Monitoring User Activity in Real Time with RTMonitor

Latest Update:

Updated Oct. 27, 2006: New version 4.4 is released with new features listed below. A free demo version is available here. The price is:

• $99.95 for new customers
• $45.95 for schools, colleges, universities, and health protection establishments
• $45.95 for upgrades from a previous version
• Special Promotion: $20.95 for ANY upgrade, until November 20, 2006! Detailed information about this program can be found at: http://www.kvy.com.ua

Upgrading:

If you already installed version 3.9.6 or earlier of the program, then you should first uninstall the old version before installing the new copy. Use the Add/Remove Programs folder in Control Panel of your workstation. This operation cleans all settings of MS Installer in the Registry.

If you already installed the 4.0.3 version (or later), then install the new copy into the same directory of this previous copy. You should not need to uninstall the old one first.

Changes since the previous versions include:

• New features of 4.4:
  
  * Added the Remote management commands to the Tools menu and History.
  * Added saving a cursor position in the History and Web Sites Report windows after pressing one of the buttons of these windows.
  * Added saving the sort order of columns of the main window for next RTMonitor sessions.
  * Added support of Euro languages in the Send message window.
  * Refreshed some codes by the new NDK (October, 2006).
  * Changed HELP.
  
  

About RTMonitor

A common question I see in the Novell public forums is "How can I see where my users are going right now?", and "How can I tell who is using a lot of bandwidth right now?"

The best answer I have seen is to use a clever little program called RTMonitor, by Victor Kulichkin. This program works by parsing the common log file almost constantly, pulling out current data, and displaying it on your PC. The program will show you 100 users (configurable), and the last 20 or so web sites they visited. In addition, the amount of bytes downloaded by each user is displayed, so that you can find users that are taking most of the bandwidth.

Starting with version 3.05 there is a button to click on that will attempt to associate an IP address from the log files with a user currently logged in to a server. (There are limitations on how this works, but basically, if you do not have proxy authentication enabled, and your users are logged into a NetWare 5 or 6 server via TCP/IP, and you are running RTMonitor on Win2k / XP, the feature should work).

I find this program especially useful when setting up access rules, and discovering what sites kids are getting to in schools. (Sites not being blocked by SurfControl, N2H2 or LinkWall). I can then modify the access rules as needed. Versions since 3.05 even show me if the last access to a site was Forbidden, by displaying the HTTP connection code from the logs.

Version 3.1.4 and later have a very useful LinkWall integration feature, that makes it extremely easy to block a URL with LinkWall. Click on a URL in RTMonitor's display, and you will have an option to add that URL to a LinkWall blocking list. You even have another button to tell LinkWall to refresh itself, so that it will read in the new URL and block it right away. If you do not have LinkWall, this feature can be used to simply make a list of URL's you might want to track, or manually add to your own access rules. If you haven't tried LinkWall, you should. (You can download a LinkWall 45-day eval for free HERE).

RTMonitor is not expensive at only $99.95 (about half that for schools)! Every BorderManager administrator should get a copy. The program is available for purchase at Victor Kulichkin's web site.

A RTMonitor demo version is available HERE. This version will only display 3 users. It is a small program, runs on Windows, and it is easy to install and uninstall. Victor Kulichkin's web site shows an example of how the program looks in action.

Note: If you have installed older versions of RTMonitor, you must uninstall the old version before the new version will install. Running the install program has an option to uninstall the program, but it will not automatically detect and uninstall older versions for you. If you install a new version with an old version installed, the old version will remain in place.

Some hints on how to make best use of this program:

• Using this program requires you to have common logging enabled, so be sure to enable common logging. RTMonitor does not make use of extended or indexed log files. I highly recommend setting up a dedicated log volume - do not put the log files on a cache volume, and try to avoid the sys volume.
• Because RTMonitor must parse through the most current common log file, it works best (fastest) if you have multiple small common log files, instead of very large ones. I recommend that you try to roll over your log files frequently, and at least try get them down to no more than 10MB each.
• Because RTMonitor caches the current log file on your workstation while working on it, you must reserve a certain amount of RAM in the program setup to hold the current log file. The default value is 10MB. If you roll your log files frequently, you can reduce the RAM limit for RTMonitor. If you have lots of RAM on your PC and like to have 50-60MB log files, you can increase the cache size limit in RTMonitor. (But RTMonitor will still take longer to parse a 60MB log file than a 10MB log file). Version 3.9.6 changed how the log files are processed, and this may not be as much of a limitation as before.
• There is a History option in RTMonitor so that you can see the last 1000 or so URL's accessed by a user. I requested that Victor add this feature because some web sites have many advertisement links that would otherwise obscure where the user was browsing. For instance, browsing to www.cnn.com will show you one URL for www.cnn.com, but serveral others as well, including ar.atwola.com, which usually shows up as the last URL. Without the history feature, you would not know that the web site being accessed was www.cnn.com.
• There is a Connect feature, which works with Internet Explorer, to view the URL's shown in the RTMonitor display. Note that once you connect to a URL, the next pass of RTMonitor through the common log will show you as accessing that URL.
• You will only see a user name if Proxy Authentication is active and the user is authenticated.
• By default, RTMonitor makes another pass through the latest common log file 60 seconds after it completes a pass. However, it may take several seconds to parse the log file itself, so the actual (default) time between log file passes is 60 seconds + whatever time it takes for your PC to access and analyze your log file. Smaller log files are faster. You can change the idle time parameter if you don't like a 60 second delay between passes.
• Active connections are shown in red, while older connections are shown in black. After 30 minutes (default value) with no further activity, the user information is dropped from the RTMonitor display. Regardless of the time entered in the 'Clean Passive Users' parameter, only the last 100 users will be displayed.

