There are several contenders in the crowded world of monitoring. The competition consists of everything from small, handwritten scripts to full suites with exhaustive features and capabilities. The trick is finding the one that works best, not only in your environment but, more importantly, for you.
One major contender in this space is EventSentry by NETIKUS. NETIKUS has been continuously developing and enhancing its array of tools since EventSentry's inception in 2002. With numerous Fortune 500 customers in the US and abroad, NETIKUS' offering is not one to overlook.
Two versions of EventSentry exist: the free EventSentry Light and full-featured EventSentry. You can look at the full comparison list on EventSentry’s website. I will be reviewing the full version, which provides a generous 30-day, fully functional trial that even includes support.
The installation is pretty straightforward. The only items you will need are your registration information, including the key that was sent after you signed up for (or purchased) EventSentry, and the password you want to set for the PostgreSQL database that is installed automatically. Treat that password like any other database credential: pick a strong one and record it, because the reporting module depends on it. You may also change the default ports used to serve the web-based reporting module. Either way, the installer adds the required Windows Firewall rules for you if the Windows Firewall is running.
NOTE: Although PostgreSQL is installed by default, the EventSentry website has extensive documentation on using other database servers.
The Configuration Assistant
When the installation completes, you will be prompted to run the Configuration Assistant to personalize EventSentry for your environment.
The Configuration Assistant will walk you through several steps to gather information to customize your environment. The prompts include enabling email alerts, specifying SMTP settings, specifying who to send the alerts to, and indicating whether or not you want to enable heartbeat, syslog, and SNMP monitoring.
When the Configuration Assistant completes, and if you enabled email alerts, you will immediately start receiving emails about the status of the server on which EventSentry is installed. These are the default alerts; they can be tuned or disabled through the EventSentry interface, which is worth doing early so that the genuinely important alerts are not lost in the noise.
The EventSentry interface
Open EventSentry from the Start Menu to view the configuration interface.
From this interface, you can navigate to and configure any part of EventSentry. You can create and delete computer groups, add and remove servers from those groups, and deploy the EventSentry clients to those machines.
Managing computer groups
EventSentry makes deploying the required clients very easy and efficient. The package is small and deploys in a matter of seconds.
One of the greatest things about EventSentry is how easily you can assign what are referred to as "packages" to a computer group or to a single server. A package is a bundle of monitoring settings that defines how the assigned machines are watched. You can monitor event logs, DHCP and antivirus activity, PCI compliance, system health, and much more simply by checking the box for that package.
Event log packages
Another great thing about the packages is that you can create your own. If you need to monitor specific services or event log entries on a server, you can create a new package and easily assign it to that server.
The reporting module is a separate, web-based interface that also requires an initial configuration on the first run.
Initial setup of reporting module
Once you have completed the configuration wizard, the main dashboard is shown. It shows you a high-level overview of what is currently going on in your environment. Every section in this single window is customizable. You can add and remove sections, as well as change how the data is presented.
Navigating further into the reporting area reveals a plethora of real-time statistics available for each group or individual server. Performance, compliance, and trending are just a few examples of the vast types of information easily available.
The Reports tab, with its Compliance and Event Log sections, has even more information that can be gathered from EventSentry.
The Compliance reports help satisfy PCI compliance requirements. They can report on Active Directory changes, logons and logoffs, and even programs executed by users on the domain controllers.
The Event Log section is just as useful, albeit much smaller. The most useful report in this section, in my opinion, is the Most Common Security Event IDs report, which gives a quick frequency view of what your Security logs are actually recording. A shift in that distribution, such as a sudden rise in failed logons or a rarely seen event ID appearing in the top ten, is often the first hint of shady happenings on your network; the raw counts alone do not tell you whether an event is benign.
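The Compliance and Event Log reports above both boil down to reading the Security log and grouping it by event ID. The following PowerShell is an added example, not EventSentry's own code or a feature of the product, showing the same tally done by hand so you can cross-check what the report shows or look at a host that has no agent yet. The `$KnownIds` table lists well-known Windows Security event IDs for logons, privilege assignment, process creation and account management; the `$events` input is a constructed sample so the script runs offline, and the commented `Get-WinEvent` line shows how to run it against a live Security log instead.

```powershell
# Added example (not part of EventSentry): tally Security event IDs and
# annotate the ones a reviewer looks at first.
# Assumption: $events is a constructed sample standing in for the Security log.

# Well-known Windows Security event IDs worth watching.
$KnownIds = @{
    4624 = 'Successful logon'
    4625 = 'Failed logon'
    4634 = 'Logoff'
    4648 = 'Logon using explicit credentials (runas)'
    4672 = 'Special privileges assigned to new logon (admin-equivalent)'
    4688 = 'New process created'
    4720 = 'User account created'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4740 = 'Account locked out'
}

function Get-TopSecurityEventIds {
    # Group events by Id, sort by frequency, and attach a description.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Top = 10
    )
    $Events |
        Group-Object -Property Id |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            $id = [int]$_.Name
            [pscustomobject]@{
                Id          = $id
                Count       = $_.Count
                Description = if ($KnownIds.ContainsKey($id)) { $KnownIds[$id] } else { '(not in watch list)' }
            }
        }
}

function New-SampleEvent {
    # Build a minimal object with the two properties the tally uses.
    param([int] $Id, [int] $MinutesAgo)
    [pscustomobject]@{ Id = $Id; TimeCreated = (Get-Date).AddMinutes(-$MinutesAgo) }
}

# Constructed sample: normal logon/logoff churn, a burst of failed logons,
# a few admin-equivalent logons, one new account and one lockout.
$events = @()
$events += 1..30 | ForEach-Object { New-SampleEvent -Id 4624 -MinutesAgo $_ }
$events += 1..28 | ForEach-Object { New-SampleEvent -Id 4634 -MinutesAgo $_ }
$events += 1..12 | ForEach-Object { New-SampleEvent -Id 4625 -MinutesAgo $_ }
$events += 1..3  | ForEach-Object { New-SampleEvent -Id 4672 -MinutesAgo $_ }
$events += New-SampleEvent -Id 4720 -MinutesAgo 5
$events += New-SampleEvent -Id 4740 -MinutesAgo 2

# On a live host (run elevated), replace the sample with the real log:
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddHours(-24) }

Get-TopSecurityEventIds -Events $events | Format-Table -AutoSize

# Frequency is not severity: a single 4720 or 4740 near the bottom of the
# table can matter more than the thousands of 4624s at the top.
$events | Where-Object { $_.Id -in 4720, 4728, 4732, 4740 } |
    Sort-Object TimeCreated |
    Format-Table Id, TimeCreated -AutoSize
```

The second table is the part the "most common" view cannot give you: account-management and lockout events are rare by nature, so they are worth listing individually rather than ranking them against logon noise.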
The licensing structure for EventSentry is very straightforward. As mentioned before, there is a light version of EventSentry and a full-blown version. For the full version, you can purchase between one and 1000 licenses. If you need more, you can request a quote.
Free upgrades, bug fixes, and support are provided for the first year. If you wish to continue receiving upgrades, bug fixes, and support after the initial 12 months, you can purchase an extension for 18% of the purchase price. There is also a 60-day, money-back guarantee if you are not completely satisfied.
To find out more about the EventSentry licensing structure and pricing, see the EventSentry website.
I enjoyed many elements of EventSentry. First and foremost, it was extremely easy to install. I find it difficult to remember an easier monitoring software installation in my many years of being a sysadmin. Installation also didn’t take much time. I had EventSentry installed, monitoring, and reporting in well under 15 minutes.
EventSentry's documentation and tutorials are also top notch. The community may not be as large as some out there, but the documentation is solid. It took only a few minutes of searching their site to find anything I needed.
PCI compliance is very complicated and open to interpretation. One of the great things about EventSentry is that it helps you work toward compliance and covers many of the logging and monitoring requirements.
A nice little extra that I found while exploring this software was the responsive layout of the reporting module. In our increasingly mobile environments, it’s nice to be able to pull out your phone or tablet and be able to effectively navigate the reporting module.
Cons and room for improvement
I only found a few items I didn't like about EventSentry. The first is that you have to install an agent on every Windows server. Agents are small, easily deployed, and quite possibly more efficient, but agentless products have no such prerequisite and are therefore faster to roll out.
The other inconsistency I found was that the reporting module is web based while the management console is a fat client. The console was also clunky and difficult to navigate from the keyboard.
Response from NETIKUS
Upon completion of my trial for EventSentry, I decided to give some feedback to NETIKUS by taking their survey. I mentioned the same thoughts I put in this article, and I got a response very quickly. So I will have to add this as a “pro” for this company: quick and helpful feedback from the founder! Here’s what Ingmar Koecher had to say:
We currently use a hybrid approach for agent-based and agent-less monitoring. Windows machines are only monitored with agents, and unfortunately we don't currently have plans to move to an agent-less architecture. Real-time log monitoring is a key component of EventSentry, something that is just not possible without agents (even if you read otherwise on the Internet). Developing agents is certainly more involved and sometimes a bit more difficult to deploy, but it is, in our opinion, a far more reliable and efficient way to collect and store information (again, this applies mostly to collecting event log, log, and performance data). Have you had any difficulty deploying the agents? Non-Windows machines are currently monitored using Syslog as well as SNMP, in which case no agents are being used.
We are considering a web-based management console, although there are no concrete plans yet. The management console is a native Windows app since it performs a variety of actions (e.g. built-in event viewer and agent deployment) that require direct access to Windows. In the distant future, we plan to add the ability to configure some parts of EventSentry using a web-based interface, especially for managing the filter rules.
Overall, I really enjoyed trying this software out. Given the fully functional 30-day trial with support, the 60-day money-back guarantee, and the easy installation, I would encourage anyone looking for an outstanding monitoring solution to give EventSentry a try. Thanks for reading!