Centralized logging in a hybrid environment (Windows/Linux) – Step 2

Friday, March 11th, 2011

Step 2 – Setting up the Windows Clients

Setting up the Windows Clients is rather easy. To do this, we only need to have EventReporter installed. EventReporter will be configured to pull the Windows Event Logs and forward them to our central syslog server via TCP syslog. Our example system will be Windows XP.

When you open the Configuration Client, you will see the configuration tree on the left. Most important are the part "Configured Services" and "Rulesets". Right now, both have no content. But we will change that now.

Step 2.1

As a first step, we will set up the ruleset again.

centralized_monitoring_2001

Right-click on RuleSets in the left hand list. A context menu will appear. Click on Add RuleSet

centralized_monitoring_2002

The RuleSet Wizard will appear now. You can give your ruleset a name of course. We will use TCP Forwarding for this example. After that, click on "Next".

centralized_monitoring_2003

On the second page of the wizard we can specify what actions we want. Since we only want the log messages to be forwarded via syslog, check the box next to "Forward Syslog". After that, click "Finish" to create the ruleset and action.

Step 2.2

centralized_monitoring_2004

When you expand the treeview now, you will find a rule named "Forward Syslog" with an attached action of the same name.

centralized_monitoring_2005

Now click on the action "Forward Syslog. You can see the default values now.

centralized_monitoring_2006

We need to change some of those settings now. First of all we need to enter the IP or hostname of our central server into the field "Syslog Server". After that, change the port to 10514, since our central server will listen to syslog on this port. And we need to change the protocol type. Change is to TCP (persistent connection). That is all for now. Click on the Save button on the top so we can go on configuring the Service itself.

Step 2.3

We need to configure our service now. Right-click on "Configured Services" in the configuration tree on the left to pop up a context menu.

centralized_monitoring_2007

When you go to "Add Service" you will see the list of available Services. The list is a lot smaller than in MonitorWare Agent. We need the regular Event Log Monitor in this case.

Note: If you are using Windows Vista, 7 or Server 2008 you might consider using the Event Log Monitor V2, since it is optimized for the new EventLog that has been introduced with Windows Vista.

centralized_monitoring_2008

When you have clicked on Event Log Monitor in the list, a wizard will open. Since we will not do any configuration now, just click on "Finish".

centralized_monitoring_2009

When clicking on Event Log Monitor in the configuration tree you will see the default options. We can leave these settings as they are. Probably you might want to change the preferred language or the sleep time. As you can see at the bottom, the service is already assigned to our ruleset we created earlier. Newly created services will automatically be assigned to the first ruleset in the list.

Step 2 is finished

Basically, that is it. Save the configuration and then start the service with the button that looks like the "Play" symbol. EventReporter will then start to pull Events from the Windows Event Log and forward them via TCP syslog to your central server.

<< Go back to the main page

Centralized logging in a hybrid environment (Windows/Linux) – Step 1

Thursday, March 10th, 2011

Step 1 – Setting up the central log server:

The central log server is the most important part of our central log storage and thus will be configured as the first part. And due to all the things it needs to do, it has the most work of course. When selecting your machine to install the central log server on, please keep in mind, that you need quite a good machine for larger networks. If you have a very large environment, it might be a good idea to use multiple servers for this scenario with a load balancer and a separate database server. But in this guide, we will have it all on one machine.

Prerequisites:

The following should be installed and working:

  • Windows Server operating system (Windows Server 2008)
  • Database Server (MSSQL)
  • IIS Webservice
  • MonitorWare Agent Professional Server (V7.2)

The list holds the things necessarily needed. In the brackets is schon which we will use in this example. Please note, that this will work with other versions as well, especially with MonitorWare Agent.

As mentioned before, MonitorWare Agent will have multiple purposes. It should receive syslog via TCP and UDP, monitor the local EventLog and textbased logfiles as well as writing everything into a database and sending email messages in case of error and critical messages occuring.

Step 1.1

First of all, we will set up the processing rules and actions. We will start this way due to the design of MonitorWare Agent. Since the Services need to be bound to a ruleset upon creation, we will start this way, so the ruleset is there already when creating the service.

centralized_monitoring_1001

When starting MonitorWare Agent the first time, you will see on the lefthand side our overview of "Configured Services" and "Rulesets". Right now, there shouldn’t be any entries here.

centralized_monitoring_1002

Right click on "Rulesets". A context-menu will open.

centralized_monitoring_1003

Choose "Add Ruleset". The ruleset wizard will open. On this first screen, we can choose the name of the ruleset.

centralized_monitoring_1004

After choosing a name (in this example "Storage & Alert"), click on "Next". Here we can set, what we will need. Leave the marker for "Create a Rule for each of the following actions" and choose "Send Email" and "Database Logging".

centralized_monitoring_1005

You can now click on Finish. You will now see a new ruleset in the treeview on the left hand side. If you expand this view completely, you can see the two rules that have been created and the actions that are in there. You should have a rule "Database Logging" and a rule "Send Email".

