05/28/2008 6:45 PM

Rollout: Prism EventTracker Log Management System

We put version 6.0 of EventTracker to the test and found it on par with rivals in ease of use, and ahead in scalability.
Collect it. Mine it. Report on it. Those are the key functions of log data analysis, and Prism Microsystems eases them all with version 6.0 of its EventTracker log manager. New features include a distributed collection architecture to enable use in geographically dispersed organizations, advanced data mining and report generation, and support for XML and Windows 2003 event formats.

We tested EventTracker in our Syracuse University labs and came away impressed; Prism's entry is on par with log management and analysis products we've tested from LogLogic, Q1 Labs, and Splunk.

Some features are impressively simple. Take agent deployment on Windows servers--just find hosts, point, click, and shoot. The agent installs and starts sending events back to the collector. Adding syslog hosts is just as easy.

Distributed event log collectors, called collection points, are EventTracker servers that forward events to a master collection server on a schedule. Event files are compressed, reducing the data transmitted over a WAN. And because EventTracker is licensed by the number of reporting servers, not by collector or management station, you can build your log collection system as needed without worrying about increasing costs.

CLAIM:  Log management and analysis are underutilized because the only thing more complex than getting data into the log manager is extracting meaningful information for mining and reporting. Fortunately, EventTracker simplifies both processes.

CONTEXT:  Log retention is required for companies in regulated industries, and if you're going to collect data, you may as well mine it. In response, vendors including LogLogic, LogRhythm, Prism, Q1 Labs, and Splunk are adding mining and reporting features.

CREDIBILITY:  EventTracker lives up to its ease-of-use claims. Reporting, mining, and search refinement are simpler than with other log management products, though Splunk's keyword searching is still tops. Prism's distributed architecture is a big plus.

To filter the events sent to our master collector, we configured agents to send specific notifications, such as Windows security events, to a designated collector, which then forwarded select events to the master. We could also manage and data mine directly on the EventTracker collection points.

With events streaming in, we started digging into the system's search and reporting capabilities. The new UI has a similar look and feel to the Microsoft Management Console, making it a familiar interface for Windows administrators. Clicking on hosts, groups, or event types narrowed events to just that selection. It's a great capability--if you know what you're looking for.


Splunk set the bar for intuitive, free-form keyword searching, and LogLogic hasn't kept pace. EventTracker, like Q1 Labs' SLIM, is focused more on reporting and defined queries rather than intuitive searches. For example, to find a particular DHCP event, we needed to start a search for all DHCP events over a period of time and then refine our parameters. Prism calls this process "advanced forensics," digging within search results using regular expressions and keywords in a separate dialog box. However, we could refine only once. If we wanted to continue to narrow our search, we would have to re-enter the refinement each time.
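The two mechanisms described in this review, the agent to collection point to master chain with filtering at each hop and compression across the WAN, and the search-then-refine "advanced forensics" workflow, are sketched below in Python as an added illustration. This is not Prism's code, not EventTracker's agent protocol, and not its real event format: the record fields, event IDs, timestamps and sample messages are constructed for the example. Unlike the product as reviewed, the refine step here can be chained any number of times.

```python
import gzip
import json
import re

# Constructed sample event records in a simplified form, standing in for what a
# Windows agent would report. Not real EventTracker output; field names are assumed.
SAMPLE_EVENTS = [
    {"host": "dc01", "source": "Security", "event_id": 4625,
     "time": "2008-05-28T18:40:00", "msg": "An account failed to log on. Account Name: jdoe"},
    {"host": "dc01", "source": "Security", "event_id": 4624,
     "time": "2008-05-28T18:41:10", "msg": "An account was successfully logged on. Account Name: jdoe"},
    {"host": "dhcp01", "source": "DHCP", "event_id": 1010,
     "time": "2008-05-28T18:42:00", "msg": "Lease 10.1.2.55 granted to 00:11:22:33:44:55"},
    {"host": "dhcp01", "source": "DHCP", "event_id": 1011,
     "time": "2008-05-28T19:05:00", "msg": "Lease 10.1.2.56 denied for 00:11:22:33:44:66"},
    {"host": "web01", "source": "Application", "event_id": 1000,
     "time": "2008-05-28T18:43:30", "msg": "Faulting application w3wp.exe"},
]


def agent_filter(events, wanted_sources):
    """Agent stage: ship only the event sources this agent has been told to report."""
    return [e for e in events if e["source"] in wanted_sources]


def collection_point_forward(events, predicate):
    """Collection point stage: keep what the master asked for, then gzip the batch
    before it crosses the WAN. Returns the compressed bytes for the scheduled push."""
    selected = [e for e in events if predicate(e)]
    payload = "\n".join(json.dumps(e, sort_keys=True) for e in selected)
    return gzip.compress(payload.encode("utf-8"))


def master_receive(blob):
    """Master stage: decompress the batch and rebuild the event records."""
    text = gzip.decompress(blob).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line]


def search(events, source=None, start=None, end=None):
    """Coarse query by source and time window. Timestamps are ISO-8601 strings,
    so plain string comparison orders them correctly."""
    out = []
    for e in events:
        if source and e["source"] != source:
            continue
        if start and e["time"] < start:
            continue
        if end and e["time"] > end:
            continue
        out.append(e)
    return out


def refine(events, *criteria):
    """Narrow a result set repeatedly. Each criterion is a compiled regex or a
    plain keyword and is applied only to the survivors of the previous one."""
    for c in criteria:
        if isinstance(c, re.Pattern):
            events = [e for e in events if c.search(e["msg"])]
        else:
            events = [e for e in events if c.lower() in e["msg"].lower()]
    return events


def pipeline_demo():
    """Agent on dc01 reports only Security events; the collection point forwards
    just failed logons (constructed ID 4625) to the master."""
    from_agent = agent_filter(SAMPLE_EVENTS, {"Security"})
    blob = collection_point_forward(from_agent, lambda e: e["event_id"] == 4625)
    at_master = master_receive(blob)
    return [e["event_id"] for e in at_master]


def forensics_demo():
    """Start broad (all DHCP events in a window), then narrow twice: first by a
    regex on the leased address range, then by the keyword 'denied'."""
    window = search(SAMPLE_EVENTS, source="DHCP",
                    start="2008-05-28T18:00:00", end="2008-05-28T20:00:00")
    narrowed = refine(window, re.compile(r"Lease 10\.1\.2\.\d+"), "denied")
    return [e["event_id"] for e in narrowed]


if __name__ == "__main__":
    print(pipeline_demo())   # [4625]
    print(forensics_demo())  # [1011]
```

The point of the two filter stages is that the agent decides what leaves the host and the collection point decides what crosses the WAN, so the master only ever stores what someone explicitly asked for; the trade-off is that anything dropped at either hop is unavailable later for forensics unless the collection point retains it locally.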

One of the most useful features of EventTracker is Prism's integrated event knowledge base. For every event that it recognizes, EventTracker provides useful descriptions and other resources so you can understand what an event means. Prism's knowledge base is open to the public, but integration in EventTracker is a nice touch.

Reporting is useful to show that active monitoring is being performed. We could run reports on an on-demand or scheduled basis, and 6.0 ships with some predefined reports for operations, security events, and regulatory compliance. Simply select the type, add target hosts, create filters such as searching for particular users, and off you go. Administrators can be notified of reports via e-mail or RSS feed.

EventTracker 6.0 represents a strong balance between log aggregation and data mining. A setup with 50 monitored servers runs $15,000, including all modules.

Continue to the sidebar:
Facing The Monster: The Labors Of Log Management