Product Peek: SyslogAnalyzer 2.0

A quick look at SyslogAnalyzer 2.0, which helps administrators sift through server log files.

Reading server log files ranks up there with visiting the dentist and preparing your taxes by hand. But unless you read those log files, you might miss something really important – such as attempted security breaches or a hard drive starting to fail. On the other hand, you could use the tool SyslogAnalyzer from eIQnetworks to do the sifting for you.

SyslogAnalyzer examines system log files on Windows NT, 2000, XP and Windows 2003, as well as various types of Unix platforms. NT platforms must have Service Pack 6a and the Windows Management Interface (WMI) installed. The basic license for the software lets you monitor up to 15 unique servers. For Windows systems SyslogAnalyzer can monitor the three log files – system, security and application – depending on how you configure it. Each of the three log files keeps track of six levels of events, including success, error, warning, information and audit success/audit failure.

Windows does not audit logon events by default. This feature must be enabled by the system administrator along with other auditable events, such as access to specific files. Microsoft knowledge base article No. 300549 describes in detail how to enable and apply security auditing in Win 2000.

The SyslogAnalyzer console uses a Web browser interface, making it accessible from virtually anywhere. Critical events show up in the console as red flashing stop signs to get your attention. Graphical reports help users quickly visualize alert categories and see the highest-volume offenders. Report format options include Microsoft Excel or Word, HTML, PDF and plain text.

Customizing reports is a snap using the Web-based report tool. New reports can be created from the basic, provided templates, or you can start from scratch. Once a report has been defined, custom filtering also can be applied to present only the information of interest. If no filters are selected, the system defaults to the last two days of information.

Before monitoring other systems you must add them using the Hosts option from the main administration page. Adding a Windows-based host only requires that you know the administrator password for the target system. On Unix machines you must perform several additional steps, including editing a system configuration file. The quick help guide provides most of the steps, but falls a little short in leading you through all the necessary details.

One of the most useful capabilities of SyslogAnalyzer is the alerting feature. Alerts let you specify which log entries or events should receive immediate attention. When one of these events is detected, an alert is sent using e-mail to a pre-defined address. You could just as easily send a message to a cell phone with the same e-mail interface. There’s also an option to generate a popup message and audible alarm on the system console.

To use the alert feature, the details must be configured for your Simple Mail Transfer Protocol server, including logon information if it’s required. You might want to change other configuration deatils such as the frequency of retrieval for log files, and how often to delete events from the database (default is everything older than two days).

This product is definitely not for the small office with only a few servers to monitor. For larger installations it could be a useful addition to the toolbox of a system administrator responsible for several servers, especially if they are spread out geographically.