Step 1.2

We will now start with configuring the action for "Database Logging". Expand the branch called "Database Logging" completely. Under actions you will find the "Database Logging" action. When you click it, you will see the configuration window.

centralized_monitoring_1006

Click on the button "Data Source (ODBC)". This will open the ODBC Data Source Administrator.

centralized_monitoring_1007

Go to System DSN and click "Add…".

centralized_monitoring_1008

Select SQL Server from the list and click "Finish".

centralized_monitoring_1009

Choose a name for the datasource and a description. In this case we choose MyMWDB as name. As server choose the name of the server where the database is. In our example we use localhost. Now click on "Next".

centralized_monitoring_1031

Select “SQL Server Authentication” and type in your MSSQL Login ID and Password. If you have Windows NT authentication like in our case, leave it as is. Click on “Next”.

centralized_monitoring_1010

Select “Change the default Database to:” and choose your new created Database, in our example we use “MyMWDB” which we created beforehand. Click on “Next”.

centralized_monitoring_1011

Leave all at default settings and click “Finish”, a test Window will appear:

centralized_monitoring_1012

Click on “Test Data Source”, normally the following Window should be displayed:

centralized_monitoring_1013

If not, go back and check your Settings, if yes, Click “OK” and exit the System-DSN Wizard.

centralized_monitoring_1014

Now we are back in MonitorWare Agent. Insert the DSN for your database, User-ID and Password.

centralized_monitoring_1015

After that, click the "Create Database" button. We still need the tables that the log messages will be stored in. After clicking the button, a small window will open. Insert the DSN, User-ID, Password and choose the type of database you are using, in our case MS SQL. By clicking on the "Create" Button, the tables needed for the default database format of the MonitorWare Products will be created. After that, close the window.

Since we want to log all messages into the database, there is no need to set up any filters.

Step 1.3

In the next step, we want to set up the Send Email rule. But since we only want error log messages, we need to set some filters. Click on the Filter Conditions. You will see the overview over the filters for this rule.

centralized_monitoring_1016

Right now, the view is empty except for a AND operator. Double-click it to change it into a OR operator.

centralized_monitoring_1017

Right-click on the OR operator. A context menu will open. Go to Add Filter -> Syslog -> Priority.

centralized_monitoring_1018

Click on the filter setting and change the property value to "Error (3)".

centralized_monitoring_1019

Again click on Add Filter -> EventLog Monitor V2 -> Event Severity.

centralized_monitoring_1020

Click on the second filter setting and change the property value to "[ERR]".

We are now finished with the filter settings. The filter will accept all log messages that are either of syslog proiority error or critical or Windows Event severity error. The OR operator ensures, that every of these cases will be accepted. When the messages are approved of fitting into the filter, the action will process them.

centralized_monitoring_1021

Click on the "Send Email" action now. You will see the configuration window on the right pane. Currently, there are only the default values in there.

centralized_monitoring_1022

We need to change some settings here, like the Mailserver, Sender and Recipient, the subject and the Mail Priority. If necessary for your mail server, you need to change the authentification settings at the bottom as well. in our example we need SMTP Authentication for that. If you want, you could even enable the backup mail server.

Now we have all actions fully configured. It is now time to setup the configured services.

Step 1.4

Currently, when clicking on Configured Services you will not see a thing. But we will configure the services now. Without them, MonitorWare Agent is not able to get any log messages. We will setup 2 Syslog Receiver, 1 EventLog Monitor and 1 File Monitor.

centralized_monitoring_1030

When right clicking on Configured Services a context-menu will open. By moving your cursor to "Add Service" you can see a list of Services, that may be configured. The list seems pretty long, but we basically need 3 services of them.

centralized_monitoring_1024

Click on "Syslog Server" first. The Services Wizard will open. Simply click on Finish for now. Repeat this again for Syslog Server, EventLogMonitor V2 and File Monitor.

centralized_monitoring_1025

In the end, you should have a list with 4 Services. For our example I renamed the services by doing a right-click on the Service name I wanted to change and the choosing "Rename Service". This was mostly to distinct the two Syslog Servers.

Step 1.5

Settings for Syslog Server UDP

centralized_monitoring_1026

We can leave the "Syslog Server UDP" on default settings. It is already listening to UDP on port 514. The rest of the default settings is just fine.

Step 1.6

Settings for Syslog Server TCP

centralized_monitoring_1027

We will now go to the "Syslog Server TCP" now. Here we need to change several settings. Change the protocol type to TCP and the Listener Port to 10514. Further, we need to enable the option "Messages are separated by the following sequence" in the TCP options. It should look like this now:

Step 1.7

Settings for Event Log Monitor V2

centralized_monitoring_1028

The Event Log Monitor V2 needs no additional setup. Again the default values are ok. If you want specific Event categories not to be stored, you can disable the options. But the basic format is sufficient.

Step 1.8

Settings for File Monitor

centralized_monitoring_1029

The File Monitor needs some additional settings. First, enable the option "Allow Directories or read multiple files". You will see, that the use of wildcards will be automatically enabled and some other options completely being disabled.

Then we need to set the source files. For our example, we want to monitor the IIS logfiles. At the top of the File Monitor configuration you can see the option "File and path name". There is a Browse button right next to it. Click it.

A windows explorer window will open, where you can choose the file you want to monitor. Navigate to the path C:\inetpub\logs\LogFiles\W3SVC1\. This is the location where the log files are stored. Please note, that the file location could be different when using another version of IIS. Choose the first file in the list. (Note: Daily Internet Information Server log files are named “u_exyymmdd.log”, with yy being the 2 digit year, mm the month and dd the day of month. To generate the same name with file monitor, use the following name “u_ex%y%m%d.log”.)
Set the Logfile Type to “W3C WebServer Logfile”.

