By Timothy Warner
When I entered the IT field full time in 1997, managing server health, parsing system logs, and monitoring the network were "good ideas," which meant that I did so only when forced to when something went wrong.
In 21st-century IT, you manage disparate systems that live on-premises at multiple sites and, most likely, in one or more public clouds as well. Your shop may also be subject to industry or governmental compliance regimes that make event and log management mandatory rather than optional.
Today, I'd like to show you EventSentry by NETIKUS.NET. EventSentry is a Windows Server-based security information and event management (SIEM) solution that provides real-time monitoring, reporting, and alerting for your network and its hosts.
The installation workflow
To get started, I visited the EventSentry website and registered for the free 30-day trial. The installer arrived as a single 140 MB executable. The only relevant choice during installation concerned the database as the figure below shows. EventSentry will install a local PostgreSQL instance if you don't point to an existing SQL Server, MySQL, PostgreSQL, or Oracle database server.
The post-installation setup consists of the following configuration steps:
- Decide on an e-mail alert volume. You can always change the alert frequency later.
- Point EventSentry to your Simple Mail Transfer Protocol (SMTP) e-mail server.
- Set strong passwords on the two EventSentry database service accounts.
- Enable heartbeat monitoring. This is a simple connectivity test to ensure that EventSentry can reach your hosts (and their EventSentry agent software).
- Enable syslog and Simple Network Management Protocol (SNMP) monitoring. You need these only for hosts and devices that can't run the Windows agent, such as Linux or macOS systems, firewalls, and switches. Where a device supports it, prefer SNMPv3: SNMPv1 and v2c community strings cross the wire in cleartext.
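Once those five steps are done, it is worth confirming from the EventSentry server that the pieces actually line up before you start adding hosts. The following PowerShell script is an added example, not code from the article or from EventSentry: it checks that the SMTP relay answers on the configured port, that the syslog and SNMP trap listeners are bound (UDP 514 and 162 are the standard ports; substitute whatever you chose during setup), and that each managed host replies to a ping, which is the simplest form of the heartbeat test. The SMTP server and host names are placeholders.

```powershell
# Added example, not part of the EventSentry product or the original article.
# Post-installation sanity check, run on the EventSentry server:
#   1. the SMTP relay is reachable on the configured port (TCP handshake only),
#   2. the syslog / SNMP trap UDP listeners are actually bound,
#   3. every managed host answers ICMP (a heartbeat-style reachability test).
# $SmtpServer and $ManagedHost are placeholders; replace them with your own.

param(
    [string]   $SmtpServer   = 'smtp.example.internal',          # assumption
    [int]      $SmtpPort     = 25,
    [int[]]    $ListenerPort = @(514, 162),                        # standard syslog / SNMP trap ports
    [string[]] $ManagedHost  = @('srv2016-01', 'srv2016-02')      # assumption
)

$results = [System.Collections.Generic.List[object]]::new()

# 1. SMTP reachability (does not send a message, only opens the TCP port)
$smtp   = Test-NetConnection -ComputerName $SmtpServer -Port $SmtpPort -WarningAction SilentlyContinue
$status = 'FAIL'
if ($smtp.TcpTestSucceeded) { $status = 'OK' }
$results.Add([pscustomobject]@{ Check = "SMTP $SmtpServer`:$SmtpPort"; Result = $status })

# 2. Local UDP listeners for syslog and SNMP traps
$boundUdp = Get-NetUDPEndpoint | Select-Object -ExpandProperty LocalPort
foreach ($p in $ListenerPort) {
    $status = 'FAIL (not bound)'
    if ($boundUdp -contains $p) { $status = 'OK' }
    $results.Add([pscustomobject]@{ Check = "UDP listener $p"; Result = $status })
}

# 3. Heartbeat-style reachability of each managed host
foreach ($h in $ManagedHost) {
    $alive  = Test-Connection -ComputerName $h -Count 1 -Quiet -ErrorAction SilentlyContinue
    $status = 'FAIL (no reply)'
    if ($alive) { $status = 'OK' }
    $results.Add([pscustomobject]@{ Check = "Heartbeat $h"; Result = $status })
}

$results | Format-Table -AutoSize
# Non-zero exit code lets you drop this into a scheduled task or CI job
if ($results.Result -match 'FAIL') { exit 1 }
```

A passing listener check only proves something is bound to the port; if a firewall between the EventSentry server and your network devices blocks UDP 514 or 162, the syslog and trap views will stay empty even though the listeners look healthy here.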
The EventSentry Management Console shown below is your centralized administration platform.
As you can see in the above screenshot, this solution has many moving parts. In this review, we'll keep things simple and prepare a single host. To do that, we select a computer group under the Computer Groups node, and click Add in the Manage Hosts section of the Groups ribbon.
After adding the computer to EventSentry, click Assign Packages to customize the metrics you'll retrieve from the new managed host. The figure below displays a composite screenshot of the node deployment process.
Of course, you have great flexibility in which event log, log file, system health, or compliance tracking packages you can use. Consult the product documentation for details.
The monitoring workflow
Whereas the EventSentry Management Console is where you configure the monitoring environment, the EventSentry Web Reports portal is where you view the collected data. The installer prompts you to choose an HTTP listener port for the portal; open your web browser, connect to that port, and log in. Because the portal holds your security logs, don't expose its plain-HTTP listener beyond a trusted management network; front it with TLS if users will connect to it remotely.
On first launch, you'll test database connectivity and define admin (super user) credentials. You can then view the dashboard, as in the screenshot below. Take a deep breath--there is a lot of data to look at!
The dashboard gives you network and system health data at a glance. And yes, you can completely customize which elements appear on the default dashboard. You can also create additional dashboards to display differently targeted data and share those dashboards with other users or management.
Let's quickly review what you can do across the top navigation bar:
- Dashboard: Add, edit, and delete dashboards.
- Logs: Drill into your managed hosts' Windows event logs, Linux/macOS syslogs, and SNMP traps. The screenshot below shows you the data display of my Windows Server 2016 host's event log.
- Network: Check the agent heartbeat status, and view network uptime and response times.
- System Health: Analyze node performance, disk space, services, file integrity, and scheduled tasks.
- Compliance: Gain insight on network logons, policy changes, and account adjustments to comply with regulations such as HIPAA, SOX, PCI-DSS, GLBA, and FISMA.
- Inventory: List your hardware assets along with installed software and system updates.
- Reports: Run pre-built reports covering general-purpose and compliance scenarios. In addition to viewing reports in the web portal, you can export report data in PDF or CSV format. You also can programmatically interact with reports by using the EventSentry API.
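The Logs and Compliance views can only show what the managed hosts actually write to their Security logs. As an added example (my own PowerShell, not part of the article or of EventSentry), the script below runs as an administrator on a managed Windows host, checks that the audit subcategories behind the usual logon, policy-change and account-management reports are enabled, and then pulls the last 24 hours of the corresponding Security events so you can compare the counts with what the Web Reports portal shows. The event IDs are the standard Windows Security IDs; the one-day window is an arbitrary choice.

```powershell
# Added example, not part of the original article or of EventSentry.
# Run elevated on a managed Windows host. Confirms the audit policy feeds the
# compliance reports, then summarises the matching Security-log events.

# Audit subcategory -> the well-known Security event IDs a SIEM keys on
$required = [ordered]@{
    'Logon'                     = 4624, 4625   # successful / failed logon
    'Audit Policy Change'       = 4719         # system audit policy was changed
    'User Account Management'   = 4720, 4726   # user account created / deleted
    'Security Group Management' = 4732, 4733   # member added to / removed from a local group
}

# auditpol /r emits CSV with an "Inclusion Setting" column
# ("Success", "Failure", "Success and Failure", "No Auditing")
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

foreach ($sub in $required.Keys) {
    $row     = $policy | Where-Object { $_.Subcategory -eq $sub }
    $setting = 'unknown'
    if ($row) { $setting = $row.'Inclusion Setting' }
    $state = switch -Regex ($setting) {
        '^Success and Failure$' { 'OK' }        # both outcomes audited
        'Success|Failure'       { 'PARTIAL' }   # e.g. 4625 needs Failure auditing
        default                 { 'NOT AUDITED' }
    }
    '{0,-28} {1,-22} {2}' -f $sub, $setting, $state
}

# Pull the matching events from the last 24 hours (window is arbitrary)
$ids    = $required.Values | ForEach-Object { $_ }   # flatten to one int[]
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Per-ID counts are what a compliance report aggregates; compare with the portal
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

If a subcategory reports NOT AUDITED, no amount of agent configuration will make those events appear in EventSentry; fix the advanced audit policy (locally with auditpol or via Group Policy) first.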
To get a feel for how powerful the EventSentry reporting system is, I encourage you to check out the live demo on the EventSentry website.
EventSentry alerting workflow
If you're like me, you're busy and don't have time to inspect monitoring dashboards every workday. Instead, you want the monitoring solution to alert you proactively when its sensors detect important events.
EventSentry can alert you in a number of ways, including, but not limited to, the following:
- HTTP API
- instant message
- network notification
- text file
One of the things that sets EventSentry apart is its enhanced e-mail alerts, which are augmented with contextual information that makes troubleshooting an issue significantly easier. For example, Kerberos and other cryptic security error codes are automatically resolved to readable text in audit alerts, and IP addresses are supplemented with GeoIP data and a hostname (reverse lookup) whenever possible. Performance alerts embed a chart, and every e-mail carries a status footer describing the host that generated the alert, including its uptime, system metrics, and a list of currently logged-on users, to name a few.
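To make concrete what that enrichment buys you, here is an added PowerShell example of my own; it is not EventSentry's implementation and does not use its API. It takes a raw failed-logon (4625) or Kerberos pre-authentication failure (4771) record, translates the NTSTATUS sub-status or Kerberos result code into plain language (the code tables are the documented Microsoft values and RFC 4120 error codes), does a reverse DNS lookup on the source address, and appends a host footer with uptime and logged-on users. The two input records are constructed for the demo; a real GeoIP lookup needs an external database, so the example only flags whether the address is RFC 1918 space.

```powershell
# Added example, not EventSentry's code. Shows the kind of context an enriched
# alert adds to a raw Windows audit event. Sample records below are constructed.

# Well-known 4625 sub-status codes (NTSTATUS) and Kerberos result codes (RFC 4120)
$ntStatus = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'wrong password'
    '0xC000006F' = 'logon outside permitted hours'
    '0xC0000070' = 'workstation restriction'
    '0xC0000071' = 'password expired'
    '0xC0000072' = 'account disabled'
    '0xC0000193' = 'account expired'
    '0xC0000234' = 'account locked out'
}
$krbCode = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}

function Resolve-SourceHost([string]$Ip) {
    # Reverse lookup plus a cheap stand-in for GeoIP: internal vs. public range
    $name  = try { [System.Net.Dns]::GetHostEntry($Ip).HostName } catch { 'no PTR record' }
    $scope = 'public'
    if ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') { $scope = 'RFC 1918 (internal)' }
    "$Ip ($name, $scope)"
}

function Get-HostFooter {
    # Status footer for the host producing the alert: name, uptime, logged-on users
    $os     = Get-CimInstance Win32_OperatingSystem
    $uptime = (Get-Date) - $os.LastBootUpTime
    $users  = (Get-CimInstance Win32_LoggedOnUser |
               ForEach-Object { $_.Antecedent.Name } | Sort-Object -Unique) -join ', '
    "Host: $($os.CSName) | Uptime: {0:d\.hh\:mm} | Logged-on users: $users" -f $uptime
}

function Format-EnrichedAlert($Record) {
    $reason = switch ($Record.Id) {
        4625    { $ntStatus[$Record.SubStatus] }
        4771    { $krbCode[$Record.ResultCode] }
        default { $null }
    }
    if (-not $reason) { $reason = 'unknown code' }
@"
ALERT: Event $($Record.Id) on $($Record.Computer)
  Account : $($Record.Account)
  Reason  : $reason
  Source  : $(Resolve-SourceHost $Record.SourceIp)
  $(Get-HostFooter)
"@
}

# Constructed sample records (not real log data); host names are placeholders
$samples = @(
    [pscustomobject]@{ Id = 4625; Computer = 'SRV2016-01'; Account = 'jdoe';
                       SubStatus = '0xC000006A'; SourceIp = '10.0.0.25' }
    [pscustomobject]@{ Id = 4771; Computer = 'DC01'; Account = 'svc-backup';
                       ResultCode = '0x18'; SourceIp = '8.8.8.8' }
)
$samples | ForEach-Object { Format-EnrichedAlert $_ }
```

The point of the exercise is the difference between "0xC000006A from 10.0.0.25" and "wrong password from 10.0.0.25 (ws-jdoe.corp, internal)": the first sends you to a lookup table, the second tells you whether to call the user or the SOC.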
You can configure alert rules at the package level. Recall that "packages" define your monitoring metrics. For example, the screenshot below shows you the Disk Space Monitoring metric; you'll see that we can set alerts when a node's disk free space percentage reaches a particular number.
The Actions section of the EventSentry Management Console allows you to configure notification actions that take place when a package metric triggers an alert. The screenshot below displays what this looks like.
EventSentry has a per-node license. As of this writing in February 2017, the price works out to the following:
- Windows device: $85 per node
- Network device (includes Linux, macOS, firewalls, switches, and VMware virtualization hosts): $58 per node
- NetFlow collector: $1599 per node
Note that your EventSentry license grants you one year of free support as well.
Overall, I found EventSentry to be a cost-effective, self-contained, and easy-to-use SIEM tool. For a business that hasn't already invested in another enterprise product, I think EventSentry may fit the bill nicely, especially if that business operates under compliance requirements. Even shops that already have a SIEM solution in place may want to take a look: EventSentry's attractive price point and extensive feature set make it a worthy contender.