EventLog Analyzer - Performance Tuning

EventLog Analyzer performs best on the supported operating systems. Its performance also depends on the speed of the host it runs on, and the product works within the parameters of that server.

MySQL Database Tuning

A MySQL database is bundled with EventLog Analyzer. The batch/script file (startDB.bat/sh) in which the parameters need to be changed is located in the /bin directory. Replace the existing MySQL parameters according to the RAM size of the EventLog Analyzer server, using the values in the table below:

RAM Size          MySQL Parameter Changes
1 GB              Default configuration as given in the startDB.bat/sh file
2 GB              --innodb_buffer_pool_size=1200M
3 GB              --innodb_buffer_pool_size=1500M
4 GB              --innodb_buffer_pool_size=1500M
8 GB (64 Bit)     --innodb_buffer_pool_size=3000M
16 GB (64 Bit)    --innodb_buffer_pool_size=3000M
 

Java Parameters Tuning

If the EventLog Analyzer server has more than 2 GB of RAM, follow these guidelines to allocate more memory to the Java process. This improves the overall performance of the application.

  1. Shutdown EventLog Analyzer.
  2. Open the file wrapper.conf, located at <EventLog_Analyzer_Home>/server/conf directory, in a text editor.

    Note: For older versions, the file wrapper.conf is located in the <EventLog_Analyzer_Home>/server/default/conf directory.

    Search for the following parameters in the file:

    wrapper.java.initmemory=128
    wrapper.java.maxmemory=512

    Replace the values 128 and 512 with 512 and 1024 respectively:

    wrapper.java.initmemory=512
    wrapper.java.maxmemory=1024

  3. Save and close the wrapper.conf file.
  4. Open the file named run.bat/sh, located in the <EventLog_Analyzer_Home>/bin directory, with a text editor.

    Windows OS Configuration Method:

    Search for the following parameters in the file:

    set JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx256m

    Replace the values 128m and 256m with 512m and 1024m:

    set JAVA_OPTS=%JAVA_OPTS% -Xms512m -Xmx1024m

    Linux OS Configuration Method:

    Search for the following parameters in the file:

    # Setup JBoss specific properties
    JAVA_OPTS="$JAVA_OPTS -Xms128m -Xmx256m -Dprogram.name=$PROGNAME -Djboss.server.type=com.adventnet.j2ee.deployment.system.AdventNetServerImpl -Djboss.deploy.localcopy=true -Djboss.boot.library.list=log4j-boot.jar,jboss-common.jar,jboss-system.jar,AdventNetDeploymentSystem.jar,commons-logging.jar"

    Replace the values 128m and 256m with 256m and 512m in the above command:

    # Setup JBoss specific properties
    JAVA_OPTS="$JAVA_OPTS -Xms256m -Xmx512m -Dprogram.name=$PROGNAME -Djboss.server.type=com.adventnet.j2ee.deployment.system.AdventNetServerImpl -Djboss.deploy.localcopy=true -Djboss.boot.library.list=log4j-boot.jar,jboss-common.jar,jboss-system.jar,AdventNetDeploymentSystem.jar,commons-logging.jar"

  5. Save and close the run.bat/sh file.

    Note: Although you can raise the settings up to 1500 on a 32-bit installation on a dedicated server, this is not recommended.
  6. On a 64-bit server with 8 or 16 GB RAM, you can allocate memory to the Java process based on the available physical memory.

    • To assess 'Available Physical Memory' in Windows, select Task Manager > Performance.
    • To assess the physical memory available in Linux, run the command free -m and calculate the available memory by using the formula: Total Memory - Cache.

    You can raise the Min and Max values to 30% and 60% of the available physical memory, respectively.

  7. Start the EventLog Analyzer service.
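The sizing rule in steps 4 to 6 applied to constructed inputs, as an added example (not ManageEngine's code): it derives Total - Cache from `free -m` output, takes 30% and 60% of it for Min and Max, and rewrites the wrapper.conf and JAVA_OPTS values. The sample `free` output and file contents are constructed; the function names are the example's own.

```python
import re

# Added example: the page's heap-sizing rule for a 64-bit server.
# "Available physical memory" is Total - Cache from `free -m` on Linux
# (Task Manager on Windows); Min = 30% and Max = 60% of that figure.

def available_mb_from_free(free_output):
    """Return Total - Cache in MB from `free -m` output (the page's formula).
    Handles both the older 'cached' column and the newer 'buff/cache' column."""
    lines = free_output.strip().splitlines()
    header = lines[0].split()                # column names; the header has no row label
    for line in lines[1:]:
        cols = line.split()
        if cols and cols[0] == "Mem:":
            row = dict(zip(header, cols[1:]))
            cache = row.get("cached", row.get("buff/cache", "0"))
            return int(row["total"]) - int(cache)
    raise ValueError("no 'Mem:' row in free output")

def heap_mb(available_mb, is_64bit=True):
    """(Min, Max) heap in MB. 32-bit installs keep the page's 512/1024 values,
    since raising them toward 1500 on 32-bit is not recommended."""
    if not is_64bit:
        return 512, 1024
    return available_mb * 30 // 100, available_mb * 60 // 100

def retune_wrapper_conf(text, init_mb, max_mb):
    """Rewrite wrapper.java.initmemory / wrapper.java.maxmemory in wrapper.conf."""
    text = re.sub(r"^(wrapper\.java\.initmemory=)\d+", lambda m: m.group(1) + str(init_mb), text, flags=re.M)
    text = re.sub(r"^(wrapper\.java\.maxmemory=)\d+", lambda m: m.group(1) + str(max_mb), text, flags=re.M)
    return text

def retune_java_opts(text, init_mb, max_mb):
    """Rewrite -Xms/-Xmx in the JAVA_OPTS line of run.sh or run.bat."""
    text = re.sub(r"-Xms\d+m", "-Xms%dm" % init_mb, text)
    return re.sub(r"-Xmx\d+m", "-Xmx%dm" % max_mb, text)

# Constructed sample `free -m` output for an 8 GB 64-bit server (not real data).
SAMPLE_FREE = """\
             total       used       free     shared    buffers     cached
Mem:          7985       6120       1865        120        310       2890
-/+ buffers/cache:       2920       5065
Swap:         2047          0       2047
"""
SAMPLE_WRAPPER_CONF = "wrapper.java.initmemory=128\nwrapper.java.maxmemory=512\n"

if __name__ == "__main__":
    avail = available_mb_from_free(SAMPLE_FREE)   # 7985 - 2890 = 5095
    init, mx = heap_mb(avail)                       # (1528, 3057)
    print(retune_wrapper_conf(SAMPLE_WRAPPER_CONF, init, mx))
```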
 

Disk Space Optimization

The role of EventLog Analyzer in your organization's IT is to collect, analyze, record and preserve logs. Analysis of the logs detects operational issues in systems and servers within the IT environment, uncovers internal security issues, and assists in confirming compliance and in forensic investigation. The performance of EventLog Analyzer in your environment is determined by the rate at which logs are generated, the number of hosts that require monitoring, and the volume of logs produced.

Hardware Requirements for EventLog Analyzer

  • Installation on a 32 Bit Platform

    The basic hardware requirements for this type of system are:

    • 1 GHz, 32-bit (x86) Pentium Dual Core processor or equivalent
    • 2 GB RAM*
    • 5 GB Hard disk space
  • Installation on a 64 Bit Platform

    The basic hardware requirements for EventLog Analyzer to perform on this type of system are:

    • 1 GHz, 64-bit (x64) processor or equivalent
    • 2 GB RAM*
    • 5 GB Hard disk space

Software Requirements for EventLog Analyzer

The basic software requirements for EventLog Analyzer to perform on your systems are listed below:

Supported OS

  • Windows™ 7, Vista, 2000, XP, & NT and Windows™ Servers 2000, 2003, 2008 & 2008 R2
  • Linux - RedHat 8.0, 9.0, Enterprise 6.2, Cent OS 6.2, Mandriva 2011.0 (Hydrogen), Fedora 16, Debian 6.0, Ubuntu 10, SUSE
  • VMware

Configurations:

If EventLog Analyzer is installed on SuSE Linux, ensure that in the mysql-ds.xml file, located in the /server/default/deploy directory, the localhost in jdbc:mysql://localhost:33335/eventlog is replaced with the IP address or DNS-resolvable name of the system on which EventLog Analyzer is installed.

Supported Browsers

  • Internet Explorer version 5.5 and above
  • Firefox version 1.0 and above

Disk Space Requirement

Quick Estimate Table

The following table gives the disk space and RAM size requirements for installing EventLog Analyzer. The requirement is based on the number of hosts from which EventLog Analyzer collects logs and on the rate of log activity per second or per day.

The data below is computed for 100 hosts with an average log size of 500 bytes.

Log Records Rate or Volume   RAM Size   Hard Disk Space Requirement per Month to Run EventLog Analyzer
100/sec or 4 GB/day          2 GB       85 GB
500/sec or 20 GB/day         4 GB       400 GB
1000/sec or 40 GB/day        8 GB       800 GB

The Method of Calculating the Required Hard Disc Space

EventLog Analyzer's disc space usage grows with the volume of collected logs and the number of host devices configured for log collection. By default, the 'Archive' and 'Indexes' folders under the product installation path grow in size. It is advisable to estimate the hardware requirement for a specific period of time and for 'x' number of devices. Use the following method, with the parameters listed, to estimate the hard disc space needed to run EventLog Analyzer:

Total Disc Space = Archive + Indexes + 5 GB

The Archive content can be calculated directly as follows:

Archive = Average Log Size * Logs per sec per Host * 60 * 60 * 24 * No of Days * No of Hosts
Indexes = 1.3 * Average Log Size * Logs per sec per Host * 60 * 60 * 24 * No of Days * No of Hosts = 1.3 * Archive

Since the 'Archive' and 'Indexes' folders are zipped, their size reduces by 90%, i.e., a zip ratio of 10:1.

Therefore, the Total Disc Space would be:

Total Disc Space = (Archive + 1.3 * Archive) / 10 + 4 days of Archive + 7 days of Indexes + 5 GB

where the default Archive zip interval is 4 days and the default Index zip interval is 7 days.

Average Log Sizes:

  • For Windows : 1500 bytes
  • For Linux (Syslog) : 400 bytes
  • For AS400 : 1000 bytes
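The disc space formula above and the average log sizes as functions, as an added example (not ManageEngine's code). Two assumptions the page does not state: GB means 1024^3 bytes and a month is 30 days; with those, the 100-host / 500-byte row of the Quick Estimate Table comes out at 85 GB as printed. The mixed-fleet function goes beyond the page by summing the archives of several platforms before applying the shared formula.

```python
# Added example: the page's disc-space formula. GB = 1024^3 bytes and
# 30 days per month are assumptions made here, not stated on the page.
GIB = 1024 ** 3
INDEX_FACTOR = 1.3             # Indexes = 1.3 * Archive
ZIP_RATIO = 10                 # zipped folders shrink 10:1
ARCHIVE_ZIP_INTERVAL_DAYS = 4  # default Archive zip interval
INDEX_ZIP_INTERVAL_DAYS = 7    # default Index zip interval
BASE_GB = 5                    # fixed 5 GB term in the formula
AVG_LOG_BYTES = {"windows": 1500, "linux": 400, "as400": 1000}  # page's averages

def archive_gb(avg_log_bytes, logs_per_sec_per_host, days, hosts):
    """Archive = Average Log Size * Logs per sec per Host * 60*60*24 * Days * Hosts."""
    return avg_log_bytes * logs_per_sec_per_host * 60 * 60 * 24 * days * hosts / GIB

def total_disk_gb(archive, days):
    """(Archive + 1.3*Archive)/10 + 4 days of Archive + 7 days of Indexes + 5 GB."""
    indexes = INDEX_FACTOR * archive
    archive_per_day = archive / days
    index_per_day = indexes / days
    return ((archive + indexes) / ZIP_RATIO
            + ARCHIVE_ZIP_INTERVAL_DAYS * archive_per_day
            + INDEX_ZIP_INTERVAL_DAYS * index_per_day
            + BASE_GB)

def estimate_gb(avg_log_bytes, logs_per_sec_per_host, days, hosts):
    """Single-platform estimate, as in the page's Quick Estimate Table."""
    return total_disk_gb(archive_gb(avg_log_bytes, logs_per_sec_per_host, days, hosts), days)

def mixed_fleet_gb(fleet, days):
    """Beyond the page: fleet is a list of (platform, hosts, logs_per_sec_per_host).
    Archives of all groups are summed, then the shared formula is applied once."""
    archive = sum(archive_gb(AVG_LOG_BYTES[platform], rate, days, hosts)
                  for platform, hosts, rate in fleet)
    return total_disk_gb(archive, days)

if __name__ == "__main__":
    for rate in (1, 5, 10):   # 100, 500 and 1000 logs/sec across 100 hosts
        print("%5d/sec: %.0f GB" % (rate * 100, estimate_gb(500, rate, 30, 100)))
    # Constructed fleet: 40 Windows hosts at 1 log/sec, 60 Linux hosts at 2 logs/sec
    print("mixed fleet: %.0f GB" % mixed_fleet_gb([("windows", 40, 1), ("linux", 60, 2)], 30))
```

For the 500/sec and 1000/sec rows the formula gives about 407 GB and 810 GB, which the table rounds to 400 GB and 800 GB.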

Storage Settings:

  • The default Database/Indexes storage period is '32 Days' and the default Archive log storage is 'Forever'.
  • To change the Database/Indexes storage period, go to the Settings tab in the left pane.
  • The Archive log retention settings are at the following path: Settings > Archive Settings.

Noise Reduction:

EventLog Analyzer provides a filter option that retains and prioritizes in the database only those logs that are of corporate interest, for quick viewing. The remaining logs are collected in the archive folder and are available for viewing at any time. The filtering functionality also ensures optimal use of hard disc space. For details on the Database Filter option, see:

Define Database Filters

You may not want to apply filtering to the generated logs: regardless of log type or severity, you may want all logs to appear both in the database and in the archive folder. To do so, edit the runSec.bat/sh file located under the <EventLog Analyzer Home>\bin directory and add the entry -filtBeforeArch 1 as shown below.

Default Entry :

bin\SysEvtCol.exe -loglevel 2 -port 513 514 %*

Customized Entry:

bin\SysEvtCol.exe -loglevel 2 -filtBeforeArch 1 -port 513 514 %*

General Instructions to Control Disk Space Growth

If disc space is constrained, you can move the Archive and Indexes folders to a different drive or a network mapped drive using the options on the Settings > Archive Settings page. A choice of locations is available for archiving and swapping the logs periodically; for instance, you can transfer the contents of dormant archives to a tape drive or high-capacity storage for longer retention. Separate dedicated drive(s) can also be assigned to archive log files to overcome disk space limitations.

If the product is running in debug mode on the instruction of support personnel, change it back to the default log level as soon as the support request is closed. Debug level increases the growth of the 'log' folder (located under the <EventLog Analyzer Home>\server\default directory).

For any other issues, please contact EventLog Analyzer Technical Support.