Please note, that this step can be easily adapted for other log files (e.g. DHCP log files) as well.

Step 1 Finished

We have now finished the configuration for our central server. It will now be able to receive syslog either via TCP (port 10514) or UDP (port 514), monitor the local Event Log as well as the IIS logfiles. Once more click the "Save" button to save the configuration (if not done already) and start the service. All log messages will now be stored into the database as they arrive/occur. Further, administrators will be alerted via email once an error occurs.

<< Go back to the main page

How To setup Windows centralized Monitoring

Friday, October 26th, 2007

How To setup Windows centralized Monitoring

Article created 2007-10-26 by Florian Riedl
Article updated 2011-05-23 by Tom Bergfeld

Please Note: This article is valid for EventReporter, WinSyslog and MonitorWare Agent in addition to MonitorWare Console!

Windows systems monitoring is really important for all small to large sized environments. The MonitorWare line of products helps to accomplish this important task. This article is to help you establish a small setup to monitor your Windows systems.

This article is strictly task focused. It does not describe why the systems should be monitored nor does it provide any further background. Please see the respective backgrounds or each of the products documentation on this. This article is a step-by-step description of what you need to do in order to centrally monitor your Windows systems.

Centralized Event Reports

In this step-by-step guide, we want to monitor the windows eventlog on all of our client machines (which can be done either with EventReporter or MonitorWare Agent) and then forward the logfiles to a central log server which writes the data into a database (can be done with WinSyslog or MonitorWare Agent). After this, MonitorWare Console should read the data from this database and automatically generate event summaries for the monitored servers.

This guide focuses on a typical small to medium business topography with a single geographical location and five windows clients and a central hub server. All systems are well connected via a local ethernet. Event reports from all machines should be stored in a database. The administrator shall receive daily consolidated event reports.

What you need

In this guide, I am focusing on building a solution with Adiscon’s EventReporter, WinSyslog and MonitorWare Console. (Please note that you can use and configure MonitorWare Agent in the same way like either WinSyslog or EventReporter because it is our main product which has all the features of the other two products too. Please also see our article on which product to choose if you are in doubt which one is right.)
This combination allows you to centralize all your event logs and reports on them. Free 30 day trial versions are available at the respective product sites (links below), so you can try our products without the need to buy anything. You need to run the following products:

  • One EventReporter (alternative: MWAgent) for each system that is to be monitored. In our scenario, this means 6 copies, one for each client and one for the central hub server, if you want to monitor the hub server as well.
  • One WinSyslog (alternative: MWAgent) to receive and store event reports from the EventReporter (alternative: MWAgent) monitoring agents.
  • One MonitorWare Console to automatically generate consolidated reports based on the gathered log data. MonitorWare Console is a very comprehensive tool that helps you to carry out sophisticated analysis of your system. For more information about MonitorWare Console, please refer to its manual.

Notes:

  • You need administrative privileges on each of the machines. This is required both for installation and configuration. Make sure you log on with a sufficiently privileged user account.
  • You need a database to store the events. Recommended are MySQL or MSSQL databases, but you could use a JET database as well.
  • To deliver MonitorWare Console reports, you need a mail server capable of talking SMTP (most modern servers support this)

Step 1 – Download Software

You should check the web sites for new versions if you downloaded your copies a while ago as security and monitoring is a short lived business, and new product versions can appear quickly. Please visit www.eventreporter.com/en/download, eventually www.mwagent.com/en/download, www.winsyslog.com/en/download and www.mwconsole.com/en/download/ to download the latest versions of EventReporter, MWAgent, WinSyslog and MonitorWare Console.

Step 2 – Installing WinSyslog/MWAgent

Identify the system; WinSyslog or MWAgent (and probably MonitorWare Console) should run on. Take a note of its IP address or host name. You’ll need this value when configuring the EventReporter clients. For our example, I assume this system has an IP address of 192.168.0.1.

Run the WinSyslog/MWAgent setup with default parameters. When setup has finished, it automatically is configured to operate as a simple Syslog server. However, it does not yet use a database as we need it to. We’ll later set it up to write data into the database.

Step 3 – Install EventReporter/MWAgent

Run the EventReporter/MWAgent setup program on all systems that should be monitored. This means you need to run it on all five clients and the central hub server (as mentioned above that it is also to be monitored).

For larger installations (with many more servers) there are ways to set it up in a simpler fashion, but in a scenario like ours, it is faster to install it on each machine manually. You can install it with the default settings. When setup has finished, the program automatically is configured to operate simply to report events. However, it does not yet create the log in our database we need. So we will go ahead and change this on each of the machines or by launching it on one machine and remotely connecting to the others. It is your choice. In this sample, I use the EventReporter/MWAgent on each machine (it is easier to follow).

Step 4 – Configuring the Central Agent

The steps described are for setting up your WinSyslog/MWAgent installation on your central hub server. Some steps will be described in a mini-guide, so be sure to follow the links:

1. Start WinSyslog/MWAgent.

2. Select your language – in this example, I use English, so it might be a good idea to choose English even if that is not your preference. You can change it any time later, but using English makes it much easier to follow this guide here.

