How To setup Windows NT centralized Monitoring

Article created 2001-09-24 by Rainer Gerhards.

Monitoring Windows NT/2000/XP is important even for small environments. After writing an article on this issue, I had lots of calls on how to exactly set up such a system. So I finally decided to write a small article on how to accomplish this.

Thus, this article is strictly task focused. It does not describe why the systems should be monitor nor does it provide any further background. Please see the respective backgrounders or product documentation on this. This article is a step-by-step description of what you need to do in order to centrally monitor your Windows NT/2000/XP and .NET systems.

The Scenario

This article focuses on a typical small to medium business topography with a single geographical location and 5 Windows servers. All systems are well-connected via a local Ethernet. There is also an important Windows workstation running some data gathering application that should also be monitored. The administrator shall receive daily consolidated event reports. Event reports are to be viewed via the local Intranet (one of the servers is a web server).

What you need

In this article, I am focusing on building a solution with Adiscon's MonitorWare line of products. From there, we take the EventReporter, WinSyslog and MoniLog products. This combination allows you to centralize all your event logs and report events from them. Free 30 day trial versions are available at the respective product sites (links below), so you can try the system without the need to buy anything.

You need to run the following products:

• 1 EventReporter for each system that is to be monitored. In our scenario, this means 6 copies, one for each server and one for the workstation to be monitored.
• 1 WinSyslog to receive and store event reports from the EventReporter monitoring agents.
• 1 MoniLog to automatically generate consolidated reports based on the gathered log data.
• to deliver MoniLog reports, you need a local web server (for example Microsoft's IIS or Apache) and a mail server capable of talking SMTP (most modern servers support this)

Obviously, each of the EventReporter agents need to be installed on the machine to be monitored. For WinSyslog and MoniLog, the web server is chosen to run these new services. In our typical scenario, the load placed on that server is very low, so it is tolerable to use a non-dedicated machine. Placing both products on the web server provides optimal performance, because all file processing can be done on locally attached disks.

You need administrative privileges on each of the machines. This is required both for installation and configuration. Make sure you log on with a sufficiently privileged user account.

Getting the system up and running

Step 1 - Download Evals

Ok, maybe a bit to basic... But I wanted it to be a complete step by step guide. So I can place a reminder that you should check the web sites for new versions if you downloaded your copies a while ago. Security and monitoring is a short lived business, and new product versions can appear quickly.

Step 2 - Install WinSyslog

Identify the system WinSyslog (and probably MoniLog) should run on. Take a note of its IP address or host name. You'll need this value when configuring the EventReporter agents. For our example, I assume this system has an IP address of 192.168.0.1.

Please note that there is also an online seminar available that actually is a recorded session of WinSyslog being configured for file logging. You might want to view this short seminar in addition to reading this document.

Run the WinSyslog setup with default parameters. When setup has finished, WinSyslog automatically is configured to operate as a simple syslog server. However, it does not yet create the log file we need. So we will go ahead and change this:

1. start the WinSyslog client
2. select your language - in this example, I use English, so it might be a good idea to chose English even if that is not your preference. You can change it any time later, but using English makes it much easier to follow this guide here.
3. In the treeview, expand the "Default RuleSet" node, then "ForwardSyslog", then "Actions".
4. Now, select "Write to File 2" in the treeview. The file write properties will be shown in the right-hand window:
5. You need to uncheck the "Include Date and Time reported by Device" as MoniLog is not compatible with that option. We will save our files to C:\temp with default naming conventions. So you do not need to change anything here. If you absolutely need to move the directory, just modify the "File Path Name" setting - nothing else. Be sure that the directory (either C:\temp or the one you entered) exists!
6. The "Write to File 2" properties should now look as in this screen shot:
   
   Now, make sure you press the "Save" button - otherwise your changes will not be applied and MoniLog will not work correctly!
7. make sure that the WinSyslog service is  started. To check if it is, open the "File" menu. If you can select the menu option "Start" it is not yet running. If it isn't, select this option to start it.
8. As a precautionary step, have a look at the system and application event logs. Any startup errors have been recorded there. I do not expect any errors.

This conclude the first step. You do now have a working instance of WinSyslog running. Please note that there is no need to install it on any other machine.

Step 2 - Install the EventReporter Agents

Run the EventReporter setup program on all systems that should be monitored. This means you need to run it on all 5 servers and the 1 workstation. For larger installations (with many more servers), there are ways to set it up simpler, but in a scenario like ours, it is faster to install it on each machine manually. You can install it with the default settings. After installing, you need to configure it for use with WinSyslog and Monilog. You can do this by starting the EventReporter configuration program on each of the machines or by launching it on one machine and remotely connecting to the others. It is your choice. In this sample, I use the client on each machine (it is easier to follow).

The steps to configure the agents are as follows (repeat this on each of the 6 machines):

1. start the EventReporter client
2. as with WinSyslog, select your language - English preferred to follow this sample
3. There are some very important settings on the "General" tab. In our example, it should look as follows:
   
   Please note the read areas: the syslog server settting must point to the name or IP address of the system WinSyslog is installed on. In our case, that was 192.168.0.1. Under "Additional Options", only the "Add Facilitystring" setting can be checked. These options affect the format of generated messages. If any of the other boxes is checked - or "Add Facilitystring" unchecked - MoniLog will not report any events. Leave all other settings as default.
4. Do not make any other modifications. The defaults are good for our intended setup.
5. You now need to start the EventReporter service. To do so, select "Service", then "Start EventReporter Service" from the menu.

