Rollout: Prism EventTracker Log Management System
We put version 6.0 of EventTracker to the test and found it on par with rivals in ease of use, and ahead in scalability.
May 28, 2008
Collect it. Mine it. Report on it. Those are the key functions of log data analysis, and Prism Microsystems eases them all with version 6.0 of its EventTracker log manager. New features include a distributed collection architecture to enable use in geographically dispersed organizations, advanced data mining and report generation, and support for XML and Windows 2003 event formats.
We tested EventTracker in our Syracuse University labs and came away impressed; Prism's entry is on par with log management and analysis products we've tested from LogLogic, Q1 Labs, and Splunk.
Some features are impressively simple. Take agent deployment on Windows servers--just find hosts, point, click, and shoot. The agent installs and starts sending events back to the collector. Adding syslog hosts is just as easy.
Distributed event log collectors, called collection points, are EventTracker servers that forward events to a master collection server on a schedule. Event files are compressed before forwarding, reducing the data sent over a WAN. And because EventTracker is licensed by the number of monitored servers it reports on, not by the number of collection points or management stations, you can scale out log collection as needed without increasing licensing costs.
THE UPSHOT
CLAIM: Log management and analysis are underutilized because the only thing more complex than getting data into the log manager is extracting meaningful information for mining and reporting. Fortunately, EventTracker simplifies both processes.
CONTEXT: Log retention is required for companies in regulated industries, and if you're going to collect data, you may as well mine it. In response, vendors including LogLogic, LogRhythm, Prism, Q1 Labs, and Splunk are adding mining and reporting features.
CREDIBILITY: EventTracker lives up to its ease-of-use claims. Reporting, mining, and search refinement are simpler than with other log management products, though Splunk's keyword searching is still tops. Prism's distributed architecture is a big plus.
To filter the events sent to our master collector, we configured agents to send specific notifications, such as Windows security events, to a designated collection point, which then forwarded only selected events to the master. We could also manage events and mine data directly on the collection points themselves.
With events streaming in, we started digging into the system's search and reporting capabilities. The new UI has a similar look and feel to the Microsoft Management Console, making it a familiar interface for Windows administrators. Clicking on hosts, groups, or event types narrowed events to just that selection. It's a great capability--if you know what you're looking for.
ADVANCED FORENSICS
Splunk set the bar for intuitive, free-form keyword searching, and LogLogic hasn't kept pace. EventTracker, like Q1 Labs' SLIM, is focused more on reporting and defined queries than on ad hoc searches. For example, to find a particular DHCP event, we had to start with a search for all DHCP events over a period of time and then refine our parameters. Prism calls this process "advanced forensics": digging within search results using regular expressions and keywords in a separate dialog box. However, we could refine only once; to narrow the results further, we had to re-enter the refinement each time rather than stack a second refinement on the first.
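The search-then-refine workflow described above, as an added example that is not Prism's or EventTracker's code: a defined query (one event source over a time window) followed by regex and keyword refinement that can be chained, which is the step the reviewed 6.0 dialog did not allow. The line format, hosts, addresses, MACs and timestamps are constructed for the example.

```python
# Added example, not Prism code: search a time window for one event source,
# then narrow the result set repeatedly by regex and keyword.
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample events (not real log data). Each line is
# "<ISO timestamp> <host> <source> <message>", roughly what a collector
# holds after normalising syslog and Windows event records.
SAMPLE_LOG = """\
2008-05-20T09:00:05 dhcp01 DHCP Assigned 10.1.2.50 to 00-1A-2B-3C-4D-5E
2008-05-20T09:00:07 dhcp01 DHCP NACK 10.1.2.77 to 00-1A-2B-3C-4D-5F lease expired
2008-05-20T09:01:00 dc01 Security Logon succeeded user=jdoe
2008-05-20T09:02:10 dhcp01 DHCP Renewed 10.1.2.50 to 00-1A-2B-3C-4D-5E
2008-05-20T10:15:00 dhcp02 DHCP NACK 10.1.3.9 to 00-1A-2B-3C-4D-5E lease expired
2008-05-21T08:00:00 dhcp01 DHCP Assigned 10.1.2.51 to 00-1A-2B-3C-4D-60
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+) (?P<msg>.*)$")


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed line format into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def search(events: List[Dict], source: str, start: datetime, end: datetime) -> List[Dict]:
    """The 'defined query': every event of one source type in [start, end)."""
    return [e for e in events if e["source"] == source and start <= e["ts"] < end]


def refine(results: List[Dict], pattern: Optional[str] = None,
           keyword: Optional[str] = None) -> List[Dict]:
    """Narrow an existing result set by a regex and/or a keyword (both
    case-insensitive). It takes and returns the same shape, so calls chain."""
    rx = re.compile(pattern, re.IGNORECASE) if pattern else None
    kw = keyword.lower() if keyword else None
    out = []
    for e in results:
        if rx and not rx.search(e["msg"]):
            continue
        if kw and kw not in e["msg"].lower():
            continue
        out.append(e)
    return out


def trace_client(events: List[Dict], mac: str, start: datetime, end: datetime) -> List[str]:
    """Worked query: DHCP events in the window, narrowed to one client MAC,
    then to NACKs only. Returns the message text of each surviving event."""
    dhcp = search(events, "DHCP", start, end)
    for_client = refine(dhcp, pattern=re.escape(mac))
    nacks = refine(for_client, keyword="NACK")
    return [e["msg"] for e in nacks]


EVENTS = parse_log(SAMPLE_LOG)
WINDOW_START = datetime(2008, 5, 20)
WINDOW_END = datetime(2008, 5, 21)

if __name__ == "__main__":
    print(len(search(EVENTS, "DHCP", WINDOW_START, WINDOW_END)), "DHCP events on 2008-05-20")
    print(trace_client(EVENTS, "00-1A-2B-3C-4D-5E", WINDOW_START, WINDOW_END))
```

Each refinement operates on the previous result set rather than on the whole store, so the analyst narrows step by step without re-entering earlier criteria; the time-window filter stays cheap because it runs once, up front.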
One of the most useful features of EventTracker is Prism's integrated event knowledge base. For every event that it recognizes, EventTracker provides useful descriptions and other resources so you can understand what an event means. Prism's knowledge base is open to the public, but integration in EventTracker is a nice touch.
Reporting is useful to show that active monitoring is being performed. We could run reports on an on-demand or scheduled basis, and 6.0 ships with some predefined reports for operations, security events, and regulatory compliance. Simply select the type, add target hosts, create filters such as searching for particular users, and off you go. Administrators can be notified of reports via e-mail or RSS feed.
EventTracker 6.0 represents a strong balance between log aggregation and data mining. A setup with 50 monitored servers runs $15,000, including all modules.
Continue to the sidebar:
Facing The Monster: The Labors Of Log Management