Which Event Log Monitor to use for Vista?

Created 2007-04-10 by Rainer Gerhards.

Starting with EventReporter 8.3 and MonitorWare Agent 4.3 two different event log monitor services are provided. They are called "Event Log Monitor" (V1) and "Event Log Monitor V2". In short, the V2 version is recommended for Windows Vista (and above, e.g. Longhorn Server) while the other version is for previous releases of Windows (NT, 2000, 2003, XP).

But why does Adiscon provide two different event log monitors and not combine them into a single one? The root cause is a change in Windows. Windows Vista comes with a totally new event logging system. While to the casual user it looks quite similar to the previous system, it actually was re-designed from scratch (at least to the best of my knowledge). Microsoft realized that the old system was too limited to catch up with today's administrative and auditing needs. Instead of trying to add more and more bells and whistles to the old  system, Microsoft did the right thing and engineered a new, well designed one. That new system provides a compatibility layer which will make it look familiar to the user. The layer also emulates the previous API calls. For that reason, even our V1 event log monitor works quite well. It, too, could be used to poll Vista logs. However, there are a number of good reasons to use the V2 version:

  • support the variety of new Vista event logs
  • support for new and improved message formats
  • great performance thanks to using native APIs and event subscriptions
  • there are some subtle compatibility problems with the legacy APIs. We assume that Microsoft fixes that in some point in the future. But why wrangle with problems when you can avoid them?
  • the V2 monitor is a Vista native and thus performs well and very robust

The V2 event log monitor is not available on Windows 2000, 2003 and XP because the required APIs are not available on those platforms.

Customers interested in monitoring Windows Vista as well as Windows 2000, 2003 and XP systems can do that form a single machine. To do so, V1 and V2 event log monitors can be combined. Multiple of them can be configured and running at the same time. The only restriction is that this EventReporter/MonitorWare Agent must run on a Vista machine because only Vista provides the necessary APIs for the V2 monitor. Customers with further questions should kindly contact Adiscon support at support@adiscon.com.

 

Back to Non-Printer Version