Messing with Syslog servers.

At work I have been trying to fix the implementation of a syslog / event log server that currently runs on a Windows Server 2003 machine. It's a very nice product called EventLog Analyzer by ManageEngine.

I've had issues with the database. Not due to the software but due to my lack of understanding of how it was configured. Unfortunately the person who set this software up is no longer with the company that I work for, and it looks like although he has made the application very secure he has not documented his work. This is probably one of the most underrated but most important responsibilities of a system administrator. If you're setting up a new system, or even if you're just making a change to the configuration of a system, it needs to be documented. At most you will ensure the person succeeding you will be able to take over where you left off, but at minimum you'll remind yourself what you did a few months later when you have to look at it again.

The EventLog Analyzer that we use looks like it would run on Linux more efficiently. The Windows server it is currently installed on is using more resources on keeping the operating system running than on keeping the application performing well. I also prefer this kind of thing running on Linux because it's rock solid, and in the unlikely event that something goes wrong the logs are usually much more comprehensive and easier to read than those found in Windows.

The problem with the EventLog Analyzer running on Linux is that it requires a Windows event log forwarder on each monitored system running the Windows operating system. As this organization primarily uses Windows this is a bit of a challenge. Of course, if I found a good event log forwarder that ran as a service and could be configured remotely then I'd be fine, because using either SCCM or group policy I could easily deploy it to all servers in the estate. With a bit of research I found that using eventmon from monware will do everything I need. It runs as a small service requiring no user intervention during installation, and it can be configured via the registry. This registry configuration can be exported by the eventmon client and then distributed via group policy or SCCM, so it would be really nice to get this running. Unfortunately it involves a licence cost. As we're already paying for the ManageEngine EventLog Analyzer this isn't really a viable option. There is no way that I can justify my own preferences for the purchase of additional licences when, with a little more work, I can get the EventLog Analyzer running on a Windows machine that will inherently support our Windows servers without the use of an event log forwarder. There is an application out there called NTsyslog; however, although this runs as a service and, from my understanding, is free, it doesn't support Windows Server 2008 and it's no longer in development.

There are a few things I don't like about the EventLog Analyzer. Firstly, it looks like it was made for Linux and just ported to Windows as an afterthought. There is no real user interface on the Windows side of things. Of course the EventLog Analyzer comes with a really great web interface, but when trying to troubleshoot why the application isn't connecting to its proprietary and cut-down version of MySQL it's very difficult to see how it all fits together. There are bat files that expect arguments when run from a command line, however there's no documentation of these arguments. When I've tried to guess them the output I get is far from descriptive. There are also scripts and executables everywhere and very little documentation of anything outside the web interface.

I love syslog servers. The ability to see all the event logs at a glance and report on the top errors and the top error generators is a fantastic facility, especially when administering hundreds of servers. Unfortunately my experience with this type of server has been far from good. They usually have fantastic web front ends and terrible back ends / terrible documentation for the back end, or they have a fantastic back end but poor or limited functionality in the web-based interface. I just don't seem to be able to win when using these products.
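As an added example (not code from the original post or from the ManageEngine product), here is the "top errors and top error generators" report done by hand in Python over BSD-style syslog lines (the `<PRI>timestamp host tag[pid]: message` format that most syslog forwarders emit). The priority value is split into facility and severity, lines at severity `err` or worse are counted by normalised message and by sending host, and anything that is not syslog is skipped rather than crashing the report. The sample lines are constructed for the example, not real logs.

```python
import re
from collections import Counter

# Constructed sample lines in BSD syslog (RFC 3164) format; not real logs.
# PRI = facility * 8 + severity, so <27> is daemon.err and <3> is kern.err.
SAMPLE_LINES = [
    "<27>Oct 11 22:14:15 web01 sshd[1234]: error: PAM: Authentication failure for root from 10.0.0.5",
    "<27>Oct 11 22:14:19 web01 sshd[1234]: error: PAM: Authentication failure for root from 10.0.0.5",
    "<30>Oct 11 22:15:01 web01 CRON[2201]: (root) CMD (run-parts /etc/cron.hourly)",
    "<27>Oct 11 22:15:07 db01 sshd[4412]: error: PAM: Authentication failure for admin from 10.0.0.5",
    "<27>Oct 11 22:16:30 db01 mysqld[901]: error: Disk is full writing './ibdata1'",
    "<3>Oct 11 22:17:02 app02 kernel: Out of memory: Kill process 5520 (java) score 900",
    "<14>Oct 11 22:17:05 app02 systemd[1]: Started Session 7 of user deploy.",
    "<27>Oct 11 22:18:44 web02 sshd[3301]: error: PAM: Authentication failure for root from 10.0.0.5",
    "this line is not syslog and must be skipped",
]

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for a well-formed BSD syslog line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # largest legal PRI is 23 * 8 + 7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def normalize(msg):
    """Collapse variable fields (IPs, then any other numbers) so repeats group together."""
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)
    msg = re.sub(r"\d+", "<n>", msg)
    return msg


def top_errors(lines, max_severity=3, n=3):
    """Count lines at or above `max_severity` (default err=3) by message and by host."""
    by_msg = Counter()
    by_host = Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["severity"] <= max_severity:
            by_msg[(rec["tag"], normalize(rec["msg"]))] += 1
            by_host[rec["host"]] += 1
    return {
        "messages": by_msg.most_common(n),
        "hosts": by_host.most_common(n),
        "skipped": skipped,
    }


def format_report(report):
    out = ["Top errors:"]
    for (tag, msg), count in report["messages"]:
        out.append(f"  {count:4d}  {tag}: {msg}")
    out.append("Top error generators:")
    for host, count in report["hosts"]:
        out.append(f"  {count:4d}  {host}")
    out.append(f"Skipped {report['skipped']} unparseable line(s)")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(top_errors(SAMPLE_LINES)))
```

Counting on the normalised message rather than the raw text is what makes the report useful: three failed root logins from the same address collapse into one line with a count of 3, while the admin login on db01 stays separate because the account differs. Swap `SAMPLE_LINES` for `open("/var/log/messages")` to run it over a real file.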

Ok. I’m going to dive into this again.

Hey, on the up side, while configuring the test Linux server yesterday I decided to install openSUSE 11.3. I hadn't used openSUSE in a while so it was nice to have a look at the changes in it. To my delight and surprise it connected to Active Directory instantly without any added configuration. This is a really nice improvement. I hope that other distributions of Linux follow this example. It would be nice to have one set of credentials for all systems.