How To setup Windows centralized Monitoring

Please Note: This article is valid for EventReporter 6.3 and above in addition to WinSyslog 5.2 and above!

Monitoring the event logs of Windows NT/2000/XP/2003 systems is important even for small environments. After we published an article on this topic, we received lots of calls asking how exactly to set up such a system. So we finally decided to write a short article on how to accomplish this.

Thus, this article is strictly task focused. It does not describe why the systems should be monitored, nor does it provide any further background; please see the respective background articles or the product documentation for that. This article is a step-by-step description of what you need to do in order to centrally monitor your Windows NT/2000/XP and 2003 systems.

This article has been extracted from the EventReporter documentation. Please be sure to check the EventReporter online help if a newer version is available.

Centralized Event Reports

In this step-by-step guide, EventReporter is configured to work together with Adiscon’s WinSyslog and MoniLog to automatically generate event summaries for the monitored servers and other devices.

This guide focuses on a typical small to medium business topology with a single geographical location, 5 Windows clients and a central hub server. All systems are well connected via a local Ethernet. Event reports from all machines should be stored in a database. The administrator shall receive daily consolidated event reports.

What you need

In this guide, I am focusing on building a solution with Adiscon’s EventReporter, WinSyslog and MoniLog. This combination allows you to centralize all your event logs and report events from them. Free 30 day trial versions are available at the respective product sites (links below), so you can try the system without the need to buy anything.

You need to run the following products:

  • 1 EventReporter for each system that is to be monitored. In our scenario, this means 6 copies: one for each of the 5 clients and one for the central hub server, if you want to monitor the hub server as well.
  • 1 WinSyslog to receive and store the event reports from the EventReporter monitoring agents.
  • 1 MoniLog to automatically generate consolidated reports from the gathered log data.
  • To deliver the MoniLog reports, you need a local web server (for example Microsoft's IIS or Apache) and a mail server that speaks SMTP (most modern mail servers do).

You need administrative privileges on each of the machines, both for installation and for configuration. Make sure you log on with a sufficiently privileged user account.

Our new product, MonitorWare Console, can also be used with EventReporter. MonitorWare Console is a comprehensive tool for sophisticated analysis of the collected log data. For more information about MonitorWare Console, please refer to its manual.

Step 0 – Download Software

Ok, maybe a bit too basic... But I wanted this to be a complete step-by-step guide, and it lets me place a reminder: check the web sites for new versions if you downloaded your copies a while ago. Security and monitoring products have short release cycles, and new versions can appear quickly.

Please visit www.EventReporter.Com/en/download and www.WinSyslog.Com/en/download to download the latest versions of EventReporter and WinSyslog. In addition to these, you also need the MoniLog product. A free, full-featured 30 day trial is available at www.MoniLog.Com/en/download/.

Step 1 – Install WinSyslog

Identify the system that WinSyslog (and probably MoniLog) should run on. Take a note of its IP address or host name; you will need this value when configuring the EventReporter clients. For our example, I assume this system has the IP address 192.168.0.1.

Run the WinSyslog setup with default parameters. When setup has finished, WinSyslog is automatically configured to operate as a simple syslog server. However, it does not yet write to a database as we need it to; we will set that up later.

Step 2 – Install EventReporter

Run the EventReporter setup program on all systems that should be monitored. This means you need to run it on all 5 clients and the central hub server.

For larger installations (with many more servers) there are ways to roll it out more efficiently, but in a scenario like ours it is faster to install it on each machine manually. You can install it with the default settings. When setup has finished, the program is automatically configured to operate as a simple event reporter. However, it does not yet log into the database we need. So we will change this on each machine, either by configuring it locally or by launching the configuration client on one machine and remotely connecting to the others. It is your choice. In this sample, I configure EventReporter on each machine (it is easier to follow).

Step 3 – Create a Rule set for Forward by Syslog

The steps to configure EventReporter are as follows (repeat this on each of the 5 client machines). This step is not needed on the central hub server:

1. Start EventReporter.

2. Select your language – in this example, I use English, so it might be a good idea to choose English even if that is not your preference. You can change it any time later, but using English makes it much easier to follow this guide here.

3. Then define a new rule set, right click “Rule set”. A pop up menu will appear. Select “Add Rule set” from this menu. On screen, it looks as follows:

4. Then, a wizard starts. Change the name of the rule to whatever name you like. We will use “Forward Syslog” in this example. The screen looks as follows:

Click “Next”. A new wizard page appears.

5. Select only Forward Syslog. Do not select any other options for this example. Also, leave the “Create a Rule for each of the following actions” setting selected. Click “Next”. You will see a confirmation page. Click “Finish” to create the Rule set.

6. As you can see, the new Rule set “Forward Syslog” is present. Please expand it in the tree view until the action level of the “Forward Syslog” Rule and select the “Forward Syslog” action to configure.

7. Now, type the IP address or host name of our central hub server (192.168.0.1 in this example) in the "Syslog Server" field. Messages are forwarded to the standard syslog port, UDP 514, which is also the port the WinSyslog server listens on by default. For MoniLog to be able to generate reports, two further changes are needed: uncheck "Add Syslog Source when forwarding to other Syslog servers", and replace the message format with the MoniLog format (click "Insert" and choose "Replace with MoniLog format"). Your settings should then match the screenshot. Keep in mind that syslog over UDP is neither authenticated nor encrypted: any host that can reach the hub can send it messages that end up in the database and in the reports, so make sure the hub's syslog port is reachable only from the client network.

Note: if you forward via the SETP protocol instead of syslog, a different MoniLog format is expected.

8. Make sure you press the “Save” button – otherwise your changes will not be applied.

Step 4 – Create a Rule set for database logging

This step needs only to be done on the central hub server!

1. Start WinSyslog

2. Again, you can select the language to use. And again, I suggest using English, as this makes the guide easier to follow.

3. Then define a new Rule set, right click “Rule set”. A pop up menu will appear. Select “Add Rule set” from this menu. On screen, it looks as follows:

4. Then, a wizard starts. Change the name of the rule to whatever name you like. We will use “Database Logging” in this example. The screen looks as follow:

Click “Next”. A new wizard page appears.

5. Select only Database Logging. Do not select any other options for this sample. Also, leave the “Create a Rule for each of the following actions” setting selected. Click “Next”. You will see a confirmation page. Click “Finish” to create the Rule set.

6. As you can see, the new Rule set “Database Logging” is present. Please expand it in the tree view until the action level of the “Database Logging” Rule and select the “Database Logging” action to configure.

7. Now click on the Data Sources (ODBC) button to open the ODBC Data Source Administrator. Then choose the “System DSN” tab and click the “Add” button to add a new System-DSN (Select the Microsoft Access driver like in the screen shot below).

8. In the next step, click the "Select" button, go to the WinSyslog installation directory (usually C:\program files\WinSyslog\) and choose the sample database called sample97.mdb. Then name the new DSN "MyDatabaseDSN", as in the following screenshot, and press OK. The Access sample database is fine for this walkthrough; for production volumes, use a server database or the log file mode discussed at the end of this article.

9. Now close the ODBC Data Source Administrator, switch back to the WinSyslog configuration client and enter "MyDatabaseDSN" in the DSN field. Leave all other settings at their defaults and save the changes.

Step 5 – Create an Event Log Monitor Service

The steps to configure the EventReporters are as follows. Repeat this step on each of the 5 client machines and the central hub server, if you want to log events from there as well.

Setup has already created a default event log monitor service. You can use that one, or create a new one by following these instructions:

1. First, right-click on “Running Services”, then select “Add Service” and the “Event Log Monitor”.

Once you have done so, a new wizard starts.

2. Again, you can use either the default name or any one you like. We will use “My Event Log Monitor” in this sample. Leave the “Use default settings” selected and press “Next”.

3. As we have used the default, the wizard will immediately proceed with step 3, the confirmation page. Press “Finish” to create the service. The wizard completes and returns to the configuration client.

4. Now, you will see the newly created service beneath the “Services” part of the tree view. To check its parameters, select it:

As you can see, the service has been created with the default parameters.

Please note that "Forward Syslog" has been automatically assigned as the Rule set to use. By default, the wizard always assigns the first Rule set visible in the tree view to new services.

5. Use the Event Log Monitor's default format. Your settings should look like this:

6. Finally, save the changes and start the EventReporter Service. This procedure completes the configuration of the event log forwarder.

EventReporter is not able to dynamically read changed configurations. As such, it needs to be restarted after such changes. In our sample, the service was not yet started, so we simply need to start it. If it already runs, you need to restart it.

With Step 5, the configuration of the client machines is finished. All following steps concern only the central hub server.

Step 6 – Create a Syslog Server Service

The steps to configure the central WinSyslog are as follows (only central hub server!):

1. First, right click on “Services”, then select “Add Service” and the “Syslog Server”.

Once you have done so, a new wizard starts.

2. Again, you can use either the default name or any one you like. We will use “My Syslog Server” in this sample. Leave the “Use default settings” selected and press “Next”.

3. As we have used the default, the wizard will immediately proceed with step 3, the confirmation page. Press “Finish” to create the service. The wizard completes and returns to the configuration client.

4. Now, you will see the newly created service beneath the “Services” part of the tree view. To check its parameters, select it:

As you can see, the service has been created with the default parameters.

5. To use the "Database Logging" Rule set we created in Step 4, select it as the Rule set to use. "Enable RFC 3164 Parsing" must be checked for MoniLog to generate reports, since it extracts the syslog header fields (priority, timestamp, host) that the database rows and the reports rely on.

6. Last, save the change and then restart the WinSyslog service. This procedure completes the configuration of the Syslog server.

WinSyslog cannot dynamically read changed configurations. As such, it needs to be restarted after such changes.
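To check the forwarding path from Step 3 and the parsing done in Step 6 without waiting for the next MoniLog run, here is an added example in Python; it is not part of this article or of Adiscon's products. It builds, sends and parses RFC 3164 syslog messages. It assumes the hub at 192.168.0.1 listens on the standard syslog port, UDP 514 (WinSyslog's default); the tag "ForwardTest", the constant names and the sample line are constructed for illustration, not captured from a real EventReporter installation. The receiver must run on the hub with the WinSyslog service stopped, because only one process can own UDP 514.

```python
"""Added example: build, send and parse RFC 3164 syslog messages to verify the
EventReporter -> WinSyslog path. Not Adiscon's code; names are assumptions."""
import re
import socket
from datetime import datetime

# Scenario values from the guide; assumption: WinSyslog listens on UDP 514.
HUB_HOST = "192.168.0.1"
SYSLOG_PORT = 514

FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                  "alert", "clock", "local0", "local1", "local2", "local3",
                  "local4", "local5", "local6", "local7"]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice",
                  "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG: CONTENT  (RFC 3164, section 4.1)
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 1-3]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[^ ]+) "
    r"(?P<rest>.*)$", re.DOTALL)
_TAG = re.compile(
    r"^(?P<tag>[A-Za-z0-9_.-]{1,32})(\[[^\]]*\]:|:)\s?(?P<content>.*)$",
    re.DOTALL)


def build_message(facility, severity, host, tag, content, when=None):
    """Return one RFC 3164 line. PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime.now()
    # The day of month is space-padded ("Mar  5"), not zero-padded.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{ts} {host} {tag}: {content}"


def parse_message(line):
    """Split a syslog line into its header fields, which is what the
    'Enable RFC 3164 Parsing' option does before database logging."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    rest = m.group("rest")
    t = _TAG.match(rest)
    tag, content = (t.group("tag"), t.group("content")) if t else ("", rest)
    return {
        "facility": facility, "facility_name": FACILITY_NAMES[facility],
        "severity": severity, "severity_name": SEVERITY_NAMES[severity],
        "timestamp": m.group("ts"), "host": m.group("host"),
        "tag": tag, "content": content,
    }


def send_test_message(content, host=HUB_HOST, port=SYSLOG_PORT):
    """Run on a client: send one user.info message to the hub over UDP.
    The tag 'ForwardTest' is an assumed name, not an EventReporter default."""
    line = build_message(1, 6, socket.gethostname(), "ForwardTest", content)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))
    return line


def receive_messages(count=1, port=SYSLOG_PORT, bind="0.0.0.0"):
    """Run on the hub with the WinSyslog service stopped: collect and parse
    `count` datagrams. Binding port 514 requires administrative privileges."""
    parsed = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while len(parsed) < count:
            data, (src, _) = s.recvfrom(65535)
            rec = parse_message(data.decode("utf-8", "replace"))
            rec["source"] = src        # UDP source addresses can be spoofed
            parsed.append(rec)
    return parsed


# Constructed sample line, not captured from a real installation.
SAMPLE = "<14>Mar  5 08:00:00 client1 EventReporter: 528 Success Audit logon"
```

Run `send_test_message("hello")` on one client while `receive_messages()` runs on the hub; if the parsed record shows the client's host name, the network path and the message format are fine and any remaining problem is in the Rule set or the DSN. Because the UDP source address is not authenticated, the `source` field is useful for troubleshooting only, not as evidence of where an event really came from.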

Step 7 – Preparing Web Server for MoniLog

MoniLog publishes its reports through the local web server (central hub server).

To avoid confusion, we recommend creating a separate directory on the web server for MoniLog. Let us assume you use Microsoft Internet Information Server and run it in the default configuration. Then your web pages are stored in the c:\inetpub\wwwroot directory. Create a subdirectory "MoniLog" directly beneath this directory. Because the reports contain event details from every monitored machine, do not leave this directory readable by anonymous users; restrict access to the administrators who receive the reports.

Step 8 – Installing and Configuring MoniLog

Log on interactively to the web server. Then, run the MoniLog setup with default parameters. When setup has finished, start MoniLog, select your language and perform the following steps:

1. First, switch to the “general” tab.

2. Select MonitorWare Database in “Select Syslog server type”.

3. “Logs Location” expects the DSN from the database in our scenario. Type in “MyDatabaseDSN”.

4. Next, check the "Process Non-Windows Syslog messages" box. Leave all other options at their defaults. Now it should look as follows:

Click “Apply” after making your changes!

5. This has already enabled MoniLog reporting. Now, we can verify the installation. To do so, switch back to the “Profiles” tab. Click the “New Profile” button and enter a name. In this example I use the name “Profile 1”.

Click “OK” button to create a new profile.

6. Under “Reports Location”, enter the directory where MoniLog reports should be stored. In our sample, we use “c:\inetpub\wwwroot\monilog”. Leave all other settings as default. The tab should look like this one:

Click “Apply” to save your changes!

7. The next step is to set your report options. To do so, click "Report Options". A new window opens. Check "Success Audit" and "Information". Now it should look like this:

Click "OK" to close the window, keeping the other options at their defaults.

8. Click "Analyze now" to test it. After a short while, a browser window with a MoniLog report will appear. The actual content of this report varies greatly; it depends on which events have been forwarded while setting up the agents. Probably, your report will be empty. This simply indicates that there was not yet any data to be analyzed, which is OK immediately after setup. If you still receive no data after some hours, then of course something is wrong; in that case, check the previous steps. A typical report looks as follows:

9. Now that we have verified the system is working, we can schedule the automatic report. To do so, check "Enable Schedule" and "Enable E-mail delivery". A quick reminder: we would like to receive a pointer to the report via e-mail each working day. We first need to set the web directory the reports are stored in and enable e-mail delivery. This is all done in the following screenshot:

Note that the buttons “E-mail Options” and “Scheduled Options” become colored and are now available.

10. Now we need to configure the e-mail options. Click "E-mail Options...". We assume the web server (192.168.0.1) is also acting as a mail server. The e-mails should be sent to "admins@sample.adiscon.com". With that, the dialog looks as follows:

Important: make sure the values match your configuration! This is vitally important because otherwise MoniLog is incapable of sending e-mail correctly. Click “OK” to apply the new settings.

11. Next, click the "Report Options..." button. As we schedule reports only on working days, we need to tell MoniLog to include in each report all events that occurred since its last run. We cannot keep the default of 24 hours, as Monday's report would then exclude the weekend's events. So change the "Report Type" option to "From last run till now" as seen below.

Click “OK” to apply the setting.

12. Lastly, click on “Schedule Options” to set a schedule. As long as no schedule is set, no reports will be generated automatically. In our sample, we let MoniLog generate reports each working day at 8:00 in the morning. Weekends are not enabled. The dialog looks like this:

13. Click "OK" to apply the settings. Note that the MoniLog service has not yet been started. It is the service that generates the scheduled reports, so you do not need to keep the client running in the foreground.

14. To conclude your configuration of MoniLog, start the service. To do so, select “Service”, then “Start Service” from the menu. This will start the service. During setup, the service is set to start automatically with system startup. So there is no need to manually restart the service after a reboot.

MoniLog is now completely configured. You will not immediately receive reports, because they are only generated at 8am each working day, so you need to wait for the next morning. If you would like to change the schedule to get immediate feedback, go to "Schedule" and change the time to a few minutes in the future. Then click "OK" and restart the service via the "Service" menu. A restart is necessary because the service reads changed parameters only at startup.

You are done!

Well, this is all you need to do to configure the basic operations. Once you are comfortable with the basic setup, you can enhance the system with local pre-filtering of events, enhanced logging and alerting (with MonitorWare Agent) and changed report options (with MoniLog / MonitorWare Console).

What is the recommended setting for MoniLog, and why?

Let’s quote Rainer Gerhards, design lead for the overall MonitorWare line of products, here:

Typically, MoniLog should work with log files, and not with the database. Using files is the recommended way with MoniLog. Why is it recommended? Because it is much faster! Why do we support the database, too? Because this allows easier integration, e.g. with the Web Interface! Would I recommend MoniLog and the database if a customer also needs to run the Web Interface? In most cases: No! From a performance point of view, it's better to create both text files and database content.

Please Note: This article provides instructions for configuring MoniLog with a database. Configuring MoniLog to work with log files is described in a separate article.
