

What works for daily event log monitoring?

I have 80 Windows servers in the data center. What can I use for daily event log monitoring?

Windows event logs hold a wealth of information on server health, operations and security: service crashes, disk and driver errors, failed logons, privilege use and audit failures all land there. But they're tedious to trawl through on a regular basis, especially when you have more than a few servers to maintain in the data center.

Windows Server sorts events into the classic Application, Security and System logs (plus Setup, Forwarded Events and the per-component Applications and Services Logs) and, by default, stores each log as an .evtx file locally on the server under %SystemRoot%\System32\winevt\Logs. A default install therefore gives you 80 separate places to look, and a log that only exists on the machine that generated it is lost if that machine is compromised or rebuilt.

There is a plethora of event log monitoring tools available, both free and paid, and you'll need to decide which one best fits your needs. Whatever tool you pick, expect to do a lot of work at the beginning: the first collection run will surface a backlog of errors and warnings that you must either remediate or consciously suppress, one by one. Once you remove that noise, what's left is a very valuable tool for maintenance, troubleshooting and spotting security problems on Windows servers.
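The triage described above, as an added PowerShell example (not code from the original article): pull the last 24 hours of Critical/Error/Warning events and Security audit failures from each server, drop the event IDs you have already decided to ignore, and print a count per server, provider and ID so the noisiest combinations are triaged first. The server-list path, output path and the one suppression entry are placeholders; the script assumes the account running it is in Event Log Readers on each server and that the "Remote Event Log Management" firewall rule is enabled there.

```powershell
# Added example, not from the original article. Daily digest of noteworthy events from a
# list of Windows servers, with a suppression list for events already triaged as noise.
# Assumptions: the caller can read each server's logs remotely (Event Log Readers membership,
# Remote Event Log Management firewall rule). Paths and the suppression entry are placeholders.

$Servers = Get-Content -Path 'C:\EventLogMonitoring\servers.txt'   # one hostname per line (placeholder path)
$Since   = (Get-Date).AddDays(-1)

# Known-noise list in 'ProviderName:EventID' form. Add to it as you triage; the entry below
# (the DCOM permission warning) is one common example and is illustrative only.
$Suppress = @(
    'Microsoft-Windows-DistributedCOM:10016'
)

# Two queries per server: Level 1/2/3 = Critical/Error/Warning in Application and System;
# in the Security log, levels are not used, so select on the Audit Failure keyword instead.
$Filters = @(
    @{ LogName = 'Application', 'System'; Level = 1, 2, 3; StartTime = $Since }
    @{ LogName = 'Security'; Keywords = 4503599627370496; StartTime = $Since }   # 0x10000000000000 = Audit Failure
)

$Findings = foreach ($Server in $Servers) {
    foreach ($Filter in $Filters) {
        try {
            # Get-WinEvent raises a terminating "No events were found" error when nothing
            # matches; treat that as an empty result rather than a failure.
            $Events = Get-WinEvent -ComputerName $Server -FilterHashtable $Filter -ErrorAction Stop
        } catch {
            if ($_.Exception.Message -like 'No events were found*') { continue }
            Write-Warning "${Server}: $($_.Exception.Message)"   # unreachable, access denied, etc.
            continue
        }
        $Events |
            Where-Object { $Suppress -notcontains "$($_.ProviderName):$($_.Id)" } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $Server
                    Time     = $_.TimeCreated
                    Log      = $_.LogName
                    Level    = $_.LevelDisplayName
                    Provider = $_.ProviderName
                    Id       = $_.Id
                    Message  = ($_.Message -split "`n")[0]   # first line keeps the digest readable
                }
            }
    }
}

# Summary: which (server, provider, ID) combinations fired most. Each line is either a fix
# to make or a candidate for the suppression list; nothing should stay on it for long.
$Findings |
    Group-Object Computer, Provider, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the full detail so tomorrow's run can be compared with today's.
$Findings | Export-Csv -Path ("C:\EventLogMonitoring\digest-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

Run it from a scheduled task each morning and read the summary, not the raw logs. Once events are being forwarded to a central collector, the same queries work against that one machine by setting LogName to 'ForwardedEvents' and dropping -ComputerName; the Computer column then comes from each event's MachineName property instead.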

Here are a few options for log monitoring; given the scale of offerings out there, treat this as a sampling only.

Free vs. paid log monitoring tools

At the free, low end of the scale, try the subscriptions feature of Windows Event Viewer, which is Windows Event Forwarding (WEF): one server runs the Windows Event Collector service, and the other servers push selected events to it over WinRM, where they land in the collector's Forwarded Events log. The filter lives in the subscription itself, so you can forward only "Errors & Warnings" (or, from the Security log, only audit failures), then review that one log daily and remediate what you find. It ships with Windows, so it costs nothing beyond the collector's disk, and it gives you a copy of each event that survives the source server being compromised or rebuilt. This is as simple as log monitoring gets: real-time alerting is limited to what you can bolt on with "Attach Task To This Event", and there is no convenient way to hide or acknowledge events you have decided to ignore.
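The collector and subscription setup just described, as an added PowerShell example (not code from the original article). It creates a source-initiated subscription that forwards only Critical/Error/Warning events from Application and System plus audit failures from Security, and shows the source-side settings that Group Policy normally delivers. The collector hostname and subscription name are placeholders, and all sources are assumed to be domain members (the subscription's SDDL admits Domain Computers).

```powershell
# Added example, not from the original article. Sets up Windows Event Forwarding (WEF):
# a collector with a source-initiated subscription, and the source-side configuration.
# Placeholders: collector hostname 'wec01.example.internal', subscription ID 'DailyReview'.

# --- On the collector ---------------------------------------------------------------
# Start the Windows Event Collector service, set it to delayed auto-start and enable the
# ForwardedEvents log; /q answers the prompts.
wecutil qc /q

# Subscription definition. The XPath filters run on the source, so only matching events
# cross the network. Keywords bit 4503599627370496 (0x10000000000000) is Audit Failure.
$SubscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DailyReview</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Errors, warnings and audit failures for daily review</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
      </Query>
      <Query Id="1" Path="Security">
        <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@

$Path = Join-Path $env:TEMP 'DailyReview.xml'
Set-Content -Path $Path -Value $SubscriptionXml -Encoding UTF8
wecutil cs $Path          # create the subscription from the file
wecutil gr DailyReview    # runtime status: each source shows as Active once it has checked in

# --- On each source server ------------------------------------------------------------
# Group Policy normally sets this (Computer Configuration > Administrative Templates >
# Windows Components > Event Forwarding > Configure target Subscription Manager); the
# registry value below is what that policy writes, shown here for a lab test.
$Collector = 'wec01.example.internal'   # placeholder
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $Key -Force | Out-Null
Set-ItemProperty -Path $Key -Name '1' -Value "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"

# The forwarder rides on WinRM, which must be listening, and runs as NETWORK SERVICE,
# which needs read access to the Security log before audit failures can be forwarded.
winrm quickconfig -q
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
Restart-Service WinRM
```

Keep the subscription's filter narrow at first; a subscription that forwards everything from 80 servers fills the collector's disk quickly, and the collector's ForwardedEvents log size (wevtutil sl ForwardedEvents /ms:<bytes>) should be raised from its default before the sources start pushing.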

Also free, but more feature-rich and more complex, are syslog-based collection -- syslog is a standard for message logging with many server implementations and add-ons -- and the ELK stack, which includes Elasticsearch, Logstash and Kibana. Windows does not speak syslog or write to Elasticsearch on its own, so you install a shipping agent on each server (NXLog is a common choice for syslog-style forwarding, Winlogbeat for ELK), or forward everything to a WEF collector first and run the agent only there. You can start by monitoring the Windows event logs, then collect application-specific logs from IIS, SQL Server or other applications that write to files outside the Windows event log.

At the paid end, two popular examples are SolarWinds Log & Event Manager (since renamed Security Event Manager) and Splunk, on-premises or as a service. These products aim at the higher end of the market and are not plug and play: expect to spend time on agents, parsing rules and alert tuning before they earn their keep.

Paid or enterprise versions of event log monitoring tools provide a great deal of information and alerting across all manner of logs, including the Windows event logs. However, they may be too complex for a small IT team to maintain, and licensing is frequently tied to the volume of data ingested or the number of nodes, so the cost grows with the estate.

Vendors like Splunk and SolarWinds offer demos and trial licenses; run one against a handful of your own servers, because only your logs will show you how much tuning the tool needs in your environment.




Which program(s) do you use for event log monitoring on your servers?
The article mentions the two extremes - MS Event Viewer and the enterprise-scale paid solutions - but there are a lot of good solutions in between, and you've got to weigh the cost of the software against the associated cost of staff that will still be needed to run it, no matter how sophisticated it is.

For example, smaller packages (such as "LogMeister") can happily monitor smaller setups without having the costs quickly mount up when adding a couple of extra server boxes.

PaulRoberts, you're completely correct. It's hard to cover a bunch of options in a short article without turning it into a list of products and still missing out everyone else's favorite.

All requirements are different, and due diligence is required to work out what's the best fit.

Good point, Adam, though I agree with Paul in that a few products were cherry-picked and give the impression that they are standard bearers.

Splunk and ELK are certainly popular products that deserve mentioning, but SolarWinds certainly does not. I would consider directing readers to comparison websites which list the most popular products available on the market today.

We get really good results with EventSentry, which specializes in real-time Windows event log monitoring, with an extremely advanced filtering rules engine that supports virtually any requirement (timers, summary, chaining, regex, day/time, recurring events) and is reasonably priced (although not as low as LogMeister, from what I just saw).

Great article, Adam, thanks!
If you really have 80 servers in your network, I strongly suggest looking into NXLog - https://nxlog.co/products/nxlog-community-edition - a high-performance centralized log management tool, which is highly scalable and open source, so an instant free download is available on the website.