
Step 7 – Create a Syslog Server Service
The steps to configure the central WinSyslog are as follows (only on central hub server!):
1. First, right click on “Services”, then select “Add Service” and the “Syslog Server”.
Once you have done so, a new wizard starts.
2. Again, you can use either the default name or any one you like. We will use “My Syslog Server” in this sample. Leave the “Use default settings” selected and press “Next”.
3. As we have used the default, the wizard will immediately proceed with step 3, the confirmation page. Press “Finish” to create the service. The wizard completes and returns to the configuration client.
4. Now, you will see the newly created service beneath the “Services” part of the tree view. To check its parameters, select it:
As you can see, the service has been created with the default parameters.
5. To use the “Database Logging” RuleSet we created in Step 5, select it as the rule set to use.
6. Last, save the change and then restart the WinSyslog service. This procedure completes the configuration of the syslog server.
WinSyslog cannot dynamically read changed configurations. As such, it needs to be restarted after such changes.
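Once both sides are restarted, it pays to confirm that the path actually works end to end. The following script is an added example (not Adiscon's or this guide's code): it sends a marker syslog message to the hub, reads recent rows back through the DSN and reports clients that have gone silent. The hub address and DSN name are taken from this guide; the client hostnames, the SystemEvents table layout and the use of pyodbc are assumptions.

```python
"""Pipeline check for the guide's EventReporter -> WinSyslog -> database setup.
Added example, not Adiscon code. Assumes the hub at 192.168.0.1 (UDP 514) and a
SystemEvents table with FromHost/ReceivedAt columns behind "MyDatabaseDSN"
(assumed MonitorWare schema; verify against your sample97.mdb)."""
import socket
from datetime import datetime, timedelta

HUB_IP, SYSLOG_PORT = "192.168.0.1", 514
# The five clients plus the hub from the guide; hostnames are constructed.
EXPECTED_HOSTS = ["client1", "client2", "client3", "client4", "client5", "hub"]

def build_syslog_message(host, tag, text, facility=1, severity=6, now=None):
    """Build a BSD syslog (RFC 3164) line; PRI is facility * 8 + severity."""
    now = now or datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {text}".encode("ascii", "replace")

def send_test_message(host="test-client", hub=HUB_IP, port=SYSLOG_PORT):
    """Send one marker message to WinSyslog so it can be looked up in the database."""
    msg = build_syslog_message(host, "PipelineCheck", "forwarding test")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (hub, port))
    return msg

def silent_clients(expected_hosts, rows, now, max_age=timedelta(hours=1)):
    """Hosts with no (FromHost, ReceivedAt) row newer than now - max_age: typically a
    stopped EventReporter service, a wrong Syslog Server address, or the Default RuleSet."""
    latest = {}
    for from_host, received_at in rows:
        key = from_host.lower()
        latest[key] = max(received_at, latest.get(key, received_at))
    return sorted(h for h in expected_hosts
                  if h.lower() not in latest or latest[h.lower()] < now - max_age)

def recent_rows(dsn="MyDatabaseDSN", hours=1):
    """Read (FromHost, ReceivedAt) pairs via the hub's ODBC DSN; needs pyodbc on the hub."""
    import pyodbc  # Windows-only dependency, imported lazily so the rest runs anywhere
    since = datetime.now() - timedelta(hours=hours)
    with pyodbc.connect(f"DSN={dsn}") as cn:
        sql = "SELECT FromHost, ReceivedAt FROM SystemEvents WHERE ReceivedAt >= ?"
        return [tuple(r) for r in cn.cursor().execute(sql, since)]

# Constructed sample: client2 went quiet three hours ago, client3 never reported.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_ROWS = [("CLIENT1", SAMPLE_NOW - timedelta(minutes=5)), ("client2", SAMPLE_NOW - timedelta(hours=3)),
               ("client4", SAMPLE_NOW - timedelta(minutes=30)), ("client5", SAMPLE_NOW - timedelta(minutes=1)),
               ("hub", SAMPLE_NOW)]

if __name__ == "__main__":
    print("silent clients:", silent_clients(EXPECTED_HOSTS, SAMPLE_ROWS, SAMPLE_NOW))
```

On the hub, replace SAMPLE_ROWS with recent_rows() after calling send_test_message() from a client to check the live path.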
You are done!
Well, this is all you need to do to configure the basic operation. Once you are comfortable with the basic setup, you can enhance the system with local pre-filtering of events, enhanced logging and alerting.
I hope this article is helpful. If you have any questions or remarks, please do not hesitate to contact Adiscon Support.