3. We will now create a ruleset for logging into a database. You can see the detailed steps in the following guide. It describes setting up the action and the ODBC datasource. In this example, a JET database will be used, but you can adapt these steps to let the ODBC driver point to a different database. For setting up the database, please refer to the software producer. Immediate troubleshooting can be done with us, too.
How to create a ruleset for database logging?

4. Now that we have created our ruleset, we are ready to configure the receiving service. Again, follow the mini-guide for the specific steps. We will create a SETP server. With this, we will be able to receive the eventlog data from our agents on our central hub server. Why not using syslog? Because syslog will change the format of the log message and for creating reports we need the correct format.
How to create a SETP server service?

5. Make sure you press the "Save" button – otherwise your changes will not be applied. The only thing left is to start/restart the service with the Play button. Once done, your central agent is ready to receive the log data and store it into your database.

Step 5 – Configuring the Reporting Agents

The steps you will take now will show you how to setup your EventReporter/MWAgent to monitor your Windows Events and forward them via SETP to your central hub server from Step 4. The procedure is the same as above. Follow the links to the miniguides for a detailed description of the respective step.
Please Note: If you use MonitorWare Agent on your central hub server, then you do not need to install EventReporter. You can do these configuration parts in MWAgent, too. You just have to make sure, that the service uses the correct ruleset!

1. Start WinSyslog/MWAgent

2. Again, you can select the language to use. And again, I suggest using English, as this makes the guide easier to follow.

3. We will now setup a new ruleset for forwarding the log data to our central host. Please make sure, that you insert the IP 192.168.0.1 (respective the IP you noted and which belongs to your central hub server) into the forward SETP action. This is crucial or else your central hub server will not receive any data.
How to create a Forward vis SETP Action?

4. After creating the ruleset, we will now create the service which will poll the eventlog data for forwarding via SETP. The service we are going to create is the EventLog Monitor. It will check in set time intervals for new events and if some occurred, they will be processed by the ruleset. Here are the steps for this procedure:
How to create the EventLog Monitor Service?

5. Again, make sure you press the "Save" button – otherwise your changes will not be applied. The only thing left is to start/restart the service with the Play button. Once done, you reporting agent will begin to poll the log data from your eventlog and forward it via SETP to your central hub.

Step 6 – Installing and Configuring MonitorWare Console

Now we will turn to MonitorWare Console. To keep traffic low, you could set this up on your central hub server as well. This will give MonitorWare Console direct access to the database and helps to perform better. In the following guide, we show you how to install MonitorWare Console and do the basic configuration steps:
MonitorWare Console 3.x – Installation and Configuration Steps

Step 7 – Generating Reports with MonitorWare Console Manually

This section explains how the reports can be generated with MonitorWare Console manually. Since "System Status" Report is most comprehensive report that tells a detailed description about the network, in this section I will explain this report only. Please note, that the procedure for generating any report is almost the same.
How To Generate Reports with MonitorWare Console 3.x Manually

Step 8 – Scheduling the Generation of Reports with MonitorWare Console

This section explains how the reports can be generated with MonitorWare Console automatically using Job Manager. With Job Manager, you can generate all the reports based on a pre-defined schedule and ask it to either store it in some location on the hard disk or send it to specified recipient via email. Once again, I will explain the scheduling of System Status Report in this section. Please note that, the procedure for scheduling any report is the same.
How To Schedule Reports with MonitorWare Console 3.x

You are done!

Well, this is all you need to do to configure the basic operations. Once you are comfortable with the basic setup, you can enhance the system with local pre-filtering of event, enhanced logging and alerting (with MonitorWare Agent) and changing report options (with MonitorWare Console).

I hope this article is helpful. If you have any questions or remarks, please do not hesitate to contact us at support@adiscon.com.

Supported Windows Versions: Windows 7 / 2008 / Vista / 2003 / XP

How To setup Windows centralized Monitoring

Monday, June 19th, 2006

How To setup Windows centralized Monitoring

Article created 2006-02-13 by Timm Herget
Article updated 2006-06-19 by Timm Herget.

Please Note: This article is valid for EventReporter 8.x and lower, WinSyslog 7.x and lower and MonitorWare Agent 4.x and lower in addition to MonitorWare Console 2.1 !

Windows NT/2000/XP/2003 systems monitoring is really important for all small to large sized environments. MonitorWare line of products helps to accomplish this important task. This article is to help you establish a small setup to monitor your Windows NT/2000/XP and 2003 systems.

This article is strictly task focused. It does not describe why the systems should be monitored nor does it provide any further background. Please see the respective backgrounders or each of the products documentation on this. This article is a step-by-step description of what you need to do in order to centrally monitor your Windows NT/2000/XP and 2003 systems.

Centralized Event Reports

In this step-by-step guide, we want to monitor the windows eventlog on all of our client machines (which can be done either with EventReporter or MonitorWare Agent) and then forward the logfiles to a central logserver which writes the data into a database (can be done with WinSyslog or MonitorWare Agent). After this, MonitorWare Console should read the data from this database to automatically generate event summaries for the monitored servers and other devices.

