Event Archiver

Overview

Reliability. Flexibility. Automation.

Event Archiver has been a pioneer in event log management and is today the flagship of Dorian Software's Total Event Log Management Suite.

In most cases, it acts as a "set once, run forever" application that helps your organisation's compliance with internal security standards and regulatory acts. In addition, it can save considerable time and IT budget. Any Microsoft Windows ® NT / 2000 / 2003 administrator can attest to the drain on resources that manual collection and maintenance of events logs is - both to the larger organisation and to IT staff on the frontline.

After installing Event Archiver, administrators can start analysing event log entries instead of just trying to save and store them manually whenever a free afternoon is available. In fact, collection and retention of log files is a required component of regulatory compliance efforts anyway. If your organisation is facing HIPAA or Sarbanes-Oxley requirements, make sure that you have a process in place for routine and reliable collection of critical log data - one that doesn't rely on one or more people to simply remember to do it.

Event Archiver Enterprise Features

When used in conjunction with Dorian Software's Event Analyst ® and Event Alarm ®, Event Archiver provides a solid foundation for an effective security and auditing strategy. But, even when working alone, Event Archiver provides these enterprise quality features to networks of all sizes:

Cryptographic Hashing of Flat Files

In Version 7 and above, Event Archiver can be configured to automatically generate an MD5 hash immediately after collecting an EVT or EVTX file, as well as immediately after converting an EVT or EVTX file to a comma-delimited text file. The MD5 hash is logged separately by the Event Archiver Service at the time of the archive. This way, administrators can compare older archived files against the hash at a later date to detect any type of tampering.

Save Time and Bandwidth With Event Archiver’s Working Directory

Concerned about bandwidth and log collection? Event Archiver 7.0 includes a Working Directory feature for log processing. Administrators can effectively specify a log file size that is "too big" to work with across the network, and Event Archiver will automatically transport any archived log greater than that size to a special folder on the machine where Event Archiver is installed.

Then, most all processing – such as zip compression, MD5 hash calculation, and conversion - will take place locally, substantially speeding up these activities and saving bandwidth.

Not ready to move to Windows Vista ™?

Your existing log files aren’t either. Dorian Software's log management and eventing solutions can help you in a painless transition – whether you’re ready today or not. Take a look at these Microsoft Vista related features made possible with Dorian's exclusive LogRefiner ™ technology:

Windows Vista EVTX File Support

Event Archiver Version 7.0 and later has the capability to collect and convert EVTX log files. This is the new logging format first introduced in Microsoft Windows Vista and planned for use in Microsoft Windows Server ® 2008. Simply install Event Archiver to a Windows Vista workstation to start collecting EVTX files from other Vista workstations.

No vaporware promises – Dorian ® has the technology today and ready for you to download.

LogRefiner ™ Technology Makes Downlevel EVT File Processing in Microsoft Vista Possible

Have you tried to open a downlevel EVT file (saved from a Windows NT / 2000 / XP / 2003 computer) in the new Windows Vista Event Viewer? If you have, you noticed that key information in many of the events - such as the category and description fields - is missing.

When installed to a Microsoft Vista workstation, Event Archiver Version 7.0 has no such limitations. That's because Dorian's exclusive LogRefiner technology can archive and convert EVT files from downlevel systems directly alongside the EVTX files from Windows Vista and newer operating systems.

With Event Archiver's special new technology, no information goes missing when converting downlevel EVT files into new formats – all event log fields are processed properly the first time.

Streamlines Fields Between EVT and EVTX Logs With LogRefiner ™ Technology

Did you know that Windows Vista’s EVTX logs have even more fields? Event Archiver 7 can be instructed to automatically consolidate these fields - the Keyword and Opcode fields specifically - into the Task (Category) field so that you can have a uniform data structure for EVT and EVTX exported log files.

LogRefiner ™ Technology Maintains Field Consistency Across Logs

In the Windows Vista Security Log, no information about the user performing the action or affected by the action is recorded in the User field when an event is logged. Instead, all user information is placed in the Description of the event.

Event Archiver 7.0, however, has the ability to place the most relevant user information back into the User field as it converts EVTX files into new formats. By helping maintain the consistency of log data and its formatting, this feature greatly aids the administrator or compliance officer in charge of reviewing the consolidated data.

Defines Success Audits Versus Failure Audits Using LogRefiner ™ Technology

Another major change in the Windows Vista security log is that all events are recorded as “Informational.” To discern whether or not the event represents a failed or successful action, the administrator must refer to the Keyword of the event.

But, Event Archiver 7.0 - when converting security EVTX Files - has the ability to properly record whether or not the event was a Success Audit or Failure Audit, greatly aiding the reviewer of log data generated from both EVT and EVTX log files.

These are in addition to the recent improvements including:

Automatic Database Maintenance

The data retention requirements of security standards and regulatory compliance are more and more frequently requiring that network administrators become familiar with database platforms like Microsoft Access® and Microsoft SQL®. To ease the pain of these new requirements, Event Archiver includes an automatic database maintenance tool that can:

Automatically archive Microsoft Access MDB files based on their file size
Automatically purge data older than a certain number of days from Microsoft SQL Database tables
Automatically run at a specifically scheduled time daily

Custom Domain Creation

As networks grow and merge, domain and workgroup structures expand in size and complexity. Event Archiver tackles this problem by allowing network administrators to create "custom domains" - logical groups of related computers.

For example, delegation of administration may require that an administrator manage specific servers in three different organisational units of a larger domain. Using Event Archiver, she can now map these individual computer names to a custom domain. Then, she can easily reference that custom domain to adjust log collection settings on all of these computers at once.

