By default, EventTracker stores all received events in EventVault, an optimized, high-performance event warehouse that is purpose-built for efficient storage and retrieval of event logs. EventVault reliably and efficiently archives event logs from across the enterprise without the need for any DBMS licenses or the overhead of database administrators. All collected events are compressed (over 90% compression ratio), encrypted and sealed with an MD5 signature to prevent potential tampering.
A purpose-built event archive is a far better choice for log retention than a traditional relational database because of the unique requirements of event log data. First, much of the value that a database system brings to data management is in its ability to manage not only the creation and reading of data, but also the potential update and deletion of data by multiple users. Much of what a database does very well, and what incurs much of its overhead, is record locking and managing privileges for updating and deleting data. Event data, on the other hand, is written once and read many times. By their very nature, event logs should never change, and much of the overhead inherent in a DBMS is simply not required.
Further, a database is not an efficient storage mechanism: one million event records can easily consume 5 GB of storage, and storing even a few months of enterprise event data can require a big database, a big server and expensive DBAs to keep it running. If 100 million events are archived, a traditional database can grow to 400 GB while EventVault would require just 10 GB. The database also needs constant maintenance to keep it running smoothly, and a complex system to write to offline storage is often required to save on storage costs. Databases are also not guaranteed to be secure storage. Event log data can be tampered with and the tampering disguised by any competent DBA.
With EventVault, log data is encrypted, compressed by over 90%, sealed, then written to CAB files and stored on the file system. When a report is generated, EventTracker automatically selects the required archived data, unseals and decompresses it, and then generates the necessary report. Despite the decompression step, reports from EventVault are still usually generated faster than reports from a standard RDBMS, and sophisticated caching of the event data, once opened, makes subsequent report generation very fast. The EventVault archives can be stored on any storage device that can be accessed from the EventTracker Manager.
Storage of large quantities of events is extremely efficient, and the CABs can also be backed up and restored as simple flat files with no open-file issues. This enables storage of indefinite amounts of log data, subject only to storage availability, while old data can be easily deleted or moved to offline storage.
Though EventVault provides substantial advantages, some organizations still prefer to archive collected events in traditional databases. As a result, EventTracker also supports SQL Server, Oracle and Microsoft Access for storing events. The database can be installed on the same server or a separate dedicated database server.