Ripple Software Helps Break through the Log Jam

Hands On

Fixing problems is what network administrators do, and the key to successful problem solving is having the right information. The best way to fix a problem is to prevent it or catch it as soon as it happens. While Windows NT Event Log dutifully records failures and contains volumes of vital information, it doesn’t quite do the trick, unless someone is monitoring it constantly -- an unrealistic approach.

But constantly reading the event logs is what Ripple Technologies Inc.’s LogCaster is designed to do. When we tested the latest version, LogCaster 2.1.1, we found a multifaceted utility that is simple to comprehend in short order, yet flexible and powerful enough to satisfy sophisticated needs. From its monitoring functions to its reporting and notification capabilities, LogCaster is a good addition to any NT administrator’s toolkit.

We tested LogCaster on a two-server network in an NT domain. Initially, we looked over the shrink-wrapped previous release, version 2.1. This package includes a CD and a 150-page spiral bound manual that covers the basic installation and use topics. We then upgraded to the newly released 2.1.1 by downloading the product from the company’s Web site.

One of the first surprises was that a RippleTech representative phoned and e-mailed us, offering to walk us through the installation process and familiarize us with the product, a follow-up service the company normally provides. Installing and configuring the product is simple enough that most administrators will be able to install it without incident; nevertheless, we appreciated the personal attention.

LogCaster is composed of four basic elements: a core dispatcher service, two agent services and an administrative console program. The event dispatcher service (EDS) runs on one machine in the network and handles the important notification processes of LogCaster. The basic LogCaster Agent runs on all the NT servers and workstations to be monitored. The LogCaster Service Watcher -- the second agent service -- is also run on all NT systems that you want to monitor and control. The LogCaster Management Console can be run from any Windows NT 4.0 system to control and configure LogCaster.

The management console contains menus for logging in and out of accounts, a dashboard for viewing activity, a configuration section for setting up various elements and a reports section for summarizing and exporting information. Any number of users can be defined as having access to the administrative console, plus multiple consoles can be run simultaneously, but only one at a time per defined user.

The first thing LogCaster does is consolidate information from various event logs into a single place. The agent running on each machine forwards events as they occur to the central EDS system.

The second thing LogCaster does is to reduce the volume of event log messages. LogCaster does this by allowing the administrator to define a series of filters, actions and notifications. The individual agents apply the filters at each system before forwarding events, generating less network traffic.

If you don’t know which filters you wish to apply, several samples are supplied. You also can let the system gather events unfiltered and then build filters by right-clicking on an event and following the menus. Each filter decides whether or not to forward events to the EDS. An event, once forwarded, can trigger any combination of notifications, ranging from generic pager and SkyTel paging to e-mail, console alerts and SNMP traps, or can be transferred to any ODBC database.

A forwarded event can trigger other actions, such as running a designated program to perform corrective actions. Triggers can be conditioned on the number of times an event occurs. An event, such as accounts being locked out repeatedly, might trigger a page to the security administrator advising of a possible break-in attempt, an e-mail to affected users letting them know someone may be accessing their accounts or a custom program being started to check an important database.
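To make the filter-then-count-then-notify flow concrete, here is an added example in Python (not LogCaster code; the event record layout, the "Account locked out:" message text, the three-in-five-minutes threshold and the notification strings are all assumptions). The agent-side filter drops everything but Security lockout events before they would cross the network, and the dispatcher fires a page and an e-mail once an account is locked out a threshold number of times within a sliding window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                 # assumed trigger: N lockouts of one account ...
WINDOW = timedelta(minutes=5) # ... within this sliding window

# Constructed sample events (timestamp, host, log, message); the layout is an
# assumption, not LogCaster's actual forwarded-event format.
SAMPLE_EVENTS = [
    ("1999-03-01 09:00:05", "SRV1", "Security", "Account locked out: jdoe"),
    ("1999-03-01 09:00:40", "SRV1", "Security", "Account locked out: jdoe"),
    ("1999-03-01 09:01:10", "SRV1", "Application", "Backup completed"),
    ("1999-03-01 09:01:55", "SRV2", "Security", "Account locked out: jdoe"),
    ("1999-03-01 09:02:30", "SRV1", "Security", "Account locked out: jdoe"),
    ("1999-03-01 09:10:00", "SRV1", "Security", "Account locked out: asmith"),
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def agent_filter(event):
    """Applied on each monitored machine: forward only lockout audit events,
    so routine application noise never reaches the dispatcher."""
    _, _, log, message = event
    return log == "Security" and message.startswith("Account locked out:")

def account_of(message):
    return message.split(":", 1)[1].strip()

def dispatch(events, threshold=THRESHOLD, window=WINDOW):
    """Central dispatcher: count forwarded lockouts per account inside the
    sliding window and emit notifications the moment the threshold is hit."""
    recent = defaultdict(deque)   # account -> timestamps of recent lockouts
    notifications = []
    for event in events:
        if not agent_filter(event):
            continue              # dropped at the agent, never forwarded
        ts, host, _, message = event
        when, account = parse_time(ts), account_of(message)
        q = recent[account]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()           # expire lockouts older than the window
        if len(q) == threshold:   # fire once per crossing, not on every repeat
            minutes = window.seconds // 60
            notifications.append(f"PAGE security-admin: {account} locked out "
                                 f"{threshold} times in {minutes} min (latest on {host})")
            notifications.append(f"EMAIL {account}: your account was locked out repeatedly")
    return notifications
```

With the constructed sample, jdoe's third lockout at 09:01:55 triggers the page and e-mail; the fourth does not re-fire, and asmith's single lockout stays below the threshold.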

LogCaster also offers tools to monitor NT services, performance counters or virtually any device on the network.

The Service Watcher agent can be configured to monitor and report on any NT service, restarting services when stopped. The restarts can be delayed by up to 10 minutes from the time of failure. The agent can be configured to reboot a system if a specified service fails a given number of times. One option will automatically reboot a system on a scheduled basis.

The Performance Monitor helps administrators monitor any NT performance counter as they would with the NT Performance Monitor tool. The LogCaster version, though, has numerous graphing options, including line, bar, ribbon, Web and strata charts.

Going one step further, LogCaster provides a means to include data from programs that produce a generic ASCII log file. Through a point-and-click process similar to the import function in Microsoft Excel, the administrator can define a template for bringing in events from an external log file. Once defined, the template can be applied to an appropriate file on any monitored system. The agent on that system then watches for new entries in the ASCII log file and creates a corresponding entry in the system’s application event log, which is then handled like any other event.

LogCaster’s reporting functions can summarize event data and export it to other programs for further analysis and reporting. The ability to summarize and select event data is excellent, and the ability to export the resultant data to a comma-separated values file lets users perform any other analysis on it.

If there was any flaw in LogCaster, it was a tendency for the main window in the administration utility to become cluttered with tabbed sections as we hopped from function to function setting up filters and defining alerts and corrective actions. Overall, we were impressed with the completeness and usability of this product.

LogCaster 2.1.1
Ripple Technologies Inc.
Washington Crossing, Pa.
(215) 321-9600
www.rippletech.com
Price: $795 per server and $95 per workstation monitored; volume discounts available

+ Easy to learn
+ Excellent filtering capability for events from multiple machines
+ Can import data from ASCII event logs generated by other applications

- Easy to clutter management console