
Free tool for Event Logging on 30 Servers?

fommy Member Posts: 42
Hi, I have been tasked to monitor all event logs on 30 Windows servers every day. Is there a free tool which can do this for me?
Some Windows 2000, mostly Windows 2003.
Need to monitor all event logs if possible.
Also to flag critical errors?

Any thoughts anyone? I don't want to remote into each one every day!!! I wanna save some time. Any advice would be grand.

Thanks, Matt.
MCITP Enterprise Admin then CCNA - as I failed CCNA twice now. boohoo

Comments

  • blargoe Member Posts: 4,174
    Free? Good luck with that...

    There are some decent tools out there that you could use that aren't free but shouldn't set you back more than $1000 or so. Hyena and Operations Manager Workgroup Edition come to mind.

    The only free thing I could think of that even comes close is a Microsoft download called EventCombMT. You can remotely scan all of the servers for whatever and write the output as .csv files. You need to know exactly what you are searching for if you do this.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • fommy Member Posts: 42
    Thanks for the advice. Yes, I saw EventCombMT in the resource kit and played around with it today. It seems to pull all the data into a format which was not helpful, unless I did it wrong?

    thanks for getting back to me so quick.

    :D
  • blargoe Member Posts: 4,174
    I haven't used it a whole lot but there's an option in one of the menus to save to a CSV file, which you can open in Excel for better readability. Also there is a way to choose a date range.

    Again, it's one of those things where you have to sort of know what you're looking for. Dumping every event to a CSV file isn't going to be very helpful, but perhaps if you know the event ID of an error or event, you can search for that, or search for only Error messages.
  • fommy Member Posts: 42
    blargoe wrote:
    I haven't used it a whole lot but there's an option in one of the menus to save to a CSV file, which you can open in Excel for better readability. Also there is a way to choose a date range.

    Again, it's one of those things where you have to sort of know what you're looking for. Dumping every event to a CSV file isn't going to be very helpful, but perhaps if you know the event ID of an error or event, you can search for that, or search for only Error messages.

    That's exactly what I need. Thanks for the help mate. 10/10. All I need now is the list of every event ID which is bad!!! Sounds like work to me!! hehe
  • Sie Member Posts: 1,195
    Why not just build an MMC with Computer Management set up for each of the servers and view it all remotely from one machine?

    1: Start > Run
    2: Type MMC and hit Enter
    3: Control+M
    4: Click Add
    5: Choose Event Viewer
    6: Select other computer and enter details
    7: Click ok
    8: Repeat Steps 4 to 7 for as many as you need to add.

    Once done you can even right click each Event Viewer entry and select View > Filter and remove which alerts you don't want to see.

    Takes a bit of setting up but once it's done you're good to go. :D

    [Edit -

    Just don't forget to SAVE it!!!!!

    /Edit]

    Obviously there are better ways but the above is free as you asked.
    Foolproof systems don't take into account the ingenuity of fools
  • JDMurray Admin Posts: 13,034
    You mean you are going to read through the event logs of 30 Windows servers every day? You will go crazy doing that, and you'll end up missing important incidents too. You need a box that will not only collect events as a syslog server, but also analyze the event information, send alerts, and generate reports.

    One of the better--and less expensive--SIEM (Security Information and Event Management) appliances is Cinxi from High Tower. You will eventually find that such a box is the only way to efficiently and effectively perform event log collection and analysis, even for small to mid-size organizations.

    High Tower Support Newsletter - April 2008 (PDF)
  • fommy Member Posts: 42
    Thanks to Sie and JDMurray. Both good responses. I will see if the boss will part with any dosh!!!

    cheers :o:o
  • stupidboy Member Posts: 470
    WMI script, pull the data into Excel and away you go :D

    Install Splunk to aggregate the logs and make them searchable, Splunk rocks!
  • JDMurray Admin Posts: 13,034
    stupidboy wrote:
    Install SPLUNK to aggregate the logs and make then search able, SAPLUNK rocks!
    Splunk is a good tool to have, but it falls way short on intelligent event correlation. In other words, even with Splunk in your toolbox, you'll still have a lot of incident detection work to do. The free version also won't be able to process all of the events produced by 30 active servers in a single day.
  • datchcha Member Posts: 265
    Can't remember, but doesn't a simple tool called Kiwisoft or something monitor logs?
    Arrakis
  • seuss_ssues Member Posts: 629
    I'm not sure what all you need... but if you're just wanting a centralized way to view all of the event logs then there is absolutely no reason to spend money.

    Get a spare machine, install Linux, and partition it so that /var has the majority of the drive. Install syslog-ng and then install eventlog to syslog on each of the Windows servers. Configure them to point to your syslog-ng computer.

    eventlog to syslog is here:
    https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys

    php-syslog-ng a nice php implementation to view the logs and search/sort them is available here:
    http://freshmeat.net/projects/php-syslog-ng

    You may want to tweak your syslog-ng settings on what all is logged, etc....just google and there are lots of tutorials
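The syslog-ng approach above turns the problem into one of reading forwarded syslog messages, and the collector sees them in the BSD syslog shape (`<PRI>TIMESTAMP HOST TAG: MSG`, where PRI encodes facility and severity). The following is an added example, not code from the thread, from evtsys or from syslog-ng: it parses lines in that format, decodes PRI, and keeps only events at error severity or worse. The sample lines and the `TAG: MSG` shape are constructed and do not reproduce evtsys's actual output format.

```python
"""Parse BSD-style syslog lines the way a central syslog-ng box would see them
and pick out the ones at error severity or worse.

Added example, not from the thread and not code from evtsys or syslog-ng.
The line format is RFC 3164 (<PRI>TIMESTAMP HOST TAG: MSG); the sample lines
and the TAG/MSG shape are constructed and do not reproduce evtsys's output.
"""
import re

SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                  "alert", "clock"] + [f"local{i}" for i in range(8)]

# <PRI>Mmm dd hh:mm:ss host tag: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")

# Constructed sample: what a few Windows hosts might forward to the collector,
# plus one line that is not syslog at all. Not real data.
SAMPLE_LINES = [
    "<131>Apr 10 02:13:05 SRV01 Service_Control_Manager: 7031: The Print Spooler service terminated unexpectedly",
    "<36>Apr 10 02:14:00 SRV01 Security: 529: Logon Failure: Unknown user name or bad password",
    "<134>Apr 10 02:15:10 SRV02 MSSQLSERVER: 1000: Backup completed",
    "<130>Apr 10 03:00:00 SRV03 EventLog: 6008: The previous system shutdown was unexpected",
    "this is not a syslog line",
]


def parse_syslog(line):
    """Split one line into its fields; PRI = facility * 8 + severity."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the highest legal PRI value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY_NAMES[facility],
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def errors_only(lines, max_severity=3):
    """Keep events at or above the given severity (lower number = worse).
    Malformed lines are skipped rather than allowed to stop the collector."""
    kept = []
    for line in lines:
        try:
            event = parse_syslog(line)
        except ValueError:
            continue
        if event["severity"] <= max_severity:
            kept.append(event)
    return kept


if __name__ == "__main__":
    for e in errors_only(SAMPLE_LINES):
        print(f'{e["host"]:6} {e["facility"]}.{e["severity_name"]:8} '
              f'{e["tag"]}: {e["msg"]}')
```

Raising `max_severity` to 4 brings warnings into the report; with the constructed sample that adds the `auth.warning` logon-failure line from SRV01.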
  • Ahriakin Member Posts: 1,799
    Another option for centralised viewing, not correlation though, is Hyperic HQ. It's a broad range network monitor but you can set it to monitor the Event logs for Windows servers and do some basic sorting based on severity etc. Far from a dedicated event correlation device but pretty good for free (and the rest of Hyperic's functions are worth it).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • JDMurray Admin Posts: 13,034
    datchcha wrote:
    Can't remember, but doesn't a simple tool called Kiwisoft or something monitor logs?
    Kiwi Syslog Daemon is a very popular syslog server that I use quite a bit. It receives syslog messages from hosts, but it doesn't analyze them for you. Log collection is easy; it's the log analysis that's the tricky bit. FYI: Top 11 Reasons to Analyze Your Logs
  • Sie Member Posts: 1,195
    Would this do you any good???

    Event Comb
    http://support.microsoft.com/kb/308471
    The Event Comb tool (Eventcombmt.exe) is a multi-threaded tool that can be used to gather specific events from the Event Viewer logs of different computers at the same time.

    The Event Comb tool includes preconfigured search categories, for example account lockouts. The account lockout search includes events relevant to account lockouts, such as Events 529, 644, 675, 676, and 681.

    Edit - Bleh, it's already been mentioned. Oh well.
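blargoe's advice earlier in the thread (dump to CSV, then search for specific event IDs or only Error messages rather than reading everything) and the Event Comb account lockout search just described (events 529, 644, 675, 676, 681) both come down to the same post-processing step. Here is an added example, not from the thread and not EventCombMT's own output or code, that does that step over a CSV export: it keeps Error entries plus any event whose ID is on a watch list, and summarises per server so a 30-server report fits on one screen. The column names are an assumption (EventCombMT's real export layout may differ; rename them to match your file), and the sample rows are constructed.

```python
"""Flag the events worth a human's attention in a CSV export of event logs.

Added example, not from the thread. The column layout below is an assumption
(EventCombMT's real output columns may differ); adjust the header names to
match your export.
"""
import csv
import io
from collections import defaultdict

# Event IDs the thread calls out as worth watching (the account lockout
# search); extend this watch list with the IDs that matter in your environment.
WATCH_IDS = {529, 644, 675, 676, 681}

# Constructed sample export: three servers, a mix of Information, Error and
# lockout-related Security events. Not real data.
SAMPLE_CSV = """\
Server,Log,EventID,Type,Source,Time,Message
SRV01,System,7031,Error,Service Control Manager,2008-04-10 02:13:05,The Print Spooler service terminated unexpectedly
SRV01,Security,529,Failure Audit,Security,2008-04-10 02:14:00,Logon Failure: Unknown user name or bad password
SRV02,Application,1000,Information,MSSQLSERVER,2008-04-10 02:15:10,Backup completed
SRV02,Security,644,Success Audit,Security,2008-04-10 02:16:00,User Account Locked Out
SRV03,System,6008,Error,EventLog,2008-04-10 03:00:00,The previous system shutdown was unexpected
SRV03,Application,1001,Warning,Winlogon,2008-04-10 03:05:00,Profile load delayed
"""


def load_events(csv_text):
    """Parse the CSV export into a list of dicts, with EventID as an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["EventID"] = int(row["EventID"])
        rows.append(row)
    return rows


def flag_events(events, watch_ids=WATCH_IDS):
    """Return only Error entries and events whose ID is on the watch list.
    Watch-listed IDs are kept regardless of Type, since audit events are
    not typed as Error even when they matter."""
    return [e for e in events
            if e["Type"] == "Error" or e["EventID"] in watch_ids]


def summarise(flagged):
    """Per-server count of flagged events."""
    counts = defaultdict(int)
    for e in flagged:
        counts[e["Server"]] += 1
    return dict(counts)


if __name__ == "__main__":
    flagged = flag_events(load_events(SAMPLE_CSV))
    for e in flagged:
        print(f'{e["Server"]:6} {e["Log"]:12} {e["EventID"]:5} '
              f'{e["Type"]:14} {e["Message"]}')
    print(summarise(flagged))
```

Point the script at a real export by reading the file into `load_events` instead of `SAMPLE_CSV`; the watch list is the piece that needs local tuning, which is the "sounds like work" part of the thread.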