NT Event Log Monitoring

When my Windows NT customers hear that I do “monitoring” for other clients, the first question is always (something like), “Can you monitor the event logs of all of our servers?” Up until now, the only real option I’ve known off the top of my head is using Nagios’ check_NT command (along with NSClient++) to look for specific events (something that doesn’t completely cut it in most environments). Recently, I’ve come across a cool project that I hope to possibly implement for one of my clients: Event Log Monitor.

Here are some screenshots. It seems to integrate with one of my favorite Windows-related sites (EventID.net), has cool filtering / alerting, and (perhaps the best part) is also open source! Here is an install guide, requirements, config tool, and the client agent.

Here is the description lifted from their front page:

SB EventLog Monitor is a tool for monitoring and consolidating Windows EventLogs.
Events can be collected:

1. using a VBS script that will collect all events remotely via WMI

2. using a Windows agent that will collect all local events and send them over HTTP(S) to the server.

After that, collected events are parsed using PHP and YOUR rules and are stored in a MySQL database. There are two tables for this. All events are stored in the first one, and in the second one only “Alerts” are saved. Alerts are events that matched one of the rules. Alerts can also be sent by email. The front end is a web-based application with filtering and sorting.
EventLog Monitor has 3 parts

Collector

The first part is written in Microsoft VB script (executed using cscript) and is used to collect EventLogs from computers using WMI (only new events are collected).
OR you can use the Windows agent for collecting events. The Windows agent must be installed on each monitored machine. This agent will collect events and send them over HTTP(S) to the server.

You can use both collecting methods together. The ELM server can handle this.

Parser

The second part is written in PHP and it will parse all collected events and store them in a MySQL database. The “parser” also runs user-defined rules on each event, so important events can be sent by email or just stored (copied) in a different table - so no important event is missed. Rules can also mark an event as “noise”, and then this event is hidden from standard views.

Web UI

The last part is a web-based user interface for browsing the events and alerts. Users can set filters for better orientation. The Web UI is also used for configuring the collector (which computers, how often, computer group); user control; rule creation and settings; cron control (how often data are parsed, when old events can be deleted, …).

All is based on PHP (5.0+), a web server (Apache, IIS) and VBScript (and WMI). Only one scheduled task must be created, to execute the collector and “cron” (PHP scripts for parsing data, sending emails, …). The collector must be run as a user with administrative rights on the monitored computers!

VBS/WMI Collector

There is one little batch file and a WMI script… The batch file does a web request (using curl.exe) to the “prepare-bat.php” script, and this is how the “WMI-EVENTS.txt” file is created. Inside this file is just a list of target machines. Then WMI-EVENTS.vbs is called, and the event collecting is started. ONLY NEW EVENTS are collected. All collected data are saved as XML files. There are also “.dat” files - inside is the time of the last event. When collecting is done, “cron.php” is called (also using curl.exe) and the events in the XML files are parsed and stored in the MySQL database. That’s the whole magic.
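To make the parser and collector behaviour described above concrete, here is an added example that is not SB EventLog Monitor’s own code: a miniature of the parse stage in Python. It reads a collected XML export, keeps only events newer than the last-seen timestamp (the job the “.dat” files do), stores every event in one table, copies rule matches into a second “alerts” table, and flags “noise” so it stays out of the standard views. The XML layout, the rule field names and the use of SQLite in place of MySQL are all assumptions for the sake of a self-contained run; the sample events are constructed.

```python
"""Added example, not the project's code: a toy version of the ELM parse
stage (events table + alerts table + noise flag + only-new-events)."""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample export. Element/attribute names are an assumption; the
# project's real XML layout is not shown on the page.
SAMPLE_XML = """<Events>
<Event computer="SRV01" log="Security" id="529" type="FailureAudit"
       time="2008-03-10T10:00:00" message="Logon Failure: bad password for user alice"/>
<Event computer="SRV01" log="Security" id="529" type="FailureAudit"
       time="2008-03-10T10:00:05" message="Logon Failure: bad password for user alice"/>
<Event computer="SRV01" log="System" id="7036" type="Information"
       time="2008-03-10T10:01:00" message="The Print Spooler service entered the running state."/>
<Event computer="SRV02" log="Security" id="624" type="SuccessAudit"
       time="2008-03-10T10:02:00" message="User Account Created: New Account Name: svc_backup"/>
<Event computer="SRV02" log="Application" id="1000" type="Error"
       time="2008-03-10T09:59:00" message="Faulting application notepad.exe"/>
</Events>"""

# User-defined rules in the spirit of the page: "alert" copies a match into the
# second table (the kind you would also mail), "noise" hides it from standard
# views. The rule schema itself is an assumption.
RULES = [
    {"name": "failed-logon", "log": "Security", "id": 529, "action": "alert"},
    {"name": "account-created", "log": "Security", "id": 624, "action": "alert"},
    {"name": "service-state-chatter", "log": "System", "id": 7036, "action": "noise"},
]


def parse_events(xml_text):
    """Turn the collector's XML into plain dicts, one per event."""
    root = ET.fromstring(xml_text)
    return [{
        "computer": e.get("computer"), "log": e.get("log"),
        "id": int(e.get("id")), "type": e.get("type"),
        "time": e.get("time"), "message": e.get("message"),
    } for e in root.iter("Event")]


def newer_than(events, last_time):
    """The '.dat' idea: keep only events after the last one already seen.
    ISO-8601 timestamps of equal length compare correctly as strings."""
    return [e for e in events if last_time is None or e["time"] > last_time]


def matching_rule(event, rules):
    """First rule whose match fields (everything but name/action) all equal the event's."""
    for rule in rules:
        fields = {k: v for k, v in rule.items() if k not in ("name", "action")}
        if all(event.get(k) == v for k, v in fields.items()):
            return rule
    return None


def init_db(conn):
    """Two tables, as the page describes: all events, and alerts only."""
    conn.executescript("""
        CREATE TABLE events (computer TEXT, log TEXT, id INTEGER, type TEXT,
                             time TEXT, message TEXT, noise INTEGER DEFAULT 0);
        CREATE TABLE alerts (computer TEXT, log TEXT, id INTEGER, type TEXT,
                             time TEXT, message TEXT, rule TEXT);
    """)


def store(conn, events, rules):
    """Every event goes to 'events'; rule matches are also copied to 'alerts'."""
    counts = {"events": 0, "alerts": 0, "noise": 0}
    for e in events:
        rule = matching_rule(e, rules)
        noise = 1 if rule and rule["action"] == "noise" else 0
        conn.execute("INSERT INTO events VALUES (?,?,?,?,?,?,?)",
                     (e["computer"], e["log"], e["id"], e["type"],
                      e["time"], e["message"], noise))
        counts["events"] += 1
        if noise:
            counts["noise"] += 1
        elif rule:
            conn.execute("INSERT INTO alerts VALUES (?,?,?,?,?,?,?)",
                         (e["computer"], e["log"], e["id"], e["type"],
                          e["time"], e["message"], rule["name"]))
            counts["alerts"] += 1
    conn.commit()
    return counts


def run(xml_text=SAMPLE_XML, last_time=None, rules=RULES):
    """One parse pass: returns (counts, events visible in standard views, alert rule names by time)."""
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL database on the page
    init_db(conn)
    counts = store(conn, newer_than(parse_events(xml_text), last_time), rules)
    visible = conn.execute("SELECT COUNT(*) FROM events WHERE noise = 0").fetchone()[0]
    alert_rules = [r[0] for r in conn.execute("SELECT rule FROM alerts ORDER BY time")]
    return counts, visible, alert_rules


if __name__ == "__main__":
    print(run())
    print(run(last_time="2008-03-10T10:00:00"))
```

The second call in the usage block mimics the collector’s next run: with the last-seen time loaded, the two older records are skipped and only the three newer ones reach the tables. Two details carry over to any real deployment of this design: the rule match is exact on log name and event ID, so a rule set needs both the “interesting” IDs and the chatter you deliberately demote to noise, and the “alerts” table is a copy, so deleting old rows from “events” (the cron job on the page) never loses an alert.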

