Collect it. Mine it. Report on it. Those are the key functions of log data analysis, and Prism Microsystems eases them all with version 6.0 of its EventTracker log manager. New features include a distributed collection architecture to enable use in geographically dispersed organizations, advanced data mining and report generation, and support for XML and Windows 2003 event formats.
We tested EventTracker in our Syracuse University labs and came away impressed; Prism's entry is on par with log management and analysis products we've tested from LogLogic, Q1 Labs, and Splunk.
Some features are impressively simple. Take agent deployment on Windows servers: just find hosts, point, click, and shoot. The agent installs and starts sending events back to the collector. Adding syslog hosts is just as easy.
Distributed event log collectors, called collection points, are EventTracker servers that forward events to a master collection server on a schedule. Event files are compressed, reducing the data transmitted over a WAN. And because EventTracker is licensed by the number of reporting servers, not by collector or management station, you can build your log collection system as needed without worrying about increasing costs.
With events streaming in, we started digging into the system's search and reporting capabilities. The new UI has a similar look and feel to the Microsoft Management Console, making it a familiar interface for Windows administrators. Clicking on hosts, groups, or event types narrowed events to just that selection. It's a great capability, if you know what you're looking for.
Splunk set the bar for intuitive, free-form keyword searching, and LogLogic hasn't kept pace. EventTracker, like Q1 Labs' SLIM, is focused more on reporting and defined queries than on intuitive searches. For example, to find a particular DHCP event, we needed to start a search for all DHCP events over a period of time and then refine our parameters. Prism calls this process "advanced forensics": digging within search results using regular expressions and keywords in a separate dialog box. However, we could refine only once. If we wanted to continue to narrow our search, we would have to re-enter the refinement each time.
One of the most useful features of EventTracker is Prism's integrated event knowledge base. For every event that it recognizes, EventTracker provides useful descriptions and other resources so you can understand what an event means. Prism's knowledge base is open to the public, but integration in EventTracker is a nice touch.
Reporting is useful to show that active monitoring is being performed. We could run reports on an on-demand or scheduled basis, and 6.0 ships with some predefined reports for operations, security events, and regulatory compliance. Simply select the type, add target hosts, create filters such as searching for particular users, and off you go. Administrators can be notified of reports via e-mail or RSS feed.
EventTracker 6.0 represents a strong balance between log aggregation and data mining. A setup with 50 monitored servers runs $15,000, including all modules.