Windows systems monitoring is really important for all small to large sized environments. The MonitorWare line of products helps to accomplish this important task. This article is to help you establish a small setup to monitor your Windows systems.
This article is strictly task focused. It does not describe why the systems should be monitored nor does it provide any further background. Please see the respective backgrounds or each of the products documentation on this. This article is a step-by-step description of what you need to do in order to centrally monitor your Windows systems.
Centralized Event Reports
In this step-by-step guide, we want to monitor the windows eventlog on all of our client machines (which can be done either with EventReporter or MonitorWare Agent) and then forward the logfiles to a central log server which writes the data into a database (can be done with WinSyslog or MonitorWare Agent).
This guide focuses on a typical small to medium business topography with a single geographical location and five windows clients and a central hub server. All systems are well connected via a local ethernet. Event reports from all machines should be stored in a database. The administrator shall receive daily consolidated event reports.
What you need
In this guide, I am focusing on building a solution with Adiscon’s EventReporter and WinSyslog. (Please note that you can use and configure MonitorWare Agent in the same way like either WinSyslog or EventReporter because it is our main product which has all the features of the other two products too. Please also see our article on which product to choose if you are in doubt which one is right.)
This combination allows you to centralize all your event logs and reports on them. Free 30 day trial versions are available at the respective product sites (links below), so you can try our products without the need to buy anything. You need to run the following products:
- One EventReporter (alternative: MWAgent) for each system that is to be monitored. In our scenario, this means 6 copies, one for each client and one for the central hub server, if you want to monitor the hub server as well.
- One WinSyslog (alternative: MWAgent) to receive and store event reports from the EventReporter (alternative: MWAgent) monitoring agents.
- You need administrative privileges on each of the machines. This is required both for installation and configuration. Make sure you log on with a sufficiently privileged user account.
- You need a database to store the events. Recommended are MySQL or MSSQL databases, but you could use a JET database as well.
Step 1 – Download Software
You should check the web sites for new versions if you downloaded your copies a while ago as security and monitoring is a short lived business, and new product versions can appear quickly. Please visit www.eventreporter.com/en/download, eventually www.mwagent.com/en/download and www.winsyslog.com/en/download to download the latest versions of EventReporter, MWAgent and WinSyslog.
Step 2 – Installing WinSyslog/MWAgent
Identify the system; WinSyslog or MWAgent should run on. Take a note of its IP address or host name. You’ll need this value when configuring the EventReporter clients. For our example, I assume this system has an IP address of 192.168.0.1.
Run the WinSyslog/MWAgent setup with default parameters. When setup has finished, it automatically is configured to operate as a simple Syslog server. However, it does not yet use a database as we need it to. We’ll later set it up to write data into the database.
Step 3 – Install EventReporter/MWAgent
Run the EventReporter/MWAgent setup program on all systems that should be monitored. This means you need to run it on all five clients and the central hub server (as mentioned above that it is also to be monitored).
For larger installations (with many more servers) there are ways to set it up in a simpler fashion, but in a scenario like ours, it is faster to install it on each machine manually. You can install it with the default settings. When setup has finished, the program automatically is configured to operate simply to report events. However, it does not yet create the log in our database we need. So we will go ahead and change this on each of the machines or by launching it on one machine and remotely connecting to the others. It is your choice. In this sample, I use the EventReporter/MWAgent on each machine (it is easier to follow).
Step 4 – Configuring the Central Agent
The steps described are for setting up your WinSyslog/MWAgent installation on your central hub server. Some steps will be described in a mini-guide, so be sure to follow the links:
1. Start WinSyslog/MWAgent.
2. Select your language – in this example, I use English, so it might be a good idea to choose English even if that is not your preference. You can change it any time later, but using English makes it much easier to follow this guide here.
3. We will now create a ruleset for logging into a database. You can see the detailed steps in the following guide. It describes setting up the action and the ODBC datasource. In this example, a JET database will be used, but you can adapt these steps to let the ODBC driver point to a different database. For setting up the database, please refer to the software producer. Immediate troubleshooting can be done with us, too.
How to create a ruleset for database logging?
4. Now that we have created our ruleset, we are ready to configure the receiving service. Again, follow the mini-guide for the specific steps. We will create a SETP server. With this, we will be able to receive the eventlog data from our agents on our central hub server. Why not using syslog? Because syslog will change the format of the log message and for creating reports we need the correct format.
How to create a SETP server service?
5. Make sure you press the “Save” button – otherwise your changes will not be applied. The only thing left is to start/restart the service with the Play button. Once done, your central agent is ready to receive the log data and store it into your database.
Step 5 – Configuring the Reporting Agents
The steps you will take now will show you how to setup your EventReporter/MWAgent to monitor your Windows Events and forward them via SETP to your central hub server from Step 4. The procedure is the same as above. Follow the links to the miniguides for a detailed description of the respective step.
Please Note: If you use MonitorWare Agent on your central hub server, then you do not need to install EventReporter. You can do these configuration parts in MWAgent, too. You just have to make sure, that the service uses the correct ruleset!
1. Start WinSyslog/MWAgent
2. Again, you can select the language to use. And again, I suggest using English, as this makes the guide easier to follow.
3. We will now setup a new ruleset for forwarding the log data to our central host. Please make sure, that you insert the IP 192.168.0.1 (respective the IP you noted and which belongs to your central hub server) into the forward SETP action. This is crucial or else your central hub server will not receive any data.
How to create a SETP Action?
4. After creating the ruleset, we will now create the service which will poll the eventlog data for forwarding via SETP. The service we are going to create is the EventLog Monitor. It will check in set time intervals for new events and if some occurred, they will be processed by the ruleset. Here are the steps for this procedure:
How to create the EventLog Monitor Service?
5. Again, make sure you press the “Save” button – otherwise your changes will not be applied. The only thing left is to start/restart the service with the Play button. Once done, you reporting agent will begin to poll the log data from your eventlog and forward it via SETP to your central hub.
You are done!
Well, this is all you need to do to configure the basic operations. Once you are comfortable with the basic setup, you can enhance the system with local pre-filtering of event and enhanced logging and alerting (with MonitorWare Agent).
I hope this article is helpful. If you have any questions or remarks, please do not hesitate to contact us at firstname.lastname@example.org.