This guide focuses on a typical small to medium business topography with a single geographical location and five windows clients and a central hub server. All systems are well connected via a local ethernet. Event reports from all machines should be stored in a database. The administrator shall receive daily consolidated event reports.

What you need

In this guide, I am focusing on building a solution with Adiscon’s EventReporter, WinSyslog and MonitorWare Console. (Please note that you can use and configure MonitorWare Agent in the same way like either WinSyslog or EventReporter because it is our main product which has all the features of the other two products too. Please also see our article on which product to choose when in doubt which one is right.)
This combination allows you to centralize all your event logs and reports on them. Free 30 day trial versions are available at the respective product sites (links below), so you can try the system without the need to buy anything. You need to run the following products:

  • One EventReporter (alternative: MWAgent) for each system that is to be monitored. In our scenario, this means 6 copies, one for each client and one for the central hub server, if you want to monitor the hub server as well.
  • One WinSyslog (alternative: MWAgent) to receive and store event reports from the EventReporter (alternative: MWAgent) monitoring agents.
  • One MonitorWare Console to automatically generate consolidated reports based on the gathered log data. MonitorWare Console is a very comprehensive tool that helps you to carry out sophisticated analysis of your system. For more information about MonitorWare Console, please refer to its manual.

Notes:

  • To deliver MonitorWare Console reports, you need a local web server (for example Microsoft’s IIS or Apache) and a mail server capable of talking SMTP (most modern servers support this)
  • You need administrative privileges on each of the machines. This is required both for installation and configuration. Make sure you log on with a sufficiently privileged user account.

Step 1 – Download Software

You should check the web sites for new versions if you downloaded your copies a while ago as security and monitoring is a short lived business, and new product versions can appear quickly. Please visit www.eventreporter.com/en/download, eventually www.mwagent.com/download, www.winsyslog.com/en/download and www.mwconsole.com/en/download/ to download the latest versions of EventReporter, MWAgent, WinSyslog and MonitorWare Console.

Step 2 – Installing WinSyslog/MWAgent

Identify the system; WinSyslog or MWAgent (and probably MonitorWare Console) should run on. Take a note of its IP address or host name. You’ll need this value when configuring the EventReporter clients. For our example, I assume this system has an IP address of 192.168.0.1.

Run the WinSyslog/MWAgent setup with default parameters. When setup has finished, it automatically is configured to operate as a simple Syslog server. However, it does not yet use a database as we need it to. We’ll later set it up to write data into the database.

Step 3 – Install EventReporter/MWAgent

Run the EventReporter/MWAgent setup program on all systems that should be monitored. This means you need to run it on all five clients and the central hub server (as mentioned above that it is also to be monitored).

For larger installations (with many more servers) there are ways to set it up in a simpler fashion, but in a scenario like ours, it is faster to install it on each machine manually. You can install it with the default settings. When setup has finished, the program automatically is configured to operate as a simple event reporter. However, it does not yet create the log in our database we need. So we will go ahead and change this on each of the machines or by launching it on one machine and remotely connecting to the others. It is our choice. In this sample, I use the EventReporter/MWAgent on each machine (it is easier to follow).

Step 4 – Create a RuleSet for sending via SETP

The steps to configure the EventReporter/MWAgent on each machine are as follows (repeat this on each of the 5 client machines). This step needs not to be done on the central hub server!:

1. Start EventReporter/MWAgent.

2. Select your language – in this example, I use English, so it might be a good idea to choose English even if that is not your preference. You can change it any time later, but using English makes it much easier to follow this guide here.

3. Then define a new rule set, right click "Rules". A pop up menu will appear. Select "Add Rule Set" from this menu. On screen, it looks as follows:

4. Then, a wizard starts. Change the name of the rule to whatever name you like. We will use "Sending SETP" in this example and click on Finish. The screen looks as follows:

Now rightclick on the newly created RuleSet and select "Rules", then "Add Rule" in the upcoming DropDownMenu. The Screen should look as follows:

Expand the new Rule and rightclick on "Actions", then select "Add Action" and "Send SETP":

5. After above steps the Action Wizard will come up. Change the name of the rule to whatever name you like. In our case we will name the Action "Send SETP 1″. Click on Finish.

6. Now, type the IP address or host name of our central hub server in the "Servername" field of the newly created Send SETP Action configuration:

7. Make sure you press the "Save" button – otherwise your changes will not be applied.

Step 5 – Create a RuleSet for database logging

This step needs only to be done on the central hub server!

1. Start WinSyslog/MWAgent

2. Again, you can select the language to use. And again, I suggest using english, as this makes the guide easier to follow.

3. Then define a new rule set, right click "Rules". A pop up menu will appear. Select "Add Rule Set" from this menu. On screen, it looks as follows:

4. Then, a wizard starts. Change the name of the rule to whatever name you like. We will use "Database Logging" in this example. The screen looks as follow:

Click "Next". A new wizard page appears as appeared in the case of EventReporter/MWAgent. Select only Database Logging here. Do not select any other options for this example. Also, leave the "Create a Rule for each of the following actions" setting selected. Click "Next". You will see a confirmation page as showned in the case of EventReporter/MWAgent and there you have to click Finish.

5. After above steps you will see that the new Rule Set "Database Logging" is present. Please expand it in the tree view until the action level of the "Database Logging" Rule and select the "Database Logging" action to configure.

