Frequently Asked Questions
General Questions
How is LogCaster Licensed?
What are the system requirements for LogCaster?
How can I view the LogCaster license information?
Component Questions
What is the LogCaster Event Watcher?
What is the LogCaster Service Watcher?
What is the LogCaster Performance Watcher?
What is the LogCaster TCP/IP Watcher?
What is the LogCaster Text File Watcher?
What is the LogCaster Syslog Watcher?
Features/Configuration Questions
How do I import/export application templates?
How does LogCaster Use Rules?
How are Rules Created?
Does LogCaster provide any functionality specific to security?
Does LogCaster provide any functionality specific to auditing?
Does LogCaster provide any functionality specific to Compliance?
How is LogCaster Licensed?
LogCaster's licensing structure controls the number of servers
and workstations that LogCaster software can be installed upon,
as well as a licensing expiration date. The LogCaster license
code is normally sent via e-mail and should be copied onto your
hard disk.
What are the system requirements for LogCaster?
Before installing LogCaster in your environment, it is important
to take the time to verify that all operating system, hardware,
and user privilege requirements have been met. LogCaster is designed
to work best under the conditions listed below. Each data component
of LogCaster may have its own additional system requirements.
For example, if you are collecting Historical Performance data,
then the requirements will increase depending on the number of
counters, instances, and time intervals set during configuration.
In summary, the complexity of your configuration may affect the
recommended minimum requirements listed below.
A basic recommended minimum would be 1GB free hard disk space
on the LogCaster Server and 2+GB free hard disk space on the
LogCaster SQL database server. The LogCaster Server and the database
server can reside on the same server and disk drive, if you have
adequate available disk space. MSDE SQL server requires the database
to reside on the C: drive, and there is a 2GB limitation.
View LogCaster
Installation, System and User ID Requirements.
How can I view the LogCaster license information?
Information on the number of servers and workstations your copy
of LogCaster is licensed for and how many of each is currently
deployed can be viewed by choosing Help/About RippleTech LogCaster
and choosing the License Information tab. The expiration date
of your license is also listed here.
Components
What is the LogCaster Event Watcher?
LogCaster consolidates all of the Windows NT/2000/2003/XP events
from all systems running the LogCaster Agent software onto one
manageable console. This viewing area is the LogCaster Live Events
Watcher window. The Live Events Watcher contains all Windows
Events, as well as all events generated by LogCaster. To condense
this information, you can apply filters to eliminate unimportant
events and alert on critical events.
Within LogCaster, these filters are referred to as Event Watcher
Rules. Event Watcher Rules help control the amount of traffic
being sent from the LogCaster Agents to the console, the urgency
applied to the events being sent, as well as the forwarding of
notifications to the desired destinations.
What is the LogCaster Service Watcher?
LogCaster's Service Watcher monitors any Windows NT/2000/2003/XP
or application service. Service Watcher will alert you if there
is any change of state in the service being monitored, and allow
you to automatically take corrective action when the service
fails, such as restarting the service or rebooting the machine
itself. The drag-and-drop interface provides Service Templates
(or you can create your own) that can be applied to multiple
machines and Business Groups for easier and faster configuration.
If the LogCaster Service Watcher detects a problem with any
service being monitored, it will create an event in the Windows
NT/2000/2003/XP Event Viewer reflecting the problem. This event
will be detected by LogCaster and can then be routed using any
of the LogCaster Event Routing options. The Service Watcher stores
historical data in LogCaster’s database repository. The
data collected from the services being monitored includes the
status, the uptime duration, the computer, the service being
monitored, and the number of failures. Reports on this data can
be run using LogCaster’s reporting tools, or a third-party
reporting package.
What is the LogCaster Performance Watcher?
This feature allows LogCaster to alert the user when a Windows
NT/2000/2003/XP performance counter breaches a user-defined threshold.
Performance counter monitoring is performed at the LogCaster
Agent level so monitoring overhead is minimal. In the event of
a breach, a user-defined event will be generated in the Windows
Event Log. Using the existing routing capabilities of LogCaster
the event can be routed via email, pager, etc.
What is the LogCaster TCP/IP Watcher?
With the LogCaster TCP/IP Watcher, you can monitor any TCP/IP
device on your network and check the state of the device without
having to install a LogCaster Agent on that device. If the LogCaster
TCP/IP Watcher detects a problem with any device being monitored,
it will create an event in the Windows Event Viewer reflecting
the problem. This event will be detected by LogCaster and can
then be routed using any of the LogCaster event routing options.
The TCP/IP Watcher stores historical data, including status,
uptime duration, response time, number of failures, and its scan
rate, in LogCaster’s database repository. This data can
then be reported upon using LogCaster’s report templates
or a third-party reporting tool.
What is the LogCaster Text File Watcher?
Text File Watcher is a powerful tool allowing users to convert
any text file entries into a Windows NT/2000/2003/XP event for
easier monitoring. Usually, an application will generate logs
for its own activity; however, the log cannot be viewed outside
of the application. This can limit the usefulness of the application
log because system administrators cannot actively view the logs
in real time or remotely from another machine. With LogCaster’s
Text File Watcher, you are able to generate Windows events based
on the text written to an application log or text file and then
utilize LogCaster’s routing to be alerted via pager, email,
SNMP trap, etc., or even execute a corrective action.
You can create individual Text File Watcher rules, or create
or import a template which can then be applied to one or more
files with the same text format.
What is the LogCaster Syslog Watcher?
The SysLog Watcher tool monitors and manages any UNIX or Linux
system, routers or any other devices that produce SysLogs. The
SysLog Watcher will “listen” over UDP Port 514 and “translate” the
SysLogs into Windows Event Logs, which can then be routed to
a pager, email, etc. This new tool takes the aggravation out
of managing a mixed environment by allowing system administrators
to monitor any Windows NT/XP/2000/2003, most any UNIX or Linux
platform, and other devices such as routers and switches from
one consolidated management console.
Features/Configuration
How do I import/export application templates?
Application Templates improve the ease of use and configuration
of LogCaster by providing pre-configured rule settings for each
of the components of LogCaster. These templates can be applied
to servers and workstations running many popular applications.
Using templates helps to reduce the effort required to closely
monitor different types of applications. In addition, templates
are extremely valuable for users who may not be familiar with “normal” or “abnormal” functions
of these applications.
Sets of rules, or templates, can be imported into your LogCaster
configuration at any time. You can also export your own templates
for use in a separate LogCaster configuration, or as an easy
way to back up single components of your LogCaster configuration.
To view Event Watcher Application Templates that ship with
LogCaster, use Windows Explorer to open the Application Templates
directory located within your LogCaster installation directory.
To import any of these application templates into your configuration,
use the File/Import menu option. Browse the applications listed
until you find one that interests you and look for the sample
Event Watcher template within. Each template ends with a ".cfg" file
extension.
How does LogCaster Use Rules?
Understanding how LogCaster uses Event Watcher rules is critical
to understanding how valuable LogCaster can be within your organization.
Once a LogCaster Event Watcher rule set has been created, the
LogCaster Agent machines automatically pull it down at regular
intervals (each Agent checks the Server for updates to its active
rule set once per minute). When a new LogCaster Agent is installed,
the Agent will automatically pull down and assume all rules presently
listed in the "All Groups" section of the Event Watcher
configuration, as well as the rules listed in the specific group
of which the new machine is a member.
Rules are listed in prioritized order, with the "All Groups" rules
assuming higher priority than a rule associated with a specific
group. When a new log is generated, it is compared to each rule
in the list, beginning with the rule of highest priority. Once
a match is found, LogCaster will not proceed further through
the list to look for other matches. When an event is found to
match a rule, the LogCaster Agent executes any action specified
within the rule. The event is then either discarded, or forwarded
along to the LogCaster Server.
If the event is forwarded to the LogCaster Server, it is tagged
with the routing information assigned within the rule. The LogCaster
Server records the event locally in the LogCaster database, and
sends the event to the appropriate routing device (email, pager,
SNMP trap, etc.).
At the bottom of all rule sets lies the "Default Event
Watcher Rule". It is highly recommended that you configure
the Default Event Watcher Rule to discard, or not forward, these
events to the server to prevent huge numbers of unnecessary log
entries being stored on your LogCaster Server.
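The first-match behavior described above has a practical consequence: a broad "All Groups" rule can silently shadow a more specific group rule. The following is an added example, not LogCaster code; the rule fields, the matching on source and event ID, and the sample rules are assumptions made for illustration.

```python
# Illustrative model only; LogCaster's real rule format is not shown on this page.
# Field names, match criteria and sample rules are hypothetical/constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    scope: str                 # "All Groups" or a specific group name
    source: Optional[str]      # event source to match; None matches any
    event_id: Optional[int]    # event ID to match; None matches any
    forward: bool              # True = forward to the Server, False = discard
    route: str = ""            # routing tag attached when forwarded

    def matches(self, event):
        return (self.source in (None, event["source"]) and
                self.event_id in (None, event["id"]))

DEFAULT_RULE = Rule("Default Event Watcher Rule", "All Groups", None, None, forward=False)

def effective_rules(rules, group):
    """Agent's ordered list: "All Groups" rules, then its own group's, then the default."""
    ordered = [r for r in rules if r.scope == "All Groups"]
    ordered += [r for r in rules if r.scope == group]
    return ordered + [DEFAULT_RULE]

def evaluate(event, ordered):
    """Return (rule name, disposition, route) for the first rule that matches."""
    for rule in ordered:
        if rule.matches(event):
            return rule.name, "forward" if rule.forward else "discard", rule.route

def shadowed(ordered):
    """Rules that can never fire because an earlier rule matches everything they match."""
    return [r.name for i, r in enumerate(ordered)
            if any(e.source in (None, r.source) and e.event_id in (None, r.event_id)
                   for e in ordered[:i])]

# Constructed sample rule set, listed in priority order within each scope.
RULES = [
    Rule("Page on Security 644", "Domain Controllers", "Security", 644, True, "pager"),
    Rule("Forward service failures", "Domain Controllers", "Service Control Manager", 7031, True, "email"),
    Rule("Discard Security noise", "All Groups", "Security", None, False),
]
ORDERED = effective_rules(RULES, "Domain Controllers")

if __name__ == "__main__":
    print(evaluate({"source": "Security", "id": 644}, ORDERED))
    print("never fires:", shadowed(ORDERED))
```

Running a check like shadowed() against a rule set before deployment shows which alerting rules are unreachable under first-match ordering.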
How are Rules Created?
There are five types of Event Watcher filter rules:
- An Event Watcher Rule created from a Live Event
- A Custom Event Watcher Rule
- An Event Watcher Rule created from an included Standard NT
Event database
- An Event Watcher Rule created from an Event Report
- An Event Watcher Rule imported from an Application Template
LogCaster ships with a comprehensive set of predefined standard
rules to assist you in tracking internal security and auditing
-- right out of the box and upon initial installation. You can
keep, modify, or delete these rules.
Does LogCaster provide any functionality specific to security?
Systems intelligence is a key element in any security initiative.
With RippleTech’s Security Results Pack, you can immediately
begin capturing critical data points regarding user, application
and system behaviors. This intelligence gives you immediate
answers to the who, what, when and why, plus alerts you immediately
to security events. LogCaster stores all critical Windows Events
and consolidates that information into one location. Administrators
can easily report on system activity such as security event
logs, with no need to visit every server when retrieving
critical data points.
Does LogCaster provide any functionality specific to auditing?
LogCaster provides an internal security monitoring, auditing
and reporting solution utilizing its unique Informant technology.
LogCaster also helps protect electronic information assets stored
on corporate networks from trusted intruders. Through its robust
reporting, LogCaster delivers instant audit trail data on user
activity, account management operations, audit policy changes
and more, allowing management to know who did what, when and
where. LogCaster’s comprehensive data aggregation, real-time
alerting and security reporting help security professionals perform
improved security management, decrease security threats, diminish
corporate liability and better meet the strategic needs of the
business. Plus, the straightforward installation takes just minutes
and delivers out of the box reporting functionality.
Does LogCaster provide any functionality specific to Compliance?
In order to help LogCaster meet various regulatory and audit
requirements, compliance is a quick and accurate proof that the
audit and security policies are in place and workable. One major
component of compliance remains the ability to track selected
events and take the required actions on those events. This wide
range of flexibility when collecting all types of events provides
the foundation upon which compliance can rapidly modify both
the events it tracks and captures, and its response to any selected
event.