How To setup Windows centralized Monitoring

Article created 2003-09-05 by Rainer Gerhards.
Article updated 2004-07-16 by Tamsila-Q-Siddique.

Please Note: This article is valid for EventReporter 6.2 and lower in addition to WinSyslog 5.1 and lower!

Monitoring Windows NT/2000/XP/2003 is important even for small environments. After writing an article on this issue, I had lots of calls on how to exactly set up such a system. So I finally decided to write a small article on how to accomplish this.

Thus, this article is strictly task focused. It does not describe why the systems should be monitor nor does it provide any further background. Please see the respective backgrounders or product documentation on this. This article is a step-by-step description of what you need to do in order to centrally monitor your Windows NT/2000/XP and 2003 systems.

This article has been extracted from the EventReporter documentation. Please be sure to check the EventReporter online help if a newer version is available.

Centralized Event Reports

In this step-by-step guide, EventReporter is configured to work together with Adiscon's WinSysLog and MoniLog to automatically generate event summaries for the monitored servers and other devices.

This guide focuses on a typical small to medium business topography with a single geographical location and 5 Windows clients and a central hub server. All systems are well connected via a local Ethernet. Event reports from all machines should be stored in a database. The administrator shall receive daily consolidated event reports.

What you need

In this guide, I am focusing on building a solution with Adiscon's EventReporter, WinSyslog and MoniLog. This combination allows you to centralize all your event logs and report events from them. Free 30 day trial versions are available at the respective product sites (links below), so you can try the system without the need to buy anything.

You need to run the following products:

  • 1 EventReporter for each system that is to be monitored. In our scenario, this means 6 copies, one for each client and one for the central hub server to be monitored. (if you want to monitor the hub server as well.)
  • 1 WinSyslog to receive and store event reports from the EventReporter monitoring agents.
  • 1 MoniLog to automatically generate consolidated reports based on the gathered log data.
  • To deliver MoniLog reports, you need a local web server (for example Microsoft's IIS or Apache) and a mail server capable of talking SMTP (most modern servers support this)

You need administrative privileges on each of the machines. This is required both for installation and configuration. Make sure you log on with a sufficiently privileged user account.

Our new product called, MonitorWare Console can also be used with EventReporter. MonitorWare Console is a very strong and comprehensive tool that will help you out in carrying out sophisticated analysis of your system. For more information about MonitorWare Console, please refer to its manual.

Step 0 - Download Software

Ok, maybe a bit to basic... But I wanted it to be a complete step by step guide. So I can place a reminder that you should check the web sites for new versions if you downloaded your copies a while ago. Security and monitoring is a short lived business, and new product versions can appear quickly.

Please visit and to do download the latest versions of EventReporter ane WinSyslog. In addition tose, you need also the MoniLog product. A free, full-featured 30 day trial is available at

Step 1 - Install WinSyslog

Identify the system WinSyslog (and probably MoniLog) should run on. Take a note of its IP address or host name. You'll need this value when configuring the EventReporter clients. For our example, I assume this system has an IP address of

Run the WinSyslog setup with default parameters. When setup has finished, WinSyslog automatically is configured to operate as a simple syslog server. However, it does not yet use a database as we need it to. We'll later setup WinSyslog to write data into a database.

Step 2 - Install EventReporter

Run the EventReporter setup program on all systems that should be monitored. This means you need to run it on all 5 clients and the central hub server.

For larger installations (with many more servers) there are ways to set it up in a simpler fashion, but in a scenario like ours, it is faster to install it on each machine manually. You can install it with the default settings. When setup has finished, the program automatically is configured to operate as a simple event reporter. However, it does not yet create the log in our database we need. So we will go ahead and change this on each of the machines or by launching it on one machine and remotely connecting to the others. It is your choice. In this sample, I use the EventReporter on each machine (it is easier to follow).

Step 3 Create a RuleSet for Forward by Syslog

The steps to configure the EventReporters are as follows (repeat this on each of the 5 client machines). This step needs not to be done on the central hub server!:

1. Start EventReporter.

2. Select your language - in this example, I use English, so it might be a good idea to choose English even if that is not your preference. You can change it any time later, but using English makes it much easier to follow this guide here.

3. Then define a new rule set, right click "Rules". A pop up menu will appear. Select "Add Rule Set" from this menu. On screen, it looks as follows:

4. Then, a wizard starts. Change the name of the rule to whatever name you like. We will use "Forward Syslog" in this example. The screen looks as follows:

Click "Next". A new wizard page appears.

5. Select only Forward by Syslog. Do not select any other options for this example. Also, leave the "Create a Rule for each of the following actions" setting selected. Click "Next". You will see a confirmation page. Click "Finish" to create the rule set.

6. As you can see, the new Rule Set "Forward Syslog" is present. Please expand it in the tree view until the action level of the "Forward Syslog" Rule and select the "Forward by Syslog" action to configure.

7. Now, type the IP address or host name of our central hub server in the "Syslog Server" field:

8. Make sure you press the "Save" button - otherwise your changes will not be applied.

 The Products
MonitorWare Products
Product Comparison
Which one to Purchase?
Order and Pricing
Upgrade Insurance Info
News Releases
Version History
MonitorWare Tools
 Event Repository
 Reference library
General Information
Step-by-step guides
 - All
 - Installation and Configuration
 - Services related
 - Actions related
 - Central Monitoring
Common Uses
Syslog configuration
Syslog Log Samples
Security Reference
 - All
 - General questions
 - Configurations related
 - Monitorware Agent
 - Monitorware Console
Seminars Online
 - All
 - General
 - MonitorWare Console
 - MonitorWare Agent
 - WinSyslog related
 - EventReporter
 Order & pricing
Order now
Product Comparison
Pricing Information
Upgrade Insurance Info
Local Reseller
 Contact Us
 Data privacy policy

Printer Version Send this page to a friend

Copyright © 1988-2005 Adiscon GmbH All rights reserved.
Contact us via Secure Web Response | Privacy Policy
Topic Links: syslog | Free Weblinks Directory