Eventlog Analyzer User Guide
2. Introduction 2
2.1. Overview 2
3.3. Prerequisites 9
4.19. How to monitor logs from an Amazon Web Services (AWS) Windows instance 66
6.20. Configuring the Syslog Service on Barracuda Web Application Firewall 103
6.21. Configuring the Syslog Service on Barracuda Email Security Gateway 104
6.28. Configuring the Syslog Service on Symantec Endpoint Protection devices 111
6.31. Configuration steps for Syslog forwarding from F5 devices to EventLog Analyzer 114
6.32. Configuration steps for Syslog forwarding from Trend Micro - Deep Security devices to EventLog Analyzer 116
11.5. Creating Correlation custom rules with the Correlation Rule Builder 298
16.1. Integrating and using the MITRE ATT&CK framework with EventLog Analyzer 367
21.4. Migrate EventLog Analyzer Data from PGSQL to MS SQL Database 534
21.5. Migrate EventLog Analyzer Data from MySQL to MS SQL Database 538
21.6. Moving the EventLog Analyzer MSSQL Database to a Different Directory in the Same Server 542
Collect log data from sources across the network infrastructure including servers, applications, network devices, and more.
Analyze log data to extract meaningful information in the form of reports, dashboards, and alerts.
Monitor user behavior, identify network anomalies, system downtime, and policy violations.
Detect internal and external security threats.
Generate predefined reports to meet the requirements of regulatory compliance mandates such as PCI DSS, HIPAA, FISMA, SOX, GLBA, ISO 27001, and more.
How to add devices and applications, and get logs into EventLog Analyzer?
What are the reports available?
How to generate custom reports?
How to search logs for specific information?
How to extract additional fields from the logs?
How to generate and send alert notifications?
How to customize the web client?
Overview
EventLog Analyzer is a web-based, real-time log monitoring and compliance management solution for Security Information and Event Management (SIEM) that improves network security and helps you comply with IT audit requirements. Using an agentless architecture, EventLog Analyzer can collect, analyze, search, report on, and archive logs received from systems (Windows, Linux/UNIX), network devices (routers, switches, firewalls, and IDS/IPS), and applications (Oracle, SQL and Apache). It provides important insights into user activities, policy violations, network anomalies, system downtime, and internal threats. It can be used by network administrators and IT managers to perform audits for regulations such as SOX, HIPAA, PCI DSS, GLBA, etc.
Monitor activities of servers, workstations, devices, and applications spread across geographies.
Monitor user activities like logons/logoffs and objects accessed.
Generate reports for security events of interest.
Generate compliance reports for PCI DSS, HIPAA, FISMA, SOX, GLBA and other regulatory mandates.
Perform log forensics by swiftly searching the log database and save the search results as reports.
Configure automatic e-mail or SMS alerts for indicators of compromise, such as network anomalies or compliance threshold violations.
Execute workflows upon alert generation to respond to security threats automatically.
Secure and tamper-proof archival of log data for forensic analysis and compliance audits.
For real-time Windows event log collection, DCOM, WMI, and RPC have to be enabled on the remote Windows machine for the logs to be collected by EventLog Analyzer.
For real-time syslog collection, ensure that the syslog listener ports in EventLog Analyzer are configured to listen on the port where the syslog or syslog-ng service is running on that particular (Cisco device, UNIX, HP-UX, Solaris or IBM AIX) machine.
For application logs, EventLog Analyzer can be scheduled to import logs (HTTP or FTP) periodically from the
application devices. You can also import and analyze the older logs from Windows and Linux machines.
Enhancements
Custom Pattern enhancements:
The Custom log parsing UI has been enhanced for better user experience
You can now use delimiters to extract additional fields while parsing logs.
An Auto-Identify option has been included to detect standard fields and key-value pair logs.
Application & Windows Reports Enhancements:
The Application and File Monitoring device drill down can now be viewed under Reports.
Reports for Windows File Monitoring have been added.
You can now get All Events and Important Reports for Applications.
Windows Reports have now been regrouped to provide significant information.
The packet capture tool for troubleshooting in Syslog Viewer has been enhanced for better filtering.
The performance of the log collector has been enhanced to ensure optimum utilization of resources.
The service pack installation has been made secure by checking the PPM file for any tampering.
EventLog Analyzer now supports vCenter version 7.
EventLog Analyzer now supports SMB version 3.
Fixes
This release includes fixes for issues related to:
Issue with incorrect or null field values being sent via SMS notification has been fixed.
It was observed that Archives were being wrongly flagged as tampered during unanticipated shutdowns of
EventLog Analyzer. This has been fixed.
A memory issue while loading archived logs with parsed fields has been fixed.
The incorrect log count issue in device drill down of Application and File Integrity Monitoring in log sources has
been fixed.
The issue of excessive storage consumption of databases has been fixed.
Issues related to HSTS and XSS have been fixed.
SQL injection and RCE vulnerabilities have been fixed.
Note: The enhancements and fixes for the Distributed Edition are the same as that of the Standalone edition.
Hardware Requirements
Windows
Linux
VMware
VMware environment
Note :
With its Universal Log Parsing and Indexing (ULPI) technology, EventLog Analyzer can support any log and
data source that is in human-readable format.
For analyzing logs from Windows NT machine, WMI core should be installed on the Windows NT machine.
Syslogs received from SNARE agents for Windows will be displayed as Windows devices.
Log Records Rate (or) Volume | RAM Size | Hard Disk Space Requirement Per Month to Archive Logs
PostgreSQL
External Databases
Run EventLog Analyzer on a separate, dedicated PC or server. The software is resource-intensive, and a busy
processor may cause problems while collecting event logs.
Use the PostgreSQL bundled with EventLog Analyzer that runs on port 33335. You need not start another separate
instance of PostgreSQL.
As mentioned in the prerequisites, for better performance, you can modify the existing PostgreSQL parameters.
Enable disk encryption for better security.
Port Numbers | Usage | Description
8400 (TCP) | Web server port | This is the default web server port used by EventLog Analyzer. This port is used for connecting to EventLog Analyzer using a web browser.
513, 514 (UDP) | Syslog listener port | These are the default Syslog listener ports for UDP. Ensure that devices are configured to send Syslogs to any one of these ports.
514 (TCP) | Syslog listener port | This is the default Syslog listener port for TCP. Ensure that devices are configured to send Syslogs to this port.
33335 (TCP) | PostgreSQL/MySQL database port | This is the port used for connecting to the PostgreSQL/MySQL database in EventLog Analyzer.
EventLog Analyzer uses the following ports for WMI, RPC, and DCOM:
49152-65534 (TCP) | WMI, DCOM, RPC | Incoming traffic ports in the EventLog Analyzer server. The same ports will be used as outgoing traffic ports in the devices and must be opened. DCOM uses a callback mechanism on random ports between 49152-65534 for Windows Server 2008 and 1024-65534 for previous versions.
EventLog Analyzer uses the following ports for local agent to server UDP communication:
5000, 5001, 5002 (UDP) | UDP ports for EventLog Analyzer local agent-server communication | EventLog Analyzer uses these UDP ports internally for agent to server communication. Ensure that the ports are free and not occupied by other local applications running in the machine. Some additional higher range ports (1024-65534) will be opened to connect with these ports for internal communication.
EventLog Analyzer uses the following ports for remote agent to server TCP communication:
Port Numbers | Usage | Description
446-449, 8470-8476, 9470-9476 (TCP) | Keep the mentioned ports opened for access to IBM AS/400 machines.
445 (TCP) | The Server Message Block (SMB) protocol uses this port to read the log files.
url=jdbc:postgresql://localhost:33335/eventlog?stringtype=unspecified
to
host all all <IP address of the remote machine to be used to troubleshoot>/32 trust
Before installing EventLog Analyzer, make the installation file executable by executing the following commands in a Unix terminal or shell:
Upon starting the installation you will be taken through the following steps:
Agree to the terms and conditions of the license agreement. You may print it for offline reference.
Select the folder to install the product. Use the Browse option. The default installation location
is C:\ManageEngine\EventLog Analyzer. If the new folder or the default folder does not exist, it will be created and
the product will be installed.
Enter the web server port. The default port number is 8400. Ensure that the default port or the port you have
selected is not occupied by some other application.
Enter the folder name in which the product will be shown in the Program Folder. The default name
is ManageEngine EventLog Analyzer.
Enter your personal details to get assistance.
At the end of the procedure, the wizard displays the ReadMe file and starts the EventLog Analyzer server.
With this the EventLog Analyzer product installation is complete.
How to uninstall?
The procedure to uninstall for both 64 Bit and 32 Bit versions is the same.
Windows:
1. Navigate to the Program folder in which EventLog Analyzer has been installed. By default, this is Start > Programs >
3. You will be asked to confirm your choice, after which EventLog Analyzer is uninstalled.
Linux:
3. You will be asked to confirm your choice, after which EventLogAnalyzer is uninstalled.
Select the desktop shortcut icon for EventLog Analyzer to start the server. (or)
Select Start > Programs > ManageEngine Log360 <version number> > Log360 to start the server.
If the server is started and you wish to access it, you can use the tray icon in the task bar to connect to EventLog
Analyzer.
Windows Service:
During installation, you would have chosen to install EventLog Analyzer as an application or a service. If you installed it as
an application, you can carry out the procedure to convert the software installation to a Windows Service.
Once the software is installed as a service, follow the steps given below to start EventLog Analyzer as a Windows Service:
Linux Application:
Navigate to the <EventLog Analyzer Home>/bin directory and execute the run.sh file.
When the respective run.sh file is executed, a command window opens up and displays the startup information of
several EventLog Analyzer modules. Once all the modules are successfully started, the following message is
displayed:
Server started.
The 8400 port is replaced by the port you have specified as the web server port during installation.
Note: If the default syslog listener port of EventLog Analyzer is not free, then EventLog Analyzer displays "Can't Bind to Port <Port Number>" when logging in to the UI.
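The following script is an added example, not part of EventLog Analyzer or its documentation. It attempts to bind each default listener port from the port table (web server 8400, syslog 513/514 UDP and 514 TCP, database 33335) the way the server would, and classifies the result as free, already in use by another program, or refused for lack of privileges (on Linux, a non-root process typically cannot bind ports below 1024, so 513 and 514 need the service to run with sufficient rights). That distinction matters because the fix for each case is different, and running the check before starting the service surfaces a "Can't Bind to Port" condition early. The port list reflects the documented defaults; substitute any ports you changed at installation time.

```python
"""Pre-flight check for the default listener ports of EventLog Analyzer.

Added example, not part of the product: it tries to bind each port the
way the server would and classifies the outcome, so a "Can't Bind to
Port" condition can be found before the service is started. The port
numbers are the documented defaults; substitute the ones chosen at
installation time.
"""
import socket

# (port, protocol, purpose): defaults from the port table
DEFAULT_LISTENERS = [
    (8400, "tcp", "web server port"),
    (513, "udp", "syslog listener (UDP)"),
    (514, "udp", "syslog listener (UDP)"),
    (514, "tcp", "syslog listener (TCP)"),
    (33335, "tcp", "bundled PostgreSQL/MySQL database port"),
]


def probe_port(port, proto, host="0.0.0.0"):
    """Return 'free', 'in_use' or 'privileged' for one port/protocol.

    'privileged' means the OS refused the bind for lack of rights, which on
    Linux is what a non-root process gets for ports below 1024 (513/514);
    the fix differs from 'in_use', where another program owns the port.
    """
    socktype = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    sock = socket.socket(socket.AF_INET, socktype)
    try:
        sock.bind((host, port))
        return "free"
    except PermissionError:
        return "privileged"
    except OSError:
        # EADDRINUSE: some other process already holds the port
        return "in_use"
    finally:
        sock.close()


def preflight(listeners=DEFAULT_LISTENERS, host="0.0.0.0"):
    """Probe every listener; returns (port, proto, purpose, status) tuples."""
    return [(port, proto, why, probe_port(port, proto, host))
            for port, proto, why in listeners]


def blocking_issues(results):
    """Keep only the entries that would stop the server from binding."""
    return [entry for entry in results if entry[3] != "free"]


def hold_port(host="127.0.0.1"):
    """Occupy an OS-chosen TCP port; returns (socket, port) so the caller can
    reproduce the 'in_use' case and release it again with socket.close()."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind((host, 0))
    holder.listen(1)
    return holder, holder.getsockname()[1]


if __name__ == "__main__":
    for port, proto, purpose, status in preflight():
        print(f"{port:>5}/{proto:<3} {purpose:<40} {status}")
    # Demonstrate the 'in_use' classification against a port this script holds
    holder, busy = hold_port()
    print(f"demo: port {busy} held by this script ->",
          probe_port(busy, "tcp", "127.0.0.1"))
    holder.close()
```

Run it on the EventLog Analyzer host before starting the service; anything reported by blocking_issues() must be resolved (stop the conflicting program, change the listener port, or start the service with the rights needed for the privileged ports) or the syslog listener will fail to start as the note above describes.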
Linux Service:
During installation, you would have chosen to install EventLog Analyzer as an application or a service. If you installed it as
an application, you can carry out the procedure to convert the software installation to a Linux Service.
Once the software is installed as a service, execute the command given below to start Linux Service:
Check the status of the EventLog Analyzer service by executing the following command (sample output given
below):
Windows Application:
Navigate to the Program folder in which EventLog Analyzer has been installed. By default, this is Start > Programs >
ManageEngine Log360 <version number>. Select the Shut Down EventLog Analyzer option.
Alternatively, you can navigate to the <EventLog Analyzer Home>\bin folder and execute the shutdown.bat file.
You will be asked to confirm your choice, after which the EventLog Analyzer server is shut down.
Windows Service:
Linux Application:
Navigate to the <EventLog Analyzer Home>/bin directory. Execute the shutdown.sh file.
You will be asked to confirm your choice, after which the EventLog Analyzer server is shut down.
Linux Service:
Execute the commands given below to stop the Linux service (sample outputs are given):
Windows
(or)
Linux:
Direct Call:
Direct Call:
(or)
Note: You can also execute run.bat but this is not preferred.
Open a supported web browser. Type the URL address as http://<devicename>:8400 (where <devicename> is the
name of the machine in which EventLog Analyzer is running, and 8400 is the default web server port)
You can also open EventLog Analyzer from the EventLog Analyzer shortcut available in the desktop.
Log in to EventLog Analyzer using the default username/password combination of admin/admin.
If you import users from Active Directory or add RADIUS server details, you will find that the options are listed in
the Log on to field (below the Password field). In this case, enter the User Name, Password, and select one of the
three options in Log on to (Local Authentication or Radius Authentication or Domain Name). Click the Login
button to connect to EventLog Analyzer.
EventLog Analyzer provides two external authentication options apart from the local authentication. They are Active
Directory and Remote Authentication Dial-in User Service (RADIUS) authentication. The Log on to field will list the
following options:
Local Authentication - If the user details are available in the local EventLog Analyzer server user database.
Radius Authentication - If the user details are available in a RADIUS server and dummy user entries are available in
the local EventLog Analyzer server user database.
Domain Name(s) - If the user details of a domain are imported from Active Directory into the local EventLog
Analyzer server user database.
Once you log in, you can start collecting logs, generating reports and more.
Note: Before starting the backup process, stop the EventLog Analyzer service.
Find the current location of the database files:
use eventlog
go
sp_helpfile
go
Detach the database:
use master
go
sp_detach_db 'eventlog'
go
Backup the data file and log file from the current location <MSSQL Home>\data\eventlog.mdf and
<MSSQL_Home>\data\eventlog_log.LDF to the new location <New Location>\eventlog.mdf and
<New Location>\eventlog_log.LDF.
Re-attach the database and point it to the new location by using the following commands:
use master
go
sp_attach_db 'eventlog', '<New Location>\eventlog.mdf', '<New Location>\eventlog_log.LDF'
go
EventLog Analyzer comes in two editions: Standalone and Distributed. The solution is licensed based on the number of
Windows Workstations, Windows Servers, and Syslog devices along with add-ons such as Application Auditing for IIS and
SQL servers , Linux File Server Auditing and Advanced Threat Analytics.
Available Editions
Standalone Edition
If your company is a Small or Medium Business (SMB), the network is in a single geographical location, and the number of
devices and/or applications to be monitored is less than 1000, the Standalone edition is suitable for your company. Also, the
log reception rate should be well within 20,000 logs/second. If your log rate increases, then you can easily switch over to
Distributed Edition to handle the capacity.
Distributed Edition
If your company is a Large Business or Managed Security Service Provider (MSSP), and the network is spread
across multiple geographical locations, the Distributed edition is suitable for your company. You can monitor 50 to virtually
unlimited number of hosts/applications with this edition.
License Models
Perpetual model
In this model, the licensing is perpetual and a nominal amount is charged as Annual Maintenance and Support (AMS) fee to
provide the maintenance, support, and updates.
Subscription model
In this model, the license is valid for one year, after which it expires. To continue, the license should be renewed every year. The Annual Maintenance and Support (AMS) fee is included in the subscription price and not charged separately.
Note: The new license is applied with immediate effect. You do not have to shut down and restart the server after the
license is applied.
Home
The Home tab provides dashboards that allow you to gain a high-level overview of important security events in the
network. You can view the severity levels of events, trends in logs, network traffic, and security threats that have been
flagged.
Reports
The Reports tab displays audit reports. EventLog Analyzer provides over 1000 pre-built reports for a wide range of devices,
networking equipment, and applications. You can view, add, manage, schedule, and filter reports from the reports tab. To
learn more about EventLog Analyzer's reports, see the Reports section of this guide.
Compliance
EventLog Analyzer simplifies IT compliance and regulatory audit(s). The Compliance tab in the UI helps you export
comprehensive compliance reports in any format, tweak the existing report templates, and create new compliance reports.
See the Compliance section of this guide to learn more about compliance reports.
Search
The Search tab allows you to search through your logs and extract relevant information about a security incident. The click-
based search engine makes it easy to drill-down to the root cause of an incident. The search results can then be saved as a
report for auditors.
Correlation
EventLog Analyzer's real-time correlation engine helps you detect and mitigate security threats at an early stage. You can
leverage the predefined rules that address a wide range of use cases and set custom rules based on the requirements of
your organization. See the Correlation section of this guide to learn more about the correlation feature in EventLog Analyzer.
Alerts
The Alerts tab in the UI helps you view all alerts that have been triggered in your network. You can leverage the built-in
alert profiles and configure custom alerting criteria as per your requirements. Furthermore, critical capabilities for incident
response such as ticketing tool integrations and response workflows can be configured here.
Settings
The Settings tab can be used to access the configuration settings, admin settings and system settings.
LogMe
The LogMe tab in the UI displays the different log sources supported by EventLog Analyzer and describes how to configure
them for auditing.
Support
The Support tab allows you to get in touch with our technical support team and gives you access to resources that help you
learn more about the solution. You can also request for a new feature and create support logs from this tab.
+Add
The +Add button in the UI is a shortcut that helps you add log sources for auditing and configure alerts, reports and log
filters without having to use the settings tab.
Adding Devices
Add a device in the user interface using any one of the following menu options:
2. Select the device(s) by clicking on the respective checkbox(es). You can easily search for a device using the search box
Note: You have the option to update, reload and delete a workgroup by clicking on the respective icons next to
the Select Domain drop down window. Optionally, you can manually add the device as shown below by clicking
checkbox.
2. Enter the Username and Password with administrator credentials, and click on Verify Credential.
Caution: If EventLog Analyzer has been installed on a UNIX machine, it cannot collect event logs from Windows
devices. However, third party applications can be used to convert the Windows event logs to Syslogs and forward
them to EventLog Analyzer.
In the Manage Devices page, navigate to the Syslog Devices tab and click on the +Add Device(s) button.
Enter the device name or IP address in the Device(s) field and click on the Add button. Follow the steps below to discover
and add the Syslog devices in your network automatically:
1. Click on the Discover & Add link in the Add Syslog Devices window. You can discover the Syslog devices in your
2. Enter the Start IP and End IP or the CIDR range in order to discover the Syslog devices and click on Next.
4. You may also add an SNMP credential by clicking on the +Add Credential button. Once you pick the SNMP credential,
click on the Scan button to automatically discover the Syslog devices in the specified IP or CIDR range.
5. Select the device(s) by clicking on the respective checkbox(es). You can easily search for a device using the search box
6. Click on the Add Device(s) button to add the devices for monitoring.
Once a Unix device has been added, you will be prompted to Configure Auto Log Forward.
4. In the Syslog Server IP address field, enter the <EventLog Analyzer IP address>.
In the Manage Devices page, navigate to the Other Devices tab and click on the Add Device(s) button. This will open the
Add Device(s) window.
2. Use the Device Name box to type a single device name, or a list of device names separated by commas.
3. Specify the Monitor Interval to configure the frequency at which EventLog Analyzer should fetch logs from the IBM
AS/400 machines. The default (and minimum) monitor interval is 10 minutes.
4. Enter credentials (Login Name and Password) with admin privileges. Verify the details using the Verify Credential link
5. Select the Date Format and the Delimiter. This is the date format used in the logs that will be collected from the IBM
AS/400 devices.
6. Click Add and Close to add this device and return to the list of device monitored, or click Add to add this device and
3. Run the command keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file C:\test.cer
4. Provide the keystore password when prompted. The default password is changeit (case-sensitive).
6. Restart the EventLog Analyzer server. The certificate will be successfully added.
Note: The credentials provided must have an authority level of 50. Otherwise, EventLog Analyzer will not be able to
login to fetch History logs from these devices.
2. Select the Device Type as ESXi and add the VMware device as a Unix device as per the steps given here.
3. Configure the syslog daemon in the VMware device as per the steps mentioned here.
1. In the Application Source Management page, click + Add SQL Server Instance. The SQL server instances are
1. Select the SQL Server instance(s) you wish to monitor and click Next. You will be taken to the Credential
2. If you wish to use the default credentials, select the check-box (default credentials could be the device or domain or
logged on credentials). Alternatively, you can enter a username and password in the credentials field and click Save.
+ Add Manually and you will be prompted to enter details for Windows Server configuration and SQL Server instance
configuration.
Select the Windows server and enter valid credentials. Alternatively, you can use the default credentials.
SQL Server instance configuration
Enter the instance name, port number, and credentials in the given fields
Enable or disable Advanced Auditing.
Note: Enabling advanced auditing will create an audit policy and disabling advanced auditing will remove
the audit policy on the selected SQL Server instance.
Select the instance authentication method (Windows or SQL authentication) from the available dropdown menu.
Click Add.
DDL/DML monitoring: A Server Audit is created with a Server Audit Specification for the following audit action types:
1. FAILED_LOGIN_GROUP
2. SUCCESSFUL_LOGIN_GROUP
3. DATABASE_OBJECT_CHANGE_GROUP
4. DATABASE_PRINCIPAL_CHANGE_GROUP
5. SCHEMA_OBJECT_CHANGE_GROUP
6. SERVER_PRINCIPAL_CHANGE_GROUP
7. LOGIN_CHANGE_PASSWORD_GROUP
8. SERVER_STATE_CHANGE_GROUP
9. SCHEMA_ACCESS_CHANGE_GROUP
Note:
The minimum permission required for a user for advanced auditing is CONTROL SERVER.
EventLog Analyzer supports DDL/DML auditing for the following editions:
Prior to Microsoft SQL Server 2012 - Enterprise and Datacenter editions.
Microsoft SQL Server 2012 and later - Enterprise, Datacenter, and Standard editions.
Only enabled SQL Server instances will be audited. Data presented in the reports is retrieved and updated at the last hour
of each day.
1. The Column Integrity Monitoring report provides information on the changes in a monitored column including who
changed the value, at what time the value was changed, and the database table in which the value was changed.
2. Data types such as text, ntext, and images will not be monitored.
3. Columns to be monitored must be chosen carefully, as triggers are used to monitor changes and this is a performance-intensive operation.
Events Collected
The following are the IDs of events that are collected when advanced auditing is enabled:
SQL Server DBCC Information Reports - 211, 427, 610, 8440, 9100, 15612, 15615, 2509, 2510, 2514, 17557
SQL Servers Logins Reports - 18453, 18454, 18455, 28046, 15537, 15538, 18401, 18451, 18456, 18461, 18462, 18463,
18464, 18465, 18466, 18467, 18468, 18470, 18471, 18486, 18487, 18488, 28048
SQL Server Permission Denied Reports - 229, 300, 230, 262, 916, 5011
2. In the Application Source Management page, click the + Add IIS server button.
4. If you wish to use the default credentials, select the check-box (Default credentials could be the device or domain or
logged on credentials). Alternatively, you can enter a username and password in the credentials field.
5. Select the time-zone from the dropdown menu and enter the desired monitoring interval.
Note:
The time-zone selected must be the same as that of the IIS server. Also, EventLog Analyzer uses port 445 (TCP)
to read IIS log files using the Server Message Block (SMB) protocol.
Alternatively, you can manually add a site by entering the site name, protocol, and log file path in the pop-up that
appears. Choose the file encoding scheme and schedule the log file rollover.
Troubleshooting steps:
2. The device that has been configured must be enabled. This can be done in the Manage Devices tab.
3. Ensure that the Microsoft-IIS-Configuration/Operational option is enabled in the configure event source file for the
Enter the name of the device or click on the + icon to choose from the list of discovered MySQL servers.
Enter the port number of the MySQL server.
Note: If the name of the MySQL server is manually entered, the port number has to be filled. For the MySQL
servers selected from the list of discovered servers, the port number will be filled in automatically.
To make changes to the time zone and file encoding, click on the Advanced button and choose the relevant option from the
drop downs provided.
For Linux devices:
The MySQL server configuration file is found using the mysqld process.
The Secure Shell protocol is used to access the mysqld process to get the configuration file path.
The SFTP protocol is used to read the configuration file.
For Windows devices:
The MySQL server configuration file is found using the mysqld.exe process.
The WMI API is used to access the mysqld.exe process to get the configuration file path.
The SMB protocol is used to read the configuration file.
The configuration file path is taken from the following mysqld command line parameters:
--defaults-extra-file
--defaults-file
If the MySQL configuration file is not found with the mysqld or mysqld.exe process, the following default locations are checked:
/etc/my.cnf
/etc/mysql/my.cnf
From the command line parameters and the configuration file, the MySQL server General log path and Error log path are discovered.
For Windows devices, credentials for discovery are picked in the following order:
1. Domain/workgroup credential if a device is under a domain or a workgroup.
3. Logon credential.
For Linux devices, the credentials used while configuring auto log forward will be used for MySQL discovery.
Note: In Linux installations, MySQL server discovery on Windows devices is not possible.
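The discovery logic described above, modelled in Python as an added example (this is not EventLog Analyzer's own code): the configuration file is taken from the mysqld command line when --defaults-file or --defaults-extra-file is present, otherwise the conventional /etc/my.cnf and /etc/mysql/my.cnf locations are tried, and the general log and error log paths are then read from the [mysqld] section. The fallback order, the rule that command-line options override the file, and the option names general_log_file and log_error are assumptions about a standard mysqld setup rather than details the guide states; the sample command line and configuration files are constructed, and the file reader is injected so the logic runs without touching a real host.

```python
"""Model of the MySQL log-path discovery described above.

Added example, not code from EventLog Analyzer. Steps: read the
configuration file named on the mysqld command line (--defaults-file or
--defaults-extra-file), otherwise fall back to /etc/my.cnf and then
/etc/mysql/my.cnf, then take the general log and error log paths from the
[mysqld] section, with command-line options overriding the file. The
fallback order, the precedence rule and the option names
general_log_file / log_error are assumptions about a standard mysqld
setup; the sample command line and files below are constructed.
"""

DEFAULT_CONF_PATHS = ["/etc/my.cnf", "/etc/mysql/my.cnf"]

# Constructed sample input standing in for a real host
SAMPLE_CMDLINE = ("/usr/sbin/mysqld --defaults-file=/opt/mysql/my.cnf "
                  "--log-error=/var/log/mysql/override.err")
SAMPLE_FILES = {
    "/opt/mysql/my.cnf": (
        "[client]\nport=3306\n"
        "[mysqld]\ngeneral_log = 1\n"
        "general-log-file = /var/log/mysql/general.log\n"
        "log_error = /var/log/mysql/error.log   # from the file\n"
    ),
    "/etc/mysql/my.cnf": "[mysqld]\nlog_error=/var/log/mysql/default.err\n",
}


def cmdline_options(cmdline):
    """Collect --name=value options from a mysqld command line as a dict.

    Names are normalised so --log-error and --log_error are the same key.
    Assumes paths contain no embedded spaces (plain whitespace split).
    """
    opts = {}
    for token in cmdline.split():
        if token.startswith("--") and "=" in token:
            name, value = token[2:].split("=", 1)
            opts[name.replace("-", "_")] = value.strip("'\"")
    return opts


def parse_mysqld_section(text):
    """Minimal my.cnf reader: key=value pairs under [mysqld] only."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "mysqld" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key.replace("-", "_")] = value.strip("'\"")
    return values


def discover_log_paths(cmdline, read_file, candidates=DEFAULT_CONF_PATHS):
    """Return {'config': path-or-None, 'general_log': ..., 'error_log': ...}.

    read_file(path) must return the file text, or None when it is absent;
    passing it in keeps the logic testable without touching the real host
    (dict.get over SAMPLE_FILES for the demo; a reader over SSH/SFTP or
    SMB for a live device).
    """
    cli = cmdline_options(cmdline)
    explicit = cli.get("defaults_file") or cli.get("defaults_extra_file")
    search = [explicit] if explicit else list(candidates)
    config_path, file_opts = None, {}
    for path in search:
        text = read_file(path)
        if text is not None:
            config_path, file_opts = path, parse_mysqld_section(text)
            break
    merged = {**file_opts, **cli}                    # command line wins
    return {
        "config": config_path,
        "general_log": merged.get("general_log_file"),
        "error_log": merged.get("log_error"),
    }


if __name__ == "__main__":
    print(discover_log_paths(SAMPLE_CMDLINE, SAMPLE_FILES.get))
    print(discover_log_paths("/usr/sbin/mysqld", SAMPLE_FILES.get))
```

The injected read_file callable is the point at which the two transports the guide names (SFTP on Linux, SMB on Windows) would plug in; everything else in the discovery is transport-independent.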
Reference: http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#CEGBIIJD
2. Manually add and set the AUDIT_SYSLOG_LEVEL parameter in the initialization parameter file, initsid.ora.
The AUDIT_SYSLOG_LEVEL parameter is set to specify a facility and priority in the format
AUDIT_SYSLOG_LEVEL=facility.priority.
facility: Describes the part of the operating system that is logging the message. Accepted values are user, local0-local7, syslog, daemon, kern, mail, auth, lpr, news, uucp, and cron.
The local0-local7 values are predefined tags that enable you to sort the syslog message into categories. These categories can be log files or other destinations that the syslog utility can access. To find more information about these types of tags, refer to the syslog utility MAN page.
priority: Defines the severity of the message. Accepted values are notice, info, debug, warning, err, crit, alert, and
emerg.
The syslog daemon compares the value assigned to the facility argument of the AUDIT_SYSLOG_LEVEL parameter
with the syslog.conf file to determine where to log information.
For example, the following statement identifies the facility as local1 with a priority level of warning:
AUDIT_SYSLOG_LEVEL=local1.warning
4. Add the audit file destination to the syslog configuration file /etc/syslog.conf.
For example: assuming you had set the AUDIT_SYSLOG_LEVEL to local1.warning, enter the following:
local1.warning /var/log/audit.log
$ /etc/rc.d/init.d/syslog restart
Now, all audit records will be captured in the file /var/log/audit.log through the syslog daemon.
6. Restart the Oracle server so that the changes take effect.
Note: When logged in as SYSDBA/SYSOPER, Oracle database provides limited information on database activity
monitoring.
Hence, to get the complete audit trail activities of Oracle database, we suggest that you log in as a user with privilege
other than SYSDBA/SYSOPER.
Navigate to Settings > Configuration > Manage Application Sources. You can also click on the +Add button on the
top right corner of the Home page and select Application.
Next, select the Other Application Sources tab and click on the +Add Application button.
Choose the Application Type as Printer and enter the name of the device.
Click on the Add button.
After adding a print server in EventLog Analyzer, you can configure logging as instructed below.
Enable Print Server Log: Go to Event Viewer > Application and Service Logs > Print Service. Right click on this and select
'Enable Log'. This will enable logging for the corresponding 'Admin', 'Debug' or 'Operational' processes. The logs can be
viewed in Event Viewer.
Note: If the print server device is a 64-bit Windows OS machine (i.e., Windows Vista and above), carry out the
following registry configuration:
Open the registry editor 'regedit' of the print server machine from the Command Line window.
Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
To create a new key, right click on eventlog, click new > key. You can name the key as Microsoft-Windows-
PrintService/Operational or Microsoft-Windows-PrintService/Admin or Microsoft-Windows-
PrintService/Debug as per your logging process requirement.
For instance, if you need to enable logging for the Operation process, create a new key with the name Microsoft-
Windows-PrintService/Operational.
This will convert the log type to 'Administrative' thus enabling you to perform searches and generate reports out of these
logs.
In order to obtain the document name, you have to enable the audit policy:
If syslogs are simultaneously forwarded from a device that has already been configured as a Windows Device, EventLog
Analyzer server will ignore the syslogs in order to maintain a single base log source. If you want to configure EventLog
Analyzer server to receive syslogs too from a Windows device, follow the procedure given below:
In Search
Navigate to Search. You can search for Syslog Application logs by clicking the drop down box and scrolling down. You will
find a specific logtype categorization for Syslog Application.
Devices that have Sysmon installed in them can be added as Sysmon Application to categorize the events into different
reports.
In Search
Navigate to Search. You can search for Sysmon Application logs by clicking the drop down box and scrolling down. You will
find a specific logtype categorization for Sysmon Application.
Please note that these configurations will be added automatically when the device gets added as a Sysmon Application,
provided the credentials have the privilege to access the registry and add the key. If not configured automatically, this key
has to be added and enabled for logging to take place.
Using the Command Line window, open the registry editor 'regedit' on the device where Sysmon is installed.
Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
To create a new key, right click on eventlog and click New > Key. Name the key Microsoft-Windows-Sysmon/Operational.
Configuring Terminal Server: Open Event Viewer > Application and Service Logs > Microsoft > Windows >
TerminalServices-Gateway > Operational, right click and select 'Enable Log'. This will enable logging for the
corresponding 'Gateway' or 'Operational' processes. The logs can be viewed in Event Viewer.
Note: If the terminal server device is a 64-bit Windows OS machine (i.e., Windows Vista and above), carry out the
following registry configuration:
Open the registry editor 'regedit' of the terminal server machine from the Command Line window.
Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
To create a new key, right click on eventlog and click New > Key. Name the key
Microsoft-Windows-TerminalServices-Gateway/Operational.
This will convert the log type to 'Administrative' thus enabling you to perform searches and generate reports out of these
logs.
2. In the Application Source Management page, navigate to Other Servers > Add application.
4. Enter the device's name in the given field. Alternatively, you can select the device by clicking the + button.
5. Click Add.
Troubleshooting tips
If you are unable to add a SQL Server or other applications, ensure the following:
1. The credentials used are valid and have the necessary permissions.
This solution provides you the capability to import log files. The supported log formats include Windows and syslog device
formats, application log formats and archived files log formats.
Note: To import .evt logs (Windows XP and Windows 2003), you will need to convert the .evt to .evtx using the
command wevtutil export-log application.evt application.evtx /lf in your EventLog Analyzer installation.
With this option, you can import log files from any device that has access to EventLog Analyzer.
2. Click on Browse to select the necessary file(s) from your local device. Alternatively, you can enter the device name (or)
IP address of the device (or) specify the full UNC path, then click on Open. The necessary file(s) are selected.
3. If you know the log format of the log file, select the log format from the given drop-down. If you do not know the log
Note: You can view a preview of the selected log file and extract the desired fields, by clicking on the View
symbol of the attached log file and enabling the pop-up window option in your browser.
4. Click on the + button and OK to select the device that the log file is associated to. You can also enter the name of the
5. If you wish to store the imported logs for 2 days, enable the Store logs for a short term option. By default, the log
6. Click on Import.
The log file import via Universal Naming Convention (UNC) path allows you to access shared network folders on a local area
network (LAN).
1. From the File Location option, select Shared Path.
2. Enter the device name or IP address from which you wish to upload the log file. Alternatively, you can click on Browse
3. Select the desired file from the device and click OK. The necessary file is selected.
4. If you know the log format of the log file, select the log format from the given drop-down. If you do not know the log
Note: You can view a preview of the selected log file and extract the desired fields, by clicking on the View
symbol of the attached log file and enabling the pop-up window option in your browser.
5. Click on the + button and OK to select the device that the log file is associated to. You can also enter the name of the
6. If you wish to store the imported logs for 2 days, enable the Store logs for a short term option. By default, the log
7. If you want to automate a log file import at regular time intervals, enable the Schedule log import option.
8. With the Schedule drop-down menu you can customize the time interval between each log file import.
9. Additionally, you can build a file name pattern for the imported log files, using the time format options given. The name
of the file stored at the specified time is updated in accordance to the file name pattern.
To import log files from a remote path you will need the credentials of the device you are trying to access (username and
password).
1. From the File Location option, select Remote Path.
2. Enter the device name or IP address from which you wish to upload the log file. Alternatively, you can click on the +
3. Select the desired file from the device and click OK. The necessary file is selected.
4. Choose the required protocol (Ethernet, FTP and SFTP) and enter the port number.
5. Enter the credentials (i.e., the username and password) for the remote device in the given fields.
6. If you know the log format of the log file, select the log format from the given drop-down. If you do not know the log
Note: You can view a preview of the selected log file and extract the desired fields, by clicking on the View
symbol of the attached log file and enabling the pop-up window option in your browser.
7. Click on the + button and OK to select the device that the log file is associated to. You can also enter the name of the
8. If you wish to store the imported logs for 2 days, enable the Store logs for a short term option. By default, the log
9. If you want to automate a log file import at regular time intervals, enable the Schedule log import option.
10. With the Schedule drop-down menu you can customize the time interval between each log file import.
11. Additionally, you can build a file name pattern for the imported log files, using the time format options given. The name
of the file stored at the specified time is updated in accordance to the file name pattern.
File Encoding
EventLog Analyzer supports different encoding types for log files. You can choose the encoding type of the log files that you
import. The default encoding type is UTF-8.
Time Zone
EventLog Analyzer gives you the option of choosing the time zone in which the imported log was recorded. The
default is the time zone configured on the EventLog Analyzer server.
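The two import options above decide how the log text is decoded and how its timestamps are placed on the timeline. The following added example (not EventLog Analyzer code) shows what goes wrong when either is set incorrectly: a file saved in Latin-1 refuses to decode as UTF-8, and a log recorded in a +05:30 zone lands 5.5 hours off if it is imported as if it were in the server's zone. The sample log lines are constructed, and zone offsets are given as strings such as "+05:30" rather than zone names so the example runs without a tz database.

```python
"""Added example, not EventLog Analyzer code: what the File Encoding and Time Zone
import options protect against. The log text below is constructed; the zone
offsets are passed explicitly so the example runs without a tz database."""
import re
from datetime import datetime, timedelta, timezone

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

# Constructed sample: application log with naive timestamps and one non-ASCII name.
SAMPLE_LOG = (
    "2024-03-01 09:15:00 login failed user=alice src=10.0.0.5\n"
    "2024-03-01 09:15:07 login failed user=alice src=10.0.0.5\n"
    "2024-03-01 09:15:09 login failed user=\u00e9mile src=10.0.0.5\n"
)


def parse_offset(spec: str) -> timezone:
    """'+05:30' / '-08:00' / 'Z' -> tzinfo (stand-in for the guide's time zone picker)."""
    if spec == "Z":
        return timezone.utc
    sign = 1 if spec[0] == "+" else -1
    hours, minutes = (int(x) for x in spec[1:].split(":"))
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def decode_log(raw: bytes, encoding: str = "utf-8") -> list:
    """Decode with the declared encoding. errors='strict' makes a wrong choice fail
    loudly instead of importing mojibake that later breaks searches and reports."""
    return raw.decode(encoding, errors="strict").splitlines()


def encoding_matches(raw: bytes, encoding: str) -> bool:
    """True if the whole file decodes cleanly with the given encoding."""
    try:
        raw.decode(encoding, errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def normalize_line(line: str, source_tz: timezone, server_tz: timezone):
    """Re-stamp a naive timestamp from the zone it was recorded in to the server zone."""
    m = TS_RE.match(line)
    if not m:
        return None
    recorded = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=source_tz)
    return {"time": recorded.astimezone(server_tz).isoformat(), "message": m.group(2)}


def import_log(raw: bytes, encoding: str, source_offset: str, server_offset: str) -> list:
    """Decode the file and return the records with timestamps in the server zone."""
    src, srv = parse_offset(source_offset), parse_offset(server_offset)
    records = (normalize_line(line, src, srv) for line in decode_log(raw, encoding))
    return [r for r in records if r is not None]


def skew_hours(source_offset: str, server_offset: str) -> float:
    """How many hours too late events appear if the source zone is left at the
    server default (positive means the events are shifted into the future)."""
    delta = parse_offset(source_offset).utcoffset(None) - parse_offset(server_offset).utcoffset(None)
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    latin1 = SAMPLE_LOG.encode("latin-1")
    print("decodes as utf-8:", encoding_matches(latin1, "utf-8"))      # False
    print("decodes as latin-1:", encoding_matches(latin1, "latin-1"))  # True
    for rec in import_log(SAMPLE_LOG.encode("utf-8"), "utf-8", "+05:30", "Z"):
        print(rec)
    print("skew if zone left at UTC:", skew_hours("+05:30", "Z"), "hours")
```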
To import logs from AWS S3 buckets, you first need to create an IAM user with access to the S3 bucket(s). You can also
grant users access to only specific S3 buckets by following the steps given in this link.
In the Cloud tab, click the link displayed to configure the AWS account.
Enter the Display Name, Access Key, and Secret Key of the AWS account and click Add.
MySQL Logs
EventLog Analyzer supports only error logs and general logs from MySQL. MySQL logon failures are taken into account
from MySQL general query logs.
Open the my.cnf file (in case of Linux) or my.ini file (in case of Windows) and add the below entries to the file.
For error logs: log_error=<error-log-file-name>
For general logs:
>= v5.1.29:
general_log_file=<general-log-file-name>
general_log=1 (or) ON
< v5.1.29:
log=<log-file-name>
Restart the MySQL instance for the changes to take effect.
To import MySQL logs in EventLog Analyzer,
You can import MySQL log files from a local path, a shared path, or a remote path.
To import MySQL log files, you need to manually choose the log format. Once you've selected the right file, select
MySQL Logs from the Log Format drop-down list in the Selected File(s) section.
Click Import to initiate the log importing process.
Note: The user should have permission to read this audit file while importing.
EventLog Analyzer also supports diagnostic logs. Click here to learn how to generate the diagnostic logs report.
The configure parameter modifies the db2audit.cfg configuration file in the instance's security subdirectory. All updates to
this file will occur even when the instance is stopped. Updates occurring when the instance is active will dynamically affect
the auditing being done by the Db2 instance. To know more about all possible actions on the configuration file, refer source
Note: Replace the given paths with the paths of your choice for data path and archive path respectively.
> db2audit configure scope all status both errortype normal
Note: Replace the given parameters with the parameters of your choice.
Run the following command to create an audit policy for the database:
Note: Replace policy_name with the policy name of your choice. Replace the given parameters with the
command parameters of your choice. To know more about the allowed command parameters, refer source.
Note: Replace policy_name with the name of the audit policy that you created.
You can archive the active logs from both instance and database. The logs will be archived to the archive path that you
configured in the first step.
Now the logs will be archived to a new file with a timestamp appended to the filename. An example of the filename is given
below.
Instance Log file: db2audit.instance.log.0.20060418235612
Database Log file: db2audit.db.your_database.log.0.20060418235612
Both files have to be extracted into a human-readable format to be imported into EventLog Analyzer.
Note: Replace the instancelog with the filename of your choice. Replace
db2audit.instance.log.0.20060418235612 with the filename of the archived instance logs.
Both files will be extracted to the given archive path and can be imported into EventLog Analyzer.
Diagnostic Logs
EventLog Analyzer also provides a report for diagnostic logs. To generate the diagnostic logs report, follow the given steps.
Run the following command to find the location of the diagnostic log file.
Note: The path corresponding to Current member resolved DIAGPATH is the path to the diagnostic log file.
Navigate to the specified path and import the file named db2diag.txt to EventLog Analyzer. Here is a
comprehensive guide on how to import log files in EventLog Analyzer.
4. The log file format selected from the drop-down matches the log format of the chosen file.
After five minutes you can view the reports rolling out for the AWS instance.
Note:
Install one agent on each AWS Windows server instance.
You should not associate other AWS server instances with an AWS agent.
For EventLog Analyzer to collect Windows Firewall logs, modify the local audit policy of added Windows devices and enable
firewall-related events. Follow the steps below to carry this out.
1. Open the command prompt.
3. Restart the device (or) force a manual refresh by using the following command: gpupdate /force
For EventLog Analyzer to collect Hyper-V logs, follow the steps below on the respective Windows device:
1. Open your Event Viewer.
Hyper-V-Config
Hyper-V-High-Availability
Hyper-V-Hypervisor
Hyper-V-Integration
Hyper-V-SynthFC
Hyper-V-SynthNic
Hyper-V-SynthStor
Hyper-V-VID
Hyper-V-VMMS
This will enable logging of Hyper-V logs, and the logs can be viewed in Event Viewer.
To perform searches and generate reports out of these logs, carry out the following registry configuration on the respective
Windows machine:
1. Open the registry editor, 'regedit' in a Command Line Window.
2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
3. Right click on 'eventlog' and create new keys with the following names:
Microsoft-Windows-Hyper-V-Config
Microsoft-Windows-Hyper-V-High-Availability
Microsoft-Windows-Hyper-V-Hypervisor
Microsoft-Windows-Hyper-V-Integration
Microsoft-Windows-Hyper-V-SynthFC
Microsoft-Windows-Hyper-V-SynthNic
Microsoft-Windows-Hyper-V-SynthStor
Microsoft-Windows-Hyper-V-VID
Microsoft-Windows-Hyper-V-VMMS
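The Print Service, Terminal Services Gateway, Sysmon and Hyper-V procedures above all come down to the same step: creating one empty subkey per event channel under the eventlog registry key. Creating nine keys by hand in regedit on every Hyper-V host is error-prone, so the added example below (not part of the guide or of EventLog Analyzer) generates a .reg file for the channel names the guide lists, and parses the output of a `reg query` on the eventlog key to report which channels a host is still missing. The sample `reg query` output is constructed for the example; the file name channels.reg is a placeholder.

```python
"""Added example, not part of the EventLog Analyzer guide: generate a .reg file that
creates the eventlog subkeys the guide asks for, and check 'reg query' output to
see which keys a host already has. Channel names are the ones listed in the guide;
the sample 'reg query' output is constructed."""

EVENTLOG_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog"

# Event channels from the guide; each becomes a subkey directly under eventlog\.
# The forward slash is part of the key name; only a backslash separates keys.
PRINT_CHANNELS = [
    "Microsoft-Windows-PrintService/Operational",
    "Microsoft-Windows-PrintService/Admin",
    "Microsoft-Windows-PrintService/Debug",
]
TERMINAL_CHANNELS = ["Microsoft-Windows-TerminalServices-Gateway/Operational"]
SYSMON_CHANNELS = ["Microsoft-Windows-Sysmon/Operational"]
HYPERV_CHANNELS = [
    "Microsoft-Windows-Hyper-V-Config",
    "Microsoft-Windows-Hyper-V-High-Availability",
    "Microsoft-Windows-Hyper-V-Hypervisor",
    "Microsoft-Windows-Hyper-V-Integration",
    "Microsoft-Windows-Hyper-V-SynthFC",
    "Microsoft-Windows-Hyper-V-SynthNic",
    "Microsoft-Windows-Hyper-V-SynthStor",
    "Microsoft-Windows-Hyper-V-VID",
    "Microsoft-Windows-Hyper-V-VMMS",
]


def reg_key_line(channel: str) -> str:
    """Return the [KEY] header line that makes regedit create the subkey."""
    if not channel or "\\" in channel or channel != channel.strip():
        # A backslash would create nested keys; stray whitespace would silently
        # produce a key that Event Viewer never matches to the channel.
        raise ValueError(f"invalid channel name: {channel!r}")
    return f"[{EVENTLOG_ROOT}\\{channel}]"


def build_reg_file(channels) -> str:
    """Text of a 'Version 5.00' .reg file creating one empty key per channel."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for channel in dict.fromkeys(channels):  # drop duplicates, keep order
        lines += [reg_key_line(channel), ""]
    return "\r\n".join(lines)


def existing_eventlog_keys(reg_query_output: str) -> set:
    """Subkey names found in the output of
    'reg query HKLM\\SYSTEM\\CurrentControlSet\\services\\eventlog',
    lower-cased because registry key names are case-insensitive."""
    prefix = EVENTLOG_ROOT.lower() + "\\"
    found = set()
    for line in reg_query_output.splitlines():
        line = line.strip().lower()
        if line.startswith(prefix):
            found.add(line[len(prefix):])
    return found


def missing_channels(reg_query_output: str, wanted) -> list:
    """Channels from 'wanted' that the host does not have a key for yet."""
    present = existing_eventlog_keys(reg_query_output)
    return [c for c in wanted if c.lower() not in present]


# Constructed 'reg query' output for a host that already has the PrintService key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-PrintService/Operational
"""

if __name__ == "__main__":
    todo = missing_channels(SAMPLE_REG_QUERY, PRINT_CHANNELS + HYPERV_CHANNELS)
    # Version 5.00 .reg files are UTF-16; apply on the host with: regedit /s channels.reg
    with open("channels.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(build_reg_file(todo))
    print(f"{len(todo)} keys written to channels.reg")
```

Run `reg query HKLM\SYSTEM\CurrentControlSet\services\eventlog` on the host, feed its output to `missing_channels`, and import the generated file with `regedit /s`; re-running the query afterwards should return no missing channels.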
Note: EventLog Analyzer supports log collection from any device which has remote logging capability, via the UDP or TCP
protocol. The default UDP ports are 513 and 514 and the default TCP port is 514 in EventLog Analyzer.
Depending on the requirements of your environment, you can choose the appropriate protocol for log collection.
3. Specify the audit logs that are to be stored in the journal receiver.
Once the journal receiver is created and the logs specified are collected in it, EventLog Analyzer will fetch those logs for
monitoring, report generation and alert notification.
Note: For setting up Security auditing in AS 400/iSeries machines, you must have the *AUDIT special authority.
Note: This example uses a library called JRNLIB for journal receivers.
Place the journal receiver in any library of your choice. Ensure that it is not placed in the QSYS library, which is a
system library.
Enter a name for the journal receiver.
When you want the naming convention to be applied to naming all journal receivers, use the *GEN option.
Specify an appropriate threshold level that suits your system size and activity. The size you choose should be based
on the number of transactions on your system and the number of actions you choose to audit. For system change
journal management support, the threshold must be at least 5000KB.
To limit access to the information stored in the journal, specify *EXCLUDE on the AUT parameter.
JRNRCV(JRNLIB/AUDRCV0001)+
MNGRCV(*SYSTEM) DLTRCV(*NO)+
Specify the journal receiver name that you created, using the JRNRCV parameter.
Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal.
(*SYSTEM) is passed as the parameter for Manage Receiver (MNGRCV). Thus when the attached journal receiver
reaches its threshold size, the system itself detaches this receiver and creates and attaches a new journal receiver.
Avoid detaching receivers and creating and attaching new receivers manually using the CHGJRN command.
To retain the detached journal receivers, specify (*NO) as the value for DLTRCV. This will prevent the automatic
deletion of detached receivers by the system.
QAUDJRN receivers are your security audit trail. Hence, ensure that they are adequately archived.
To specify which actions are to be logged into the audit journal for all the users on the system, you need to set the
audit level to the QAUDLVL system value using the WRKSYSVAL command.
If you want to set action and object auditing for specific users, use the CHGUSRAUD command.
You can also set object auditing for specific objects as per your requirement, using
the CHGOBJAUD and CHGDLOAUD commands.
Setting the QAUDENDACN system value determines the system's action when it is unable to write an
entry to the audit journal.
With the QAUDFRCLVL system value parameters, you can control the transfer of audit records from memory to
auxiliary storage.
To start auditing set the QAUDCTL system value to any value other than *NONE.
Once this security auditing set up is completed, EventLog Analyzer will automatically fetch the logs collected in the journal
receiver of the AS400/iSeries device that is added for monitoring. If the AS400/iSeries machine is not added to EventLog
Analyzer server, add the device to begin collecting its logs.
Example:
$kato config set logyard drainformats/systail-ela-local[{<13>{{.Text}}]
By default, EventLog Analyzer uses 513 and 514 as default UDP ports. In case you have changed the UDP port
number, specify the same here.
Logyard will now drain all logs in the specified format to the given EventLog Analyzer UDP port. EventLog
Analyzer can now collect all the Stackato logs as syslogs and analyze them with special reports.
2. Enable the required TLS port. Settings > System Settings > Listener ports
3. Configure your McAfee ePO server to use the newly created syslog server.
4. Add a new registered server and select Syslog for the type of server.
6. Enter 6514 for the port number. If the TLS listener port number was changed, enter that port number instead.
9. Click on save.
Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed
in the form of reports.
1. In the EventLog Analyzer console, navigate to Settings > Configurations > Manage Threat Source > Add Source
2. Click on Existing Host and select the device you had added from the list of existing devices.
4. Click on Add.
McAfee Events
McAfee Threat Reports
McAfee Virus Reports
2. Navigate to Audit -> Resource Audit -> Audit Actions -> Configure Resource Audit. Enable the Generate Syslog option
for all operations and click Save.
3. Navigate to Audit -> User Audit -> Audit Actions -> Configure User Audit. Enable the Generate Syslog option for all
operations and click Save.
4. Navigate to Admin -> Integration -> SNMP Traps / Syslog Settings and click Syslog Collector.
Enter the EventLog Server name and a port that the EventLog Analyzer instance is listening to.
3. Click Add.
Profile Type
Destination Port - Any port that the EventLog Analyzer instance is listening to.
Severity and Facility must be the default values i.e. $severity and kernel.
For EventLog Analyzer to parse logs from OpManager, the message variables in the syslog profile of OpManager
should be entered in the following format:
ALARM_MESSAGE:$message
ALARM_ID:$alarmid
ALARM_CODE:$alarmid
ALARM_CATEGORY:$category
ALARM_SEVERITY:$stringseverity
ALARM_TRIGGER_TIME:$strModTime
ALARM_EVENT_TYPE:$eventType
Entity: $entity
4. Click Next.
Criteria
Device Selection
Select the By Device option and select all the devices listed under Remaining Devices and click Next.
Schedule
Preview
Note: If the same machine is running two or more ManageEngine products, ensure the following:
The EventLog Analyzer port receiving logs from OpManager and Password Manager Pro is not used by other
ManageEngine products.
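The message variables above are what make an OpManager alarm parseable once it arrives as a syslog message. The following added example (not EventLog Analyzer's parser) extracts those fields from a forwarded message and reports which required labels are absent, which is a quick way to verify a profile before relying on its reports. The sample message is constructed; since the guide does not state whether OpManager joins the variables with newlines or spaces, the parser splits on the known labels rather than on a separator, so either layout works.

```python
"""Added example, not EventLog Analyzer's parser: extract the fields from a syslog
message produced by an OpManager profile that uses the message variables listed
in the guide. The sample message is constructed."""
import re

FIELDS = ["ALARM_MESSAGE", "ALARM_ID", "ALARM_CODE", "ALARM_CATEGORY",
          "ALARM_SEVERITY", "ALARM_TRIGGER_TIME", "ALARM_EVENT_TYPE", "Entity"]

# A label counts only at the start of the text or after whitespace, so a label
# word inside an alarm message does not split the value. The optional space
# after the colon covers the 'Entity: $entity' form.
_LABEL_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, FIELDS)) + r"):\s*")
_PRI_RE = re.compile(r"^<\d{1,3}>")


def parse_opmanager(message: str) -> dict:
    """Return {label: value} for every label found; a value runs to the next label."""
    body = _PRI_RE.sub("", message, count=1)  # drop the syslog <PRI> prefix if present
    hits = list(_LABEL_RE.finditer(body))
    parsed = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        parsed[m.group(1)] = body[m.end():end].strip()
    return parsed


def missing_fields(parsed: dict) -> list:
    """Labels from the profile format that did not appear in the message."""
    return [f for f in FIELDS if f not in parsed]


# Constructed sample, space-separated as a single syslog line.
SAMPLE = ("<13>ALARM_MESSAGE:Interface Gi0/1 is down on core-sw1 ALARM_ID:1001 "
          "ALARM_CODE:1001 ALARM_CATEGORY:Interface ALARM_SEVERITY:Critical "
          "ALARM_TRIGGER_TIME:2024-03-01 09:15:07 ALARM_EVENT_TYPE:InterfaceDown "
          "Entity: Gi0/1")

if __name__ == "__main__":
    fields = parse_opmanager(SAMPLE)
    for label in FIELDS:
        print(f"{label:20s} {fields.get(label, '<missing>')}")
    print("missing:", missing_fields(fields))
```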
2. Enter 514 as the SIEM TCP Port. If you have changed the default TCP port, then specify the changed port number
here.
4. Append <96> at the start of the Feed Output Format before "%s... which specifies to EventLog Analyzer that the log
2. 514 TCP
3. 513 TLS
Login as root user and edit the syslog.conf/rsyslog.conf/syslog-ng.conf file in the /etc directory.
You can check which logger the device runs by executing the 'ps aux | grep syslog' command in the Terminal or Shell.
For UDP based log collection, append:
*.*<space/tab>@<eventloganalyzer_server_name>:<port_no> at the end, where <eventloganalyzer_server_name>
is the name of the machine on which EventLog Analyzer is running. Save the configuration and exit the editor.
For TCP based log collection, append:
Prerequisites:
Enable HTTPS and configure a valid certificate in server.xml. Click here to know how to configure a
valid SSL certificate.
Only pfx format is supported for storing certificate, if you use keystore format, please convert it to pfx.
After applying a self-signed certificate, a file named ca.crt will be created in the location
<EventLogAnalyzer_Home>/Certificates.
Use this file as the root certificate while configuring log forwarding in clients.
For configuring log forwarding, get the root certificate from the certificate vendor.
After checking the prerequisites, append the entries below to the syslog.conf/rsyslog.conf/syslog-ng.conf file in
the /etc directory.
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer <hostname>
*.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>
Note: If you want to use a different port other than the default ports as specified above, please specify it in the port
management settings.
/etc/rc.d/init.d/syslog restart
Note: To configure the syslog-ng daemon in a Linux device, append the following entries at the end of
/etc/syslog-ng/syslog-ng.conf
Note: Ensure that EventLog Analyzer server that you provide is reachable from the Syslog device.
Note: The above configuration will only enable forwarding of machine logs to the EventLog Analyzer server.
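The forwarding lines above differ only in the number of @ signs (one for UDP, two for TCP), but what reaches EventLog Analyzer in both cases is a BSD-syslog line whose first bytes, the <PRI> value, encode the facility and severity (facility * 8 + severity). That is the same value the Logyard and feed formats earlier in this guide prefix as <13> and <96>. The added example below (not from the guide, rsyslog or EventLog Analyzer) builds such a line, sends it over UDP or TCP, and performs a loopback round trip so the reachability note above can be checked from the sending host; the host and port are placeholders and the sample message is constructed.

```python
"""Added example, not from the guide or rsyslog: what '*.* @host:port' (UDP) and
'*.* @@host:port' (TCP) put on the wire, and a loopback reachability check.
Host and port values are placeholders; the sample message is constructed."""
import re
import socket
from datetime import datetime

# Facility and severity codes from the RFC 5424 table; PRI = facility*8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "lpr": 6,
    "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11, "ntp": 12,
    "audit": 13, "alert": 14, "clock": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
_FAC_BY_NUM = {v: k for k, v in FACILITIES.items()}
_SEV_BY_NUM = {v: k for k, v in SEVERITIES.items()}
_LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\s]+): ?(.*)$")


def pri(facility: str, severity: str) -> int:
    """PRI value for a facility.severity selector such as local6.info."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value: int):
    """Reverse of pri(): (facility name, severity name)."""
    if not 0 <= value <= 191:
        raise ValueError("PRI must be between 0 and 191")
    return _FAC_BY_NUM[value // 8], _SEV_BY_NUM[value % 8]


def build_message(facility, severity, hostname, tag, text, when=None) -> str:
    """BSD-syslog (RFC 3164) layout: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


def parse_message(line: str) -> dict:
    """Split a received line back into its fields, as a collector would."""
    m = _LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def send_syslog(message: str, host: str, port: int, proto: str = "udp") -> None:
    """'udp' is what a single '@' means in rsyslog; 'tcp' is '@@' (LF-framed)."""
    data = message.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    elif proto == "tcp":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data + b"\n")
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")


def loopback_check() -> dict:
    """Receive our own message on a local UDP socket and parse it back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))  # ephemeral port stands in for 513/514
        rx.settimeout(5)
        port = rx.getsockname()[1]
        msg = build_message("local6", "info", "webfe01", "sshd",
                            "Failed password for invalid user admin from 203.0.113.9")
        send_syslog(msg, "127.0.0.1", port, "udp")
        return parse_message(rx.recv(4096).decode("utf-8"))


if __name__ == "__main__":
    print(loopback_check())
    # To test the real path, replace the placeholders with the EventLog Analyzer
    # server name and the listener port configured in port management settings:
    # send_syslog(build_message("local6", "info", "webfe01", "test", "hello"),
    #             "eventloganalyzer-server", 514, "udp")
```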
The below given configurations have to be done in Linux devices under rsyslog.conf (or) syslog.conf :
input text file into a syslog message, which can then be forwarded to the EventLog Analyzer server.)
2. The following directives contain the details of the external log file:
$InputFileName <Monitored_File_Absolute_Path>
$InputFileStateFile <State_Filename>
$InputRunFileMonitor
3. To forward the logs we must provide this line: <Facility>.<Severity> @Host-Ip:Port
Example:
$InputFileName /var/log/sample.log
$InputFileStateFile sample
$InputFileSeverity info
$InputFileFacility local6
local6.info @eventloganalyzer-Server:514
Note:
1. These instructions can be applied to all Linux devices.
3. When forwarding audit logs, the default policies on Red Hat systems with Security-Enhanced Linux (SELinux) sometimes
won't allow the audit logs to be read. In that case, the audit logs can be forwarded by adding "active=yes" in
/etc/audisp/plugins.d/syslog.conf:
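The imfile directives above are easier to reason about once the role of $InputFileStateFile is visible: it stores how far into the monitored file the module has read, so a restart neither re-sends old lines nor loses new ones. The added example below (not rsyslog's code) re-implements that loop in a few dozen lines: it reads only the bytes appended since the saved offset, holds back a line that has no newline yet, starts over if the file was truncated or rotated, and wraps each line as a local6.info message (PRI 182) like the example configuration. The file paths, host name and log content are constructed for the example.

```python
"""Added example, not rsyslog's code: a small re-implementation of what the imfile
directives do, to make the state file's role visible. Paths, host name and the
sample log content are constructed."""
import json
import os
import socket
from datetime import datetime

PRI_LOCAL6_INFO = 22 * 8 + 6  # facility local6 (22), severity info (6) -> <182>


def read_new_lines(log_path: str, state_path: str) -> list:
    """Return complete lines added since the offset stored in state_path."""
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as fh:
            offset = json.load(fh).get("offset", 0)
    if os.path.getsize(log_path) < offset:
        offset = 0  # file was truncated or rotated: start again from the top
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    complete, sep, _partial = data.rpartition(b"\n")  # hold back an unfinished line
    consumed = len(complete) + len(sep)
    with open(state_path, "w") as fh:
        json.dump({"offset": offset + consumed}, fh)
    if not complete:
        return []
    return [line.decode("utf-8", errors="replace") for line in complete.split(b"\n")]


def to_syslog(line: str, hostname: str, tag: str = "imfile") -> str:
    """Wrap one file line as a BSD-syslog message with the local6.info PRI."""
    now = datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{PRI_LOCAL6_INFO}>{stamp} {hostname} {tag}: {line}"


def drain(log_path: str, state_path: str, hostname: str, sink) -> int:
    """Forward every new line through sink(message); return how many were sent."""
    count = 0
    for line in read_new_lines(log_path, state_path):
        sink(to_syslog(line, hostname))
        count += 1
    return count


def udp_sink(host: str, port: int):
    """A sink that sends each message to the collector, like '@host:port'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda msg: sock.sendto(msg.encode("utf-8"), (host, port))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        log, state = os.path.join(d, "sample.log"), os.path.join(d, "sample.state")
        with open(log, "w") as fh:
            fh.write("app started\nconfig reloaded\n")
        sent = []
        print(drain(log, state, "apphost", sent.append), "lines on first run")
        print(drain(log, state, "apphost", sent.append), "lines on second run (nothing new)")
        with open(log, "a") as fh:
            fh.write("user admin logged in from 198.51.100.7\n")
        print(drain(log, state, "apphost", sent.append), "line after append")
        print(sent[-1])
        # Real use: drain("/var/log/sample.log", "/var/lib/sample.state", "apphost",
        #                 udp_sink("eventloganalyzer-server", 514))
```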
2. Append *.*<tab>@<server_IP> at the end, where <server_IP> is the IP Address of the machine on which EventLog
Analyzer is running.
Note: Ensure that the EventLog Analyzer server IP address is reachable from the MAC OS device.
where <ela_server_name> is the name of the machine where EventLog Analyzer is running. Ensure that there is only a
tab separation in between *.debug and @<ela_server_name>.
5. Change the syslog service port number to 514, which is one of the default listener ports of EventLog Analyzer. If you
choose a port other than 514, remember to enter that same port when adding the device in EventLog
Analyzer.
Neither vSphere Client nor vicfg-syslog can be used to configure syslog behavior for an ESX device. To configure syslog for
an ESX device, you must edit the /etc/syslog.conf file.
On ESXi devices, you can use the vSphere Client or the vSphere CLI command vicfg-syslog to configure the
following options:
1. Log file path: Specifies a datastore path to the file where syslogd logs all messages.
2. Remote host: Specifies a remote device to which syslog messages are forwarded. In order to receive the
forwarded syslog messages, your remote host must have a syslog service installed.
3. Remote port: Specifies the port used by the remote host to receive syslog messages.
Configuration using vSphere CLI command: For more information on vicfg-syslog, refer to the vSphere Command-Line
Interface Installation and Reference Guide.
Configuration using vSphere Client:
1. In the vSphere Client inventory, click on the host.
5. In the Syslog.Local.DatastorePath text box, enter the datastore path to the file where syslog will log messages.
If no path is specified, the default path is /var/log/messages.
The datastore path format is [<datastorename>] </path/to/file> where the path is relative to the root of the
volume backing the datastore.
3. Configure the Switch as below to send the logs to the Eventlog Analyzer Server
Arista(config)# logging host <Eventlog_Server_Ip> <port_number> protocol [tcp/udp]
3. Configure the switch as below (here, we have used Catalyst 2900) to send the logs to the EventLog Analyzer server:
We can also configure logging facility and trap notifications with the below commands:
Note: The same commands are also applicable for Cisco Routers.
Please refer to the Cisco documentation for detailed steps on configuring the Syslog service in the respective routers or
switches. Contact [email protected] if the Syslog format of your Cisco devices is different from
the standard syslog format supported by EventLog Analyzer.
3. Configure the switch as given below (here, we have used Catalyst 2900) to send the logs to the EventLog Analyzer
server:
Cisco-ASA# config terminal
To configure a Syslog Server for traffic events, navigate to Configuration > ASA Firepower Configuration > Policies >
Actions Alerts and click the Create Alert drop-down menu and choose option Create Syslog Alert. For web interfaces,
navigate to Policies > Actions Alerts. Enter the values for the Syslog server.
Name: Specify the name which uniquely identifies the Syslog server.
Host: Specify the IP address/hostname of Syslog server.
Port: Specify the port number of Syslog server.
Facility: Select any facility that is configured on your Syslog server.
Severity: Select any Severity that is configured on your Syslog server.
Tag: Specify tag name that you want to appear with the Syslog message.
Connection Events are generated when traffic hits an access rule with logging enabled. In order to enable the
external logging for connection events, navigate to ASDM Configuration > ASA Firepower Configuration > Policies
> Access Control Policy. For web interfaces, navigate to Policies > Access Control Policy. Edit the access rule and
navigate to logging option.
Select the logging option either log at Beginning and End of Connection or log at End of Connection. Navigate
to Send Connection Events to option and specify where to send events.
In order to send events to an external Syslog server, select Syslog, and then select a Syslog alert response from the
drop-down list. Optionally, you can add a Syslog alert response by clicking the add icon.
Intrusion events are generated when a signature (snort rules) matches some malicious traffic. In order to enable the
external logging for intrusion events, navigate to ASDM Configuration > ASA Firepower Configuration > Policies >
Intrusion Policy > Intrusion Policy. For web interfaces, navigate to Policies > Intrusion Policy > Intrusion Policy.
Either create a new Intrusion policy or edit an existing one. Navigate to Advanced Setting > External Responses.
In order to send intrusion events to an external Syslog server, select option Enabled in Syslog Alerting then click
the Edit option.
Logging Host: Specify the IP address/hostname of Syslog server.
Facility: Select any facility that is configured on your Syslog server.
Severity: Select any Severity that is configured on your Syslog server.
Note: From Version 6.3 and above, make sure to enable timestamping in the RFC 5424 format in Firepower
Use a web browser to connect to the SonicWall management interface and login with your username and
password.
1. Click on the Log button on the left menu. This will open a tabbed window in the main display.
3. Under Sending the Log, enter the IP address of the machine running the Kiwi Syslog Server into the field Syslog Server
1. If you are listening on a port other than 514, enter that value in the field Syslog server port 1.
5. Under Categories > Log, check all the types of events that you would like to receive Syslog messages for.
4. From the Add Syslog Server window, enter the IP address or host name of the Eventlog Analyzer server.
5. Enter the port number and set the Server Type to Syslog.
7. Click OK to configure.
A reboot of the SonicWall may be required for the new settings to take effect.
3. Expand CLI Tools on the left pane, click on CLI editor in the subtree, and navigate to syslog under system.
4. For standard logs, insert the host node with the required values such as the host name, severity, facility and log prefix.
This will forward the log data in standard format. You can customize the syslog severity level by editing the command.
5. For structured logs, mention 'structured-data' in the command line. Consider the following command.
host ela-server{
any any;
port 513;
structured-data;
}
2. Navigate to Device > Server Profiles > Syslog to configure a Syslog server profile.
3. Configure Syslog forwarding for Traffic, Threat, and WildFire Submission logs. First, navigate to Objects > Log
5. Configure Syslog forwarding for System, Config, HIP match, and Correlation logs.
If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this
profile is available.
For the EventLog Analyzer server, click Add and enter the requested information.
Click OK.
3. Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.
Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
For each log type and each severity level or WildFire verdict, select EventLog
Analyzer's Syslog server profile and click OK.
4. Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.
For System and Correlation logs, click each Severity level, select EventLog Analyzer's syslog server
For Config, HIP Match, and Correlation logs, edit the section, select EventLog Analyzer's syslog server
Source: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/monitoring/configure-syslog-monitoring
Once you have completed the configuration steps, the logs from your Palo Alto device will be automatically forwarded to
the EventLog Analyzer server.
2. Define the Syslog Servers either through the GUI System Settings > Advanced > Syslog Server or with CLI commands:
3. Enable sending FortiManager local logs to the EventLog Analyzer server via CLI.
set severity <emergency | alert | critical | error | warning | notification | information | debug> (Least severity level to log)
end
Once you have completed the configuration steps, the logs from your Fortinet device will be automatically forwarded to
the EventLog Analyzer server.
For more details and for other versions, refer to the source: http://kb.fortinet.com/kb/documentLink.do?externalID=FD35387
2. To override the lock, click on the lock icon on the top-left corner of the screen.
6. In the Add Remote Server Logging Entry window, enter the IP address of the remote server (EventLog Analyzer
server).
7. From the Priority drop-down, select the severity level of the logs to be sent to the remote server.
8. Click OK.
4. Select the Trust Interface as Source IP and enable the Include Traffic Log option.
5. Enter the IP address of the Eventlog Analyzer server and Syslog port (514) in the given boxes. All other fields will have
default values.
> Netscreen > set syslog config <ip address> facilities local0 local0
3. Enable the Send log messages to the syslog server at this IP address checkbox.
4. Type the EventLog Analyzer server's IP address in the box provided for IP address.
7. If you want to include date and time in the log message details, enable the Time stamp checkbox.
8. If you want to add serial numbers in log message details, enable Serial number of the device checkbox.
9. Select a syslog facility for each type of log message in the Syslog settings section drop-down list.
To assign priorities for other types of log messages select Local1 - Local7.
2. Navigate to Logging & Reporting > Log Settings >Remote Syslog Server
6. Click on Apply
2. Navigate to System > System Services > Log Settings > Syslog Servers > Add
5. Navigate to System > System Services > Log Settings and select the logs that have to be sent to the EventLog Analyzer
server.
2. Navigate to Logs & Reports > Configuration > Syslog Server > Syslog Servers > Add
5. Navigate to Logs & Reports > Configuration > Log Settings and select the logs that have to be sent to the EventLog
Analyzer server.
Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
Click on Lock.
Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
In the Data Selection table, add the log files to be streamed. (e.g. Fatal_log, Firewall_Audit_Log, Panic_log)
In the Affected Box Logdata section, define what kind of box logs are to be affected by the Syslog daemon
In the Affected Service Logdata section, define what kind of logs created by services are to be affected by the
Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
Expand the Configuration Mode > Switch to Advanced View > Lock.
Enter the EventLog Analyzer server IP address as destination IP address in the Loghost IP address field.
Enter the destination port for delivering syslog messages (513, 514).
Click OK
Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
Expand the Configuration Mode menu and select Switch to Advanced View.
2. In the Add Export Log Server, enter the following details, and click OK
2. Enter the IP address of the EventLog Analyzer server to which syslog data related to mail flow should be sent.
3. Specify the protocol TCP or UDP, and also port (513,514) over which syslog data should be transmitted.
2. Navigate to System view > Log monitoring > Firewall log stream
3. To export traffic monitoring logs to EventLog Analyzer server, enter the following details in the space provided:
Info-center loghost <EventLog Analyzer server IP address> 514 facility <facility>
2. Move to the Admin pane and open the Syslog Settings tab.
4. To export traffic monitoring logs to EventLog Analyzer server, enter the following details in the space provided:
Port <513/514>
Protocol
5. Click OK to save.
3. Click on the Add a syslog server link. In the given fields enter the EventLog Analyzer server IP address and UDP port
number.
Note: If the Flows role is enabled on a Meraki security appliance then logging for individual firewall rules can be
enabled/disabled. This can be done by navigating to the Security appliance > Configure > Firewall and editing the
Logging column.
5. Click Save.
2. Navigate to Settings > Notifications, select rsyslog and the Event type.
4. In the dialog box that opens, enter the EventLog Analyzer server IP address in the given field. Choose UDP as the
5. Click Save.
6. Click Save.
4. Uncomment the systemevent.syslog.host= line and specify the EventLog Analyzer server IP address as follows:
systemevent.syslog.host=xxx.xx.xx.xxx
5. Uncomment the systemevent.syslog.port= line and specify 514 as the port to accept connections from the Symantec
6. After making the above mentioned changes, save and close the properties file.
2. Navigate to Admin > Servers. Select the local site or remote site from which log data must be exported.
4. In the General tab, from the Update Frequency list, choose how often log data should be sent to the file.
5. In the Master Logging Server list, select the management server to which the logs should be sent.
Destination Port - Select the protocol to use and enter the destination port that the Syslog server should use
to listen for Syslog messages.
Log Facility - Enter the number of the log facility that you want the Syslog configuration file to use. Valid
values range from 0 to 23. Alternatively, you could use the default.
8. Click OK.
3. Click on the Notification button. Select Enable to start the Syslog service.
5. Click Save.
Enter the remote IP. The remote IP in this case would be EventLog Analyzer server's IP address.
Enter the remote port number. The default remote port for EventLog Analyzer is 514.
Click on "Add".
Click on "Update".
3. Click on "Create."
7. Enter the listening port of the EventLog Analyzer server. The default listening port is 514.
9. Click on "Finish".
1. Now navigate to System > Logs > Configuration > Log Destinations.
2. Click on "Create".
5. Under syslog settings, set the syslog format as "syslog" and select the forward to management Port as
the syslog destination.
6. Click on "Finish".
2. Click on "Create".
4. In the available list, click the previously configured remote syslog destination name and move it to the
selected list.
5. Click on "Finish".
2. Click on "Create".
5. Under the network firewall settings, enter the publisher. Enter the previously configured Syslog publisher.
6. Under log rule matches, click on "Accept, Drop, and Reject." ( Note: If you do not want any logs, you can
disable it).
2. Select the virtual server to which you want to apply the logging profile.
3. At the top, click on the Security tab and click on the policy.
4. Go to Network Firewall.
6. Under Log Profile, Enable the log profile and select previously configured logging profile.
Select Forward System Events to a remote computer (via Syslog) in the SIEM section.
4. Syslog Facility
Go to Policies.
Double-click the policy you want to use for computers to forward security events via the Deep Security
Manager.
Go to Settings > SIEM and select Forward Events To > Relay via the Manager for each applicable protection
module.
Specify the following information that is required for relaying events via the Deep Security Manager and then
click Save:
4. Syslog Facility
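Every device procedure above comes down to the same two settings: the EventLog Analyzer server's address and port, and a syslog facility (local0 to local7). Both the facility and the severity the device assigns travel in the PRI field at the very start of each syslog message, which is what the collector later uses to bucket events by severity. The Python below is an added example, not EventLog Analyzer's own code: it decodes the PRI, parses RFC 3164-style lines, and tallies severities the way a severity chart would. The log lines are constructed for the example, and the facility and severity tables are the standard RFC 3164 ones.

```python
import re
from collections import Counter

# Syslog facility codes (RFC 3164). local0-local7 are the user-assignable
# facilities the device configuration steps let you choose from.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7, named the way the dashboard names them.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Information", "Debug"]

# RFC 3164-style line: <PRI>Mmm dd hh:mm:ss hostname rest-of-message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Constructed sample lines (not real device output). PRI 134 = local0 * 8 + 6.
SAMPLE_LINES = [
    "<134>Mar  3 10:15:01 fw01 kernel: connection allowed 10.0.0.5 -> 203.0.113.10:443",
    "<132>Mar  3 10:15:07 fw01 kernel: interface eth1 flapping",
    "<131>Mar  3 10:15:12 fw01 kernel: config sync failed",
    "<130>Mar  3 10:15:20 fw01 kernel: cluster member lost",
    "<190>Mar  3 10:15:25 sw02 snmpd: trap sent",
    "garbage line without a PRI",
]


def decode_pri(pri: int):
    """Split a PRI value into (facility name, severity name). PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_line(line: str):
    """Parse one syslog line; return a dict of fields, or None if it is not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity,
            "timestamp": m["ts"], "host": m["host"], "message": m["msg"]}


def severity_counts(lines):
    """Count parsed events per severity; unparsable lines are skipped, not fatal."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[ev["severity"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(dict(severity_counts(SAMPLE_LINES)))
```

Changing the facility on the device (local0 versus local7, say) alters only the facility part of the PRI; the severity is still decided by the device, so picking a distinct local facility per device type is a labelling convenience, not a way to raise or lower what the collector reports.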
Home tab
The home tab contains multiple dashboards that give you insights into important network activities. The below dashboards
are present by default when you click on the Home tab:
Events Overview
Network Overview
Security Overview
VPN Overview
Events Overview
This tab presents a high-level overview of security events by generating graphical reports such as Logs Trend, Syslog
Severity Events, Windows Severity Events, and Recent Alerts. These reports are generated for events that occur in a
specific time frame (which can be customized). Hovering your mouse pointer over the charts or graphs will give you
information about the Event Count of a particular device, its IP address, and the Severity of the event (Information, Notice,
Debug, Warning, Alert, Error, Critical, and Emergency).
Network Overview
This tab gives you information about network traffic in your environment. It provides details on the traffic trend, allowed
and denied network connections, and more to help you track events of interest.
Security Overview
The security overview dashboard consolidates events from network devices such as IDS/IPS, endpoint security solutions,
vulnerability scanners, and other threat detection solutions. This dashboard contains reports that help security teams keep
tabs on crucial security events such as vulnerabilities and threats. It also has an interactive widget on IDS/IPS attacks, which
helps you identify the type of attack, number of attack attempts, and the time when the attack happened.
VPN Overview
You can customize the Home tab to include the VPN Overview tab by navigating to Settings > Add Tab > VPN Overview.
EventLog Analyzer monitors VPN session activities and generates reports to help you visualize events of interest. The VPN
Overview dashboard will give you insights on VPN user and session activities by displaying widgets such as Live Sessions
Count, Total Logon Hours, Average Login Time, Closed Sessions, and Top Users and Status. You can also customize the VPN
dashboard by adding and reordering widgets by navigating to Settings > Add Widgets and Settings > Reorder Widgets
respectively.
The Home tab also contains the Log Sources, date and time selection, and settings icons.
Devices
Applications
File Integrity Monitoring
Devices
The Devices section displays the entire list of systems (Windows, Linux, IBM AS/400, HP-UX, etc.) and devices (routers,
switches, etc.), from which EventLog Analyzer is collecting logs. The device list displayed is categorized based on the Device
group selected from the drop-down list (default: All Groups). You can add a new device ( +Device), or add and schedule new
reports (+Schedule) from this section. You can search for a particular device based on its IP Address or Device Name, delete
a device or set of devices, and disable/enable log collection from a particular device or set of devices.
The device list table displays details like device type, event summary (error, warning, failure, others), connection status of
the device, time when the last log message was fetched, and device group to which the device belongs. Moving the mouse
over any device brings up some options:
You can even customize the columns you would like to display in the device table by clicking the column selector icon or
increase the number of devices that are displayed per page (from a minimum of 5 devices per page to a maximum of 200
devices per page). Using the drop-down menu, you can list only the Active devices or Enabled devices, and you have the
option to exclude devices synced from Active Directory Audit Plus.
Applications
The Applications section provides an overview pie-chart (which can be drilled down to raw log information) and lists the
devices from which application logs for IIS W3C Web Servers, IIS W3C FTP Servers, MS SQL Servers, Oracle Live Audit,
DHCP Windows/Linux Servers, Apache Web Servers or Print Servers, have been received or imported into EventLog
Analyzer. The device list displayed is categorized based on Application Type selected from the drop-down list. Applications
logs can be imported into EventLog Analyzer by selecting +Import from the Actions drop-down list.
The application device list displays details like device name, application type, total events, recent records, time imported,
start time and end time. Click on the device name or the corresponding section in the pie chart to get the complete
overview of the application event data, and generate corresponding reports. You can even customize the columns you
would like to display in the application device table by clicking the column selector icon.
The File Integrity Monitoring dashboard gives information about changes made to files and folders of Windows, Linux, and
Unix machines. It tabulates and reports on the files and folders created, deleted, modified, and renamed. It also displays
changes made to file and folder permissions.
At the top of this dashboard, you can find the Manage File Integrity Monitoring tab which allows you to add, delete, and
manage devices for File Integrity Monitoring. The FIM Alert tab allows you to configure alerts for anomalous file and folder
modifications. The FIM Scheduled Reports tab helps you view and export scheduled reports.
Settings icon
The settings icon displays multiple options to customize all dashboards by adding, managing, and ordering the widgets and
tabs that are displayed. You can also refresh the changes made to the time frame in the product using the Refresh Interval
option.
Reports tab
This tab displays a dashboard that contains reports for all events taking place in your network. At the top left corner, you
can find a drop-down menu that allows you to choose and view reports based on Devices, Applications, File Monitoring,
Threats, Vulnerability, and Virtual Machines. You can also view Custom Reports, User Based Reports, and Top and Trend
reports by clicking on the required option from this drop-down menu. The Export As drop-down menu enables you to
export reports in either the CSV or PDF formats. You can schedule reports by clicking on the +Add option present in the
Schedule Reports tab.
Compliance tab
The Compliance tab provides the set of canned reports as required by various compliance policies, namely, FISMA, PCI-DSS,
SOX, HIPAA, GLBA, GPG, and ISO 27001:2013. The +Add option allows you to create and select the reports required for a
new compliance policy of your choice. The Edit option allows you to customize the reports available under each compliance
policy.
Search tab
The Search tab provides two options to search the raw logs: Basic Search or Advanced Search. The search result is
displayed in the lower half of the page and the final search result can be saved as a report (in PDF or CSV format) and can
also be scheduled to be generated at predefined intervals and be automatically mailed to a set of configured users.
You can use Basic search if you are interested in manually constructing the search query. Here you can use phrase search,
Boolean search, grouped search, and wild-card search to build your search query. You can use Advanced search to
interactively build complex search queries easily with field value pairs and relational operators. New fields can be extracted
from the search result and regular expression (regex) patterns can be constructed to easily identify, parse and index these
fields in new logs received by EventLog Analyzer.
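The field extraction described above is, underneath, a regular expression with named groups applied to each raw log message: every group becomes a new indexed field. The Python below is an added example and not EventLog Analyzer's parser; it applies such a pattern to constructed firewall-style messages (already stripped of their syslog header), skips lines that do not match, and summarizes the extracted fields into the allowed/denied counts that the Network Overview widgets present. The pattern and the message format are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample messages in a key=value firewall log style (not real device
# output). The last one is deliberately unrelated to test that it is skipped.
SAMPLE_MESSAGES = [
    "action=allow src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp",
    "action=deny src=10.0.0.7 dst=203.0.113.10 dport=23 proto=tcp",
    "action=deny src=192.0.2.44 dst=10.0.0.1 dport=3389 proto=tcp",
    "action=allow src=10.0.0.5 dst=198.51.100.9 dport=53 proto=udp",
    "heartbeat ok",
]

# A custom parser pattern of the kind a user builds from a search result:
# each named group (action, src, dst, dport, proto) becomes a new field.
CONNECTION_PATTERN = re.compile(
    r"action=(?P<action>allow|deny)\s+"
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"dport=(?P<dport>\d{1,5})\s+"
    r"proto=(?P<proto>[a-z]+)"
)


def extract_fields(pattern, messages):
    """Apply a named-group regex to each message and return one dict per match.
    Non-matching messages are skipped so a single odd line cannot stop indexing."""
    records = []
    for msg in messages:
        m = pattern.search(msg)
        if m is None:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])   # numeric field, so range filters work
        records.append(rec)
    return records


def connection_summary(records):
    """Allowed/denied totals and the top denied sources, as the Network Overview
    widgets (Allowed Connections, Denied Connections, Top 5 Denied Connections by
    Source) present them."""
    actions = Counter(r["action"] for r in records)
    denied_by_src = Counter(r["src"] for r in records if r["action"] == "deny")
    return {
        "allowed": actions["allow"],
        "denied": actions["deny"],
        "top_denied_sources": denied_by_src.most_common(5),
    }


if __name__ == "__main__":
    recs = extract_fields(CONNECTION_PATTERN, SAMPLE_MESSAGES)
    for r in recs:
        print(r)
    print(connection_summary(recs))
```

Anchoring the pattern to fixed key names and tight value classes (dotted quads, digits for the port) matters in practice: a loose pattern such as `src=(\S+)` would happily index whatever follows the key, including values an attacker controls in the message body.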
Correlation tab
The Correlation engine analyzes logs collected from different parts of the network and generates alerts for suspicious
patterns of events. The dashboard, by default, displays the report on Recent Incidents. You can create and modify
correlation rules by clicking on the Manage Rules tab present in the dashboard.
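What a correlation rule actually does is stitch individual events into a sequence and raise an incident only when the whole pattern appears within a time window. The Python below is an added example, not one of EventLog Analyzer's built-in rules: it implements a hypothetical rule "N logon failures for a user on a host, followed by a successful logon for the same user on that host within the window" over constructed events, and shows why the window matters (a failure long before a success is not treated as the same burst). Event fields and thresholds are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    host: str
    user: str
    type: str   # "logon_failure" or "logon_success"


def _t(hms: str) -> datetime:
    # Helper to build constructed timestamps on one day
    return datetime.fromisoformat(f"2024-01-15T{hms}")


# Constructed sample events (not real log data): "alice" fails three times in
# under two minutes and then succeeds; "bob" fails once and succeeds 15 minutes
# later, which should fall outside a 5-minute window.
SAMPLE_EVENTS = [
    Event(_t("09:00:05"), "srv1", "alice", "logon_failure"),
    Event(_t("09:00:40"), "srv1", "alice", "logon_failure"),
    Event(_t("09:01:30"), "srv1", "alice", "logon_failure"),
    Event(_t("09:01:55"), "srv1", "alice", "logon_success"),
    Event(_t("09:05:00"), "srv2", "bob", "logon_failure"),
    Event(_t("09:20:00"), "srv2", "bob", "logon_success"),
]


def failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` logon failures for one (host, user),
    all within `window` of a subsequent success for the same (host, user).
    Returns one incident dict per matching burst."""
    incidents = []
    recent = {}   # (host, user) -> failure timestamps still inside the window
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.host, ev.user)
        fails = recent.setdefault(key, [])
        # Slide the window: forget failures older than `window` relative to now
        fails[:] = [t for t in fails if ev.time - t <= window]
        if ev.type == "logon_failure":
            fails.append(ev.time)
        elif ev.type == "logon_success" and len(fails) >= threshold:
            incidents.append({
                "host": ev.host,
                "user": ev.user,
                "failures": len(fails),
                "first_failure": fails[0],
                "success": ev.time,
            })
            fails.clear()   # one incident per burst, not one per later success
    return incidents


if __name__ == "__main__":
    for inc in failures_then_success(SAMPLE_EVENTS):
        print(inc)
```

Sorting by time before evaluating is deliberate: events from different devices arrive out of order, and a rule that trusts arrival order will miss sequences or fire on the wrong success. The threshold and window are the two knobs a rule author tunes against false positives from users who simply mistype a password.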
Alerts tab
This tab displays the number of Active Alerts in the dashboard along with their severities. You can view tabulated
information about the alerts, their time of generation, the status, and their corresponding response workflow (if configured)
in the dashboard.
Settings tab
This section allows you to configure EventLog Analyzer as per your requirements. It has three sub-sections as given below:
Configuration Settings
This section allows you to Manage Devices, Device Groups, Application Sources, Import Log Data, Threat Sources, File
Integrity Monitoring, Vulnerability Data, FIM Templates, and vCenter. You can also configure threat management and log
forwarding from this section.
Admin Settings
This section allows you to perform various administrative activities by managing Alert Profiles, Archives, Technicians and
Roles, DB Retention Settings, Log Collection Filters, Working Hour Settings, Product Settings, Log Collection Failure Alerts,
Dashboard profiles, Privacy Settings, Logon Settings, Domain and Workgroups, Report Profiles, Resource Grouping, Custom
Log Parsers, Tags, and Log360 Cloud platform.
This section allows you to configure various settings including Notification Settings, Server Diagnostics, Database
Access, Re-branding, NT Service, Connection Settings, and Listener Ports.
Add tab
This tab allows you to easily add log sources from Devices and Applications. It also has the provision to let you import logs
from other sources. You can add Alert Profiles, Log Filters and create custom Reports from this tab.
Dashboard tabs:
The EventLog Analyzer dashboard comes with the following default subtabs:
Events Overview
Network Overview
Security Overview
Events Overview
This tab presents an overview of various security events monitored by EventLog Analyzer. The widgets in this dashboard
provide insights on the various critical events generated in the network during the specified time frame.
Widget Name: Function
All Events: This widget presents the total number of events/logs collected by EventLog Analyzer during the given time frame.
Syslog Events: This widget presents the total number of Syslog events collected during the given time frame. Furthermore, the pie chart splits the syslog events into warning, error and critical events.
All Devices: This widget provides a count of all the enabled devices from which log data is being collected. The server image in the corner will have a green tick if all logs are being collected successfully. A warning icon indicates that logs aren't being collected from some of the devices. Additionally, this widget has a View All Devices link. Clicking on the link will redirect you to the device dashboard page, which provides detailed information on each device.
Logs Trend: This widget presents a time-based log count trend of all events/logs ingested into EventLog Analyzer. The X-axis represents the time range, which is based on the calendar range you choose. If you choose a time range of less than 24 hours, the graph will present hourly log trend data. The Y-axis represents the Event Count.
Top 5 Devices: This widget presents the top 5 devices based on event count.
Security Events: This widget shows a summary of various security events such as Logon, Account Logon, Account Management, and Object Access.
Windows Severity Events: This widget displays a graph in which the X-axis represents the Severity of a Windows Event and the Y-axis represents the Event Count.
Syslog Severity Events: This widget displays a graph in which the X-axis represents the Severity of a Syslog Event and the Y-axis represents the Event Count.
Top 5 File Integrity Monitoring Events: This widget presents a 3D graph which displays the details of the top 5 file servers based on the log count. Each row contains additional data on various file-based events.
Application Events: This widget displays a pie chart of the top 10 applications (IIS, DHCP, etc.) based on event count.
Network Overview
This tab gives an overview of various network-related events monitored by EventLog Analyzer by generating graphical
reports. The widgets in this dashboard provide insights on the various critical events generated in the network during the
specified time frame.
Widget Name: Function
Allowed Connections: This widget presents the count of all the connections that were allowed by the network device. The pie chart highlights the allowed connections from the total number of connections that occurred in the network during the specified time period.
Denied Connections: This widget presents the count of all the connections that were denied by the network device. The pie chart highlights the denied connections from the total number of connections that occurred in the network during the specified time period.
Network Devices: This widget provides a total count of network devices that are added for monitoring.
Traffic Trend: This widget presents a 3D graph that shows a time-based trend of allowed traffic and blocked traffic. The X-axis represents the time range, which is based on the calendar range you choose. If the calendar range is less than 24 hours, it shows hourly ranges; if it is less than 1 hour, 1-minute ranges; if it is less than 30 days, 1-day ranges; and if it is more than 30 days, 1-month ranges. The Y-axis represents the Event Count.
Top Network Devices: This widget displays the top 10 network devices based on the log count. Each row is further split into allowed traffic and blocked traffic.
Top 5 Denied Connections by Source: This widget displays the top 5 sources for which connections were denied.
Recent Interface Status Changes: This widget shows the recent interface status for each interface in each network device. The red downwards arrow indicates that the interface is down. The green upwards arrow indicates that the interface is up.
Top Websites Accessed: This widget categorizes the top 10 websites accessed based on the number of times the site was accessed.
Top VPN Logons by User: This widget lists the top 10 users based on VPN logons.
Security Overview
This tab provides an overview of the key security events monitored by EventLog Analyzer. The widgets in this dashboard
provide insights on the various critical events generated in the network during the specified time frame.
Widget Name: Function
Correlative Incidents: This widget refers to the number of incidents detected via EventLog Analyzer's correlation engine.
Threats Detected: This widget presents the total number of threats detected during the chosen time frame from the Threat Sources (such as Symantec, McAfee, Malwarebytes, etc.) added in EventLog Analyzer.
IDS/IPS: This widget presents the total count of IDS/IPS events during the chosen time frame.
Threats detected by Advanced Threat Analytics: This widget displays the count of threats detected by the "Advanced Threat Analytics" feature in EventLog Analyzer.
Recent Threats Identified: This widget displays the most recent 50 threats based on the calendar range.
Top Affected Endpoints from Threat Sources: This widget shows the top 5 endpoint devices in which threats were detected by Threat Sources (Symantec, McAfee, etc.).
Top Vulnerabilities from Vulnerability Scanners: This widget includes a pie chart that displays the top 5 vulnerabilities (selected on the basis of event count) detected in endpoint devices by the vulnerability scanner.
To customize the dashboard according to your preferences, the following options are available to you:
In EventLog Analyzer's dashboard, click the icon on the top-right corner and select Add Tab.
In the pop-up box that appears, you can see the following:
1. Three default tabs: Events Overview, Network Overview, and Security Overview
2. Three predefined templates: Cisco Overview, IIS Overview, and SQL Server Overview
Click Add Custom Tab. Enter a name for the tab in the given field and click Add.
Navigate to the new tab in your dashboard and click Add Widget to start adding widgets of your choice.
In EventLog Analyzer's dashboard, navigate to the tab to which you want to add a new widget and click the icon
on the top-right corner.
Click Add Widget. In the pop-up box that appears, select the widget, widget type, chart type, chart color, and enter
a display name for the widget.
You also have the option of pinning a report as a new widget. To know how, click here.
In the Manage Tab dialog box that appears, click the icon corresponding to the tab that you want to delete.
In the pop-up confirmation box, click Yes to complete the deletion of the tab.
In EventLog Analyzer's dashboard, click the icon on the top-right corner and click Manage Tabs.
Click the icon and drag and drop the tabs in the order of your choice.
In EventLog Analyzer's dashboard, navigate to the tab whose widgets you want to reorder, click the icon on the
top-right corner and click Reorder Widgets.
Click and drag the widgets wherever you want to place them.
You can also resize widgets by dragging them from their bottom-right corner and adjusting their sizes as required.
Click on the Save button present on the top-right corner.
In EventLog Analyzer's dashboard, click the icon corresponding to the widget that you want to edit.
Select Edit Widget. Update the necessary information and click Update.
In EventLog Analyzer's dashboard, click the icon corresponding to the widget that you want to delete.
Select Delete Widget and click Yes in the pop-up box that appears.
In the full screen view, you can view a slideshow of the tabs by clicking the play icon located at the top of the
screen.
You can switch to different tabs by clicking on the drop-down button located at the top of the screen.
You can also remove a particular tab from the slideshow by clicking the toggle button next to the name of the tab in
the drop-down list.
You can also switch to dark mode by clicking the toggle button at the top-right corner of the screen.
To go back to the normal viewing mode, click the icon.
In EventLog Analyzer's dashboard, click the icon on the top-right corner and click Refresh Interval.
In the pop-up box that appears, select the refresh interval: Never, 30 Secs, 1 Min, 5 Mins, 10 Mins, or 1 Hr.
Note: If you choose Never for the refresh interval, the dashboard will never be refreshed automatically. You will
Check out our video for a step by step demonstration of customizing the EventLog Analyzer dashboard here.
The reports can be accessed from the Reports tab of the UI. The event counts shown in the reports can be drilled down to
the raw logs. The logs can be further filtered based on various log fields. EventLog Analyzer also allows you to schedule
reports to be automatically generated and emailed periodically. The custom report profiles can be exported as XML files and
later imported if needed.
Types of reports
EventLog Analyzer offers a wide category of reports. Some of them are listed below.
Windows
The Windows reports allow you to get an overview of the events happening in your Windows environment. A few examples
are given below:
Unix
The Unix reports allow you to get an overview of the events happening in your Unix environment. A few examples are given
below:
Applications
The application reports allow you to get an overview of the events happening in the applications installed in your network.
ManageEngine EventLog Analyzer supports a wide range of applications including Terminal Server, DHCP Windows and
Linux Servers, MS IIS W3C FTP Server, MS IIS W3C and Apache Web Servers, MS SQL and Oracle Database Servers,
Sysmon, and Print Server. These reports also help you to identify the performance and security status of the above
applications.
Network Devices
The network devices reports allow you to get an overview of the events happening in your networking devices. A few
examples are given below.
Custom Reports
The custom reports that you have created will be listed in this section.
In this help document, you will learn to set up Windows report generation.
There are certain reports, mentioned in the table below, that will require manual creation of keys in your Windows Registry.
To set up the generation of these reports, follow the steps given below.
Please make sure event logging has been enabled in Event Viewer by right-clicking on the event source > Properties and
checking the Enable logging box.
Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services >
EventLog. Here, create the keys given in the New keys column of the table below.
Next, open Local Group Policy Editor and navigate to Computer Configuration > Windows Settings > Security
Settings. Further paths and steps to enable the generation of reports are given in the Audit policies column.
Report: Windows Firewall Auditing Reports
New keys: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Audit policies: Enable Audit MPSSVC Rule-Level Policy Change under Advanced Audit Policy Configuration > Policy Change.
Report: Removable Disk Auditing
New keys: Microsoft-Windows-DriverFrameworks-UserMode/Operational
Audit policies: Enable Audit Handle Manipulation and Audit Removable Storage under Advanced Audit Policy Configuration > Object Access. Set a SACL for the removable disk by right-clicking on the required folder and navigating to Properties > Security tab > Advanced > Auditing.
Report: Registry changes
Audit policies: Enable Audit Registry under Advanced Audit Policy Configuration > Object Access. Set a SACL for the registry key by right-clicking on the required key in Registry Editor and navigating to Permissions > Advanced > Auditing.
Report: Windows Backup & Restore Reports
New keys: Microsoft-Windows-Backup
Audit policies: No modification required.
Report: Hyper-V Server Events, Hyper-V VM Management Reports
New keys: Microsoft-Windows-Hyper-V-Worker-Admin, Microsoft-Windows-Hyper-V-VMMS-Storage, Microsoft-Windows-Hyper-V-VMMS-Networking, Microsoft-Windows-Hyper-V-VMMS-Admin, Microsoft-Windows-Hyper-V-Hypervisor-Operational
Audit policies: No modification required.
Report: Program Inventory Reports
New keys: Microsoft-Windows-Application-Experience/Program-Inventory
Audit policies: No modification required.
Report: IIS
New keys: Microsoft-IIS-Configuration/Operational
Audit policies: No modification required. To access IIS reports, open EventLog Analyzer and navigate to Reports > IIS W3C web server > IIS Admin Configuration Reports.
Report: Print service
New keys: Microsoft-Windows-PrintService/Operational, Microsoft-Windows-PrintService/Admin
Audit policies: No modification required.
Report: Terminal
New keys: Microsoft-Windows-TerminalServices-Gateway/Operational
Audit policies: No modification required.
EventLog Analyzer will now start generating the reports mentioned in the table.
To change the order of devices, hover the mouse pointer over the space to the left of the device name. An icon will
appear.
Use the icon to drag and drop the devices in the required order.
You can also enable or disable reports by clicking on the toggle button under the Enable/Disable Format column
corresponding to the required device.
Similarly, you can also rearrange the reports inside each report group by clicking on the report group and following
the steps mentioned above.
In this help document, you will learn to perform the following operations.
Choose the required report and click on the (Manage Custom Views) icon present on the right corner.
Enter a suitable name for the view and choose the required parameters on which the view should be based. You can
choose up to four different parameters.
Click on Add.
The new view will be added as a separate tab in the report.
Choose the report whose views you want to edit and click on the (Manage Custom Views) icon present on the
right corner.
In the pop-up that appears you can see a list of views for that report.
To edit a report view, click the icon corresponding to the view that you want to modify. Make the required
changes and click on Update.
To delete a report view, click the icon corresponding to the view that you want to delete.
To enable/disable a report view, check/uncheck the checkbox under the Enable/Disable column, corresponding to
the required view.
2. In the Create Custom Report dashboard, enter a name for your report.
under Custom Reports. Select one of these or create your own group and click '+'. If not specified, the custom report
5. Select the type of view for your report (see types of view).
6. Set the criteria for the report. You can add multiple criteria and perform AND or OR operations between them. You
can also add criteria to groups and perform AND or OR operations between the groups.
2. To edit a custom-made report, click on the adjacent edit icon and make the necessary changes. Click Update.
3. To delete a custom-made report, click on the adjacent delete icon. Click Yes in the pop-up box that appears.
4. To disable a custom-made report, click on the corresponding tick box in the Status column.
Types of views
Tabular View
This view displays the data in the form of a simple table. You just need to frame the criteria for selecting logs for the report.
You can generate different views of the same tabular view report. To create a new view, refer to the Manage Report Views
section.
This view gives you a more granular representation of the log data. It allows you to select multiple criteria based on which
data will be displayed. After framing the report criteria, you need to select the fields based on which the summary view
report will be generated.
graph would not get generated, but the data would be displayed in a table.
Pivot View
This view is useful when you have to monitor particular values of the field based on which the report is generated. After
selecting the report criteria, you can select the field and the values in the field that you want to monitor. Each of those
values will be displayed as separate columns with the 'count'.
This view is useful to monitor numerous reports at one glance. It will give you a holistic view of the reports that you have
added to the multi report. In this view, each report has a View Report button that navigates to the original report.
New Schedule button on the top right corner of the Scheduled Reports page. This will open the Create New Schedule
page.
Enter the name of the schedule, devices for which the schedule is for, and the reports which are to be included
in the schedule.
Schedule Frequency: Specify the frequency at which reports need to be exported. The frequency can be 'Only
Export Time Range: Select the time range for which the report needs to be created and later exported.
Report Format: Choose the file format in which the report needs to be exported i.e. PDF or CSV.
Email Address: Configure the email address to which the reports need to be sent.
Email Subject: Enter the subject of the mail that contains the exported reports.
3. Once you've entered the necessary details for the schedule, click Save to complete creating the report schedule.
2. In the left pane, click Scheduled Reports present at the bottom. You can now see a list of report schedules.
To edit a report schedule, click the edit icon corresponding to the report schedule and make the necessary
changes.
To delete a report schedule, click the corresponding delete icon. Click Yes in the pop-up box that appears.
To disable a report schedule, click on the corresponding tick in the Actions column.
On the right top corner of the tab, click on More and select Add to Favorites.
The selected report will be added to the Favorites section.
This can now be accessed quickly by clicking on 'Favorites' in the top right corner.
Note: While upgrading to the latest build of EventLog Analyzer, favorite reports in Builds 11212 and below will
not be retained.
To pin a report,
For instance, a misconfigured router, switch, or firewall can lead to the entry of malicious traffic. Monitoring network
activity along with the changes in perimeter network devices can spot and help seal such loopholes.
EventLog Analyzer helps you collect, analyze, and conduct forensic investigation on perimeter devices' log data.
This solution offers built-in support for different types of networking and security devices such as routers, switches,
intrusion detection and prevention systems, and firewalls.
These reports provide insights into events such as successful logons, failed logons, VPN logons, etc.
These reports ensure that all the changes made to your network's configuration are authorized and don't create any
loopholes in your network security.
The reports in this category provide critical insights into the key events taking place in your routers and switches such as
the commands executed, the fan status, the system temperature, etc.
Keep track of router transmission errors such as occurrences of too many fragments, fragment overlap, or invalid fragment
length.
IDS/IPS Activity
The reports in this category help you understand what types of attacks your network is exposed to, which network
devices need further hardening, which malicious traffic sources to block first, and more.
Firewall Threats
These reports give detailed information on possible security threats to the network.
These reports provide insights into the allowed and denied traffic with details on the source, destination, port, and protocol.
With these reports, you can monitor the successful and failed firewall logons.
Reports on the common attacks that can be detected by monitoring events in the Windows Firewall will be listed here.
Threat Detection
This section contains reports on common threats to the Windows environment that aid in the detection, analysis, and
forensic investigation of attacks. The attacks in this category are primarily aimed at weakening the defenses of a
system. Deeper analysis of the threats captured in these reports can help prevent a full-blown attack at a later
stage.
DoS Attack Subsided - Possible denial-of-service attacks that have ended.
DoS Attack Entered Defensive Mode - This report is generated when the Windows Filtering Platform has
detected a potential DoS attack and entered defensive mode.
DoS Attacks - This report captures information on denial-of-service attacks, in which legitimate users are
deprived of a service by a high volume of malicious traffic.
Downgrade Attacks - This report captures instances of downgrade attacks, in which a system is forced to fall back
from its stronger security features to older, weaker ones, leaving it open to attack.
Replay Attack - This report captures instances of legitimate data or requests being captured and replayed by an
attacker to bypass authentication or for other malicious purposes.
Defender Malware Detection - Instances of malware detected by Windows Defender are listed in this report.
Defender Real Time Protection Detection - This report contains information on anti-virus detections made by
Windows Defender real-time protection.
Terminal Server Attacks - This report captures data on attacks against the terminal server, which enables multiple
clients in a network to connect to it.
Terminal Server Exceeds Maximum Logon Attempts - Information on multiple failed logon attempts on the terminal
server is available here.
IP Conflicts - If more than one host is assigned the same IP address, an IP conflict occurs that inhibits
communication between those hosts. Information on such IP conflicts in a network is listed here.
User Account Locked Out Error - Instances of user account lockouts are listed here. This report aids in the
investigation of the probable cause leading up to the lockout.
Application Whitelisting
EXE or DLL File Allowed to Run - This event is generated when an executable or DLL is allowed to run.
EXE or DLL Files Not Allowed to Run due to Enforced rules - This event is generated when an executable or DLL is
not allowed to run because of enforced rules.
EXE or DLL File Not Allowed to Run - This event is generated when an executable or DLL blocked by the organization
is prevented from running.
MSI or Script File Allowed to Run - This event is generated when a script or MSI file is allowed to run.
MSI or Script Files Not Allowed to Run due to Enforced rules - This event is generated when a script or MSI file is
blocked because of enforced rules.
MSI or Script File Not Allowed to Run - This event is generated when an MSI file or automated script blocked by the
organization is prevented from running on a system.
Software Restricted to Access Program - This report lists software that is restricted from making changes to
systems or files.
Domain Events
Reports on crucial Active Directory events will be listed here. Monitoring these critical changes is essential to ensure that
the security features in Active Directory have not been compromised or downgraded.
Special groups assigned to new logon - This report captures logons by accounts that belong to special groups
designated by the administrators.
SID History added to account - When a user account is migrated to a new domain, its previous security identifier
(SID) is added to the account's SID history in the new domain. This report helps track users across domains by
recording instances where SID history has been added to an account.
Failed SID History addition - Instances of failed additions of SID history to a user account will be listed here.
Kerberos policy changes - This report will contain a history of policy changes made to the Kerberos authentication
protocol in a network. Monitoring these policy changes is essential to ensure that authentication standards in a
network are not downgraded.
Special groups logon table modifications - This report captures all modifications to the special groups logon table.
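The Threat Detection, Application Whitelisting, and Domain Events reports above are each driven by a handful of Windows Security and AppLocker event IDs behind the report names. The following is an added example, not EventLog Analyzer's own code: it buckets a constructed batch of events into those report groups using Microsoft's documented event IDs (the page lists none, so the ID-to-report mapping, the field names and the sample events are this example's assumptions), and for the User Account Locked Out report it pulls out the failed logons that preceded each lockout so the probable cause is visible at a glance.

```python
"""Map Windows Security / AppLocker events to report groups and trace
account lockouts back to the failed logons that preceded them.
Added example; event IDs are Microsoft's documented IDs, the mapping to
report names and all sample events are this example's own construction."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event ID -> (report group, report name).  Assumed mapping, not the product's:
# 5148/5149 are the Windows Filtering Platform DoS events, 4649 is "A replay
# attack was detected", 4740 is an account lockout, 4765/4766 are SID history
# added / failed, 4713 is a Kerberos policy change, 4964 is "Special groups
# have been assigned to a new logon", 8002-8007 are the AppLocker events.
EVENT_MAP = {
    5148: ("Threat Detection", "DoS Attack Entered Defensive Mode"),
    5149: ("Threat Detection", "DoS Attack Subsided"),
    4649: ("Threat Detection", "Replay Attack"),
    4740: ("Threat Detection", "User Account Locked Out Error"),
    4964: ("Domain Events", "Special groups assigned to new logon"),
    4765: ("Domain Events", "SID History added to account"),
    4766: ("Domain Events", "Failed SID History addition"),
    4713: ("Domain Events", "Kerberos policy changes"),
    8002: ("Application Whitelisting", "EXE or DLL File Allowed to Run"),
    8004: ("Application Whitelisting", "EXE or DLL File Not Allowed to Run"),
    8005: ("Application Whitelisting", "MSI or Script File Allowed to Run"),
    8007: ("Application Whitelisting", "MSI or Script File Not Allowed to Run"),
}
FAILED_LOGON = 4625
LOCKOUT = 4740


def classify(events):
    """Bucket events by report group; IDs not in the map land in 'Unclassified'."""
    buckets = defaultdict(list)
    for ev in events:
        group, report = EVENT_MAP.get(ev["id"], ("Unclassified", "Event %d" % ev["id"]))
        buckets[group].append((report, ev))
    return buckets


def lockout_root_cause(events, window=timedelta(minutes=30)):
    """For every lockout (4740) return the failed logons (4625) for the same
    account inside the preceding window, counted per source host.  One host
    hammering one account is the usual signature of a stale credential or a
    brute-force attempt; many hosts point at something wider."""
    failures = [e for e in events if e["id"] == FAILED_LOGON]
    causes = {}
    for lock in (e for e in events if e["id"] == LOCKOUT):
        per_host = defaultdict(int)
        for f in failures:
            same_user = f["user"].lower() == lock["user"].lower()
            in_window = lock["time"] - window <= f["time"] <= lock["time"]
            if same_user and in_window:
                per_host[f["source"]] += 1
        causes[(lock["user"], lock["time"])] = dict(per_host)
    return causes


T0 = datetime(2024, 1, 15, 9, 0, 0)


def _ev(minute, event_id, user="-", source="-"):
    """Build a minimal event record; the field names are this example's own."""
    return {"id": event_id, "time": T0 + timedelta(minutes=minute),
            "user": user, "source": source}


# Constructed sample batch, not real log data.
SAMPLE_EVENTS = [
    _ev(-120, 4625, "jdoe", "WS-099"),      # old failure, outside the window
    _ev(1, 4625, "jdoe", "WS-042"),
    _ev(2, 4625, "jdoe", "WS-042"),
    _ev(3, 4625, "jdoe", "WS-042"),
    _ev(4, 4625, "jdoe", "WS-042"),
    _ev(5, 4625, "jdoe", "WS-042"),
    _ev(6, 4740, "jdoe", "DC01"),           # lockout after five failures
    _ev(7, 8004, "bob", "WS-042"),          # AppLocker blocked an EXE/DLL
    _ev(8, 8002, "bob", "WS-042"),          # AppLocker allowed an EXE/DLL
    _ev(9, 5148, "-", "WEB01"),             # WFP entered DoS defensive mode
    _ev(15, 5149, "-", "WEB01"),            # DoS subsided
    _ev(16, 4649, "svc-backup", "DC01"),    # Kerberos replay detected
    _ev(17, 4999, "-", "WS-042"),           # unknown ID, stays unclassified
]

if __name__ == "__main__":
    for group, items in sorted(classify(SAMPLE_EVENTS).items()):
        print(group, [report for report, _ in items])
    for (user, when), hosts in lockout_root_cause(SAMPLE_EVENTS).items():
        print("lockout of %s at %s preceded by failures from %s" % (user, when, hosts))
```

The window in `lockout_root_cause` should be set to the domain's lockout observation window; failures older than that did not contribute to the lockout and only add noise to the investigation.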
Application Crashes
This report group helps monitor issues related to the performance of applications installed on Windows devices.
Application Errors - This report captures instances of errors in loading applications installed on Windows
devices.
Application Hanged - This report captures instances of applications hanging on Windows devices.
Windows Error Reporting - This report contains information on frequently occurring errors on Windows
devices.
Blue Screen Error (BSOD) - This report contains instances of blue screen errors on Windows devices.
System Errors - This report contains the system errors recorded on Windows devices.
EMET Logs - Information from the Microsoft Enhanced Mitigation Experience Toolkit (EMET) is available in this report.
Windows File Protection - This report captures attempts to replace critical Windows system files.
EventLog Analyzer can collect log data from antivirus solutions such as Kaspersky, Sophos, and McAfee. The reports in this
category give an overview of all the threats detected by these solutions.
Registry Changes
This report group helps monitor Windows registry changes and records attempts to modify the registry.
This report group gives an overview of removable disk activity on Windows devices, including instances of USB or
removable disks being plugged in and removed even when no files are copied.
USB Plugged In
USB Plugged Out
Removable Disk Reads
Removable Disk Failed Reads
Removable Disk Creates
Removable Disk Failed Creates
Removable Disk Modifications
Removable Disk Failed Modifications
Removable Disk Deletes
Removable Disk Failed Deletes
Device Based Removable Disk Changes
Top Successful Users on Removable Disk Auditing
Top Failed Users on Removable Disk Auditing
Removable Disk Changes Trend
This report group provides an overview of Windows System Events such as start-up, shut-downs, and restarts.
Service Audit
These reports help you track all the services installed on your Windows devices.
Program Inventory
These reports provide information on software installations, service changes, and updates in your Windows environment.
Software Installed
Software Updated
Failed software installations
Failed software installations due to privilege mismatches
Software Uninstalled
Windows Updates - Installed
Windows update process failed
Failed hot patching
Update Packages Installed
Non valid Windows license
Failed Windows license activations
Non activated windows products
New kernel filter driver installed
These reports help you closely monitor your wireless network events.
Eventlog Reports
These reports help you track the status of the event logging service on Windows devices.
Eventlog Reports
These reports capture instances of the logging service being shut down, which stops any further activity, malicious
or inadvertent, from being recorded.
System Events
These reports can help you monitor some critical system events in your Windows infrastructure.
Windows Event
This report group gives the overall trends in Windows reports based on all recorded events, important events, and user
based events.
All Events
Important Events
User Based Report
Trend Report
This report group gives an overview of the trends detected in the logs collected from Windows devices. This report group
helps identify the events that are generated the most and the frequency of those events.
Weekly Report
Hourly Report
Success Events
Information Events
Failure Events
Warning Events
Error Events
This report group gives an overview of all the backup and restoration events in Windows devices.
The Windows Firewall Auditing report group helps in auditing critical changes in Windows Firewall such as the addition,
deletion, or modification of Firewall rules and settings.
Rule Added
Rule Modified
Rule Deleted
Settings Restored
Settings Changed
Group Policy Changes
This report group helps monitor the Network Policy Server (NPS) on Windows devices.
This report group helps mitigate data theft with reports to monitor printer activity, removable disks, and databases.
A record of the different logon types specific to Unix devices, such as SU, SSH, and FTP logons, is available here. In
addition, the top logon reports classify these logons by user, device, remote device, and logon method. The logon
trend report gives real-time insight into the general trend of Unix logons, which helps detect sharp deviations from
that trend that could indicate malicious activity.
User Logons
SU Logons
SSH Logons
FTP or SFTP Logons
Logons Overview
Top logons based on users
Top logons based on devices
Top logons based on remote devices
Top Unix Logon Method
Logon Trend
A record of the different logoffs specific to Unix devices, such as SU, SSH, FTP, and user logoffs, is available here. The
Logoffs Overview report gives real-time insight into the general trend.
User Logoffs
SU Logoffs
SSH Logoffs
FTP or SFTP Logoffs
Logoffs Overview
This report group helps monitor failed logons on any Unix device. The top failed-logon reports by user, device, and
remote device help identify an unusual number of logon failures, which could indicate an attack. In addition,
devices with repeated logon failures are listed separately.
This report group helps monitor critical changes to user accounts, groups, and passwords, such as their creation,
deletion, and modification.
These reports help track removable disk activity on Unix devices.
USB Plugged In
USB Plugged Out
SUDO Commands
The reports in this group help ensure that superuser privileges are not misused.
Trend report
The reports in this group give an overview of the trend in activity in Unix devices.
These reports help monitor Unix mail servers. The 'Top' reports give usage statistics for Unix mail servers. Reports on
mailbox usage, general trends, mail deliveries, and command execution are also available in this report group.
Unix Threats
The reports in this group and their corresponding alert profiles help discover and mitigate some of the threats common to
Unix devices.
These reports help monitor file storage on remote systems using the Network File System (NFS) protocol.
This report group contains reports for Unix events such as timed-out or denied connections, failed updates, and name
and address mismatch errors for devices. It also contains reports on cron jobs, that is, commands scheduled for later
execution.
Cron Jobs
Cron Edit
Cron Job Started
Cron Job Terminated
Connection aborted by a software
Receive identification string
Session Connected
Session Disconnected
Deactivated services
Unsupported Protocol Version
Timeout While Logging
Failed Updates
Device Name Mismatch Error
Device Address Mismatch Error
Top cron jobs based on users
This report group has a range of reports to monitor the usage of the File Transfer Protocol (FTP) in Unix devices. Monitoring
this protocol is crucial for data security.
File downloads
File Uploads
Data transfer stall timeouts
Login Timeouts
Session idle timeouts
No transfer timeouts
Connection timeouts
FTP Reports Overview
Top FTP operations based on user
Top FTP operations based on remote device
Crucial Unix system events such as yum installs, stops and restarts of the syslog service, system shutdowns, and low
disk space can be monitored with these reports.
This report group classifies Unix events by the eight syslog severity levels. This classification helps prioritize
events and alerts.
Emergency Events
Alert Events
Critical Events
Error Events
Warning Events
Notice Events
Information Events
Debug Events
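The Unix report groups above (logons and failed logons by remote device, SUDO Commands, syslog service events, and the eight severity levels) all start from the same raw material: RFC 3164-style syslog lines whose `<PRI>` prefix encodes facility and severity as `facility * 8 + severity`. The following added example, which is not EventLog Analyzer code, parses a constructed batch of such lines, decodes the severity into the eight names listed above, counts sshd failures per remote device and flags devices over a threshold, and extracts each sudo invocation with whether it succeeded. The regexes follow the usual sshd and sudo message formats; the sample lines and the threshold are this example's assumptions.

```python
"""Parse RFC 3164-style syslog lines from Unix hosts, decode the <PRI>
field into the eight severity levels, and build the failed-logon-by-remote-
device and sudo-command views.  Added example, not EventLog Analyzer code;
the sample lines are constructed."""
import re
from collections import Counter

# Index == severity code carried in the low three bits of <PRI>.
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Information", "Debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(
    r"^Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?:(?P<fail>\d+ incorrect password attempts) ; )?"
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(line):
    """Return a record with facility/severity decoded, or None if the line
    does not look like syslog.  PRI = facility * 8 + severity."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 facilities * 8 + 7 is the maximum
        return None
    rec = m.groupdict()
    rec["facility"] = pri >> 3
    rec["severity"] = SEVERITY[pri & 7]
    return rec


def severity_histogram(records):
    """Counts per severity name: the basis of the Emergency..Debug reports."""
    return Counter(r["severity"] for r in records)


def failed_logons_by_source(records, threshold=3):
    """Counter of sshd failures per remote device plus the devices at or above
    the threshold, i.e. the 'repeated logon failures' list."""
    counts = Counter()
    for r in records:
        if r["prog"] == "sshd":
            m = SSH_FAIL_RE.match(r["msg"])
            if m:
                counts[m.group("src")] += 1
    flagged = sorted(src for src, n in counts.items() if n >= threshold)
    return counts, flagged


def sudo_commands(records):
    """(invoking user, target user, command, succeeded) for every sudo line."""
    out = []
    for r in records:
        if r["prog"] == "sudo":
            m = SUDO_RE.match(r["msg"])
            if m:
                out.append((m.group("user"), m.group("target"),
                            m.group("cmd"), m.group("fail") is None))
    return out


# Constructed sample, not real log data.  <38> = auth.info, <85> = authpriv.notice,
# <82> = authpriv.crit, <30> = daemon.info.
SAMPLE_LINES = [
    "<38>Jan 15 09:01:02 srv1 sshd[1021]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "<38>Jan 15 09:01:04 srv1 sshd[1021]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2",
    "<38>Jan 15 09:01:06 srv1 sshd[1023]: Failed password for invalid user admin from 203.0.113.7 port 51134 ssh2",
    "<38>Jan 15 09:01:09 srv1 sshd[1030]: Failed password for alice from 192.0.2.9 port 40010 ssh2",
    "<38>Jan 15 09:01:10 srv1 sshd[1044]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2",
    "<85>Jan 15 09:02:00 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "<85>Jan 15 09:02:30 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "<82>Jan 15 09:03:00 srv1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "<30>Jan 15 09:04:00 srv1 systemd[1]: Stopping System Logging Service...",
]

if __name__ == "__main__":
    recs = [r for r in map(parse, SAMPLE_LINES) if r]
    print(severity_histogram(recs))
    print(failed_logons_by_source(recs))
    print(sudo_commands(recs))
```

Note that the severity a message arrives with is chosen by the sending program, so the Critical bucket here reflects how sudo rates a failed password, not an analyst's judgement; the sudo and ssh views are what tell you that `bob` read `/etc/shadow` and then failed to get a root shell.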
This report group helps analyze critical events further based on the level, event, device, and also the general trends.
VMware Logons/Logoffs
This report group helps monitor logons and logoffs on the virtual machines hosted on Unix devices. The reports in
this group categorize the events by type, status, and number of events.
The reports in this group monitor system events on the virtual machines hosted on Unix devices. Creation and
modification of user accounts, logging activity, disk space availability, and password changes can be tracked with these
reports.
Critical events specific to VMs such as creation, deletion, and the modification of VMs and guest logins can be monitored
with these reports.
Guest Login on VM
VM Created
VM Deleted
VM State Changes
Top VM Changes
VM Events Overview
This report group contains reports to monitor changes on AS400 devices. All critical system changes, logon events, hardware
errors, configuration changes, and more can be tracked with these reports.
Logons
Failed Logons
Logoff
Failed Authorization
Authority changes
User Profile changes
Objects deleted
Job changes
Ownership changes
Logon failure due to invalid passwords
System value changes report
Successful Job Start
Successful Job End
Job Logs
Device Configuration
System time changes
Subsystem varied off workstation
ASP storage threshold reached
ASP storage limit exceeded
Disk Unit Errors
Expired system IDs report
Unable to write audit record
Disabled user profiles due to maximum number of sign-on attempts
Report on weak battery
Report on battery failures
System password bypass period ended
Storage directory threshold reached
Report on serious storage conditions
Report on battery cache expiry
Report on i5 grace period expiry
Temporary IO Processor errors
System Processor Failure
Hardware Errors
Top logons based on users
Top failed logons based on users
Top jobs based on users
These reports help in the monitoring of successful and failed connections in terminal servers. You can also track access to
your critical resources using these reports.
These reports help determine which gateways, clients, and resources in your terminal servers have the highest usage.
These reports help monitor all critical activities on Windows-based DHCP servers, such as leases granted, denied, or
released, DNS updates, and critical requests. Because DHCP server auditing reports track the client-server exchanges that
occur when IP addresses are allotted, they can be essential in detecting suspicious network activity.
Each step in the client-server message exchange on Linux-based DHCP servers can be viewed with these reports. The top N
reports give information on the most active IP addresses, MAC addresses, gateways, and operations.
The DHCP Linux Overview report summarizes all DHCP log events.
Discovers
Offers
Requests
Acknowledges
Releases
Negative Acknowledges
Abandoning IP
Information Report
DHCP Linux Overview
Top Operation
Top IP Address
Top MAC Address
Top Gateway
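The DHCP Linux reports listed above are one-to-one with the message types an ISC dhcpd server writes to syslog as a client walks through the Discover/Offer/Request/Acknowledge exchange. The following added example, which is not EventLog Analyzer code, parses a constructed batch of dhcpd lines into those report categories, produces the overview and top-N counts, and goes a step beyond the page by following each client MAC through the exchange so that a client that was NAKed and never bound stands out. The message formats follow dhcpd's syslog output; the sample lines and the state names are this example's assumptions.

```python
"""Parse ISC dhcpd log messages into the DHCP Linux report categories
(Discovers, Offers, Requests, Acknowledges, Negative Acknowledges, Releases,
Abandoning IP, Information Report) and compute overview, top-N and
per-client lease state.  Added example, not EventLog Analyzer code; the
sample lines are constructed."""
import re
from collections import Counter

REPORT_FOR_OP = {
    "DHCPDISCOVER": "Discovers", "DHCPOFFER": "Offers", "DHCPREQUEST": "Requests",
    "DHCPACK": "Acknowledges", "DHCPNAK": "Negative Acknowledges",
    "DHCPRELEASE": "Releases", "DHCPINFORM": "Information Report",
}
OP_RE = re.compile(r"dhcpd\[\d+\]: (?P<op>DHCP[A-Z]+|Abandoning IP address)")
IP_RE = re.compile(r"\b(?:on|for|of|from|address) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
MAC_RE = re.compile(r"\b(?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
VIA_RE = re.compile(r"\bvia (?P<gw>[^\s:]+)")   # interface name or relay address


def parse_dhcpd(line):
    """One log line -> {report, op, ip, mac, gateway}; None for non-dhcpd lines."""
    m = OP_RE.search(line)
    if not m:
        return None
    op = m.group("op")
    report = "Abandoning IP" if op.startswith("Abandoning") else REPORT_FOR_OP.get(op)
    if report is None:
        return None

    def grab(rx, key):
        hit = rx.search(line)
        return hit.group(key) if hit else None

    return {"report": report, "op": op, "ip": grab(IP_RE, "ip"),
            "mac": grab(MAC_RE, "mac"), "gateway": grab(VIA_RE, "gw")}


def overview(records):
    """Event count per report name: the DHCP Linux Overview."""
    return Counter(r["report"] for r in records)


def top(records, field, n=5):
    """Top-N values of 'ip', 'mac', 'gateway' or 'op', most active first."""
    return Counter(r[field] for r in records if r[field]).most_common(n)


def lease_state(records):
    """Walk the exchange per client MAC and report its final (state, ip).
    A client that ends in 'refused' was NAKed and never bound."""
    state = {}
    transitions = {"DHCPOFFER": "offered", "DHCPACK": "bound",
                   "DHCPNAK": "refused", "DHCPRELEASE": "released"}
    for r in records:
        if r["mac"] is None:
            continue
        cur = state.get(r["mac"], ("discovering", None))
        state[r["mac"]] = (transitions.get(r["op"], cur[0]), r["ip"] or cur[1])
    return state


# Constructed sample, not real log data.
SAMPLE_DHCP = [
    "Jan 15 09:10:01 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
    "Jan 15 09:10:01 dhcp1 dhcpd[812]: DHCPOFFER on 192.168.10.20 to 00:11:22:33:44:55 via eth0",
    "Jan 15 09:10:02 dhcp1 dhcpd[812]: DHCPREQUEST for 192.168.10.20 (192.168.10.1) from 00:11:22:33:44:55 via eth0",
    "Jan 15 09:10:02 dhcp1 dhcpd[812]: DHCPACK on 192.168.10.20 to 00:11:22:33:44:55 via eth0",
    "Jan 15 09:11:15 dhcp1 dhcpd[812]: DHCPREQUEST for 192.168.10.77 from aa:bb:cc:dd:ee:ff via 192.168.20.1: wrong network.",
    "Jan 15 09:11:15 dhcp1 dhcpd[812]: DHCPNAK on 192.168.10.77 to aa:bb:cc:dd:ee:ff via 192.168.20.1",
    "Jan 15 09:12:00 dhcp1 dhcpd[812]: DHCPRELEASE of 192.168.10.20 from 00:11:22:33:44:55 via eth0 (found)",
    "Jan 15 09:13:00 dhcp1 dhcpd[812]: Abandoning IP address 192.168.10.30: pinged before offer",
    "Jan 15 09:14:00 dhcp1 dhcpd[812]: DHCPINFORM from 192.168.10.40 via eth0",
    "Jan 15 09:15:00 dhcp1 sshd[900]: Accepted publickey for ops from 192.168.10.5 port 5022 ssh2",
]

if __name__ == "__main__":
    recs = [r for r in map(parse_dhcpd, SAMPLE_DHCP) if r]
    print(overview(recs))
    print(top(recs, "mac"), top(recs, "gateway"))
    print(lease_state(recs))
```

"Abandoning IP address ... pinged before offer" is worth its own report because it means something already answered on an address the server believed was free, which is either a static host squatting in the pool or a rogue device.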
Logons
Failed Logons
Login attempts
File downloads
File uploads
Disconnects
File Transfer Aborts
File Deletions
Make Directories
Remove Directories
Rename Operations
List Directory Contents
Password Changes
Bad Sequence of Commands
Successful Commands
Command Syntax Errors
Transfer Incomplete due to insufficient space
Security Data Exchange
Top File Types Downloaded
Top File Types Uploaded
Top Users
Top Clients
Top Methods
Top Status
FTP Reports Overview
With these reports, you can detect the problems users might be facing on your website and closely track all error alerts.
These reports can help you detect some of the most common and dangerous web server attacks instantly, including SQL
injection attacks or denial of service attacks.
This report group can help you track several common HTTP error codes. It also has consolidated reports for both client
errors and server errors. These reports help you identify which errors are occurring most frequently in your Apache web
servers.
These top reports can help you discover the most frequently occurring errors and rectify them. With these, you can also
identify the most popular pages in your website and see who's accessing your site most often to get insights on user
behavior.
Top Visitors
Top Users
Top URL
Top Browsers
Top Errors
Top Referrers
Apache Server Trend
Apache Reports Overview
These reports help detect some of the most common and dangerous attacks on Apache web servers, such as SQL
injection and cross-site scripting attacks.
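The Apache error, top-N, and attack reports above are all derived from the same combined-format access log lines. The following added example, which is not EventLog Analyzer code, parses a constructed batch of such lines, consolidates client (4xx) and server (5xx) errors, lists the top visitors, and flags requests whose URL-decoded path carries a SQL injection or cross-site scripting payload. The signature list is deliberately small and illustrative, and the sample lines are this example's assumptions.

```python
"""Parse Apache combined-format access log lines, consolidate client (4xx)
and server (5xx) errors, and flag requests carrying SQL injection or
cross-site scripting payloads.  Added example, not EventLog Analyzer code;
the signatures are a small illustrative set and the sample lines are
constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$')

# Deliberately short signature list, matched against the URL-decoded request.
SIGNATURES = {
    "SQL injection": [r"union\s+select", r"'\s*or\s+\d+\s*=\s*\d+", r";\s*drop\s+table"],
    "Cross-site scripting": [r"<\s*script\b", r"javascript:", r"<[^>]*\bon\w+\s*="],
}
COMPILED = {kind: [re.compile(p, re.I) for p in pats] for kind, pats in SIGNATURES.items()}


def parse_access(line):
    """Combined log line -> dict with int status and decoded path, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote_plus(rec["path"])   # attackers percent-encode payloads
    return rec


def error_summary(records):
    """Consolidated client/server error counts plus a per-status breakdown."""
    by_status = Counter(r["status"] for r in records if r["status"] >= 400)
    return {
        "client_errors": sum(n for s, n in by_status.items() if 400 <= s < 500),
        "server_errors": sum(n for s, n in by_status.items() if s >= 500),
        "by_status": by_status,
    }


def detect_attacks(records):
    """(source ip, attack kind, decoded path) for every request matching a signature."""
    hits = []
    for r in records:
        for kind, patterns in COMPILED.items():
            if any(p.search(r["decoded_path"]) for p in patterns):
                hits.append((r["ip"], kind, r["decoded_path"]))
                break
    return hits


def top_visitors(records, n=5):
    """Most active client addresses, the basis of the Top Visitors report."""
    return Counter(r["ip"] for r in records).most_common(n)


# Constructed sample, not real traffic.
SAMPLE_ACCESS = [
    '203.0.113.7 - - [15/Jan/2024:09:20:01 +0000] "GET /products.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5123 "-" "sqlmap/1.7"',
    '203.0.113.7 - - [15/Jan/2024:09:20:02 +0000] "GET /products.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 500 211 "-" "sqlmap/1.7"',
    '198.51.100.5 - alice [15/Jan/2024:09:21:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 880 "http://example.test/" "Mozilla/5.0"',
    '198.51.100.5 - alice [15/Jan/2024:09:21:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [15/Jan/2024:09:22:00 +0000] "GET /missing HTTP/1.1" 404 196 "-" "curl/8.0"',
    '192.0.2.9 - - [15/Jan/2024:09:22:30 +0000] "POST /api/orders HTTP/1.1" 503 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    recs = [r for r in map(parse_access, SAMPLE_ACCESS) if r]
    print(error_summary(recs))
    print(detect_attacks(recs))
    print(top_visitors(recs))
```

Matching is done on the decoded path because the first sample line carries `1' OR 1=1--` only after percent-decoding; a detector that inspects the raw request string misses it. A 200 response to an injection attempt, as in that first line, deserves more attention than the 500 that follows it, since it suggests the payload was accepted rather than rejected.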
These reports help database administrators monitor, track, and identify operational issues. They also help track
unauthorized access to confidential data and changes to user permissions. When a password is changed or the login
information of a user or user group is altered, the Logins Information report displays the details of the change.
The reports in this group can help monitor and track the changes happening at the database structural level, such as
changes to the tables, views, procedures, triggers, schema, and more.
Created Databases
Dropped Databases
Altered Databases
Created Tables
Dropped Tables
Altered Tables
Created Views
Dropped Views
Altered Views
Created Stored Procedures
Dropped Stored Procedures
Altered Stored Procedures
Created Index
Dropped Index
Altered Index
Created Triggers
Dropped Triggers
Altered Triggers
Created Schemas
Altered Schemas
Dropped Schemas
The reports in this group can help you figure out when functional queries are executed, who executed them, and from
where. You can also track activities such as data being viewed, updated, deleted, or new entries being added to your
confidential data.
These reports help you track changes to accounts with respect to users, logons and logoffs, and passwords. You can
also track the creation, deletion, or modification of privileged accounts to ensure that unauthorized privilege
escalation does not take place. In addition, you can audit logon and logoff activity, learn the reasons behind logon
failures, and know instantly when the password of a critical account is changed.
User Created
User Dropped
User Altered
Login Created
Login Dropped
Login Altered
Database Role Created
Database Role Dropped
Database Role Altered
Application Role Created
Application Role Dropped
Application Role Altered
Credential Created
Credential Dropped
Credential Altered
Own Password Changes
Failed Own password changes
Password changes
Password changes Failed
Password resets
Password resets Failed
Own password resets
Failed Own password resets
Unlocked accounts
Enabled users
Disabled users
These reports help audit MS SQL Server activities such as startups, shutdowns, logons, logon failures, database backup,
restoration, audit, audit specifications, administrator authorities, and a lot more.
This report group gives detailed information on SQL injection and denial of service attacks, to help you conduct detailed
forensic analysis on how the attack happened.
You can also track account lockouts, privilege abuses, and unauthorized copying of sensitive data with these reports.
Privilege abuses
Unauthorized copies of sensitive data
Account Lockouts
Storage media exposure
SQL Injection
Denial of Service
These reports help you track the execution of DBCC commands on your SQL servers.
These reports help you track host activity on your SQL servers.
These reports help you ensure that the integrity of your data is not tampered with.
Audit integrity
Failure followed by success events
The SQL Server permissions denied reports help you track unauthorized access attempts on critical data.
The SQL Server access violation report gives details on access violations that could indicate an attack or data theft.
Access violation
These reports help you consolidate the information from SNMP traps and manage your network better.
Cold Start
Warm Start
Link Down
Link Up
Authentication Failure
EGP Neighbor Loss
Enterprise Specific
These reports can help you track the error and information events to ensure that critical issues are brought to your notice.
These reports provide insights into Oracle database access, command execution, critical task performance, and more,
including who did what, when, and from where.
Created Databases
Dropped Databases
Altered Databases
Created clusters
Dropped clusters
Altered Clusters
Created Tables
Dropped Tables
Altered Tables
Selected Tables
Inserted Tables
Updated Tables
Deleted Tables
Created functions
Dropped functions
Altered functions
Created Schemas
Created procedures
Dropped procedures
Altered procedures
Executed procedures
Created triggers
Dropped triggers
Altered Triggers
These reports can help track the creation, modification, and deletion of user accounts and roles. With these reports, you can
also monitor who accessed a user account or role, from where, and when the event occurred.
Created profiles
Dropped profiles
Altered profiles
Users created
Dropped users
Altered users
Roles created
Dropped roles
Altered roles
Granted roles
Revoked roles
System Grant
System Revoke
These reports give insights on Oracle database access to monitor all user activity within the database. These reports help
you audit user logons, remote logons, and user logoffs.
Connect Events
Server Startup
Server Shutdown
Logons
Failed Logons
Top logons based on users
Top logons based on remote devices
Top failed logons based on users
Top failed logons based on remote devices
Logon Trend
Failed logon trend
Oracle Events Trend
These reports help you detect attacks on Oracle databases, such as SQL injection and denial-of-service attacks. You can
also track expired passwords and account lockouts to ensure that legitimate users have uninterrupted access to
resources.
These reports help you track logons to your MySQL database to ensure that there is no unauthorized access to it.
Logon Success
Logon Failures
These reports help you track DDL and DML statements to make sure that there is no unauthorized modification or access
to sensitive data.
DDL Statements
DML Statements
Transactional and Locking Statements
Utility Statements
Replication Statements
These reports can help you track database administrative statements including account management and resource group
management statements in MySQL servers.
This report helps you track startup and shutdown events in your MySQL server.
Printer Auditing
The printer auditing reports help you keep track of the documents printed within your network. These reports can
also help you identify which documents get printed the most and by whom. This helps ensure that sensitive information
is not printed indiscriminately, which would increase the risk of data theft.
Documents Printed
Deleted documents
Timed out documents
Moved Documents
Resumed Documents
Paused documents
Corrupted documents
Documents' priority changes
Insufficient Privilege to Print Documents
Top printed documents based on users
Top printed documents
Printer Activity trend
Failed Printer Activity Trend
Process Created
Process Terminated
Remote Thread Creation
Process Access
Pipe Created
Pipe Connected
File Created
File Stream Creation
File Time Change
Raw Access Read
Drivers Loaded
Image Loaded
Network Connection
DNS Query
Cluster created
Cluster destroyed
Cluster renamed
Cluster reconfigured
Datacenter changes
Datacenter created
Datacenter deleted
Datacenter renamed
Datastore changes
Datastore created
Datastore destroyed
Datastore renamed
Datastore file copied
Datastore file moved
Datastore file deleted
Folder changes
Folder created
Folder deleted
Folder renamed
Inventory objects moved into a folder
Permission changes
Permission created
Permission removed
Permission updated
Role changes
Role added
Role removed
Role updated
VM created
VM deployed
VM removed
VM renamed
VM reconfigured
VM power state changes
Device changes
Device added
Device added failure
Device IP changed
Device shutdown
Device removed
Device connection overview
Device powered down to standby
EventLog Analyzer also provides predefined alert criteria for all the vCenter events mentioned above. Setting up a vCenter
alert profile is the same as setting up a predefined alert profile, except that you need to choose the 'vCenter' type in the
alert criteria.
All Events
Important Events
Allowed Traffic
Top Traffic based on source
Top Traffic based on destination
Allowed Traffic Trend
Denied Traffic
Top Denied Connections based on Source
Top Denied Connections based on Destination
Denied Connections Trend
Logon Reports
Successful Logons
Successful Logon Trend
Failed Logons
Failed Logon Attempts
Failed Logons Trend
Rules Added
Rules Deleted
Rules Modified
DHCP Reports
Allocated IP address
Conflicting IP Address
Lease Extend IP Address
Interface Up
Interface Down
All Attacks
Attacks Trend
Web Filtering
Anti-virus reports
System Events
Configuration Changes
Clock Update
System Reboot
Fan Failure
Memory Status
CPU Status
Temperature Status
High Availability Status
Severity Reports
Emergency Events
Alert Events
Critical Events
Error Events
Warning Events
Notice Events
Information Events
Debug Events
All Events
Important Events
Logon Reports
Successful Logon
Top Source
Top Users
Logoff Events
Top Source
Top Users
Successful Logons Trend
Failed Logons
Top Source
Top Users
Failed Logons Trend
Allowed Traffic
Allowed Traffic
Top Source
Top Destination
Top Protocol
Top Port
Allowed Traffic Trend
Denied Connections
Denied Connections
Top Source
Top Destination
Top Protocol
Top Port
Denied Connections Trend
Interface Status
Interface Up
Interface Down
System Events
Severity Reports
Emergency Events
Alert Events
Critical Events
Error Events
Warning Events
Notice Events
Information Events
Debug Events
All Events
Important Events
Logon Reports
Successful Logon
Failed Logons
Logon Overview
Traffic Reports
Allowed Traffic
Denied Connections
Traffic Overview
Rule Added
Rule Modified
Rule Deleted
Admin Added
Admin Modified
Admin Deleted
System Event
Clock Updated
System Shutdown
System Reboot
IDS/IPS Reports
Attack Overview
Severity Report
Select the Period for which you want the data to be displayed and click Apply.
The graphs can be viewed in different formats.
To quickly export the report, click Export as and choose the format. Once done, you can download the report.
3. Click Pin to dashboard to pin this report to the main dashboard on the Home page.
Go to the Reports section. Select Barracuda from the displayed list of vendors.
In the left panel, all the available out-of-the-box reports for Barracuda will be listed. Select the report you want to
view.
Click Select Device and choose the Barracuda devices for which you need the reports. Click Add.
Select the Period for which you want the data to be displayed and click Apply.
To quickly export the report in view, click Export as and choose the format. Once done, you can download the
report.
3. Click Pin to dashboard to pin this report to the main dashboard on the Home page.
Go to the Reports section. Select CheckPoint from the displayed list of vendors.
In the left panel, all the available out-of-the-box reports for CheckPoint will be listed. Select the report you want to
view.
Click Select Device and choose the CheckPoint devices for which you need the reports. Click Add.
Select the Period for which you want the data to be displayed and click Apply.
To quickly export the report in view, click Export as and choose the format. Once done, you can download the
report.
3. Click Pin to dashboard to pin this report to the main dashboard on the Home page.
Go to the Reports section. Select FirePower from the displayed list of vendors.
Click Select Device and choose the FirePower devices for which you need the reports. Click Add.
Select the Period for which you want the data to be displayed and click Apply.
The graphs can be viewed in multiple formats. To switch to a different graph format, click the drop-down button.
This panel lists all the available out-of-box reports for FirePower. Select the report you want to view.
Click Schedule to have this report automatically generated, exported and emailed to the specified users in the
desired format, at the specified times.
3. Click Pin to dashboard to pin this report to the main dashboard on the Home page.
Fortinet Events: These reports provide valuable information on all events including important events such as
logons, failed logons, possible attacks, users added/deleted etc., on Fortinet devices.
Firewall Allowed and Denied Traffic: The reports in this category provide insights on traffic based on the source,
destination, protocol and port, and traffic trends.
Successful and Failed Logons: These reports provide source-based, user-based, and trend reports on logons.
Firewall IDS/IPS Events: The reports in this category provide insights on possible attacks, and attacks based on the
source and destination IP address. They also provide reports on attack trends.
Firewall Security Events: These reports provide valuable information on applications, email and web filters. They
also provide reports on antivirus and DLP.
Firewall Accounts Management: This category provides reports on administrators and users added, deleted or
modified.
Firewall Policy Management: The reports in this category provide useful information on policies added, deleted or
modified.
Successful and Failed VPN Logon Reports: These reports provide insights on VPN logons and logouts based on
success, failure, remote devices, users and trends.
System Events: These reports provide valuable information on configuration changes, license expiration, power
restorations and failures, system shutdowns and reboots, and failed commands.
Device Severity Reports: The reports in this category provide insights into emergency, alerts, critical, error, warning,
notice, information and debug events.
VPN IP Assigned Reports: These reports provide information on private IPs assigned, users assigned IPs, remote IPs,
and VPN IPs assigned.
Click Select Device and choose the Fortinet devices for which you need the reports. Click Add.
Select the Period for which you want the data to be displayed and click Apply.
To export the report being viewed, click Export as and choose the format. Once done, you can download the
report.
3. Click Pin to dashboard to pin this report to the main dashboard on the Home page.
Huawei Events: These reports provide valuable information on all events including important events such as logons,
failed logons, policies added/deleted, users added/deleted etc., on Huawei devices.
Successful and Failed Logons: These reports provide information on source and user-based reports, and trend
reports.
Firewall Allowed and Denied Traffic: The reports in this category provide insights on traffic based on the source,
destination, protocol and port, and traffic trends.
Firewall Accounts Management: This category provides reports on users and groups added, deleted or modified.
Firewall Policy Management: This category of reports provides valuable information on policies added, deleted,
modified, enabled or disabled.
Firewall IDS/IPS events: This category of reports provides useful insights on attacks based on the source and
destination IP address. They also provide reports on attack trends.
Firewall Security Events: These reports provide information on application, email and web filters. They also provide
reports on antivirus and DLP.
Successful and Failed VPN Logon Reports: This category of reports provides insights into VPN logons and logouts
based on source, users and trend reports.
System Events: This category provides reports on power status, command executed, CPU status, clock update,
interface status, temperature status and fan status.
Device Severity Reports: The reports in this category provide insights into emergency, alerts, critical, error, warning,
notice, information and debug events.
Go to the Reports section and click on the Devices option in the drop down menu. Select Huawei from the
displayed list of vendors.
Click Select Device and choose the Huawei devices for which you need reports. Click Add.
Select the Period for which you want the data to be displayed and click Apply.
The All Events panel lists all the available out-of-the-box reports for Huawei. Select the report you want to view.
3. Pin to dashboard, to pin this report to the main dashboard in the Home page.
Juniper Events: These reports provide valuable information on all events including important events such as logons,
failed logons, possible attacks, configuration errors, interface up/down, etc., for Juniper devices.
Successful and Failed Logons: These reports provide insights on source and user-based reports, trends reports.
They also provide information on firewall, web, and CLI logons.
Configuration Reports: The reports in this category provide information on interface settings, commands executed,
and configuration errors.
Firewall Allowed and Denied Traffic: This category of reports provides valuable insights on traffic based on the
source, destination, protocol and port, and traffic trends.
Firewall IDS/IPS Events: These reports provide insights on possible, critical, top attacks; attacks based on source,
destination IP address, and severity; and attack trends.
Application Tracking Reports: The reports in this category provide useful information on applications accessed
based on username and reports on applications started and stopped.
System Events: These reports provide information on process and fan status, and system reboots.
Device Severity Reports: The reports in this category provide insights on emergency, alerts, critical, error, warning,
notice, information, and debug events.
Go to the Reports section and click on the Devices option in the drop down menu. Select Juniper from the
displayed list of vendors.
Click Select Device and choose the Juniper devices for which you need the reports. Click Add.
Select the Period for which you want the data to be displayed and click Apply.
The left panel lists all the available out-of-the-box reports for Juniper. Select the report you want to view.
3. Pin to dashboard, to pin this report to the main dashboard in the Home page.
Malwarebytes Events: The reports in this category provide valuable information on detected threats and exploits based on
source and users. Additionally, granular reports on blocked, allowed exploits, quarantined threats, and websites blocked
based on source and users are available.
Go to the Reports section and click on the Threats option in the drop down menu. Select Malwarebytes from the
displayed list of vendors.
Click Select Device and choose the Malwarebytes devices for which you need the reports. Click Add.
Select the Period for which you want the data to be displayed and click Apply.
In the left panel, under Malwarebytes Reports, you can view all the available threat reports for Malwarebytes.
Select the report you want to view.
3. Pin to dashboard, to pin this report to the main dashboard in the Home page.
Meraki Events: The reports in this category provide information on all events including important events such as
allowed traffic, denied connections, possible attacks etc., on Meraki devices.
Firewall Allowed and Denied Traffic: This category of reports provides valuable insights on traffic based on the
source, destination, protocol, port, and traffic trends.
Logon Reports: These reports provide valuable information on user logons and their trends.
Firewall Website Traffic: This category provides reports on traffic based on the source, destination IP address,
website, and traffic trends.
Firewall IDS/IPS Events: The reports in this category provide insights on possible attacks, and top attacks based on
source and destination IP address. They also provide reports on attack trends.
Firewall Security Events: This category provides reports on web filtering.
Successful and Failed VPN Logon Reports: These reports give you valuable insights on VPN logouts and logons
based on remote devices, users and trend reports.
Device Severity Reports: The reports in this category provide insights on alerts, critical, error, warning, notice,
information and debug events.
Go to the Reports section and click on the Devices option in the drop down menu. Select Meraki from the
displayed list of vendors.
Click Select Device and choose the Meraki devices for which you need to generate the reports. Click Add.
Select the Period for which you want the data to be displayed and click Apply.
The All Events panel lists all the available out-of-the-box reports for Meraki. Select the report you want to view.
3. Pin to dashboard, to pin this report to the main dashboard in the Home page.
Go to the Reports section. Select NetScreen from the displayed list of vendors.
In the left pane, all the available out-of-the-box reports for NetScreen will be listed. Select the report you want to
view.
To generate reports for a specific NetScreen device, click Select Device drop down list on the right pane and
choose the needed NetScreen devices. Click Add.
If you want to generate the reports for a specific time period, select the Period calendar option from the top right
corner, specify the time period, and then click Apply.
To generate and redistribute the reports over email at periodic time intervals, you can use the Schedule Reports
option.
3. Pin to dashboard: Pins the selected report to the dashboard in the Home page.
Palo Alto Events: Provides information on all the events associated with Palo Alto devices.
Firewall Allowed and Denied Traffic: Provides insights on traffic based on source, destination, protocol and port,
and also generates a report on traffic trends.
Firewall Website Traffic: Provides traffic reports based on source, destination, and website traffic trend.
Successful and Failed Logons: Provides source and user based reports, trend reports.
Firewall Accounts Management: Provides reports on administrator added, deleted or modified.
Firewall Policy Management: Provides information on policies added, deleted, or modified.
Firewall IDS/IPS Events: Provides insights on attacks based on source and destination IP address, also provides a
report on attack trends.
System Events: Provides reports on configuration changes, clock update, system status, start and stop of services,
features and license status.
Failed VPN Logon Reports: Monitors the VPN activities from Palo Alto logs and offers out-of-the-box reports for
failed VPN logons.
Device Severity Reports: Provides reports on emergency, alerts, critical, error, warning, and notice events.
Go to the Reports section. Select Palo Alto from the displayed list of vendors.
In the left pane, all the available out-of-the-box reports for Palo Alto will be listed. Select the report you want to
view.
To generate reports for a specific Palo Alto device, click Select Device drop down list on the right pane and choose
the needed Palo Alto devices. Click Add.
If you want to generate the reports for a specific time period, select the Period calendar option from the top right
corner, specify the time period and then click Apply.
To generate and redistribute the reports over email at periodic time intervals, you can use the Schedule Reports
option.
3. Pin to dashboard: Pins the selected report to the dashboard in the Home page.
Go to the Reports section. Select pfSense from the displayed list of vendors.
In the left panel, all the available out-of-the-box reports for pfSense will be listed. Select the report you want to
view.
To generate reports for a specific pfSense device, click Select Device drop down list on the right panel and choose
the needed pfSense devices. Click Add.
If you want to generate the reports for a specific time period, select the Period calendar option from the top right
corner, specify the time period and then click Apply.
To generate and redistribute the reports over email at periodic time intervals, you can use the Schedule Reports
option.
3. Pin to dashboard: Pins the selected report to the dashboard in the Home page.
Go to the Reports section. Select SonicWall from the displayed list of vendors.
In the left pane, all the available out-of-the-box reports for SonicWall will be listed. Select the report you want to
view.
To generate reports for a specific SonicWall device, click Select Device drop down list on the right pane and choose
the needed SonicWall devices. Click Add.
If you want to generate the reports for a specific time period, select the Period calendar option from the top right
corner, specify the time period and then click Apply.
To generate and redistribute the reports over email at periodic time intervals, you can use the Schedule Reports
option.
3. Pin to dashboard: Pins the selected report to the dashboard in the Home page.
Sophos Events: Provides information on all the events associated with Sophos devices.
Firewall Allowed and Denied Traffic: Provides insights on traffic based on source, destination, protocol and port,
and also generates a report on traffic trends.
Firewall Website Traffic: Provides traffic reports based on source, destination, and website traffic trend.
Successful and Failed Logons: Provides source and user based reports, trend reports.
Firewall Accounts Management: Provides reports on administrator added, deleted or modified.
Firewall Policy Management: Provides information on policies added, deleted, or modified.
Firewall IDS/IPS Events: Provides insights on attacks based on source and destination IP address, also provides a
report on attack trends.
System Events: Provides reports on configuration changes, clock update, system status, start and stop of services,
features and license status.
Failed VPN Logon Reports: Monitors the VPN activities from Sophos logs and offers out-of-the-box reports for
failed VPN logons.
Device Severity Reports: Provides reports on emergency, alerts, critical, error, warning, and notice events.
Go to the Reports section. Select Sophos from the displayed list of vendors.
In the left pane, all the available out-of-the-box reports for Sophos will be listed. Select the report you want to
view.
To generate reports for a specific Sophos device, click Select Device drop down list on the right pane and choose
the needed Sophos devices. Click Add.
If you want to generate the reports for a specific time period, select the Period calendar option from the top right
corner, specify the time period and then click Apply.
To export a report, click Export as and choose the format. The solution allows you to export the reports in PDF and
CSV formats.
To generate and redistribute the reports over email at periodic time intervals, you can use the Schedule Reports
option.
The More link at the top right corner provides you the below customization options:
1. Set as Default: Allows you to set the selected report as the default report.
3. Pin to dashboard: Pins the selected report to the dashboard in the Home page.
2. Firewall Allowed and Denied Traffic: The reports in these categories provide information on traffic based on source,
3. Firewall Website Traffic: This category has traffic reports based on source, destination, and website traffic trend
reports.
4. Successful and Failed Logons: The reports in these categories provide information on successful and failed logins based
on source and user. It also provides insights on logon trends.
5. Firewall Accounts Management: The reports in this category provide information on added, deleted, or modified
firewall administrator accounts.
6. Firewall Policy Management: These reports provide information on added, deleted, or modified firewall policies.
7. Firewall IDS/IPS Events: The reports in this category provide information on attacks based on source and destination
8. System Events: These reports provide information on configuration changes, clock updates, system status, start and
9. Failed VPN Logon Reports: These reports provide information on the VPN activities from WatchGuard logs and offer
10. Device Severity Reports: The reports in this category provide information on emergency, alerts, critical, error, warning,
1. Go to the Reports section. Select WatchGuard from the displayed list of devices.
2. Click Select Device and choose the WatchGuard devices for which you need the reports. Click Add.
4. Select the Period for which you want the data to be displayed and click Apply.
7. To quickly export the report in view, click Export as and choose the format. You can then download the report.
1. Set as Default, to set this report as the default for WatchGuard reports.
3. Pin to dashboard, to pin this report to the main dashboard in the Home page.
2. Logon Reports: These reports provide information on successful firewall logons and logoffs, and also give insights into
logon trends.
3. Failed Logon Reports: The reports in this category provide information on failed firewall logons and insights into failed
logon trends.
4. LTM Health Monitoring: The reports in this category let you track recent changes made to monitor status, node status,
pool status, pool member status, and virtual server status.
5. Connection Monitoring: These reports let you view all CMI events and monitor connection limits.
6. Interface Events: The reports in this category let you monitor interface events such as Interface Up, Interface Down,
7. Firewall Allowed Traffic: The reports in this category provide information on all connections allowed through the
8. Firewall Denied Traffic: These reports provide information on all denied connections and insights on trends in firewall
traffic.
9. Firewall Policy Changes: These reports let you track all policy changes.
10. Firewall IDS/IPS Reports: The reports in this category let you monitor attacks and attack trends.
11. System Events: The reports in this category provide information on configuration changes and errors, reports on
license, policy, and memory status. Monitor status of hardware such as chassis module, temperature, fan, and sensor.
12. Application Security Reports: These reports provide an overview of application security, information on requests
13. Device Severity Reports: These reports provide information on emergency, alert, critical and error events.
F5 reports dashboard
2. Click Select Device and choose the F5 devices for which you need the reports. Click Add.
3. Select the Period for which you want the data to be displayed and click Apply.
4. The panel on left lists all the available out-of-the-box reports for F5. Select the report you want to view.
5. To quickly export the report in view, click Export as and choose the format. You can then download the report.
1. Set as Default, to set this report as the default for WatchGuard reports.
3. Pin to dashboard, to pin this report to the main dashboard in the Home page.
2. User activity: These reports offer insights into user profile changes, authority changes, logons and logoffs, objects
deleted, ownership changes, disabled user profiles due to maximum number of sign-on attempts.
3. Logon failures: The reports in this category provide information on failed logons and authorization, and logon failure
due to invalid passwords.
4. System events: These reports provide information on system value changes and time changes, expired system IDs,
password bypass period, and information on subsystem varied off workstation.
5. Job logs: These reports provide information on top jobs based on users, successful job start and end, and changes made
to jobs.
6. Storage events: These reports provide information on breach of ASP storage threshold, storage directory threshold,
7. Battery condition: These reports provide information on battery cache expiry, weak battery and battery failures.
9. Configuration and hardware: These reports provide information on device configuration, hardware errors, disk unit
2. The panel on the left lists all the available out-of-box reports for IBM AS/400. Select the report you want to view.
AS400 device from Select Device drop down list. Click Add.
4. You can further filter and view the security events based on Source, Severity and Device. To do this, click on the filter
icon.
This opens the Create Filter dialog box. Select the appropriate criteria.
6. To quickly export the report in view, click Export as and choose the format. You can then download the report.
1. Set as Default, to set this report as the default for IBM AS/400 reports.
3. Pin to dashboard, to pin this report to the main dashboard in the Home page.
EventLog Analyzer can automatically analyze data from the above solution and give you insights on commonly found
severities, source and destination IP addresses, and the most targeted ports in the form of security analytical reports.
These reports can also be exported in the PDF, CSV, and HTML formats. Report generation can also be automated using
the Schedule report option. These are the solutions that EventLog Analyzer supports.
EventLog Analyzer can process log data from FireEye and present the data in the form of graphical reports. For the solution
to start collecting log data from FireEye, it has to be added as a threat source.
Navigate to Settings > Notifications, select rsyslog and the Event type.
3. In the dialog box that opens, enter the EventLog Analyzer server IP address in the given field. Choose UDP as the
4. Click on Save.
Once the device is added in EventLog Analyzer, it should then be listed as a threat source. This can be done in a few simple
steps.
1. In the EventLog Analyzer console, navigate to Settings > Configurations > Manage Threat Source > Add Source
2. Click on Existing Host and select the device you had added from the list of existing devices.
4. Click on Add.
Domain matches
Malware infections
Callbacks
Malware objects
Web infections
EventLog Analyzer also provides reports that give information on the top:
Severities
Source IPs of infections
Target IPs
Target ports
Malware
Active sensors
EventLog Analyzer collects log data from Symantec Endpoint Solutions and presents it in the form of graphical reports. For
the solution to start collecting this log data, it has to be added as a threat source.
2. Navigate to Admin > Servers. Select the local site or remote site from which log data must be exported.
4. In the General tab, from the Update Frequency list, choose how often log data should be sent to the file.
5. In the Master Logging Server list, select the management server to which the logs should be sent.
Destination Port - Select the protocol to use and enter the destination port that the Syslog server should use
Log Facility - Enter the number of the log facility that you want the Syslog configuration file to use. Valid
values range from 0 to 23. Alternatively, you could use the default values.
8. Click on OK.
2. Click on Existing Host and select the device you had added from the list of existing devices.
4. Click on Add.
Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed
in the form of reports.
Security risks
Virus detected
Port scans
Installation of commercial applications
Threat activities
HIPS activities
Affected devices
Source devices
Risks
Problems
EventLog Analyzer collects log data from Symantec DLP Applications and presents it in the form of graphical reports. For
the solution to start collecting this log data, it has to be added as a threat source.
2. Uncomment the systemevent.syslog.host= line and specify the EventLog Analyzer server IP address as follows:
systemevent.syslog.host=xxx.xx.xx.xxx
3. Uncomment the systemevent.syslog.port= line and specify 514 as the port to accept connections from the Symantec
Enforce Server as follows:
systemevent.syslog.port=514
4. After making the above mentioned changes, save and close the properties file.
2. Click on Existing Host and select the device you had added from the list of existing devices.
4. Click on Add.
Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed
in the form of reports.
Senders
Recipients
Targets
Protocols
Data Owners
Severities
EventLog Analyzer collects log data from Malwarebytes and presents it in the form of graphical reports. For the solution to
start collecting this log data, the device has to be added as a threat source.
2. Navigate to the Admin pane and open the Syslog Settings tab.
4. To export traffic monitoring logs to the EventLog Analyzer server, enter the following details in the space provided:
Port <513/514>
Protocol
5. Click on OK to save.
Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed
in the form of reports.
2. Click on Existing Host and select the device you had added from the list of existing devices.
4. Click on Add.
Detected Threats
Quarantined Threats
Allowed Threats
Top Threats based on source
Top Threats based on user
Top Threats Types
Top Websites blocked based on source
Detected Exploits
Blocked Exploits
Allowed Exploits
Top Exploits based on source
Top Exploits based on user
Top Exploits types
Malicious Websites Blocked
Top Websites Blocked
EventLog Analyzer collects log data in the CEF format and presents it in the form of graphical reports. For the solution to
start collecting this log data, the device has to be added as a threat source.
4. In the Syslog Server IP address field, enter the <EventLog Analyzer IP address>.
Once the threat source is added, EventLog Analyzer will start parsing the fields in the logs. This log data can now be viewed
in the form of reports.
1. In the EventLog Analyzer console, navigate to Settings > Configurations > Manage Threat Source > Add Source
2. Click on Existing Host and select the device you had added from the list of existing devices.
4. Click on Add.
EventLog Analyzer also has predefined alert criteria corresponding to the above categories. Setting up an alert profile for
vulnerability scanners is similar to a predefined alert profile. The only difference is that you need to choose Vulnerability as
the type from the predefined list and then choose the appropriate alert condition.
4. Click on Import.
Available reports:
GHOST in Linux - This report lists any detected instance of the GHOST vulnerability in Linux.
Shellshock Report - This report contains information on the detected instances of the Shellshock privilege
escalation vulnerability in Linux systems in your network.
Admin Discovery Report - An overview of all the admin accounts in a network will be available in this report.
Top exploitable vulnerabilities - An overview of the vulnerabilities in your network that are most prone to attacks
will be available here.
Credential failures report - An account of all instances of credential failures in your network will be displayed here.
Elevated privilege failures report - Failed attempts at privilege escalation will be displayed here.
Registry access failures - Failed attempts at accessing the Windows Registry will be recorded here.
Patch report - A report of all the patches applied in the device will be displayed.
Overall Nessus report - An overview of events in Nessus vulnerability scanners in your network will be available
here.
For instance, the risk assessment (ID.RA) section of NIST compliance that states,
The data from vulnerability scanners that can be used to ensure compliance to regulations are also categorized according to
the device types, in EventLog Analyzer. The solution categorizes the reports as follows based on the devices' data that
Nessus analyzes.
Windows devices
Unix devices
Databases
Cisco IOS
Huawei
Unix file contents
IBM iSeries
SonicWall, SonicOS
Citrix XenServer
VMware, vCenter, and vSphere infrastructure
Once the Nessus vulnerability scanner is added, this data from Nessus can be manually imported into EventLog Analyzer or
automated imports can be scheduled. This data is then collated into comprehensive reports to comply with PCI DSS
requirements.
The information on potential vulnerabilities in a network including service vulnerabilities and potential vulnerabilities
gathered from Qualys will be provided in these reports. This information is also presented in the graphical format for
improved insights.
Available reports:
Available reports:
Top Vulnerable Service - From NMAP data, the services in the system most prone to be exploited will be available
here.
Top Vulnerable OS - From NMAP data, the services in the operating systems most prone to be exploited will be
available here.
Top Open Ports - A list of all the open ports in the system will be available here.
Open Ports - A list of all the open ports in the system will be available here.
Top Vulnerable Devices - A list of the most vulnerable devices, according to the NMAP data, will be available here.
Top Vulnerable protocol - The most vulnerable protocols used in the system will be available in this report.
Top Vulnerable ports - A list of the most vulnerable ports according to the NMAP data will be available here.
Top Vulnerabilities High Threat - Vulnerabilities that pose the highest risk of attacks will be listed here.
Top Vulnerabilities Medium Threat - Vulnerabilities that pose a moderate risk of attacks will be listed here.
Top Vulnerabilities Low Threat - Vulnerabilities that do not pose a high risk of attacks will be listed here.
Data from OpenVAS is also segregated based on severity, CVS score, and group.
Top CVS Score by Count - This report identifies the most frequent vulnerabilities categorized based on the CVS
score.
Top Vulnerable Group - This report lists the most vulnerable workgroups in your network based on the
Top Vulnerabilities - This report lists the most common vulnerabilities in the network.
EventLog Analyzer collects data from Nexpose and categorizes the vulnerability information based on the level of severity.
Available reports:
Critical threats - Vulnerabilities that pose the highest risk of attacks will be listed here.
High threats - Vulnerabilities that pose a considerably high risk of attacks will be listed here.
Medium threats - Vulnerabilities that pose a moderate risk of attack will be listed here.
Low threats - Vulnerabilities that do not pose a high risk of attacks will be listed here.
Vulnerability trend - The general trend that can be inferred based on the vulnerabilities in your network will be
listed here.
Understanding correlation
What is correlation?
Correlation is the process of identifying a sequence of multiple events, across one or more devices, which are all related, and
form a single large incident. The main reason correlation is so useful is because, in many cases, the individual events may
not seem suspicious on their own, but when taken in relation to the other events, a larger picture emerges which points to
a potential security incident.
For instance, the two events "employee logs on to Device A" and "employee logs on to Device B" seem perfectly normal.
However, "same employee logs on to two different devices (Device A and Device B) at almost the same time" may indicate
a possible account sharing incident.
For more information on constructing a correlation rule using these parameters, see Constructing custom correlation rules.
Example:
A brute force attack occurs when an attacker tries to gain access to a device in your network, by trying several
logon credentials until one succeeds. It is characterized by several failed logons on a device, followed by a
successful logon:
General pattern: Failed logon -> Failed logon -> Failed logon -> (...) -> Successful logon (all within a few minutes,
to the same device)
Specific pattern: At least 10 failed logons to a single device within 2 minutes -> (within the next 1 minute) ->
Successful logon to the same device
Threshold: None.
Filters: The device name should be the same as the device name from Action 1.
2. Session activity
Some examples
A series of application crashes on a device over a short time-frame may point to a faulty device. Further, this
check should not be applied to a specific device named "Device-1234" as it is used for application crash testing
purposes and may generate too many false positives.
General action flow: Application crash -> Application crash -> (...) -> Application crash (all within few hours on a
single device, not applicable to Device-1234)
Specific action flow: At least 5 application crashes on a single device within 180 minutes (except for Device-
1234)
Threshold: This action should occur a minimum of 5 times within 180 minutes.
Filters:
The device name should be the same for all occurrences of Action 1.
The device name should not equal Device-1234.
A ransomware attack typically progresses with a newly started process modifying several files on a network
device (in order to encrypt them). It can be identified by a process being started, shortly followed by multiple
file modifications.
General action flow: Process started -> File modified -> File modified -> (...) -> File modified (all within a few
minutes, on the same device)
Specific action flow: Process started -> (within the next 5 minutes) -> At least 15 file modifications on the same
device, by the same process
Threshold: None.
Filters: None
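The three rule patterns above (the brute force logon sequence, the crash threshold with a device filter, and the process-start-then-file-modification sequence) written out as a small stand-alone correlation engine run over constructed sample events. This is an added illustration, not EventLog Analyzer's code: the action names, device names, and the `Event` and `Incident` structures are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:
    """One normalized log event; field names are assumptions, not EventLog Analyzer's schema."""
    time: datetime
    action: str  # failed_logon, successful_logon, app_crash, process_started, file_modified
    device: str
    user: str = ""
    process: str = ""

@dataclass
class Incident:
    rule: str
    device: str
    time: datetime
    details: dict = field(default_factory=dict)

def _group_by(events, key):
    groups = {}  # time-sorted events bucketed by key (device, or (device, process))
    for ev in sorted(events, key=lambda e: e.time):
        groups.setdefault(key(ev), []).append(ev)
    return groups

def brute_force_incidents(events, min_failures=10, fail_window=timedelta(minutes=2),
                          follow_within=timedelta(minutes=1)):
    """Rule: >= 10 failed logons to one device within 2 min, then a successful logon there within 1 min."""
    incidents, seen = [], set()
    for device, evs in _group_by(events, lambda e: e.device).items():
        fails = [e for e in evs if e.action == "failed_logon"]
        succs = [e for e in evs if e.action == "successful_logon"]
        for i in range(len(fails) - min_failures + 1):
            first, last = fails[i], fails[i + min_failures - 1]
            if last.time - first.time > fail_window:
                continue  # these failures are spread over more than the 2-minute window
            for s in succs:
                if last.time < s.time <= last.time + follow_within and (device, s.time) not in seen:
                    seen.add((device, s.time))  # report each successful logon only once
                    incidents.append(Incident("brute_force", device, s.time, {"user": s.user}))
    return incidents

def crash_storm_incidents(events, threshold=5, window=timedelta(minutes=180),
                          exclude=("Device-1234",)):
    """Rule: >= 5 application crashes on one device within 180 min; Device-1234 is filtered out."""
    incidents = []
    for device, evs in _group_by(events, lambda e: e.device).items():
        if device in exclude:
            continue
        crashes = [e for e in evs if e.action == "app_crash"]
        for i in range(len(crashes) - threshold + 1):
            if crashes[i + threshold - 1].time - crashes[i].time <= window:
                incidents.append(Incident("crash_storm", device, crashes[i].time, {"count": threshold}))
                break  # one incident per device is enough for this illustration
    return incidents

def ransomware_incidents(events, min_mods=15, window=timedelta(minutes=5)):
    """Rule: process start followed within 5 min by >= 15 file modifications by that process on that device."""
    incidents = []
    for (device, process), evs in _group_by(events, lambda e: (e.device, e.process)).items():
        starts = [e for e in evs if e.action == "process_started"]
        mods = [e for e in evs if e.action == "file_modified"]
        for st in starts:
            count = sum(1 for m in mods if st.time < m.time <= st.time + window)
            if count >= min_mods:
                incidents.append(Incident("ransomware", device, st.time,
                                          {"process": process, "count": count}))
    return incidents

def run_all(events):
    return brute_force_incidents(events) + crash_storm_incidents(events) + ransomware_incidents(events)

def sample_events():
    """Constructed sample events (not real logs) with a positive and a negative case per rule."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    evs = []
    # SRV-01: 12 failures 8 s apart (88 s span), success 30 s after the last one -> fires.
    for i in range(12):
        evs.append(Event(t0 + timedelta(seconds=8 * i), "failed_logon", "SRV-01", user="svc_backup"))
    evs.append(Event(t0 + timedelta(seconds=118), "successful_logon", "SRV-01", user="svc_backup"))
    # SRV-02: 10 failures spread over 9 minutes, then a success -> too slow, does not fire.
    for i in range(10):
        evs.append(Event(t0 + timedelta(minutes=i), "failed_logon", "SRV-02", user="alice"))
    evs.append(Event(t0 + timedelta(minutes=9, seconds=20), "successful_logon", "SRV-02", user="alice"))
    # WS-07: 6 crashes 20 minutes apart -> fires; Device-1234 crashes are filtered out.
    for i in range(6):
        evs.append(Event(t0 + timedelta(minutes=20 * i), "app_crash", "WS-07"))
    for i in range(8):
        evs.append(Event(t0 + timedelta(minutes=5 * i), "app_crash", "Device-1234"))
    # FS-01: enc.exe then 20 file mods in under 3 min -> fires; backup.exe touches 5 files -> no.
    evs.append(Event(t0, "process_started", "FS-01", process="enc.exe"))
    for i in range(20):
        evs.append(Event(t0 + timedelta(seconds=5 + 8 * i), "file_modified", "FS-01", process="enc.exe"))
    evs.append(Event(t0, "process_started", "FS-01", process="backup.exe"))
    for i in range(5):
        evs.append(Event(t0 + timedelta(seconds=1 + 10 * i), "file_modified", "FS-01", process="backup.exe"))
    return evs
```

Calling `run_all(sample_events())` yields exactly one incident per rule; the SRV-02, Device-1234 and backup.exe cases show why the window, filter and threshold parts of each rule matter.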
You can also perform several reporting actions, empowering you to gain maximum value from your log data. To know more
about what correlation is, how correlation rules are structured, and more, see understanding correlation.
Incident reports
An incident report provides the details of the various occurrences of a specific incident type (or correlation rule). It displays
the count of correlated events over time.
To view the report for a specific rule, go to the Correlation tab, navigate to the rule name on the left menu, and click on it.
You can also go to the incident report from the incidents overview report by clicking on the corresponding entry in the
graphical or tabular parts of the report.
To view the details of each log, click on the Details next to each event.
To export a report, navigate to the required report, and click on the Export as option.
Select the format in which you would like to export the report from the drop down list.
The status of all previous and ongoing exports can be viewed by clicking on the Report export history icon
2. Schedule reports
An incident report schedule allows you to generate incident reports at regular periods, and optionally receive them via
email.
To view the list of existing schedules for a specific report, navigate to the required incident report and click on
Schedule Report.
You can enable/disable or edit the schedules by clicking on the respective icons. To create a new schedule,
You can choose what information must be displayed in your incident report by adding or removing the required fields as
columns in the report.
Select the fields to be displayed in the report by choosing the respective checkboxes under each action.
You can also specify the below options for each field by clicking on the edit icon next to the required field.
Display name: This is the name of the field as displayed in the report. This is useful if you would like to display the
same field (e.g. username) from more than one action. You can distinguish between similar fields by changing their
display names. For instance, 'Failed logon username' and 'Successful logon username'.
Show value of: When you have specified a threshold value for the action and it occurs more than once, you can
choose to display the field value from either the first, last or all occurrences of the action. Once you have specified
the required information to be displayed, click Save.
The Incidents Overview window provides you with the list of the 10 most recent correlation incidents, in raw log format.
Users can toggle between the List and Grid report views.
To open the activity rule builder, navigate to Correlation > Manage Rules > Activity Rules > Create Activity Rule.
1. Select the individual actions that make up the rule, from the categorized list of actions on the left of the screen.
You can also search for actions using the search bar on top of the list.
You can drag and drop the actions to rearrange their order, or delete the action by clicking on the delete icon
on its right.
To detect repetition of the same action within a particular time interval, tick the Threshold limit check box and
2. For each action, specify the time interval within which it is to be followed by the next action, under the Followed by
within label. You can specify the time interval in seconds or minutes by using the provided dropdown.
3. To configure advanced options for any of the selected actions, click Filters on the top right corner of the action.
4. The first rule starts the session and the last rule ends the session. The duration of the session is the time-interval
Advanced options
Each action in an activity rule corresponds to a log. Logs contain various fields, and each field has a specific value. With
advanced options (found under Filters on the right of the action), you can provide filter criteria for each field of the
log/action and specify a threshold limit on the minimum number of repetitions of the action.
2. You can select the comparison type as equals, not equals, contains, starts with, ends with, link to, or is constant, from
Note: When you provide more than one value for an equals comparison, the set of values provided are
treated as a list of possible values and the action is accepted if any one value from the list is true. The same
holds true for the contains, starts with, and ends with comparisons.
When you provide more than one not equals comparison, the set of values provided need to hold true for the action to
be accepted.
Link to
The link to comparison type is used to check the value of the selected field against the value of a field in another action
(belonging to the same rule or the primary action of the other rule). For instance, if the field Device type of Action 1 is
linked to Action 2's Device type value, then Action 1 would get triggered only if the value of both the linked fields are the
same.
When you choose link to, a link icon appears at the end of the filter. Clicking on the icon opens a new tab.
Note: At least one field of the starting rule should be linked to a field in the ending rule.
Is constant
The is constant option is used to treat the specific field as constant. By selecting this option, a set of repeated actions are
accepted by the rule only if this field's value remains constant throughout all the iterations. For instance, if the Target User
field is kept as constant, then the action gets triggered only when the value of this field remains constant in all the
iterations. The action doesn't get triggered if the event is generated with different values.
Interactive Sessions, Remote Interactive Sessions, and PMP Sessions for Windows machines.
Unix Session Reports that provide all details about Unix sessions.
VPN Session reports such as Cisco VPN Sessions, Fortinet VPN Sessions, Sonicwall VPN Sessions, Huawei VPN
Sessions, H3C VPN Sessions, Meraki VPN Sessions, PaloAlto VPN sessions, and WatchGuard VPN sessions for the
respective VPN devices.
Custom reports are also displayed under the activity monitoring section, if any.
To know more details of a particular session, you can click on View History. This tab displays all the details as given below:
This page contains the Configure Fields and Advanced View tabs. The Configure Fields tab allows you to view similar logs
generated in a session by extracting logs that have the same field value (Domain, Device Name, Logon ID, and Username).
You can choose the field by which you want to retrieve logs by clicking on the desired options from the drop-down box. By
clicking on the Advanced View tab, you can drill down and view the raw logs of that session.
In the User-based view, you can analyze the weekly login and logout activities of a particular user. You can hover your
mouse pointer over a generated user-based report in the table to find the Weekly Login View tab. Clicking on this tab
displays a timeline graph for every day of the week in which you can view a particular user's active session duration, login
time, and logout time for any given day. This view also provides the number of hours the user was active per day and for
the entire week. The Weekly Login View report is available only for system-generated reports.
To open the correlation rule builder, click on the Correlation tab of the product. Click on Manage Rules on the top right of
the tab and select +Create Correlation Rule on the top right. Creating a custom rule involves:
To know more about what correlation is, how correlation rules are structured, and more, see Understanding correlation.
1. Select the individual actions that make up the rule, from the categorized list of actions on the left of the screen.
You can also search for actions using the search bar on top of the list.
You can drag and drop the actions to rearrange their order, or delete the action by clicking on the delete icon
on its right.
To detect repetition of the same action within a particular time interval, tick the Threshold limit check box and
2. For each action, specify the time interval within which it is to be followed by the next action, under the ' Followed by
within' label. You can specify the time interval in seconds or minutes by using the provided dropdown.
3. To configure advanced options for any of the selected actions, click Filters on the top right corner of the action.
Advanced options
1. You can select a filter field from the dropdown list provided. It is to be noted that the filters provided in the dropdown
2. From the dropdown list provided, you can select the comparison type as one among the
following: equals, contains, starts with, ends with, less than, greater than, between, is malicious, not equals, not
contains, not starts with, not ends with, not between, link to, is constant, or is variable.
Note: When you provide more than one value for an equals comparison, the set of values provided are
treated as a list of possible values and the action is accepted if any one value from the list is true. The same
holds true for the contains, starts with, ends with, less than, greater than, and between comparisons.
When you provide more than one not equals comparison, the set of values provided need to hold true for the action to
be accepted. The same holds true for the not contains, not starts with, not ends with, and not between comparisons.
Less than, greater than, between, and not between conditions are applicable only for IP, port number, and privilege
fields.
Link to
The link to comparison type is used to check the value of the selected field against the value of a field in another action
(belonging to the same rule). For instance, if the field Device type of Action 1 is linked to Action 2's Device type value,
then Action 1 would get triggered only if the value of both the linked fields are the same.
When you choose link to, a link icon appears at the end of the filter. Clicking on the icon opens a new tab.
Note: Using the link to condition, you cannot link a field to another one having the is variable condition.
Is constant
The is constant condition is used to treat the specific field as constant. When you select this condition, this action will
get triggered only when the field's value remains the same in all the iterations. For instance, if the is constant condition is
applied for the 'Target User' field in an action, the action would get triggered when the value of this field is the same in
all iterations. The action doesn't get triggered if events get generated with different values for that field.
Is variable
The 'is variable' condition is used to treat a field as a variable. When you select this condition, this action will get
triggered when the field's value keeps changing each time it is checked. For instance, if the is variable condition is
applied for the 'Target User' field in an action, the action would get triggered when the value of the field is different in
each iteration.
Note: A field having the is variable condition cannot be linked to another one using the link to condition.
Is malicious
The 'is malicious' condition is available only for IP address fields. It can be used to check if the detected IP address is
present in the predefined list of malicious IP addresses that the product has stored in the internal database.
3. Values which are to be compared against the selected field can be provided directly in the textbox. Specify the value to
You can choose whether two filters are to be logically ANDed or ORed with the previous one by selecting AND
or OR from the dropdown list present on the left side of the second filter.
2. Filters can be collected together by creating groups. This helps you build correlation rules for complex scenarios.
To create a new group, click +Add group on the bottom right corner of a log/action.
Select the criteria for the filter in the new group. You can also add more filters to the new group.
You can delete a group by clicking the Remove group icon on the top right of the group.
3. You can choose if two groups are to be logically ANDed or ORed, by selecting AND or OR from the dropdown list
Note: If the action is the first action in the rule, then you should also provide a time window within which the
repetitions have to be observed (as it is the first action and there is no preceding action or time window).
Along with the rule definition, you can also provide some descriptive information to finish configuring the rule:
Once you have built the rule pattern and specified the configurations, click Create so that the rule gets saved and EventLog
Analyzer can start correlating logs to check for this rule pattern.
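The activity rule builder and the correlation rule builder above share the same vocabulary: a sequence of actions, a "followed by within" interval between them, a threshold on repetitions, equals/not equals filters with list semantics, "link to" between actions, and "is constant" across repetitions. The following is an added example, written for this guide and not EventLog Analyzer's own engine, that evaluates a rule expressed in those terms over a time-sorted list of events. It encodes the ransomware pattern described earlier (Process started, then at least 15 file modifications within 5 minutes by the same process on the same device). The rule structure, field names (DEVICE, PROCESS, USER, FILE), the allow-listed process names and every event are constructed for the illustration; one assumption is that "is constant" groups repetitions by the constant fields and fires for the first group that reaches the threshold.

```python
"""Correlation-rule evaluator: added example of the threshold / link to /
is constant semantics, not EventLog Analyzer's own implementation."""
from collections import defaultdict
from datetime import datetime, timedelta


def matches_filters(event, filters, bindings):
    """Apply one action's filters. A list of values under equals/contains/starts with/
    ends with is satisfied by ANY value; a list under 'not equals' must hold for ALL."""
    for f in filters:
        actual, cmp, value = event.get(f["field"]), f["cmp"], f["value"]
        if cmp == "link to":                   # value is (action index, field name)
            ok = actual is not None and actual == bindings.get(value)
        else:
            values = value if isinstance(value, list) else [value]
            text = "" if actual is None else str(actual)
            tests = {"equals": lambda v: text == str(v),
                     "not equals": lambda v: text != str(v),
                     "contains": lambda v: v in text,
                     "starts with": lambda v: text.startswith(v),
                     "ends with": lambda v: text.endswith(v)}
            hits = map(tests[cmp], values)
            ok = all(hits) if cmp == "not equals" else any(hits)
        if not ok:
            return False
    return True


def _repetitions(events, start, action, bindings, cursor):
    """Indices of events after `start` that match `action` inside its 'within' window,
    grouped by the fields marked 'is constant'; return the first group at/over threshold."""
    deadline = cursor + timedelta(seconds=action["within"])
    groups = defaultdict(list)
    for idx in range(start, len(events)):
        ev = events[idx]
        if ev["time"] > deadline:
            break
        if ev["action"] == action["action"] and matches_filters(ev, action.get("filters", []), bindings):
            groups[tuple(ev.get(f) for f in action.get("constant", []))].append(idx)
    for group in groups.values():
        if len(group) >= action.get("threshold", 1):
            return group
    return None


def correlate(rule, events):
    """Run `rule` over the events; one incident per session that completes every action."""
    events = sorted(events, key=lambda e: e["time"])
    first, rest = rule["actions"][0], rule["actions"][1:]
    incidents = []
    for i, ev in enumerate(events):
        if ev["action"] != first["action"] or not matches_filters(ev, first.get("filters", []), {}):
            continue
        bindings = {(0, k): v for k, v in ev.items()}      # values later actions may 'link to'
        matched, cursor, next_idx = [ev], ev["time"], i + 1
        for n, action in enumerate(rest, start=1):
            group = _repetitions(events, next_idx, action, bindings, cursor)
            if group is None:
                break
            bindings.update({(n, k): v for k, v in events[group[0]].items()})
            matched += [events[j] for j in group]
            cursor, next_idx = events[group[-1]]["time"], group[-1] + 1
        else:
            incidents.append({"rule": rule["name"], "device": ev["DEVICE"],
                              "process": ev["PROCESS"], "start": ev["time"], "events": matched})
    return incidents


# Constructed rule: the ransomware pattern from the text. Allow-listed process names are made up.
RANSOMWARE_RULE = {
    "name": "Possible ransomware: burst of file modifications by a new process",
    "actions": [
        {"action": "Process started",
         "filters": [{"field": "PROCESS", "cmp": "not equals", "value": ["backup.exe", "explorer.exe"]}]},
        {"action": "File modified", "within": 300, "threshold": 15,
         "filters": [{"field": "PROCESS", "cmp": "link to", "value": (0, "PROCESS")},
                     {"field": "DEVICE", "cmp": "link to", "value": (0, "DEVICE")}],
         "constant": ["USER"]},
    ],
}
T0 = datetime(2024, 3, 1, 9, 0, 0)   # constructed timestamp base


def _ev(secs, action, device, process, user, **extra):
    return {"time": T0 + timedelta(seconds=secs), "action": action,
            "DEVICE": device, "PROCESS": process, "USER": user, **extra}


def sample_events():
    """Constructed events: only the WS01 session should produce an incident."""
    ev = [_ev(0, "Process started", "WS01", "enc.exe", "jdoe")]            # 20 mods in 2 min: fires
    ev += [_ev(5 + 6 * i, "File modified", "WS01", "enc.exe", "jdoe", FILE=f"doc{i}.docx") for i in range(20)]
    ev += [_ev(10, "Process started", "WS02", "backup.exe", "svc_backup")]  # allow-listed by 'not equals'
    ev += [_ev(12 + 3 * i, "File modified", "WS02", "backup.exe", "svc_backup", FILE=f"f{i}") for i in range(30)]
    ev += [_ev(30, "Process started", "WS03", "updater.exe", "SYSTEM")]     # only 5 mods: under threshold
    ev += [_ev(40 + 10 * i, "File modified", "WS03", "updater.exe", "SYSTEM", FILE=f"lib{i}.dll") for i in range(5)]
    ev += [_ev(60, "Process started", "WS04", "enc.exe", "asmith")]         # mods arrive after 5-min window
    ev += [_ev(660 + 2 * i, "File modified", "WS04", "enc.exe", "asmith", FILE=f"x{i}.xlsx") for i in range(20)]
    return ev


if __name__ == "__main__":
    for inc in correlate(RANSOMWARE_RULE, sample_events()):
        print(inc["rule"], inc["device"], inc["process"], len(inc["events"]))
```

The WS04 session shows why the window matters: the same process name starts there, but its modifications fall outside the five-minute "followed by within" interval, so no incident is raised. Linking DEVICE as well as PROCESS to the first action keeps the WS01 modifications from being counted toward the WS04 session.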
You can use the search bar on the top of the table to search for a specific rule. You can use the dropdown on the top
right of the table to select the number of rules to be displayed per page.
Rule actions
You can perform several management actions on the rules by clicking on the respective icons, as described below:
Enable/disable rule: One icon indicates that a rule is currently enabled, and the other that it is disabled.
You can toggle between enabling and disabling the rule by clicking on these icons. When a rule is disabled,
EventLog Analyzer does not check for the pattern and does not report on the rule.
Update rule: You can modify the rule definition and configurations by selecting this icon, which takes you to
the correlation rule builder page. You can modify all details except for the rule name.
Delete rule: You can delete any of the custom rules created by clicking on this icon. Predefined rules cannot
be deleted.
Enable/disable notification: You can enable or disable notifications/alerts for the correlation rules by using
this option. You can view and manage correlation alerts under the Alerts tab of the product:
View correlation alerts, assign owners and track their status under Correlation Alert Profiles.
You can update notification settings for each correlation alert profile on the Manage Alert Profile page.
You can also enable or disable a group of rules by selecting the rules and clicking on the enable or disable icon on the top of
the table. You can enable or disable all rules by using the More Options dropdown.
Compliance Reports
Organizations must maintain audit reports to demonstrate compliance. EventLog Analyzer provides predefined audit
reports for IT regulations such as FISMA, PDPA, CCPA, PCI DSS, SOX, HIPAA, GLBA, GPG13, Cyber Essentials, ISO
27001:2013, ISLP, NRC RG 5.71, GDPR, FERPA, NERC, CoCo, and NIST. The predefined audit reports are automatically
generated and can only be disabled, not deleted.
3. In the Add Compliance page, enter a name for the compliance mandate in the Compliance Name field.
4. Click on the Description link to enter a brief description about the compliance mandate.
6. Select the devices for which you want to generate reports by clicking on the + icon present in the Select Devices field.
7. Select the reports to be generated for this compliance mandate from the list of reports displayed.
8. Click Save.
3. Select the compliance for which you want to schedule reports from the drop-down menu.
4. In the Schedule Frequency field, select the frequency and the date and time at which the reports have to be scheduled.
5. You can generate the report for a specific time frame by selecting an option from the Report For drop-down menu.
6. Select the format of the report from the Report Format drop-down menu.
7. Select the type of report you want to generate: Only Summary or Summary and Details.
8. Enter the mail IDs to which the report has to be sent in the Email ID field. Use a comma (,) to separate multiple mail
IDs.
EventLog Analyzer provides basic and advanced search functionalities. The types of search queries supported are wild-card,
phrase, boolean, and grouped searches.
2. Click Pick device and select the devices across which you want to search. Click Add. If nothing is specified in this field,
5. Search Help Card is a built-in guide that lists the types of search queries you can perform in the search box. You can
Type the field name and value into the Search box.
7. To build complex search expressions with the interactive search builder, click Advanced.
Click Add.
Note: The result graph is displayed for a period of two weeks only.
You can use the following boolean operators: AND, OR, NOT.
Comparison operators:
You can use the following comparison operators: =, !=, >, <, >=, <=.
Wild-card characters:
You can use the following wild-card characters: ? for a single character, * for multiple characters.
Grouped searches:
Use round brackets () to enclose groups of search criteria and relate them to other groups or search criteria using boolean
operators.
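The operators listed above (AND/OR/NOT, the six comparison operators, the ? and * wild-cards, and round-bracket grouping) form a small expression grammar. The following is an added example, not EventLog Analyzer's own search implementation, that parses such a query and runs it over parsed log records held as dictionaries. It assumes the field=value form mentioned above for search terms, that a value may be double-quoted when it contains spaces, that field names are case-insensitive, and that a comparison against a field absent from a record is false; the field names and the four sample events are constructed.

```python
"""Boolean / wild-card / grouped search over parsed logs: added example, not
the product's search engine. Grammar: expr := term (OR term)*; term := factor
(AND factor)*; factor := NOT factor | '(' expr ')' | FIELD op VALUE."""
import fnmatch
import re

# Constructed records, keyed by upper-case field name (assumption).
SAMPLE_EVENTS = [
    {"EVENTID": 4625, "USERNAME": "jdoe", "SOURCE": "10.0.0.5", "HOST": "DC01"},
    {"EVENTID": 4624, "USERNAME": "jdoe", "SOURCE": "10.0.0.5", "HOST": "DC01"},
    {"EVENTID": 4625, "USERNAME": "svc_backup", "SOURCE": "192.168.1.20", "HOST": "FS02"},
    {"EVENTID": 4720, "USERNAME": "admin", "SOURCE": "10.0.0.9", "HOST": "DC01"},
]

TOKEN_RE = re.compile(r'''
      (?P<lparen>\()
    | (?P<rparen>\))
    | (?P<op>AND|OR|NOT)\b
    | (?P<field>[A-Za-z_][\w.]*)\s*(?P<cmp>!=|>=|<=|=|>|<)\s*(?P<value>"[^"]*"|[^\s()]+)
''', re.VERBOSE)


def tokenize(query):
    """Split the query into ('(' | ')' | 'AND' | 'OR' | 'NOT' | 'TERM', payload) tokens."""
    tokens, pos = [], 0
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query near: {query[pos:pos + 20]!r}")
        if m.group("field"):
            value = m.group("value")
            if value.startswith('"'):
                value = value[1:-1]          # strip the quotes around a phrase value
            tokens.append(("TERM", (m.group("field").upper(), m.group("cmp"), value)))
        else:
            tokens.append((m.group("op") or m.group("lparen") or m.group("rparen"), None))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser producing a tuple tree; AND binds tighter than OR."""
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def _peek(self):
        return self.tokens[self.pos][0] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse(self):
        node = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos][0]!r}")
        return node

    def _expr(self):
        node = self._term()
        while self._peek() == "OR":
            self._take()
            node = ("OR", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == "AND":
            self._take()
            node = ("AND", node, self._factor())
        return node

    def _factor(self):
        kind = self._peek()
        if kind == "NOT":
            self._take()
            return ("NOT", self._factor())
        if kind == "(":
            self._take()
            node = self._expr()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self._take()
            return node
        if kind == "TERM":
            return ("TERM",) + self._take()[1]
        raise ValueError("unexpected end of query" if kind is None else f"unexpected {kind!r}")


def _compare(actual, op, expected):
    """? and * wild-cards apply to = and !=; <, >, <=, >= compare numerically when both sides are numbers."""
    if actual is None:                         # field absent from this log: no comparison holds
        return False
    text = str(actual)
    if op in ("=", "!="):
        hit = fnmatch.fnmatchcase(text.lower(), expected.lower())
        return hit if op == "=" else not hit
    try:
        left, right = float(text), float(expected)
    except ValueError:
        left, right = text, expected
    return {">": left > right, "<": left < right, ">=": left >= right, "<=": left <= right}[op]


def evaluate(node, event):
    kind = node[0]
    if kind == "TERM":
        return _compare(event.get(node[1]), node[2], node[3])
    if kind == "NOT":
        return not evaluate(node[1], event)
    left, right = evaluate(node[1], event), evaluate(node[2], event)
    return (left and right) if kind == "AND" else (left or right)


def search(query, events):
    """Return the indices of `events` that satisfy `query`."""
    tree = _Parser(tokenize(query)).parse()
    return [i for i, ev in enumerate(events) if evaluate(tree, ev)]


if __name__ == "__main__":
    for q in ("EVENTID=4625 AND USERNAME=svc*",
              "(EVENTID=4625 OR EVENTID=4720) AND NOT SOURCE=192.168.*",
              "USERNAME=j?oe", "EVENTID>=4700"):
        print(q, "->", search(q, SAMPLE_EVENTS))
```

Parsing into a tree before evaluating is what makes the round-bracket grouping work: `A OR B AND C` and `(A OR B) AND C` produce different trees, and the evaluator never has to guess precedence from the raw string.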
4. To save as a search, click Save Search. Enter a name without spaces. Click Save.
6. To save as an alert, click Save as Alert. In the window that opens, click Save (see Create alert profile).
2. Click Search.
4. View the report export history by clicking on the icon; the exported reports can then be downloaded if required.
EventLog Analyzer allows administrators to create custom (new) fields or extract fields from raw logs by using the
interactive Field Extraction UI to create regular expression (RegEx) patterns that help EventLog Analyzer identify, parse
and index these custom fields from the new logs it receives from network systems and applications.
Note: Alternatively, you can also extract additional fields while importing the log file.
You can view the extracted field details in the Event Information window. If the required value is not parsed, you
can extract further fields by clicking Extract Additional Fields.
Regex method
Delimiter method
Provide a name for this field. Optionally, specify the prefix and suffix to the field value.
Click on Create Pattern to generate a parser rule pattern.
The Validate link tests the generated pattern against the previous search results. You can manually check the suitability
of the pattern by analyzing the 'Matched Log Messages' and 'Unmatched Log Messages' displayed.
Click on Choose another pattern to choose a pattern from the list of patterns generated by the application.
You can define any existing field matching criteria to apply the pattern for this specific log type.
Save the pattern to extract the field(s) from the upcoming logs.
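The regex method above builds a pattern from a field name plus an optional prefix and suffix, and the Validate step sorts sample logs into matched and unmatched messages. The following is an added example written for this guide, not the pattern generator the product uses; it shows what such a pattern looks like, how a prefix-only pattern differs from a prefix-and-suffix pattern, and a minimal form of the delimiter method. The VPN-style log lines and the field names SRC_IP, USERNAME and HOST are constructed.

```python
"""Regex and delimiter field extraction with a validate step: added example,
not EventLog Analyzer's own pattern generator."""
import re

# Constructed sample lines from a hypothetical VPN appliance (not a real log format).
SAMPLE_LOGS = [
    "Mar 01 09:00:01 app01 vpn[2231]: session opened user=jdoe src=203.0.113.7 method=otp",
    "Mar 01 09:00:05 app01 vpn[2231]: session opened user=svc_scan src=198.51.100.4 method=cert",
    "Mar 01 09:00:09 app01 vpn[2231]: heartbeat ok",
]


def build_pattern(field_name, prefix, suffix=None):
    """Regex method: capture the text between a literal prefix and an optional literal
    suffix into a named group. Without a suffix the value runs to the next whitespace,
    a safe default for key=value logs; with a suffix a lazy match stops at the suffix."""
    if not re.fullmatch(r"[A-Za-z_]\w*", field_name):
        raise ValueError(f"invalid field name: {field_name!r}")
    if suffix is None:
        return re.compile(re.escape(prefix) + rf"(?P<{field_name}>\S+)")
    return re.compile(re.escape(prefix) + rf"(?P<{field_name}>.+?)" + re.escape(suffix))


def extract(pattern, log):
    """Return {field: value} for the first match of `pattern` in `log`, else {}."""
    m = pattern.search(log)
    return m.groupdict() if m else {}


def validate(pattern, logs):
    """Mirror the Validate step: split the sample logs into matched and unmatched messages."""
    matched = [log for log in logs if pattern.search(log)]
    unmatched = [log for log in logs if not pattern.search(log)]
    return matched, unmatched


def extract_by_delimiter(log, delimiter, position, field_name):
    """Delimiter method: take the token at `position` after splitting on `delimiter`."""
    parts = log.split(delimiter)
    return {field_name: parts[position].strip()} if position < len(parts) else {}


if __name__ == "__main__":
    src_ip = build_pattern("SRC_IP", "src=", " method=")
    print(src_ip.pattern)
    matched, unmatched = validate(src_ip, SAMPLE_LOGS)
    print(len(matched), "matched,", len(unmatched), "unmatched")
    print(extract(src_ip, SAMPLE_LOGS[0]), extract_by_delimiter(SAMPLE_LOGS[0], " ", 3, "HOST"))
```

Checking the unmatched list is the important part of validation: a pattern that matches only the session-opened lines is correct here (the heartbeat line has no source address), whereas a pattern that matched nothing, or that captured "203.0.113.7 method=otp" because the suffix was omitted, would index the wrong value for every future log.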
2. Click on the tag icon on the right side of any log entry in the displayed search result.
Select the tag criteria from the predefined list. The list is based on the fields available in the search result. If it
does not have the field you are looking for, then add those fields to the search results using the column
Specify the user name. By default, the current user name (logged on to the EventLog Analyzer web client) is
displayed.
Note: Typing # provides you with a list of all created tags for ease of selection.
2. Click on the delete icon beside the tag name in the tag table. Click Yes in the pop-up.
The tag name and the notes added to the tag should contain only alphanumeric characters.
Tag criteria can be edited only by the user who created the tag and EventLog Analyzer users with
Administrative privilege.
Any user of EventLog Analyzer can add a note to a tag, irrespective of the creator of the tag.
Event Alerts
EventLog Analyzer keeps you informed about security events of interest with its alerting feature. The solution audits logs,
identifies indicators of compromise (IoCs), and notifies you via SMS or email as required.
The alerts are categorized on three severity levels: Attention, Trouble, and Critical. The severity level indicates the degree of
importance associated with the alert. This helps you prioritize alerts and remediate them quickly.
EventLog Analyzer offers a powerful real-time event response system with which you can generate:
You can also designate a workflow for a triggered alert to automatically initiate responses such as disabling the affected
Active Directory user account, shutting down a system, and killing a process.
2. Assign a criticality to the alerts generated using this profile. Choose from Critical, Trouble and Attention.
3. Click on the icon to select device(s) and/or device groups(s) which should generate this alert.
Predefined Alerts - choose from a vast collection of predefined alert criteria. This saves time and you can set
Compliance Alerts - Contains a list of pre-defined alert criteria to help you comply with all the IT regulations.
Custom Alerts - customize your own alert conditions based on log message, type, and more. This option is
6. You can customize your alert message by adding information such as User Account Name and more.
7. Clicking on +Add near the Alert Format Message section will open another pop-up. There you can set the variables by
clicking on the drop down and enter the required message format in the space provided.
8. Click the Save Profile button once you have set all the necessary fields.
Select the log type and then choose the desired category.
Among the reports, select the desired report by clicking on the radio button next to it.
Append new criteria to predefined alert by clicking + Add Criteria.
You can use the Advanced settings to tweak the alert trigger conditions in order to reduce alert noise. Here you
can set the threshold (number of occurrences of an event within a specific time frame) and time range (working
hours) for the alert profile.
You can then specify the notification type for the alert profile.
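The Advanced settings above reduce alert noise with two controls: a threshold (a number of occurrences within a time frame) and a time range. The following is an added example, not the product's alerting code, that evaluates those two controls as a sliding window over the timestamps of events that match one alert profile. It assumes the time range means "only evaluate events inside these hours" and that a burst produces one alert rather than one alert per extra event; the failed-logon timestamps are constructed.

```python
"""Threshold-and-time-range evaluation for one alert profile: added example,
not EventLog Analyzer's own alerting engine."""
from collections import deque
from datetime import datetime, time, timedelta


def threshold_alerts(timestamps, threshold, window_seconds, active_hours=None):
    """Sliding window over event timestamps. An alert fires when `threshold` events fall
    within any `window_seconds` span; the window is then cleared so one burst raises one
    alert. `active_hours` is an optional (start, end) pair of datetime.time values and
    events outside it are ignored (assumed meaning of the profile's time range).
    Returns the timestamps at which alerts fired."""
    alerts, window = [], deque()
    for t in sorted(timestamps):
        if active_hours and not (active_hours[0] <= t.time() < active_hours[1]):
            continue
        window.append(t)
        while t - window[0] > timedelta(seconds=window_seconds):
            window.popleft()                   # drop events that aged out of the window
        if len(window) >= threshold:
            alerts.append(t)
            window.clear()
    return alerts


# Constructed timestamps of failed logons matched by one alert profile (not real logs).
DAY = datetime(2024, 3, 1)
FAILED_LOGONS = (
    [DAY + timedelta(hours=9, seconds=4 * i) for i in range(8)]                   # 8 failures in 28 s
    + [DAY + timedelta(hours=14, minutes=10 * i) for i in range(6)]               # 6 failures over an hour
    + [DAY + timedelta(hours=23, minutes=30, seconds=2 * i) for i in range(6)]    # 6 failures at 23:30
)
WORKING_HOURS = (time(8, 0), time(18, 0))

if __name__ == "__main__":
    print(threshold_alerts(FAILED_LOGONS, threshold=5, window_seconds=60))
    print(threshold_alerts(FAILED_LOGONS, threshold=5, window_seconds=60, active_hours=WORKING_HOURS))
```

With a threshold of 5 in 60 seconds, the six failures spread over an hour at 14:00 never alert, the 09:00 burst alerts once, and the 23:30 burst alerts only when no working-hours range is set; whether suppressing after-hours activity is what you want depends on the profile, which is why the range is a per-profile setting.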
Compliance Alerts
Compliance alerts contain sets of pre-defined compliance related alerting criteria to notify you of any violation of IT
regulations. EventLog Analyzer provides granular audit reports to help you comply with compliance regulations such as PCI
DSS, SOX, HIPAA, GLBA, PDPA, NIST, CCPA, GDPR, ISO 27001:2013, and more. The compliance alerts detect anomalies
such as policy changes, privilege escalations, sensitive file access and modification events, and unauthorized logons to help
you mitigate internal and external threats.
You can then specify the notification type for the alert profile created.
Custom Alerts
You can define 'n' number of criteria and group them with AND/OR operations.
To define alert criteria, choose desired attributes from the predefined list.
Specify the values for the attributes. Select the comparator and then provide the value for the attributes.
With drag and drop, you can group and ungroup the alert criteria.
You can then specify the notification type for the alert profile created.
You can edit, enable, disable, and delete the default alert profiles.
Note: When you edit a default custom alert profile, auto-addition will be stopped. For example, if you manually
add devices to an alert profile, devices will not be automatically added to that alert profile from then on.
By clicking on the filter icon in the top right corner, you can select the appropriate filter options.
You can select one or more options from the categories provided to customize your view of alerts. For instance, if you want
to view your open, unassigned, and critical alerts, you can simply select the respective criteria by clicking on the check
boxes. All your open, unassigned, and critical alerts will be displayed on the screen.
Additionally, clicking on Critical Alerts, Trouble Alerts, Attention Alerts, and All Alerts will give you the respective alerts.
The custom views can only be viewed by the respective users who created the views. Hover your mouse pointer over the
created view in the Select View drop-down menu to edit and delete the created views.
Alert Configurations
You can access the following options from the top right corner of the Alerts page:
The Export As drop-down menu allows you to export alert messages in the CSV and PDF formats.
The +Add Alert Profile link allows you to add a new alert profile.
Click the settings icon on the top right corner of the page to view the following options:
Manage Profiles: You can view, enable, disable, edit, and delete alert profiles using this option.
Workflow: This option allows you to assign workflows to alert profiles to execute a predefined action in your network
when a threat is detected.
Ticketing tool Integration: This option allows you to configure an external help desk software (ServiceDesk Plus,
ServiceNow, Jira Service Desk, Zendesk, Kayako, and BMC Remedy Service Desk) to forward the alerts to.
Click on the check boxes to select the required alerts. Once the alerts are selected, the options Assign, Status, Delete, and
More will appear. You can assign the alert to an administrator, change the status, or delete the alerts by choosing the
appropriate options.
Clicking on More will give you the option to Whitelist the Source. In case an alert is raised by Advanced Threat Analytics
and you are convinced that the source is not malicious, you can whitelist it by choosing the option here.
Details such as SL Event ID, Logon Type and more can be obtained by clicking on More Details.
Workflow status
In case a workflow is configured for the alert, the status of the workflow can be viewed in the Alert Format Message pop-
up.
Threshold alerts
For threshold-based alerts, you can view each instance by clicking on the alert. The instances are listed in a section called
Threshold.
Note: The default columns cannot be removed and rearranged. The default columns are Time, Notes, and Alert
Format message.
These alerts are raised when known malicious domains, URLs, or IPs are observed in your network logs. Clicking on this alert gives you
a reputation score, the number of times it has appeared on a threat list, and more.
Further, you can also remediate the alert condition by creating incident workflows.
2. Specify the receiver's email address and for multiple emails, separate the addresses with commas (,).
3. Add a subject line for the email notification. You can also append the alert argument(s) to the subject line. Select the
4. The default mail content is shown above, you can modify this and also add arguments from the Macros list. Click Save
Profile.
Note: The email content of correlation alerts can be customized to include the rule name, correlated time,
and the action. Furthermore, you can select and add specific fields of the action by choosing them from the
list that appears when the action is clicked. Please refer to the image below.
5. If the mail server is not configured in EventLog Analyzer, you will be prompted to configure it when the Notify by Email option is
selected.
3. You can customize the SMS content by clicking Add More Fields next to the SMS Message field.
If SMS settings are not configured in EventLog Analyzer, you will be prompted to set them when the Notify by SMS option is
selected.
Note: Notification using Run Program can now be configured with Incident Management Workflows.
Navigate to Alerts > Alert Configurations > Manage Alert Profiles > Select the update
For ServiceNow:
2. Enter the login name and password of a valid account in the ticketing tool.
3. Enter a short description and a description for the alert. You can select them from a predefined list available under
4. Click the Test and Save button to establish communication and complete configuration.
1. Enter the API key in the appropriate field. If you do not have an API key, click on Steps to Generate API Key for
2. Enter a subject for the alert. You can choose the subject from a predefined list available under Macros or type your
own.
Enter a subject for the alert. You can choose the subject from a predefined list available under Macros or type your
own.
Click the Test and Save button to establish communication and complete configuration.
To configure EventLog Analyzer with Jira Service Desk, you would first need to get a few details from your Jira ticketing
tool.
1. After logging into your Jira Service Desk account, click the settings icon on the top right corner and select Projects.
2. In the project list, note down the Key corresponding to the project in which you want your tickets to be raised.
3. Navigate to the Issues tab and reenter your username and password when prompted.
4. Note down the type of issues that the particular project can hold. The issues raised from EventLog Analyzer should have
the same type for a ticket to be successfully raised in Jira Service Desk.
5. Close Jira Service Desk and open EventLog Analyzer to complete the configuration process.
4. Enter the login name and password of the account having admin privileges.
5. Enter the project ID. This is the Key of the particular project noted from the ticketing tool.
6. Enter the type of issue. This needs to be same as the issue type that the project has been configured to hold.
7. Enter a summary for the alert. You can select it from a predefined list available under Macros or type your own
summary.
8. Click the Test and Save button to establish communication and complete configuration.
For Zendesk
To configure EventLog Analyzer with Zendesk, you would first need to get a few details from your Zendesk ticketing tool.
1. After logging into your Zendesk account, click the settings icon on the leftmost pane.
3. In the right pane, move to OAuth Clients and click the + icon to create a new OAuth Client.
4. Enter the client name, description, and name of the company. Select a logo.
5. The value that appears corresponding to Unique Identifier needs to be saved in a separate document. This would be
6. Once you click Save, a secret code will appear above the Save button. Click Copy and save it in a separate document.
7. Click Close and open EventLog Analyzer to complete the configuration process.
2. Enter the login name and password of a valid account in the ticketing tool.
3. Enter the client ID. This is the value of the Unique Identifier noted from the ticketing tool.
4. Enter the client secret. This is the value of the secret code obtained from the ticketing tool.
5. Enter a subject and a message for the alert. You can select them from a predefined list available under Macros or type
your own.
6. Click the Test and Save button to establish communication and complete configuration.
For Kayako:
2. Enter the login name and password of a valid user in the ticketing tool.
3. Enter a short description and a description for the alert. You can select the descriptions from a predefined list available
under Macros or type your own descriptions.
4. Click the Test and Save button to establish communication and complete configuration.
4. Enter the login name and password of the account having admin privileges.
5. Enter a description for the alert. You can choose the description from a predefined list available under Macros or type
6. Click the Test and Save button to establish communication and complete the configuration.
After configuring EventLog Analyzer with the ticketing software, you can select the alert profiles for which tickets need to
be raised.
In the ticketing tool integration page, you will have a list of existing alert profiles. Select the ones for which you want a
ticket to be raised. You can search for specific alert profiles using the search box. You can also select all the alert profiles by
ticking the Select All check box. If Select All is checked, all the alert profiles added in the future will be automatically
selected and tickets will be raised for them as well. Once you've completed selecting the alert profiles, click Update.
In the manage profiles tab, you can enable, disable, export and import alert profiles. You can also enable or disable
correlation based alert profiles.
Correlation based alert profiles and Profile based alert profiles will be in two separate tabs as shown in the image above.
Alert profiles can be imported or exported by clicking on the Import or Export option. Once you select an option, you will get the
message below.
In case an imported alert profile is similar to an existing alert profile, you will get the message below. To overwrite an
existing profile with an imported profile, select the required profile and click on Import.
To filter alert profiles based on the number of alerts raised, click on the number of alerts under the No. of Alerts column.
Incident management
EventLog Analyzer helps you streamline the process of managing and investigating security incidents. You can track the
status of security incidents by navigating to the Alerts tab > Incident.
The incident page displays details such as the age of the incident, who created it, and when it was created. The Actors
widget contains the list of users, entities, services, and processes responsible for the incident to help the assignee quickly
investigate the incident and take remedial action.
In the Incident page, enter a name and description for your incident in the respective fields.
Select the assignee, severity, and status of your incident from the respective drop-down menus.
Click on Create.
You can view the incident creation event being logged in the Activity Logs pane.
In EventLog Analyzer, you can map a triggered alert as an incident, assign a security technician to respond to the incident,
and track its status by following the steps given below:
You can also add an alert as evidence to an incident by selecting the alert, clicking on the +Add to Incident button, and
selecting the required incident from the list displayed. The alert can now be viewed under the Evidence tab of the selected
incident.
EventLog Analyzer allows you to map search results as incidents to help you backtrack an attack and conduct root cause
analysis by following the steps given below:
Navigate to the search tab and execute the required search query.
In the search results pane, click on the Incident button.
Now, select the search result(s) you want to add to an incident.
Click the +Add to Incident button and choose the incident to which you want to add the search result(s).
Alternatively, you can also create a new incident to map the selected search results by clicking the +Add New
Incident link.
If you're creating a new incident, enter a name and description for the incident. Select the assignee, status, and
severity from the respective drop-down menus.
Click Create.
You can now view the search results added as evidence under the Evidence tab of the incident.
Navigate to the Reports tab and click the report you want to add as an incident.
Click the Incident button and select the events of interest.
Click the +Add to Incident button and select the name of the incident to which you want to add the selected
events.
Alternatively, you can also create a new incident by clicking the +Add New Incident link.
If you're creating a new incident, enter a name and description for the incident. Select the assignee, status, and
severity from the respective drop-down menus.
Click Create.
You can now view the events of the report listed under the Evidence tab of the selected incident.
You can configure pre-defined incident rules for devices, device groups, and alert profiles to automatically create incidents
when a specific number of alerts get triggered within a specified time span.
Note: You can create up to 10 incident rules in your EventLog Analyzer instance. The solution is capable of triggering
up to fifty incidents per incident rule in a day.
2. Click on the More tools icon present at the top-right corner of the page.
3. Click on Workflow to open the Manage Workflow page and click on the +Create Workflow button.
5. Click on the Description link next to the Workflow Name field to enter an appropriate description for the workflow.
6. Create a workflow by dragging and dropping the workflow blocks from the left pane into the space provided. Arrange
the blocks in the order in which the actions should run against your infrastructure.
EventLog Analyzer contains multiple workflow blocks to help you configure workflows to perform the required actions. The
logic blocks are categorized under different sections.
The list of workflow blocks and the details to be specified while configuring workflows using them are given below:
Logic actions
Decision: Allows you to branch the workflow based on the status of the previous action.
Time Delay: Allows you to introduce a time delay in the execution of the workflow. Details to specify: the time delay in minutes.
Network actions
Process actions
Service actions
Test Service: Allows you to test whether a service is running on a device. Details to specify: the name of the device on which you want to test the service, and the service you want to test.
Windows actions
Log Off: Allows you to log off from the currently active session on a device. Details to specify: the name of the device you want to log off from, and whether you'd like to force this action.
Linux actions
Notification actions
Send SNMP Trap: Allows you to send SNMP traps to the required destination. Details to specify: SNMP Manager, port number, community, version, enterprise OID, and message content.
Disable User: Allows you to disable a user's account. Details to specify: the name of the user account you want to disable.
Disable Computer: Allows you to disable a computer account. Details to specify: the name of the computer account you want to disable.
Miscellaneous actions
To edit an existing workflow you can click on the edit icon present against the workflow name in the Manage Workflow
page.
Managing workflows
You can view and edit existing workflows in EventLog Analyzer by navigating to the Alerts tab and clicking on Workflow
from the More tools icon. The Manage Workflows page displays the list of workflows, their descriptions, the number of alert
profiles associated with each workflow, and their histories. You can enable or disable, delete, edit, and copy the workflows
by clicking on the respective icons.
If the Windows devices have already been added to EventLog Analyzer, workflows can be executed using the device
credentials or the domain credentials of the devices, so you need not update credentials for Windows devices manually.
You can configure a set of common credentials for executing workflows in all Linux devices by following the steps given
below:
Click on the Workflow Credentials link present in the Manage Workflow page.
Click on the Edit link provided for Linux devices.
You can configure a set of common credentials for executing workflows in all Cisco devices using EventLog Analyzer by
following the steps given below:
Click on the Workflow Credentials link present in the Manage Workflow page.
Click on the Edit link provided for Cisco devices.
Enter the username and password.
Click on Update to store and use these credentials to execute workflows in all Cisco devices.
If the common credentials do not work for certain Cisco Devices, you need to configure the credentials for those devices
by following the steps given below:
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Attack techniques such as account manipulation, access token manipulation, and brute force, to name a few, are
associated with these tactics to help identify adverse events and anomalies. The framework is adopted globally and gives
security teams a common vocabulary for describing current attack patterns.
Configurations
Carry out the necessary configurations required for EventLog Analyzer functioning. You can carry out the following
configurations:
Manage Devices
Manage Device Groups
Manage Applications
File Integrity Monitoring
Threat Management
Threat whitelisting
Manage Threat Source
Manage vCenter
Manage Vulnerability Data
In this page, you can find three tabs: Windows Devices, Syslog Devices and Other Devices. Under Windows Devices, you
can use the Select Category drop-down menu to select a domain or workgroup.
1. Devices are displayed with the following icons: Search, Enable, Disable, Filter, Change Monitor Time Interval, and
Delete. The Filter option lets you choose the devices for reports by their status (enabled/disabled), state
c. Device Name
d. Device IP address
g. Next Scan On: Shows when the next scan is scheduled. The Scan Now link against each device will scan the
device instantly.
i. Device Group
Quick Links
Manage Devices
How to add a device?
2. Select the appropriate tab from Windows Devices, Syslog Devices, Other Devices.
2. Select the appropriate tab from Windows Devices, Syslog Devices, Other Devices.
1. Navigate to Settings > Configuration > Manage Devices > Windows Devices
4. In the box that opens, select the time interval in hours or minutes as needed.
5. Click Update.
2. Click the edit icon for the device. For Syslog Devices and Other Devices, hover over the device for the edit icon to appear.
3. This opens the Update Device box where you can edit Device Type, Device IP Address, Display Name, and Monitor
Interval.
5. Click Update.
2. Click the Configure Event Source Files icon for the device.
3. In the Event source files dialog box, select the type(s) of event source files.
4. Click Configure.
Note: The registry is accessed for configuring event source files. Modifications to a registry entry will reflect
only when reloaded. This feature supports Windows XP Pro and above.
4. Enter the root login credentials for the Unix device and SSH port number.
5. For configuring syslog forwarding , enter the IP address of the EventLog Analyzer server.
7. Specify the Syslog Port number. Note that the default port numbers are 513 and 514 for UDP and 514 for TCP.
Important Note: It is recommended that FIM be implemented only for strictly necessary files and folders, to
avoid disk space issues that may arise from the high volume of generated logs.
When you enable File Integrity Monitoring for Windows, the required Object Access audit policies are enabled automatically on
the file server. If GPOs in your domain override the audit policy, follow the procedure below to enable them
manually.
In an administrator command prompt, check the current Object Access settings with the command
auditpol /get /category:"Object Access"
Then proceed to enable the following access policies
Audit file share
Audit file system
Audit handle manipulation
Audit detailed file share
Audit other object access events.
SACLs should be enabled for the monitored file/folders. These are automatically enabled by the product. If not,
manually update SACLs with the following permissions (see how)
Execute files/ traverse folder
Write data/create files
Append data/create folders
Write attributes
Write extended attributes
Delete subfolders and files
Delete
Read permissions
Change permissions
Take ownership
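The following PowerShell script is an added example; it is not part of the EventLog Analyzer guide or product. It covers both of the manual steps above: it reads each of the five Object Access subcategories with auditpol and enables success and failure auditing where that is not already set, then adds a SACL entry on a monitored folder that covers the permissions listed above. The folder path (D:\Shares\Finance) and the audited principal (Everyone) are assumptions. Run it in an elevated PowerShell session on the file server.

```powershell
# Added example (not part of the EventLog Analyzer guide): enable the Object Access
# audit subcategories that FIM depends on and put a matching SACL on a monitored folder.
# Run in an elevated PowerShell session on the file server.

$MonitoredPath    = 'D:\Shares\Finance'   # assumption: a folder you monitor with FIM
$AuditedPrincipal = 'Everyone'            # assumption: whose access the SACL records

# Subcategories named in the guide. "auditpol /get ... /r" returns CSV; the
# "Inclusion Setting" column holds the effective value for the subcategory.
$subcategories = @(
    'File Share',
    'File System',
    'Handle Manipulation',
    'Detailed File Share',
    'Other Object Access Events'
)

foreach ($sub in $subcategories) {
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    $current = $row.'Inclusion Setting'
    if ($current -ne 'Success and Failure') {
        Write-Host "Enabling '$sub' (current setting: $current)"
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    } else {
        Write-Host "'$sub' already audits success and failure"
    }
}

# Rights from the list above, mapped to FileSystemRights flags:
# "Execute files/traverse folder" -> ExecuteFile, "Write data/create files" -> WriteData,
# "Append data/create folders" -> AppendData, "Delete subfolders and files" ->
# DeleteSubdirectoriesAndFiles, and so on.
$rights = [System.Security.AccessControl.FileSystemRights]::ExecuteFile -bor
          [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::AppendData -bor
          [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
          [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::ReadPermissions -bor
          [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
          [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Audit both successful and failed use of those rights, inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $AuditedPrincipal,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit makes Get-Acl read the SACL as well; this needs SeSecurityPrivilege (elevation).
$acl = Get-Acl -Path $MonitoredPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $MonitoredPath -AclObject $acl

# Show the resulting SACL so it can be checked against the permission list above.
(Get-Acl -Path $MonitoredPath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize
```

If an Advanced Audit Policy GPO applies to the server, the local auditpol /set change is overwritten at the next policy refresh; in that case set the same subcategories in that GPO, which is what the note above means by overriding GPOs. The SACL entry survives policy refreshes because it is stored on the folder itself.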
Linux:
Note: Configuring FIM for Linux audits the following actions on Linux files:
Read
Write
Execute
Attribute change
Note: For Linux devices, in addition to entering the details mentioned above, you will also be prompted to enter
If you want to know who has made the change to the file or folder, check the Audit Username checkbox.
Click Configure.
Note: For Linux devices, in addition to entering the details mentioned above, you will also be prompted to enter
Click Configure.
Navigate to Settings > Configurations > Manage File Integrity Monitoring > FIM Templates.
Depending on which device the files and folders that you wish to monitor are located in, click on either the
Windows or Linux tab.
Click Add FIM.
Enter a name for the template and select the locations of the files and folders.
Alternatively, you can enter the location of the files/folders.
The Exclude Filter gives you an option to exclude
a. Certain file types.
If you want to know who has made the change to the file or folder, check the Audit Username checkbox.
Click Configure.
2. Click on the View Report icon on the right corresponding to the threat source.
2. Hover over the threat source and click on the red cross icon that appears.
3. In the Add Server box, enter the Display name, URL, Username, and Password.
4. In the Poll from box, specify the date from when feeds should be collected.
5. In the Schedule drop down list, select the schedule frequency and the time for syncing data from the TAXII server.
3. You can make the required changes such as the schedule to sync data from the TAXII server.
3. Click the enable/disable icon under Actions to enable/disable polling for the corresponding feed. Click Yes in the pop-
up to confirm.
IP Details
An IP range can be entered by specifying the Start and End IPs. For instance, to whitelist every address from
192.198.111.0 to 192.198.111.220, enter 192.198.111.0 as the Start IP and 192.198.111.220 as the End IP.
The URL can be whitelisted by mentioning the address in the text box. For instance, http://sampleURL.com
Domain
A domain can be whitelisted by mentioning the domain address. For instance, 'mydomain'.
Import CSV
To import an existing CSV file containing the source(s) to be whitelisted, click the Import CSV option on the top-
right corner of the pop-up window.
Threat Alerting
Threat Whitelisting has been integrated with Advanced Threat Analytics with the aim of reducing false positive alerts.
To whitelist a particular source, select the desired source from the list (using checkbox) and click on the ellipsis
(three dots stacked vertically) and select the Whitelist Source option.
Note: The whitelisted sources will be excluded from threat alerts and external threat reports.
3. Click on the +Add Device(s) button to add devices to this device group. You can then select the devices you wish to
4. Click OK.
5. Click on the + Add Device(s) button to add devices to this device group, and select the devices by clicking on the
6. Click the Add button to create the device group with the devices listed.
Device Groups
By clicking on the number under the Number of Devices link, you can view all the devices present in the device group.
Update Credentials
Update Port No
View vCenter
After you have added a vCenter server, navigate to View vCenter to view its details. Here, you can view the added vCenter
servers along with log collection status, last message time, and next scan.
3. Enter the destination server to which the logs have to be forwarded and the port number (default port: 513).
4. Select the protocol (UDP only), the RFC standard (RFC 3164 or RFC 5424), and the source devices from which logs have
to be forwarded.
5. Click Save.
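The script below is an added example, not part of the EventLog Analyzer guide. It sends one test message in each of the two RFC formats selectable above to the forwarding destination over UDP, so you can confirm the receiver is listening on the chosen port before relying on forwarded logs. The collector address, the port and the application name are assumptions.

```powershell
# Added example (not part of the EventLog Analyzer guide): send a test syslog message in
# RFC 3164 and RFC 5424 format over UDP to the forwarding destination configured above.

$Collector = '10.0.0.25'          # assumption: destination server from step 3
$Port      = 514                  # assumption: the port chosen in step 3 (the guide's default is 513)
$Hostname  = $env:COMPUTERNAME
$AppName   = 'ELA-forward-test'   # assumption: tag used for the test messages

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1, RFC 5424 section 6.2.1).
function Get-SyslogPri {
    param([int]$Facility, [int]$Severity)
    return $Facility * 8 + $Severity
}

function New-Rfc3164Message {
    param([string]$Message, [int]$Facility = 1, [int]$Severity = 6)   # facility user, severity informational
    $pri = Get-SyslogPri $Facility $Severity
    $now = Get-Date
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss": space-padded day, no year, no zone.
    $mon = $now.ToString('MMM', [System.Globalization.CultureInfo]::InvariantCulture)
    $ts  = '{0} {1,2} {2:HH:mm:ss}' -f $mon, $now.Day, $now
    return "<$pri>$ts $Hostname ${AppName}: $Message"
}

function New-Rfc5424Message {
    param([string]$Message, [int]$Facility = 1, [int]$Severity = 6)
    $pri = Get-SyslogPri $Facility $Severity
    # RFC 5424 uses an ISO 8601 timestamp with zone offset; "-" is the NILVALUE for
    # PROCID, MSGID and STRUCTURED-DATA.
    $ts = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ss.fffK')
    return "<$pri>1 $ts $Hostname $AppName - - - $Message"
}

function Send-SyslogUdp {
    param([string]$Payload, [string]$Server, [int]$DestPort)
    $udp   = New-Object System.Net.Sockets.UdpClient
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Payload)
    try     { [void]$udp.Send($bytes, $bytes.Length, $Server, $DestPort) }
    finally { $udp.Close() }
}

# A unique marker makes the messages easy to find on the receiving side.
$marker = "ELA forwarding test $(Get-Date -Format o)"
foreach ($msg in @((New-Rfc3164Message "$marker (RFC 3164)"), (New-Rfc5424Message "$marker (RFC 5424)"))) {
    Write-Host "Sending: $msg"
    Send-SyslogUdp -Payload $msg -Server $Collector -DestPort $Port
}
```

UDP gives no acknowledgement, so search the receiving server for the marker text to confirm delivery. If only one of the two messages shows up, the receiver is configured for the other RFC format, which is the selection step 4 asks for.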
Admin Settings
The Admin Settings tab lets you configure EventLog Analyzer and tune its behavior as required.
You can carry out the following operations from the Admin Settings tab:
Agent Administration
Archive Settings
Technicians and Roles
Database Storage Settings
Log Collection Filter
Working Hour Settings
Product Settings
Log Collection Alerts
Report Profiles
Resource Grouping
Custom Log Parser
Tags
2. Click on Save.
2. Enter the desired password in the "Password" and "Confirm Password" box.
3. Click on Save.
Note: If multiple devices are selected, ensure that the credentials are valid for all the devices.
Using GPOs:
Before beginning to install the EventLog Analyzer agent using GPOs, place the following files in a network-shared folder of
the server:
In the left pane, right-click the Group Policy Objects container and select New.
For Windows Server 2008 and later, navigate to Computer Configuration > Policies > Windows Settings > Scripts
(Startup/Shutdown) > Startup.
In the Add Script dialog box, click Browse and select InstallEventLogAgent.vbs from the shared location. In the Script
Parameters box, enter the following, replacing the placeholders with your values:
/MSIPATH:"<share path of msi file>" /SERVERNAME:"<ELA server name>" /SERVERDBTYPE:"<database of server>"
Templates > System.
In the right pane of the GPO Editor, double-click Run logon scripts synchronously and enable it.
In the right pane, double-click Always wait for the network at startup and logon and enable it.
In the right pane, double-click Group Policy slow link detection and enable it.
Tip: For installing the agent on multiple computers at one go, create an AD group and add all the computers on
which the agent needs to be installed to the group. Then, apply the GPO to that group.
On the left pane of the Group Policy Management Editor, right-click the GPO you are working on and select Properties.
Navigate to the Security tab and unselect the Apply Group Policy permissions for Authenticated Users.
Click Add and in the dialog box that appears, click Object Types.
Enter the name of the desired computer(s) and/or group(s) and click Check Names.
Select the desired computer(s) and/or group(s) and click OK to return to the properties dialog box.
In the Security tab, apply the following permissions to the selected group(s) and/or computer(s):
Restart the computers to apply the GPO; the startup script installs the agent when they boot.
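The following PowerShell script is an added example, not part of the EventLog Analyzer guide. It performs the scaffolding parts of the GPO procedure above with the GroupPolicy and ActiveDirectory modules (RSAT): it creates the computer group from the tip, creates and links the GPO, applies the security filtering (Authenticated Users keep Read but lose Apply; only the computer group gets Apply), and sets the three Administrative Templates settings as the registry policies that back them. The GPO name, group name, OU and computer names are assumptions. Adding the startup script itself is still done in the Group Policy Management Editor as described above, because the GroupPolicy module has no cmdlet for script entries.

```powershell
# Added example (not part of the EventLog Analyzer guide): GPO scaffolding for the agent
# startup script. Run as a domain admin on a machine with RSAT installed.

Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'EventLog Analyzer Agent Install'   # assumption
$GroupName = 'ELA-Agent-Computers'                # assumption: group holding the target computers
$TargetOu  = 'OU=Servers,DC=corp,DC=example'      # assumption: OU the GPO is linked to
$Computers = @('SRV01', 'SRV02')                  # assumption: computers that need the agent

# Tip above: put the target computers in one AD group and filter the GPO on it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security | Out-Null
}
foreach ($name in $Computers) {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $name)
}

# Create the GPO and link it to the OU (New-GPLink errors harmlessly if the link exists).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Installs the EventLog Analyzer agent at startup'
}
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Security filtering: Authenticated Users lose "Apply Group Policy" but keep Read, because
# domain computers must still be able to read the GPO for it to be processed at all.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# The three Administrative Templates > System settings from the steps above, written as
# the registry-based policies behind them.
$policies = @(
    @{ Key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'RunLogonScriptSync';         Value = 1 }    # Run logon scripts synchronously
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       ValueName = 'SyncForegroundPolicy';       Value = 1 }    # Always wait for the network at startup and logon
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\System'
       ValueName = 'GroupPolicyMinTransferRate'; Value = 500 }  # Group Policy slow link detection (kbps)
)
foreach ($p in $policies) {
    Set-GPRegistryValue -Name $GpoName -Key $p.Key -ValueName $p.ValueName -Type DWord -Value $p.Value | Out-Null
}

# Review who can read and who will apply the GPO before restarting the computers.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

After running it, open the GPO in the Group Policy Management Editor, add InstallEventLogAgent.vbs with its /MSIPATH, /SERVERNAME and /SERVERDBTYPE parameters as a startup script, and restart the target computers.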
Manual installation:
For Windows devices:
On the agent machine, open a browser and go to the following URL to download the agent installer:
<eventlog_server>:<eventlog_server_port>/event/downloadMsi.nms?platform=windows
Another way to uninstall the EventLog Analyzer agent from a device is through Add or remove programs:
Navigate to the Windows Start menu > Add or remove programs.
Select the "ManageEngine EventLog Analyzer Agent".
Click Uninstall.
Archiving interval
Type of logs that need to be archived
Storage location of the archived files
Retention period
The archived files can be encrypted and time-stamped to make them secure and tamper-proof.
b. Archive file is missing - When the flat file is not found during the compression/zipping process.
c. Archive file not found - When an archive file is not found in the location where it is stored in the DB.
d. Archive file is tampered - When the original archive file is edited/some part of the file is deleted externally. In
case a file has been deleted or tampered with, an email notification will be sent immediately and the message
To view a specific archival file, click on the check box corresponding to the device.
You can also view the archived log files that are created during a specific time period. To do so, click on the calendar icon on
the top right corner of the page and specify the desired time period.
If you want to view a set of files based on the size or status of the archive data, you can do so by clicking on the filter icon
next to Size or Status and setting the appropriate values. The files will be filtered based on the given values.
By clicking on the drop down icon next to Devices/From/To, you can sort the list in ascending order. It will be sorted on
the basis of the respective column values. By clicking again, you can sort the list in descending order.
2. Once the status of the file changes to Loaded, click on the corresponding View button.
Note: To drop a file, select the file and click on the Unload Archive button.
Configure the archive interval, retention period, option to encrypt, time-stamp of the archive files, location to save the
archive files and location to save the index files in this screen.
Note: Archiving and database storage are asynchronous, independent operations.
2. To secure the archive files, enable encryption of the files. By default, it will be disabled.
3. Enter the Archive retention period for the archived files. The default period is Forever.
4. Logs can be archived in two formats: "Raw Logs with Parsed Fields" and "Raw Logs". "Raw Logs with Parsed Fields"
are stored with the metadata and "Raw Logs" are stored without metadata. Raw Logs need less storage space, but
only basic reports can be generated from them.
5. Enter the storage location for the archived files in the Archive Location box. Click on "Verify Location" to validate the
location.
6. Enter the Notification Email Address. Notification emails regarding file integrity will be sent to the specified email ID(s).
7. Enter the log retention period for the loaded archive files. The default period is 7 days.
8. Click on Advanced. Enter the values for the following three parameters that are displayed on the screen:
a. Choose the required time interval for file creation. The logs are written to flat files at the specified time period.
b. Choose the required time interval for creating a zip file.The flat files are compressed (20:1 ratio) and zip files are
9. Save the settings and close the window. For instant archiving, click the Zip now button next to Zip Creational Interval.
ES\repo, ES\data and ES\archive should never point to the same folder
Examples:
2. Navigate to <Eventlog home>\ES\config\elasticsearch.yml, update path.data to include the new location and save the
file.
Case 2: EventLog Analyzer is integrated into Log360 and is installed with Log360 installer (Bundled):
In this case, EventLog Analyzer uses a common ES that's shared with other modules
Note:
With Log360, the integrated module will have only one ES and it can be located in the Admin > Administration
and Search Engine Management page. By clicking on details we can see that it is running from
<ManageEngine>\elasticsearch\ES folder.
In this case, EventLog Analyzer uses both its existing local ES (from before integration) and the common ES (after
integration with Log360).
Note:
By default, the integrated module will have two ES and it can be located in the Admin > Administration and
Search Engine Management page. By clicking on details we can see that one is running from EventLog Analyzer,
<Eventlog home>\ES folder and other from <ManageEngine>\elasticsearch\ES folder.
(different from the one given for common ES) and save the file.
Note:
ES\repo folder contains temporary files for ES archives
ES\repo, ES\data and ES\archive should never point to the same folder
Examples:
2. Navigate to <Eventlog home>\ES\config\elasticsearch.yml, update path.data to include the new data location and
3. In <Eventlog home>\ES\config\elasticsearch.yml, update path.repo to include the new repository location (parallel to
5. Create a folder with the name archive (parallel to the new data directory).
6. Move the files from <ManageEngine>\<Eventlog>\ES\archive folder to the new folder named archive.
Case 2: EventLog Analyzer is integrated into Log360 and is installed with Log360 installer (Bundled):
In this case, EventLog Analyzer uses a common ES that's shared with other modules
Note:
With Log360, the integrated module will have only one ES and it can be located in the Admin > Administration
and Search Engine Management page. By clicking on details we can see that it is running from
<ManageEngine>\elasticsearch\ES folder.
4. Also update path.data in <Eventlog home>\ES\config\elasticsearch.yml to include the new data location (same data
6. Update path.repo in <Eventlog home>\ES\config\elasticsearch.yml to the new repository location (same repository
8. Create a folder with the name archive (parallel to the new data directory).
9. Move the files from <ManageEngine>\<Eventlog>\ES\archive folder to the new folder named archive.
In this case, EventLog Analyzer uses both its existing local ES (from before integration) and the common ES (after
integration with Log360).
Note:
By default, the integrated module will have two ES and it can be located in the Admin > Administration and
Search Engine Management page. By clicking on details we can see that one is running from EventLog Analyzer,
<Eventlog home>\ES folder and the other from <ManageEngine>\elasticsearch\ES folder.
4. Run stopES.bat
I. Change in common ES
1. Navigate to <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml, update path.data to include the new
II. Change in local ES (the path here should be different from the one given for common ES)
1. Navigate to <ManageEngine>\<Eventlog>\ES\config\elasticsearch.yml, update path.data to include the new location
(this should be different from the one given for common ES) and save the file.
3. Create a folder with the name archive (parallel to the new data directory).
5. Move the files from <ManageEngine>\<Eventlog>\ES\archive folder to the new folder named archive.
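The script below is an added example and not part of the EventLog Analyzer guide. It carries out the standalone (non-integrated) relocation described above for one ES instance: stop ES, point path.data and path.repo in elasticsearch.yml at the new locations, create the archive folder parallel to the new data directory, and move the existing archive files. It also enforces the rule that ES\repo, ES\data and ES\archive must never be the same folder. Unlike the steps above, which say to "include" the new location, it replaces path.data outright and therefore also moves the contents of the old data directory; that choice, the install path, the new drive, and the location of stopES.bat are assumptions.

```powershell
# Added example (not part of the EventLog Analyzer guide): move a standalone EventLog
# Analyzer ES instance's data, repo and archive directories to a new drive.
# Stop EventLog Analyzer before running this.

$ElaHome = 'C:\ManageEngine\EventLog Analyzer'     # assumption: <Eventlog home>
$NewBase = 'E:\ELA-ES'                             # assumption: new base folder for ES storage
$StopEs  = Join-Path $ElaHome 'ES\bin\stopES.bat'  # assumption: where stopES.bat lives in your install

$ymlPath = Join-Path $ElaHome 'ES\config\elasticsearch.yml'
$oldData = Join-Path $ElaHome 'ES\data'
$oldArch = Join-Path $ElaHome 'ES\archive'
$newData = Join-Path $NewBase 'data'
$newRepo = Join-Path $NewBase 'repo'
$newArch = Join-Path $NewBase 'archive'   # parallel to the new data directory, as the steps require

# Guard against the misconfiguration the note above warns about.
$distinct = @($newData, $newRepo, $newArch |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } |
    Sort-Object -Unique)
if ($distinct.Count -ne 3) {
    throw 'path.data, path.repo and the archive folder must be three different directories.'
}

& $StopEs
foreach ($dir in $newData, $newRepo, $newArch) {
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
}

# Rewrite path.data and path.repo, keeping every other line. Forward slashes avoid YAML
# escaping questions on Windows; WriteAllLines writes UTF-8 without a BOM.
Copy-Item -Path $ymlPath -Destination "$ymlPath.bak" -Force
$lines = @(Get-Content -Path $ymlPath | Where-Object { $_ -notmatch '^\s*path\.(data|repo)\s*:' })
$lines += "path.data: $($newData -replace '\\', '/')"
$lines += "path.repo: $($newRepo -replace '\\', '/')"
[System.IO.File]::WriteAllLines($ymlPath, [string[]]$lines)

# Move existing indices and archive files so nothing is lost when ES starts on the new paths.
if (Test-Path $oldData) { Get-ChildItem -Path $oldData -Force | Move-Item -Destination $newData }
if (Test-Path $oldArch) { Get-ChildItem -Path $oldArch -Force | Move-Item -Destination $newArch }

# Show the effective settings for a final check before starting EventLog Analyzer again.
Get-Content -Path $ymlPath | Select-String -Pattern '^path\.(data|repo):'
```

For an instance integrated with Log360, run the yml edit once per ES (common and local) with different target directories for each, as the note above requires.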
You can either add a user from AD or add a local technician in EventLog Analyzer.
4. In the Roles drop-down box, choose the role(s) you want to assign to the technician. You can assign more than one
role to the technician and permissions of all the selected roles will be assigned to the technician.
5. Assign device group(s) to provide segmented view to the user and limit the privilege on security resources. Select the
How to manage (delete, assign role to, assign group to) EventLog
Analyzer technicians?
1. To monitor the users of EventLog Analyzer, click on the User Audit icon. This will give you the report of all EventLog
Analyzer user activity. You can view the user audit data for the required username, type of user(administrator,
operator, guest), resource and action. The report can be extracted into PDF/CSV format.
2. Delete, enable or disable users by selecting the users and clicking on the respective icons.
3. Click on the edit icon to update the technician details such as the roles assigned, device groups, email and password.
1. In the Roles drop-down box, choose the role(s) you want to assign to the technician. You can assign more than
one role to the technician and permissions of all the selected roles will be assigned to the technician.
2. Assign device group(s) to provide segmented view to the user and limit the privilege on security resources.
3.
2. Specify the interval (in days) for running the scheduled automatic import.
3. Click the Save button, or the Save and Run Now button if you wish to run the scheduled import right
away.
4. In the Add New Role page, enter an appropriate role name in the Role Name field.
6. You will see multiple tabs such as Home, Reports, Compliance, Correlation, Alerts, Settings, and Others. You can click
on the checkbox provided for each of these tabs to allow the role to have all the permissions associated with the
selected tabs. You can also navigate to each of these tabs individually and select the required permissions.
Under the Home tab, you can see two sections: Dashboard and View the Log Sources. In the Dashboard
section, you can allow users to view, and create and manage the dashboard. In the View the Log Source
section, you can assign permissions to view device, application, and file integrity monitoring logs. You can also
click on the checkboxes next to the Dashboard and View the Log Sources section to select all the options
Under the Reports tab, you can specify if the user can view, schedule, and create reports by selecting the
appropriate checkboxes. You can select all permissions associated with the Reports section by choosing
General.
Similarly, under the Compliance tab, you can choose if the user can view, create, and schedule compliance
reports. You can click on the General checkbox if you want the user to have all permissions related to the
Compliance tab.
Under the Search tab, you can choose if you want to allow the user to perform search operations on the
collected logs.
Under the Correlation tab, you can find the Correlation and Activity Monitoring sections. In the Correlation
section, you can choose if you want the role to view correlation reports, schedule them, and create and
manage correlation rules and custom correlation actions. In the Activity Monitoring section, you can choose if
the role can view and schedule activity monitoring reports, and create and manage activity monitoring rules.
Under the Alerts tab, you can find three sections: Alerts, Incident Workflows, and Ticketing Tools. In the
Alerts section, you can specify if you want the role to view generated alerts, and manage alert profiles and
alert assigning rules by clicking on the appropriate checkbox. In the Incident Workflows section, you can select
if the role can manage incident workflows. In the Ticketing Tools section, you can allow the role to configure
ticketing tools.
and System Settings. The Log Source Configuration tab contains multiple sections -- in which you can choose if
you want the user to have permissions to configure and manage devices, applications, databases, virtual
machines, and the File Integrity Monitoring component. In the Admin tab, you can choose whether the user
can configure and manage domains, workgroups, and agents. In the System Settings tab, you can specify the
Under the Others section, you can specify if the user can view product support related information, supported
7. After choosing all the required permissions, click on Create to create the custom user role.
In EventLog Analyzer, you can view all the default and custom user Roles by navigating to Settings > Admin Settings >
Technician and Roles > Manage Roles. The role names, descriptions, and the number of technicians associated with each
role will be displayed in a table. The Actions column of the table contains Click to Copy, Edit, and Delete icons to enable
you to perform the required management actions. The Click to Copy option allows you to copy the permissions associated
with an existing role to a new role -- which you can later edit as per your needs.
General: Learn how to configure CAPTCHA and block users after a certain number of invalid login attempts.
Two-factor Authentication: Learn how to enable two-factor authentication for users logging into EventLog
Analyzer.
Smartcard Authentication: Learn how to configure EventLog Analyzer to authenticate users through smart cards,
bypassing other first-factor authentication methods.
External Authentication: Learn how to configure EventLog Analyzer to authenticate users through Active Directory
and RADIUS server.
General
Under the General tab of Logon Settings, you can configure the following.
CAPTCHA Settings
Block User Settings
CAPTCHA Settings
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Login CAPTCHA
serves as a security measure against bot-based brute force attacks. Enabling this setting will display a CAPTCHA image on
the login page. End-users must enter the characters shown in the CAPTCHA image to log into the EventLog Analyzer web
portal.
You can configure whether to show CAPTCHA always or after a certain number of invalid login attempts. Apart from the
CAPTCHA image, you can also enable Audio CAPTCHA.
Using this option you can block users from accessing EventLog Analyzer after a certain number of invalid login attempts for
a defined duration. A blocked user cannot log into EventLog Analyzer until the threshold for reset is reached.
Two-Factor Authentication
If TFA is enabled, EventLog Analyzer will require its users to authenticate using one of the following authentication
mechanisms in addition to Active Directory or RADIUS authentication.
Email Verification
SMS Verification
Google Authenticator
RSA SecurID
Duo Security
Note: As a preventive measure against lockout, it has been made possible for an administrator to skip two-
Click on the authentication mechanism of your choice and enter the necessary details.
Note: If multiple authentication options are enabled, the user will be asked to choose one at the time of logging
in.
Email Verification
When email verification is enabled, EventLog Analyzer sends a verification code to the configured email address. That
verification code would need to be entered to successfully login.
SMS Verification
When SMS verification is enabled, EventLog Analyzer sends a verification code via SMS to the configured mobile number.
That verification code would need to be entered to successfully login.
When verification via Google Authenticator is enabled, a six-digit security code will be generated in the Google
Authenticator application in the configured mobile. This code would need to be entered to successfully login.
Note: Ensure that the client time and device (mobile) time are synchronized.
RSA SecurID
Duo Security
When verification via Duo Security is enabled, a six-digit security code will be generated in the Duo Security application in
the configured mobile. This code would need to be entered to successfully login.
Note: Ensure that the server time and internet time are synchronized.
Login to your Duo Security account or sign up for a new one and login. For self enrollment steps, go to Duo Self
Enrollment.
Go to Applications and click Protect an Application.
Search for Web SDK and click Protect this Application.
Note the Integration Key, Secret Key, and API Hostname.
In the EventLog Analyzer two-factor authentication menu, select the Enable Duo Security check box and enter the
noted down values in appropriate fields.
Click Save to save the configuration.
As a backup mechanism against user lockout caused by two-factor authentication failure, EventLog Analyzer supports backup
verification codes. Each user can generate a set of five backup verification codes and use one code each time they are
unable to log in with the configured mechanism.
To allow users to login using backup verification codes, enable the Backup Verification Code check box.
As an admin, you can view the authentication method users have enrolled for and also remove users' enrollment for two-
factor authentication. To manage enrolled users,
To manage the two-factor authentication settings of the logged in account, check Manage Account TFA .
This feature provides an additional authentication option for EventLog Analyzer login by enabling the use of smart
cards/PKI/certificates to grant access to the tool. Smart card authentication strengthens security further because
access to EventLog Analyzer then requires the user both to possess the smart card and to know its personal
identification number (PIN).
After you have added a smart card for authentication, you can perform any of the following functions:
To enable or disable a configured smart card: In the Settings tab, navigate to Admin Settings > Logon Settings > Smart Card
Authentication and click the Enable/Disable icon in the Action column of the particular smart card.
To delete a smart card: In the Settings tab, navigate to Admin Settings > Logon Settings > Smart Card Authentication, click
the Delete icon corresponding to the smart card you wish to delete, and click Yes to confirm the deletion.
Adding a Domain
To add a new domain, click on the Add new domain button. This will open the Add Domain window.
2. Click on the discover link to discover the domain controllers. Alternatively, you may also key in the domain controllers
3. Enter the credentials (Login Name and Password) with admin privileges. Note that the machine login credentials are
Update a Domain
To update a domain, click on the Update icon in the Actions column.
1. Click on the discover link to discover the domain controllers. Alternatively, you may also key in the domain controllers
2. Modify the authentication credentials. Note that the machine login credentials are used when no authentication
Update a Workgroup
To update a workgroup, click on the Update icon in the Actions column.
Configure your organization's working hours by selecting appropriate From and To values.
To configure multiple time ranges, click the + icon and select the next working hour range.
Once the necessary working hours have been selected, click Save.
Note: If two working hour ranges with overlapping hours are configured, EventLog Analyzer will set the working
hours to be the entire range, from the least to the highest value. For example, if the configured time ranges are
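The merge rule in the note (overlapping ranges collapse into one range from the earliest start to the latest end) is easy to get wrong when you reproduce the product's outside-working-hours logic in your own detection scripts. The following Python is an added example written for this guide, not EventLog Analyzer's own code: it merges configured ranges the way the note describes and then flags logon events that fall outside them. The sample logon events, and the assumption that ranges are given as HH:MM strings within a single day, are constructed for the example.

```python
from datetime import datetime

# Working-hour ranges are ("HH:MM", "HH:MM") pairs within one day (assumption).


def _minutes(hhmm):
    """'13:30' -> 810 minutes after midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def _hhmm(minutes):
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def merge_working_hours(ranges):
    """Collapse overlapping (or touching) ranges into one range running from the
    least start to the highest end, as the note describes; disjoint ranges are kept."""
    intervals = sorted((_minutes(start), _minutes(end)) for start, end in ranges)
    merged = []
    for start, end in intervals:
        if end <= start:
            raise ValueError(f"range must end after it starts: {_hhmm(start)}-{_hhmm(end)}")
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return [(_hhmm(start), _hhmm(end)) for start, end in merged]


def in_working_hours(when, merged_ranges):
    """True if the timestamp falls inside any merged range (end is exclusive)."""
    minute_of_day = when.hour * 60 + when.minute
    return any(_minutes(start) <= minute_of_day < _minutes(end)
               for start, end in merged_ranges)


def after_hours_logons(logons, ranges):
    """Return the users whose logon timestamps fall outside working hours."""
    merged = merge_working_hours(ranges)
    return [user for user, when in logons if not in_working_hours(when, merged)]


# Constructed sample logon events: (user, timestamp).
SAMPLE_LOGONS = [
    ("alice", datetime(2024, 6, 5, 9, 30)),
    ("bob", datetime(2024, 6, 5, 18, 45)),
    ("carol", datetime(2024, 6, 6, 2, 10)),
]

if __name__ == "__main__":
    ranges = [("09:00", "17:00"), ("13:00", "19:00")]
    print("merged:", merge_working_hours(ranges))
    print("after-hours logons:", after_hours_logons(SAMPLE_LOGONS, ranges))
```

With the two overlapping ranges 09:00-17:00 and 13:00-19:00 the merged window is 09:00-19:00, so bob's 18:45 logon is inside working hours; with only 09:00-17:00 configured it is flagged.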
Product Configurations
To configure settings such as views per page, number of rows displayed in reports, and so on in EventLog Analyzer,
navigate to Settings > Admin Settings > Product Settings > Product Configurations.
Each configuration is listed below with its default value and a description.
Daily Email Limit (default: 500): Sets the maximum number of emails that can be sent per day. Enable or disable the mail
limit alert by selecting the Enable/Disable Mail Limit Alert check box. The mail server or client may also impose its own
limit on outgoing email.
Alert Email Format (default: HTML): Select whether alert emails are sent in HTML or plain-text format.
Historic Log Collection (default: Disabled): Configure whether logs generated before a device was added to the product
need to be collected.
Date and Time Format (default: MM-dd HH:mm:ss): Controls how timestamps are displayed. The format string must follow
these rules:
A space is the only separator that can be used between the date and the time.
There should not be any separators at the beginning or at the end.
Two continuous separators are not allowed.
Entering two digits for the month displays the month in numbers, whereas entering three digits displays it in words.
For example, 'MM' displays June as 06 and 'MMM' displays it as Jun.
Direct Export Report Limit (default: 20000): Sets the maximum number of records to be included in a directly exported
report.
Rows in Top N Reports (default: 10): Sets the number of rows to be displayed for reports under the Top N Reports section.
Report Time Out (default: 25 mins): Sets the maximum time allowed to generate a report.
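The Date and Time Format rules are easier to understand from a checker than from prose. The Python below is an added example, not EventLog Analyzer code: it validates a format string against those rules and renders a timestamp with it. It assumes Java SimpleDateFormat-style tokens (yyyy, MM, MMM, dd, HH, mm, ss), treats any non-letter character as a separator, and uses a constructed sample timestamp; the product's own parser is not shown in this guide and may accept more tokens.

```python
import re
from datetime import datetime

_MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Token renderers (assumed SimpleDateFormat-style subset). MM gives the month as
# a number, MMM as an abbreviated name, matching the guide's 06 vs Jun example.
_DATE_TOKENS = {
    "yyyy": lambda d: f"{d.year:04d}",
    "MM": lambda d: f"{d.month:02d}",
    "MMM": lambda d: _MONTHS[d.month - 1],
    "dd": lambda d: f"{d.day:02d}",
}
_TIME_TOKENS = {
    "HH": lambda d: f"{d.hour:02d}",
    "mm": lambda d: f"{d.minute:02d}",
    "ss": lambda d: f"{d.second:02d}",
}

# A run of one repeated letter is a token; every other single character is a separator.
_TOKEN_RE = re.compile(r"([A-Za-z])\1*|[^A-Za-z]")


def tokenize(fmt):
    """'MM-dd HH:mm:ss' -> ['MM', '-', 'dd', ' ', 'HH', ':', 'mm', ':', 'ss']"""
    return [m.group(0) for m in _TOKEN_RE.finditer(fmt)]


def _kind(token):
    if token in _DATE_TOKENS:
        return "date"
    if token in _TIME_TOKENS:
        return "time"
    return "sep" if not token[0].isalpha() else "unknown"


def validate_format(fmt):
    """Apply the guide's rules; return (True, '') or (False, reason)."""
    tokens = tokenize(fmt)
    if not tokens:
        return False, "empty format"
    kinds = [_kind(t) for t in tokens]
    if "unknown" in kinds:
        return False, f"unknown token {tokens[kinds.index('unknown')]!r}"
    if kinds[0] == "sep" or kinds[-1] == "sep":
        return False, "separators are not allowed at the beginning or end"
    for left, right in zip(kinds, kinds[1:]):
        if left == right == "sep":
            return False, "two continuous separators are not allowed"
    # Only a single space may separate the date part from the time part.
    for i in range(1, len(tokens) - 1):
        if kinds[i] == "sep" and kinds[i - 1] != kinds[i + 1] and tokens[i] != " ":
            return False, "date and time must be separated by a space"
    return True, ""


def render(fmt, when):
    """Format a datetime with a validated format string."""
    ok, reason = validate_format(fmt)
    if not ok:
        raise ValueError(reason)
    pieces = []
    for token in tokenize(fmt):
        kind = _kind(token)
        if kind == "date":
            pieces.append(_DATE_TOKENS[token](when))
        elif kind == "time":
            pieces.append(_TIME_TOKENS[token](when))
        else:
            pieces.append(token)
    return "".join(pieces)


SAMPLE_TIME = datetime(2024, 6, 5, 13, 4, 9)  # constructed sample timestamp

if __name__ == "__main__":
    for fmt in ["MM-dd HH:mm:ss", "MMM-dd HH:mm:ss", "-MM-dd HH:mm:ss", "MM-dd-HH:mm:ss"]:
        ok, reason = validate_format(fmt)
        print(fmt, "->", render(fmt, SAMPLE_TIME) if ok else f"rejected: {reason}")
```

The default MM-dd HH:mm:ss renders the sample as 06-05 13:04:09, MMM-dd HH:mm:ss as Jun-05 13:04:09, and a format with a leading separator or a hyphen between the date and the time is rejected with the matching rule as the reason.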
The different scenarios for which you have the option of enabling or disabling alerts are listed below:
Low Disk Space: You will be notified when the free space on the disk on which EventLog Analyzer is installed falls below a
set value. You can set the limit in GB of free disk space and give a suitable subject for the email that will be triggered.
Set the threshold high enough to leave time to act before the disk fills.
Note: In a new installation of EventLog Analyzer, notifications will be turned on by default for License Expiry,
EventLog Analyzer Down, EventLog Analyzer Upgrade, and Unprocessed Log Files.
After configuring the necessary notification settings, select if those notification emails need to be sent to all
EventLog Analyzer Admins or only to specific email addresses -- which you can enter in the corresponding text box.
Then, click Save to complete configuration.
Note: Archiving and database storage are independent operations; the archive settings do not affect the database retention
periods below.
In the Current Storage Size box, enter the number of days for which the raw logs need to be retained in the
database. The default value is 32 days.
In the Correlation Retention Period box, enter the number of days for which the formatted logs need to be retained
in the database. The default value is 90 days.
In the Alert Retention Period box, enter the number of days for which the alerts need to be retained in the
database. The default value is 90 days.
After entering the values, click Update to save the settings. Logs and alerts older than the configured period are no longer
available in the database, so set these periods to at least what your investigation and compliance needs require.
3. Enter a unique name for your filter in the Filter Name field.
4. Select the log format from the Select Log Format drop-down menu. Choose any one of the following log formats
displayed:
Windows Logs
Syslogs
5. Click on the + button present in the Select Device(s) field to select a device group.
6. In the Select Device pop-up menu, you can either search and select particular devices in your network to apply the
filter to or select entire device groups by selecting the respective check boxes on the left pane and clicking on Add.
7. In the Filter Criteria box, you will see the Exclude and Collect Only drop-down menus to configure a filter to perform
either of the following actions:
Exclude all the logs that satisfy the specified filter criteria.
Collect only the logs that satisfy the specified filter criteria.
Note: You can configure a filter to perform only one action. You need to create separate filters to collect
and exclude logs for the same set of devices or device groups.
9. You can also configure multiple filter groups by clicking on +Add Group and link them using AND or OR operators to
You can see the list of devices associated with a particular filter by hovering your mouse pointer over the
Device(s)/Group(s) Configured section. The More Actions drop-down menu allows you to select and enable, disable,
export, and import multiple filter profiles.
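To see how the Exclude and Collect Only actions (step 7) and the AND/OR-linked groups (step 9) combine, here is an added Python example, not EventLog Analyzer's own filter engine. It evaluates filter profiles of that shape over a few constructed Windows logon events; the field names (device, event_id, user, logon_type), the operator set, and the scoping rule that a filter only touches its selected devices are assumptions made for the example.

```python
# Operators a criterion can use (assumed set). Values are compared as strings so
# that an event ID typed in the UI matches whether it is stored as int or text.
OPERATORS = {
    "equals": lambda field_value, wanted: str(field_value) == str(wanted),
    "not equals": lambda field_value, wanted: str(field_value) != str(wanted),
    "contains": lambda field_value, wanted: str(wanted).lower() in str(field_value).lower(),
}


def group_matches(group, log):
    """All criteria inside one group must hold (criteria are ANDed within a group)."""
    return all(OPERATORS[op](log.get(field, ""), value) for field, op, value in group)


def criteria_match(groups, link, log):
    """Groups are linked with AND or OR, as chosen with +Add Group."""
    results = [group_matches(group, log) for group in groups]
    return all(results) if link == "AND" else any(results)


def apply_filter(filter_profile, logs):
    """Return the logs that survive one filter profile.

    exclude:      drop every log from the selected devices that matches.
    collect_only: drop every log from the selected devices that does not match.
    Logs from devices outside the profile are untouched (assumed scoping rule).
    """
    kept = []
    for log in logs:
        if log["device"] not in filter_profile["devices"]:
            kept.append(log)
            continue
        hit = criteria_match(filter_profile["groups"], filter_profile["link"], log)
        if filter_profile["action"] == "exclude" and hit:
            continue
        if filter_profile["action"] == "collect_only" and not hit:
            continue
        kept.append(log)
    return kept


def apply_filters(profiles, logs):
    """A filter performs only one action, so collect-only and exclude for the same
    devices are separate profiles applied one after the other."""
    for profile in profiles:
        logs = apply_filter(profile, logs)
    return logs


def event_ids(logs):
    return [(log["device"], log["event_id"]) for log in logs]


# Constructed sample events (Windows security log, reduced to a few fields).
SAMPLE_LOGS = [
    {"device": "DC01", "event_id": 4624, "user": "svc-backup", "logon_type": 3},
    {"device": "DC01", "event_id": 4625, "user": "alice", "logon_type": 10},
    {"device": "DC01", "event_id": 4740, "user": "alice"},
    {"device": "FS01", "event_id": 4624, "user": "bob", "logon_type": 2},
]

# Exclude network logons: successful logon (4624) AND logon type 3 must both hold.
# Switching link to "OR" would instead drop every 4624 and every type-3 event.
NOISE_FILTER = {
    "action": "exclude", "devices": {"DC01", "FS01"}, "link": "AND",
    "groups": [[("event_id", "equals", 4624)], [("logon_type", "equals", 3)]],
}

# Collect only failed logons OR account lockouts from the domain controller.
FAILURE_FILTER = {
    "action": "collect_only", "devices": {"DC01"}, "link": "OR",
    "groups": [[("event_id", "equals", 4625)], [("event_id", "equals", 4740)]],
}

if __name__ == "__main__":
    print("exclude, AND:", event_ids(apply_filter(NOISE_FILTER, SAMPLE_LOGS)))
    print("exclude, OR: ", event_ids(apply_filter(dict(NOISE_FILTER, link="OR"), SAMPLE_LOGS)))
    print("collect only:", event_ids(apply_filter(FAILURE_FILTER, SAMPLE_LOGS)))
```

With the groups linked by AND only the service account's network logon is dropped; linked by OR, bob's interactive logon on FS01 disappears too, which is the kind of over-broad exclusion to watch for when reviewing filter profiles, since excluded logs are never collected and cannot be recovered later.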
Device Down
To configure alerts that notify users about devices that have stopped sending logs:
In the Settings tab, navigate to Admin Settings > Log Collection Failure Alerts > Device Down Alert.
If the alert is not enabled by default, click the toggle button to enable it.
Select the device(s) or device group(s) for which alerts are to be generated when a device goes down.
Select the time interval (minutes, hours, days) at which you want to be notified via email.
In the Subject box, enter the subject of the email that will be sent to users.
In the Email Address box, enter the email IDs of the users to whom the alert emails should be sent.
Click Submit to complete configuring log collection failure alerts.
A source that silently stops sending logs looks the same whether a forwarder broke or someone disabled auditing on the
host, so keep this alert enabled for every critical device.
To create a report profile, refer to the procedure given in the "How to create custom reports" section.
3. To edit the report profile, select the respective report profile's edit icon.
My Reports
In the My Reports table, the entire user created report profiles are displayed with the name of the profile, devices assigned
to the profile, last scheduled report, and provision to add a new schedule to this profile.
2. Alternatively, use the Browse button to find the file and its location.
Schedule
When a report profile is created, an optional scheduler is created for automatic, periodic report generation and distribution.
A report profile can also be created without a scheduler by choosing the option to generate the report "Only once". For an
unscheduled report profile, a scheduler can be created later. If the report profile is already scheduled, a new scheduler can
be created for that profile, superseding the previous scheduler.
To create a scheduler for a report profile, use the following menu option:
Settings tab > Admin Settings > Report Profiles > Schedule: Add
5. Select the time period (Hourly, Daily, Weekly, Monthly or Only once) at which the report should be generated.
Schedules
In the Schedules table, all the schedules created are displayed with the name of the schedule, report profile associated to
the schedule, type of the schedule, and details of the reports generated as per schedule. The enable/disable option, edit
option, delete option are also available in the Schedules table.
Settings > Admin Settings > Resource Grouping: User Groups / Remote Device Groups.
2. Add the required users/devices to the group. You can use the search option to easily search for a particular
user/device.
To edit a field, select the field and click on the edit icon.
Use the text box to edit the field and use the save icon to save the changes or the x icon to discard.
You can delete a field by clicking the x icon next to the field.
You can also delete the log type by clicking the x icon next to the Log Type option.
To view, create, edit, or delete dashboard profiles, navigate to Settings > Admin Settings > Dashboard Profiles. You can see
a list of existing dashboard profiles.
Select the Default icon corresponding to the dashboard profile of your choice.
In the pop-up box that appears, click OK.
System Settings
Carry out the necessary configurations required for setting up EventLog Analyzer.
Notification Settings
Manage Account TFA
NT Service
Connection Settings
Rebranding
Server Diagnostics
Database Access
Reset Log Collector
Log Level Settings
Port Management
Email Settings
To configure or change email settings,
Navigate to Settings > System Settings > Notification Settings > Mail Settings.
1. Enter the name of the outgoing mail server that EventLog Analyzer should use.
3. Select Authentication Required if the mail server requires SMTP authentication.
4. Enter the username and password of the mail server account that EventLog Analyzer will use.
5. To ensure that mail communication is secure, select TLS or SSL in Use Secure Connection. Without it, the credentials
entered above and the contents of every alert and report travel in clear text.
6. In Sender Address, enter the email address that should appear as the sender of reports and alert notifications.
7. Click Send Test Email to verify that the mail server settings are correct and the email addresses are valid.
If the email server is not configured here, EventLog Analyzer prompts you to configure email settings in the report profile
and alert profile creation UI.
SMS Settings
To configure or change SMS settings,
Navigate to Settings > System Settings > Notification Settings > SMS Settings.
For sending SMS alerts, you can configure EventLog Analyzer to use a GSM modem or a custom SMS gateway of
your own.
3. In Modem Port Number, enter the hardware port of the EventLog Analyzer server machine to which the SMS
5. If the SMS settings are not configured here, EventLog Analyzer prompts you to configure SMS settings at the Alert
The modem/mobile must have GSM functionality with a provision to insert a SIM card.
It should support 7-bit (GSM default alphabet), 8-bit, and Unicode (UCS2) encoding.
Ensure that the GSM modem configured with EventLog Analyzer is not used by any other application.
If you experience any issue in sending SMS notifications through the GSM modem, restart EventLog
Analyzer and try again.
Matching these criteria will allow EventLog Analyzer to support your modem/mobile phone.
You can configure your own custom SMS gateway, provided the gateway is based on HTTP, SMTP or SMPP.
Navigate to Settings > System Settings > Notification Settings > SMS Settings.
In the SMS Provider drop-down field, select SMS Service Provider.
In the Service Type drop-down field, select HTTP.
In the HTTP(S) Method field, select whether you want to use the Post or Get method for sending SMS.
In the HTTP(S) URL field, enter the URL of your SMS gateway provider. Prefer an https:// URL, since the parameters
below carry your API credentials.
In the HTTP(S) Parameters field, enter the HTTP parameters specific to your SMS provider, for example:
userName=xxx&password=yyy&mobileNumber=%mobNo%&message=%message%
where
userName = the parameter used to denote the API authentication username
xxx = the API authentication username
password = the parameter used to denote the API authentication password
yyy = the API authentication password
mobileNumber = the recipient parameter
%mobNo% = a macro that EventLog Analyzer replaces with the user's mobile number
message = the message parameter
%message% = a macro that EventLog Analyzer replaces with the SMS message content
More HTTP Parameters - If your SMS provider requires more parameters, such as unicode or apiID, include them as well,
separated by the '&' sign.
Specify the response you get from your provider to determine the success of sending the SMS.
Click Advanced Settings and enter the HTTP request headers specific to your SMS provider.
Select the check box Convert Message into Unicode to send SMS in Unicode format.
Click Save Settings to complete the configuration.
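To show what the macro expansion turns into on the wire, the following Python builds the request that an HTTP SMS gateway configuration describes: it substitutes %mobNo% and %message% into the parameter template, percent-encodes every value, and packages the result as a GET or POST with any extra headers. It is an added example, not EventLog Analyzer's code; the gateway URL, parameter names, header and success string are constructed placeholders and the alert text is made up. The step worth noticing is the encoding: an alert message containing '&' or '=' would otherwise add or overwrite parameters in the request.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen


def expand_parameters(template, mobile_number, message):
    """Turn 'userName=xxx&password=yyy&mobileNumber=%mobNo%&message=%message%'
    into a list of (name, value) pairs with the two macros substituted.
    Values are returned raw; encoding happens in build_request."""
    pairs = []
    for part in template.split("&"):
        name, _, value = part.partition("=")
        value = value.replace("%mobNo%", mobile_number).replace("%message%", message)
        pairs.append((name, value))
    return pairs


def build_request(url, method, template, mobile_number, message, headers=None):
    """Assemble the GET or POST request for the provider.

    urlencode percent-encodes every value, so '&', '=', '+' or '#' in an alert
    message stay inside the message parameter instead of being parsed by the
    gateway as additional parameters."""
    body = urlencode(expand_parameters(template, mobile_number, message))
    headers = dict(headers or {})  # provider-specific headers from Advanced Settings
    if method.upper() == "GET":
        parts = urlsplit(url)
        return Request(urlunsplit(parts._replace(query=body)), method="GET", headers=headers)
    headers.setdefault("Content-Type", "application/x-www-form-urlencoded")
    return Request(url, data=body.encode("utf-8"), method="POST", headers=headers)


def response_indicates_success(response_body, success_marker):
    """The provider's reply must contain the string configured as the success response."""
    return success_marker in response_body


def send_sms(request, success_marker, timeout=10):
    """Perform the request (not exercised offline) and judge the reply."""
    with urlopen(request, timeout=timeout) as response:  # assumes an https:// gateway URL
        return response_indicates_success(response.read().decode("utf-8", "replace"), success_marker)


# Constructed placeholders; replace them with your provider's values.
GATEWAY_URL = "https://sms.example.invalid/api/send"
PARAMETER_TEMPLATE = "userName=xxx&password=yyy&mobileNumber=%mobNo%&message=%message%"
SUCCESS_MARKER = "status=0"

if __name__ == "__main__":
    alert = "EventLog Analyzer: disk free=2GB & falling"
    for method in ("GET", "POST"):
        req = build_request(GATEWAY_URL, method, PARAMETER_TEMPLATE, "+15551234567", alert,
                            headers={"X-Api-Id": "demo"})
        print(method, req.full_url, req.data)
```

With GET, the credentials end up in the query string of the URL, which web proxies and the provider's access logs will record; POST keeps them in the request body, and TLS is what keeps either out of the hands of anyone on the path.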
Navigate to Settings > System Settings > Notification Settings > SMS Settings.
In the SMS Provider drop-down field, select SMS Service Provider.
In the Service Type drop-down field, select SMTP.
In the From Address field, enter an email address from which you want to send the SMS. For example,
[email protected]
In the To Address field, enter the %mobNo% macro followed by the email of your provider. For example:
%mobNo%@clickatell.com. Refer to your SMS provider to know the exact values.
In the Subject field, enter either the mobile number or message, which is based on your SMS provider.
In the Content field, enter appropriate data, which varies based on the SMS provider.
In the SMTP Server/Port field, enter the name or IP address of the SMTP Server and its port number.
Enter appropriate credentials for the SMTP server in the Username and Password fields.
Click Save Settings to complete configuration.
Navigate to Settings > System Settings > Notification Settings > SMS Settings.
In the SMS Provider drop-down field, select SMS Service Provider.
In the Service Type drop-down field, select SMPP.
In the SMPP Server/Port field, enter the name or IP address of the SMPP server and its port number.
Enter the appropriate credentials for the SMPP server in the Username and Password fields.
Click Advanced Settings and, in the SMPP Source Address field, enter the appropriate source address (the originating
number or sender ID assigned by your provider).
Select the type of number (TON) and numbering plan indicator (NPI) of the source address.
Select the type of number (TON) and numbering plan indicator (NPI) of the destination address.
Click Save Settings to complete the configuration.
To manage the two-factor authentication settings of the logged in user account, click the profile icon on the top right
corner and select My Account.
You get a screen with three tabs: Personalize, Two-factor Authentication, and Change Password.
Personalize
In this tab, you can change the email ID of your account and the language of the product.
Two-factor Authentication
In this tab, you can change the two-factor authentication settings of your account. For that, you would first need to
authenticate using the existing two-factor authentication mechanism.
To view the already-generated backup verification codes or to generate new ones, click Manage Backup Verification
Codes.
In the pop-up box that appears, you can see a list of backup verification codes. If all of the previously generated codes have
been used up, you can generate a new set by clicking Generate New Codes. Once new codes have been generated, it is
advisable to back them up by downloading the list, printing it, or emailing it.
Change Password
In this tab, you can change the password of your account.
Note: Skipping this step may cause authentication issues during the collection of event logs. It is advisable to
provide the credentials when prompted.
2. SSL Port Number: Specify the port for HTTPS connections. EventLog Analyzer also provides a tool to
Note: The HTTP and HTTPS port numbers should be different from each other.
3. Keystore Password: If you require the keystore password to be encrypted, enable this option and provide the
required password.
4. Session Expiry Time: Specify the maximum duration for which a session of EventLog Analyzer can stay idle,
Settings tab > System Settings > Connection Settings > SSL Certification Tool
The SSL Certification Tool page appears as follows:
Enter the details required for the certificate as indicated by the fields on the left.
Click "Generate CSR" to generate the .csr file, which can be submitted to your CA.
Click "Apply Selfsigned Certificate" to apply a self-signed certificate in the product. A self-signed certificate encrypts the
connection but cannot be validated by browsers, so users see certificate warnings and cannot distinguish the real console
from an impostor; use it only until a CA-signed certificate is available.
Follow the instructions on the right to complete your SSL certification process.
If you wish to manually configure the SSL settings, refer to this page for the procedure.
Proxy Settings
Navigate to Settings > System Settings > Connection Settings > Proxy Settings.
Customize Images
Replace the default images with your company/enterprise images. The table lists, for each item: Client Logos & Images,
Where it is used, Image Size & Thumbnail, and New Image.
Customize Strings/Links
Replace the default strings/links with your company/enterprise strings/links.
Note:
You can customize ZohoCorp/ManageEngine images/links as per your requirement.
Customization takes effect only for the changed images/links; otherwise the default images/links are retained.
The new image should be the same size as the default image.
Only images with the following file extensions are permitted: .jpg, .jpeg and .png
In this screen, the details of the EventLog Analyzer server machine are displayed.
The details of Java Virtual Machine (JVM) Memory Information, System Information of the machine, Installation
Information and License Information of EventLog Analyzer application are displayed.
Note:
Only 'read queries' can be executed.
Create, Alter, Insert queries cannot be executed.
Table and Column names are case sensitive.
Even read-only access exposes every collected log and configuration row, so grant this console only to administrators who
need it.
Note: The Reset LogCollector is used for troubleshooting EventLog Analyzer. This provision is used for running
EventLog Analyzer in the debug mode. Please contact [email protected] before re-setting
log collector.
Note that
Syslog Ports
3. In the pop-up box that appears, enter the appropriate port number.
5. Click Add.
6. To disable a Syslog port, click corresponding to the port you want to disable.
7. To enable a Syslog port, click corresponding to the port you want to enable.
2. In the pop-up box that appears, enter the desired port number.
3. Click Update.
2. When a device which has not been added to EventLog Analyzer starts sending SNMP traps to the product,
it would automatically be listed under Other Devices in Settings > Configuration > Manage Devices.
The log files are located in the <EventLogAnalyzer_Home>/logs directory. Typically, when you run into a problem, you
will be asked to send the serverout.txt file from this directory to EventLog Analyzer Support.
The log files are located in the <EventLogAnalyzer_Home>/server/default/log directory. Typically, when you run into
a problem, you will be asked to send the serverout.txt file from this directory to EventLog Analyzer Support.
I find that EventLog Analyzer keeps crashing or all of a sudden stops collecting logs. What could be the reason?
The inbuilt PostgreSQL/MySQL database of EventLog Analyzer can get corrupted if other processes access its
directories at the same time. So exclude the ManageEngine installation folder from:
Anti-virus scans
Automatic backup software
Snapshots in the case of VMware installations
Ensure that no snapshots are taken while the product is running on a VM.
How to create a SIF (Support Information File) and send it to ManageEngine when you are not able to do so from the
web client?
The SIF helps us analyze the issue you have come across and propose a solution for it.
If you are unable to create a SIF from the web client UI:
You can zip the files under the 'logs' folder, located in C:/ManageEngine/Eventlog/logs (default path), and upload the zip
file to the following upload link: http://bonitas.zohocorp.com/upload/index.jsp?to=eventloganalyzer-
[email protected]
You can zip the files under the 'log' folder, located in C:/ManageEngine/Eventlog/server/default/log (default path), and
upload the zip file to the following upload link: http://bonitas.zohocorp.com/upload/index.jsp?to=eventloganalyzer-
[email protected]
Server logs can contain hostnames, usernames and configuration details, so review the archive before uploading it.
How to register a DLL when message files for event sources are unavailable?
To register a DLL, follow the procedure given in the link below: http://ss64.com/nt/regsvr32.html
Installation
Case 1: Your system date is set to a future or past date. In this case, uninstall EventLog Analyzer, reset the
system date to the current date and time, and re-install EventLog Analyzer.
Case 2: You may have provided an incorrect or corrupted license file. Verify that you have applied the license file
obtained from ZOHO Corp. If neither is the reason, or you are still getting this error, contact
[email protected]
To bind the EventLog Analyzer server to a specific interface, follow the procedure given below. Binding to one address keeps
the web console, the database and the collector off interfaces that do not need to reach them.
Before proceeding further, stop the EventLog Analyzer service and make sure that 'SysEvtCol.exe', 'Postgres.exe' and
'java.exe' are not running.
Assume xxx.xxx.xxx.xxx is the IP address you wish to bind EventLog Analyzer to. Edit the following files.
File 1)
<ELA home>\bin\setCommonEnv.bat
File 2)
<ELA home>\bin\runSEC.bat
File 3)
<ELA home>\server\conf\wrapper.conf
wrapper.app.parameter.1=com.adventnet.mfw.Starter
#wrapper.app.parameter.2=-L../lib/AdventNetDeploymentSystem.jar
wrapper.app.parameter.2=-b xxx.xxx.xxx.xxx
wrapper.app.parameter.3=-Dspecific.bind.address=xxx.xxx.xxx.xxx
File 4)
<ELA home>\conf\server.xml
File 5)
<ELA home>\conf\database_params.conf
Change
url=jdbc:postgresql://localdevice:33336/eventlog?stringtype=unspecified
to
url=jdbc:postgresql://<binding IP address>:33336/eventlog?stringtype=unspecified
File 6)
<ELA home>\pgsql\data\postgresql.conf
Change the connection settings under
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
to
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
File 7)
<ELA home>\pgsql\data\pg_hba.conf
Open the pg_hba.conf file under the <EventLog Analyzer Home>\pgsql\data directory and add the line
Start EventLog Analyzer and check <ELA home>\logs\wrapper.log for the current status.
Solution: Shut down all instances of MySQL and then start the EventLog Analyzer server.
Solution: Kill the other application running on port 33335. If you cannot free this port, change the MySQL port
used in EventLog Analyzer.
Probable cause: The default web server port used by EventLog Analyzer is not free.
Solution: Kill the other application running on port 8400. Then add the following line to <ELA home>\server\conf\wrapper.conf,
using the next free index after the last existing wrapper.java.additional entry (the indices must be consecutive):
wrapper.java.additional.21=-Djava.net.preferIPv4Stack=true
Before adding:
wrapper.java.additional.20=-Dorg.tanukisoftware.wrapper.WrapperManager.mbean=false
After adding:
wrapper.java.additional.20=-Dorg.tanukisoftware.wrapper.WrapperManager.mbean=false
wrapper.java.additional.21=-Djava.net.preferIPv4Stack=true
If you cannot free this port, then change the web server port used in EventLog Analyzer.
EventLog Analyzer displays "Can't Bind to Port <Port Number>" when logging into the UI.
Check for the process that is occupying the syslog listener port using netstat (for example, netstat -anup on Linux or
netstat -ano -p udp on Windows), and if possible free up this port.
If you have started the server on a UNIX machine, ensure that you start the server as the root user; the default syslog port
514 is below 1024 and cannot be bound by an unprivileged user.
Alternatively, configure EventLog Analyzer to listen on a different syslog listener port and ensure that all your configured
devices send their syslog to the newly configured syslog listener port of EventLog Analyzer.
Solution:
Download "Automated.zip" and extract the files "startELAservice.bat" and "stopELAservice.bat" to the <ELA
home>\bin folder.
Create a Windows scheduled task as per your requirement and ensure that its working directory is the <ELA Home>\bin
folder.
If you would like to keep the files in a different folder, edit the downloaded files and give the absolute path as below
(for example, if the application is installed on e:\):
e:\ManageEngine\EventLog\bin\wrapper.exe -p ..\server\conf\wrapper.conf ---> stops the EventLog
Analyzer service.
e:\ManageEngine\EventLog\bin\wrapper.exe -t ..\server\conf\wrapper.conf ---> starts the EventLog
Analyzer service.
Solution: To disable requiretty, replace requiretty with !requiretty in the /etc/sudoers file. Edit the file with visudo so
that a syntax error cannot lock you out of sudo.
Note: Elasticsearch uses multiple thread pools for different types of operations, so it must be able to create new threads
whenever necessary. Make sure that the number of threads the elasticsearch user can create is at least 4096, either by
running ulimit -u 4096 as root before starting Elasticsearch or by adding the line elasticsearch - nproc 4096 to
/etc/security/limits.conf.
Configuration
While adding a device for monitoring, the 'Verify Login' action throws an RPC server unavailable error
Probable cause: The device machine is not reachable from the EventLog Analyzer machine.
Solution: Check the network connectivity between the device machine and the EventLog Analyzer machine using the PING
command.
Probable cause: The device machine is running the Windows Firewall and the REMOTEADMIN service is disabled.
Solution: Check whether the Windows Firewall is running on the device. If it is, execute the following
command in the command prompt window of the device machine:
netsh firewall set service type=REMOTEADMIN mode=ENABLE profile=all
Note: The netsh firewall context is deprecated from Windows Vista and Windows Server 2008 onwards; on those systems,
enable the "Remote Administration" rule group in the netsh advfirewall firewall context (or in Windows Firewall with
Advanced Security) instead. Either way this opens the RPC and WMI ports used for remote administration, so restrict the
rule's remote address scope to the EventLog Analyzer server.
When the WBEM test is carried out, it fails and shows an error message with code 80041010 on Windows Server 2003.
Probable cause: By default, the WMI Windows Installer Provider (which supplies the Win32_Product class) is not installed on
Windows Server 2003.
Solution: To add the class, follow the procedure given below:
1. Open Add or Remove Programs in Control Panel and click Add/Remove Windows Components.
2. In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.
3. In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and then click OK.
4. Click Next.
Probable cause: The object access log is not enabled in Linux OS.
server_args = -i -o -L
Solution: In Solaris 10, the commands to stop and start the syslogd daemon are:
In Solaris 10, to restart the syslogd daemon and force it to reread /etc/syslog.conf:
(or)
While configuring incident management with ServiceDesk, I am facing an SSL Connection error.
This error can occur if the ServiceDesk server's HTTPS certificate is not included in EventLog Analyzer's JRE
certificate store. To import the certificate into EventLog Analyzer's JRE certificate store, follow the steps below:
1. Place the server's certificate in your browser's certificate store by allowing trust when your browser throws up
For Firefox, you can find this under Preferences > Advanced > Encryption > Servers
For IE, Internet Options > Content > Certificates > Personal > Export
For Chrome, Settings > Show Advanced Settings > Manage Certificates
3. Use the keytool utility to import the certificate into EventLog Analyzer's JRE certificate store (quote the keystore
path if it contains spaces):
keytool -import -alias sdp-server -keystore "<EventLog Analyzer Home>/lib/security/cacerts" -file <path-to-certificate-file>
Enter the keystore password. Note that the default password is changeit. Restart EventLog Analyzer afterwards, since the
JVM reads the trust store only at startup. Import the ServiceDesk server's own certificate or your internal CA's certificate,
not whatever a browser happened to accept, so that EventLog Analyzer keeps verifying the host it sends incidents to.
The following are some of the common errors, their causes and the possible solutions to resolve the condition. Feel free
to contact our support team for any information.
Cause: Cannot use the specified port because it is already used by some other application.
Solution: This can be solved either by changing the port in the specified application or by using a new port.
If you use a new port, make sure to change the ports in the forwarding device either manually or using auto log
forwarding configuration.
Solution: Configure the server to use either a self-signed certificate or a valid PFX certificate.
Solution 2: If a valid KeyStore certificate is used, execute the following command in a terminal opened at <EventLog Analyzer
home>/jre/bin.
External error
Cause: The audit daemon service is not present on the selected Linux device.
Cause: The agent is installed on a host that has neither a Linux nor a Windows OS.
Solution: Supported Linux distributions are CentOS, Debian, Fedora, openSUSE, Red Hat, and Ubuntu. Windows versions
later than 5.2 (Windows Server 2003) are supported.
Probable cause: The device machine is not reachable from the EventLog Analyzer server machine
Solution: Check if the device machine responds to a ping command. If it does not, then the machine is not reachable.
The device machine has to be reachable from the EventLog Analyzer server in order to collect event logs.
Probable cause: You do not have administrative rights on the device machine
Solution: Edit the device's details, and enter the Administrator login credentials of the device machine. Click Verify
Login to see if the login was successful.
Probable cause: The device was added when importing application logs associated with it. In this case, only the
specified application logs are collected from the device, and the device type is listed as unknown.
Solution:
3. Provide any other required information for the selected device type.
4. Click on update.
I get an Access Denied error for a device when I click on "Verify Login" but I have given the correct login
credentials
Probable cause: There may be other reasons for the Access Denied error.
Solution: Refer to the Cause and Solution for the error code you got during Verify Login.
Check if Remote DCOM is enabled on the remote workstation. If it is not enabled, enable it in the
following way:
5. Click OK.
6. Click OK.
Check if the user account is valid in the target machine by opening a command prompt and executing the following
commands:
If these commands show any errors, the provided user account is not valid on the target machine.
Solution: Add the user to the Administrators group of the workstation or scan the machine using an administrator
(preferably a Domain Administrator) account. Since EventLog Analyzer stores these credentials, dedicate the account to log
collection and restrict where it may log on rather than reusing a general-purpose administrative account.
A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2), when the
default Windows firewall is enabled.
Solution:
Click OK
2. If the firewall cannot be disabled, launch Remote Administration for administrators on the remote machine by
After scanning, you can disable Remote Administration using the following command:
also occur in higher versions of Windows if the WMI Components are not registered properly.
Solution: Install WMI core in the remote workstation.
Solution: Register the WMI DLL files by executing the following command in the command prompt: winmgmt
/RegServer
Solution:
Restart the WMI Service in the remote workstation:
3. In the Services window that opens, select Windows Management Instrumentation service.
For any other error codes, refer to the MSDN knowledge base.
Probable cause: The alert criteria have not been defined properly.
Solution: Ensure that the required fields in the Add Alert Profile screen have been filled in properly. Check that the
e-mail address provided is correct and that the mail server has been configured correctly.
When I create a Custom Report, I am not getting the report with the configured message in the Message Filter
Probable cause: The message filters have not been defined properly
Solution:When you are entering the string in the Message Filters for matching with the log message, ensure you
copy/enter the exact string as shown in the Windows Event Viewer.
e.g., Logon Name:John
Stop the EventLog Analyzer server/service (check the Task Manager on the EventLog Analyzer server machine to
ensure that the processes 'SysEvtCol.exe' and 'java.exe' are not running).
Connect with an MS SQL client (using Microsoft SQL Server Management Studio) and execute the query below:
sp_dboption 'eventlog', 'trunc. log on chkpt.', 'true'
To execute the query, select and highlight the above command and press the F5 key.
After executing the above command, select and highlight the command below and press the F5 key to execute it.
DBCC SHRINKDATABASE (eventlog)
Note: This process will take some time, depending on the EventLog Analyzer database size.
Start EventLog Analyzer.
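The same log-shrink maintenance written in syntax that SQL Server 2012 and later accept, as an added example that is not from this guide: sp_dboption was removed in SQL Server 2012, and its 'trunc. log on chkpt.' option corresponds to the SIMPLE recovery model. It assumes the database is named eventlog as above, and the 1024 MB shrink target is an arbitrary placeholder.

```sql
-- Added example, not from the EventLog Analyzer guide. Run with the
-- EventLog Analyzer server/service stopped, as in the steps above.
USE master;
GO
-- 'trunc. log on chkpt.' = SIMPLE recovery: the transaction log is
-- truncated at every checkpoint instead of growing until a log backup.
-- Look at the current recovery model and why the log is not being reused.
SELECT name, recovery_model_desc, log_reuse_wait_desc
FROM sys.databases
WHERE name = N'eventlog';
GO
-- Switch to SIMPLE. Point-in-time restore of 'eventlog' is no longer
-- possible afterwards, so take a full backup first if you rely on log
-- backups (the product's zipped archive of raw logs is separate from the DB).
ALTER DATABASE eventlog SET RECOVERY SIMPLE WITH NO_WAIT;
GO
USE eventlog;
GO
-- Force a checkpoint so the now-reusable log space is actually released.
CHECKPOINT;
GO
-- Shrink only the log file. DBCC SHRINKDATABASE (as in the guide) also
-- compacts the data file, which fragments indexes and slows reporting.
DECLARE @logname sysname;
SELECT @logname = name FROM sys.database_files WHERE type_desc = N'LOG';
DBCC SHRINKFILE (@logname, 1024);   -- target size in MB (placeholder value)
GO
-- Verify: 'size' is in 8 KB pages, so divide by 128 to get MB.
SELECT name, type_desc, size / 128 AS size_mb
FROM sys.database_files;
GO
```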
If the Oracle device is a Windows machine, open the Event Viewer on that machine and check for Oracle source logs under
the Application log. If it is a Linux machine, check the log file to which you are writing the Oracle logs. If the Oracle logs
are present in the specified file but EventLog Analyzer is still not collecting them, contact EventLog Analyzer Support.
The user name provided for scanning does not have sufficient access privileges to perform the scanning
operation. This user probably does not belong to the Administrator group on the device.
Check EventLog Analyzer's live Syslog Viewer for incoming Syslog packets.
If you are able to view the logs, it means that the packets are reaching the machine, but not to EventLog Analyzer.
You need to check your Windows firewall or Linux iptables rules.
If you are not able to view the logs in the Syslog viewer, then check if the EventLog Analyzer server is reachable. This
can be done in the following ways:
2. For TCP, you can try the command telnet <ela_server_name> <port_no> where 514 is the default TCP port.
3. tcpdump
If reachable, it means there was some issue with the configuration. If not reachable, then you are facing a network
issue.
Performance
For troubleshooting, please follow the steps below:
1. Check whether other applications are consuming the CPU cycles needed by EventLog Analyzer.
2. If a virtual machine is used, check for over-provisioning or whether snapshots are affecting performance.
3. If the log flow rate is high, please check our tuning guide.
This error message pops up when the feature you tried to use is not available in the online demo version of EventLog
Analyzer. To try out that feature, download the free version of EventLog Analyzer.
This error message can have several causes. It might be due to network issues, proxy-related issues, bad requests
in the network, or a URL that does not point to a STIX/TAXII server.
Authorization failed.
This error message signifies that the credentials entered are wrong.
Description:
This error occurs when the common name of the SSL Certificate doesn't exactly match the hostname of the server in
which the EventLog Analyzer is installed.
Solution:
Please get a new SSL certificate for the current hostname of the server in which EventLog Analyzer is installed.
Invalid Certificate
Description:
This error occurs when the SSL certificate you have configured with EventLog Analyzer is invalid. A certificate can
become invalid because it has expired, or for other reasons.
Solution:
SMS Settings
Description:
This exception occurs when you configure an SMTP mail server or a web server with SSL in EventLog Analyzer, and
the server uses a self-signed certificate. The Java Runtime Environment used by EventLog Analyzer will not trust
self-signed certificates unless they are explicitly imported.
Solution:
You need to import the self-signed certificate used by the server into the JRE package used by EventLog Analyzer.
Follow the steps given below:
Note:
To download the certificate used by SMTP server, you must have OpenSSL installed. You can
download it from here.
Open the command prompt and change to the bin folder in the OpenSSL installed location.
Now run the following command,
> openssl.exe s_client -connect SMTPServer:Portno -starttls smtp > certificatename.cer
For example: openssl.exe s_client -connect smtp.gmail.com:587 -starttls smtp > gmailcert.cer
For example: keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file C:\smtpcert.cer
Enter changeit when prompted for a password.
Enter y when prompted Yes or No.
Close the command prompt and restart EventLog Analyzer.
This may happen when the product shuts down while the data store is updating and no backup is available.
Troubleshooting steps:
This is a rare scenario and it happens only when the product shuts down abruptly during the first ever download
of IP geolocation data.
No troubleshooting is needed, as EventLog Analyzer will automatically download the data at the next scheduled
run. Please note that the IP geolocation data is automatically updated daily at 21:00 hours.
This occurs when there is no internet connection on the EventLog Analyzer server, or when the server is unreachable.
Troubleshooting steps:
The Free Edition of EventLog Analyzer is limited to handling event logs from a maximum of five devices, whereas the
Professional Edition can handle event logs from an unlimited number of devices. There is no other difference
between the two editions, with respect to features or functionality.
Yes, a 30-day free trial version can be downloaded here. At the end of 30 days it automatically becomes a Free
Edition, unless a new license is applied.
The trial version is a fully functional version of EventLog Analyzer Premium Edition. When the trial period expires,
EventLog Analyzer automatically reverts to the Free Edition.
No, you do not have to reinstall or shut down the server. You just need to enter the new license file in the Upgrade
License box.
This depends on the platform on which EventLog Analyzer is installed. If installed on a Windows machine, EventLog
Analyzer can collect event logs or syslogs from Windows and Unix devices, Cisco Switches and Routers, and other
syslog devices. If installed on a Unix machine, EventLog Analyzer can collect syslogs only from Unix devices, Cisco
Switches and Routers, and other syslog devices.
This depends only on the capacity of the server on which EventLog Analyzer is installed. The EventLog Analyzer
license does not limit the number of users accessing the application at any time.
EventLog Analyzer runs in a web browser. Does that mean I can access it from anywhere?
Yes. As long as the web browser can access the server on which EventLog Analyzer is running, you can work with
EventLog Analyzer from any location.
You can buy EventLog Analyzer directly from the ManageEngine Online Store, or from a reseller near your location.
No. EventLog Analyzer cannot work if DCOM is disabled on remote systems. DCOM must be enabled on the remote
Windows servers for the logs to be collected and shown in EventLog Analyzer.
To monitor Windows events with an EventLog Analyzer Linux installation, you need to convert the Windows event
messages into syslog messages. A separate tool is required to do the conversion.
Installation
What are the recommended minimum system requirements for EventLog Analyzer?
It is recommended that you install EventLog Analyzer on a machine with the following configuration:
2. RAM - 2GB
Look up System Requirements to see the minimum configuration required to install and run EventLog Analyzer.
EventLog Analyzer can be started as a root user, but all file permissions will be changed, and later you cannot start
the server as another user.
When I try to access the web client, another web server comes up. How is this possible?
The web server port you have selected during installation is possibly being used by another application. Configure
that application to use another port, or change the EventLog Analyzer web server port.
The archiving feature in EventLog Analyzer automatically stores all logs received in zipped flat files. You can
configure archiving settings to suit the needs of your enterprise. Apart from that, if you need to back up the database,
which contains processed data from event logs, you can run the database backup utility, BackupDB.bat/.sh, present in
the <EventLog Analyzer Home>/troubleshooting directory.
MSSQL database
Find the current location of the data file and log file for the database 'eventlog' by using the following commands:
sp_helpfile
go
sp_detach_db 'eventlog'
go
Back up the data file and log file from the current location (<MSSQL Home>\data\eventlog.mdf and <MSSQL
Home>\data\eventlog_log.ldf) by zipping and saving the files.
To take a backup of the existing EventLog Analyzer MySQL database, ensure that the EventLog Analyzer server or
service is stopped and create a ZIP file of the contents of <EventLog Analyzer Home>/mysql directory and save it.
Normally, the EventLog Analyzer is installed as a service. If you have installed it as an application and not as a service,
you can configure it as a service any time later. The procedure to configure as service, start and stop the service is
given below.
2. Execute the following command in the command prompt window in the <EventLog Analyzer Home>\bin
directory.
Normally, EventLog Analyzer is installed as a service. If you have installed it as an application and not as a service,
you can configure it as a service at any time later. The procedure to configure it as a service, and to start and stop the
service, is given below.
> sh configureAsService.sh -i
Configuration
How do I add devices to EventLog Analyzer so that it can start collecting event logs?
For Windows devices, enter the device name and the authentication details, and then add the device. For Unix
devices, enter the device name and the port number of the syslog service, and then add the device. (Ensure that the
syslog service is running, and that it is using the same port number specified here.)
How do I see session information of all users registered to log in to EventLog Analyzer?
The session information for each user can be accessed from the User Management link. Click the View link under
Login Details against each user to view the active session information and session history for that user.
Please follow the below steps to move an existing EventLog Analyzer server to a new machine/server.
2. Ensure that the processes 'java.exe', 'postgres.exe' and 'SysEvtCol.exe' are not running in the Task Manager;
kill these processes manually if any of them are still running.
3. As a precautionary measure, copy the following complete folders (including the files and sub-folders) to another
drive or to a mapped network drive. This will help restore the settings and data in case of any issue with the
new machine installation.
4. Download and install the latest build of EventLog Analyzer on the new machine/server from the following
link: https://www.manageengine.com/products/eventlog/download.html
6. In the newly installed EventLog Analyzer machine/server, rename the folder pgsql located under <EventLog
Analyzer Home> as old_pgsql.
7. Copy the pgsql folder (including the files and sub-folders), which is located under <EventLog Analyzer Home> ,
from the old machine/server to the newly installed Eventlog Analyzer machine/server.
Note: Kindly take extra care that the EventLog Analyzer is not running on both the systems while performing
this operation.
8. Start the EventLog Analyzer on the new machine and check whether the data and configurations are intact.
MSSQL database
2. Download and install the latest build of EventLog Analyzer on the new server using the following link:
https://www.manageengine.com/products/eventlog/download.html
3. Once you have installed the application on the new machine, make sure that you do not start it, or shut down
EventLog Analyzer if it has been started.
4. Configure the MSSQL server credentials of the earlier EventLog Analyzer server installation as explained
in the Configuring MSSQL Database topic.
5. Start the EventLog Analyzer server/service on the new machine and check whether the data and the
configurations are intact.
6. In case of any issues while performing the above steps, do not continue any further; contact
[email protected] for assistance.
2. Ensure that the processes 'java.exe', 'mysqld-nt.exe' and 'SysEvtCol.exe' are not running in the Task Manager;
kill these processes manually if any of them are still running.
3. As a precautionary measure, copy the following complete folders (including the files and sub-folders) to another
drive or to a mapped network drive. This will help restore the settings and data in case of any issue with the
new machine installation.
4. Download and install the latest build of EventLog Analyzer on the new machine/server from the following
link: https://www.manageengine.com/products/eventlog/download.html
6. In the newly installed EventLog Analyzer machine/server, rename the folder MySQL located under <EventLog
Analyzer Home> as OldMySQL.
7. Copy the MySQL folder (including the files and sub-folders), which is located under <EventLog Analyzer Home> ,
from the old machine/server to the newly installed Eventlog Analyzer machine/server.
Note: Kindly take extra care that the EventLog Analyzer is not running on both the systems while performing
this operation.
8. Start the EventLog Analyzer on the new machine and check whether the data and configurations are intact.
The DB Storage Options box in the Settings tab lets you configure the number of days after which the database will
be purged. The default value is set at 32 days. This means that after 32 days, only the top values in each report are
stored in the database, and the rest are discarded.
Reporting
Graphs are empty if no data is available. If you have started the server for the first time, wait for at least one minute
for graphs to be populated.
Reports can be generated in HTML, CSV, and PDF formats. All reports are generally viewed as HTML in the web
browser, and then exported to CSV or PDF format. However, reports that are scheduled to run automatically, or be
emailed automatically, are generated only as PDF files.
Can't find an answer here? Check out the EventLog Analyzer user forum
License
The License page displays the existing license details such as the type of license, the number of days to expire, and the
number of device(s), and/or application(s) currently monitored. There is a link to upgrade the EventLog Analyzer license.
You can enter the name of the new license file in the text box provided, or use the Browse button to select the license file,
and apply it using the Upgrade button.
Support
The Support page displays all the information regarding the support channels available for resolving product issues.
About
The About page displays information about the product, such as the build version, build number, service pack
applied (if any), database used, build date, type, installation language, and support and sales email IDs.
User Guide
The User guide (this document) displays contextual help information for the particular product screen selected.
Feedback
At any time, you can click the Feedback link in the bottom right, to send any issues or comments to the EventLog Analyzer
Technical Support team.
The steps given below describe the procedure to set up HTTPS manually. To configure HTTPS using the HTTPS
configuration tool, refer to the connection settings page.
Note: The steps provided describe how to enable HTTPS functionality and generate certificates only. Depending
on your network configuration and security needs, you may need to consult outside documentation. For
advanced configuration concerns, please refer to the HTTPS resources at http://www.apache.org
Replace the value of keystoreFile, 'chap8.keystore', with your .pfx file name.
Ensure that the field keystoreType is specified as "pkcs12", and also replace the keystorePass value 'eventlog' with
your .pfx file password.
The entries should be as given below:
If you do not have a keystore file, follow the steps to create a new one.
1. In the command prompt go to <EventLog Analyzer Home>/jre/bin directory and execute the following command
Example: "<EventLog Analyzer Home>/jre/bin/keytool" -genkey -alias tomcat -keyalg RSA -keystore chap8.keystore
For example, if the installation folder is C:/ManageEngine/EventLog then the above command should be
2. organizational unit
3. organization
4. city
5. state
6. country code
5. Press the 'Enter' key again for the Tomcat password. A keystore file named 'chap8.keystore' will be created in the <EventLog
1. If you want to create the Certificate Signing Request (CSR) from your Keystore using the keytool, in the command
prompt go to <EventLog Analyzer Home>/jre/bin and execute the following command
> keytool -certreq -alias <your_alias_name> or [Domain Name] -file csr.txt -keystore chap8.keystore
(For example: keytool -certreq -alias tomcat -file csr.txt -keystore chap8.keystore)
2. Type the keystore password that you assigned earlier and press the 'Enter' key.
3. Your CSR file named csr.txt is now created in your current directory. Open the CSR with a text editor, and copy and
paste the text (including the BEGIN and END tags) into the Certifying Authority (CA) web order form. Keep the
keystore file (chap8.keystore) safe, as your certificates will be installed into it later.
1. Download your certificate files from the CA's email to the directory where your keystore (chap8.keystore) was
saved during the CSR creation process. The certificate must be installed into this exact keystore; installing it into
a different keystore will not work. The certificates you downloaded must be installed into your keystore in the correct
order for your certificate to be trusted. If the certificates are not installed in the correct order, the certificate will
not authenticate properly.
Each time you install a certificate to your keystore, you will be prompted for the keystore password, which you
assigned while generating your CSR.
In the command prompt go to <EventLog Analyzer Home>/jre/bin and execute the following command to install
the Root certificate file:
> keytool -import -trustcacerts -alias root -file TrustedRoot.crt -keystore chap8.keystore
3. Install the intermediate certificates if any. (Follow the instructions provided by the CA)
In the command prompt go to <EventLog Analyzer Home>/jre/bin and execute the following command to install
the Primary certificate file:
> keytool -import -trustcacerts -alias tomcat -file <your_domain_name>.crt -keystore chap8.keystore
This time you will get a different confirmation stating that the 'Certificate reply was installed in keystore'. If it asks
whether you want to trust the certificate, choose 'y' or 'yes'.
Your certificates are now installed in your keystore file (chap8.keystore) and you just need to configure your server to
use the keystore file.
Disable HTTP
When you have enabled HTTPS, HTTP will continue to be enabled on the web server port (default 8400). To disable HTTP,
follow the steps below:
1. Edit the server.xml file present in <EventLog Analyzer Home>/conf directory.
2. Comment out the HTTP connection parameters, by placing the <!-- tag before, and the --> tag after the following lines:
Enable HTTPS
In the same file, enable the HTTPS connection parameters, by removing the <!-- tag before, and the --> tag after
the following lines:
same password is configured in the server.xml file. The example password is configured as 'eventlog'.
2. Verify that the following message appears in the command window after the EventLog Analyzer application is started:
3. Connect to the server from a web browser by typing https://<devicename>:8400 where <devicename> is the machine
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8400" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false"
compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024"
connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
keystoreFile="./conf/chap8.keystore" keystorePass="eventlog" maxSpareThreads="75" maxThreads="150"
minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https"
secure="true" sslProtocol="TLS" URIEncoding="UTF-8"
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
In the EventLog Analyzer web client, click "?" on the top right corner of the screen and click on About. You will find the build
number mentioned below the build version. This is the build number of the currently installed EventLog Analyzer.
Note: This procedure to configure MS SQL will clear all existing data.
Here's how you can configure and run the EventLog Analyzer with MS SQL as the database.
1. From the installed MS SQL server, copy the files bcp.exe and bcp.rll to <Eventlog Analyzer Home>\bin folder.
is installed in another machine, please install the SQL native client as per the SQL version and CPU type of
MSSQL 2012
https://www.microsoft.com/en-us/download/confirmation.aspx?id=50402
MSSQL 2014
https://www.microsoft.com/en-us/download/details.aspx?id=36434
MSSQL 2016
https://www.microsoft.com/en-us/download/details.aspx?id=50420
MSSQL 2017
https://www.microsoft.com/en-us/download/details.aspx?id=53339
MSSQL 2019
After installing the required Native client/ODBC Driver, you can check if you've got the right version of
bcp.exe+bcp.rll files or the right version of the Native client/ODBC Driver by going to <EventLog Analyzer
Home>\bin folder, opening the command prompt with admin rights and executing the following command:
bcp.exe -v
If you get an error, either your bcp files are wrong or your Native Client/ODBC Driver version in the
EventLog Analyzer machine is incorrect.
2. Invoke the <EventLog Analyzer Home>\tools\changeDBServer.bat, to configure MS SQL server credentials like Server
4. In the wizard screen, choose the Server Type as SQL Server. Enter the Host Name and the port of the SQL Server.
5. Tips:
Ensure that the server browser service is enabled as it provides information about the SQL Server instances.
Ensure that TCP/IP is enabled under Protocols in the SQL Server Configuration Manager.
6. Select the authentication type using the "Connect Using:" options.
Windows Authentication
Windows Authentication
For SQL Server Authentication, enter the User Name and Password.
S. no.: 1
Start-up Type: First start
Required Permission(s) for Login:
Server-level roles:
1. public
2. dbcreator
User Mapping page ('Database role membership' for 'eventlog' DB):
1. db_datareader
2. db_datawriter
3. db_ddladmin
4. db_backupoperator
Comments: 'public' is the default minimum permission. 'dbcreator' is required to create the 'eventlog' database;
otherwise you will get the "CREATE DATABASE permission denied in database 'master'" error message.
queries:-
8. Click the Test button to check whether the credentials are correct. If the test fails, the credentials might be wrong.
9. Click the Save button to save the SQL Server configuration. Note that it will take a few minutes to configure the
10. Start the EventLog Analyzer Server/Service to work with the MS SQL SERVER as the database.
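A T-SQL script, added here and not part of the guide, that creates a SQL Server login for EventLog Analyzer with exactly the server and database roles listed in the permissions table above and then audits that it holds nothing more (in particular, not sysadmin). The login name ela_svc and the password are placeholders; it assumes the database is named eventlog.

```sql
-- Added example, not from the EventLog Analyzer guide. Run as a sysadmin.
-- Login name and password are placeholders.
USE master;
GO
-- 1. Server level: create the login (every login is implicitly in 'public').
--    For Windows Authentication use instead:
--      CREATE LOGIN [DOMAIN\ela_svc] FROM WINDOWS;
CREATE LOGIN ela_svc
    WITH PASSWORD = N'<strong-password-placeholder>',
         CHECK_POLICY = ON, CHECK_EXPIRATION = OFF, DEFAULT_DATABASE = master;
GO
-- 2. 'dbcreator' so the first start can run CREATE DATABASE eventlog.
--    (ALTER SERVER ROLE needs SQL Server 2012+; older versions use
--    EXEC sp_addsrvrolemember 'ela_svc', 'dbcreator'.)
ALTER SERVER ROLE dbcreator ADD MEMBER ela_svc;
GO
-- 3. Check the login was NOT granted sysadmin, the usual over-privileged
--    shortcut. Expect is_sysadmin = 0 and is_dbcreator = 1.
SELECT IS_SRVROLEMEMBER('sysadmin',  'ela_svc') AS is_sysadmin,
       IS_SRVROLEMEMBER('dbcreator', 'ela_svc') AS is_dbcreator;
GO
-- 4. After the first start has created 'eventlog', map the login to the
--    database roles from the 'User Mapping page' column. If ela_svc itself
--    created the database it is already dbo; this step is for the case
--    where a DBA created the database and the product only uses it.
USE eventlog;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'ela_svc')
    CREATE USER ela_svc FOR LOGIN ela_svc;
GO
ALTER ROLE db_datareader     ADD MEMBER ela_svc;
ALTER ROLE db_datawriter     ADD MEMBER ela_svc;
ALTER ROLE db_ddladmin       ADD MEMBER ela_svc;
ALTER ROLE db_backupoperator ADD MEMBER ela_svc;
GO
-- 5. Audit: every database role the user holds. Anything beyond the four
--    above (db_owner especially) is more than the product requires.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'ela_svc'
ORDER BY r.name;
GO
```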
If you are already using EventLog Analyzer with PGSQL or MySQL and you want to change the database to MS SQL,
refer to the Migrating EventLog Analyzer Data from PGSQL to MS SQL Database page or the Migrating EventLog Analyzer
Data from MySQL to MS SQL Database page respectively, and follow the procedure given there.
This procedure is applicable only if you are already using the EventLog Analyzer with PGSQL and you want to change the
database to MS SQL.
Note:
Re-registering the Managed Server after the database has been changed:
When the Managed Server is installed, it is registered with Admin Server as Managed Server with
PGSQL.
If the database of the Managed Server is changed from PGSQL to MS SQL, the database of the Admin
server also needs to be changed from PGSQL to MS SQL.
Then, the managed server has to be re-registered with the Admin Server with the help of <EventLog
Analyzer Home>/troubleshooting/registerWithAdminServer.bat file (or registerWithAdminServer.sh
file)
After changing the database, when the Managed Server is started as a service, there will not be any prompt to
re-register. The user has to ensure that the Managed Server is re-registered with the Admin Server.
If the user is migrating a distributed setup, the user needs to migrate the entire distributed setup to MSSQL. All
Managed servers along with the admin server should be migrated to MSSQL.
If you want to configure MS SQL for a fresh installation of the EventLog Analyzer server, please refer to the Configuring
MS SQL Database page and follow the procedure given there.
The steps to migrate and run the EventLog Analyzer server with SQL SERVER as the database are given below:
1. Stop the EventLog Analyzer Server/Service.
2. Invoke <EventLog Analyzer Home>/tools/backUpDatabase.bat in the command prompt to back up the data available
in the PGSQL database and wait until the data backup is completed. By default, the backup file will be stored under
'backup_eventlog_<Build_Number>_database_MM_DD_YY_hh_mm.data'.
3. From the installed MS SQL SERVER, copy the files bcp.exe and bcp.rll to <EventLog Analyzer Home>/bin folder.
is installed in another machine, please install the SQL native client as per the SQL version and CPU type of
MSSQL 2012
https://www.microsoft.com/en-us/download/confirmation.aspx?id=50402
MSSQL 2014
https://www.microsoft.com/en-us/download/details.aspx?id=36434
MSSQL 2016
https://www.microsoft.com/en-us/download/details.aspx?id=50420
MSSQL 2017
https://www.microsoft.com/en-us/download/details.aspx?id=53339
MSSQL 2019
4. Invoke the <EventLog Analyzer Home>/tools/changeDBServer.bat in command prompt to configure the MS SQL
SERVER credentials like ServerName, Port, User Name and Password.
6. In the wizard screen, select Server Type as SQL Server. Available SQL Server Instances are listed in a combo box. Enter
the Device Name and Port of the SQL Server from the instances.
7. Select the authentication type using the "Connect Using:" option.
Windows Authentication
Note: Ensure that both EventLog Analyzer Server and MS SQL Server are in the same domain and logged in
Windows Authentication
For SQL Server Authentication, enter the User Name and Password.
9. Click the Test button to check whether the credentials are correct. If the test fails, the credentials might be wrong.
11. Invoke the <EventLog Analyzer Home>/bin/run.bat to start the EventLog Analyzer server in the command prompt.
12. After the server is started completely, stop the server by terminating the run.bat in the command prompt or invoke the
13. Invoke <EventLog Analyzer Home>/tools/restoreDatabase.bat, browse and select the created backup file. Now
Note: Executing the restoreDatabase.bat will delete the existing data, if any.
14. Start the EventLog Analyzer Server/Service to work with the MS SQL Server as the database.
This procedure is applicable only if you are already using EventLog Analyzer with MySQL and you want to change the
database to MS SQL.
Note:
Re-registering the Managed Server after the database has been changed:
When the Managed Server is installed, it is registered with Admin Server as Managed Server with
MySQL.
If the database of the Managed Server is changed from MySQL to MS SQL, the database of the Admin
server also needs to be changed from MySQL to MS SQL.
Then, the managed server has to be re-registered with Admin Server with the help of <EventLog
Analyzer Home>/troubleshooting/registerWithAdminServer.bat file (or registerWithAdminServer.sh
file)
After changing the database, when the Managed Server is started as a service, there will not be any prompt to
re-register. The user has to ensure that the Managed Server is re-registered with the Admin Server.
If the user is migrating a distributed setup, the user needs to migrate the entire distributed setup to MSSQL. All
Managed servers along with the admin server should be migrated to MSSQL.
If you want to configure MS SQL for a fresh installation of the EventLog Analyzer server, refer to the Configuring MS SQL
Database page and follow the procedure given there.
The steps to migrate and run the EventLog Analyzer server with SQL SERVER as the database are given below:
1. Stop the EventLog Analyzer Server/Service.
2. Invoke <EventLog Analyzer Home>/tools/backUpDatabase.bat in the command prompt to back up the data available
in the MySQL database and wait until the data backup is completed. By default, the backup file will be stored under
'backup_eventlog_<Build_Number>_database_MM_DD_YY_hh_mm.data'.
3. From the installed MS SQL SERVER, copy the files bcp.exe and bcp.rll to <EventLog Analyzer Home>/bin folder.
installed in another machine, please install the SQL native client as per the SQL version and CPU type of
MSSQL 2012
https://www.microsoft.com/en-us/download/confirmation.aspx?id=50402
MSSQL 2014
https://www.microsoft.com/en-us/download/details.aspx?id=36434
MSSQL 2016
https://www.microsoft.com/en-us/download/details.aspx?id=50420
MSSQL 2017
https://www.microsoft.com/en-us/download/details.aspx?id=53339
MSSQL 2019
4. Invoke the <EventLog Analyzer Home>/tools/changeDBServer.bat in command prompt to configure the MS SQL
SERVER credentials like ServerName, Port, User Name and Password.
6. In the wizard screen, select Server Type as SQL Server. Available SQL Server Instances are listed in a combo box. Enter
the Device Name and Port of the SQL Server from the instances.
7. Select the authentication type using the "Connect Using:" option.
Windows Authentication
Note: Ensure that both EventLog Analyzer Server and MS SQL Server are in the same domain and logged in
Windows Authentication
For EventLog Analyzer version 8.0 (Build 8010) onwards,
9. Click the Test button to check whether the credentials are correct. If the test fails, the credentials might be wrong.
11. Invoke the <EventLog Analyzer Home>/bin/run.bat to start the EventLog Analyzer server in the command prompt.
12. After the server is started completely, stop the server by terminating the run.bat in the command prompt or invoke the
13. Invoke <EventLog Analyzer Home>/tools/restoreDatabase.bat, browse and select the created backup file. Now
Note: Executing the restoreDatabase.bat will delete the existing data, if any.
14. Start the EventLog Analyzer Server/Service to work with the MS SQL Server as the database.
3. Find the current location of the data file and log file for the database named 'eventlog' by using the following
commands:
sp_helpfile
go
sp_detach_db 'eventlog'
go
5. Copy the data file and the log file from the current location ( <MSSQL Home>\DATA\eventlog.mdf and <MSSQL
Home>\DATA\eventlog_log.ldf) to the new location ( <New location>\eventlog.mdf and <New
Location>\eventlog_log.ldf).
6. Re-attach the database and point to the new location by using the following commands:
sp_helpfile
go
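The detach, copy and re-attach sequence of the steps above carried through in full, as an added example that is not from the guide. It assumes the database is named eventlog, uses D:\ELA_DB as a placeholder for <New location>, and for the re-attach step uses CREATE DATABASE ... FOR ATTACH, the form Microsoft recommends over the deprecated sp_attach_db.

```sql
-- Added example, not from the EventLog Analyzer guide. Stop the EventLog
-- Analyzer server/service first; copy the files between steps 2 and 3.
-- D:\ELA_DB is a placeholder for the new directory.
USE eventlog;
GO
-- 1. Record the current physical paths (step 3 above).
EXEC sp_helpfile;
GO
USE master;
GO
SELECT name, physical_name, type_desc
FROM sys.master_files
WHERE database_id = DB_ID(N'eventlog');
GO
-- 2. Drop any remaining connections, then detach (step 4 above).
--    sp_detach_db fails while other sessions are connected, so force
--    single-user mode from this session first.
ALTER DATABASE eventlog SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
EXEC sp_detach_db @dbname = N'eventlog', @skipchecks = N'true';
GO
-- >>> Now copy eventlog.mdf and eventlog_log.ldf to D:\ELA_DB (step 5 above).
-- >>> On detach SQL Server tightens the NTFS ACL on the files to the detaching
-- >>> account, so make sure the SQL Server service account has Modify rights
-- >>> on D:\ELA_DB and the copied files before attaching.

-- 3. Re-attach from the new location (step 6 above).
CREATE DATABASE eventlog
ON (FILENAME = N'D:\ELA_DB\eventlog.mdf'),
   (FILENAME = N'D:\ELA_DB\eventlog_log.ldf')
FOR ATTACH;
GO
-- 4. Verify the database is ONLINE and its files point at the new directory
--    before starting EventLog Analyzer again.
SELECT d.state_desc, f.name, f.physical_name
FROM sys.databases AS d
JOIN sys.master_files AS f ON f.database_id = d.database_id
WHERE d.name = N'eventlog';
GO
```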
EventLog Analyzer)
Note: For a Linux service, execute the commands given below to stop the Linux service (sample outputs
are given):
/etc/init.d/eventloganalyzer stop
Stopping ManageEngine EventLog Analyzer <version number>...
Stopped ManageEngine EventLog Analyzer <version number>
2. Ensure that the processes java.exe, postgres.exe, and SysEvtCol.exe are not running in the task manager.
Note: For Linux, ensure that the processes java, postgres, and SysEvtCol are not running.
3. Copy the entire <EventLog Analyzer Home> directory to the new server. It is strongly recommended that the new
1. If EventLog Analyzer is integrated with Log360, and only EventLog Analyzer is being moved, then the integration with
Log360 needs to be removed first. You can integrate EventLog Analyzer with Log360 again after moving it to a
different server.
2. After EventLog Analyzer is moved, if new path is not the same as the previous path, path.data & path.repo in
4. Since the service has not been installed in the new server, we have to install it manually. Open the Command Prompt
with administrator privileges. Navigate to <EventLog Analyzer Home >\bin and execute the following command to
> service.bat -i
sh configureAsService.sh -i
5. The service will now be installed. Try starting the service and open EventLog Analyzer with your browser to log in.
6. EventLog Analyzer archive path has to be modified. Settings > Admin Settings > Manage Archives > Settings > Archive
Location.
1. If EventLog Analyzer is integrated with Log360, and both Log360 & EventLog Analyzer are being moved, the
integration needn't be removed. However, you would need to move the <ManageEngine Home>\elasticsearch folder
2. After Log360 & elasticsearch folders are moved along with EventLog Analyzer, if new path is not the same as the
3. Open the command prompt with administrator privileges. Navigate to <EventLog Analyzer Home>\bin and execute
4. Since the service has not been installed in the new server, we have to install it manually. Open the Command Prompt
with administrator privileges. Navigate to <EventLog Analyzer Home>\bin and execute the following command to
> service.bat -i
sh configureAsService.sh -i
5. The service will now be installed. Try starting the service and open EventLog Analyzer with your browser to log in.
6. EventLog Analyzer archive path has to be modified. Settings > Admin Settings > Manage Archives > Settings > Archive
Location.
2. Open the command prompt with administrator privileges. Navigate to <EventLog Analyzer Home>\bin and execute
3. Since the service has not been installed in the new server, we have to install it manually. Open the Command Prompt
with administrator privileges. Navigate to <EventLog Analyzer Home>\bin and execute the following command to
> service.bat -i
sh configureAsService.sh -i
4. The service will now be installed. Try starting the service and open EventLog Analyzer with your browser to log in.
5. EventLog Analyzer archive path has to be modified. Settings > Admin Settings > Manage Archives > Settings > Archive
Location.
If you are using MS SQL Server as your database and it is running on a remote computer, download and install the SQL
Native Client/ODBC Driver appropriate for the SQL Server version on the new EventLog Analyzer machine.
https://www.manageengine.com/products/eventlog/download.html.
4. In the Access key field, enter the security access key of Log360 Cloud and click Save.
Note:
Log sync data will be compressed up to 18 times and stored in the specified temporary location.
Database sync data will be stored in the raw format without being compressed.
When the cloud storage limit is exceeded, log sync will be stopped. Log data collected after that point
will be stored in the temporary location specified. Once space is made available, logs will be indexed
from that location and moved to the cloud storage space.
The following outbound ports should be open in the firewall of the server where EventLog Analyzer is
installed:
HTTPS - 450 and HTTP - 80 for versions lower than 12040
HTTPS - 444 and HTTP - 80 for versions higher than or equal to 12040
Log Filter
To enable Log Filters, place the cursor over the Log Sync section. Click the Log Filter option that gets displayed. In the
screen that appears, click the Enable Filter check box and set the required filters by choosing from the options displayed.
The distributed edition also caters to the needs of Managed Security Service Providers (MSSPs) since they can deploy
logically isolated managed servers for different clients.
Note: To install the distributed edition of EventLog Analyzer, you need to install the standard edition across
your organization's network and then convert the installations into an admin or a managed server. You can refer
Note: You need to back up the data of the standard edition to prevent data loss.
Converting the standard edition of EventLog Analyzer into an admin server will result in the deletion of data present in the
standard edition. You can follow the steps given below to convert the standard edition of EventLog Analyzer into an admin
server:
administrative privilege.
5. Enter the details such as the name or the IP address, web port, and web server protocol of the managed server and the
admin server.
6. If you want to configure a proxy server, enter y for the next query and then enter the proxy server details such as the
proxy server name, port number, username, and password.
7. You will see a success message if EventLog Analyzer has been converted from the standalone installation into a
8. Open the admin server console to which you've linked this managed server and navigate to Settings > Configurations >
If your managed server is unable to reach the admin server, please ensure the following:
The admin server to which you want to link the new managed server is accessible on the given port using the
mentioned protocol.
If the admin server is using a proxy server, check whether the provided proxy server details are correct.
If your organization has multiple network devices, servers, applications, and databases spread across geographical
locations, using the distributed edition of EventLog Analyzer will help you unify all your logs and gain actionable
insights from a single console. The distributed edition is also useful for Managed Security Service Providers (MSSPs).
The distributed setup of EventLog Analyzer consists of one admin server and one or more managed servers. The
managed servers can be installed at different geographical locations and must be connected to the admin server. The
admin server centralizes log management across all the managed servers. You can view and manage all the managed
servers from the admin server console.
Can I convert the existing standalone edition of EventLog Analyzer to the distributed edition?
Yes, you can. You need to install a new admin server and convert the existing installation to a managed server. Please
refer to the steps given here. Ensure that the build number of your existing EventLog Analyzer installation is 6000 or
above.
While converting the standard edition to an admin server, I'm prompted to specify the proxy server details. Why
should I configure it?
Configuring the proxy server is optional. You need to configure the proxy server details during admin server
conversion only if the admin server has to pass through a proxy server to contact the managed servers.
I have deleted a managed server from the admin server. How do I add it again?
To add a managed server under the admin server again, follow the steps given below:
1. Register the managed server with the admin server by executing the registerWithAdminServer.bat/sh file
Where are the collected logs stored? Is it in the managed server database or in both the managed server and
admin server databases?
The logs collected by the managed server are stored only in the managed server database. You can't store the logs in
the admin server. However, you can forward the logs to the admin server to archive them.
By default, the managed and admin servers communicate using HTTP. There is also an option to change the mode
of communication to HTTPS. To modify the mode of communication, you can refer to the steps given here.
I have changed the managed server communication mode to HTTPS after installation. How to update this change
in the admin server?
In the admin server, click the Settings tab > Configurations > Managed Server Settings > Edit icon of the specific managed
server. Select the required protocol to configure the web server port details.
Licensing
What are the licensing terms for EventLog Analyzer's distributed edition?
EventLog Analyzer's Distributed Edition license will be applied to the admin server. The number of devices and
applications for which the license has been purchased can be utilized among the registered managed servers. You can
keep adding the devices and applications in various managed servers till the total number of licenses purchased gets
exhausted. You can view the number of devices and applications managed by each managed server in the Managed
Server Settings page.
If the number of devices and applications managed by all the managed servers exceeds the number of licenses
purchased, a warning message appears in the admin server. To resolve this warning, you can:
There is no option to apply the license in the managed servers. The license must be applied to the admin server and
it will be automatically propagated to all the managed servers.
Why do I encounter the "License Restricted" alert even after reconfiguring the managed servers?
The status of devices in the managed server synchronizes with the admin server during the data collection cycle,
which happens at an interval of 5 minutes. Try adding other devices and applications in the managed server after a
few minutes.
Still having trouble? Get in touch with our technical support team:
2. In the Support Window, you can find Auto and Manual SIF creation options under the Support Info section.
3. To automatically create a SIF file, click on Auto and select Create Support Information File.
4. You will find a new link Created File which contains the SIF.
5. Clicking on this link allows you to either directly upload the SIF to ManageEngine's file upload server after providing
the required details or download the SIF by clicking on the Download link and sending it to eventlog-
To go to the Support page, click the Support tab on the menu bar. The different channels through which you can reach out
to us will be listed here. You can also click on the links below to reach our support team.
Links and their descriptions:

Request Technical Support (Request form): Click this link or click 'Mail Us' in the Support Page of EventLog Analyzer. Fill in the required fields with a detailed description of the problem that you encountered. Click on Submit.

Request a personalized Demo: Click this link or click 'Personalized Demo' in the Support Page of EventLog Analyzer to schedule a personalized demo.

Get training and certification (EventLog Analyzer Training): Click this link or click 'Training & Certification' in the Support Page of EventLog Analyzer to take up a course and equip yourself with the knowledge required to work with EventLog Analyzer.

Feature requests: If you'd like to see new features in the upcoming releases of EventLog Analyzer, click this link to give us your suggestions.

Get a Price Quote (Online Store - Price Quote): Click this link or click 'Get Quote' under Online Store in the Support Page of EventLog Analyzer to get a personalized quote that best suits your requirements.

Purchasing the product (Online Store - Buy Now): Click this link or click 'Buy Now'/'Pricing' under Online Store in the Support Page of EventLog Analyzer.

Knowledge Base Videos: Click this link or click 'Videos' under Knowledge Base in the support page of EventLog Analyzer to watch 'How to' videos based on the solution and its features.

Knowledge Base FAQ: Click this link or click 'FAQ' under Knowledge Base in the support page of EventLog Analyzer to view answers to frequently asked questions.

Free Online Training: Click the 'Events' Tab in the support page of EventLog Analyzer to sign up for upcoming webinars, seminars and workshops. You can also watch videos of completed webinars, seminars and workshops under 'Completed Events' in the Events Tab.

EventLog Analyzer User Forums: Click this link or click 'View All' under 'Recent Forum Posts' in the Support Page of EventLog Analyzer. In this forum you can post your queries, interact with other EventLog Analyzer users and also get answers from our support team.

EventLog Analyzer Announcements: Click this link or click 'View All' under 'Announcements' in the support page of the EventLog Analyzer solution to go to the EventLog Analyzer user forum announcements page for the latest announcements and updates.

Sign in to Community: Click 'Sign into Community' on the top-right corner of the support page in EventLog Analyzer to join the community and collaborate with your peers and our product experts on product updates and the latest IT trends.

Contact Us: