GFI EventsManager review
By Roger A Grimes | InfoWorld | Published: 16:37, 04 August 2010
EventsManager comes as a single installable executable. (You can download a time-limited trial version of GFI EventsManager for free.) As with all GFI products, the install is almost as simple as Next, Next and Enter. GFI will install Microsoft SQL Server 2005 Express, if it doesn't detect an existing SQL Server instance, although you might need to apply the latest SQL Server service pack afterward.
During the install, you'll need to provide domain admin credentials, which EventsManager uses to access remote Windows computers. You can provide separate credentials for each client (the hosts from which you're collecting events) at a later time. I'll give GFI kudos for this small touch, which is a genuine security benefit: the domain admin account need not be used against every host. You'll also need to install EventsManager on a Windows Vista, Windows 7, or Windows Server 2008 computer if you want to collect events from Microsoft's newest operating systems. Lastly, for the best reporting you'll need to download and install GFI's free Report Pack.
EventsManager is able to collect and process various event log types, including Windows event logs, Internet Information Services (IIS) W3C logs, SQL Server, syslog, and SNMP trap messages. For Windows event log collection, the Remote Registry service must be enabled on the clients. For IIS W3C log collection, an accessible NetBIOS share must be assigned to the log folder. Syslog and SNMP hosts should forward their events to the computer hosting the EventsManager service. GFI has done an excellent job of coding EventsManager to understand various popular SNMP MIBs, not just the simple generic trap messages.
After EventsManager is installed, event source hosts can be added to one or more Event Sources Groups to ease management. Each Event Sources Group (and each event source host) can be configured with various attributes, including logon credentials, collection interval, and operational time. The operational time option allows EventsManager to adjust the priority of a particular event based on when it occurs. For example, a logon event that occurs during the weekend should be a higher priority than one that occurs during a normal workday.
Incoming events are matched against a collection of event processing rules that filter, prioritise, and classify events and generate additional actions. Rules can be grouped into rule sets, or "scanning profiles," to broaden or narrow the information you collect. EventsManager ships with a healthy collection of preconfigured event processing rules and rule sets (for Windows, IIS, SQL Server, Syslog clients, SNMP, and so on). While not a comprehensive set, they number in the hundreds and are a nice starting baseline for new deployments.
GFI provides on its website a handy list of the event log sources that EventsManager can process out of the box. You can edit these rules or create your own. Incoming event messages can be compared against all rules or applied only to particular rule sets (scanning profiles) to speed up the process. After all, there's no need to compare IIS or SQL Server event rules against Linux hosts, for example.
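To make the two mechanisms described above concrete, here is an added example (my own illustration, not GFI code or EventsManager's internal rule format) of a tiny event-processing engine: rule sets are keyed by event source type so IIS rules are never evaluated against a syslog host, and a rule's priority is bumped when the event falls outside a constructed operational-time window such as a weekend logon. Event fields, rule names, event IDs and the Monday-to-Friday window are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime


# Constructed event and rule shapes; these are this example's own, not
# GFI EventsManager's internal format.
@dataclass
class Event:
    host: str
    source: str        # "windows", "iis", "syslog", ...
    event_id: str
    when: datetime


@dataclass
class Rule:
    name: str
    event_id: str
    classification: str
    base_priority: int  # 1 = low ... 5 = high


# Scanning profiles: one rule set per event source type, so the
# IIS/SQL Server rules are skipped entirely for a Linux syslog host.
PROFILES = {
    "windows": [Rule("Successful logon", "4624", "security", 2),
                Rule("Failed logon", "4625", "security", 3)],
    "iis": [Rule("IIS 5xx response", "500", "availability", 3)],
    "syslog": [Rule("sshd auth failure", "sshd_auth_fail", "security", 3)],
}


def in_operational_time(t: datetime) -> bool:
    """Constructed policy: Monday to Friday, 08:00 to 18:00."""
    return t.weekday() < 5 and 8 <= t.hour < 18


def process(event: Event) -> list[dict]:
    """Apply only the event source's rule set; raise the priority of any
    match that occurred outside operational time (e.g. a weekend logon)."""
    matches = []
    for rule in PROFILES.get(event.source, []):
        if rule.event_id != event.event_id:
            continue
        priority = rule.base_priority
        if not in_operational_time(event.when):
            priority = min(5, priority + 2)
        matches.append({"rule": rule.name, "class": rule.classification,
                        "priority": priority, "host": event.host})
    return matches
```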