.. _feature-overview:

Features of MonitorWare Agent
=============================

Complete Windows Event Monitoring
---------------------------------

MonitorWare Agent **automatically monitors** Windows Event Logs. It **fully processes all event logs**, including the modern Windows-specific extensions. Since 1997, when Adiscon released :doc:`EventReporter <../glossaryofterms/eventreporter>`, the first Windows Event Forwarding tool, we have **unparalleled expertise** in capturing and forwarding Windows Events.

Monitors Text Files
-------------------

You **monitor any log file generated by applications**. For example, you forward IIS log files to a :doc:`syslog <../glossaryofterms/syslog>` daemon or consolidate them into a central repository. Furthermore, you **detect known attacks** by matching web requests against established attack patterns and generating alerts using custom rulesets. For instance, you can set up a rule to **detect SQL injection attempts** by looking for patterns like ``' OR '1'='1`` in web server logs and triggering an alert to your security team. Because attackers usually URL-encode such payloads (quotes and spaces arrive as ``%27`` and ``%20``), match against the decoded query string rather than the raw line. Another example is monitoring application logs for phrases such as "authentication failed" to **identify brute-force attacks**, immediately notifying administrators so they can prevent unauthorized access. Other use cases include DHCP logs or Oracle log files – a multitude of applications write status information to text files, and MonitorWare Agent **accesses all these files** and forwards them, for instance, to a syslog server.

Active Network Probes
---------------------

Ping and Port Probe services **monitor both local and remote systems and services**. These services are not limited to Windows machines; you **use them with virtually any existing service**. Good examples include Linux-based web and mail servers or firewalls. The probes do not restrict you to an OS – even if you operate a server on a mainframe, MonitorWare **checks its operational state**.
The system **detects failing systems and services and generates alerts**.

Windows Service Monitor and Disk Space Monitor Services
-------------------------------------------------------

The Windows Service Monitor and Disk Space Monitor services **check the local machine**. They **quickly detect failing services and low disk space** and use this information to trigger notifications or even corrective actions before problems escalate.

CPU Monitor/Memory Monitor
--------------------------

The Windows CPU/Memory Monitor **checks the load of both CPU and memory**. The system **quickly detects a high load** and uses this to trigger notifications or even corrective actions before problems escalate.

Handling for low-memory cases
-----------------------------

MonitorWare Agent (MWAgent) **allocates emergency memory on startup**. If the system memory limit is reached, it **releases this emergency memory and locks the queue**. Locking the queue does not mean that more items can be queued; it **prevents the Agent from crashing** while the queue continues to be processed and drained. Many other code sections are also **hardened against out-of-memory scenarios**. This robustness builds on the experience Adiscon has gathered since 1996.

File Monitor
------------

The file monitor **monitors the content of a text file**, similar to how the Event Monitor monitors the Windows Event Log (formerly the NT Event Log). Its purpose is to **gather vital information** stored in system text files. Many applications do not write events to the Event Log but to a text file. This is also the case with many Microsoft applications (for example, the WINS log). The file monitor **also captures Internet Information Server** (IIS, the Windows web server) log files. This is very useful for monitoring web activity and detecting attacks.

External Events
---------------

MonitorWare Agent **accepts events via a standard syslog server**, allowing you to integrate all syslog-enabled devices into the MonitorWare system.
This includes common devices like routers and switches, as well as printers and a large number of UNIX/Linux-based systems and applications. Virtually all current network devices support syslog, and MonitorWare Agent **monitors them all**. To cover an even broader range of devices, MonitorWare Agent supports not only standard-compliant syslog but also **popular extensions such as Syslog over TLS/SSL** (Syslog-over-TLS, standardized in RFC 5425), which protects messages in transit. Adiscon, through Rainer Gerhards' leadership in defining RFC 5424, ensures the **highest compatibility and adherence to industry standards**.

Post Process Event
------------------

The Post-Process action **allows you to re-parse a message** after it has been processed, e.g., one in Tab-Delimited format. Such re-parsing is useful if you have a non-standard Syslog format or if you want to extract specific properties from the message. This is achieved through **highly configurable parsing rules**, which let you define custom field extractors based on regular expressions or delimiter-based logic, transforming raw log data into structured, actionable information.

Scalability
-----------

The MonitorWare system is **modular and highly scalable**. If only a single server needs monitoring, MonitorWare Agent **covers all monitoring and alerting needs**. In complex, hierarchical networks, **multiple MonitorWare Agents communicate with each other** and enable both local and central alerting and event archiving.

Event Archiving
---------------

All incoming events – **regardless of their source** – **can be stored persistently**. Options include archiving in databases as well as in log files.

Alerting
--------

You **use various functions to trigger alerts** upon receiving certain information and even automatically initiate countermeasures. You **send alerts via email or Syslog**.
Since most pagers are accessible via email, you **also use this interface to trigger pager notifications**.

Start Program
-------------

With this action, you **execute an external program**. Any valid Windows executable **can be run**. This includes actual programs (EXE files) as well as scripts such as batch files (.BAT) or VBScripts (.vbs). You **combine the "Start Program" action with the Service Monitor**, for example, to restart failed services. A started program typically inherits the privileges of the Agent's service account, so restrict such rules to trusted executables and do not pass unsanitized event text on the command line.

Powerful Event Processing
-------------------------

MonitorWare Agent **features a powerful and flexible rule engine** that processes all events based on a configured set of rules and actions. An **unlimited number of rules and actions** allows tailored adaptation to specific requirements.

Zero-Impact Monitoring
----------------------

MonitorWare Agent **has no noticeable impact on system resources**. We specifically designed it for **minimal resource usage**. In typical scenarios, its **resource footprint is barely measurable**. This ensures you can install it even on heavily loaded servers.

Robustness
----------

MonitorWare Agent is designed to **perform robustly even under unusual circumstances**. The product's **reliability has been proven since 1996**, the year Adiscon released the first Syslog server for Windows, WinSyslog.

Ease of Use
-----------

MonitorWare Agent is **easy to install and configure**. Comprehensive step-by-step guides and wizards **assist administrators in setting up even complex systems**.

Firewall Support
----------------

Does your security policy enforce non-standard ports? You **configure MonitorWare Agent to listen on any TCP/IP port for Syslog messages**.

Syslog Support
--------------

Windows Event Messages **are forwarded using the standard Syslog protocol**. The system **maps Windows severity classes to the corresponding Syslog severity levels**. Syslog facility and severity codes are **fully supported**. Adiscon, through Rainer Gerhards' active participation in RFC 5424 standardization, is a **leading expert in Syslog protocols**.
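
As an added example (not MonitorWare Agent's own code or rule syntax), the following Python script shows three mechanisms from this page working together: the delimiter-based and regex-based field extraction described under Post Process Event, the SQL-injection and brute-force rules described under Monitors Text Files, and the mapping of a Windows severity class to a syslog severity described under Syslog Support, with each alert formatted as an RFC 5424 message. The log lines, field names, threshold, facility and host names are constructed for the example.

```python
"""Added example, not MonitorWare Agent code: a small rule pass that
(1) extracts fields from IIS W3C log lines by the delimiter-based method
and from an application log by a regular expression, (2) applies the two
detection rules described on the page (SQL-injection pattern, brute-force
threshold) and (3) emits each alert as an RFC 5424 syslog line with a
Windows-style severity mapped to a syslog severity. Sample log lines,
field names, the threshold and the host names are constructed."""
import re
import urllib.parse
from collections import defaultdict

# Constructed IIS W3C excerpt: the #Fields directive names the columns.
IIS_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-05-01 10:00:01 203.0.113.5 GET /login.asp - 200
2024-05-01 10:00:02 203.0.113.5 GET /items.asp id=1'%20OR%20'1'='1 500
2024-05-01 10:00:03 198.51.100.7 GET /index.htm - 200
"""

# Constructed application log with free-form lines.
APP_LOG = """2024-05-01 10:01:00 INFO session started for alice from 198.51.100.7
2024-05-01 10:01:01 WARN authentication failed for user admin from 198.51.100.7
2024-05-01 10:01:02 WARN authentication failed for user admin from 198.51.100.7
2024-05-01 10:01:03 WARN authentication failed for user root from 198.51.100.7
2024-05-01 10:01:04 WARN authentication failed for user admin from 198.51.100.7
2024-05-01 10:01:05 WARN authentication failed for user admin from 198.51.100.7
2024-05-01 10:01:06 WARN authentication failed for user bob from 203.0.113.5
"""


def parse_w3c(text):
    """Delimiter-based extractor: one dict per data line, keyed by #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip instead of mis-assigning columns
        yield dict(zip(fields, values))


AUTH_FAIL = re.compile(
    r"authentication failed for user (?P<user>\S+) from (?P<src>\S+)")


def parse_auth_failures(text):
    """Regex-based extractor: named groups become the message properties."""
    for line in text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            yield m.groupdict()


# The page's example pattern; whitespace and case are allowed to vary.
SQLI = re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)


def sqli_alerts(records):
    """Flag requests whose decoded query string matches the SQLi pattern."""
    alerts = []
    for r in records:
        # Attackers URL-encode quotes and spaces, so decode before matching.
        query = urllib.parse.unquote_plus(r.get("cs-uri-query", "-"))
        if SQLI.search(query):
            alerts.append(("sqli", r["c-ip"], r["cs-uri-stem"] + "?" + query))
    return alerts


def brute_force_alerts(events, threshold=5):
    """Alert once per source when its failure count reaches the threshold."""
    per_src = defaultdict(int)
    alerts = []
    for e in events:
        per_src[e["src"]] += 1
        if per_src[e["src"]] == threshold:
            alerts.append(("bruteforce", e["src"], f"{threshold} failures"))
    return alerts


# Windows event level -> syslog severity code (RFC 5424 section 6.2.1).
WIN_TO_SYSLOG = {"Critical": 2, "Error": 3, "Warning": 4,
                 "Information": 6, "Verbose": 7}
FACILITY_LOCAL0 = 16


def syslog_line(level, hostname, app, msg, facility=FACILITY_LOCAL0):
    """RFC 5424 line; PRI = facility * 8 + severity, '-' is the nil value."""
    pri = facility * 8 + WIN_TO_SYSLOG[level]
    return f"<{pri}>1 - {hostname} {app} - - - {msg}"


def run_rules(iis_text, app_text, hostname="web01"):
    """Return the syslog lines that the two rules produce for the input."""
    alerts = sqli_alerts(parse_w3c(iis_text))
    alerts += brute_force_alerts(parse_auth_failures(app_text))
    return [syslog_line("Warning", hostname, "rule-engine",
                        f"{kind} src={src} {detail}")
            for kind, src, detail in alerts]


if __name__ == "__main__":
    for line in run_rules(IIS_LOG, APP_LOG):
        print(line)
```

Two details matter in practice: the decode-before-match step, because the literal ``' OR '1'='1`` from the page may arrive percent-encoded in a raw IIS line, and the single-shot threshold in ``brute_force_alerts``, which raises one alert per source instead of one per failed attempt so the alert channel is not flooded by the very attack it reports. The PRI calculation (facility times 8 plus severity) is all that "mapping Windows severity classes to Syslog" amounts to on the wire.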
Send Syslog Test Message
------------------------

The MonitorWare Agent client **includes the "Send Syslog Test Message" function**. This option **allows you to verify whether Syslog messages reach the configured destination correctly**.

SETP Support
------------

Windows Event Messages **are forwarded using the proprietary Adiscon SETP protocol**; events gathered from the Windows Event Logs are transferred this way as well. SETP (Simple Event Transfer Protocol) was developed by Adiscon to provide a **more robust and feature-rich alternative to standard Syslog**, particularly for Windows environments. It offers **guaranteed message delivery**, preventing data loss even during network outages, and **transmits rich, structured event data** including all original Windows Event Log properties, which standard Syslog often truncates or flattens. This ensures **no loss of crucial information** during transfer, making it ideal for high-integrity logging needs.

SNMP Trap Receiver
------------------

The SNMP Trap Receiver **receives SNMP trap messages** sent by network devices.

SNMP Monitor
------------

You **use the SNMP Monitor to query and monitor SNMP-enabled devices**. Many devices support SNMP and can be queried for information via SNMP GET. These include printers, routers, managed switches, Linux/Windows servers, and so on.

FTP Probe
---------

The FTP probe **connects to the FTP server**, sends the QUIT command upon receiving the server's greeting to terminate the connection, and **saves the connection status and responses**.

HTTP Probe
----------

The HTTP probe **connects to an HTTP server**, sends a request, receives the response, and then closes the connection. The system **saves the connection status and response**. It **also retains some additional properties for configuration**, such as URL and QueryString, Request Type, Use Secure HTTPS Protocol, Referer, and User Agent.

IMAP Probe
----------

The IMAP probe **connects to an IMAP server**, receives the server greeting, and then ends the session (in IMAP the command for this is LOGOUT rather than QUIT).
The system **saves the connection status and response**.

NNTP Probe
----------

The NNTP probe **connects to an NNTP (Usenet) server**, receives the greeting, and sends the QUIT command to terminate the connection. The system **saves the connection status and response**.

POP3 Probe
----------

The POP3 probe **connects to a POP3 (mail retrieval) server**, receives the greeting, and sends the QUIT command to terminate the connection. The system **saves the connection status and response**.

SMTP Probe
----------

The SMTP probe **connects to an SMTP (mail transfer) server** and sends the HELO command with a host name that MonitorWare Agent automatically constructs on startup from the machine's fully qualified DNS name. The SMTP probe then receives the response and sends the QUIT command to terminate the connection. The system **saves the connection status and response**.

IPv6
----

**All network-related engine functions support IPv6**. All network-related actions **automatically detect IPv6 and IPv4 target addresses**, if configured. You **also use DNS resolution** to resolve valid IPv6 addresses. Network-related services can use either IPv4 or IPv6 as the internet protocol. To support both protocols, you create two services. The only exception is the RELP Listener, which automatically uses IPv4 and IPv6 if available.

Runs on a Large Variety of Windows Systems
------------------------------------------

MonitorWare Agent **runs on all common Windows systems**: Windows 10, 11, Server 2016, 2019, 2022, and newer versions. Legacy support for Windows XP and Server 2003 is available in older product versions only.

.. note::

   Support for End-of-Life operating systems is only partially available. Only a minimal service installation may be possible. For more details, see: :doc:`information for a mass rollout <../gettingstarted/informationforamassrollout>`

On request, versions for Compaq (Digital) ALPHA processors are also available on platforms supporting this processor (engine only).
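
The probe handshake described in the FTP, POP3 and SMTP probe sections, as an added Python example that is not MonitorWare Agent's code: connect, read the greeting, send the protocol's hello (HELO for SMTP) and QUIT, and record the connection status together with every server response, treating a refused connection, a timeout or an unexpected reply as a failed probe. A stub SMTP server runs in a thread so the example works offline; the stub, its replies and the host names are constructed, and the ``fqdn`` parameter stands in for the name MonitorWare Agent derives on startup.

```python
"""Added example, not MonitorWare Agent code: a minimal SMTP probe of the
kind the FTP/POP3/SMTP probe sections describe. It connects, reads the
server greeting, sends HELO <fqdn> and QUIT, and records the connection
status plus every server response, treating a refused connection or an
unexpected reply as a failed probe. A stub SMTP server runs in a thread so
the example works offline; the stub's replies and the host names are
constructed."""
import socket
import threading


def _readline(rf):
    """Read one CRLF-terminated reply; a closed socket is a probe failure."""
    raw = rf.readline()
    if not raw:
        raise ConnectionError("peer closed the connection")
    return raw.decode("ascii", "replace").rstrip("\r\n")


def smtp_probe(host, port, fqdn="mwagent.example.net", timeout=5.0):
    """Return {'status': 'up'|'down', 'responses': [...], 'error': ...}."""
    result = {"status": "down", "responses": [], "error": None}
    try:
        # create_connection resolves the name and tries each address
        # (IPv6 or IPv4) that DNS returns until one connects.
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rf = sock.makefile("rb")

            def exchange(cmd):
                sock.sendall((cmd + "\r\n").encode("ascii"))
                reply = _readline(rf)
                result["responses"].append(reply)
                return reply

            greeting = _readline(rf)
            result["responses"].append(greeting)
            if not greeting.startswith("220"):
                result["error"] = "unexpected greeting: " + greeting
                return result
            if not exchange(f"HELO {fqdn}").startswith("250"):
                result["error"] = "HELO rejected"
                return result
            exchange("QUIT")
            result["status"] = "up"
    except OSError as exc:  # refused, timed out, reset, or closed early
        result["error"] = str(exc)
    return result


def start_stub_smtp(banner="220 mail.example.net ESMTP stub"):
    """Constructed stand-in for a mail server; returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rf:
            conn.sendall((banner + "\r\n").encode("ascii"))
            while True:
                line = rf.readline()
                if not line:
                    break
                verb = line.split()[0].upper() if line.split() else b""
                if verb == b"HELO":
                    conn.sendall(b"250 mail.example.net\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"500 Unknown command\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A loopback port nothing listens on, to exercise the failure path."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print(smtp_probe("127.0.0.1", start_stub_smtp()))
    print(smtp_probe("127.0.0.1", closed_port(), timeout=2.0))
```

The timeout and the greeting check are the parts worth copying: a port that accepts the TCP connection but never answers, or answers with a 5xx banner, is a failed service even though the connect succeeded, and a probe without a read timeout would hang on it. Because ``socket.create_connection`` walks every address that name resolution returns, the same probe works against IPv6 and IPv4 targets, which is the behaviour the IPv6 section above describes for the engine's network actions.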
Multi-Language Client
---------------------

By default, the MonitorWare Agent Client **supports English, Japanese, and German**. Language settings are user-specific; thus, **multiple users on the same machine can use different languages**.

Friendly and Customizable User Interface
----------------------------------------

The cloning feature integrated into the MonitorWare Agent Client **allows you to clone a RuleSet, a Rule, an Action, or a Service with a single mouse click**. The Client also **includes "Move Up" and "Move Down" functions** for Actions.

Multiple RuleSets - Rules - Actions
-----------------------------------

With MonitorWare Agent, you **define as many "RuleSets", "Rules", and "Actions" as needed**. For more information, see: :doc:`multiple rulesets - rules - actions <../gettingstarted/multiple-rulesets-rules-actions>`

Multithreaded Queue Engine
--------------------------

The action processing engine is **multithread-capable**, meaning that **overall processing performance increases in larger environments** and MWAgent benefits from SMP machines. Its **asynchronous processing capabilities** ensure that even during peak loads, log data is reliably collected and forwarded without blocking the Agent's core operations, thanks to efficient queue management.