Convenient Licenses-In-Use Tracker

Quickly tally the number of computers currently being managed by an instance of the software.

Event Archiver Log Entry Viewer

The recent history of Event Archiver's log collection operations are simply a menu click away. In addition, administrators can filter the entries by type - information, warning, or error messages, for example - and then export them to HTML if necessary.

Quick Configuration of Database Import Filters

This feature is a great timesaver for admins who only need to retain specific events for compliance reporting in their databases. Administrators can quickly scroll through and choose from more than 100 predefined events - most of which are related to auditing and relevant to compliance - to better control which events are centralised in Event Archiver database tables during log collection.

Transactionalized Imports of Older Event Log Files

The "Import Older EVT Files Wizard" in Event Archiver supports transactionalized imports of EVT file data into Microsoft Access and Microsoft SQL Database tables. If for any reason a log file is corrupt, or an import must be cancelled, data from partially imported log files will be rolled-back and removed. Only when an import of log data completes in its entirety will the data be committed to the database table.

Customisable Sender Address for Error Notification Emails

Administrators can customise the sender address used to transmit email messages about errors or warnings encountered by the Event Archiver Service.

More Selective Database Import Filtering

Event Archiver can be configured to exclude certain types of events from being imported into database tables during conversion. Filtering based on the type of event - Success Audit versus Failure Audit, for example - is now supported in addition to filtering based on the Source and Event ID fields.

Leave-A-Copy Collection

Allows administrators to make backup copies of active event log files in EVT format, without clearing the active log file, while also consolidating events into a central database.

Special marker technology helps prevent duplicate events in the central database, and active event log files remain uncleared on each server. For organisations whose server administrators must review active logs on each server, yet who also need a central event repository for aggregated multi-server analysis of log data, this is "must have" capability.

Global Database Import Filters

Gives administrators control over which events are imported into a central database during collection, either by defining a finite set of events to import, or by importing all events with a few exceptions.

When implemented, these import filters both reduce database size and increase archiving speed. As a bonus, Event Archiver ships with a Security Log Event Identifier Lookup Chart, so that administrators can quickly determine which security events they want to import and which events they want to discard.

True Organisational Unit Support

Now, larger domains with administrative control distributed among different OUs in Active Directory can configure Event Archiver to work within an OU and its children. The Event Archiver Service account can be configured to run as an OU Admin (with local administrative control over computers in the OU), and administrators can limit the computer accounts retrieved by Event Archiver in various operations to a specific OU, as opposed to the entire domain.

Rapid Reimport of Compressed EVT Files

Event Archiver enables hassle-free, direct reimport of zip-compressed EVT files into a database.

Support For the SQLOLEDB Database Provider

For organisations with intermittent network connectivity issues, Event Archiver supports use of the SQLOLEDB provider for SQL Server database import operations. Internal testing has shown SQLOLEDB to be a more reliable provider than ODBC for large database import operations.

As well as the same great features that have made Event Archiver an effective solution for networks around the world:

Runs 24/7 as an unattended service on a Windows NT / 2000 / 2003 Server or Workstation
Ships with the Event Archiver Control Panel, a centralised graphical management console
Ships with a batch file importer tool, allowing you to import old, saved EVT files or orphaned EVT files en masse into a database whenever necessary
Automated Compression - EVT files and comma-delimited text files can be automatically compressed before they are moved to and stored on a central file server
FTP Support - EVT files and comma-delimited text files can be transported via FTP to any file server in any part of a network, regardless of logical network boundaries or firewall restrictions
Hourly scheduling option enables administrators to repeatedly archive logs every 1, 2, 4, 6, 12 hour(s). The selected days scheduling option enables archiving of logs at a certain time on specific days of the week - Mon, Wed, Fri, for example
"Always Archive When Full" Global Option - when set, Event Archiver will always archive event logs that are about to fill up, regardless of their other primary schedule, such as weekly archiving
Support for Directory Service Access events that appear in the Security Event Log. Object identifying numbers are translated into Active Directory object names.
Does not require multiple client installations; service runs as a domain admin account
Archives logs into EVT format, comma-delimited text, and Access or ODBC databases
Native Oracle® Support - tested directly against Oracle 9i databases, allowing you to create Oracle-compatible tables in certain schemas and tablespaces automatically.
Moves EVT or TXT log files to a UNC share on any file server
Ships with a failed archiving manager, which automatically attempts to retry partially failed archives, that can arise when database servers become unavailable or a central file server is taken offline. Administrators can manage the failed archives inside the Event Archiver Control Panel.
Can be configured to notify an administrator when a warning or error is encountered while performing an archiving operation. All that is required to enable this option is a recipient email address and a valid SMTP server through which to relay.
Ships with a batch file importer tool, allowing the import of old, saved EVT files or orphaned EVT files en masse into a database whenever necessary
Allows wizard-based multiple log registrations
A step-by-step wizard allows administrators to quickly reconfigure archiving settings on multiple servers already managed by Event Archiver
Allows wizard-based audit policy unification across multiple machines
Allows wizard-based log setting unification (e.g. file size, retention) across multiple machines
Allows administrators to "archive-on-demand" -- archiving can be initiated manually any time
Records archiving success and failures in the central server Application event log
Supports the real-time registration of new logs, editing existing logs, and deletion of logs
Supports the consolidation of log entries from non-trusting domains into a central ODBC database using TCP/IP
Supports installation to multiple designated "archiving servers" -- optimising network traffic across WAN segments
Supports customisation of the service's log polling loop for CPU optimisation
Contains a multi-process architecture for maximum CPU efficiency