A complete step by step guide on setting up centralized Windows event monitoring. It contains screenshots of all important dialogs as well as links to the necessary free downloads.

Monday, April 12th, 2010

How To setup Windows centralized Monitoring

Article created 2003-11-24 by Wajih-ur Rehman.

Article updated 2004-04-22 by Tamsila-Q-Siddique.

Monitoring Windows NT/2000/XP/2003 is important even for small environments.
This article is strictly task focused. It does not describe why the
systems should be monitored nor does it provide any further background. Please see
the respective backgrounders or product documentation on this. This article is a
step-by-step description of what you need to do in order to centrally monitor
your Windows NT/2000/XP and 2003 systems.

This article has been extracted from the
MonitorWare Agent documentation. Please be sure to check the MonitorWare Agent online help
if a newer version is available.

Centralized Event Reports

In this step-by-step guide, MonitorWare Agent is configured to work together with
Adiscon’s MonitorWare Console to automatically
generate event summaries for the monitored servers and other devices.

This guide focuses on a typical small to medium business topology with a single
geographical location and 5 Windows clients and a central hub server. All
systems are well connected via a local Ethernet. Event reports from all machines
should be stored in a database. The administrator shall receive daily
consolidated event reports.

What you need

In this guide, I am focusing on building a solution with Adiscon’s MonitorWare
Agent and MonitorWare Console. This combination allows you to centralize all your event logs
and report events from them. Free 30 day trial versions are available at the
respective product sites (links below), so you can try the system without the
need to buy anything.

You need to run the following products:

  • 1 MonitorWare Agent for each system that is to be monitored. In our scenario, this means 6
    copies, one for each client and one for the central hub server to be monitored.
  • 1 MonitorWare Console to generate consolidated reports based on the gathered log data.
  • To deliver MonitorWare Console’s reports, you need a local web server (for example Microsoft’s IIS or
    Apache) and a mail server capable of talking SMTP (most modern servers support
    this).

You need administrative privileges on each of the machines. This is required both
for installation and configuration. Make sure you log on with a sufficiently
privileged user account.

Step 1 – Download Software

As you read the MonitorWare Agent
manual, you most probably downloaded the MonitorWare Agent. If you haven’t,
please visit www.mwagent.com/download
to do so. In addition to the agent, you also need MonitorWare Console. A free,
full-featured 30 day trial is available at http://www.mwconsole.com/en/download/.

Step 2 – Install MonitorWare Agent

Run the MonitorWare Agent setup
program on all systems that should be monitored. This means you need to run it
on all 5 clients and the central hub server. Take note of the central hub
server IP address or host name. You’ll need this value when configuring the
agents on the client machines. For our example, we assume this system has an IP
address of 192.168.0.1.

For larger installations (with many
more servers) there are ways to set it up in a simpler fashion, but in a
scenario like ours, it is faster to install it on each machine manually. You can
install it with the default settings. When setup has finished, the program
is automatically configured to operate as a simple syslog server. However, it
does not yet write the log to the database, which is what we need. So we will go ahead and
change this, either locally on each of the machines or by launching the client on one machine and
remotely connecting to the others. It is your choice. In this sample, I use the
MonitorWare Agent on each machine (it is easier to follow).

Step 3 – Create a RuleSet for Forward by SETP

The steps to configure the agents are
as follows (repeat this on each of the 5 client machines). This step does not
need to be done on the central hub server!

Forward via SETP Steps

Step 4 – Create a RuleSet for database logging

This step needs to be done only on the central hub server!

Database Logging Steps

Step 5 – Create an Event Log Monitor Service

The steps to configure the MonitorWare Agents are as follows (repeat this
step on each of the 5 client machines and the central hub server!):

EventLogMonitor Service Steps

Step 6 – Create a SETP Server Service

The steps to configure the agents are as follows (only central hub server!):

SETP Server Service Steps

Step 7 – Preparing Web Server for MonitorWare Console

MonitorWare Console publishes its reports through
the local web server (central hub server).

To avoid confusion, we recommend
creating a separate directory on the web server for MonitorWare Console. Let us assume you
use Microsoft Internet Information Server and run it in the default
configuration. Then, your web pages are stored in the c:\inetpub\wwwroot
directory. Create a subdirectory "MonitorWareConsole" directly beneath this
directory.

Step 8 – Installing and Configuring MonitorWare Console

MWConsole- Installation and Configuration Steps (1.1)

MWConsole- Installation and Configuration Steps (2.0)

Step 9 – Generating Reports with MonitorWare Console Manually

This section explains how the reports can be generated with MonitorWare
Console manually. Since the "System Status" Report is the most comprehensive report and
gives a detailed description of the network, in this section I will explain
this report only. Please note that the procedure for generating any report is
almost the same.

Generating Windows Reports with Console 1.1 Manually

Generating Windows Reports with Console 2.0 Manually

Step 10 – Scheduling the Generation of Reports with MonitorWare Console

This section explains how the reports can be generated with MonitorWare
Console automatically using Job Manager. With Job Manager, you can generate all
the reports based on a pre-defined schedule and ask it to either store them in
some location on the hard disk or send them to a specified recipient via email. Once
again, I will explain the scheduling of the System Status Report in this section.
Please note that the procedure for scheduling any report is the same.

Scheduling Reports with Console 1.1

Scheduling Reports with Console 2.0

You are done!

Well, this is all you need to do to
configure the basic operations. Once you are comfortable with the basic setup,
you can enhance the system with local pre-filtering of events, enhanced logging
and alerting (with MonitorWare Agent) and changing report options (with
MonitorWare Console).

We hope this article is helpful. If you have any questions or remarks,
please do not hesitate to contact us at support@adiscon.com.

This is a step-by-step guide which describes how to monitor the Windows Update Log

Wednesday, June 13th, 2007

How To Monitor the Windows Update Log

Article created 2007-06-13 by Florian Riedl

This article describes how you can monitor the Windows Update log file. This helps you to keep track of when Windows Update starts and stops working or what it does. The Windows Update log stores much more information than Windows Update writes into the EventLog.

The article is applicable to MonitorWare Agent only.

Download MonitorWare Agent configuration file.

A complete step by step guide on setting up SETP action

Thursday, May 5th, 2005

How To setup an SETP Action

Article created 2005-05-05 by Hamid Ali Raja.

1. Start the Application.

2. Select your language – in this example, I use English, so it might be a good idea to
choose English even if that is not your preference. You can change it any time
later, but using English makes it much easier to follow this guide.

3. Then define a new rule set: right-click
"Rules". A pop-up menu will appear. Select "Add Rule Set" from this
menu. On screen, it looks as follows:

4. Then, a wizard starts. Change the name of the
rule to whatever name you like. We will use "Forward SETP" in this example.
The screen looks as follows:

Click "Next". A new wizard page appears.

5. Select only Forward by SETP. Do not select any
other options for this sample. Also, leave the "Create a Rule for each of the
following actions" setting selected. Click "Next". You will see a
confirmation page. Click "Finish" to create the rule set.

6. As you can see, the new Rule Set "Forward
SETP" is present. Please expand it in the tree view down to the action level of
the "Forward SETP" Rule and select the "Forward by SETP" action to
configure.

7. Now, type the IP address or host name of our
central hub server in the "Servername" field:

8. Make sure you
press the "Save" button – otherwise your changes will not be applied.

How to setup MonitorWare Agent, WinSyslog and EventReporter?

Wednesday, May 4th, 2005

How to setup MonitorWare Agent, WinSyslog and EventReporter?

Article created 2004-02-27 by Tamsila-Q-Siddique.
Article updated 2004-04-28 by Tamsila-Q-Siddique.
Article updated 2005-05-04 by Hamid Ali Raja.

WinSyslog and EventReporter are subsets of MonitorWare Agent. This means that there is no difference in how they are set up. You need administrative privileges on each of the machines. This is required both for installation and configuration. Make sure you log on with a sufficiently privileged user account.

  1. Download your desired software from: http://www.monitorware.com/download/
  2. After downloading the software start the client application.
  3. Select your language from English, Deutsch, French, Spanish or Japanese.
  4. Switch to the "License" tab.
  5. Enter the License Name and License Key into the respective fields.
  6. Click "OK".

This process will switch the product from the trial version to the licensed one. Be sure to enter the license name and license key exactly as provided by us. Remember that the license key information is case-sensitive. Documentation on how to enter the license key is in the manual. If you still encounter problems, please go through this License Information FAQ.

Note: If you aren’t a licensed user, a free, full-featured 30-day trial period is available for evaluation purposes.

Related Material – MonitorWare Agent, WinSyslog and EventReporter are installed as a "System Service" during setup. So the service operates in the background while your computer is running.

You can also opt for an "Engine Only" installation of MonitorWare Agent, WinSyslog and EventReporter. The following URLs will guide you through the "Engine Only" installation.

For MonitorWare Agent:
http://www.monitorware.com/common/en/References/mwagent-service30.php

For WinSyslog:
http://www.monitorware.com/common/en/References/ws-service60.php

For EventReporter:
http://www.monitorware.com/common/en/References/er-service-70.php

A complete step by step guide on setting up SETP Server Service

Thursday, April 14th, 2005

How To setup SETP Server Service

Article created 2005-04-04 by Hamid Ali Raja.

1. First, right
click on "Services", then select "Add Service" and then "SETP
Server".

Once you have done so, a new wizard starts.

2. Again, you can use either the default name or any one you like. We will use "My SETP
Server" in this sample. Leave the "Use default settings" selected and
press "Next".

3. As we have used the default, the wizard will
immediately proceed with step 3, the confirmation page. Press "Finish" to
create the service. The wizard completes and returns to the configuration
client.

4. Now, you will
see the newly created service beneath the "Services" part of the tree view.
To check its parameters, select it:

As you can see, the service has been created with the default parameters.

5. To use the
"Database Logging" RuleSet we have created in Step 4, select it as the rule set
to use.

6. Last, save the
change and then restart the application. This procedure completes the
configuration of the SETP server.

The application cannot dynamically read changed configurations. As such, it
needs to be restarted after such changes.

A complete step by step guide that explains how the reports can be generated with MonitorWare Console

Wednesday, March 10th, 2004

How To Generate Reports with MonitorWare Console Manually (For Windows
Reporting Module – applicable for 2.0)

Article created 2004-03-10 by Tamsila-Q-Siddique.

1. You need the Base Product Key and the Windows Reporting Module Key for this
scenario.

2. Once MonitorWare Console 2.0 is opened, on the left hand side, you can see a
tree view with a node called "Reports". Click on that node. It will show you
the list of available reports under it as well as on the right hand side. You
will see something similar to the following figure:

You can now click on any of the displayed reports. For the purpose of this
article, I have selected "System Status Report" because it is a very
comprehensive report and summarizes the overall network activity very well.
Once you click on the System Status Report, you will see something similar to
the figure shown below.

Note: Windows Reports are displayed in a band of Lilac whereas the PIX
Reports are displayed in a band of Blue.

3. Once you click on System Status Report, the following form will be displayed

4. This form displays the report options. If you double-click on any "Report",
this form opens with the default options that you have
set. (For details about defining global settings, please refer to MonitorWare
Console’s Manual which can be accessed by pressing the Help button in
MonitorWare Console’s tool bar). These settings help you out if you want to
generate many reports with almost the same settings.

Of course, you have the liberty to overwrite these settings. You can generate
reports on the data using the underlying database (even from another
database) or from a log file.

You have the option of generating the reports on the fly. Even if MonitorWare
Console is connected to some other database, you can still give any DSN, its
user name and its password, and the report will be generated on the
particular database to which the DSN is pointing. The same approach can be used with
the log files. You can override the default log file settings so that MonitorWare
Console generates reports using some other log file: give the Log
File Configurations in the above fields and the report will be generated on
that particular log file.

If "Generate Reports on data coming from database" is checked, then all of the
controls on the "Log File Reports" tab will be disabled. If "Generate Reports on
data coming from a log file" is checked, then all of the controls on the
"Database Reports" tab will be disabled. It means that these are mutually
exclusive.

You can select various templates for the HTML reports that will be generated
from the general tab, and this tab also allows you to pick images from the web or
from the local disk.


5. MonitorWare Console provides a powerful feature of letting users define and
apply filters on any report. Using this form, which is further explained in the
upcoming steps, you can apply the filters of your own choice on the underlying
database or on the log files. (For details about the filters, please refer to
MonitorWare Console’s Manual which can be accessed by pressing the Help button
in MonitorWare Console’s tool bar).

Case 1:

6. Let’s assume in this scenario that I am interested in getting a report for
the records that were logged (into the underlying database) after March 12, 2004
and were from the machine computer01.

7. For this scenario select the "Generate Reports on data coming from database"
option from the general tab. Switch to the Database Reports tab and setup the
filter in the following way:

8. At the bottom left of the screen shot above, you can see there is a button
which is called "Advanced Filters". The settings made in this form apply to
the form as a whole. If you click on this button, a form similar to the one
shown below will pop up:

With this Advanced Filters’ Form, you can specify some additional filters for
the System Status Report. This Advanced Filter form provides an opportunity to
consolidate the records to a great extent. I will give one example to clarify
this. Some events that are generated in the Windows Event Log have the same
message but sometimes contain different Microsoft links. If you select the
check box "Remove Microsoft links" above, it will remove the Microsoft links
before consolidating them and hence a number of different events with count 1
could be consolidated to just a single line. Please note that it doesn’t remove
the information permanently from the database. It just removes this information
for generating this report. Similarly other check boxes can be checked to
provide a greater level of consolidation.

9. Once you define the advanced filters in the form shown above, press the "Set"
button. You will be taken back to the previous Filter Form.

10. Once you have defined all the filters, you can actually save all of your
settings by pressing the "Save Report" Button in the Filter Form so that you
don’t have to define these filters daily if you are interested in seeing this
report daily.

11. You can now press the "Generate Report" button. It will open up a report in
HTML format according to your defined filters as shown below: (Please note that
some information has been removed purposely for security reasons)

System Status Report

In this report, you also have the option of expanding and contracting the node
of From Host, Event Log Type, Event Source and Event Id.

Case 2:


12. Let’s assume in this scenario that I am interested in getting a report on
all the records that were logged (into the log file).


13. For this scenario select the "Generate Reports on data coming from a log
file" option from the general tab. Switch to the Log File Reports tab and setup
the filter in the following way:

14. Once you have defined the filters, you can actually save all of your
settings by pressing the "Save Report" Button in the Filter Form so that you
don’t have to define these filters daily if you are interested in seeing this
report daily.


15. You can now press the "Generate Report" button. It will open up a report in
HTML format according to your defined filters as shown below:

System Status Report

In this report, you also have the option of expanding and contracting the node
of From Host, Event Log Type, Event Source and Event Id.

Note: You can have a look at other available Windows Reports.

A complete step by step guide that explains how the reports can be generated with MonitorWare Console

Wednesday, November 19th, 2003

How To Generate Reports with MonitorWare Console Manually

Article created 2003-11-19 by Wajih-ur-Rehman.

1. Once MonitorWare Console is opened, on the left hand
side, you can see a tree view with a node called "Reports". Click on that node.
It will show you the list of available reports under it as well as on the right
hand side. You will see something similar to the following figure.

You can now click on any of the displayed reports.
For the purpose of this article, I have selected "System Status Report"
because it is a very comprehensive report and summarizes the overall network
activity very well. Once you click on the System Status Report, you will see
something similar to the figure shown below.

2. Once you click on System Status Report, the
following form will be displayed:

3. MonitorWare Console provides a powerful
feature of letting users define and apply filters on any report. Using this
form, you can apply the filters of your own choice. (For details about the
filters, please refer to MonitorWare Console’s Manual which can be accessed by
pressing the Help button in MonitorWare Console’s tool bar.)

4. Let’s say I am interested in getting a
report for the records that were logged after July 16, 2003 and were not from
the machine 192.11.12.13. I can set up my filter in the following way:

5. At the bottom left of the screen shot
above, you can see there is a button which is called "Advanced Filters". If you
click on this button, a form similar to the one shown below will pop up:

With this Advanced Filters’ Form, you can
specify some additional filters for the System Status Report. This Advanced
Filter form provides an opportunity to consolidate the records to a great
extent. I will give one example to clarify this. Some events that are generated
in the Windows Event Log have the same message but sometimes contain different
Microsoft links. If you select the check box "Remove Microsoft links" above, it
will remove the Microsoft links before consolidating them and hence a number of
different events with count 1 could be consolidated to just a single line.
Please note that it doesn’t remove the information permanently from the
database. It just removes this information for generating this report. Similarly
other check boxes can be checked to provide a greater level of consolidation.

6. Once you define the advanced filters in
the form shown above, press the "Set" button. You will be taken back to the
previous Filter Form.

7. Once you have defined all the filters, you
can actually save all of your settings by pressing the "Save Report" Button in
the Filter Form so that you don’t have to define these filters daily if you are
interested in seeing this report daily.

8. You can now press the "Generate Report"
button. It will open up a report in HTML format according to your defined
filters as shown below. (Please note that some information has been removed
purposely for security reasons.)

In this report, you also have the option of
expanding and contracting the node of From Host, Event Log Type, Event Source
and Event Id.
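
The consolidation effect of "Remove Microsoft links", as described for the Advanced Filters form in both report articles above, can be reproduced outside the product. This is an added Python example, not MonitorWare Console's code; the record fields, the sample events and the URL pattern are constructed assumptions. Links are matched on the parsed host name, so a lookalike host is left in place and stays visible in the report.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Candidate URLs inside an event message (constructed pattern, an assumption).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_microsoft_link(url):
    """True only if the host is microsoft.com or a real subdomain of it."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def strip_microsoft_links(message):
    """Return a copy of the message with Microsoft URLs removed."""
    def replace(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:)")  # sentence punctuation is not part of the URL
        return raw[len(url):] if is_microsoft_link(url) else raw
    return " ".join(URL_RE.sub(replace, message).split())


def consolidate(records, remove_ms_links=True):
    """Count identical events per (host, log type, source, event id, message)."""
    counts = Counter()
    for rec in records:
        msg = rec["message"]
        if remove_ms_links:
            msg = strip_microsoft_links(msg)  # report-time only; rec is untouched
        key = (rec["from_host"], rec["log_type"], rec["source"],
               rec["event_id"], msg)
        counts[key] += 1
    return counts


def _event(host, log_type, source, event_id, message):
    return {"from_host": host, "log_type": log_type, "source": source,
            "event_id": event_id, "message": message}


# Constructed sample data: three events that differ only in the Microsoft link,
# one with a lookalike host, and one unrelated event.
_BASE = "Service failed to start. For more information, see "
SAMPLE_EVENTS = [
    _event("computer01", "System", "ExampleSvc", 1000,
           _BASE + "http://go.microsoft.com/fwlink/?LinkId=1001."),
    _event("computer01", "System", "ExampleSvc", 1000,
           _BASE + "http://go.microsoft.com/fwlink/?LinkId=1002."),
    _event("computer01", "System", "ExampleSvc", 1000,
           _BASE + "http://go.microsoft.com/fwlink/?LinkId=1003."),
    _event("computer01", "System", "ExampleSvc", 1000,
           _BASE + "http://go.microsoft.com.example.net/fwlink/?LinkId=1001."),
    _event("computer02", "Application", "ExampleApp", 2000,
           "Backup completed."),
]

if __name__ == "__main__":
    for label, flag in (("links kept", False), ("links removed", True)):
        print(label)
        for key, count in consolidate(SAMPLE_EVENTS, flag).most_common():
            print(f"  {count}x {key}")
```
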

How To setup MonitorWare Console

Wednesday, November 19th, 2003

How To setup MonitorWare Console

Article created 2003-11-19 by
Wajih-ur-Rehman.

After installation, once MonitorWare Console is started, a
dialog box similar to the one shown below would be displayed.

The default user name is “admin” and the password is empty
(as shown above). Once a user enters into the application, this password can be
changed.

At the bottom left corner of this dialog box, there are two
links, “Edit Database Connection” and “License Options”. The latter one is
self-explanatory. If you click on it, a license dialog appears where you can view
or change your license key and/or license name. There is also a link to order the
product directly via our online ordering system.

The other link in the login dialog, “Edit Database
Connection” is used if the user wants to change the database connection.
Currently MonitorWare Console supports Microsoft Access, SQL Server and MySQL.
Once the above-mentioned link is clicked, a dialog box, as shown below, will pop
up. Using this dialog box, the user can change the underlying database.

In the DSN, you can provide the name of the DSN that is
pointing to some existing MonitorWare Database (Assuming that you already have
configured MonitorWare Agent, EventReporter or WinSyslog). You can also create a
new DSN by clicking on the link “Edit Database Sources”. It opens the ODBC Data
Source Administrator window. On the System DSN tab the user can configure all
found DSNs.

Use the System DSN tab to select the data source. Press the
“Configure…” button to setup the database path for the data source.

The Provider tab at the top left of the above screen is used to
select the database. The Connection tab is used to select the database path. Once
the provider and the connection have been selected, the Test Connection button can
test whether the connection with the specified database has been established or
not.

If the dialog box, as shown below, is displayed, it means
that the connection with the specified database has been set up properly and the
user can proceed further by pressing the OK button.

On the other hand, if a dialog box, as shown below is
displayed, it means that there is something wrong and the connection with the
mentioned database has not been established.

After setting up the database, the OK button in the topmost
figure will take the user inside the MonitorWare Console application.

Setup Error 1923

Wednesday, September 10th, 2003

Setup Error 1923

Created on 09-10-2003 by Lutz Koch.

I receive error 1923 when installing a MonitorWare Product like EventReporter, WinSyslog or MonitorWare Agent. What to do?

If you update one of those Products to a newer Version, you might get the following warning message:

Cause:
If you changed the Service's properties (for example the Log On settings), the Installer will detect that the installed Service does not match the one from the Installation Package. So this warning message is shown to inform you about this.

Resolution:
Just click the ignore button. The EventReporter, WinSyslog or MonitorWare Agent Service will be correctly updated, and custom changes in the Service's properties will remain.

A complete step by step guide on setting up EventLogMonitor Service

Monday, February 24th, 2003

How To setup EventLogMonitor Service

Article created 2003-02-24 by Rainer Gerhards.
Last Updated 2005-08-16 by Timm Herget.



Note: This guide was initially written for MW Agent, but the steps are the same in EventReporter.

1. First, right click on "Services", then select "Add Service" and then "Event
Log Monitor":

2. Once you have done so, a new wizard starts.

If the following Popup appears, please select "Create Service":

Again, you can use either the default name or any one you like. We will use
"My Event Log Monitor" in this sample. Leave the "Use default settings" selected
and press "Next".

3. As we have used the default, the wizard will immediately proceed with step
3, the confirmation page. Press "Finish" to create the service. The wizard
completes and returns to the configuration client.

4. Now, you will see the newly created service beneath the "Services" part of
the tree view. To check its parameters, select it:


As you can see, the service has been created with the default parameters.

Note 1: The "Default RuleSet" has been automatically assigned as
the rule set to use. By default, the wizard will always assign the first rule
set visible in the tree view to new services. In our case, this is not correct
and will be corrected soon.

Note 2: If you want to generate reports (using Monilog) on the data via this service i.e. EventLogMonitor, then you have to press
the "Configure for Monilog" button and make the settings as shown in the screen-shot.


Note 3: If you want to generate reports (using MonitorWare
Console) on the data via this service i.e. EventLogMonitor, then you have to
uncheck the "Use Legacy Format" option. This is recommended. If you don’t
uncheck this option then meaningful reports aren’t generated (i.e. reports are
not properly consolidated by MonitorWare Console).

5. Now you must differentiate between clients and central hub server. On the
clients, select the "Forward" RuleSet we have created in Step 2 as the rule
set to use. On the central hub server, select the "Database Logging" RuleSet we have
created in Step 3. Leave all other settings in their default.

Clients:

Central hub server:

6. Finally, save the change and start MonitorWare Agent. This procedure
completes the configuration of the syslog server.

MonitorWare Agent cannot dynamically read changed configurations. As such, it
needs to be restarted after such changes. In our sample, the service was not yet
started, so we simply need to start it. If it already runs, you need to restart
it.

With step 5 the client machines configuration has finished. All the next
steps are only concerned with the central hub server.