6. Now click on the Data Sources (ODBC) button to open the ODBC Data Source Administrator. Then choose the "System DSN" tab and click the "Add" button to add a new System-DSN (Select the Microsoft Access driver like in the screenshot below).

8. In the next step, click the "Select button" and go to the WinSyslog/MWAgent installation directory (Usually C:\program files\*productname*\) and choose the sample database called sample97.mdb. After that name the new DSN with "MyDatabaseDSN" like in the following screenshot and press OK.

9. Now close the ODBC Data Source Administrator and switch back to the WinSyslog/MWAgent Client and insert "MyDatabaseDSN" in the DSN field. Leave all other settings in their default and save the changes.

Step 6 – Create an Event Log Monitor Service

The steps to configure the EventReporter’s/MWAgent’s are as follows. Repeat this step on each of the 5 client machines and the central hub server, if you want to log events from there as well.

Also make sure that there is only one Event Log monitor at a time activated. EventReporter 7.1/MWAgent 3.1 is installed with a default Event Log monitor service. You can use that or create a new one by following these instructions:

1. First, right-click on "Running Services", then select "Add Service" and the "Event Log Monitor".

Once you have done so, a new wizard starts.

2. Again, you can use either the default name or any one you like. We will use "My Event Log Monitor" in this sample. Leave the "Use default settings" selected and press "Next".

3. As we have used the default, the wizard will immediately proceed with step 3, the confirmation page. Press "Finish" to create the service. The wizard completes and returns to the configuration client.

4. Now, you will see the newly created service beneath the "Services" part of the tree view. To check its parameters, select it:

As you can see, the service has been created with the default parameters.

Please note that the "Default RuleSet" has been automatically assigned as the rule set to use. By default, the wizard will always assign the first rule set visible in the tree view to new services. In our case, this is not correct and will be corrected later.

5. Click Advanced Options button in General Options group box. You will be shown a pop up as shown below:

Here check Use Legacy Format and as soon as you check this box, check boxes disabled right now will be enabled and you have to uncheck; Add Username and Syslog Message Numbers.

6. Now we have to make sure that the EventReporter’s/MWAgent’s use the configured "Forward Syslog" Ruleset we created in Step 3. Select that as the rule set to use.

7. Finally, save the changes and  start the EventReporter/MWAgent service. This procedure completes the configuration of the event log forwarder.

EventReporter/MWAgent is not able to dynamically read changed configurations. As such, it needs to be restarted after such changes. In our sample, the service was not yet started, so we simply need to start it. If it already runs, you need to restart it.

With step 5 the client machines configuration has finished. All the next steps are only concerned with the central hub server.

Step 7 – Create a SETP Server Service

The steps to configure the central WinSyslog/MWAgent are as follows (only on central hub server!):

1. First, right click on "Services", then select "Add Service" and the "SETP Server".

Once you have done so, a new wizard starts.

2. Again, you can use either the default name or any one you like. We will use "My SETP Server" in this sample. Leave the "Use default settings" selected and press "Next".

3. As we have used the default, the wizard will immediately proceed with step 3, the confirmation page. Press "Finish" to create the service. The wizard completes and returns to the configuration client.

4. Now, you will see the newly created service beneath the "Services" part of the tree view. To check its parameters, select it:

As you can see, the service has been created with the default parameters.

5. To use the "Database Logging" RuleSet we have created in Step 4, select it as rule set to use.

6. Last, save the change and then restart the WinSyslog/MWAgent service. This procedure completes the configuration of the SETP server.

WinSyslog/MWAgent cannot dynamically read changed configurations. As such, it needs to be restarted after such changes.

Step 8 – Preparing Web Server for MonitorWare Console

MonitorWare Console publishes its reports through the local web server (central hub server). To avoid confusion, we recommend creating a separate directory on the web server for MonitorWare Console. Let us assume that you use Microsoft Internet Information Server and run it with the default configuration. Then, your web pages are stored in the c:\inetpub\wwwroot directory. Create a subdirectory "MonitorWare Console" directly under this directory.

Step 9 – Installing and Configuring MonitorWare Console

Step 10 – Generating Reports with MonitorWare Console Manually

This section explains how the reports can be generated with MonitorWare Console manually. Since "System Status" Report is most comprehensive report that tells a detailed description about the network, in this section I will explain this report only. Please note, that the procedure for generating any report is almost the same.

Step 11 – Scheduling the Generation of Reports with MonitorWare Console

This section explains how the reports can be generated with MonitorWare Console automatically using Job Manager. With Job Manager, you can generate all the reports based on a pre-defined schedule and ask it to either store it in some location on the hard disk or send it to specified recipient via email. Once again, I will explain the scheduling of System Status Report in this section. Please note that, the procedure for scheduling any report is the same.

You are done!

Well, this is all you need to do to configure the basic operations. Once you are comfortable with the basic setup, you can enhance the system with local pre-filtering of event, enhanced logging and alerting (with MonitorWare Agent) and changing report options (with MonitorWare Console).

I hope this article is helpful. If you have any questions or remarks, please do not hesitate to contact me at therget@hq.adiscon.com.

How To setup PIX centralized Monitoring

Friday, June 9th, 2006

How To setup PIX centralized Monitoring

Article created 2005-05-17 by Hamid Ali Raja
Last Updated 2006-06-19 by Timm Herget.

