Eventlog Analyzer User Guide

Manage Engine Log Manager Eventlog Analyzer User Guide


Contents

1. What is in this guide 1

1.1. What is in this guide? 1

2. Introduction 2

2.1. Overview 2

2.2. Release Notes 4

3. Setup the Product 5

3.1. Setup EventLog Analyzer 5

3.2. System Requirements 6

3.3. Prerequisites 9

3.4. How to Install and Uninstall EventLog Analyzer 12

3.5. How to Start and Shutdown EventLog Analyzer 14

3.6. Access EventLog Analyzer Server 17

3.7. How do I backup my database? 18

3.8. License Details 20

3.9. Get Started 22

4. Add Log Sources 24

4.1. Adding Devices 24

4.2. Adding Windows devices 25

4.3. Adding Syslog Devices 28

4.4. Adding Common Event Format (CEF) Devices 30

4.5. Adding Other Devices 31

4.6. Adding IBM iSeries (AS/400) devices 32

4.7. Adding VMware (ESXi) devices 34

4.8. Adding vCenter 35

4.9. Adding SQL server 36

4.10. Adding an IIS server 40

4.11. Adding MySQL Server 43

4.12. Adding Oracle Application Server 46

www.eventloganalyzer.com | demo.eventloganalyzer.com | [email protected] I


4.13. Adding Print Servers 48

4.14. Adding a Syslog Application 49

4.15. Adding Sysmon Application 51

4.16. Adding Terminal Servers 53

4.17. Adding other servers 54

4.18. Import Log Files 55

4.19. How to monitor logs from an Amazon Web Services (AWS) Windows instance 66

5. Configuring and enabling logging/auditing in sources 71

5.1. Enabling Logs 71

5.2. Enabling Hyper V logging 72

5.3. How to enable Audit for IBM AS400/iSeries Journal Logs 73

5.4. Enabling Stackato Logging 75

5.5. Configuring McAfee Solutions 76

5.6. Steps to configure external applications 78

5.7. Configuring Zscaler NSS 81

6. Configuring Syslog Service 82

6.1. Configuring the Syslog Service on UNIX devices 82

6.2. Configuring the Syslog Service on Mac OS devices 85

6.3. Configuring the Syslog Service on an HP-UX/Solaris/AIX Device 86

6.4. Configuring the Syslog Service on VMware 87

6.5. Configuring the Syslog Service on Arista Switches 88

6.6. Configuring the Syslog Service on Cisco Switches 89

6.7. Configuring the Syslog Service on HP Switches 90

6.8. Configuring the Syslog Service on Cisco devices 91

6.9. Configuring the Syslog Service on Cisco Firepower devices 92

6.10. Configuring the Syslog Service on SonicWall devices 93

6.11. Configuring the Syslog Service on Juniper devices 94

6.12. Configuring the Syslog Service on PaloAlto devices 95

6.13. Configuring the Syslog Service on Fortinet devices 96

6.14. Configuring the Syslog Service on Check Point devices 97

6.15. Configuring the Syslog Service on NetScreen devices 98

6.16. Configuring the Syslog Service on WatchGuard devices 99

6.17. Configuring the Syslog Service on Sophos devices 100

6.18. Configuring the Syslog Service on Cyberoam devices 101

6.19. Configuring the Syslog Service on Barracuda devices 102

6.20. Configuring the Syslog Service on Barracuda Web Application Firewall 103

6.21. Configuring the Syslog Service on Barracuda Email Security Gateway 104

6.22. Configuring the Syslog Service on Huawei Firewall devices 105

6.23. Configuring the Syslog Service on Malwarebytes devices 106

6.24. Configuring the Syslog Service on Meraki devices 107

6.25. Configuring the Syslog Service on FireEye devices 108

6.26. Configuring the Syslog Service on pfSense devices 109

6.27. Configuring the Syslog Service on Symantec DLP devices 110

6.28. Configuring the Syslog Service on Symantec Endpoint Protection devices 111

6.29. Configuring the Syslog Service on H3C devices 112

6.30. Configuring the Syslog service on Stormshield firewall 113

6.31. Configuration steps for Syslog forwarding from F5 devices to EventLog Analyzer 114

6.32. Configuration steps for Syslog forwarding from Trend Micro - Deep Security devices to EventLog Analyzer 116

7. User Interface 117

7.1. User Interface Tabs 117

7.2. Dashboard Views 122

7.3. Customizing Dashboard Views 130

8. EventLog Analyzer Reports 135

8.1. EventLog Analyzer Reports 135

8.2. Setting up Windows Event Log Reports 137

8.3. Manage Predefined Reports 139

8.4. Manage Report Views 140

8.5. Custom Reports 143

8.6. Schedule Reports 151

8.7. Adding reports to the Favorites section 154

8.8. List of Network Device Event Reports 156

8.9. List of Windows Event Reports 157

8.10. Unix Event Reports 164

8.11. Reports for Applications 171

8.12. List of reports for vCenter Monitoring 184

8.13. Reports for H3C Devices 186

8.14. Reports for Arista Devices 188

8.15. StormShield Reports 190

8.16. HP Switches Reports 192

8.17. Barracuda reports 197

8.18. CheckPoint reports 202

8.19. FirePower reports 207

8.20. Reports for Fortinet Devices 211

8.21. Reports for Huawei Devices 215

8.22. Reports for Juniper Devices 220

8.23. Reports for Malwarebytes devices 225

8.24. Reports for Meraki Devices 230

8.25. NetScreen reports 235

8.26. Palo Alto reports 239

8.27. pfSense reports 243

8.28. SonicWall reports 247

8.29. Sophos reports 251

8.30. WatchGuard reports 254

8.31. F5 reports 258

8.32. IBM AS/400 reports 261

9. Threat Intelligence Data Analytics 265

9.1. Threat Data Analytics 265

9.2. FireEye Threat Solutions 266

9.3. Symantec Endpoint Solutions 268

9.4. Symantec DLP Application 270

9.5. Malwarebytes Reports 272

9.6. CEF format Reports 274

10. Vulnerability Data Analytics 276

10.1. Vulnerability Data Analytics 276

10.2. Vulnerability Reports 278

11. Real-time Event Correlation 283

11.1. Understanding correlation 283

11.2. Generating Incident Timeline Reports in Correlation 287

11.3. View Last 10 Incidents 292

11.4. Activity Monitoring 293

11.5. Creating Correlation custom rules with the Correlation Rule Builder 298

11.6. Manage Correlation Rules 305

12. Compliance Reports 306

12.1. Compliance Reports 306

13. Search Logs 309

13.1. Log Search in EventLog Analyzer 309

13.2. Saving search and exporting search results 313

13.3. Custom Log Parser 316

13.4. Tagging tool 321

14. Alerts 326

14.1. Event Alerts 326

14.2. How to create an alert profile 329

14.3. Active Alerts 333

14.4. Alert Notification & Remediation 341

14.5. Ticketing Tool Integration 344

14.6. Manage Profiles 350

15. Incident Management 354

15.1. Incident management 354

15.2. Incident workflow management 360

16. Framework Integration 367

16.1. Integrating and using the MITRE ATT&CK framework with EventLog Analyzer 367

17. Configurations 369

17.1. Configurations 369

17.2. Device Management 370

17.3. Manage Applications 377

17.4. File Integrity Monitoring (FIM) 378

17.5. Manage Threat Source 383

17.6. Threat Management 385

17.7. Threat Whitelisting 391

17.8. Manage Vulnerability Data 397

17.9. Device Group Management 398

17.10. Manage vCenter 401

17.11. Log Forwarder 402

18. Admin Settings 403

18.1. Admin Settings 403

18.2. Privacy Settings 404

18.3. Agent Administration 406

18.4. Archive 417

18.5. Technicians and Roles 426

18.6. Logon Settings 433

18.7. Domains and Workgroups 444

18.8. Working Hour Settings 447

18.9. Product Settings 448

18.10. DB Retention Settings 452

18.11. Log Collection Filter 453

18.12. Log Collection Failure Alerts 455

18.13. Report Profiles 456

18.14. Resource Grouping 459

18.15. Custom Patterns for Log Parsing 460

18.16. Tags 462

18.17. Dashboard Profiles 463

19. System Settings 465

19.1. System Settings 465

19.2. Notification Settings 466

19.3. Manage Account TFA 472

19.4. NT Service 474

19.5. Configure Connection Settings 475

19.6. Re-branding 477

19.7. Server Diagnostics 479

19.8. Database Access 480

19.9. Reset Log Collector 481

19.10. Log Level Settings 482

19.11. Port Management 483

20. Help, Questions, and Tips 488

20.1. EventLog Analyzer - Troubleshooting Tips 488

20.2. EventLog Analyzer - Frequently Asked Questions 514

20.3. EventLog Analyzer Help 522

21. Additional Utilities 523

21.1. EventLog Analyzer - Additional Utilities 523

21.2. Working with HTTPS 524

21.3. Configuring the MS SQL database for EventLog Analyzer 529

21.4. Migrate EventLog Analyzer Data from PGSQL to MS SQL Database 534

21.5. Migrate EventLog Analyzer Data from MySQL to MS SQL Database 538

21.6. Moving the EventLog Analyzer MSSQL Database to a Different Directory in the Same Server 542

21.7. Moving the EventLog Analyzer Installation to Another Machine 544

21.8. Log360 Cloud 549

22. Distributed Edition 553

22.1. EventLog Analyzer distributed edition 553

22.2. Convert EventLog Analyzer standard edition to an admin server 554

22.3. Converting EventLog Analyzer standard edition to a managed server 555

22.4. Frequently Asked Questions - EventLog Analyzer Distributed Edition 556

23. Technical Support 559

23.1. EventLog Analyzer Technical Support 559

23.2. Create an EventLog Analyzer Support Information File (SIF) 560

23.3. Contacting EventLog Analyzer Support 563

Chapter 1 What is in this guide

What is in this guide?


This document helps you make the best use of EventLog Analyzer.
Explore the solution's capability to:

Collect log data from sources across the network infrastructure, including servers, applications, network devices, and more.
Analyze log data to extract meaningful information in the form of reports, dashboards, and alerts.
Monitor user behavior, and identify network anomalies, system downtime, and policy violations.
Detect internal and external security threats.
Generate predefined reports to meet the requirements of regulatory compliance mandates such as PCI DSS, HIPAA, FISMA, SOX, GLBA, ISO 27001, and more.

Are you new to EventLog Analyzer?


A quick look at the topics listed below should be enough to let you deploy, configure, and generate reports with EventLog Analyzer.

How do I add devices and applications, and get logs into EventLog Analyzer?
What reports are available?
How do I generate custom reports?
How do I search logs for specific information?
How do I extract additional fields from the logs?
How do I generate and send alert notifications?
How do I customize the web client?

Chapter 2 Introduction

Overview
EventLog Analyzer is a web-based, real-time log monitoring and compliance management solution for Security Information and Event Management (SIEM) that improves network security and helps you comply with IT audit requirements. Using an agentless architecture, EventLog Analyzer can collect, analyze, search, report on, and archive logs received from systems (Windows, Linux/UNIX), network devices (routers, switches, firewalls, and IDS/IPS), and applications (Oracle, SQL and Apache). It provides important insights into user activities, policy violations, network anomalies, system downtime, and internal threats. It can be used by network administrators and IT managers to perform audits for regulations such as SOX, HIPAA, PCI DSS, GLBA, etc.

You can use EventLog Analyzer to:

Monitor activities of servers, workstations, devices, and applications spread across geographies.
Monitor user activities like logons/logoffs and objects accessed.
Generate reports for security events of interest.
Generate compliance reports for PCI DSS, HIPAA, FISMA, SOX, GLBA and other regulatory mandates.
Perform log forensics by swiftly searching the log database and saving the search results as reports.
Configure automatic e-mail or SMS alerts for indicators of compromise, such as network anomalies or compliance threshold violations.
Execute workflows upon alert generation to respond to security threats automatically.
Securely archive log data in tamper-proof form for forensic analysis and compliance audits.

Get log data from devices and applications


ManageEngine EventLog Analyzer collects, analyzes, searches, reports on, and archives event logs from distributed Windows devices; syslogs from Linux/UNIX devices, routers, switches and other syslog devices; and application logs from IIS web/FTP servers, print servers, MS SQL and Oracle database servers, DHCP Windows/Linux servers, and more.

For real-time Windows event log collection, DCOM, WMI, and RPC have to be enabled on the remote Windows machine for the logs to be collected by EventLog Analyzer.
For real-time syslog collection, ensure that the syslog listener ports in EventLog Analyzer are configured to listen on the port where the syslog or syslog-ng service is running on that particular machine (Cisco device, UNIX, HP-UX, Solaris or IBM AIX).
For application logs, EventLog Analyzer can be scheduled to import logs (HTTP or FTP) periodically from the application devices. You can also import and analyze older logs from Windows and Linux machines.

Search log data and extract new fields to extend search


EventLog Analyzer provides a powerful log search engine for all types of logs. Universal log search is made possible with the
help of the field extraction procedure, which allows you to define/extract new fields from your log data, in addition to the
set of default fields that EventLog Analyzer automatically parses and indexes. Once new fields have been extracted,
EventLog Analyzer automatically parses and indexes them from the new logs that are subsequently received; this drastically
improves your search performance and helps EventLog Analyzer handle any kind of log format.

Generate IT audit reports to assess network security and comply with IT regulations

EventLog Analyzer provides a set of canned reports addressing important aspects of internal security. The software has the flexibility to create custom reports to address your IT department's complex requirements. Over and above the set of canned reports for SOX, HIPAA, GLBA, FISMA and PCI DSS, EventLog Analyzer also allows you to create customized reports for other compliance requirements. With this software you can schedule periodic report generation and distribute them to various users in different formats.

Real-time event correlation, instant alert notification and quick remediation

EventLog Analyzer comes with a robust event correlation and alerting module. The software can correlate events occurring across systems and applications and generate alerts. You can get instant notification via email and SMS. You can also execute workflows upon the generation of alerts to take quick remedial action.

Release Notes
This section contains a summary of the updates in EventLog Analyzer version 12.1.6 (Build 12160).

12.1.6 Build 12160 - Standalone Edition


New Features
EventLog Analyzer provides reports for Sysmon application.
EventLog Analyzer will now assign a dedicated access key from Log360 feeds and provide sign up instructions for
threats.
A new ATA Whois Info tab has been added to provide exhaustive information on URL and Domain sources.

Enhancements
Custom Pattern enhancements:
The Custom log parsing UI has been enhanced for better user experience
You can now use delimiters to extract additional fields while parsing logs.
An Auto-Identify option has been included to detect standard fields and key-value pair logs.
Application & Windows Reports Enhancements:
The Application and File Monitoring device drill down can now be viewed under Reports.
Reports for Windows File Monitoring have been added.
You can now get All Events and Important Reports for Applications.
Windows Reports have now been regrouped to provide significant information.
The packet capture tool for troubleshooting in Syslog Viewer has been enhanced for better filtering.
The performance of the log collector has been enhanced to ensure optimum utilization of resources.
The service pack installation has been made secure by checking the PPM file for any tampering.
EventLog Analyzer now supports vCenter version 7.
EventLog Analyzer now supports SMB version 3.

Fixes
This release includes fixes for issues related to:

Issue with incorrect or null field values being sent via SMS notification has been fixed.
It was observed that Archives were being wrongly flagged as tampered during unanticipated shutdowns of
EventLog Analyzer. This has been fixed.
A memory issue while loading archived logs with parsed fields has been fixed.
The incorrect log count issue in device drill down of Application and File Integrity Monitoring in log sources has
been fixed.
The issue of excessive storage consumption of databases has been fixed.
Issues in HSTS and XSS have been fixed.
SQL injection and RCE vulnerabilities have been fixed.

Note: The enhancements and fixes for the Distributed Edition are the same as that of the Standalone edition.

Chapter 3 Setup the Product

Setup EventLog Analyzer


Download the product
Check the installation requirements
Install the product
Ensure the prerequisites are met
Run the product
Connect to the EventLog Analyzer Server
Backup the EventLog Analyzer database
Check the EventLog Analyzer editions available
Buy the product

System Requirements
This section lists the minimum system requirements for installing and working with EventLog Analyzer.

Hardware Requirements

For 32-bit machines

1 GHz, 32-bit (x86) Pentium Dual Core processor or equivalent
2 GB RAM
5 GB hard disk space for the product

For 64-bit machines

2.80 GHz, 64-bit (x64) Xeon LV processor or equivalent
2 GB RAM
5 GB hard disk space for the product

EventLog Analyzer is optimized for 1024x768 monitor resolution and above.

Operating System Requirements


EventLog Analyzer can be installed and run on the following operating systems (both 32-bit and 64-bit architectures) and versions:

Windows

Windows Server 2019
Windows Server 2016
Windows Server 2012
Windows Server 2008
Windows Server 2003
Windows Server 2000
Windows 10
Windows 8
Windows 7
Windows 2000
Windows Vista
Windows XP, NT

Linux

Linux - RedHat RHEL
Linux - Mandrake
Linux - Mandriva
Linux - SuSE
Linux - Fedora
Linux - CentOS
Linux - Ubuntu
Linux - Debian

VMware

VMware environment

Supported Web Browsers


EventLog Analyzer has been tested to support the following browsers and versions:

Internet Explorer 9 and later


Firefox 4 and later
Chrome 8 and later

Supported Logs and Data Sources


EventLog Analyzer can collect, index, analyze, archive, search and report on logs from hundreds of devices, platforms and services. To know the latest supported logs and data sources, visit
https://www.manageengine.com/eventlog/supported-data-sources.html

Note:
With its Universal Log Parsing and Indexing (ULPI) technology, EventLog Analyzer can support any log and data source that is in human-readable format.
For analyzing logs from a Windows NT machine, WMI core should be installed on the Windows NT machine.
Syslogs received from SNARE agents for Windows will be displayed as Windows devices.

RAM Size and Disk Space Requirement Approximation


The following table recommends the RAM size and disk space requirements of the machine on which the EventLog Analyzer server is installed. The RAM size and disk space requirements depend on the number of devices sending log information to EventLog Analyzer, and on the number of log records received per second or the volume of log data received per day by EventLog Analyzer. The approximation below is worked out for 100 devices and an average log record size of 350 bytes.

Log Records Rate (or) Volume    RAM Size    Hard Disk Space Requirement Per Month to Archive Logs
100/sec or 3 GB/day             1 GB        300 GB
500/sec or 14 GB/day            2 GB        1440 GB
1000/sec or 28 GB/day           4 GB        2880 GB

Supported Databases

Bundled with the product

PostgreSQL

External Databases

Microsoft SQL 2012


Microsoft SQL 2014
Microsoft SQL 2016
Microsoft SQL 2017
Microsoft SQL 2019

Recommended System Setup


Apart from the system requirements, the following setup ensures optimal EventLog Analyzer performance:

Run EventLog Analyzer on a separate, dedicated PC or server. The software is resource-intensive, and a busy processor may cause problems while collecting event logs.
Use the PostgreSQL bundled with EventLog Analyzer, which runs on port 33335. You need not start another separate instance of PostgreSQL.
As mentioned in the prerequisites, for better performance, you can modify the existing PostgreSQL parameters.
Enable disk encryption for better security.

Prerequisites
Before starting EventLog Analyzer in your environment, ensure that the following are taken care of.

What are the ports required for EventLog Analyzer?


EventLog Analyzer requires the following ports to be free for web server, syslog, and PostgreSQL/MySQL:

Port Numbers      Ports Usage                      Description
8400 (TCP)        Web server port                  This is the default web server port used by EventLog Analyzer. This port is used for connecting to EventLog Analyzer using a web browser.
513, 514 (UDP)    Syslog listener port             These are the default Syslog listener ports for UDP. Ensure that devices are configured to send Syslogs to any one of these ports.
514 (TCP)         Syslog listener port             This is the default Syslog listener port for TCP. Ensure that devices are configured to send Syslogs to this port.
33335 (TCP)       PostgreSQL/MySQL database port   This is the port used for connecting to the PostgreSQL/MySQL database in EventLog Analyzer.

EventLog Analyzer uses the following ports for WMI, RPC, and DCOM:

Port Numbers           Ports Usage       Description
135, 445, 139 (TCP)    WMI, DCOM, RPC    Outgoing traffic ports in the EventLog Analyzer server. The same ports will be used as incoming traffic ports in the devices and must be opened. The Windows services DCOM, WMI and RPC use these ports, and EventLog Analyzer in turn uses these services to collect logs from Windows machines in default mode (Event Log mode).
49152-65534 (TCP)      WMI, DCOM, RPC    Incoming traffic ports in the EventLog Analyzer server. The same ports will be used as outgoing traffic ports in the devices and must be opened. DCOM uses a callback mechanism on random ports between 49152-65534 for Windows Server 2008 and 1024-65534 for previous versions.

EventLog Analyzer uses the following ports for local agent to server UDP communication:

Port Numbers              Ports Usage                                                         Description
5000, 5001, 5002 (UDP)    UDP ports for EventLog Analyzer local agent-server communication    EventLog Analyzer uses these UDP ports internally for agent to server communication. Ensure that the ports are free and not occupied by other local applications running in the machine. Some additional higher range ports (1024-65534) will be opened to connect with these ports for internal communication.

EventLog Analyzer uses the following ports for remote agent to server TCP communication:

Port Numbers    Ports Usage                                                         Description
8400 (TCP)      TCP port for EventLog Analyzer remote agent-server communication    EventLog Analyzer uses this TCP port for remote agent to server communication. Ensure that the port is free and not occupied by other local applications running in the machine. This port should be opened in the firewall.

Note: During automatic agent installation, the WMI, RPC, and DCOM ports are used once.

For IBM AS/400

Port Numbers Ports Usage

446-449, 8470-8476, 9470-9476 (TCP) Keep the mentioned ports opened for access to IBM AS/400 machines.

For IIS website autodiscovery

Port Numbers Ports Usage

445 (TCP) The Server Message Block (SMB) protocol uses this port to read the log files.
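The port tables above are the prerequisite check most often skipped before an install. The script below is an added example, not part of this guide or of ManageEngine's software: it attempts to bind each default listener port from the tables and reports it as free, in use, or needing elevated privileges (ports below 1024 on Unix-like systems). The port list is copied from the tables; the `self_test` helper is constructed for this example so the checker can be exercised regardless of which ports happen to be busy on the machine.

```python
import socket

# Default listener ports from the prerequisites tables in this guide.
# (135/139/445 and the dynamic RPC range are firewall requirements for
# WMI/DCOM traffic, not local listeners, so they are not bind-tested here.)
DEFAULT_PORTS = [
    (8400, "tcp"),    # web server and remote agent-server port
    (513, "udp"),     # syslog listener (UDP)
    (514, "udp"),     # syslog listener (UDP)
    (514, "tcp"),     # syslog listener (TCP)
    (33335, "tcp"),   # bundled PostgreSQL/MySQL port
    (5000, "udp"),    # local agent-server communication
    (5001, "udp"),
    (5002, "udp"),
]


def port_status(port, proto="tcp", host="0.0.0.0"):
    """Try to bind the port once; return "free", "in-use" or "needs-privilege".

    Binding is the same operation the product's listeners perform at start-up,
    so an "in-use" result here predicts a "Can't Bind to Port" failure later.
    """
    sock_type = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, sock_type)
    try:
        s.bind((host, port))
        return "free"
    except PermissionError:
        # Ports below 1024 need root on Unix-like systems; re-run elevated.
        return "needs-privilege"
    except OSError:
        return "in-use"
    finally:
        s.close()


def check_ports(ports=DEFAULT_PORTS):
    """Map "port/proto" -> status for every listener in the list."""
    return {f"{port}/{proto}": port_status(port, proto) for port, proto in ports}


def conflicts(ports=DEFAULT_PORTS):
    """Return the listeners that are already taken, sorted for stable output."""
    return sorted(k for k, status in check_ports(ports).items() if status == "in-use")


def self_test():
    """Hold an ephemeral UDP port, confirm it reads as in use, release it, re-check.

    Constructed demonstration: the kernel picks a free high port, so the result
    does not depend on the machine's real port usage.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind(("0.0.0.0", 0))            # port 0 = let the kernel choose
    port = holder.getsockname()[1]
    while_held = port_status(port, "udp")
    holder.close()
    after_release = port_status(port, "udp")
    return while_held, after_release


if __name__ == "__main__":
    for name, status in check_ports().items():
        print(f"{name:>10}  {status}")
    print("conflicts:", conflicts() or "none")
```

Run it on the intended server before installation; anything reported as in use must be freed or the corresponding port changed in the installer (web server port) or in the product settings, and the 513/514 rows will read "needs-privilege" until the check is run as root.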

Procedure to change the default PostgreSQL port

Edit the database_params.conf file, which is located in the <EventLog Analyzer Home>\conf folder.
Change the port number in the following line to the desired port number:

> url=jdbc:postgresql://localhost:33335/eventlog?stringtype=unspecified

Save the file and restart the server.

Permission to access PostgreSQL to troubleshoot


Open the pg_hba.conf file, which is in the <EventLog Analyzer Home>\pgsql\data directory, and add the line

host all all <IP address of the remote machine to be used to troubleshoot>/32 trust

after the line

host all all 127.0.0.1/32 trust

and save the file.

The edited part of the file changes from this:

# TYPE DATABASE USER ADDRESS METHOD

# IPv4 local connections:

host all all 127.0.0.1/32 trust

# IPv6 local connections:

host all all ::1/128 trust

to this:

# TYPE DATABASE USER ADDRESS METHOD

# IPv4 local connections:

host all all 127.0.0.1/32 trust

host all all <IP address of the remote machine to be used to troubleshoot>/32 trust

# IPv6 local connections:

host all all ::1/128 trust
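Both edits above (changing the JDBC port in database_params.conf and adding a single-host trust line to pg_hba.conf) are plain-text edits that are easy to get wrong, and a pg_hba.conf entry with the trust method grants password-less access to whatever address range its ADDRESS column matches. The script below is an added example, not code from this guide or from ManageEngine: it rewrites the URL port, inserts the trust line only for a single IPv4 address (/32) immediately after the IPv4 loopback line, and lists any non-loopback trust entries so the temporary one can be removed once troubleshooting is finished. The sample file contents are constructed for this example.

```python
import ipaddress
import re

# Constructed sample of the pg_hba.conf fragment shown above (not taken from
# a real installation); spacing follows the file's column layout.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD

# IPv4 local connections:
host    all             all             127.0.0.1/32            trust

# IPv6 local connections:
host    all             all             ::1/128                 trust
"""

# Constructed sample of the url line from database_params.conf.
SAMPLE_DB_PARAMS = "url=jdbc:postgresql://localhost:33335/eventlog?stringtype=unspecified\n"

_URL_RE = re.compile(r"^(url=jdbc:postgresql://[^:/]+:)(\d+)(/.*)$", re.MULTILINE)


def set_postgres_port(params_text, new_port):
    """Rewrite the port in the jdbc:postgresql url line of database_params.conf."""
    if not 1 <= int(new_port) <= 65535:
        raise ValueError("port must be between 1 and 65535")
    new_text, count = _URL_RE.subn(rf"\g<1>{int(new_port)}\g<3>", params_text)
    if count != 1:
        raise ValueError("expected exactly one jdbc:postgresql url line")
    return new_text


def _hba_fields(line):
    """Split a pg_hba.conf line into its fields; comments and blank lines give []."""
    return line.split("#", 1)[0].split()


def add_trust_entry(conf_text, troubleshoot_ip):
    """Insert 'host all all <ip>/32 trust' after the IPv4 loopback trust line.

    Only a single IPv4 address is accepted: a range such as 10.0.0.0/8 or a
    hostname is rejected, because 'trust' means no authentication at all for
    whatever the ADDRESS column matches.
    """
    addr = ipaddress.ip_address(troubleshoot_ip)   # ValueError on ranges or junk
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are handled here")
    entry = f"host    all             all             {addr}/32            trust"
    lines = conf_text.splitlines()
    if any(_hba_fields(l) == entry.split() for l in lines):
        return conf_text                            # already present; idempotent
    for i, line in enumerate(lines):
        if _hba_fields(line) == ["host", "all", "all", "127.0.0.1/32", "trust"]:
            lines.insert(i + 1, entry)
            return "\n".join(lines) + "\n"
    raise ValueError("IPv4 loopback trust line not found; unexpected file layout")


def remote_trust_entries(conf_text):
    """List the ADDRESS values of 'host ... trust' lines that are not loopback.

    Run this after troubleshooting to confirm the temporary entry was removed.
    """
    found = []
    for line in conf_text.splitlines():
        fields = _hba_fields(line)
        if len(fields) >= 5 and fields[0] == "host" and fields[4] == "trust":
            net = ipaddress.ip_network(fields[3], strict=False)
            if not net.is_loopback:
                found.append(fields[3])
    return found


if __name__ == "__main__":
    edited = add_trust_entry(SAMPLE_PG_HBA, "10.0.0.5")   # constructed address
    print(edited)
    print("non-loopback trust entries:", remote_trust_entries(edited))
    print(set_postgres_port(SAMPLE_DB_PARAMS, 5433), end="")
```

To apply it to a real installation, read the two files from the paths named above, pass their contents through `set_postgres_port` and `add_trust_entry`, write the results back and restart the server as the guide instructs; `remote_trust_entries` on the current pg_hba.conf should return an empty list once the troubleshooting session is over.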

How to Install and Uninstall EventLog Analyzer
How to install?
If you want to install EventLog Analyzer 32 bit version:

In Windows OS, execute ManageEngine_EventLogAnalyzer.exe


In Linux OS, execute ManageEngine_EventLogAnalyzer.bin

If you want to install EventLog Analyzer 64 bit version:

In Windows OS, execute ManageEngine_EventLogAnalyzer_64bit.exe


In Linux OS, execute ManageEngine_EventLogAnalyzer_64bit.bin

For Linux installation:

Before installing EventLog Analyzer, make the installation file executable by running the following command in a Unix terminal or shell:

> chmod +x ManageEngine_EventLogAnalyzer.bin

Now run ManageEngine_EventLogAnalyzer.bin by double-clicking it or by running ./ManageEngine_EventLogAnalyzer.bin in the terminal or shell.

Upon starting the installation you will be taken through the following steps:

Agree to the terms and conditions of the license agreement. You may print it for offline reference.
Select the folder to install the product. Use the Browse option. The default installation location
is C:\ManageEngine\EventLog Analyzer. If the new folder or the default folder does not exist, it will be created and
the product will be installed.
Enter the web server port. The default port number is 8400. Ensure that the default port or the port you have
selected is not occupied by some other application.
Enter the folder name in which the product will be shown in the Program Folder. The default name
is ManageEngine EventLog Analyzer.
Enter your personal details to get assistance.

At the end of the procedure, the wizard displays the ReadMe file and starts the EventLog Analyzer server.
With this the EventLog Analyzer product installation is complete.

How to uninstall?
The procedure to uninstall for both 64 Bit and 32 Bit versions is the same.

Windows:

1. Navigate to the Program folder in which EventLog Analyzer has been installed. By default, this is Start > Programs >

ManageEngine EventLogAnalyzer <version number>.

2. Select the option Uninstall EventLogAnalyzer.

3. You will be asked to confirm your choice, after which EventLog Analyzer is uninstalled.

Linux:

1. Navigate to "<EventLogAnalyzer Home>/_ManageEngine EventLogAnalyzer_installation" directory.

2. Execute the command in Terminal Shell.

3. You will be asked to confirm your choice, after which EventLogAnalyzer is uninstalled.

How to Start and Shutdown EventLog Analyzer
Once you have successfully installed EventLog Analyzer, start the EventLog Analyzer server by following the steps below.

How to start EventLog Analyzer Server/Service


Windows Application:

Select the desktop shortcut icon for EventLog Analyzer to start the server. (or)
Select Start > Programs > ManageEngine Log360 <version number> > Log360 to start the server.
If the server is already started and you wish to access it, you can use the tray icon in the task bar to connect to EventLog Analyzer.

Windows Service:

During installation, you would have chosen to install EventLog Analyzer as an application or a service. If you installed it as
an application, you can carry out the procedure to convert the software installation to a Windows Service .

Once the software is installed as a service, follow the steps given below to start EventLog Analyzer as a Windows Service:

Go to the Windows Control Panel > Administrative Tools > Services.


Right click ManageEngine EventLog Analyzer <version number> and select Start in the menu.
Alternatively, right click and select Properties. In the General tab, check that the Service status is "Stopped" and that the Start button is enabled while the other buttons are grayed out. Click the Start button to start the server as a Windows service.

Linux Application:

Navigate to the <EventLog Analyzer Home>/bin directory and execute the run.sh file.
When run.sh is executed, a command window opens and displays the startup information of several EventLog Analyzer modules. Once all the modules are successfully started, the following message is displayed:

Server started.

Please connect your client at http://localhost:8400

The 8400 port is replaced by the port you specified as the web server port during installation.

Note: If the default syslog listener port of EventLog Analyzer is not free, EventLog Analyzer displays "Can't Bind to Port <Port Number>" when you log in to the UI.

Linux Service:

During installation, you would have chosen to install EventLog Analyzer as an application or a service. If you installed it as
an application, you can carry out the procedure to convert the software installation to a Linux Service.

Once the software is installed as a service, execute the command given below to start Linux Service:

> /etc/init.d/eventloganalyzer start

Check the status of the EventLog Analyzer service by executing the following command (sample output given
below):

> /etc/init.d/eventloganalyzer status

ManageEngine EventLog Analyzer 11.0 is running (<Process ID>).

How to shut down EventLog Analyzer Server/Service


Follow the steps below to shut down the EventLog Analyzer server. Note that once the server is successfully shut down, the
PostgreSQL/MySQL database connection is automatically closed, and all the ports used by EventLog Analyzer are freed.

Windows Application:

Navigate to the Program folder in which EventLog Analyzer has been installed. By default, this is Start > Programs >
ManageEngine Log360 <version number>. Select the Shut Down EventLog Analyzer option.
Alternatively, you can navigate to the <EventLog Analyzer Home>\bin folder and execute the shutdown.bat file.
You will be asked to confirm your choice, after which the EventLog Analyzer server is shut down.

Windows Service:

To stop a Windows service, follow the steps given below.

Go to the Windows Control Panel. Select Administrative Tools > Services.


Right click ManageEngine EventLog Analyzer <version number>, and select Stop in the menu.
Alternatively, right click and select Properties. In the General tab, check that the Service status is 'Started', that the
Stop button is enabled, and that the other buttons are grayed out. Click the Stop button to stop the Windows service.

Linux Application:

Navigate to the <EventLog Analyzer Home>\bin directory. Execute the shutdown.sh file.
You will be asked to confirm your choice, after which the EventLog Analyzer server is shut down.

Linux Service:

Execute the commands given below to stop the Linux service (sample outputs are given):

Stop the service

> /etc/init.d/eventloganalyzer stop

Stopping ManageEngine EventLog Analyzer <version number>...

Stopped ManageEngine EventLog Analyzer <version number>


Check the status of the service again:

> /etc/init.d/eventloganalyzer status

ManageEngine EventLog Analyzer <version number> is not running.

How to restart EventLog Analyzer Server/Service


1. Stop EventLog Analyzer:

For the console application

Windows

Find the EventLog client from the process list.

Right click on this and select shutdown.

(or)

Use the Direct Call option.

Linux:

Use the Direct Call option.

Direct Call:

Go to <EventLog Analyzer Home>\bin.

Execute the shutdown.bat file.

Wait till the process completes.

For the service mode:

Go to the service console.

Find the ManageEngine EventLog Analyzer service.

Click on 'Stop'.

2. Start EventLog Analyzer:

For the console application:

Direct Call:

Click on the shortcut icon.

(or)

Go to <EventLog Analyzer Home>\bin.

Execute wrapper.exe ..\server\conf\wrapper.conf

Note: You can also execute run.bat but this is not preferred.

For the service mode:

Go to the service console.

Find the ManageEngine EventLog Analyzer service.

Click on 'Start'.

Access EventLog Analyzer Server
Once the server has successfully started, follow the steps below to access EventLog Analyzer.

Open a supported web browser. Type the URL address as http://<devicename>:8400 (where <devicename> is the
name of the machine on which EventLog Analyzer is running, and 8400 is the default web server port).
You can also open EventLog Analyzer from the EventLog Analyzer shortcut available in the desktop.
Log in to EventLog Analyzer using the default username/password combination of admin/admin.
If you import users from Active Directory or add RADIUS server details, you will find that the options are listed in
the Log on to field (below the Password field). In this case, enter the User Name, Password, and select one of the
three options in Log on to (Local Authentication or Radius Authentication or Domain Name). Click the Login
button to connect to EventLog Analyzer.

EventLog Analyzer provides two external authentication options apart from the local authentication. They are Active
Directory and Remote Authentication Dial-in User Service (RADIUS) authentication. The Log on to field will list the
following options:

Local Authentication - If the user details are available in the local EventLog Analyzer server user database.
Radius Authentication - If the user details are available in a RADIUS server and dummy user entries are available in
the local EventLog Analyzer server user database.
Domain Name(s) - If the user details of a domain are imported from Active Directory into the local EventLog
Analyzer server user database.

Once you log in, you can start collecting logs, generating reports and more.

How do I backup my database?
Below are the procedures for backing up data from PostgreSQL, MySQL and MS SQL databases.

Note: Before starting the backup process, stop EventLog Analyzer service.

Database backup procedures for PostgreSQL:


Take a backup of the existing EventLog Analyzer PostgreSQL database by creating a ZIP file of the contents available
in <EventLog Analyzer Home>\pgsql directory and save it as pgsql_backup.zip in <EventLog Analyzer Home> directory.

Database backup procedure for MySQL:


Take a backup of existing EventLog Analyzer MySQL database by creating a ZIP file of the contents available
in <EventLog Analyzer Home>\mysql directory and save it as mysql_backup.zip in <EventLog Analyzer Home> directory.

Database backup procedure for MS SQL:


Find the current location of the data and log file for the database eventlog by using the following commands:

> use eventlog

go

sp_helpfile

go

Detach the database using the following commands:

> use master

go

sp_detach_db 'eventlog'

go

Back up the data file and log file from the current location <MSSQL Home>\data\eventlog.mdf and
<MSSQL Home>\data\eventlog_log.LDF to the new location <New Location>\eventlog.mdf and
<New Location>\eventlog_log.LDF.
Re-attach the database, pointing to the old location, by using the following commands:

> use master

go

sp_attach_db 'eventlog', '<MSSQL Home>\data\eventlog.mdf', '<MSSQL Home>\data\eventlog_log.LDF'

go

License Details
Unlike some of our competitors, who charge based on log volume processed, ManageEngine EventLog Analyzer offers a
simple licensing model. Licensing is based on the edition, license model and number of devices. The editions
are Standalone/Premium and Distributed. The license models are Perpetual (Standard) and Annual Subscription Model
(ASM).

EventLog Analyzer comes in two editions: Standalone and Distributed. The solution is licensed based on the number of
Windows Workstations, Windows Servers, and Syslog devices, along with add-ons such as Application Auditing for IIS and
SQL servers, Linux File Server Auditing and Advanced Threat Analytics.

Available Editions
Standalone Edition

If your company is a Small or Medium Business (SMB), the network is in a single geographical location, and the number of
devices and/or applications to be monitored is less than 1000, the Standalone edition is suitable for your company. Also, the
log reception rate should be well within 20,000 logs/second. If your log rate increases, then you can easily switch over to
Distributed Edition to handle the capacity.

Distributed Edition

If your company is a Large Business or Managed Security Service Provider (MSSP), and the network is spread
across multiple geographical locations, the Distributed edition is suitable for your company. You can monitor from 50 to a
virtually unlimited number of hosts/applications with this edition.

License Models
Perpetual model

In this model, the licensing is perpetual and a nominal amount is charged as Annual Maintenance and Support (AMS) fee to
provide the maintenance, support, and updates.

Annual Subscription model

In this model, the license is valid for one year, after which it expires. To continue, the license should be renewed
every year. The Annual Maintenance and Support (AMS) fee is included in the subscription price and is not charged separately.

Advantages of ManageEngine Licensing

Simple, cost-conscious, need-based licensing, depending on the number of devices/applications to be monitored.


The 64-bit installation is of the same price as 32-bit installation.
The Distributed license is applied on the Admin server and there will be no restriction on the number of Managed
servers deployed.

How to choose the license

Assess your network and decide upon Standalone or Distributed.


Choose Perpetual model for a license with no expiry and choose Annual Subscription Model for low entry cost.
Decide upon the number of devices/ applications to be monitored.

Upgrade from evaluator to purchased license

Before upgrading the current license, ensure that you save the new license file from ZOHO Corp. on the machine in
which EventLog Analyzer is installed.
After you log in to EventLog Analyzer, click the Upgrade License link present in the top-right corner of the UI.
Browse for the new license file and select it.
Click Upgrade to apply the new license file.

Note: The new license is applied with immediate effect. You do not have to shut down and restart the server after the
license is applied.

Display license details


The License window that opens up displays the license information for the current EventLog Analyzer installation. It
displays the following information:

Type of license applied - Free or Premium or Distributed


Number of days remaining for the license to expire
Maximum number of devices that you are allowed to manage

Get Started
EventLog Analyzer is a comprehensive log management solution for SIEM and compliance. Here are some points to help
you get started once you've installed EventLog Analyzer.

Home

The Home tab provides dashboards that allow you to gain a high-level overview of important security events in the
network. You can view the severity levels of events, trends in logs, network traffic, and security threats that have been
flagged.

Reports

The Reports tab displays audit reports. EventLog Analyzer provides over 1000 pre-built reports for a wide range of devices,
networking equipment, and applications. You can view, add, manage, schedule, and filter reports from the Reports tab. To
learn more about EventLog Analyzer's reports, click here.

Compliance

EventLog Analyzer simplifies IT compliance and regulatory audits. The Compliance tab in the UI helps you export
comprehensive compliance reports in any format, tweak the existing report templates, and create new compliance reports.
Click here to learn more about compliance reports.

Search

The Search tab allows you to search through your logs and extract relevant information about a security incident. The click-
based search engine makes it easy to drill-down to the root cause of an incident. The search results can then be saved as a
report for auditors.

Correlation

EventLog Analyzer's real-time correlation engine helps you detect and mitigate security threats at an early stage. You can
leverage the predefined rules that address a wide range of use cases and set custom rules based on the requirements of
your organization. Click here to learn more about the correlation feature in EventLog Analyzer.

Alerts

The Alerts tab in the UI helps you view all alerts that have been triggered in your network. You can leverage the built-in
alert profiles and configure custom alerting criteria as per your requirements. Furthermore, critical capabilities for incident
response such as ticketing tool integrations and response workflows can be configured here.

Settings

The Settings tab can be used to access the configuration settings, admin settings and system settings.

LogMe

The LogMe tab in the UI displays the different log sources supported by EventLog Analyzer and describes how to configure
them for auditing.

Support

The Support tab allows you to get in touch with our technical support team and gives you access to resources that help you
learn more about the solution. You can also request for a new feature and create support logs from this tab.

+Add

The +Add button in the UI is a shortcut that helps you add log sources for auditing and configure alerts, reports and log
filters without having to use the settings tab.

Just getting started? Download our quick start guide to see how to install EventLog Analyzer, add devices, import logs etc.

Chapter 4 Add Log Sources

Adding Devices
Add a device in the user interface using any one of the following menu options:

Home tab > Manage Devices > Devices > +Device


+Add tab > Device
Settings tab > Configurations > Device Management > +Add Device(s)

Adding Device Groups


You can group your devices into a particular Device Group. The default device groups available are Windows Group, Unix
Group and Default Group (which contains all the devices). To add a new device group, click on the Add link beside the Device
Groups field in the Device Group Management page. You can also manage the device groups in the Device Group Management
page.

Adding Windows devices
On all Windows devices, ensure that WMI and DCOM are enabled, and that logging is enabled for the respective modules/objects.
To forward the Windows event logs in syslog format, use a third-party utility like SNARE. To add a domain or to update a
domain or workgroup, refer to the Domains and Workgroups page.

To add Windows devices


1. Click on +Add Device(s) and select the domain from the Select Category drop down menu. The Windows devices in the
selected domain will be automatically discovered and listed.

2. Select the device(s) by clicking on the respective checkbox(es). You can easily search for a device using the search box
or by filtering based on the OU using OU Filter.

3. Click on the Add button to add the device(s) for monitoring.

To add workgroup(s):
1. Choose the workgroup under the Workgroups option in the Select Category drop down menu.

2. Select the device(s) by clicking on the respective checkbox(es).

3. Click on the Add button to add the device(s) for monitoring.

Note: You have the option to update, reload and delete a workgroup by clicking on the respective icons next to
the Select Domain drop down window. Optionally, you can manually add the device as shown below by clicking
on the Configure Manually link.

1. Enter the Device name or IP address. You can add the device as a Syslog device by clicking the Add as Syslog device
checkbox.

2. Enter the Username and Password with administrator credentials, and click on Verify Credential.

3. Click on the Add button to add the device for monitoring.

Caution: If EventLog Analyzer has been installed on a UNIX machine, it cannot collect event logs from Windows
devices. However, third party applications can be used to convert the Windows event logs to Syslogs and forward
them to EventLog Analyzer.

Adding Syslog Devices
Prerequisite: Click here to configure the syslog services on your device.

In the Manage Devices page, navigate to the Syslog Devices tab and click on the +Add Device(s) button.

Enter the device name or IP address in the Device(s) field and click on the Add button. Follow the steps below to discover
and add the Syslog devices in your network automatically:
1. Click on the Discover & Add link in the Add Syslog Devices window. You can discover the Syslog devices in your
network based on the IP range (Start IP to End IP) or CIDR.

2. Enter the Start IP and End IP or the CIDR range in order to discover the Syslog devices and click on Next.

3. Pick the SNMP credentials to automatically discover the Syslog devices in your network. By default, the public SNMP
credentials can be used to scan the Syslog devices in your network.

4. You may also add an SNMP credential by clicking on the +Add Credential button. Once you pick the SNMP credential,
click on the Scan button to automatically discover the Syslog devices in the specified IP or CIDR range.

5. Select the device(s) by clicking on the respective checkbox(es). You can easily search for a device using the search box
or by filtering based on the Device Type and Vendor.

6. Click on the Add Device(s) button to add the devices for monitoring.

Once a Unix device has been added, you will be prompted to Configure Auto Log Forward.
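The two ways of scoping the discovery scan (a Start IP to End IP range, or a CIDR block) expand to different sets of addresses, and a reversed or malformed range should be refused before any SNMP request is sent. The helper below is an added example, not code from EventLog Analyzer or this guide; it expands either form into the exact address list a scan would probe, leaving out network and broadcast addresses for CIDR input unless asked. All addresses in it are constructed samples.

```python
"""Expand the scope of a syslog device discovery scan.

Added example, not code from EventLog Analyzer or this guide. The Discover &
Add window accepts either a Start IP / End IP pair or a CIDR block; this
helper turns either form into the exact list of addresses a scan would probe,
and rejects input the form would also refuse (a reversed range, mixed IP
versions, malformed notation). The addresses used are constructed samples.
"""
import ipaddress
from typing import Dict, List


def addresses_from_range(start_ip: str, end_ip: str) -> List[str]:
    """Every address from start_ip to end_ip inclusive, in ascending order."""
    start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
    if start.version != end.version:
        raise ValueError("Start IP and End IP must be the same IP version")
    if end < start:
        raise ValueError(f"End IP {end} precedes Start IP {start}")
    # summarize_address_range yields the minimal set of blocks covering exactly
    # this interval, so nothing outside Start..End is ever probed.
    return [str(addr)
            for block in ipaddress.summarize_address_range(start, end)
            for addr in block]


def addresses_from_cidr(cidr: str, include_network_and_broadcast: bool = False) -> List[str]:
    """Host addresses inside a CIDR block; 10.0.0.5/24 is normalised to 10.0.0.0/24."""
    block = ipaddress.ip_network(cidr, strict=False)
    # hosts() leaves out the network and broadcast addresses of blocks larger
    # than /31, which is what a device scan wants by default.
    addrs = block if include_network_and_broadcast else block.hosts()
    return [str(addr) for addr in addrs]


def scan_scope(spec: str) -> List[str]:
    """Accept 'Start IP - End IP' or CIDR notation, as the discovery form does."""
    spec = spec.strip()
    if "/" in spec:
        return addresses_from_cidr(spec)
    start, sep, end = spec.partition("-")
    if not sep:
        raise ValueError("expected 'start-end' or CIDR notation")
    return addresses_from_range(start.strip(), end.strip())


def is_valid_scope(spec: str) -> bool:
    """True when `spec` is something the scan could act on."""
    try:
        return len(scan_scope(spec)) > 0
    except ValueError:
        return False


def scope_summary(spec: str) -> Dict[str, object]:
    """What a scan of `spec` would touch: how many probes, and the bounds."""
    addrs = scan_scope(spec)
    if not addrs:
        return {"count": 0, "first": None, "last": None}
    return {"count": len(addrs), "first": addrs[0], "last": addrs[-1]}
```

`scope_summary` is the check worth running before a large scan: a mistyped CIDR prefix (a /16 where a /24 was meant) turns a few hundred probes into tens of thousands, and the count makes that visible before the Scan button is clicked.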

Adding Common Event Format (CEF) Devices
1. Login to the application or device which supports CEF log format.

2. Go to syslog server configuration.

3. In the field for Log Format, select CEF Format.

4. In the Syslog Server IP address field, enter the <EventLog Analyzer IP address>.

5. Enter the syslog port and save the configuration.

To add CEF devices to EventLog Analyzer, click here.
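What the collector receives after the steps above is a syslog line whose message part is a CEF record. The parser below is an added example, not code from EventLog Analyzer or from any device vendor; it splits the seven header fields while honouring the backslash escapes for `|` and `\`, then splits the extension into key/value pairs where values may contain spaces and escaped `=` characters. The sample records are constructed.

```python
"""Parse Common Event Format (CEF) records as a syslog collector receives them.

Added example, not code from EventLog Analyzer or from any device. A record is
  CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
and usually follows a syslog header. In the seven header fields '|' and '\\' are
escaped with a backslash; in the extension '=' and '\\' are escaped and values
may contain spaces, so a value runs until the next 'key=' token.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# An extension key starts the extension or follows whitespace and is directly
# followed by '='; an escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


@dataclass
class CefEvent:
    syslog_prefix: str
    header: Dict[str, str]
    extension: Dict[str, str] = field(default_factory=dict)


def _split_header(text: str) -> Tuple[List[str], str]:
    """Cut the seven header fields off `text`, honouring \\| and \\\\ escapes."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:  # severity came last with no trailing '|'
        fields.append("".join(buf))
        i = len(text)
    if len(fields) < 7:
        raise ValueError(f"CEF header has {len(fields)} fields, expected 7")
    return fields, text[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    keys = list(_KEY_RE.finditer(ext))
    result: Dict[str, str] = {}
    for idx, match in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[match.end():end].rstrip()
        result[match.group(1)] = re.sub(r"\\([\\=nr])",
                                        lambda m: _EXT_ESCAPES[m.group(1)], raw)
    return result


def parse_cef(line: str) -> CefEvent:
    """Parse one record; raises ValueError for lines that are not CEF."""
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("not a CEF record: no 'CEF:' marker")
    fields, ext = _split_header(line[marker + 4:])
    return CefEvent(syslog_prefix=line[:marker].rstrip(),
                    header=dict(zip(HEADER_FIELDS, fields)),
                    extension=_parse_extension(ext.strip()))


def severity_rank(severity: str) -> int:
    """Map CEF severity (0-10, or Low/Medium/High/Very-High) to the 0-10 scale."""
    words = {"low": 0, "medium": 4, "high": 7, "very-high": 9}
    text = severity.strip().lower()
    if text in words:
        return words[text]
    value = int(text)
    if not 0 <= value <= 10:
        raise ValueError(f"severity out of range: {severity!r}")
    return value


# Constructed sample records: one behind a syslog header, one exercising every
# escape rule, and one without an extension.
SAMPLE_LINES = [
    r"Sep 19 08:26:10 fw01 CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    r"CEF:0|Acme\|Corp|Gate\\way|2.3|4711|Detected a \| in name|Medium|msg=path C:\\temp\\x.txt rule\=42 act=blocked suser=alice",
    "CEF:0|Vendor|Product|1.0|7|no extension|3",
]


def parse_samples() -> List[CefEvent]:
    return [parse_cef(line) for line in SAMPLE_LINES]
```

The escape handling is the part that matters for a collector: a device name containing `|`, or a file path in `msg` with backslashes, must not shift the header fields or split the extension, otherwise the severity and signature ID end up in the wrong columns and alerts keyed on them silently miss.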

Adding Other Devices
In the Manage Devices page, navigate to the Other Devices tab and select the device type as required.

1. Select the Device Type as ESXi/IBM AS/400.

2. Enter the Device Name.

3. Click on the Add button to add the device for monitoring.

Adding IBM iSeries (AS/400) devices
Keep the ports 446-449, 8470-8476, 9470-9476 open in EventLog Analyzer to receive IBM AS/400 machine logs.

In the Manage Devices page, navigate to the Other Devices tab and click on the Add Device(s) button. This will open the
Add Device(s) window.

1. Choose the Device type as IBM AS/400.

2. Use the Device Name box to type a single device name, or a list of device names separated by commas.

3. Specify the Monitor Interval to configure the frequency at which EventLog Analyzer should fetch logs from the IBM
AS/400 machines. The default (and minimum) monitor interval is 10 minutes.

4. Enter credentials (Login Name and Password) with admin privileges. Verify the details using the Verify Credential link
beside the password text.

5. Select the Date Format and the Delimiter. This is the date format used in the logs that will be collected from the IBM
AS/400 devices.

6. Click Add and Close to add this device and return to the list of monitored devices, or click Add to add this device and
continue adding more devices.

To import SSL certificate, follow the steps below:

1. Save the SSL certificate in the location C:\test.cer

2. In the command prompt, navigate to <installation folder>

3. Run the command keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file C:\test.cer

4. Provide the password when prompted. The default password is Changeit

5. To trust the certificate, press Y

6. Restart the EventLog Analyzer server. The certificate will be successfully added.

Note: The credentials provided must have an authority level of 50. Otherwise, EventLog Analyzer will not be able to
log in to fetch History logs from these devices.

Adding VMware (ESXi) devices
1. In the Manage Devices window, navigate to the Other Devices tab and click on +Add Device(s).

2. Select the Device Type as ESXi and add the VMware device as a Unix device as per the steps given here.

3. Configure the syslog daemon in the VMware device as per the steps mentioned here.

Adding vCenter
The vCenter servers to be monitored by EventLog Analyzer can be added using the Add vCenter button. You can also view
and manage the vCenter servers that are being monitored.

Adding SQL server
Steps to add a SQL Server
1. Navigate to Settings > Configuration > Manage Application Sources.

2. In the Application Source Management page, click + Add SQL Server Instance. The SQL Server instances are
automatically discovered and listed.

3. Select the SQL Server instance(s) you wish to monitor and click Next. You will be taken to the Credential
Configuration page and prompted to enter valid credentials.

4. If you wish to use the default credentials, select the check-box (default credentials could be the device, domain or
logged-on credentials). Alternatively, you can enter a username and password in the credentials field and click Save.

If the SQL Server instance you wish to add for monitoring is not discovered automatically, click
+ Add Manually and you will be prompted to enter details for the Windows Server configuration and the SQL Server instance
configuration.

Steps to add a SQL Server instance manually


Windows server configuration

Select the Windows server and enter valid credentials. Alternatively, you can use the default credentials.
SQL Server instance configuration
Enter the instance name, port number, and credentials in the given fields.
Enable or disable Advanced Auditing.

Note: Enabling advanced auditing will create an audit policy and disabling advanced auditing will remove
the audit policy on the selected SQL Server instance.

Select the instance authentication method (Windows or SQL authentication) from the available dropdown menu.
Click Add.

Advanced Auditing

The following are configured when Advanced Auditing is enabled.

DDL/DML monitoring: A Server Audit is created with a Server Audit Specification for the following audit action types:
1. FAILED_LOGIN_GROUP

2. SUCCESSFUL_LOGIN_GROUP

3. DATABASE_OBJECT_CHANGE_GROUP

4. DATABASE_PRINCIPAL_CHANGE_GROUP

5. SCHEMA_OBJECT_CHANGE_GROUP

6. SERVER_PRINCIPAL_CHANGE_GROUP

7. LOGIN_CHANGE_PASSWORD_GROUP

8. SERVER_STATE_CHANGE_GROUP

9. SCHEMA_ACCESS_CHANGE_GROUP

Note:
The minimum permission required for a user for advanced auditing is CONTROL SERVER.
EventLog Analyzer supports DDL/DML auditing for the following editions:
Prior to Microsoft SQL Server 2012 - Enterprise and Datacenter editions.
Microsoft SQL Server 2012 and later - Enterprise, Datacenter, and Standard editions.

Database auditing

Only enabled SQL Server instances will be audited. Data presented in the reports is retrieved and updated at the last hour
of each day.

Column Integrity Monitoring

1. The Column Integrity Monitoring report provides information on the changes in a monitored column, including who
changed the value, at what time the value was changed, and the database table in which the value was changed.
Additionally, the old and new values are shown.

2. Data types such as text, ntext, and image will not be monitored.

3. Columns to be monitored must be chosen carefully, as triggers are used to monitor changes, which is a
performance-intensive operation.

Events Collected

The following are the IDs of events that are collected when advanced auditing is enabled:

SQL Server DBCC Information Reports - 211, 427, 610, 8440, 9100, 15612, 15615, 2509, 2510, 2514, 17557

SQL Server Host Activity Reports - 18100

SQL Server Integrity Reports - 806, 825

SQL Server Logins Reports - 18453, 18454, 18455, 28046, 15537, 15538, 18401, 18451, 18456, 18461, 18462, 18463,
18464, 18465, 18466, 18467, 18468, 18470, 18471, 18486, 18487, 18488, 28048

SQL Server Permission Denied Reports - 229, 300, 230, 262, 916, 5011

SQL Server Violation Reports - 17308, 17311

Viewing added SQL Server instances


EventLog Analyzer lists all the SQL Server instances being monitored. From this list, you can enable, disable, or delete SQL
Server instances.

Adding an IIS server

1. Navigate to Settings > Configuration > Manage Application Sources.

2. In the Application Source Management page, click the + Add IIS server button.

3. Click the + icon to browse and add IIS servers.

4. If you wish to use the default credentials, select the check-box (default credentials could be the device, domain or
logged-on credentials). Alternatively, you can enter a username and password in the credentials field.

5. Select the time-zone from the dropdown menu and enter the desired monitoring interval.

Note:

The time-zone selected must be the same as that of the IIS server. Also, EventLog Analyzer uses port 445 (TCP)
to read IIS log files using the Server Message Block (SMB) protocol.

6. Click on + Add Sites. From the list of discovered sites, choose the sites you wish to monitor.

Alternatively, you can manually add a site by entering the site name, protocol, and log file path in the pop-up that
appears. Choose the file encoding scheme and schedule the log file rollover.

7. Click Add and then Configure to start monitoring the site.

IIS Configuration Change Logs


IIS configuration change logs are collected in the same way as Windows event logs, through the
Microsoft-IIS-Configuration/Operational event source.

Troubleshooting steps:

1. Ensure that configuration log has been successfully configured. If not, you must configure it.

2. The device that has been configured must be enabled. This can be done in the Manage Devices tab.

3. Ensure that the Microsoft-IIS-Configuration/Operational option is enabled in the configure event source file for the
device. This option can be enabled in the Manage Devices tab.

4. The credentials provided must have the WMI access.

Adding MySQL Server
To add a MySQL server for monitoring:

Navigate to Settings > Manage application sources > MySQL Server.


Click on the +Add Instance button.

Enter the name of the device or click on the + icon to choose from the list of discovered MySQL servers.
Enter the port number of the MySQL server.

Note: If the name of the MySQL server is entered manually, the port number must also be entered. For MySQL
servers selected from the list of discovered servers, the port number is filled in automatically.

Select the appropriate protocol to be used from the drop down.


Enter the file path of the general and error logs.
Click on Verify & Save to save the changes made.

Advanced Settings

To make changes to the time zone and file encoding, click on the Advanced button and choose the relevant option from the
drop downs provided.

Prerequisites to Discover MySQL Servers


Discovering MySQL servers in UNIX or Linux devices:

The MySQL server configuration file is found using the mysqld process.

The Secure Shell protocol is used to access the mysqld process to get the configuration file path.
The SFTP protocol is used to read configuration file.

Discovering MySQL servers in Windows devices:

The MySQL server configuration file is found using the mysqld.exe process.

WMI API is used to access mysqld.exe process to get the configuration file path.
SMB protocol is used to read the configuration file.

In addition, the configuration file parameters are explored in the order:

--defaults-extra-file
--defaults-file

If the MySQL configuration file is not found with the mysqld or mysqld.exe process, then the following occurs:

UNIX or Linux: The configuration file location defaults to the following locations, in order:

/etc/my.cnf
/etc/mysql/my.cnf

Windows: The configuration file location defaults to the following locations, in order:

C:/Windows/my.ini
C:/Windows/my.cnf
C:/my.ini
C:/my.cnf

From the command line parameters and the configuration file, the MySQL server General log path and Error log path are
discovered.
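The discovery logic above (command-line option first, then the platform's default file locations, then the log paths read from the file) can be written out end to end. The following is an added example, not EventLog Analyzer code: it follows the search order stated in this section, reads `general_log_file` and `log_error` from the `[mysqld]` section, and lets command-line options override the file, as mysqld itself resolves them. The command lines, file contents and the in-memory stand-in for the file system are all constructed.

```python
"""Find a MySQL server's configuration file and the log paths it declares.

Added example, not code from EventLog Analyzer. Search order follows this
guide: --defaults-extra-file, then --defaults-file from the mysqld command
line, then the platform's default locations in order. The General log and
Error log paths are read from [mysqld]; command-line options override them.
"""
import configparser
from typing import Callable, Dict, List, Optional

# Default locations searched when the process names no config file.
DEFAULT_LOCATIONS = {
    "linux": ["/etc/my.cnf", "/etc/mysql/my.cnf"],
    "windows": ["C:/Windows/my.ini", "C:/Windows/my.cnf", "C:/my.ini", "C:/my.cnf"],
}


def option_value(argv: List[str], name: str) -> Optional[str]:
    """Value of --name=value or --name value; dashes and underscores are equivalent."""
    wanted = name.replace("-", "_")
    for i, arg in enumerate(argv):
        if not arg.startswith("--"):
            continue
        key, has_eq, value = arg[2:].partition("=")
        if key.replace("-", "_") != wanted:
            continue
        if has_eq:
            return value
        if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            return argv[i + 1]
        return None
    return None


def find_config_file(argv: List[str], platform: str,
                     exists: Callable[[str], bool]) -> Optional[str]:
    """Config path from the process arguments first, then the platform defaults."""
    for name in ("defaults-extra-file", "defaults-file"):
        path = option_value(argv, name)
        if path:
            return path
    for candidate in DEFAULT_LOCATIONS[platform]:
        if exists(candidate):
            return candidate
    return None


def _clean(value: Optional[str]) -> Optional[str]:
    if not value:
        return None
    return value.strip().strip("\"'") or None


def log_paths_from_config(text: str) -> Dict[str, Optional[str]]:
    """general_log_file and log_error from the [mysqld] section of an option file."""
    # configparser cannot handle !include directives; they are not needed here.
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("!")]
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                       strict=False, delimiters=("=",),
                                       inline_comment_prefixes=("#",))
    # MySQL treats log-error and log_error as the same option.
    parser.optionxform = lambda opt: opt.strip().replace("-", "_").lower()
    parser.read_string("\n".join(lines))
    section = parser["mysqld"] if parser.has_section("mysqld") else {}
    return {"general_log": _clean(section.get("general_log_file")),
            "error_log": _clean(section.get("log_error"))}


def discover_log_paths(argv: List[str], platform: str,
                       files: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Resolve the config file, read its log paths, then apply command-line overrides."""
    path = find_config_file(argv, platform, files.__contains__)
    paths: Dict[str, Optional[str]] = {"general_log": None, "error_log": None}
    if path is not None and path in files:
        paths = log_paths_from_config(files[path])
    for option, key in (("general-log-file", "general_log"), ("log-error", "error_log")):
        override = option_value(argv, option)
        if override:
            paths[key] = override
    return {"config_file": path, **paths}


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    # Constructed stand-in for the file system: path -> file contents.
    files = {
        "/etc/mysql/my.cnf": ("# constructed sample\n[mysqld]\n"
                              "log-error = /var/log/mysql/error.log\n"
                              "general_log_file = /var/log/mysql/mysql.log  # inline comment\n"
                              "skip-name-resolve\n!includedir /etc/mysql/conf.d/\n"),
        "/srv/db/extra.cnf": "[mysqld]\nlog_error=\"/srv/db/err.log\"\n",
        "C:/my.ini": "[mysqld]\ngeneral-log-file = \"C:/ProgramData/MySQL/general.log\"\n",
    }
    cases = {
        "extra_file": (["/usr/sbin/mysqld", "--defaults-extra-file=/srv/db/extra.cnf"], "linux"),
        "linux_default": (["/usr/sbin/mysqld"], "linux"),
        "cmdline_override": (["/usr/sbin/mysqld", "--general-log-file=/tmp/g.log"], "linux"),
        "windows_default": (["mysqld.exe"], "windows"),
        "missing": (["mysqld.exe", "--defaults-file=D:/nope.ini"], "windows"),
    }
    return {name: discover_log_paths(argv, plat, files) for name, (argv, plat) in cases.items()}
```

In a real run the `argv` comes from the `mysqld` or `mysqld.exe` process (over SSH or WMI, as described above) and `files` is replaced by reads over SFTP or SMB; the `missing` case shows the outcome to expect when the process points at a file the collector cannot read, which is the usual reason discovery returns no log paths.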

Credentials for discovery:

For Windows devices, the credentials for discovery are picked in the following order:
1. Domain/workgroup credential if a device is under a domain or a workgroup.

2. Device credential, if it is provided in the "Manage Devices" page.

3. Logon credential.

For Linux devices, the credentials used while configuring auto log forward will be used for MySQL discovery.

Note: In Linux installations, MySQL server discovery on Windows devices is not possible.

Adding Oracle Application Server
Navigate to Settings > Configuration > Manage Application Sources. You can also click on the +Add button on the
top right corner of the Home page and select Application.
Next, select the Other Application Sources tab and click on the +Add Application button.
Enter the name of the device and click on the Add button.
After adding an Oracle device in EventLog Analyzer, configure the Oracle server as instructed below.

Oracle Server Configuration


Oracle server - Windows platform
Oracle server - Linux platform

Reference: http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#CEGBIIJD

For Oracle server installed in Windows platform

Connect to SQL*Plus using the sqlplus command.


Change audit parameters using the below command:

> ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

Restart the Oracle server to let the changes take effect.

For Oracle Server installed in Unix platform

To enable Oracle syslog auditing, follow the procedure given below:

1. Change audit parameters using the below command:

> ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

2. Manually add and set the AUDIT_SYSLOG_LEVEL parameter in the initialization parameter file, initsid.ora.

The AUDIT_SYSLOG_LEVEL parameter is set to specify a facility and priority in the format
AUDIT_SYSLOG_LEVEL=facility.priority.

facility: Describes the part of the operating system that is logging the message. Accepted values are user, local0-local7,
syslog, daemon, kern, mail, auth, lpr, news, uucp, and cron.

The local0-local7 values are predefined tags that enable you to sort the syslog message into categories. These
categories can be log files or other destinations that the syslog utility can access. To find more information about these
types of tags, refer to the syslog utility MAN page.

priority: Defines the severity of the message. Accepted values are notice, info, debug, warning, err, crit, alert, and
emerg.

The syslog daemon compares the value assigned to the facility argument of the AUDIT_SYSLOG_LEVEL parameter
with the syslog.conf file to determine where to log information.

For example, the following statement identifies the facility as local1 with a priority level of warning:

AUDIT_SYSLOG_LEVEL=local1.warning

See Oracle Database Reference for more information about AUDIT_SYSLOG_LEVEL.


3. Log in to the machine that contains the syslog configuration file, /etc/syslog.conf, with the superuser (root) privilege.

4. Add the audit file destination to the syslog configuration file /etc/syslog.conf.

For example: assuming you had set the AUDIT_SYSLOG_LEVEL to local1.warning, enter the following:

local1.warning /var/log/audit.log

This setting logs all warning messages to the /var/log/audit.log file.


5. Restart the syslog logger:

$ /etc/rc.d/init.d/syslog restart

Now, all audit records will be captured in the file /var/log/audit.log through the syslog daemon.

6. Restart the Oracle server so that the changes take effect.

Note: When logged in as SYSDBA/SYSOPER, Oracle database provides limited information on database activity
monitoring.
Hence, to get the complete audit trail activities of Oracle database, we suggest that you log in as a user with privilege
other than SYSDBA/SYSOPER.
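The facility.priority pair set in step 2 and the selector line added in step 4 have to agree, or the audit records never reach /var/log/audit.log. The helper below is an added example, not code from Oracle, EventLog Analyzer or this guide: it validates a value against the accepted facilities and priorities listed above, produces both the initsid.ora line and the /etc/syslog.conf line, and shows which priorities that selector captures, since in classic (BSD) syslog a selector such as local1.warning matches messages at warning and at every more severe priority. The destination file is the one the procedure above uses.

```python
"""Validate AUDIT_SYSLOG_LEVEL and show how syslog routes the audit records.

Added example, not code from Oracle, EventLog Analyzer or this guide. It checks
a facility.priority pair against the values accepted by AUDIT_SYSLOG_LEVEL,
builds the matching initsid.ora and /etc/syslog.conf lines, and reports which
message priorities the resulting selector captures.
"""
from typing import List, Tuple

# Facilities accepted by AUDIT_SYSLOG_LEVEL (step 2 above).
FACILITIES = ("user", *(f"local{i}" for i in range(8)), "syslog", "daemon",
              "kern", "mail", "auth", "lpr", "news", "uucp", "cron")
# Priorities in ascending order of severity. A classic syslog selector matches
# its own priority and everything to the right of it in this tuple.
PRIORITIES = ("debug", "info", "notice", "warning", "err", "crit", "alert", "emerg")


def parse_audit_syslog_level(value: str) -> Tuple[str, str]:
    """Split 'facility.priority' and reject values Oracle would not accept."""
    facility, sep, priority = value.strip().lower().partition(".")
    if not sep or not facility or not priority:
        raise ValueError(f"expected facility.priority, got {value!r}")
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility {facility!r}")
    if priority not in PRIORITIES:
        raise ValueError(f"unknown priority {priority!r}")
    return facility, priority


def is_valid_level(value: str) -> bool:
    try:
        parse_audit_syslog_level(value)
        return True
    except ValueError:
        return False


def init_ora_line(value: str) -> str:
    """The parameter line for initsid.ora (step 2)."""
    facility, priority = parse_audit_syslog_level(value)
    return f"AUDIT_SYSLOG_LEVEL={facility}.{priority}"


def syslog_conf_line(value: str, destination: str = "/var/log/audit.log") -> str:
    """The selector/action line to add to /etc/syslog.conf (step 4)."""
    facility, priority = parse_audit_syslog_level(value)
    return f"{facility}.{priority}\t{destination}"


def captured_priorities(value: str) -> List[str]:
    """Priorities the selector derived from `value` writes to its destination."""
    _, priority = parse_audit_syslog_level(value)
    return list(PRIORITIES[PRIORITIES.index(priority):])


def selector_matches(value: str, msg_facility: str, msg_priority: str) -> bool:
    """Would a message logged at msg_facility.msg_priority land in the audit file?"""
    facility, _ = parse_audit_syslog_level(value)
    return (msg_facility.lower() == facility
            and msg_priority.lower() in captured_priorities(value))
```

Because Oracle writes every audit record at the single priority configured, `captured_priorities` always includes it; the function is useful the other way round, to confirm that nothing else on the host logs to the chosen local facility at that priority or above, since such messages would be mixed into the audit file and collected as if they were database audit events.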



Adding Print Servers
To configure and monitor the logs of Print Servers, follow the procedure below.

Navigate to Settings > Configuration > Manage Application Sources. You can also click on the +Add button on the
top right corner of the Home page and select Application.
Next, select the Other Application Sources tab and click on the +Add Application button.
Choose the Application Type as Printer and enter the name of the device.
Click on the Add button.
After adding a Print Server in EventLog Analyzer, you can configure logging as instructed below.

Print Server Configuration

Enable Print Server Log: Go to Event Viewer > Application and Service Logs > Print Service. Right click on this and select
'Enable Log'. This will enable logging for the corresponding 'Admin', 'Debug' or 'Operational' processes. The logs can be
viewed in Event Viewer.

Note: If the print server device is a 64-bit Windows OS machine (i.e., Windows Vista and above), carry out the
following registry configuration:

Open the registry editor 'regedit' of the print server machine in the Command Line Window.
Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
To create a new key, right click on eventlog, click new > key. You can name the key as Microsoft-Windows-
PrintService/Operational or Microsoft-Windows-PrintService/Admin or Microsoft-Windows-
PrintService/Debug as per your logging process requirement.
For instance, if you need to enable logging for the Operational process, create a new key with the name Microsoft-
Windows-PrintService/Operational.

This will convert the log type to 'Administrative' thus enabling you to perform searches and generate reports out of these
logs.

This configuration is not required for 32-bit Windows OS versions.

In order to obtain the document name, you have to enable the following policy setting:

Computer Configuration>Administrative Templates>Printers> Allow job name in event logs

(or) Registry edit:


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Printers]
"ShowJobTitleInEventLogs"=dword:00000001



Adding a Syslog Application
When should Syslog Application be used?

If syslogs are simultaneously forwarded from a device that has already been configured as a Windows Device, the EventLog
Analyzer server will ignore the syslogs in order to maintain a single base log source. If you want to configure the EventLog
Analyzer server to also receive syslogs from a Windows device, follow the procedure given below:

Navigate to Settings > Configuration > Manage Application Sources
Click on the Other Application Sources tab
Choose Syslog Application as Application Type
Mention the name of the Device and click Add

In Search

Navigate to Search. You can search for Syslog Application logs by clicking the drop down box and scrolling down. You will
find a specific logtype categorization for Syslog Application.



To gain more insights from Syslog Application logs, you can extract or create custom/new fields from the logs. Click here to
know more.



Adding Sysmon Application
Sysmon (System Monitor), when installed on a system, audits the activities of the system, which include registry activities,
file activities, process activities, network driver activities and more.

Devices that have Sysmon installed in them can be added as Sysmon Application to categorize the events into different
reports.

The procedure to add a device as a Sysmon Application is given below.

Navigate to Settings > Configuration > Manage Application Sources
Click on the Other Application Sources tab.
Choose Sysmon Application as Application Type.
Mention the name of the Device and click Add. The Device being added can either be a new device with
credentials or an already existing device.

In Search

Navigate to Search. You can search for Sysmon Application logs by clicking the drop down box and scrolling down. You will
find a specific logtype categorization for Sysmon Application.



To gain more insights from Sysmon Application logs, you can extract or create custom/new fields from the logs. Click here
to know more.

EventLog configurations for logging

Please note that these configurations will be added automatically when the device gets added as a Sysmon Application,
provided the credentials have the privilege to access the registry and add the key. If not configured automatically, this key
has to be added and enabled for logging to take place.

Steps to add the key in the registry

Using the Command Line window, open the registry editor 'regedit' on the device on which Sysmon is installed.
Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
To create a new key, right click on eventlog, click new > key. You can name the key as Microsoft-Windows-
Sysmon/Operational.



Adding Terminal Servers
Navigate to Settings > Configuration > Manage Application Sources. You can also click on the +Add button on the
top right corner of the Home page and select Application.
Next, select the Other Application Sources tab and click on the +Add Application button.
Choose the Application Type as Terminal and enter the name of the device.
Click on the Add button.
After adding the Terminal Server in EventLog Analyzer, you can configure logging as instructed below.

Configuring Terminal Server: Open Event Viewer > Application and Service Logs > Microsoft > Windows >
TerminalServices-Gateway > Operational, right click on it and select 'Enable Log'. This will enable logging for the
corresponding 'Gateway' or 'Operational' processes. The logs can be viewed in Event Viewer.

Note: If the terminal server device is a 64-bit Windows OS machine (i.e., Windows Vista and above), carry out the
following registry configuration:

Open the registry editor 'regedit' of the Terminal Server machine in the Command Line Window.
Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
To create a new key, right click on eventlog, click new > key. You can name the key as Microsoft-Windows-
TerminalServices-Gateway/Operational.

This will convert the log type to 'Administrative' thus enabling you to perform searches and generate reports out of these
logs.

The above configuration is not required for 32-bit Windows OS versions.



Adding other servers
To add Password Manager Pro, OpManager, ADAudit Plus, Syslog Application, and Sysmon, follow the steps listed below.
1. Navigate to Settings > Configuration > Manage Application Sources.

2. In the Application Source Management page, navigate to Other Servers > Add application.

3. Select the desired application from the dropdown menu.

4. Enter the device's name in the given field. Alternatively, you can select the device by clicking the + button.

5. Click Add.

Troubleshooting tips

If you are unable to add a SQL Server or other applications, ensure the following:
1. The credentials used are valid and have the necessary permissions.

2. The device is reachable.



Import Log Files
EventLog Analyzer helps you collect and analyze logs from different sources such as servers, network devices, and
applications. The solution provides actionable intelligence that helps security teams stay on top of security threats in the
organization.

This solution provides you the capability to import log files. The supported log formats include Windows and syslog device
formats, application log formats and archived files log formats.

Windows and syslog device log formats

Windows Eventlog (EVTX format)
IBM AS/400
Linux/Unix Syslog format (RFC 5424 and 2131)

Note: To import .evt logs (Windows XP and Windows 2003), you will need to convert the .evt to .evtx using the
command wevtutil export-log application.evt application.evtx /lf in your EventLog Analyzer installation.

Application log formats

Apache access logs
DHCP Linux logs
DHCP Windows logs
IBM Maximo logs
IIS W3C FTP logs
IIS W3C Web Server logs
MSSQL Server logs
MySQL logs

Archived files log formats

Cisco archive files
Syslog archive files
Windows archive files

Steps to import log files


Navigate to the Import Configuration page using any one of the following menu options:

+Add > Import Logs
Settings > Configurations > Import Log Data
Home > Applications > Imported Logs
Home > Applications > Actions > +Import

Importing log files from different locations


EventLog Analyzer allows you to import:

Log files from a local path.
Log files from a shared path.
Log files from a remote path.
Log files from cloud storage.

Log file import from a local path

With this option, you can import log files from any device that has access to EventLog Analyzer.

Note: Log import cannot be scheduled to run at regular time intervals.

1. From the File Location option, select Local Path.

2. Click on Browse to select the necessary file(s) from your local device. Alternatively, you can enter the device name (or) IP address of the device (or) specify the full UNC path, then click on Open. The necessary file(s) is selected.

3. If you know the log format of the log file, select the log format from the given drop-down. If you do not know the log format, select Automatically Identify.

Note: You can view a preview of the selected log file and extract the desired fields, by clicking on the View
symbol of the attached log file and enabling the pop-up window option in your browser.

4. Click on the + button and OK to select the device that the log file is associated to. You can also enter the name of the device or select the device from the pop-up that appears.

5. If you wish to store the imported logs for 2 days, enable the Store logs for a short term option. By default, the log storage time-period is 32 days.

6. Click on Import.



Log file import from a shared path or UNC path

The log file import via Universal Naming Convention (UNC) path allows you to access shared network folders on a local area
network (LAN).
1. From the File Location option, select Shared Path.

2. Enter the device name or IP address from which you wish to upload the log file. Alternatively, you can click on Browse to select the Windows device.

3. Select the desired file from the device and click OK. The necessary file is selected.

4. If you know the log format of the log file, select the log format from the given drop-down. If you do not know the log format, select Automatically Identify.

Note: You can view a preview of the selected log file and extract the desired fields, by clicking on the View
symbol of the attached log file and enabling the pop-up window option in your browser.

5. Click on the + button and OK to select the device that the log file is associated to. You can also enter the name of the device or select the device from the pop-up that appears.

6. If you wish to store the imported logs for 2 days, enable the Store logs for a short term option. By default, the log storage time-period is 32 days.

7. If you want to automate a log file import at regular time intervals, enable the Schedule log import option.

8. With the Schedule drop-down menu you can customize the time interval between each log file import.

9. Additionally, you can build a file name pattern for the imported log files, using the time format options given. The name of the file stored at the specified time is updated in accordance with the file name pattern.

10. Click on Import.



Log file import from a remote path

To import log files from a remote path you will need the credentials of the device you are trying to access (username and
password).
1. From the File Location option, select Remote Path.

2. Enter the device name or IP address from which you wish to upload the log file. Alternatively, you can click on the + button and browse to select the Windows device.

3. Select the desired file from the device and click OK. The necessary file is selected.

4. Choose the required protocol (Ethernet, FTP and SFTP) and enter the port number.

5. Enter the credentials in the given fields, i.e., the username and password for the remote device.

6. If you know the log format of the log file, select the log format from the given drop-down. If you do not know the log format, select Automatically Identify.

Note: You can view a preview of the selected log file and extract the desired fields, by clicking on the View
symbol of the attached log file and enabling the pop-up window option in your browser.

7. Click on the + button and OK to select the device that the log file is associated to. You can also enter the name of the device or select the device from the pop-up that appears.

8. If you wish to store the imported logs for 2 days, enable the Store logs for a short term option. By default, the log storage time-period is 32 days.

9. If you want to automate a log file import at regular time intervals, enable the Schedule log import option.

10. With the Schedule drop-down menu you can customize the time interval between each log file import.

11. Additionally, you can build a file name pattern for the imported log files, using the time format options given. The name of the file stored at the specified time is updated in accordance with the file name pattern.

12. Click on Import.



After selecting the log file that you want to import, click on Advanced to select the encoding type and the time zone of the
imported logs.

File Encoding

EventLog Analyzer supports different encoding types for log files. You can choose the encoding type of the log files that you
import. The default encoding type is UTF-8.

Time Zone

EventLog Analyzer gives you the option of choosing the time zone in which the imported logs were recorded. The
default is the time zone with which the EventLog Analyzer server has been configured.

Log file import from cloud storage

To import logs from AWS S3 buckets, you first need to create an IAM user with access to the S3 bucket(s). You can also
grant users access to only specific S3 buckets by following the steps given in this link.

To configure AWS S3 buckets for importing logs,

In the Cloud tab, click the link displayed to configure the AWS account.

Enter the Display Name, Access Key, and Secret Key of the AWS account and click Add.



Once the AWS account gets added, it will be displayed in the drop-down list available in the Cloud tab.
From the drop-down list, select the AWS account and then the S3 bucket from which logs are to be imported.
Click Import to initiate log importing.

MySQL Logs
EventLog Analyzer supports only error logs and general logs from MySQL. MySQL logon failures are taken into account
from MySQL general query logs.

To enable logging in MySQL,

Open the my.cnf file (in case of Linux) or my.ini file (in case of Windows) and add the entries below to the file.
For error logs:
log_error=<error-log-file-name>
For general logs (MySQL >= v5.1.29):
general_log_file=<general-log-file-name>
general_log=1 (or) ON
For general logs (MySQL < v5.1.29):
log=<log-file-name>
Restart the MySQL instance for the changes to take effect.

To import MySQL logs in EventLog Analyzer,
You can import MySQL log files from a local path, a shared path, or a remote path.
To import MySQL log files, you need to manually choose the log format. Once you've selected the right file, select
MySQL Logs from the Log Format drop-down list in the Selected File(s) section.
Click Import to initiate the log importing process.

SAP ERP Audit Logs


To add the SAP ERP application for monitoring, the audit logs have to be enabled.

To enable the SAP ERP audit logs:

To the DEFAULT.PFL file in the location <SAP_installed path>\sys\profile, add



rsau/enable = 1
rsau/local/file = <log location>/audit_00

Note: The user should have permission to read this audit file while importing.

DB2 Audit Logs


Db2 database systems allow auditing at both the instance and database levels. The db2audit tool is used to configure the
auditing process. The tool can also be used to archive and extract audit logs, from both instance and database levels. The
audit facility can be configured by following these six steps.
1. Configuring db2audit data path, archive path, and scope.

2. Creating an audit policy for database auditing.

3. Assigning the audit policy to the database.

4. Archiving the active logs.

5. Extracting the archived logs.

6. Importing the logs to EventLog Analyzer.

EventLog Analyzer also supports diagnostic logs. Click here to learn how to generate the diagnostic logs report.

1. Configuring db2audit data path, archive path, and scope

The configure parameter modifies the db2audit.cfg configuration file in the instance's security subdirectory. Updates to
this file are applied even when the instance is stopped. Updates made while the instance is active dynamically affect
the auditing being done by the Db2 instance. To know more about all possible actions on the configuration file, refer to the source documentation.

Open DB2 Command Line Processor with administrator privilege.


Run the following command:

> db2audit configure datapath "C:\IBM\DB2\DataPath" archivepath "C:\IBM\DB2\ArchivePath"

Note: Replace the given paths with the paths of your choice for data path and archive path respectively.

Run the following command:

> db2audit configure scope all status both error type normal

Note: Replace the given parameters with the parameters of your choice.

Run the following command:

> db2audit start



Now the logs will be generated for the DB2 instance in the given data path.

2. Creating an audit policy for database auditing

Open DB2 Command Line Processor with administrator privilege.


Run the following command to connect to a database:

> db2 connect to your_database

Note: Replace your_database with the database name of your choice.

Run the following command to create an audit policy for the database:

> db2 create audit policy policy_name categories all status both error type audit

Note: Replace policy_name with the policy name of your choice. Replace the given parameters with the
command parameters of your choice. To know more about the allowed command parameters, refer to the source documentation.

Run the following command to commit:

> db2 commit

Now the audit policy has been created.

3. Assigning the audit policy to the database

Open DB2 Command Line Processor with administrator privilege.


Run the following command to assign a policy to the database:

> db2 audit database using policy policy_name

Note: Replace policy_name with the name of the audit policy that you created.

Run the following command to commit:

> db2 commit

Now the created audit policy is assigned to the database.

4. Archiving the active logs

You can archive the active logs from both instance and database. The logs will be archived to the archive path that you
configured in the first step.



Open DB2 Command Line Processor with administrator privilege.
Run the following command to archive the active database logs:

> db2audit archive database your_database

Note: Replace your_database with the name of the database.

Run the following command to archive active instance logs:

> db2audit archive

Now the logs will be archived to a new file with a timestamp appended to the filename. An example of the filename is given
below.
Instance Log file: db2audit.instance.log.0.20060418235612
Database Log file: db2audit.db.your_database.log.0.20060418235612

Both files have to be extracted into a human-readable format to be imported into EventLog Analyzer.

5. Extracting the archived logs

Open DB2 Command Line Processor with administrator privilege.


Run the following command to extract the archived instance logs:

> db2audit extract file C:/IBM/DB2/instancelog.txt from files db2audit.instance.log.0.20060418235612

Note: Replace the instancelog with the filename of your choice. Replace
db2audit.instance.log.0.20060418235612 with the filename of the archived instance logs.

Run the following command to extract archived database logs:

> db2audit extract file C:/IBM/DB2/databaselog.txt from files db2audit.db.your_database.log.0.20060418235612

Note: Replace databaselog with the filename of your choice. Replace
db2audit.db.your_database.log.0.20060418235612 with the filename of the archived database logs.

Both files will be extracted to the given archive path and can be imported into EventLog Analyzer.

6. Importing the logs to EventLog Analyzer



Now you will have to import the extracted database and instance log files into EventLog Analyzer. Here is a comprehensive
guide on how to import log files in EventLog Analyzer.

Diagnostic Logs
EventLog Analyzer also provides a report for diagnostic logs. To generate the diagnostic logs report, follow the given steps.

Run the following command to find the location of the diagnostic log file.

> db2 get dbm cfg | findstr DIAGPATH

or

> db2 get dbm cfg | grep DIAGPATH

or

> db2 get dbm cfg

Note: The path corresponding to Current member resolved DIAGPATH is the path to the diagnostic log file.

Navigate to the specified path and import the file named db2diag.txt to EventLog Analyzer. Here is a
comprehensive guide on how to import log files in EventLog Analyzer.

Import Troubleshooting tips


If you are unable to import a log file, ensure the following:
1. The credentials used are valid and have the necessary permissions.

2. The device is reachable.

3. The specified file exists and is accessible.

4. The log file format selected from the drop-down matches the log format of the chosen file.

Field extraction from logs


1. You can create a custom field by clicking on the tools icon at the top right corner of your log message. Follow the steps

given in this page to use custom patterns for logs.



a. Now custom fields are also displayed in the left pane.

b. Click on the Save button.

List of imported log files


You can view a list of all imported log files in your EventLog Analyzer installation. This is the default page that appears when
the import log option is selected. This page provides details of the imported log file including, filename, device, monitoring
interval, time taken to import the log file, log format, and size of the log file.



How to monitor logs from an Amazon Web Services (AWS) Windows instance
Installation procedure
Ensure that EventLog Analyzer server can access EC2 Windows instance.

Welcome screen with copyright protection message appears.

Confirm the agent installation.



Enter the server details: Server Name or Server IP Address, Server Database, Server Protocol, AWS Instance (choose Yes if
agent installation is on AWS, No if it is not), Server Port (mention the HTTP/HTTPS server port, default port is 8400).



EventLog Analyzer agent is installed as a service in AWS Windows instance.

Check whether the service is running.

EC2 server name is resolved from the IP address provided.



You can check that the AWS instance is displayed in both the Devices tab and the Agent Administration settings page.

After five minutes you can view the reports rolling out for the AWS instance.

Note:
Install one agent on each AWS Windows server instance.
You should not associate other AWS server instances with an AWS agent.



Chapter 5
Configuring and enabling logging/auditing in sources



Enabling Logs
Enabling Windows Firewall Logs
In order to monitor Windows firewall logs, add the Windows device from which the firewall logs are to be collected.

For EventLog Analyzer to collect Windows Firewall logs, modify the local audit policy of added Windows devices and enable
firewall related events. Follow the steps below to carry this out.
1. Open the command prompt.

2. Execute the following commands to enable logging of all firewall-related events:

> auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC rule-level policy change" /success:enable /failure:enable

> auditpol.exe /set /category:"Policy Change" /subcategory:"Filtering Platform policy change" /success:enable /failure:enable

> auditpol.exe /set /category:"Logon/Logoff" /subcategory:"IPsec Main Mode" /success:enable /failure:enable

> auditpol.exe /set /category:"Logon/Logoff" /subcategory:"IPsec Quick Mode" /success:enable /failure:enable

> auditpol.exe /set /category:"Logon/Logoff" /subcategory:"IPsec Extended Mode" /success:enable /failure:enable

> auditpol.exe /set /category:"System" /subcategory:"IPsec Driver" /success:enable /failure:enable

> auditpol.exe /set /category:"System" /subcategory:"Other system events" /success:enable /failure:enable

> auditpol.exe /set /category:"Object Access" /subcategory:"Filtering Platform packet drop" /success:enable /failure:enable

> auditpol.exe /set /category:"Object Access" /subcategory:"Filtering Platform connection" /success:enable /failure:enable

3. Restart the device (or) force a manual refresh by using the following command: gpupdate /force
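As an added example that is not part of this guide, the Python script below parses the text output of auditpol /get /category:* on an English-language Windows host (the sample output is constructed) and reports which of the nine subcategories above are not yet set to Success and Failure, together with the auditpol command from step 2 that would correct each one.

```python
"""Verify that the firewall-related audit subcategories the guide enables via
auditpol are set to 'Success and Failure', and list the auditpol commands that
still need to be run.

Added example, not ManageEngine code. It parses the text printed by
'auditpol /get /category:*' on an English-language Windows host; the sample
output below is constructed.
"""
import re
import subprocess

# (category, subcategory) pairs exactly as the guide's auditpol commands name them.
FIREWALL_SUBCATEGORIES = [
    ("Policy Change", "MPSSVC rule-level policy change"),
    ("Policy Change", "Filtering Platform policy change"),
    ("Logon/Logoff", "IPsec Main Mode"),
    ("Logon/Logoff", "IPsec Quick Mode"),
    ("Logon/Logoff", "IPsec Extended Mode"),
    ("System", "IPsec Driver"),
    ("System", "Other system events"),
    ("Object Access", "Filtering Platform packet drop"),
    ("Object Access", "Filtering Platform connection"),
]

REQUIRED_SETTING = "Success and Failure"

# Subcategory rows are indented; the setting is the last column.
_ROW_RE = re.compile(
    r"^\s{2,}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$"
)


def parse_auditpol_output(text: str) -> dict[str, str]:
    """Map lower-cased subcategory name -> current setting."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        match = _ROW_RE.match(line)
        if match:
            settings[match.group(1).strip().lower()] = match.group(2)
    return settings


def firewall_audit_gaps(text: str) -> dict[str, str]:
    """Subcategories from the guide whose setting is not 'Success and Failure',
    mapped to the current setting ('missing' if auditpol did not list them)."""
    settings = parse_auditpol_output(text)
    gaps: dict[str, str] = {}
    for _category, subcategory in FIREWALL_SUBCATEGORIES:
        current = settings.get(subcategory.lower(), "missing")
        if current != REQUIRED_SETTING:
            gaps[subcategory] = current
    return gaps


def auditpol_fix_commands(gaps: dict[str, str]) -> list[str]:
    """The guide's step-2 auditpol command for each subcategory still in gaps."""
    return [
        f'auditpol.exe /set /category:"{category}" /subcategory:"{subcategory}" '
        f"/success:enable /failure:enable"
        for category, subcategory in FIREWALL_SUBCATEGORIES
        if subcategory in gaps
    ]


def live_auditpol_output() -> str:
    """Run auditpol on the local Windows host (requires an elevated prompt)."""
    result = subprocess.run(["auditpol", "/get", "/category:*"],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample of auditpol /get output with two settings still wrong.
SAMPLE_AUDITPOL_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
Logon/Logoff
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
Object Access
  Filtering Platform Packet Drop          Success and Failure
  Filtering Platform Connection           Success
Policy Change
  MPSSVC Rule-Level Policy Change         Success and Failure
  Filtering Platform Policy Change        Success and Failure
"""

if __name__ == "__main__":
    found = firewall_audit_gaps(SAMPLE_AUDITPOL_OUTPUT)
    for name, setting in found.items():
        print(f"{name}: {setting}")
    for command in auditpol_fix_commands(found):
        print(command)
```

On a real host, pass live_auditpol_output() to firewall_audit_gaps instead of the constructed sample.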



Enabling Hyper V logging
To monitor Hyper V Logs, add the Windows Server from which the Hyper V logs are to be collected.

For EventLog Analyzer to collect Hyper V logs, follow the steps below in the respective Windows device:
1. Open your Event Viewer.

2. Go to Application and Service Logs> Microsoft> Windows.

3. Right click on the following and select 'Enable Log':

Hyper-V-Config

Hyper-V-High-Availability

Hyper-V-Hypervisor

Hyper-V-Integration

Hyper-V-SynthFC

Hyper-V-SynthNic

Hyper-V-SynthStor

Hyper-V-VID

Hyper-V-VMMS

This will enable logging of Hyper V Logs and the logs can be viewed in Event Viewer.

To perform searches and generate reports out of these logs, carry out the following registry configuration on the respective
Windows machine:
1. Open the registry editor, 'regedit' in a Command Line Window.

2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog

3. Right click on 'eventlog' and create new keys with the following names:

Microsoft-Windows-Hyper-V-Config

Microsoft-Windows-Hyper-V-High-Availability

Microsoft-Windows-Hyper-V-Hypervisor

Microsoft-Windows-Hyper-V-Integration

Microsoft-Windows-Hyper-V-SynthFC

Microsoft-Windows-Hyper-V-SynthNic

Microsoft-Windows-Hyper-V-SynthStor

Microsoft-Windows-Hyper-V-VID

Microsoft-Windows-Hyper-V-VMMS

Note: EventLog Analyzer supports log collection from any device which has remote logging capability, via the UDP or TCP
protocol. The default UDP ports are 513 and 514, and the default TCP port is 514 in EventLog Analyzer.

TCP based log collection offers reliability.


UDP based log collection is not reliable, but reduces load on your network when compared to TCP.

Depending on the requirements of your environment, you can choose the appropriate protocol for log collection.



How to enable Audit for IBM AS400/iSeries Journal Logs
For analyzing journal logs of IBM AS400/iSeries devices, you need to enable auditing in those systems.

To enable auditing for AS400/iSeries journal logs you have to:


1. Create a journal receiver.

2. Attach the journal receiver to a journal.

3. Specify the audit logs that are to be stored in the journal receiver.

Once the journal receiver is created and the logs specified are collected in it, EventLog Analyzer will fetch those logs for
monitoring, report generation and alert notification.

Note: For setting up security auditing in AS400/iSeries machines, you must have the *AUDIT special authority.

Create a journal receiver


You can create a journal receiver in a library of your choice by using the following command:

> CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) +
    THRESHOLD(100000) AUT(*EXCLUDE) +
    TEXT('Auditing Journal Receiver')

Note: This example uses a library called JRNLIB for journal receivers.

Place the journal receiver in any library of your choice. Ensure that it is not placed in the QSYS library, which is a
system library.
Enter a name for the journal receiver.
When you want the naming convention to be applied to naming all journal receivers, use the *GEN option.
Specify an appropriate threshold level that suits your system size and activity. The size you choose should be based
on the number of transactions on your system and the number of actions you choose to audit. For system change
journal management support, the threshold must be at least 5000KB.
To limit access to the information stored in the journal, specify *EXCLUDE on the AUT parameter.

Attach the journal receiver to a journal


Create the QSYS/QAUDJRN journal by using the following command:

> CRTJRN JRN(QSYS/QAUDJRN) +
    JRNRCV(JRNLIB/AUDRCV0001) +
    MNGRCV(*SYSTEM) DLTRCV(*NO) +
    AUT(*EXCLUDE) TEXT('Auditing Journal')

The journal name QSYS/QAUDJRN must be used.



Note: To create this journal you must have the authority to add objects to QSYS.

Specify the journal receiver name that you created, using the JRNRCV parameter.
Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal.
(*SYSTEM) is passed as the parameter for Manage Receiver (MNGRCV). Thus, when the attached journal receiver
reaches its threshold size, the system itself detaches this receiver and creates and attaches a new journal receiver.
Avoid detaching receivers and creating and attaching new receivers manually using the CHGJRN command.
To retain the detached journal receivers, specify (*NO) as the value for DLTRCV. This will prevent the automatic
deletion of detached receivers by the system.
QAUDJRN receivers are your security audit trail. Hence, ensure that they are adequately archived.

Specify the logs that are to be captured by the journal receiver


Use the following command to specify the logs that are to be stored in the journal receiver created:

CHGSECAUD QAUDCTL(*ALL) QAUDLVL(*ALL)

To specify which actions are to be logged into the audit journal for all the users on the system, set the audit level
in the QAUDLVL system value using the WRKSYSVAL command.
If you want to set action and object auditing for specific users, use the CHGUSRAUD command.
You can also set object auditing for specific objects as per your requirement, using the CHGOBJAUD and
CHGDLOAUD commands.
Setting the QAUDENDACN system value determines the system's action when it is unable to write an entry to the
audit journal.
With the QAUDFRCLVL system value, you can control the transfer of audit records from memory to auxiliary storage.
To start auditing, set the QAUDCTL system value to any value other than *NONE.

Once this security auditing set up is completed, EventLog Analyzer will automatically fetch the logs collected in the journal
receiver of the AS400/iSeries device that is added for monitoring. If the AS400/iSeries machine is not added to EventLog
Analyzer server, add the device to begin collecting its logs.



Enabling Stackato Logging
EventLog Analyzer automatically adds and collects your Stackato logs once you execute the following commands in your
tty console:

$ kato config set logyard drainformats/<Format Name>[<PRI>{{.Text}}]

For UDP based log collection:

$ kato drain add ela udp://<ela_server_name>:<udp_port_no> -f systail-ela-local

For TCP based log collection:

$ kato drain add ela tcp://<ela_server_name>:<tcp_port_no> -f systail-ela-local

Example:

$ kato config set logyard drainformats/systail-ela-local[<13>{{.Text}}]

$ kato drain add ela udp://ELA:514 -f systail-ela-local

By default, EventLog Analyzer uses 513 and 514 as its UDP ports. If you have changed the UDP port number, specify the
changed port here.

Logyard will now drain all logs in the specified format to the given UDP port of EventLog Analyzer. EventLog Analyzer
can now collect all the Stackato logs as syslogs and analyze them with special reports.



Configuring McAfee Solutions
EventLog Analyzer collects log data from McAfee solutions and presents it in the form of graphical reports. For EventLog
Analyzer to start collecting this log data, the McAfee solution has to be added as a threat source.

To configure McAfee in EventLog Analyzer, please follow the steps below.


1. Configure HTTPS in EventLog Analyzer.

2. Enable the required TLS port. Settings > System Settings > Listener ports

3. Configure your McAfee ePO server to use the newly created syslog server.

4. Add a new registered server and select Syslog for the type of server.

5. Enter the FQDN of the Syslog server.

6. Enter 6514 for the port number. If the listener port number was changed in the TLS, enter that port number.

7. Click on enable event forwarding.

8. Click on test connection. A Syslog connection success message will be displayed.

9. Click on save.

Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can then be
viewed in the form of reports. To add the threat source:

1. In the EventLog Analyzer console, navigate to Settings > Configurations > Manage Threat Source > Add Source.

2. Click on Existing Host and select the device you had added from the list of existing devices.

3. Select the Addon Type from the list.

4. Click on Add.


Available reports:

McAfee Events
McAfee Threat Reports
McAfee Virus Reports



Steps to configure external applications
Configuring ManageEngine Password Manager Pro
Here are the steps to configure Password Manager Pro.
1. Login to Password Manager Pro.

2. Navigate to Audit -> Resource Audit -> Audit Actions -> Configure Resource Audit. Enable the Generate Syslog option
for all operations and click Save.

3. Navigate to Audit -> User Audit -> Audit Actions -> Configure User Audit. Enable the Generate Syslog option for all
operations and click Save.

4. Navigate to Admin -> Integration -> SNMP Traps / Syslog Settings and click Syslog Collector.

Enter the EventLog Server name and a port that the EventLog Analyzer instance is listening to.

Select the protocol (UDP/TCP) and a facility name. Click Save.

Configuring ManageEngine OpManager


The following are the steps to configure ManageEngine OpManager.
1. Login to OpManager.

2. Navigate to Settings -> Notifications.

3. Click Add.

Profile Type

Select Syslog Profile and enter the following details.

Destination Host - EventLog Analyzer server name or IP address.

Destination Port - Any port that the EventLog Analyzer instance is listening to.

Severity and Facility must be the default values i.e. $severity and kernel.

For EventLog Analyzer to parse logs from OpManager, the message variables in the syslog profile of OpManager
should be entered in the following format:

Mandatory message variables

ALARM_MESSAGE:$message

ALARM_ID:$alarmid

ALARM_CODE:$alarmid

Other important message variables



ALARM_SOURCE:$displayName

ALARM_CATEGORY:$category

ALARM_SEVERITY:$stringseverity

ALARM_TRIGGER_TIME:$strModTime

ALARM_EVENT_TYPE:$eventType

Entity: $entity

Last Polled Value: $lastPolledValue

4. Click Next.

Criteria

Click on the Criteria check-box.

Enable the notification for all severities and click Next.

Device Selection

Select the By Device option and select all the devices listed under Remaining Devices and click Next.

Schedule

You don't have to configure anything in this section. Click Next.

Preview

Enter a profile name and click Save.

Note: If the same machine is running two or more ManageEngine products, ensure the following:

The ports used by the products are unique.

The EventLog Analyzer port receiving logs from OpManager and Password Manager Pro is not used by other
ManageEngine products.

Configuring Zscaler NSS
Navigate to Edit NSS Feed in the console and specify the following details:
1. Enter the EventLog Analyzer server IP address in the field SIEM IP address.

2. Enter 514 as the SIEM TCP Port. If you have changed the default TCP port, then specify the changed port number here.

3. Select the Field Output Type as Tab-separated.

4. Append <96> at the start of the Feed Output Format before "%s..., which tells EventLog Analyzer that the log
messages must be processed.


Chapter 6 Configuring Syslog Service

Configuring the Syslog Service on UNIX devices

Note: Please take note of the default port numbers used for the different protocols.

Default port number - Protocol used

1. 513 & 514 - UDP

2. 514 - TCP

3. 513 - TLS

Log in as the root user and edit the syslog.conf/rsyslog.conf/syslog-ng.conf file in the /etc directory.
You can check which logger the device runs by executing the 'ps aux | grep syslog' command in the Terminal or Shell.

For UDP based log collection, append the following at the end, where <eventloganalyzer_server_name> is the name of
the machine on which EventLog Analyzer is running:

*.*<space/tab>@<eventloganalyzer_server_name>:<port_no>

Save the configuration and exit the editor.

For TCP based log collection, append the following at the end, where <eventloganalyzer_server_name> is the name of
the machine on which EventLog Analyzer is running:

*.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>

Save the configuration and exit the editor.

For TLS based log collection:

Prerequisites:

Enable HTTPS and configure a valid certificate in server.xml (refer to the section of this guide on configuring a
valid SSL certificate).
Only the pfx format is supported for storing the certificate; if you use the keystore format, convert it to pfx.

Using self-signed certificates:

After applying a self-signed certificate, a file named ca.crt will be created in the location
<EventLogAnalyzer_Home>/Certificates.
Use this file as the root certificate while configuring log forwarding on clients.

Using other certificates:

For configuring log forwarding, get the root certificate from the certificate vendor.
After checking the prerequisites, append the following directives to the syslog.conf/rsyslog.conf/syslog-ng.conf file
in the /etc directory:

$DefaultNetstreamDriverCAFile <CACertificate>
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer <hostname>
*.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>

Save the configuration and exit the editor.

Note: If you want to use a different port other than the default ports as specified above, please specify it in the port
management settings.

Restart the syslog service on the device using the command:

/etc/rc.d/init.d/syslog restart

Note: To configure the syslog-ng daemon on a Linux device, append the following entries at the end of
/etc/syslog-ng/syslog-ng.conf.

For UDP based log collection, append the following at the end of the configuration file, where
<eventloganalyzer_server_name> is the DNS name or IP address of the machine on which EventLog Analyzer is running,
then save the configuration and exit the editor:

*.*<space/tab>@<eventloganalyzer_server_name>:<port_no>

For TCP based log collection, append the following at the end, where <eventloganalyzer_server_name> is the DNS name
or IP address of the machine on which EventLog Analyzer is running, then save the configuration and exit the editor:

*.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>

Note: Ensure that the EventLog Analyzer server that you provide is reachable from the Syslog device.

For TLS based log collection:

destination d_eventloganalyzer { tcp("<hostname>" port(<port>) tls(ca_dir("<CACertificate>"))); };

log { source(src); destination(d_eventloganalyzer); };

Note: The above configuration will only enable forwarding of machine logs to the EventLog Analyzer server.

Forwarding audit logs to the EventLog Analyzer Server

The configurations given below have to be done on Linux devices in rsyslog.conf (or syslog.conf):

1. Under the MODULES section, check whether "$ModLoad imfile" is included. (The "imfile" module converts any input
text file into syslog messages, which can then be forwarded to the EventLog Analyzer Server.)

2. The following directives contain the details of the external log file:

$InputFileName <Monitored_File_Absolute_Path>
$InputFileStateFile <State_Filename>
$InputFileSeverity <Severity>
$InputFileFacility <Facility>
$InputRunFileMonitor

3. To forward the logs, add this line: <Facility>.<Severity> @Host-Ip:Port

Example:

$ModLoad imfile
$InputFileName /var/log/sample.log
$InputFileStateFile sample
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.info @eventloganalyzer-Server:514

Here /var/log/sample.log is the external file to be forwarded.
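The <PRI> number this guide asks you to prepend for Stackato (<13>) and Zscaler (<96>), and the local6.info selector used in the imfile example above, are one and the same syslog priority encoding (facility * 8 + severity). The following Python example is added here and is not part of the original guide or of EventLog Analyzer: it computes and decodes that PRI value, wraps lines of a monitored file the way the imfile forwarding rule does, and parses the resulting BSD-syslog line back. The host names and log lines in it are constructed sample data.

```python
"""Build and parse BSD-syslog (RFC 3164) lines carrying the <PRI> prefix.

Added example; not part of the EventLog Analyzer guide or product. The host
names and log lines used below are constructed sample data.
"""
import re
import socket
from datetime import datetime

# Facility and severity codes as defined in RFC 3164 / <syslog.h>.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
_FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
_SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG   (single-digit day is space padded)
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity: user.notice -> 13, local6.info -> 182."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value: int) -> tuple:
    """Inverse of pri(); rejects values outside the 0..191 range RFC 3164 allows."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI {value} out of range 0..191")
    return _FACILITY_NAMES[value // 8], _SEVERITY_NAMES[value % 8]


def format_syslog(facility, severity, hostname, tag, message, when=None):
    """Render one BSD-syslog line with the <PRI> prefix the collector expects."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {message.rstrip()}"


def wrap_file_lines(lines, facility, severity, hostname, tag, when=None):
    """What the imfile rule does: one syslog line per non-empty line of the file."""
    return [format_syslog(facility, severity, hostname, tag, line, when)
            for line in lines if line.strip()]


def parse_syslog(line: str):
    """Parse a received line; None when the <PRI> prefix is missing or malformed."""
    match = _SYSLOG_RE.match(line)
    if not match:
        return None
    try:
        facility, severity = decode_pri(int(match["pri"]))
    except ValueError:
        return None
    return {"facility": facility, "severity": severity, "timestamp": match["ts"],
            "host": match["host"], "tag": match["tag"], "pid": match["pid"],
            "message": match["msg"]}


def send_udp(line: str, server: str, port: int = 514) -> int:
    """Send one line to the collector over UDP (514 is the guide's default port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (server, port))


def demo():
    """Wrap two constructed audit lines as local6.info and parse them back."""
    sample = ["type=USER_LOGIN pid=2201 uid=0 res=success\n",
              "type=USER_LOGIN pid=2202 uid=0 res=failed\n"]
    fixed = datetime(2024, 1, 5, 10, 0, 0)  # fixed stamp so output is reproducible
    lines = wrap_file_lines(sample, "local6", "info", "web01", "audit", fixed)
    return [(line, parse_syslog(line)) for line in lines]


if __name__ == "__main__":
    for raw, parsed in demo():
        print(raw)
        print(parsed)
```

A line without the <PRI> prefix parses to None, which is exactly the condition the Zscaler and Stackato steps avoid by prepending the number.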

Note:
1. These instructions can be applied to all Linux devices.

2. Please use a unique <State_Filename> for each different <Monitored_File_Absolute_Path>.

3. When forwarding audit logs, the default policies on Red Hat systems with Security-Enhanced Linux (SELinux)
sometimes won't allow the audit logs to be read. In that case, the audit logs can be forwarded by setting "active=yes"
in /etc/audisp/plugins.d/syslog.conf.


Configuring the Syslog Service on Mac OS devices
1. Log in as the root user and edit the syslog.conf file in the /etc directory.

2. Append *.*<tab>@<server_IP> at the end, where <server_IP> is the IP address of the machine on which EventLog
Analyzer is running.

Note: Ensure that the EventLog Analyzer server IP address is reachable from the Mac OS device.

3. Save the file and exit the editor.

4. Execute the commands below to restart the syslog daemon:

$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Note: The TLS option is not available for Syslog.


Configuring the Syslog Service on HP-UX/Solaris/AIX Devices
1. Log in as the root user.

2. Edit the syslog.conf file in the /etc directory as shown below:

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug<tab-separation>@<ela_server_name>

where <ela_server_name> is the name of the machine where EventLog Analyzer is running. Ensure that there is only a
tab separation between *.debug and @<ela_server_name>.

Note: For a Solaris device, it is enough to include *.debug<tab-separation>@<ela_server_name> in the syslog.conf file.

3. Save the configuration and exit the editor.

4. Edit the services file in the /etc directory.

5. Change the syslog service port number to 514, which is one of the default listener ports of EventLog Analyzer. If
you choose a port other than 514, remember to enter that same port when adding the device in EventLog Analyzer.

6. Start the syslog daemon on the OS with the appropriate command:

(for HP-UX) /sbin/init.d/syslogd start
(for Solaris) /etc/init.d/syslog start
(for Solaris 10) svcadm -v restart svc:/system/system-log:default
(for IBM AIX) startsrc -s syslogd


Configuring the Syslog Service on VMware
All ESX and ESXi devices run a syslog service (syslogd), which logs messages from the VMkernel and other system
components to a file.

To configure the syslog service on an ESX device:

Neither vSphere Client nor vicfg-syslog can be used to configure syslog behavior for an ESX device. To configure syslog for
an ESX device, you must edit the /etc/syslog.conf file.

To configure the syslog service on an ESXi device:

On ESXi devices, you can use the vSphere Client or the vSphere CLI command vicfg-syslog to configure the
following options:
1. Log file path: Specifies a datastore path to the file where syslogd logs all messages.

2. Remote host: Specifies a remote device to which syslog messages are forwarded. In order to receive the
forwarded syslog messages, your remote host must have a syslog service installed.

3. Remote port: Specifies the port used by the remote host to receive syslog messages.

Configuration using the vSphere CLI command: For more information on vicfg-syslog, refer to the vSphere Command-Line
Interface Installation and Reference Guide.
Configuration using the vSphere Client:
1. In the vSphere Client inventory, click on the host.

2. Click the Configuration tab.

3. Click Advanced Settings under Software.

4. Select Syslog in the tree control.

5. In the Syslog.Local.DatastorePath text box, enter the datastore path to the file where syslog will log messages.
If no path is specified, the default path is /var/log/messages.

The datastore path format is [<datastorename>] </path/to/file>, where the path is relative to the root of the
volume backing the datastore.

Example: The datastore path [storage1] var/log/messages maps to the path /vmfs/volumes/storage1/var/log/messages.

6. In the Syslog.Remote.Devicename text box, enter the name of the remote host where syslog data will be
forwarded. If no value is specified, no data is forwarded.

7. In the Syslog.Remote.Port text box, enter the port on the remote host where syslog data will be forwarded. By
default Syslog.Remote.Port is set to 514, the default UDP port used by syslog. Changes to Syslog.Remote.Port
only take effect if Syslog.Remote.Devicename is configured.

8. Click OK.


Configuring the Syslog Service on Arista Switches
1. Log in to the Arista switch.

2. Go to the config mode.

3. Configure the switch as below to send the logs to the EventLog Analyzer server:

Arista# config terminal
Arista(config)# logging host <Eventlog_Server_Ip> <port_number> protocol [tcp|udp]
Arista(config)# logging trap informational
Arista(config)# copy running-config startup-config

To configure command execution logs:

Arista(config)# aaa accounting commands all console start-stop logging
Arista(config)# aaa accounting commands all default start-stop logging
Arista(config)# aaa accounting exec console start-stop logging
Arista(config)# aaa accounting exec default start-stop logging
Arista(config)# copy running-config startup-config

To configure logon logs:

Arista(config)# aaa authentication policy on-success log
Arista(config)# aaa authentication policy on-failure log
Arista(config)# copy running-config startup-config


Configuring the Syslog Service on Cisco Switches
1. Log in to the switch.

2. Go to the config mode.

3. Configure the switch as below (here, we have used Catalyst 2900) to send the logs to the EventLog Analyzer server:

Catalyst2900# config terminal
Catalyst2900(config)# logging <ela_server_IP>

For the latest Catalyst switches:

Catalyst6500(config)# set logging <ela_server_IP>

You can also configure the logging facility and trap notifications with the commands below:

Catalyst6500(config)# logging facility local7
Catalyst6500(config)# logging trap notifications

Note: The same commands are also applicable for Cisco routers.
Please refer to Cisco's documentation for detailed steps on configuring the Syslog service in the respective routers or
switches. Contact [email protected] if the Syslog format of your Cisco devices differs from
the standard syslog format supported by EventLog Analyzer.


Configuring the Syslog Service on HP Switches
1. Login to the switch.

2. Enter the following commands.

HpSwitch# configure terminal


HpSwitch(config)# logging severity debug

HpSwitch(config)# logging <ELA IP_ADDRESS>



Configuring the Syslog Service on Cisco devices
To configure the Syslog service on Cisco devices, follow the steps below:
1. Log in to the firewall.

2. Go to the config mode.

3. Configure the device as given below (here, we have used a Cisco ASA, as the prompts show) to send the logs to the
EventLog Analyzer server:

Cisco-ASA# config terminal
Cisco-ASA(config)# logging host <interface_name> <EventLog_server_IP> [tcp|udp]/<Port_Number>
Cisco-ASA(config)# logging trap informational
Cisco-ASA(config)# logging facility local7


Configuring the Syslog Service on Cisco Firepower
devices
Step 1: Syslog server configuration

To configure a Syslog Server for traffic events, navigate to Configuration > ASA Firepower Configuration > Policies >
Actions Alerts and click the Create Alert drop-down menu and choose option Create Syslog Alert. For web interfaces,
navigate to Policies > Actions Alerts. Enter the values for the Syslog server.

Name: Specify the name which uniquely identifies the Syslog server.
Host: Specify the IP address/hostname of Syslog server.
Port: Specify the port number of Syslog server.
Facility: Select any facility that is configured on your Syslog server.
Severity: Select any Severity that is configured on your Syslog server.
Tag: Specify tag name that you want to appear with the Syslog message.

Step 2: Enable external logging for Connection Events

Connection Events are generated when traffic hits an access rule with logging enabled. In order to enable the
external logging for connection events, navigate to ASDM Configuration > ASA Firepower Configuration > Policies
> Access Control Policy. For web interfaces, navigate to Policies > Access Control Policy. Edit the access rule and
navigate to logging option.
Select the logging option either log at Beginning and End of Connection or log at End of Connection. Navigate
to Send Connection Events to option and specify where to send events.
In order to send events to an external Syslog server, select Syslog, and then select a Syslog alert response from the
drop-down list. Optionally, you can add a Syslog alert response by clicking the add icon.

Step 3: Enable external logging for Intrusion Events

Intrusion events are generated when a signature (snort rules) matches some malicious traffic. In order to enable the
external logging for intrusion events, navigate to ASDM Configuration > ASA Firepower Configuration > Policies >
Intrusion Policy > Intrusion Policy. For web interfaces, navigate to Policies > Intrusion Policy > Intrusion Policy.
Either create a new Intrusion policy or edit an existing one. Navigate to Advanced Setting > External Responses.
In order to send intrusion events to an external Syslog server, select option Enabled in Syslog Alerting then click
the Edit option.
Logging Host: Specify the IP address/hostname of Syslog server.
Facility: Select any facility that is configured on your Syslog server.
Severity: Select any Severity that is configured on your Syslog server.

Note: From version 6.3 and above, make sure to enable timestamping in the RFC 5242 format in Firepower Threat Defense
for collecting syslogs along with their timestamps.


Configuring the Syslog Service on SonicWall devices
To configure the Syslog service on SonicWall devices, follow the steps below:

1. Log in to the SonicWall device as an administrator.

2. Navigate to Log > Automation, and scroll down to Syslog Servers.

3. Click on the Add button.

Alternatively, use a web browser to connect to the SonicWall management interface and log in with your username and
password.

1. Click on the Log button on the left menu. This will open a tabbed window in the main display.

2. Click on the Log Settings tab.

3. Under Sending the Log, enter the IP address of the machine running the Kiwi Syslog Server into the field Syslog
Server 1. If you are listening on a port other than 514, enter that value in the field Syslog server port 1.

4. Under Automation, set the Syslog format to Enhanced Syslog.

5. Under Categories > Log, check all the types of events that you would like to receive Syslog messages for.

6. Click on the Update button.

For SonicOS 6.5 and above:

1. Log in to the SonicWall device as an administrator.

2. Click on the Manage tab and expand Log Settings > SYSLOG.

3. Click Add under Syslog Servers.

4. In the Add Syslog Server window, enter the IP address or host name of the EventLog Analyzer server.

5. Enter the port number and set the Server Type to Syslog.

6. Set the Syslog format to Enhanced Syslog.

7. Click OK to configure.

A reboot of the SonicWall may be required for the new settings to take effect.


Configuring the Syslog Service on Juniper devices
1. Log in to the Juniper device as an administrator.

2. Navigate to the Configure tab.

3. Expand CLI Tools on the left pane, click on CLI editor in the subtree, and navigate to syslog under system.

4. For standard logs, insert the host node with the required values such as the host name, severity, facility and log
prefix. Consider the following configuration:

host ela-server {
    any any;
    port 513;
}

This will forward the log data in standard format. You can customize the syslog severity level by editing the
configuration.

5. For structured logs, mention 'structured-data' in the configuration. Consider the following configuration:

host ela-server {
    any any;
    port 513;
    structured-data;
}

This will forward the log data in a structured format.

6. Click on Commit to save the changes. To view the changes, click on the CLI viewer.

Note: It is recommended to use structured logs.


Configuring the Syslog Service on PaloAlto devices
To configure the Syslog service in your Palo Alto devices, follow the steps below:
1. Login to the Palo Alto device as an administrator.

2. Navigate to Device > Server Profiles > Syslog to configure a Syslog server profile.

3. Configure Syslog forwarding for Traffic, Threat, and WildFire Submission logs. First, navigate to Objects > Log
Forwarding, and click on Add to create a log forwarding profile.

4. Assign the log forwarding profile to security rules.

5. Configure Syslog forwarding for System, Config, HIP match, and Correlation logs.

6. Click on Commit for the changes to take effect.

For version 7.1 and above:

1. Login to the Palo Alto device as an administrator.

2. Configure a Syslog server profile for the EventLog Analyzer server

Select Device > Server Profiles > Syslog.

Click Add and provide a name for the profile.

If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is
available.

For the EventLog Analyzer server, click Add and enter the requested information.

Click OK.

3. Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.

Create a log forwarding profile.

Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.

For each log type and each severity level or WildFire verdict, select EventLog
Analyzer's Syslog server profile and click OK.

Assign the log forwarding profile to security rules.

4. Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.

Select Device > Log Settings.

For System and Correlation logs, click each Severity level, select EventLog Analyzer's syslog server profile, and
click OK.

For Config, HIP Match, and Correlation logs, edit the section, select EventLog Analyzer's syslog server profile, and
click OK.

5. Click Commit to save your changes.

Source: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/monitoring/configure-syslog-monitoring

Note: It's recommended to use BSD format in syslog profiles.

Once you have completed the configuration steps, the logs from your Palo Alto device will be automatically forwarded to
the EventLog Analyzer server.



Configuring the Syslog Service on Fortinet devices
To configure the Syslog service in your Fortinet devices (FortiManager 5.0.7 and above) follow the steps below:
1. Login to the Fortinet device as an administrator.

2. Define the Syslog Servers either through the GUI (System Settings > Advanced > Syslog Server) or with CLI commands:

config system syslog
    edit <server name>
        set ip <Syslog server IP>
    next
end

3. Enable sending FortiManager local logs to the EventLog Analyzer server via the CLI:

config system locallog syslogd setting
    set syslog-name <remote syslog server name, defined in the previous step>
    set severity <emergency | alert | critical | error | warning | notification | information | debug>   (least severity level to log)
    set status <enable | disable>
    set csv <enable | disable>   (whether to enable CSV output)
    set facility <facility>   (which facility to use for remote syslog)
    set port <port>   (port that the server listens on)
end

Once you have completed the configuration steps, the logs from your Fortinet device will be automatically forwarded to
the EventLog Analyzer server.

For more details and for other versions, refer to the source: http://kb.fortinet.com/kb/documentLink.do?externalID=FD35387


Configuring the Syslog Service on Check Point devices
To configure the Syslog service in your Check Point devices, follow the steps below:
1. Login to the Check Point device as an administrator.

2. To override the lock, click on the lock icon on the top-left corner of the screen.

3. Click Yes on the confirmation pop-up that appears.

4. Navigate to System Management > System Logging.

5. Under the Remote System Logging section, click Add.

6. In the Add Remote Server Logging Entry window, enter the IP address of the remote server (EventLog Analyzer
server).

7. From the Priority drop-down, select the severity level of the logs to be sent to the remote server.

8. Click OK.


Configuring the Syslog Service on NetScreen devices
The Syslog service on your NetScreen devices can be configured in two ways:

Enabling Syslog Messages using the NetScreen Device:

1. Log in to the NetScreen GUI.

2. Navigate to Configuration > Report Settings > Syslog.

3. Check the Enable Syslog Messages check-box.

4. Select the Trust Interface as Source IP and enable the Include Traffic Log option.

5. Enter the IP address of the EventLog Analyzer server and the Syslog port (514) in the given boxes. All other fields
will have default values.

6. Click Apply to save the changes.

Enabling Syslog Messages using the CLI Console:

Execute the following commands:

Netscreen> set syslog config <ip address> facilities local0 local0
Netscreen> set syslog config <ip address> port 514
Netscreen> set syslog config <ip address> log all
Netscreen> set syslog enable


Configuring the Syslog Service on WatchGuard devices
To configure the Syslog service in your WatchGuard devices, follow the steps below:
1. Login to the WatchGuard device as an administrator.

2. Navigate to System> Logging> Syslog.

3. Enable the Send log messages to the syslog server at this IP address checkbox.

4. Type the EventLog Analyzer server's IP address in the box provided for IP address.

5. Select 514 in the box provided for Port.

6. Select Syslog from the Log Format drop-down list.

7. If you want to include date and time in the log message details, enable the Time stamp checkbox.

8. If you want to add serial numbers in log message details, enable Serial number of the device checkbox.

9. Select a syslog facility for each type of log message in the Syslog settings section drop-down list.

For high-priority syslog messages, such as alarms, select Local0.

To assign priorities for other types of log messages select Local1 - Local7.

To not send details for a message type, select NONE.

Note: Lower numbers have greater priority.

10. Click SAVE



Configuring the Syslog Service on Sophos devices
To configure the Syslog service in your Sophos devices, follow the steps below:

Enabling Sophos-UTM Syslog:

1. Login to Sophos UTM as administrator.

2. Navigate to Logging & Reporting > Log Settings >Remote Syslog Server

3. Enable Syslog Server Status

4. Configure the syslog server by filling the following details


Name: < Any >
Server: < EventLog Analyzer server IP Address >
Port: < 513 >
5. Navigate to Remote Syslog and select the logs that have to be sent to the EventLog Analyzer server.

6. Click on Apply

Enabling Sophos-XG Syslog:

1. Login to Sophos-XG as administrator.

2. Navigate to System > System Services > Log Settings > Syslog Servers > Add

3. Configure the syslog server by filling the following details


Name: < Any >
Server: < EventLog Analyzer server IP Address >
Port: < 513 >
Facility: < DAEMON >
Severity: < INFORMATION >
Format: < Standard Format >
4. Click on Save

5. Navigate to System > System Services > Log Settings and select the logs that have to be sent to the EventLog
Analyzer server.


Configuring the Syslog Service on Cyberoam devices
To configure the Syslog service in your Cyberoam devices, follow the steps below:

Enabling Cyberoam Syslog:


1. Login to Cyberoam as administrator.

2. Navigate to Logs & Reports > Configuration > Syslog Server > Syslog Servers > Add

3. Configure the syslog server by filling the following details


Name: < any >
Server: < EventLog Analyzer server IP Address >
Port: < 513 >
Facility: < DAEMON >
Severity: < INFORMATION >
Format: < Cyberoam Standard Format >
4. Click on Save

5. Navigate to Logs & Reports > Configuration > Log Settings> select the logs that has to be sent to the EventLog

Analyzer Server.

Configuring the Syslog Service on Barracuda devices
The Syslog service in your Barracuda devices can be configured by following these five steps:
1. Enable the Syslog Service

Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.

Click on Lock.

Enable the Syslog service.

Click Send Changes and Activate.

2. Configure Logdata Filters

Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.

From the menu select Logdata Filters.

Click on Configuration Mode > Switch to Advanced View > Lock

Click on + icon to add a new entry.

Enter a descriptive name in the Filters and click OK.

In the Data Selection table, add the log files to be streamed. (e.g. Fatal_log, Firewall_Audit_Log, Panic_log)

In the Affected Box Logdata section, define what kind of box logs are to be affected by the Syslog daemon from the Data Selection list.

In the Affected Service Logdata section, define what kind of logs created by services are to be affected by the Syslog daemon from the Data Selection list.

Click on Send Changes and Activate.

3. Configure Logstream Destinations

Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.

From the menu select Logstream Destinations.

Expand the Configuration Mode > Switch to Advanced View > Lock.

Click on + icon to add a new entry.

Enter a descriptive name and click OK.

In the Destinations window select the Remote Loghost.

Enter the EventLog Analyzer server IP address as destination IP address in the Loghost IP address field.

Enter the destination port for delivering syslog messages as 513, 514.

Enter the destination protocol as UDP.

Click OK

Click on Send Changes and Activate.

4. Disable Log Data Tagging

5. Configure Logdata Streams

Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.

From the menu, select Logdata Streams.

Expand the Configuration Mode menu and select Switch to Advanced View.

Click the + icon to add a new entry.

Enter a descriptive name and click OK.

Configure Active Stream, Log Destinations and Log Filters settings.

Click on Send Changes and Activate.

Configuring the Syslog Service on Barracuda Web Application Firewall
The Barracuda Web Application Firewall can be configured by following these steps:
1. Navigate to ADVANCED > Export Logs > Add Export Log Server.

2. In Add Export Log Server, enter the following details and click OK:

Name: Enter a name for the EventLog Analyzer server.
IP Address or Hostname: Enter the IP address or the hostname of the EventLog Analyzer server.
Port: Enter the port associated with the IP address of the EventLog Analyzer server (513, 514).
Log Timestamp and Hostname: Enable this to send logs with the date and time of the event.

Configuring the Syslog Service on Barracuda Email Security Gateway
The Barracuda Email Security Gateway can be configured by following these steps:
1. To configure the email Syslog, using the Barracuda Email Security Gateway web interface, navigate to ADVANCED > Advanced Networking.

2. Enter the IP address of the EventLog Analyzer server to which syslog data related to mail flow should be sent.

3. Specify the protocol (TCP or UDP) and the port (513, 514) over which syslog data should be transmitted.

Configuring the Syslog Service on Huawei Firewall devices
To configure the Syslog service in your Huawei firewall devices, follow the steps below:
1. Login to the Huawei firewall device.

2. Navigate to System view > Log monitoring > Firewall log stream.

3. To export traffic monitoring logs to the EventLog Analyzer server, enter the following command in the space provided:
info-center loghost <EventLog Analyzer server IP address> 514 facility <facility>

4. Exit the configuration mode.

Configuring the Syslog Service on Malwarebytes devices
To configure the Syslog service in your Malwarebytes devices, follow the steps below:
1. Log into the Management console of the Malwarebytes device.

2. Move to the Admin pane and open the Syslog Settings tab.

3. Click Change and tick the Enable Syslog check box.

4. To export traffic monitoring logs to the EventLog Analyzer server, enter the following details in the space provided:

Address: <EventLog Analyzer server IP address>
Port: <513/514>
Protocol
Payload format: <CEF>

5. Click OK to save.

Configuring the Syslog Service on Meraki devices
To configure the Syslog service in your Meraki devices, follow the steps below:
1. Login to the Meraki device as an administrator.

2. From the dashboard, navigate to Network-wide > Configure > General.

3. Click on the Add a syslog server link. In the given fields, enter the EventLog Analyzer server IP address and UDP port number.

4. Define the roles so that data can be sent to the server.

Note: If the Flows role is enabled on a Meraki security appliance, then logging for individual firewall rules can be enabled/disabled. This can be done by navigating to Security appliance > Configure > Firewall and editing the Logging column.

5. Click Save.

Configuring the Syslog Service on FireEye devices
1. Login to the FireEye device as an administrator.

2. Navigate to Settings > Notifications, select rsyslog and the Event type.

3. Click Add Rsyslog Server.

4. In the dialog box that opens, enter the EventLog Analyzer server IP address in the given field. Choose UDP as the protocol and the format as CEF (default).

5. Click Save.

Configuring the Syslog Service on pfSense devices
1. Login to the pfSense device.

2. Navigate to Status > System logs > Settings.

3. Enable Remote Logging.

4. Specify the IP address and port of the EventLog Analyzer server.

5. Check all the Remote Syslog Contents.

6. Click Save.

Configuring the Syslog Service on Symantec DLP devices
1. Locate and open the config\Manager.properties file. The file path is as follows:

2. Windows - \SymantecDLP\Protect\config directory

3. Linux - /opt/SymantecDLP/Protect/config directory

4. Uncomment the systemevent.syslog.host= line and specify the EventLog Analyzer server IP address as follows:

systemevent.syslog.host=xxx.xx.xx.xxx

5. Uncomment the systemevent.syslog.port= line and specify 514 as the port to accept connections from the Symantec Enforce Server as follows:

systemevent.syslog.port=514

6. After making the above mentioned changes, save and close the properties file.

Configuring the Syslog Service on Symantec Endpoint Protection devices
1. Login to the Symantec Endpoint Protection device as an administrator.

2. Navigate to Admin > Servers. Select the local site or remote site from which log data must be exported.

3. Click Configure External Logging.

4. In the General tab, from the Update Frequency list, choose how often log data should be sent to the file.

5. In the Master Logging Server list, select the management server to which the logs should be sent.

6. Check the Enable Transmission of Logs to a Syslog Server option.

7. Enter the following details in the given fields.

Syslog Server - Enter the EventLog Analyzer IP address or domain name.

Destination Port - Select the protocol to use and enter the destination port that the Syslog server should use to listen for Syslog messages.

Log Facility - Enter the number of the log facility that you want the Syslog configuration file to use. Valid values range from 0 to 23. Alternatively, you could use the default.

8. Click OK.

Configuring the Syslog Service on H3C devices
1. Login to the H3C security device as an administrator.

2. Navigate to System view mode.

3. Enable the Info center check box.

4. Configure an output rule for the host:


info-center source {<module-name>|default} {console|monitor|logbuffer|logfile|loghost} {deny|level <severity>}
5. Specify a log host and configure the below parameters:
info-center loghost {<ELA_SERVER_IP>} [port <port_number>][facility <local-number>]
6. Now you have successfully configured the H3C security device.

Configuring the Syslog service on Stormshield firewalls
To enable log collection from Stormshield devices, follow the below steps:
1. Login to the firewall.

2. Click on the Configuration tab.

3. Click on the Notification button. Select Enable to start the Syslog service.

4. In the Destination field, enter the IP address of EventLog Analyzer.

5. Click Save.

Configuration steps for Syslog forwarding from F5 devices to EventLog Analyzer
1. To forward system logs:

Log in to the Configuration Utility.

Navigate to System > Logs > Configuration > Remote Logging.

Enter the remote IP. The remote IP in this case would be the EventLog Analyzer server's IP address.

Enter the remote port number. The default remote port for EventLog Analyzer is 514.

Click on "Add".

Click on "Update".

2. To forward event logs (e.g., Firewall Events):

Create a management port destination

1. Log in to the Configuration Utility.

2. Navigate to System > Logs > Configuration > Log Destinations.

3. Click on "Create."

4. Enter a name for the log destination.

5. To specify the log type, click on "management port".

6. Enter the IP address of the EventLog Analyzer server.

7. Enter the listening port of the EventLog Analyzer server. The default listening port is 514.

8. For protocol, select the UDP protocol.

9. Click on "Finish".

Create a formatted remote syslog destination.

1. Now navigate to System > Logs > Configuration > Log Destinations.

2. Click on "Create".

3. Enter a name for the log destination.

4. To specify the log type, select remote syslog.

5. Under syslog settings, set the syslog format as "syslog" and select the forward to management Port as
the syslog destination.

6. Click on "Finish".

Create a log publisher to forward the logs.

1. Navigate to System > Logs > Configuration > Log Publishers.

2. Click on "Create".

3. Enter a name for the log publisher configuration.

4. In the available list, click the previously configured remote syslog destination name and move it to the selected list.

5. Click on "Finish".

Create a logging profile for virtual servers

1. Navigate to Security > Event Logs > Logging Profiles.

2. Click on "Create".

3. Enter a profile name for the logging profile.

4. Then enable the network firewall by clicking on the checkbox.

5. Under the network firewall settings, enter the publisher. Enter the previously configured Syslog publisher.

6. Under log rule matches, click on "Accept, Drop, and Reject." (Note: If you do not want any logs, you can disable it.)

7. Leave other options in default. ( Note: Storage Format should be "none")

8. Then click on "Create".

Apply Logging Profile to corresponding Virtual Server

1. Now navigate to Local Traffic > Virtual Servers.

2. Select the virtual server to which you want to apply the logging profile.

3. At the top, click the Security tab and click on the policy.

4. Go to Network Firewall.

5. Set Enforcement: Enabled, and select your network firewall policy.

6. Under Log Profile, Enable the log profile and select previously configured logging profile.

7. Then click on Update.

Configuration steps for Syslog forwarding from Trend Micro - Deep Security devices to EventLog Analyzer
1. To forward system events to the ELA server:

Go to Administration > System Settings > Event Forwarding.

Select Forward System Events to a remote computer (via Syslog) in the SIEM section.

Specify the following information and then click Save:

1. Hostname <EventLog Analyzer IP>

2. UDP port <default 514>

3. Syslog Format <CEF>

4. Syslog Facility

2. To forward security events to ELA server:

Go to Policies.

Double-click the policy you want to use for computers to forward security events via the Deep Security Manager.

Go to Settings > SIEM and select Forward Events To > Relay via the Manager for each applicable protection module.

Specify the following information that is required for relaying events via the Deep Security Manager and then click Save:

1. Hostname <EventLog Analyzer IP>

2. UDP port <default 514>

3. Syslog Format <CEF>

4. Syslog Facility
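To confirm that a device configured as in the sections above is actually forwarding with the facility, severity and CEF payload format you selected, the following added example (not part of this guide or of EventLog Analyzer) decodes the syslog PRI header and the CEF header and extension of captured lines and reports any mismatch. The sample lines, and the vendor and product names in them, are constructed.

```python
"""Verify that messages forwarded by a device arrive with the facility, severity
and payload format configured in the steps above (for example Facility DAEMON,
Severity INFORMATION, Format CEF).

Added example for this guide, not EventLog Analyzer code. The sample lines below
are constructed; vendor and product names in them are placeholders."""
import re

# Syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424 numbering).
FACILITIES = {0: "KERN", 1: "USER", 2: "MAIL", 3: "DAEMON", 4: "AUTH",
              5: "SYSLOG", 6: "LPR", 7: "NEWS", 8: "UUCP", 9: "CRON",
              10: "AUTHPRIV", 11: "FTP", 16: "LOCAL0", 17: "LOCAL1",
              18: "LOCAL2", 19: "LOCAL3", 20: "LOCAL4", 21: "LOCAL5",
              22: "LOCAL6", 23: "LOCAL7"}
# Index = severity code; names match the severity labels used in this guide.
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTICE", "INFORMATION", "DEBUG"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def parse_pri(message):
    """Return (facility_name, severity_name, remainder) for a '<PRI>...' line."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    name = FACILITIES.get(facility, "FACILITY%d" % facility)
    return name, SEVERITIES[severity], message[m.end():]


def split_cef_header(payload):
    """Split the seven pipe-delimited CEF header fields, honouring the \\| and
    \\\\ escapes the header allows. Returns (fields, extension_text)."""
    fields, buf, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload) and payload[i + 1] in "|\\":
            buf.append(payload[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, payload[i:]


def parse_cef_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict, unescaping \\= \\\\ \\n \\r."""
    keys = list(EXT_KEY_RE.finditer(ext))
    parsed = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        parsed[m.group(1)] = re.sub(r"\\(.)", lambda e: EXT_ESCAPES.get(e.group(1), e.group(0)), raw)
    return parsed


def check_forwarded_message(message, expect_facility="DAEMON",
                            expect_severity="INFORMATION", expect_cef=True):
    """Compare one received line with the values configured on the device.
    An empty 'problems' list means the device is sending what was configured."""
    facility, severity, rest = parse_pri(message)
    problems = []
    if facility != expect_facility:
        problems.append("facility is %s, expected %s" % (facility, expect_facility))
    if severity != expect_severity:
        problems.append("severity is %s, expected %s" % (severity, expect_severity))
    cef = None
    start = rest.find("CEF:")
    if start >= 0:
        fields, ext = split_cef_header(rest[start:])
        cef = {"version": fields[0].split(":", 1)[1], "vendor": fields[1],
               "product": fields[2], "device_version": fields[3],
               "signature_id": fields[4], "name": fields[5],
               "severity": fields[6], "extension": parse_cef_extension(ext)}
    elif expect_cef:
        problems.append("payload is not CEF")
    return {"facility": facility, "severity": severity, "cef": cef, "problems": problems}


# Constructed sample lines: <30> = DAEMON(3)*8 + INFORMATION(6); <134> = LOCAL0(16)*8 + 6.
SAMPLE_OK = ("<30>Jan  5 10:15:02 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|"
             "Connection denied|5|src=10.0.0.5 dst=10.0.0.9 spt=51515 dpt=445 "
             "msg=Blocked by rule\\=deny-smb act=deny")
SAMPLE_WRONG_FACILITY = ("<134>Jan  5 10:15:03 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|101|"
                         "Connection allowed|3|src=10.0.0.5 dst=10.0.0.9")
SAMPLE_NOT_CEF = "<30>Jan  5 10:15:04 fw01 kernel: connection allowed from 10.0.0.5"

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_WRONG_FACILITY, SAMPLE_NOT_CEF):
        result = check_forwarded_message(line)
        print(result["facility"], result["severity"], result["problems"] or "OK")
```

Feed it the lines captured on the EventLog Analyzer server's listening port (513 or 514 in the sections above); a non-empty problems list points at the device-side field that still needs correcting.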

Chapter 7 User Interface

User Interface Tabs


EventLog Analyzer's user interface tabs help you navigate to different sections of the product. The tabs include:

Home tab
The home tab contains multiple dashboards that give you insights into important network activities. The below dashboards
are present by default when you click on the Home tab:

Events Overview
Network Overview
Security Overview
VPN Overview

Events Overview

This tab presents a high-level overview of security events by generating graphical reports such as Logs Trend, Syslog
Severity Events, Windows Severity Events, and Recent Alerts. These reports are generated for events that occur in a
specific time frame (which can be customized). Hovering your mouse pointer over the charts or graphs will give you
information about the Event Count of a particular device, its IP address, and the Severity of the event (Information, Notice,
Debug, Warning, Alert, Error, Critical, and Emergency).

Network Overview

This tab gives you information about network traffic in your environment. It provides details on the traffic trend, allowed
and denied network connections, and more to help you track events of interest.

Security Overview

The security overview dashboard consolidates events from network devices such as IDS/IPS, endpoint security solutions,
vulnerability scanners, and other threat detection solutions. This dashboard contains reports that help security teams keep
tabs on crucial security events such as vulnerabilities and threats. It also has an interactive widget on IDS/IPS attacks, which
helps you identify the type of attack, number of attack attempts, and the time when the attack happened.

The dashboard also contains the Alerts Count Overview widget that displays the number of alerts triggered in a given time
frame.

VPN Overview

You can customize the Home tab to include the VPN Overview tab by navigating to Settings > Add Tab > VPN Overview.
EventLog Analyzer monitors VPN session activities and generates reports to help you visualize events of interest. The VPN
Overview dashboard will give you insights on VPN user and session activities by displaying widgets such as Live Sessions
Count, Total Logon Hours, Average Login Time, Closed Sessions, and Top Users and Status. You can also customize the VPN
dashboard by adding and reordering widgets by navigating to Settings > Add Widgets and Settings > Reorder Widgets
respectively.

The Home tab also contains the Log Sources, date and time selection, and settings icons.

Log Sources tab


When you click on the Log Sources tab, three tabs are displayed:

Devices
Applications
File Integrity Monitoring

Devices

The Devices section displays the entire list of systems (Windows, Linux, IBM AS/400, HP-UX, etc.) and devices (routers,
switches, etc.), from which EventLog Analyzer is collecting logs. The device list displayed is categorized based on the Device
group selected from the drop-down list (default: All Groups). You can add a new device ( +Device), or add and schedule new
reports (+Schedule) from this section. You can search for a particular device based on its IP Address or Device Name, delete
a device or set of devices, and disable/enable log collection from a particular device or set of devices.

The device list table displays details like device type, event summary (error, warning, failure, others), connection status of
the device, time when the last log message was fetched, and device group to which the device belongs. Moving the mouse
over any device brings up some options:

View the last 10 events collected from a particular device.
Update the device details.
Ping the device.
Enable/disable log collection from the device.

You can even customize the columns you would like to display in the device table by clicking the column selector icon or
increase the number of devices that are displayed per page (from a minimum of 5 devices per page to a maximum of 200
devices per page). Using the drop down menu, you can list out only the Active devices or Enabled devices and have the
option to exclude synced devices from Active Directory Audit Plus.

Applications

The Applications section provides an overview pie-chart (which can be drilled down to raw log information) and lists the
devices from which application logs for IIS W3C Web Servers, IIS W3C FTP Servers, MS SQL Servers, Oracle Live Audit,
DHCP Windows/Linux Servers, Apache Web Servers or Print Servers, have been received or imported into EventLog
Analyzer. The device list displayed is categorized based on the Application Type selected from the drop-down list. Application
logs can be imported into EventLog Analyzer by selecting +Import from the Actions drop-down list.

The application device list displays details like device name, application type, total events, recent records, time imported,
start time and end time. Click on the device name or the corresponding section in the pie chart to get the complete
overview of the application event data, and generate corresponding reports. You can even customize the columns you
would like to display in the application device table by clicking the column selector icon.

File Integrity Monitoring

The File Integrity Monitoring dashboard gives information about changes made to files and folders of Windows, Linux, and
Unix machines. It tabulates and reports on the files and folders created, deleted, modified, and renamed. It also displays
changes made to file and folder permissions.

At the top of this dashboard, you can find the Manage File Integrity Monitoring tab which allows you to add, delete, and
manage devices for File Integrity Monitoring. The FIM Alert tab allows you to configure alerts for anomalous file and folder
modifications. The FIM Scheduled Reports tab helps you view and export scheduled reports.

Date and time


You can generate and view all the audit reports for the required time frame using the date and time box provided.

Settings icon
The settings icon displays multiple options to customize all dashboards by adding, managing, and ordering the widgets and
tabs that are displayed. You can also refresh the changes made to the time frame in the product using the Refresh Interval
option.

Reports tab
This tab displays a dashboard that contains reports for all events taking place in your network. At the top left corner, you
can find a drop-down menu that allows you to choose and view reports based on Devices, Applications, File Monitoring,
Threats, Vulnerability, and Virtual Machines. You can also view Custom Reports, User Based Reports, and Top and Trend
reports by clicking on the required option from this drop-down menu. The Export As drop-down menu enables you to
export reports in either the CSV or PDF formats. You can schedule reports by clicking on the +Add option present in the
Schedule Reports tab.

On the left pane, you can find multiple pre-defined reports that are automatically generated when log sources are added to
EventLog Analyzer. You can also create custom reports by clicking on the Manage Reports tab present at the lower-left
corner of the screen. The Scheduled Reports tab allows you to view existing scheduled reports and export them as and
when needed.

Compliance tab
The Compliance tab provides the set of canned reports as required by various compliance policies, namely, FISMA, PCI-DSS,
SOX, HIPAA, GLBA, GPG, and ISO 27001:2013. The +Add option allows you to create and select the reports required for a
new compliance policy of your choice. The Edit option allows you to customize the reports available under each compliance
policy.

Search tab
The Search tab provides two options to search the raw logs: Basic Search or Advanced Search. The search result is
displayed in the lower half of the page and the final search result can be saved as a report (in PDF or CSV format) and can
also be scheduled to be generated at predefined intervals and be automatically mailed to a set of configured users.

You can use Basic search if you are interested in manually constructing the search query. Here you can use phrase search,
Boolean search, grouped search, and wild-card search to build your search query. You can use Advanced search to
interactively build complex search queries easily with field value pairs and relational operators. New fields can be extracted
from the search result and regular expression (regex) patterns can be constructed to easily identify, parse and index these
fields in new logs received by EventLog Analyzer.

Correlation tab
The Correlation engine analyzes logs collected from different parts of the network and generates alerts for suspicious
patterns of events. The dashboard, by default, displays the report on Recent Incidents. You can create and modify
correlation rules by clicking on the Manage Rules tab present in the dashboard.

Alerts tab
This tab displays the number of Active Alerts in the dashboard along with their severities. You can view tabulated
information about the alerts, their time of generation, the status, and their corresponding response workflow (if configured)
in the dashboard.

Settings tab
This section allows you to configure EventLog Analyzer as per your requirements. It has three sub-sections as given below:

Configuration Settings

This section allows you to Manage Devices, Device Groups, Application Sources, Import Log Data, Threat Sources, File
Integrity Monitoring, Vulnerability Data, FIM Templates, and vCenter. You can also configure threat management and log
forwarding from this section.

Admin Settings

This section allows you to perform various administrative activities by managing Alert Profiles, Archives, Technicians and
Roles, DB Retention Settings, Log Collection Filters, Working Hour Settings, Product Settings, Log Collection Failure Alerts,
Dashboard profiles, Privacy Settings, Logon Settings, Domain and Workgroups, Report Profiles, Resource Grouping, Custom
Log Parsers, Tags, and Log360 Cloud platform.

System Settings

This section can allow you to configure various settings including Notification Settings, Server Diagnostics, Database
Access, Re-branding, NT Service, Connection Settings, and Listener Ports.

Add tab
This tab allows you to easily add log sources from Devices and Applications. It also has the provision to let you import logs
from other sources. You can add Alert Profiles, Log Filters and create custom Reports from this tab.

Dashboard Views
EventLog Analyzer has a near real-time dashboard that presents security related data in the form of graphs and charts. The
dashboard helps you discern anomalies quickly, investigate threats and attack patterns, and get insights from log trends.
This dashboard is customizable.

Dashboard tabs:
The EventLog Analyzer dashboard comes with the following default subtabs:

Events Overview
Network Overview
Security Overview

Each tab consists of numerous widgets.

Events Overview

This tab presents an overview of various security events monitored by EventLog Analyzer. The widgets in this dashboard
provide insights on the various critical events generated in the network during the specified time frame.

The Events Overview tab has the following widgets:

All Events: This widget presents the total number of events/logs collected by EventLog Analyzer during the given time frame.

Windows Events: This widget presents the total number of Windows-based events collected by EventLog Analyzer during the chosen time frame. In addition to that, the pie chart splits the Windows events into error events, failure events and warning events. Success/info events are filtered and not displayed.

Syslog Events: This widget presents the total number of Syslog events collected during the given time frame. Furthermore, the pie chart splits the syslog events into warning, error and critical events.

All Devices: This widget provides a count of all the enabled devices from which log data is being collected. The server image in the corner will have a green tick if all logs are being collected successfully. A warning icon indicates that logs aren't being collected from some of the devices. Additionally, this widget has a View All Devices link. Clicking on the link will redirect you to the device dashboard page, which will provide detailed information on each device.

The Events Overview tab also has the following widgets:

Logs Trend: This widget presents a time-based log count trend of all events/logs ingested into EventLog Analyzer. The X-axis represents the time range, which is based on the calendar range you choose. If you choose a time range of less than 24 hours, then the graph will present you with hourly log trend data. The Y-axis represents the Event Count.

Top 5 Devices: This widget presents the top 5 devices based on event count.

Recent Alerts: This widget presents the 50 most recent alerts for the given time range.

Security Events: This widget shows a summary of various security events such as Logon, Account Logon, Account Management, and Object Access.

Windows Severity Events: This widget displays a graph in which the X-axis represents the Severity of a Windows Event and the Y-axis represents the Event Count.

Syslog Severity Events: This widget displays a graph in which the X-axis represents the Severity of a Syslog Event and the Y-axis represents the Event Count.

Top 5 File Integrity Monitoring Events: This widget presents a 3D graph which displays the details of the top 5 file servers based on the log count. Each row contains additional data on various file-based events.

Application Events: This widget displays a pie chart of the top 10 applications, like IIS, DHCP etc., based on event count.

Network Overview

This tab gives an overview of various network-related events monitored by EventLog Analyzer by generating graphical
reports. The widgets in this dashboard provide insights on the various critical events generated in the network during the
specified time frame.

The Network Overview tab has the following widgets:

Total Network Events: This widget presents the total number of network-based events collected by EventLog Analyzer during the given time frame. Network-based events refer to events collected from network devices such as firewalls, switches and routers.

Allowed Connections: This widget presents the count of all the connections that were allowed by the network device. The pie chart highlights the allowed connections from the total number of connections that occurred in the network during the specified time period.

Denied Connections: This widget presents the count of all the connections that were denied by the network device. The pie chart highlights the denied connections from the total number of connections that occurred in the network during the specified time period.

Network Devices: This widget provides a total count of network devices that are added for monitoring.

The Network Overview tab also has the following widgets:

Traffic Trend: This widget presents a 3D graph that shows a time-based trend of allowed traffic and blocked traffic. The X-axis represents the time range. It will be based on the calendar range you choose. If the calendar range is less than 24 hours, then this will show hourly ranges. If it is less than 1 hour, it will show 1 minute ranges. If it is less than 30 days, it will show 1 day ranges. If it is more than 30 days, it will show 1 month ranges. The Y-axis represents the Event Count.

Top Network Devices: This widget displays the top 10 network devices based on the log count. Each row is further split into allowed traffic and blocked traffic.

Top 5 Denied Connections by Source: This widget displays the top 5 sources for which connections were denied.

Recent Interface Status Changes: This widget shows the recent interface status for each interface in each network device. The red downwards arrow indicates that the interface is down. The green upwards arrow indicates that the interface is up.

Top Websites Accessed: This widget categorizes the top 10 websites accessed based on the number of times the site was accessed.

Top VPN Logons by User: This widget lists the top 10 users based on VPN logons.

Security Overview

This tab provides an overview of the key security events monitored by EventLog Analyzer. The widgets in this dashboard
provide insights on the various critical events generated in the network during the specified time frame.

The Security Overview tab has the following Widgets:

Correlative Incidents: This widget refers to the number of incidents detected via EventLog Analyzer's correlation engine.

Threats Detected: This widget presents the total number of threats detected during the chosen time frame from the Threat Sources (such as Symantec, McAfee, Malwarebytes etc.) added in EventLog Analyzer.

Vulnerabilities: This widget displays the total number of vulnerabilities detected by the vulnerability scanner(s) whose data are being imported into EventLog Analyzer.

IDS/IPS: This widget presents the total count of IDS/IPS events during the chosen time frame.

Threats detected by Advanced Threat Analytics: This widget displays the count of threats detected by the "Advanced Threat Analytics" feature in EventLog Analyzer.

The Security Overview tab also has the following widgets:

Alert Count Overview: This widget provides an overview of each configured alert profile. The X-axis denotes the alert profile and the Y-axis denotes the count.

Top Network Attacks (IPS/IDS): This widget includes a 3D graph showing a time-based trend for IDS/IPS events. The X-axis represents the time range. It will be based on the calendar range you choose. The Y-axis represents the event count and the Z-axis represents the IDS/IPS event type. The top 10 events are displayed based on the event count.

Recent Threats Identified: This widget displays the most recent 50 threats based on the calendar range.

Recent Correlated Incidents: This widget is similar to Alert Count Overview. It provides an overview of the recent correlated incidents. The X-axis denotes the correlation rule and the Y-axis denotes the event count.

Top Affected Endpoints from Threat Sources: This widget shows the top 5 endpoint devices in which threats were detected by Threat Sources (Symantec, McAfee, etc.).

Top Vulnerabilities from Vulnerability Scanners: This widget includes a pie chart that displays the top 5 vulnerabilities (selected on the basis of event count) detected in endpoint devices by the vulnerability scanner.



In addition to the above, predefined templates are also available for dedicated monitoring of Cisco, IIS and SQL Server
Devices.



Customizing Dashboard Views
The dashboard is populated using the data collected from various log sources. Click Log Sources on the top-right corner of
the dashboard to view the list of devices, applications, and monitored files from which the data is being collected.

To edit dashboard profiles, click here.

To customize the dashboard according to your preferences, the following options are available to you:

Adding a new tab to the dashboard


To add a new tab to the dashboard,

In EventLog Analyzer's dashboard, click the icon on the top-right corner and select Add Tab.

In the pop-up box that appears, you can see the following:
1. Three default tabs: Events Overview, Network Overview, and Security Overview

2. Three predefined templates: Cisco Overview, IIS Overview, and SQL Server Overview

3. Add Custom Tab option

Click Add Custom Tab. Enter a name for the tab in the given field and click Add.
Navigate to the new tab in your dashboard and click Add Widget to start adding widgets of your choice.



If you want to add an existing report as a widget, click here to know how.

Adding a new widget to a tab


To add a new widget,

In EventLog Analyzer's dashboard, navigate to the tab to which you want to add a new widget and click the icon
on the top-right corner.
Click Add Widget. In the pop-up box that appears, select the widget, widget type, chart type, chart color, and enter
a display name for the widget.

Once you've entered all the details, click Add.

You also have the option of pinning a report as a new widget. To know how, click here.

Deleting and reordering tabs in the dashboard


To delete tabs from the dashboard,



In EventLog Analyzer's dashboard, click the icon on the top-right corner and click Manage Tabs.

In the Manage Tab dialog box that appears, click the icon corresponding to that tab that you want to delete.
In the pop-up confirmation box, click Yes to complete the deletion of the tab

To edit the order of tabs in the dashboard,

In EventLog Analyzer's dashboard, click the icon on the top-right corner and click Manage Tabs.

Click the icon and drag and drop the tabs in the order of your choice.

Reordering and resizing widgets


To reorder the widgets in a tab,

In EventLog Analyzer's dashboard, navigate to the tab whose widgets you want to reorder, click the icon on the
top-right corner and click Reorder Widgets.
Click and drag the widgets wherever you want to place them.
You can also resize widgets by dragging them from their bottom-right corner and adjusting their sizes as required.
Click on the Save button present on the top-right corner.

Editing and deleting widgets


To edit a widget in a tab,

In EventLog Analyzer's dashboard, click the icon corresponding to the widget that you want to edit.
Select Edit Widget. Update the necessary information and click Update.

To delete a widget from a tab,

In EventLog Analyzer's dashboard, click the icon corresponding to the widget that you want to delete.
Select Delete Widget and click Yes in the pop-up box that appears.

Viewing the dashboard in full screen mode


To view the dashboard in full screen,



In EventLog Analyzer's dashboard, click the icon on the top-right corner.

In the full screen view, you can view a slideshow of the tabs by clicking the play icon located at the top of the
screen.
You can switch to different tabs by clicking on the drop-down button located at the top of the screen.
You can also remove a particular tab from the slideshow by clicking the toggle button next to the name of the tab in
the drop-down list.
You can also switch to dark mode by clicking the toggle button at the top-right corner of the screen.
To go back to the normal viewing mode, click the icon.

Viewing a widget in full screen mode


To view a widget in full screen, in EventLog Analyzer's dashboard, click the icon on the top-right corner of the widget
you want to view.

Refreshing the dashboard and widgets


To refresh the dashboard, in EventLog Analyzer's dashboard, click the icon on the top-right corner of the screen.



To refresh a particular widget, in EventLog Analyzer's dashboard, click the icon on the top-right corner of the widget.

Changing refresh interval


To change the time interval for the automatic refreshing of the dashboard,

In EventLog Analyzer's dashboard, click the icon on the top-right corner and click Refresh Interval.
In the pop-up box that appears, select the refresh interval: Never, 30 Secs, 1 Min, 5 Mins, 10 Mins, or 1 Hr.

Note: If you choose Never for the refresh interval, the dashboard will never be refreshed automatically. You will have to refresh it manually.

Check out our video for a step by step demonstration of customizing the EventLog Analyzer dashboard here.



Chapter 8 EventLog Analyzer Reports

EventLog Analyzer Reports


EventLog Analyzer offers 1000+ out-of-the-box reports and also the capability to create custom reports as per your
requirements. These reports can help review the key security events happening in your network and also meet compliance
requirements.

The reports can be accessed from the Reports tab of the UI. The event counts shown in the reports can be drilled down to
the raw logs. The logs can be further filtered based on various log fields. EventLog Analyzer also allows you to schedule
reports to be automatically generated and emailed periodically. The custom report profiles can be exported as XML files and
later imported if needed.

Types of reports
EventLog Analyzer offers a wide category of reports. Some of them are listed below.

Windows

The Windows reports allow you to get an overview of the events happening in your Windows environment. A few examples
are given below:

Windows Logon Reports


Policy Changes
Windows Logoff Reports
Windows Firewall Threats
Application Crashes

Unix

The Unix reports allow you to get an overview of the events happening in your Unix environment. A few examples are given
below:

Unix Logon Reports


Unix Logoff Reports
Unix Failed Logon Reports
Unix User Account Management
SU Commands

Applications

The application reports allow you to get an overview of the events happening in the applications installed in your network.
ManageEngine EventLog Analyzer supports a wide range of applications including Terminal Server, DHCP Windows and
Linux Servers, MS IIS W3C FTP Server, MS IIS W3C and Apache Web Servers, MS SQL and Oracle Database Servers,
Sysmon, and Print Server. These reports also help you to identify the performance and security status of the above
applications.

A few examples are given below.



Terminal Server Gateway Logons
SQLServer DDL Auditing Report
Oracle Security Reports
Printer Auditing

Network Devices

The network devices reports allow you to get an overview of the events happening in your networking devices. A few
examples are given below.

Router Logon Report


Router Configuration Report
Router Accepted Connections
Firewall Account Management
Network Device Risk Reports

Custom Reports

The custom reports that you have created will be listed in this section.



Setting up Windows Event Log Reports
EventLog Analyzer comes packaged with over 1,000 predefined reports that help organizations view consolidated security
events, conduct security audits, and meet various compliance requirements. These reports help organizations visualize
security events in their network and meet various security and compliance requirements.

In this help document, you will learn to set up Windows report generation.

Setting up Windows report generation


In EventLog Analyzer, most Windows reports get generated automatically once the device is added for monitoring and the
event source is configured. To learn how to add a device, check out this page. To learn how to configure an event source,
check out the "How to configure event source files in a device?" section in this page.

Certain reports, listed in the table below, require keys to be created manually in the Windows Registry of the monitored device.
To set up the generation of these reports, follow the steps given below.

Make sure event logging has been enabled in Event Viewer by right-clicking the event source > Properties and checking the
Enable logging box.
Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > EventLog. Here,
create the keys given in the New keys column of the table below.
Next, open the Local Group Policy Editor and navigate to Computer Configuration > Windows Settings > Security Settings.
Further paths and steps to enable the generation of reports are given in the Audit policies column.

Reports: AppLocker Application Whitelisting Reports
New keys: Microsoft-Windows-AppLocker/EXEandDLL; Microsoft-Windows-AppLocker/MSI and Script
Audit policies: Enable AppLocker under Application Control Policies.
Other prerequisites: Start the Application Identity service. On creation of the two new keys, an event source
Microsoft-Windows-AppLocker/EXEandDLL will appear in the left panel of Event Viewer. Right-click the event source, click
Properties, and copy the Log path. Then navigate to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-AppLocker/EXE and DLL
and create an expandable string value named File, using the copied log path as its Value data. Configure the Executable
rules, Windows Installer rules, and Script rules under the audit policies mentioned above. Restart the machine.

Reports: Windows Firewall Auditing Reports
New keys: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Audit policies: Enable Audit MPSSVC Rule-Level Policy Change, under Advanced Audit Policy Configuration > Policy Change.

Reports: Removable Disk Auditing
New keys: Microsoft-Windows-DriverFrameworks-UserMode/Operational
Audit policies: Enable Audit Handle Manipulation and Audit Removable Storage, under Advanced Audit Policy Configuration >
Object Access.
Other prerequisites: Set a SACL on the removable disk by right-clicking the required folder and navigating to Properties >
Security tab > Advanced > Auditing.

Reports: Registry changes
New keys: none
Audit policies: Enable Audit Registry, under Advanced Audit Policy Configuration > Object Access.
Other prerequisites: Set a SACL on the registry key by right-clicking the required key in Registry Editor and navigating to
Permissions > Advanced > Auditing.

Reports: Windows Backup & Restore Reports
New keys: Microsoft-Windows-Backup
Audit policies: No modification required.

Reports: Windows System Events
New keys: Microsoft-Windows-GroupPolicy/Operational; Microsoft-Windows-NetworkProfile/Operational;
Microsoft-Windows-WindowsUpdateClient/Operational; Microsoft-Windows-Winlogon/Operational;
Microsoft-Windows-WLAN-AutoConfig/Operational; Microsoft-Windows-TerminalServices-Gateway/Operational;
Microsoft-Windows-TerminalServices-RDPClient/Operational;
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational; Microsoft-Windows-Wired-AutoConfig/Operational
Audit policies: No modification required.

Reports: Hyper-V Server Events; Hyper-V VM Management Reports
New keys: Microsoft-Windows-Hyper-V-Worker-Admin; Microsoft-Windows-Hyper-V-VMMS-Storage;
Microsoft-Windows-Hyper-V-VMMS-Networking; Microsoft-Windows-Hyper-V-VMMS-Admin;
Microsoft-Windows-Hyper-V-Hypervisor-Operational
Audit policies: No modification required.

Reports: Program Inventory Reports
New keys: Microsoft-Windows-Application-Experience/Program-Inventory
Audit policies: No modification required.

Reports: IIS
New keys: Microsoft-IIS-Configuration/Operational
Audit policies: No modification required.
Other prerequisites: To access IIS reports, open EventLog Analyzer and navigate to Reports > IIS W3C web server > IIS Admin
Configuration Reports.

Reports: Print service
New keys: Microsoft-Windows-PrintService/Operational; Microsoft-Windows-PrintService/Admin
Audit policies: No modification required.

Reports: Terminal
New keys: Microsoft-Windows-TerminalServices-Gateway/Operational
Audit policies: No modification required.

EventLog Analyzer will now start generating the reports mentioned in the table.
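The steps in the table above are written for regedit, gpedit and Event Viewer. The following script is an added example, not part of the EventLog Analyzer guide or ManageEngine's tooling, showing the same prerequisites scripted for a fleet of monitored Windows hosts: registering the event source keys, enabling the advanced audit subcategories, preparing the AppLocker channel, and placing a SACL on a registry key so that Audit Registry actually emits events. It assumes an elevated PowerShell 5.1 or later session on the monitored host; the key HKLM:\SOFTWARE\Contoso\Audited is a made-up target for the SACL step.

```powershell
# Added example (not from the EventLog Analyzer guide): script the report prerequisites
# from the table above. Run from an elevated PowerShell prompt on the monitored host.
#Requires -RunAsAdministrator

# 1. Register the custom event sources under HKLM\SYSTEM\CurrentControlSet\Services\EventLog.
#    The .NET registry API is used because the names contain "/", which the PowerShell
#    registry provider may treat as a path separator.
$eventLogRoot = 'SYSTEM\CurrentControlSet\Services\EventLog'
$newKeys = @(
    'Microsoft-Windows-AppLocker/EXEandDLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall',
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
)
foreach ($name in $newKeys) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$eventLogRoot\$name")
    $key.Close()
    Write-Host "Created event source key: $name"
}

# 2. Enable the advanced audit subcategories from the "Audit policies" column.
#    auditpol changes the effective local policy only; a domain GPO that configures the
#    same subcategories will overwrite these settings at the next policy refresh.
$subcategories = @(
    'MPSSVC Rule-Level Policy Change',  # Windows Firewall Auditing Reports
    'Handle Manipulation',              # Removable Disk Auditing
    'Removable Storage',                # Removable Disk Auditing
    'Registry'                          # Registry changes
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 3. AppLocker: start the Application Identity service (sc.exe is used because the
#    service is protected and Set-Service cannot change its start type on recent
#    Windows builds), enable the channel, and read its log path programmatically
#    instead of copying it from the Event Viewer Properties dialog.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
$channel = 'Microsoft-Windows-AppLocker/EXE and DLL'
wevtutil.exe sl "$channel" /e:true
$logPath = wevtutil.exe gl "$channel" |
    Select-String -Pattern '^\s*logFileName:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
Write-Host "AppLocker channel log path: $logPath"

# Write that path into the expandable string value "File" under WINEVT\Channels, as the
# table instructs. Again via .NET because of the "/" in the channel name.
$channelKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\$channel", $true)
if ($null -eq $channelKey) { throw "Channel key for '$channel' not found" }
$channelKey.SetValue('File', $logPath, [Microsoft.Win32.RegistryValueKind]::ExpandString)
$channelKey.Close()

# 4. Audit Registry produces events only for keys that carry a SACL. Put one on the
#    key the Registry Changes reports should cover (Contoso\Audited is made up here).
$auditedKey = 'HKLM:\SOFTWARE\Contoso\Audited'
if (-not (Test-Path $auditedKey)) { New-Item -Path $auditedKey -Force | Out-Null }
$acl  = Get-Acl -Path $auditedKey -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $auditedKey -AclObject $acl

# 5. Verify the effective policy before expecting the reports to populate.
foreach ($sub in $subcategories) { auditpol.exe /get /subcategory:"$sub" }
```

Auditing "Everyone" for write-type rights on a busy key can be noisy; scope the audited rights and the key to what the report needs, and check `auditpol /get` after the next Group Policy refresh to confirm a domain policy has not silently reverted the subcategories.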



Manage Predefined Reports
EventLog Analyzer allows you to personalize the appearance of the reports page as required. You can customize the
arrangement of reports and report groups.

Customizing the arrangement of reports and report groups


To customize the arrangement of reports and report groups, follow the steps given below.

Open EventLog Analyzer and click on the Reports tab.


Click on Manage Reports at the bottom of the left panel. Then, click on Manage Predefined Reports at the top right
corner.
Select the required log source by clicking on the corresponding tab.
The arrangement of the sub-categories of the log sources, as seen on the top bar of the reports page, will be
displayed. For example, when Devices is chosen as the log source, the top bar will display the first few devices and
the rest is displayed in a drop-down list. You can choose to have your most-used devices displayed first in the top
bar to ensure easy access.

To change the order of devices, hover the mouse pointer on the space to the left of the device name. A icon will
appear.

Use the icon to drag and drop the devices in the required order.
You can also enable or disable reports by clicking on the toggle button under the Enable/Disable Format column
corresponding to the required device.
Similarly, you can also rearrange the reports inside each report group by clicking on the report group and following
the steps mentioned above.



Manage Report Views
EventLog Analyzer allows you to create multiple views of the same report. This enables you to view the report based on
different parameters such as time, domain, source, etc. The different views will be generated from the same set of log data.

In this help document, you will learn to perform the following operations.

Creating a new report view


To create a new report view,



Open EventLog Analyzer and select the Reports tab.

Choose the required report and click on the (Manage Custom Views) icon present on the right corner.

In the pop-up window that appears, click on +Add View.

Enter a suitable name for the view and choose the required parameters on which the view should be based. You can
choose up to four different parameters.
Click on Add.
The new view will be added as a separate tab in the report.

Editing, deleting, or disabling report views


To edit, delete, or disable the views that have been created:



Open EventLog Analyzer and select the Reports tab.

Choose the report whose views you want to edit and click on the (Manage Custom Views) icon present on the
right corner.

In the pop-up that appears you can see a list of views for that report.

To edit a report view, click the icon corresponding to the view that you want to modify. Make the required
changes and click on Update.
To delete a report view, click the icon corresponding to the view that you want to delete.
To enable/disable a report view, check/uncheck the checkbox under the Enable/Disable column, corresponding to
the required view.



Custom Reports
EventLog Analyzer can generate custom reports based on criteria set by you. You can specify the criteria with field values
and logical operators. These reports will be listed under Custom Reports.

Create custom reports


1. Navigate to Reports and select Manage Reports at the bottom-left. In the Manage Reports dashboard, click the +Add new
reports button on the top-right.

2. In the Create Custom Report dashboard, enter a name for your report.

3. Click Select Device to generate reports for specific devices or applications.



4. Click Report Group to add the new report to the desired group. The drop-down displays all available report groups
under Custom Reports. Select one of these or create your own group and click '+'. If not specified, the custom report
will be added to the Default Group.

5. Select the type of view for your report (see types of view).

6. Set the criteria for the report. You can add multiple criteria and perform AND or OR operations between them. You
can also add criteria to groups and perform AND or OR operations between the groups.

7. Click Add to save.



Manage Custom Reports
You can edit, delete, or disable the custom reports.
1. Navigate to Reports. Click Manage Reports at the bottom of the left panel.

2. To edit a custom-made report, click on the adjacent edit icon and make the necessary changes. Click Update.

3. To delete a custom-made report, click on the adjacent delete icon. Click Yes in the pop-up box that appears.

4. To disable a custom-made report, click on the corresponding tick box in the Status column.



5. To share the reports with technicians, hover over the report and click on the share icon that appears. Select the
technician(s) and click Share.

Types of views
Tabular View

This view displays the data in the form of a simple table. You just need to frame the criteria for selecting logs for the report.
You can generate different views of the same tabular view report. To create a new view, refer the Manage Report Views
section.



Summary View

This view gives you a more granular representation of the log data. It allows you to select multiple criteria based on which
data will be displayed. After framing the report criteria, you need to select the fields based on which the summary view
report will be generated.



Note: When you apply only one criterion, a graph is generated. When you apply more than one criterion, no graph is
generated, but the data is displayed in a table.

Pivot View

This view is useful when you have to monitor particular values of the field on which the report is generated. After
selecting the report criteria, you can select the field and the values in that field that you want to monitor. Each of those
values will be displayed as a separate column with its count.



Note: A maximum of five values can be chosen for monitoring.

Multi Report View

This view is useful to monitor numerous reports at one glance. It will give you a holistic view of the reports that you have
added to the multi report. In this view, each report has a View Report button that navigates to the original report.



Schedule Reports
EventLog Analyzer lets you schedule report generation, export, and distribution over email. This page describes the
procedure to create and manage report schedules.

Creating a New Report Schedule



1. Click on the Schedule Report link on the top right corner of the Reports page. Alternatively, you can click on the +Create
New Schedule button on the top right corner of the Scheduled Reports page. This will open the Create New Schedule
page.

2. In the Create New Schedule window,

Enter the name of the schedule, the devices the schedule applies to, and the reports to be included in the schedule.

Schedule Frequency: Specify the frequency at which reports need to be exported. The frequency can be 'Only
Once', 'Hourly', 'Daily', 'Weekly', or 'Monthly'.

Export Time Range: Select the time range for which the report needs to be created and later exported.

Report Format: Choose the file format in which the report needs to be exported i.e. PDF or CSV.

Email Address: Configure the email address to which the reports need to be sent.

Email Subject: Enter the subject of the mail that contains the exported reports.

3. Once you've entered the necessary details for the schedule, click Save to complete creating the report schedule.

Manage Report Schedules


You can view, edit, delete, or disable report schedules. The procedure is as below.



1. Navigate to the Reports page.

2. In the left pane, click Scheduled Reports present at the bottom. You can now see a list of report schedules.

To edit a report schedule, click the edit icon corresponding to the report schedule and make the necessary
changes.

To delete a report schedule, click the corresponding delete icon. Click Yes in the pop-up box that appears.

To disable a report schedule, click on the corresponding tick in the Actions column.



Adding reports to the Favorites section
If you have reports that you frequently refer to, these can either be added to the "Favorites" section or they can be pinned
as a widget in the dashboard for quick access.

Adding a report to the Favorites Section


From the list of available reports, you can select up to 20 reports to be added to the Favorites section.

To add reports to Favorites,

Navigate to the required report.

On the right top corner of the tab, click on More and select Add to Favorites.
The selected report will be added to the Favorites section.
It can now be accessed quickly by clicking on Favorites in the top right corner.

Removing a report from the Favorites section,



Navigate to the report which you want to remove from Favorites.
On the right top corner of the tab, click More and select Remove from Favorites.

Note: While upgrading to the latest build of EventLog Analyzer, favorite reports in Builds 11212 and below will not be retained.

Adding a widget to the EventLog Analyzer Dashboard


Any report of your choice can be pinned to the EventLog Analyzer dashboard for a quick reference.

To pin a report,

Navigate to the report you want to pin to the dashboard.


In the top-right corner of the report, click More and select Pin to Dashboard.
This report will now get added as a widget in the dashboard.



List of Network Device Event Reports
Apart from servers, applications, and workstations, enterprise networks also consist of various perimeter networking
devices such as routers, switches, and firewalls. It is important to monitor these devices to gain visibility into who is
entering and leaving your network.

For instance, a misconfigured router, switch, or firewall can lead to the entry of malicious traffic. Monitoring network
activity along with the changes in perimeter network devices can spot and help seal such loopholes.

EventLog Analyzer helps you collect, analyze, and conduct forensic investigation on perimeter devices' log data.

This solution offers built-in support for different types of networking and security devices such as routers, switches,
intrusion detection and prevention systems, and firewalls.

Some important report categories are mentioned below.

Router Logon Reports

These reports provide insights into events such as successful logons, failed logons, VPN logons, etc.

Router Configuration Reports

These reports help you verify that all changes made to your network devices' configuration are authorized and do not open
loopholes in your network security.

Router/Switch System Events

The reports in this category provide critical insights into the key events taking place in your routers and switches such as
the commands executed, the fan status, the system temperature, etc.

Router Traffic Errors

Keep track of router transmission errors such as occurrences of too many fragments, fragment overlap, or invalid fragment
length.

IDS/IPS Activity

The reports in this category help you to understand what type of attacks your network is susceptible to, which network
devices need to be secured further, how to decide which malicious traffic sources to target, and more.

Firewall Threats

These reports give detailed information on possible security threats to the network.

Firewall Traffic Reports

These reports provide insights into the allowed and denied traffic with details on the source, destination, port, and protocol.

Firewall Logon Reports

With these reports, you can monitor the successful and failed firewall logons.



List of Windows Event Reports
EventLog Analyzer offers a range of reports for the Windows environment that aid in granular monitoring and auditing
of events. It also contains reports on attacks common to Windows devices. The moment a suspicious event is detected,
an alert notification can be sent via email or SMS. The following are the report groups for Windows devices.

Windows Event Reports


Windows Firewall Auditing

Reports on the common attacks that can be detected by monitoring events in the Windows Firewall will be listed here.

Spoof Attack - A malicious entity forges the source address of its traffic to pose as a legitimate host or user.

Internet Protocol half-scan attack - The attacker probes for listening ports by sending TCP SYN packets and never
completing the handshake, so no full connection is ever established on the target.
Flood Attack - A denial-of-service attack in which the attacker overwhelms the target with a high volume of packets or
connection attempts.
Ping of Death Attack - A denial-of-service attack in which malicious actors try to crash or disrupt a host by sending
oversized or malformed ICMP packets.
SYN Attack - A SYN flood: the attacker sends a stream of SYN packets without completing the handshake, exhausting the
server's table of half-open connections so that legitimate clients cannot connect.

Threat Detection

This section contains reports on some common threats to the Windows environment which can aid in the detection,
analysis, and forensic investigation of vulnerabilities. The attacks in this category are primarily focused on weakening the
defenses of a system. Conducting a deeper analysis of the threats captured in these reports can help prevent an attack at a
later stage.

DoS Attack Subsided - Possible denial of service attacks that have ended.
DoS Attack Entered Defensive Mode - This report is generated when the Windows Filtering Platform has
discovered a potential DoS attack and entered into a defensive mode.
DoS Attacks - This report captures information on the denial of service attacks in a system where legitimate users
will be deprived of a service due to a high volume of malicious traffic.
Downgrade Attacks - This report captures instances of Downgrade Attacks. In this attack, advanced security
features of a system will be downgraded to adopt older legacy security features thereby making it vulnerable to
attacks.
Replay Attack - This report captures instances of legitimate data or requests that are captured and replayed by an
attacker to bypass authentication or for other malicious purposes.
Defender Malware Detection - Instances of malware detection in Windows defender will be listed in this report.
Defender Real Time Protection Detection - This report contains information on anti-virus data from Windows
Defender.
Terminal Server Attacks - This report captures data on attacks against the terminal server that enables multiple clients
in a network to connect to remote sessions.
Terminal Server Exceeds Maximum Logon Attempts - Information on repeated failed logon attempts against the terminal
server will be available here.
IP Conflicts - If more than one host is assigned the same IP address, an IP conflict occurs that inhibits
communication between those hosts. Information on such IP conflicts in the network will be listed here.
User Account Locked Out Error - Instances of user account lockouts will be listed here. This report will aid in the
investigation of the probable cause leading up to the account lockout.

Application Whitelisting



Reports on allowed and blocked EXE, DLL, and MSI files or scripts are listed here.

EXE or DLL File Allowed to Run - This event is generated when an EXE or DLL that the organization's rules would block is
nevertheless allowed to run, which is what AppLocker does when the rules are in audit-only mode.
EXE or DLL Files Not Allowed to Run due to Enforced rules - This event is generated when an EXE or DLL is blocked from
running because the rules are enforced.
EXE or DLL File Not Allowed to Run - This event is generated when an EXE or DLL blocked by the organization is not run.
MSI or Script File Allowed to Run - This event is generated when an MSI file or script that the organization's rules
would block is nevertheless allowed to run.
MSI or Script Files Not Allowed to Run due to Enforced rules - This event is generated when an MSI file or script is
blocked from running because the rules are enforced.
MSI or Script File Not Allowed to Run - This event is generated when an MSI file or script blocked by the organization is
not allowed to run on a system.
Software Restricted to Access Program - Records software that is restricted from making changes to systems or files.

Domain Events

Reports on crucial Active Directory events will be listed here. Monitoring these critical changes is essential to ensure that
the security features in Active Directory have not been compromised or downgraded.

Special groups assigned to new logon - This report captures logons by members of groups that administrators have
designated as special groups.
SID History added to account - When a user is migrated to a new domain, the security identifier (SID) history of the old
account is added to the new account. This report helps track users across domains by recording instances where SID
history has been added to an account.
Failed SID History addition - Instances of failed additions of SID history to a user account will be listed here.
Kerberos policy changes - This report contains a history of changes made to the Kerberos authentication policy in the
domain. Monitoring these policy changes is essential to ensure that authentication standards in the network are not
downgraded.
Special groups logon table modifications - This report captures all modifications to the list of groups designated as
special groups.

Application Crashes

This report group helps monitor crashes, hangs, and other reliability issues of applications installed on Windows devices.

Application Errors - This report captures application error events, such as crashes, reported on Windows
devices.
Application Hanged - This report captures instances of applications hanging in Windows devices.
Windows Error Reporting - This report will have information on the frequently occurring errors in Windows
devices.
Blue Screen Error (BSOD) - This report contains instances of blue screen errors in Windows devices.
System Errors - This report contains reports of the system errors in Windows devices.
EMET Logs - Information from Microsoft Enhanced Mitigation Experience Toolkit will be available in this report.
Windows File Protection - This report captures instances of attempts to replace critical Windows system files.

Threat Detection From Antivirus

EventLog Analyzer can collect log data from antivirus solutions such as Kaspersky, Sophos, and McAfee. The reports in this
category give an overview of all the threats detected by these solutions.

Threats Detections by ESET Endpoint Antivirus
Threats Detections by Kaspersky
Threats Detection by Microsoft Antimalware
Threats Detection by Sophos Anti-Virus
Threats Detection by Norton Anti Virus
Infected files detected by Symantec Endpoint Protection
Threat Detections by McAfee
Defender Malware Detection
Defender Real Time Protection Detection

Registry Changes

This report group helps monitor changes to the Windows registry and records both successful and failed attempts to modify it.

Registry Accessed - A record of all attempts to access the Windows registry.
Failed Registry Access - This report has a record of failed attempts to access the Windows registry.
Registry Created - This report will contain a record of all newly created registry keys.
Failed registry Creations - This report will contain a record of all failed attempts to create registry keys.
Registry Value Modified - This report captures the changes made to Registry values.
Failed Registry Modifications - This report captures all failed attempts to modify Registry values.
Registry Deleted - A record of deleted Registry keys will be available in this report.
Failed Registry Deletions - A record of failed attempts to delete Registry values will be available in this report.
Registry Permission Changes - All instances of a change in Registry Permissions will be listed here.
Top Users on Registry - A list of users who access the Registry the most will be listed here. This report can help flag
suspicious users.

Removable Disk Auditing

This report group gives an overview of removable disk activity on Windows devices, including instances of USB or
removable disks being plugged in and removed even when no files are copied.

USB Plugged In
USB Plugged Out
Removable Disk Reads
Removable Disk Failed Reads
Removable Disk Creates
Removable Disk Failed Creates
Removable Disk Modifications
Removable Disk Failed Modifications
Removable Disk Deletes
Removable Disk Failed Deletes
Device Based Removable Disk Changes
Top Successful Users on Removable Disk Auditing
Top Failed Users on Removable Disk Auditing
Removable Disk Changes Trend

Windows Startup Events

This report group provides an overview of Windows System Events such as start-up, shut-downs, and restarts.

Windows Startups
Windows Shutdowns
Windows Restarts
Unexpected Shutdown
System Uptime
Windows Startup and Windows ShutDown

Service Audit

These reports help you track all the services installed in your Windows devices.

New Service Installed
Service Started
Service Stopped
Service Failed

Program Inventory

These reports provide information on software installations, updates, and removals in your Windows environment, as well as Windows Update, hot patching, and licensing events.

Software Installed
Software Updated
Failed software installations
Failed software installations due to privilege mismatches
Software Uninstalled
Windows Updates - Installed
Windows update process failed
Failed hot patching
Update Packages Installed
Non valid Windows license
Failed Windows license activations
Non activated windows products
New kernel filter driver installed

Wireless Network Reports

These reports help you closely monitor wired and wireless network authentication, connection, and disconnection events.

Wireless Network Authentication
Wired Network Authentication
Wired Network Connected
Wired Network Disconnected
Wireless Network Connected
Wireless Network Disconnected

Eventlog Reports

These reports help you track the status of your event logging service in Windows devices.

Audit Events Dropped
Error in EventLog Service
Event log automatic backup
Security Log Full

Eventlog Reports

These reports capture instances of the event logging service being shut down and of event logs being cleared. An
attacker does this to prevent activity from being recorded, so every such event, whether malicious or inadvertent,
warrants investigation.

Event Logging Service Shutdown
Security Logs Cleared
Event Logs Cleared

System Events

These reports can help you monitor some critical system events in your Windows infrastructure.

Windows Time Change
Windows Updates Installed
AD Backup Error
GPO Queries Failed
Invalid Windows license
Non activated Windows licenses
Active Directory database corruptions
Bad disk block
Failed loadings of Kernel driver
Code Integrity Check
Invalid image hash file
Invalid page hash image file
Hard disk failures
System Restored

Windows Event

This report group gives the overall trends in Windows reports based on all recorded events, important events, and user
based events.

All Events
Important Events
User Based Report

Trend Report

This report group gives an overview of the trends detected in the logs collected from Windows devices. This report group
helps identify the events that are generated the most and the frequency of those events.

Weekly Report
Hourly Report

Windows Severity Reports

This report group gives an overview of the success, failure, information, and warning events in Windows devices.

Success Events
Information Events
Failure Events
Warning Events
Error Events

Windows Backup and Restore

This report group gives an overview of all the backup and restoration events in Windows devices.

Failed Windows backup
Successful Windows backup
Failed Windows restores
Successful Windows restores
System Restored

Windows Firewall Auditing

The Windows Firewall Auditing report group helps in auditing critical changes in Windows Firewall such as the addition,
deletion, or modification of Firewall rules and settings.

Rule Added
Rule Modified
Rule Deleted
Settings Restored
Settings Changed
Group Policy Changes

Network Policy Server

This report group helps monitor the Network Policy Server (NPS) role on Windows servers.

Access granted to users
Access denied to users
Discarded requests for users
Discarded accounting requests for users
Locked users due to repeated logon failures
NPS Unlocked user accounts

Data Theft Detection

This report group helps mitigate data theft with reports to monitor printer activity, removable disks, and databases.

Printer Document Theft
Removable Media Data Theft
Shared Network Data Theft
SQL Server Data Theft by Backups
SQL Server Data Theft by Reads
Oracle Data Theft by Reads
Windows FTP Data Thefts
Unix FTP Data Thefts

Unix Event Reports
EventLog Analyzer has a wide range of out-of-the-box reports and alert profiles for Unix devices. With these you can audit
system events such as package installs and updates, track important events such as low disk space, and more. You can also
audit critical events based on device, alert type, or severity. Apart from critical events, you can also track other events on
your Unix systems such as cron jobs, session connections and disconnections, deactivated services, and more.

Unix Logon Reports

A record of the different logon types specific to Unix devices, such as SU, SSH, and FTP logons, is available here. In
addition, the top logon reports classify these logons by user, device, remote device, and logon method. The logon
trend report gives insight into the general pattern of Unix logons; sharp deviations from that pattern can indicate
malicious activity.

User Logons
SU Logons
SSH Logons
FTP or SFTP Logons
Logons Overview
Top logons based on users
Top logons based on devices
Top logons based on remote devices
Top Unix Logon Method
Logon Trend

Unix Logoff Reports

A record of the different logoff types specific to Unix devices, such as SU, SSH, FTP, and user logoffs, is available
here. The logoffs overview report gives insight into the general trend.

User Logoffs
SU Logoffs
SSH Logoffs
FTP or SFTP Logoffs
Logoffs Overview

Unix Failed Logon Reports

This report group helps monitor failed logons on any Unix device. The top failed logon reports by user, device, and
remote device help identify an unusual number of logon failures, which could indicate an attack. In addition,
remote devices with repeated logon failures are listed separately.

User Failed Logons
SU Failed Logons
SSH Failed Logons
FTP or SFTP Failed Logons
Failed Logons Overview
Top failed logons based on users
Top failed logons based on devices
Top Failed logons based on remote devices
Top failed logon methods
Failed Logon Trend
Repeated authentication failures
Invalid user login attempts
Unsuccessful logon failures with long password
Repeated login failures based on remote devices
Repeated authentication failures based on remote devices

Unix User Account Management

This report group helps monitor critical changes to user accounts, groups, and passwords, such as the creation,
deletion, and renaming of user accounts and groups and successful and failed password changes.

Added user accounts
Deleted user accounts
Renamed user accounts
Groups added
Groups deleted
Groups renamed
Password Changes
Failed password changes
Failed user additions
Top Unix Account Management Events

Unix Removable Disk Auditing

These reports can help track removable disk activity in Unix devices.

USB Plugged In
USB Plugged Out

SUDO Commands

The reports in this group help ensure that the superuser privileges granted through sudo are not misused.

SUDO command executions
Failed SUDO command executions
Top SUDO command executions
Top Failed SUDO command executions
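
The failed logon report group and the SUDO report group above are both built from lines that a Unix host writes to its auth log. The following Python script is an added example and is not EventLog Analyzer code: it parses a constructed auth-log excerpt in the OpenSSH sshd and sudo message formats, counts authentication failures per remote host against an assumed threshold of three, records the invalid user names each host probed, and separates successful sudo invocations, refused ones, and those whose command is one of an assumed list of shell binaries. The host names, addresses, and user names in the sample are invented for the example.

```python
"""Added example: detection logic over Unix auth-log lines (sshd + sudo).
The sample lines are constructed for the example, not real logs."""
import re
from collections import Counter, defaultdict

# Constructed /var/log/auth.log excerpt in the RFC 3164 layout written by
# OpenSSH sshd and sudo: one source probes several accounts, one administrator
# restarts a service, and one user escalates to a root shell.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 51122 ssh2
Mar 10 08:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar 10 08:01:09 web01 sshd[2205]: Failed password for invalid user admin from 203.0.113.9 port 51140 ssh2
Mar 10 08:01:12 web01 sshd[2207]: Invalid user oracle from 203.0.113.9 port 51150
Mar 10 08:01:15 web01 sshd[2209]: Failed password for invalid user oracle from 203.0.113.9 port 51150 ssh2
Mar 10 08:02:30 web01 sshd[2231]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 10 08:02:41 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 08:03:02 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 10 08:03:10 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# "Mon DD HH:MM:SS host program[pid]: message"; the pid is optional because sudo omits it on some distributions.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(
    r"Failed (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
SSH_INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<src>[\d.]+)")
# sudo's line: "user : [failure reason ; ]TTY=... ; PWD=... ; USER=target ; COMMAND=..."
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Assumed list of binaries whose execution through sudo yields an interactive root shell.
SHELL_BINARIES = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash", "/usr/bin/bash",
                  "/usr/bin/sh", "/usr/bin/zsh", "/bin/su", "/usr/bin/su"}


def analyze_auth_log(text, fail_threshold=3):
    """Summarise sshd failures and sudo usage in the spirit of the report groups above."""
    failures_by_src = Counter()          # every "Failed <method>" event, per remote host
    invalid_users = defaultdict(set)     # remote host -> account names that do not exist
    sudo_ok, sudo_failed, sudo_shell = [], [], []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "sshd":
            f = SSH_FAIL_RE.search(msg)
            if f:
                failures_by_src[f.group("src")] += 1
                if f.group("invalid"):
                    invalid_users[f.group("src")].add(f.group("user"))
                continue
            i = SSH_INVALID_RE.search(msg)
            if i:
                invalid_users[i.group("src")].add(i.group("user"))
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if not s:
                continue
            rec = {"user": s.group("user"), "target": s.group("target"), "cmd": s.group("cmd")}
            if s.group("reason"):        # e.g. "user NOT in sudoers", "3 incorrect password attempts"
                rec["reason"] = s.group("reason")
                sudo_failed.append(rec)
            else:
                sudo_ok.append(rec)
                if rec["cmd"].split()[0] in SHELL_BINARIES:
                    sudo_shell.append(rec)
    return {
        "failures_by_source": dict(failures_by_src),
        "repeated_failures": {src: n for src, n in failures_by_src.items() if n >= fail_threshold},
        "invalid_users": {src: sorted(users) for src, users in invalid_users.items()},
        "sudo_commands": sudo_ok,
        "failed_sudo": sudo_failed,
        "sudo_to_shell": sudo_shell,
    }


if __name__ == "__main__":
    for key, value in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

A source that exceeds the threshold is what the report on repeated authentication failures by remote device surfaces. The sudo-to-shell list deserves separate attention: sudo logs only the command it launched, so once a user obtains an interactive root shell, nothing typed inside that shell appears in the sudo audit trail.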

Trend report

The reports in this group give an overview of the trend in activity in Unix devices.

Weekly Report
Hourly Report

Unix Mail Server Reports

These reports help in monitoring Unix mail servers. The 'Top' reports give the usage statistics of Unix mail servers. Reports
to monitor mailbox usage, general trends, mail deliveries and the execution of commands are also available in this report
group.

Mails Sent Overview
Mails Received Overview
Top mails sent based on senders
Top mails sent based on remote device
Top mails received from remote devices
Top Sender Domain
Top Recipient Domain
Trend report on mails sent
Trend report on mails received
Top mails rejected based on sender
Top receivers who rejected the mails
Top mail rejection errors
Top Rejected Domains
Mails rejected Overview
Mailbox Unavailable
Insufficient Storage
Bad Sequence of Commands
Bad Email Address
Non existent email address on remote side
Top Mail Errors
Top mail errors based on senders
Failed Mail Deliveries

Unix Threats

The reports in this group and their corresponding alert profiles help discover and mitigate some of the threats common to
Unix devices.

Reverse Lookup Errors
Bad DeviceConfig Errors
Bad ISP Errors
Invalid connection remote device
Denial of Service Attack

Unix NFS Events

These reports help monitor access to files on remote systems over the Network File System (NFS) protocol.

Successful NFS mounts
Refused NFS Mounts
Denied NFS mounts based on users
Top Successful NFS mounts based on remote device
Top Refused NFS mounts based on remote devices

Unix Other Events

This report group contains reports to monitor Unix events such as timed out or denied connections, failed updates, name
and address mismatch errors for devices, and more. This group also contains reports to monitor cron jobs or the scheduling
of commands to be executed later.

Cron Jobs
Cron Edit
Cron Job Started
Cron Job Terminated
Connection aborted by a software
Receive identification string
Session Connected
Session Disconnected
Deactivated services
Unsupported Protocol Version
Timeout While Logging
Failed Updates
Device Name Mismatch Error
Device Address Mismatch Error
Top cron jobs based on users

Unix FTP Server Reports

This report group has a range of reports to monitor the usage of the File Transfer Protocol (FTP) in Unix devices. Monitoring
this protocol is crucial for data security.

File downloads
File Uploads
Data transfer stall timeouts
Login Timeouts
Session idle timeouts
No transfer timeouts
Connection timeouts
FTP Reports Overview
Top FTP operations based on user
Top FTP operations based on remote device

Unix System Events

Crucial Unix system events such as Yum installs, stopping and restarting of the Syslog service, system shutdowns, and low
disk space can be monitored with these reports.

Syslog service stopped
Syslog service restarted
Low Diskspace
System Shutdown
Yum installs
Yum updates
Yum Uninstalls

Unix Severity Reports

This report group classifies and presents Unix events in eight different levels of severity. This classification can help
prioritize events and alerts.

Emergency Events
Alert Events
Critical Events
Error Events
Warning Events
Notice Events
Information Events
Debug Events

Unix Critical Reports

This report group helps analyze critical events further based on the level, event, device, and also the general trends.

Criticality level of events
Critical reports based on event
Critical events based on device
Critical events based on remote device
Critical events Trend
Critical events Overview

VMWare Logons/Logoff

This report group helps monitor logons and logoffs on VMware ESXi hosts. The reports in this group categorize the
events by type, status, and number of events.

User Logons
SU Logons
SSH Logons
SFTP Logons
Logons Overview
Top logons based on user
Top logons based on remote devices
Failed Logon
Failed SU Logon
Failed SSH Logon
Failed FTP or SFTP Logon
Failed Logon Overview
Top failed logons based on users
Top failed logon based on remote devices
User Logoff
SU Logoff
SSH Logoff
SFTP Logoff
Logoff Overview

VMWare System Events

The reports in this group monitor system events on VMware ESXi hosts. Creation and modification of user accounts,
logging activity, disk space availability, and password changes can be tracked with these reports.

User Account Added
User Account Deleted
User Account Renamed
Group Added
Group Deleted
Groups Renamed
Password Changes
Password Change Failed
User Addition Failed
Syslog Service Stopped
Syslog Service Restarted
Low Diskspace
System Shutdown

VMWare Server Events

Critical events specific to VMs such as creation, deletion, and the modification of VMs and guest logins can be monitored
with these reports.

Guest Login on VM
VM Created
VM Deleted
VM State Changes
Top VM Changes
VM Events Overview

AS400 Reports

This report group contains reports to monitor changes on AS400 devices. Critical system changes, logon events, hardware
errors, configuration changes, and more can be tracked with these reports.

Logons
Failed Logons
Logoff
Failed Authorization
Authority changes
User Profile changes
Objects deleted
Job changes
Ownership changes
Logon failure due to invalid passwords
System value changes report
Successful Job Start
Successful Job End
Job Logs
Device Configuration
System time changes
Subsystem varied off workstation
ASP storage threshold reached
ASP storage limit exceeded
Disk Unit Errors
Expired system IDs report
Unable to write audit record
Disabled user profiles due to maximum number of sign-on attempts
Report on weak battery
Report on battery failures
System password bypass period ended
Storage directory threshold reached
Report on serious storage conditions
Report on battery cache expiry
Report on i5 grace period expiry
Temporary IO Processor errors
System Processor Failure
Hardware Errors
Top logons based on users
Top failed logons based on users
Top jobs based on users

Reports for Applications
EventLog Analyzer has multiple report groups to track critical activity in Terminal servers, IIS Web Servers, SQL servers, and
printers. The moment a suspicious event is detected, an alert notification will be sent via email or SMS. The following are
the report groups available for applications.

Terminal Server Gateway Logons

These reports help monitor successful and failed connections through Terminal Server Gateways. You can also track
access to your critical resources using these reports.

Successful user disconnections from the resource
Successful user disconnections from the resource by administrators
Successful user connections to the resource
Failed user connections to the resource
Successful connection authorizations
Failed connection authorizations
Successful resource authorizations
Failed resource authorizations

Terminal Server Gateway Communications

These reports help in the monitoring of session activity in Terminal Servers.

Top Byte transferred
Top Byte received
Top Session Duration
Top activities based on events

Terminal Server Gateway Top Reports

These reports help determine which gateways, clients, and resources in your terminal servers have the highest usage.

Top Gateway Users
Top Clients
Top Resources

DHCP Windows Based Server Reports

These reports help monitor all critical activity on Windows-based DHCP servers, such as leases granted, denied, or
released, DNS updates, and critical requests. Because DHCP server audit logs record the client-server exchanges that
take place when IP addresses are allotted, these reports are useful for detecting suspicious network activity, such as
unknown devices obtaining addresses or a lease pool being exhausted.

Lease renewed by client
Lease denied
Lease Granted
Lease Released
Lease Expired
Lease Deleted
IP Found To Use in Network
Pool Exhausted
DNS Update Request
DNS Update failed
DNS update successful
Unreachable domain
BOOTP Lease Report
Authorization succeeded
Authorization failed
Server found in domain
Network failure
DHCP Logging started
DHCP Logging stopped
DHCP logging paused due to low disk
Critical Events Report
Error Reports
Warning Reports
Top Clients
Top Mac Address
DHCP Reports Overview

DHCP Linux Based Server Reports

Each step in the exchange of client-server messages on Linux-based DHCP servers can be viewed using these reports. The
top N reports give the most active IP addresses, MAC addresses, gateways, and operations.

The DHCP Linux overview report will summarize all DHCP log events.

Discovers
Offers
Requests
Acknowledges
Releases
Negative Acknowledges
Abandoning IP
Information Report
DHCP Linux Overview
Top Operation
Top IP Address
Top MAC Address
Top Gateway
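
The Discovers, Offers, Requests, Acknowledges, Negative Acknowledges, Releases, and Abandoning IP reports above each correspond to one ISC dhcpd log message; to see which exchanges completed and which did not, the messages have to be correlated per client. The following Python script is an added example, not part of the product, that reconstructs the exchange from a constructed dhcpd syslog excerpt: it tracks each MAC address's latest message type, keeps the leases confirmed by DHCPACK until a DHCPRELEASE, and collects NAKs, abandoned addresses, and "no free leases" conditions (the pool-exhausted case), along with the most active MAC address. The message formats are those of ISC dhcpd; the addresses, MAC addresses, and host names are invented for the example.

```python
"""Added example: reconstruct DHCP client/server exchanges from ISC dhcpd
syslog lines. The sample lines are constructed for the example."""
import re
from collections import Counter

# Constructed dhcpd syslog excerpt: one complete DORA exchange followed by a
# release, a NAK for a stale lease, an exchange that stalls after the offer,
# a renewal, an abandoned address, and a DISCOVER that finds the pool empty.
SAMPLE_DHCPD_LOG = """\
Mar 10 09:00:01 dhcp01 dhcpd[812]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth0
Mar 10 09:00:01 dhcp01 dhcpd[812]: DHCPOFFER on 192.0.2.50 to aa:bb:cc:dd:ee:01 (laptop-01) via eth0
Mar 10 09:00:02 dhcp01 dhcpd[812]: DHCPREQUEST for 192.0.2.50 (192.0.2.1) from aa:bb:cc:dd:ee:01 (laptop-01) via eth0
Mar 10 09:00:02 dhcp01 dhcpd[812]: DHCPACK on 192.0.2.50 to aa:bb:cc:dd:ee:01 (laptop-01) via eth0
Mar 10 09:00:10 dhcp01 dhcpd[812]: DHCPREQUEST for 192.0.2.99 from aa:bb:cc:dd:ee:02 via eth0: wrong network.
Mar 10 09:00:10 dhcp01 dhcpd[812]: DHCPNAK on 192.0.2.99 to aa:bb:cc:dd:ee:02 via eth0
Mar 10 09:00:15 dhcp01 dhcpd[812]: DHCPDISCOVER from aa:bb:cc:dd:ee:03 via eth0
Mar 10 09:00:15 dhcp01 dhcpd[812]: Abandoning IP address 192.0.2.51: pinged before offer
Mar 10 09:00:16 dhcp01 dhcpd[812]: DHCPOFFER on 192.0.2.52 to aa:bb:cc:dd:ee:03 via eth0
Mar 10 09:00:20 dhcp01 dhcpd[812]: DHCPRELEASE of 192.0.2.50 from aa:bb:cc:dd:ee:01 (laptop-01) via eth0 (found)
Mar 10 09:00:25 dhcp01 dhcpd[812]: DHCPREQUEST for 192.0.2.60 from aa:bb:cc:dd:ee:05 via eth0
Mar 10 09:00:25 dhcp01 dhcpd[812]: DHCPACK on 192.0.2.60 to aa:bb:cc:dd:ee:05 via eth0
Mar 10 09:00:30 dhcp01 dhcpd[812]: DHCPDISCOVER from aa:bb:cc:dd:ee:04 via eth0: network 192.0.2.0/24: no free leases
"""

DHCP_RE = re.compile(
    r"dhcpd\[\d+\]: (?P<op>DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPNAK|DHCPRELEASE)"
    r"(?: (?:on|for|of) (?P<ip>[\d.]+))?(?: \([\d.]+\))?"        # address involved, optional server id
    r" (?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<name>[^)]+)\))?"
    r" via (?P<iface>[^\s:]+)(?::\s*(?P<detail>.*))?",           # trailing detail such as "wrong network."
    re.I,
)
ABANDON_RE = re.compile(r"Abandoning IP address (?P<ip>[\d.]+): (?P<reason>.*)")
PENDING = {"DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST"}   # exchange not yet concluded by ACK, NAK, or RELEASE


def reconstruct_dhcp(text):
    """Correlate dhcpd messages per client MAC and summarise the outcome of each exchange."""
    last_op = {}                      # mac -> most recent message type seen
    leases = {}                       # mac -> address confirmed by DHCPACK and not yet released
    ops, macs = Counter(), Counter()
    naks, abandoned, exhausted = [], [], []
    for line in text.splitlines():
        a = ABANDON_RE.search(line)
        if a:
            abandoned.append((a.group("ip"), a.group("reason")))
            continue
        m = DHCP_RE.search(line)
        if not m:
            continue
        op, mac = m.group("op").upper(), m.group("mac").lower()
        ops[op] += 1
        macs[mac] += 1
        last_op[mac] = op
        detail = m.group("detail") or ""
        if op == "DHCPACK":
            leases[mac] = m.group("ip")
        elif op == "DHCPNAK":
            naks.append((mac, m.group("ip")))
        elif op == "DHCPRELEASE":
            leases.pop(mac, None)
        elif op == "DHCPDISCOVER" and "no free leases" in detail:
            exhausted.append(mac)
    return {
        "operations": dict(ops),
        "active_leases": leases,
        "naks": naks,
        "abandoned": abandoned,
        "pool_exhausted": exhausted,
        "incomplete": sorted(mac for mac, op in last_op.items() if op in PENDING),
        "top_mac": macs.most_common(1)[0] if macs else None,
    }


if __name__ == "__main__":
    for key, value in reconstruct_dhcp(SAMPLE_DHCPD_LOG).items():
        print(f"{key}: {value}")
```

A client that stays at DISCOVER or OFFER, or a burst of DISCOVERs from MAC addresses never seen before, is the pattern to look for when hunting rogue or spoofed clients; a NAK following a REQUEST for an address on the wrong network usually means a client moved segments while holding a stale lease.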

IIS FTP Server Reports

The IIS FTP Server reports can help you track user logons and logoffs, check what data is being shared, and also identify
trends in the overall file sharing activity.

Logons
Failed Logons
Login attempts
File downloads
File uploads
Disconnects
File Transfer Aborts
File Deletions
Make Directories
Remove Directories
Rename Operations
List Directory Contents
Password Changes
Bad Sequence of Commands
Successful Commands
Command Syntax Errors
Transfer Incomplete due to insufficient space
Security Data Exchange
Top File Types Downloaded
Top File Types Uploaded
Top Users
Top Clients
Top Methods
Top Status
FTP Reports Overview

IIS Web Server Error Reports

With these reports, you can detect the problems users might be facing on your website and closely track all error alerts.

HTTP Status Success
Failed User Authentication
HTTP Bad Request
HTTP Payment Required
Site Access Denied
Password Change
HTTP Request URI Too Large
HTTP Request Entity Too Large
HTTP Expectation Failed
HTTP Unsupported Media Type
HTTP Locked Error
HTTP Bad Gateway
IP Address Rejected
Read Access_Forbidden
Write Access_Forbidden
Service Unavailable
Gateway Timeout
UNC Authorization Failed
Denied direct request to Global.asa
IO Operation Aborted
Web Server Restart
Web Server Busy
Information Reports
Success Reports
Redirection Reports
Client Error Reports
Server Error Reports

IIS Web Server Attack Reports

These reports can help you detect some of the most common and dangerous web server attacks instantly, including SQL
injection attacks or denial of service attacks.

SQL Injection reports
Cross site scripting reports
Malicious URL Requests
Malicious File Executions
cmd.exe and root.exe file executions
xp_cmdshell executions
Admin Resource Accesses
Denied Directory listing
DoS Attacks
Directory Traversal
Spam Mail Header

Apache Web Server Error Reports

This report group can help you track several common HTTP error codes. It also has consolidated reports for both client
errors and server errors. These reports help you identify which errors are occurring most frequently in your Apache web
servers.

HTTP Status Success
HTTP Bad Gateway
HTTP Internal Server Error
HTTP Gateway Timeout
HTTP Request URI Too Large
HTTP Unsupported Media Type
HTTP Request Entity Too Large
HTTP Forbidden
HTTP Server Not Found
HTTP Request Timeout
HTTP Bad Request
HTTP Unauthorized
Information Reports
Success Reports
Redirection Reports
Client Error Reports
Server Error Reports

Apache Web Server Top Reports

These top reports can help you discover the most frequently occurring errors and rectify them. With these, you can also
identify the most popular pages in your website and see who's accessing your site most often to get insights on user
behavior.

Top Visitors
Top Users
Top URL
Top Browsers
Top Errors
Top Referrers
Apache Server Trend
Apache Reports Overview

Apache Web Server Attack Reports

These reports can help you detect some of the most common and dangerous attacks on Apache web servers, such as SQL
injection and cross-site scripting attacks.

SQL Injection reports
Cross site scripting reports
Directory Traversal
Malicious URL Request
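
The IIS and Apache attack report groups both classify requests by the payload carried in the URL. The following Python script is an added example, not part of the product, that parses a constructed IIS W3C extended log (using its "#Fields:" directive for the column order) and a constructed Apache combined-format access log into one request record, URL-decodes each request twice so that double-encoded payloads such as "..%255c" are not missed, and tags requests with the categories named in the reports above: SQL injection, xp_cmdshell, cross-site scripting, directory traversal, and cmd.exe or root.exe execution. The signature set is deliberately small and is an assumption of the example, as are the addresses and paths in the sample logs.

```python
"""Added example: classify web-server requests into the attack categories of
the IIS and Apache attack report groups. Sample log lines are constructed."""
import re
from collections import Counter
from typing import List, NamedTuple
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt; the "#Fields:" directive declares the columns.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-03-10 08:00:01 10.0.0.5 GET /products.aspx id=1 80 - 203.0.113.9 Mozilla/5.0 200
2024-03-10 08:00:02 10.0.0.5 GET /products.aspx id=1%27%20OR%201=1-- 80 - 203.0.113.9 Mozilla/5.0 500
2024-03-10 08:00:03 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 203.0.113.9 Mozilla/5.0 404
2024-03-10 08:00:04 10.0.0.5 POST /search.aspx q=%3Cscript%3Ealert(1)%3C/script%3E 80 - 198.51.100.7 Mozilla/5.0 200
2024-03-10 08:00:05 10.0.0.5 GET /admin.aspx cmd=exec%20xp_cmdshell%20%27whoami%27 80 - 203.0.113.9 Mozilla/5.0 403
"""
# Constructed Apache combined-format access log excerpt.
SAMPLE_APACHE_LOG = """\
203.0.113.9 - - [10/Mar/2024:08:10:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:08:10:02 +0000] "GET /login.php?user=admin%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 128 "-" "sqlmap/1.7"
198.51.100.20 - - [10/Mar/2024:08:10:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


class Request(NamedTuple):
    source: str
    client: str
    method: str
    path: str
    query: str
    status: int


APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed, intentionally small signature set; a production analyzer maintains far larger lists.
SIGNATURES = {
    "sql_injection": re.compile(r"union\s+select|'\s*or\s+1\s*=\s*1|;\s*drop\s+table|waitfor\s+delay|sleep\(\d+\)", re.I),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "cross_site_scripting": re.compile(r"<script|javascript:|on(?:error|load|mouseover)\s*=", re.I),
    "directory_traversal": re.compile(r"\.\./|\.\.\\"),
    "command_execution": re.compile(r"cmd\.exe|root\.exe|/bin/sh|/bin/bash", re.I),
}


def parse_iis_w3c(text: str) -> List[Request]:
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column order is declared by the log itself
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                         # malformed or truncated line
        rec = dict(zip(fields, values))
        query = rec.get("cs-uri-query", "-")  # IIS writes "-" for an empty field
        rows.append(Request("iis", rec.get("c-ip", "-"), rec.get("cs-method", "-"),
                            rec.get("cs-uri-stem", ""), "" if query == "-" else query,
                            int(rec.get("sc-status", "0"))))
    return rows


def parse_apache_combined(text: str) -> List[Request]:
    rows = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        rows.append(Request("apache", m.group("client"), m.group("method"), path, query, int(m.group("status"))))
    return rows


def _target(req: Request) -> str:
    return req.path + ("?" + req.query if req.query else "")


def classify(req: Request) -> List[str]:
    """Decode twice so double-encoded payloads (e.g. ..%255c) are matched, then apply every signature."""
    decoded = unquote(unquote(_target(req)))
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan_logs(iis_text: str, apache_text: str) -> List[dict]:
    findings = []
    for req in parse_iis_w3c(iis_text) + parse_apache_combined(apache_text):
        cats = classify(req)
        if cats:
            findings.append({"source": req.source, "client": req.client, "status": req.status,
                             "target": _target(req), "categories": cats})
    return findings


def top_attackers(findings: List[dict]):
    """Clients ranked by number of flagged requests, as in the top-client reports."""
    return Counter(f["client"] for f in findings).most_common()


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_IIS_LOG, SAMPLE_APACHE_LOG)
    for hit in hits:
        print(hit)
    print(top_attackers(hits))
```

Status codes are kept on each finding on purpose: a traversal or injection request that the server answered with 200 is far more urgent than one that was rejected with 403 or 404, and that distinction is what separates an attempt from a likely success.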

SQL Server Advanced Auditing Reports

These reports can help database administrators to monitor, track, and identify any operational issues. They can also help in
tracking unauthorized access to confidential data and user permissions. When a password is changed or the login
information is altered for users or user groups, the Logins Information Report displays the details about their login
information.

Column Modified Report
Last Login Time Report
Delete Operations Report
Logins Information Report
Most Used Tables
Table Update Report
Index Information Report
Server Information Report
Waits Information
List Of Blocked Processes
Schema Change History
Object Change History
List Of Connected Applications
Security Changes Report
List Of Permissions
Last Backup of Database
Last DBCC Activity report

SQL Server DDL Auditing Reports

The reports in this group can help monitor and track the changes happening at the database structural level, such as
changes to the tables, views, procedures, triggers, schema, and more.

Created Databases
Dropped Databases
Altered Databases
Created Tables
Dropped Tables
Altered Tables
Created Views
Dropped Views
Altered Views
Created Stored Procedures
Dropped Stored Procedures
Altered Stored Procedures
Created Index
Dropped Index
Altered Index
Created Triggers
Dropped Triggers
Altered Triggers
Created Schemas
Altered Schemas
Dropped Schemas

SQL Server DML Auditing Reports

The reports in this group can help you figure out when functional queries are executed, who executed them, and from
where. You can also track activities such as data being viewed, updated, deleted, or new entries being added to your
confidential data.

Selected Tables
Inserted Tables
Updated Tables
Deleted Tables
Execute Command
Receive Command
Check reference command executed
Inserted Schemas
Selected Schemas
Updated Schemas
Deleted Schemas

SQL Server Auditing Account Management

These reports help you track changes made to any account with respect to users, logins, and passwords. You can also
track the creation, deletion, or modification of privileged accounts to ensure that unauthorized privilege escalation
does not take place. In addition, you can audit logon and logoff activity, learn the reasons behind logon failures, and
know immediately when the password of a critical account is changed.

User Created
User Dropped
User Altered
Login Created
Login Dropped
Login Altered
Database Role Created
Database Role Dropped
Database Role Altered
Application Role Created
Application Role Dropped
Application Role Altered
Credential Created
Credential Dropped
Credential Altered
Own Password Changes
Failed Own password changes
Password changes
Password changes Failed
Password resets
Password resets Failed
Own password resets
Failed Own password resets
Unlocked accounts
Enabled users
Disabled users

SQL Server Auditing Server Reports

These reports help audit MS SQL Server activities such as startups, shutdowns, logons, logon failures, database backup,
restoration, audit, audit specifications, administrator authorities, and a lot more.

Database backup report
Database restoration report
Transaction log backup report
Admin authority changes report
Permission changes report
Owner Changes report
Created server roles
Dropped server roles
Altered server roles
Created Server Audits
Dropped Server Audits
Altered server audits
Created Server Audit Specifications
Dropped Server Audit Specifications
Altered Server Audit Specifications
Created Database Audit Specifications
Dropped Database Audit Specifications
Altered Database Audit Specifications
Changed Audit Sessions
Shutdown and Failure Audits
Trace Audit C2 On
Trace Audit C2 Off
Started Trace Audits
Stopped Trace Audits
Server Startups
Server shutdowns
Logons
Failure logons
Logout Accounts
Top logons based on user
Top logons based on remote devices
Top failure logons based on users
Top failure logons based on remote devices
Logons Trend
Failed Logons Trend
Event Trend report

SQL Server Security Reports

This report group gives detailed information on SQL injection and denial of service attacks, to help you conduct detailed
forensic analysis on how the attack happened.

You can also track account lockouts, privilege abuses, and unauthorized copying of sensitive data with these reports.

Privilege abuses
Unauthorized copies of sensitive data
Account Lockouts
Storage media exposure
SQL Injection
Denial of Service

SQL Server DBCC Information Reports

These reports help you track the execution of DBCC commands in your SQL servers.

DBCC Check Catalog required
DBCC Check DB required
DBCC failure events

SQL Server Host Activity Reports

This report helps you track host activity on your SQL servers.

Killed processes by hosts

SQL Server Integrity Reports

These reports help you ensure that the integrity of your data is not tampered with.

Audit integrity
Failure followed by success events

SQL Server Permissions Denied Reports

The SQL server permissions denied reports can help you track unauthorized access attempts on critical data.

Object permission denied
Column permission denied
Database permission denied
Alter DB permission denied

SQL Server Violation Reports

The SQL Server violation report gives details on access violations, which could indicate an attack or data theft.

Access violation

SNMP Trap Type Reports

These reports consolidate the information from SNMP traps by trap type and help you manage your network better.

Cold Start
Warm Start
Link Down
Link Up
Authentication Failure
EGP Neighbor Loss
Enterprise Specific

SNMP Severity Reports

These reports can help you track the error and information events to ensure that critical issues are brought to your notice.

Error Events
Information Events

Oracle Auditing Reports

These reports provide insights into Oracle database access, command execution, critical task performance, and more,
including who did what, when, and from where.

Created Databases
Dropped Databases
Altered Databases
Created clusters
Dropped clusters
Altered Clusters
Created Tables
Dropped Tables
Altered Tables
Selected Tables
Inserted Tables
Updated Tables
Deleted Tables
Created functions
Dropped functions
Altered functions
Created Schemas
Created procedures
Dropped procedures
Altered procedures
Executed procedures
Created triggers
Dropped triggers
Altered Triggers

Oracle Auditing Account Management

These reports can help track the creation, modification, and deletion of user accounts and roles. With these reports, you can
also monitor who accessed a user account or role, from where, and when the event occurred.

Created profiles
Dropped profiles
Altered profiles
Users created
Dropped users
Altered users
Roles created
Dropped roles
Altered roles
Granted roles
Revoked roles
System Grant
System Revoke

Oracle Auditing Server Reports

These reports give insights on Oracle database access to monitor all user activity within the database. These reports help
you audit user logons, remote logons, and user logoffs.

Connect Events
Server Startup
Server Shutdown
Logons
Failed Logons
Top logons based on users
Top logons based on remote devices
Top failed logons based on users
Top failed logons based on remote devices
Logon Trend
Failed logon trend
Oracle Events Trend

Oracle Security Reports

These reports help you detect attacks on Oracle databases such as SQL injection and denial of service attacks. With
these you can also track expired passwords and account lockouts to ensure that legitimate users have uninterrupted
access to resources.

SQL Injection report
Account Lockouts
Expired Passwords
Denial of Service Reports

MySQL Logon Events

These reports help you track logons to your MySQL database to ensure that there is no unauthorized access to your
MySQL database.

Logon Success
Logon Failures

MySQL General Statements

These reports help you track DDL and DML statements to make sure that there is no unauthorized modification or access
to sensitive data.

DDL Statements
DML Statements
Transactional and Locking Statements
Utility Statements
Replication Statements

MySQL Database Administrative Statements

These reports can help you track database administrative statements including account management and resource group
management statements in MySQL servers.



Account Management Statements
Resource Group Management Statements
Table Maintenance Statements
Component and Plugin Statements
Other Administrative Statements
Set Statements
Show Statements

MySQL Server Events

This report helps you track startup and shutdown events in your MySQL server.

Server Startup/Shutdown Events

Printer Auditing

The printer auditing reports help you keep track of the documents that get printed within your network. These reports can
also help you identify which documents get printed the most and by whom. This can help ensure that sensitive information
is not indiscriminately printed which can increase the risk of data theft.

Documents Printed
Deleted documents
Timed out documents
Moved Documents
Resumed Documents
Paused documents
Corrupted documents
Documents' priority changes
Insufficient Privilege to Print Documents
Top printed documents based on users
Top printed documents
Printer Activity trend
Failed Printer Activity Trend

Sysmon Process Auditing Reports

Process Created
Process Terminated
Remote Thread Creation
Process Access
Pipe Created
Pipe Connected

Sysmon Registry Auditing Reports

Registry Object Renamed
Registry Value Set
Registry Key Created
Registry Key Deleted
Registry Value Created
Registry Value Deleted



Sysmon File Auditing Reports

File Created
File Stream Creation
File Time Change
Raw Access Read

Sysmon Library and Drivers Reports

Drivers Loaded
Image Loaded

Sysmon Network Auditing Reports

Network Connection
DNS Query

Sysmon WMI Auditing Reports

WMI Filter Events
WMI Event Consumer Activity
WMI Consumer to Filter Activity

Sysmon Configuration Reports

Service State Change
Config Modification



List of reports for vCenter Monitoring
Cluster changes

Cluster created
Cluster destroyed
Cluster renamed
Cluster reconfigured

Datacenter changes

Datacenter created
Datacenter deleted
Datacenter renamed

Datastore changes

Datastore created
Datastore destroyed
Datastore renamed
Datastore file copied
Datastore file moved
Datastore file deleted

Folder changes

Folder created
Folder deleted
Folder renamed
Inventory objects moved into a folder

Permission changes

Permission created
Permission removed
Permission updated

Resource pool changes

Resource pool created
Resource pool destroyed
Resource pool moved
Resource pool reconfigured

Role changes

Role added
Role removed
Role updated



VM changes

VM created
VM deployed
VM removed
VM renamed
VM reconfigured
VM power state changes

Device changes

Device added
Device added failure
Device IP changed
Device shutdown
Device removed
Device connection overview
Device powered down to standby

EventLog Analyzer also provides predefined alert criteria for all the vCenter events listed above. Setting up a vCenter
alert profile is the same as setting up a predefined alert profile, except that you need to choose the 'vCenter' type in the alert criteria.



Reports for H3C Devices
H3C Events Reports

All Events
Important Events

Firewall Allowed Traffic

Allowed Traffic
Top Traffic based on source
Top Traffic based on destination
Allowed Traffic Trend

Firewall Denied Connections

Denied Traffic
Top Denied Connections based on Source
Top Denied Connections based on Destination
Denied Connections Trend

Logon Reports

Successful Logons
Successful Logon Trend

Failed Logon Reports

Failed Logons
Failed Logons attempts
Failed Logons Trend

Firewall Rules Management Reports

Rules Added
Rules Deleted
Rules Modified

DHCP Reports

Allocated IP address
Conflicting IP Address
Lease Extend IP Address

Interface Status Reports

Interface Up
Interface Down



Firewall IDS/IPS Reports

All Attacks
Attacks Trend

VPN Logon Reports

Successful VPN Logons
VPN Logout
Successful VPN Logons Trend

Failed VPN Logon Reports

Failed VPN Logons attempts
Failed VPN Logons Trend

Firewall Security Reports

Web Filtering
Anti-virus reports

System Events

Configuration Changes
Clock Update
System Reboot
Fan Failure
Memory Status
CPU Status
Temperature Status
High Availability Status

Severity Reports

Emergency Events
Alert Events
Critical Events
Error Events
Warning Events
Notice Events
Information Events
Debug Events



Reports for Arista Devices
Arista Events

All Events
Important Events

Logon Reports

Successful Logon
Top Source
Top Users
Logoff Events
Top Source
Top Users
Successful Logons Trend

Failed Logon Reports

Failed Logons
Top Source
Top Users
Failed Logons Trend

Allowed Traffic

Allowed Traffic
Top Source
Top Destination
Top Protocol
Top Port
Allowed Traffic Trend

Denied Connections

Denied Connections
Top Source
Top Destination
Top Protocol
Top Port
Denied Connections Trend

Interface Status

Interface Up
Interface Down

System Events



Configuration Changes
Configuration Errors
System Reboot
Clock Update
Command Executed
Fan Status
Power Status
Temperature Status
Package Status

Severity Reports

Emergency Events
Alert Events
Critical Events
Error Events
Warning Events
Notice Events
Information Events
Debug Events



StormShield Reports
StormShield Events

All Events
Important Events

Logon Reports

Successful Logon
Failed Logons
Logon Overview

Traffic Reports

Allowed Traffic
Denied Connections
Traffic Overview

Firewall Rule Management

Rule Added
Rule Modified
Rule Deleted

Firewall User Management

Admin Added
Admin Modified
Admin Deleted

System Event

Clock Updated
System Shutdown
System Reboot

IDS/IPS Reports

Attack Overview

Severity Report



Emergency Events
Alert Events
Critical Events
Error Events
Warning Events
Notice Events
Information Events
Debug Events



HP Switches Reports
EventLog Analyzer supports HP Switches and provides out-of-box reports for the following categories of events:

HP Events: Provides information on all events on HP devices.
Successful and Failed Logons: Provides information on all successful and failed logons based on source and users,
including trend reports.
Interface Events: Provides information on all interface and trunk status events.
Configuration Reports: Provides information on both successful and failed commands and insights on ACL error and
VLAN status.
System Events: Provides information on configuration changes, clock update, system update and reboot, power,
and license status.
Device Severity Reports: Provides information on all emergency, alerts, critical, error, warning, and notice events.

HP Switches reports dashboard

Go to the Reports section. Select HP from the displayed list of vendors.


Click Select Device and choose the HP devices for which you need the reports. Click Add.



You can set filter criteria for events based on Source, Severity, Device and Message. Use logical operators as
required.

Select the Period for which you want the data to be displayed and click Apply.
The graphs can be viewed in different formats.



The left panel lists all the available out-of-box reports for HP. Select the report you want to view.

To quickly export the report, click Export as and choose the format. Once done, you can download the report.



Click Schedule to have this report exported and emailed periodically.

Click More for further customization options.


1. Set as Default, to set this report as the default for HP reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.

Barracuda reports
EventLog Analyzer supports Barracuda Firewall and provides out-of-box reports for:

Barracuda Events: Information on all events on Barracuda devices.
Firewall Allowed and Denied Traffic: Insights on traffic based on source, destination, protocol and port, also
provides a report on traffic trends.
Firewall Website Traffic: Traffic reports based on source, destination and website traffic trend reports.
Successful and Failed Logons: Source and user based reports, trend reports.
Firewall Rule Management: Information on rules added, deleted or modified.
Firewall Accounts Management: Reports on administrators, users and groups added, deleted or modified.
Firewall IDS/IPS Events: Insights on attacks based on source and destination IP address, critical and possible attacks,
with a report on attack trends.
Firewall Security: Antivirus reports and anti-spam reports.
Email Security: Information on scanned, sent and received emails.
System Events: Reports on service, power and memory status, clock update, system shutdown and reboot.
Device Severity: Information on all emergency, alerts, critical, error, warning, and notice events.

Barracuda reports dashboard

Go to the Reports section. Select Barracuda from the displayed list of vendors.
In the left panel, all the available out-of-the-box reports for Barracuda will be listed. Select the report you want to
view.
Click Select Device and choose the Barracuda devices for which you need the reports. Click Add.



You can set filter criteria for events based on Source, Severity and Device. Use logical operators as required.

Select the Period for which you want the data to be displayed and click Apply.



The graphs can be viewed in different formats.

To quickly export the report in view, click Export as and choose the format. Once done, you can download the
report.



Click Schedule to have this report exported and emailed periodically.

Click More for further customization options.


1. Set as Default, to set this report as the default for Barracuda reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.

CheckPoint reports
EventLog Analyzer supports CheckPoint Firewall and provides out-of-box reports for:

CheckPoint Events: Information on all events on CheckPoint devices.
Firewall Allowed and Denied Traffic: Insights on traffic based on source, destination, protocol and port, also
provides a report on traffic trends.
Successful and Failed Logons: Insights on successful and failed logons categorized based on the user, the source,
and the general trend.
Firewall Accounts Management: Reports on user and user group added or deleted.
Configuration: Reports on configuration changes, interface status and executed commands.
Firewall IDS/IPS Events: Insights on attacks based on source and destination IP address and attack trends.
System Events: Reports on system shutdowns and clock updates.
Device Severity: Emergency, alerts, critical, error, warning, and notice events.

CheckPoint reports dashboard

Go to the Reports section. Select CheckPoint from the displayed list of vendors.
In the left panel, all the available out-of-the-box reports for CheckPoint will be listed. Select the report you want to
view.
Click Select Device and choose the CheckPoint devices for which you need the reports. Click Add.



You can set filter criteria for events based on Source, Severity, Device and Message. Use logical operators as
required.

Select the Period for which you want the data to be displayed and click Apply.



The graphs can be viewed in different formats.

To quickly export the report in view, click Export as and choose the format. Once done, you can download the
report.



Click Schedule to have this report exported and emailed periodically.

Click More for further customization options.


1. Set as Default, to set this report as the default for CheckPoint reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.

FirePower reports
EventLog Analyzer supports Cisco FirePower Firewall and provides out-of-box reports for the following categories of
events:

FirePower Events: Information on all events on FirePower devices.
Firewall Allowed and Denied Traffic: Insights on traffic based on source, destination, protocol and port, and traffic
trends.
Firewall Website Traffic: Traffic reports based on source, destination and website traffic trend reports.
Firewall IDS/IPS Events: Insights on attacks based on source and destination IP address, also provides a report on
attack trends.
Device Severity Reports: Emergency, alerts, critical, error, warning, notice, information and debug events.

FirePower reports dashboard

Go to the Reports section. Select FirePower from the displayed list of vendors.
Click Select Device and choose the FirePower devices for which you need the reports. Click Add.



You can set filter criteria for events based on Device, Severity and Message. Use logical operators as required.

Select the Period for which you want the data to be displayed and click Apply.
The graphs can be viewed in multiple formats. To switch to a different graph format, click the drop-down button.

This panel lists all the available out-of-box reports for FirePower. Select the report you want to view.



To export the report in view, click Export as and choose the format. Once done, you can download the report.

Click Schedule to have this report automatically generated, exported and emailed to the specified users in the
desired format, at the specified times.



Click More for further customization options.
1. Set as Default, to set this report as the default for FirePower reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.



Reports for Fortinet Devices
EventLog Analyzer supports Fortinet firewalls and provides out-of-the-box reports for the following categories of events:

Fortinet Events: These reports provide valuable information on all events including important events such as
logons, failed logons, possible attacks, users added/deleted etc., on Fortinet devices.
Firewall Allowed and Denied Traffic: The reports in this category provide insights on traffic based on the source,
destination, protocol and port, and traffic trends.
Successful and Failed Logons: These reports provide information on source, user-based, and trends reports.
Firewall IDS/IPS Events: The reports in this category provide insights on possible attacks, and attacks based on the
source and destination IP address. They also provide reports on attack trends.
Firewall Security Events: These reports provide valuable information on applications, email and web filters. They
also provide reports on antivirus and DLP.
Firewall Accounts Management: This category provides reports on administrators and users added, deleted or
modified.
Firewall Policy Management: The reports in this category provide useful information on policies added, deleted or
modified.
Successful and Failed VPN Logon Reports: These reports provide insights on VPN logons and logouts based on
success, failure, remote devices, users and trends.
System Events: These reports provide valuable information on configuration changes, license expiration, power
restores and failures, system shutdowns and reboots and failed commands.
Device Severity Reports: The reports in this category provide insights into emergency, alerts, critical, error, warning,
notice, information and debug events.
VPN IP Assigned Reports: These reports provide information on private IP assigned, IP assigned users, remote IP
and VPN IP assigned.

Managing Fortinet reports dashboard


Go to the Reports section and click on the Devices option in the drop down menu. Select Fortinet from the
displayed list of vendors.

Click Select Device and choose the Fortinet devices for which you need the reports. Click Add.



You can set filter criteria for events based on device, source, message and severity. Use logical operators as
required.

Select the Period for which you want the data to be displayed and click Apply.

The graphs can be viewed in different formats.



The All Events panel lists all the available out-of-the-box reports for Fortinet. Select the report you want to view.

To export the report being viewed, click Export as and choose the format. Once done, you can download the
report.

Click Schedule to have this report exported and emailed periodically.



Click More for further customization options.
1. Set as Default, to set this report as the default for Fortinet reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.



Reports for Huawei Devices
EventLog Analyzer supports Huawei firewall devices and provides out-of-the-box reports for the following categories of
events:

Huawei Events: These reports provide valuable information on all events including important events such as logons,
failed logons, policies added/deleted, users added/deleted etc., on Huawei devices.
Successful and Failed Logons: These reports provide information on source and user-based reports, and trend
reports.
Firewall Allowed and Denied Traffic: The reports in this category provide insights on traffic based on the source,
destination, protocol and port, and traffic trends.
Firewall Accounts Management: This category provides reports on users and groups added, deleted or modified.
Firewall Policy Management: This category of reports provides valuable information on policies added, deleted,
modified, enabled or disabled.
Firewall IDS/IPS events: This category of reports provides useful insights on attacks based on the source and
destination IP address. They also provide reports on attack trends.
Firewall Security Events: These reports provide information on application, email and web filters. They also provide
reports on antivirus and DLP.
Successful and Failed VPN Logon Reports: This category of reports provides insights into VPN logons and logouts
based on source, users and trend reports.
System Events: This category provides reports on power status, command executed, CPU status, clock update,
interface status, temperature status and fan status.
Device Severity Reports: The reports in this category provide insights into emergency, alerts, critical, error, warning,
notice, information and debug events.

Managing Huawei reports dashboard

Go to the Reports section and click on the Devices option in the drop-down menu. Select Huawei from the
displayed list of vendors.
Click Select Device and choose the Huawei devices for which you need reports. Click Add.



You can set filter criteria for events based on device, source, message and severity. Use logical operators as
required.

Select the Period for which you want the data to be displayed and click Apply.



The graphs can be viewed in different formats.

The All Events panel lists all the available out-of-the-box reports for Huawei. Select the report you want to view.



To export the report being viewed, click Export as and choose the format. Once done, you can download the
report.

Click Schedule to have this report exported and emailed periodically.

Click More for further customization options.



1. Set as Default, to set this report as the default for Huawei reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.



Reports for Juniper Devices
EventLog Analyzer supports Juniper Firewall and provides out-of-the-box reports for the following categories of events:

Juniper Events: These reports provide valuable information on all events including important events such as logons,
failed logons, possible attacks, configuration errors, interface up/down, etc., for Juniper devices.
Successful and Failed Logons: These reports provide insights on source and user-based reports, and trend reports.
They also provide information on firewall, web, and CLI logons.
Configuration Reports: The reports in this category provide information on interface settings, commands executed,
and configuration errors.
Firewall Allowed and Denied Traffic: This category of reports provides valuable insights on traffic based on the
source, destination, protocol and port, and traffic trends.
Firewall IDS/IPS Events: These reports provide insights on possible, critical, top attacks; attacks based on source,
destination IP address, and severity; and attack trends.
Application Tracking Reports: The reports in this category provide useful information on applications accessed
based on username and reports on applications started and stopped.
System Events: These reports provide information on process and fan status, and system reboots.
Device Severity Reports: The reports in this category provide insights on emergency, alerts, critical, error, warning,
notice, information, and debug events.

Managing Juniper reports dashboard

Go to the Reports section and click on the Devices option in the drop-down menu. Select Juniper from the
displayed list of vendors.
Click Select Device and choose the Juniper devices for which you need the reports. Click Add.



You can set filter criteria for events based on device, source, message and severity. Use logical operators as
required.

Select the Period for which you want the data to be displayed and click Apply.



The graphs can be viewed in different formats.

The left panel lists all the available out-of-the-box reports for Juniper. Select the report you want to view.



To quickly export the report being viewed, click Export as and choose the format. Once done, you can download
the report.

Click Schedule to have this report exported and emailed periodically.



Click More for further customization options.
1. Set as Default, to set this report as the default for Juniper reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.



Reports for Malwarebytes devices
EventLog Analyzer supports Malwarebytes Firewall and provides out-of-the-box reports for the following category of
events:

Malwarebytes Events: The reports in this category provide valuable information on detected threats and exploits based on
source and users. Additionally, granular reports on blocked, allowed exploits, quarantined threats, and websites blocked
based on source and users are available.

Managing Malwarebytes reports dashboard

Go to the Reports section and click on the Threats option in the drop-down menu. Select Malwarebytes from the
displayed list of vendors.
Click Select Device and choose the Malwarebytes devices for which you need the reports. Click Add.



You can set filter criteria for events based on object type, action value, action, object scanned, risk name, username
and source IP. Use logical operators as required.

Select the Period for which you want the data to be displayed and click Apply.



The graphs can be viewed in different formats.

In the left panel, under Malwarebytes Reports, you can view all the available threat reports for Malwarebytes.
Select the report you want to view.



To quickly export the report being viewed, click Export as and choose a format. Once done, you can download the
report.

Click Schedule to have this report exported and emailed periodically.

Click More for further customization options.



1. Set as Default, to set this report as the default for Malwarebytes reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.



Reports for Meraki Devices
EventLog Analyzer supports analysis of Meraki Firewall log format and provides out-of-the-box reports for the following
categories of events:

Meraki Events: The reports in this category provide information on all events including important events such as
allowed traffic, denied connections, possible attacks etc., on Meraki devices.
Firewall Allowed and Denied Traffic: This category of reports provides valuable insights on traffic based on the
source, destination, protocol, port, and traffic trends.
Logon Reports: These reports provide valuable information on user logons and their trends.
Firewall Website Traffic: This category provides reports on traffic based on the source, destination IP address,
website, and traffic trends.
Firewall IDS/IPS Events: The reports in this category provide insights on possible attacks, and top attacks based on
source and destination IP address. They also provide reports on attack trends.
Firewall Security Events: This category provides reports on web filtering.
Successful and Failed VPN Logon Reports: These reports give you valuable insights on VPN logouts and logons
based on remote devices, users and trend reports.
Device Severity Reports: The reports in this category provide insights on alerts, critical, error, warning, notice,
information and debug events.

Managing Meraki reports dashboard

Go to the Reports section and click on the Devices option in the drop-down menu. Select Meraki from the
displayed list of vendors.
Click Select Device and choose the Meraki devices for which you need to generate the reports. Click Add.



You can further generate reports based on source, message and severity. Use logical operators as required.

Select the Period for which you want the data to be displayed and click Apply.



The graphs can be viewed in different formats.

The All Events panel lists all the available out-of-the-box reports for Meraki. Select the report you want to view.



To quickly export the report being viewed, click Export as and choose the format. Once done, you can download
the report.

Click Schedule to have this report exported and emailed periodically.

Click More for further customization options.



1. Set as Default, to set this report as the default for Meraki reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.



NetScreen reports
EventLog Analyzer supports NetScreen Firewall and provides out-of-the-box reports for the following categories of events:

NetScreen events: Detailed information on all events on NetScreen devices.
Firewall Allowed and Denied Traffic: Provides insights on traffic based on source, destination, protocol and port,
also provides a report on traffic trends.
Firewall Website Traffic: Traffic reports based on source, destination, and website traffic trend.
Successful and Failed Logons: Provides source and user based reports, trend reports.
Firewall Accounts Management: Provides reports on administrator added, deleted or modified.
Firewall Policy Management: Provides information on policies added, deleted, or modified.
Firewall IDS/IPS Events: Provides insights on attacks based on source and destination IP address, also provides a
report on attack trends.
System Events: Provides reports on configuration changes, clock update, system status, start and stop of services.
Failed VPN Logon Reports: Monitors the VPN activities from pfSense logs and offers out-of-the-box reports for
failed VPN logons.
Device Severity Reports: Provides reports on emergency, alerts, critical, error, warning, and notice events.

NetScreen Reports Dashboard

Go to the Reports section. Select NetScreen from the displayed list of vendors.
In the left pane, all the available out-of-the-box reports for NetScreen will be listed. Select the report you want to
view.
To generate reports for a specific NetScreen device, click the Select Device drop-down list on the right pane and
choose the needed NetScreen devices. Click Add.



You can further generate reports based on Source, Severity and Device. Use logical operators as required.

If you want to generate the reports for a specific time period, select the Period calendar option from the top right
corner, specify the time period, and then click Apply.

To export a report, click Export as and choose the format. The solution allows you to export the reports in PDF and
CSV formats.

To generate and redistribute the reports over email at periodic time intervals, you can use the Schedule Reports
option.

The More link at the top right corner provides you the below customization options:
1. Set as Default: Allows you to set the selected report as the default report.

2. Add to Favorites: Marks the selected report as favorite.

3. Pin to dashboard: Pins the selected report to the dashboard in the Home page.

Palo Alto reports
EventLog Analyzer supports Palo Alto Firewall and provides out-of-the-box reports for the following categories of events:

Palo Alto Events: Provides information on all the events associated with Palo Alto devices.
Firewall Allowed and Denied Traffic: Provides insights on traffic based on source, destination, protocol, and port, and also generates a report on traffic trends.
Firewall Website Traffic: Provides traffic reports based on source, destination, and website traffic trend.
Successful and Failed Logons: Provides source-based and user-based reports, and trend reports.
Firewall Accounts Management: Provides reports on administrator accounts added, deleted, or modified.
Firewall Policy Management: Provides information on policies added, deleted, or modified.
Firewall IDS/IPS Events: Provides insights on attacks based on source and destination IP address, and also provides a report on attack trends.
System Events: Provides reports on configuration changes, clock updates, system status, start and stop of services, features, and license status.
Failed VPN Logon Reports: Monitors the VPN activities from Palo Alto logs and offers out-of-the-box reports for failed VPN logons.
Device Severity Reports: Provides reports on emergency, alert, critical, error, warning, and notice events.

Palo Alto Reports Dashboard

Go to the Reports section. Select Palo Alto from the displayed list of vendors.
In the left pane, all the available out-of-the-box reports for Palo Alto will be listed. Select the report you want to view.
To generate reports for a specific Palo Alto device, click the Select Device drop-down list on the right pane and choose the needed Palo Alto devices. Click Add.

You can further generate reports based on Source, Severity and Device. Use logical operators as required.

If you want to generate the reports for a specific time period, select the Period calendar option from the top right
corner, specify the time period and then click Apply.

To export a report, click Export as and choose the format. The solution allows you to export the reports in PDF and
CSV formats.

To generate and redistribute the reports over email at periodic time intervals, you can use the Schedule Reports
option.

The More link at the top right corner provides you the below customization options:
1. Set as Default: Allows you to set the selected report as the default report.

2. Add to Favorites: Marks the selected report as favorite.

3. Pin to dashboard: Pins the selected report to the dashboard in the Home page.

pfSense reports
EventLog Analyzer supports pfSense Firewall and provides out-of-the-box reports for the following categories of events:

pfSense Events: Provides information on all events on pfSense devices.
Firewall Allowed and Denied Traffic: Provides insights on traffic based on source, destination, protocol, and port, and also generates a report on traffic trends.
Firewall Website Traffic: Provides traffic reports based on source, destination, and website traffic trend.
Successful and Failed Logons: Provides source-based and user-based reports, and trend reports.
Firewall Accounts Management: Provides reports on administrator accounts added, deleted, or modified.
Firewall Policy Management: Provides information on policies added, deleted, or modified.
Firewall IDS/IPS Events: Provides insights on attacks based on source and destination IP address, and also provides a report on attack trends.
System Events: Provides reports on configuration changes, clock updates, system status, start and stop of services, features, and license status.
Failed VPN Logon Reports: Monitors the VPN activities from pfSense logs and offers out-of-the-box reports for failed VPN logons.
Device Severity Reports: Provides reports on emergency, alert, critical, error, warning, and notice events.

pfSense Reports Dashboard

Go to the Reports section. Select pfSense from the displayed list of vendors.
In the left panel, all the available out-of-the-box reports for pfSense will be listed. Select the report you want to view.
To generate reports for a specific pfSense device, click the Select Device drop-down list on the right panel and choose the needed pfSense devices. Click Add.

You can further generate reports based on Source, Severity and Device. Use logical operators as required.

If you want to generate the reports for a specific time period, select the Period calendar option from the top right
corner, specify the time period and then click Apply.

To export a report, click Export as and choose the format. The solution allows you to export the reports in PDF and
CSV formats.

To generate and redistribute the reports over email at periodic time intervals, you can use the Schedule Reports
option.

The More link at the top right corner provides you the below customization options:
1. Set as Default: Allows you to set the selected report as the default report.

2. Add to Favorites: Marks the selected report as favorite.

3. Pin to dashboard: Pins the selected report to the dashboard in the Home page.

SonicWall reports
EventLog Analyzer supports SonicWall Firewall and provides out-of-the-box reports for the following categories of events:

SonicWall Events: Provides information on all events on SonicWall devices.
Firewall Allowed and Denied Traffic: Provides insights on traffic based on source, destination, protocol, and port, and also generates a report on traffic trends.
Firewall Website Traffic: Provides traffic reports based on source, destination, and website traffic trend.
Successful and Failed Logons: Provides source-based and user-based reports, and trend reports.
Firewall Accounts Management: Provides reports on administrator accounts added, deleted, or modified.
Firewall Policy Management: Provides information on policies added, deleted, or modified.
Firewall IDS/IPS Events: Provides insights on attacks based on source and destination IP address, and also provides a report on attack trends.
System Events: Provides reports on configuration changes, clock updates, system status, start and stop of services, features, and license status.
Failed VPN Logon Reports: Monitors the VPN activities from SonicWall logs and offers out-of-the-box reports for failed VPN logons.
Device Severity Reports: Provides reports on emergency, alert, critical, error, warning, and notice events.

SonicWall Reports Dashboard

Go to the Reports section. Select SonicWall from the displayed list of vendors.
In the left pane, all the available out-of-the-box reports for SonicWall will be listed. Select the report you want to view.
To generate reports for a specific SonicWall device, click the Select Device drop-down list on the right pane and choose the needed SonicWall devices. Click Add.

You can further generate reports based on Source, Severity and Device. Use logical operators as required.

If you want to generate the reports for a specific time period, select the Period calendar option from the top right
corner, specify the time period and then click Apply.

To export a report, click Export as and choose the format. The solution allows you to export the reports in PDF and
CSV formats.

To generate and redistribute the reports over email at periodic time intervals, you can use the Schedule Reports
option.

The More link at the top right corner provides you the below customization options:
1. Set as Default: Allows you to set the selected report as the default report.

2. Add to Favorites: Marks the selected report as favorite.

3. Pin to dashboard: Pins the selected report to the dashboard in the Home page.

Sophos reports
EventLog Analyzer supports Sophos Firewall and provides out-of-the-box reports for the following categories of events:

Sophos Events: Provides information on all the events associated with Sophos devices.
Firewall Allowed and Denied Traffic: Provides insights on traffic based on source, destination, protocol, and port, and also generates a report on traffic trends.
Firewall Website Traffic: Provides traffic reports based on source, destination, and website traffic trend.
Successful and Failed Logons: Provides source-based and user-based reports, and trend reports.
Firewall Accounts Management: Provides reports on administrator accounts added, deleted, or modified.
Firewall Policy Management: Provides information on policies added, deleted, or modified.
Firewall IDS/IPS Events: Provides insights on attacks based on source and destination IP address, and also provides a report on attack trends.
System Events: Provides reports on configuration changes, clock updates, system status, start and stop of services, features, and license status.
Failed VPN Logon Reports: Monitors the VPN activities from Sophos logs and offers out-of-the-box reports for failed VPN logons.
Device Severity Reports: Provides reports on emergency, alert, critical, error, warning, and notice events.

Sophos Reports Dashboard

Go to the Reports section. Select Sophos from the displayed list of vendors.
In the left pane, all the available out-of-the-box reports for Sophos will be listed. Select the report you want to view.
To generate reports for a specific Sophos device, click the Select Device drop-down list on the right pane and choose the needed Sophos devices. Click Add.

You can further generate reports based on Source, Severity and Device. Use logical operators as required.

If you want to generate the reports for a specific time period, select the Period calendar option from the top right corner, specify the time period and then click Apply.

To export a report, click Export as and choose the format. The solution allows you to export the reports in PDF and CSV formats.

To generate and redistribute the reports over email at periodic time intervals, you can use the Schedule Reports option.

The More link at the top right corner provides you the below customization options:
1. Set as Default: Allows you to set the selected report as the default report.

2. Add to Favorites: Marks the selected report as favorite.

3. Pin to dashboard: Pins the selected report to the dashboard in the Home page.

WatchGuard reports
EventLog Analyzer supports WatchGuard Firewall and provides out-of-the-box reports for the following categories of events:
1. WatchGuard Events: The reports in this category provide information on all events on WatchGuard devices.

2. Firewall Allowed and Denied Traffic: The reports in these categories provide information on traffic based on source, destination, protocol, and port. They also provide information on traffic trends.

3. Firewall Website Traffic: This category has traffic reports based on source, destination, and website traffic trend reports.

4. Successful and Failed Logons: The reports in these categories provide information on successful and failed logons based on source and user. They also provide insights on logon trends.

5. Firewall Accounts Management: The reports in this category provide information on added, deleted, or modified firewall administrator accounts.

6. Firewall Policy Management: These reports provide information on added, deleted, or modified firewall policies.

7. Firewall IDS/IPS Events: The reports in this category provide information on attacks based on source and destination IP address. They also provide insights on attack trends.

8. System Events: These reports provide information on configuration changes, clock updates, system status, start and stop of services, features, and license status.

9. Failed VPN Logon Reports: These reports provide information on the VPN activities from WatchGuard logs and offer out-of-the-box reports for failed VPN logons.

10. Device Severity Reports: The reports in this category provide information on emergency, alert, critical, error, warning, and notice events.

WatchGuard reports dashboard

1. Go to the Reports section. Select WatchGuard from the displayed list of devices.

2. Click Select Device and choose the WatchGuard devices for which you need the reports. Click Add.

3. You can set filter criteria for events based on Source, Severity and Device. Use logical operators as required.

4. Select the Period for which you want the data to be displayed and click Apply.

5. The graphs can be viewed in different formats.

6. The panel on the left lists all the available out-of-box reports for WatchGuard. Select the report you want to view.

7. To quickly export the report in view, click Export as and choose the format. You can then download the report.

8. Click Schedule to have this report exported and emailed periodically.

9. Click More for further customization options.

1. Set as Default, to set this report as the default for WatchGuard reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.

F5 reports
EventLog Analyzer audits F5 devices and provides out-of-the-box reports for the following categories of events:
1. F5 Events: The reports in this group contain information on all events logged by F5 devices.

2. Logon Reports: These reports provide information on successful firewall logons and logoffs, and also give insights into logon trends.

3. Failed Logon Reports: The reports in this category provide information on failed firewall logons and insights into failed logon trends.

4. LTM Health Monitoring: The reports in this category let you track recent changes made to monitor status, node status, pool status, pool member status, and virtual server status.

5. Connection Monitoring: These reports let you view all CMI events and monitor connection limits.

6. Interface Events: The reports in this category let you monitor interface events such as Interface Up, Interface Down, Interface Error, and VLAN events.

7. Firewall Allowed Traffic: The reports in this category provide information on all connections allowed through the firewall, and on firewall trends.

8. Firewall Denied Traffic: These reports provide information on all denied connections and insights on trends in firewall traffic.

9. Firewall Policy Changes: These reports let you track all policy changes.

10. Firewall IDS/IPS Reports: The reports in this category let you monitor attacks and attack trends.

11. System Events: The reports in this category provide information on configuration changes and errors, and reports on license, policy, and memory status. They also monitor the status of hardware such as chassis modules, temperature, fans, and sensors, and report on hardware errors.

12. Application Security Reports: These reports provide an overview of application security, information on requests allowed and blocked, and trend reports.

13. Device Severity Reports: These reports provide information on emergency, alert, critical, and error events.

F5 reports dashboard

1. Go to the Reports section. Select F5 from the displayed list of devices.

2. Click Select Device and choose the F5 devices for which you need the reports. Click Add.

3. Select the Period for which you want the data to be displayed and click Apply.

4. The panel on left lists all the available out-of-the-box reports for F5. Select the report you want to view.

5. To quickly export the report in view, click Export as and choose the format. You can then download the report.

6. Click Schedule to have this report exported and emailed periodically.

7. Click More for further customization options.

1. Set as Default, to set this report as the default for WatchGuard reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.

IBM AS/400 reports
EventLog Analyzer supports IBM iSeries (AS/400) devices and provides out-of-the-box reports on:
1. Journal logons and logoffs: The reports in this category provide information on all journal logons and logoffs.

2. User activity: These reports offer insights into user profile changes, authority changes, logons and logoffs, objects deleted, ownership changes, and user profiles disabled due to the maximum number of sign-on attempts being reached.

3. Logon failures: The reports in this category provide information on failed logons and authorizations, and on logon failures due to invalid passwords.

4. System events: These reports provide information on system value changes and time changes, expired system IDs, the password bypass period, and events where a subsystem varied off a workstation.

5. Job logs: These reports provide information on top jobs based on users, successful job starts and ends, and changes made to jobs.

6. Storage events: These reports provide information on breaches of the ASP storage threshold and the storage directory threshold, and reports on serious storage conditions.

7. Battery condition: These reports provide information on battery cache expiry, weak batteries, and battery failures.

8. Reports on i5 grace period expiry.

9. Configuration and hardware: These reports provide information on device configuration, hardware errors, disk unit errors, temporary IO processor errors, and system processor failures.

IBM reports dashboard

1. Go to the Reports section and select IBM AS/400.

2. The panel on the left lists all the available out-of-box reports for IBM AS/400. Select the report you want to view.

3. You can filter data based on device and time period. To view the security events of a specific device, select the IBM AS400 device from the Select Device drop-down list. Click Add.

4. You can further filter and view the security events based on Source, Severity, and Device. To do this, click on the filter icon.

This opens the Create Filter dialog box. Select the appropriate criteria.

5. To view the security events of a specific time period, select the period from the Period calendar option on the top right corner and click Apply.

6. To quickly export the report in view, click Export as and choose the format. You can then download the report.

7. Click Schedule to have this report exported and emailed periodically.

8. Click More for further customization options.

1. Set as Default, to set this report as the default for IBM AS/400 reports.

2. Add to Favorites, to mark this report as favorite.

3. Pin to dashboard, to pin this report to the main dashboard in the Home page.

Chapter 9 Threat Intelligence Data Analytics

Threat Data Analytics


EventLog Analyzer ingests contextual threat data from threat intelligence solutions such as FireEye, Symantec, and Malwarebytes. The data from these solutions is analyzed and presented to you in the form of reports that highlight critical events such as infections, possible malware and web infections, and so on.

Supported threat intelligence solutions and other similar sources:


FireEye Threat Solutions
Symantec Endpoint Solutions
Symantec DLP Applications
Malwarebytes Solutions
CEF format

EventLog Analyzer can automatically analyze data from the above solutions and gives you insights on commonly found severities, source and destination IP addresses, and the most targeted ports in the form of security analytical reports.

These reports can also be exported in the PDF, CSV, and HTML formats. Report generation can also be automated using the Schedule report option. The solutions that EventLog Analyzer supports are listed above.

FireEye Threat Solutions

EventLog Analyzer can process log data from FireEye and present the data in the form of graphical reports. For the solution to start collecting log data from FireEye, it has to be added as a threat source.

Steps to add a FireEye threat source:

To add a FireEye device as a threat source, the syslog service has to be configured on the FireEye device.
1. Log in to the FireEye device as an administrator. Navigate to Settings > Notifications, select rsyslog and the Event type.

2. Click Add Rsyslog Server.

3. In the dialog box that opens, enter the EventLog Analyzer server IP address in the given field. Choose UDP as the protocol and CEF (default) as the format.

4. Click on Save.

Once the device is added in EventLog Analyzer, it should then be listed as a threat source. This can be done in a few simple steps.
1. In the EventLog Analyzer console, navigate to Settings > Configurations > Manage Threat Source > Add Source.

2. Click on Existing Host and select the device you had added from the list of existing devices.

3. Select FireEye from the Add-on Type list.

4. Click on Add.

Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed
in the form of reports.

The reports provide information on:

Domain matches
Malware infections
Callbacks
Malware objects
Web infections

EventLog Analyzer also provides reports that give information on the top:

Severities
Source IPs of infections
Target IPs
Target ports
Malware
Active sensors

Symantec Endpoint Solutions

EventLog Analyzer collects log data from Symantec Endpoint Solutions and presents it in the form of graphical reports. For the solution to start collecting this log data, the device has to be added as a threat source.

Adding a Symantec Endpoint Solutions device as a threat source:

To add a Symantec Endpoint Solutions device as a threat source, the syslog service has to be configured.
1. Log in to the Symantec Endpoint Protection device as an administrator.

2. Navigate to Admin > Servers. Select the local site or remote site from which log data must be exported.

3. Click Configure External Logging.

4. In the General tab, from the Update Frequency list, choose how often log data should be sent to the file.

5. In the Master Logging Server list, select the management server to which the logs should be sent.

6. Check the Enable Transmission of Logs to a Syslog Server option.

7. Enter the following details in the given fields.

Syslog Server - Enter the EventLog Analyzer IP address or domain name.

Destination Port - Select the protocol to use and enter the destination port that the syslog server should use to listen for syslog messages.

Log Facility - Enter the number of the log facility that you want the syslog configuration file to use. Valid values range from 0 to 23. Alternatively, you could use the default values.

8. Click on OK.

1. In the EventLog Analyzer console, navigate to Settings > Configurations > Manage Threat Source > Add Source

2. Click on Existing Host and select the device you had added from the list of existing devices.

3. Select Symantec Endpoint Protection in Add-on Type.

4. Click on Add.

Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed
in the form of reports.

The reports provide information on:

Security risks
Virus detected
Port scans
Installation of commercial applications
Threat activities
HIPS activities

EventLog Analyzer also provides reports on the top:

Affected devices
Source devices
Risks
Problems

Symantec DLP Application

EventLog Analyzer collects log data from Symantec DLP Applications and presents it in the form of graphical reports. For the solution to start collecting this log data, the device has to be added as a threat source.

Adding a Symantec DLP Application device as a threat source:

To add a Symantec DLP Application device as a threat source, the syslog service has to be configured.
1. Locate and open the config\Manager.properties file. The file path is as follows:

Windows - \SymantecDLP\Protect\config directory

Linux - /opt/SymantecDLP/Protect/config directory

2. Uncomment the systemevent.syslog.host= line and specify the EventLog Analyzer server IP address as follows:
systemevent.syslog.host=xxx.xx.xx.xxx

3. Uncomment the systemevent.syslog.port= line and specify 514 as the port on which to accept connections from the Symantec Enforce Server, as follows:

systemevent.syslog.port=514

4. After making the above changes, save and close the properties file.

1. In the EventLog Analyzer console, navigate to Settings > Configurations > Manage Threat Source > Add Source

2. Click on Existing Host and select the device you had added from the list of existing devices.

3. Select the Addon Type from the list.

4. Click on Add.

Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed
in the form of reports.

The reports provide information on the top:

Senders
Recipients
Targets
Protocols
Data Owners
Severities

Additionally, a Symantec DLP overview report is also provided.

Malwarebytes Reports

EventLog Analyzer collects log data from Malwarebytes and presents it in the form of graphical reports. For the solution to start collecting this log data, the device has to be added as a threat source.

Adding Malwarebytes as a threat source:

To add Malwarebytes as a threat source, the syslog service has to be configured.
1. Log in to the Management console of the Malwarebytes device.

2. Navigate to the Admin pane and open the Syslog Settings tab.

3. Click Change and tick the Enable Syslog check box.

4. To export traffic monitoring logs to the EventLog Analyzer server, enter the following details in the space provided:

Address <EventLog Analyzer server IP address>

Port <513/514>

Protocol

Payload format <CEF>

5. Click on OK to save.

Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed
in the form of reports.

1. In the EventLog Analyzer console, navigate to Settings > Configurations > Manage Threat Source > Add Source

2. Click on Existing Host and select the device you had added from the list of existing devices.

3. Select the Addon Type from the list.

4. Click on Add.

The available reports are:

Detected Threats
Quarantined Threats
Allowed Threats
Top Threats based on source
Top Threats based on user
Top Threats Types
Top Websites blocked based on source
Detected Exploits
Blocked Exploits
Allowed Exploits
Top Exploits based on source
Top Exploits based on user
Top Exploits types
Malicious Websites Blocked
Top Websites Blocked

CEF format Reports

EventLog Analyzer collects log data in the CEF format and presents it in the form of graphical reports. For the solution to start collecting this log data, the device has to be added as a threat source.

Adding a device with logs in the CEF format as a threat source:

To add the application that uses CEF as a threat source, the syslog service has to be configured.
1. Log in to the application or device which supports the CEF log format.

2. Go to the syslog server configuration.

3. In the field for Log Format, select CEF Format.

4. In the Syslog Server IP address field, enter the <EventLog Analyzer IP address>.

5. Enter the syslog port and save the configuration.

Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed in the form of reports.
1. In the EventLog Analyzer console, navigate to Settings > Configurations > Manage Threat Source > Add Source

2. Click on Existing Host and select the device you had added from the list of existing devices.

3. Select the Addon Type from the list.

4. Click on Add.

The available reports are:

CEF Format Overview
Very High Severity Events
High Severity Events
Medium Severity Events
Low Severity Events
Top Events Based On Event Class ID
Top Events Based On Event Name
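As an added example (not EventLog Analyzer's own parser), the following Python code parses CEF records of the kind this threat source ingests and rolls them up into the severity buckets, event class IDs and event names that the reports above group on. The sample log lines, vendor and product names are constructed, and the CEF severity-to-bucket mapping (0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very High) follows the CEF specification rather than anything the guide states.

```python
"""CEF (Common Event Format) record parser plus the roll-ups behind the CEF
reports: events by severity bucket, by event class (signature) ID and by event
name.  Added example, not EventLog Analyzer code; the log lines are constructed."""
import re
from collections import Counter

# Constructed sample records, as a device would send them in the CEF payload format
# over syslog (the syslog PRI/timestamp prefix is assumed already stripped).
SAMPLE_LOGS = [
    "CEF:0|Vendor A|Endpoint|1.0|100|Malware detected|9|src=10.0.0.5 dst=10.0.0.9 dpt=445 msg=quarantined",
    "CEF:0|Vendor A|Endpoint|1.0|200|Port scan|5|src=10.0.0.7 dst=10.0.0.9 dpt=22",
    "CEF:0|Vendor B|Proxy|2.3|300|Website blocked|3|src=10.0.0.5 request=http://example.invalid/ msg=policy\\=web",
    "CEF:0|Vendor B|Proxy|2.3|301|Blocked \\| quarantined|4|src=10.0.0.6",
    "CEF:0|Vendor A|Endpoint|1.0|100|Malware detected|10|src=10.0.0.8 dst=10.0.0.9 dpt=445",
]

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")  # start of a key=value pair
_ESCAPE = re.compile(r"\\(.)")                     # backslash escape in a value


def _split_header(line):
    """Split the seven pipe-delimited header fields, honouring the CEF header
    escapes for '|' and '\\'.  Returns (fields, remaining extension text)."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped pipe or backslash
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, line[i:]


def _parse_extension(text):
    """Parse 'key=value key=value ...'.  Values may contain spaces and the
    extension escapes for '=', '\\', newline and carriage return."""
    matches = list(_KEY.finditer(text))
    ext = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(text)
        raw = text[m.end():end].strip()
        ext[m.group(1)] = _ESCAPE.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return ext


def severity_bucket(severity):
    """Map the CEF severity field (0-10, or the textual levels some products
    send) onto the Low / Medium / High / Very High buckets the reports use."""
    text = severity.strip().lower().replace("-", " ")
    if text in ("low", "medium", "high", "very high"):
        return text.title()
    level = int(text)  # raises ValueError on anything else
    if not 0 <= level <= 10:
        raise ValueError("CEF severity out of range: %r" % severity)
    for limit, bucket in ((3, "Low"), (6, "Medium"), (8, "High")):
        if level <= limit:
            return bucket
    return "Very High"


def parse_cef(line):
    """Parse one CEF record into a dict; raises ValueError on malformed input."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, rest = _split_header(line)
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header has %d of %d fields" % (len(fields), len(HEADER_FIELDS)))
    record = dict(zip(HEADER_FIELDS, fields))
    record["cef_version"] = record["cef_version"].split(":", 1)[1]
    record["severity_bucket"] = severity_bucket(record["severity"])
    record["extension"] = _parse_extension(rest)
    return record


def summarize(lines):
    """Roll a batch of CEF lines up into the counts behind the severity,
    event-class-ID and event-name reports; malformed lines are counted, not lost."""
    summary = {"by_severity": Counter(), "by_signature_id": Counter(),
               "by_name": Counter(), "unparsed": 0}
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            summary["unparsed"] += 1
            continue
        summary["by_severity"][rec["severity_bucket"]] += 1
        summary["by_signature_id"][rec["signature_id"]] += 1
        summary["by_name"][rec["name"]] += 1
    return summary
```

Calling `summarize(SAMPLE_LOGS)["by_severity"].most_common()` gives the counts a "Very High Severity Events" or "Low Severity Events" report would be built from; the `unparsed` counter is the figure worth alerting on when a device starts sending a format the parser does not recognise.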

Chapter 10 Vulnerability Data Analytics

Vulnerability Data Analytics


EventLog Analyzer can process log data from vulnerability scanners such as Nessus, Qualys, OpenVAS, and NMAP. The data
ingested from vulnerability scanners can be incorporated into the correlation engine to discover complex attack patterns.
The solution generates out-of-the-box reports and predefined alert criteria that help in identifying and prioritizing
vulnerabilities in your network. The report groups available are:

Top Vulnerability Reports


Reports on Nessus vulnerability data
Reports on Nessus Compliance
Reports on Qualys vulnerability data
Reports on NMAP vulnerability data
Reports on OpenVAS vulnerability data
Reports on Nexpose vulnerability data

EventLog Analyzer also has predefined alert criteria corresponding to the above categories. Setting up an alert profile for vulnerability scanners is similar to setting up a predefined alert profile. The only difference is that you need to choose Vulnerability as the type from the predefined list and then choose the appropriate alert condition.

Adding vulnerability scanners to EventLog Analyzer


To monitor vulnerability scanner data in EventLog Analyzer, you need to import the corresponding log data to the EventLog
Analyzer server. You can import log data by navigating to Settings > Vulnerability Data Analysis > Import.

1. Enter the vulnerability scanner's name.

2. Choose the vulnerability scanner's application type.

3. Specify the location of the log file which has to be imported.

4. Click on Import.

Vulnerability Reports
EventLog Analyzer has over 50 out-of-the-box reports for analyzing log data from vulnerability scanners such as Nessus,
Qualys, OpenVAS, and NMAP. The reports are essential for discovering and remediating network vulnerabilities.

Reports on Nessus vulnerability data


Nessus data on potential vulnerabilities in a network, including credential failures, elevated privilege failures, and registry
access failures, is presented as reports. The information in the reports is also presented graphically for improved
insights.

Available reports:

GHOST in Linux - This report lists any detected instance of the GHOST vulnerability in Linux.
Shellshock Report - This report contains information on the detected instances of the Shellshock privilege
escalation vulnerability in Linux systems in your network.
Admin Discovery Report - An overview of all the admin accounts in a network will be available in this report.
Top exploitable vulnerabilities - An overview of the vulnerabilities in your network that are most prone to attacks
will be available here.
Credential failures report - An account of all instances of credential failures in your network will be displayed here.
Elevated privilege failures report - Failed attempts at privilege escalation will be displayed here.
Registry access failures - Failed attempts at accessing the Windows Registry will be recorded here.
Patch report - A report of all the patches applied in the device will be displayed.
Overall Nessus report - An overview of events in Nessus vulnerability scanners in your network will be available
here.

Ensuring Compliance to regulatory mandates:


EventLog Analyzer helps in complying with regulatory mandates such as the GDPR, PCI DSS and NIST. These regulations
mandate that critical events in devices and applications that could potentially lead to a data breach need to be monitored. If
any indication of a breach is detected, remediating action has to be taken to mitigate this risk. Information from vulnerability
scanners like Nessus forms a critical part of the data that needs to be monitored.

For instance, the Risk Assessment (ID.RA) section of the NIST framework states:

"The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or
reputation), organizational assets, and individuals. Threat and vulnerability information is received from information sharing
forums and sources."

In EventLog Analyzer, the vulnerability scanner data used to ensure compliance with regulations is also categorized by
device type. Based on the devices that Nessus analyzes, the reports are grouped as follows:

Windows devices
Unix devices
Databases
Cisco IOS
Huawei
Unix file contents
IBM iSeries
SonicWall, SonicOS
Citrix XenServer
VMware, vCenter, and vSphere infrastructure

Once the Nessus vulnerability scanner is added, its data can be imported into EventLog Analyzer manually or through
scheduled automated imports. This data is then collated into comprehensive reports to comply with PCI DSS
requirements:

Denial of remote access software
Denial of insecure communication
Handling false positives

Reports on Qualys vulnerability data

The information on potential vulnerabilities in a network including service vulnerabilities and potential vulnerabilities
gathered from Qualys will be provided in these reports. This information is also presented in the graphical format for
improved insights.

Available reports:

Information gathered from vulnerabilities - Information that can be gathered from detected vulnerabilities such as
CVSS scores and the severity level will be available in this report.
Services vulnerabilities - Service vulnerabilities like open TCP and UDP services will be listed in this report.
Potential vulnerabilities - Vulnerabilities that could be exploited by an attacker will be listed in this report.
Confirmed vulnerabilities - Vulnerabilities that are above a CVSS base score of 5 will be listed in this report.
Severe vulnerabilities - Vulnerabilities with the severity level 'Urgent' will be listed in this report.
Open TCP Ports - Open TCP ports in the network will be displayed in this report.
Open UDP Ports - Open UDP ports in the network will be displayed in this report.
Qualys Reports Overview - An overview of all important events in Qualys reports will be displayed here.

Reports on NMAP vulnerability data


EventLog Analyzer can collect vulnerability data from open source vulnerability scanning platforms such as NMAP. These
reports can help you discover open ports in your network sorted according to device, service, or protocol.

Available reports:

Top Vulnerable Service - From NMAP data, the services in the system most prone to be exploited will be available
here.
Top Vulnerable OS - From NMAP data, the services in the operating systems most prone to be exploited will be
available here.
Top Open Ports - A list of all the open ports in the system will be available here.
Open Ports - A list of all the open ports in the system will be available here.
Top Vulnerable Devices - A list of the most vulnerable devices, according to the NMAP data, will be available here.
Top Vulnerable protocol - The most vulnerable protocols used in the system will be available in this report.
Top Vulnerable ports - A list of the most vulnerable ports according to the NMAP data will be available here.

Reports on OpenVas vulnerability data

EventLog Analyzer collects data from OpenVas and helps you classify the reports based on the threat level as high, medium,
or low.

Top Vulnerabilities High Threat - Vulnerabilities that pose the highest risk of attacks will be listed here.
Top Vulnerabilities Medium Threat - Vulnerabilities that pose a moderate risk of attacks will be listed here.
Top Vulnerabilities Low Threat - Vulnerabilities that do not pose a high risk of attacks will be listed here.

Data from OpenVas is also segregated based on severity, CVS score, and group.

Top CVS Score by Count - This report identifies the most frequent vulnerabilities categorized based on the CVS
score.
Top Vulnerable Group - This report lists the most vulnerable workgroups in your network based on the
Top Vulnerabilities - This report lists the most common vulnerabilities in the network.

Reports on Nexpose vulnerability data

EventLog Analyzer collects data from Nexpose and categorizes the vulnerability information based on the level of severity.

Available reports:

Critical threats - Vulnerabilities that pose the highest risk of attacks will be listed here.
High threats - Vulnerabilities that pose a considerably high risk of attacks will be listed here.
Medium threats - Vulnerabilities that pose a moderate risk of attack will be listed here.
Low threats - Vulnerabilities that do not pose a high risk of attacks will be listed here.
Vulnerability trend - The general trend that can be inferred based on the vulnerabilities in your network will be
listed here.

Chapter 11 Real-time Event Correlation

Understanding correlation
What is correlation?
Correlation is the process of identifying a sequence of multiple related events, across one or more devices, that together
form a single larger incident. Correlation is useful because, in many cases, the individual events do not look suspicious
on their own, but when viewed in relation to one another a larger picture emerges that points to a potential security
incident.

For instance, the two events "employee logs on to Device A" and "employee logs on to Device B" seem perfectly normal.

However, "same employee logs on to two different devices (Device A and Device B) at almost the same time" may indicate
a possible account sharing incident.

What is a correlation rule?


A correlation rule is a pattern or a template used to relate multiple logs and identify a security incident. The rule specifies a
series of events that make up a larger incident, the time window between events, and specific conditions if any. The
following illustrates the various parameters that can be specified in a correlation rule:

Correlation rule: A correlation rule is an ordered sequence of network actions.
Actions: An action corresponds to a network log. It contains several fields with unique values such as username,
device name, and so on.
Time window between actions: Each action has to follow the previous action within a specified time window.
Threshold for an action (optional): A single action may have to occur several times continuously for a specific rule
to hold true. A threshold can be specified for the minimum number of repetitions that need to be observed within
the specified time window.
Filters for an action (optional): Conditions can be imposed on the fields within each action, with the use of filters.

For more information on constructing a correlation rule using these parameters, see Constructing custom correlation rules.

Example:

Correlation Rule: Brute force

A brute force attack occurs when an attacker tries to gain access to a device in your network, by trying several
logon credentials until one succeeds. It is characterized by several failed logons on a device, followed by a
successful logon:

General pattern: Failed logon -> Failed logon -> Failed logon -> (...) -> Successful logon (all within a few minutes,
to the same device)

Specific pattern: At least 10 failed logons to a single device within 2 minutes -> (within the next 1 minute) ->
Successful logon to the same device

The rule can thus be configured as below:

Action 1: Failed logon - an employee fails to log on to a network device.
Threshold: This action should occur a minimum of 10 times within 2 minutes.
Filters: The device name should be the same for all occurrences of Action 1.

Time window between Action 1 & Action 2: 1 minute

Action 2: Successful logon - an employee logs on to a network device.
Threshold: None.
Filters: The device name should be the same as the device name from Action 1.

Comparison between correlation rules and alert profiles


A correlation rule specifies one or more events, occurring on one or more devices. An alert profile can only specify
a single event, from a single device type.
A correlation rule provides more power than an alert profile in defining a scenario. As a correlation rule can include
more than one event, it allows you to specify the ordering of the events, time windows between events, and make
use of various conditions.
Threshold limits can be specified in both correlation rules and alert profiles. However, while a correlation rule can
check that a specific field's value is the same throughout all repetitions of an action, an alert profile cannot.

Best practices for correlation


Correlation is a memory intensive process. If you enable the correlation engine, be sure to enable/create rules only
for your most important business use cases.
Before creating a new rule, ensure that the same rule cannot be created as an alert profile instead. Please configure
your use case as an alert profile instead of a correlation rule, if your answer is "yes" to all items in the below
checklist:
    Your use case consists of only one action.
    You only need to specify the devices to which the use case is applicable, and don't need to check for a
    specific value for other fields (like username).
    In case you specify a threshold value for the action, you don't need to check for a constant field value for
    any field (username, device name, etc.).
Periodically review the logic for your correlation rules. If any rule is generating too many false positives, you can
adjust the rule parameters to reduce them.

To know more about correlation, check out the following pages:

1. Managing correlation rules

2. Session activity

3. Viewing last 10 incidents

4. Creating custom correlation rules

Some examples

Correlation Rule : Excessive application crashes (Windows)

A series of application crashes on a device over a short time-frame may point to a faulty device. Further, this
check should not be applied to a specific device named "Device-1234" as it is used for application crash testing
purposes and may generate too many false positives.

General action flow: Application crash -> Application crash -> (...) -> Application crash (all within few hours on a
single device, not applicable to Device-1234)

Specific action flow: At least 5 application crashes on a single device within 180 minutes (except for Device-1234)

The rule can thus be configured as below:

Action 1: Application crash - an application crashes on a Windows device.

Threshold: This action should occur a minimum of 5 times within 180 minutes.
Filters:
The device name should be the same for all occurrences of Action 1.
The device name should not equal Device-1234.

Correlation Rule: Possible ransomware activities (Windows)

A ransomware attack typically progresses with a newly started process modifying several files on a network
device (in order to encrypt them). It can be identified by a process being started, shortly followed by multiple
file modifications.

General action flow: Process started -> File modified -> File modified -> (...) -> File modified (all within a few
minutes, on the same device)

Specific action flow: Process started -> (within the next 5 minutes) -> At least 15 file modifications on the same
device, by the same process

The rule can thus be configured as below:

Action 1: Windows Process started - a process is started on Windows.

Threshold: None.
Filters: None

Time window between Action 1 & Action 2: 5 minutes

Action 2: File modified - a file is modified on a Windows device.

Threshold: 15 times within 30 minutes.


Filters:
The device name should be the same for all occurrences of Action 2.
The process name should be the same for all occurrences of Action 2.
The device name should be the same as the device name from Action 1.
The process name should be the same as the process name from Action 1.
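
The brute force, application crash, and ransomware rules above, run by a minimal correlation engine. This is an added
example and not EventLog Analyzer's own correlation engine: the Event, Action and Rule classes, the normalized action
names (failed_logon, process_started, and so on) and the sample log are all constructed for illustration, and a
thresholded action is treated as complete at its threshold-th repetition, which is where the next action's time window
starts.

```python
# Added example: a minimal correlation engine for rules of the shape shown above
# (ordered actions, per-action thresholds and windows, "is constant" and "link to"
# filters). Not EventLog Analyzer code; all names are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    ts: datetime
    action: str   # normalized action name, e.g. "failed_logon"
    fields: dict  # parsed log fields, e.g. {"device": "srv-01", "user": "bob"}


@dataclass
class Action:
    name: str
    threshold: int = 1                              # minimum repetitions
    window: Optional[timedelta] = None              # repetitions must fit in this window
    constant: tuple = ()                            # "is constant": same value in every repetition
    link_to_previous: tuple = ()                    # "link to": must equal the previous action's field
    not_equals: dict = field(default_factory=dict)  # "not equals" filters, field -> excluded value


@dataclass
class Rule:
    name: str
    actions: list
    gaps: list  # gaps[i] = maximum time between action i and action i+1


def _passes_filters(ev, action, prev_run):
    for f, excluded in action.not_equals.items():
        if ev.fields.get(f) == excluded:
            return False
    for f in action.link_to_previous:
        if ev.fields.get(f) != prev_run[-1].fields.get(f):
            return False
    return True


def _find_run(events, start, action, prev_run, deadline):
    """Scan from index `start` for the earliest run of `action.threshold` matching events
    that share the constant fields and fit in `action.window`. The run's first event must
    occur no later than `deadline` (None = no limit). Returns event indices, or None."""
    runs = {}  # constant-field values -> indices of candidate repetitions
    for idx in range(start, len(events)):
        ev = events[idx]
        if deadline is not None and ev.ts > deadline + (action.window or timedelta(0)):
            break  # no run starting by the deadline can still complete
        if ev.action != action.name or not _passes_filters(ev, action, prev_run):
            continue
        run = runs.setdefault(tuple(ev.fields.get(f) for f in action.constant), [])
        run.append(idx)
        if action.window is not None:
            while ev.ts - events[run[0]].ts > action.window:
                run.pop(0)  # slide the threshold window forward
        if len(run) >= action.threshold and (deadline is None or events[run[0]].ts <= deadline):
            return list(run)
    return None


def correlate(rule, events):
    """Return one incident per firing of `rule`: a list with one list of matched events per
    action. Matched events are consumed, so the same logs never feed two incidents."""
    events = sorted(events, key=lambda e: e.ts)
    incidents, i = [], 0
    while i < len(events):
        run0 = _find_run(events, i, rule.actions[0], None, None)
        if run0 is None:
            break
        chain, last = [run0], run0[-1]
        for act, gap in zip(rule.actions[1:], rule.gaps):
            prev = [events[j] for j in chain[-1]]
            run = _find_run(events, last + 1, act, prev, prev[-1].ts + gap)
            if run is None:
                break
            chain.append(run)
            last = run[-1]
        if len(chain) == len(rule.actions):
            incidents.append([[events[j] for j in r] for r in chain])
            i = last + 1
        else:
            i = run0[0] + 1  # retry from the next possible starting point
    return incidents


# The three rules described in this chapter, expressed with the classes above.
BRUTE_FORCE = Rule("Brute force", [
    Action("failed_logon", threshold=10, window=timedelta(minutes=2), constant=("device",)),
    Action("successful_logon", link_to_previous=("device",)),
], gaps=[timedelta(minutes=1)])
RANSOMWARE = Rule("Possible ransomware activities", [
    Action("process_started"),
    Action("file_modified", threshold=15, window=timedelta(minutes=30),
           constant=("device", "process"), link_to_previous=("device", "process")),
], gaps=[timedelta(minutes=5)])
APP_CRASHES = Rule("Excessive application crashes", [
    Action("app_crash", threshold=5, window=timedelta(minutes=180),
           constant=("device",), not_equals={"device": "Device-1234"}),
], gaps=[])


def sample_events():
    """Constructed sample log (not captured data) exercising all three rules."""
    t0, t1, t2 = (datetime(2024, 1, 1, 9) + timedelta(hours=h) for h in (0, 1, 2))
    ev = []
    # srv-01: 10 failed logons 10 s apart, success 30 s after the last one -> fires
    ev += [Event(t0 + timedelta(seconds=10 * k), "failed_logon", {"device": "srv-01", "user": "bob"}) for k in range(10)]
    ev.append(Event(t0 + timedelta(seconds=120), "successful_logon", {"device": "srv-01", "user": "bob"}))
    # srv-02: 10 failed logons spread over 4.5 minutes (too slow for the window) -> no incident
    ev += [Event(t0 + timedelta(seconds=30 * k), "failed_logon", {"device": "srv-02", "user": "eve"}) for k in range(10)]
    ev.append(Event(t0 + timedelta(seconds=300), "successful_logon", {"device": "srv-02", "user": "eve"}))
    # ws-07: new process, then 20 rapid file modifications by it (winword ones do not count) -> fires
    ev.append(Event(t1, "process_started", {"device": "ws-07", "process": "evil.exe"}))
    ev += [Event(t1 + timedelta(seconds=30 + 5 * k), "file_modified", {"device": "ws-07", "process": "evil.exe"}) for k in range(20)]
    ev += [Event(t1 + timedelta(seconds=31 + 5 * k), "file_modified", {"device": "ws-07", "process": "winword.exe"}) for k in range(5)]
    # Device-1234 crashes are excluded by the filter; ws-03 has 5 crashes in 80 minutes -> fires
    ev += [Event(t2 + timedelta(minutes=10 * k), "app_crash", {"device": "Device-1234"}) for k in range(5)]
    ev += [Event(t2 + timedelta(minutes=60 + 20 * k), "app_crash", {"device": "ws-03"}) for k in range(5)]
    return ev
```

Running correlate(BRUTE_FORCE, sample_events()) returns one incident for srv-01 and none for srv-02, because the second
device's failed logons are spread over more than the 2-minute threshold window. Each incident carries the matched events
themselves, which is the information the timeline view described later in this chapter presents.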

Generating Incident Timeline Reports in Correlation
With EventLog Analyzer's correlation reports, you can understand complex incidents happening across your network and
get a clear picture of the sequence in which they unfold.

Three types of reports are available:

Incidents overview report


Incident reports
Timeline view

You can also perform several reporting actions, empowering you to gain maximum value from your log data. To know more
about what correlation is, how correlation rules are structured, and more, see understanding correlation.

Incidents overview report


The incidents overview report provides a summary of the various incident types encountered. Each incident type
corresponds to a correlation rule. For each incident type, you can view the total count of correlated incidents.

To view the incidents overview report:

Click on the Correlation tab.
Select Recent Incidents from the left menu.

Incident reports
An incident report provides the details of the various occurrences of a specific incident type (or correlation rule). It displays
the count of correlated events over time.

To view the report for a specific rule, go to the Correlation tab, navigate to the rule name on the left menu, and click on it.
You can also go to the incident report from the incidents overview report by clicking on the corresponding entry in the
graphical or tabular parts of the report.

Click on the Correlation tab.
Select the desired rule name from the left pane.
You can also view the incident report for a particular incident by selecting the corresponding entry from the table.

Timeline view
The timeline view provides the history of correlated actions for each occurrence of an incident. It is a sequential list of logs
that led to the triggering of a particular rule.

To get an Event timeline for each incident on the table, click on Event Timeline corresponding to the specific
incident.

To view the details of each log, click on the Details next to each event.

Incident report actions
The following actions can be performed on the incident reports:
1. Export reports

You can export incident reports in either PDF or CSV format.

To export a report, navigate to the required report, and click on the Export as option.

Select the format in which you would like to export the report from the drop down list.

The status of all previous and ongoing exports can be viewed by clicking on the Report export history icon next to
the Export as option.

2. Schedule reports

An incident report schedule allows you to generate incident reports at regular periods, and optionally receive them via
email.

To view the list of existing schedules for a specific report, navigate to the required incident report and click on
Schedule Report.

You can enable/disable or edit the schedules by clicking on the respective icons. To create a new schedule, click on
Add Schedule.

Specify the following details for the schedule:

Schedule name: A name for the new schedule.
Schedule frequency: The frequency to generate the report (only once/hourly/daily/weekly/monthly).
Run schedule at: The day/time within the chosen period at which the report must be generated.
Export time range: The time range for which the report data must be exported.
Report format: Reports can be generated in either PDF or CSV formats.
Email address: The email address to which the report needs to be sent.
Email subject line: The subject of the email to be sent.

Click on Save.

You can choose what information must be displayed in your incident report by adding or removing the required fields as
columns in the report.

To select the fields, click on the column selector icon on the top right corner of the required report.

Select the fields to be displayed in the report by choosing the respective checkboxes under each action.

You can also specify the below options for each field by clicking on the edit icon next to the required field.

Display name: This is the name of the field as displayed in the report. This is useful if you would like to display the
same field (e.g. username) from more than one action. You can distinguish between similar fields by changing their
display names. For instance, 'Failed logon username' and 'Successful logon username'.
Show value of: When you have specified a threshold value for the action and it occurs more than once, you can
choose to display the field value from either the first, last or all occurrences of the action. Once you have specified
the required information to be displayed, click Save.

View Last 10 Incidents
EventLog Analyzer's correlation engine allows you quick access to the last 10 correlation incidents that happened on the
network. To view the last 10 correlation events:

Click Last 10 incidents in the Rules Overview or Rule Report window.

The Incidents Overview window provides you with the list of 10 previous correlation incidents, in raw log format.

Users can toggle between the List and Grid report views.

Activity Monitoring
EventLog Analyzer processes log data across your network and provides reports on session activity of your network devices
and users. You can access these reports by clicking on Activity Monitoring under the Correlation tab.

Activity Monitoring Rules


You can either use the predefined rules in EventLog Analyzer to generate reports on session activity or you can build your
own rules with individual actions.

Predefined activity rules

Navigate to Correlation > Manage Rules > Activity Rules.
Select the predefined rules which you wish to use, click the enable icon, and confirm the same.

Custom activity rules

To open the activity rule builder, navigate to Correlation > Manage Rules > Activity Rules > Create Activity Rule.
1. Select the individual actions that make up the rule, from the categorized list of actions on the left of the screen.
You can also search for actions using the search bar on top of the list. You can drag and drop the actions to
rearrange their order, or delete an action by clicking on the delete icon on its right. To detect repetition of the
same action within a particular time interval, tick the Threshold limit check box and enter the number of
occurrences and time interval.

2. For each action, specify the time interval within which it is to be followed by the next action, under the Followed by
within label. You can specify the time interval in seconds or minutes by using the provided dropdown.

3. To configure advanced options for any of the selected actions, click Filters on the top right corner of the action.

4. The first rule starts the session and the last rule ends the session. The duration of the session is the time interval
between the first and the last rule.

Advanced options

Each action in an activity rule corresponds to a log. Logs contain various fields, and each field has a specific value. With
advanced options (found under Filters on the right of the action), you can provide filter criteria for each field of the
log/action and specify a threshold limit on the minimum number of repetitions of the action.

1. You can select a filter field from the dropdown list provided. The fields provided in the dropdown may vary based on
the action selected.

2. You can select the comparison type as equals, not equals, contains, starts with, ends with, link to, or is constant, from
the dropdown provided.

Note: When you provide more than one value for an equals comparison, the set of values provided are treated as a list
of possible values and the action is accepted if any one value from the list is true. The same holds true for the
contains, starts with, and ends with comparisons.

When you provide more than one not equals comparison, the set of values provided need to hold true for the action to
be accepted.

Link to

The link to comparison type is used to check the value of the selected field against the value of a field in another action
(belonging to the same rule or the primary action of the other rule). For instance, if the field Device type of Action 1 is
linked to Action 2's Device type value, then Action 1 would get triggered only if the value of both the linked fields are the
same.

When you choose link to, the icon appears at the end of the filter. Clicking on the icon will present a new tab.

Note: At least one field of the starting rule should be linked to a field in the ending rule.

Click the check box corresponding to the field of the second action against which you want to compare the value of the
previous action. Click OK to complete linking the two actions.

Is constant

The is constant option is used to treat the specific field as constant. By selecting this option, a set of repeated actions are
accepted by the rule only if this field's value remains constant throughout all the iterations. For instance, if the Target User
field is kept as constant, then the action gets triggered only when the value of this field remains constant in all the
iterations. The action doesn't get triggered if the event is generated with different values.

Activity Monitoring Reports


EventLog Analyzer's Activity Monitoring Reports provide information on Windows, Unix and VPN Sessions. The reports
provide details such as Device name, Username, Start Time, End Time, Status, and Duration.

EventLog Analyzer provides the following reports for activity monitoring:

Interactive Sessions, Remote Interactive Sessions, and PMP Sessions for Windows machines.
Unix Session Reports to provide you all details about all the Unix sessions.
VPN Session reports such as Cisco VPN Sessions, Fortinet VPN Sessions, Sonicwall VPN Sessions, Huawei VPN
Sessions, H3C VPN Sessions, Meraki VPN Sessions, PaloAlto VPN sessions, and WatchGuard VPN sessions for the
respective VPN devices.
Custom reports are also displayed under the activity monitoring section, if any.

The calendar widget allows you to select the time period for which you want to review the session activity for the selected
devices/users. You can also schedule an activity monitoring report. The activity monitoring report can be exported in the
PDF and CSV formats, by clicking Export as.

To know more details of a particular session, you can click on View History. This tab displays all the details as given below:

This page contains the Configure Fields and Advanced View tabs. The Configure Fields tab allows you to view similar logs
generated in a session by extracting logs that have the same field value (Domain, Device Name, Logon ID, and Username).
You can choose the field by which you want to retrieve logs by clicking on the desired options from the drop-down box. By
clicking on the Advanced View tab, you can drill down and view the raw logs of that session.

Viewing Activity Monitoring Reports

EventLog Analyzer allows you to view the Activity Monitoring Reports for Windows, Unix, and VPN Sessions based on
users and devices in the form of User-Based View and Device-Based View, in addition to the default view.

In the User-based view, you can analyze the weekly login and logout activities of a particular user. You can hover your
mouse pointer over a generated user-based report in the table to find the Weekly Login View tab. Clicking on this tab
displays a timeline graph for every day of the week in which you can view a particular user's active session duration, login
time, and logout time for any given day. This view also provides the number of hours the user was active per day and for
the entire week. The Weekly Login View report is available only for all system-generated reports.

Creating custom correlation rules with the Correlation Rule Builder
EventLog Analyzer comes equipped with a custom correlation rule builder, which allows you to form custom rules easily by
combining various network actions, and specifying the threshold limits and filter criteria as per expected attack patterns in
your organization. This enables you to create a highly flexible and powerful rule set that suits your specific organizational
environment.

To open the correlation rule builder, click on the Correlation tab of the product. Click on Manage Rules on the top right of
the tab and select +Create Correlation Rule on the top right. Creating a custom rule involves the steps described below.

To know more about what correlation is, how correlation rules are structured, and more, see Understanding correlation.

Building a new rule


To build a new rule, follow the below steps:

1. Select the individual actions that make up the rule, from the categorized list of actions on the left of the screen.
You can also search for actions using the search bar on top of the list. You can drag and drop the actions to
rearrange their order, or delete an action by clicking on the delete icon on its right. To detect repetition of the
same action within a particular time interval, tick the Threshold limit check box and enter the number of
occurrences and time interval.

2. For each action, specify the time interval within which it is to be followed by the next action, under the 'Followed by
within' label. You can specify the time interval in seconds or minutes by using the provided dropdown.

3. To configure advanced options for any of the selected actions, click Filters on the top right corner of the action.

Advanced options

Each action in a correlation rule corresponds to a log. Logs contain various fields, and each field has a specific value. With
advanced options (found under Filters on the right of the action), you can provide filter criteria for each field of the
log/action, specify a threshold limit on the minimum number of repetitions of the action, and also bunch the filter criteria
into groups, which can be used to create rules for complex scenarios.

1. You can select a filter field from the dropdown list provided. It is to be noted that the filters provided in the dropdown
may vary based on the action selected.

2. From the dropdown list provided, you can select the comparison type as one among the following: equals, contains,
starts with, ends with, less than, greater than, between, is malicious, not equals, not contains, not starts with, not
ends with, not between, link to, is constant, or is variable.

Note: When you provide more than one value for an equals comparison, the set of values provided are treated as a list
of possible values and the action is accepted if any one value from the list is true. The same holds true for the
contains, starts with, ends with, less than, greater than, and between comparisons.

When you provide more than one not equals comparison, the set of values provided need to hold true for the action to
be accepted. The same holds true for the not contains, not starts with, not ends with, and not between comparisons.

Less than, greater than, between, and not between conditions are applicable only for IP, port number, and privilege
fields.

Port range is between 0 and 65535.

Privilege range is between 1 and 15.

Link to

The link to comparison type is used to check the value of the selected field against the value of a field in another action
(belonging to the same rule). For instance, if the field Device type of Action 1 is linked to Action 2's Device type value,
then Action 1 would get triggered only if the value of both the linked fields are the same.

When you choose link to, the icon appears at the end of the filter. Clicking on the icon will present a new tab.

Click the check box corresponding to the field of the second action against which you want to compare the value of the
previous action. Click OK to complete linking the two actions.

Note: Using the link to condition, you cannot link a field to another one having the is variable condition.

Is constant

The is constant condition is used to treat the specific field as a constant. When you select this condition, the action will
get triggered only when the field's value remains the same in all the iterations. For instance, if the is constant condition is
applied for the 'Target User' field in an action, the action would get triggered when the value of this field is the same in
all iterations. The action doesn't get triggered if events get generated with different values for that field.

Is variable

The 'is variable' condition is used to treat a field as a variable. When you select this condition, this action will get
triggered when the field's value keeps changing each time it is checked. For instance, if the is variable condition is
applied for the 'Target User' field in an action, the action would get triggered when the value of the field is different in
each iteration.

Note: A field having the is variable condition cannot be linked to another one using the link to condition.

Is malicious

The 'is malicious' condition is available only for IP address fields. It can be used to check if the detected IP address is
present in the predefined list of malicious IP addresses that the product has stored in the internal database.

3. Specify the value to be compared against the selected field directly in the corresponding textbox.

1. To add another filter to the same log/action, click the icon on the right side of the value textbox. The new filter gets
added on the next line.

You can choose if the two filters are to be logically ANDed or ORed with the previous one, by selecting AND or OR from
the dropdown list present on the left side of the second filter.

You can delete a filter by clicking on the icon on its right.

2. Filters can be collected together by creating groups. This would help to create correlation rules for complex scenarios.

To create a new group, click +Add group on the bottom right corner of a log/action.

Select the criteria for the filter in the new group. You can also add more filters to the new group.

You can delete a group by clicking the Remove group icon on the top right of the group.

3. You can choose if two groups are to be logically ANDed or ORed, by selecting AND or OR from the dropdown list
present between the two groups.

Threshold limit filter

A threshold limit filter for an action allows you to specify the minimum number of times the action has to occur (within the
time window specified for the action to follow from the previous action), for the rule to be triggered. To set a threshold
limit, click on the Filters link on the right of the action, and select the Threshold Limit checkbox. In the text box provided,
specify the minimum number of occurrences.

Note: If the action is the first action in the rule, then you should also provide a time window within which the
repetitions have to be observed (as it is the first action and there is no preceding action or time window).
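The following is an added example, not code from EventLog Analyzer, that works through the filter semantics described above (equals and not equals with several values, the threshold limit with its time window, is constant, is variable, and link to) over a small constructed event list. The event field names, the rule (repeated logon failures for one account from changing source IPs, followed by a success for that account) and the time windows are assumptions made for the illustration; the product's own matching engine is not shown here.

```python
"""Added example (not EventLog Analyzer code): evaluates the per-action filter
semantics (equals / not equals with several values, threshold limit, is constant,
is variable, link to) over constructed sample events."""
from datetime import datetime, timedelta
from itertools import groupby

# Constructed sample events (not real log data). Field names are assumptions.
EVENTS = [
    {"time": "2024-01-10 09:00:01", "action": "Logon failure", "Target User": "alice", "Source IP": "10.0.0.5"},
    {"time": "2024-01-10 09:00:05", "action": "Logon failure", "Target User": "bob",   "Source IP": "10.0.0.5"},
    {"time": "2024-01-10 09:00:12", "action": "Logon failure", "Target User": "alice", "Source IP": "10.0.0.6"},
    {"time": "2024-01-10 09:00:20", "action": "Logon failure", "Target User": "alice", "Source IP": "10.0.0.7"},
    {"time": "2024-01-10 09:00:40", "action": "Logon success", "Target User": "carol", "Source IP": "10.0.0.9"},
    {"time": "2024-01-10 09:00:55", "action": "Logon success", "Target User": "alice", "Source IP": "10.0.0.7"},
]


def _t(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def matches_equals(value, allowed):
    """'equals' with several values: the action is accepted if ANY listed value matches."""
    return value in allowed


def matches_not_equals(value, disallowed):
    """'not equals' with several values: accepted only if the value differs from ALL of them."""
    return all(value != d for d in disallowed)


def threshold_hits(events, action, threshold, window_seconds, constant=(), variable=()):
    """Return groups of at least `threshold` occurrences of `action` within `window_seconds`
    where every field in `constant` keeps a single value ("is constant") and every field in
    `variable` takes a different value on each occurrence ("is variable")."""
    window = timedelta(seconds=window_seconds)
    matching = [e for e in events if e["action"] == action]

    def key(e):  # one bucket per combination of the constant fields
        return tuple(e[f] for f in constant)

    hits = []
    for _, bucket in groupby(sorted(matching, key=key), key=key):
        bucket = sorted(bucket, key=_t)
        for i in range(len(bucket) - threshold + 1):
            batch = bucket[i:i + threshold]
            if _t(batch[-1]) - _t(batch[0]) > window:
                continue  # the repetitions are spread over more than the window
            if all(len({e[f] for e in batch}) == len(batch) for f in variable):
                hits.append(batch)
    return hits


def linked_follow_up(events, hit, action, link_field, within_seconds):
    """'link to': action 2's `link_field` must equal the value seen in action 1's batch,
    and action 2 must occur within `within_seconds` after the batch's last event."""
    last, wanted = _t(hit[-1]), hit[-1][link_field]
    limit = timedelta(seconds=within_seconds)
    return [e for e in events
            if e["action"] == action and e[link_field] == wanted
            and timedelta(0) < _t(e) - last <= limit]


def evaluate_rule(events):
    """Assumed rule: at least 3 'Logon failure' events within 60 s for one Target User
    (is constant) from changing Source IPs (is variable), followed within 120 s by a
    'Logon success' whose Target User is linked to the failures.
    Returns (user, repetitions, time of the linked success) per match."""
    results = []
    for hit in threshold_hits(events, "Logon failure", 3, 60,
                              constant=("Target User",), variable=("Source IP",)):
        follow = linked_follow_up(events, hit, "Logon success", "Target User", 120)
        if follow:
            results.append((hit[0]["Target User"], len(hit), follow[0]["time"]))
    return results


if __name__ == "__main__":
    print(evaluate_rule(EVENTS))
```

Only the three failures for alice satisfy the batch: they fall inside the 60-second window, the Target User is constant, the Source IP changes every time, and a success for the same linked user follows 35 seconds later. The single failure for bob never reaches the threshold, and lowering the window to 10 seconds makes the alice batch fail as well.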

Specifying rule configurations

Along with the rule definition, you can also provide some descriptive information to finish configuring the rule:

Rule name: A unique name for the rule.

Rule description: A short explanation describing the attack pattern that the rule checks for.

Click Save to save these rule configurations.

Once you have built the rule pattern and specified the configurations, click Create so that the rule gets saved and EventLog
Analyzer can start correlating logs to check for this rule pattern.

You can now choose what report will be displayed by clicking on the check box. The selected report will be displayed or
hidden from the Correlation Custom Rules Screen.

Create Custom Action

To create a Custom Action, click on Manage Custom Actions.


The manage custom actions popup will open. In the top right corner, click on the "create new action" button.

The Create Custom Action popup will open.


Enter a name for the action and, if required, a description.
Choose from the drop-downs provided to set the criteria for the action.
Click on Create.

Manage Correlation Rules
You can manage all your correlation rules from the Manage Rules page, which you can access by clicking the Manage Rules
button on the top right of the Correlation tab. The Manage Rules page provides you with a tabular list of all correlation
rules:

You can use the search bar at the top of the table to search for a specific rule. You can use the dropdown on the top
right of the table to select the number of rules to be displayed per page.

Rule actions
You can perform several management actions on the rules by clicking on the respective icons, as described below:

Enable/disable rule: The icon shown against a rule indicates whether it is currently enabled or disabled. You can toggle
between enabling and disabling the rule by clicking on it. When a rule is disabled, EventLog Analyzer does not check for
the pattern and does not report on the rule.
Update rule: You can modify the rule definition and configurations by selecting this icon, which takes you to the
correlation rule builder page. You can modify all details except for the rule name.

Delete rule: You can delete any of the custom rules created by clicking on this icon. Predefined rules cannot be deleted.
Enable/disable notification: You can enable or disable notifications/alerts for the correlation rules by using this option.
You can view and manage correlation alerts under the Alerts tab of the product:
View correlation alerts, assign owners and track their status under Correlation Alert Profiles.
You can update notification settings for each correlation alert profile on the Manage Alert Profile page.

You can also enable or disable a group of rules by selecting the rules and clicking on the enable or disable icon on the top of
the table. You can enable or disable all rules by using the More Options dropdown.

Chapter 12 Compliance Reports

Compliance Reports
Organizations must maintain audit reports to demonstrate compliance. EventLog Analyzer provides predefined audit
reports for IT regulations such as FISMA, PDPA, CCPA, PCI DSS, SOX, HIPAA, GLBA, GPG13, Cyber Essentials, ISO
27001:2013, ISLP, NRC RG 5.71, GDPR, FERPA, NERC, CoCo, and NIST. The predefined audit reports are automatically
generated and can only be disabled, not deleted.

Configuring custom compliance reports


EventLog Analyzer allows you to create custom compliance reports for IT regulations that aren't supported out-of-the-box
or to meet internal organizational policies.
1. Navigate to the Compliance tab of EventLog Analyzer and click on Manage Compliance in the left pane.

2. Click on the +Create New Compliance button.

3. In the Add Compliance page, enter a name for the compliance mandate in the Compliance Name field.

4. Click on the Description link to enter a brief description about the compliance mandate.

5. In the Source Selection box, click on the required device tab.

6. Select the devices for which you want to generate reports by clicking on the + icon present in the Select Devices field.

7. Select the reports to be generated for this compliance mandate from the list of reports displayed.

8. Click Save.

Editing and deleting compliance regulations
You can edit and delete compliance regulations by navigating to the Compliance tab > Manage Compliance page and
clicking on the edit and delete icons present against the compliance mandates. You can use the Show/Hide toggle button to
show or hide the compliance regulations in the left pane of the Compliance tab.

Scheduling compliance reports


You can schedule and send compliance reports to your mail IDs by following the below steps:
1. Navigate to the Compliance tab > Schedule Compliance > +Create New Scheduler page.

2. Enter a name for the scheduler in the Scheduler Name field.

3. Select the compliance for which you want to schedule reports from the drop-down menu.

4. In the Schedule Frequency field, select the frequency and the date and time at which the reports have to be scheduled.

5. You can generate the report for a specific time frame by selecting an option from the Report For drop-down menu.

6. Select the format of the report from the Report Format drop-down menu.

7. Select the type of report you want to generate: Only Summary or Summary and Details.

8. Enter the mail IDs to which the report has to be sent in the Email ID field. Use a comma (,) to separate multiple mail
IDs.

9. Enter a subject line for the mail in the Subject field.

10. Click Save.

Editing and deleting compliance schedulers
You can edit and delete compliance schedulers by navigating to the Compliance tab > Schedule Compliance page and
clicking on the edit and delete icons present against the compliance mandates. You can also enable/disable schedulers by
clicking on the icon present under the Actions tab.

Chapter 13 Search Logs

Log Search in EventLog Analyzer


EventLog Analyzer provides a robust search engine to help you retrieve log data during investigations. You can search raw
logs collected by the server and detect events of interest such as misconfigurations, viruses, unauthorized access, unusual
logons, application errors, and more.

EventLog Analyzer provides basic and advanced search functionalities. The supported query types are wild-card, phrase,
boolean, and grouped searches.

How to search: Basic and Advanced


1. Go to the Search tab.

2. Click Pick device and select the devices across which you want to search. Click Add. If nothing is specified in this field,
log search will be carried out across all available devices.

3. Select the log type from the drop-down box. By default the selection is All Log Types, and the search is carried out
across all log types.

4. Select the period as required.

5. The Search Help Card is a built-in guide that lists the types of search queries you can perform in the search box. You
can also watch the how-to-search tutorials.

6. Use Basic search to enter your own search string/search criteria.

Type the field value into the Search box.

Type the field name and value into the Search box.

7. To build complex search expressions with the interactive search builder, click Advanced.

Specify field values for your search criteria.

Click '+' to add a field and the remove icon next to a field to delete it.

Select logical operator 'AND' and 'OR' between the fields.

Click Add group to construct a new set of field values.

Click Add.

8. Click Search to see the results and result graph.

Note: The result graph is displayed for a period of two weeks only.

Types of basic search queries
Using boolean operators:

You can use the following boolean operators: AND, OR, NOT.

Syntax: <field name>=<field value> <boolean> <field name>=<field value>.

Example: HOSTNAME = 192.168.117.59 AND USERNAME = guest

Comparison operators:

You can use the following comparison operators: =, !=, >, <, >=, <=.

Syntax: <field name> <comparison operator> <field value>.

Example: HOSTNAME = 192.168.117.59

Wild-card characters:

You can use the following wild-card characters: ? for a single character, * for multiple characters.

Syntax: <field name> = <partial field value> <wild-card character>

Example: HOSTNAME = 192.*

Phrases:

Use double quotes ("") to specify a phrase as the field value.

Syntax: <field name> = "<partial field value>"

Example: MESSAGE = "session"

Using grouped fields:

Use round brackets () to enclose groups of search criteria and relate them to other groups or search criteria using boolean
operators.

Syntax: (<search criteria group>) <boolean operator> <search criterion>

Example: (SEVERITY = debug OR FACILITY = user) and HOSTNAME = 192.168.117.59
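The query grammar listed above (boolean operators, comparison operators, wild-cards, quoted phrases and round-bracket groups) can be made concrete with a small evaluator. The code below is an added example and is not EventLog Analyzer's search engine; it parses the guide's own example queries and runs them against three constructed log records. Two details are assumptions, since the guide does not state them: a quoted phrase is matched as a substring of the field, and field values and operators are compared case-insensitively (the guide's own grouped example writes the operator as lowercase "and").

```python
"""Added example (not EventLog Analyzer code): a recursive-descent evaluator for the
search query syntax described in the guide, run over constructed sample records."""
import re

# Constructed sample log records (not real data).
LOGS = [
    {"HOSTNAME": "192.168.117.59", "USERNAME": "guest", "SEVERITY": "debug", "FACILITY": "auth",
     "MESSAGE": "session opened for user guest", "PORT": 22},
    {"HOSTNAME": "192.168.117.60", "USERNAME": "root", "SEVERITY": "info", "FACILITY": "user",
     "MESSAGE": "session closed for user root", "PORT": 22},
    {"HOSTNAME": "10.0.0.8", "USERNAME": "guest", "SEVERITY": "warn", "FACILITY": "auth",
     "MESSAGE": "authentication failure", "PORT": 3389},
]

OPERATORS = ("=", "!=", ">", "<", ">=", "<=")
# Token classes: "(", ")", quoted phrase, comparison operator, bare word (may hold * and ?).
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|("[^"]*")|(>=|<=|!=|=|>|<)|([^\s()=!<>"]+))')


def tokenize(query):
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            if query[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ValueError(f"bad token at {pos}: {query[pos:]!r}")
        pos = m.end()
        tokens.append(m.group(m.lastindex))
    return tokens


class Parser:
    """Grammar: or_expr := and_expr (OR and_expr)*; and_expr := unary (AND unary)*;
    unary := NOT unary | '(' or_expr ')' | FIELD OPERATOR VALUE."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        left = self.and_expr()
        while (self.peek() or "").upper() == "OR":
            self.take()
            left = ("OR", left, self.and_expr())
        return left

    def and_expr(self):
        left = self.unary()
        while (self.peek() or "").upper() == "AND":
            self.take()
            left = ("AND", left, self.unary())
        return left

    def unary(self):
        if (self.peek() or "").upper() == "NOT":
            self.take()
            return ("NOT", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = self.take(), self.take(), self.take()
        if field is None or op not in OPERATORS or value is None:
            raise ValueError("expected <field name> <comparison operator> <field value>")
        return ("CMP", field, op, value)


def _match_value(actual, pattern):
    """'=' semantics (assumed): quoted phrase -> substring; * or ? -> wild-card; else exact."""
    a = str(actual).lower()
    if pattern.startswith('"'):
        return pattern[1:-1].lower() in a
    if any(c in pattern for c in "*?"):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
        return re.fullmatch(regex, a, re.IGNORECASE) is not None
    return a == pattern.lower()


def _compare(actual, op, value):
    if op == "=":
        return _match_value(actual, value)
    if op == "!=":
        return not _match_value(actual, value)
    try:  # numeric ordering where both sides are numbers, string ordering otherwise
        left, right = float(actual), float(value.strip('"'))
    except (TypeError, ValueError):
        left, right = str(actual), value.strip('"')
    return {"<": left < right, ">": left > right, "<=": left <= right, ">=": left >= right}[op]


def evaluate(node, record):
    kind = node[0]
    if kind == "CMP":
        _, field, op, value = node
        return field in record and _compare(record[field], op, value)
    if kind == "NOT":
        return not evaluate(node[1], record)
    left, right = evaluate(node[1], record), evaluate(node[2], record)
    return (left and right) if kind == "AND" else (left or right)


def search(query, logs=LOGS):
    """Parse `query` once and return the records it matches."""
    tree = Parser(tokenize(query)).parse()
    return [r for r in logs if evaluate(tree, r)]
```

With the records above, the guide's boolean example returns only the guest logon from 192.168.117.59, `HOSTNAME = 192.*` returns both 192.168.117.x records, and the grouped example returns the debug-severity record alone because the round brackets bind the OR before the outer AND.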

Saving search and exporting search results
EventLog Analyzer drills down to the raw logs when retrieving results for your search query. The results can be saved, or
used to create report and alert profiles.

How to save search?


1. Go to the Search tab and enter the search criteria as required (see how to search).

2. Click Search for the results.

3. You can save the search criteria as a search, a report, or an alert.

4. To save as search, click Save Search. Enter a name without space. Click Save.

5. To save as report, click Save as Report. Enter Report name and click Add (see create reports).

6. To save as an alert, click Save as Alert. In the window that opens, click Save (see Create alert profile).

How to export search?

1. Go to Search and enter the search criteria.

2. Click Search.

3. Click Export as on the top-right corner. Select the format.

4. View the report export history by clicking on the icon, which can then be downloaded if required.

Custom Log Parser
Network administrators are always in need of more information and insights from their log data. There are times when an IT
administrator would identify some log information which is useful and would like to have it indexed automatically as a new
field. Having more fields being indexed makes your log data more useful while conducting log forensics analysis and creating
network security reports.

EventLog Analyzer allows administrators to create custom (new) fields or extract fields from raw logs by using the
interactive Field Extraction UI to create regular expression (RegEx) patterns. These patterns help EventLog Analyzer
identify, parse, and index the custom fields from new logs it receives from network systems and applications.

How to extract additional fields using EventLog Analyzer?

Navigate to the Search tab and search for the logs from which fields need to be extracted. Click Create Additional
Fields to view and extract fields.

Note: Alternatively, you can also extract additional fields while importing the log file.

You can view the extracted field details in the Event Information window. If the required value is not parsed, you
can extract further fields by clicking the Extract Additional Fields.

Specifying custom field values


There are two methods by which custom fields can be specified:

Regex method
Delimiter method

Regex method
Provide a rule name.
Select and click the word(s) in the message, to be extracted as a field.
You can use the Auto Identify option to identify the fields automatically.

Provide a name for this field. Optionally, specify the prefix and suffix to the field value.
Click on Create Pattern to generate a parser rule pattern.

Adding prefix and suffix

You can also include the prefix and/or suffix of a field value to improve precision. To include a prefix and/or suffix,
click on the icon in the right corner of the Fields table and select the required option. Click Apply.
For instance, consider the message: Successful Network Logon: User Name: sylvian Domain: ADVENTNET Logon
ID: (0x0,0x6D51131) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name:
SYLVIAN Logon GUID: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited
Services: - Source Network Address: 192.168.113.97 Source Port: 0 22873
The prefix Logon Type can be a static value, as most of the logs will have the exact words Logon Type, whereas
Source Network Address can be dynamic, as the logs may have different word(s) such as Source IP Address or Source
Address, but with the same pattern.
If the prefix and suffix are defined with an exact match, the field extraction will be precise.

Note: An open attribute will not have a prefix or suffix.

Validating the pattern


A parser rule pattern is created using the field definition. You can edit the generated pattern manually, if you are familiar
with regular expressions.

The Validate link is used to test the generated pattern against the previous search results. You can manually check the
suitability of the pattern by analyzing the 'Matched Log Messages' and 'Unmatched Log Messages' displayed.

Click on Choose another pattern to choose a pattern from the list of patterns generated by the application.
You can define any existing field matching criteria to apply the pattern for this specific log type.
Save the pattern to extract the field(s) from the upcoming logs.

Delimiter method
Provide a rule name.
You can use the Delimiter to extract fields using delimiters such as Space, Comma, Tab, or Pipe.

To save the created rule, click Save rule.
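To show what the Regex method's prefix/suffix anchoring and the Delimiter method do to an actual line, here is an added example written for this guide; it is not EventLog Analyzer's parser. It reuses the Successful Network Logon message quoted above as constructed input, builds one parser rule with a static prefix (Logon Type), one with a dynamic prefix (Source Network Address / Source IP Address / Source Address), and one with a suffix (User Name, ended by Domain:), sorts messages into matched and unmatched sets the way the Validate step does, and splits a constructed pipe-delimited line. The field names and the pipe-delimited sample line are assumptions.

```python
"""Added example (not EventLog Analyzer code): custom field extraction with prefix/suffix
anchored regular expressions (Regex method) and positional splitting (Delimiter method)."""
import re

# Sample message quoted in the guide, used here as constructed input.
MESSAGE = (
    "Successful Network Logon: User Name: sylvian Domain: ADVENTNET Logon ID: (0x0,0x6D51131) "
    "Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: SYLVIAN "
    "Logon GUID: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - "
    "Transited Services: - Source Network Address: 192.168.113.97 Source Port: 0 22873"
)


def build_pattern(field, prefixes, value_regex, suffix=None):
    """Compile a parser rule: the value is anchored by a prefix (one string for a static
    prefix, several alternatives for a dynamic one) and optionally by a literal suffix."""
    prefix_alt = "|".join(re.escape(p) for p in prefixes)
    pattern = rf"(?:{prefix_alt}):\s*(?P<{field}>{value_regex})"
    if suffix:
        pattern += rf"\s*{re.escape(suffix)}"
    return re.compile(pattern)


# Assumed field names; value patterns are deliberately narrow so a prefix alone cannot
# drag in the next field's text.
FIELD_RULES = [
    build_pattern("logon_type", ["Logon Type"], r"\d+"),                       # static prefix
    build_pattern("source_ip", ["Source Network Address", "Source IP Address",
                                "Source Address"], r"\d{1,3}(?:\.\d{1,3}){3}"),  # dynamic prefix
    build_pattern("user_name", ["User Name"], r"\S+", suffix="Domain:"),        # prefix + suffix
]


def extract_regex(message, rules=FIELD_RULES):
    """Regex method: apply every rule to the message and collect the named fields it finds."""
    fields = {}
    for rule in rules:
        m = rule.search(message)
        if m:
            fields.update(m.groupdict())
    return fields


def validate(rules, messages):
    """Mirror the Validate step: a message is 'matched' only if every rule finds its field."""
    matched = [msg for msg in messages if all(r.search(msg) for r in rules)]
    unmatched = [msg for msg in messages if msg not in matched]
    return matched, unmatched


DELIMITERS = {"Space": None, "Comma": ",", "Tab": "\t", "Pipe": "|"}


def extract_delimited(line, delimiter, names):
    """Delimiter method: split the line on the chosen delimiter and name the columns
    positionally (str.split() with no separator collapses runs of whitespace)."""
    sep = DELIMITERS[delimiter]
    parts = line.split() if sep is None else line.split(sep)
    return dict(zip(names, (p.strip() for p in parts)))


if __name__ == "__main__":
    print(extract_regex(MESSAGE))
    print(extract_delimited("2024-01-10 09:00:01|fw01|DENY|10.0.0.5|443", "Pipe",
                            ["time", "device", "action", "src", "port"]))
```

Note how the suffix matters for User Name: without `Domain:` the `\S+` value would still stop at the first space, but for fields whose values can contain spaces the suffix is what keeps the match from running into the next field. The dynamic prefix rule matches a message that spells the field `Source IP Address` just as well as the sample's `Source Network Address`.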

Tagging tool
EventLog Analyzer's tagging tool bookmarks your logs and complex search queries using hashtags, helping you view searches
across different sources. You can also add troubleshooting tips or notes along with your tag.

How to create a tag?


To create a tag, go to Search tab and follow the below steps:
1. Specify all the search criteria which you wish to associate with your new tag and click Search.

2. Click on the tag icon on the right side of any log entry in the displayed search result.

3. Fill the required details in the Add Tag pop-up:

Provide the name of the tag.

Select the tag criteria from the predefined list. The list is based on the fields available in the search result. If it
does not have the field you are looking for, then add those fields to the search results using the column selector at
the top-right corner of the search results.

Provide troubleshooting tips/notes for the tag, if any.

Specify the user name. By default, the current user name (logged on to the EventLog Analyzer web client) is
displayed.

4. Click Apply to save the tag.

How to edit a tag

1. Navigate to Settings > Admin settings > Tags.

2. Click the edit icon next to the tag.

3. Modify the tag criteria.

Note: You can also edit tags on the search results page by clicking the edit icon below the tag name.

How to perform log search using a tag


You can search for tags by their name, prefixed with #, in the search query text box.

Note: Typing # provides you with a list of all created tags for ease of selection.

How to delete a tag

1. Navigate to Settings > Admin settings > Tags.

2. Click on the delete icon beside the tag name in the tag table. Click Yes in the pop-up.

The tag name and the notes added to the tag should contain only alphanumeric characters.
Tag criteria can be edited only by the user who created the tag and EventLog Analyzer users with
Administrative privilege.
Any user of EventLog Analyzer can add a note to a tag, irrespective of the creator of the tag.

Chapter 14 Alerts

Event Alerts
EventLog Analyzer keeps you informed about security events of interest with its alerting feature. The solution audits logs,
identifies indicators of compromise (IoCs), and notifies you via SMS or email as required.

The alerts are categorized on three severity levels: Attention, Trouble, and Critical. The severity level indicates the degree of
importance associated with the alert. This helps you prioritize alerts and remediate them quickly.

EventLog Analyzer offers a powerful real-time event response system with which you can generate:

Security event alerts, including those for imported logs
Compliance-specific event alerts
File integrity monitoring alerts for critical changes occurring in sensitive files/folders

Predefined and custom alert profiles


EventLog Analyzer provides 1000+ predefined alerting criteria that address a wide range of security use cases. You can also
customize alert profiles based on your needs. With additional parameters such as the threshold and time range, you can
specify the precise criteria for the alert to be triggered. This helps you be informed about any critical event that might affect
your organization's security.

Remediation through alerts
You can also manage a security incident within the EventLog Analyzer console or by raising tickets in an external ticketing
tool like ServiceDesk Plus, ServiceNow, Jira Service Desk, Zendesk, Kayako, and BMC Remedy Service Desk. This ensures
accountability and helps build an effective event response system.

You can also designate a workflow for a triggered alert to automatically initiate responses such as disabling the affected
Active Directory user account, shutting down a system, and killing a process.

The list of all alerts triggered can be viewed under the Alerts tab.

How to create an alert profile
EventLog Analyzer provides predefined alert profiles and the ability to define customized criteria for specific requirements.

Creating Alert Profiles


To create an alert profile, click on +Add in the top right corner of the navigation bar. You can also add an alert profile by
clicking on the "Add Profile" button in the Manage Profile page.

Here's what you can do to create an alert profile:

1. Enter a unique name for the alert profile.

2. Assign a criticality to the alerts generated using this profile. Choose from Critical, Trouble and Attention.

3. Click on the icon to select device(s) and/or device groups(s) which should generate this alert.

4. Click on the icon to define the alert criteria.

5. The Alert criteria can be chosen from the following categories:

Predefined Alerts - choose from a vast collection of predefined alert criteria. This saves time and you can set up an
alert profile with minimum effort.

Compliance Alerts - contains a list of pre-defined alert criteria to help you comply with all the IT regulations.

Custom Alerts - customize your own alert conditions based on log message, type, and more. This option is useful to
set alerts for imported logs.

6. You can customize your alert message by adding information such as User Account Name and more.

7. Clicking on +Add near the Alert Format Message section will open another pop-up. There you can set the variables by
clicking on the drop down and enter the required message format in the space provided.

8. Click the Save Profile button once you have set all the necessary fields.

Predefined Alerts
Select Predefined Alert under Define Criteria:

Select the log type and then choose the desired category.
Among the reports, select the desired report by clicking on the radio button next to it.
Append new criteria to predefined alert by clicking + Add Criteria.
You can use the Advanced settings to tweak the alert trigger conditions in order to reduce alert noise. Here you
can set the threshold (number of occurrences of an event within a specific time frame) and time range (working
hours) for the alert profile.

You can then specify the notification type for the alert profile.

Compliance Alerts
Compliance alerts contain sets of pre-defined compliance-related alerting criteria to notify you of any violation of IT
regulations. EventLog Analyzer provides granular audit reports to help you comply with compliance regulations such as PCI
DSS, SOX, HIPAA, GLBA, PDPA, NIST, CCPA, GDPR, ISO 27001:2013, and more. The compliance alerts detect anomalies
such as policy changes, privilege escalations, sensitive file access and modification events, and unauthorized logons to help
you mitigate internal and external threats.

You can then specify the notification type for the alert profile created.

Custom Alerts

You can define any number of criteria and group them with AND/OR operations.
To define alert criteria, choose desired attributes from the predefined list.
Specify the values for the attributes. Select the comparator and then provide the value for the attributes.
With drag and drop, you can group and ungroup the alert criteria.

Generating Alerts for Imported Logs


With EventLog Analyzer's Advanced Custom Alert option, you can generate alerts for custom extracted fields for Oracle,
Microsoft SQL, print Servers, IIS, and other imported application logs.

To generate an alert for a specific custom extracted field of an imported log, choose the log type and select the imported
log for which you need to trigger alerts. Specify the custom field and the value whose occurrence should trigger the alert.
EventLog Analyzer automatically populates all the custom extracted fields for the selected log type; choose the field of your
choice from the list and then specify the value for the selected custom field.

Note: To add multiple custom extracted fields, use the + option.

You can then specify the notification type for the alert profile created.

Default Alert Profiles


EventLog Analyzer has prebuilt alert profiles that are enabled by default. To make it easier for users, newly added devices
will also get added automatically to the corresponding alert profile(s) based on the device types selected in the alert profile.
For example, firewalls will be automatically added to alert profiles based on network devices.

You can edit, enable, disable, and delete the default alert profiles.

Note: When you edit a default custom alert profile, auto-addition will be stopped. For example, if you manually add
devices to an alert profile, devices will not be automatically added to that alert profile from then on.

Active Alerts
The Alerts tab lists details of all alerts triggered (if you have not set up any alert profiles, the tab directs you to do so). You
can view the timestamp of the alert, the device which triggered it, the severity, the status of the alert, and the message.

Filtering Alert Profiles

By clicking on the filter icon in the top right corner, you can select the appropriate filter options.

You can select one or more options from the categories provided to customize your view of alerts. For instance, if you want
to view your open, unassigned, and critical alerts, you can simply select the respective criteria by clicking on the check
boxes. All your open, unassigned, and critical alerts will be displayed on the screen.

Additionally, clicking on Critical Alerts, Trouble Alerts, Attention Alerts, and All Alerts will give you the respective alerts.

Creating Alert Views


EventLog Analyzer categorizes the alerts into the views Active alerts, Critical alerts, Trouble alerts, Attention alerts, and
All alerts. You can select the required view from the Select view drop-down menu.

You can also create custom views for alerts by configuring a filter for the alert and clicking Apply. Click the Save As View
link to enter a name for the view and click Save.

The custom views can only be viewed by the respective users who created the views. Hover your mouse pointer over the
created view in the Select View drop-down menu to edit and delete the created views.

Alert Configurations
You can access the following options from the top right corner of the Alerts page:

The Export As drop-down menu allows you to export alert messages in the CSV and PDF formats.
The +Add Alert Profile link allows you to add a new alert profile.

Click the settings icon on the top right corner of the page to view the following options:

Manage Profiles: You can view, enable, disable, edit, and delete alert profiles using this option.
Workflow: This option allows you to assign workflows to alert profiles to execute a logical action in your network
when an adversity is detected.
Ticketing tool Integration: This option allows you to configure an external help desk software (ServiceDesk Plus,
ServiceNow, Jira Service Desk, Zendesk, Kayako, and BMC Remedy Service Desk) to forward the alerts to.

Whitelisting Threats

Click on the check boxes to select the required alerts. Once the alerts are selected, the options Assign, Status, Delete, and
More will appear. You can assign the alert to an administrator, change the status, or delete the alerts by choosing the
appropriate options.

Clicking on More will give you the option to Whitelist the Source. In case an alert is raised by Advanced Threat Analytics
and you are convinced that the source is not malicious, you can whitelist it by choosing the option here.

Information on the alert

Hovering over the alert gives additional information such as what triggered the alert, the domain, the device involved and
more.

Alert Format Message

Clicking on an alert opens a pop-up titled Alert Format Message.

Details such as SL Event ID, Logon Type and more can be obtained by clicking on More Details.

Workflow status

In case a workflow is configured for the alert, the status of the workflow can be viewed in the Alert Format Message pop-
up.

Click the status of the workflow for more information. Once clicked, a pop-up will open.

Threshold alerts

For Threshold based alerts, you can now view each instance by clicking on the alert. There will be a section called
Threshold.

Clicking on the threshold number will give you a pop-up with more details.

Add / Remove Columns


Columns can be added or removed by clicking on the Add / Remove option in the top right corner. You have the option to
choose and rearrange the columns as needed. A minimum of 3 and a maximum of 7 columns can be selected.

Note: The default columns cannot be removed and rearranged. The default columns are Time, Notes, and Alert
Format message.



Clicking on this will give you a pop-up. Choose the required options by clicking on the checkboxes.

Advanced Threat Analytics Alerts

These alerts are raised when malicious domains, URLs, and IPs intrude into your network. Clicking on this alert will give you
a reputation score, the number of times the source has appeared on a threat list, and more.



Alert Notification & Remediation
EventLog Analyzer provides you with two alert notification mechanisms: email and SMS.

Further, you can also remediate the alert condition by creating incident workflows.

Settings to notify alert by Email


Enter the details required for sending alert notification via email.



1. Enable the Email Notification check box under the Notification Settings tab to enable email notifications.

2. Specify the receiver's email address. For multiple recipients, separate the addresses with commas (,).

3. Add a subject line for the email notification. You can also append the alert argument(s) to the subject line. Select the
arguments from the list available under Macros.

4. The default mail content is shown above; you can modify it and also add arguments from the Macros list. Click Save
Profile.

Note: The email content of correlation alerts can be customized to include the rule name, correlated time,
and the action. Furthermore, you can select and add specific fields of the action by choosing them from the
list that appears when the action is clicked. Please refer to the image below.

5. If the mail server is not configured in EventLog Analyzer, you will be prompted to configure it when the Notify by Email
option is selected.

Settings to notify alert by SMS


Enter the details required for sending alert notification using SMS.



1. Enable the SMS Notification check box under the Notification Settings tab to enable SMS notifications.

2. Enter the recipient's number.

3. You can customize the SMS content by clicking Add More Fields next to the SMS Message field.

If SMS settings are not configured in EventLog Analyzer, you will be prompted to set them when the Notify by SMS option is
selected.

Note: Notification using Run Program can now be configured with Incident Management Workflows.

Assigning Workflows to Security Incidents


You can associate incident workflows with the security alerts configured in the product. This way, when a security alert is
triggered, the corresponding workflow automatically starts executing, and you can view its status on the Manage
Workflows page.

To assign a workflow to a new security alert:

Navigate to Alerts > +Add Alert Profile, or

Click on +Add > Alerts

and configure your alert as given above.

To assign a workflow to an existing alert:

Navigate to Alerts > Alert Configurations > Manage Alert Profiles > Select the update



Ticketing Tool Integration
With EventLog Analyzer, you can efficiently manage security incidents by raising tickets and assigning them to
administrators for alerts that are generated. You can easily manage the incident within the EventLog Analyzer console itself
or use an external help desk software for raising tickets. Under Alert Configurations, click on ticketing tool integration to
configure an external help desk - ServiceNow, ManageEngine ServiceDesk Plus, Jira Service Desk, Zendesk, Kayako, or BMC
Remedy Service Desk. Click Assign Rules to automatically assign tickets to admins based on devices/device groups upon the
generation of alerts. In the Alerts page, you can always assign or update a ticket manually by clicking on the Update icon.

Manage Incident Configuration


To configure incident management with ticketing tools, click on ticketing tool integration under Alert Configuration. From
the Incident Tool drop-down list, select the ticketing tool that you want to configure EventLog Analyzer with. Then follow
the steps below for the ticketing tool you use.

For ServiceNow:

1. Enter the ServiceNow subdomain name or IP address.

2. Enter the login name and password of a valid account in the ticketing tool.

3. Enter a short description and a description for the alert. You can select them from a predefined list available under
Macros or type your own descriptions.

4. Click the Test and Save button to establish communication and complete configuration.

For ManageEngine ServiceDesk Plus:



1. Enter the ManageEngine ServiceDesk Plus server name or IP address.

2. Enter the port number.

3. Choose the protocol for communication - HTTP/HTTPS.

4. Select the API type.

For Rest API:

1. Enter the API key in the appropriate column. If you do not have an API key, click on Steps to Generate API Key for
instructions on generating an API key in ServiceDesk Plus.

2. Enter a subject for the alert. You can choose the subject from a predefined list available under Macros or type your
own.

3. Click the Test and Save button.

For Servlet API:

1. Select the mode of authentication - Local or Active Directory.

2. Enter the login name and password of the account.

3. Enter a subject for the alert. You can choose the subject from a predefined list available under Macros or type your
own.

4. Click the Test and Save button to establish communication and complete configuration.

For Jira Service Desk:

To configure EventLog Analyzer with Jira Service Desk, you would first need to get a few details from your Jira ticketing
tool.

1. After logging into your Jira Service Desk account, click the settings icon on the top right corner and select Projects.

2. In the project list, note down the Key corresponding to the project in which you want your tickets to be raised.

3. Navigate to the Issues tab and re-enter your username and password when prompted.

4. Note down the type of issues that the particular project can hold. The issues raised from EventLog Analyzer should have
the same type for a ticket to be successfully raised in Jira Service Desk.

5. Close Jira Service Desk and open EventLog Analyzer to complete the configuration process.



In EventLog Analyzer, navigate to the Alerts tab and click on ticketing tool integration under Alert Configuration. From the
Incident Tool drop-down list, select Jira Service Desk.

1. Enter the Jira Service Desk server name or IP address.

2. Enter the port number.

3. Choose the protocol for communication - HTTP/HTTPS.

4. Enter the login name and password of the account having admin privileges.

5. Enter the project ID. This is the Key of the particular project noted from the ticketing tool.

6. Enter the type of issue. This needs to be the same as the issue type that the project has been configured to hold.

7. Enter a summary for the alert. You can select it from a predefined list available under Macros or type your own
summary.

8. Click the Test and Save button to establish communication and complete configuration.

For Zendesk:
To configure EventLog Analyzer with Zendesk, you would first need to get a few details from your Zendesk ticketing tool.

1. After logging into your Zendesk account, click the settings icon on the leftmost pane.

2. In the left tab of the page, click API under Channels.

3. In the right pane, move to OAuth Clients and click the + icon to create a new OAuth Client.

4. Enter the client name, description, and name of the company. Select a logo.

5. The value that appears corresponding to Unique Identifier needs to be saved in a separate document. This would be
needed while configuring Zendesk in EventLog Analyzer.

6. Once you click Save, a secret code will appear above the Save button. Click Copy and save it in a separate document.
This would also be needed while configuring Zendesk in EventLog Analyzer.

7. Click Close and open EventLog Analyzer to complete the configuration process.



In EventLog Analyzer, navigate to the Alerts tab and click on ticketing tool integration under Alert Configuration. From the
Incident Tool drop-down list, select Zendesk.

1. Enter the Zendesk subdomain name.

2. Enter the login name and password of a valid account in the ticketing tool.

3. Enter the client ID. This is the value of the Unique Identifier noted from the ticketing tool.

4. Enter the client secret ID. This is the value of the secret code obtained from the ticketing tool.

5. Enter a subject and a message for the alert. You can select them from a predefined list available under Macros or type
your own.

6. Click the Test and Save button to establish communication and complete configuration.

For Kayako:

1. Enter the Kayako subdomain name.

2. Enter the login name and password of a valid user in the ticketing tool.

3. Enter a short description and a description for the alert. You can select the descriptions from a predefined list available
under Macros or type your own descriptions.

4. Click the Test and Save button to establish communication and complete configuration.

For BMC Remedy Service Desk:



1. Enter the BMC Remedy Service Desk server name or IP address.

2. Enter the port number.

3. Choose the protocol for communication - HTTP/HTTPS.

4. Enter the login name and password of the account having admin privileges.

5. Enter a description for the alert. You can choose the description from a predefined list available under Macros or type
your own description.

6. Click the Test and Save button to establish communication and complete the configuration.

After configuring EventLog Analyzer with the ticketing software, you can select the alert profiles for which tickets need to
be raised.

In the ticketing tool integration page, you will have a list of existing alert profiles. Select the ones for which you want a
ticket to be raised. You can search for specific alert profiles using the search box. You can also select all the alert profiles by
ticking the Select All check box. If Select All is checked, all the alert profiles added in the future will be automatically
selected and tickets will be raised for them as well. Once you've completed selecting the alert profiles, click Update.



Manage Profiles
With EventLog Analyzer, you can centrally view and manage the configured alert profiles.

In the Manage Profiles tab, you can enable, disable, export, and import alert profiles. You can also enable or disable
correlation based alert profiles.

Correlation based alert profiles and Profile based alert profiles are shown in two separate tabs, as in the image above.

Import Alert Profiles

Alert profiles can be imported or exported by clicking on the Import option. Once you select an option, you will get the
message below.



Select the file from which you wish to import the alert profiles by clicking on Browse.

In case an imported alert profile is similar to an existing alert profile, you will get the message below. To overwrite an
existing profile with an imported profile, select the required profile and click on Import.

Export alert profiles



To export alert profiles, select the required alert profiles and click on Export.

Note: Default alert profiles cannot be exported.

Filtering alert profiles

To filter alert profiles based on the number of alerts raised, click on the number of alerts under the No. of Alerts column.

To filter alert profiles by category, click on Showing and select the required category.

To configure notifications for the alert:


To configure notifications for the alert, click on configure. You will be directed to the edit alerts page, where you can set
the notification type.

Delete Alert profiles



To delete an alert profile, select an alert profile and click on the delete option. A pop-up like the one shown below will
appear. Click on yes to proceed.



Chapter 15 Incident Management

Incident management
EventLog Analyzer helps you streamline the process of managing and investigating security incidents. You can track the
status of security incidents by navigating to the Alerts tab > Incident.

Viewing and editing incidents


In the Incident page, you can view the list of all incidents in your network along with crucial information such as the
assignee, status, and severity. You can click on any incident to view and edit the incident's name, description, assignee,
status, and severity. The Evidence and Notes tabs display the list of evidence and notes attached to an incident. The Activity
Logs page records and displays the events pertaining to the creation, modification, and deletion of incidents.

The incident page displays details such as the age of the incident, who created it, and when it was created. The Actors
widget contains the list of users, entities, services, and processes responsible for the incident to help the assignee quickly
investigate the incident and take remedial action.

Steps to create an incident


You can create an incident in EventLog Analyzer by navigating to the Alerts tab > Incident > +Add Incident.

In the Incident page, enter a name and description for your incident in the respective fields.
Select the assignee, severity, and status of your incident from the respective drop-down menus.
Click on Create.

You can view the incident creation event being logged in the Activity Logs pane.



Additionally, you can create incidents in EventLog Analyzer by:
Mapping alerts as incidents
Mapping search results as incidents
Mapping reports as incidents
Automating incident creation by configuring incident rules

Steps to map alerts as incidents

In EventLog Analyzer, you can map a triggered alert as an incident, assign a security technician to respond to the incident,
and track its status by following the steps given below:

Navigate to the Alerts tab.


Select the alert for which you want to create an incident.
Click on the +Add to Incident button present at the top of the alerts table and click on the +Add New Incident
option to create a new incident.
Enter the name and description of the incident.
Select the assignee, status, and severity of the incident from the respective drop-down menus.
Click on Create.

You can also add an alert as evidence to an incident by selecting the alert, clicking on the +Add to Incident button, and
selecting the required incident from the list displayed. The alert can now be viewed under the Evidence tab of the selected
incident.



Steps to map search results as incidents

EventLog Analyzer allows you to map search results as incidents to help you backtrack an attack and conduct root cause
analysis by following the steps given below:

Navigate to the search tab and execute the required search query.
In the search results pane, click on the Incident button.
Now, select the search result(s) you want to add to an incident.
Click the +Add to Incident button and choose the incident to which you want to add the search result(s).
Alternatively, you can also create a new incident to map the selected search results by clicking the +Add New
Incident link.
If you're creating a new incident, enter a name and description for the incident. Select the assignee, status, and
severity from the respective drop-down menus.
Click Create.

You can now view the search results added as evidence under the Evidence tab of the incident.

Steps to map reports as incidents



If anomalies are detected in a report, you can further investigate the deviant events specified in the report by mapping
those events as incidents and thoroughly examining them by assigning a dedicated IT security professional. You can map
reported events as incidents by following the steps given below:

Navigate to the Reports tab and click the report you want to add as an incident.
Click the Incident button and select the events of interest.
Click the +Add to Incident button and select the name of the incident to which you want to add the selected
events.
Alternatively, you can also create a new incident by clicking the +Add New Incident link.
If you're creating a new incident, enter a name and description for the incident. Select the assignee, status, and
severity from the respective drop-down menus.
Click Create.

You can now view the events of the report listed under the Evidence tab of the selected incident.

Configuring incident rules

You can configure pre-defined incident rules for devices, device groups, and alert profiles to automatically create incidents
when a specific number of alerts get triggered within a specified time span.

Steps to create an incident rule


Navigate to the Alerts tab > Incident > Incident Rule > +Add Incident Rule.
Enter a name and description for your incident rule.
Assign the incidents created by this rule to a technician by selecting a name from the Assign To drop-down menu.
Select the severity: Attention, Critical, or Trouble from the Severity field.
Enter the threshold value to create the incident. An incident will be created when the specified number of alerts get
triggered within the time frame.
In the Criteria field, specify the Device, Device Group, or Alert Profile for which you want to create an incident.
You can also combine multiple criteria by clicking on the + icon to add another field and joining the fields
using the AND and OR logical operators.
Click on Save.



You can click on the Incident name to edit the name, description, assignee, severity, and status of the incident. You can view
the Evidence, Notes, Activity Logs, and Actors of the incident. Additionally, you can also view who created the incident,
when it was created, and the age of the incident in this page.

Note: You can create up to 10 incident rules in your EventLog Analyzer instance. The solution is capable of triggering
up to fifty incidents per incident rule in a day.
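To make the threshold and criteria semantics concrete, here is an added example (not EventLog Analyzer code) that models an incident rule in Python: it matches alerts on Device, Device Group and Alert Profile criteria combined with AND or OR, opens an incident once the threshold is reached within the time frame, and enforces the 10-rule and 50-incidents-per-day limits from the note above. The alert shape, rule names and sample alerts are constructed for the example.

```python
"""Threshold-based incident rule engine. Added example, not EventLog Analyzer code; it models
the rule behaviour the guide describes and enforces the limits from the note above."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_RULES = 10             # rules per instance, from the guide's note
DAILY_INCIDENT_CAP = 50    # incidents per rule per day, from the guide's note


@dataclass(frozen=True)
class Alert:
    # A triggered alert (constructed shape); the fields mirror the rule criteria.
    time: datetime
    device: str
    device_group: str
    alert_profile: str

    def value(self, criteria_field):
        return {"Device": self.device, "Device Group": self.device_group,
                "Alert Profile": self.alert_profile}[criteria_field]


@dataclass
class Incident:
    name: str
    assignee: str
    severity: str            # Attention, Critical or Trouble
    created: datetime
    evidence: list = field(default_factory=list)  # the alerts that tripped the threshold


@dataclass
class IncidentRule:
    name: str
    assign_to: str
    severity: str
    threshold: int           # number of alerts that must arrive within time_frame
    time_frame: timedelta
    criteria: list           # [(field, value), ...] with field Device / Device Group / Alert Profile
    operator: str = "AND"    # how several criteria are combined: AND or OR

    def matches(self, alert):
        checks = [alert.value(f) == v for f, v in self.criteria]
        return all(checks) if self.operator == "AND" else any(checks)


class IncidentRuleEngine:
    def __init__(self, rules):
        if len(rules) > MAX_RULES:
            raise ValueError(f"at most {MAX_RULES} incident rules are supported")
        self.rules = list(rules)
        self._windows = {r.name: deque() for r in self.rules}  # matching alerts inside the time frame
        self._daily = {}                                       # (rule name, date) -> incidents opened

    def process(self, alert):
        """Feed one alert (alerts must arrive in time order); return the incidents it opened."""
        opened = []
        for rule in self.rules:
            if not rule.matches(alert):
                continue
            window = self._windows[rule.name]
            window.append(alert)
            while alert.time - window[0].time > rule.time_frame:  # expire alerts outside the frame
                window.popleft()
            if len(window) < rule.threshold:
                continue
            key = (rule.name, alert.time.date())
            if self._daily.get(key, 0) < DAILY_INCIDENT_CAP:
                self._daily[key] = self._daily.get(key, 0) + 1
                opened.append(Incident(rule.name, rule.assign_to, rule.severity,
                                       alert.time, list(window)))
            window.clear()  # alerts already counted towards an incident are not reused
        return opened


def demo():
    """Constructed sample: failed-logon alerts on domain controllers, threshold 3 in 5 minutes."""
    rule = IncidentRule("DC brute force", "soc-analyst", "Critical", 3, timedelta(minutes=5),
                        [("Alert Profile", "Failed logon"), ("Device Group", "Domain Controllers")])
    engine = IncidentRuleEngine([rule])
    t0 = datetime(2024, 1, 1, 9, 0)
    alerts = [
        Alert(t0, "dc01", "Domain Controllers", "Failed logon"),
        Alert(t0 + timedelta(minutes=1), "ws07", "Workstations", "Failed logon"),   # wrong group
        Alert(t0 + timedelta(minutes=2), "dc02", "Domain Controllers", "Failed logon"),
        Alert(t0 + timedelta(minutes=4), "dc01", "Domain Controllers", "Failed logon"),  # third -> incident
        Alert(t0 + timedelta(minutes=30), "dc01", "Domain Controllers", "Failed logon"),  # new window
    ]
    return [inc for a in alerts for inc in engine.process(a)]


def demo_daily_cap():
    """Threshold 1 and 60 matching alerts on one day: only 50 incidents are opened."""
    engine = IncidentRuleEngine([IncidentRule("noisy", "soc-analyst", "Attention", 1,
                                              timedelta(minutes=1), [("Device", "dc01")])])
    t0 = datetime(2024, 1, 1, 0, 0)
    return sum(len(engine.process(Alert(t0 + timedelta(seconds=i), "dc01", "DCs", "p")))
               for i in range(60))
```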

Creating Incident views


You can view the incidents under various categories such as All incidents, Active incidents, and Critical incidents by
selecting the required view from the Select View drop-down menu. You can also create custom views by configuring a filter
for the type of incidents you want to view.



Apply the filter and click the Save as View link to enter a name for the view and click Save. Custom views are personal to
the users who created them and can be viewed only by them. You can edit and delete the custom view by hovering your
mouse pointer over the created view in the Select View drop-down menu.

Viewing and editing incident rules


In the Incident Rule page, you can select incident rules to enable, disable, or delete them.



Incident workflow management
You can mitigate security incidents in your network before they result in a breach by automating response workflows when
alerts are triggered. EventLog Analyzer allows you to create workflows to automatically perform actions such as disabling
USB ports, shutting down systems, and changing firewall rules when security incidents are detected.

Steps to create a workflow


1. In EventLog Analyzer, click on the Alerts tab.

2. Click on the More tools icon present at the top-right corner of the page.

3. Click on Workflow to open the Manage Workflow page and click on the +Create Workflow button.

4. Enter a name for the workflow in the Workflow Name field.

5. Click on the Description link next to the Workflow Name field to enter an appropriate description for the workflow.

6. Create a workflow by dragging and dropping the workflow blocks from the left pane into the space provided. Ensure
that these blocks are logically arranged to execute an event in your infrastructure.

EventLog Analyzer contains multiple workflow blocks to help you configure workflows to perform the required actions. The
logic blocks are categorized under different sections.

The list of workflow blocks and the details to be specified while configuring workflows using them are given below:

Logic blocks and the details to be specified for each:

Logic actions

Decision
  Allows you to branch the workflow based on the status of the previous action.

Time Delay
  Allows you to introduce a time delay in the execution of the workflow.
  Details to be specified:
    The time delay in minutes.

Network actions

Ping Device
  Allows you to ping a device within your network to check connectivity.
  Details to be specified:
    The name of the device to be pinged.
    Number of echo request messages to be sent.
    Size of the packet to be sent.
    Timeout for the action.
    Number of action retries within the specified time.

Trace Route
  Allows you to run a trace route function to a device in your network to identify the path.
  Details to be specified:
    The name of the device you wish to trace the route to.
    The maximum number of hops.
    Timeout for the action.

Process actions

Test Process
  Allows you to test whether a process is running on a device.
  Details to be specified:
    The name of the device on which you want to test the process.
    The process you want to test.
    ExecutablePath and CommandLine to execute the process.

Start Process
  Allows you to start a process on a device.
  Details to be specified:
    The name of the device on which you want to start a process.
    The process working directory.
    The command to start the process.

Stop Process
  Allows you to stop a process on a device.
  Details to be specified:
    The name of the device on which you want to stop the process.
    The process you want to stop.
    ExecutablePath and CommandLine to execute the process.

Service actions

Test Service
  Allows you to test whether a service is running on a device.
  Details to be specified:
    The name of the device on which you want to test the service.
    The service you want to test.

Start Service
  Allows you to start a service on a device.
  Details to be specified:
    The name of the device on which you wish to start a service.
    The service to be started.

Stop Service
  Allows you to stop a service on a device.
  Details to be specified:
    The name of the device on which you wish to stop a service.
    The service to be stopped.

Windows actions

Log Off
  Allows you to log off from the currently active session on a device.
  Details to be specified:
    The name of the device you want to log off from.
    Select whether you'd like to force this action.

Shut Down System
  Allows you to shut down a Windows device.
  Details to be specified:
    The name of the device to be shut down.
    Select whether you'd like to force this action.

Restart System
  Allows you to restart a Windows device.
  Details to be specified:
    The name of the device to be restarted.
    Select whether you'd like to force this action.

Execute Windows Script
  Allows you to execute a specified script file on a Windows device.
  Details to be specified:
    The name of the device on which you want to execute the script file.
    The type of script file.
    Upload the script file to be executed.
    Arguments to the script, if any. You can separate multiple arguments using commas.
    Timeout for the action.
    The working directory for the script's execution.

Disable USB
  Allows you to disable the USB port on a device.
  Details to be specified:
    The name of the device on which you want to disable the USB port.

Linux actions

Shut Down Linux
  Allows you to shut down a Linux device.
  Details to be specified:
    The name of the device to be shut down.
    Select whether you'd like to force this action.

Restart Linux
  Allows you to restart a Linux device.
  Details to be specified:
    The name of the device to be restarted.
    Select whether you'd like to force this action.

Execute Linux Script
  Allows you to execute a specified script file on a Linux device.
  Details to be specified:
    The name of the device on which you want to execute the script file.
    The type of script file.
    Upload the script file to be executed.
    Arguments to the script, if any. You can separate multiple arguments using commas.
    Timeout for the action.
    The working directory for the script's execution.

Notification actions

Send Pop-Up Message
  Allows you to display a pop-up message on a device.
  Details to be specified:
    The name of the device on which you want to display the message.
    The message to be displayed.

Send Email
  Allows you to send an email message.
  Details to be specified:
    The recipient's email address.
    The email subject and body.

Send SMS
  Allows you to send an SMS message.
  Details to be specified:
    The recipient's mobile number.
    The SMS content.

Send SNMP Trap
  Allows you to send SNMP traps to the required destination.
  Details to be specified:
    Community.
    Port number.
    Enterprise OID.
    SNMP Manager.
    Message content.
    Version.

Active Directory actions

Disable User
  Allows you to disable a user's account.
  Details to be specified:
    The name of the user account you want to disable.

Delete User
  Allows you to delete a user account.
  Details to be specified:
    The name of the user account you want to delete.

Disable Computer
  Allows you to disable a computer account.
  Details to be specified:
    The name of the computer account you want to disable.

Cisco ASA actions

Add Inbound Rule
  Allows you to add an inbound rule.
  Details to be specified:
    The name of the firewall device.
    The Interface name.
    Source address.
    Destination address.

Add Outbound Rule
  Allows you to add an outbound rule.
  Details to be specified:
    The name of the firewall device.
    The Interface name.
    Source address.
    Destination address.

Miscellaneous actions

Write to File
  Allows you to write a message to a file.
  Details to be specified:
    The name of the device on which the file is located.
    The file name.
    The absolute file path.
    The text to be written to the file.
    Select whether you would like to append to or overwrite a file if it already exists.

CSV Lookup
  Allows you to search for values within a CSV file.
  Details to be specified:
    Upload the CSV file to perform the lookup on by clicking on "Browse".
    Specify the header or column number.
    Select the field to be matched.

Forward Logs
  Allows you to forward logs to the required destination.
  Details to be specified:
    Name of the destination server.
    The protocol to be used.
    Port number and standard.

HTTP Request
  Allows you to send an HTTP request to a URL.
  Details to be specified:
    The URL to which you want to send an HTTP request.
    Specify the Method you want to use (Get or Post).
    Add the required parameters.



7. You can enter a brief description for each logic block to record its purpose in the workflow. This makes it easier for
you to understand and edit the workflow later.

8. Click on the Save button to create the workflow.

To edit an existing workflow, click on the edit icon present against the workflow name in the Manage Workflow page.

Managing workflows
You can view and edit existing workflows in EventLog Analyzer by navigating to the Alerts tab and clicking on Workflow
from the More tools icon. The Manage Workflows page displays the list of workflows, their descriptions, the number of alert
profiles associated with each workflow, and their histories. You can enable or disable, delete, edit, and copy the workflows
by clicking on the respective icons.

Updating workflow credentials



You can automate workflows on Windows, Linux, and Cisco devices for which you have administrative privileges. You have
to update the credentials of these devices in EventLog Analyzer for seamless execution of the workflows.

To automate workflows in Windows devices:

If the Windows devices have already been added to EventLog Analyzer, workflows can be executed using the device
credentials or the domain credentials of the devices, so you need not manually update credentials for Windows devices.

To automate workflows in Linux devices:

You can configure a set of common credentials for executing workflows in all Linux devices by following the steps given
below:

Click on the Workflow Credentials link present in the Manage Workflow page.
Click on the Edit link provided for Linux devices.
Enter the username, password, and port number.
Click on Update to store and use these credentials to execute workflows in all Linux devices.

To automate workflows in Cisco devices:

You must configure the REST API agent in the Cisco firewall to execute workflows by following the steps given in this link.
(The Cisco REST API supported versions are listed here).

You can configure a set of common credentials for executing workflows in all Cisco devices using EventLog Analyzer by
following the steps given below:

Click on the Workflow Credentials link present in the Manage Workflow page.
Click on the Edit link provided for Cisco devices.
Enter the username and password.
Click on Update to store and use these credentials to execute workflows in all Cisco devices.

If the common credentials do not work for certain Cisco devices, you need to configure the credentials for those devices
by following the steps given below:

Navigate to Settings > Configuration > Manage Devices > Syslog Devices.
Hover your mouse pointer near the device on which you want to execute workflows and click on the edit icon.
In the Update Device pop-up menu, click on Advanced.
Select the Configure REST API Credentials check box.
Enter a username and password.
Click on Verify Credential to send a REST API call to the Cisco device to verify if the credentials are valid.
Click on Update to store and use the specified credentials for executing workflows.



Chapter 16 Framework Integration

Integrating and using the MITRE ATT&CK framework with EventLog Analyzer
EventLog Analyzer helps spot adversaries, classify attacks, and single out attack tactics and techniques by integrating the
MITRE ATT&CK framework to robustly monitor network security.

What is the MITRE ATT&CK framework?


The MITRE ATT&CK framework is a matrix of attack tactics mapped with various attack techniques that are constantly
updated to serve as the attack encyclopedia for IT security professionals all across the globe.

The tactics signify the objectives of an attacker such as:

Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact

Various attack techniques such as account manipulation, access token manipulation, and brute force to name a few are
associated with the tactics to help identify adverse events and anomalies. The framework is adopted globally to facilitate
easier communication among cyber security enthusiasts about the latest attack patterns.

Pre-configurations required for integrating the MITRE ATT&CK framework in EventLog Analyzer
Closely monitoring and tracking network events is of paramount importance to detect adversaries. You need to enable the
advanced audit policy settings given under the following categories in your network to cohesively gain insights from the
framework:



Account Logon
Account Management
Directory Service Access
Logon/Logoff Events
Object Access
Policy Change
Privilege Use
Detailed Tracking
System Events
App Locker Auditing
Windows Defender Attack Surface Reduction

Chapter 17 Configurations

Configurations
Carry out the necessary configurations required for EventLog Analyzer functioning. You can carry out the following
configurations:

Manage Devices
Manage Device Groups
Manage Applications
File Integrity Monitoring
Threat Management
Threat whitelisting
Manage Threat Source
Manage vCenter
Manage Vulnerability Data

Device Management
All the devices added to EventLog Analyzer for monitoring can be viewed under Settings > Configuration > Manage
Devices.

In this page, you can find three tabs: Windows Devices, Syslog Devices and Other Devices. Under Windows Devices, you
can use the Select Category drop-down menu to select a domain or workgroup.

1. Devices are displayed with the following icons: Search, Enable, Disable, Filter, Change Monitor time interval, and
Delete. The Filter option lets you choose the devices for reports by their status (enabled/disabled), state
(active/inactive) and device group.

2. The table displays the following columns:

a. Checkbox against all devices

b. Actions: Configure event source file and Update icons.

c. Device Name

d. Device IP address

e. Last Message Time

f. Last Event Collected On

g. Next Scan On: Shows when the next scan is scheduled. The Scan Now link against each device will scan the
device instantly.

h. Monitoring Interval: The period for collection of logs.

i. Device Group

j. Status: Status of log collection.

Quick Links

Configuring Auto Log Forward for Unix machines


Configure domains and workgroups
Manage Device Groups

Manage Devices
How to add a device?

Refer to Add Device.

How to delete a device?

1. Go to Settings > Configuration > Manage Devices.

2. Select the appropriate tab from Windows Devices, Syslog Devices, Other Devices.

3. Select the checkbox(es) against the respective device(s).

4. Click the delete icon in the action menu.

5. Click Yes in the delete confirmation pop-up.

How to disable/enable a device?

1. Navigate to Settings > Configuration > Manage Devices.

2. Select the appropriate tab from Windows Devices, Syslog Devices, Other Devices.

3. Select the device(s) by selecting the respective check box(es).

4. Click the disable or enable icons in the action menu.

How to change the monitoring interval?

1. Navigate to Settings > Configuration > Manage Devices > Windows Devices

2. Select the device(s) by selecting the respective check box(es).

3. Click the Change monitor interval icon in the action menu.

4. In the box that opens, select the time interval in hours or minutes as needed.

5. Click Update.

How to update a device's configuration?

1. Go to Settings > Configuration > Manage Devices > Windows Devices.

2. Click the edit icon for the device. For Syslog Devices and Other Devices, hover over the device for the edit icon to appear.

3. This opens the Update Device box where you can edit Device Type, Device IP Address, Display Name, and Monitor
Interval.

4. Click Advanced to edit Encoding Type and Time zone.

5. Click Update.

How to configure event source files in a device?

1. Go to Settings > Configuration > Manage Devices > Windows.

2. Click the Configure Event Source Files icon for the device.

3. In the Event source files dialog box, select the type(s) of event source files.

4. Click Configure.

Note: The registry is accessed for configuring event source files. Modifications to a registry entry will reflect
only when reloaded. This feature supports Windows XP Pro and above.

Configure Auto Log Forward for Unix devices

1. Go to Settings > Configuration > Manage Devices > Syslog Devices.

2. Select the Unix device by ticking the checkbox.

3. Click Configure Auto Log Forward in the Actions menu.

4. Enter the root login credentials for the Unix device and SSH port number.

5. For configuring syslog forwarding, enter the IP address of the EventLog Analyzer server.

6. Select the protocol: TCP or UDP.

7. Specify the Syslog Port number. Note that the default port numbers are 513 and 514 for UDP and 514 for TCP.

8. Click Verify & Update.

Manage Applications
This module lets you manage the applications being monitored by EventLog Analyzer. Applications such as IIS Servers,
Microsoft SQL Servers, Oracle databases, print servers, and terminal servers can be added, deleted, and viewed.

Viewing all other monitored servers


EventLog Analyzer lists all the other servers being monitored, with details of the device associated with the application, type
of the application, total files imported, and an option to view the relevant reports.

File Integrity Monitoring (FIM)
File Integrity Monitoring is a feature that helps you monitor all changes (addition/deletion/modification) made to files and
folders in Windows and Linux systems.

Important Note: It is recommended that FIM be implemented only for strictly necessary files and folders so as to
avoid disk space issues that may arise due to the high volume of generated logs.

Prerequisites for File Integrity Monitoring


Windows:

When you enable File Integrity Monitoring for Windows, certain audit policy subcategories will be automatically enabled on
the file server. If there are overriding GPOs for audit policy in your domain, follow the procedure below to enable them
manually:
In an administrator command prompt, enter the command
auditpol /get /category:"Object Access"
Then enable the following audit subcategories:
Audit File Share
Audit File System
Audit Handle Manipulation
Audit Detailed File Share
Audit Other Object Access Events
SACLs should be enabled for the monitored files/folders. These are automatically enabled by the product. If not,
manually update the SACLs with the following permissions (see how):
Execute files / traverse folder
Write data / create files
Append data / create folders
Write attributes
Write extended attributes
Delete subfolders and files
Delete
Read permissions
Change permissions
Take ownership
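Both the Windows FIM prerequisites above and the advanced audit policy categories required for the MITRE ATT&CK integration come down to audit subcategories that must actually be enabled on the file server. The following Python example (added here, not the product's code) parses the CSV report produced by `auditpol /get /category:"Object Access" /r` and lists the required subcategories that do not yet audit both success and failure; the sample report, host name and GUID placeholders are constructed, and the function names are this example's own.

```python
"""Check the Object Access audit subcategories that FIM on Windows requires.

Parses the CSV report written by:
    auditpol /get /category:"Object Access" /r
The sample report below is constructed for offline use (hostname and GUIDs
are placeholders); on a file server, pass the real command output to
parse_auditpol_report() or call check_local_host() from an elevated prompt.
"""
import csv
import io
import subprocess

# Subcategories the FIM prerequisites require; each should audit both
# success and failure so that file changes and denied attempts are recorded.
FIM_REQUIRED_SUBCATEGORIES = (
    "File Share",
    "File System",
    "Handle Manipulation",
    "Detailed File Share",
    "Other Object Access Events",
)

# Constructed sample of `auditpol /get /category:"Object Access" /r` output.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
FS01,System,File System,{GUID-PLACEHOLDER-1},Success and Failure,
FS01,System,Registry,{GUID-PLACEHOLDER-2},No Auditing,
FS01,System,Handle Manipulation,{GUID-PLACEHOLDER-3},No Auditing,
FS01,System,File Share,{GUID-PLACEHOLDER-4},Success,
FS01,System,Detailed File Share,{GUID-PLACEHOLDER-5},No Auditing,
FS01,System,Other Object Access Events,{GUID-PLACEHOLDER-6},Success and Failure,
"""


def parse_auditpol_report(report_text):
    """Map each subcategory in an auditpol /r report to its inclusion setting."""
    settings = {}
    for row in csv.DictReader(io.StringIO(report_text.lstrip("\ufeff"))):
        subcategory = (row.get("Subcategory") or "").strip()
        if subcategory:
            settings[subcategory] = (row.get("Inclusion Setting") or "").strip()
    return settings


def missing_audit_settings(settings, required=FIM_REQUIRED_SUBCATEGORIES):
    """Required subcategories that are absent or not 'Success and Failure'.

    Pass another tuple of subcategory names as `required` to check the
    categories needed for the MITRE ATT&CK integration the same way.
    """
    missing = {}
    for subcategory in required:
        current = settings.get(subcategory, "<not reported>")
        if current != "Success and Failure":
            missing[subcategory] = current
    return missing


def auditpol_set_commands(missing):
    """auditpol commands that enable success and failure auditing per gap."""
    return [
        f'auditpol /set /subcategory:"{name}" /success:enable /failure:enable'
        for name in missing
    ]


def check_local_host():
    """Run auditpol on this Windows host (needs an elevated prompt)."""
    report = subprocess.run(
        ["auditpol", "/get", "/category:Object Access", "/r"],
        capture_output=True, text=True, check=True,
    ).stdout
    return missing_audit_settings(parse_auditpol_report(report))


if __name__ == "__main__":
    gaps = missing_audit_settings(parse_auditpol_report(SAMPLE_AUDITPOL_CSV))
    for name, current in gaps.items():
        print(f"{name}: {current}")
    for command in auditpol_set_commands(gaps):
        print(command)
```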

Linux:

The SSH server should be installed on the Linux machine (mandatory only for installation).
Ensure that the audit daemon is installed and configured on your Linux machines. Also ensure that:
The Linux kernel version is 2.6.25 or higher.
The Linux audit framework version is higher than 1.8.
If the syscall block rule and the immutable rule are enabled in /etc/audit/audit.rules, remove the following rules from it:
Syscall block rule: -a never,task
Immutable rule: -e 2
If you are enabling auditing on SUSE machines, set the following:
Navigate to /etc/sysconfig/auditd
Set AUDITD_DISABLE_CONTEXTS = no
If Security-Enhanced Linux (SELinux) is present, it must either be in permissive mode or disabled:
Check the SELinux status using the command: getenforce.
If the status is 'Enforcing', open the file /etc/selinux/config and make this edit: SELINUX=permissive.
Restart the server.

Note: Configuring FIM for Linux audits the following actions on Linux files:

Read
Write
Execute
Attribute change
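A check for the Linux prerequisites listed above (kernel and audit framework versions, the two audit.rules entries that must be removed, and the SELinux mode), as an added Python example that is not part of the product. The sample audit.rules content and version strings are constructed; on a real host, feed it the output of `uname -r`, `auditctl -v`, `getenforce` and the text of /etc/audit/audit.rules.

```python
"""Check the Linux auditd prerequisites for FIM on constructed inputs."""
import re

MIN_KERNEL = (2, 6, 25)   # prerequisite: kernel 2.6.25 or higher
MIN_AUDIT = (1, 8)        # prerequisite: audit framework higher than 1.8

# Constructed /etc/audit/audit.rules that would block FIM on two counts.
# Note: once "-e 2" has been loaded, edits to the file take effect only
# after a reboot, because the running configuration is immutable.
SAMPLE_AUDIT_RULES = """\
## First rule - delete all
-D
-b 8192
-a never,task
-w /etc/passwd -p wa -k identity
## Make the configuration immutable
-e 2
"""


def version_tuple(text):
    """First dotted number in text as an int tuple, trailing zeros dropped
    so that '1.8.0' compares equal to '1.8'."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    parts = [int(p) for p in match.group(0).split(".")] if match else [0]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def blocking_rules(rules_text):
    """Lines that must be removed from audit.rules: the syscall block rule
    (-a never,task, in either field order) and the immutable rule (-e 2).
    Returns (line number, rule) pairs; comments and blank lines are skipped."""
    found = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        tokens = line.split()
        if len(tokens) < 2:
            continue
        is_block = tokens[0] == "-a" and set(tokens[1].split(",")) == {"never", "task"}
        is_immutable = tokens[0] == "-e" and tokens[1] == "2"
        if is_block or is_immutable:
            found.append((lineno, line))
    return found


def fim_prerequisite_problems(kernel_release, auditctl_version, rules_text, selinux_mode):
    """Human-readable list of prerequisites not met; an empty list means ready."""
    problems = []
    if version_tuple(kernel_release) < MIN_KERNEL:
        problems.append(f"kernel {kernel_release} is older than 2.6.25")
    if version_tuple(auditctl_version) <= MIN_AUDIT:
        problems.append(f"audit framework '{auditctl_version}' is not higher than 1.8")
    for lineno, rule in blocking_rules(rules_text):
        problems.append(f"audit.rules line {lineno}: remove '{rule}'")
    if selinux_mode.strip().lower() == "enforcing":
        problems.append("SELinux is Enforcing: set SELINUX=permissive in "
                        "/etc/selinux/config and restart the server")
    return problems


if __name__ == "__main__":
    for problem in fim_prerequisite_problems(
        "5.15.0-91-generic", "auditctl version 3.0.7", SAMPLE_AUDIT_RULES, "Enforcing"
    ):
        print(problem)
```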

Configuring File Integrity Monitoring


To configure File Integrity Monitoring, navigate to Settings > Configurations > Manage File Integrity Monitoring.


Depending on which device the files and folders that you wish to monitor are located in, click on either the
Windows or Linux tab.
Click Add FIM.
Pick the device in which the files/folders are located, enter correct credentials, browse and select the files and
folders you wish to monitor. Alternatively, you can enter the location of the files/folders.

Note: For Linux devices, in addition to entering the details mentioned above, you will also be prompted to enter

the SSH port number.

The Exclude Filter gives you an option to exclude
a. Certain file types.

b. Certain sub-locations within the main location.

c. All sub-locations within the main location.

If you want to know who has made the change to the file or folder, check the Audit Username checkbox.

Note: For Linux devices, username is audited by default.

Click Configure.

Configuring Bulk File Integrity Monitoring


If the same files and folders located in multiple devices need to be added for monitoring, then the Bulk File Integrity
Monitoring feature can be used.

Navigate to Settings > Configurations > Manage File Integrity Monitoring.


Depending on which device the files and folders that you wish to monitor are located in, click on either the
Windows or Linux tab.
Click Add FIM. Select Configure multiple devices on the top right corner.
Pick the device in which the files/folders are located, enter correct credentials, and select the file template(s).

Note: For Linux devices, in addition to entering the details mentioned above, you will also be prompted to enter

the SSH port number.

Click Configure.

Notes:
If an agent is already installed in the device whose files you want to monitor, file monitoring will
automatically be enabled in the agent.
If no agent is installed in the device for which you want to monitor the files, then an agent will be
installed and file monitoring will be enabled in the agent.
Please note that the volume of logs generated for each change occurring on the folders can affect the
performance of the file server. It is a recommended practice to limit file/folder monitoring to the
required files/folders.

Manage File Integrity Monitoring (FIM) Templates


If the same file or folder needs to be monitored in a number of devices, then a template can be created and assigned to
these devices. To create a FIM template follow the steps below:

Navigate to Settings > Configurations > Manage File Integrity Monitoring > FIM Templates.
Depending on which device the files and folders that you wish to monitor are located in, click on either the
Windows or Linux tab.
Click Add FIM.
Enter a name for the template and select the locations of the files and folders.
Alternatively, you can enter the location of the files/folders.
The Exclude Filter gives you an option to exclude
a. Certain file types.

b. Certain sub-locations within the main location.

c. All sub-locations within the main location.

If you want to know who has made the change to the file or folder, check the Audit Username checkbox.
Click Configure.

All the created templates are listed in a tabular column with an option to edit / delete them.

Manage Threat Source
This dashboard lets you manage all threat solutions monitored by EventLog Analyzer.

Settings > Configurations > Manage Threat Source

How to add a threat source?


Refer to Add Threat Source.

How to view a threat analysis report?


1. Go to Settings > Configurations > Manage Threat Source.

2. Click on the View Report icon on the right corresponding to the threat source.

How to delete a threat source?

1. Go to Settings > Configurations > Manage Threat Source.

2. Hover over the threat source and click on the red cross icon that appears.

3. Click OK in the delete confirmation pop-up.

Threat Management
This page describes the steps to manage the threat sources of EventLog Analyzer:

Adding TAXII server
Editing TAXII server configuration
Deleting TAXII server
Managing TAXII feeds
Advanced threat analytics

How to add a new STIX/TAXII server?


1. Go to Settings > Threat Management > STIX/TAXII Threat Feeds.

2. Click Add Server.

3. In the Add Server box, enter the Display name, URL, Username and Password.

4. In the Poll from box, specify the date from when feeds should be collected.

5. In the Schedule drop down list, select the schedule frequency and the time for syncing data from the TAXII server.

6. To save the server configuration, click Add Server.

How to edit TAXII server configuration?

1. Go to Settings > Threat Management.

2. Click the edit icon against the server.

3. You can make the required changes such as the schedule to sync data from the TAXII server.

4. To save the changes made, click the Update Server button.

How to delete TAXII server?


To delete an existing TAXII server,

1. Go to Settings > Threat Management.

2. Click the delete icon corresponding to the server to be deleted.

3. Click Yes in the delete confirmation pop up box.

How to manage TAXII server feed?

1. Go to Settings > Threat Management > STIX/TAXII feeds.

2. Click Manage Feeds corresponding to the server to be managed.

The Manage Feeds window opens as shown below.

3. Click the enable/disable icon under Actions to enable/disable polling for the corresponding feed. Click Yes in the pop-
up to confirm.

4. Click Poll now to poll the feed immediately.

Threat Whitelisting
Threat whitelisting helps you to specify an index of approved IPs, URLs, and Domains.

How to whitelist a new source?

Navigate to Settings > Threat Management > Whitelisted Sources.


Click the Whitelist Source option (top right corner of the Threat Management page).

Select the source type from the drop-down list.

IP Details

The value(s) entered should either be an IP address, CIDR, or an IP Range.

The CIDR value can be entered using the '/' symbol. For instance, 192.198.111.0/220.

IP Range can be entered by mentioning the Start and End IPs. For instance, 192.198.111.0 should be the Start IP
and 192.198.111.220 should be the End IP, if you want the IPs in-between the range to be whitelisted.

URL

The URL can be whitelisted by mentioning the address in the text box. For instance, http://sampleURL.com

Domain

A domain can be whitelisted by mentioning the domain address. For instance, 'mydomain'.

Enter an appropriate value in the Description field. (Optional)

Import CSV

To import an existing CSV file containing the source(s) to be whitelisted, click the Import CSV option on the top-
right corner of the pop-up window.

Refer the sample CSV for the file format.

Note: Only CSV files are supported.

The imported source(s) will be displayed in the list.
To delete an existing source, click the bin icon displayed near the respective source(s) under Actions. Click
the Yes button in the confirmation box that appears.

Threat Alerting
Threat Whitelisting has been integrated with Advanced Threat Analytics with the aim of reducing false positive alerts.

Navigate to Alerts > Threat Alerts.

To whitelist a particular source, select the desired source from the list (using checkbox) and click on the ellipsis
(three dots stacked vertically) and select the Whitelist Source option.

Click the Whitelist button. Click the Yes button in the confirmation box that appears.

Note: The whitelisted sources will be excluded from threat alerts and external threat reports.
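The whitelist entry formats described above (single IP, CIDR, IP range, URL and domain) and their use to suppress threat alerts, as an added Python example that is not the product's code. The sample entries and alerts are constructed, and the matching rules (a domain entry also matches its subdomains, a URL entry matches after normalizing scheme, host and default port) are this example's assumptions.

```python
"""Match threat indicators against a whitelist and drop whitelisted alerts."""
import ipaddress
from urllib.parse import urlsplit


def normalize_url(url):
    """Lower-case scheme and host, drop default ports, default the path to '/'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    path = parts.path or "/"
    return f"{scheme}://{host}{path}" + (f"?{parts.query}" if parts.query else "")


class ThreatWhitelist:
    def __init__(self):
        self.networks = []    # ip_network objects; a single IP becomes a /32 or /128
        self.ranges = []      # (start, end) ip_address pairs, inclusive
        self.urls = set()     # normalized URLs
        self.domains = set()  # bare domain names

    def add_ip(self, value):
        """Single IP ('10.0.0.5') or CIDR ('192.168.111.0/24'); raises ValueError otherwise."""
        self.networks.append(ipaddress.ip_network(value.strip(), strict=False))

    def add_ip_range(self, start, end):
        first, last = ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range {start}-{end}")
        self.ranges.append((first, last))

    def add_url(self, url):
        self.urls.add(normalize_url(url.strip()))

    def add_domain(self, domain):
        self.domains.add(domain.strip().lower().rstrip("."))

    def ip_whitelisted(self, ip_text):
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            return False
        if any(ip in net for net in self.networks):   # False across IP versions
            return True
        return any(first <= ip <= last
                   for first, last in self.ranges if first.version == ip.version)

    def domain_whitelisted(self, host):
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def is_whitelisted(self, indicator):
        """True if an IP, URL or host name indicator matches any whitelist entry."""
        if self.ip_whitelisted(indicator):
            return True
        if "://" in indicator or "/" in indicator:
            url = normalize_url(indicator)
            return url in self.urls or self.domain_whitelisted(urlsplit(url).hostname or "")
        return self.domain_whitelisted(indicator.strip())


def filter_threat_alerts(alerts, whitelist):
    """Keep only alerts whose 'source' indicator is not whitelisted."""
    return [alert for alert in alerts if not whitelist.is_whitelisted(alert["source"])]


def build_sample_whitelist():
    """Constructed entries, one per format the whitelist form accepts."""
    wl = ThreatWhitelist()
    wl.add_ip("10.0.0.5")
    wl.add_ip("192.168.111.0/24")
    wl.add_ip_range("172.16.0.10", "172.16.0.20")
    wl.add_url("http://sampleURL.com/feed")
    wl.add_domain("mydomain.example")
    return wl


# Constructed threat alerts keyed by the indicator that raised them.
SAMPLE_ALERTS = [
    {"id": 1, "source": "192.168.111.200"},
    {"id": 2, "source": "203.0.113.9"},
    {"id": 3, "source": "cdn.mydomain.example"},
    {"id": 4, "source": "http://sampleurl.com/other"},
    {"id": 5, "source": "172.16.0.15"},
]

if __name__ == "__main__":
    for alert in filter_threat_alerts(SAMPLE_ALERTS, build_sample_whitelist()):
        print(f"alert {alert['id']} stays: {alert['source']}")
```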

Manage Vulnerability Data
The vulnerability scanners to be monitored by EventLog Analyzer can be managed in this section. Vulnerability scanners can
be added, deleted, and all the vulnerability scanners that are being monitored can be viewed.

Settings > Configurations > Manage Vulnerability Data

How to add a vulnerability scanner?


To add a vulnerability scanner, click the Import Vulnerability Data button.

View Vulnerability Imports


After you have imported a vulnerability log, navigate to View Vulnerability Imports to view its details. Here,
the vulnerability scanners are displayed along with the name of the scanner, type, family, last import time, and status.

How to delete a Vulnerability Scanner?


To delete a vulnerability scanner, hover your mouse over the vulnerability scanner and click the Delete icon that appears.

Device Group Management
Device groups allow you to perform initial configuration for multiple devices simultaneously with the help of configuration
templates, schedule maintenance and downtime for multiple devices, suppress events on multiple devices, etc.

How to add a device group?


You can add a new device group using the following menu option:

Settings tab > Configurations > Manage Device Groups > +Add Group

1. Enter a unique name for the device group to be added.

2. Write a description for the device group.

3. Click on the +Add Device(s) button to add devices to this device group. You can then select the devices you wish to
add by clicking on the respective check box(es).

4. Click OK to complete adding the required devices.

5. Click the Add button to create the device group with the devices listed.

How to edit a device group?


On the table row of a specific device group, the Update icon is available to edit the selected device group. Here, you can
edit the Group Name, Description, and Device List.

How to delete a device group?


On the table row of a specific device group, the Delete icon will delete the selected device group.

Device Groups

In the Device Groups table, all the device groups added to EventLog Analyzer are displayed with description and number of
devices.

By clicking on the number under the Number of Devices link, you can view all the devices present in the device group.

The More Options drop down menu allows you to:

Change Monitor Interval

Update Credentials

Update Port No

Manage vCenter
The vCenter servers to be monitored by EventLog Analyzer can be managed in this section. vCenter servers can be added,
deleted, and all the vCenter servers that are being monitored can be viewed.

Settings > Configurations > Manage vCenter

View vCenter
After you have added a vCenter server, navigate to View vCenter to view its details. Here, you can view the added vCenter
servers along with log collection status, last message time, and next scan.

How to edit a vCenter server?


To edit a vCenter server, hover your mouse over the vCenter and click the Edit icon that appears. You can modify values
such as the port, protocol, and more.

How to delete a vCenter server?


To delete a vCenter server, hover your mouse over the vCenter and click the Delete icon that appears.

Log Forwarder
EventLog Analyzer's syslog forwarder sends logs from syslog devices as raw data; logs from other sources are converted
to RFC 3164 or RFC 5424 format and forwarded to the destination server.

Steps to start forwarding logs

1. Navigate to Settings > Configurations > Log Forwarder.

2. Enable the Syslog forwarder.

3. Enter the destination server to which the logs have to be forwarded and the port number (default port: 513).

4. Select the protocol (UDP only), the RFC standard (RFC 3164 or RFC 5424), and the source devices from which logs have
to be forwarded.

5. Click Save.
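What the conversion step above produces for a non-syslog source, as an added Python example that is not the product's implementation: a constructed Windows event record is rendered as an RFC 3164 and as an RFC 5424 message and can be sent over UDP. The facility/severity mapping, the event record and the structured-data ID `ela@32473` (32473 is the enterprise number reserved for documentation) are this example's own choices.

```python
"""Render a Windows event as RFC 3164 / RFC 5424 syslog and forward over UDP."""
import socket
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16

# Assumed mapping from Windows event level to syslog severity (RFC 5424 6.2.1).
SEVERITY_BY_LEVEL = {
    "Error": 3,          # err
    "Warning": 4,        # warning
    "Information": 6,    # informational
    "Audit Success": 6,
    "Audit Failure": 4,
}

# Constructed Windows event as the forwarder might receive it from a device.
SAMPLE_EVENT = {
    "time": datetime(2024, 3, 5, 10, 15, 30, tzinfo=timezone.utc),
    "device": "FS01",
    "source": "Security",
    "event_id": 4663,
    "level": "Audit Success",
    "message": "An attempt was made to access an object.",
}


def priority(facility, severity):
    """PRI = facility * 8 + severity, shared by both RFCs."""
    return facility * 8 + severity


def sd_escape(value):
    """Escape the three characters RFC 5424 6.3.3 requires inside PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_rfc3164(event, facility=FACILITY_LOCAL0):
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG, day space-padded, max 1024 bytes."""
    ts = event["time"]
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    severity = SEVERITY_BY_LEVEL.get(event["level"], 5)   # default: notice
    line = (f"<{priority(facility, severity)}>{stamp} {event['device']} "
            f"{event['source']}: EventID={event['event_id']} {event['message']}")
    # RFC 3164 receivers may discard packets over 1024 bytes, so truncate.
    return line.encode("utf-8")[:1024].decode("utf-8", "ignore")


def to_rfc5424(event, facility=FACILITY_LOCAL0):
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG."""
    ts = event["time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    severity = SEVERITY_BY_LEVEL.get(event["level"], 5)
    # Carry device and level in structured data so the receiver can filter
    # without parsing free text; PROCID is "-" (NILVALUE), MSGID is the event ID.
    sd = (f'[ela@32473 device="{sd_escape(event["device"])}" '
          f'level="{sd_escape(event["level"])}"]')
    return (f"<{priority(facility, severity)}>1 {ts} {event['device']} "
            f"{event['source']} - {event['event_id']} {sd} {event['message']}")


def forward_udp(messages, host, port):
    """Send each message as one UDP datagram to the destination server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for message in messages:
            sock.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    print(to_rfc3164(SAMPLE_EVENT))
    print(to_rfc5424(SAMPLE_EVENT))
```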

Chapter 18 Admin Settings

Admin Settings
The Admin Settings help you to configure EventLog Analyzer and to tweak its functioning as required.

You may carry out the following operations using the admin settings tab:

Agent Administration
Archive Settings
Technicians and Roles
Database Storage Settings
Log Collection Filter
Working Hour Settings
Product Settings
Log Collection Alerts
Report Profiles
Resource Grouping
Custom Log Parser
Tags

Privacy Settings
Using Privacy Settings, you can enable or disable the GDPR configuration settings, enable or disable password protection
for exported reports and allow or deny permission for EventLog Analyzer to collect your product usage statistics.

GDPR Configuration settings.


To enable or disable the GDPR configuration settings,
1. Go to Settings > Admin Settings > Enable GDPR compliance checks.

2. Click on Save.

Password protection settings for exported reports.


To enable password protection for exported reports,
1. Go to Settings > Admin Settings > check the "Enable password protection option for redistributed and
exported reports" checkbox.

2. Enter the desired password in the "Password" and "Confirm Password" box.

3. Click on Save.

To disable the password protection for exported reports,


1. Go to Settings > Admin Settings > uncheck the "Enable password protection option for redistributed and
exported reports" checkbox.
2. Click on Save.

Product usage statistics collection settings.


To allow or deny permission for EventLog Analyzer to collect your product usage statistics,

1. Go to Settings > Admin Settings > check or uncheck the Allow EventLog Analyzer to collect your product
usage statistics checkbox and click on Save.

Agent Administration
In EventLog Analyzer, an agent might be required in one of the following two scenarios:

If you want to monitor the files in Windows file servers.


If there are any RPC connectivity issues between the log source and the EventLog Analyzer server.

Installing the EventLog Analyzer agent


The following are the different ways in which you can deploy the EventLog Analyzer agent in devices:

Using the EventLog Analyzer console


Using GPOs
Using Microsoft System Center Configuration Manager (SCCM) or some similar software deployment tool
Manual installation

Using EventLog Analyzer console:


To install the EventLog Analyzer agent using the product console,

In the Settings tab, navigate to Admin Settings > Manage Agents.


Click + Install Agent and then the + icon corresponding to Device(s).

Select the devices on which you want to install the agent.


Enter the login name and password to access the device(s). This account should have admin privileges to install the
agent successfully. Or you can also choose the Use Default Credentials option.

Note: If multiple devices are selected, ensure that the credentials are valid for all the devices.

Use the Verify Credential link to validate the credentials entered.
Finally, click Install Agent to initiate agent installation.

Using GPOs:
Before beginning to install the EventLog Analyzer agent using GPOs, place the following files in a network-shared folder of
the server:

InstallEventLogAgent.vbs (Path: <Installation Directory>\ManageEngine\EventLog Analyzer\tools\scripts)


EventLogAgent.msi (Path: <Installation Directory>\ManageEngine\EventLog Analyzer\tools\scripts)

To install the agent via GPOs:

Step 1: Creating a GPO

Create a new GPO as follows (based on the Windows Server version):


Open Group Policy Management.

In the left pane, right-click the Group Policy Objects container and select New.

Give the GPO a suitable name and click OK.

Step 2: Configuring script settings


Right-click the newly created GPO and click Edit.

For Windows Server 2003, in the right pane of the GPO editor, double-click Computer Configuration and navigate
to Windows Settings > Scripts (Startup/Shutdown) > Startup.

For Windows Server 2008 and later, navigate to Computer Configuration > Policies > Windows Settings > Scripts
(Startup/Shutdown) > Startup.

Right-click Startup and in the dialog box that appears, click Add.

In the Add Script dialog box, click Browse and select InstallEventLogAgent.vbs from the shared location.

In the Script Parameters field, enter the following parameters:

/MSIPATH:"<share path of msi file>" /SERVERNAME:"<ELA server name>" /SERVERDBTYPE:"<database of server>" /SERVERIPADDRESS:"<IP address of server>" /SERVERPORT:"<port occupied by server>" /SERVERPROTOCOL:"<protocol (http/https)>" /SERVERVERSION:"<ELA version>" /SERVERINSTDIR:"<ELA installed directory>"

Click OK to return to the Startup Properties dialog box.

Click Apply and then OK.

Step 3: Configuring Administrative Template Settings


In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Administrative
Templates > System.

Under System, select Scripts.

In the right pane of the GPO Editor, double-click Run logon scripts synchronously and enable it.

Click Apply and then OK.

Similarly, enable Maximum wait time for Group Policy scripts.

Then, navigate to Logon under System.

In the right pane, double-click Always wait for the network at startup and logon and enable it.

Click Apply and then OK.

Then, navigate to Group Policy under System.

In the right pane, double-click Group Policy slow link detection and enable it.

Click Apply and then OK.

Step 4: Applying the GPO

Tip: For installing the agent on multiple computers at one go, create an AD group and add all the computers on
which the agent needs to be installed to the group. Then, apply the GPO to that group.

On the left pane of the Group Policy Management Editor, right-click the GPO you are working on and select Properties.

Navigate to the Security tab and unselect the Apply Group Policy permissions for Authenticated Users.

Click Add and in the dialog box that appears, click Object Types.

If you want to apply the GPO to computers directly, ensure Computers is selected and then click OK. For applying it to
a group, ensure Groups is selected and then click OK.

Enter the name of the desired computer(s) and/or group(s) and click Check Names.

Select the desired computer(s) and/or group(s) and click OK to return to the properties dialog box.

In the Security tab, apply the following permissions to the selected group(s) and/or computer(s):

(i) Read > Allow

(ii) Apply Group Policy > Allow

Click Apply and then OK.

Restart the computers to complete applying the GPO and wait for the reset password / unlock account link to appear
on the Windows logon screen.

Using Microsoft System Center Configuration Manager (SCCM) or some similar software deployment tool:

Place EventLogAgent.msi in a network-shared folder.
On the device(s) on which the agent needs to be installed, execute the following command:

> msiexec.exe /i "EventLogAgent.msi" /qn /norestart /L*v "Agent_Install.log" SERVERNAME=<eventlog_server_name> SERVERDBTYPE=<postgres|mssql|mysql> SERVERIPADDRESS=<eventlog_server_ip> SERVERPORT=<eventlog_server_port> SERVERPROTOCOL=<eventlog_server_protocol> SERVERVERSION=<eventlog_server_version> AGENTVERSION=<eventlog_agent_version> ENABLESILENT=yes ALLUSERS=1

Note: Values assigned to SERVERNAME, SERVERDBTYPE, SERVERIPADDRESS, SERVERPORT, SERVERPROTOCOL, SERVERVERSION,
and AGENTVERSION should be in double quotes.

Manual installation:
For Windows devices:

On the agent machine, open any browser and go to the following URL:

> <eventlog_server>:<eventlog_server_port>/event/downloadMsi.nms?platform=windows

EventLogAgent.msi will be downloaded automatically. Double-click EventLogAgent.msi to start installation.


After clicking Next in the welcome screen and the Confirm Installation dialog box, the following dialog box will be
displayed. Enter the details and click OK.

Installation will be completed.

For Linux devices,

The agent has to be configured in the Manage File Integrity Monitoring page of EventLog Analyzer. Refer to Configuring File
Integrity Monitoring to configure the agent on Linux devices. If installation fails due to permission denial, you can manually
install it by executing the following command:

> eval "wget <eventlog_server_protocol>://<eventlog_server>:<eventlog_server_port>/downloadMsi.nms?platform=agentInstaller -O AgentInstaller && sh AgentInstaller <eventlog_server_protocol>://<eventlog_server>:<eventlog_server_port> lesssecure"

Managing EventLog Analyzer agents


Using EventLog Analyzer's console, you can uninstall, upgrade, and force the agent to restart.

Uninstalling the EventLog Analyzer agent

To uninstall the EventLog Analyzer agent from device(s),

In the Settings tab, navigate to Admin Settings > Manage Agents.


Select the device(s) from which you want to remove the agent.
Click Uninstall and select Yes in the pop-up box that appears.

Another method to uninstall the EventLog Analyzer agent from device(s) is by using Add or remove programs:

Navigate to Windows start menu > Add or remove programs in your desktop.
Select the "ManageEngine EventLog Analyzer Agent".
Click Uninstall.

Forcing restart of the EventLog Analyzer agent

To force the EventLog Analyzer agent to restart,

In the Settings tab, navigate to Admin Settings > Manage Agents.


Select the device(s) on which you want to restart the agent.
Select More Actions and click Force restart in the drop-down box that appears.
In the pop-up box that appears, select Yes.

Forcing upgrade of the EventLog Analyzer agent

Upgrading the EventLog Analyzer agent through Force Upgrade,

www.eventloganalyzer.com | demo.eventloganalyzer.com | [email protected] 415


In the Settings tab, navigate to Admin Settings > Manage Agents.
Select the device(s) on which you want to restart the agent.
Select More Actions and click Force upgrade in the drop-down box that appears.
In the pop-up box that appears, select Yes.

www.eventloganalyzer.com | demo.eventloganalyzer.com | [email protected] 416


Archive
The log files processed by EventLog Analyzer are archived periodically for internal, forensic, and compliance audits. You can
configure the following as per your requirements:

Archiving interval
Type of logs that need to be archived
Storage location of the archived files
Retention period

The archived files can be encrypted and time-stamped to make them secure and tamper-proof.

How to view archived logs?

To view your archives, in the Settings tab of EventLog Analyzer, navigate to Admin Settings > Manage Archives.

The Archived Logs page loads and provides the following information:

List of devices from which the logs are being collected
Device type (Format)
The time frame ('From' and 'To') denotes the period during which the logs were collected by EventLog Analyzer
and stored in an archive file
Size of the archived log data from each of the devices
The Integrity column indicates whether the archived logs are intact or have been tampered with. The integrity of the
archived files is denoted by four states:
a. Verified - Archived logs are intact.
b. Archive file is missing - The flat file was not found during the compression/zipping process.
c. Archive file not found - The archive file was not found at the location stored for it in the DB.
d. Archive file is tampered - The original archive file was edited, or part of the file was deleted, externally. If
a file has been deleted or tampered with, an email notification is sent immediately and the message
"Archive file is tampered" is displayed on the screen.

The status of the archive is indicated by four different states:

a. Loaded - The archived files are already loaded into the database. Click 'View' to view the archive file.
b. Data already available - The archive data is in the Elasticsearch database.
c. Data partially available - Some of the archive data is in the Elasticsearch database.
d. Not Loaded - The archive data is not in the Elasticsearch database.
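As an added illustration (not the product's own code), the following Python script models how the four Integrity states above can be derived from a record of each archive's stored location and a digest taken when it was written. The ArchiveRecord schema, the use of SHA-256 and the notify() callback standing in for the integrity e-mail are assumptions; the archive files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# The four states shown in the Integrity column.
VERIFIED = "Verified"
MISSING = "Archive file is missing"
NOT_FOUND = "Archive file not found"
TAMPERED = "Archive file is tampered"


@dataclass(frozen=True)
class ArchiveRecord:
    """Hypothetical DB record for one archive file (not the product's real schema)."""
    device: str
    archive_path: str                # location of the zip as stored in the DB
    sha256: str                      # digest recorded when the archive was written
    flat_file: Optional[str] = None  # source flat file, set only while zipping is pending


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def integrity_state(rec: ArchiveRecord) -> str:
    """Classify one record into the four states, in the order the guide lists them."""
    if rec.flat_file is not None and not os.path.exists(rec.flat_file):
        return MISSING       # flat file vanished before compression could run
    if not os.path.exists(rec.archive_path):
        return NOT_FOUND     # zip is no longer at the location the DB remembers
    if sha256_of(rec.archive_path) != rec.sha256:
        return TAMPERED      # content edited or truncated after archival
    return VERIFIED


def check_archives(records: Iterable[ArchiveRecord],
                   notify: Callable[[str, str], None]) -> Dict[str, str]:
    """Evaluate every record; notify() plays the role of the integrity e-mail."""
    results: Dict[str, str] = {}
    for rec in records:
        state = integrity_state(rec)
        results[rec.device] = state
        if state != VERIFIED:
            notify(rec.device, state)
    return results


def demo() -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Constructed scenario: one intact, one edited, one deleted, one never zipped."""
    notices: List[Tuple[str, str]] = []
    with tempfile.TemporaryDirectory() as root:
        def write(name: str, data: bytes) -> str:
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            return path

        intact = write("fileserver01.zip", b"constructed archive payload A")
        edited = write("dc01.zip", b"constructed archive payload B")
        removed = write("web01.zip", b"constructed archive payload C")
        pending_zip = os.path.join(root, "db01.zip")  # never created: zipping pending

        records = [
            ArchiveRecord("fileserver01", intact, sha256_of(intact)),
            ArchiveRecord("dc01", edited, sha256_of(edited)),
            ArchiveRecord("web01", removed, sha256_of(removed)),
            ArchiveRecord("db01", pending_zip, "",
                          flat_file=os.path.join(root, "db01.flat")),  # flat file absent
        ]

        # Simulate what the Integrity column is meant to detect.
        with open(edited, "ab") as fh:
            fh.write(b"\nappended externally")   # tampering after archival
        os.remove(removed)                        # archive moved or deleted

        results = check_archives(records, lambda dev, st: notices.append((dev, st)))
    return results, notices


if __name__ == "__main__":
    print(demo())
```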

How to view a specific archival file?

To view a specific archival file, click on the check box corresponding to the device.

You can also view the archived log files that are created during a specific time period. To do so, click on the calendar icon on
the top right corner of the page and specify the desired time period.

How to filter and view a set of archive files?

If you want to view a set of files based on the size or status of the archive data, click on the filter icon
next to Size or Status and set the appropriate values. The files will be filtered based on the given values.

How to sort the list of archive files?

By clicking on the drop-down icon next to Devices/From/To, you can sort the list in ascending order of the
respective column values. By clicking again, you can sort the list in descending order.

How to load archive files?

To load your archived files, in the Settings tab of EventLog Analyzer, navigate to Admin Settings > Manage Archives.

1. Check the status of the archived file corresponding to the device. If it is Not Loaded, click the Load Archive button to
load the file into the database and search the logs.
2. Once the status of the file changes to Loaded, click on the corresponding View button.

Note: To drop a file, select the file and click on the Unload Archive button.

Note: If the status of the file says "Data partially available" and you proceed to load the archive, the data may be
duplicated.

How to delete archive files?

To delete your archived files, in the Settings tab of EventLog Analyzer, navigate to Admin Settings > Manage Archives.

1. Select the archived file(s) by selecting the respective check box(es).
2. Delete the archived file(s) by clicking on the Delete icon.

How to configure archive settings?

To configure archival settings,

Click on the Settings link at the top right corner of the screen.

Configure the archive interval, retention period, the option to encrypt and time-stamp the archive files, the location to save the
archive files and the location to save the index files in this screen.

Note: Archiving and database storage are asynchronous operations. They are unrelated.

1. Ensure that archiving is enabled. By default, it is enabled. Unselect the toggle button to disable archiving.
2. To secure the archive files, enable encryption of the files. By default, it is disabled.
3. Enter the Archive retention period for the archived files. The default period is Forever.
4. Logs can be archived in two formats: "Raw Logs with Parsed Fields" and "Raw Logs". "Raw Logs with Parsed Fields"
will be stored with the metadata and "Raw Logs" will be stored without metadata. Raw Logs take less storage space,
but only basic reports can be generated from this data.
5. Enter the storage location for the archived files in the Archive Location box. Click on "Verify Location" to validate the
location.
6. Enter the Notification Email Address. Notification emails regarding file integrity will be sent to the specified email ID(s).
For multiple email IDs, separate them with commas.
7. Enter the log retention period for the loaded archive files. The default period is 7 days.
8. Click on Advanced. Enter the values for the following three parameters displayed on the screen:
a. Choose the required time interval for file creation. The logs are written to flat files at the specified interval.
The default value is 8 hours.
b. Choose the required time interval for creating a zip file. The flat files are compressed (20:1 ratio) and zip files are
created at the specified interval. The default value is 1 day.
c. Enable Archive Timestamping if required. By default, it is disabled.
9. Save the settings and close the window. For instant archiving, click the Zip now button next to Zip Creational Interval.

Steps to move EventLog Analyzer's Elasticsearch indices to a new location

Note:
ES\repo folder contains temporary files for ES archives
ES\data folder contains data
ES\archive folder contains ES archives
ES\repo, ES\data and ES\archive should never point to the same folder

Examples:

For a remote network path, use the following format:

path.data : ["//remote machine name/shared folder/data"]
path.repo : ["//remote machine name/shared folder/repo"]

For Windows local storage, use the following format:

path.data : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\data"]
path.repo : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\repo"]

For Linux local storage, use the following format:

path.data : ["/opt/ManageEngine/EventLog Analyzer/ES/data"]
path.repo : ["/opt/ManageEngine/EventLog Analyzer/ES/repo"]

Case 1: EventLog Analyzer as a standalone setup (not integrated with Log360)

1. Shut down EventLog Analyzer.
2. Navigate to <Eventlog home>\ES\config\elasticsearch.yml, update path.data to include the new location and save the
file.
3. Move the files from the <ManageEngine>\<Eventlog>\ES\data folder to the new location.

Case 2: EventLog Analyzer is integrated into Log360 and is installed with the Log360 installer (bundled):

In this case, EventLog Analyzer uses a common ES that is shared with other modules.

Note:
With Log360, the integrated module will have only one ES and it can be located in the Admin > Administration
and Search Engine Management page. By clicking on details you can see that it is running from the
<ManageEngine>\elasticsearch\ES folder.

1. Shut down EventLog Analyzer and Log360.
2. Shut down the common ES.
i. Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
ii. Run stopES.bat
3. Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, update path.data to include the new
location and save the file.
4. Move the files from the <ManageEngine>\elasticsearch\ES\data folder to the new location.

Case 3: EventLog Analyzer is manually integrated into Log360:

In this case, EventLog Analyzer will be using both its existing local ES (from before integration) and the common ES (after
integration with Log360).

Note:
By default, the integrated module will have two ES instances and they can be located in the Admin > Administration and
Search Engine Management page. By clicking on details you can see that one is running from the EventLog Analyzer
<Eventlog home>\ES folder and the other from the <ManageEngine>\elasticsearch\ES folder.

1. Shut down EventLog Analyzer and Log360.
2. Shut down the common ES.
i. Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
ii. Run stopES.bat
3. Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, update path.data to include the new
location and save the file.
4. Move the files from the <ManageEngine>\elasticsearch\ES\data folder to the new location.
5. Navigate to <ManageEngine>\<Eventlog>\ES\config\elasticsearch.yml, update path.data to include the new location
(different from the one given for the common ES) and save the file.
6. Move the files from the <ManageEngine>\<Eventlog>\ES\data folder to the new location.

Steps to move EventLog Analyzer's Elasticsearch data to a new location

Note:
ES\repo folder contains temporary files for ES archives
ES\data folder contains data
ES\archive folder contains ES archives
ES\repo, ES\data and ES\archive should never point to the same folder

Examples:

For a remote network path, use the following format:

path.data : ["//remote machine name/shared folder/data"]
path.repo : ["//remote machine name/shared folder/repo"]

For Windows local storage, use the following format:

path.data : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\data"]
path.repo : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\repo"]

For Linux local storage, use the following format:

path.data : ["/opt/ManageEngine/EventLog Analyzer/ES/data"]
path.repo : ["/opt/ManageEngine/EventLog Analyzer/ES/repo"]

Case 1: EventLog Analyzer as a standalone setup (not integrated with Log360)

1. Shut down EventLog Analyzer.
2. Navigate to <Eventlog home>\ES\config\elasticsearch.yml, update path.data to include the new data location and
save the file.
3. In <Eventlog home>\ES\config\elasticsearch.yml, update path.repo to include the new repository location (parallel to
the data directory) and save the file.
4. Move the files from the <ManageEngine>\<Eventlog>\ES\data folder to the new location.
5. Create a folder with the name archive (parallel to the new data directory).
6. Move the files from the <ManageEngine>\<Eventlog>\ES\archive folder to the new folder named archive.

Case 2: EventLog Analyzer is integrated into Log360 and is installed with the Log360 installer (bundled):

In this case, EventLog Analyzer uses a common ES that is shared with other modules.

Note:
With Log360, the integrated module will have only one ES and it can be located in the Admin > Administration
and Search Engine Management page. By clicking on details you can see that it is running from the
<ManageEngine>\elasticsearch\ES folder.

1. Shut down EventLog Analyzer and Log360.
2. Shut down the common ES.
i. Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
ii. Run stopES.bat
3. Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, update path.data to include the new data
location and save the file.
4. Also update path.data in <Eventlog home>\ES\config\elasticsearch.yml to include the new data location (the same data
location as mentioned in step 3).
5. Update path.repo in <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml to the new repository location
(parallel to the new data path).
6. Update path.repo in <Eventlog home>\ES\config\elasticsearch.yml to the new repository location (the same repository
location as mentioned in step 5).
7. Move the files from <ManageEngine>\elasticsearch\ES\data to the new location.
8. Create a folder with the name archive (parallel to the new data directory).
9. Move the files from the <ManageEngine>\<Eventlog>\ES\archive folder to the new folder named archive.

Case 3: EventLog Analyzer is manually integrated into Log360:

In this case, EventLog Analyzer will be using both its existing local ES (from before integration) and the common ES (after
integration with Log360).

Note:
By default, the integrated module will have two ES instances and they can be located in the Admin > Administration and
Search Engine Management page. By clicking on details you can see that one is running from the EventLog Analyzer
<Eventlog home>\ES folder and the other from the <ManageEngine>\elasticsearch\ES folder.

1. Shut down EventLog Analyzer and Log360.
2. Shut down the common ES.
i. Open Command Prompt as the Administrator in <ManageEngine>\elasticsearch\ES\bin
ii. Run stopES.bat

I. Change in the common ES
1. Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, update path.data to include the new
location and save the file.
2. Update path.repo in <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml to include the new repository
location (parallel to path.data).
3. Move the files from <ManageEngine>\elasticsearch\ES\data to the new location.

II. Change in the local ES (the path here should be different from the one given for the common ES)
1. Navigate to <ManageEngine>\<Eventlog>\ES\config\elasticsearch.yml, update path.data to include the new location
(this should be different from the one given for the common ES) and save the file.
2. Update path.repo in <ManageEngine>\<Eventlog home>\ES\config\elasticsearch.yml to the same repository location
as that of the common ES.
3. Create a folder with the name archive (parallel to the new data directory).
4. Move the files from <ManageEngine>\<Eventlog>\ES\data to the new location.
5. Move the files from the <ManageEngine>\<Eventlog>\ES\archive folder to the new folder named archive.
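An added check, not part of this guide or of the product, for the elasticsearch.yml layout rules stated in the notes of the two "Steps to move" sections above: it reads path.data and path.repo in the single-entry form the guide shows, verifies that the repo, data and archive folders are distinct and that archive sits parallel to data, and checks the Case 3 rule that the local ES uses a different path.data but the same path.repo as the common ES. The sample configuration text and the share name nas01 are constructed.

```python
import posixpath
import re
from typing import Dict, List

# Matches the single-entry list form the guide shows, for example
#   path.data : ["C:\\ManageEngine\\EventLog Analyzer\\ES\\data"]
# Every other line of elasticsearch.yml is ignored; this is not a YAML parser.
_PATH_LINE = re.compile(r'^\s*(path\.(?:data|repo))\s*:\s*\[\s*"([^"]*)"\s*\]\s*$')


def parse_paths(yml_text: str) -> Dict[str, str]:
    """Return the path.data / path.repo values found in the file text."""
    found: Dict[str, str] = {}
    for line in yml_text.splitlines():
        m = _PATH_LINE.match(line)
        if m:
            key, raw = m.groups()
            # A YAML double-quoted string writes one backslash as two.
            found[key] = raw.replace("\\\\", "\\")
    return found


def normalize(path: str) -> str:
    """Canonical form for comparing folders: forward slashes, no trailing slash, case-folded.
    Case folding is deliberately strict: 'ES/Data' and 'ES/data' are reported as the same
    folder even though Linux would distinguish them, which is the safer way to fail."""
    return posixpath.normpath(path.replace("\\", "/")).casefold()


def check_node_layout(paths: Dict[str, str], archive_dir: str) -> List[str]:
    """Rules for one ES instance: both keys set, repo/data/archive all distinct,
    and the archive folder a sibling of the data folder."""
    problems = [f"{key} is not set" for key in ("path.data", "path.repo") if key not in paths]
    if problems:
        return problems
    folders = {
        "path.data": normalize(paths["path.data"]),
        "path.repo": normalize(paths["path.repo"]),
        "archive": normalize(archive_dir),
    }
    owner: Dict[str, str] = {}
    for name, folder in folders.items():
        if folder in owner:
            problems.append(f"{name} and {owner[folder]} point to the same folder: {folder}")
        else:
            owner[folder] = name
    if posixpath.dirname(folders["archive"]) != posixpath.dirname(folders["path.data"]):
        problems.append("archive folder is not parallel to path.data")
    return problems


def check_manual_integration(common: Dict[str, str], local: Dict[str, str]) -> List[str]:
    """Case 3 rule: the local ES keeps its own data folder but shares the common ES repository."""
    problems: List[str] = []
    if normalize(common["path.data"]) == normalize(local["path.data"]):
        problems.append("local ES path.data must differ from the common ES path.data")
    if normalize(common["path.repo"]) != normalize(local["path.repo"]):
        problems.append("local ES path.repo must equal the common ES path.repo")
    return problems


# Constructed sample configuration text using the folder layout of the guide's Windows example.
GOOD_YML = """
cluster.name: eventlog-es
path.data : ["C:\\\\ManageEngine\\\\EventLog Analyzer\\\\ES\\\\data"]
path.repo : ["C:\\\\ManageEngine\\\\EventLog Analyzer\\\\ES\\\\repo"]
"""
GOOD_ARCHIVE = "C:\\ManageEngine\\EventLog Analyzer\\ES\\archive"

# Constructed misconfiguration: every folder mapped onto the same network share folder.
BAD_YML = """
path.data : ["//nas01/ela/data"]
path.repo : ["//nas01/ela/data"]
"""
BAD_ARCHIVE = "//nas01/ela/data"

if __name__ == "__main__":
    print("good:", check_node_layout(parse_paths(GOOD_YML), GOOD_ARCHIVE))
    print("bad:", check_node_layout(parse_paths(BAD_YML), BAD_ARCHIVE))
```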



Technicians and Roles
EventLog Analyzer supports authentication and authorization at a local level and is compatible with third-party systems
like Active Directory and RADIUS server. It allows adding users in three realms (user groups), viz. Admin, Operator, and
Guest. The Admin realm has the highest privilege in the EventLog Analyzer server and UI. The Operator has limited
privileges that allow create and delete operations on the allotted resources. The Guest has read-only
privilege on the allotted security resources (device groups).

How to add a new EventLog Analyzer technician?

To add new users, use the following menu option:

Settings tab > Technicians and Roles > Add Technician

You can either add a user from AD or add a local technician in EventLog Analyzer.

To add a local technician, click on the Add local technician link.

1. Enter a name for the technician in the Technician Name field.
2. Enter a new password and confirm it in the respective fields.
3. Enter the email address of the technician in the Email field.
4. In the Roles drop-down box, choose the role(s) you want to assign to the technician. You can assign more than one
role to the technician, and the permissions of all the selected roles will be assigned to the technician.
5. Assign device group(s) to provide a segmented view to the user and limit the privilege on security resources. Select the
device group(s) checkbox(es) and click OK.
6. Complete the add user operation using the Add button.

How to manage (delete, assign role to, assign group to) EventLog Analyzer technicians?

In the Manage Technician screen, all the users of EventLog Analyzer are listed along with each user's login name, delegated roles,
the domain in the network to which the user belongs, and a link to view their audit details. You can delete, enable or
disable users and re-assign roles and device groups for technicians.

1. To monitor the users of EventLog Analyzer, click on the User Audit icon. This gives you a report of all EventLog
Analyzer user activity. You can view the user audit data for the required username, type of user (administrator,
operator, guest), resource and action. The report can be exported in PDF/CSV format.
2. Delete, enable or disable users by selecting the users and clicking on the respective icons.
3. Click on the edit icon to update the technician details such as the roles assigned, device groups, email and password.

How to import users from Active Directory into EventLog Analyzer?

Settings tab > Admin Settings: Technicians and Roles > Add Technician
EventLog Analyzer will automatically discover and display Active Directory users from the selected domain. You
have two options: basic and advanced.

Basic Options: The AD users are displayed along with their Login Name and Organizational Unit. Select the user(s)
by clicking on the respective checkbox(es) and click on the Next button. You can easily search for a user using the
search option or by filtering based on the OU using OU Filter.

1. In the Roles drop-down box, choose the role(s) you want to assign to the technician. You can assign more than
one role to the technician, and the permissions of all the selected roles will be assigned to the technician.
2. Assign device group(s) to provide a segmented view to the user and limit the privilege on security resources.
Select the device group(s) checkbox(es) and click OK.
3. Click on the Add button.

Advanced Options: By clicking the switch to advanced options link, you can add users based on their Domain
Groups and Domain OUs. The domain groups/OUs will be automatically discovered and displayed for the selected
domain. Select the Domain Groups or Domain OUs by clicking on the respective checkbox(es) and click on the Next
button.
Configure Schedule: To synchronize users in Active Directory with the users in EventLog Analyzer, you can
configure a schedule for periodically importing users from domain groups and OUs.

1. Enter a name for the schedule.
2. Specify the interval (in days) for running the scheduled automatic import.
3. Click on the Save button, or the Save and Run Now button if you wish to run the scheduled import right
away.

Creating custom user roles


EventLog Analyzer allows you to create custom user roles in addition to the default Admin, Operator, and Guest roles.
Custom user roles enable you to have multiple user groups depending on the level of control and access that users need in
EventLog Analyzer. Custom user roles help you adopt the principle of least privilege (POLP) while adding users and assigning
roles to them.

Steps to create a Custom User Role

1. In EventLog Analyzer, navigate to Settings > Admin Settings > Technicians and Roles.
2. Click on the Manage Roles button.
3. To create a new role, click on +Add New Role.
4. In the Add New Role page, enter an appropriate role name in the Role Name field.
5. Click on the Description link next to the Role Name field to enter a description for the role you want to create.
6. You will see multiple tabs such as Home, Reports, Compliance, Correlation, Alerts, Settings, and Others. You can click
on the checkbox provided for each of these tabs to allow the role to have all the permissions associated with the
selected tabs. You can also navigate to each of these tabs individually and select the required permissions.

Under the Home tab, you can see two sections: Dashboard and View the Log Sources. In the Dashboard
section, you can allow users to view, create and manage the dashboard. In the View the Log Sources
section, you can assign permissions to view device, application, and file integrity monitoring logs. You can also
click on the checkboxes next to the Dashboard and View the Log Sources sections to select all the options
present under them.

Under the Reports tab, you can specify if the user can view, schedule, and create reports by selecting the
appropriate checkboxes. You can select all permissions associated with the Reports section by choosing
General.

Similarly, under the Compliance tab, you can choose if the user can view, create, and schedule compliance
reports. You can click on the General checkbox if you want the user to have all permissions related to the
Compliance tab.

Under the Search tab, you can choose if you want to allow the user to perform search operations on the
collected logs.

Under the Correlation tab, you can find the Correlation and Activity Monitoring sections. In the Correlation
section, you can choose if you want the role to view correlation reports, schedule them, and create and
manage correlation rules and custom correlation actions. In the Activity Monitoring section, you can choose if
the role can view and schedule activity monitoring reports, and create and manage activity monitoring rules.

Under the Alerts tab, you can find three sections: Alerts, Incident Workflows, and Ticketing Tools. In the
Alerts section, you can specify if you want the role to view generated alerts, and manage alert profiles and
alert assigning rules by clicking on the appropriate checkbox. In the Incident Workflows section, you can select
if the role can manage incident workflows. In the Ticketing Tools section, you can allow the role to configure
ticketing tools.

Under the Settings tab, you can find three tabs on the left pane: Log Source Configuration, Admin Settings,
and System Settings. The Log Source Configuration tab contains multiple sections in which you can choose if
you want the user to have permissions to configure and manage devices, applications, databases, virtual
machines, and the File Integrity Monitoring component. In the Admin Settings tab, you can choose whether the user
can configure and manage domains, workgroups, and agents. In the System Settings tab, you can specify the
permissions for managing general and system settings.

Under the Others section, you can specify if the user can view product support related information, supported
log sources, and notifications.

7. After choosing all the required permissions, click on Create to create the custom user role.

Viewing the created Custom User Role

In EventLog Analyzer, you can view all the default and custom user roles by navigating to Settings > Admin Settings >
Technicians and Roles > Manage Roles. The role names, descriptions, and the number of technicians associated with each
role are displayed in a table. The Actions column of the table contains Click to Copy, Edit, and Delete icons to enable
you to perform the required management actions. The Click to Copy option allows you to copy the permissions associated
with an existing role to a new role, which you can later edit as per your needs.

Logon Settings
Learn how to configure the following logon settings.

General: Learn how to configure CAPTCHA and block users after a certain number of invalid login attempts.
Two-factor Authentication: Learn how to enable two-factor authentication for users logging into EventLog
Analyzer.
Smartcard Authentication: Learn how to configure EventLog Analyzer to authenticate users through smart cards,
bypassing other first-factor authentication methods.
External Authentication: Learn how to configure EventLog Analyzer to authenticate users through Active Directory
and RADIUS server.

General
Under the General tab of Logon Settings, you can configure the following.

CAPTCHA Settings
Block User Settings

CAPTCHA Settings

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Login CAPTCHA
serves as a security measure against bot-based brute force attacks. Enabling this setting will display a CAPTCHA image on
the login page. End-users must enter the characters shown in the CAPTCHA image to log into the EventLog Analyzer web
portal.

You can configure whether to show CAPTCHA always or after a certain number of invalid login attempts. Apart from the
CAPTCHA image, you can also enable Audio CAPTCHA.

Steps to enable CAPTCHA:

Log into EventLog Analyzer as an administrator.
In the Settings tab, navigate to Admin Settings > Logon Settings > General.
Tick the Enable CAPTCHA on login page checkbox.
Select Always show CAPTCHA if you want users to go through CAPTCHA verification every time they log in.
Select Show CAPTCHA after invalid login attempts if you want only those users who failed at login to go through
the CAPTCHA verification process.
Enter the number of invalid login attempts after which the CAPTCHA verification should appear.
Enter the threshold (in minutes) to reset the invalid login attempts. After the specified duration, the invalid login
attempt count will be reset.
Select Enable Audio CAPTCHA to assist visually impaired users.
Note: When Audio CAPTCHA is enabled, only digits will be shown in the CAPTCHA image. If a browser doesn't
support audio CAPTCHA, the default CAPTCHA image (with letters and digits) will be shown.
Click Save Settings.


Block User Settings

Using this option you can block users from accessing EventLog Analyzer after a certain number of invalid login attempts for
a defined duration. A blocked user cannot log into EventLog Analyzer until the threshold for reset is reached.

Steps to block users:

Log into EventLog Analyzer as an administrator.


In the Settings tab, navigate to Admin Settings > Logon Settings > General.
Select the Block user after invalid login attempts checkbox.
Set the number of invalid login attempts after which users should be blocked and the number of minutes the user
should be blocked by entering the appropriate values in the given fields.
Set the threshold (in minutes) to reset the invalid login attempts. After the specified duration, the user will be
allowed to attempt login.
Click Save Settings.
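To make the interplay of the CAPTCHA and Block User thresholds above concrete, here is an added Python model (not the product's implementation) of a per-user failed-logon counter with a reset window, a CAPTCHA threshold, and a block threshold with a block duration. The policy values, the user names and the timeline are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class LogonPolicy:
    """The values entered under Logon Settings > General. These defaults are constructed
    for the demo and are not the product's defaults."""
    captcha_after_failures: int = 3   # Show CAPTCHA after invalid login attempts
    captcha_reset_minutes: int = 10   # threshold to reset the invalid attempts (CAPTCHA)
    block_after_failures: int = 5     # Block user after invalid login attempts
    block_minutes: int = 30           # number of minutes the user stays blocked
    block_reset_minutes: int = 10     # threshold to reset the invalid attempts (blocking)


@dataclass
class _UserState:
    failures: List[float] = field(default_factory=list)  # times (minutes) of failed attempts
    blocked_until: float = float("-inf")


class LogonGuard:
    """Per-user failed-logon bookkeeping for the two protections the guide describes.
    Time is passed in explicitly (in minutes) so the behaviour is deterministic."""

    def __init__(self, policy: LogonPolicy) -> None:
        self.policy = policy
        self._users: Dict[str, _UserState] = {}

    def _state(self, user: str) -> _UserState:
        return self._users.setdefault(user, _UserState())

    def _failures_within(self, user: str, window: float, now: float) -> int:
        """Count failures not yet aged out of a reset window; older ones no longer count."""
        return sum(1 for t in self._state(user).failures if now - t < window)

    def needs_captcha(self, user: str, now: float) -> bool:
        """Asked by the login page before rendering: has this user failed too often recently?"""
        p = self.policy
        return self._failures_within(user, p.captcha_reset_minutes, now) >= p.captcha_after_failures

    def is_blocked(self, user: str, now: float) -> bool:
        return now < self._state(user).blocked_until

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Process one logon attempt and return 'blocked', 'ok' or 'failed'."""
        p = self.policy
        st = self._state(user)
        if self.is_blocked(user, now):
            return "blocked"        # rejected before the password is even checked
        if password_ok:
            st.failures.clear()     # a successful logon resets both counters
            return "ok"
        st.failures.append(now)
        if self._failures_within(user, p.block_reset_minutes, now) >= p.block_after_failures:
            st.blocked_until = now + p.block_minutes
            return "blocked"
        return "failed"


def demo() -> List[str]:
    """Constructed timeline for two users; returns the sequence of decisions made."""
    guard = LogonGuard(LogonPolicy())
    out: List[str] = []

    def captcha(user: str, now: float) -> str:
        return "captcha" if guard.needs_captcha(user, now) else "no-captcha"

    out.append(guard.attempt("alice", False, 0))   # failed
    out.append(guard.attempt("alice", False, 1))   # failed
    out.append(captcha("alice", 1.5))              # 2 failures: no-captcha
    out.append(guard.attempt("alice", False, 2))   # failed
    out.append(captcha("alice", 2.5))              # 3 failures: captcha
    out.append(guard.attempt("alice", False, 3))   # failed
    out.append(guard.attempt("alice", False, 4))   # 5th failure: blocked for 30 minutes
    out.append(guard.attempt("alice", True, 5))    # correct password, still blocked
    out.append(guard.attempt("alice", True, 35))   # block expired: ok, counters cleared
    out.append(captcha("alice", 36))               # no-captcha
    # bob's two early failures age out of the 10-minute reset window before the third one.
    guard.attempt("bob", False, 0)
    guard.attempt("bob", False, 1)
    guard.attempt("bob", False, 20)
    out.append(captcha("bob", 21))                 # no-captcha
    return out


if __name__ == "__main__":
    print(demo())
```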

Two-Factor Authentication



To strengthen logon security, EventLog Analyzer supports two-factor authentication (TFA).

If TFA is enabled, EventLog Analyzer will require its users to authenticate using one of the following authentication
mechanisms in addition to Active Directory or RADIUS authentication.

Email Verification
SMS Verification
Google Authenticator
RSA SecurID
Duo Security

Note: As a preventive measure against lockout, an administrator can skip two-factor authentication during logon.

Setting up Two-factor Authentication

To enable two-factor authentication,

Log in to EventLog Analyzer as an administrator.
Move to the Settings tab and click Admin Settings > Logon Settings.
Switch the Two-factor Authentication toggle button to the Enabled position.
Click on the authentication mechanism of your choice and enter the necessary details.

Note: If multiple authentication options are enabled, the user will be asked to choose one at the time of logging in.

Email Verification

When email verification is enabled, EventLog Analyzer sends a verification code to the configured email address. That
verification code must be entered to log in successfully.

To configure email verification as the second authentication mechanism,

Click the Enable Email Verification check box to enable it.
Enter the subject and body of the email containing the verification code.
Set the priority of the mail according to your requirement.
Click the Macros button at the bottom to include macros in the email.
Click Save to save the email verification settings.

SMS Verification

When SMS verification is enabled, EventLog Analyzer sends a verification code via SMS to the configured mobile number.
That verification code must be entered to log in successfully.

To configure SMS verification as the second authentication mechanism,

Click the Enable SMS Verification check box to enable it.
Enter the body of the message containing the verification code.
Click the Macros button at the bottom to include macros in the SMS.
Click Save to save the SMS verification settings.

Google Authenticator

When verification via Google Authenticator is enabled, a six-digit security code is generated in the Google
Authenticator application on the configured mobile device. This code must be entered to log in successfully.

To configure Google Authenticator as the second authentication mechanism,

Click the Enable Google Authenticator button.
Enroll for two-factor authentication using the Google Authenticator application. For setting up Google
Authenticator, go to Google Authenticator setup.

Note: Ensure that the client time and the device (mobile) time are synchronized.

RSA SecurID


When verification via RSA SecurID is enabled, the security codes generated by the RSA SecurID mobile app, hardware
tokens, or tokens received via mail or SMS must be entered to log in successfully.

To configure RSA SecurID as the second authentication mechanism,

Log in to your RSA admin console.
Navigate to Access > Authentication Agents and click Add New.
Add the EventLog Analyzer server as an authentication agent and click Save.
Navigate to Access > Authentication Agents and click Generate Configuration File.
Download AM_Config.zip (Authentication Manager config) and extract sdconf.rec from the ZIP file.
In the EventLog Analyzer two-factor authentication menu, select the Enable RSA SecurID check box.
Click Browse and select the sdconf.rec file.
Click Save to save the configuration.

Duo Security

When verification via Duo Security is enabled, a six-digit security code is generated in the Duo Security application on
the configured mobile device. This code must be entered to log in successfully.

Note: Ensure that the server time and internet time are synchronized.

To configure Duo Security as the second authentication mechanism,

Log in to your Duo Security account, or sign up for a new one and log in. For self-enrollment steps, go to Duo Self
Enrollment.
Go to Applications and click Protect an Application.
Search for Web SDK and click Protect this Application.
Note the Integration Key, Secret Key, and API Hostname.
In the EventLog Analyzer two-factor authentication menu, select the Enable Duo Security check box and enter the
noted values in the appropriate fields.
Click Save to save the configuration.


Backup Verification Codes

As a backup mechanism against user lockout because of two-factor authentication failure, EventLog Analyzer has backup
verification codes. Each user can generate a set of five backup verification codes and use one code each time they are
unable to log in by authenticating with the configured mechanism.

To allow users to login using backup verification codes, enable the Backup Verification Code check box.

To generate backup verification codes, go to Two-factor Authentication in My Account.

Managing Enrolled Users

As an admin, you can view the authentication method users have enrolled for and also remove users' enrollment for two-
factor authentication. To manage enrolled users,

In the Settings tab, navigate to Admin Settings > Logon Settings.
Click Enrolled Users at the bottom of the authentication mechanisms list to view the list of users enrolled for two-
factor authentication and the authentication method they have chosen.
To remove a user, select the user and click the delete icon.

Managing Account Two-factor Authentication

To manage the two-factor authentication settings of the logged-in account, check Manage Account TFA.

Smart card Authentication


If you have a smart card authentication system enabled in your environment, you can configure EventLog Analyzer to
authenticate users through it, bypassing other first-factor authentication methods.

This feature provides an additional authentication option for EventLog Analyzer login by enabling the use of smart
cards/PKI/certificates to grant access to the tool. Smart card authentication strengthens the security further because
getting access to EventLog Analyzer shall then require the user to possess the smart card and know the personal
identification number (PIN) as well.

Steps to configure smart card authentication settings:

Log in to EventLog Analyzer as an administrator.
SSL port must be enabled for configuring smart card authentication settings. To check your SSL port settings, select
the Settings tab and navigate to System Settings > Connection Settings > General Settings. If not enabled already,
select the checkbox against Enable SSL [HTTPS], and specify the port number in the field. Click Save.
In the Settings tab, navigate to Admin Settings > Logon Settings > Smart Card Authentication.
Click the +Add a New Smartcard button at the top-right corner of the screen.
In the Import CA Root Certification field, click Browse and import the required Certificate Authority root
certificate file from your computer.
In the Mapping Attribute in Certificate field, specify the certificate attribute for mapping.
The user details need to be mapped between the smart card certificate and the EventLog Analyzer database. This
denotes that the attribute in the smart card certificate that uniquely identifies the user should match with the
corresponding value in the EventLog Analyzer user database. This mapping involves specifying which attribute in
the certificate should be taken up for comparison with which attribute in EventLog Analyzer user store.
EventLog Analyzer lets you specify any attribute of the smart card certificate that uniquely identifies the user in
your environment. You may choose any attribute among SAN.OtherName, SAN.RFC822Name, SAN.DirName, SAN.DNSName,
SAN.URI, email, distinguishedName, and CommonName. If any other attribute is used to uniquely identify the user in
your environment, contact EventLog Analyzer support to add that attribute.
In the Mapping Attribute in AD field, specify the LDAP attribute that should be matched with the specified
certificate attribute. Here you need to specify the particular LDAP attribute that uniquely identifies the user in
EventLog Analyzer user store, e.g., sAMAccountName. During authentication, EventLog Analyzer reads the value
corresponding to the certificate attribute that you specified in Mapping Attribute in Certificate and compares it
with the specified LDAP attribute in Mapping Attribute in AD.
In the Linked Domains field, select the appropriate domains from the drop-down menu.
Click Save.

After you have added a smart card for authentication, you can perform any of the following functions:

Edit a configured smart card
Enable/Disable a smart card
Delete a configured smart card

Edit a configured smart card

To edit a configured smart card, follow the steps given below:

In the Settings tab, navigate to Admin Settings > Logon Settings > Smart Card Authentication.
Click the Edit icon located in the Action column of the particular smart card.
Modify the settings you wish to change.
Click Save.

Enable/Disable a smart card

To enable/disable a configured smart card, follow the steps given below:

In the Settings tab, navigate to Admin Settings > Logon Settings > Smart Card Authentication.
To enable/disable a configured smart card, click on the Enable/Disable icon located in the Action column of the
particular smart card.

Delete a configured smart card

To delete a configured smart card, follow the steps given below:

In the Settings tab, navigate to Admin Settings > Logon Settings > Smart Card Authentication.
Click the Delete icon corresponding to the smart card which you wish to delete.
Click Yes to confirm the deletion.

Enabling external authentication


Technicians can log on to EventLog Analyzer with their Active Directory and RADIUS server credentials.

Steps to enable Active Directory authentication in EventLog Analyzer

Navigate to Settings > Admin Settings > Logon Settings.
Click on the External Authentication tab.
Under the Active Directory section, you will see the Enable Active Directory Authentication button.
Click on the button to enable all the users imported from Active Directory to log on to EventLog Analyzer using
their domain credentials.

Steps to enable RADIUS server authentication in EventLog Analyzer

Navigate to Settings > Admin Settings > Logon Settings.
Click on the External Authentication tab.
Click on the RADIUS server section.
Select the Enable RADIUS server Authentication check box.
Enter the RADIUS server IP and the Authentication port number.
Choose the authentication protocol from the Protocol drop-down menu.
Enter the RADIUS shared secret password in the RADIUS server secret field.
Specify the maximum number of authentication attempts that can be made from the Automatic Retries drop-down
menu.
Click on Save to enable the users to log on to EventLog Analyzer by authenticating with the configured RADIUS
server.

Domains and Workgroups
The Domains and Workgroups page lists all the Active Directory domains and workgroups discovered by EventLog Analyzer.
You have the option to update, reload and delete a domain by clicking on the respective icons.

Settings > Admin Settings > Domains and Workgroups

Adding a Domain
To add a new domain, click on the Add new domain button. This will open the Add Domain window.

1. Enter the domain name.

2. Click on the discover link to discover the domain controllers. Alternatively, you may also key in the domain controllers
in the Domain Controllers field, separated by commas.

3. Enter the credentials (Login Name and Password) with admin privileges. Note that the machine login credentials are
used when no authentication credentials are provided.

4. Click on the Add button.

Update a Domain
To update a domain, click on the Update icon in the Actions column.

1. Click on the discover link to discover the domain controllers. Alternatively, you may also key in the domain controllers
in the Domain Controllers field, separated by commas.

2. Modify the authentication credentials. Note that the machine login credentials are used when no authentication
credentials are provided.

3. Click on the Update button.

Update a Workgroup
To update a workgroup, click on the Update icon in the Actions column.

1. Modify the authentication credentials. Note that the machine login credentials are used when no authentication
credentials are provided.

2. Click on the Update button.

Working Hour Settings
EventLog Analyzer generates trend reports to analyze network patterns. This depends on the working hours and non-
working hours of each organization. You can configure the working hours in EventLog Analyzer, so that it recognises and
generates trend reports for the configured time period. You also have the option of configuring multiple working hour
ranges.

To configure working hours,

In the Settings tab, go to Admin Settings > Working Hour Settings.
Configure your organization's working hours by selecting appropriate From and To values.
To configure multiple time ranges, click the + icon and select the next working hour range.
Once the necessary working hours have been selected, click Save.

Note: If two working hour ranges with overlapping hours are configured, EventLog Analyzer will set the working
hours to be the entire range, from the least to the highest value. For example, if the configured time ranges are
8 to 12 and 5 to 11, EventLog Analyzer's working hours will be set as 5 to 12.
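As an added example (not code from the guide or the product), the merging rule in the note above, generalised to any number of ranges on a 24-hour clock. That ranges which do not overlap stay separate is an assumption beyond what the note states.

```python
def merge_working_hours(ranges):
    """Merge configured working-hour ranges.

    Each range is a (From, To) pair of hours on a 24-hour clock.  Ranges that
    overlap (or touch) are collapsed into one range running from the lowest
    From value to the highest To value, as the note describes for two
    overlapping ranges; ranges that do not overlap are kept separate
    (assumed).  Returns the merged ranges sorted by start hour.
    """
    for start, end in ranges:
        if not (0 <= start < end <= 24):
            raise ValueError(f"invalid range {start}-{end}: need 0 <= From < To <= 24")
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:
            # Overlaps or touches the previous range: extend it to the later end hour.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def is_working_hour(hour, ranges):
    """True when `hour` (0-23) falls inside any configured range after merging."""
    return any(start <= hour < end for start, end in merge_working_hours(ranges))


if __name__ == "__main__":
    # The example from the note: 8 to 12 and 5 to 11 become 5 to 12.
    print(merge_working_hours([(8, 12), (5, 11)]))
```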

Product Settings
EventLog Analyzer offers numerous customization capabilities, including limits for emails and SMSs, alert email formats,
correlation permissions, and notification settings. The Product Settings tab has two sections, each having certain
customization options:

Product Configurations
To configure settings such as views per page, number of rows displayed in reports, and so on in EventLog Analyzer,
navigate to Settings > Admin Settings > Product Settings > Product Configurations.

A description of each of the settings is given below:

Configurations | Default Values | Description
Records Per Page | 10 | Select the number of records to be displayed in the pages of the user interface. The options available are: 5, 10, 20, 25, 50, 75, 100, 150, and 200.
Daily Email Limit | 500 | Set the maximum permissible number of emails that can be sent per day. Enable or disable the mail limit alert by selecting the Enable/Disable Mail Limit Alert checkbox. There could be a mail server or client limitation for sending the emails.
Daily SMS Limit | 50 | Set the maximum permissible number of SMS messages to be sent per day. The telecom service provider often sets a limit to the number of SMSs that can be sent per day.
Alert Email Format | HTML | Select whether the alert emails are sent in HTML or plaintext format.
Historic Log Collection | Disabled | Configure whether the logs generated prior to the configuration of a device need to be collected by the product.
Allow Correlation For | All users | Configure the types of users who can access the correlation feature of the product. You can choose to grant or deny access to users who are admins, operators, or guests.
Database Query Access | Enabled | Configure whether access to the product's database is allowed or denied. The product's database can be queried to access product data stored in it.
Date and Time Format | yyyy-MM-dd HH:mm:ss | Set the format of date and time that needs to be displayed throughout the product. Other than the few predefined formats available, you can also create formats of your own. There are a few rules to be followed while creating your own date and time format: (1) the permitted separators are hyphen (-), slash (/), full stop (.), colon (:), comma (,), and space; (2) a space is the only separator that can be used between the date and the time; (3) there should not be any separators at the beginning or at the end; (4) two continuous separators are not allowed; (5) entering two digits for the month will display the month in numbers, whereas entering three digits will display it in words, e.g., 'MM' will display June as 06 and 'MMM' will display it as Jun.
Direct Export Report Limit | 20000 | Set the maximum number of records to be included in a directly exported report.
Rows in Top N Reports | 10 | Set the number of rows to be displayed for reports under the Top N Reports section.
Custom Report Record Limit | 1000 | Set the maximum number of records to be included in a Scheduled Custom Report.
Compliance Report Record Limit | 500 | Set the maximum number of records to be included in a Scheduled Compliance Report.
Report Time Out | 25 mins | Set the maximum time allowed to generate a report.
Attach Report As | ZIP Report | Select the report format to be attached in email. The available options are: PDF/CSV Report and ZIP Report.
Send Email | 25 mins | Configure whether you want to save the reports in a folder in the machine or send them as mail attachments or both. For Save To and Send Mail & Save To Folder options, you have to enter the location to save the reports in the text box. The reporting mode options available are: Send Mail, Save To Folder, and Send Mail & Save To Folder.

After making the necessary changes, click Save.
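The rules for a custom Date and Time Format can be checked mechanically. The following is an added example (not code from the product): it validates a format string against the rules in the table and renders a sample date with it. The set of recognised pattern letters (yyyy, MMM, MM, dd, HH, mm, ss, taken from the default format and the 'MMM' note) and their strftime mapping are assumptions, and SAMPLE_DATETIME is a constructed value.

```python
import re
from datetime import datetime

# Separators the product permits in a custom format (from the settings table).
SEPARATORS = set("-/.:, ")
# Pattern letters from the default "yyyy-MM-dd HH:mm:ss" plus the 'MMM' form,
# mapped to strftime directives for rendering. Assumed: the product accepts
# exactly these letters; 'mm' is minutes and 'MM' is the month (case matters).
TOKEN_TO_STRFTIME = {
    "yyyy": "%Y", "MMM": "%b", "MM": "%m", "dd": "%d",
    "HH": "%H", "mm": "%M", "ss": "%S",
}
DATE_TOKENS = {"yyyy", "MMM", "MM", "dd"}
# Longest alternatives first so 'MMM' is not read as 'MM' plus a stray 'M'.
TOKEN_RE = re.compile("|".join(sorted(TOKEN_TO_STRFTIME, key=len, reverse=True)))
# Constructed sample: 5 June 2024, 14:07:09.
SAMPLE_DATETIME = datetime(2024, 6, 5, 14, 7, 9)


def tokenize(fmt):
    """Split fmt into ('token', text) and ('sep', char) items; reject anything else."""
    items, pos = [], 0
    while pos < len(fmt):
        match = TOKEN_RE.match(fmt, pos)
        if match:
            items.append(("token", match.group()))
            pos = match.end()
        elif fmt[pos] in SEPARATORS:
            items.append(("sep", fmt[pos]))
            pos += 1
        else:
            raise ValueError(f"unsupported character {fmt[pos]!r} at position {pos}")
    return items


def validate_format(fmt):
    """Check fmt against the table's rules; return (True, '') or (False, reason)."""
    if not fmt:
        return False, "format is empty"
    try:
        items = tokenize(fmt)
    except ValueError as exc:
        return False, str(exc)
    if items[0][0] == "sep" or items[-1][0] == "sep":
        return False, "separators are not allowed at the beginning or at the end"
    for (kind_a, _), (kind_b, _) in zip(items, items[1:]):
        if kind_a == kind_b == "sep":
            return False, "two continuous separators are not allowed"
    # Only a single space may sit between the date part and the time part.
    prev_part, prev_idx = None, None
    for idx, (kind, text) in enumerate(items):
        if kind != "token":
            continue
        part = "date" if text in DATE_TOKENS else "time"
        if prev_part is not None and part != prev_part:
            between = [text for _, text in items[prev_idx + 1:idx]]
            if between != [" "]:
                return False, "a space is the only separator allowed between the date and the time"
        prev_part, prev_idx = part, idx
    return True, ""


def render(fmt, when):
    """Render `when` with a validated format: 'MM' gives 06 and 'MMM' gives Jun for June."""
    ok, reason = validate_format(fmt)
    if not ok:
        raise ValueError(reason)
    strftime_fmt = "".join(TOKEN_TO_STRFTIME[text] if kind == "token" else text
                           for kind, text in tokenize(fmt))
    return when.strftime(strftime_fmt)


if __name__ == "__main__":
    for candidate in ("yyyy-MM-dd HH:mm:ss", "dd/MMM/yyyy HH:mm", "-yyyy-MM-dd", "yyyy-MM-dd:HH:mm"):
        print(candidate, validate_format(candidate))
    print(render("MMM", SAMPLE_DATETIME))
```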

Product Notifications
To configure the scenarios for which you want to receive notifications from EventLog Analyzer, navigate to Settings >
Admin Settings > Product Settings > Product Notifications.

The different scenarios for which you have the option of enabling or disabling alerts have been listed below:

Configurations | Description
License Expiry | You will be notified that your EventLog Analyzer license is about to expire exactly 30 days, 7 days, and 1 day prior to the expiry date, as well as on the day of expiry.
EventLog Analyzer Down | You will be notified when the EventLog Analyzer service crashes or stops.
EventLog Analyzer Upgrade | You will be notified when EventLog Analyzer has been successfully upgraded.
Unprocessed Log Files | When EventLog Analyzer is unable to process the incoming logs fast enough, the unprocessed logs will be added to files. They will be processed one after the other once EventLog Analyzer is able to process logs. You can set a limit on the number of files which get filled with unprocessed logs. You will be notified once the limit is exceeded. In a new installation of EventLog Analyzer, the default value for Unprocessed Log Files is 30.
Low Disk Space | You will be notified when the free space available in the disk on which EventLog Analyzer is installed goes below a certain value. You can set the limit in terms of GB of free disk space and give a suitable subject for the email which will get triggered.
Log Collector Failure | You will be notified when EventLog Analyzer's log collector is unable to collect logs. You can configure the subject of the email which will get triggered.

Note: In a new installation of EventLog Analyzer, notifications will be turned on by default for License Expiry,
EventLog Analyzer Down, EventLog Analyzer Upgrade, and Unprocessed Log Files.

After configuring the necessary notification settings, select if those notification emails need to be sent to all
EventLog Analyzer Admins or only to specific email addresses -- which you can enter in the corresponding text box.
Then, click Save to complete configuration.

DB Retention Settings
EventLog Analyzer retains log data in its database for a customizable time period. The database contains two sets of log
data: raw logs and formatted logs. You can set a separate retention period for each type of log data. After this period, the
data will be permanently deleted from the database. Keeping the logs in the database forever will consume memory and
increase overhead costs.

Note: Archiving and database storage are independent operations, i.e., they are unrelated to each other.

To customize database retention settings,

In the Settings tab, navigate to Admin Settings > DB Retention Settings.
In the Current Storage Size box, enter the number of days for which the raw logs need to be retained in the
database. The default value is 32 days.
In the Correlation Retention Period box, enter the number of days for which the formatted logs need to be retained
in the database. The default value is 90 days.
In the Alert Retention Period box, enter the number of days for which the alerts need to be retained in the
database. The default value is 90 days.
After entering the values, click Update to save the settings.

The Confirm Action box will appear. Click on Confirm.

Log Collection Filter
EventLog Analyzer allows you to collect and process only the necessary logs by configuring log collection filters.

Steps to create a log collection filter

1. In EventLog Analyzer, navigate to Settings > Admin Settings > Log Collection Filters.

2. Click on the +Add Filter button.

3. Enter a unique name for your filter in the Filter Name field.

4. Select the log format from the Select Log Format drop-down menu. Choose any one of the following log formats
displayed:

Windows Logs
Syslogs
IBM AS/400 Logs

5. Click on the + button present in the Select Device(s) field to select a device group.

6. In the Select Device pop-up menu, you can either search and select particular devices in your network to apply the
filter to or select entire device groups by selecting the respective check boxes on the left pane and clicking on Add.

7. In the Filter Criteria box, you will see the Exclude and Collect Only drop-down menus to configure a filter to perform
either of the following actions:

Exclude all the logs that satisfy the specified filter criteria.
Collect only the logs that satisfy the specified filter criteria.

Note: You can configure a filter to perform only one action. You need to create separate filters to collect
and exclude logs for the same set of devices or device groups.

8. Click on the + sign to add multiple filter criteria by using conditional operators such as AND and OR.

9. You can also configure multiple filter groups by clicking on +Add Group and link them using AND or OR operators to

create a high-level filter.

10. Click on Finish to save the created filter.
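To make the Exclude / Collect Only actions and the AND/OR grouping of steps 7 to 9 concrete, here is an added example (not the product's code) that evaluates such filters against constructed Windows event records. The operator names, the rule that an event is collected only when every enabled filter keeps it, and the sample events are assumptions made for this example.

```python
import operator

# Constructed sample events (not from a real system), flattened to the fields a
# filter criterion would test. On Windows, EventID 4624 is a logon, 4662 an
# object-access audit and 4688 a process creation; 1000 is an Application event.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "User": "alice", "Source": "Security"},
    {"EventID": 4624, "LogonType": 3, "User": "svc-backup", "Source": "Security"},
    {"EventID": 4662, "User": "svc-backup", "Source": "Security"},
    {"EventID": 4688, "User": "bob", "Source": "Security"},
    {"EventID": 1000, "User": "bob", "Source": "Application"},
]

# Comparison operators a criterion may use (assumed set for this example).
OPERATORS = {
    "equals": operator.eq,
    "not equals": operator.ne,
    "contains": lambda actual, expected: str(expected) in str(actual),
}


class Criterion:
    """A single filter criterion: <field> <operator> <value>."""

    def __init__(self, field, op, value):
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        self.field, self.op, self.value = field, op, value

    def matches(self, event):
        # A field the event does not carry never matches; treating it as an
        # empty string would let 'not equals' silently match everything.
        if self.field not in event:
            return False
        return OPERATORS[self.op](event[self.field], self.value)


class Group:
    """A filter group: criteria and/or nested groups joined with AND or OR."""

    def __init__(self, join, members):
        if join not in ("AND", "OR") or not members:
            raise ValueError("a group needs a join of AND/OR and at least one member")
        self.join, self.members = join, members

    def matches(self, event):
        combine = all if self.join == "AND" else any
        return combine(member.matches(event) for member in self.members)


class LogCollectionFilter:
    """A named filter with exactly one action: 'Exclude' or 'Collect Only'."""

    def __init__(self, name, action, criteria, enabled=True):
        if action not in ("Exclude", "Collect Only"):
            raise ValueError("action must be 'Exclude' or 'Collect Only'")
        self.name, self.action, self.criteria, self.enabled = name, action, criteria, enabled

    def keeps(self, event):
        hit = self.criteria.matches(event)
        return (not hit) if self.action == "Exclude" else hit


def apply_filters(events, filters):
    """Collect an event only when every enabled filter keeps it (assumed semantics)."""
    active = [f for f in filters if f.enabled]
    return [event for event in events if all(f.keeps(event) for f in active)]


def example_filters():
    """Two filters for the same device group: one Exclude, one Collect Only."""
    drop_service_noise = LogCollectionFilter(
        "Drop service-account object access", "Exclude",
        Group("AND", [Criterion("EventID", "equals", 4662),
                      Criterion("User", "contains", "svc-")]))
    security_only = LogCollectionFilter(
        "Interactive logons and process creation", "Collect Only",
        Group("OR", [Group("AND", [Criterion("EventID", "equals", 4624),
                                   Criterion("LogonType", "equals", 10)]),
                     Criterion("EventID", "equals", 4688)]))
    return drop_service_noise, security_only


if __name__ == "__main__":
    for event in apply_filters(SAMPLE_EVENTS, list(example_filters())):
        print(event)
```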

Viewing and managing log collection filters


You can view, enable or disable, edit, and delete all the created filters in the Log Collection Filters page by clicking on the
respective icons provided. Please note that the default filters present in this page can only be disabled and not deleted.

You can see the list of devices associated with a particular filter by hovering your mouse pointer over the
Device(s)/Group(s) Configured section. The More Actions drop-down menu allows you to select and enable, disable,
export, and import multiple filter profiles.

Log Collection Failure Alerts
You can configure EventLog Analyzer to generate alerts when a device is down.

Device Down
To configure alerts to notify users about devices not sending logs,

In the Settings tab, navigate to Admin Settings > Log Collection Failure Alerts > Device Down Alert.

If the alert is not enabled by default, click the toggle button to enable it.
Select the device(s) or device group(s) for which alerts are to be generated when the device goes down.
Select the time interval (minutes, hours, days) at which you want to be notified via email.
In the Subject box, enter the subject of the email that will be sent to users.
In the Email Address box, enter the email IDs of users to whom the alert emails should be sent.
Click Submit to complete configuring log collection failure alerts.

Report Profiles
To generate a report in EventLog Analyzer, create a report profile, using the following menu option:

Settings tab > Admin Settings > Report Profiles

To create a report profile, refer to the procedure given in the "How to create custom reports" section.

How to edit report profile?


On the table row of a specific profile, use the Edit icon to edit the report profile.

How to delete report profile?

1. Select the report profile(s) by selecting the respective check box(es).

2. Delete the profile(s), using the Delete menu link.

3. To edit the report profile, select the respective report profile's edit icon.

My Reports

In the My Reports table, all the user-created report profiles are displayed with the name of the profile, devices assigned
to the profile, last scheduled report, and provision to add a new schedule to this profile.

Import and Export Profiles


EventLog Analyzer alert, filter, and report profiles can be exported in XML file format. This can be imported back to the
same or another EventLog Analyzer installation. The menu links for export and import of each profile are available in the
screens of the respective tabs.

Export profiles using:

Settings tab > Admin Settings: Report Profiles: My Reports: Export

Import profiles using:

Settings tab > Admin Settings: Report Profiles: My Reports: Import

How to import profiles?

1. Enter the location of the file (XML format) containing the profile to be imported.

2. Alternatively, use the Browse button to find the file and the location.

3. Complete the import profile operation with the Import button.

Schedule
When a report profile is created, an optional scheduler can be created for automatic, periodic report generation and
distribution. A report profile can also be created without a scheduler by choosing the option to generate the report "Only
once". For an unscheduled report profile, a scheduler can be created later. If the report profile is already scheduled, a new
scheduler can be created for that profile, superseding the previous scheduler.

To create a scheduler for a report profile, use the following menu option:

Settings tab > Admin Settings > Report Profiles > Schedule: Add

To create a schedule, follow the steps given below:

1. Enter a unique name for the schedule.

2. Select the report profile with which the schedule should be associated.

3. Enter email IDs to distribute the generated reports via email.

4. If the email server is not configured, configure the Mail server.

5. Select the time period (Hourly, Daily, Weekly, Monthly or Only once) at which the report should be generated.

6. Select the specific time at which the report is to be generated initially.

7. Select the time duration for which the report is to be generated.

1. How to disable/enable schedule?

Use the Enable/Disable icon to enable or disable the schedule.

2. How to edit schedule?

On the table row of a specific schedule, an Edit icon is available. Use the Edit icon to edit the selected schedule.

3. How to delete schedule?

Use the Delete icon to delete the respective schedule.

Schedules

In the Schedules table, all the schedules created are displayed with the name of the schedule, report profile associated to
the schedule, type of the schedule, and details of the reports generated as per schedule. The enable/disable option, edit
option, delete option are also available in the Schedules table.

Resource Grouping
Using Resource Grouping, you can group users/devices, in order to easily generate reports and alerts for a specific group of
users/devices.

To add a new user/device group, use the following menu option:

Settings > Admin Settings > Resource Grouping: User Groups / Remote Device Groups.

1. Enter a name for the user/device group.

2. Add the required users/devices to the group. You can use the search option to easily search for a particular
user/device.

3. Click on the Save button to create the group.

Custom Patterns for Log Parsing
How to view and edit an existing field?

Navigate to Settings > Admin Settings > Custom Log Parser.

To edit a field, select the field and click on the edit icon.

Use the text box to edit the field and use the save icon to save the changes or the x icon to discard.

How to delete a custom pattern?

To delete a custom pattern, hover over the pattern and click on the x icon.

You can delete a field by clicking the x icon next to the field.
You can also delete the log type by clicking the x icon next to the Log Type option.

How to add/edit an Open Attribute?

To add an open attribute, click on the edit icon.


In the Add Open Attribute window, enter the Field Name and the Field Value.
You can edit the Open Attributes using the editable text boxes.

How to delete an Open Attribute?

To delete an Open Attribute, click on the x icon.

Tags
In this section, you can manage the tags assigned in log search. You can view all the tags created, criteria specified, and
notes for the tag. You can also edit criteria or delete the tag. To create a tag, refer to Tagging Tool.

Navigate to Settings > Admin Settings > Tags.

How to edit a tag?


To edit the criteria of the tag, click the edit icon next to the tag. You can update the criteria of the tag here.

How to delete a tag?


To delete a tag, click the delete icon next to the tag.

Dashboard Profiles
EventLog Analyzer gives you the option of selecting the devices whose logs will be used to populate the dashboard and
reports. Its dashboard profiles allow you to group device groups into profiles and select one of them as the default
profile to form the basis of reports and the dashboard.

To view, create, edit, or delete dashboard profiles, navigate to Settings > Admin Settings > Dashboard Profiles. You can see
a list of existing dashboard profiles.

Creating dashboard profiles


Click Add at the top of the page.

Enter a name for the profile and select the device groups that should constitute it. To know how to add a new
device group, click here.
If you want to set that as the default profile, check the Set this view as default dashboard view box.
Finally, click Add.

Setting default dashboard profile


The default dashboard profile is the one based on which the reports and the dashboard will be built. There can only be one
default profile at a time.

To set a profile as default,

Select the Default icon corresponding to the dashboard profile of your choice.
In the pop-up box that appears, click OK.

Editing dashboard profile


Click the edit icon corresponding to the dashboard profile you want to edit.
Update the necessary details and click Update.

Deleting dashboard profiles


Click the delete icon corresponding to the dashboard profile you want to delete.
In the pop-up box that appears, click OK.

Chapter 19 System Settings

System Settings
Carry out the necessary configurations required for setting up EventLog Analyzer.

The following are the system settings:

Notification Settings
Manage Account TFA
NT Service
Connection Settings
Rebranding
Server Diagnostics
Database Access
Reset Log Collector
Log Level Settings
Port Management

Notification Settings
EventLog Analyzer distributes the scheduled and automatically-generated reports to users via email. It notifies users with
alerts via both email and SMS.
The email and SMS settings can be configured according to your environment's requirements.

Email Settings
To configure or change email settings,

Navigate to Settings > System Settings > Notification Settings > Mail Settings.

1. Enter the name of the outgoing mail server which EventLog Analyzer should use.

2. Enter the port number of the outgoing mail server.

3. Select the Authentication Required option if the mail server asks for authentication on every login.

4. Enter the username and password of the mail server account which EventLog Analyzer will use.

5. To ensure mail communication is secure, select TLS or SSL in Use Secure Connection.

6. In Sender Address, enter the email addresses of the users to whom the reports and alert notifications need to be sent.

7. Click Send Test Email to verify if the mail server settings are correct and the email addresses are valid.

8. Click Save to complete configuring mail server settings.

If the email server is not configured here, EventLog Analyzer prompts you to configure email settings at the report profile
and alert profile creation UI.

SMS Settings
To configure or change SMS settings,

Navigate to Settings > System Settings > Notification Settings > SMS Settings.
For sending SMS alerts, you can configure EventLog Analyzer to use a GSM modem or a custom SMS gateway of
your own.

GSM Modem Configuration
Custom SMS Gateway Configuration

GSM Modem Configuration

To configure a GSM modem,


1. Go to Settings > System Settings > Notification Settings > SMS Settings.

2. In the SMS Provider drop-down field, select GSM Modem.

3. In Modem Port Number, enter the hardware port of the EventLog Analyzer server machine to which the SMS
hardware component provided by the telecom service provider is connected.

4. Click Save Settings to complete configuration.

5. If the SMS settings are not configured here, EventLog Analyzer prompts you to configure SMS settings at the Alert
Profile Creation screen.

Steps involved in configuring the modem port and modem speed:

Connect your GSM Modem to the serial communication port.
Only a serial cable must be used for connectivity.
The port number for Windows devices will be comX. For example, COM7 or COM8.
Enter the port number to which the modem is connected. For example, COM1.

Requirements for establishing SMS server connection:

The modem/mobile must have GSM functionality with a provision to insert a SIM card.
It should support 7-bit (GSM default alphabet), 8-bit, and Unicode (UCS2) encoding.
Ensure that the GSM modem configured with EventLog Analyzer is not used by any other application.
If you experience any issue in sending SMS notifications through the GSM modem, please restart EventLog
Analyzer and try again.
Matching these criteria will allow EventLog Analyzer to support your modem/mobile phone.

Custom SMS Gateway Configuration

You can configure your own custom SMS gateway, provided the gateway is based on HTTP, SMTP, or SMPP.

HTTP-based SMS Provider:

Navigate to Settings > System Settings > Notification Settings > SMS Settings.
In the SMS Provider drop-down field, select SMS Service Provider.
In the Service Type drop-down field, select HTTP.
In the HTTP(S) Method field, select whether you want to use the Post or Get method for sending SMS.
In the HTTP(S) URL field, enter the URL of your SMS gateway provider.
In the HTTP(S) Parameters field, enter the HTTP parameters specific to your SMS provider.

Note: Separate the HTTP parameters with ampersand (&) symbols.

Example format: userName=xxx&password=yyy&mobileNumber=%mobNo%&message=%message%

where
userName = the parameter used to denote the API authentication username
xxx = API authentication username
password = the parameter used to denote the API authentication password
yyy = API authentication password
mobileNumber = recipient parameter
%mobNo% = this macro denotes the user's mobile number
message = message parameter
%message% = this macro denotes the SMS message content
More HTTP Parameters - If your SMS provider requires more parameters, such as unicode and apiID, include them as well using the '&' sign.

Specify the response your provider returns on success; EventLog Analyzer uses it to determine whether the SMS was sent.
Click Advanced Settings and enter the HTTP request headers specific to your SMS provider.
Select the check box Convert Message into Unicode to send SMS in Unicode format.
Click Save Settings to complete configuration.
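As an added example (not EventLog Analyzer code), the following Python builds and checks a parameter string in the format described above, substituting the %mobNo% and %message% macros with percent-encoded values so that an alert message containing '&', '=' or '%' cannot break the query string. The gateway URL and the credential values 'xxx'/'yyy' are constructed placeholders.

```python
"""Expand an HTTP SMS gateway parameter template of the kind the guide describes.

Added example; this is not EventLog Analyzer code. The template format and the
%mobNo% / %message% macro names are taken from the guide; the credential
values and gateway URL are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, quote_plus

# Macros EventLog Analyzer substitutes, as named in the guide.
KNOWN_MACROS = {"%mobNo%", "%message%"}

# A '%' followed by letters and an optional closing '%': also catches "%mobNo" (no close).
MACRO_RE = re.compile(r"%[A-Za-z]+%?")

# Constructed template in the guide's format.
TEMPLATE = "userName=xxx&password=yyy&mobileNumber=%mobNo%&message=%message%"


def validate_template(template: str) -> list:
    """Return a list of problems (empty when the template is well formed)."""
    problems = []
    for part in template.split("&"):
        key, sep, raw = part.partition("=")
        if not sep:
            problems.append(f"parameter {part!r} has no '='")
            continue
        for token in MACRO_RE.findall(raw):
            if token not in KNOWN_MACROS:
                problems.append(f"{key}: unknown or unterminated macro {token!r}")
    return problems


def expand_template(template: str, mob_no: str, message: str) -> str:
    """Substitute %mobNo% and %message% and return the ready-to-send query string.

    Literal provider parameters pass through untouched; only the macro values
    are encoded (quote_plus), so '+', '&', '=' and '%' in the number or in the
    alert text survive as data rather than acting as delimiters.
    """
    problems = validate_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    values = {"%mobNo%": quote_plus(mob_no), "%message%": quote_plus(message)}
    out = []
    for part in template.split("&"):
        key, _, raw = part.partition("=")
        out.append(f"{key}={values.get(raw, raw)}")
    return "&".join(out)


def build_request(method: str, url: str, template: str, mob_no: str, message: str) -> tuple:
    """Return (url, body) for the HTTP(S) Method setting.

    GET places the parameters, credentials included, in the URL where proxies
    and web server logs record them; POST carries them in the request body.
    """
    query = expand_template(template, mob_no, message)
    if method.upper() == "GET":
        return f"{url}?{query}", None
    if method.upper() == "POST":
        return url, query
    raise ValueError(f"unsupported method {method!r}")


def parse_params(query: str) -> dict:
    """Decode a query string back to single values, to check a round trip."""
    return {k: v[0] for k, v in parse_qs(query).items()}


if __name__ == "__main__":
    # Constructed alert text with characters that would corrupt an unencoded query.
    alert = "Disk > 90% on srv01 & db02"
    print(validate_template("mobileNumber=%mobNo&message=%message%"))
    print(build_request("POST", "https://sms.example.invalid/send", TEMPLATE, "+15550100", alert))
```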

SMTP-based SMS Provider:

Navigate to Settings > System Settings > Notification Settings > SMS Settings.
In the SMS Provider drop-down field, select SMS Service Provider.
In the Service Type drop-down field, select SMTP.
In the From Address field, enter an email address from which you want to send the SMS. For example,
[email protected]
In the To Address field, enter the %mobNo% macro followed by the email of your provider. For example:
%mobNo%@clickatell.com. Refer to your SMS provider to know the exact values.
In the Subject field, enter either the mobile number or message, which is based on your SMS provider.
In the Content field, enter appropriate data, which varies based on the SMS provider.
In the SMTP Server/Port field, enter the name or IP address of the SMTP Server and its port number.
Enter appropriate credentials for the SMTP server in the Username and Password fields.
Click Save Settings to complete configuration.

SMPP-based SMS Provider:

Navigate to Settings > System Settings > Notification Settings > SMS Settings.
In the SMS Provider drop-down field, select SMS Service Provider.
In the Service Type drop-down field, select SMPP.
In the SMPP Server/Port field, enter the name or IP address of the SMPP Server and its port number.
Enter appropriate credentials for the SMPP server in the Username and Password fields.
Click Advanced Settings and in the SMPP Source Address field, enter the appropriate IP address.
Select the type of number (TON) and numeric plan indicator (NPI) of the source address.
Select the type of number (TON) and numeric plan indicator (NPI) of the destination address.
Click Save Settings to complete configuration.

Manage Account TFA
To strengthen logon security, EventLog Analyzer supports two-factor authentication.

To manage the two-factor authentication settings of the logged in user account, click the profile icon on the top right
corner and select My Account.

You get a screen with three tabs: Personalize, Two-factor Authentication, and Change Password.

Personalize
In this tab, you can change the email ID of your account and the language of the product.

Two-factor Authentication
In this tab, you can change the two-factor authentication settings of your account. For that, you would first need to
authenticate using the existing two-factor authentication mechanism.

From this tab, you can also manage trusted browsers and manage backup authentication codes.

To manage your trusted browsers, click Manage Trusted Browsers.

To view the already-generated backup verification codes or to generate new ones, click Manage Backup Verification
Codes.

In the pop-up box that appears, you can see a list of backup verification codes. If all of the previously generated codes have
been used up, you can generate a new set by clicking Generate New Codes. Once new codes have been generated, it is
advisable to back them up by downloading the list, printing it, or emailing it.

Change Password
In this tab, you can change the password of your account.

NT Service
Install EventLog Analyzer Service
If you wish to run EventLog Analyzer as a service, install it by navigating to:

Settings > System Settings > NT Service > Install as a Service


When prompted, enter the administrator credentials for EventLog Analyzer. The service will now be installed.

Note: Skipping this step may cause authentication issues during the collection of event logs. It is advisable to
provide the credentials when prompted.

Uninstall EventLog Analyzer Service


If you wish to uninstall the EventLog Analyzer service, go to:

Settings > System Settings > NT Service Uninstall

Configure Connection Settings
The connection settings for EventLog Analyzer can be modified in the following page:

Settings tab > System Settings > Connection Settings


The Connection Settings page appears as follows:

Enter the following details:


1. Application Port Number: Specify the HTTP port through which EventLog Analyzer connects to the web client.
2. SSL Port Number: Specify the SSL port for a secure HTTP connection. EventLog Analyzer also provides a tool to generate a CSR file for SSL certification here.

Note: The HTTP and HTTPS port numbers should be different from each other.

3. Keystore Password: If you require the keystore password to be encrypted, enable this option and provide the required password.
4. Session Expiry Time: Mention the maximum duration for which a session of EventLog Analyzer can stay idle, following which it expires.

Click on "Save" to save the settings.


Restart EventLog Analyzer for the settings to take effect.

SSL Certification Tool

If you wish to achieve SSL Certification, EventLog Analyzer assists you in generating the required CSR file by providing a
tool, which is accessible at:

Settings tab > System Settings > Connection Settings > SSL Certification Tool
The SSL Certification Tool Page appears as follows:
Enter the details required for the certificate as indicated by the fields on the left.
Click on "Generate CSR" to generate the .csr file which can be submitted to your CA.
Click on "Apply Selfsigned Certificate" to apply the certificate in the product.
Follow the instructions on the right to complete your SSL certification process.

If you wish to manually configure the SSL settings, refer to this page for the procedure.

Proxy Settings
Navigate to Settings > System Settings > Connection Settings > Proxy Settings.

In Proxy Settings, select the Enable Proxy Server check box.


Configure the server by entering Server Name/Port, Username and Password in provided fields.
Click on Save Settings to save the configured proxy server.

Re-branding
EventLog Analyzer gives you the ability to customize logos, images, and links in the product to suit the needs of the MSSPs
(Managed Security Service Providers).

How to rebrand the EventLog Analyzer client?


Use the following menu option.

Settings tab > System Settings > Rebranding

Customize Images
Replace the default images with your company/enterprise images.

Client Logos & Images   Where it is used      Image Size & Thumbnail   New Image
Product Logo            Login Page            289*59 pixels
Top Band Image          Client Header         232*47 pixels
PDF Cover Image         PDF Cover Page        612*820 pixels
Server Status Image     Tray Icon (Windows)   400*60 pixels

Customize Strings/Links
Replace the default strings/links with your company/enterprise strings/links.

Client Logos & Images   Where it is used   Existing String/Link         New String/Link
Company Name            Login Page         ZOHO Corp.
Brand Name              Login Page         ManageEngine
Company Website         Login Page         www.zohocorp.com
Product Website         Login Page         www.eventloganalyzer.com
Support Email           Login Page         [email protected]
Sales Email             About Popup        [email protected]
Toll Free               Support Page       +1 844 649 7766

Click Update to update the customized images/logos and strings/texts.

Note:
You can customize the ZohoCorp/ManageEngine images/links as per your requirement.
Customization takes effect only for the changed images/links; otherwise the default images/links are retained.
The new image should be the same size as the default image.
Only images with the following file extensions are permitted: .jpg, .jpeg and .png

Server Diagnostics
To find out the health of the EventLog Analyzer server, use the Server Diagnostics menu.

How to get the EventLog Analyzer server health details?

In the Settings tab, navigate to System Settings > Server Diagnostics

In this screen, the details of the EventLog Analyzer server machine are displayed.
The details of Java Virtual Machine (JVM) Memory Information, System Information of the machine, Installation
Information and License Information of EventLog Analyzer application are displayed.

Database Access
To access the EventLog Analyzer database, use the Access Database menu.

How to query the EventLog Analyzer database?

Use the following menu option:

Settings tab > System Settings > Database Access

1. Enter the database query in the console.

2. Click the Execute Query button.

Note:
Only 'read queries' can be executed.
Create, Alter, Insert queries cannot be executed.
Table and Column names are case sensitive.

Reset Log Collector
To reset the log collector, navigate to System Settings > Reset Log Collector, and click Restart.
A dialog box will appear asking for confirmation. Click OK to confirm. This will restart EventLog Analyzer's log collector.

Note: Reset Log Collector is used for troubleshooting EventLog Analyzer. This provision is used for running EventLog Analyzer in debug mode. Please contact [email protected] before resetting the log collector.

Log Level Settings
Log Level Settings is used to set the granularity level of EventLog Analyzer server logs. The logs will form part of the support
information file (SIF) generated for sending to ZOHO Corp. These logs will be used for debugging EventLog Analyzer server
issues.

In the Settings tab, navigate to System Settings >Log Level Settings.

Select the Server Log Filter Settings (values from 2 to 5).


Select the Level of Log data to be stored.
Select the Logger Name from the list. For each available logger or set of loggers, you can set the log filter level and
log level independently.
Click Save Settings to save the selected log level settings.

Port Management
EventLog Analyzer lets you manage UDP/TCP ports to listen for syslogs and SNMP traps from devices through this
dashboard.

Note that

For each protocol, you can add up to a maximum of six ports.
For collecting Syslog data, you can use the same port for multiple protocols.
You can also disable the existing default ports and add additional listening ports instead.

Syslog Ports

1. Go to Settings > System Settings > Listener Ports.
2. Click the Add Syslog Port button.
3. In the pop-up box that appears, enter the appropriate port number.
4. Select its corresponding protocol.
5. Click Add.
6. To disable a Syslog port, click the disable icon corresponding to the port you want to disable.
7. To enable a Syslog port, click the enable icon corresponding to the port you want to enable.
8. To delete a Syslog port, click the delete icon corresponding to the port you want to delete.

Note: TCP and TLS protocols cannot share the same port number.

SNMP Traps Port Management

To edit the port on which EventLog Analyzer listens for SNMP traps,

1. Click the edit icon corresponding to the SNMP trap port.
2. In the pop-up box that appears, enter the desired port number.
3. Click Update.
4. To enable/disable the SNMP trap port, click the enable/disable icon corresponding to it.

1. By default, EventLog Analyzer listens on port 162 (UDP) for SNMP traps.
2. When a device which has not been added to EventLog Analyzer starts sending SNMP traps to the product, it is automatically listed under Other Devices in Settings > Configuration > Manage Devices.

Chapter 20 Help, Questions, and Tips

EventLog Analyzer - Troubleshooting Tips


General

Where do I find the log files to send to EventLog Analyzer Support?

For Build 8010 onwards

The log files are located in the <EventLogAnalyzer_Home>/logs directory. Typically, when you run into a problem, you will be asked to send the serverout.txt file from this directory to EventLog Analyzer Support.

For Build 8000 or earlier

The log files are located in the <EventLogAnalyzer_Home>/server/default/log directory. Typically, when you run into a problem, you will be asked to send the serverout.txt file from this directory to EventLog Analyzer Support.

I find that EventLog Analyzer keeps crashing or all of a sudden stops collecting logs. What could be the reason?

The inbuilt PostgreSQL/MySQL database of EventLog Analyzer could get corrupted if other processes access its directories at the same time. So exclude the ManageEngine installation folder from:

Anti-virus scans
Automatic backup software
Snapshots, in the case of a VMware installation

Ensure that no snapshots are taken if the product is running on a VM.

How to create SIF (Support Information File) and send it to ManageEngine when you are not able to perform the
same from the Web client?

The SIF will help us to analyze the issue you have come across and propose a solution for the same.

If you are unable to create a SIF from the Web client UI,

For Build 8010 onwards

You can zip the files under the 'logs' folder, located in C:/ManageEngine/Eventlog/logs (default path), and upload the zip file at the following link: http://bonitas.zohocorp.com/upload/index.jsp?to=eventloganalyzer-[email protected]

For Build 8000 or earlier

You can zip the files under the 'log' folder, located in C:/ManageEngine/Eventlog/server/default/log (default path), and upload the zip file at the following link: http://bonitas.zohocorp.com/upload/index.jsp?to=eventloganalyzer-[email protected]

How to register dll when message files for event sources are unavailable?

To register a dll, follow the procedure given at the link below: http://ss64.com/nt/regsvr32.html

Installation
EventLog Analyzer displays "Enter a proper ManageEngine license file" during installation

This can happen under two instances:

Case 1: Your system date is set to a future or past date. In this case, uninstall EventLog Analyzer, reset the
system date to the current date and time, and re-install EventLog Analyzer.
Case 2: You may have provided an incorrect or corrupted license file. Verify that you have applied the license file
obtained from ZOHO Corp. If neither is the reason, or you are still getting this error, contact
[email protected]

Binding EventLog Analyzer server (IP binding) to a specific interface.

For Build 8010 onwards

To bind EventLog Analyzer server to a specific interface, follow the procedure given below:

For EventLog Analyzer running as an application:

Shutdown EventLog Analyzer.

Open the run.bat file which is under the <EventLog Analyzer Home>\bin directory, go to the "RESTART Command block", uncomment the RESTART command line shown below and replace <ip-address> with the IP address to which you want to bind the application, comment out the existing RESTART command line, and save the file.

Change

rem %JAVA% %JAVA_OPTS% -cp "%CLASS_PATH%" com.adventnet.mfw.Starter %SAFE_START% -c default -b <ip-address>

to

%JAVA% %JAVA_OPTS% -cp "%CLASS_PATH%" com.adventnet.mfw.Starter %SAFE_START% -c default -b <ip-address>

and change

%JAVA% %JAVA_OPTS% -cp "%CLASS_PATH%" com.adventnet.mfw.Starter %SAFE_START%

to

rem %JAVA% %JAVA_OPTS% -cp "%CLASS_PATH%" com.adventnet.mfw.Starter %SAFE_START%

Open the setcommonenv.bat file which is under the <EventLog Analyzer Home>\bin directory, go to the "JAVA_OPTS Setting command block", uncomment the JAVA_OPTS setting command line shown below and replace <ip-address> with the IP address to which you want to bind the application, and comment out the existing JAVA_OPTS setting command.

Change

rem set JAVA_OPTS=-Djava.library.path=..\lib;..\lib\native -DpdfReport=false -Duser.country=US -Duser.language=en -DminDiskSpace=5 -Xms128m -Xmx512m -Dspecific.bind.address=<ip-address>

to

set JAVA_OPTS=-Djava.library.path=..\lib;..\lib\native -DpdfReport=false -Duser.country=US -Duser.language=en -DminDiskSpace=5 -Xms128m -Xmx512m -Dspecific.bind.address=<ip-address>

and change

set JAVA_OPTS=-Djava.library.path=..\lib;..\lib\native -DpdfReport=false -Duser.country=US -Duser.language=en -DminDiskSpace=5 -Xms256m -Xmx1024m

to

rem set JAVA_OPTS=-Djava.library.path=..\lib;..\lib\native -DpdfReport=false -Duser.country=US -Duser.language=en -DminDiskSpace=5 -Xms256m -Xmx1024m

Save the file.

Open the database_param.conf file which is under the <EventLog Analyzer Home>\conf directory, replace localhost in the url tag with the <binding IP address> to which you want to bind the application, and save the file.

Change

url=jdbc:postgresql://localhost:33336/eventlog?stringtype=unspecified

to

url=jdbc:postgresql://<binding IP address>:33336/eventlog?stringtype=unspecified

Open the postgresql.conf file which is under the <EventLog Analyzer Home>\pgsql\data directory, uncomment the line #listen_addresses = 'localhost' in the CONNECTIONS AND AUTHENTICATION section, replace 'localhost' with the '<binding IP address>' to which you want to bind the application, and save the file.

Change

#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------

# - Connection Settings -

#listen_addresses = 'localhost'   # what IP address(es) to listen on;
                                  # comma-separated list of addresses;
                                  # defaults to 'localhost'; use '*' for all
                                  # (change requires restart)

to

#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------

# - Connection Settings -

listen_addresses = '<binding IP address>'   # what IP address(es) to listen on;
                                            # comma-separated list of addresses;
                                            # defaults to 'localhost'; use '*' for all
                                            # (change requires restart)

Open the pg_hba.conf file which is under the <EventLog Analyzer Home>\pgsql\data directory, add the line

host all all <binding IP address in IPv4 format>/32 trust

after the line

host all all 127.0.0.1/32 trust

and save the file.

Change

# TYPE  DATABASE  USER  ADDRESS       METHOD

# IPv4 local connections:
host    all       all   127.0.0.1/32  trust
# IPv6 local connections:
host    all       all   ::1/128       trust

to

# TYPE  DATABASE  USER  ADDRESS       METHOD

# IPv4 local connections:
host    all       all   127.0.0.1/32  trust
host    all       all   <binding IP address in IPv4 format>/32  trust
# IPv6 local connections:
host    all       all   ::1/128       trust

Restart EventLog Analyzer

For EventLog Analyzer running as a service:

Before proceeding further, stop the EventLog Analyzer service and make sure that 'SysEvtCol.exe', 'Postgres.exe' and 'java.exe' are not running.

There are 7 files that must be modified for IP binding.

Note: Before editing the files, ensure that you have a backup copy of the files.

Assume xxx.xxx.xxx.xxx is the IP address you wish to bind with EventLog Analyzer.

File 1)

<ELA home>\bin\setCommonEnv.bat

Search for the line set JAVA_OPTS=-Djava.library.path=..\lib;..\lib\native -Duser.country=US -Duser.language=en -Xms256m -Xmx1024m
Append -Dspecific.bind.address=xxx.xxx.xxx.xxx to the line. It will now look as: set JAVA_OPTS=-Djava.library.path=..\lib;..\lib\native -Duser.country=US -Duser.language=en -Xms256m -Xmx1024m -Dspecific.bind.address=xxx.xxx.xxx.xxx

File 2)

<ELA home>\bin\runSEC.bat

Search for the line "%SERVER_HOME%\bin\SysEvtCol.exe" -port 513 %syslogPort% -dbhome "%dbhome%" -ELAhome "%serverHome%" -loglevel 2 %RelayIP% %IPadd% %IgnoreHost% %IPadd% %*
Add -bindip xxx.xxx.xxx.xxx to the line, so that it looks like "%SERVER_HOME%\bin\SysEvtCol.exe" -bindip xxx.xxx.xxx.xxx -port 513 %syslogPort% -dbhome "%dbhome%" -ELAhome "%serverHome%" -loglevel 2 %RelayIP% %IPadd% %IgnoreHost% %IPadd% %*

File 3)

<ELA home>\server\conf\wrapper.conf

Search for the line #wrapper.app.parameter.1=com.adventnet.mfw.Starter
Remove the # from the line; it should now look like wrapper.app.parameter.1=com.adventnet.mfw.Starter
The next line from the current position should be #wrapper.app.parameter.2=-L../lib/AdventNetDeploymentSystem.jar. Add the following two lines after this line, one after the other:
wrapper.app.parameter.2=-b xxx.xxx.xxx.xxx
wrapper.app.parameter.3=-Dspecific.bind.address=xxx.xxx.xxx.xxx
The block should now look like this:

wrapper.app.parameter.1=com.adventnet.mfw.Starter
#wrapper.app.parameter.2=-L../lib/AdventNetDeploymentSystem.jar
wrapper.app.parameter.2=-b xxx.xxx.xxx.xxx
wrapper.app.parameter.3=-Dspecific.bind.address=xxx.xxx.xxx.xxx

File 4)

<ELA home>\conf\server.xml

Search for the following block:

<Connector SSLEnabled="false" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0"
clientAuth="false" compressableMimeType="text/html,text/xml" compression="force"
compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true"
enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
name="WebServer" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1"
scheme="http" secure="false"/>

Replace address="0.0.0.0" with address="xxx.xxx.xxx.xxx"

It should now look like the following:

<Connector SSLEnabled="false" URIEncoding="UTF-8" acceptCount="100" address="xxx.xxx.xxx.xxx"
clientAuth="false" compressableMimeType="text/html,text/xml" compression="force"
compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true"
enableLookups="false" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
name="WebServer" noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1"
scheme="http" secure="false"/>

File 5)

<ELA home>\conf\database_params.conf

Search for the line url=jdbc:postgresql://127.0.0.1:33335/eventlog?stringtype=unspecified


Replace the 127.0.0.1 with your xxx.xxx.xxx.xxx, the line should now look
like url=jdbc:postgresql://xxx.xxx.xxx.xxx:33335/eventlog?stringtype=unspecified

File 6)

<ELA home>\pgsql\data\postgresql.conf

Search for the line #listen_addresses = 'localhost'


Remove the # from the line.
Replace the 'localhost' with 'xxx.xxx.xxx.xxx', the line should now look like listen_addresses = 'xxx.xxx.xxx.xxx'

File 7)

<ELA home>\pgsql\data\pg_hba.conf

Search for the following block

# IPv4 local connections:
host all all 127.0.0.1/32 trust

Duplicate the host all all 127.0.0.1/32 trust line with the new IP address in place of 127.0.0.1 and add it after that line: copy the line, paste it on the next line, and then edit the IP address.

It should look like this

# IPv4 local connections:
host all all 127.0.0.1/32 trust
host all all xxx.xxx.xxx.xxx/32 trust

Start EventLog Analyzer and check <ELA home>\logs\wrapper.log for the current status.
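The following Python script is added here as an example and is not part of EventLog Analyzer. It applies the IP-binding edits from the application and service procedures above to the seven files of the service case; each edit_* function works on file text and returns the modified text, so the change can be checked offline, and apply_binding() writes the files after taking .bak copies. The relative paths and line patterns are taken from the procedure; the sample IP address and file contents used below are constructed.

```python
"""Apply the guide's seven-file IP-binding edits to an EventLog Analyzer install.

Added example, not EventLog Analyzer code. File paths and line patterns come
from the guide's service procedure; anything else is an assumption.
"""
import ipaddress
import re
import shutil
from pathlib import Path


def _newline(text: str) -> str:
    """Keep the file's own line ending (batch files are usually CRLF)."""
    return "\r\n" if "\r\n" in text else "\n"


def edit_setcommonenv(text: str, ip: str) -> str:
    """File 1: append -Dspecific.bind.address=<ip> to the JAVA_OPTS line."""
    opt = f"-Dspecific.bind.address={ip}"
    if opt in text:
        return text  # already applied
    return re.sub(r"^(set JAVA_OPTS=[^\r\n]*)", lambda m: f"{m.group(1)} {opt}",
                  text, count=1, flags=re.M)


def edit_runsec(text: str, ip: str) -> str:
    """File 2: put -bindip <ip> directly after the SysEvtCol.exe invocation."""
    if f"-bindip {ip}" in text:
        return text
    return text.replace('SysEvtCol.exe" -port', f'SysEvtCol.exe" -bindip {ip} -port', 1)


def edit_wrapper(text: str, ip: str) -> str:
    """File 3: enable app.parameter.1 and add the -b and bind.address parameters."""
    if f"wrapper.app.parameter.2=-b {ip}" in text:
        return text
    nl = _newline(text)
    text = text.replace("#wrapper.app.parameter.1=com.adventnet.mfw.Starter",
                        "wrapper.app.parameter.1=com.adventnet.mfw.Starter", 1)
    marker = "#wrapper.app.parameter.2=-L../lib/AdventNetDeploymentSystem.jar"
    added = (f"{marker}{nl}wrapper.app.parameter.2=-b {ip}{nl}"
             f"wrapper.app.parameter.3=-Dspecific.bind.address={ip}")
    return text.replace(marker, added, 1)


def edit_server_xml(text: str, ip: str) -> str:
    """File 4: bind the web server connector to <ip> instead of all interfaces."""
    return text.replace('address="0.0.0.0"', f'address="{ip}"', 1)


def edit_database_params(text: str, ip: str) -> str:
    """File 5: point the JDBC URL at the bound address."""
    return text.replace("jdbc:postgresql://127.0.0.1:", f"jdbc:postgresql://{ip}:", 1)


def edit_postgresql_conf(text: str, ip: str) -> str:
    """File 6: uncomment listen_addresses and set it to <ip>, keeping the trailing comment."""
    return re.sub(r"^#?listen_addresses\s*=\s*'localhost'",
                  f"listen_addresses = '{ip}'", text, count=1, flags=re.M)


def edit_pg_hba(text: str, ip: str) -> str:
    """File 7: duplicate the IPv4 loopback rule for <ip>.

    The guide's rule uses the 'trust' method, which accepts connections from
    that source address without a password; only 127.0.0.1 and the bound
    address match, so any other source still has no matching rule. Real files
    separate the columns with runs of spaces, so the pattern allows that.
    """
    if f"{ip}/32" in text:
        return text
    pattern = r"^(host[ \t]+all[ \t]+all[ \t]+127\.0\.0\.1/32[ \t]+trust)[ \t]*(\r?)$"
    new, n = re.subn(pattern,
                     lambda m: f"{m.group(1)}{m.group(2)}\nhost all all {ip}/32 trust{m.group(2)}",
                     text, count=1, flags=re.M)
    if n == 0:
        raise ValueError("pg_hba.conf: IPv4 loopback rule not found")
    return new


# Relative paths from the guide's seven-file list.
EDITS = {
    "bin/setCommonEnv.bat": edit_setcommonenv,
    "bin/runSEC.bat": edit_runsec,
    "server/conf/wrapper.conf": edit_wrapper,
    "conf/server.xml": edit_server_xml,
    "conf/database_params.conf": edit_database_params,
    "pgsql/data/postgresql.conf": edit_postgresql_conf,
    "pgsql/data/pg_hba.conf": edit_pg_hba,
}


def apply_binding(ela_home: str, ip: str, dry_run: bool = True) -> list:
    """Rewrite the seven files under ela_home; return the names of the files that changed.

    With dry_run=True nothing is written; otherwise each changed file is first
    copied to <name>.bak, as the guide's note asks for a backup before editing.
    """
    ipaddress.IPv4Address(ip)  # raises ValueError on anything but a plain IPv4 literal
    changed = []
    for rel, edit in EDITS.items():
        path = Path(ela_home, rel)
        old = path.read_text(encoding="utf-8")
        new = edit(old, ip)
        if new != old:
            changed.append(rel)
            if not dry_run:
                shutil.copy2(path, path.with_name(path.name + ".bak"))
                path.write_text(new, encoding="utf-8")
    return changed
```

Run apply_binding with the service stopped, as the procedure requires, and with dry_run=False only after reviewing the list it returns in dry-run mode.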

Startup and Shut Down

MySQL-related errors on Windows machines

Probable cause: An instance of MySQL is already running on this machine.

Solution: Shut down all instances of MySQL and then start the EventLog Analyzer server.

Probable cause: Port 33335 is not free

Solution: Kill the other application running on port 33335. If you cannot free this port, then change the MySQL port
used in EventLog Analyzer.

EventLog Analyzer displays "Port 8400 needed by EventLog Analyzer is being used by another application. Please
free the port and restart EventLog Analyzer" when trying to start the server

Probable cause: The default web server port used by EventLog Analyzer is not free.

Solution: Kill the other application running on port 8400. Carry out the following steps.

Stop the EventLog Analyzer service.
Open wrapper.conf, which is available under the <EventLog Analyzer Home>/server/conf folder.
Append the line below under the # Java Additional Parameters section:

wrapper.java.additional.21=-Djava.net.preferIPv4Stack=true

Before adding:

wrapper.java.additional.20=-Dorg.tanukisoftware.wrapper.WrapperManager.mbean=false

After adding:

wrapper.java.additional.20=-Dorg.tanukisoftware.wrapper.WrapperManager.mbean=false
wrapper.java.additional.21=-Djava.net.preferIPv4Stack=true

Start the EventLog Analyzer service.

If you cannot free this port, then change the web server port used in EventLog Analyzer.

EventLog Analyzer displays "Can't Bind to Port <Port Number>" when logging into the UI.

Probable cause: The syslog listener port of EventLog Analyzer is not free.

Solution:

Check for the process that is occupying the syslog listener port, using netstat -anp -pudp, and if possible, free up this port.
If you have started the server on a UNIX machine, please ensure that you start the server as the root user.
Or, configure EventLog Analyzer to listen on a different syslog listener port and ensure that all your configured devices send their syslog to the newly configured syslog listener port of EventLog Analyzer.

Start up and shut down batch files not working on Distributed Edition when taking a backup.

Probable cause: Path names given incorrectly.

Solution:

Download "Automated.zip" and extract the files "startELAservice.bat" and "stopELAservice.bat" to the <ELA home>/bin folder.
Create a Windows schedule as per your requirement and ensure that the path is the <ELA Home>/bin folder.
If you would like to keep the files in a different folder, you need to edit the downloaded files and give the absolute path as below (e.g., if the application is installed on e:\):
e:\ManageEngine\EventLog\bin\wrapper.exe -p ..\server\conf\wrapper.conf ---> to stop the EventLog Analyzer service.
e:\ManageEngine\EventLog\bin\wrapper.exe -t ..\server\conf\wrapper.conf ---> to start the EventLog Analyzer service.

Note: The script will work only if the application is started as a service.

EventLog Analyzer displays "Couldn't start elasticsearch at port 9300".

Probable cause: requiretty is not disabled.

Solution: To disable requiretty, replace requiretty with !requiretty in the /etc/sudoers file.

Note: Elasticsearch uses multiple thread pools for different types of operations, so it is important that new threads can be created whenever necessary. Make sure that the number of threads the elasticsearch user can create is at least 4096, either by running ulimit -u 4096 as root before starting Elasticsearch or by adding elasticsearch - nproc 4096 to /etc/security/limits.conf.

Configuration

While adding a device for monitoring, the 'Verify Login' action throws an RPC server unavailable error.

The probable reason and the remedial action are:

Probable cause: The device machine's RPC (Remote Procedure Call) port is blocked by a firewall.
Solution: Unblock the RPC ports in the firewall.

While adding a device for monitoring, the 'Verify Login' action throws an 'Access Denied' error.

The probable reasons and the remedial actions are:

Probable cause: The device machine is not reachable from the EventLog Analyzer machine.

Solution: Check the network connectivity between the device machine and the EventLog Analyzer machine using the PING command.

Probable cause: The device machine is running a System Firewall and the REMOTEADMIN service is disabled.

Solution: Check whether the System Firewall is running on the device. If it is, execute the following command in the command prompt window of the device machine:
netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all

When the WBEM test is carried out, it fails and shows an error message with code 80041010 on Windows Server 2003.

The probable reasons and the remedial actions are:

Probable cause: By default, the WMI component is not installed on Windows Server 2003.

Solution: The Win32_Product class is not installed by default on Windows Server 2003. To add the class, follow the procedure given below:

1. In Add or Remove Programs, click Add/Remove Windows Components.

2. In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.

3. In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and then click OK.

4. Click Next.

How to enable Object Access logging in Linux OS?

The probable reasons and the remedial actions are:

Probable cause: The object access log is not enabled in Linux OS.

Solution: The steps to enable object access logging in Linux OS are given below:

In the file /etc/xinetd.d/wu-ftpd, edit the server arguments as mentioned below:

server_args = -i -o -L

What are the commands to start and stop the Syslog Daemon in Solaris 10?

The probable reasons and the remedial actions are:

Probable cause: Unable to start or stop Syslog Daemon in Solaris 10

Solution: In Solaris 10, the commands to stop and start the syslogd daemon are:

# svcadm disable svc:/system/system-log:default

# svcadm enable svc:/system/system-log:default

In Solaris 10, to restart the syslogd daemon and force it to reread /etc/syslog.conf:

# svcadm refresh svc:/system/system-log:default

(or)

# svcadm -v restart svc:/system/system-log:default

While configuring incident management with ServiceDesk, I am facing an SSL connection error.

This error can occur if the ServiceDesk server's HTTPS certificate is not included in EventLog Analyzer's JRE
certificate store. To import the certificate into EventLog Analyzer's JRE certificate store, follow the steps below:

1. Place the server's certificate in your browser's certificate store by choosing to trust it when your browser shows
the error saying that the certificate is not trusted.

2. Export the certificate as a binary DER file from your browser.

For Firefox, you can find this under Preferences > Advanced > Encryption > Servers

For IE, Internet Options > Content > Certificates > Personal > Export

For Chrome, Settings > Show Advanced Settings > Manage Certificates

3. Use the keytool utility to import the certificate into EventLog Analyzer's JRE certificate store:

keytool -import -alias <SDP server> -keystore <EventLog Analyzer Home>/lib/security/cacerts -file <path-to-certificate-file>

Enter the keystore password. Note that the default password is changeit.

File Integrity Monitoring (FIM) troubleshooting

Try the following troubleshooting steps if a username is enabled for a particular folder.

Note: The following GUI is for the SACL entry in folder properties.



Port management error codes

The following are some of the common errors, their causes, and the possible solutions. Feel free to contact our
support team for more information.

Port already used by some other application

Cause: Cannot use the specified port because it is already used by some other application.

Solution: This can be solved either by changing the port used by the other application or by using a new port for
EventLog Analyzer.

If you use a new port, make sure to change the port in the forwarding devices as well, either manually or using the auto
log forwarding configuration.

TLS not configured

Cause: HTTPS is not configured, so TLS-encrypted log reception is not supported.

Solution: Configure the server to use either a self-signed certificate or a valid PFX certificate.

For more details visit Connection settings.

PFX not configured

Cause: HTTPS is configured, but the type of certificate is not supported.

Solution 1: If no valid certificate is used, it is recommended to use a self-signed certificate (SelfSignedCertificate).

To find the type of certificate used, open the Conf/Server.xml file, locate the Connector tag, and check the file
extension of the keystoreFile attribute.

Solution 2: If a valid KeyStore certificate is used, execute the following command in a terminal in the <EventLog Analyzer
home>/jre/bin directory:

keytool -importkeystore -srckeystore <certificate path> -destkeystore server.pfx -deststoretype PKCS12 -deststorepass <password> -srcalias tomcat -destalias tomcat

For more details visit Connection settings.

External error

Cause: Unknown external issue.

Solution: Please contact EventLog Analyzer Technical Support.



The event source file(s) configuration throws the "Unable to discover files" error.

Possible remedial actions include:

Check the credentials of the machine.

Check the connectivity of the device.

Ensure that the Remote Registry service is not disabled.

The user should have admin privileges.

The open keys and keys with sub-keys cannot be deleted.

Error statuses in File Integrity Monitoring (FIM).


Permission denied

Causes

Credentials may be incorrect.

Credentials may have insufficient privileges.

Solutions

Credentials can be checked by logging in to the device through an SSH terminal.

Credentials with the privilege to start, stop, and restart the audit daemon, and also to transfer files to the Linux
device, are necessary.

Audit service unavailable

Cause

The audit daemon service is not present in the selected Linux device.

Solution

The audit daemon package must be installed along with Audisp.

Access restriction from SELinux

Cause

SELinux hinders the running of the audit process.

Solutions

SELinux's status can be checked using the getenforce command.

Configure SELinux in permissive mode (denials are then logged but not enforced). After changing it to permissive mode,
navigate to the Manage Agent page and click on Reinstall to reinstall the agent.



Agent upgrade failure

Causes

No connectivity with the agent during product upgrade.


Incorrect credentials.

Solutions

Manually install the agent by navigating to the Manage Agent page.


To install agent:
Windows device: Run the EventLogAgent.msi.

Linux device: Execute chmod +x EventLogAgent.bin, then run EventLogAgent.bin.

Agent Installation Failed

Causes

The machine may be offline.

The machine may not exist.

The network path may not be reachable.

Solutions

Ping the device to confirm that it exists and is reachable.

Manually install the agent by navigating to the Manage Agent page.

Agent Installation on Incompatible Platform

Causes

The agent is installed on a host which has neither a Linux nor a Windows OS.

Solutions

Supported Linux distributions are CentOS, Debian, Fedora, openSUSE, Red Hat, and Ubuntu.

Windows versions greater than 5.2 (Windows Server 2003) are supported.

Log Collection and Reporting



I've added a device, but EventLog Analyzer is not collecting event logs from it

Probable cause: The device machine is not reachable from the EventLog Analyzer server machine

Solution: Check if the device machine responds to a ping command. If it does not, then the machine is not reachable.
The device machine has to be reachable from the EventLog Analyzer server in order to collect event logs.

Probable cause: You do not have administrative rights on the device machine

Solution: Edit the device's details, and enter the Administrator login credentials of the device machine. Click Verify
Login to see if the login was successful.

Error Code 0x251C

Probable cause: The device was added when importing application logs associated with it. In this case, only the
specified application logs are collected from the device, and the device type is listed as unknown.

Solution:

1. Click on the update icon next to the device name.

2. Select the appropriate device type.

3. Provide any other required information for the selected device type.

4. Click on update.

I get an Access Denied error for a device when I click on "Verify Login" but I have given the correct login
credentials

Probable cause: There may be other reasons for the Access Denied error.

Solution: Refer to the Cause and Solution for the Error Code you got during Verify Login.

Error Code 0x80070005

Scanning of the Windows workstation failed due to one of the following reasons:

1. The login name and password provided for scanning are invalid on the workstation.

Solution: Check if the login name and password are entered correctly.

2. The Remote DCOM option is disabled on the remote workstation.

Solution: Check if Remote DCOM is enabled on the remote workstation. If it is not enabled, enable it in the
following way:

1. Select Start > Run.

2. Type dcomcnfg in the text box and click OK.

3. Select the Default Properties tab.

4. Select the Enable Distributed COM in this machine checkbox.

5. Click OK.

To enable DCOM on Windows XP devices:

1. Select Start > Run.

2. Type dcomcnfg in the text box and click OK.

3. Click on Component Services > Computers > My Computer.

4. Right-click and select Properties.

5. Select the Default Properties tab.

6. Select the Enable Distributed COM in this machine checkbox.

7. Click OK.

3. The user account is invalid on the target machine.

Check if the user account is valid on the target machine by opening a command prompt and executing the following
commands:

> net use \\<RemoteComputerName>\C$ /u:<DomainName>\<UserName> "<password>"

> net use \\<RemoteComputerName>\ADMIN$ /u:<DomainName>\<UserName> "<password>"

If these commands show any errors, the provided user account is not valid on the target machine.

Error Code 0x80041003


The user name provided for scanning does not have sufficient access privileges to perform the scanning operation.
This user may not belong to the Administrator group for this device machine.

Solution: Move the user to the Administrator Group of the workstation or scan the machine using an administrator
(preferably a Domain Administrator) account.

Error Code 0x800706ba

A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2), when the
default Windows firewall is enabled.

Solution:



1. Disable the default Firewall in the Windows XP machine:

Select Start > Run

Type Firewall.cpl and click OK

In the General tab, click Off

Click OK

2. If the firewall cannot be disabled, launch Remote Administration for administrators on the remote machine by
executing the following command (this keeps the firewall on and opens only the remote administration exception):

> netsh firewall set service RemoteAdmin enable

After scanning, you can disable Remote Administration using the following command:

> netsh firewall set service RemoteAdmin disable

Error Code 0x80040154


1. WMI is not available in the remote Windows workstation. This happens in Windows NT. Such error codes might
also occur in higher versions of Windows if the WMI components are not registered properly.

Solution: Install WMI core in the remote workstation.

2. WMI components are not registered.

Solution: Register the WMI DLL files by executing the following command in the command prompt:

winmgmt /RegServer

Error Code 0x80080005


There is some internal execution failure in the WMI service (winmgmt.exe) running in the device machine. The last
update of the WMI Repository in that workstation could have failed.

Solution:
Restart the WMI Service in the remote workstation:

1. Select Start > Run

2. Type Services.msc and click OK

3. In the Services window that opens, select Windows Management Instrumentation service.

4. Right-click and select Restart

For any other error codes, refer to the MSDN knowledge base.



I have added a Custom alert profile and enabled it, but the alert is not generated in EventLog Analyzer even
though the event has occurred on the device machine

Probable cause: The alert criteria have not been defined properly

Solution: Please ensure that the required fields in the Add Alert Profile screen have been filled in properly. Check if the
e-mail address provided is correct. Ensure that the Mail server has been configured correctly.

When I create a Custom Report, I am not getting the report with the configured message in the Message Filter

Probable cause: The message filters have not been defined properly

Solution: When you are entering the string in the Message Filters for matching with the log message, ensure you
copy/enter the exact string as shown in the Windows Event Viewer.
e.g., Logon Name:John

MS SQL server for EventLog Analyzer stopped

Probable cause: The transaction logs of MS SQL could be full

Solution: If the EventLog Analyzer MS SQL database transaction logs are full, shrink them with the procedure
given below:

1. Stop the EventLog Analyzer server/service (check the EventLog Analyzer server machine's Task Manager to
ensure that the processes 'SysEvtCol.exe' and 'Java.exe' are not running).

2. Connect to MS SQL (using Microsoft SQL Server Management Studio) and execute the query below. To execute the
query, select and highlight the command and press the F5 key.

sp_dboption 'eventlog', 'trunc. log on chkpt.', 'true'

3. After executing the above command, select and highlight the command below and press the F5 key to execute it.

DBCC SHRINKDATABASE (eventlog)

Note: This process will take some time, depending on the EventLog Analyzer database size.

4. Start EventLog Analyzer.

I successfully configured Oracle device(s), but still cannot view the data

If the Oracle device is Windows, open Event Viewer on that machine and check for Oracle source logs under the Application
log. If Linux, check the appropriate log file to which you are writing Oracle logs. If the Oracle logs are available in the
specified file but EventLog Analyzer is still not collecting the logs, contact EventLog Analyzer Support.




The Syslog host is not added automatically to EventLog Analyzer/the Syslog reception has suddenly stopped

Check EventLog Analyzer's live Syslog Viewer for incoming Syslog packets.

If you are able to view the logs, it means that the packets are reaching the machine, but not EventLog Analyzer.
You need to check your Windows firewall or Linux iptables rules.

If you are not able to view the logs in the Syslog Viewer, then check if the EventLog Analyzer server is reachable. This
can be done in the following ways:

1. Ping the server.

2. For TCP, you can try the command telnet <ela_server_name> <port_no>, where 514 is the default TCP port.

3. Run tcpdump:

> tcpdump -n dst <ela_server_name> and dst port <port_no>

If the server is reachable, there was some issue with the configuration. If it is not reachable, you are facing a network
issue.
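To perform the TCP check from steps 2 and 3 without telnet or tcpdump, here is an added Python example (not code from the product or this guide): it builds an RFC 3164 style test line, sends it to the syslog port and reports whether the connection was refused, timed out or succeeded, so you can tell "nothing listening" from "filtered by a firewall". The hostnames, the ela-check tag and the small local listener used to exercise it offline are assumptions of mine.

```python
"""Added example: send a test syslog line to a receiver and report why delivery fails.

Assumptions (not from the guide): the receiver host/port are supplied by the caller;
CapturingTcpListener stands in for the real EventLog Analyzer port so the check runs offline.
"""
import socket
import threading
from datetime import datetime
from typing import Optional, Tuple

# Constructed timestamp so the sample message is reproducible.
SAMPLE_TIMESTAMP = datetime(2024, 1, 5, 13, 7, 9)


def build_syslog_message(hostname: str, tag: str, msg: str, facility: int = 1,
                         severity: int = 6, when: Optional[datetime] = None) -> bytes:
    """Build an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host tag: msg.

    PRI = facility * 8 + severity; facility 1 (user) and severity 6 (info) give <14>.
    The day is space-padded ("Jan  5"), as the BSD syslog format expects.
    """
    when = when or datetime.now()
    pri = facility * 8 + severity
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}\n".encode("ascii")


def send_tcp_syslog(host: str, port: int, payload: bytes, timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect to the receiver over TCP (syslog's default TCP port is 514) and send one line.

    Returns (ok, detail); detail separates the cases the guide asks you to distinguish:
    port filtered (timeout), nothing listening (refused) and general network failure.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
        return True, "sent"
    except socket.timeout:
        return False, "timeout: host did not answer (firewall/iptables filtering or wrong port?)"
    except ConnectionRefusedError:
        return False, "refused: host is up but nothing is listening on that port"
    except OSError as exc:
        return False, f"network error: {exc} (check routing/DNS and that the server is reachable)"


def send_udp_syslog(host: str, port: int, payload: bytes) -> Tuple[bool, str]:
    """UDP delivery cannot be confirmed by the sender; watch it arrive with tcpdump on the receiver."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(payload, (host, port))
        return True, "datagram sent (delivery unconfirmed)"
    except OSError as exc:
        return False, f"network error: {exc}"


class CapturingTcpListener(threading.Thread):
    """Minimal TCP receiver used only to exercise the check offline (port 0 = pick a free port)."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0) -> None:
        super().__init__(daemon=True)
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        self.received = b""
        self._done = threading.Event()

    def run(self) -> None:
        conn, _ = self._srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # sender closed the connection
                    break
                self.received += chunk
        self._srv.close()
        self._done.set()

    def wait_for_data(self, timeout: float = 5.0) -> bytes:
        self._done.wait(timeout)
        return self.received


def closed_local_port() -> int:
    """Reserve and release an ephemeral port so a connection to it is refused (test helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    listener = CapturingTcpListener()
    listener.start()
    line = build_syslog_message("web01", "ela-check", "reachability test", when=SAMPLE_TIMESTAMP)
    print(send_tcp_syslog("127.0.0.1", listener.port, line))
    print(listener.wait_for_data())
```

Against a real server, call send_tcp_syslog("<ela_server_name>", 514, line) and then confirm in the Syslog Viewer that the ela-check line arrived.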

EventLog Analyzer agent management


If you have trouble installing the agent using the EventLog Analyzer console, GPOs or software installation tools, you can
try to install the agent manually. Here are the steps for manual agent installation.

Performance
For troubleshooting, please follow the steps below:

1. Check if other applications are blocking the CPU cycle for EventLog Analyzer.

2. If a virtual machine is used, check for over provisioning or if snapshots are affecting the performance.

3. If the log flow rate is high, please check our tuning guide.

Error messages while adding STIX/TAXII servers to EventLog Analyzer

While I was trying to add a STIX/TAXII server to EventLog Analyzer, I got the following error messages. What do they
mean?



This feature has been disabled for Online Demo!

This error message pops up when the feature you tried to use is not available in the online demo version of EventLog
Analyzer. To try out that feature, download the free version of EventLog Analyzer.

Connection failed. Please try configuring proxy server.

This error message can have several causes: network issues, proxy-related issues, bad requests in the network, or a
URL that does not point to a STIX/TAXII server.

Failed to connect to the URL.

This error message denotes that the URL entered is malformed.

Authorization failed.

This error message signifies that the credentials entered are wrong.

SSL Troubleshooting steps


Certificate name mismatch

Description:

This error occurs when the common name of the SSL Certificate doesn't exactly match the hostname of the server in
which the EventLog Analyzer is installed.

Solution:

Please get a new SSL certificate for the current hostname of the server in which EventLog Analyzer is installed.

Invalid Certificate

Description:

This error occurs when the SSL certificate you have configured with EventLog Analyzer is invalid. A certificate can
become invalid if it has expired, among other reasons.

Solution:

Please configure EventLog Analyzer to use a valid SSL certificate.

SMS Settings



Troubleshooting SSLHandshakeException in SMS Server Settings.

Description:

This exception occurs when you configure an SMTP mail server or a web server with SSL in EventLog Analyzer, and
the server uses a self-signed certificate. The Java Runtime Environment used by EventLog Analyzer will not trust self-
signed certificates unless they are explicitly imported.

Solution:
You need to import the self-signed certificate used by the server into the JRE package used by EventLog Analyzer.
Follow the steps given below:

Step 1: Download the certificate

For SMTP servers:

Note:
To download the certificate used by the SMTP server, you must have OpenSSL installed. You can
download it from here.

Open the command prompt and change to the bin folder in the OpenSSL installation location.
Now run the following command:

> openssl.exe s_client -connect <SMTPServer>:<PortNo> -starttls smtp > <certificatename>.cer

For example, openssl.exe s_client -connect smtp.gmail.com:587 -starttls smtp > gmailcert.cer

For Web Servers:

Open the web URL in a browser.

Click the padlock icon on the address bar.

Click More Information. This opens the Certificate Viewer window showing the certificate used by that web
server.

Click View Certificate.

When the Certificate window showing the Certificate Information Authority opens, click the Details tab.

Click Copy to File.

In the Certificate Export Wizard that opens, click Next.

Select the format as DER encoded binary X.509 (.CER) and click Next.

Enter the path where you wish to save the file and click Finish.

Step 2: Import the certificates in JRE package of EventLog Analyzer.



Open a command prompt and change to the \jre\bin folder. For example:
C:\ManageEngine\EventLogAnalyzer\jre\bin.

Run the following command:

> keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file <path-to-certificate-file>

For example: keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file C:\smtpcert.cer

Enter changeit when prompted for a password.

Enter y when prompted Yes or No.

Close the command prompt and restart EventLog Analyzer.
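As an added example (not the product's or this guide's code), the Python below carries out Step 1 programmatically for both server types and prepares the Step 2 command: it fetches the leaf certificate an SMTP server presents after STARTTLS or an HTTPS server presents directly, or extracts the PEM block from saved openssl s_client output, writes a DER .cer file, and computes the SHA-256 fingerprint so you can confirm it with the server's administrator before trusting it in the JRE. The function names, the sample s_client text and the EventLog Analyzer home path are assumptions.

```python
"""Added example: retrieve a server's TLS certificate as a DER .cer file for keytool -importcert.

Assumptions (not from the guide): the function names, SAMPLE_S_CLIENT_OUTPUT and the
EventLog Analyzer home path passed to keytool_import_argv are constructed for illustration.
"""
import hashlib
import re
import smtplib
import socket
import ssl
from typing import List, Optional

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-in for `openssl s_client` output; the base64 body is just the bytes
# b"constructed", not a real certificate, so the parsing path can be exercised offline.
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = smtp.example.test\n"
    "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
    "---\nServer certificate\n250 OK\n"
)


def _fetch_only_context() -> ssl.SSLContext:
    """Context that skips verification: the JRE does not trust this certificate yet, which is
    the whole point. Use it only for this retrieval, never for normal client connections."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_tls_cert_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Leaf certificate presented by an HTTPS (or any direct-TLS) server, DER encoded."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _fetch_only_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fetch_smtp_starttls_cert_der(host: str, port: int = 587, timeout: float = 10.0) -> bytes:
    """Leaf certificate an SMTP server presents after STARTTLS (the guide's smtp.gmail.com:587 case)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=_fetch_only_context())
        return smtp.sock.getpeercert(binary_form=True)


def extract_pem_certificate(s_client_output: str) -> Optional[str]:
    """First PEM certificate block in raw `openssl s_client` output, or None if absent.

    Redirecting the whole s_client transcript into a .cer file (as in the guide's command)
    keeps the surrounding chatter; keytool wants just the certificate."""
    match = PEM_BLOCK.search(s_client_output)
    return match.group(0) + "\n" if match else None


def pem_to_der(pem: str) -> bytes:
    """Decode a PEM certificate to DER (the 'DER encoded binary X.509 (.CER)' format)."""
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint; compare it with the value the server admin reports."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def write_cer(der: bytes, path: str) -> str:
    """Save DER bytes as the .cer file that keytool -importcert reads."""
    with open(path, "wb") as fh:
        fh.write(der)
    return path


def keytool_import_argv(ela_home: str, cer_path: str, alias: str, storepass: str = "changeit") -> List[str]:
    """argv for Step 2; the guide's default keystore password is changeit (-noprompt skips the y/n)."""
    return [
        f"{ela_home}/jre/bin/keytool", "-importcert", "-noprompt",
        "-alias", alias,
        "-keystore", f"{ela_home}/jre/lib/security/cacerts",
        "-storepass", storepass,
        "-file", cer_path,
    ]


if __name__ == "__main__":
    der = pem_to_der(extract_pem_certificate(SAMPLE_S_CLIENT_OUTPUT) or "")
    print(sha256_fingerprint(der))
    print(" ".join(keytool_import_argv("C:/ManageEngine/EventLogAnalyzer", "C:/smtpcert.cer", "myprivateroot")))
```

Run the argv through subprocess.run after you have verified the fingerprint; restart EventLog Analyzer afterwards as Step 2 says.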

Threat Intelligence Troubleshooting Tips


IP Geolocation data store corruption

This may happen when the product shuts down while the data store is updating and there is no backup available.

Troubleshooting steps:

This is a rare scenario and it happens only when the product shuts down abruptly during the first ever download
of IP geolocation data.

There is no need to troubleshoot, as EventLog Analyzer will automatically download the data in the next
schedule. Please note that the IP geolocation data gets automatically updated daily at 21:00 hours.

IP Geolocation data update failure

This occurs when there is no internet connection on EventLog Analyzer server or if the server is unreachable.

Troubleshooting steps:

Make sure you have a working internet connection.

Whitelist https://creator.zoho.com in your firewall.



EventLog Analyzer - Frequently Asked Questions
What is the difference between the Free and Professional Editions?

The Free Edition of EventLog Analyzer is limited to handling event logs from a maximum of five devices, whereas the
Professional Edition can handle event logs from an unlimited number of devices. There is no other difference
between the two editions, with respect to features or functionality.

Is a trial version of EventLog Analyzer available for evaluation?

Yes, a 30-day free trial version can be downloaded here. At the end of 30 days it automatically becomes a Free
Edition, unless a new license is applied.

Does the trial version have any restrictions?

The trial version is a fully functional version of EventLog Analyzer Premium Edition. When the trial period expires,
EventLog Analyzer automatically reverts to the Free Edition.

Do I have to reinstall EventLog Analyzer when moving to the paid version?

No, you do not have to reinstall or shut down the server. You just need to enter the new license file in the Upgrade
License box.

What devices can EventLog Analyzer collect event logs from?

This depends on the platform on which EventLog Analyzer is installed. If installed on a Windows machine, EventLog
Analyzer can collect event logs or syslogs from Windows and Unix devices, Cisco Switches and Routers, and other
syslog devices . If installed on a Unix machine, EventLog Analyzer can collect syslogs only from Unix devices, Cisco
Switches and Routers, and other syslog devices.

How many users can access the application simultaneously?

This depends only on the capacity of the server on which EventLog Analyzer is installed. The EventLog Analyzer
license does not limit the number of users accessing the application at any time.

EventLog Analyzer runs in a web browser. Does that mean I can access it from anywhere?

Yes. As long as the web browser can access the server on which EventLog Analyzer is running, you can work with
EventLog Analyzer from any location.

How do I buy EventLog Analyzer?

You can buy EventLog Analyzer directly from the ManageEngine Online Store, or from a reseller near your location.



Can EventLog Analyzer work if DCOM is disabled on remote systems?

No. EventLog Analyzer cannot work if DCOM is disabled on remote systems. You need to have DCOM enabled in
remote windows servers for the logs to get collected and shown in EventLog Analyzer.

How to monitor Windows Events in EventLog Analyzer Linux Installation?

To monitor Windows Events in ELA Linux installation, you need to convert Windows Event messages into Syslog
messages. To convert the message you have to use a separate tool.

Installation
What are the recommended minimum system requirements for EventLog Analyzer?

It is recommended that you install EventLog Analyzer on a machine with the following configuration:

1. Processor - Pentium 4 - 1.5GHz

2. RAM - 2GB

3. Disk Space - 5GB

4. Operating System - Windows 7, 2000, XP, 2003, Linux Ubuntu 8.0/9.0

5. Web Browser - Internet Explorer 6.0, or Mozilla Firefox 1.0

Look up System Requirements to see the minimum configuration required to install and run EventLog Analyzer.

Can I install EventLog Analyzer as a root user?

EventLog Analyzer can be started as a root user, but all file permissions will be changed, and later you cannot start
the server as another user.

When I try to access the web client, another web server comes up. How is this possible?

The web server port you have selected during installation is possibly being used by another application. Configure
that application to use another port, or change the EventLog Analyzer web server port.

Is a database backup necessary, or does EventLog Analyzer take care of this?

The archiving feature in EventLog Analyzer automatically stores all logs received in zipped flat files. You can
configure archiving settings to suit the needs of your enterprise. Apart from that, if you need to backup the database,
which contains processed data from event logs, you can run the database backup utility, BackupDB.bat/.sh present in
the <EventLog Analyzer Home>/troubleshooting directory.

How to take database backup?

PostgreSQL database - For Build 8010 onwards



To take a backup of the existing EventLog Analyzer PostgreSQL database, ensure that the EventLog Analyzer server
or service is stopped and create a ZIP file of the contents of <EventLog Analyzer Home>/pgsql directory and save it.

MSSQL database

Steps to take backup of MSSQL database:

Find the current location of the data file and log file for the database eventlog by using the following commands:

> use eventlog

go

sp_helpfile

go

Detach the database by using the following commands:

> use master

go

sp_detach_db 'eventlog'

go

Back up the data file and log file from the current location (<MSSQL Home>\data\eventlog.mdf and the
corresponding transaction log file (.ldf) listed by sp_helpfile) by zipping and saving the files.

MySQL database - For Build 8000 or earlier

To take a backup of the existing EventLog Analyzer MySQL database, ensure that the EventLog Analyzer server or
service is stopped and create a ZIP file of the contents of <EventLog Analyzer Home>/mysql directory and save it.

How to configure EventLog Analyzer as a service in Windows, after installation?

Normally, EventLog Analyzer is installed as a service. If you have installed it as an application and not as a service,
you can configure it as a service any time later. The procedure to configure it as a service and to start and stop the
service is given below.

To configure EventLog Analyzer as a service after installation:



1. Stop the EventLog Analyzer application.

2. Execute the following command in a command prompt window in the <EventLog Analyzer Home>\bin
directory:

> service.bat -i

3. Start the EventLog Analyzer service.

How to configure EventLog Analyzer as service in Linux, after installation?

Normally, EventLog Analyzer is installed as a service. If you have installed it as an application and not as a service,
you can configure it as a service any time later. The procedure to configure it as a service and to start and stop the
service is given below.

To configure EventLog Analyzer as a service after installation:

1. Stop the EventLog Analyzer application.

2. Execute the following command:

> sh configureAsService.sh -i

3. Start the EventLog Analyzer service.

Usage of EventLog Analyzer service command

> <EventLog Analyzer Home>/bin # /etc/init.d/eventloganalyzer

Usage: /etc/init.d/eventloganalyzer { console | start | stop | restart | status | dump }

Configuration
How do I add devices to EventLog Analyzer so that it can start collecting event logs?

For Windows devices, enter the device name and the authentication details, and then add the device. For Unix
devices, enter the device name and the port number of the syslog service, and then add the device. (Ensure that the
syslog service is running, and that it is using the same port number specified here.)

How do I see session information of all users registered to log in to EventLog Analyzer?

The session information for each user can be accessed from the User Management link. Click the View link under
Login Details against each user to view the active session information and session history for that user.



How to move EventLog Analyzer to a different machine/server?

Please follow the below steps to move an existing EventLog Analyzer server to a new machine/server.

PostgreSQL database - For Build 8010 onwards

1. Stop the existing EventLog Analyzer server/service.

2. Ensure that the processes 'java.exe', 'postgres.exe' and 'SysEvtCol.exe' are not running/present in the Task
Manager; kill these processes manually if some of them are still running.

3. As a precautionary measure, copy the following complete folders (including the files and sub-folders) to another
drive or to a mapped network drive. This will help restore the settings and data in case of any issue with
the new machine installation.

1. The folder pgsql, located under the <EventLog Analyzer Home> directory

2. The folder Archive, located under the <EventLog Analyzer Home>/archive directory

3. The folder Indexes, located under the <EventLog Analyzer Home>/server/default directory

4. Please download and install in the new machine/server the latest build of Eventlog Analyzer from the following
link: https://www.manageengine.com/products/eventlog/download.html

5. Do not start the newly installed EventLog Analyzer server/service.

6. In the newly installed EventLog Analyzer machine/server, rename the folder pgsql located under <EventLog
Analyzer Home> as old_pgsql.

7. Copy the pgsql folder (including the files and sub-folders), which is located under <EventLog Analyzer Home> ,
from the old machine/server to the newly installed Eventlog Analyzer machine/server.
Note: Kindly take extra care that the EventLog Analyzer is not running on both the systems while performing
this operation.

8. Start the EventLog Analyzer on the new machine and check whether the data and configurations are intact.

MSSQL database



1. Stop Eventlog Analyzer server/service.

2. Download and install the latest build of Eventlog Analyzer in the new server using the following link:
https://www.manageengine.com/products/eventlog/download.html

3. Once you install the application in the new machine, kindly make sure that you do not start the application, or
shut down EventLog Analyzer if it has been started.

4. Please configure the MSSQL server credentials of the earlier Eventlog Analyzer server installation as explained
in the Configuring MSSQL Database topic.

5. Start the Eventlog Analyzer server/service on the new machine and check whether the data and the
configurations are intact.

6. In case of any issues while performing the above steps, please do not continue any further and contact
[email protected] so that we can assist you better.

MySQL database - For Build 8000 or earlier



1. Stop the existing EventLog Analyzer server/service.

2. Ensure that the processes 'java.exe', 'mysqld-nt.exe' and 'SysEvtCol.exe' are not running/present in the Task
Manager; kill these processes manually if some of them are still running.

3. As a precautionary measure, copy the following complete folders (including the files and sub-folders) to another
drive or to a mapped network drive. This will help restore the settings and data in case of any issue with
the new machine installation.

1. The folder MySQL, located under the <EventLog Analyzer Home> directory

2. The folder Archive, located under the <EventLog Analyzer Home>/archive directory

3. The folder Indexes, located under the <EventLog Analyzer Home>/server/default directory

If a MySQL password is set in the old server, also copy the following files:

1. startDB.bat and configureODBC.vbs, located under the <EventLog Analyzer Home>/bin directory.

2. myodbc3.dll and myodbc3s.dll, located under the <EventLog Analyzer Home>/lib directory.

3. mysql-ds.xml, located under the <EventLog Analyzer Home>/server/default/deploy directory.

4. Please download and install in the new machine/server the latest build of Eventlog Analyzer from the following
link: https://www.manageengine.com/products/eventlog/download.html

5. Do not start the newly installed EventLog Analyzer server/service.

6. In the newly installed EventLog Analyzer machine/server, rename the folder MySQL located under <EventLog
Analyzer Home> as OldMySQL.

7. Copy the MySQL folder (including the files and sub-folders), which is located under <EventLog Analyzer Home> ,
from the old machine/server to the newly installed Eventlog Analyzer machine/server.
Note: Kindly take extra care that the EventLog Analyzer is not running on both the systems while performing
this operation.

8. Start the EventLog Analyzer on the new machine and check whether the data and configurations are intact.

How long can I store data in the EventLog Analyzer database?

The DB Storage Options box in the Settings tab lets you configure the number of days after which the database will
be purged. The default value is set at 32 days. This means that after 32 days, only the top values in each report are
stored in the database, and the rest are discarded.

Reporting



Why am I seeing empty graphs?

Graphs are empty if no data is available. If you have started the server for the first time, wait for at least one minute
for graphs to be populated.

What are the types of report formats that I can generate?

Reports can be generated in HTML, CSV, and PDF formats. All reports are generally viewed as HTML in the web
browser, and then exported to CSV or PDF format. However, reports that are scheduled to run automatically, or be
emailed automatically, are generated only as PDF files.

Can't find an answer here? Check out the EventLog Analyzer user forum



EventLog Analyzer Help
EventLog Analyzer gives you a wide range of options to contact the Technical Support team in case you run into any
problem.

License
The License page displays the existing license details such as the type of license, the number of days to expire, and the
number of device(s), and/or application(s) currently monitored. There is a link to upgrade the EventLog Analyzer license.
You can enter the name of the new license file in the text box provided, or use the Browse button to select the license file,
and apply it using the Upgradebutton.

Support
Support page displays all the information regarding the support channels available to solve any of the product issues.

About
The About page displays the knowledge information, about the product, such as the build version, build number, service
pack applied if any, database used, build date, type, installation language, support and sales email IDs.

User Guide
The User guide (this document) displays contextual help information for the particular product screen selected.

Feedback
At any time, you can click the Feedback link in the bottom right, to send any issues or comments to the EventLog Analyzer
Technical Support team.



Chapter 21 Additional Utilities

EventLog Analyzer - Additional Utilities



Working with SSL


Configure MSSQL database
Migrate data from PostgreSQL to MSSQL database
Migrate ELA Data from MySQL to MSSQL Database
Move ELA Database to Different Directory in the Same Server
Move ELA Installation to Different Server



Working with HTTPS
Configuring Secure Communication - HTTPS
The HTTPS protocol provides several features that enable secure transmission of web traffic. These features include data
encryption, server authentication, and message integrity. You can enable secure communication between the web clients
and the EventLog Analyzer server using HTTPS.

The steps given below describe how to set up HTTPS manually. To configure HTTPS using the HTTPS configuration tool, refer to the connection settings page.

Note: The steps provided describe only how to enable HTTPS and generate certificates. Depending on your network configuration and security needs, you may need to consult outside documentation. For advanced configuration (protocol versions, cipher suites, client authentication), refer to the Apache Tomcat SSL/TLS documentation at http://www.apache.org

Procedure to manually setup HTTPS


Use an existing keystore file to configure HTTPS
Stop the EventLog Analyzer server/service, if it is running.
If you already have a keystore file, place it under the <EventLog Analyzer Home>/conf directory and rename it "chap8.keystore". This is the file that the keystoreFile="./conf/chap8.keystore" attribute in server.xml refers to; the path is relative to <EventLog Analyzer Home>.
Then carry out the Disable HTTP, Enable HTTPS and Verify HTTPS Setup steps described below.

Use an existing HTTPS certificate

You can export an existing certificate (for example a wildcard certificate) together with its private key and issuing chain to a .pfx (PKCS#12) file and then follow the instructions given below to configure it in EventLog Analyzer.
Stop the ManageEngine EventLog Analyzer service.
Copy the .pfx file to <EventLog Analyzer Home>/conf.
Open the file <EventLog Analyzer Home>/conf/server.xml in a text editor and locate the following entry:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0"
clientAuth="false" compressableMimeType="text/html,text/xml" compression="force"
compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true"
enableLookups="false" keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75"
maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8400"
protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

Replace the keystoreFile value 'chap8.keystore' with the name of your .pfx file.
Add the attribute keystoreType="pkcs12" (a .pfx file is not a JKS keystore, so the web server must be told its type) and replace the keystorePass value 'eventlog' with the password of your .pfx file.
The entry should then read as given below:


<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0"
clientAuth="false" compressableMimeType="text/html,text/xml" compression="force"
compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true"
enableLookups="false" keystoreFile="./conf/<your pfx file name>.pfx" keystoreType="pkcs12"
keystorePass="your pfx file password here" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
noCompressionUserAgents="gozilla, traviata" port="8400" protocol="HTTP/1.1" scheme="https" secure="true"
sslProtocol="TLS"/>

Restart the EventLog Analyzer service.

Note: The .pfx password is stored in clear text in server.xml, and the .pfx file contains the private key. Restrict file-system permissions on <EventLog Analyzer Home>/conf to administrators and to the account that runs the EventLog Analyzer service.

How to create a new keystore, generate a certificate signing request (CSR), and install an HTTPS certificate for EventLog Analyzer
Follow the instructions given below for HTTPS installation:
1. Create a new keystore

2. Generate a CSR from the new keystore

3. Install the HTTPS certificate

Step 1: Create a new keystore

If you do not have a keystore file, follow these steps to create one.
1. In the command prompt, go to the <EventLog Analyzer Home>/jre/bin directory and execute the following command. Use one alias of your choice (the examples below use 'tomcat'); the same alias must be used again in the CSR and certificate-import steps.

> "<EventLog Analyzer Home>/jre/bin/keytool" -genkey -alias <your_alias_name> -keyalg RSA -keysize 2048 -keystore chap8.keystore

Example: "<EventLog Analyzer Home>/jre/bin/keytool" -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore chap8.keystore

For example, if the installation folder is C:/ManageEngine/EventLog then the above command should be

> "C:/ManageEngine/EventLog/jre/bin/keytool" -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore chap8.keystore

Note: The absolute path of keytool should be in double quotes. Specify -keysize 2048 explicitly: older keytool versions default to 1024-bit RSA keys, which public CAs no longer accept.


2. When you execute the above command, it asks for a keystore password. Enter a password of your choice; the examples in this document use 'eventlog'. Do not use that example value on a production server.

3. Enter the answers to the six questions:

1. first and last name: enter the fully qualified host name under which users will reach EventLog Analyzer (for example ela.example.com), not a person's name. This becomes the certificate's Common Name and must match the name typed in the browser.

2. organizational unit

3. organization

4. city

5. state

6. country code (two letters)

4. For confirmation, type 'y' and press the 'Enter' key.

5. Press the 'Enter' key again to give the key the same password as the keystore (the web server expects the key password and the keystore password to be the same when only keystorePass is configured in server.xml). A keystore file named 'chap8.keystore' is created in the current directory, i.e. <EventLog Analyzer Home>/jre/bin. After the certificate has been installed (Step 3), copy it to <EventLog Analyzer Home>/conf, the location that keystoreFile="./conf/chap8.keystore" in server.xml refers to.

Step 2: Generate a CSR from the new keystore

1. To create the Certificate Signing Request (CSR) from your keystore using keytool, in the command prompt go to <EventLog Analyzer Home>/jre/bin and execute the following command with the alias you used in Step 1:

> keytool -certreq -alias <your_alias_name> -file csr.txt -keystore chap8.keystore

(For example: keytool -certreq -alias tomcat -file csr.txt -keystore chap8.keystore)

2. Type the keystore password that you assigned earlier and press the 'Enter' key.

3. Your CSR file named csr.txt is now created in the current directory. Open the CSR with a text editor, and copy and paste the text (including the BEGIN and END lines) into the Certifying Authority (CA) web order form. Current browsers validate the host name against the certificate's Subject Alternative Name rather than the Common Name, so make sure the CA order lists the host name(s) as SANs. Keep the keystore file (chap8.keystore) safe: it holds the private key, and the certificates will be installed into it later. A certificate installed into any other keystore will not match the key.

Step 3: How to install the HTTPS Certificate

1. Download your certificate files from the CA's email to the directory where your keystore (chap8.keystore) was saved during CSR creation. The certificate must be installed into this exact keystore: it is the only one that holds the matching private key, so importing the certificate into a different keystore will not work. The certificates must be installed in the correct order (root, then intermediates, then your own certificate) for the chain to be trusted; if they are installed in the wrong order, clients will not be able to validate the certificate.

2. Install the Root Certificate file:

Each time you install a certificate into your keystore, you will be prompted for the keystore password that you assigned while generating your CSR.
In the command prompt, go to <EventLog Analyzer Home>/jre/bin and execute the following command to install the root certificate file:

> keytool -import -trustcacerts -alias root -file TrustedRoot.crt -keystore chap8.keystore



Note: Choose 'Yes' if you are prompted with a message such as "Certificate already exists in system-wide CA keystore under alias <entrustsslca>. Do you still want to add it to your own keystore? [no]:". You will get a confirmation stating "Certificate was added to keystore".

3. Install the intermediate certificates, if any, with the same command and a distinct alias for each (for example -alias intermediate); follow the instructions provided by the CA.

4. Install the Primary Certificate file:

In the command prompt, go to <EventLog Analyzer Home>/jre/bin and execute the following command to install the primary certificate file. The alias must be the one used when the key pair was created; with any other alias, keytool stores the certificate as a separate trusted entry instead of as the reply to your CSR:

> keytool -import -trustcacerts -alias tomcat -file <your_domain_name>.crt -keystore chap8.keystore

This time you will get a different confirmation: 'Certificate reply was installed in keystore'. If you are asked whether you want to trust the certificate, choose 'y' or 'yes'.

Your certificates are now installed in your keystore file (chap8.keystore). Copy it to <EventLog Analyzer Home>/conf and configure the server to use it as described below. To confirm that the chain is complete before restarting the server, run "keytool -list -v -keystore chap8.keystore -alias tomcat" and check that the reported "Certificate chain length" is greater than 1 and that the first certificate's Owner is your host name.

Disable HTTP
The HTTP and HTTPS connectors in server.xml are both configured on the web server port (default 8400), so exactly one of them can be active; as shipped, the plain HTTP connector is the active one and stays active until you comment it out. To disable HTTP, follow the steps below:
1. Edit the server.xml file present in the <EventLog Analyzer Home>/conf directory.

2. Comment out the HTTP connector by placing the <!-- tag before, and the --> tag after, the following lines:

<Connector port="8400" SSLEnabled="false" acceptCount="100" address="0.0.0.0" clientAuth="false"
compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024"
connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75"
maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1"
scheme="http" secure="false" URIEncoding="UTF-8"/>

Enable HTTPS
In the same file, enable the HTTPS connector by removing the <!-- tag before, and the --> tag after, the following lines:

<Connector port="8400" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false"
compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024"
connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75" maxThreads="150"
minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https"
secure="true" sslProtocol="TLS" URIEncoding="UTF-8"/>



Note: You can choose any keystore password when creating the keystore, but the same password must be configured as keystorePass in server.xml. The examples use 'eventlog'; use a strong, unique password on a real installation, and restrict read access to server.xml, because the password is stored there in clear text.

Verify HTTPS Setup

1. Restart the EventLog Analyzer server.

2. Verify that the following message appears in the command window after the EventLog Analyzer application has started:

> Server started.

Please connect your client at https://localhost:8400

3. Connect to the server from a web browser by typing https://<hostname>:8400, where <hostname> is the machine on which the server is running. Use the same name that you entered as the certificate's Common Name / SAN; the browser should show no certificate warning and, in the certificate details, the chain root / intermediate / your certificate. Also confirm that http://<hostname>:8400 no longer answers, which shows that the plain HTTP connector is disabled.

Configure the SSL cipher suite

If you want to restrict the cipher suites offered by the HTTPS connector, edit the server.xml file present in the <EventLog Analyzer Home>/conf directory and add the following attribute at the end of the SSL/TLS Connector tag:

SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8400" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false"
compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024"
connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75" maxThreads="150"
minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https"
secure="true" sslProtocol="TLS" URIEncoding="UTF-8"
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

Note: SSL_RSA_WITH_3DES_EDE_CBC_SHA is a legacy suite (112-bit effective strength, no forward secrecy). Recent Java releases disable 3DES suites by default, and current browsers refuse the connection if it is the only suite offered. Prefer an ECDHE/AES-GCM suite such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (available from Java 8), or leave the attribute out to use the JRE defaults. On Tomcat's keystore-based (JSSE) connector the attribute that restricts suites is ciphers; SSLCipherSuite is honoured only by the APR/native connector, so check which connector the Tomcat bundled with your build uses.



Configuring the MS SQL database for EventLog Analyzer
This page describes the various steps involved in configuring the MS SQL database in EventLog Analyzer.

How to find the build number?


For EventLog Analyzer version 8.0 onwards:

In the EventLog Analyzer web client, click "?" on the top right corner of the screen and click on About. You will find the build
number mentioned below the build version. This is the build number of the currently installed EventLog Analyzer.

Procedure for EventLog Analyzer version 8.0 (Build 8010) onwards

Note: This procedure to configure MS SQL will clear all existing data.

Here's how you can configure and run the EventLog Analyzer with MS SQL as the database.
1. From the installed MS SQL server, copy the files bcp.exe and bcp.rll to <Eventlog Analyzer Home>\bin folder.



Note: If you copy the above files from a SQL Server (version 2012 and above) installed on a different machine from EventLog Analyzer, install the client library that matches the SQL Server version and the CPU type (32-bit/64-bit) of the EventLog Analyzer machine, because bcp.exe depends on it.

For MSSQL 2012 install the SQL Server Native Client; for later versions of MSSQL install the ODBC driver (links given below).

MSSQL 2012: https://www.microsoft.com/en-us/download/confirmation.aspx?id=50402

MSSQL 2014: https://www.microsoft.com/en-us/download/details.aspx?id=36434

MSSQL 2016: https://www.microsoft.com/en-us/download/details.aspx?id=50420

MSSQL 2017: https://www.microsoft.com/en-us/download/details.aspx?id=53339

MSSQL 2019: 64-bit: https://go.microsoft.com/fwlink/?linkid=2137027 ; 32-bit: https://go.microsoft.com/fwlink/?linkid=2137028

After installing the required Native Client/ODBC driver, check that you have the right version of the bcp.exe and bcp.rll files and of the driver: open a command prompt with administrator rights in the <EventLog Analyzer Home>\bin folder and execute

bcp.exe -v

If this reports an error, either the bcp files are the wrong version or the Native Client/ODBC driver installed on the EventLog Analyzer machine does not match them.

2. Run <EventLog Analyzer Home>\tools\changeDBServer.bat to configure the MS SQL Server connection details (Server Name, Port, User Name and Password).

3. The Database Setup Wizard appears.

4. In the wizard screen, choose the Server Type as SQL Server. Enter the Host Name and the port of the SQL Server, and select the instance from the available SQL Server instances.

5. Tips:

Ensure that the SQL Server Browser service is running, as it is what lists the instances and their ports.

Ensure that TCP/IP is enabled under Protocols in SQL Server Configuration Manager.

6. Select the authentication type using the "Connect Using:" options.

7. The options are:

Windows Authentication

SQL Server Authentication



Note: For Windows Authentication, ensure that both the EventLog Analyzer server and the MS SQL Server are in the same domain and that EventLog Analyzer is logged in with the same domain administrator credentials. The SQL Server login is then the Windows account under which EventLog Analyzer runs; grant that account only the roles listed in the permissions table below, not sysadmin.

Windows Authentication

SQL Server Authentication

For SQL Server Authentication, enter the User Name and Password.

Note: The product functions even if table compression is enabled.

Required permissions for the SQL Server login used by EventLog Analyzer:

1. Start-up type: First start

   Required permission(s) for the login:
   Server Roles page:
     1. public
     2. dbcreator
   User Mapping page ('Database role membership' for the 'eventlog' DB):
     1. db_datareader
     2. db_datawriter
     3. db_ddladmin
     4. db_backupoperator

   Comments:
   'public' is the default minimum permission.
   'dbcreator' is required to create the 'eventlog' database; without it you get the error "CREATE DATABASE permission denied in database 'master'".
   'db_backupoperator' is required only if the user wishes to back up the 'eventlog' database.

2. Start-up type: Warm start

   Required permission(s) for the login:
   CONTROL privilege on the certificate and keys created in the 'eventlog' database. Execute the following queries:

   GRANT CONTROL ON SYMMETRIC KEY::[##MS_DatabaseMasterKey##] TO [user]; -- if not granted, the user cannot tell whether a database master key exists in the DB
   GRANT CONTROL ON SYMMETRIC KEY::[ZOHO_SYMM_KEY] TO [user];
   GRANT CONTROL ON CERTIFICATE::[ZOHO_CERT] TO [user];

   Comments:
   Replace [user] with the database user mapped to the EventLog Analyzer login. None of the above requires the sysadmin server role.

8. Click the Test button to check whether the credentials are correct. If the test fails, the credentials might be wrong.

Recheck and enter the correct credentials.

9. Click the Save button to save the SQL Server configuration. Note that it will take a few minutes to configure the

settings of the SQL Server database.

10. Start the EventLog Analyzer Server/Service to work with the MS SQL SERVER as the database.

If you are already using EventLog Analyzer with PGSQL or MySQL and want to change the database to MS SQL, refer to the Migrating EventLog Analyzer Data from PGSQL to MS SQL Database page or the Migrating EventLog Analyzer Data from MySQL to MS SQL Database page respectively and follow the procedure given there.
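The permissions listed in the table above, as a T-SQL script that a DBA can run instead of clicking through the Server Roles and User Mapping pages. This is an added example, not a script shipped with EventLog Analyzer. The login name ela_svc and the password placeholder are assumptions; the second part can only run after the product's first start has created the 'eventlog' database and its ZOHO_SYMM_KEY / ZOHO_CERT objects. Run it as a sysadmin.

```sql
-- Added example, not part of the EventLog Analyzer guide.
-- Part 1: run BEFORE the first start of EventLog Analyzer (server-level rights).
-- Login name 'ela_svc' and the password are assumptions; choose your own.
USE master;
GO
IF SUSER_ID(N'ela_svc') IS NULL
    CREATE LOGIN [ela_svc] WITH PASSWORD = N'<strong password here>', CHECK_POLICY = ON;
GO
-- 'public' is granted to every login automatically. 'dbcreator' is what the product
-- needs on first start to create the 'eventlog' database; without it the start fails
-- with "CREATE DATABASE permission denied in database 'master'".
ALTER SERVER ROLE [dbcreator] ADD MEMBER [ela_svc];
GO
-- Sanity check: the product login must not be a sysadmin. Expect 0.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'ela_svc') AS is_sysadmin;
GO

-- Part 2: run AFTER the first start, once the 'eventlog' database exists.
-- If 'ela_svc' itself created the database it is already its owner (dbo) and the
-- role memberships below are redundant; they matter when a DBA created the
-- database in advance or has changed its owner.
USE [eventlog];
GO
IF DATABASE_PRINCIPAL_ID(N'ela_svc') IS NULL
    CREATE USER [ela_svc] FOR LOGIN [ela_svc];
GO
ALTER ROLE [db_datareader]     ADD MEMBER [ela_svc];
ALTER ROLE [db_datawriter]     ADD MEMBER [ela_svc];
ALTER ROLE [db_ddladmin]       ADD MEMBER [ela_svc];
-- Only needed if this login is to back up the 'eventlog' database (see the table).
ALTER ROLE [db_backupoperator] ADD MEMBER [ela_svc];
GO
-- Warm start: CONTROL on the encryption objects the product creates in 'eventlog'.
-- Without CONTROL on the database master key the login cannot even tell that a
-- master key exists.
GRANT CONTROL ON SYMMETRIC KEY::[##MS_DatabaseMasterKey##] TO [ela_svc];
GRANT CONTROL ON SYMMETRIC KEY::[ZOHO_SYMM_KEY]            TO [ela_svc];
GRANT CONTROL ON CERTIFICATE::[ZOHO_CERT]                  TO [ela_svc];
GO
-- Verification: role memberships and explicit permissions the user actually holds.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'ela_svc';

SELECT class_desc, permission_name, state_desc
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID(N'ela_svc');
GO
```

The two verification queries should list exactly the four fixed database roles and three CONTROL grants; anything beyond that (in particular db_owner or a sysadmin flag of 1 in Part 1) means the login has more rights than the product needs.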



Migrate EventLog Analyzer Data from PGSQL to MS SQL
Database
EventLog Analyzer allows you to migrate the existing EventLog Analyzer data available in the PGSQL database to the MS
SQL database.

This procedure is applicable only if you are already using the EventLog Analyzer with PGSQL and you want to change the
database to MS SQL.

Note:
Re-registering the Managed Server after the database has been changed:

When the Managed Server is installed, it is registered with Admin Server as Managed Server with
PGSQL.
If the database of the Managed Server is changed from PGSQL to MS SQL, the database of the Admin
server also needs to be changed from PGSQL to MS SQL.
Then, the managed server has to be re-registered with the Admin Server with the help of <EventLog
Analyzer Home>/troubleshooting/registerWithAdminServer.bat file (or registerWithAdminServer.sh
file)

After changing the database, when the Managed Server is started as a service there is no prompt to re-register. The user has to ensure that the Managed Server is re-registered with the Admin Server.

If you are migrating a distributed setup, the entire setup must be migrated to MSSQL: all Managed Servers along with the Admin Server.

If you want to configure MS SQL for a fresh installation of the EventLog Analyzer server, refer to the Configuring MS SQL Database page and follow the procedure given there.

The steps to migrate and run the EventLog Analyzer server with SQL Server as the database are given below:
1. Stop the EventLog Analyzer Server/Service.

2. Invoke the <EventLog Analyzer Home>/tools/backUpDatabase.bat in command prompt to backup the data available

in the PGSQL database and wait till the data backup is completed. By default, the backup file will be stored under

<EventLog Analyzer Home>/backup directory with the file name

'backup_eventlog_<Build_Number>_database_MM_DD_YY_hh_mm.data'.

3. From the installed MS SQL SERVER, copy the files bcp.exe and bcp.rll to <EventLog Analyzer Home>/bin folder.



Note: If you copy the above files from a SQL Server (version 2012 and above) installed on a different machine from EventLog Analyzer, install the SQL Server Native Client (MSSQL 2012) or the ODBC driver (later versions) that matches the SQL Server version and the CPU type of the EventLog Analyzer machine. The download links and the bcp.exe -v check are given in the note under the Configuring the MS SQL database for EventLog Analyzer section above.

4. Run <EventLog Analyzer Home>/tools/changeDBServer.bat from the command prompt to configure the MS SQL Server connection details (Server Name, Port, User Name and Password).

5. The Database Setup Wizard pops up.

6. In the wizard screen, select Server Type as SQL Server. The available SQL Server instances are listed in a combo box. Enter the Host Name and Port of the SQL Server instance.

7. Select the authentication type using the "Connect Using:" option.

8. The options are:

Windows Authentication

SQL Server Authentication

Note: For Windows Authentication, ensure that both the EventLog Analyzer Server and the MS SQL Server are in the same domain and are logged in with the same Domain Administrator credentials.

Windows Authentication (EventLog Analyzer version 8.0, Build 8010, onwards): no user name or password is entered; the connection uses the Windows account under which EventLog Analyzer runs.



SQL Server Authentication

For SQL Server Authentication, enter the User Name and Password.

9. Click the Test button to check whether the credentials are correct. If the test fails, the credentials might be wrong.

Recheck and enter the correct credentials.



10. Click the Save button to save the SQL Server configuration. Note that it will take a few minutes to configure the

settings of the SQL Server database.

11. Run <EventLog Analyzer Home>/bin/run.bat to start the EventLog Analyzer server in the command prompt. This first start creates the 'eventlog' database and its schema on the SQL Server.

12. After the server has started completely, stop it by terminating run.bat in the command prompt or by running <EventLog Analyzer Home>/bin/shutdown.bat.

13. Run <EventLog Analyzer Home>/tools/restoreDatabase.bat, browse to and select the backup file created in step 2, click 'OK' and wait until the database is completely restored.

Note: Executing the restoreDatabase.bat will delete the existing data, if any.

14. Start the EventLog Analyzer Server/Service to work with the MS SQL Server as the database.



Migrate EventLog Analyzer Data from MySQL to MS
SQL Database
EventLog Analyzer allows you to migrate the existing EventLog Analyzer data available in MySQL database to MS SQL
database.

This procedure is applicable only if you are already using EventLog Analyzer with MySQL and you want to change the
database to MS SQL.

Note:
Re-registering the Managed Server after the database has been changed:

When the Managed Server is installed, it is registered with Admin Server as Managed Server with
MySQL.
If the database of the Managed Server is changed from MySQL to MS SQL, the database of the Admin
server also needs to be changed from MySQL to MS SQL.
Then, the managed server has to be re-registered with Admin Server with the help of <EventLog
Analyzer Home>/troubleshooting/registerWithAdminServer.bat file (or registerWithAdminServer.sh
file)

After changing the database, when the Managed Server is started as a service there is no prompt to re-register. The user has to ensure that the Managed Server is re-registered with the Admin Server.

If you are migrating a distributed setup, the entire setup must be migrated to MSSQL: all Managed Servers along with the Admin Server.

If you want to configure MS SQL for a fresh installation of the EventLog Analyzer server, refer to the Configuring MS SQL Database page and follow the procedure given there.

The steps to migrate and run the EventLog Analyzer server with SQL Server as the database are given below:
1. Stop the EventLog Analyzer Server/Service.

2. Invoke the <EventLog Analyzer Home>/tools/backUpDatabase.bat in command prompt to backup the data available

in the MySQL database and wait till the data backup is completed. By default, the backup file will be stored under

<EventLog Analyzer Home>/backup directory with the file name like

'backup_eventlog_<Build_Number>_database_MM_DD_YY_hh_mm.data'.

3. From the installed MS SQL SERVER, copy the files bcp.exe and bcp.rll to <EventLog Analyzer Home>/bin folder.



Note: If you copy the above files from a SQL Server (version 2012 and above) installed on a different machine from EventLog Analyzer, install the SQL Server Native Client (MSSQL 2012) or the ODBC driver (later versions) that matches the SQL Server version and the CPU type of the EventLog Analyzer machine. The download links and the bcp.exe -v check are given in the note under the Configuring the MS SQL database for EventLog Analyzer section above.

4. Run <EventLog Analyzer Home>/tools/changeDBServer.bat from the command prompt to configure the MS SQL Server connection details (Server Name, Port, User Name and Password).

5. The Database Setup Wizard pops up.

6. In the wizard screen, select Server Type as SQL Server. The available SQL Server instances are listed in a combo box. Enter the Host Name and Port of the SQL Server instance.

7. Select the authentication type using the "Connect Using:" option.

8. The options are:

Windows Authentication

SQL Server Authentication

Note: For Windows Authentication, ensure that both the EventLog Analyzer Server and the MS SQL Server are in the same domain and are logged in with the same Domain Administrator credentials.

Windows Authentication (EventLog Analyzer version 8.0, Build 8010, onwards): no user name or password is entered; the connection uses the Windows account under which EventLog Analyzer runs.



SQL Server Authentication
For SQL Server Authentication, enter the User Name and Password.

9. Click the Test button to check whether the credentials are correct. If the test fails, the credentials might be wrong.

Recheck and enter the correct credentials.



10. Click the Save button to save the SQL Server configuration. Note that it will take a few minutes to configure the

settings of the SQL Server database.

11. Run <EventLog Analyzer Home>/bin/run.bat to start the EventLog Analyzer server in the command prompt. This first start creates the 'eventlog' database and its schema on the SQL Server.

12. After the server has started completely, stop it by terminating run.bat in the command prompt or by running <EventLog Analyzer Home>/bin/shutdown.bat.

13. Run <EventLog Analyzer Home>/tools/restoreDatabase.bat, browse to and select the backup file created in step 2, click 'OK' and wait until the database is completely restored.

Note: Executing the restoreDatabase.bat will delete the existing data, if any.

14. Start the EventLog Analyzer Server/Service to work with the MS SQL Server as the database.



Moving the EventLog Analyzer MSSQL Database to a
Different Directory in the Same Server
This procedure is applicable for EventLog Analyzer version 8.0 (Build 8010) onwards.

How to find the build number?


In the EventLog Analyzer web client, click "?" on the top right corner of the screen and click on About. You will find the
build number mentioned below the build version.

This is the build number of the currently installed EventLog Analyzer.

Moving the EventLog Analyzer MS SQL database



1. Stop the EventLog Analyzer Server/Service.

2. Log in to the SQL Server instance with system administrator (sysadmin) permissions.

3. Find the current location of the data file and log file of the database named 'eventlog' with the following commands:

use eventlog
go
sp_helpfile
go

4. Detach the database:

use master
go
sp_detach_db 'eventlog'
go

5. Copy the data file and the log file from the current location (<MSSQL Home>\DATA\eventlog.mdf and <MSSQL Home>\DATA\eventlog_log.ldf) to the new location (<New Location>\eventlog.mdf and <New Location>\eventlog_log.ldf). The Windows account that runs the SQL Server service must have Modify permission on the new folder; otherwise the attach in the next step fails with an access-denied error.

6. Re-attach the database, pointing to the new location:

use master
go
sp_attach_db 'eventlog', '<New Location>\eventlog.mdf', '<New Location>\eventlog_log.ldf'
go

7. Verify the changed location:

use eventlog
go
sp_helpfile
go

8. Start the EventLog Analyzer Server/Service.
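The same move done with ALTER DATABASE ... MODIFY FILE instead of detach/attach, as an added example that is not part of the guide. Detaching and re-attaching works, but sp_attach_db is deprecated by Microsoft in favour of CREATE DATABASE ... FOR ATTACH, and re-attaching sets the database owner to the login that performs the attach, which can silently change the product login's rights. Keeping the database attached and only changing the file paths avoids both issues. The target folder D:\ELAData and the logical file names 'eventlog' and 'eventlog_log' are assumptions; take the real logical names from the output of the first query. Run as a sysadmin while the EventLog Analyzer service is stopped.

```sql
-- Added example, not part of the EventLog Analyzer guide.
-- Target folder D:\ELAData is an assumption. The SQL Server service account needs
-- Modify rights on it, otherwise SET ONLINE below fails with an access-denied error.

-- 1. Current logical and physical file names; the logical names are needed in step 4.
SELECT name AS logical_name, physical_name, type_desc, state_desc
FROM sys.master_files
WHERE database_id = DB_ID(N'eventlog');
GO

-- 2. Take the database offline. ROLLBACK IMMEDIATE kills any session that is still
--    connected, so make sure the EventLog Analyzer service really is stopped first.
ALTER DATABASE [eventlog] SET OFFLINE WITH ROLLBACK IMMEDIATE;
GO

-- 3. Copy the files at the OS level now, from an elevated command prompt, e.g.
--       robocopy "<MSSQL Home>\DATA" "D:\ELAData" eventlog.mdf eventlog_log.ldf
--    Keep the originals until step 6 confirms the database is ONLINE at the new path.

-- 4. Point the catalog at the new location. The logical names are assumptions;
--    use the values returned in step 1.
ALTER DATABASE [eventlog]
    MODIFY FILE (NAME = N'eventlog',     FILENAME = N'D:\ELAData\eventlog.mdf');
ALTER DATABASE [eventlog]
    MODIFY FILE (NAME = N'eventlog_log', FILENAME = N'D:\ELAData\eventlog_log.ldf');
GO

-- 5. Bring the database back; SQL Server opens the files from the new path.
ALTER DATABASE [eventlog] SET ONLINE;
GO

-- 6. Verify: every row must show the new folder and state_desc = 'ONLINE'.
--    Database owner and user mappings are unchanged because the database was never detached.
SELECT name AS logical_name, physical_name, state_desc
FROM sys.master_files
WHERE database_id = DB_ID(N'eventlog');
GO
```

Only after step 6 reports both files ONLINE under the new path should the old .mdf/.ldf be deleted and the EventLog Analyzer service started again.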



Moving the EventLog Analyzer Installation to Another
Machine
If you are planning to migrate EventLog Analyzer to a different server, possible data loss is a major concern. This document provides the steps to migrate your EventLog Analyzer installation to a different server without losing the database and configuration.
1. Stop the EventLog Analyzer server. (Start > Run > type services.msc and press OK > stop the service ManageEngine EventLog Analyzer)

Note: For a Linux service, execute the command given below to stop the service (sample output is shown):

/etc/init.d/eventloganalyzer stop
Stopping ManageEngine EventLog Analyzer <version number>...
Stopped ManageEngine EventLog Analyzer <version number>

2. Ensure that the processes java.exe, postgres.exe, and SysEvtCol.exe are not running in Task Manager.

Note: For Linux, ensure that the processes java, postgres, and SysEvtCol are not running.

3. Copy the entire <EventLog Analyzer Home> directory to the new server. It is strongly recommended that the new location has the same path as the previous one.

Integration with Log360:

Case 1: If only EventLog Analyzer is being moved:

1. If EventLog Analyzer is integrated with Log360, and only EventLog Analyzer is being moved, the integration with Log360 needs to be removed first. You can integrate EventLog Analyzer with Log360 again after moving it to the different server.

2. After EventLog Analyzer is moved, if the new path is not the same as the previous path, path.data and path.repo in <EventLog Analyzer Home>\ES\config\elasticsearch.yml need to be updated accordingly.



3. Open the command prompt with administrator privileges. Navigate to <EventLog Analyzer Home>\bin and execute initPgsql.bat to set the permissions for the database.

Note: For Linux, initPgsql.sh has to be executed.

4. Since the service has not been installed on the new server, it has to be installed manually. Open the Command Prompt with administrator privileges, navigate to <EventLog Analyzer Home>\bin and execute the following command to install the EventLog Analyzer service:

> service.bat -i

Note: For Linux, the service installation command is:

sh configureAsService.sh -i

5. The service is now installed. Start the service and open EventLog Analyzer in your browser to log in.

6. The EventLog Analyzer archive path has to be modified: Settings > Admin Settings > Manage Archives > Settings > Archive Location.

Previously archived files cannot be loaded. The migration is now complete.



Case 2: If EventLog Analyzer and Log360 are being moved:

1. If EventLog Analyzer is integrated with Log360, and both Log360 and EventLog Analyzer are being moved, the integration needn't be removed. However, you would need to move the <ManageEngine Home>\elasticsearch folder as well (Log360 and elasticsearch go to the same parent directory as EventLog Analyzer).

2. After the Log360 and elasticsearch folders are moved along with EventLog Analyzer, if the new path is not the same as the previous path, path.data and path.repo in <ManageEngine Home>\elasticsearch\ES\config\elasticsearch.yml need to be updated. path.data in <EventLog Analyzer Home>\ES\config\elasticsearch.yml needs to be updated as well.

3. Open the command prompt with administrator privileges. Navigate to <EventLog Analyzer Home>\bin and execute initPgsql.bat to set the permissions for the database.

Note: For Linux, initPgsql.sh has to be executed.

4. Since the service has not been installed in the new server, we have to install it manually. Open the Command Prompt with administrator privileges. Navigate to <EventLog Analyzer Home>\bin and execute the following command to install the EventLog Analyzer service.

> service.bat -i



Note: For Linux, the service installation command is:

sh configureAsService.sh -i

Click here to know more.

5. The service will now be installed. Try starting the service and open EventLog Analyzer with your browser to log in.

6. The EventLog Analyzer archive path has to be modified: Settings > Admin Settings > Manage Archives > Settings > Archive Location.

Previously archived files cannot be loaded. The migration is now complete.

If EventLog Analyzer is not integrated with Log360:

1. If EventLog Analyzer is not integrated with Log360 and if the new path is not the same as the previous path, then path.data and path.repo in <EventLog Analyzer Home>\ES\config\elasticsearch.yml need to be updated.

2. Open the command prompt with administrator privileges. Navigate to <EventLog Analyzer Home>\bin and execute initPgsql.bat to set the permissions for the database.

Note: For Linux, initPgsql.sh has to be executed.

3. Since the service has not been installed in the new server, we have to install it manually. Open the Command Prompt with administrator privileges. Navigate to <EventLog Analyzer Home>\bin and execute the following command to install the EventLog Analyzer service.

> service.bat -i

Note: For Linux, the service installation command is:

sh configureAsService.sh -i

Click here to know more.

4. The service will now be installed. Try starting the service and open EventLog Analyzer with your browser to log in.

5. The EventLog Analyzer archive path has to be modified: Settings > Admin Settings > Manage Archives > Settings > Archive Location.

Previously archived files cannot be loaded. The migration is now complete.



Note:
If you have enabled log forwarding from any Linux, Unix, router, switch, firewall, or syslog devices to EventLog Analyzer, you would need to re-point them to the new server.
If an agent has been configured for any device, check if it has been modified appropriately.
Do not delete the previous installation until you ensure the migration is successful. Verify the migration by checking the log collection after 30 minutes.

If you are using MS SQL Server as your database and it is running on a remote computer, download and install the SQL Native Client/ODBC Driver that is appropriate for the SQL Server version on the new EventLog Analyzer machine.

More information on SQL Native Client/ODBC Driver is available here.
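As an added example for the migration steps above (this is not a ManageEngine script), the following POSIX shell helpers cover the two places where a hand-done move most often goes wrong: the process check of step 2 and the path.data / path.repo edit in elasticsearch.yml that each of the three cases requires when the new home path differs. The installation paths used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example for the migration procedure above; not a ManageEngine script.
# It checks that the server processes are stopped (step 2) and rewrites the
# path.data / path.repo entries of elasticsearch.yml when <EventLog Analyzer
# Home> ends up on a different path on the new server. The paths used in the
# demo at the bottom are constructed placeholders, not a real installation.

# Step 2: none of java, postgres or SysEvtCol may still be running.
# Returns 0 when all are stopped, 1 (naming the offender) otherwise.
ela_processes_stopped() {
    for p in java postgres SysEvtCol; do
        if pgrep -x "$p" >/dev/null 2>&1; then
            echo "still running: $p (stop EventLog Analyzer first)" >&2
            return 1
        fi
    done
    return 0
}

# Escape a literal string for the pattern side of a sed s### command.
_re_escape() { printf '%s' "$1" | sed 's/[][\.*^$#]/\\&/g'; }
# Escape a literal string for the replacement side of a sed s### command.
_repl_escape() { printf '%s' "$1" | sed 's/[&\#]/\\&/g'; }

# update_es_paths OLD_HOME NEW_HOME FILE
# Rewrites only lines starting with "path.data:" or "path.repo:" so that the
# OLD_HOME prefix becomes NEW_HOME; every other setting stays untouched and a
# FILE.bak copy is kept. Works for POSIX and Windows-style (backslash) paths.
update_es_paths() {
    _old=$(_re_escape "$1"); _new=$(_repl_escape "$2"); _yml=$3
    [ -f "$_yml" ] || { echo "missing file: $_yml" >&2; return 1; }
    cp "$_yml" "$_yml.bak" || return 1
    sed -e "/^path\.data:/ s#$_old#$_new#g" \
        -e "/^path\.repo:/ s#$_old#$_new#g" "$_yml" > "$_yml.new" \
        && mv "$_yml.new" "$_yml"
}

# es_path_value KEY FILE: prints the value of path.data or path.repo.
es_path_value() { sed -n "s/^$1:[[:space:]]*//p" "$2"; }

# es_paths_under HOME FILE: returns 0 when both path.data and path.repo point
# below HOME, the check to run before initPgsql and the service installation.
es_paths_under() {
    for k in path.data path.repo; do
        v=$(es_path_value "$k" "$2")
        case "$v" in
            "$1"*) ;;
            *) echo "$k still points outside $1: $v" >&2; return 1 ;;
        esac
    done
    return 0
}

# Demo on a constructed elasticsearch.yml (placeholder paths).
demo_dir=$(mktemp -d)
cat > "$demo_dir/elasticsearch.yml" <<'EOF'
cluster.name: eventloganalyzer
path.data: /opt/ManageEngine/EventLog/ES/data
path.repo: /opt/ManageEngine/EventLog/ES/repo
http.port: 9300
EOF
update_es_paths /opt/ManageEngine/EventLog /data/ManageEngine/EventLog \
    "$demo_dir/elasticsearch.yml"
es_paths_under /data/ManageEngine/EventLog "$demo_dir/elasticsearch.yml" \
    && echo "elasticsearch.yml now points under the new home"
rm -rf "$demo_dir"
```

Run `ela_processes_stopped` on the old server before copying the directory, and `es_paths_under <new home> <new home>/ES/config/elasticsearch.yml` on the new one before running initPgsql.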



Log360 Cloud
To configure Log360 Cloud to receive data from your local EventLog Analyzer installation, you need to get the security
access key of Log360 Cloud and enter it in your local EventLog Analyzer installation.

To get the security access key of Log360 Cloud,

1. Log in to your Log360 Cloud account.

2. Navigate to Settings > Admin Settings > Agent Configuration.

3. Copy the access key present in Step 3.

To enter the access key in the EventLog Analyzer console,

1. If you have not downloaded EventLog Analyzer already, visit https://www.manageengine.com/products/eventlog/download.html.

2. Log in to your local EventLog Analyzer console.

3. Navigate to Settings > Admin Settings > Log360 Cloud.

4. In the Access key field, enter the security access key of Log360 Cloud and click Save.



On entering the security access key, data synchronization will begin and EventLog Analyzer will start pushing logs to the
cloud.

The temporary storage locations for synchronization data are the following:

Log sync: EventLog Analyzer > data > Log360Agent > Queue

Database sync: EventLog Analyzer > data > Log360Agent > DBSyncData

Note:
Log sync data will be compressed up to 18 times and stored in the specified temporary location.
Database sync data will be stored in the raw format without being compressed.
When the cloud storage limit is exceeded, log sync will be stopped. Log data collected after that point will be stored in the temporary location specified. Once space is made available, logs will be indexed from that location and moved to the cloud storage space.
The following outbound ports should be open in the firewall of the server where EventLog Analyzer is installed:
HTTPS - 450 and HTTP - 80 for versions lower than 12040
HTTPS - 444 and HTTP - 80 for versions higher than or equal to 12040



Synchronization
To edit the access key, click the edit icon next to the access key.

Log Filter
To enable Log Filters, place the cursor over the Log Sync section. Click the Log Filter option that gets displayed. In the
screen that appears, click the Enable Filter check box and set the required filters by choosing from the options displayed.



Chapter 22 Distributed Edition

EventLog Analyzer distributed edition


What is the EventLog Analyzer distributed edition?
The distributed edition of EventLog Analyzer allows enterprises to monitor their network deployments across geographical
locations. This edition encompasses one admin server and one or more managed servers. While the managed servers that
are installed at the different locations collect and process the local network's security data, the admin server acts as the
central console for viewing all the managed servers.

The distributed edition also caters to the needs of Managed Security Service Providers (MSSPs) since they can deploy
logically isolated managed servers for different clients.

Here are a few highlights of the EventLog Analyzer distributed edition:

Centralizes log management
Supports multiple devices across different geographical locations
Ensures secured communication between the components
Exclusive segmented and secured view for various customers of the MSSP

Note: To install the distributed edition of EventLog Analyzer, you need to install the standard edition across your organization's network and then convert the installations into an admin or a managed server. You can refer to the steps given here.



Convert EventLog Analyzer standard edition to an admin server

Note: You need to back up the data of the standard edition to prevent data loss.

Converting the standard edition of EventLog Analyzer into an admin server will result in the deletion of data present in the standard edition. You can follow the steps given below to convert the standard edition of EventLog Analyzer into an admin server:

1. Shut down EventLog Analyzer.

2. Open the command prompt with administrative privilege and execute the ConvertToAdminServer.bat/sh file located in <EventLog Analyzer Home>/troubleshooting.

3. A warning message about the deletion of data of your existing installation will be displayed.

4. Press y and then the Enter key to continue.

5. If you want to configure a proxy server, enter y for the next query and enter the proxy server details.

6. You will see a success message if EventLog Analyzer has been converted from the standalone edition into an admin server of the distributed edition.



Converting EventLog Analyzer standard edition to a managed server
You can convert your standalone EventLog Analyzer installation (Standard Edition) into a Managed Server installation of the distributed edition by following the steps below:

1. Shut down the EventLog Analyzer installation.

2. Back up the database.

3. Execute the ConvertToManagedServer.bat/sh file located in <EventLog Analyzer Home>/troubleshooting with administrative privilege.

4. Enter y and press the Enter key to continue.

5. Enter the details such as the name or the IP address, web port, and web server protocol of the managed server and the admin server.

6. If you want to configure a proxy server, enter y for the next query and then enter the proxy server details such as the proxy server name, port number, username, and password.

7. You will see a success message if EventLog Analyzer has been converted from the standalone installation into a managed server installation of the distributed edition.

8. Open the admin server console to which you've linked this managed server and navigate to Settings > Configurations > Managed Server Settings to ensure that the converted server is listed.

If your managed server is unable to reach the admin server, please ensure the following:

The admin server to which you want to link the new managed server is accessible on the given port using the
mentioned protocol.
If the admin server is using a proxy server, check whether the provided proxy server details are correct.



Frequently Asked Questions - EventLog Analyzer Distributed Edition
General



Why should you go for the distributed edition of EventLog Analyzer?

If your organization has multiple network devices, servers, applications, and databases spread across geographical
locations, using the distributed edition of EventLog Analyzer will help you unify all your logs and gain actionable
insights from a single console. The distributed edition is also useful for Managed Security Service Providers (MSSPs).

What are managed and admin servers?

The distributed setup of EventLog Analyzer consists of one admin server and one or more managed servers. The
managed servers can be installed at different geographical locations and must be connected to the admin server. The
admin server centralizes log management across all the managed servers. You can view and manage all the managed
servers from the admin server console.

How many managed servers can a single admin server manage?

One admin server is designed to manage up to 50 managed servers.

Can I convert the existing standalone edition of EventLog Analyzer to the distributed edition?

Yes, you can. You need to install a new admin server and convert the existing installation to Managed Server. Please
refer to the steps given here. Ensure that the build number of your existing EventLog Analyzer installation is 6000 or
above.

While converting the standard edition to an admin server, I'm prompted to specify the proxy server details. Why
should I configure it?

Configuring the proxy server is optional. You need to configure the proxy server details during admin server conversion only if the admin server needs to pass through a proxy server to contact the managed servers.

I have deleted a managed server from the admin server. How do I add it again?

To add a managed server under the admin server again, follow the steps given below:

1. Register the managed server with the admin server by executing the registerWithAdminServer.bat/sh file located in <EventLog Analyzer Home>/troubleshooting.

2. Restart the managed server.

2. Restart the managed server.

Where are the collected logs stored? Is it in the managed server database or in both the managed server and
admin server databases?

The logs collected by the managed server are stored only in the managed server database. You can't store the logs in
the admin server. However, you can forward the logs to the admin server to archive them.

Secured Communication Mode (HTTPS)



What is the mode of communication between the admin server and the managed server?

By default, the managed and admin servers communicate using HTTP. There is also an option to change the mode of communication to HTTPS. To modify the mode of communication, you can refer to the steps given here.

I have changed the managed server communication mode to HTTPS after installation. How do I update this change in the admin server?

In the Admin Server, click on Settings tab > Configurations > Managed Server Settings > Edit icon of the specific managed server. Select the required protocol to configure the web server port details.

Licensing

What are the licensing terms for EventLog Analyzer's distributed edition?

EventLog Analyzer's Distributed Edition license will be applied to the admin server. The number of devices and
applications for which the license has been purchased can be utilized among the registered managed servers. You can
keep adding the devices and applications in various managed servers till the total number of licenses purchased gets
exhausted. You can view the number of devices and applications managed by each managed server in the Managed
Server Settings page.

If the number of devices and applications managed by all the managed servers exceeds the number of licenses
purchased, a warning message appears in the admin server. To resolve this warning, you can:

Purchase the license to manage the additional devices and applications.
Check the number of devices and applications managed by each managed server in the Managed Server Settings page of the admin server.
Go to the individual managed server and manually manage the devices. Make sure that the number of devices and applications is equal to the number of licenses.

Is there an option to apply the license in the managed servers?

There is no option to apply the license in the managed servers. The license must be applied to the admin server and
it will be automatically propagated to all the managed servers.

Why do I encounter the "License Restricted" alert even after reconfiguring the managed servers?

The status of devices in the managed server synchronizes with the admin server during the data collection cycle, which happens at an interval of 5 minutes. Try to add other devices and applications in the managed server after a few minutes.



Chapter 23 Technical Support

EventLog Analyzer Technical Support


EventLog Analyzer offers comprehensive, best-in-class technical assistance and documentation to support deployment and
troubleshooting.

Take a look at our resources to find the answers:

Go through the FAQ
Look up the troubleshooting tips
Browse through the EventLog Analyzer forum

Still having trouble? Get in touch with our technical support team:

Send an email to [email protected]
Call the toll-free telephone number (+1 844 649 7766)
Ask for a meeting (Zoho Meeting) - web conference



Create an EventLog Analyzer Support Information File (SIF)
In case you face an issue with log collection or any other aspect of EventLog Analyzer, kindly create a SIF and send it to us.
The SIF will help us to analyze the issue and propose a solution. This article gives you the steps to generate SIF in different
scenarios:

Creating SIF automatically



1. Log in to the EventLog Analyzer web client and click the Support tab.

2. In the Support window, you can find the Auto and Manual SIF creation options under the Support Info section.

3. To automatically create a SIF file, click on Auto and select Create Support Information File.

4. You will find a new link, Created File, which contains the SIF.

5. Clicking on this link allows you to either directly upload the SIF to ManageEngine's file upload server after providing the required details, or download the SIF by clicking on the Download link and sending it to [email protected]

Procedure to create a SIF when the EventLog Analyzer server or web client is not working (for Build 8010 onwards)
If you are unable to create a SIF from the EventLog Analyzer GUI, you can zip the files under the 'logs' folder, which is located in <EventLog Analyzer Home>/logs (default path), and upload the ZIP file using the following link:
https://bonitas2.zohocorp.com/#[email protected]



Procedure to create a SIF when the EventLog Analyzer server or web client is not working (for Build 8000 or earlier)
If you are unable to create a SIF from the EventLog Analyzer UI, you can zip the files under the 'log' folder, which is located in <EventLog Analyzer Home>/server/default/log (default path), and upload the ZIP file using the following link:
https://bonitas2.zohocorp.com/#[email protected]



Contacting EventLog Analyzer Support
EventLog Analyzer provides a wide range of options to contact the support team, make feature requests, ask for a
personalized demo, get online training, and more.

To go to the Support page, click the Support tab on the menu bar. The different channels through which you can reach out
to us will be listed here. You can also click on the links below to reach our support team.

Link | Description

Request Technical Support (Support form) | Click this link or click 'Mail Us' in the Support Page of EventLog Analyzer. Fill in the required fields with a detailed description of the problem that you encountered. Click on Submit.

Request a personalized Demo (Demo) | Click this link or click 'Personalized Demo' in the Support Page of EventLog Analyzer to schedule a personalized demo.

Get training and certification (EventLog Analyzer Training) | Click this link or click 'Training & Certification' in the Support Page of EventLog Analyzer to take up a course and equip yourself with the knowledge required to work with EventLog Analyzer.

Live Chat with the support team (Live Chat) | Click this link or click 'Live Chat' in the Support Page of EventLog Analyzer for a live chat with the support team.

Feature requests (Feature requests) | If you'd like to see new features in the upcoming releases of EventLog Analyzer, click this link to give us your suggestions.

Online Store - Get a Price Quote (Price Quote) | Click this link or click 'Get Quote' under Online Store in the Support Page of EventLog Analyzer to get a personalized quote that best suits your requirements.

Online Store - Purchasing the product (Buy Now) | Click this link or click 'Buy Now'/'Pricing' under Online Store in the Support Page of EventLog Analyzer.

Knowledge Base (Documents) | Click this link or click 'Documents' under Knowledge Base in the Support Page of the EventLog Analyzer solution to understand how to deploy, configure, and generate reports using EventLog Analyzer.

Knowledge Base Videos (Videos) | Click this link or click 'Videos' under Knowledge Base in the support page of EventLog Analyzer to watch 'How to' videos based on the solution and its features.

Knowledge Base FAQ (FAQ) | Click this link or click 'FAQ' under Knowledge Base in the support page of EventLog Analyzer to view answers to frequently asked questions.

Create Log - Support Information Files | Go to 'Support Info' in the support page of EventLog Analyzer to create a support information file. It can be done automatically if you click the 'Auto' option. To do it manually, click the 'Manual' option. A set of instructions along with an upload link will be presented to you. Note: Click here to know more about Support Information Files.

Contact our support team (Contact Us) | Toll Free Number US: +1-844-649-7766. Direct Dialing Number: +1-408-352-9254. Mail us at: [email protected]

Free Online Training | Click the 'Events' Tab in the support page of EventLog Analyzer to sign up for upcoming webinars, seminars and workshops. You can also watch videos of completed webinars, seminars and workshops under 'Completed Events' in the Events Tab.

EventLog Analyzer User forums (User Forums) | Click this link or click 'View All' under 'Recent Forum Posts' in the Support Page of EventLog Analyzer. In this forum you can post your queries, interact with other EventLog Analyzer users and also get answers from our support team.

EventLog Analyzer Announcements (Announcements) | Click this link or click 'View All' under 'Announcements' in the support page of the EventLog Analyzer solution to go to the EventLog Analyzer user forum announcements page for the latest announcements and updates.

Sign in to Community | Click 'Sign into Community' on the top-right corner of the support page in EventLog Analyzer to join the community and collaborate with your peers and our product experts on product updates and the latest IT trends.