Previous Updates to this page:

• New Features of Previous Version (4.2.6):
  
  * Added the Create web report command. With this command you will see all websites that your users are visiting at the moment. The command forms two kinds of reports - A report of websites and A report of visitors of these sites.
  
  * Added the Send message command. With this command you can send messages to a user by using the Message services of NetWare.
  
  * Added the Report options window for creating reports.
  
  * Enhanced the Define name mode:
  a. Added the option allowing you to manually make a servers list for scanning of users. This option allows you to reduce the time of this mode and is also useful for networks that have NetWare servers at the opposite sides of WAN.
  b. Modified the algorithm of this operation for the last eDirectory versions in IP and IPX environments. The old Define Name command found user names without their NDS contexts.
  c. Added seven additional criteria of search by connection types into the algorithm. The previous programs had only two.
  d. Added the filter for ignoring NDS non-user objects. This option is useful for networks with ZENworks.
  e. Added support of NDS multi trees.
  
  * Enhanced the History mode:
  a. Changed the window interface.
  b. Added a pop-up menu.
  c. Added the option allowing you to increase History cache to 1023 records.
  d. Added sorting of information for two directions in the columns of the History window.
  e. Added the NDS Info command to this window.
  f. Added the Send message command.
  g. Added the button for the Connect operation.
  
  * Enhanced the Whois option:
  a. Corrected hanging of the program when it tried to set a connection with a closed Whois server.
  b. Added the "Paste" button for operations with Clipboard.
  c. Added the "Transfer to DNS name" button. This button will allow you to get a host name through its IP.
  d. Added the buttons: "Move to the top of the URL list" and "Move to the tail of the URL list". By these the button you will move a host name to the top or the tail of the URL list.
  e. Added some improvements to searching operations.
  f. Improved the interface.
  
  * Added an icon for the Connect command to the toolbar.
  
  * Refreshed some codes from the new NDK (March, 2005).
  
  * Changed HELP.
  

Updated June 11, 2004: New version 3.9.6 is released with new features listed below.

• Added LinkWall 2.00 support
• Added Check Log command - check the log immediately without waiting for the next pass
• Add NDS Info command - get NDS personal information for a selected user
• Added automatic start to most recently used common log path
• Enhanced algorithm for reading log files to be more efficient with both bandwidth and memory
• Enhanced history mode, to allow tracing a user activity more easily
• Added history icon to toolbar
• Enhanced Define Name mode - you can now halt this operation in progress
• Changed the icon for Define Name in the toolbar
• Changed some codes from the latest Novell NDK
• Changed license agreement and Help file

Updated Jan 5, 2004: New version of RTMonitor released. New demo version uploaded here.

• Changes include: Traffic diagram feature added - requires a certain minimum amount of time, so give it a few minutes to run before graphing the data.
• Price increased to $44.95.

Updated Sept. 25: People were having problems with browsers not downloading .MSI files properly (MIME setting issue in the browser), so I repackaged the RTMonitor demo download in .ZIP format. No other changes.

Updated July 23, 2003, with new demo version, and explanation of new features:

• LinkWall integration - click on a URL, and easily add it to a LinkWall blocking list
• Flag 403 Forbidden Users - enable this feature, and any user with a 403 error will be highlight. (Useful for school administrators watching for problem children).
• Beep on 403 Forbidden - enable this feature, and if a 403 Forbidden comes up in the current pass, the PC will beep once to get your attention
• History buffer per user increased from 10 to 20 URL's
  

Updated May 26, 2003: - updated information for new version 3.05.

Return to the Main Page