These 5 steps fully configure a machine in our scenario. Be sure to execute them on each machine in question.

After Step 2 is completed, the WinSyslog machine should have a log file in its C:\temp directory. This log will contain events forwarded from the EventReporter agents. Please verify if there is such a file. If it isn't check the setup you made.

Step 3 - Preparing Web Server for MoniLog

MoniLog publishes its reports through the local web server (remember: we installed MoniLog on the Intranet server).

To avid confusion, we recommend creating a separate directory on the web server for MoniLog. Let's assume you use Microsoft Internet Information Server and run it in the default configuration. Then, you web pages are stored in the c:\inetpub\wwwroot directory. Create a subdirectory "monilog" directly beneath this directory.

Step 4 - Installing and Configuring MoniLog

Now, switch back to the machine WinSyslog is installed on. For optimal performance, MoniLog should be installed on the same machine like WinSyslog. This enables it to access the log files stored on the local disk.

Log on interactively to the web server. Then, run the MoniLog setup with default parameters. When setup has finished

1. start the MoniLog client
2. select your language - again, I recommend using English as it makes this sample easier to follow.
3. switch to the "General" tab and set the log location. This is the directory, where WinSyslog stores log files. In our sample, it is c:\temp (if you changed this directory, you need to put the one you selected into this dialog). Leave all other settings at default values. The correctly configured tab looks like follows:
   
   Click "Apply" after making your changes!
4. This has already enabled MoniLog reporting. Now, we can verify the installation. To do so, switch to the "Profiles" tab. Click the “New Profile” button and enter a name. In this example I use the name “Profil1”.
   
   Click “OK” button to create a new profile.
   
5. Under "Reports Location", enter the directory where MoniLog reports should be stored. In our sample, we use "c:\inetpub\wwwroot\monilog". Leave all other settings as default. The tab should look like this one:
   
   Click "Apply" to save your changes.
6. Next step is to set your report options. To do so, click “Report Options”. A new window opens and should look like this one:
   
   Click on “OK” to close the windows by using default options.
7. Click "Analyze now" to test it. After a short while, a browser window with a MoniLog report will appear. The actual content of this report varies greatly. It depends on which events have been forwarded while setting up the agents. Probably, your report will be empty. This simply indicates there was not yet any data to be analyzed. Immediately after setup, this is OK. If you don't receive any data after some hours, there of course is something wrong. If that is the case, check the steps done before. A typical - empty - report looks like follows:
   
8. Now we have verified the system is working. Next, we can schedule the automatic report. To do so, we need to check “Enable Schedule” and also “Enable Email delivery”. A quick reminder: we would like to receive a pointer to the report via email each working day. We first need to set the web directory the reports are to be stored to and enable email delivery. It is all done in the following screenshot:
   
   The “Email Options” and “Scheduled Options” become colored and are now available!
9. Now we need to configure the email options. Click "Email Options...". We assume the web server (192.1689.0.1) is also acting as a mail server. The emails should be sent to "admins@sample.adiscon.com". With that, the dialog looks like follows:
   
   Important: make sure the values match your configuration! This is vitally important because otherwise MoniLog is incapable of sending email correctly.
   Click "OK" to apply the new settings.
10. Next, click the "Report Options..." button. As we schedule reports only on working days, we need to tell MoniLog that it should include all those events occurred since its last run into the reports. We can not leave the default of 24 hours as this would exclude the weekend's events. So change the "Report Type" option to "From last run till now" as seen below.
    
    Click "OK" to apply the setting.
11. Lastly, click on "Schedule Options" to set a schedule. As long as no schedule is set, no reports will be generated automatically. In our sample, we let MoniLog generate reports each working day at 8:00 in the morning. Weekends are not enabled. The dialog looks like this:
    
12. Click on "OK" to apply the settings. Typically, the following window occurs:
    
    This tells you that the MoniLog service has not yet been started. The service generates the scheduled reports (so you don't need to run the client in foreground). For now click "OK". We'll start the service in the next step. Please note that we now have fully configured reporting, but it will not occur because the service is not yet running.
13. To conclude your configuration of MoniLog, start the service. To do so, select "Service", then "Start Service" from the menu. This will start the service. During setup, the service is set to start automatically with system startup. So there is no need to manually restart the service after a reboot.

MoniLog is now completely configured. You will not immediately receive reports, because they will only be generated at 8am each working day. So you need to wait for the next morning. If you would like to change the schedule to have an immediate feedback, please go to "Schedule" and change the time to be a few minutes in the future. Then click "OK" and restart the service. This can be done via the "Service" menu. A restart is necessary because the service reads changed parameters at startup, only.

You are done!

Well, this is all you need to do to configure the basic operations. Once you are comfortable with the basic setup, you can enhance the system with local pre-filtering of event reports (done via EventReporter), enhanced logging and alerting (with WinSyslog) and changing report options (with MoniLog). There is also a web interface for WinSyslog available that allows to view complete detail messages. The possibilities are endless. You might be especially interested in WinSyslog's enhanced rule engine. With it, you can send email notifications for urgent events. See the individual product manuals for configuration options. The links above point to them.

I hope this article is helpful. If you have any questions or remarks, please do not hesitate to contact me at rgerhards@adiscon.com.