Event Alarm: Event Log and Syslog Monitoring - Beyond Just the Security Log
Event Alarm ® empowers administrators to focus on the proactive fine-tuning of networks instead of full-time damage control duty by automating the monitoring of log files - whether generated as Microsoft Windows ® events or as syslogs generated by hardware devices, UNIX, or Linux machines.
Event Alarm offers the network administrator a wide range of notification options including email alerts, network popups, pager calls, syslog forwarding, or broadcast notifications throughout the domain to administrators running Event Alarm's Listener Console - included with the software, free of charge.
In addition, Event Alarm ships with more than one hundred pre-defined alarms, making selection of those events for which an alarm is desired even easier.
Furthermore, one of Event Alarm's greatest features is its ability to watch event logs on remote machines without requiring a client on each machine. From one central console on a single workstation, a network administrator can adjust particular alarms and corresponding notifications on multiple computers across their domains. An agent can still be installed where the network configuration or security settings require it, and this agent-optional architecture truly sets it apart from the log monitoring products currently on the market.
Moreover, Event Alarm is syslog capable - it can receive syslog messages from Unix machines and other network devices, storing them in its Application Log for centralized collection and alerting.
Most importantly for any network professional affected by regulatory compliance requirements such as HIPAA, Sarbanes-Oxley, or GLBA (Gramm-Leach-Bliley), Event Alarm can be implemented without knowledge of the inner workings of the event log or of which event ID best describes the event you're looking for. Finally, with its Rapid Configuration Tool, Event Alarm does the work for administrators, putting rollout of an enterprise-quality log monitoring solution finally within reach.
Used alone, or coupled with another of our event log consolidation or analysis tools - Event Archiver ® or Event Analyst ® - Event Alarm is a powerful and cost-effective way to keep tabs on the health and security of your network.
Just Some of Event Alarm's Powerful Features
When used in conjunction with Dorian Software's Event Archiver, Event Analyst, and Event Rover ™, the tools provide not just another SEM software product, but a total event log and syslog management solution.
However, acting alone, Event Alarm can provide a powerful new component in any security strategy. The latest features in Event Alarm include:
Turbo Log Scanning Mode
Instructs Event Alarm's log scanning processes to use most of the available processor cycles when scanning newly recorded events on computers. This results in much faster detection of alarms, as well as the capability to keep pace with domain controllers generating higher volumes of auditing data.
Flood Control Features
Enables administrators to determine how many of the same alarms in a certain period of time constitute a flood. Once a flood is detected on a monitored computer log, no more alarm notifications are sent for a user-adjusted period of time. Administrators can also configure the notification types – email or popup, for example - that are governed by flood control.
Custom Domain Creation
Helps tackle the problem of log management among evolving enterprise networks by allowing network administrators to create "custom domains" – or, logical groups of related computers.
For example, delegation of administration may require that an administrator monitor specific servers in three different organizational units of a larger domain. Using Event Alarm, she can now map these individual computer names to a custom domain. Then, she can easily reference that custom domain to adjust monitoring settings on all of these computers at once.
Ping Testing and System Offline Notifications
Enables ping (ICMP echo) testing of monitored servers, which provides a host of benefits. For example, Event Alarm can be configured to only scan for new events on servers that respond to ping requests, reducing the likelihood of network timeouts. Also, customized notifications can be sent immediately to administrators when servers go offline or come back online.
Customizable Notification Times
Administrators can globally adjust hour-by-hour and day-by-day when notifications are to be sent out or discarded.
Drag-Drop Configuration of Alarms and Notifications
Simply drag and drop alarms, alarm bundles, or notifications to associate them with monitored computers.
More Computer Statistics
In addition to information about log scanning, computer statistics are now available. Administrators can easily see whether or not a monitored computer can be pinged, the operating system version running on the computer, and the number of event log entries present in the log.
Updated Event Alarm Listener Console
Based on direct user feedback, this tool - a companion utility that receives broadcast and syslog notifications sent out by the Event Alarm Service - has been revamped and offers numerous new features, including:
- A grouped, tree-view of received syslog messages
- Automatic saving of previously received syslog messages saved when the program is shut down, then reloaded when the program is restarted
- Temporary pausing of incoming message processing
- Hiding and showing tabs related to certain types of messages, such as NetBIOS versus syslog
Detailed Syslog Device Messages
Now, when the Event Alarm Syslog Bridge service redirects incoming syslog messages from syslog devices on the network into the Microsoft Windows Application event log, it logs both the IP address and the device name in the description field of the redirected event. Consequently, it is now easier to search for, monitor, and correlate syslog messages from certain devices within the Microsoft Windows Application event log.
Log Monitoring History Tracking
The recent history of log monitoring operations is now simply a menu click away. In addition, administrators can filter the entries by type - information, warning, or error messages, for example. Export to HTML is then possible if desired.
Customizable Port for SMTP Mail Server Relay
Increasingly, IT departments are configuring mail servers to only relay mail that arrives on non-standard ports. Event Alarm 5 supports the relay of notifications through a mail server on ports other than port 25.
The Rapid Configuration Tool
Finally, no special knowledge of event log structure or event identifiers is necessary to implement an enterprise grade event monitoring solution. This feature enables users to identify general types of activity for which they want notification - when group members are removed, when users are created, or when logon failures occur, for example. The tool then, behind-the-scenes, maps these common language categories to very specific events. It even goes so far as to remind the user when auditing categories must be enabled in Group Policy.
And Event Alarm still features the same great capabilities that have made it the choice for network monitoring around the world. Among those capabilities are:
- Runs 24/7 as an unattended service on a Windows NT / 2000 / XP / 2003 Server or Workstation
- Ships with the Event Alarm Control Panel, a centralized GUI-based management console
- Watches over the Application, System, Security, DNS Server, Directory Service, and File Replication Service Logs remotely on Microsoft Windows NT / 2000 / XP / 2003 Servers and Workstations
- Can receive syslog messages from other computers, routers, and firewalls on your network, storing them in the Application Log for centralized collection and alerting
- Notification options include email, network popup, pager, syslog forwarding, or broadcast messages to users of the Event Alarm broadcast client software
- False Positive Reduction - Administrators can flag certain events to be ignored in routine monitoring of the network. This "exclusionary" capability extends Event Alarm's flexibility, ease of implementation, and ease of ongoing use.
- Alarm Grouping Capability - Commonly used alarms can be grouped into more easily managed Alarm Groups. This functionality further minimizes any lengthy server reconfigurations on the part of the administrator.
- Flexible Custom Notifications - Email and popup alarm notification content can be customized to meet certain specific needs of Event Alarm users and their networks.
- Alarm Importing and Exporting - Event Alarm can import and export alarms and alarm group sets from one installation to another, easing rollout in large networks.
- Supports threshold-based notifications ("notify me if this event happens more than three times", for example) to reduce the likelihood of false alarms
- Ships with over one hundred predefined alarms in various categories, many of which correspond to auditable security events
- Does not require multiple client installations; the service runs as a domain admin account
- Deployable in either a domain environment or on single isolated servers
- Event log entries triggering notifications can be placed in Access or ODBC databases for later review ("discriminating collection" capability)
- Can unify audit policies and log settings across entire domains with simple step-by-step wizards
- Supports the real-time registration of new logs, editing of existing log registrations, and deletion of log registrations
- Supports installation to multiple designated "watcher servers" in order to optimize network traffic across certain LAN segments
- Contains a multi-process architecture for maximum CPU efficiency
- Works alone or seamlessly with Event Archiver, Event Analyst, and Event Rover to create a total event log management solution
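The flood-control and threshold-based notification behaviour described above can be modelled in a few dozen lines. The following Python is an added illustration, not the product's own code: the AlarmGate class, its offer method, the parameter names and the sample events (including event id 529, the NT-era logon failure id, used here only as sample data) are all assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class AlarmGate:
    """Threshold + flood-control gate in front of alarm notifications."""

    def __init__(self, threshold, threshold_window, flood_limit,
                 flood_window, suppress_for):
        self.threshold, self.threshold_window = threshold, threshold_window
        self.flood_limit, self.flood_window = flood_limit, flood_window
        self.suppress_for = suppress_for
        self._matches = defaultdict(deque)   # (computer, event_id) -> match times
        self._sent = defaultdict(deque)      # computer -> notification times
        self._silenced_until = {}            # computer -> end of flood suppression

    def offer(self, ts, computer, event_id):
        """Return 'notify', 'below-threshold' or 'flood-suppressed'."""
        hits = self._matches[(computer, event_id)]
        hits.append(ts)
        while ts - hits[0] > self.threshold_window:   # drop matches outside the window
            hits.popleft()
        if len(hits) < self.threshold:
            return "below-threshold"
        hits.clear()  # threshold reached; the next burst is counted afresh
        until = self._silenced_until.get(computer)
        if until is not None and ts < until:
            return "flood-suppressed"
        sent = self._sent[computer]
        sent.append(ts)
        while ts - sent[0] > self.flood_window:
            sent.popleft()
        if len(sent) >= self.flood_limit:   # flood: silence this computer for a while
            self._silenced_until[computer] = ts + self.suppress_for
            sent.clear()
        return "notify"

def run_sample():
    """Feed constructed sample events (not real log data) through the gate."""
    gate = AlarmGate(threshold=3, threshold_window=timedelta(minutes=5),
                     flood_limit=2, flood_window=timedelta(minutes=1),
                     suppress_for=timedelta(minutes=10))
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    # (seconds after t0, computer, event id); 529 is only a sample logon-failure id
    sample = [(0, "DC1", 529), (10, "DC1", 529), (20, "DC1", 529),    # burst 1: notify
              (30, "DC1", 529), (40, "DC1", 529), (50, "DC1", 529),   # burst 2: notify, flood
              (60, "DC1", 529), (70, "DC1", 529), (80, "DC1", 529),   # burst 3: suppressed
              (90, "FS1", 529), (95, "FS1", 529), (100, "FS1", 529)]  # other host: notify
    return [gate.offer(t0 + timedelta(seconds=s), c, e) for s, c, e in sample]
```

Note that the flood window and threshold window are tracked separately per computer and per (computer, event id) pair, so a flood on one host never silences alarms from another.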