IT Pro Verdict
Very nice package with clear business benefits. However, only targeting SQL Server and not providing reports prevents it from becoming a "must-have" in the support centre.
GFI EventsManager 7.0 is an event log management solution from security and messaging software company GFi. EventsManager is designed to capture events from a variety of sources around your network and pull then into one place.
We downloaded the software and manuals and were sent a key by GFi. If you want, you can also buy it as boxed software. The installation guide is easy to work with but doesn't tell you in the requirements that you need an account with Domain Administrator privileges. This is left until you get to the relevant screen shot. The user manual is well written and covers all the features.
EventsManager requires SQL Server to be installed in order to work. We did point it at MySQL but it wasn't interested. This seems to limit EventsManager to those sites who only have SQL Server. GFi does not provide a copy of MSDE with your license which would at least allow people to evaluate before making the additional purchase of SQL Server.
Initial installation is simple enough. You will need to have a Domain Administrator account available for EventsManager to use. We would recommend careful thought about where you create that account. If you have already split your users up into business units then you will want to put the GFi account with the main administrator accounts.
The software can be installed onto a server or a desktop. We did both and found that putting it on a virtual server was a simple way of ensuring that everyone had access when required. As it will be pulling information from a variety of log files and servers, putting it close to those that generate the most traffic makes sense. The same is true of the database instance.
Once you have completed the installation there is no need to reboot the computer, just launch the application. Before you can do anything, you will need to go through a series of configuration steps. EventsManager does not automatically detect your SQL server installation and you will need to know the name of the server you are going to add it to. This was the same even when the database server was on the same machine that EventsManager was installed onto. It will create its own database once it knows the name of the server.
There is an option to Configure Administrator Account. This is supposed to be optional but if not done, you get a warning flag. The account name that EventsManager suggests is EventsManagerAdministrator and this is the person who will be contacted in an emergency. Most companies would simply put in the details of the administrator without creating yet another user account. After all, you have already created a domain administrator level account under which it runs so another account seems crazy.Most email servers require you to log in before sending. GFi has realised this and unlike a lot of vendors, has provided the mechanism for you to configure email authentication.
Once all of this is done you can finally begin configuring Event Sources. GFi pulls information from a wide range of sources and allows you to group devices together. You get a predefined set of groups such as workstations, servers, laptops and infrastructure servers. You can create your own groups on top of this but this is a manual process. It would be nice to simply take the AD and start by importing a list of groups from there that could then be further divided. You cannot create nested groups so the more granular you want the groups, the more larger the list becomes.
If you can see multiple domains then you don't have to rely on the trusts to access them. You can add the computers and then provide EventsManager with a set of credentials to access that computer. For organisations that maintain multiple domains for security and don't want a single account accessing everything, this is a useful option.Within just minutes of adding a range of computers and forcing a scan you will have so many entries that it becomes impossible to work with them. This is where the event processing rules come into their own. GFi has provided a lot of starter rules under different categories and you can extend them yourself. Each rule can be given a weighting and is then used in the reporting system.
All of the information gathered in stored in SQL Server and GFi provide instructions on using the free Express Edition of SQL Server. This should be done only if you have a very small set of machines that you are monitoring under strict conditions. The problem is that any effective monitoring should gather all the alerts and log files without throwing stuff away. With just three servers, one desktop machine and a notebook, it took less than 24 hours before we had 6Mb of data. Might not sound like much but scale that up to a busy network with over 500 computers and the amount of raw data gathered over a month could easily reach several gigabytes. You will need to think about how you partition up non critical from critical data and how you archive the logs and alerts.
One thing that GFi has missed is the ability to use the data transformation and analysis tools within SQL Server. There is no guidance or plug-in that would allow you to start building data cubes to track infrequent or seemingly random events and locate patterns of attack. With all of the data being gathered, this seems like a missed opportunity.
There is a reports pack but rather than provide it with the product, GFi sells it as an add-on. This is unfortunate as it just gives the impression of an unfinished product. You can download the free trial version but it is difficult to see why GFi would not have provided a set of good reports as standard with the option of adding more later. Instead, most companies are likely to look at using SQL Server Reporting Services to organise their data.
Verdict
Very nice package with clear business benefits. However, only targeting SQL Server and not providing reports prevents it from becoming a "must-have" in the support centre.
. NET framework 2.0. Microsoft Data Access Components (MDAC) 2.6 or later Access to MSDE / SQL Server 2000 or later