WhatsUp Event Alarm® Overview
Keeping your network and your data secure is easier said than done. Your infrastructure and applications generate thousands of event and security logs every hour and every day. Maintaining a watchful eye over individual log files, repeated login failures and multiple event ids is impossible to do manually. You need an automated system that can monitor all your log files across your entire infrastructure in real-time – and bring only the critical events to your attention so that you can respond to them effectively and quickly.
Without real-time automation of your log monitoring, it is easy to miss the critical few security events in a flood of benign messages.
WhatsUp Event Alarm® is an easy-to-configure network security software application that can alert network staff the moment specific events happen anywhere in the network. Running behind the scenes as a set of Windows services, Event Alarm constantly watches over log files, immediately sending out alert notifications at the first sign of trouble. With advance warning from Event Alarm, network personnel can initiate investigation and triage processes as per their established security policies and compliance requirements.
With WhatsUp Gold's Event Alarm you can:
- Monitor your Windows Event logs (EVT and EVTX), Syslog files and W3C/IIS logs for specific event occurrences
- Send notification to stakeholder groups via multiple modes of communication
- Choose from more than 100 different pre-packaged alarms covering commonly tracked events
- Allow flexible grouping and customization for highly contextual alarming
- Gain from quick out-of-the-box deployment covering most standard event types
- Initiate rapid response processes for operations triage and resolution
- Meet regulatory requirements for log management and security problem resolution
- Use it independently or as part of the WhatsUp Gold Log Management suite
Key capabilities of WhatsUp Event Alarm include:
Broad Range of Event Notification Mechanisms
Event Alarm offers the network administrator a wide range of event notification options including email alerts, network pop-ups, pager calls, Syslog server forwarding, database insertion or broadcast notifications to administrators running Event Alarm's custom notification program. Event Alarm notifications are highly flexible, with many alarm customization and grouping options. This enables network security personnel to adapt Event Alarm notifications easily into their operational workflows.
Compatibility with Both EVT and EVTX Windows Event Logs
The Windows event log format underwent a major change with the release of Windows Vista and Windows Server 2008. Earlier versions of Windows use the EVT event log format, while Vista, Windows Server 2008 and later versions use the EVTX format. WhatsUp Event Alarm monitors and alerts on both EVT and EVTX log file formats using its patented and exclusive Log Refiner™ technology.
Combined Windows Event, W3C & Syslog support
WhatsUp Event Alarm monitors more than just the security event logs: it also supports standard Windows event logs and Syslog files generated by network devices, Unix and Linux systems. It also monitors W3C logs to give you visibility across your web servers, load balancers, firewalls, proxy servers and content security appliances. Network administrators find everything they need in one consistent tool.
Dual Modes of Remote and Agent-Based Monitoring of Log Files
WhatsUp Event Alarm can watch over event logs on remote machines without any client software installed on the host. A network administrator can adjust specific alarms and their corresponding notifications on multiple infrastructure devices across the domain from one central console. If network security policy restricts remote monitoring across the WAN, WhatsUp Event Alarm can instead operate through a hosted agent architecture that runs a copy of the software on each log server. This dual agent/agentless architecture sets WhatsUp Event Alarm apart from competing log monitoring products currently on the market.
Event Alarm Features
Log Collection
- Enables scheduled collection of Windows and W3C/IIS logs from multiple systems through one console
- Supports both remote and hosted agent data collection architectures
- Supports all Windows versions from NT through Windows 7 (NT, 2000, XP, 2003, Vista, 2008 and Windows 7)
- Includes LogRefiner™ technology to normalize EVT (XP/2003) and EVTX (Vista or later) log files, and can even archive EVTX logs from an XP/2003 system
- Allows 'leave a copy' collection of active log data on the server
- Facilitates remote log data collection through the Importer utility
- Automatically transfers log files beyond a specified file size to a working directory for local processing to optimize bandwidth and processing costs
- Allows the creation of logical workgroups for easier management of multiple servers
Log Storage
- Enables storing of collected Windows log data to a centralized data store
- Works with your existing Microsoft Access or Microsoft SQL databases
- Handles automatic database maintenance tasks with purging based on file size or age
- Enables multi-year data storage in compliance with regulatory requirements
- Protects archived files from tampering via cryptographic hashing
- Provides flexible and powerful database filtering to allow only selected events to be imported
- Protects against incomplete import of older log files by rolling back changes unless the entire process is completed
Event Alarm Frequently Asked Questions
- Q: I have event logs from 20 servers and 100 workstations that I want to monitor. Event Alarm, however, runs only on my machine. How many licenses do I need?
A: Event Alarm licensing is based on the number of servers and/or workstations from which logs are being generated for monitoring. Therefore, you would need 20 server licenses and 100 workstation licenses.
- Q: I have event logs from 15 servers, as well as 10 syslog devices, that I want to monitor on my network. Event Alarm, however, runs only on my machine. How many licenses do I need?
A: Event Alarm licensing is based on the number of servers and/or workstations from which logs are being generated for monitoring. Therefore, you would need 15 server licenses, and no additional licenses for your syslogs. As long as Event Alarm is licensed to examine its own Application Log, it can monitor and alert you to syslog messages placed in its Application Log from other network devices.