• Features
• How It Works
  • Collection
  • Consolidation
  • Knowledge
  • Correlation
  • Storage
  • User Interface
• Where It Fits
• Editions

How It Works

Log Storage

EventTracker stores all collected event logs in EventVault, an optimized and high performance event warehouse that is purpose-built for efficient storage and retrieval of event logs. EventVault reliably and efficiently archives event logs from across the enterprise without the need for any DBMS licenses or the overhead costs of Database Administrators.

With EventVault all collected events are compressed (over 90% compression ratio), sealed with a SHA-1 signature to prevent tampering and then written to standard CAB files and stored on the file system. When a report is generated, EventTracker automatically selects the required archived data, unseals and decompresses it, and then generates the necessary report. Despite the decompression step, reports using EventVault are still generated faster than using a standard RDBMS, and sophisticated caching of the event data, once opened, enables subsequent report generation to be very fast. The EventVault archives can be stored on any physical device that can be accessed from EventTracker.

Although storage of large quantities of events is extremely efficient, the backup of logs is also straightforward. CABs can be backed up and restored as simple flat files. This enables storage of indefinite amounts of log data subject only to storage availability, while at the same time older data can be easily deleted or moved to offline storage.

EventVault vs. Database

A purpose built event archive is a far better choice for log retention than a traditional relational database because of the unique requirements of event log data. First, much of the value that a database system brings to data management is in its ability to manage not only the creation and reading of data, but also the potential update and deletion of data by multiple users. Much of what a database does very well (and incurs much of its overhead) is record locking and managing privileges for updating and deleting data. Event data on the other hand is write once, read many times. By its very nature event logs should never change, and much of the overhead inherent in a DBMS is simply not required.

In addition, a database is not an efficient storage mechanism in terms of disk space, one million event records can easily consume 5GB of storage, and storing even a few months of enterprise event data can require a big database instance, a bigger server and expensive DBA’s to keep it all running. If 100 million events are archived, a traditional database can grow to 400 GB while EventVault would require just 10 GB. Further, the database needs constant maintenance to keep it running smoothly and a complex system to write to off-line storage is often required to save on storage costs. Finally, databases are also not guaranteed to be secure storage. Event log data can be tampered with and the tampering disguised by any competent DBA.