Adiscon Products can be used to efficiently analyze PIX traffic as well. This article is strictly task focused. It does not describe why the systems should be monitored nor does it provide any further background. Please see the respective backgrounders or product documentation on this. This article is a step-by-step description of what you need to do in order to centrally monitor your PIX Logs.

Centralized Event Reports

In this step-by-step guide, MonitorWare Agent / WinSyslog is configured to work together with Adiscon’s MonitorWare Console to generate summaries for the traffic passing to and from PIX.

What you need

In this guide, I am focusing on building a solution with Adiscon’s MonitorWare Agent / WinSyslog and MonitorWare Console. This guide will be equally good for you if you want to configure MonitorWare Console with MonitorWare Agent or to configure MonitorWare Console with WinSyslog. The reason is that in this configuration we need to have a Syslog Daemon that will be listening for Syslog messages. Since both MonitorWare Agent and WinSyslog can act as  Syslog Daemons and since the setup procedure for both of them as a Syslog Daemon is exactly the same, this guide can be used for both the cases.

This combination allows you to centralize all your logs and generate reports on them. Free 30 day trial versions are available at the respective product sites (links below), so you can try the system without the need to buy anything.

You need to run the following products:

  • 1 MonitorWare Agent / WinSyslog for the system that will act as the Syslog Daemon.
  • 1 MonitorWare Console to generate consolidated reports based on the gathered log data. This will also be installed on the same machine where you have installed MonitorWare Agent / WinSyslog
  • To deliver MonitorWare Console’s reports, you need a local web server (for example Microsoft’s IIS or Apache) and a mail server capable of talking SMTP (most modern servers support this)

You need administrative privileges on each of the machines. This is required both for installation and configuration. Make sure you log on with a sufficiently privileged user account.

Step 1 – Download Software

You need to download the following software to follow this step by step guide:

1. www.mwagent.com/download or www.winsyslog.com/en/download
2. www.mwconsole.com/en/download

Step 2 – Install MonitorWare Agent / WinSyslog

Run the MonitorWare Agent / Winsyslog setup program on the system that is to act as the central server. Take a note of this server’s IP address or host name. You’ll need this value when configuring PIX to forward the messages to it.

Step 3 – Configure a Syslog Server

The steps to configure the MonitorWare Agent / WinSyslog as a Syslog Server are as follows:

Configuring a Syslog Server

Step 4 – Create a RuleSet for Database Logging

In this section, you will create an action to write the messages that are coming from PIX to a database. Please note that these steps would be exactly the same for both MonitorWare Agent and WinSyslog.

Database Logging Steps

After configuring this RuleSet, make sure that

  • This rule set is associated with the Syslog Server Service that you created in Step 3. You can do this by clicking on the Syslog Server Service that you created in Step 3 on the left hand side and by selecting the name of the rule set that you created in Step 4 in "Rule Set to Use" combo box on the right hand side.
  • The service is running. You can do this by clicking on the Play button at the top of the Client.

Step 5 – Configure PIX

In this step, you will need to configure PIX in such a way so that it sends the messages to the Syslog Server that you created in the above step. You would need to give the IP address or the hostname in PIX

PIX Configuration Steps

Step 6 – Preparing Web Server for MonitorWare Console

MonitorWare Console publishes its reports through the local web server (central hub server).

To avoid confusion, we recommend creating a separate directory on the web server for MonitorWare Console. Let us assume you use Microsoft Internet Information Server and run it in the default configuration. Then, you web pages are stored in the c:\inetpub\wwwroot directory. Create a subdirectory "MonitorWareConsole" directly beneath this directory.

Step 7 – Installing and Configuring MonitorWare Console

MWConsole- Installation and Configuration Steps

Step 8 – Generating PIX Reports with MonitorWare Console Manually

Following are the reports in MonitorWare Console that can be generated for PIX logs.

  • Accessed Web Sites Report
  • Blocked Ports Activity Report
  • Possible Attacks Report
  • Traffic By Hour Report
  • Traffic By Port Report
  • Outbound Traffic By IP
  • Traffic by Target IP
  • Who is Attacking Me Report

This section explains how the PIX reports can be generated with MonitorWare Console manually. In this section I will explain the generation of "Who is Attacking Me" report only. Please note that, the procedure for generating any report is almost the same.
Generating PIX Reports with Console 2.1 Manually

Step 9 – Scheduling the Generation of Reports with MonitorWare Console

This section explains how the reports can be generated with MonitorWare Console automatically using Job Manager. With Job Manager, you can generate all the reports based on a pre-defined schedule and ask it to either store it in some location on the hard disk or send it to specified recipient via email. The following section explains the scheduling of System Status Report. You can use exactly the same method to generate any of the PIX reports that are mentioned above.

Scheduling Reports with Console 2.1

You are done!

Well, this is all you need to do to configure the basic operations. We hope this article is helpful. If you have any questions or remarks, please do not hesitate to contact us at support@adiscon.com

How To setup Windows centralized Monitoring

Tuesday, April 5th, 2005

How To setup Windows centralized Monitoring

Article created 2005-04-05 by Hamid Ali Raja.

