TNT Software's ELM products
What distinguishes the ELM products:
- Emphasis on resiliency
- Scalability and Performance
- Archival
- etc...
As you are probably aware I try to stay up-to-date on security log management tools and share with you what distinguishes one product from another. TNT Software has been a loyal supporter of UltimateWindowsSecurity.com but I’d never gotten around to seeing their ELM products. That changed today when Brent Skadsen and Martin Schneider gave me a tour of ELM Enterprise Manager. If you are in the market for a solution to help you collect, monitor, report, archive and comply with security log requirements here is what you should know about the ELM line of products from TNT Software.
TNT Software sells three ELM products, each being a superset of the next. The core of all three products is a full-featured log collection, monitoring, reporting and archival solution. The architecture is agent-optional and the database is SQL Server. ELM Enterprise Manager is the fullest-featured, flagship product, which offers a significant health and quality-of-service monitoring feature set (e.g. file monitoring, WMI, performance counters) in addition to the core log management. If you just need ELM’s core Windows event log management you don’t have to pay for all the extra functionality; check out ELM Event Monitor instead.
Here is what distinguishes the ELM products:
I was super impressed with the reports that they’ve built into ELM for the Windows security log. As you may know I believe the log management solution should do the work of analyzing cryptic security log events and present you with information not raw data. The reports in TNT Software for logons and user account maintenance are among the very best I’ve seen. For instance the logon report translates the logon type code found in Logon/Logoff events into a plain English explanation such as “Remote Interactive Logon” or “Network Logon”. That’s just one example of how they’ve taken the time to learn what Windows security events mean and pull the relevant details out of the event descriptions into easily readable columns on the report. Here are examples of the logon and user account maintenance reports. TNT has put a lot of work into making their reports as useful as possible including very good documentation about what the report means and what you should do with it.
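The logon-type translation described above is something you can reproduce yourself when building or evaluating a logon report. The following is an added example, not code from ELM or TNT Software: it parses Windows Logon/Logoff events (4624 success, 4625 failure) in the standard exported event XML layout, looks up the numeric LogonType code in a table of the documented Windows values, and emits report rows with a plain-English logon type such as "Remote Interactive Logon" or "Network Logon". The sample events, host names, user names and addresses are constructed for the example; the helper names (`parse_logon_event`, `logon_report`, `format_report`) are my own.

```python
import xml.etree.ElementTree as ET

# Documented Windows logon type codes found in the LogonType field of 4624/4625.
LOGON_TYPES = {
    2: "Interactive Logon",
    3: "Network Logon",
    4: "Batch Logon",
    5: "Service Logon",
    7: "Unlock",
    8: "Network Cleartext Logon",
    9: "New Credentials Logon",
    10: "Remote Interactive Logon",
    11: "Cached Interactive Logon",
}

# Logon/Logoff event IDs this report covers; other events are skipped.
LOGON_EVENT_IDS = {4624: "Success", 4625: "Failure"}

# Namespace used by Windows event XML as exported by the Event Viewer / wevtutil.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event_xml(event_id, time, computer, **data):
    # Builds a constructed sample event in the Windows event XML layout (test data only).
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer></System>'
        f'<EventData>{fields}</EventData></Event>'
    )


# Constructed sample events: an RDP logon, a network logon, a failed logon,
# an unknown logon type code, and an unrelated event that must be ignored.
SAMPLE_EVENTS = [
    _event_xml(4624, "2009-03-01T08:01:05Z", "FS01.corp.example",
               TargetDomainName="CORP", TargetUserName="jdoe", LogonType="10",
               IpAddress="10.0.0.25", WorkstationName="WS17"),
    _event_xml(4624, "2009-03-01T08:01:09Z", "FS01.corp.example",
               TargetDomainName="CORP", TargetUserName="svc-backup", LogonType="3",
               IpAddress="10.0.0.40", WorkstationName="BK01"),
    _event_xml(4625, "2009-03-01T08:02:30Z", "FS01.corp.example",
               TargetDomainName="CORP", TargetUserName="admin", LogonType="3",
               IpAddress="10.0.9.9", WorkstationName="-"),
    _event_xml(4624, "2009-03-01T08:03:00Z", "FS01.corp.example",
               TargetDomainName="CORP", TargetUserName="tester", LogonType="12",
               IpAddress="-", WorkstationName="WS02"),
    _event_xml(4672, "2009-03-01T08:03:01Z", "FS01.corp.example",
               SubjectUserName="tester"),
]


def describe_logon_type(code):
    """Translate a LogonType code into plain English; unknown codes are kept visible."""
    try:
        n = int(code)
    except (TypeError, ValueError):
        return f"Unknown logon type ({code})"
    return LOGON_TYPES.get(n, f"Unknown logon type ({n})")


def parse_logon_event(xml_text):
    """Return a report row for a 4624/4625 event, or None for any other event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id not in LOGON_EVENT_IDS:
        return None
    # EventData is a flat list of <Data Name="..."> elements; index them by name.
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    time_node = root.find("e:System/e:TimeCreated", NS)
    return {
        "time": time_node.get("SystemTime") if time_node is not None else "",
        "computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "result": LOGON_EVENT_IDS[event_id],
        "user": f'{data.get("TargetDomainName", "")}\\{data.get("TargetUserName", "")}',
        "logon_type": describe_logon_type(data.get("LogonType")),
        "source_ip": data.get("IpAddress", ""),
        "workstation": data.get("WorkstationName", ""),
    }


def logon_report(events):
    """Parse a batch of event XML strings into report rows, dropping non-logon events."""
    return [r for r in (parse_logon_event(e) for e in events) if r is not None]


def format_report(rows):
    """Render rows as aligned columns, the way a logon report would present them."""
    cols = ["time", "computer", "result", "user", "logon_type", "source_ip", "workstation"]
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in cols}
    lines = [" ".join(c.upper().ljust(widths[c]) for c in cols)]
    lines += [" ".join(r[c].ljust(widths[c]) for c in cols) for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(logon_report(SAMPLE_EVENTS)))
```

Two design points matter for a report like this: an unknown code is surfaced as "Unknown logon type (12)" rather than silently dropped, so a new or unexpected value is visible to the reviewer, and events that are not logon events are filtered out before the lookup so the table never mixes in unrelated records.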
Other notable features
1) Emphasis on resiliency. The ELM server will automatically fail over to a second SQL server if the normal SQL server fails. When the primary database comes back up, ELM moves the data logged to the failover database back to the primary. The ELM server and its agents employ a two-way heartbeat so that you know as soon as any agent or the ELM server itself fails.
2) Scalability and Performance. I’m always interested in how log management products handle the large influx of events during peak times of activity. TNT Software has basically managed to make scalability a SQL server hardware issue, and they provide sizing assistance to ensure you have sufficient capacity. An interesting point Brent made about this: sizing a system just to be able to “keep up” with collecting events during peak periods isn’t enough. Their goal is to size the system so that you can still get into the ELM server during “event storms”, because those are exactly the times when you most need to be able to access the dashboards and view reports to find out what’s happening and respond.
3) Archival. Every developer has a different way of addressing the dilemma between quick query capability and long-term archival for compliance. ELM periodically prunes older events from its primary SQL database to an archive database for long-term retention.
4) Broad support. ELM Enterprise Manager has excellent support for other logs besides Windows event logs such as IIS and proprietary application logs, syslog and SNMP traps.
5) Security. ELM, like most other log management solutions I’ve reviewed, provides encryption and authentication between the agent and server. ELM also leverages Windows permissions and the MMC console architecture to allow you to delegate and control access to different features in ELM. For instance, you can allow a user to view reports but prevent them from reconfiguring ELM.
6) Log Management. Right now ELM agents only forward relevant events from each system to the central ELM server. In the next version of the core ELM feature set, TNT Software will add the capability to periodically collect the actual EVT files for central archiving. This is a trend I’ve seen among log management vendors to support compliance.
7) File Monitoring. If you know the Windows Security Log you know that its functionality for monitoring file access leaves a lot to be desired. TNT Software has developed an impressive module for file monitoring built on WMI that addresses many of the weaknesses of trying to use object access events from the security log.
To download an evaluation copy of ELM Enterprise Manager, ELM Log Manager or ELM Event Log Monitor click here.