I've used many GFI products over the last 10 years, and in that time, I've found most of them to be user-friendly and a good value, though they tend to be aimed at small and midsize Microsoft Windows shops. GFI EventsManager follows that tradition while also supporting Linux and Unix clients.
EventsManager comes as a single installable executable. (You can download a time-limited trial version of GFI EventsManager for free.) As with all GFI products, the install is almost as simple as Next, Next, and Enter. GFI will install Microsoft SQL Server 2005 Express, if it doesn't detect an existing SQL Server instance, although you might need to apply the latest SQL Server service pack afterward.
During the install, you'll need to provide domain admin credentials, which EventsManager uses to access remote Windows computers. You can provide separate credentials for each client (the hosts from which you're collecting events) at a later time. I'll give GFI kudos for this small touch, which is a real security benefit. You'll also need to install EventsManager on a Windows Vista, Windows 7, or Windows Server 2008 computer if you want to collect events from Microsoft's newest operating systems. Lastly, for the best reporting you'll need to download and install GFI's free Report Pack.
GFI EventsManager: Event log support and processing rules
EventsManager is able to collect and process various event log types, including Windows event logs, Internet Information Service (IIS) W3C logs, SQL Server, syslog, and SNMP trap messages. For Windows event log collection, the Remote Registry service must be enabled on the clients. For IIS W3C log collection, an accessible NetBIOS share must be assigned to the log folder. Syslog and SNMP hosts should forward their events to the computer hosting the EventsManager service. GFI has done an excellent job of coding EventsManager to work with various popular SNMP MIB databases beyond the simple generic trap messages.
After EventsManager is installed, event source hosts can be added to one or more Event Sources Groups to ease management. Each Event Sources Group (and event source host) can be configured from various attributes, including logon credentials, collection interval, and operational time. The time option allows EventsManager to adjust the priority of a particular event based on when it occurs. For example, a logon event that occurs during the weekend should be a higher priority than one that occurs during a normal workday.
Incoming events are matched against a collection of event processing rules that filter, prioritize, and classify events and generate additional actions. Rules can be grouped into rule sets, or "scanning profiles," to broaden or narrow the information you collect. EventsManager ships with a healthy collection of preconfigured event processing rules and rule sets (for Windows, IIS, SQL Server, Syslog clients, SNMP, and so on). While not a comprehensive set, they number in the hundreds and are a nice starting baseline for new deployments.
GFI provides a handy list of event log sources that can be processed by GFI EventsManager out of the box on its website. You can edit these rules or create your own. Incoming event messages can be compared against all rules or applied only to particular rule sets (scanning profiles) to speed up the process. After all, there's no need to compare IIS or SQL Server event rules against Linux hosts, for example.
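To make the processing-rule, scanning-profile, and operational-time ideas concrete, here is an added Python sketch; it is not GFI code, and the event records, rule names and the 08:00 to 18:00 working window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

# Constructed sample events, one per source type (not real collected data).
EVENTS = [
    {"source": "windows", "host": "dc01", "time": "2010-06-12T09:15:00", "event_id": 4624, "user": "jsmith"},  # Saturday
    {"source": "windows", "host": "dc01", "time": "2010-06-14T09:15:00", "event_id": 4624, "user": "jsmith"},  # Monday
    {"source": "syslog", "host": "web01", "time": "2010-06-14T02:30:00", "msg": "sshd: Failed password for root"},
    {"source": "iis", "host": "web02", "time": "2010-06-14T10:00:00", "status": 500, "uri": "/app"},
]

@dataclass
class Rule:
    name: str
    source: str                      # which scanning profile the rule belongs to
    match: Callable[[dict], bool]    # predicate over one event record
    priority: str                    # baseline priority when the rule matches

# Assumed rule sets, grouped by event source (a scanning profile per source type).
RULES = [
    Rule("Windows logon", "windows", lambda e: e["event_id"] == 4624, "low"),
    Rule("SSH auth failure", "syslog", lambda e: "Failed password" in e["msg"], "medium"),
    Rule("IIS server error", "iis", lambda e: e["status"] >= 500, "medium"),
]

PRIORITY_ORDER = ["low", "medium", "high", "critical"]

def escalate(priority: str) -> str:
    """Raise a priority one step, capped at the top level."""
    idx = PRIORITY_ORDER.index(priority)
    return PRIORITY_ORDER[min(idx + 1, len(PRIORITY_ORDER) - 1)]

def outside_operational_time(ts: str, start: int = 8, end: int = 18) -> bool:
    """True on weekends or outside the assumed 08:00-18:00 working window."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (start <= t.hour < end)

def classify(event: dict, rules=RULES) -> dict:
    """Apply only the rule set for the event's source, then adjust priority by time."""
    for rule in rules:
        if rule.source != event["source"]:
            continue  # no need to compare IIS or SQL Server rules against a syslog host
        if rule.match(event):
            priority = rule.priority
            if outside_operational_time(event["time"]):
                priority = escalate(priority)  # same logon is worth more on a weekend
            return {"rule": rule.name, "priority": priority}
    return {"rule": None, "priority": "unclassified"}

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], classify(ev))
```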
In the Events Browser section, you can also browse the details of all the collected events. By default GFI breaks the events into five major categories (Windows event logs, IIS, SQL Server, SNMP, and Syslog) and subcategories under each major category.
You can conduct queries and keyword searches in an event category by selecting one or more fields to search against. Multiple search criteria can be selected, and you can combine criteria with Boolean logic. Requiring that the fields of the search be defined as part of the query makes ad hoc or unstructured queries difficult to perform. Also, you cannot perform cross-platform or cross-device queries and searches, which is a bit limiting. For example, searching for every captured logon using the name of JSmith across all collected events from all device sources (Windows, Linux, firewalls, and more) would be difficult or impossible to perform.
EventsManager is missing enterprise features such as event compression, network bandwidth throttling, a command-line interface, and storage groups. EventsManager also lacks granular access controls. It comes with only one predefined privilege group, EventsManagerAdministrators, which has full privileges. Other groups can be defined, but the only other privilege that can be assigned is read only. This is not quite flexible enough for most large enterprises.