Rollout: Prism EventTracker Log Management System

We put version 6.0 of EventTracker to the test and found it on par with rivals in ease of use, and ahead in scalability.

Collect it. Mine it. Report on it. Those are the key functions of log data analysis, and Prism Microsystems eases them all with version 6.0 of its EventTracker log manager. New features include a distributed collection architecture to enable use in geographically dispersed organizations, advanced data mining and report generation, and support for XML and Windows 2003 event formats.

We tested EventTracker in our Syracuse University labs and came away impressed; Prism's entry is on par with log management and analysis products we've tested from LogLogic, Q1 Labs, and Splunk.

Some features are impressively simple. Take agent deployment on Windows servers--just find hosts, point, click, and shoot. The agent installs and starts sending events back to the collector. Adding syslog hosts is just as easy.

Distributed event log collectors, called collection points, are EventTracker servers that forward events to a master collection server on a schedule. Event files are compressed, reducing the data transmitted over a WAN. And because EventTracker is licensed by the number of reporting servers, not by collector or management station, you can build your log collection system as needed without worrying about increasing costs.

THE UPSHOT
CLAIM:  Log management and analysis are underutilized because the only thing more complex than getting data into the log manager is extracting meaningful information for mining and reporting. Fortunately, EventTracker simplifies both processes.

CONTEXT:  Log retention is required for companies in regulated industries, and if you're going to collect data, you may as well mine it. In response, vendors including LogLogic, LogRhythm, Prism, Q1 Labs, and Splunk are adding mining and reporting features.

CREDIBILITY:  EventTracker lives up to its ease-of-use claims. Reporting, mining, and search refinement are simpler than with other log management products, though Splunk's keyword searching is still tops. Prism's distributed architecture is a big plus.

To filter the events sent to our master collector, we configured agents to send specific notifications, like Windows security events, to a designated collector, which would then forward select events to the master. We could also manage and data mine directly on EventTracker collection points.
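The two-tier arrangement described above (agents route by event type to a collection point, the collection point keeps everything locally and forwards only a selected, compressed subset to the master) is easy to model in a few lines. The following is an added illustration, not Prism's code and not EventTracker's on-the-wire format; the event shape, the routing table and the forwarding policies are constructed assumptions chosen to mirror the setup in the text.

```python
import gzip
import json

# Constructed sample events in a Windows-event-like shape (not EventTracker's real format).
SAMPLE_EVENTS = [
    {"host": "dc01", "log": "Security", "event_id": 4625, "msg": "An account failed to log on", "user": "jdoe"},
    {"host": "dc01", "log": "Security", "event_id": 4624, "msg": "An account was successfully logged on", "user": "jdoe"},
    {"host": "web01", "log": "Application", "event_id": 1000, "msg": "Application error"},
    {"host": "dhcp01", "log": "System", "event_id": 1001, "msg": "DHCP lease granted"},
    {"host": "dc02", "log": "Security", "event_id": 4625, "msg": "An account failed to log on", "user": "svc_backup"},
]

# Hypothetical agent-side routing: which collection point each event log is sent to.
AGENT_ROUTES = {"Security": "cp-security", "System": "cp-ops", "Application": "cp-ops"}

# Hypothetical collection-point policy: which events each point forwards to the master.
# Everything stays searchable at the collection point; only the selected subset crosses the WAN.
FORWARD_POLICY = {
    "cp-security": lambda e: e["event_id"] in (4625, 4720, 4732),  # failed logons, account/group changes
    "cp-ops": lambda e: e["log"] == "System",
}


def route(events):
    """Agent step: bucket events by the collection point they are sent to."""
    buckets = {cp: [] for cp in FORWARD_POLICY}
    for e in events:
        buckets[AGENT_ROUTES[e["log"]]].append(e)
    return buckets


def build_batch(cp_name, local_events):
    """Collection-point step: select events for the master and gzip the batch.

    Returns (compressed_blob, number_forwarded, raw_byte_length). On real batches the
    compressed size is well below the raw size; on this tiny sample it may not be.
    """
    selected = [e for e in local_events if FORWARD_POLICY[cp_name](e)]
    raw = json.dumps(selected).encode()
    return gzip.compress(raw), len(selected), len(raw)


def master_receive(batches):
    """Master step: decompress each scheduled batch and merge the events."""
    merged = []
    for blob in batches:
        merged.extend(json.loads(gzip.decompress(blob)))
    return merged


def run_pipeline(events):
    """Run agent -> collection point -> master and return (merged events, per-point stats)."""
    buckets = route(events)
    batches, stats = [], {}
    for cp, local in buckets.items():
        blob, forwarded, raw_len = build_batch(cp, local)
        batches.append(blob)
        stats[cp] = {"local": len(local), "forwarded": forwarded,
                     "raw_bytes": raw_len, "wire_bytes": len(blob)}
    return master_receive(batches), stats


if __name__ == "__main__":
    merged, stats = run_pipeline(SAMPLE_EVENTS)
    for cp, s in stats.items():
        print(f"{cp}: kept {s['local']} locally, forwarded {s['forwarded']}")
    print(f"master received {len(merged)} events")
```

The point worth noticing is where the filtering happens: the collection point retains the full feed for local mining, while the master sees only what the policy selects, so WAN traffic and the master's storage grow with the policy rather than with the number of monitored hosts.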

With events streaming in, we started digging into the system's search and reporting capabilities. The new UI has a similar look and feel to the Microsoft Management Console, making it a familiar interface for Windows administrators. Clicking on hosts, groups, or event types narrowed events to just that selection. It's a great capability--if you know what you're looking for.

ADVANCED FORENSICS

Splunk set the bar for intuitive, free-form keyword searching, and LogLogic hasn't kept pace. EventTracker, like Q1 Labs' SLIM, is focused more on reporting and defined queries rather than intuitive searches. For example, to find a particular DHCP event, we needed to start a search for all DHCP events over a period of time and then refine our parameters. Prism calls this process "advanced forensics," digging within search results using regular expressions and keywords in a separate dialog box. However, we could refine only once. If we wanted to continue to narrow our search, we would have to re-enter the refinement each time.
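The workflow the review describes (pull all DHCP events for a window, then narrow the result set with a regular expression or keyword, then narrow again) is shown below as an added example. It is not EventTracker's search engine or its data; the event records, timestamps and field names are constructed for the demonstration. Unlike the product as reviewed, the refinement here can be chained as many times as needed, which is the behaviour the reviewers wanted.

```python
import re
from datetime import datetime

# Constructed DHCP- and security-style events with ISO timestamps (not EventTracker's format).
SAMPLE_EVENTS = [
    {"ts": "2008-03-10T09:00:01", "source": "DHCP", "host": "dhcp01",
     "msg": "Lease 10.1.5.23 assigned to 00-1A-2B-3C-4D-5E (ws-finance-07)"},
    {"ts": "2008-03-10T09:03:44", "source": "DHCP", "host": "dhcp01",
     "msg": "Lease 10.1.5.23 renewed by 00-1A-2B-3C-4D-5E (ws-finance-07)"},
    {"ts": "2008-03-10T09:05:10", "source": "DHCP", "host": "dhcp01",
     "msg": "DHCPNAK sent to 00-9F-8E-7D-6C-5B, address 10.1.9.200 not in scope"},
    {"ts": "2008-03-10T10:15:00", "source": "DHCP", "host": "dhcp02",
     "msg": "Lease 10.1.9.14 assigned to 00-9F-8E-7D-6C-5B (unknown)"},
    {"ts": "2008-03-10T09:02:00", "source": "Security", "host": "dc01",
     "msg": "An account failed to log on: jdoe"},
    {"ts": "2008-03-11T08:00:00", "source": "DHCP", "host": "dhcp01",
     "msg": "Lease 10.1.5.40 assigned to 00-1A-2B-3C-4D-5E (ws-finance-07)"},
]


def search(events, source, start, end):
    """Initial query: every event from one source inside a closed time window."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [ev for ev in events
            if ev["source"] == source and s <= datetime.fromisoformat(ev["ts"]) <= e]


def refine(results, pattern=None, keywords=()):
    """Narrow an existing result set by a regex and/or case-insensitive keywords.

    Operates on the previous results, so calls can be chained indefinitely.
    """
    out = results
    if pattern:
        rx = re.compile(pattern)
        out = [ev for ev in out if rx.search(ev["msg"])]
    for kw in keywords:
        out = [ev for ev in out if kw.lower() in ev["msg"].lower()]
    return out


def investigate(events):
    """Worked chain: all DHCP events on 2008-03-10, then narrow twice.

    Returns the three result sets so each stage can be inspected.
    """
    step1 = search(events, "DHCP", "2008-03-10T00:00:00", "2008-03-10T23:59:59")
    step2 = refine(step1, pattern=r"\b10\.1\.5\.\d{1,3}\b")  # only the 10.1.5.0/24 scope
    step3 = refine(step2, keywords=["assigned"])              # only new leases, not renewals
    return step1, step2, step3


if __name__ == "__main__":
    for label, rs in zip(("all DHCP", "10.1.5.x", "assigned"), investigate(SAMPLE_EVENTS)):
        print(f"{label}: {len(rs)} event(s)")
        for ev in rs:
            print("   ", ev["ts"], ev["host"], ev["msg"])
```

Each refinement takes the previous result list as input rather than the whole store, which is what makes a third or fourth narrowing step cheap; in the product as tested, the reviewers had to re-enter the accumulated refinement on every pass.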

One of the most useful features of EventTracker is Prism's integrated event knowledge base. For every event that it recognizes, EventTracker provides useful descriptions and other resources so you can understand what an event means. Prism's knowledge base is open to the public, but integration in EventTracker is a nice touch.

Reporting is useful to show that active monitoring is being performed. We could run reports on an on-demand or scheduled basis, and 6.0 ships with some predefined reports for operations, security events, and regulatory compliance. Simply select the type, add target hosts, create filters such as searching for particular users, and off you go. Administrators can be notified of reports via e-mail or RSS feed.

EventTracker 6.0 represents a strong balance between log aggregation and data mining. A setup with 50 monitored servers runs $15,000, including all modules.

Continue to the sidebar:
Facing The Monster: The Labors Of Log Management