Monitoring Windows NT/2000/XP/2003 is important even for small environments. This article is strictly task focused. It does not describe why the systems should be monitored nor does it provide any further background. Please see the respective backgrounders or product documentation on this. This article is a step-by-step description of what you need to do in order to centrally monitor your Windows NT/2000/XP and 2003 systems.

This article has been extracted from the MonitorWare Agent documentation. Please be sure to check the MonitorWare Agent online help if a newer version is available.

Centralized Event Reports

In this step-by-step guide, MonitorWare Agent is configured to work together with Adiscon’s MonitorWare Console to automatically generate event summaries for the monitored servers and other devices.

This guide focuses on a typical small to medium business topography with a single geographical location and 5 Windows clients and a central hub server. All systems are well connected via a local Ethernet. Event reports from all machines should be stored in a database. The administrator shall receive daily consolidated event reports.

What you need

In this guide, I am focusing on building a solution with Adiscon’s MonitorWare Agent and MonitorWare Console. This combination allows you to centralize all your event logs and report events from them. Free 30 day trial versions are available at the respective product sites (links below), so you can try the system without the need to buy anything.

You need to run the following products:

  • 1 MonitorWare Agent for each system that is to be monitored. In our scenario, this means 6 copies, one for each client and one for the central hub server to be monitored.
  • 1 MonitorWare Console to generate consolidated reports based on the gathered log data.
  • To deliver MonitorWare Console’s reports, you need a local web server (for example Microsoft’s IIS or Apache) and a mail server capable of talking SMTP (most modern servers support this)

You need administrative privileges on each of the machines. This is required both for installation and configuration. Make sure you log on with a sufficiently privileged user account.

Step 1 – Download Software

As you read the MonitorWare Agent manual, you most probably downloaded the MonitorWare Agent. If you haven’t, please visit www.mwagent.com/en/download to do so. In addition to the agent, you also need MonitorWare Console. A free, full-featured 30 day trial is available at http://www.mwconsole.com/en/download/.

Step 2 – Install MonitorWare Agent

Run the MonitorWare Agent setup program on all systems that should be monitored. This means you need to run it on all 5 clients and the central hub server. Take a note of the central hub server IP address or host name. You’ll need this value when configuring the agents on the client machine. For our example, we assume this system has an IP address of 192.168.0.1.

For larger installations (with many more servers) there are ways to set it up in a simpler fashion, but in a scenario like ours, it is faster to install it on each machine manually. You can install it with the default settings. When setup has finished, the program automatically is configured to operate as a simple syslog server. However, it does not yet create the log in our database we need. So we will go ahead and change this on each of the machines or by launching it on one machine and remotely connecting to the others. It is your choice. In this sample, I use the MonitorWare Agent on each machine (it is easier to follow).

Step 3 – Create a RuleSet for Forward by SETP

The steps to configure the agents are as follows (repeat this on each of the 5 client machines). This step needs not to be done on the central hub server!:

Forward via SETP Steps

Step 4 – Create a RuleSet for database logging

This step needs only to be done on the central hub server!

Database Logging Steps

Step 5 – Create an Event Log Monitor Service

The steps to configure the MonitorWare Agents are as follows (repeat this step on each of the 5 client machines and the central hub server!):

Event Log Monitor Service Steps

Step 6 – Create a SETP Server Service

The steps to configure the agents are as follows (only central hub server!):

SETP Server Service Steps

Step 7 – Preparing Web Server for MonitorWare Console

MonitorWare Console publishes its reports through the local web server (central hub server).

To avoid confusion, we recommend creating a separate directory on the web server for MonitorWare Console. Let us assume you use Microsoft Internet Information Server and run it in the default configuration. Then, you web pages are stored in the c:\inetpub\wwwroot directory. Create a subdirectory "MonitorWareConsole" directly beneath this directory.

Step 8 – Installing and Configuring MonitorWare Console

MWConsole- Installation and Configuration Steps (1.1)
MWConsole- Installation and Configuration Steps (2.0)
MWConsole- Installation and Configuration Steps (3.0)

Step 9 – Generating Reports with MonitorWare Console Manually

This section explains how the reports can be generated with MonitorWare Console manually. Since "System Status" Report is most comprehensive report that tells a detailed description about the network, in this section I will explain this report only. Please note that, the procedure for generating any report is almost the same.

Generating Windows Reports with Console 1.1 Manually
Generating Windows Reports with Console 2.0 Manually
Generating Windows Reports with Console 3.0 Manually

Step 10 – Scheduling the Generation of Reports with MonitorWare Console

This section explains how the reports can be generated with MonitorWare Console automatically using Job Manager. With Job Manager, you can generate all the reports based on a pre-defined schedule and ask it to either store it in some location on the hard disk or send it to specified recipient via email. Once again, I will explain the scheduling of System Status Report in this section. Please note that, the procedure for scheduling any report is the same.

Scheduling Reports with Console 1.1
Scheduling Reports with Console 2.0
Scheduling Reports with Console 3.0

You are done!

Well, this is all you need to do to configure the basic operations. Once you are comfortable with the basic setup, you can enhance the system with local pre-filtering of event, enhanced logging and alerting (with MonitorWare Agent) and changing report options (with MonitorWare Console).

We hope this article is helpful. If you have any questions or remarks, please do not hesitate to contact us at support@adiscon.com