TechWeb

Free EventTracker Pulse Logs Impressive Capabilities

Jun 11, 2009 (07:06 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=217800777


Sifting through system logs is akin to looking for a needle in a pile of needles. Although most applications provide some method of reviewing generated logs, it's not always an easy task to drill down to the logs that are important. Prism Microsystems' EventTracker Pulse, however, allows you to collect, store, and search through logs generated by Windows and syslog-enabled systems with centralized agent management and an easy-to-use interface.

One of the most impressive features of EventTracker Pulse, and what sets it apart from competitors, is that Prism Microsystems has chosen to not limit the number of events the application can receive, typically measured in an event-per-second (EPS) rate, nor does it limit the number of logs that can be processed. This is a standard limitation imposed on most scaled-down versions of enterprise products. Instead, Prism tempts users to upgrade to its full-fledged EventTracker log management product by offering enhanced features such as USB device monitoring, real-time correlation, and real-time alerting.

EventTracker Pulse is built to aid systems and network administrators who require visibility into the logs generated on their networks, but don't need all the bells and whistles. The freeware touts a Google-like interface for searching collected logs, which allows for free-form text, operator, and wildcard searching of logs. This makes fairly quick work of pinpointing the data you're looking for. However, administrators who are used to powerful regular expression matching -- something that is ever present in traditional log search products -- might feel like their hands are tied without these capabilities.
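To make the distinction in the previous paragraph concrete, here is an added Python example (not Prism's code and not the actual EventTracker Pulse query syntax, whose exact grammar the review does not spell out). It runs a free-form, wildcard-capable search over a handful of constructed Windows and syslog lines, treating whitespace-separated terms as an implicit AND and a leading "-" as exclusion (both assumptions), and then shows what a regular expression adds that wildcards cannot express: extracting and counting the source addresses behind failed logons, the kind of question an administrator reviewing logs actually asks.

```python
import re
from collections import Counter

# Constructed sample lines mixing Windows event log and syslog formats;
# hosts, users and addresses are made up for the example.
LOGS = [
    "2009-06-10T08:12:01 host=dc01 EventID=4625 Logon failure user=jsmith src=10.1.4.22",
    "2009-06-10T08:12:09 host=dc01 EventID=4624 Logon success user=jsmith src=10.1.4.22",
    "2009-06-10T08:13:44 host=fw-edge %ASA-6-302013: Built inbound TCP connection for outside:203.0.113.9",
    "2009-06-10T08:14:02 host=web01 sshd[2211]: Failed password for root from 198.51.100.7 port 5122 ssh2",
    "2009-06-10T08:14:05 host=web01 sshd[2211]: Failed password for root from 198.51.100.7 port 5123 ssh2",
    "2009-06-10T08:15:30 host=db02 sshd[990]: Accepted publickey for deploy from 10.1.9.3 port 40022 ssh2",
]


def wildcard_to_regex(term):
    """Translate a search term into a case-insensitive regex.

    '*' matches any run of characters, '?' matches exactly one character,
    everything else is taken literally (so '=' and '.' are not special).
    """
    parts = []
    for ch in term:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def search_terms(lines, query):
    """Free-form search: every term must match (implicit AND) and a term
    prefixed with '-' must not match. Terms may contain '*' and '?'.
    The AND/exclusion semantics are an assumption for this example."""
    include, exclude = [], []
    for term in query.split():
        if term.startswith("-") and len(term) > 1:
            exclude.append(wildcard_to_regex(term[1:]))
        else:
            include.append(wildcard_to_regex(term))
    return [
        line for line in lines
        if all(p.search(line) for p in include)
        and not any(p.search(line) for p in exclude)
    ]


def search_regex(lines, pattern):
    """Regex search: anchors, repetition counts and classes are available here."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


# One pattern covering both the Windows 'Logon failure ... src=' form and the
# sshd 'Failed password ... from' form; the capture group pulls out the IP.
FAILED_LOGON_RX = re.compile(
    r"(?:Failed password .* from |Logon failure .* src=)(\d+(?:\.\d+){3})"
)


def failed_logon_sources(lines):
    """Count failed-logon events per source address. Wildcards can find these
    lines but cannot extract the address; a capture group can."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGON_RX.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in search_terms(LOGS, "fail* -root"):
        print("wildcard hit:", hit)
    print("failed logons by source:", failed_logon_sources(LOGS))
```

The wildcard search is enough to narrow a large log set down to candidate lines, which is what the review credits the product with; the regex step is what turns those lines into a per-source count that can be reviewed or thresholded, which is the capability the review notes as absent.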

EventTracker Pulse can be installed on any Windows XP or Vista workstation, or Windows 2000, 2003, or 2008 server. A 3-GHz-plus CPU is recommended, but the product can run on a less-powerful processor, provided you're willing to accept resulting speed degradation. In a space where custom-built Linux or Unix syslog servers still reign supreme, and the acquisition of new equipment is on hold for many organizations, these minimum requirements might scare off some potential users.

For those unfazed by EventTracker Pulse's Windows-centricity or system requirements, installation is fairly straightforward. Once installation is complete, you're asked if you want to import the existing Windows event log entries -- a task that some competitors don't even consider. We stress-tested the import task by running it on a Windows 2003 server with a portly 300-MB security event log. The import took roughly an hour, but we could then search through every historic log, and every new log since the import took place, using the EventTracker Pulse interface.

Many security- and operations-conscious administrators hate the idea of installing yet another piece of software that could slow performance or introduce a new vulnerability to an already sensitive host. These admins will appreciate EventTracker Pulse's Auto-Discover Mode, which detects and adds all Windows systems that are part of the domain and, as with many of its competitors, uses an agentless collection method.

EventTracker Pulse introduces something we don't recall encountering before in a log management tool: the ability to add remote hosts by specifying an IP subnet. Although not a breakthrough feature, it does make deployment in a large Windows environment a simple, and centralized, task.

Our Take: PRISM EVENTTRACKER PULSE

- Powerful Google-like interface to your collected logs for easy retrieval and review.
- Fills a need for systems and security administrators who don't have the budget for a traditional enterprise log management product.
- Sets itself apart from competitors by not limiting the number of events it can receive or process.
- We'd like to see additional log protocols supported.

The product also handles syslog messages from various sources quite well. In tests, it ably handled logs sent from different Cisco devices and various flavors of Linux and Unix servers, and stored, categorized, and recalled the logs without missing a beat.

EventTracker Pulse supports Windows event logs and those sent via syslog, but it's missing support for more complex protocols such as Simple Network Management Protocol, Check Point's Open Platform for Security Log Export API, and Cisco's Security Device Event Exchange -- all of which are, or will eventually be, supported in Prism's full-fledged EventTracker log management system, currently priced at $15,000 for 50 monitored servers. EventTracker Pulse also is missing advanced reporting and alerting functions found in some competitors such as OSSEC, Splunk, and Q1 Labs Simple Log and Information Management FE. That said, this free software is good for basic logging chores in smaller Windows shops, and its price is unbeatable.

Andrew Hay is an independent security analyst with more than a decade of experience in networking and security.