Performance Tests and Results

Determining the overall performance of a tool is not an easy task. Adiscon sometimes gets asked what the actual performance values for products like WinSyslog and MonitorWare Agent are, especially the processing rate of received syslog messages. This cannot be answered easily, because there are a lot of factors to be considered.

Here are the results:

                      UDP      TCP
Messages per Second   33.000   128.000

The factor that most influences the performance of Adiscon’s tools is, of course, the hardware used. However, other factors such as overall system load, network load and the size of the messages also influence how fast the messages are processed.

Thus, we decided to run some tests. The results do not reflect any real-world scenario, but show what is possible in a somewhat ideal environment.

As a test environment we used the following hardware:

  • PC with an Intel i7-4790S @ 3.2GHz
  • 32GB RAM
  • SSD hard drive
  • Windows 10
  • MonitorWare Agent with the most default and basic configuration to receive and store syslog messages
  • Virtual machine with Ubuntu running tcpflood from the rsyslog testbench to insert syslog messages

The system we tested on is relatively common PC hardware with the above-mentioned specifications. We used a virtual machine to run tcpflood (from the rsyslog testbench) to send bulk syslog messages to MonitorWare Agent. MWAgent, on the other hand, was configured to just act as a syslog receiver and to store the messages in a text file on the SSD. No filters, no additional processing. The whole setup was running on the same machine. We tested with UDP and TCP transmission. The tested volumes were 1 million messages.

Questions about Queues

Is the queue limit applied to all services or per service?

The queue limit applies to all services combined, be it a syslog listener, eventlog or file monitor. It does not differ between services; the memory queue is shared by all of them. The queue basically buffers message bursts that are higher than what MonitorWare Agent can forward/store. The default is 200000 log messages, which can be stored in memory.

What is better for TCP syslog forwarding – Diskqueue or Queue Diskcache?

The Queue Manager Diskcache is useful depending on whether you need high security. Beware: when it is enabled, the queued messages are always written to disk before processing. This will slow down the system a lot, depending on the speed of the hard drive. When forwarding via TCP syslog, the diskqueue stores the messages to disk to prevent message loss in case the peer or the connection fails. This queue is only used as needed, in contrast to the Queue Manager Diskcache, which is always used.

What is the recommended Queue limit?

The Queue Limit determines the number of unprocessed messages that can be stored in memory to allow message bursts to occur without the system stalling. However, the right value needs to be tested with a real use case and mainly depends on the messages that are received per second and the messages that can be forwarded/written per second.

How to perform a mass rollout?

Last Update 2013-01-02 by Florian Riedl

A mass rollout in the scope of this topic is any case where the product is rolled out to more than 5 to 10 machines and this rollout is to be automated. This is described first in this article. A special case may also be where remote offices shall receive exact same copies of the product (and configuration settings) but where some minimal operator intervention is acceptable. This is described in the second half of this article.

The common thing among mass rollouts is that the effort required to set up the files for unattended distribution of the configuration file and product executable is less than doing the tasks manually. For less than 5 systems, it is often more economical to repeat the configuration on each machine – but this depends on the number of rules and their complexity. Please note that you can also export and re-import configuration settings, so a hybrid solution may be the best when a lower number of machines is to be installed (normal interactive setup plus import of pre-created configuration settings).

Before considering a mass rollout, be sure to read “The MonitorWare Agent“. This covers necessary background information and most importantly the command line switches.

Automated Rollout

The basic idea behind a mass rollout is to create the intended configuration on a master (or baseline) system. This system holds the complete configuration that is later to be applied to all other systems. Once that system is fully configured, the configuration will be transferred to all others.

The actual transfer is done with simple operating system tools. The complete configuration is stored in the registry. Thus, it can be exported to a file. This can be done with the client. In the menu, select “Computer”, then select “Export Settings to Registry File”. A new dialog comes up where the file name can be specified. Once this is done, the specified file contains an exact snapshot of that machine’s configuration.

This snapshot can then be copied to all other machines and put into their registries with the help of regedit.exe.

An example batch file to install, configure and run the service on “other” servers might be:

copy \\server\share\mwagent.exe c:\some-local-dir
copy \\server\share\mwagent.pem c:\some-local-dir
cd /d c:\some-local-dir
mwagent -i
regedit /s \\server\share\configParms.reg
net start "AdisconMonitoreWareAgent"

Please note: These files are needed if you are using MonitorWare Agent 8.1 and above. If you are using an older version, you additionally need the files Microsoft.VC90.CRT.manifest, libeay32.dll, ssleay32.dll, msvcm90.dll, msvcp90.dll and msvcr90.dll.

The file “configParms.reg” would be the registry file that had been exported with the configuration client.

Of course, the batch file could also operate off a CD – a good example for DMZ systems which might not have Windows networking connectivity to a home server.

Please note that the above batch file fully installs the product – there is no need to run the setup program at all. All that is needed is to distribute the service, i.e. mwagent.exe and its helper DLLs, which are the core service. For a locked-down environment, this also means there is no need to allow incoming connections over Windows RPC or NETBIOS for an engine-only install.

Please note that, in the example above, “c:\some-local-dir” actually is the directory where the product is being installed. The “mwagent -i” does not copy any files – it assumes they are already at their final location. All “mwagent -i” does is to create the necessary entries in the system registry so that the MonitorWare Agent is a registered system service.

Branch Office Rollout with consistent Configuration

You can also use an engine-only install if you would like to distribute a standardized installation to branch office administrators. Here, the goal is not to have everything done fully automatically, but to ensure that each local administrator can set up a consistent environment with minimal effort.

You can use the following procedure to do this:

  1. Do a complete install on one machine.
  2. Configure that installation the way you want it.
  3. Create a .reg file of this configuration (via the client program).
  4. Copy the mwagent.exe, mwagent.pem, libeay32.dll, ssleay32.dll, Microsoft.VC90.CRT.manifest, msvcm90.dll, msvcp90.dll, msvcr90.dll and .reg file that you created to a CD (for example). Take these executable files from the install directory of the complete install done in step 1 (there is no specific engine-only download available).
  5. Distribute the CD.
  6. Have the users create a directory into which they copy all the files. This directory is where the product is installed – it may be advisable to require a consistent name (from an admin point of view – the product does not require this).
  7. Have the users run “mwagent -i” from that directory. It will create the necessary registry entries so that the product becomes a registered service.
  8. Have the users double-click on the .reg file to install the pre-configured parameters (step 3).
  9. Either reboot the machine (neither required nor recommended) or start the service (via the Windows “Services” manager or the “net start” command).

Important: The directory created in step 6 actually is the program directory. Do not delete this directory or the files contained in it once you are finished. Doing so would disable the product (no program files would be left on the system).

If you need to update an engine-only installation, you will probably only upgrade the master installation and then distribute the new exe files and configuration in the same way you distributed the original version. Please note that it is not necessary to uninstall the application first for an upgrade – at least not as long as the local install directory remains the same. It is, however, vital to stop the service, as otherwise the files can not be overwritten.

How to perform a mass update rollout?

Created 2008-10-10 by Florian Riedl

A mass rollout in the scope of this topic is any case where the product is rolled out to more than 5 to 10 machines and this rollout is to be automated. This is described in detail in the article “How to perform a mass rollout?”. We now want to take a look at the procedure to follow when you have already done a mass rollout and now want to update MonitorWare Agent to the current version.

Automated Rollout

The basic idea behind a mass rollout is to create the intended configuration on a master (or baseline) system. This system holds the complete configuration that is later to be applied to all other systems. Once that system is fully configured, the configuration will be transferred to all others. For this case, it means you have to update this system first, alter the configuration there if necessary and then export it.

The actual transfer is done with simple operating system tools. The complete configuration is stored in the registry. Thus, it can be exported to a file. This can be done with the client. In the menu, select “Computer”, then select “Export Settings to Registry File”. A new dialog comes up where the file name can be specified. Once this is done, the specified file contains an exact snapshot of that machine’s configuration.

This snapshot can then be copied to all other machines and put into their registries with the help of regedit.exe.

An example batch file to update, configure and run the service on “other” servers might be:

net stop "AdisconMonitoreWareAgent"

copy /Y \\server\share\mwagent.exe c:\some-local-dir
copy /Y \\server\share\mwagent.pem c:\some-local-dir
regedit /s \\server\share\update.reg
net start "AdisconMonitoreWareAgent"

The file “update.reg” would be the registry file that had been exported with the configuration client. Copying this file is optional, but recommended. In this configuration file, the new license key could be included as well as configuration changes.

Of course, the batch file could also operate off a CD – a good example for DMZ systems which might not have Windows networking connectivity to a home server.

Please note that the above batch file fully installs the product – there is no need to run the setup program at all. All that is needed is to distribute the service, i.e. mwagent.exe and its helper DLLs, which are the core service. For a locked-down environment, this also means there is no need to allow incoming connections over Windows RPC or NETBIOS for an engine-only install.

Please note that, in the example above, “c:\some-local-dir” actually is the directory where the product is being installed. The commands “net stop” and “net start” first stop the service before the new files are copied and then start it again after everything is finished.

How to get MonitorWare Agent 4.4 working on Windows NT4?

Created 2008-02-28 by Andre Lorbach

The last official version of MWAgent which is supported on Windows NT4 is version 3.1 Build 292.

Due to customer requests, we have created a special build of MonitorWare Agent version 4.4a which will also work on Windows NT4. However, this will definitely be the last official build which will work on NT4. The newer versions of MWAgent use features which are only available on Windows 2000 or higher. Please note that the installer used for MonitorWare Agent 4.4 cannot be run under NT4. As such, the setup procedure is a bit clumsy.

Follow these instructions to get MWAgent 4.4 build 333 working on Windows NT4.

  1. Download and install MonitorWare Agent 3.1 from here:
    http://www.mwagent.com/download
  2. Download and unpack the special NT4 Version of MonitorWare Agent 4.4 build 333 from here:
    http://download.adiscon.com/mwagent4.4-nt4build.zip
  3. If you haven’t yet, install the Active Directory Extension for Windows NT 4.0, either by download or using the dclient.exe from the package.
  4. Copy the unpacked files over your existing Installation.
  5. Configure and start the MonitorWare Agent.

If any problems occur, feel free to send us an email to support@adiscon.com.

Is SMS-alerting possible with a GSM modem and the Send to Communications Port-Action?

Created 2008-02-13 by Florian Riedl.

Which tools to use …

Each of our products (EventReporter, MonitorWare Agent and WinSyslog) contains an action which is able to send messages to the communications port of the PC. The question is whether it is possible to use a GSM modem connected to this port for realtime SMS alerting.

The “Send to communication port” action allows you to send data directly to the COM port of a PC. If you have a modem connected, the device will receive the message, interpret its content and act as programmed. In most cases, you would connect a serial audit printer or, for example, a separate display for showing recent log data. For this, in most cases, the pure message and a line feed will be sufficient.

Sending SMS

For sending to a modem device, in this case a GSM modem, you would need to know what the message must look like for the GSM modem to send an SMS with the message to a specific recipient. So in general, this is quite likely to work, but we have no information on hand about how to set up a specific message.

The easiest way to achieve SMS alerting is by using an E-Mail2SMS service. There are several service providers on the web who offer the possibility to send an e-mail to a gateway host, which will then send an SMS with the log message to a specified mobile phone number. This is the idea that is most likely to work.

In any case, both ideas are likely to become cost-intensive. If a large number of errors occur that should be forwarded, this could get out of control. We recommend using filter settings in order to get only emergency alerts via SMS. In any case, this kind of alerting involves extra costs.

Different providers are listed here:

Default Timevalues Setting in EventReporter/MonitorWare Agent/WinSyslog explained.

Created 2008-01-24 by Andre Lorbach.

The general options of each product (EventReporter, MonitorWare Agent and WinSyslog) contain a setting for the “Default Timevalues”. This setting can be set to Localtime or UTC (Coordinated Universal Time), which is the default.

If you switch this setting to Localtime, you may wonder why output timevalues are still in UTC.

Internally, we need to calculate with UTC time. This is needed in order to maintain the time values if they are sent via Syslog or SETP. If we didn’t do this, it could result in unexpected time differences.

So where does this setting have an effect?

  • Send Email Action: The date in the email header is affected.
  • Start Program Action: Time parameters in the command line are affected.
  • Write File Action: Time properties in the file name are affected.
  • Filter Engine: If you filter by weekday or time fields, localtime does affect the filter result.

But how can I get localtime output?

We added two additional options into the property engine which can be applied on time based values for this purpose.

Property Option: localtime = converts the output of the timestamp into localtime
Sample: %variable:::localtime%

Property Option: uxLocalTimeStamp = same output as uxTimeStamp, but localtime is used
Sample: %variable:::uxLocalTimeStamp%

How to use Stored Procedures with ‘write database’?

Created 2007-05-08 by Rainer Gerhards.

EventReporter, MonitorWare Agent and WinSyslog support stored procedures in their ‘write database’ actions. This option is supported for Microsoft SQL Server only. With other database systems, it might work, but Adiscon does not guarantee it.

Stored procedures are used just like database tables. The main difference is
that instead of the table name, the stored procedure name is provided and
instead of field names, parameters are provided. An example configuration looks
like this:

[Screenshot: Using stored procedures with WinSyslog, MonitorWare Agent and EventReporter]

The field order is relevant. Fields will be passed in that order as stored
procedure arguments. In the sample above, “Message” becomes sp argument 1 and “Priority”
argument 2. Of course, users need to supply the actual stored procedure. The
configuration above could be used with a stored procedure like this:

Please note that processing within the stored procedure is the user’s
responsibility. Most importantly, a stored procedure should not take too long to
execute, because this might affect overall product performance.
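
A stored procedure matching the field order described above, as an added example that is not Adiscon's original listing. The table, procedure and role names and the column sizes are assumptions; the procedure does a single insert so that it returns quickly.

```sql
-- Added illustration, not Adiscon's listing. Table, procedure and role names
-- and the column sizes are assumptions.
CREATE TABLE dbo.SyslogEvents (
    EventId    BIGINT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    ReceivedAt DATETIME2(3)   NOT NULL DEFAULT SYSUTCDATETIME(),
    Priority   INT            NULL,
    Message    NVARCHAR(2048) NOT NULL
);
GO

-- Parameter order follows the field order configured in the action:
-- argument 1 = "Message", argument 2 = "Priority".
CREATE PROCEDURE dbo.usp_StoreSyslogEvent
    @Message  NVARCHAR(2048),
    @Priority INT
AS
BEGIN
    SET NOCOUNT ON;  -- suppress the per-statement row-count message

    -- One insert only: keeps execution time short so the procedure does not
    -- slow down message processing in the calling service.
    INSERT INTO dbo.SyslogEvents (Priority, Message)
    VALUES (@Priority, ISNULL(@Message, N''));
END;
GO

-- Least privilege: the account used by the 'write database' action may run
-- the procedure but gets no direct rights on the table. Both objects are
-- owned by dbo, so ownership chaining lets the insert inside the procedure
-- succeed without an INSERT grant on the table.
CREATE ROLE syslog_writer;
GRANT EXECUTE ON OBJECT::dbo.usp_StoreSyslogEvent TO syslog_writer;
GO

-- Manual check with constructed values, passed in the same argument order.
EXEC dbo.usp_StoreSyslogEvent N'constructed test message', 3;
```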

Can I use the old EventLog Monitor with Vista?

Created 2007-04-18 by Florian Riedl.

Windows Vista has been available since early 2007. Due to the changes Microsoft introduced with Vista, the procedure for monitoring event logs with the non-Vista event log monitor has changed. Adiscon introduced the native Vista EventLog Monitor V2, which requires no specific prerequisites. Some customers still prefer to use the previous EventLog Monitor. We recommend against this. However, there may be some reasons for doing so. If so, you have to go to “Control Panel -> Administrative Tools -> Services”. In the list of Windows internal services, you have to find the service named “Remote Registry” and start it.

[Screenshot: Remote Registry Service]

Once the service is started, you are able to fully use the old EventLog Monitor again, just as if you were using Windows XP. Please keep in mind that only the XP-like subset of event logging is available via that monitor. To fully process Vista event logs, you need to switch to the V2 event log monitor.

Customers with further questions should kindly contact Adiscon support at support@adiscon.com.

I get format message errors (code 317). What does this mean?

Created 2007-04-10 by Florian Riedl.

You can come across this specific error when reviewing your EventLog data. The EventLog Monitor writes an entry to the EventLog and then retries. If debug is activated, an entry will be created there, too, looking like this:

“2212 | 1175784330 | Error | Error FormatMessage return 0, GetLastError = ‘317’”

The reason for this error is that there is something wrong with the source of the message. Mostly this happens if the EventLog Monitor reads events for applications which are no longer installed. Another cause could be that the source is simply corrupted. In these cases, this error occurs. Basically, this is not a problem of the EventLog Monitor, but a problem of the system itself having inaccurate sources.

In general, there is no real problem. The EventLog Monitor will continue to work just fine. It will simply go on with its run. Therefore you shouldn’t panic if this error occurs. It will be very helpful to first think about which application caused the entry and then check whether it is properly installed. If it doesn’t occur too often, it isn’t even worth bothering about.

If you need further information about format message errors or have questions and ideas concerning our products, send a mail to our Support Team.