Manual - FrugalBrothers Software
Contents
1. Import from file: Import data as part of the data centralization process. The file to import from needs to be created by the Export to file job.
   Export to file: Export data from this instance to files in order to import them at another location as part of the data centralization process. You can also burn the exported files for safekeeping.
   Import from SQL Server database: Imports data from a SQL Server database created with an older version of the product.
   Import from legacy files: Import data from files created with an older version of the product.
   Import from legacy file storage: Imports data from an older file storage.
   Screenshot 124: Import from File.
   3. Click Next at the wizard welcome screen and select Import from file as the job type. Click Next.
   4. Specify the full path or browse for the file to import. Click Next. Only files exported from GFI EventsManager can be imported.
   (Dialog text: New job wizard, Data protection. Decrypt the protected data. If the files are password protected, select the option below and enter the password that will be used to decrypt the files. Decrypt the files using the following password: Password; Confirm password.)
   Screenshot 125: Import from file, Decrypt.
   5. If the exported events are encrypted, select Decrypt the files using the following password and specify the encryption password. Click Next.
   146 Database Opera
2. (Screenshot residue: Allowed programs list showing Windows Communication Foundation and Windows Firewall Remote Management; buttons Allow another program, Cancel.)
   Screenshot 148: Allowed programs in Microsoft Windows Vista or later.
   2. From Allowed programs and features list, enable the following rules: Remote Event Log Management; File and Printer Sharing; Network Discovery. Select Domain, Private and Public for each rule mentioned above.
   4. Click OK to apply changes.
   Step 2: Enable additional auditing features.
   1. From command prompt, key in secpol.msc and press Enter.
   2. From the Security Settings node, expand Local Policies > Audit Policy.
   (Screenshot residue: Local Security Policy window, Security Settings > Local Policies > Audit Policy, with each of the following policies set to Success, Failure: Audit object access; Audit account logon events; Audit account management; Audit directory service access; Audit logon events; Audit policy change; Audit privilege use; Audit process tracking. Other nodes shown: Account Policies, User Rights Assignment, Security Options, Windows Firewall with Advanced Security, Network List Manager Policies, Public Key Policies, Software Restriction Policies, Application Control ...)
3. (Screenshot residue: Configuration tab with Reporting, General, Event Sources, Event Processing Rules, Options. Configurations: Default Classification Actions; Users and Groups; Console Security and Audit Options; Anonymization; Audit Options; Auto discovery Credentials; Alerting Options; SNMP Traps Options; Performance Options; File storage; Database Operations; Custom Event Logs; Auto update Options. Common Tasks: Create new job; Edit database operations options; Open Quick Launch Console. 3 maintenance job(s). Send us feedback. Help.)
   Database Operations: Here you can define maintenance jobs to import/export data from EventsManager storage and to import from SQL Server or legacy export files/legacy file storage. The maintenance jobs will be executed sequentially in the priority order. Increase Priority (Ctrl+Up); Decrease Priority (Ctrl+Down).
   Specify data encryption options: If the files are password protected, select the option below and enter the password that will be used to decrypt the files. Decrypt the files using the following password: Password; Confirm password.
   Screenshot 140: Example dialog to edit a scheduled job.
   4. Configure the tabs described in the table below.
   Table 82: Database operations Schedule options TA
4. ... 91
   7.3 Collecting Text Logs 93
   7.4 Collecting Syslogs 95
   7.5 Collecting SNMP Traps 98
   7.6 Collecting custom events 102
   7.7 Triggering a manual event source scan 104
   8 Manage rule sets 105
   8.1 Introduction 105
   8.2 Adding a rule set folder 106
   8.3 Creating new events processing rules 106
   8.4 Creating a new rule from an existing event 111
   8.5 Advanced event filtering parameters 112
   9 Customizing alerts and actions 114
   9.1 Introduction 114
   9.2 Configuring Default Classification Actions 115
   9.3 Configuring Alerting Options 116
   10 Configuring users and groups 123
   10.1 Introduction 123
   10.2 Managing user accounts 123
   10.3 Managing groups 128
   10.4 Managing Console Security and Audit Options
5. Screenshot 113: Login window.
   If a password is forgotten or lost:
   1. Key in your username.
   2. Click the Forgot your password link. GFI EventsManager will send an email containing your login password.
   10.4.3 Anonymization
   In some countries, privacy laws state that it is against the law not to encrypt personal information retrieved by monitoring applications, for privacy protection. GFI EventsManager enables you to encrypt personal information when exporting and/or viewing event logs. Enable anonymization to encrypt all personal information. The Events Browser and Dashboard can recognize such information and do not display it; instead they display <encrypted> or Anonymized data messages.
   To configure anonymization:
   1. From Configuration tab, click Options.
   2. Expand Console Security and Audit Options node, right-click Anonymization and click Edit anonymization options.
   (Screenshot residue: Anonymization dialog, General tab. Configure anonymization protection level: Enable Anonymization; Protection key; Confirm key; Use a secondary protection key; Secondary protection key. A secondary protection key is optional. Archive storage might be changed if you enable anonymization.)
   Screenshot 114: Anonymization options.
   3. Select Enable Anonymization and enter the encryption password.
   4. Optional: Select Use a secondary protection key.
6. Screenshot 91: Create new events processing rule, Configure the rule conditions.
   5. Click Add to select a field from the list of available fields. Specify the Field, Operator and Field Value and click OK. Click Next. For more information refer to Defining restrictions. Repeat this step until all conditions have been configured. To create a rule that applies to all events, do not specify conditions. To filter events that refer to an administrator user (events having the security identifier (SID) that identifies a logon administrator session), ensure that if the event source is a domain member, the domain controller is also added as an event source. For more information refer to Managing event sources groups.
   (Screenshot residue: New Processing Rule Wizard, Select event occurrence and importance. Filter the events on which part of the day the event happens and select their classification level. The rule applies if the event happens: Outside of the Normal Operational Time (N.O.T.). Classify the event as: Critical importance event.)
   Screenshot 92: Create new events processing rule, Select the event occurrence and importance.
   6. Specify the time when the rule is applicable. Example: anytime, during working hours or outside working hours.
   7. Select the classification (critical, high, medium, low or noise) that will be assigned to events that satisfy the conditions in this rule. Click Next.
7. Use this option to customize GFI EventsManager settings, e.g. enable Syslog and SNMP Trap processing, key event notifications, etc. Tell me more. Show this dialog on next startup. Service is running: 113917 events processed so far on 1 event source(s). Click here to go to the status to find out more.
   Screenshot 10: GFI EventsManager Quick Launch Console.
   To analyze events:
   1. Click the icon shown from the top right corner of the GFI EventsManager user interface. The table below describes the options available in the Quick Launch Console.
   Table 11: Quick Launch Console options (Icon, Description)
   Browse events: Access the built-in events and forensic tools that will help you to locate, analyze and filter key events. For more information refer to the Event browsing chapter in this manual.
   Generate reports: Access reporting features including instant/scheduled report generation and automated report distribution. For more information refer to the Reporting chapter in this manual.
   View dashboard: Access the GFI EventsManager status dashboard. This enables you to view graphical representations of the most important events collected and processed by GFI EventsManager. For more information refer to the Status monitoring section in this manual.
   Customize: Customize GFI EventsManager settings such as enabling Syslog/SNMP Trap processing, key events notifications and more. For more information refer to Manage even
8. ... Thanks, The GFI EventsManager team.
   Screenshot 39: Daily digest email.
   (Section, Description)
   The start and end date of the report: The report displays the most important events collected by GFI EventsManager between the start and end date.
   The number of Critical and High events collected in the last 24 hours: This graph provides statistical information about critical events collected from all event sources in the last 24 hours.
   5.9 Settings report
   GFI EventsManager enables you to generate settings reports on event source groups. The provided information is described in the table below.
   Table 26: Settings report heading information (Heading, Description)
   Group name: The name of the group the report is based on.
   Computer name: A list of every event source in the selected group.
   Scan intervals: Scanning interval for every event source in the selected group, shown in Days, Hours, Minutes, Seconds.
   Rules folder: Provides a list of rule categories applied to the selected group, such as Noise reduction, Security, System health, PCI DSS requirements.
   Rule sets: A granular list of rules applied on the selected group.
   To generate a settings report:
   1. Click Configuration tab > Event Sources.
   (Screenshot residue: GFI EventsManager window with menus File, Configure, Help; tabs Status, Configuration, Events Browser, Reporting; sub-tabs General, Event Sources, Event Processing Rules ...)
9. GFI Product Manual: GFI EventsManager User Manual. http://www.gfi.com, info@gfi.com
   The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out of date information, or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical. All product and company names herein may be trademarks of their respective owners. GFI EventsManager is copyright of GFI SOFTWARE Ltd. 1999-2011 GFI Software Ltd. All rights reserved.
   Document Version: ESM UM EN 03 00 00. Last updated: December 5, 2011.
   Contents
   1 Introduction 1
   Pel
10. ... Oracle Database General tab options
   Table 49: Oracle Database General tab options
   Table 50: Oracle Database Audit by Objects
   Table 51: Oracle Database Audit by Statements
   Table 52: Windows Event Logs collected by GFI EventsManager
   Table 53: Configuring Windows Event Log processing
   Table 54: Configuring W3C processing
   Table 55: Configuring Syslog processing
   Table 56: Configuring SNMP Traps processing
   Table 57: Events Processing Rules
   Table 58: Rule set folders available in GFI EventsManager
   Table 59: Configuring new events processing rules: Actions
   Table 60: Create rule from event dialog options
   Table 61: Parameters available in the Event ID field
   Table 62: Parameters available in the Source, Category and User fields
   Table 63: Parameters available in the Message and Process fields
   Table 64: Alerting methods
   Table 65: Supported alerting actions
   Table 66: Alerting Options dialog: Email
   Table 67: Alerting Options dialog: SMS
   Table 68: Alerting Options dialog: SNMP
   Table 69: Alerting Options dialog: General
   Table 70: Status monitoring: General view
   Table 71: Status monitoring: Job activity view
   Table 72: Status monitoring: Statistics view
   Table 73: Available database operations
   Table 74: Configuring database operations
   Table 75: Database operations: Schedule options
   Table 76: Database operations: Schedule options
   Table 77:
   Table 78: Database operations: Export file name structure
   Table 79: Dat
11. (Screenshot residue, event XML excerpt: <string><![CDATA[OVAL 6899 Adobe Flash Player and AIR Unspecified Memory Corruption Vulnerability]]></string></topTenVulnerabilities></LANguardEvent>. Log Name: Application. Source: GFI LANguard. Logged: 8/27/2010 3:29:45 PM. Event ID: 0. Task Category: None. Level: Information. Keywords: Classic. User: N/A. Computer: LuciMain. OpCode: . More Information: Event Log Online Help.)
   Screenshot 73: Event generated by GFI LanGuard.
   GFI EventsManager can process events generated by GFI LanGuard version 9.5 or later.
   6.7.1 How to enable GFI LanGuard event logging
   To start monitoring Application log entries generated by GFI LanGuard:
   1. Add the machine where GFI LanGuard is installed as an event source. For information refer to Manage event sources.
   2. Once the GFI LanGuard machine is added as an event source, GFI EventsManager will remotely and automatically enable the event logging feature in GFI LanGuard by creating and setting the following registry value on the GFI LanGuard machine: HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSS<n>\Config\EventLog = 1 (DWORD), where n is the major version number of GFI LanGuard. Example: HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSS9\Config\EventLog = 1 (DWORD).
   To stop GFI LanGuard from generating Application Log entries, remove the registry value described above or change the registry value to 0.
   6.7.2 Monitorin
12. 1.1 About this Manual 1
   1.2 Conventions used in this manual 2
   1.3 About GFI EventsManager 2
   1.4 Key Features 3
   1.5 How does GFI EventsManager work 6
   1.6 Navigating the GFI EventsManager management console 8
   2 Getting Started 9
   2.1 Introduction 9
   2.2 What is a Computer log 9
   2.3 What are Windows Event Logs 9
   2.4 What are W3C logs 10
   2.5 What are Syslogs 10
   2.6 What are SNMP Traps 11
   2.7 What are SQL Server audit logs 11
   2.8 What are Oracle Server audit logs 11
   3 Installation 12
   3.1 Introduction 12
   3.2 Where can I install GFI EventsManager on my network 12
   3.3 System requirements
13. Configuring User settings
   2. Expand the Users and Groups node and select the User sub-node.
   3. From the right pane, right-click EventsManagerAdministrator and click Properties.
   (Screenshot residue: Specify the general details for this user. User name: EventsManagerAdministrator. Description: N/A. Email: jsmith@domain.com. 11122272334. 132.168.11.11; 192.168.0.6. Multiple emails or computers can be specified by using semicolons as separator. Network message alerts are sent to the computers specified.)
   Screenshot 105: EventsManager Administrator properties.
   4. Specify the contact details, such as email address and mobile number, as required.
   5. Specify the computers on which network alerts addressed to the administrator will be sent.
   (Screenshot residue: working hours grid with hour ticks up to 24h. Marked time intervals are considered as work time. Unmarked times will be considered as outside working time.)
   Screenshot 106: Configuring the typical working hours of an alert recipient.
   6. Click the Working Hours tab and specify the typical working hours of the administrator.
   (Screenshot residue: Specify the types of alerts this user is to receive. Specify the types of alerts this user should receive for events which happen during working hours or outside working hours: Email alerts; Network message alerts; SMS alerts. Send daily report via email at 13:00:00. Tell me more.)
   Screenshot 107: Selecting alerts to b
14. From the right pane, click Buy now. This takes you to the GFI website where you can view further information about licensing and purchase a valid key.
   For more information about GFI EventsManager licensing, please visit http://www.gfi.com/page/13789/products/gfi-eventsmanager/pricing/licensing/licensing
   For more information about GFI EventsManager pricing, please visit http://www.gfi.com/products/gfi-eventsmanager/pricing
   13.7 Version information
   To check your version information details:
   1. Click General tab.
   2. Click the Version Information option. The version information details will be displayed in the right pane.
   13.7.1 Checking for newer builds
   To check for newer builds of GFI EventsManager:
   1. Click General tab.
   2. From the left pane, right-click Version Information and select Check for newer builds.
   14 Troubleshooting
   14.1 Introduction
   The troubleshooting chapter explains how you should go about resolving any software issues that you might encounter. The main sources of information available to users are: the manual (most issues can be solved by reading this manual); GFI Knowledge Base articles; the Web forum; contacting GFI Technical Support. This chapter contains information about: Common issues; Knowledge Base; Web Forum; Request technical support; Build notifications.
   14.2 Common issues
15. GFI EventsManager will return this error when trying to export data which is larger than 4GB.
   Solution: In order to export the data required, use the GFI EventsManager Advanced Filters to reduce the number of events exported, thereby reducing the size of the data which is being compressed. For more information refer to the Configuring data filter conditions section in this manual.
   Description: This error may occur if: the remote computer may be shut down; there may be a network hardware problem; there may be no common transports; the remote computer does not exist; a DNS entry does not exist for the remote computer in the DNS server. Try pinging the remote machine from another computer by using its host name and not its IP. Investigate each possible problem and make the necessary changes. Then try to collect events from target computers. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID002820
   (Issue, Description and solution)
   GFI EventsManager reports ... Description: When installed, GFI EventsManager asks for a valid username and password. This error is encountered when an invalid password is submitted in the installation wizard.
   Solution:
   1. Click Start > Run, key in services.msc and click OK. This will launch the Services window.
   2. Double-click GFI EventsManager service. Select the Log On tab. Ensure that the This account radio box is s
16. SNMP Traps: Specify the logs to collect and configure archive settings for SNMP Traps. This tab is only available when creating a server group. For more information refer to Collecting SNMP Traps.
   5. Click OK to save changes.
   6.2.1 Edit synchronization options
   GFI EventsManager enables you to synchronize domains with event sources groups. When the synchronization is configured, every new domain member is added automatically to GFI EventsManager event sources.
   To edit synchronization options:
   1. From Configuration tab > Group Type, select Event Sources Groups.
   2. Select the All event sources node. From Actions, click Edit synchronization options.
   (Screenshot residue: Synchronization Properties, tabs General and Exclusions. Configure Synchronization options: Configure synchronization between GFI EventsManager event sources and network domains. Domain: My Domain. Group: Default Domain. Remove Selected.)
   Screenshot 50: Synchronization properties, General tab.
   3. Select the General tab and configure the options described below.
   Table 33: Synchronization properties, General tab
   Domain: Select the domain name from the list or key in a valid domain name.
   Group: Select the GFI EventsManager group name where to add the discovered event sources.
   Source type: Select the type of computers discovered in the selected domain that will be added to the selected GFI EventsManager group.
   4. To include the s
17. (Screenshot residue: predefined rules list including Secure World Wide Web Services (HTTPS), Simple Mail Transfer Protocol (SMTP), Telnet server, Remote Administration.)
   Screenshot 159: Predefined rules.
   6. Click Next.
   7. Select all rules and click Next.
   8. Select Allow the connection and click Finish.
   9. Repeat steps 5 to 8 for each of the following rules: Remote Event Log Management; Network discovery.
   10. From Group Policy Management Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, right-click Outbound Rules and select New Rule.
   11. Repeat steps 5 to 9; at step 9, enable only Network Discovery.
   12. Close Group Policy Management Editor.
   13. From Group Policy Management, expand Group Policy Management > Forest > Domains > <Domain name> > Default Domain Controllers Policy.
   14. Repeat steps 4 to 13.
   15. Close Group Policy Management.
   The group policy will be applied the next time each client machine is started.
   13.3 Disabling UAC to scan event sources
   When GFI EventsManager is configured to collect events using a local account, target machines must have User Account Control (UAC) disabled. To disable UAC on Microsoft Windows Vista machines or later:
   1. Click Start > Run, key in secpol.msc and press Enter.
   2. From the Security Settings, expand Local Policies and click Security Options.
   3. Right-click User A
18. The information provided in this view is divided into the following dedicated sections.
   Table 71: Status monitoring, Job activity view (Section, Description)
   Active Jobs: The Active Jobs section provides a list of all event collection jobs currently taking place on every event source machine. The information provided includes the job progress as well as the Log Source from which events are being collected.
   Operational History: The Operational History section shows an audit trail of the event collection operations performed by GFI EventsManager. The information provided includes errors and information messages generated during the event collection process as well as the name of the log file that was being processed on the event source. NOTE: Operational history logs can be exported using the Export data button. For more information refer to Operational History.
   Queued Jobs: The Queued Jobs section provides a list of all pending event collection jobs on a machine by machine basis. The information provided includes the event source from which events will be collected as well as the queuing time and type of log to collect.
   Maintenance Jobs: The Maintenance Jobs section displays the progress of maintenance jobs that have been created through Database Operations. The information provided includes the job description, start time and state.
   ... Syslog that were received by GFI EventsManager. The information provided includes the total number of messages sent by every event source (message count) and the date
19. This is the neutral network which sits between the internal corporate network and the outside world (Internet). The deployment of GFI EventsManager on a DMZ helps you automate the management of events generated by DMZ hardware and software systems such as:
   Table 4: Benefits of installing GFI EventsManager in DMZ (DMZ automation, Description)
   Automate management of Web and Mail server events: DMZ networks are normally used for the running of hardware and software systems that have internet-specific roles, such as HTTP servers, FTP servers and Mail servers. Hence you can deploy GFI EventsManager to automatically manage the events generated by: Linux/Unix based web servers, including the W3C web logs generated by Apache web servers on LAMP web platforms; Windows based web servers, including the W3C web logs generated by Microsoft Internet Information Servers (IIS); Linux/Unix and Windows based mail servers, including the Syslog auditing services messages generated by Sun Solaris v.9 or later.
   Automate management of DNS server events: If you have a public DNS server, there's a good chance that you are running a DNS server on the DMZ. Hence you can use GFI EventsManager to automatically collect and process DNS server events, including those stored in your Windows DNS Server logs.
   Automate management of ...: Routers and firewalls are two network applian
20. ... 130
   10.5 Managing Database and Files Backend security 134
   11 Status monitoring 135
   11.1 Introduction 135
   11.2 General status view 135
   11.3 Job activity view 138
   11.4 Statistics view 139
   12 Database Operations 141
   12.1 Introduction 141
   12.2 Why database maintenance 141
   12.3 Creating a new database backend 142
   12.4 Configuring Database Operations 144
   12.5 Creating maintenance jobs 145
   12.6 Editing existing maintenance jobs 155
   13 Miscellaneous 158
   13.1 Enabling permissions on event sources manually 158
   13.2 Enabling permissions on event sources automatically 170
   13.3 Disabling UAC to scan event sources 175
   13.4 Command line tools 175
   13.5 Auto updating GFI Ev
21. (Screenshot residue: Configuration tree showing a job "Import legacy files from folder C:\Users\John Smith\Desktop"; nodes Performance Options, File storage, Database Operations, Custom Event Logs, Auto update Options; Common Tasks: Create new job; 2 maintenance job(s).)
   Screenshot 126: Creating a new Database Operation.
   2. From Configurations, right-click Database Operations and select Create new job.
   (Screenshot residue: New job wizard, Select the job type. Please select the type of action that this job should perform. Import from file: Import data as part of the data centralization process. The file to import from needs to ... Export to file: Export data from this instance to files in order to import them at another location as part of the data centralization process. You can also burn the exported files for safekeeping. Import from SQL Server database: Imports data from a SQL Server database created with an older version of the product. Import from legacy files: Import data from files created with an older version of the product. Import from legacy file storage: Imports data from an older file storage.)
   Screenshot 127: Export to File.
   3. Click Next at the wizard welcome screen and select Export to file as the job type. Click Next.
   4. Specify or browse for the location where the exported file will be saved. Click Next.
   (New job wizard, Data protection: Password protect the exporte
22. Screenshot 72: Oracle Database, Audit by statements tab.
   7. Select Audit by Statements and configure the options described in Table 51 below.
   Table 51: Oracle Database Audit by Statements (Option, Description)
   Statements: Click the browse button to launch a list of available SQL statements. Select the SQL statements to audit and click OK. NOTE: Amongst others, Oracle statements can be ALTER, CREATE and SELECT SQL statements.
   User: Oracle enables you to audit statements for a specific user. Click the browse button to launch a list of available users. Select the user and click OK.
   Options: Select audit options. By Access: creates one audit log for each statement execution. By Session: creates one audit log per user and per schema object; a session is the time between a connection and a disconnection to/from the database. Success: processes only successful audits. Failure: select this option to process only failed audits; Oracle will create an audit log if an audit fails to complete. Both: select this option to process all audit logs.
   Audit: Choose this option to instruct the Oracle server to start auditing the server activities corresponding to the selected parameters, like users, statements, etc.
   Stop Audit: Choose this option to instruct the Oracle server to stop auditing the server activities corresponding to the selected parameters, like users, statements, e
   Current audited statements
   8. Click OK.
23. database <maindb|backupdb>: specify the database to import events from.
   dbauth <SQL|WIN>: specify the authentication mode.
   username <username>: specify the SQL Server username.
   password <password>: specify the SQL Server password.
   jobId <id>: optionally specify a unique job ID.
   Command: Esmdlibm.exe importFromSql logTypes application w3c server 192.168.11.11 database main dbauth SQL username sa password 1234 jobId 987
   Import from Dlib
   This function enables you to import exported data from GFI EventsManager database 2012. It is made up of the following parameters:
   importFromDlib: function name.
   path <path>: specify the path of the import file.
   name <name>: specify the name of the import file.
   anonpass1 <password>: optionally specify the primary decryption password.
   anonpass2 <password>: optionally specify the secondary encryption password.
   jobId <id>: optionally specify a unique job ID.
   Command: Esmdlibm.exe importFromDlib path C:\Events name importFile.txt anonpass1 1234 jobId 987
   Import from Legacy File
   This function enables you to import data exported or archived from an older version of GFI EventsManager. It is made up of the following parameters:
   importFromLegacyFile: function name.
   path <path>: specify the path of the import fi
24. ... normally used.
   (Screenshot residue: Microsoft SQL Database group properties with tabs General, Logon Credentials, Operational Time, SQL Server Audit ... Select the processing you want to perform on the Microsoft SQL Server logs collected: Archive all logs without any further processing; Process the logs with the rules selected below before archiving: SQL Server Audit; Noise reduction; Remove query duplicate entries; Database changes; Server changes; Logon/Logoff; SQL Server errors; Database access.)
   Screenshot 60: Microsoft SQL Database group, SQL Server Audit tab.
   6. Select the SQL Server Audit tab and configure the options described below.
   Table 39: Microsoft SQL Database group, SQL Server Audit (Option, Description)
   Archive all logs without further processing: Archive events in the GFI EventsManager database backend without processing.
   Process the logs with the rules selected below before archiving: Specify the rules to perform before archiving events in the GFI EventsManager database backend.
   Archive all scanned events in folder storage: Archives collected events into the GFI EventsManager storage folder. For more information refer to Configure storage folder.
   7. Select the Settings tab and configure the options described below.
   Table 40: Microsoft SQL Database group, Settings
   Scan all the events for all databases: All Microsoft SQL Server events are collected and processed by GFI E
25. 162 (UDP and TCP): Used by GFI EventsManager to receive SNMP traps. Ensure that this port is open on the machine where GFI EventsManager is installed.
514 (UDP and TCP): Used by GFI EventsManager to receive Syslog messages.
1433 (UDP and TCP): Used by GFI EventsManager to communicate with the SQL Server database backend. Ensure that this port is enabled on Microsoft SQL Server and on the machine where GFI EventsManager is installed.
1521 (UDP and TCP): Used to collect Oracle Server audit logs. Port 1521 is the default port for this connection. If the port is changed manually in the Oracle Listener's configuration, adjust firewall settings accordingly.
49153 (UDP and TCP): Used by GFI EventsManager to collect events from event sources running Microsoft Windows Vista or Microsoft Windows 7.

The table below specifies the firewall permissions required by GFI EventsManager.

Table 10: System requirements, firewall permissions
Firewall permissions and audit policies | Windows Server 2008 | Windows Server 2003 | Windows XP | Windows 7 | Windows Vista
Remote Event Log Management | Enable | Not applicable | Not applicable | Enable | Enable
File and Printer Sharing | Enable | Enable | Enable | Enable | Enable
Network discovery | Enable | Not applicable | Not applicable | Enable | Enable
Audit policy: Object access | Enable | Not applicable | Not applicable | Enable | Enable
(row label illegible in source) | Enable | Not applicable | Not applicable | Enable | Enable
Pr
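A quick way to confirm that the collector host can actually open TCP connections to an event source (or to the SQL Server backend) on the ports listed above, as an added example that is not part of the GFI EventsManager manual. The function names, the target host name EVENTSOURCE01 and the purpose labels are assumptions for illustration; the script uses .NET's TcpClient so it runs on the older Windows versions the manual covers. It checks TCP only: the UDP entries in the table (Syslog 514, SNMP 162) are connectionless and cannot be verified with a connect test.

```powershell
# Added example (not from the GFI EventsManager manual): check that this host can open TCP
# connections to an event source on the ports the manual requires. Host name and port list are
# assumptions for illustration; adjust them to your environment. UDP (Syslog 514, SNMP 162) is
# connectionless and is not verified by this test.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # WaitOne returns $false when the timeout elapses before the connect completes (filtered/dropped)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# TCP ports from the manual's ports table, keyed by the role the manual gives them.
$requiredPorts = [ordered]@{
    135   = 'RPC endpoint mapper (dynamic port discovery)'
    139   = 'NetBIOS session (event log descriptions)'
    445   = 'SMB (event log descriptions, W3C log shares)'
    1433  = 'SQL Server database backend'
    1521  = 'Oracle Listener (audit log collection)'
    49153 = 'Event collection from Windows Vista / Windows 7 sources'
}

function Test-EventSourcePorts {
    param([Parameter(Mandatory)][string]$ComputerName)
    $results = foreach ($entry in $requiredPorts.GetEnumerator()) {
        [pscustomobject]@{
            Target  = $ComputerName
            Port    = $entry.Key
            Purpose = $entry.Value
            Open    = Test-TcpPort -ComputerName $ComputerName -Port $entry.Key
        }
    }
    return $results
}

# Usage: replace the placeholder with a real event source or SQL Server host.
Test-EventSourcePorts -ComputerName 'EVENTSOURCE01' | Format-Table -AutoSize
```

Not every port applies to every host (1433 is the SQL backend, 1521 an Oracle server, the rest Windows event sources), so read the Purpose column against the role of the machine you tested rather than expecting every row to be open.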
26. 5260/4624 (Vista/Longhorn: successful logon) and event 540/4636 (Vista/Longhorn: successful network logon). The report shows all successful logons, enabling you to monitor the users successfully accessing the computers using various logon types.

Screenshot 27: Preview Report

Analyzing
The reporting system of GFI EventsManager comes with dedicated tools to help you analyze and export reports. Once a report is generated, select it from the list of Generated Reports and use the common controls, which help you run common report analysis commands. The available tools are described below.

Table 19: Analyzing reports tools
Print: Use the Print option to view a print preview, configure printer settings and print the selected report.
Open: Use the Open button to open the selected report in a browser. GFI EventsManager uses your default browser to view reports in HTML.
Open File Location: The Open File Location button enables you to access the folder containing the report for backup or archiving purposes.
Export to PDF: Use Export to PDF to export the selected report to Portable Document Format.
Delete: Click Delete to remove a generated report from the list.

5 Creating custom reports
Creating custom reports requires attention while setting up conditions. Conditions are set to determine what is filtered and presented in the report. Failing to configure conditions properly generates unwanted noise and i
27. Access Components (MDAC) 2.8 or later; a mail server when email alerting is required. Microsoft Data Access Components (MDAC) 2.8 can be downloaded from http://www.microsoft.com/Downloads/details.aspx?familyid=6C050FE3-C795-4B7D-B037-185D0506396C&displaylang=en

3.3.3 Event source settings
The table below describes the configuration required for event sources.

Table 8: System requirements, event source settings
Windows event log processing: Enable remote registry.
W3C log processing: The source folders must be accessible via Windows shares.
Syslog and SNMP Traps processing: Configure sources (senders) to send messages to the computer IP where GFI EventsManager is installed.
Scanning machines with Windows Vista or later: Install GFI EventsManager on a computer running Windows Vista or later.
System auditing: Enable auditing on event sources. For information refer to Miscellaneous.

3.3.4 Ports and permissions
The table below specifies the ports required by GFI EventsManager.

Table 9: System requirements, ports and protocols
135 (UDP and TCP): Target machines use this port to publish information regarding available dynamic ports. GFI EventsManager uses this information to be able to communicate with the target machines.
139 and 445 (UDP and TCP): Used by GFI EventsManager to retrieve the event log descriptions from target machines.
28. Archive events in database: to archive all the events collected.

Screenshot 62: Microsoft SQL Database properties, General tab

4. In the General tab, configure the options described below.

Table 41: Microsoft SQL Database, General tab options
Inherit SQL Server post collecting processing from parent group: Inherits all settings from the parent group.
Archive events in database: Archive all events in the GFI EventsManager database backend without processing.
Process using these rule sets: Archive all events using the specified rules. Select the rules to apply.

Screenshot 63: Microsoft SQL Database properties, Connection Settings tab (the dialog reads: "Specify the connection parameters which GFI EventsManager will use to access and collect events from the SQL server. Logon credentials: Inherit the logon credentials from the parent group. By default GFI EventsManager performs event collection using the security context of the account under which the GFI EventsManager service is running. You may specify an alternate set of credentials to access the computers contained within this computer group"; options: Use Windows authentication / Use SQL Server credentials, with Username and Password fields)

5. Select Connection Settings and configure the options described below.

Table 42: Microsoft SQL Database, Connection Settings tab
OPTIO
29. Available profile actions include: Archive the event; Send email alerts to; Send network message to; Send SMS message to; Run file; Send SNMP Message.

9. Click Finish to finalize your settings.

Note: Once the new event processing rule is created, GFI EventsManager will display the new rule in the Event Processing Rules tab. To change the rule priority, right-click the rule and select Increase/Decrease priority.

8.4 Creating a new rule from an existing event
GFI EventsManager enables you to create new rules based on the information of existing events. To create a new rule from an existing event:

1. From Events Browser, locate the event log that you want to base the rule upon.

[Screenshot: Events Browser. The left pane lists the views All Events, Microsoft SQL Server Audit Messages, Oracle Audit Messages, Text Logs, Windows Events, Syslog Messages, SNMP Traps Messages and All critical and high importance events. Common Tasks: Customize browser layout, Open Quick Launch Console, Switch database. Actions: Create root view, Create view, Edit view, Delete view, Find events, Export events to CSV file. The All Events view of the main database shows 29,666 events.]
30. EventsManager: devices connected and disconnected on your network; access allowed or denied by GFI EndPointSecurity to users.

Screenshot 74: Event generated by GFI EndPointSecurity (an "Access allowed" event for user bjones on a USB disk device: Vendor Id 13FE, Product Id 1400, requested access Read only, application explorer.exe, process ID 3460, access mask 1179785; Log Name GFI EndPointSecurity, Source EndPointSecurity, Event ID 2000, Task Category Read Only Access, Level Information, Keywords Classic/Audit Success, Computer winselva)

To configure the logging options in GFI EndPointSecurity:
1. From the GFI EndPointSecurity machine, launch the GFI EndPointSecurity management console.
2. Click Configuration tab > Protection Policies.
3. From the left pane, select the protection policy and click Set Logging Options.
4. Customize the settings available in the Logging Options dialog.

For more information on how to configure GFI EndPointSecurity logging options, refer to the GFI EndPoin
31. ISSUE | DESCRIPTION AND SOLUTION

Error message: Not connected to the database
Description: This error is encountered when GFI EventsManager is unable to connect with the SQL database or the database connection was interrupted.
Solution: The following links contain information on how this issue can be solved:
How to debug "Failed to connect to database": http://kbase.gfi.com/showarticle.asp?id=KBID002855
How to configure SQL Server 2005/2008 to accept SQL Authentication: http://kbase.gfi.com/showarticle.asp?id=KBID002804
How to configure SQL Server 2000 to accept SQL Authentication: http://kbase.gfi.com/showarticle.asp?id=KBID002805
Enabling TCP/IP on Microsoft SQL Server 2005: http://kbase.gfi.com/showarticle.asp?id=KBID002920
How to create a new database in Microsoft SQL Server: http://kbase.gfi.com/showarticle.asp?id=KBID003379

Error message: Primary Filegroup Full
Description: This error is encountered when the GFI EventsManager database backend has a maximum file size limitation and is unable to store any further data.
Solution: Configure the database backend to allow a larger file size. This can be done on both Microsoft SQL Server and Microsoft SQL Server Express edition. For more information on how to change the maximum file size, refer to http://kbase.gfi.com/showarticle.asp?id=KBID003670

Error message: Could not comp
32. Screenshot 42: Generate configuration report (event source properties pane: Licensing Type Server (Inherited), Inherit licensing type from group, Exclude from synchronization; event source groups listed: Web Servers (0), File Servers (0), Linux Hosts (10), Cisco PIX & ASA devices (0), E-mail Servers (0), Archive all Windows logs (Non DC) (0); Common Tasks: Delete, Scanning options, Properties, Report on settings, Report on rules, Create group, Add new event source, Scan local domain, Open Quick Launch Console)

2. Right-click an event source and click Report on rules.

5.11 Operational history
GFI EventsManager's operational history can be exported for further analysis and archiving purposes. Operational history messages provide administrators with information as described in the table below.

Table 28: Operational history reports
Date/Time: Date and time when the message was generated.
Machine: Event source that generated the message.
Source: Source operation that caused the message to be generated. Amongst others, these include EvtCollector (message generated while collecting event logs), SNMP TrapsServer (message generated while collecting SNMP Traps messages) and EnterpriseMaintenance (message generated during database maintenance jobs).
Job ID: An internal ID associated with the job.
Log file name: Type of logs collected. Amongst others: Application, Security. Logs generated by othe
33. Screenshot 118: GFI EventsManager Status, General view (charts: Events Count By Database Fill Up; top accounts listed include NETWORK SERVICE, SYSTEM, Administrator and John Smith; event categories: Windows events, Text Events, Syslog Messages, SNMP Traps Messages, SQL Server Messages, Oracle Server Messages, Critical and High Importance Events, Top Services Status Events, Top Network Activity Events)

To access the General view, go to Status tab > General. This view is used to:
View the status of the GFI EventsManager event processing engine.
Access statistical information such as the number of logon events, critical events and service status events.

The General view of the Status tab is made up of the sections described below.

Table 70: Status monitoring, General view
Top Important Log Events: Use this section to select the chart type for top events. The Top Important Log Events section provides statistical information about: Top 10 successful logon events outside working hours; Top 10 important logon events during working hours; Top 10 failed logon events. Events in this section are filtered by Machine (select a machine or key in a machine name in the drop-down list) and Period (the time period when the events occurred: Last hour, Last 24 hours, Last 7 days or a specific date).
Critical and High Importance Events: The Critical and High Importance Events section provides statis
34. Next.

Screenshot 132: Import from SQL Server database, Decrypt anonymized data (options: Enable decryption, Decryption key, Confirm key; Use secondary decryption key, Decryption key, Confirm key)

5. If the target database to import is anonymized, select Enable decryption and specify the encryption password used to protect the database.
6. (Optional) If the database is protected by two encryption passwords, select Use secondary decryption key and specify the second encryption password. Click Next.
7. (Optional) Specify filtering conditions to filter out unwanted data. Leave it blank to export all the data in the database. Click Next.
8. Select when the job is executed. The table below describes the available options.

Table 79: Database operations, schedule options
Schedule job: The job will be saved and executed according to the database operations schedule. For more information refer to Configuring database operations.
Run the job now: Job is executed immediately. Unscheduled jobs only run once.

9. Click Finish.

12.5.4 Import from legacy files
To create an import from legacy files job:
1. Click Configuration tab and select Options.

[Screenshot: GFI EventsManager console, Configuration tab]
35. Screenshot 149: Local security policy window (Security Settings > Local Policies > Audit Policy; the listed policies, including Audit system events, are set to Success, Failure; the tree also shows IP Security Policies on Local Computer and Advanced Audit Policy Configuration)

3. From the right panel, double-click Audit object access.
4. From the Audit object access Properties, select Success and Failure and click OK.

Screenshot 150: Audit object access Properties (the dialog warns: "This setting might not be enforced if other policy is configured to override category level audit policy. For more information see Audit object access (Q921468)")

5. From the right pane, double-click Audit process tracking.
6. From the Audit process tracking Properties, select Success and Failure and click OK.

Screenshot 151: Audit process tracking Properties (the dialog carries the same override warning, referring to Audit process tracking (Q921468))

7. From the Audit process tracking Properties, select Success and Failure and click OK.
8. From the right panel, double-click Audit account management.
9. From the Audit process tracking Properties, select Success and Failure and click OK.

[Screenshot: Audit account management Properties, Local Security Setting tab; the dialog warns: "This setting might not be enforced if other polic
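The same audit settings the steps above apply through secpol.msc can be set and verified from the command line with auditpol, which is what you would use to roll them out to many event sources. This is an added example, not part of the GFI EventsManager manual; the function names are assumptions for illustration. One naming caveat it handles: the Local Policies entry "Audit process tracking" is the auditpol category "Detailed Tracking". The verification step matters because of the warning shown in the dialogs above: when subcategory (Advanced Audit Policy) settings are in force they override the category-level setting, so the script reads back the effective per-subcategory policy rather than trusting the set call.

```powershell
# Added example (not from the GFI EventsManager manual): set the audit policy the manual configures
# through secpol.msc with auditpol instead, and verify the effective setting. Run in an elevated
# PowerShell on the event source. Function names are assumptions for illustration.
# Naming: "Audit process tracking" in Local Policies is the auditpol category "Detailed Tracking".
$categories = @('Object Access', 'Detailed Tracking', 'Account Management')

function Enable-AuditCategory {
    param([Parameter(Mandatory)][string]$Category)
    # auditpol writes the subcategory-level policy (the Advanced Audit Policy layer), which is the
    # layer that overrides the legacy category-level setting when both are configured.
    auditpol /set /category:"$Category" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for category '$Category'" }
}

function Test-AuditCategory {
    param([Parameter(Mandatory)][string]$Category)
    # /r prints CSV with a header line; "Inclusion Setting" holds the effective setting per subcategory.
    $rows = auditpol /get /category:"$Category" /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv
    $notEnforced = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
    return ($notEnforced.Count -eq 0)
}

foreach ($c in $categories) {
    Enable-AuditCategory -Category $c
    $ok = Test-AuditCategory -Category $c
    '{0,-20} {1}' -f $c, $(if ($ok) { 'Success and Failure' } else { 'NOT fully enabled' })
}
```

If a category reports "NOT fully enabled" after the set call, a Group Policy object is most likely reapplying a different audit policy to the machine; in that case the change belongs in the GPO, as the manual's note on deploying permissions via Group Policy suggests, rather than in the local policy.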
36. Properties

Screenshot 79: Computer group properties, configuring W3C event processing parameters (tabs: Servers, Windows Event Log(s), Syslog, SNMP Traps, Audit, Text Logs; "Specify the text logs files to collect from, archive and process"; log folders list (e.g. C:\TextLogs); options: Clear collected events after completion, Process subdirectories, Parsing schema (w3c, csv, ESM Logs); post-collection processing: Archive all logs without any further processing / Process the logs with the rules selected below before archiving; rule sets to apply under Text Logs: HTTP protocol logs, FTP protocol logs, SMTP protocol logs)

2. Click Text Logs and configure the options described below.

Table 54: Configuring W3C processing
Specify the files in W3C format to collect: Click Add to specify the log file name and location. Wildcards are supported.
Clear collected events after completion: Select this option to clear events collected from event sources.
Process subdirectories: This option enables you to recursively scan the specified path that contains W3C logs.
Parsing schema: Select the schema in which W3C logs are interpreted. Select from: W3C, CSV, EMS Logs.
Archive all logs without further processing: Select this option to archive the processed W3C logs without applyi
37. SNMP traps from target machines.

Screenshot 53: Browse the network for connected computers (dialog to select computers from a domain)

6. (Optional) Click Import to import computers from a text file. Ensure that the text file contains only one computer name or IP per line.
7. Click Finish to finalize your settings. GFI EventsManager will attempt to collect logs from the configured sources immediately.

Note: If synchronization is not enabled, you can use the Network Discovery Wizard to automatically search for and add event sources. To launch the Network Discovery Wizard, right-click All event sources from the event sources tree and select Scan local domain. For more information refer to Processing events from the local domain.

6.4 Configuring event source properties
GFI EventsManager allows you to customize the event source parameters to suit the operational requirements of your infrastructure. You can configure these parameters on a:
Computer by computer basis
Group by group basis

To configure event source properties:
1. From Configuration tab > Group Type, select Event Sources Groups.
3. To configure the parameters of:
Computer group: Right-click the computer group to be configured and select Properties.
Particular computer in a group: Right-click the required computer and select Pro
38. Start Guide

Screenshot 25: Generating a report (Reporting tab: Reset filter, Has Chart, Has Schedule; steps 1 Generate a report, 2 Select a report, 3 Preview Report; Generated/Export/Print controls; Common Tasks: Create Root Folder, Create Root Report)

1. From Reporting tab > Reports, right-click a report and select Generate Report.
2. Wait for the report to generate and view the results in the Preview Report section.

Note: Reports can also be generated by selecting a report from the list and clicking Generate Report at the top of the reporting page.

[Screenshot: report preview "Successful Logons Grouped By Users" (GFI EventsManager, event log monitoring, management and archiving), Found 103 matching records. Report description: "The report is based on event 526/4624 (Vista/Longhorn: successful logon) and event 540/4636 (Vista/Longhorn: successful network logon). The report shows all successful logons, enabling you to monitor the users successfully accessing the computers using various logon types and at the same time achieve compliance with the legal acts which require monitoring of access to the company's resources. The report is grouped by users, thus providing a quick view of the computers used by each user." Sample rows list the user (e.g. John Smith, ANONYMOUS LOGON), computer (TEMP), event ID 4624, the description "An account was successfully logged on", logon type (Network) and a timestamp.]
39. Working and non-working hours are based on the operational time parameters configured for your event sources. For more information refer to Configure operational time.

Screenshot 93: Create new events processing rule, Select the action (New Processing Rule Wizard: "Select what action to be taken when this rule is triggered"; options: Ignore the event, Use the default classification actions, Use the following actions profile; the New actions profile editor has an Action Profile Name and the actions Send email alerts to, Send network message to, Send SMS message to, Run file (No File Configured), Send SNMP Message; the dialog notes that SNMP forwarding settings are changed under Alerting Options in Configuration)

8. Specify which actions are triggered by this rule and click Next. Available actions are:

Table 59: Configuring new events processing rules, actions
Ignore the event: Select this option so that GFI EventsManager will ignore the event and not trigger any actions or notifications.
Use the default classification actions: Select this option to use the preconfigured Default Classification Actions. For more information refer to Configuring Default Classification Actions.
Use the following actions profile: Click Edit and select an action from the New actions profile
40. and export data to and from GFI EventsManager version 8.x installations without data inconsistencies.
Import and export events to and from a storage folder, minimizing data loads from the database.

This chapter includes sections containing information about:
Why database maintenance
Creating a new database backend
Configuring Database Operations
Creating maintenance jobs
Editing existing maintenance jobs

12.2 Why database maintenance
Periodic database maintenance is essential in preventing excessive data growth in the database backend. A database which is large in size drastically affects the performance of GFI EventsManager: events browsing will be slower and queries will take longer to execute. Through GFI EventsManager, a number of database operations, referred to as maintenance jobs, can be carried out on the database backend. These include:

Table 73: Available database operations
Import from file: The Import from file job enables you to import data as part of the data centralization process. Only files created from an Export to file job are supported for import.
Export to file: The Export to file job enables you to export data into a file to import into another instance of GFI EventsManager, or to archive in an external storage media for safekeeping.
Import from SQL Server database: The Import from SQL Server database job enables you to import events collected from an older
41. can configure, remove or add custom event logs.

Screenshot 86: Custom event logs setup (Configurations tree showing Performance Options, File storage, Database Operations, Custom Event Logs)

2. From Configurations, right-click Custom Event Logs and select Edit custom logs.

Screenshot 87: Custom event logs dialog ("Add custom event logs from which GFI EventsManager can retrieve and process event records"; custom logs listed include Windows PowerShell and GFI EndPoint Security; the Add custom log dialog asks for a Log name, shown as New Custom Event Log Name)

3. Click the Add button and specify the name of your custom event log.
4. Click OK to finalize settings.
5. (Optional) Click Edit to rename the selected custom event, or click Remove to delete the selected custom event.

7.6.1 Configure storage folder
GFI EventsManager can be configured to archive events in a storage folder after applying processing rules. This feature allows the system to store all the events retrieved from event sources on the local host where GFI EventsManager is installed.

To configure the storage folder:
1. Click Configuration tab > Options.
2. From Configurations, right-click Database and Files Backend and select Configure file storage.

[Screenshot: Archive storage folder dialog, General tab]
42. configure Windows Event Log collection and processing parameters:
1. From Configuration tab > Event Sources, right-click an event source group and select Properties.
2. Click Windows Event Log and configure the parameters described below.

Table 53: Configuring Windows Event Log processing
Specify the logs to collect: Click Add to select the Windows Logs and/or Applications and Services Logs to collect. You can also add custom logs to be collected by event sources in this group. For information refer to Collecting custom events.
Clear collected events after completion: (Optional) Select this option to clear the collected events from event sources after they have been processed.
Archive all logs without any further processing: Select this option to archive the processed W3C logs without applying further checks.
Process the logs with the rules selected below before archiving: Select this option and select the events processing rules you want to run against the collected events.
Write extended tags to database: Add extended fields to the database. Extended fields contain data from event descriptions and are added by a common name.

[Screenshot: Computer group properties, Windows Event Log tab (tabs: Servers, Logon Credentials, Operational Time, Windows Event Log, SNMP Traps, Audit): "Specify the Windows event logs to collect, archive and process"; the list of logs to collect shows Security Events]
43. describes how to configure the permissions and ports that are required by GFI EventsManager manually. This process has to be done on each machine to scan. This section contains information about:
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008 (including R2)

Note: In a Windows 2003 or 2008 Active Directory environment, settings can be deployed automatically via Group Policy Object (GPO). For more information refer to Enabling permissions on event sources automatically.

13.1.1 Microsoft Windows XP
To enable permissions and open the required ports on Microsoft Windows XP target machines:
1. Click Start > Control Panel > Windows Firewall > Exceptions tab.

Screenshot 142: Firewall rules on Microsoft Windows XP (Windows Firewall dialog, Exceptions tab; Programs and Services list: EventsManager, File and Printer Sharing, Network Diagnostics for Windows XP, Remote Assistance, Remote Desktop, UPnP Framework; buttons Add Program and Add Port; option "Display a notification when Windows Firewall blocks a program")

2. Enable File and Prin
44. events. Oracle audit events are stored in a specific table on the Oracle server. GFI EventsManager collects and processes these events. GFI EventsManager can also alert you via email, network or SMS notifications when specific events occur.

Database operations (WAN Connector): The Database Operations module enables you to collect event data from GFI EventsManager installations on multiple sites and locations across your network into a central database. This add-on integrates and centralizes events collected and processed, and allows you to back up and restore events on demand. Through Database Operations you can manage the size of the database without the need for manual intervention, not only through centralization but also by being able to export events and back them up as needed.

Management Information Base: Management Information Bases (MIBs) contain definitions and device information that are provided by device manufacturers. GFI EventsManager ships with MIB definitions for the following vendors: Cisco, 3Com, IBM, HP, Check Point, Alcatel, Dell, Netgear, SonicWall, Juniper Networks, Arbor Networks, Oracle, Symantec, Allied Telesis and others. GFI EventsManager also allows you to edit the MIB tree.

Anonymization: GFI EventsManager has built-in security features that help you encrypt your data for legal compliance purposes. Anonymizing your data helps you hide personal information from the Dashboard, Events Browser and exported events. To view these
45. events, a decryption password is required.

1.5 How does GFI EventsManager work?

Figure 2: The GFI EventsManager operational stages (log sources: W3C log format, Windows EventLog (EVT), SQL Server trace messages, Oracle server audits, Syslog, SNMP, coming from Windows servers and workstations, Linux hosts and network devices; Stage 1, Event Collection: Log Retrieval Engine, Log Receiving Engine, SQL Server Listener, Syslog Server; Stage 2, Event Processing: classify events, archive according to the configured settings, trigger actions; outputs: events storage folder, events database, email alert, SMS alert, net send message)

The operational functionality of GFI EventsManager is divided into two stages, described below.

1.5.1 Stage 1: Event Collection
During the Event Collection stage, GFI EventsManager collects logs from specific event sources. This is achieved through the use of two event collection engines: the Event Retrieval Engine and the Event Receiving Engine.

Table 2: GFI EventsManager engines
The Event Retrieval Engine: The Event Retrieval Engine is used to collect Windows Event Logs and W3C logs from networked event sources. During the Event Collection pr
46. granular level. Rules allow you to configure and trigger actions whenever an event fits one or more specific conditions. Example: you can create a rule which archives only events having event ID 231, regardless of their classification. GFI EventsManager supports the following actions:

Table 65: Supported alerting actions
Archive the event: Archives the classified event into the GFI EventsManager database back end.
Send e-mail, SMS, network or SNMP notifications to: Sends email, SMS, network or SNMP alerts to specific recipients.
Run File: Runs an executable file. Files that can be executed include VBScripts (.VBS), batch files (.BAT) or another executable type of file (.EXE). You can also specify any command line parameters to pass on to the executable file.

9.2 Configuring Default Classification Actions

[Screenshot: GFI EventsManager console, Configuration tab > Options; Configurations tree: Default Classification Actions, Users and Groups, Console Security and Audit Options, Alerting Options, Syslog Server Options, SNMP Traps Options, Performance Options, File storage; the Default Classification Actions pane offers Edit defaults ("Here you can configure the default classification actions")]
47. importance, monitored machine, event id.

Screenshot 101: Configuring Network alerts, Format message dialog

3. Click Insert tag to select from a list of tags to include in the message.
4. Click Save and OK to finalize your settings.

9.3.3 Configuring SMS alerts
To configure SMS alerts:

Screenshot 102: Configuring SMS alerts (Alerting Options dialog, SMS tab: "Specify settings for available SMS systems through which SMS alerts will be sent"; Select SMS: In-built GSM SMS Server; properties for the selected SMS system: Service Center Number, COM Port, Baud Rate, Initialisation String; optional settings: Format SMS message)

1. From the Alerting Options dialog, click the SMS tab.
2. Configure the options described below.

Table 67: Alerting Options dialog, SMS
Select SMS: Select the SMS service used to send SMS alerts. Available services include: in-built GSM SMS Server; FaxMaker SMS service provider template; Clickatell Email2SMS Service; Generic SMS service provider template.
Set properties for the selected SMS system: Configure the properties for the selected SMS service type. Amongst others, property settings include: Service center number; COM Port; Baud Rate; SMTP Server; SMTP Port. Click Edit to configure the selected property.
Format SMS message: Optionally, from the Format Email Me
48. or db_extended (db,extended on latest versions of Oracle).
4. Save and restart the Oracle server.

6.6.2 Adding a new Oracle Server group
To add a new Oracle Database group:
1. Click Configuration > Event Sources and, from the Group Type, select Database Servers Groups.

Screenshot 65: Database Servers Groups (Group Type selector: Event Sources Groups / Database Servers Groups)

2. From the right panel, right-click Oracle Servers and select Create group.

Screenshot 66: Oracle Database group, General tab (tabs: General, Logon Credentials, Operational Time, Oracle Audit; "Enter a group name and description for the database servers you want to include in this group"; Group Name: New Oracle Group; Description: Default group for computers running Oracle Servers; Collects logs from the database servers included in this group; Schedule scanning: Once every 15 Minutes; Maintenance: Delete audit logs older than [n] days from the Oracle Server, Cleanup old entries every [n] hours)

3. In the General tab, configure the options described below.

Table 46: Oracle Database group, General tab
Group Name: Key in a group name to identify the Oracle Database group.
Description: (Optional) Key in a description.
Collects logs from the database servers included in this group: Collects events from the event sources in the Oracle group
...or SNMP alerts are enabled. This may also be problematic when archiving is enabled for Low importance events.

9.3 Configuring Alerting Options

Alerting options enable you to configure which alerts are triggered when particular events are captured. For example, you can configure GFI EventsManager to send an email and an SMS alert to one or more recipients when a Critical event is processed.

Screenshot 98: Configuring Alerting Options (Configuration tab > Options > Alerting Options. Edit alerting options: configure the SMTP server used to send email alerts, the SMS gateway used to send alerts by SMS, or the SNMP traps alerting settings. Edit alerting recipients: configure the contact details of the alerting recipients and manage user accounts.)

To configure Alerting Options:
1. Click the Configuration tab and select
...in order to import them at another location as part of the data centralization process. You can also burn the exported files for safekeeping.
Import from SQL Server database: Imports data from a SQL Server database created with an older version of the product.
Import from legacy files: Imports data from files created with an older version of the product.
Import from legacy file storage: Imports data from an older file storage.

Screenshot 134: Import from legacy files

3. Click Next at the wizard welcome screen and select Import from legacy files as the job type. Click Next.
4. Specify the location or browse for the legacy file to import. Click Next.
5. (Optional) If the legacy files are encrypted, select Decrypt the files using the following password and specify the encryption password. Click Next.
6. (Optional) If the legacy files were anonymized, select Enable decryption and specify the decryption password.
7. (Optional) If the legacy file is protected by two anonymization passwords, select Use secondary decryption key and specify the second password. Click Next.
8. (Optional) Specify filtering conditions to filter out unwanted data. Leave the conditions blank to import all the data in the file. Click Next.
9. Select when the job is executed. The table below describes the available options.

Table 80: Database operations, Schedule options
Schedule job: The j
...product and receive a free 30-day trial. Once the trial period expires, all event log monitoring and management services are disabled and a full license key is required.

To register and receive a 30-day trial license key:
1. Click the General tab.
2. Click the provided link. This takes you to the GFI website, where you can enter your details and receive the license key by email.

The email address you provide in the registration form is where your free 30-day trial key will be sent. If you have a spam filtering system, make sure the email is not blocked as spam.

13.6.3 Viewing license details
1. Click the General tab.
2. From the left pane, click the Licensing option. Licensing details are displayed in the right pane of the management console.
3. To view license distribution details, click Show Details. This shows the number of event sources configured and the respective license type, such as Workstation or Server.

13.6.4 Updating license type

To change the type of license allocated to a specific event source:
1. Launch the computer or computer group properties dialog and click the Licensing Type tab.
2. By default, event sources inherit their licensing type from the parent group (Use the license type configured in parent group properties). To change the license type, select the Server License or Workstation option accordingly.

13.6.5 Purchasing a license key
1. Click the General tab.

Screenshot 163: Buy now button

2.
Screenshot 96: Configuring default classification actions (Configuration tab > Options > Default Classification Actions; Common Tasks: Edit defaults)

To configure default classification actions:
1. Click the Configuration tab and select Options.
2. From Configurations, right-click the Default Classification Actions node and select Edit defaults. This dialog provides the definition of the default alerting and archiving options. These options are referenced by the rules which process the collected logs, depending on the classification applied by the rule.

Screenshot 97: Default Classification Actions dialog (Critical events actions: Send email alerts to EventsManagerAdministrators; Send network message to: No Recipients Configured; Send SMS message to EventsManagerAdministrators; Configure button)

Unclassified events are all the events sent for processing which do not trigger any of the selected rules.

3. From the drop-down menu, select the event classification to be configured.
4. From the Action list, select the actions to be triggered for the selected classification.
5. Click Configure to specify any parameters required by the selected action.
6. Click OK to finalize your settings.

Warning: Running default actions on events classified as Low may cause a lot of network traffic when email, SMS, network
...time when the last message was received. The Server Message History section displays a list of all server messages, SNMP Traps and

11.4 Statistics view

Screenshot 120: GFI EventsManager Status, Statistics view (1: Select the event source for which to view the statistics, All Sources; 2: Today's Events Count chart by log type, 00:00 to 00:00; 3: Events Count By Log Type; 4: IP Activity Overview with per-source counts for Windows Events, Text Logs, Syslog Messages, SNMP Traps Messages, SQL Server Messages and Oracle Server Messages; Export data button)

To access the Statistics view, go to Status tab > Statistics. The Statistics view is used to display the daily event activity trends and statistics of a part
...to specify the rules to run, before archiving the selected events in the database backend.
7. Click OK.

6.6.3 Adding a new Oracle Server event source

To add a new Oracle Database to a database group:
1. Right-click the database group and select Add new Oracle Server.

Screenshot 68: Add new Oracle server (Select from which Oracle Servers you want to collect events. Add the following Oracle Server: 192.168.11.11; Oracle Servers: 192.168.4.17, 10.0.0.15)

2. Key in the server name or IP and click Add. To import a server list from a text file, click Import and locate the text file.

Click Configuration > Event Sources and, from Group Type, select Database Servers Groups.

Screenshot 69: Oracle Database General tab (192.168.11.11: Inherit Oracle Server post collection processing from parent group; specify the post collection processing for the events collected from the configured Oracle Server(s): Archive events in database, or Process using these rule sets: Noise reduction, Database changes, Server changes, Logon Logoff. Choose Archive events in database to archive all the events collected.)

3. From Groups, select Oracle Servers. Double-click the Oracle Database instance in the right pane
...which meets the minimum system requirements, irrespective of its location on your network.

If you want to collect event logs from Microsoft Windows Vista or later, GFI EventsManager must be installed on a machine running Microsoft Windows Vista, 7 or Server 2008.

Use GFI EventsManager to manage the events generated:
- By the same computer where it is installed.
- By all the computers that are reachable from the computer on which it is installed: workstations, servers and computers with Linux/Unix operating systems.

Figure 3: GFI EventsManager deployment scenario

GFI EventsManager can be deployed in a:
- LAN: Monitor the activity of internal servers and workstations (end points).
- DMZ: Monitor and manage the events generated on your servers.

3.2.1 Deploying GFI EventsManager in a Local Area Network

GFI EventsManager can be deployed on Windows-based networks as well as in mixed environments where Linux and UNIX systems are also used.

Figure 4: Deployment of GFI EventsManager in a LAN

When installed on a Local Area Network (LAN), GFI EventsManager can manage Windows events, W3C event logs, Syslog messages, SNMP Traps and SQL Server audit messages generated by any hardware or software connected to the LAN, including:

Table 3: Devices supported by GFI EventsManager
Workstations and lap
...your entire network. The event details shown in these reports include changes in user and computer accounts, as well as changes in security group policies.

Use the reports in this category to identify policy changes effected on your network.

Use the reports in this category to identify object access issues. The event details shown in these reports include successful and failed object access, and objects that have been deleted.

Use the reports in this category to identify faulty applications and application installation and removal issues. The event details shown in these reports include applications that have been installed or removed, as well as applications which are crashing and hanging.

Use the reports in this category to display details related to printing events. Details provided in these reports include the documents that have been printed, the users that triggered the printing event and the date and time when the printing operation took place.

Use the reports in this category to identify audit failures and important Windows event log issues. Details provided in these reports include the starting and stopping of event log services, clear-log operations, as well as errors generated during event logging.

Use the reports in this category to display statistical information related to event generation. The charts provided enumerate the 10 computers and users with the most events. Other reports provide event counts on a network-wide basis as well as on a compute
Screenshot 26: Report sample

5.6 Analyzing reports

(Screenshot: Reporting tab with Account Usage > Successful Logons Grouped By Users selected. Report description: "The report is based on event 528 (4624 on Vista/Longhorn), successful logon, and event 540 (4636 on Vista/Longhorn), successful network logon. The report shows all successful logons, enabling you to monitor the users successfully accessing the computers using various logon types and at the same time achieve compliance with the legal acts." Generated Reports: GHC Account Logons 20111205 203404.html, created 05/12/2011 20:34:10; Show HTMLs, Clear All. Found 103 matching records. Common Tasks: Create Root Folder, Create Root Report, Generate Report.)
11. Click OK.

Note: Adding event sources manually to a synchronized group is not allowed in GFI EventsManager.

6.3 Adding event sources

To add new event sources to a computer group:
1. Click the Configuration tab > Event Sources.
2. From Group Type, select Event Sources Groups.
3. Right-click a computer group of your choice and select Add new event source.

Screenshot 52: Add new event source wizard (Specify the computers from which GFI EventsManager will collect logs. Event sources are organized into event source groups; the event sources specified below will be added to the Workstations group. Add the following computers: WINSERV01, XP01, XP04.)

Note: In order to scan a Microsoft Vista or Microsoft Server 2008 machine, you must install GFI EventsManager on a Microsoft Vista or Microsoft Server 2008 machine.

4. Specify the name or IP of the new event source and click Add. Repeat until you have specified all the event sources to add to this group.
5. (Optional) Click Select to browse the network for existing domains and computers. Select the domain from the Domain drop-down list and select the computers to add.

Since Syslog and SNMP Traps use the IP address to determine the source of an event, it is recommended to use the source IP instead of the domain name when retrieving Syslog and
2. Both port settings are, however, customizable via the GFI EventsManager management console.

1.5.2 Stage 2: Event Processing

During this stage GFI EventsManager runs a set of Event Processing Rules against the collected events. Event Processing Rules are instructions that:
- Analyze the collected logs and classify processed events as Critical, High, Medium, Low or Noise (unwanted or repeated events).
- Filter events that match specific conditions.
- Trigger email, SMS and network alerts on key events.
- Trigger remediation actions, such as the execution of executable files or scripts, on key events.
- Optionally archive collected events in the database backend.

GFI EventsManager can be configured to archive events without running Event Processing Rules. In such cases, even though no rules are applied against the collected logs, archiving is still handled by the Event Processing stage.

After processing the rules, GFI EventsManager can be configured to store the collected events in a storage folder. The administrator can configure the path of the storage folder and which events are stored. This function minimizes database growth and allows the administrator to store only important events in the database.

Some of the key modules in GFI EventsManager must run under administrative privileges. For more information on these modules, refer to http://kbase.gfi.com/showarticle.asp?id=KBID001122
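The Stage 2 pipeline described above (classify, reduce noise, alert, archive) and the Default Classification Actions it references are easy to misconfigure in one direction: a noise-reduction rule that suppresses any repeated event will also suppress a password-guessing burst. The following is an added example, not GFI EventsManager code or its rule format, written to show the pipeline over a constructed batch of events. Rule names, field names (`source`, `log`, `event_id`), the thresholds and the action mapping are assumptions; the event IDs are standard Windows Security/System IDs.

```python
"""Added example (not GFI EventsManager code): a minimal Stage 2 rule pass.

Classifies a constructed batch as Critical/High/Medium/Low/Noise, suppresses
repeated low-value events as Noise, escalates repeated failed logons instead
of suppressing them, decides what is archived, and maps each classification
to default actions. Rule syntax, field names and thresholds are assumptions.
"""
from collections import Counter

# Default actions per classification (assumption modelled on the Default
# Classification Actions dialog, where Critical sends email and SMS).
DEFAULT_ACTIONS = {"Critical": ["email", "sms"], "High": ["email"],
                   "Medium": [], "Low": [], "Unclassified": []}

# Rule set: first match wins, so rules are ordered from most to least severe.
# Event IDs are standard Windows IDs; the matching logic is ours.
RULES = [
    ("Audit log cleared", lambda e: e["log"] == "Security" and e["event_id"] == 1102, "Critical"),
    ("Failed logon", lambda e: e["log"] == "Security" and e["event_id"] == 4625, "High"),
    ("Application crash", lambda e: e["log"] == "Application" and e["event_id"] == 1000, "Medium"),
    ("Windows Services status change", lambda e: e["log"] == "System" and e["event_id"] == 7036, "Low"),
]

BRUTE_FORCE_THRESHOLD = 5   # failed logons from one source per batch (assumed)
REPEAT_SUPPRESS_AFTER = 2   # copies of a Low event kept before the rest become Noise (assumed)


def classify(event):
    """Return (rule_name, level); events matching no rule are Unclassified."""
    for name, match, level in RULES:
        if match(event):
            return name, level
    return "Unclassified", "Unclassified"


def process(events):
    """Run the rule pass over one batch; returns archived events, alerts and counts."""
    failed_by_source = Counter(e["source"] for e in events
                               if e["log"] == "Security" and e["event_id"] == 4625)
    seen, sent = Counter(), set()
    archived, alerts, counts = [], [], Counter()
    for e in events:
        rule, level = classify(e)
        key = (e["source"], e["log"], e["event_id"])
        seen[key] += 1
        # Noise reduction applies to Low events only: a repeated service-state
        # message is noise, a repeated failed logon is an attack pattern.
        if level == "Low" and seen[key] > REPEAT_SUPPRESS_AFTER:
            level = "Noise"
        elif rule == "Failed logon" and failed_by_source[e["source"]] >= BRUTE_FORCE_THRESHOLD:
            rule, level = "Repeated failed logons", "Critical"
        counts[level] += 1
        if level == "Noise":
            continue                      # noise is neither archived nor alerted on
        archived.append({**e, "rule": rule, "importance": level})
        for action in DEFAULT_ACTIONS[level]:
            # one alert per (action, rule, source) per batch, so a burst of
            # Critical events does not become a burst of SMS messages
            if (action, rule, e["source"]) not in sent:
                sent.add((action, rule, e["source"]))
                alerts.append((action, level, rule, e["source"]))
    return {"archived": archived, "alerts": alerts, "counts": dict(counts)}


# Constructed sample batch (not real collected data).
SAMPLE_EVENTS = (
    [{"source": "WINSERV01", "log": "Security", "event_id": 4625, "user": "alice"}] * 6
    + [{"source": "TEMP", "log": "System", "event_id": 7036,
        "message": "The Multimedia Class Scheduler service entered the running state."}] * 4
    + [{"source": "WINSERV01", "log": "Security", "event_id": 1102, "user": "alice"},
       {"source": "XP01", "log": "Application", "event_id": 1000},
       {"source": "XP01", "log": "Security", "event_id": 4672, "user": "alice"}]
)

if __name__ == "__main__":
    result = process(SAMPLE_EVENTS)
    print(result["counts"])   # {'Critical': 7, 'Low': 2, 'Noise': 2, 'Medium': 1, 'Unclassified': 1}
    for alert in result["alerts"]:
        print("ALERT", alert)
```

The batch of 13 constructed events yields 11 archived events and four alerts: the six failed logons are escalated to one Critical email and one SMS rather than being collapsed as repeats, the third and fourth service-state messages are dropped as Noise, and the event that matches no rule is kept as Unclassified with no action, which is what the Default Classification Actions dialog means by unclassified events.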
...24 hours.

To configure a user to receive Daily Digest emails:
1. Launch GFI EventsManager and select Configuration tab > Options. Expand Users and Groups and select Users.
2. Right-click a user in the right pane and select Properties.
3. Select the General tab and ensure that a valid email address is configured.
4. Open the Alerts tab and select Send daily report via email.

Screenshot 38: Daily Digest email settings (EventsManagerAdministrator Properties, Alerts tab: specify the types of alerts this user should receive for events which happen during working hours or outside working hours: Email alerts, Network message alerts, SMS alerts)

5. Configure the time when the Daily Digest email is sent.
6. Click OK.

For more information, refer to Configuring users and groups.

(Sample Daily Report email: "GFI EventsManager Daily Report. You are receiving this email from GFI EventsManager. The following report contains an overview of the most important events collected and processed by GFI EventsManager." Report start date: 13/03/2010 11:30 AM; Report end date: 14/03/2010 11:30 AM; followed by Critical and High event counts and summaries.)
Screenshot 29: Creating a report, General tab

2. From the General tab, configure the options described below.

Table 20: Create Report dialog, General options
Name: Enter a name for the new report.
Description: Optionally, enter a report description.
Select sort column: Specify the column to sort by.
Ascending: Select Ascending to sort your report content from A to Z, as opposed to Z to A.
Add / Edit / Delete / Clear: Use these buttons to configure your report conditions. For more information, refer to Defining Restrictions. To copy report restrictions from an existing report, go to Reporting tab > Reports, right-click a report and select Copy Report Restrictions.

Screenshot 30: Creating a report, Layout tab (Check the columns that you wish to be visible, and their names, in the list view; you can also customize the order of their appearance. Column headings: log format, log name, event id, in work hours. Template path: C:\Program Files\GFI\EventsManager2012\Data\Templates; Open location.)

3. Click Layout to add the column headings that you want to be visible in your report. Use the Up and Down arrow buttons to arrange the order of their appearance. For more information, refer to Defining Column Headings.

(Create Report, chart options: Use graphical charts; Place chart at: Beginning of Report; Properties; Show table; Query data; Top 10 S
7, 141, 185
Database Operations 5, 141, 142, 145, 147, 149, 152, 153, 155, 157
Demilitarized Zone 13, 14
DNS server 9, 14, 91, 92, 187

E
Email Alerts 89, 114, 191
Event classification 4, 90, 114, 116, 191
Event color coding 1, 3, 4, 27, 31
Event finder tool 1, 3, 4, 27, 32
Event processing rules 1, 3, 4, 7, 70, 86, 87, 89, 90, 105, 106, 136, 191, 192
Event query 3, 4
Events Browser 1, 3, 8, 28, 31, 32, 111, 142
EventsManagerAdministrator 123, 127
Export events to CSV 33

F
firewall 17

G
GFI EndPointSecurity 61, 86, 87
GFI LANguard 61, 85, 86, 136

I
Installation wizard 188

L
License type 61, 182, 183
Licensing 2, 8, 18, 62, 158, 182, 183
Logon credentials 62, 67, 68, 72, 76, 79, 82

M
Management Information Base 5, 99, 192

N
Network alerts 7, 105, 124, 191, 192
Noise Reduction 4

O
Operational time 62, 68, 69, 72, 79, 109
Oracle database 3, 61, 77, 78, 79, 80, 81, 82, 83, 84

P
Performance Options 188

Q
Quick Start Dialog 21, 22, 24

R
Rule set 1, 89, 90, 105, 106, 107, 192

S
SMS alerts 191, 192
SNMP traps 3, 7, 9, 11, 16, 62, 65, 71, 89, 98, 99, 100, 101, 137, 138, 139, 191, 192
SQL Server audit 5, 9, 11, 13, 73, 89, 191
Storage Folder 7, 73, 103, 141
Syslog messages 7, 10, 13, 15, 16, 95, 97, 98, 192
Syslog server 10, 15, 95, 97, 98, 192

V
version information 158, 183, 184

W
W3C logs 3, 7, 9, 10, 62, 71, 89, 93, 94, 112, 186, 191, 193
WAN C
Export/Import Folder: Select the folder from which to import, or to which to export, data.
Data: Configure conditions to filter the event logs.
Data Protection: Enable or disable encryption. Specify a password to protect the exported or imported data.

12.6.2 Changing maintenance job priority

(Screenshot: Configuration tab > Options > Database Operations. "Here you can define maintenance jobs to import and export data from the EventsManager storage, and to import from SQL Server or legacy export files and legacy file storage. The maintenance jobs are executed sequentially, in priority order." Job list with ID, Job description and Enabled columns: E1275AD, Import files from folder C:\Users\John Smith\...; BEAOF393, Import legacy files from folder C:\Users\John...; B1C53A5D, Export to file in C:\Users\John Smith\Desktop, Enabled. Common Tasks: Create new job; Edit database operations options; Ope
(Screenshot: Events Browser, All Events, 4,585 events, Database: Main database. Context menu: Create rule from event, Create view from field, Find, Manage columns. Look for: General, In Column: Type. Event list of Success Audit entries. Fields pane: Importance: Low; Rule Name: Windows Services status change; Monitored machine: TEMP; Log Format: windows; Log Name: system; Event ID: 7036; In Work Hours: NO; Message: The Multimedia Class Scheduler service entered the running state; Online information: link to eventid.net for this event ID and source.)

GFI EventsManager enables you to build your own custom report, with graphs and statistics, based on a selected view from the Events Browser.

To report from a view:
1. From Events Browser > Views, select a view.

Screenshot 21: Report from view button (Events Browser, All Events, 4,585 events, Database: Main database)

GFI EventsManager ships a selection of predefined reports. We recommend that you check the available reports prior to creating new ones, to avoid having duplicate reports.

2. Click Report from view from the top right cor
Screenshot 84: Configuring SNMP Traps (Configuration tab > Options > SNMP Traps Options: here you can configure the SNMP Traps server options. Common Tasks: Edit SNMP Traps options.)

To change the default SNMP Trap Server settings:
1. Click the Configuration tab > Options.
2. Right-click SNMP Traps Options and select Edit SNMP Traps options.

(SNMP Traps Options dialog, General and Specific Trap Type tabs. General: Configure the in-built SNMP Traps server options. To receive messages from SNMP Traps clients, enable the GFI EventsManager SNMP Traps server and specify the port on which the server will run. Enable in-built SNMP Traps server on the TCP port 162; Enable in-built SNMP Traps server on the UDP port 162.)

1. Configure the SNMP Traps clients to send messages to this server.
2. Specify the client names or IP addresses in a computer group which is configured to accept SNMP Trap
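Two points from this section and from the note on adding event sources are worth seeing in code: the trap server attributes a trap to the IP address of the sender, and an SNMPv1/v2c trap carries nothing stronger than a plaintext community string, so anyone who can reach port 162 can deliver a datagram that claims to come from a monitored device. The following is an added example, not GFI EventsManager code, that BER-encodes a constructed SNMPv1 Trap-PDU (the RFC 1157 layout), decodes it back, and applies an accept policy of the kind the in-built server needs: the UDP source must be in an SNMP-enabled computer group, the community must match, and the sender-written agent-addr must equal the UDP source. The policy, the helper names and the assumption that varbind values are OCTET STRINGs are ours.

```python
"""Added example (not GFI EventsManager code): BER-encode, decode and
policy-check an SNMPv1 Trap-PDU (RFC 1157) as received on port 162.
Varbind values are assumed to be OCTET STRINGs; the accept policy is ours."""

def _length(n):                      # BER length, short or long form
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_int(value, tag=0x02):        # non-negative INTEGER, or TimeTicks with tag 0x43
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                   # remaining 7-bit groups, high bit set
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def build_v1_trap(community, enterprise, agent_ip, generic, specific, uptime, varbinds):
    """Message { version 0, community, Trap-PDU [4] { enterprise, agent-addr,
    generic-trap, specific-trap, time-stamp, variable-bindings } }."""
    vbl = b"".join(tlv(0x30, enc_oid(o) + tlv(0x04, v.encode())) for o, v in varbinds)
    pdu = (enc_oid(enterprise) + tlv(0x40, bytes(int(o) for o in agent_ip.split(".")))
           + enc_int(generic) + enc_int(specific) + enc_int(uptime, 0x43) + tlv(0x30, vbl))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + tlv(0xA4, pdu))

def _read(buf, pos):                 # one TLV at pos -> (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_v1_trap(datagram):
    tag, msg, _ = _read(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, p = _read(msg, 0)
    _, community, p = _read(msg, p)
    tag, pdu, _ = _read(msg, p)
    if int.from_bytes(version, "big") != 0 or tag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, p = [], 0
    for _ in range(6):               # enterprise, agent-addr, generic, specific, ticks, varbinds
        _, value, p = _read(pdu, p)
        fields.append(value)
    enterprise, addr, generic, specific, ticks, vbl = fields
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read(vbl, q)
        _, oid, r = _read(vb, 0)
        _, val, _ = _read(vb, r)
        varbinds.append((dec_oid(oid), val.decode("utf-8", "replace")))
    return {"community": community.decode("utf-8", "replace"), "enterprise": dec_oid(enterprise),
            "agent_addr": ".".join(map(str, addr)), "generic_trap": int.from_bytes(generic, "big"),
            "specific_trap": int.from_bytes(specific, "big"), "uptime": int.from_bytes(ticks, "big"),
            "varbinds": varbinds}

def accept_trap(datagram, udp_src_ip, allowed_sources, expected_community):
    """Policy a trap receiver needs before filing a datagram under udp_src_ip."""
    try:
        trap = parse_v1_trap(datagram)
    except (ValueError, IndexError) as exc:
        return False, f"malformed: {exc}"
    if udp_src_ip not in allowed_sources:
        return False, "UDP source is not in an SNMP-enabled computer group"
    if trap["community"] != expected_community:
        return False, "community string mismatch"
    if trap["agent_addr"] != udp_src_ip:   # sender-controlled field: NAT, or spoofing
        return False, "agent-addr differs from UDP source"
    return True, "ok"
```

A constructed trap from 192.168.11.11 (enterprise 1.3.6.1.4.1.8072, generic-trap 6, one sysName varbind) round-trips through `build_v1_trap` and `parse_v1_trap`; the same datagram arriving from 10.0.0.15 is rejected before its contents are trusted. Because both the UDP source and agent-addr are set by whoever sends the packet, the community string and the computer-group membership are the only checks available for v1 and v2c, which is why the listener on port 162 should also be reachable only from the management network.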
Database Operations.
2. From Configurations, right-click Database Operations and select Create new job.

Screenshot 130: Import from SQL Server database (New job wizard, Job Type: Import from file: Import data as part of the data centralization process; the file to import from needs to be created by the Export to file job. Export to file: Export data from this instance to files in order to import them at another location as part of the data centralization process. Import from SQL Server database: Imports data from a SQL Server database created with an older version of the product. Import from legacy file storage: Imports data from an older file storage.)

3. Click Next at the wizard welcome screen and select Import from SQL Server database as the job type. Click Next.

Screenshot 131: Import from SQL Server database, select the database to import (Database settings: specify the name or IP of the machine containing the SQL Server/MSDE database to use. Server/Machine: SQLSERVER; Database: EventsManager; Use Windows authentication or Use SQL Server authentication with User and Password.)

4. Select the SQL Server and the respective database to import, and specify the SQL Server login credentials. Click
...EventsManager requires a valid administrator email address in order to distribute automatic alerts when particular events are discovered. For every user, including the administrator, you can configure the following parameters:
- Contact details, including email address and phone number
- The typical working hours
- The type of alert to send during and outside working hours
- The notification group to which the user belongs

To configure the GFI EventsManagerAdministrator account:
1. Click the Configuration tab and select Options.

Screenshot 104: Users (Configuration tab > Options > Users and Groups > Users: define the recipient information of each user who will be alerted by EventsManager when specific rules are triggered. It is recommended to assign users to groups and set groups for alerts. Columns: Name, Description, Effective Rights; EventsManagerAdministrator: This user has full privileges. Common Tasks: Create user.)
You can click Add to specify a path and database name. Click Edit to edit the specified information.

5 Reporting

5.1 Introduction

GFI EventsManager provides a fully fledged reporting system. It ships with a number of reports, including technical and executive-level reports, showing graphical and statistical information based on the hardware and software audited by GFI EventsManager.

This chapter contains the following sections:
- Navigating the Reports tab
- Available reports
- Managing reports
- Generating reports
- Analyzing reports
- Creating custom reports

5.2 Navigating the Reports tab

(Screenshot: Reporting tab, Account Usage > Successful Logons Grouped By Users. Report description: "The report is based on event 528 (4624 on Vista/Longhorn), successful logon, and event 540 (4636 on Vista/Longhorn), successful network logon. The report shows all successful logons, enabling you to monitor the users successfully accessing the computers using various logon types and at the same time achieve compliance with the legal acts." Other reports in the category: Logoff Events, Account Lockouts, Successful Logon Count on each..., Failed Logon Count on each.... Generated Reports: Generate Report, Show HTMLs, Cle
...ML2PDF.exe
Imports configuration from a data folder or from a configuration export file; used when preserving configuration. For more information, refer to Using ImportSettings.exe.
Exports configuration settings from a GFI EventsManager installation to a configuration file. For more information, refer to Using ExportSettings.exe.
Use this tool to manually sync all event sources with GFI EventsManager.
Use this tool to launch the GFI EventsManager troubleshooter module.
Use this tool to manually check for GFI EventsManager program updates.

13.4.1 Using ESMCmdConfig.exe

To use ESMCmdConfig.exe:
1. Click Start > Run and key in CMD.
2. Press Ctrl+Shift+Enter to run CMD with elevated privileges.
3. Change to the GFI EventsManager install directory: CD <C:\Program Files\GFI\EventsManager 2012>
4. Key in ESMCmdConfig.exe followed by any of the following functions.

Table 84: ESMCmdConfig.exe functions
Register Services: Registers the GFI EventsManager services using an administrator account. It is made up of: op registerService (parameter name); user <username> (specify the username); pass <password> (specify the password). Command: ESMCmdConfig.exe op registerService user Administrator pass 1234. Note that a password passed on the command line is recorded in the command prompt's history and, where process creation auditing with command-line logging is enabled (Security event 4688), in the Security log that GFI EventsManager itself collects; use a dedicated service account and rotate its password after registration if that audit setting is on.
Enable services: Enables the event log management features. Command: ESMCm
Inherit the logon credentials from the parent group: Select this option to inherit the login settings from the parent group.
Use Windows authentication: Connect to the Microsoft SQL Database using Windows authentication.
Use SQL Server credentials: Connect to the Microsoft SQL Database using a Microsoft SQL Database user account. Key in a username and password. Prefer Windows authentication where the collector's service account can be granted access, so that no SQL Server password has to be stored in the group properties.

Screenshot 64: Microsoft SQL Database properties, Settings tab (MS12002, SQLSERVER Connection Settings: Inherit the settings from the parent group; specify whether to collect the events from the SQL Server system databases and whether to collect events from other databases: Scan all the events for all databases; Scan only the security events for all databases; Scan all the events that are related to the following databases only: Main DB, Backup DB, Sales)

6. Select the Settings tab and configure the options described below.

Table 43: Microsoft SQL Database Settings tab options
Inherit the settings from the parent group: Inherits the settings from the parent group.
Scan all the events for all databases: Scan all databases and collect all events from the Microsoft SQL Server.
Scan only the security events for all databases: Scan all databases and collect only security events from the Microsoft SQL Server.
71. Once servers included in this group this option is enabled configure the Schedule scanning and Maintenance options Schedule scanning Specify the frequency to collect events on a pre defined schedule Maintenance Oracle audit events are stored in a specific audit table on the Oracle server To prevent excessive audit table growth configure the options in this section to delete audit logs and old entries on a pre defined time 4 Select Logon Credentials tab and key in a valid username and password to connect to the Oracle server 5 Select Operational Time tab and configure the normal operational time of the Oracle Database servers in this group Oracle Servers Logon Credentials Operational Time Oracle Audit Select the processing you want to perform on the Oracle Server z o logs collected 9 Archive all logs without any further processing Process the logs with the mules selected below before archiving E MO Oracle Audit E v Noise reduction Egle User based noise Database changes Server changes in w pe 0 Logon Logoff E Securty changes Screenshot 67 Oracle Database group Oracle Audit tab 6 Select Oracle Audit and configure the options described below Table 47 Oracle Database group Oracle Audit OPTION DESCRIPTION Archive all logs without further Enable to archive events in the database backend without processing processing Process the logs with the rules Select option
...Options.
2. From Configurations, right-click the Alerting Options node and select Edit alerting options. Select Edit alert recipients to configure the contact details of the alerting recipients and to manage user accounts. For more information, refer to Managing user accounts.
3. Configure the alerting method of your choice. The following sections describe how alerting is configured:
- Configuring email alerts
- Configuring network alerts
- Configuring SMS alerts
- Configuring SNMP alerts
- Configuring General alerts

9.3.1 Configuring email alerts

Screenshot 99: Configuring Email options (Alerting Options dialog, Email tab: specify the mail server settings to use when sending email alerts. Specify one or more mail servers, in order of priority; the alternative mail servers are only used when mail servers with higher priority cannot be contacted or return errors. Format Email Message button. Warning: sending email alerts as Unicode text will not work on some mail servers.)

To configure email alerts:
1. From the Alerting Options dialog, click the Email tab.
2. Configure the options described below.

Table 66: Alerting Options dialog, Email tab
Add / Remove / Edit: Click Add to specify the mail server details, including the server name or IP, logon credentials and recipient email address. Use the Remove or Edit b
73. Reporting. Date/Time: date and time when the message was generated. Machine: event source that generated the message. Source: source operation that caused the message to be generated; amongst others these include EvtCollector (message generated while collecting event logs), SNMP TrapsServer (message generated while collecting SNMP Traps messages) and EnterpriseMaintenance (message generated during database maintenance jobs). Job ID: an internal ID associated with the job. Log file name: type of logs collected; amongst others Application, Security, and logs generated by other applications such as GFI LanGuard and GFI EndPointSecurity. Message: the actual message generated while performing the job. To export Activity Overview: 1. From the GFI EventsManager Management Console, click Status > Statistics. [Screenshot 46: Activity overview, Export button] 2. Click Export data. [Export Activity Overview Data dialog: export messages to HTML/CSV format; specify data: all time, for a specific date, only computers with errors, not scanned in
74. S server log. Application and Services Logs. This log contains events generated by the Active Directory, including successful or failed attempts to update the Active Directory database. This log contains events recorded by the Windows File Replication service, including file replication failures and events that occur while domain controllers are being updated with information about Sysvol. This log contains events associated with the process of resolving DNS names to IP addresses. These logs contain events associated with Windows Vista and the related services and functionalities it offers. [Screenshot 77: Computer group properties, Configuring Windows Event Logs parameters] To
75. Scan all the events that are related to the following databases only: collect all events from the selected databases; use Add, Edit and Remove to manage database sources. 7. Click OK. 6.6 Oracle Server sources. GFI EventsManager enables you to collect and process events generated by Oracle relational database management systems. The following audits are collected and processed by GFI EventsManager (Table 44: Oracle Server supported audits): Session auditing: audit user sessions and database access. Statements auditing: audit SQL statements. Object auditing: audit queries and statements related to specific objects. The following Oracle Database versions are supported: Oracle Database 9i, Oracle Database 10g, Oracle Database 11g. 6.6.1 Pre-configuration settings for Oracle servers. Table 45: Oracle Server configuration stages. Step 1: before collecting events from Oracle servers, ensure that the account used to connect, set audits and access the audit table has the necessary permissions. Step 2: enable auditing on the Oracle server by changing startup parameters. To enable auditing: 1. Startup parameters for the Oracle servers are stored in <Oracle Home Directory>\admin\<Oracle SID>\pfile\init.ora. 2. Locate and open the parameters file using a text editor. 3. Locate the AUDIT_TRAIL parameter and change the default value to db
76. Rule name: name of the applied rule. Importance: the classified importance level of the collected event log, such as Critical, High, Medium, Low or Noise event. Logfile monitored: provides the category name of the collected event log, such as Security, System Health, Application or System. Conditions: the processing condition(s) for the selected rule; this includes Event IDs, Source, Category, User, Type and Advanced. Actions: describes the actions taken when the event is processed, including Archiving settings, Mail to settings and Threshold settings. To generate a rules report: 1. Click the Configuration tab > Event Sources. [Screenshot: Configuration tab, Event Sources Groups]
77. Use the Generated Reports section to view the history of a selected report from Section 1. This enables you to regenerate the report and export the report to HTML and/or PDF. The Preview Report section provides a view of a selected generated report. Use the control buttons to Print, Open, Export or Delete reports directly from this section. 5.3 Available reports. GFI EventsManager's extensive report list contains reports for various requirements, designed to facilitate reporting as much as possible. The following report categories are included in GFI EventsManager by default. Each category contains a number of reports that can be used out of the box or customized to fit your requirements. Table 16: Available reports. Report categories: Account Usage; Account Management; Policy Changes; Object Access; Application Management; Print Server; Windows Event Log System Events; Trend; All Critical; Miscellaneous; Customizable; PCI DSS Compliance; GCSx Code of Connection Requirements; SOX Compliance; HIPAA Compliance; GLBA Compliance; General and Security Requirements; LOGbinder SP reports. Descriptions: Use the reports in this category to identify user logon issues. The event details shown in these reports include successful/failed user logons and locked user accounts. Use the reports in this category to generate a graphical overview of important events that took place across
78. [Screenshot 78: Selecting the events to be collected] 3. Click OK to finalize your settings. Deleting event logs without archiving may lead to legal compliance issues. 7.3 Collecting Text logs. W3C is another log format supported by GFI EventsManager. W3C logs are text-based flat files containing various event details delimited by special characters. The W3C log format is most commonly used by hardware systems (for example servers and appliances) which have internet-specific roles. Microsoft Internet Information Server (IIS) and Apache web servers, for example, can collect web-related events such as web logs in the form of W3C-formatted text files. In GFI EventsManager, the configuration process of W3C log parameters is identical to that performed for Windows event processing, with one exception: unlike Windows Event Logs, there is no standard which dictates a specific or centralized folder location where W3C log files are stored on disk. Therefore, in order to collect W3C logs you must specify the complete path to these text-based log files. To configure W3C log collection and processing parameters: 1. From the Configuration tab > Event Sources, right-click an event source group and select
79. abase operations, Schedule options. Table 80: Database operations, Schedule options. Table 81: Database operations, Schedule options. Table 82: Database operations, Schedule options. Table 83: CMD tools. Table 84: CMD, ESMCmdConfig.exe functions. Table 85: CMD, Esmdlibm.exe functions. Table 86: Auto-update options. Table 87: Terms used in this manual. List of screenshots: Screenshot 1: The GFI EventsManager management console. Screenshots 2 to 63 (titles include: Pre-requisite check; Customer and License detail screen; Logon information screen; Quick Start Dialog; Events processed from local machine; Select the type of event source; Select computers from result; Process events from selected machines; GFI EventsManager Quick Launch Console; Events Browser; Custom view build
80. alog, General. Send email alerts on database errors: email alerts are sent upon database errors such as backup failure, data corruption, size exceeding the maximum size specified, and other database operation errors. Send email alerts on completion of database rollover: email alerts are sent when a database rollover is complete. 3. Click OK to finalize settings. 10 Configuring users and groups. 10.1 Introduction. Use the Users and Groups node to assign different console access privileges to GFI EventsManager users. Through this node, users and groups can be configured, amended or deleted. Working hours and alerts can also be configured and assigned to groups. Refer to the following sections for more information: Managing user accounts; Managing groups; Managing console security and audit options; Managing Database and Files Backend security. 10.2 Managing user accounts. This section contains information about: Configuring the administrator account; Creating a new user; Changing user properties; Deleting users. 10.2.1 Configuring the administrator account. GFI EventsManager will automatically create an EventsManagerAdministrator account. However, you must still configure details such as the email address and mobile number of the GFI EventsManager administrator. GFI
81. and configure the options described below. Table 48: Oracle Database, General tab options. Inherit Oracle Server post-collecting processing from parent group: select to inherit all settings from the parent group. Archive events in database: archive all events in the database backend without processing. Process using these rule sets: process all events using the specified rules; select the rules to apply. [Screenshot 70: Oracle Database, Connection Settings tab] 5. Select Connection Settings and configure the options described in the table below. Table 49: Oracle Database, General tab options. Inherit the logon credentials from the parent group: select to inherit login settings from the parent group. Port: key in the port to use to connect
82. [Screenshot 23: Navigating the Reporting UI] The Reporting tab consists of the sections described below. Table 15: Navigating the Reporting tab. The Reports section contains all the predefined reports that ship with the product. Use this section to organize and generate various reports, from technical to executive type. The Common Tasks section enables you to quickly launch typical operations, such as creating folder and report views to organize reports, and generating reports. From the Actions section you are able to create, edit or delete reports according to your needs. SEC
83. targets. You can create an inventory of wanted and/or unwanted applications and configure GFI LanGuard to automatically uninstall applications categorized as unwanted. For more information about GFI LanGuard refer to http://www.gfi.com/network-security-vulnerability-scanner. [Event 0, GFI LANguard, General / Details:] <?xml version="1.0"?> <LANguardEvent xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <computer><![CDATA[LUCIMAIN]]></computer> <highVulnerabilities>30</highVulnerabilities> <mediumVulnerabilities>21</mediumVulnerabilities> <lowVulnerabilities>13</lowVulnerabilities> <potentialVulnerabilities>1</potentialVulnerabilities> <missingServicePacks>1</missingServicePacks> <missingPatches>2</missingPatches> <openTCPDangerousPorts>0</openTCPDangerousPorts> <openUDPDangerousPorts>0</openUDPDangerousPorts> <passwordMinimunLength>0</passwordMinimunLength> <passwordMinimumAge>0</passwordMinimumAge> <passwordMaximumAge>3628800</passwordMaximumAge> <installedApplications>192</installedApplications> <unauthorizedApplications>0</unauthorizedApplications> <antivirusApplications>1</antivirusApplications> <antivirusApplicationsUpToDate>0</antivirusApp
84. arting a new audit check. Audit checks are executed before scanning Windows events; if the audit check is successful, a Windows log event is created on the target machine. This may create a large number of events, and it is recommended to configure and use the Auditing threshold. When using the Auditing threshold, GFI EventsManager will wait for a pre-defined interval before starting a new audit check. 4. Click OK to save changes. 6.4.5 Configuring event processing parameters. To configure event processing parameters: [Screenshot 58: Event processing configuration tabs] 1. Click the Configuration tab > Group Type: Event Sources Groups. 2. From the Groups list, right-click the group to configure and select Properties. 3. Use the Windows Event Log tab, W3C Logs tab, Syslog tab and SNMP Traps tab to configure the required event processing parameters. For more information refer to U
85. ased systems and manage them through one console. Archive collected events in a centralized SQL Server-based database backend for future analysis and forensic studies. Automatically transfer events from the database to external files. Filter unwanted events and classify key events through the use of powerful default or custom-built event processing rules. Automate alerting and remedial actions, such as the execution of scripts and files, on key events. Monitor your network activity and the status of your GFI EventsManager scanning engine through a built-in graphical dashboard. Analyze events through a built-in events browser, as well as export these events to CSV files for further processing and report customization. Simplify event forensics through specialized tools which include a built-in event query builder, an event finder tool and an event color-coding tool. Increase event processing power through a high-performance event scanning engine. Generate, schedule as well as email event activity and trend reports through GFI EventsManager ReportPack, the powerful reporting companion tool which ships by default with GFI EventsManager. Monitor the operational health status of your SQL Servers in real time by processing the activity logs/messages generated by day-to-day SQL Server operations. Monitor Oracle database servers: GFI EventsManager collects and processes events generated by Oracle relational databa
86. base Operations Options dialog, configure the tabs described below. Table 74: Configuring database operations. General: specify the unique identifier by which this instance of GFI EventsManager will be identified on the network. This identifier is used as part of the export file name during Export to file operations. Schedule: through the Schedule tab, configure/specify: the hours of the day during which maintenance jobs can be executed; the interval (in hours/days) with which maintenance jobs will be executed; the scheduled date/time when maintenance jobs will start being executed. 4. Click OK to save your settings. 12.5 Creating maintenance jobs. With GFI EventsManager you can schedule maintenance jobs to be executed on a specific day, at a specific time and at specific intervals. Note: database maintenance operations may require high utilization of resources. This can degrade server and GFI EventsManager performance. Schedule maintenance jobs to be executed after office hours to maximize the availability of your system resources and avoid any possible disruptions to workflow. GFI EventsManager supports five types of database operations. For more information refer to the following sections in this chapter: Import from file; Export to file; Import from SQL Server database; Import from legacy files; Import from legacy file storage. 12.5.1 Impo
87. ble firewall rules in Microsoft Windows Server 2003: 2. From the Programs and Services list, enable File and Printer Sharing. 3. Click OK to apply changes and close. 13.1.5 Microsoft Windows Server 2008 (including R2): Enable firewall permissions. To manually enable firewall rules on Microsoft Windows Server 2008 (including R2): 1. Click Start > Control Panel > Security and, under the Windows Firewall category, Allow a program through Windows Firewall. 2. In the list of programs, enable the following: File and Printer Sharing; Network Discovery; Remote Event Log Management. [Screenshot 155: Firewall rules on Microsoft Windows Server 2008] 3. Click OK to apply chang
88. ccount Control: Run all administrators in Admin Approval Mode, and select Properties. [Screenshot: Local Security Policy, Security Settings > Local Policies > Security Options, listing the User Account Control policies]
89. ces commonly found in a network DMZ. Network appliance events: specialized routers and firewalls (e.g. Cisco IOS series routers) not only help protect your internal network but provide specialized features, such as Port Address Translation (PAT), that can augment the operational performance of your systems. By deploying GFI EventsManager on your DMZ you can collect the events generated by such network appliances. For example, you can configure GFI EventsManager to act as a Syslog Server and collect in real time the Syslog messages generated by Cisco IOS routers. 3.3 System requirements. 3.3.1 Hardware requirements. Table 5: Hardware requirements. Processor: 2.5 GHz dual core or higher. RAM: 3 GB. Hard disk: 10 GB free space (hard disk size depends on your environment; the size specified in the requirements is the minimum required to install and archive events). 3.3.2 Software requirements. Table 6: Software requirements, Operating system (x86 or x64): Windows Server 2008 Standard or Enterprise; Windows Server 2008 R2 Standard or Enterprise; Windows Server 2003 SP2 Standard or Enterprise; Windows 7 Enterprise, Professional or Ultimate; Windows Vista SP1 Enterprise, Business or Ultimate; Windows XP Professional SP3; Windows SBS 2008; Windows SBS 2003. Table 7: Software requirements, Other components: Microsoft .NET Framework 4.0; Microsoft Data
90. clude error messages. Save files to: Program Files\GFI\EventsManager\Reports\Status. You can also automate generation of these reports using the esmreport.exe command-line tool. [Screenshot 47: Activity overview dialog] 3. Configure the options described in Table 31 and click Export. Table 31: Export operational history options. Format: the report output format; available formats are HTML and CSV. All time: export all messages displayed in Activity Overview. From a specific date: specify a date to export all messages generated on that date. Only computers with errors: export only data of computers with scanning issues. Include error messages: select this option to include the generated error message. Save files to: displays the default export location. [Screenshot 48: Activity overview report sample, GFI EventsManager Activity Overview for period 2011-11-01] 6 Manage event sources. 6.1 Introduction. Event sources are networked computers and devices that are accessed and processed by GFI EventsManager. The Event Sources sub-tab (Configuration > Event Sources) enable
91. creenshot 13: Edit view restriction. 3. Select a field from the list of available fields and specify the Field operator and Field value. Click OK. Repeat until all required query conditions are specified. For more information refer to Defining Restrictions. [Screenshot 14: Customize View tab] 4. Click the Customize view tab to select the columns to show in the new custom view. You can also arrange their order of appearance using the Up and Down arrow buttons. 5. Click OK to finalize your settings. [Screenshot 15: Sample New Root Views and Views] 4.3.1 Deleting a view. 1. From Events Browser > Views, select the view to delete. 2. Right-click the view and click Delete view. 4.3.2 Editing a view. 1. From Events Browser > Views, select the view to edit. 2. From Actions, click Edit
92. creenshot 31: Creating a report, Chart. 4. (Optional) Click the Chart tab and configure the options described below. Table 21: Create Report dialog, Chart options. Use graphical charts: include a graphical chart to present your data as well as a text-based table. Place chart at: select between Beginning of Report and End of Report to place the chart at the selected location. Chart type: use the Chart type drop-down menu to select the type of chart to include in your report; select from Pie chart, Bar chart and Line chart. Properties: select the information to display in the X and Y axis; the available options are the column headings selected in Step 3. Chart data: this is the data used to construct the chart; it is a smaller table that contains counts and grouped data useful for charting. [Screenshot 32: Creating a report, Schedule] 5. Click the Schedule tab and configure the options described below. Table 22: Create Report dialog, Schedule options. Inherit from Parent: select this option when the new folder is part of a root folde
93. crosoft.com/en-us/library/cc737542(WS.10).aspx. Generates events when important system events happen, such as when a user restarts or shuts down the target computer, or when an event occurs that affects the security log. For more information refer to http://technet.microsoft.com/en-us/library/cc782518(WS.10).aspx. Enable this firewall permission to allow client machines to access applications or services that reside on the server. This allows GFI EventsManager to access resources from all servers. For more information about this permission refer to http://technet.microsoft.com/en-us/library/cc731967.aspx. Email notifications which inform recipients that a particular event has occurred. To enable email alerts you must have access to an active mail server. The categorization of events as Critical, High, Medium, Low or Noise. A collection of entries which describe events that occurred on the network or on a computer system. GFI EventsManager supports different types of event logs, including Windows Event Log, W3C Logs, Syslog, SNMP Traps and SQL Server audit events. A set of instructions which are applied against an event log. Enable this firewall permission to allow GFI EventsManager to access event definitions on target machines. For more information refer to http://technet.microsoft.com/en-us/library/cc779133(WS.10).aspx. A framework of open standards used to encrypt and authenticate network packets during a communication session between comp
94. d not respond to the start or control request in a timely fashion. Error message: The maintenance job failed. Error message: Event Log Records could NOT be retrieved. The RPC server is unavailable. Description: the GFI EventsManager executables are digitally signed by default. When trying to start the service, the application must download the Certificate Revocation List to authenticate. If the download fails due to network connectivity or security reasons, the service will fail to start by timing out. Possible solution 1: increase the default service timeout settings as described in the following Microsoft knowledgebase article: http://support.microsoft.com/kb/941990. Possible solution 2: disable Certificate Revocation List (CRL): 1. Download the Microsoft Setreg application from http://ftp.gfisoftware.com/support/setreg.zip. 2. Log in to the GFI EventsManager server using the GFI EventsManager service user. 3. Open a command prompt. 4. Change the directory to the directory storing setreg.exe. 5. Run the following command: setreg.exe 3 FALSE. Note: the setting above can be reverted by running the following command: setreg.exe 3 TRUE. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID003365. Description: GFI EventsManager uses an ASP.NET library called GZipStream to compress and export data from the GFI EventsManager databases. GZipStream is unable to compress data larger than 4GB
95. d data. In order to protect your data, you can password-protect the exported files by selecting the option below. [Screenshot 128: Export to File, Encrypt exported data] 5. (Optional) Select Encrypt exported data using the following password and specify an encryption key to protect your exported data. Click Next. 6. (Optional) Specify filtering conditions to filter out unwanted data. Leave it blank to export all the data in the database. Click Next. 7. Select when the job is executed. The table below describes the available options. Table 76: Database operations, Schedule options. Schedule job: the job will be saved and executed according to the database operations schedule. Run the job now: the job is executed immediately. Unscheduled jobs only run once. 8. Click Finish. Export filename: the convention used by GFI EventsManager to name the export file is shown and described below (Table 77): ESM ID, Job ID, Date From, Date To, EXP. Table 78: Database operations, Export file name structure. ESM ID: refers to the unique identifier given to each GFI EventsManager instance running in the organization. Job ID: refers to the unique identifier given
96. d specifically with their device. Notifications/alerts generated and transmitted by active network components (for example hubs, routers and bridges) to SNMP server(s) whenever important events such as faults or security violations occur. Data contained in SNMP Traps may contain configuration and status as well as statistical information, such as the number of device failures to date. Notifications/alerts most commonly generated and transmitted to a Syslog server by UNIX and Linux-based systems whenever important events occur. Syslog messages can be generated by workstations and servers as well as active network devices and appliances, such as Cisco routers and Cisco PIX firewalls, to record failures and security violations amongst other activities. Events that did not satisfy any of the event processing conditions configured in the event processing rules. W3C logs: W3C is a common log format developed by the World Wide Web Consortium. W3C logs are text-based flat files used mainly by web servers, including Microsoft Internet Information Server (IIS), to record web-related events such as web logs. Windows Event Logs: a collection of entries which describe events that occurred on a computer system running a Windows OS. Index. A: Account Usage Reports 37; anti-virus 17; Archiving events 73, 79. D: Daily Digest 1, 52, 53; Database Backend 1, 2, 3, 4, 7, 8, 16, 73, 75, 79, 81, 103, 13
97. dConfig.exe op setAdminEmail email administrator@domain.com
- Create program group shortcuts: Enables you to create group shortcuts. Command: ESMCmdConfig.exe op CreateProgramGroupShortcuts
- Remove program group shortcuts: Enables you to remove group shortcuts. Command: ESMCmdConfig.exe op RemoveProgramGroupShortcuts
- Get computers: Enables you to get computer names by specifying a filename to which the data is exported. Command: ESMCmdConfig.exe op GetComputers filename ExportedNames
5. Press Enter to run the command.
13.4.2 Using Esmdlibm.exe
To use Esmdlibm.exe:
1. Click Start > Run and key in CMD.
2. Press Ctrl+Shift+Enter to run CMD with elevated privileges.
3. Change the directory to the GFI EventsManager install directory: CD <C:\Program Files\GFI\EventsManager 2012>
4. Key in Esmdlibm.exe followed by any of the following functions:
Table 85: CMD - Esmdlibm.exe functions
- Import from SQL: The Import from SQL function is used to import data from the backend database of a previous version of GFI EventsManager. It is made up of the following parameters:
  importFromSql - function name
  logTypes <application|custom|directory|security|dns|filereplication|syslog|system|snmp|oracle|sql|w3c> - specify the log types to import
  server <serverName> - specify the SQL Server IP
  database
98. dConfig.exe op enable
Disables GFI EventsManager and prompts the user with a custom message. It is made up of: op disable - function name; message <message> - specify the message to show. Command: ESMCmdConfig.exe op disable message "Feature is going to be disabled in one minute"
This function is used to specify a license key for GFI EventsManager. It is made up of: op setLicense - function name; licenseKey <key> - specify the license key. Command: ESMCmdConfig.exe op setLicense licenseKey XXXXXXXXX
- Configure alerting: Enable and configure alerting options. It is made up of: op configureAlerting - function name; Server <server> - specify the server IP; SenderEmail <email> - specify the sender's email address; Port <port> - specify the SMTP port, for example 25; RequiresAuthentication <true|false> - specify a True or False value; User <username> - specify a username for the email account; Pass <password> - specify a password for the email account. Command: ESMCmdConfig.exe op configureAlerting Server 192.168.11.11 SenderEmail name@domain.com Port 25 RequiresAuthentication True User Administrator Pass 1234
- Set administrator's email: Enables you to configure the Administrator's email. It is made up of: op setAdminEmail - function name; email <email> - specify the email address. Command: ESMCm
99. date Options
Screenshot 135: Creating a new Database Operation
2. From Configurations, right-click Database Operations and select Create new job.
New job wizard - Job Type: Please select the type of action that this job should perform.
- Import from file: Import data as part of the data centralization process. The file to import from needs to be created by the Export to file job.
- Export to file: Export data from this instance to files in order to import them at another location as part of the data centralization process. You can also burn the exported files for safekeeping.
- Import from SQL Server database: Imports data from a SQL Server database created with an older version of the product.
- Import from legacy file storage: Imports data from an older file storage.
Screenshot 136: Import from legacy file storage
3. Click Next at the wizard welcome screen and select Import from legacy file storage as the job type. Click Next.
Screenshot 137: Import from legacy file storage - Select file to import (dialog: Select the folder from which to import DLib version 1 data. Path: C:\Events Storage. Name: Exported Legacy File Storage)
4. Specify the path and the file name of the exported legacy file. Click Ne
100. dd Existing Column to add default columns.
3. Click Add Custom Column to launch the Add Custom Columns dialog.
Screenshot 37: Define custom column conditions
4. From the Add Custom Column dialog, click Add.
5. From the Add Definition dialog, configure the options described below.
Table 25: Add Column Definition options
- Field Name: Specify a name for the new field.
- Fixed Value: Select Fixed Value if the value of the new field is going to be fixed. Specify a value as a field name. For example, to check that events always occur after 5pm, specify 5 as the fixed value instead of defining a time field and assigning it a value of 5.
- Special Column: Special columns are predefined columns that may be used in your condition.
- Edit restrictions: This section enables you to add, edit or delete field restrictions. For more information, refer to Defining Restrictions.
6. Click OK to save your settings.
5.8 Daily Digest
GFI EventsManager can be configured to send a summary report by email on a daily basis. The report contains a summary of the most important events collected and processed during the last
101. ddresses in a computer group which is configured to accept Syslog messages.
Screenshot 82: Syslog server options
4. Select Enable in-built Syslog server on TCP port and specify the TCP port on which GFI EventsManager will listen for Syslog messages.
5. Select Enable in-built Syslog server on UDP port and specify the UDP port on which GFI EventsManager will listen for Syslog messages.
6. Click OK to finalize settings.
Note: When configuring Syslog server port settings, make sure that the configured port is not already in use by another installed application. A port conflict may affect the delivery of Syslog messages to GFI EventsManager.
7.5 Collecting SNMP Traps
SNMP is a data logging service that enables networked devices to log events and information through data messages, technically known as SNMP Traps. SNMP messaging is similar in concept to Syslog: unlike Windows and W3C log based environments, devices that generate SNMP messages do not record event data in local logs. Instead, event information is sent in the form of data messages to an SNMP Trap Server, which manages and saves SNMP message data in a local, centralized log file.
Figure 8: SNMP Trap messages must be directed to the computer running GFI EventsManager
GFI EventsManager nat
102. dition to configure and select OR NOT. This means that the selected condition has to match the restriction parameters OR the following conditions must not.
- Add opening bracket: Click to add an opening bracket to the selected condition. Conditions enclosed in brackets are processed first.
- Add closing bracket: Click to add a closing bracket to the selected condition. Conditions enclosed in brackets are processed first.
- Remove opening bracket: Click to remove an opening bracket from the selected condition.
- Remove closing bracket: Click to remove a closing bracket from the selected condition.
- Add: Click Add to launch the restrictions dialog and add more fields to the condition.
- Edit: Click Edit to access the restrictions dialog and customize the selected condition.
- Delete: Click Delete to delete a condition.
- Clear: The Clear button deletes all the query conditions.
- Up arrow: Use the Up arrow key to move the selected condition up in the list.
- Down arrow: Use the Down arrow key to move the selected condition down in the list.
7. Click OK to save your settings.
5.7.2 Defining column headings
GFI EventsManager enables you to create custom columns through the Add Custom Columns dialog. This dialog allows you to specify conditions, create a new field and add it to your report(s). Based on conditions, this dialog also enables you to further customize existing or new reports.
To add custom columns:
1. From Reporting tab > Actions, click Create Report.
2. Click Layout tab > A
103. Screenshot 94: Creating a rule from an event (Events Browser context menu: Create rule from event, Create view from field, Find rule)
2. Right-click the event and select Create rule from event.
Screenshot 95: New rule from event dialog (example rule: Event equal 1000 and Category equal None; the rule applies if the event happens at any time of the day)
3. Configure the options from the tabs described below.
Table 60: Create rule from event dialog options
- General: Use this tab to configure the general properties of the rule, includ
104. Screenshot 112: Select Security Options to enable the login system
2. Expand the Console Security and Audit Options node, right-click the Security Options node and select Edit security options.
3. Select Enable EventsManager login system to enable login.
4. Click OK to finalize settings.
Note: The user must have a valid email address configured in GFI EventsManager to receive the password by email. For more information on how to change user settings, including the email address, refer to Changing user properties in this chapter.
Note: When the login system is enabled, all users will be asked to specify their credentials every time they launch the GFI EventsManager management console. Users are granted access with administrative or user privileges according to the user privileges set up in the Privileges tab within the user setup dialogs.
Note: To configure or edit a user password, from Configuration tab > Users and Groups > Users, right-click the user account and select Change Password.
10.4.2 Password recovery
When the GFI EventsManager login system is enabled, all users are requested to enter a valid user name and password to access the GFI EventsManager console. (Login dialog: Enter your username and password. Username: EventsManagerAdministrator. Remember my password. Forgot your password?)
105. e 17 Managing reports
Table 18 Create folder - Schedule options
Table 19 Analyzing reports tools
Table 20 Create Report dialog - General options
Table 21 Create Report dialog - Chart options
Table 22 Create Report dialog - Schedule options
Table 23 Defining restrictions - Field Operators
Table 24 Defining restrictions - Query Condition tools
Table 25 Add Column Definition options
Table 26 Settings report heading information
Table 27 Rules report heading information
Table 28 Operational history reports
Table 29 Export operational history options
Table 30 Activity overview headings
Table 31 Export operational history options
Table 32 Event source group options
Table 33 Synchronization properties - General tab
Table 34 Example of synchronizations
Table 35 Event sources - Audit policy options
Table 36 Auditing options
Table 37 Microsoft SQL Database group - General tab
Table 38 Microsoft SQL Database group - Logon Credentials
Table 39 Microsoft SQL Database group - SQL Server Audit
Table 40 Microsoft SQL Database group - Settings
Table 41 Microsoft SQL Database - General tab options
Table 42 Microsoft SQL Database - Connection Settings tab
Table 43 Microsoft SQL Database - Settings tab options
Table 44 Oracle Server supported audits
Table 45 Oracle Server configuration stages
Table 46 Oracle Database group - General tab
Table 47 Oracle Database group - Oracle Audit
Table 48
106. e information refer to http://kbase.gfi.com/showarticle.asp?id=KBID00301
Description: These errors are encountered when GFI EventsManager tries to collect events from a machine that is not accessible over the network, or when the credentials are invalid.
Possible solution 1:
1. Check that the credentials are correct.
2. Check that the machine name or IP address is correct.
3. Try to collect events.
Possible solution 2: When using a personal firewall, check that the required firewall ports are configured to allow traffic. For more information, refer to http://kbase.gfi.com/showarticle.asp?id=KBID002770. When using Windows Firewall, check that all the required firewall permissions are enabled. For more information, refer to http://kbase.gfi.com/showarticle.asp?id=KBID003688.
Possible solution 3: Ensure that GFI EventsManager is installed on a supported environment. For more information on where GFI EventsManager can be installed, refer to http://kbase.gfi.com/showarticle.asp?id=KBID002842.
Description: This issue can be caused by various factors and depends on the environment where GFI EventsManager is installed. For a checklist on how to resolve this issue, refer to http://kbase.gfi.com/showarticle.asp?id=KBID002819.
Error message 1: A timeout was reached (60000 milliseconds) while waiting for the GFI EventsManager service to connect.
Error message 2: Error 1053: The service di
107. e name resolution downgrades overall system performance. If you disable NetBIOS over TCP/IP you can still use GFI EventsManager; however, you must specify computer names by IP.
3.7 Installation procedure
To install GFI EventsManager:
1. Close all running applications and log on to the target computer using an account which has local administrative privileges.
2. Double-click the GFI EventsManager setup file.
Screenshot 2: Pre-requisite check (the setup wizard installs the following system components, required for archiving and enhanced event log management performance: Visual C++ 2010 redistributable, Microsoft .NET Framework 2.0, Microsoft .NET Framework 4.0, Microsoft SQL Server Compact 3.5 SP2, MSXML6, Microsoft SQL Server Native Client, Microsoft SQL Server Management Objects Collection)
3. GFI EventsManager will check your system for components that are not already installed. Click Install to begin the installation.
4. Click Next at the wizard welcome step.
5. Read the licensing agreement carefully. Select I accept the terms in the License Agr
108. e sent during and outside working hours.
5. Click Alerts tab and select which alerts will be sent during and outside working hours.
6. (Optional) Select Send daily report via email to send a summary of the most important events collected and processed by GFI EventsManager by email.
Screenshot 108: Notification groups to which a user belongs
7. Click Member Of tab and select the notification groups to which the user belongs. By default, the administrator is a member of the EventsManagerAdministrators notification group.
Screenshot 109: Configuring GFI EventsManager administrator privileges (options: This user has full privileges; This user has read only privileges; This user belongs to at least one group that has full privileges)
8. Click Privileges to modify the user privileges. By default, the EventsManagerAdministrator account has full privileges.
9. Click OK to finalize your settings.
10.2.2 Creating a new user
GFI EventsManager allows you to crea
109. e status to find out more.
Screenshot 6: Events processed from local machine
On completion, the number of events that have been processed is displayed in the information bar, as illustrated in the screenshot above.
Processing events from the local domain
The Network discovery wizard searches the entire network for computers and servers. This will assist in adding network computers as GFI EventsManager event sources.
To launch the Network discovery wizard:
1. From the Quick Launch Console, click Process events > Local domain. The wizard can also be launched from Configuration > Event Sources: right-click All event sources and select Scan local domain.
2. In the Welcome screen, click Next.
Note: If synchronization options are configured, Process events > Local Domain is disabled. For more information, refer to Edit synchronization options.
Screenshot 7: Select the type of event source (Domain Controllers, Exchange Servers, ISA Servers)
3. The wizard enables you to search the local network for specific types of event sources. Select the type of event sources to add and click Next.
4. The wizard will automatically start to search for connected computers. On completion, click Next.
At least one event so
110. ecify a Field Value for the selected field and field operator. Some fields have predefined values, while others require you to specify a value.
5. Click OK to save your restriction.
Note: You can copy report restrictions from existing reports from Reporting tab > Reports: right-click a report and select Copy Report Restrictions. Repeat this step until all your restrictions are defined.
Screenshot 36: Customizing the condition
6. Once all the restrictions are defined, use the options described below to customize the condition to further suit your requirements.
Table 24: Defining restrictions - Query Condition tools
- AND: Select the condition to configure and select AND. The selected condition AND the following condition(s) must be met for the query to be valid.
- OR: Select the condition to configure and select OR. The selected condition OR the following condition(s) must be met for the query to be valid.
- AND NOT: Select the condition to configure and select AND NOT. This means that the selected condition has to match the restriction parameters but the following conditions must not.
- OR NOT: Select the con
111. ed on to the event processing engine as soon as the buffer fills up or at one-minute intervals, whichever comes first.
Figure 7: Syslog messages must be directed to the computer running GFI EventsManager
To collect Syslog messages
Before you start collecting Syslogs, every Syslog event source (workstations, servers and/or network devices) must be configured to send its Syslog messages to the computer name or IP where GFI EventsManager is installed.
1. From Configuration tab > Event Sources, right-click an event source group and select Properties.
Screenshot 80: Computer group properties - Syslog processing parameters (options shown: Accept Syslog messages from this computer group; Syslog parsing schema; Post message processing: Archive all logs without any further processing, or Process the logs with the rules selected below before archiving)
2. Click Syslog tab and configure the options described below.
Table 55: Configuring Syslog processing
- Accept Syslog messages from this computer group: Select this option to enable syslog me
112. edule to enable scheduling of the reports contained in the new folder.
- Generation time: Specify the time when reports are generated.
- Recurrence pattern: Specify the report generation frequency. Select from a Daily, Weekly or Monthly pattern and configure the respective parameters.
- Send report by email: Select this option to enable email notifications. Click Configure to select the recipient users from the Select users and groups dialog. NOTE: Configure alerting options before using this feature. For more information, refer to Configuring Alerting Options.
4. Click OK to save your settings.
5.4.2 Creating a folder
To create a folder:
1. From Reporting tab > Reports, right-click a root or sub-folder and select Create Folder.
2. From the General tab, specify the name and (optional) description for the new group.
3. (Optional) Click Schedule tab and configure the required parameters.
4. Click OK to save your settings.
5.4.3 Creating root reports
To create a root report:
1. From Reporting tab > Common Tasks, click Create Root Report.
2. From General tab, specify a name and (optional) description for the new root report.
3. Click Add to add conditions to your new report. For more information, refer to Defining Report Restrictions. Repeat this step until all required conditions have been specified.
4. Click Layout tab and add the column headings that you want to be visible in the report. For more information, refer to Defining Co
113. eement. Click Next.
Screenshot 3: Customer and License detail screen (you can either use the key which was sent to you by email on product download to evaluate for 30 days, or click Next to continue and specify a license key later)
6. Key in your name and serial number. Click Next.
Screenshot 4: Logon information screen (GFI EventsManager requires administrative rights and privileges; enter the domain administrator account details for the GFI EventsManager service in any of the following formats: Domain\Administrator or Administrator@DOMAIN.CO)
7. Key in the user name and password of a domain administrator account. Click Next.
8. Specify an alternative installation path, or click Next to leave it as default.
9. Click Install.
3.8 Running GFI EventsManager for the first time
After installing GFI EventsManager, the Management Console is launched automatically. To launch GFI EventsManager manually, click Start > All Programs > GFI EventsManager > Management Console.
Follow the steps outlined below to configure GFI EventsManager for first-time use:
Step 1: Launch events processing
Step 2: Analyze
114. elected. Key in a valid password for the specified user account. Press OK to close the Properties window. Close the Services window.
Description: When collecting and processing events, the CPU consumption stays constant. This may occur when scanning multiple domain controllers. Since domain controllers generate a large number of events and GFI EventsManager by default is configured to use a high performance level, GFI EventsManager may use a lot of CPU resources.
Solution: Configure GFI EventsManager to use a low performance level. To configure the performance level:
1. Select Configuration tab.
2. From the left panel, right-click Performance Options and select Edit Performance options.
3. From the Performance Options dialog, select Enable GFI EventsManager service performance and select the required level.
4. Click OK.
Note: Changing the performance level reduces CPU load but affects the speed at which GFI EventsManager processes log events. Low performance: GFI EventsManager will process approximately 50 events per second for each event source. High performance: GFI EventsManager will process approximately 1000 to 2000 events per second for each event source.
14.3 Knowledge Base
GFI maintains a Knowledge Base which includes answers to the most common problems. If you have a problem, please consult the Knowledge Base first. The Knowledge Base always has the most up-to-date listing of technical s
115. ely log on to the target computers. This is required in order to collect log data that is currently stored on the target computers and to pass this data on to the event processing engine(s).
To collect and process logs, GFI EventsManager must have administrative privileges over the target computers. By default, GFI EventsManager will log on to target computers using the credentials of the account under which it is currently running; however, certain network environments are configured to use different credentials to log on to workstations and servers with administrative privileges. As an example, for security purposes network administrators can set up a dedicated account that has administrative privileges over workstations only, and a different account that has administrative privileges over servers only.
Screenshot 55: Configuring alternative logon credentials (Logon Credentials tab: by default GFI EventsManager performs event collection using the security context of the account under which the GFI EventsManager service is running; you may specify an alternate set of credentials to access the computers contained within this computer group by selecting Logon using credentials below and entering a Username and Password)
GFI EventsManager allow
116. ely speed up event scanning for maximum performance. This engine adopts a plug-in based concept that allows additional features and modules to be plugged in without having to make physical changes to the existing code, hence more stability without affecting scalability.
- GFI EventsManager identifies and removes unwanted event data, such as noise and events generated by background processes, providing you with only the relevant, usable data. This facilitates event forensics by reducing the amount of events to be analyzed.
- GFI EventsManager can generate alerts or trigger actions such as script execution when key events are detected. You can alert one or more people in various ways, including email, network messages and SMS notifications sent through an email-to-SMS gateway or service. Actions can be configured to trigger on event classification or by configuring specific conditions in event processing rules.
- GFI EventsManager ships with a number of event filtering features, including:
  - Pre-configured event queries and a custom event query builder. The pre-configured event queries allow you to sift event log data and browse only the required events without deleting any records from your database backend. The built-in event query builder allows you to create your own custom event queries.
  - Event color coding capabilities. Through this feature you can selectively color particular events in specific colors. This way, during log browsing you can ea
117. Screenshot 133: Creating a new Database Operation (Configuration > Database Operations: here you can define maintenance jobs to import and export data from the EventsManager storage and to import from SQL Server, legacy export files or legacy file storage. The maintenance jobs will be executed sequentially in priority order. Example jobs shown: Import files from folder C:\Users\John Smith\Desktop...; Import legacy files from folder C:\Users\John Smith\Desktop...)
2. From Configurations, right-click Database Operations and select Create new job.
New job wizard - Job Type: Please select the type of action that this job should perform.
- Import from file: Import data as part of the data centralization process. The file to import from needs to be created by the Export to file job.
- Export to file: Export data from this instance to files in
118. entsManager 181
13.6 Product icons 182
13.7 Version information 183
14 Troubleshooting 185
14.1 Introduction 185
14.2 Common issues 185
14.3 Knowledge Base 188
14.4 Web Forum 188
14.5 Request technical support 188
14.6 Build notifications 189
15 Glossary 191
Index 195
List of tables
Table 1 Key features
Table 2 GFI EventsManager engines
Table 3 Devices supported by GFI EventsManager
Table 4 Benefits of installing GFI EventsManager in DMZ
Table 5 Hardware requirements
Table 6 Software requirements - Operating system
Table 7 Software requirements - Other components
Table 8 System requirements - Event source settings
Table 9 System requirements - Ports and protocols
Table 10 System requirements - Firewall permissions
Table 11 Quick Launch Console options
Table 12 Navigating the Events Browser
Table 13 Event Browser - Create new view
Table 14 Event Browser - Create new report
Table 15 Navigating the Reporting tab
Table 16 Available reports
Tabl
119. Note: In order to scan a Microsoft Vista or Microsoft Server 2008 machine, you must install GFI EventsManager on a Microsoft Vista or Microsoft Server 2008 machine.
Screenshot 9: Process events from selected machines
2. Specify the event source name or IP and click Add. Repeat until you have specified all the event sources to add to this group.
Note: To import the list of event sources from a text file, click the Import button. To select event sources from a list, click the Select button.
3. Click Finish to finalize settings. GFI EventsManager will collect events from the configured sources immediately.
3.8.2 Step 2: Analyze events and generate reports
After collecting the event logs, you can analyze the information and generate reports based on the gathered data.
Quick Launch Console
At any time you can perform the following main actions:
- Browse events: Access the built-in events browser and forensic tools that will help you to locate, analyze and filter key events.
- Generate reports: Access reporting features, including instant and scheduled report generation and automated report distribution.
- View dashboard: Access the dashboard to view a graphical representation of the most important events.
121. er 2008 R2 Group Policy Management Editor; Predefined rules; Predefined rules; Configure auto update; Update license key; Buy now button
1 Introduction
1.1 About this manual
This user manual is a comprehensive guide aimed at assisting you in configuring and using GFI EventsManager. The user manual contains the following chapters:
CHAPTER | DESCRIPTION
Chapter 1: Introduction | An overview of this manual and how GFI EventsManager works.
Chapter 2: Getting Started | Describes how to install GFI EventsManager, including system requirements, pre-install actions required and how to upgrade from previous versions.
Chapter 3: Installation | Shows how to configure GFI EventsManager for first time use, including how to configure the database backend and how to process event logs for the first time.
Chapter 4: Event browsing | Explains how to use the built-in events browser to analyze events stored in the GFI EventsManager database backend, including: default event log queries and custom query builder; event color coding; event finder tool.
Chapter 5: Reporting | Describes how to enable the GFI EventsManager ReportPack to create reports that further analyze the events stored in the GFI EventsManager database backend. In addition, describes how to configure a user to receive GFI EventsManager Daily Digest email.
Chapter 6: Manage eve
122. er to Processing events from the local domain.
Process events > selected machines | Add event sources manually without using the wizard. For more information refer to Processing events from selected machines.
Customize | Customize settings of: Events sources and log types; Event processing rules; Database operations; Users and groups; Alerting options.
Processing events from the local computer
To process event logs from the local machine:
1. From Quick Launch Console, click Process events > local computer. GFI EventsManager will start to collect events from the local machine immediately.
Screenshot: Quick Launch Console (Browse events; Generate reports; View dashboard; Customize, which is used to customize GFI EventsManager settings, e.g. enable Syslog and SNMP Trap processing, key event notifications etc.). Status bar: Service is running; 113917 events processed so far on 1 event source(s). Click here to go to th
123. es In Windows Server 2008 R2, ensure to select Domain, Private and Public for each rule mentioned above.
13.2 Enabling permissions on event sources automatically
13.2.1 Windows Server 2003
To open ports and enable permissions on all domain clients using a Microsoft Windows Server 2003 domain controller:
1. Click Start > Run, key in mmc and click OK.
2. Click File > Add/Remove Snap-in and click Add.
3. Locate and select Group Policy Object Editor and click Add.
4. Click Browse, select Default Domain Policy and click OK.
5. Click Finish.
6. Select Group Policy Object Editor again and click Add.
7. Click Browse, double-click the Domain Controllers folder and select Default Domain Controllers Policy. Click OK.
8. Click Finish and Close.
9. From the Console Root, expand Default Domain Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
Screenshot: Console Root > Default Domain Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall (Protect all network connections) al Wi
124. ... 40
5.6 Analyzing reports ... 41
5.7 Creating custom reports ... 41
5.8 [title illegible] ... 52
5.9 [title illegible] ... 53
5.10 [title illegible] ... 54
5.11 Operational history ... 56
5.12 Activity overview ... 57
6 Manage event sources ... 61
6.1 Introduction ... 61
6.2 Managing event sources groups ... 61
6.3 Adding event sources ... 64
6.4 Configuring event source properties ... 66
6.5 Microsoft SQL Server sources ... 72
6.6 Oracle Server sources ... 11
6.7 GFI LanGuard event sources ... 85
6.8 GFI EndPointSecurity event sources ... 86
7 Using event processing rules ... 89
7.1 Introduction ... 89
7.2 Collecting Windows events
125. events and generate reports
Figure 6: Running GFI EventsManager for the first time (Add event sources > Process events > Analyze events and generate reports)
3.8.1 Step 1: Launch events processing
This section contains information about:
Processing events from the local computer
Processing events from the local domain
Processing events from selected machines
Screenshot 5: Quick Start Dialog (Quick Launch Console: Process events > Local computer; Process events > Local domain; Process events > Selected machines; Customize; New auditing feature)
From the Quick Launch Console, select one of the following options:
OPTION | DESCRIPTION
Process events > local computer | Start collecting events from the local computer where GFI EventsManager is installed. For more information refer to Processing events from the local computer.
Process events > local domain | Launch the Automatic network discovery wizard. This wizard will automatically search your network for event sources. For more information ref
126. f custom reports using third party applications.
Interfacing events data with applications and scripts built in-house.
To export events to CSV:
1. From Events Browser > Views, right-click a view and select Export events.
Screenshot 19: Export events tool (Export the events to a CSV file; Save the events in the following CSV file)
2. Specify or browse to where the exported events will be saved. Click OK.
4.7 Rule finder tool
GFI EventsManager enables you to find event processing rules from event logs in Events Browser. To identify the rule(s) used for a specific event:
1. From Events Browser, right-click an event log.
Screenshot 20: Find rule (Events Browser: Views; Common Tasks; Actions; Main database, All Events, 4585 event(s))
2. Click Find rule.
4.8 Reporting options
Events
127. figuring default classification actions; Default Classification Actions dialog; Configuring Alerting Options; Configuring Email options; Configuring Network alerts; Configuring Network alerts: Format message dialog; Configuring SMS alerts; Configuring SNMP alerts; Configuring User settings; EventsManager Administrator properties; Configuring the typical working hours of an alert recipient; Selecting alerts to be sent during and outside working hours; Notification groups to which a user belongs; Configuring GFI EventsManager administrator privileges; GFI EventsManager new user privileges; New groups setup; Select Security Options to enable the log in system; Login window; Anonymization options; Audit Options; Auto-discovery credentials; Dashboard View Options; GFI EventsManager Status: General view; GFI EventsManager Status: Job Activity view; GFI EventsManager Status: Statistics view; Archive Storage Folder dialog; Database Operations Options dialog; Creating a new Database Operation: Import from File; Import from file: Decrypt; Creating a new Database Operation: Export to File; 107; 107; Screenshot 128; Screenshot 129; Screenshot 130; Screenshot 131; Screenshot 132; Screenshot 133; Screenshot 134; Screenshot 135; Screenshot 136; Screenshot 137; Screenshot 138; Screenshot 141; Screenshot 144; Screenshot 145; Screenshot 146; Screenshot 147; Screenshot 148; Screenshot 150; Screenshot 151; Screenshot 152; Screenshot 153; Screensho
128. fy the period of STATS sub-type
options <ERROR MESSAGES | ONLY WITH ISSUES> | specify options for STATS sub-type
Command 1: Esmreport.exe type STATUS subtype MESSAGES period CURRENT
Command 2: Esmreport.exe type STATUS subtype STATS period ALLTIME options ERROR MESSAGES
FUNCTIONS | DESCRIPTION
Events report | This function is made up of the following parameters:
type events | specify report type
repid <report ID> | specify report ID
target <path> | specify destination folder
format <HTML | PDF> | specify report format
scheduled | specify report schedule. This enables schedule and uses the default settings configured in GFI EventsManager.
Command: Esmreport.exe type events repid 11 target C:\Events format PDF
5. Press Enter to run the command.
13.4.4 Using ExportHTML2PDF.exe
To use ExportHTML2PDF.exe:
1. Click Start > Run and key in CMD.
2. Click Ctrl+Shift+Enter to run CMD with elevated privileges.
3. Change the directory to the GFI EventsManager install directory: CD <C:\Program Files\GFI\EventsManager 2012>
4. Key in ExportHTML2PDF.exe followed by any of the following functions:
Export HTML reports to Portable Document Format (PDF) | This function enables you to export pre-generated HTML reports to a PDF file. It is made up of the following parameters:
source <path to HTML files> | specify the source folde
129. g GFI LanGuard Events
GFI EventsManager has built-in processing rules for GFI LanGuard events that are enabled by default. To monitor events generated by GFI LanGuard, select Status tab > General and locate the Critical and High Importance Events section.
NOTE: To configure GFI LanGuard event processing rules, click Configuration tab > Event Processing Rules and from the left pane select GFI Rules > GFI LanGuard rules. For more information refer to Using event processing rules.
6.8 GFI EndPointSecurity event sources
GFI EndPointSecurity enables you to maintain data integrity by preventing unauthorized access and transfer of content to and from the following devices or connection ports:
DEVICE | EXAMPLE
USB Ports | Flash memory card readers and pen drives
Firewire ports | Digital cameras and Firewire card readers
Wireless devices | Bluetooth and Infrared dongles
Floppy disk drives | Internal and external USB floppy drives
Optical drives | CD, DVD and Blu-ray discs
Magneto Optical drives | Internal and external USB drives
Removable storage | USB hard disk drives
rete drives | Drives such as Zip drives and tape drives; internal or external USB, Serial and Parallel drives
For more information about GFI EndPointSecurity refer to http://www.gfi.com/endpointsecurity
6.8.1 Enable GFI EndPointSecurity logging
By default, GFI EndPointSecurity generates logs with information about:
The GFI EndPointSecurity service
130. ght-click on the group to be configured and select Properties.
3. Perform the required changes in the tabs available and click OK to finalize settings.
10.3.3 Deleting user groups
To delete a user group:
1. From the left pane, click the Groups node.
2. From the right viewer pane, right-click on the group to be deleted and select Delete.
10.4 Managing Console Security and Audit Options
This section contains information about: GFI EventsManager login system; Password recovery; Anonymization; Audit console activity; Auto-discovery credentials.
10.4.1 GFI EventsManager login system
The Security Options node enables you to configure the GFI EventsManager login system. To enable the log in system:
1. Click Configuration tab and select Options.
Screenshot: Configuration > Options (Console Security and Audit Options > Security Options: Edit security options. Here you enable or disable the EventsManager login system.)
131. gt <Domain name> > Group Policy Objects
Screenshot 157: Group Policy Management in Microsoft Windows Server 2008 R2 (Forest > Domains > Default Domain Policy; Domain Controllers; Group Policy Objects > Default Domain Controllers Policy, Default Domain Policy)
3. Right-click Default Domain Policy and select Edit.
4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, right-click Inbound Rules and select New Rule.
Screenshot: Group Policy Management Editor, Default Domain Policy (WINSERVB.TCDOMAINB.COM) Policy (Computer Configuration > Policies > Windows Settings > Security Settings)
132. he maintenance jobs will be executed sequentially in the priority order.
Screenshot 138: Viewing scheduled maintenance jobs (columns: ID, Job description, Filter; jobs shown: Import files from folder; Import legacy files from folder; Export to file; 3 maintenance job(s))
To view maintenance jobs created:
1. Click Configuration tab and select Options.
2. From the left pane, select the Database Operations node. Scheduled maintenance jobs will be displayed in the right pane.
12.6.1 Job activity status
To view the progress of maintenance jobs that are being processed, click Status tab and select the Job Activity dashboard view. The status of all maintenance jobs will be displayed in the Maintenance Jobs section.
You can make changes to maintenance job parameters for jobs scheduled:
1. Click Configuration tab and select Options.
2. From the left pane, select the Database Operations node.
3. From the right pane, right-click the maintenance job to edit and select Properties.
133. hot 56: Event sources properties dialog; Configuring alternative logon credentials; Specify operational time; Event source properties: Audit tab; Screenshot 58; Screenshot 59; Microsoft SQL Database group: SQL Server Audit tab; Add new Microsoft SQL server; Microsoft SQL Database properties: General tab; Microsoft SQL Database properties: Connection Settings tab; Event processing configuration tabs; Database Servers Groups; Screenshot 64; Screenshot 68; Screenshot 71; Screenshot 81; Microsoft SQL Database properties: Settings tab; Screenshot 65; Screenshot 66; Screenshot 67; Add new Oracle server; Screenshot 69; Screenshot 70; Oracle Database: Audit by objects tab; Screenshot 72; Screenshot 73; Screenshot 74; Screenshot 75; Screenshot 76; Screenshot 77; Screenshot 78; Screenshot 79; Screenshot 80; Database Servers Groups; Oracle Database group: General tab; Oracle Database group: Oracle Audit tab; Oracle Database: General tab; Oracle Database: Connection Settings tab; Oracle Database: Audit by statements tab; Event generated by GFI LanGuard; Event generated by GFI EndPointSecurity; Rule sets folder and Rule sets; Log processing, classification and actions flowchart; Computer group properties: Configuring Windows Event Logs parameters; Selecting the events to be collected; Computer group properties: Configuring W3C event processing parameters; Computer group properties: Syslog processing para
134. ic | Specify a date and export all the messages generated on that date.
Save file to | Select checkbox to specify output location. If not selected, reports are saved in the default location within the GFI EventsManager directory.
Screenshot 45: Operational history report sample (Operational History for period 2011-11-01; columns: Date/Time, Type, Machine, Source, Job ID, Log file name, Message; sample rows show EvtCollector starting collection of the Security, Application and System logs on machine 192.168.3.1 and ProcessorService processing 2000 Windows events from that machine)
5.12 Activity overview
GFI EventsManager enables you to export Activity Overview data. Activity overview reports provide the information described in Table 30 below.
Table 30: Activity overview headings
135. icular computer or entire network. The information provided in this view is divided into the following dedicated sections:
Table 72: Status monitoring, Statistics view
SECTION | DESCRIPTION
[section name not in fragment] | Use this drop-down menu to select what information is displayed. Select between All sources, or select specific sources to view their information accordingly.
Today's Events Count | Graphically represents the daily event collection trend on a machine by machine basis as well as on a network by network basis. A color scheme is used to differentiate between Windows, W3C, Syslog and SNMP Traps events.
Events Count By Log Type | Represents the number of Windows, W3C, Syslog and SNMP Traps events collected by GFI EventsManager from a particular machine or network.
Activity Overview | Provides information about: the total number of Windows, W3C, Syslog and SNMP Traps events processed on a machine by machine basis; the date/time of the last event collection performed from every machine.
12 Database Operations
12.1 Introduction
The Database Operations module in GFI EventsManager provides advanced functionality allowing administrators to:
Centralize events collected by other remote GFI EventsManager instances into one database backend.
Optimize GFI EventsManager performance by actively controlling database backend growth, hence keeping it in good shape.
Import
136. iew
Screenshot 11: Events Browser (Actions: Edit view, Delete view, Find events, Export events to CSV file; event detail pane showing a DHCP client event with a link to online information at eventid.net; Main database, All Events, 12678 event(s))
The Events Browser is made up of the following sections:
Table 12: Navigating the Events Browser
SECTION | DESCRIPTION
Views | The Views section includes a wide range of predefined views. Use this section to view specific logs such as Windows Event Logs, W3C logs, SQL Server audits and more.
Common Tasks | Common Tasks enable you to customize the look of the Events Browser and switch database to view exported and/or archived event logs.
Actions | Use the Actions section to run common functions related to analyzing event logs. This enables you to create or edit custom views, export events for further analysis and more.
Events | The Events section is used to browse thr
137. ing
15 Glossary
Table 87 below describes all common terms used in this manual.
Table 87: Terms used in this manual
TERM | DEFINITION
Audit process tracking | Generates events which track actions such as programs which are launched/closed, as well as other indirect object access information which contains important security information. For more information refer to http://technet.microsoft.com/en-us/library/cc775520(WS.10).aspx
Actions | The activity that will be carried out as a result of events matching specific conditions. For example, you can trigger actions whenever an event is classified as critical. Actions supported by GFI EventsManager include Email alerts, event archiving and execution of scripts.
Alerts | Notifications which inform recipients that a particular event has occurred. GFI EventsManager can generate Email alerts, SMS alerts and Network alerts.
Archive | A collection of events stored in the SQL Server based database backend of GFI EventsManager.
Audit account management | Generates events when account management operations are done, such as create/delete a user account or group, enable/disable a user account and set/change a user password. For more information refer to http://technet.mi
Further terms listed in this table (definitions fall outside this fragment): Audit system events; COM Network Access; Email alerts; Event classification; Event logs; Event processing rules; File and Printer sharing; Internet Protocol Security (IPsec).
138. ing the rule name and rule classification.
Event Logs | This tab is available only for Windows event log rules. Use this tab to specify the Windows event logs to which this rule applies.
Conditions | Use this tab to configure event filtering conditions.
Actions | Use this tab to configure alerts and actions triggered by this rule.
Threshold | Use this tab to configure the event threshold value, i.e. the number of times that an event must be detected prior to triggering alerts and remedial actions. This helps reduce false positives triggered by noise (repeated events) in your event logs.
8.5 Advanced event filtering parameters
GFI EventsManager allows systems administrators to set up advanced event filtering parameters. These options are available only for Windows Events and Syslogs.
8.5.1 Windows events conditions
The Event IDs field allows systems administrators to set up the parameters described in the table below.
Table 61: Parameters available in the Event ID field
PARAMETER TYPE | EXAMPLE
Single events | Event IDs: 575
List of events | Event IDs: 550, 570
Range of events | Event IDs: 575-600
Combination of events | Event IDs: 550, 570, 575-600
The Source, Category and User fields allow systems administrators to set up the parameters described in the table below.
Table 62: Parameters available in the Source, Category and User fields
PARAMETER TYPE | EXAMPLE
Single source name | Source: Useren
139. ion
The Status tab is a dashboard that shows the status of GFI EventsManager as well as statistical information related to the events collected, processed and archived. The status monitor consists of three different dashboard views: General view, Job Activity view and Statistics view.
Screenshot 117: Dashboard View Options (Status tab: General; Job Activity; Statistics)
This chapter contains information about the following views: General status view; Job Activity view; Statistics view.
11.2 General status view
Screenshot: General Status view (GFI EventsManager Service Status: GFI EventsManager service is running, Syslog, SNMP Traps, Database server is running; Top Important Logon Events chart, e.g. successful logons outside working hours for all computers over the last 24 hours). The General Status displays the primary monitoring requirements associated with EventsManager, displays global log collection counts and lists the activities performed by EventsManager.
140. ively supports an extensive list of SNMP devices and Management Information Bases (MIBs). For a full list of supported devices visit http://kbase.gfi.com/showarticle.asp?id=KBIDO02868
GFI EventsManager includes a dedicated SNMP Trap Server through which SNMP Traps are handled. A built-in buffer allows the SNMP Trap Server to collect, queue and forward up to 30 SNMP Traps at a time. Buffered logs are by default passed on to the event processing engine as soon as the buffer fills up or at one minute intervals, whichever comes first.
To collect SNMP Traps:
NOTE: Before you start collecting SNMP Traps messages, every SNMP event source (workstations, servers and/or network devices) must be configured to send their SNMP Traps messages to the computer name or IP where GFI EventsManager is installed.
1. From Configuration tab > Event Sources, right-click an event source group and select Properties.
Screenshot: Event source group properties, SNMP Traps tab (Specify if this computer group can send SNMP Traps messages to EventsManager. SNMP Traps messages can be received from any computer or device configured to send SNMP Traps messages to EventsManager. Options: Accept SNMP Traps messages from this computer group; Decrypt incoming SNMP Traps messages, with Host key; Post message processing: Archive all logs without any further processing, or Process the logs with the rules selected below before archiving.)
141. ivers. Because of this, Syslog can be used to integrate log data from many different types of systems into a central repository, using the Syslog server as a log aggregator. The Syslog daemon handles the recording of Syslog messages (events) in log files.
The Syslog message is composed of two main parts:
1. The header, which contains date/time information as well as the IP or computer name from where the message has originated.
2. The message, which includes the program or subsystem name and the message itself, separated by a colon.
The following is an example of a Syslog message:
Sep 4 10:10:10 10.245.2.11 foo[421]: this is a message from WebSRV
2.6 What are SNMP Traps?
SNMP Traps are used by network management systems to monitor network devices such as routers, firewalls or switches for conditions that require administrative attention. This includes monitoring device uptime, inventories of operating system versions and collecting interface information. SNMP-enabled devices do not record event messages locally; instead they transmit event details to an SNMP Trap server, which analyzes these occurrences and alerts systems administrators on key events. GFI EventsManager includes its own SNMP Trap server that captures SNMP messages and informs systems administrators of network device failures and other critical events. GFI EventsManager supports various versions of SNMP Traps including SNMP ve
142. k OK.
Select the audit options:
By Access | Creates an audit log per object operation execution.
By Session | Creates an audit log per operation and per schema object. A session is the time between a connection and a disconnection to/from the database.
Success | Select to process only successful audits.
Failure | Select to process only failed audits. Oracle will create an audit log if an audit fails to complete.
Both | Select to process all audit logs.
Choose this option to instruct the Oracle server to start auditing the server activities corresponding to the selected parameters, like users, statements etc.
Choose this option to instruct the Oracle server to stop auditing the server activities corresponding to the selected parameters, like users, statements etc.
Current audited statements | A list that displays all current Oracle audited schema
Screenshot: Oracle Database properties, Audit by Statements tab (Configure the Oracle SQL statements and user activity to audit: Statements, User, Options; Current audited statements list with columns User name, Statement, Audit option, showing e.g. ALTER SYSTEM, SYSTEM AUDIT, CREATE SESSION, CREATE USER and ALTER USER audited for ALL USERS, BY ACCESS)
143. k drive name and storage space.
Check inactive domain machines | Checks the domain for inactive machines. A machine can be inactive if no log in requests were sent during the previous 30 days. If inactive machines are found, a Windows event is created.
Check inactive users | Checks the domain for inactive user accounts. A user account is inactive if no log in requests were sent during the previous 30 days. If inactive accounts are found, a Windows event is created.
CHECK LIST | DESCRIPTIONS
Check IPSec policies | Checks the status of IPSec policies on target machines, if any. If IPSec policies exist and are inactive, a Windows event is created.
Check Microsoft firewall status | Checks the status of any Microsoft Windows Firewall or ISA servers on target machines. If a firewall exists and is off, a Windows event is created.
Check slow connection | The script performs a PING request and records the response time. If the response time is more than 500 milliseconds, the script creates a Windows event.
Check volumes encrypted by Microsoft | Checks if there are volumes encrypted using Microsoft products (e.g. BitLocker) on target machines. If volume encryption is not used, a Windows event is created.
To configure GFI EventsManager auditing event processing rules, navigate to Configuration tab > Event Processing Rules and from the Rule Folders tree select Windows Events. For more information refer to Using eve
144. key in the required criteria to customize the graph results.
NOTE: To collect services information, event sources must have the Audit system events policy enabled. For more information refer to Step 2: Enable additional auditing features.
SECTION | DESCRIPTION
Top Network Activity Events | Displays details of the top 10 network activities (5 inbound and outbound). Network activity consists of all types of traffic generated by various protocols, including SMTP, HTTP, FTP and MSN traffic. The network activities displayed can be filtered by: Applications; Source Addresses; Destination Addresses; Computers; Ports; Users. Select parameters from the drop-down lists or key in the values to filter the type of chart displayed.
NOTE 1: The network activity shown in the chart applies only to computers running Microsoft Windows Vista or later.
NOTE 2: To collect network activities, event sources must have Object auditing and Process tracking enabled. For more information refer to Step 2: Enable additional auditing features.
Click the Arrange Window icon to automatically fit all graphs in the management console.
GFI EventsManager Service Status | Used to view: the operational status of the GFI EventsManager service (event processing engine); the operational status of the Syslog server; the operational status of the SNMP Traps server; the operati
145. lassify events and trigger alerts/actions accordingly. By default, GFI EventsManager ships with a pre-configured set of event processing rules that allow you to gain network-wide control over computer logs with negligible configuration effort.
7.1.1 Event processing rules
Event processing rules are instructions (checks) that:
- Analyze the collected logs.
- Classify the severity of processed events. Classification is based on the configuration settings of the processing rule.
- Filter events that match specific criteria. Example: you can create and run a rule which filters out low-severity events and noise (duplicate events).
- Generate alerts and actions based on event severity. Example: you can configure GFI EventsManager to send both SMS and email alerts whenever an event is classified as critical, but limit the product to send only email alerts when an event is classified as high in severity. For more information refer to Configuring alerting options.
- Optionally archive filtered events. Event archiving is based on the severity of the event and on the configuration settings of the event processing rules. Example: you can configure GFI EventsManager to archive only events that are classified as critical or high in severity and discard all the rest.
In GFI EventsManager, event processing rules are organized into Rule sets, and every rule set can contain one or more specialized rules which can be run against collected logs. Post-collection
146. le logTypes <application|custom|directory|security|dns|filereplication|syslog|system|snmp|oracle|sql|w3c>: specify the log type to import.
password <password>: optionally specify the password.
anonpass1 <password>: optionally specify the primary decryption password.
anonpass2 <password>: optionally specify the secondary encryption password.
jobId <id>: optionally specify a unique job ID.
Command: Esmdlibm.exe importFromLegacyFile path C:\Events logTypes dns security w3c password 1234 jobId 987
FUNCTIONS DESCRIPTION (continued)
Export to file: This function enables you to export data to a file. It is made up of the following parameters:
exportToFile: function name.
path <path>: specify the path where the exported file is saved.
password <password>: specify a password to protect the exported file.
olderThenXDays <number of days>: specify what data is exported, based on the number of days passed since the event was generated.
olderThenXHours <number of hours>: specify what data is exported, based on the number of hours passed since the event was generated.
jobId <id>: optionally specify a unique job ID.
Command: Esmdlibm.exe exportToFile path C:\Events password 1234 olderThenXDays 7 jobId 987
5. Press Enter to run the command.
13.4.3 Using Esmreport.exe
To use Esmrep
147. lete cursor operation because the table schema changed after the cursor was declared.
Error message 1: Error connecting to machine MACHINENAME. Error: 0x35. Message: The network path was not found.
Error message 2: Error connecting to machine MACHINENAME. Error: 0x52E. Message: Logon failure: unknown user name or bad password.
Error message 3: Critical error encountered: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
Error message 4: Unexpected error when connecting to machine MACHINENAME (remote W3C logs path is PATH).
No event logs are being collected by GFI EventsManager
Description: This error is encountered when the administrator is performing maintenance tasks on the GFI EventsManager databases while the GFI EventsManager service is running.
Solution:
1. Stop the GFI EventsManager service.
2. Perform the maintenance tasks in Microsoft SQL Server.
3. Restart the GFI EventsManager service once the Microsoft SQL maintenance tasks are finished.
To avoid this, ensure that the GFI EventsManager service is stopped whilst performing any maintenance tasks on the GFI EventsManager database. For mor
149. lumn Headings.
If you have a saved report template, click Open location to browse and load your template.
5. (Optional) Click the Chart tab and select Use graphical charts to include graphs in your report.
6. From the Place chart at drop-down menu, specify the location of the chart. Select from: Beginning of Report, End of Report.
7. From Properties > X axis and Y axis, configure the X and Y axis properties.
8. (Optional) Click the Schedule tab and configure schedule settings.
9. Click OK to save settings.
5.5 Generating reports
To generate a report:
(Screenshot: Reporting tab, report context menu with Generate Report options: For Configured Interval (F5), For Today, For Yesterday, For The Month, For Last Month, For Custom Date (Ctrl+F5))
150. matically: Installs downloaded updates automatically.
Only notify me when updates are available but are not installed: Available updates are shown in the Missing Updates section.
Show messages in the application: Shows a message at the bottom of the application page. Click on the displayed message to action the updates.
Send alerts on GFI EventsManager Administrator user: Sends an email alert to the configured GFI EventsManager Administrator account. For information on configuring the GFI EventsManager Administrator account, refer to the Configuring the Administrator account section in this manual.
13.6 Product licensing
GFI EventsManager is licensed by Node. All devices that generate a log are considered to be a Node. This section contains information about: Updating license key; Obtaining a free 30-day trial license key; Viewing license details; Updating license type; Purchasing a license key.
13.6.1 Updating license key
1. Click the General tab.
2. From the left pane, right-click Licensing and select Update license key.
Screenshot 162: Update license key
3. Specify your license key details.
4. Click OK to finalize settings.
13.6.2 Obtaining a free 30-day trial license key
GFI EventsManager allows you to register your version of the
151. me actions; Advanced event filtering features; Event centralization; User access privileges.
GFI EventsManager enables you to organize event log scanning rules into Scanning Profiles. In a scanning profile you can configure the set of event log monitoring rules that will be applied to a specific computer or group of computers. The benefits of these profiles include:
- Simplification of product administration tasks, by providing a centralized way of tuning event processing rules.
- Allowing administrators to create different sets of event log rules that suit the roles of scanned event sources and the corporate network environment. For example, you can set up a set of rules which apply only to workstations in a particular department. Administrators can create an event processing profile that is generic for all computers, and a number of separate profiles which complement the generic profile by providing additional and more specialized event log rules on a computer-by-computer basis.
One major drawback of Windows Event Logs is that they are not user-friendly: too cryptic for the user to understand. In fact, this is one of the main reasons why only few administrators really peer into Windows Event Logs. GFI EventsManager overcomes this problem by translating event descriptions into a form that is more user-friendly and easier to understand. GFI EventsManager includes an event scanning engine that has been tuned to effectiv
153. n-us/library/cc181373.aspx
Repeated log entries which report the same event.
Enable this auditing feature to audit events of users accessing objects (example: files, folders and printers). For more information refer to http://technet.microsoft.com/en-us/library/cc976403.aspx
Enable this auditing feature to audit tracking information (example: program activation, process exit and indirect object access). For more information refer to http://technet.microsoft.com/en-us/library/cc775520(WS.10).aspx
Required to allow GFI EventsManager to access and collect events from remote machines. For more information refer to http://technet.microsoft.com/en-us/library/cc766438.aspx
The folder which contains one or more rule sets.
A collection of event processing rules.
SMS notifications which inform recipients that a particular event has occurred. In GFI EventsManager, SMS alerts can be sent through various sources, including mobile phones with modem capabilities and email-to-SMS web-based gateways.
An SNMP object identifier is an address made up of a sequence of dotted numbers (example: 1.3.6.1.4.1.2682.1). These numbers uniquely identify and locate a specific device (example: a hub) within the entire network. SNMP OIDs are a key component in the assembly of SNMP messages; in fact, an SNMP server cannot interpret or assemble messages which don't have an OID. Individual vendors often create their own MIBs that only include the OIDs associate
154. n Quick Launch Console ... 3 maintenance job(s)
Screenshot 141: Maintenance job priorities
By default, maintenance jobs are executed according to the sequence in which the jobs are created (First In, First Out). Thus the priority of maintenance jobs is determined by the sequence in which jobs are executed.
To increase or decrease the priority of a maintenance job:
1. Click the Configuration tab and select Options.
2. From the left pane, select the Database Operations node.
3. From the right pane, right-click the maintenance job and select Increase Priority or Decrease Priority accordingly.
12.6.3 Deleting a maintenance job
Scheduled maintenance jobs awaiting execution can also be deleted.
1. Click the Configuration tab and select Options.
2. From the left pane, select the Database Operations node.
3. From the right pane, right-click the maintenance job to delete and select Delete.
Before deleting maintenance jobs, ensure that all data is backed up.
13 Miscellaneous
This chapter includes sections containing information about: Enabling permissions on event sources manually; Enabling permissions on event sources automatically; Disabling UAC to scan event sources; Command line tools; Auto-updating GFI EventsManager; Product licensing; Version information.
13.1 Enabling permissions on event sources manually
This section
155. naccurate information.
To create a new custom report:
(Screenshot: Reporting tab, report folder context menu with Generate Report, Create Report, Create Folder, Delete, Copy/Paste Report, Copy/Paste Report Restrictions, Export to PDF, Open File Location and Reset filter)
Screenshot 28: Creating a new report
1. From Reporting tab > Reports, right-click a root folder, folder or root report and select Create Report.
(Screenshot: Create Report dialog, with Name, Description and Select sort column fields and a condition such as: date Occurred AND time < 20:52:11 AND importance Critical AND log format Text Logs)
Screenshot
156. nd select Rename or Delete accordingly.
NOTE: Deleting a rule set folder will lead to the deletion of all the rules and rule sets contained within the deleted folder.
8.3 Creating new events processing rules
To create a new event processing rule:
1. Click the Configuration tab and select Event Processing Rules.
(Screenshot: Event Processing Rules pane, showing the Rule Folders tree (Windows Events, Noise Reduction, PCI Requirements, Security, System Health, Security Applications), the rule list with Classification and Actions columns, and the context menu: Create new rule, Create new folder, Increase Priority (Ctrl+Up), Decrease Priority (Ctrl+Down), Find rule, Sort by name, Sort by priority, Properties)
Screenshot 89: To crea
157. nd collect information when performing an automatic search for event sources.
To configure the auto discovery credentials:
1. Click Configuration tab > Options.
2. From Configurations > Console Security and Audit Options, right-click Auto discovery credentials and select Edit auto discovery credentials.
(Screenshot: Auto discovery Credentials dialog, General tab: Specify the credentials used to collect information from network computers; Username; Password)
Screenshot 116: Auto discovery credentials
3. Key in a valid username and password. Click OK.
10.5 Managing Database and Files Backend security
GFI EventsManager enables you to protect your database with an encryption key. Encrypting the database will prevent unauthorized personnel from viewing or accessing event logs.
NOTE: Encrypting the database will cause the Status Monitor and Events Browser to stop viewing sensitive information.
To encrypt the backend database:
1. Click Configuration tab > Options.
2. From Configurations, click Database and Files Backend > Configure file storage.
3. From the Archive storage folder dialog, select Encrypt data using the following password.
4. Specify the password and click OK to save your settings.
11 Status monitoring
11.1 Introduct
158. (Screenshot: Domain Policy console, Windows Firewall settings list: Do not allow exceptions; Define program exceptions; Allow local program exceptions; Allow ICMP exceptions; Allow Remote Desktop exception; Allow UPnP Framework exception; Prohibit notifications; Allow logging; Prohibit unicast response to multicast or broadcast requests; Define port exceptions; Allow local port exceptions)
Screenshot 156: Domain Policy console in Microsoft Windows Server 2003
10. From the Settings list, right-click Windows Firewall: Allow file and printer sharing exception and select Properties.
11. From the Settings tab, select Enabled and click OK.
12. Repeat steps 9 to 11 for Default Domain Controllers Policy.
13. Click File > Save to save the management console. The group policy will be applied the next time each client machine is started.
13.2.2 Windows Server 2008 (including R2) Firewall permissions
To enable permissions on all domain clients:
1. Click Start > Administrative Tools > Group Policy Management.
2. Expand Group Policy Management > Forest > Domains
159. (Screenshot: Group Policy Management Editor tree: Windows Firewall with Advanced Security; Connection Security Rules; Network List Manager Policies; Wireless Network (IEEE 802.11) Policies; Public Key Policies; Software Restriction Policies; Network Access Protection; IP Security Policies on Active Directory; Policy-based QoS; Administrative Templates: Policy definitions (ADMX))
Screenshot 158: Group Policy Management Editor
5. In the New Inbound Rule Wizard, select Predefined and select File and Printer Sharing.
(Screenshot: New Inbound Rule Wizard, Rule Type step. What type of rule would you like to create? Program: rule that controls connections for a program; Port: rule that controls connections for a TCP or UDP port; Predefined: a list of Windows services including Remote Event Log Management, Network Discovery and File and Printer Sharing)
160. ner of the Events Browser.
3. From the Create Report dialog, configure the options from the tabs described below.
Table 14: Event Browser Create new report
General: Specify the new report name and add conditions.
Layout: Select the columns that you want to be visible in the report. You can also customize the order of appearance.
Chart: Select Use graphical charts to generate a report showing information in a chart. The available chart types are: Pie chart, Bar chart, Line graph.
Schedule: Select Use schedule to enable report scheduling. Configure the generation date and frequency for the new report.
NOTE: For more information refer to Creating custom reports.
4.9 Switching database
For event browsing purposes, GFI EventsManager enables you to switch between different databases. Use this feature to browse events that have been exported or archived for further analysis.
To switch database:
1. Click Events Browser > Common Tasks > Switch database.
(Screenshot: Switch DLib Database dialog: Select the database containing the events you wish to be displayed in the events browser; list of databases with their paths under C:\Program Files\GFI\EventsManager2011\data\FileStorage)
Screenshot 22: Switch database dialog
2. Select the database from the list of databases and click O
161. nes must have User Account Control (UAC) disabled. For more information on how to disable UAC, refer to the Disable UAC to scan target machines section in this manual.
3.4 Upgrading from a previous version
Upgrading from older versions is not possible due to the underlying operational and processing technology subsystems. You will still, however, be able to run an older version of GFI EventsManager on the same machine on which a newer version of GFI EventsManager is installed, since there are no conflicts between the older and the newer versions. You can also export events from an older version of GFI EventsManager and import the data into the new one using Database Operations. For more information refer to Database Operations.
3.5 Firewalls and Anti-virus software
If firewalls are enabled and anti-virus software is installed on the computer where GFI EventsManager is running, make sure that:
- Traffic is not blocked on the ports in use by GFI EventsManager.
- esmui.exe and esmproc.exe are allowed access through the firewall(s).
- GFI EventsManager folders are excluded from real-time anti-virus scanning.
For more information on the ports and permissions that must be enabled, refer to Ports and permissions.
3.6 Computer identification considerations
GFI EventsManager identifies computers via computer name or IP. If NETBIOS-compatible computer names are used, ensure that your DNS service is properly configured for name resolution. Unreliabl
162. nfiguring the Syslog server communications port.
(Screenshot: Configuration tab > Options > Configurations, Syslog Server Options node selected, with the Edit Syslog options action: Here you can configure the Syslog server options)
Screenshot 81: Configuring Syslog Server communication port
To change the default Syslog port settings:
1. Click Configuration tab > Options.
2. Right-click Syslog Server Options and select Edit Syslog options.
(Screenshot: Syslog Options dialog, General tab. Configure the in-built Syslog server options. To receive messages from Syslog clients, enable the Events Manager Syslog server and specify the port on which the server will run. Options: Enable in-built Syslog server on the TCP port 514; Enable in-built Syslog server on the UDP port 514. To configure receiving of Syslog events: 1. Configure Syslog clients to send messages to this server on the specified port. 2. Specify the client name ...)
163. ng further checks: Process the logs with the rules selected. Select additional checks to run against collected W3C below before archiving logs.
3. Click OK to finalize your settings.
NOTE: Deleting event logs without archiving may lead to legal compliance issues.
7.4 Collecting Syslogs
Syslog is a data logging service that is most commonly used by Linux and UNIX-based systems. The concept behind Syslog is that the logging of events and information is entirely handled by a dedicated server called a Syslog Server. Unlike Windows and W3C log-based systems, Syslog-enabled devices send events in the form of data messages (technically known as Syslog Messages) to a Syslog server that interprets and manages the messages and saves the data in a log file.
In order to process Syslog messages, GFI EventsManager ships with a built-in Syslog Server. This Syslog server will automatically collect, in real time, all Syslog messages (events) sent by Syslog sources and pass them on to the event processing engine. Out of the box, GFI EventsManager supports events generated by various network devices manufactured by leading providers, including Cisco and Juniper. For more information about supported devices visit http://kbase.gfi.com/showarticle.asp?id=KBID002868
A built-in buffer allows the Syslog server to collect, queue and forward up to 30 Syslog messages at a time. Buffered logs are by default pass
164. nt processing rules.
To enable and configure GFI EventsManager auditing:
1. Right-click an event source or an event source group and click Properties.
(Screenshot: Event source properties, Audit tab. Options: Inherit configuration from parent group; Enable GFI EventsManager auditing; Perform the following audits, listing Check audit policy, Check disk space and Check inactive domain machines, each with Audit Results Location: Remote Machine Log. Description of Check audit policy: Checks the audit status of all event categories in the audit policy on target machines. If the audit is disabled on any category, a Windows event will be generated. Auditing threshold: Start a new audit only if 12 hours passed since the last audit)
Screenshot 57: Event source properties, Audit tab
2. From the Properties dialog, select the Audit tab and configure the options described below.
Table 36: Auditing options
Inherit configuration from parent group: Select this option to use the settings configured in the parent group.
Enable GFI EventsManager auditing: Select this option to enable GFI EventsManager auditing.
Perform the following audits: Select the audits to perform on target machines.
Start a new audit only if: Select this option and configure the threshold time between audits. GFI EventsManager will wait for the defined interval before st
165. nt sources: Shows how to add and customize event sources to be monitored.
Using event processing rules: Explains how to use event processing rules.
Manage rule sets: Describes how to create, edit and delete event processing rules.
Customizing alerts and actions: Shows how to set the alerts and actions that will be triggered on particular events.
Configuring users and groups: Explains how to configure alert recipient parameters, including: personal details such as mobile phone number; normal working hours; type of alerts that will be sent to every recipient.
Status monitoring: Describes how to analyze the status of GFI EventsManager as well as view statistical information and processed events.
CHAPTER DESCRIPTION (continued)
Chapter 12 Database Operations: Explains how to centralize events collected by other remote GFI EventsManager instances and how to optimize database backend performance.
Chapter 13 Miscellaneous: Describes miscellaneous options such as permissions, command line operations and licensing.
Chapter 14 Troubleshooting: Explains what main sources of information are available to help administrators troubleshoot product issues.
Chapter 15 Glossary: Defines technical terms used within GFI EventsManager.
1.2 Conventions used in this manual
The following table contains a description of the common terms and conventions used in this manual.
DESCRIPTION: Additional information and reference
166. number of reports. For more information refer to Creating a folder.
Create Root Report: Root reports behave in the same way as root folders. These are created at the top level and may contain a number of sub-reports. For more information refer to Creating a root report. Example: You can create a root report which is generated once every month. Then you can create daily reports covering specific topics of the root report, generated on a daily basis.
5.4.1 Creating a root folder
To create a root folder:
1. From Reporting tab > Common Tasks, click Create Root Folder.
(Screenshot: Create Folder dialog: Create new Folder to group and better organize Reports for collected events. Options: Inherit from Parent; Use schedule; Generation Time; Recurrence pattern (Weekly: Recur every N week(s) on selected days of the week); Send report by email to EventsManagerAdministrators)
Screenshot 24: Create Report Folder dialog
2. From the General tab, specify a name and a description (optional) for the new folder.
3. (Optional) Click the Schedule tab and select Use schedule to configure a schedule for the reports included in this new folder. Configure the options described below.
Table 18: Create folder Schedule options
Inherit from Parent: Select when the new folder is part of a root folder that already has scheduling configured.
Use schedule: Select Use Sch
167. ob will be saved and executed according to the database operations schedule. For more information refer to Configuring database operations.
Run the job now: The job is executed immediately. Unscheduled jobs only run once.
10. Click Finish.
12.5.5 Import from legacy file storage
To create an import from legacy files job:
1. Click the Configuration tab and select Options.
(Screenshot: Configurations > Database Operations pane. Here you can define maintenance jobs to import/export data from EventsManager storage and to import from SQL Server or legacy export files/legacy file storage. The maintenance jobs will be executed sequentially in the priority order. The job list shows ID, Job description and Filter, e.g. Import files from folder C:\Users\John Smith\Desktop..., Import legacy files from folder C:\Users\John Smith\Desktop..., with the Create new job action)
168. ocess, this engine will:
1. Log on to the event source(s).
2. Collect events from the source(s).
3. Send collected events to the GFI EventsManager Server.
4. Log off from the event source(s).
The Event Retrieval Engine collects events at specific time intervals. The event collection interval is configurable from the GFI EventsManager management console.
The SQL Server Listener: The listener receives trace messages from the scanned Microsoft SQL Server in real time. On receipt, EventsManager processes the message immediately.
The Oracle Retrieval Engine: The Oracle Retrieval Engine connects periodically to Oracle servers and collects audits from a specific auditing table. Similar to the Microsoft Windows Event Retrieval Engine, GFI EventsManager processes events generated by the Oracle server.
Log Receiving Engine: The Event Receiving Engine acts as a Syslog and an SNMP Traps server; it listens for and collects Syslog and SNMP Trap events (messages) sent by various sources on the network. As opposed to the Event Retrieval Engine, the Event Receiving Engine receives messages directly from the event source; therefore it does not need to remotely log on to the event sources for event collection. Further to this, Syslog and SNMP Trap events (messages) are collected in real time, and therefore no collection time intervals need to be configured. By default, the Event Receiving Engine listens for Syslog messages on port 514 and for SNMP Trap messages on port 16
169. [Table continued: Audit process tracking, Audit policy, Audit account management and Audit system events are set to Enable in every column.]
For more information refer to Enabling permissions on event sources manually or Enabling permissions on event sources automatically.

3.3.5 Monitoring event logs from Microsoft Windows Vista or later
GFI EventsManager cannot be installed on Microsoft Windows XP to monitor events of Microsoft Windows Vista or later. Microsoft Windows Vista and Microsoft Windows 7 introduced extensive structural changes in event logging and event log management. The most important of these changes include:
A new XML-based format for event logs. This provides a more structured approach to reporting on all system occurrences.
Event categorization in four distinct groups: Administrative, Operational, Analytic and Debug.
A new file format (.evtx) that replaces the old .evt file format.
Due to these changes, to collect and process event logs from Microsoft Windows Vista or later, GFI EventsManager must be installed on a system running Microsoft Windows Vista, Microsoft Windows 7 or Microsoft Windows Server 2008. Windows XP events can be collected when GFI EventsManager is installed on Microsoft Windows Vista or later machines.
NOTE: When GFI EventsManager is using a non-domain account to collect events from Microsoft Vista machines or later, target machi
170. ...ollowing password and specify an encryption password.
[Screenshot callout: "Indicates that the specified passwords do not match".]
6. Click OK to save your settings.
NOTE: Encrypting the live database is not supported from the GFI EventsManager Management Console. To encrypt the live database, use esmdlibm.exe. For more information refer to Using Esmdlibm.exe.

12.3.1 Switching databases
To switch from one database to another:
1. From the Archive storage folder dialog, click Browse or specify the path to the database you want to load.
2. From the Name drop-down menu, select the database.
3. (Optional) Enable/Disable encryption.
4. Click OK to save your settings.
NOTE: GFI EventsManager supports encryption of offline databases through the Management Console.

12.4 Configuring Database Operations
To configure Database Operations:
1. Click Configuration tab > Options.
2. From Configurations, right-click Database Operations and select Properties.
[Screenshot 122: Database Operations Options dialog, Schedule tab. "Please set the schedule options. Mark the intervals when maintenance options can be executed" (hour grid 00h, 03h, 06h, 09h, 12h, 15h, 18h, 21h). "Specify the time when the maintenance options should be executed": Interval (Days); Start date/time 06/09/2010 20:01:00.]
3. From the Data
171. ...om the Audit process tracking Properties, select Success and Failure and click OK.
[Screenshot 147: Audit system events Properties, Local Security Setting tab. "Audit these attempts." Note in dialog: "This setting might not be enforced if other policy is configured to override category level audit policy. For more information, see Audit system events (2971468)."]
11. Close the Local Security Policy window.

13.1.3 Microsoft Windows 7
Step 1: Enable Firewall permissions
To manually enable firewall rules on Microsoft Windows 7:
1. Click Start > Control Panel > System and Security and click Allow a program through Windows Firewall under the Windows Firewall category.
[Screenshot: Windows Firewall > Allowed Programs. "Allow programs to communicate through Windows Firewall. To add, change or remove allowed programs and ports, click Change settings. What are the risks of allowing a program to communicate?" The Allowed programs and features list (columns Name, Home/Work (Private), Public) includes Remote Assistance, Remote Desktop, Remote Event Log Management, Remote Scheduled Tasks Management, Remote Service Management, Remote Volume Management, Routing and Remote Access, Secure Socket Tunneling Protocol, SNMP Trap, Windows Collaboration Computer Name Registration Service.]
172. ...on
1.6 Navigating the GFI EventsManager management console
[Screenshot 1: The GFI EventsManager management console. Tabs: Status, Configuration, Events Browser, Reporting, General. Configuration tab with Event Sources, Event Processing Rules and Options; Group Type drop-down. The Groups pane lists All event sources ("This view shows all the event sources which are in the scanning list"), Default (6), Servers (0), Workstations (0), Laptops (0), Web Servers (0), File Servers (0), Linux Hosts (0), Cisco PIX & ASA devices (0), Email Servers (0), Archive all Windows logs (Non DC) (0). The right pane lists Computer Name, Group Name, Licensing Type and State, e.g. TECHCOMSERVONE and TECHCOMSERVTWO (Default, Server, Enabled) and TEMP, W703, W704 (Default, Workstation, Enabled). Common Tasks: Report on settings, Report on rules.]
SECTION | DESCRIPTION
Status option: Use this option to view the status of GFI EventsManager and statistical information on processed logs.
Configuration option: Use this option to access and configure the main event processing options.
Events Browser: Use this
173. ...on suitable for forensic analysis. The computer log may be a binary file, as in the case of Windows logs, or text-based files, as in the case of Syslog or W3C logs. Such events include various details such as the date and time the event occurred and a related description. Event entries are often stored in chronological order to facilitate event browsing and forensic analysis.

2.3 What are Windows Event Logs
Windows Event Logs are a systematic recording of computer-related events that occurred within computer systems and networks running on Windows Operating Systems. In systems running on Windows 2000/XP/2003/VISTA, events are recorded and organized in 3 default event logs: Application log, Security log and System log. Computers with specialized network roles such as domain controllers and DNS servers allow the logging of events to additional default logs such as the Directory service log, the File Replication service log and the DNS server log.
Windows Event Logs contain the following types of events:
EVENT TYPE | DESCRIPTION
Error: Error events indicate that a significant problem such as loss of data or functionality has occurred. For example, an Error event is recorded every time that a service or driver fails to load during startup.
Warning: Warnings indicate events that are not necessarily significant but which may possibly cause future problems. For example, a Warning event is recorded every time that disk space runs low.
174. ...onal status of the database server currently in use by GFI EventsManager.
NOTE: Click the service name to edit the service settings.
The Events Count By Database Fill Up graph displays:
The horizontal bars, which represent the number of events stored in the database backend, sorted by event log type.
The date and time of the last backup.
The date and time of the next scheduled backup.
The bar color turns from green to red as the database is populated with events.
NOTE: Double-click the graph to open it in a new window. When a 3D graph is selected, the new window allows you to rotate, zoom or resize the graph. Use the Export to image button to export the graph.

11.3 Job activity view
[Screenshot: Status tab > Job Activity. "This view displays your current event collection and processing activity. This includes active event collection jobs as well as server messaging history on a machine by machine basis." Active Jobs pane (Job ID, Target, Progress, Log Source) and Queued Jobs pane (Queued Time, Target, Target Log); sample rows show System, Directory Service and GFI EndPointSecurity logs queued from hosts such as TECHC... and 192.168.0.x on 27/10/2011.]
175. 2011 GFI Software. All rights reserved. All product and company names herein may be trademarks of their respective owners.
176. ...option to browse the events stored in the GFI EventsManager database backend.
Reporting: Use this option to access GFI EventsManager reporting features, create new reports and schedule reports to be generated.
General options: Use this option to check for product updates as well as view version and licensing details.
Tab options: Use the Tab options to access and configure GFI EventsManager operational parameters.
Group Type: Use this drop-down to switch between event log source groups, i.e. Computer and Database Servers Groups.
Left pane: Use this pane to navigate through the additional configuration options provided in GFI EventsManager.
Right pane: Event browsing and parameter configuration pane.

2 Getting Started
2.1 Introduction
This chapter provides information about the different log formats supported by GFI EventsManager. For more information refer to the sections below within this chapter: What is a computer log; What are Windows Event Logs; What are W3C logs; What are Syslogs; What are SNMP Traps; What are SQL Server audit logs; What are Oracle Server audit logs.

2.2 What is a computer log
A computer log is a collection of event entries. These entries provide an audit trail of information related to the activity of a network or computer system. In fact, computer logs are recorded in a certain scope to provide informati
177. ...or PCI Requirements, Security logs, System Health logs, noise reduction and more.
SQL Server Audits: Contains rules tailored for SQL Server Audit monitoring. Amongst others these include: Database changes; Server changes; Database access.
SNMP Traps: Contains rules tailored for SNMP Traps Messaging. Amongst others these include: Cisco IOS 12.1; Cisco IOS 12.2; Allied Telesis.
Oracle Audits: Contains rules tailored for Oracle Server Audit monitoring. Amongst others these include: Database changes; Server changes; Database access.
Syslog Messages: Contains rules tailored for the processing of LINUX and UNIX system logs. Amongst others these include: Juniper network rules; IBM iSeries rules; LINUX/UNIX host rules.
Text Logs: Contains rules tailored for the processing of web transfer protocols. Amongst others these include: HTTP rules; FTP rules; SMTP rules.

8.2 Adding a rule set folder
To create a new rule set folder:
1. Click Configuration tab and select Event Processing Rules.
2. From Common Tasks, select Create folder.
4. Specify a unique name for the new rule set folder.
NOTE: To create sub-rule set folders, right-click on the parent folder and select Create new folder.

8.2.1 Renaming and deleting folders
To rename or delete existing rule set folders, right-click on the target rule set folder a
178. ...ort.exe:
1. Click Start > Run and key in CMD.
2. Press Ctrl+Shift+Enter to run CMD with elevated privileges.
3. Change the directory to the GFI EventsManager install directory: CD <C:\Program Files\GFI\EventsManager 2012>
4. Key in Esmreport.exe followed by any of the following functions:
FUNCTIONS | DESCRIPTION
Generate Configuration/Status/Events Report: Enables you to generate reports based on GFI EventsManager configuration. It is made up of the following parameters: type <CONFIGURATION|STATUS|EVENTS> (specify report type); target <path> (specify destination folder); format <HTML|CSV> (specify report format). Command: Esmreport.exe type STATUS target C:\Events format HTML
Event source configuration report: Enables you to generate reports on event sources configuration. It is made up of the following parameters: type configuration (specify report type); source <name> (specify a single event source name) or group <name> (specify a group name to report on multiple event sources). Command: Esmreport.exe type configuration group Servers
Status report: This function is made up of the following parameters: type status (specify report type); subtype <MESSAGES|STATS> (specify the report sub-type); period <CURRENT|date> (specify the period for the MESSAGES sub-type); period <ALL_TIME|date> (speci
179. ...ough the events categorized under the selected view from section 1 controls.
Reporting: The Report from view option enables you to generate graphical and statistical reports based on the selected view from section 1.
Event Description Pane: The Events Description Pane provides an extensive breakdown of the selected event from section 4. Use this section to analyze the event details and find out when the event was generated, what the cause was and by whom it was generated. The header color coding enables you to quickly identify the severity of the event.
Navigation: Use the navigation controls to browse through collected events.
The description section enables you to switch between two views:
General: Contains event information in the legacy format that was standard for pre-Microsoft Windows Vista event logs.
Fields: Contains a list of event information categorized by fields.
Use the Events Browser for forensic analysis of events. All events accessible through the Events Browser are organized by log type in the Views section.
NOTE: The link provided in the event description gives you access to: a more detailed description of the event; information and links that explain what causes this type of event; hints and tips on how to possibly solve any existing issues.
Event analysis is quite a demanding task. GFI EventsManager is equipped with specialized tools that simplify this process as well as enable the export of event
180. ...our settings.

10.2.4 Deleting users
To delete a user:
1. From the left pane, click on the Users node.
2. From the right viewer pane, right-click on the user to be deleted and select Delete.

10.3 Managing groups
GFI EventsManager enables you to assign users to a group. Once the group properties have been configured, every member of the group inherits the same settings. This section contains information about: Creating a group; Changing user group properties; Deleting user groups.

10.3.1 Creating a group
To create a group:
1. Click Configuration tab and select Options.
2. Expand the Users and Groups node.
3. Right-click the Groups sub-node and select Create group.
[Screenshot 111: New group setup. General tab ("Specify the members of this group"): Group name "Read Users"; Description "Users having read only access"; Members: Bob Jones, John Smith; Add/Remove buttons; Privileges tab; OK, Cancel, Apply.]
4. Specify the name and an optional description for the new group.
5. Click Add to start adding users to the group.
6. From the Privileges tab, select if the group has Full or Read Only permissions.
7. Click OK to finalize settings.

10.3.2 Changing user group properties
To edit the settings of a user group:
1. From Configuration tab > Configurations, expand the Users and Groups node.
2. Ri
181. ...parameters. GFI EventsManager ships with pre-configured rule sets that can be used to process events with minor configuration effort. You can also customize these default rules or create tailored ones for your organization's requirements. Events processing rules are conditions which:
Table 57: Events Processing Rules
CONDITION | DESCRIPTION
Classify processed events: Configure GFI EventsManager to classify processed events. By default, events are categorized into five main categories; however, more categories may be added according to your requirements.
Filter out noise (repeated events) or unwanted events: GFI EventsManager is able to filter out unwanted events. This helps you maintain only wanted events and ignore unwanted noise.
Trigger email, SMS and network alerts on key events: Configure automated actions to run when specific events are processed. For more information refer to Configuring Alerting Options.
Attempt remedial actions by executing specific scripts and executable files on key events: Run executable files, commands and/or scripts upon detecting a specified event and/or number of events.
In GFI EventsManager, event processing rules are organized into rule sets, which in turn are stored in rule set folders. The table below lists some of the most common rule set folders in GFI EventsManager:
Table 58: Rule set folders available in GFI EventsManager
RULE SET FOLDER | DESCRIPTION
Windows Events: Contains rules tailored f
182. ...perties.
4. Click the required tabs and configure the respective parameters accordingly. More information on how to configure these parameters is provided in the following sections: Configuring general event source properties; Configuring logon credentials; Configuring operational time; Configuring event source auditing; Configuring event processing parameters.

6.4.1 Configuring general event source properties
[Screenshot 54: Event sources properties dialog (Workstations). Tabs: General, Logon Credentials, Licensing, Operational Time, Windows. General tab: "Enter a group name and description for the computers you want to include in this group." Group Name; Description: "Add your workstations to this group. The logs scanned are the Windows security log, Windows application log and Windows system log. The scanning will use the appropriate processing rules." Enable collection of logs from this computer group. Schedule scanning: Real Time (i.e. once every 5 seconds) / Once every 30 Minutes; Next scan: 8/20/2010 5:53:41 AM.]
Use the General tab in the properties dialog to:
Change the name of a computer group.
Enable/disable log collection and processing for the computers in a group.
Configure log collection and processing frequency.

6.4.2 Configuring Logon Credentials
During event processing, GFI EventsManager must remot
183. ...ported.
folder <folder>: Optional. To export from an alternative folder.
NOTE: Any parameter that contains spaces must be enclosed in double quotes.
Example: exportsettings.exe destination c:\export

13.5 Auto-updating GFI EventsManager
GFI EventsManager enables users to configure how to automatically check for, download and install patches and updates. To configure Auto Update options:
1. Launch GFI EventsManager from Start > Program > GFI EventsManager > Management Console.
2. Click Edit updater options.
[Screenshot 161: Configure auto update. Configure Updater, General tab: "Configure how to automatically check for, download and install patches and updates." Enable/Disable automatic updates: Check for updates automatically (Daily). Updates installation: Install updates automatically / Only notify when new updates are available. Updates installation notification: Show messages in the application / Send alerts to the GFI EventsManager Administrator user.]
3. Configure the options described in Table 86 below and click OK.
Table 86: Auto update options
OPTION | DESCRIPTION
Check for updates automatically: If selected, GFI EventsManager will check for updates automatically on a daily or weekly basis.
Update Now: If the Check for updates automatically checkbox is not selected, use this option to manually check for updates and install missing updates.
Install updates auto
184. ...processing:
[Screenshot 75: Rule sets folder and Rule sets. Options: Archive all logs without any further processing / Process the logs with the rules selected below before archiving. A Rule Set folder containing the rule sets User-based noise, Defective logging noise and Over-logging noise; a further Rule Set, Typical behavior; Write extended tags to database.]
Rule sets are further organized into Rule Set Folders. This way you can group rule sets according to the functions and actions that the respective rules perform. By default, GFI EventsManager ships with pre-configured folders, rule sets and event processing rules that can be further customized to suit your event processing requirements.

7.1.2 Event classification
Event classification is based on the configuration of the rules that are executed against the collected logs. Events that don't satisfy any event classification conditions are tagged as unclassified. Unclassified events may also be used to trigger the same alerts and actions available for classified events. GFI EventsManager classifies events in the following categories: Critical; High; Medium; Low; Noise (unwanted or repeated log entries).

7.1.3 How event processing works
The flowchart below illustrates the event processing stages performed by GFI EventsManager.
185. ...ptions
[Screenshot 40: Generate configuration report. Configuration tab > Event Sources > Groups > Servers: "Add your member standalone servers to this group. The logs scanned are the Windows security log, Windows application log and Windows system log. The scanning will use the appropriate processing rules." Columns: Computer Name, State, Credentials (Specified in event source properties / Inherited), Licensing Type. Right-click menu: Disable, Add new event source, Rename, Delete, Scanning options, Sort by name, Report on settings, Report on rules. Common Tasks: Create group, Add new event source, Scan local domain, Open Quick Launch Console. 2 event source(s).]
2. Right-click an event source group.
3. Click Report on settings and wait for the report to generate.
[Screenshot 41: Settings report sample. Columns: Monitored computers, Rule sets, All rules; a sample row shows Servers/TEMP, 00:15:00, Yes, All rules, with rule sets such as Windows Events, Security, Applications, Group Policy and Windows services.]

5.10 Rules report
Rules reports provide a detailed view of applied rules on event sources. The rules report is described below:
Table 27: Rules report heading information
HEADING | DESCRIP
186. ...r Account Control: Virtualize file and registry write f...
[Screenshot 160: Predefined rules. Status line: "Opens the properties dialog box for the current selection."]
4. From the Local Security Settings tab, select Enabled and click OK.
5. Close the Local Security Policy window.

13.4 Command line tools
GFI EventsManager provides you with command line tools through which you can perform various functions. These tools are located in the GFI EventsManager installation directory. GFI EventsManager CMD tools include:
Table 83: CMD tools
TOOL | DESCRIPTION
ESMCmdConfig.exe: This CMD tool enables you to configure general settings for GFI EventsManager. Such settings include: GFI EventsManager logon credentials; License key; Mail server settings; Administrator email; Create/Remove Group shortcuts; Get computer names. For more information refer to Using ESMCmdConfig.exe.
Esmdlibm.exe: Use this CMD tool to Import or Export data. For more information refer to Using Esmdlibm.exe.
Esmreport.exe: Generates in-product reports such as configuration and job activity reports. For more information refer to Using Esmreport.exe.
ExportHTML2PDF.exe: This CMD tool is used to export generated reports (HTML) to Portable Document Format (PDF). For more information refer to Using ExportHT...
Other tools listed in the table: Importsettings.exe, ExportSettings.exe, SyncComputers.exe, Trouble.exe, Updater.exe.
187. ...r applications such as GFI LanGuard and GFI EndPointSecurity.
Message: The actual message generated while performing the job.
To generate Operational history reports:
1. From the GFI EventsManager Management Console, click Status > Job Activity > Operational History.
[Screenshot 43: Operational history report. Columns: Date/Time, Machine, Source, Job ID, Log format, Message. Sample rows dated 05/12/2011: 20:04:56 Syslog collector, Syslog, "Starting syslog server"; 20:05:11 Syslog collector, Syslog, "Stopping syslog server"; 20:05:11 SNMP Traps collector, "Stopping SNMP traps server" (two entries).]
2. Click Export data.
[Screenshot 44: Export Operation History Data dialog. "Export messages to html/csv format." Format; Specify data: current messages / errors from a specific date (01 November 2011); Save files to: ...ogram Files\GFI\EventsManager2012\Reports\Status. Note: "You can also automate generation of these reports using the esmreport.exe command line tool."]
3. Specify the options described in Table 29 below and click Export.
Table 29: Export operational history options
OPTION | DESCRIPTION
Format: Select the report output format. Available formats are HTML and CSV.
Current messages: Export all messages displayed in the Job Activity tab.
Errors from a specif
188. ...r-by-computer basis. Reports in this category can be generated for each main time (by hour, day, week or month).
Use the reports in this category to display information related to critical Windows events, Syslog, W3C, Custom Events, SNMP Traps and SQL Server Audit events. The charts provided enumerate the 10 most critical events.
Use the reports in this category to generate reports that offer broad customization. These can be used to generate reports based on any Windows event log using filtering conditions and grouping modes that are not covered by the other default reports.
Use the reports in these categories to generate legal compliance regulations reports.
Use the reports in this category to generate various reports required by several GCSx Code of Connection memos.
Use the reports in this category to generate reports related to Microsoft SharePoint audit events.

5.4 Managing reports
Reports are organized in a tree structure, enabling you to easily find and generate the required report. GFI EventsManager includes three options that allow you to maintain the report structure as the number of reports increases over time. These options include:
Table 17: Managing reports
OPTION | DESCRIPTION
Create Root Folder: Create top-level folders that may contain one or more subfolders or reports. For more information refer to Creating a root folder.
Create Folder: Create a folder within a root folder. Folders may contain any
189. ...r path which contains the HTML reports; target <path to PDF file>: specify the PDF destination folder. Command: ExportHTML2PDF.exe source C:\Program Files\EventsManager 2012 target C:\PDFReports\EventsManager
5. Press Enter to run the command.

13.4.5 Using ImportSettings.exe
Use this tool to import GFI EventsManager configurations previously exported.
importsettings.exe <parameters list>
PARAMETER | MANDATORY/OPTIONAL | DESCRIPTION
operation <operation>: Mandatory. Defines the operation to perform, either importfolder or importfile.
destination <destination path>: Optional. Defines the destination folder where the configuration is imported.
sourceFile <filename>: Optional. Defines the name of the file that contains the exported GFI EventsManager configuration.
sourceFolder <folder name/path>: Optional. Defines the name of the folder that contains the exported GFI EventsManager configuration.
NOTE: Any parameter that contains spaces must be enclosed in double quotes.
Example: importsettings.exe operation importfolder destination c:\esm data sourcefolder c:\esm old

13.4.6 Using ExportSettings.exe
Use this tool to export the GFI EventsManager configuration.
exportsettings.exe <parameters list>
PARAMETER | MANDATORY/OPTIONAL | DESCRIPTION
destination <filename>: Mandatory. Defines the file where the configuration will be ex
190. ...r that already has scheduling configured.
Use schedule: Select Use Schedule to enable scheduling of the reports contained in the new folder.
Generation time: Specify the time when reports are generated.
Recurrence pattern: Specify the frequency with which the report is generated. Select from the Daily, Weekly or Monthly pattern and configure the respective parameters.
Send report by email to: Select this option to enable email notifications. Click Configure to select the users from the Select users and groups dialog. NOTE: Configure alerting options before using this feature. For more information refer to Configuring Alerting Options.
[Screenshot 33: Creating a report, Options tab. Target path: C:\Reports; Range pattern: This Month / Last Month.]
6. Click the Options tab. From Target path, specify the destination path where the new report is saved when it is generated.
7. From Generate options > Range pattern, select the relevant pattern from which data is used to generate the new report.
8. Click OK to save your settings.

5.7.1 Defining Restrictions
Report restrictions are used to define what is filtered and presented in your reports. To configure conditions:
[Screenshot 34: Creating a report, Adding conditions. Example condition: date Occurred AND time < 20:52:11 AND importance Critical AND log format Text Logs.]
1. From the Create View/Create Report dialog, click Add to launch
191. ...re archived events.
[Screenshot 88: Configure file storage dialog. Name: esmstg; Path: C:\Program Files\GFI\Events Manager\data\File Stg. "In order to protect your data you can password protect it by selecting the option below." Encrypt data using the following password; Password; Confirm password. Warning: "Please note that you will have to use the same password when you decrypt the data."]
3. Configure the options described below:
Name: Key in the name of the storage folder.
Path: Specify the path or browse for a storage folder.
Encrypt data using the following password: Select this option to securely encrypt the contents of the storage folder with a password.
Password / Confirm password: Specify the encryption password and confirm the specified password.
4. Click OK to finalize your settings.

7.7 Triggering a manual event source scan
In GFI EventsManager you can manually trigger an event collection iteration on target computers. To achieve this:
1. Right-click on a computer group or event source within a group.
2. Select Scanning options > Scan now.

8 Manage rule sets
8.1 Introduction
This chapter contains the following sections that will assist you in managing Event Processing Rules: Adding a rule set folder; Creating new events processing rules; Creating a new rule from an existing event; Advanced event filtering
192. [Screenshot 83: Computer group properties, SNMP processing parameters. The MIB list includes entries such as Cisco IOS release 12.1(11) MIBs and Cisco IOS release 12.1(14) MIBs.]
2. Click the SNMP Traps tab and configure the options described below:
Table 56: Configuring SNMP Traps processing
Accept SNMP Traps messages from this computer group: Select this option to enable SNMP Traps messages processing.
Decrypt incoming SNMP Traps 3 messages: This option enables you to decrypt SNMP Traps 3 messages.
Host key: If Decrypt incoming SNMP Traps 3 messages is enabled, key in the decryption key in this field.
Archiving all logs without any further processing: Select this option to archive the processed SNMP Traps messages without applying further checks.
Process the logs with the rules selected below before archiving: Select additional checks to run against collected SNMP Traps messages.
3. Click OK to finalize your settings.
NOTE: The GFI EventsManager SNMP Trap Server is by default configured to listen for SNMP Trap messages on port 162. For more information refer to Configuring the SNMP Trap server settings.
NOTE: The built-in SNMP Trap Server supports SNMP version 3 Traps with encryption. For encrypted SNMP messages, the encryption host key must be provided in the Decrypt incoming SNMP Traps 3 messages field.
NOTE: Deleting events from source logs without archiving may lead to legal compliance issues.
193. rmation is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.
194. rsions 1, 2 and 3, the encoded version.
2.7 What are SQL Server audit logs?
Microsoft SQL Server generates event logs that allow the network administrator to monitor database activity. GFI EventsManager allows you to process the activity logs generated by day-to-day SQL Server operations, such as server startup, or on key events such as failed logons. Alerts can also be created when key events, such as consecutive login failures, are identified in Microsoft SQL Server audit logs.
2.8 What are Oracle Server audit logs?
Oracle Servers can be configured to generate event logs that enable administrators to monitor activity. GFI EventsManager can be configured to collect and process these events. Oracle Server auditing includes data related to: data manipulation actions; user access actions; user privileges; database schema; database structure.
3 Installation
3.1 Introduction
This chapter provides information about the different deployment scenarios supported by GFI EventsManager and the information required to install and run the product for the first time. It contains the following sections: Where can I install GFI EventsManager on my network; System requirements; Upgrading from a previous version; Installation procedure; Running GFI EventsManager for the first time.
3.2 Where can I install GFI EventsManager on my network
GFI EventsManager can be installed on any computer
195. rt from file. To create an Import from file job:
1. Click Configuration tab and select Options.
[Screenshot 123: Creating a new Database Operation. Under Configurations, the Database Operations node shows the list of maintenance jobs (columns ID, Job description, Filter) and the Create new job task. Pane text: "Here you can define maintenance jobs to import/export data from EventsManager storage and to import from SQL Server or legacy export files/legacy file storage. The maintenance jobs will be executed sequentially in the priority order."]
2. From Configurations, right-click Database Operations and select Create new job.
New job wizard, Job Type: Select the job type
196. [Screenshot 85: SNMP Traps options]
3. Enable the required TCP/UDP SNMP server. Specify the TCP/UDP port on which GFI EventsManager will listen for SNMP messages.
4. Click Advanced tab to add, edit or remove SNMP Trap object identifiers (OIDs).
5. Click Specific Trap Type tab to add, edit or remove trap types.
6. Click OK to finalize settings.
When configuring SNMP Trap Server port settings, make sure that the configured TCP or UDP port is not already in use by other installed applications. This may affect the delivery of SNMP Trap messages to GFI EventsManager.
7.6 Collecting custom events
GFI EventsManager is configured to collect and process standard event logs. However, GFI EventsManager can also be configured to manage events recorded in third-party application logs, such as anti-virus logs, software firewall logs and other security software. To configure custom events:
1. Click Configuration tab and select Options.
[Screenshot: Configurations pane with the Custom Event Logs node selected and the Edit custom logs task.] Here you
197. s. A description of these tools is provided in the following sections.
4.3 Creating custom Root Views/Views
In Events Browser, GFI EventsManager enables you to create two different types of custom views. The table below describes these views.
Table 13: Event Browser, Create new view
Create root view: Enables you to create top-level views which may contain a number of sub-views. This creates a new set of views beneath the ones that ship with the product. Example: All Events view.
Create view: Create views within root views. Custom views can be added to the default root views and views.
To create a Root view/View:
1. From Events Browser > Actions, click Create root view / Create view.
Both options launch the same Create view dialog and are both configured in the same way. The difference is the positioning of the new custom view.
[Screenshot 12: Custom view builder. Dialog text: "Create new filters to organize in a simpler way the collected events." Fields: Name (Custom view), Description (This is a custom view); condition list with Edit, Delete and Clear buttons.]
2. Key in a name and description for the new view.
3. Click Add to add conditions to your view. If no conditions are specified, the view will display information from every event log type.
[Screenshot: condition editor listing fields such as Log Format, Monitored machine, Log Name, In Work Hours, internal timestamp, isadmin, with operator and value selectors.]
198. [Screenshot 17: Advanced Color Filter]
3. Click Add button. Specify the filter name and configure the event filter parameters.
4. Click OK button to save filter settings.
5. Repeat until all required event filter conditions have been configured. Click OK to finalize your settings.
4.5 Event finder tool
Use the event finder tool to search and locate specific events using simple customizable filters. To search for a particular event:
1. Click Events Browser > Actions > Find events.
[Screenshot 18: Event finder tool]
2. Configure the event search parameters through the options provided on top of the right pane. To trigger a case-sensitive search, click Options and select Match whole word.
3. Click Find button to trigger the search.
4.6 Export to CSV tool
GFI EventsManager enables you to export event data to CSV files directly from Events Browser. This is extremely convenient, especially when further processing of event data is required. This includes: distribution of key event data via email; running automated scripts that convert CSV-exported event data to HTML for upload on the web/company intranet; generation of graphical management reports and statistical data using native tools such as Microsoft Excel; generation o
199. s essential for the operation of GFI EventsManager.
[Warning icon]: Important notifications and cautions regarding potential issues that are commonly encountered.
>: Step-by-step navigation instructions to access a function.
Bold text: Indicates a control within the user interface, such as nodes, menus and buttons.
<Italic text>: Replace text within angle brackets, such as file paths and custom parameters.
For any technical terms and their definitions as used in this manual, refer to the Glossary chapter in this manual.
1.3 About GFI EventsManager
[Figure 1: GFI EventsManager integrates into any existing IT infrastructure. The diagram shows event-generating systems (printers, laptops, workstations, routers, firewalls, keyless systems, domain controllers, web servers, mail servers) feeding GFI EventsManager, which automates and centralizes event management, provides event analysis and filtering capabilities, and produces activity graphs.]
GFI EventsManager is a results-oriented event log management solution which integrates into any existing IT infrastructure, automating and simplifying the tasks involved in network-wide events management. Through the features supported by GFI EventsManager you are able to: automatically collect W3C, Syslog, SNMP Traps and Windows event logs from network devices and Windows/Linux/Unix b
200. s you to configure a dedicated set of logon credentials for individual event sources and groups. To configure a set of credentials for a particular computer group:
1. Right-click an event source and click Properties.
2. Click Logon Credentials tab.
3. Specify the login name and password and click OK.
6.4.3 Configuring operational time
GFI EventsManager includes an Operational Time option through which you specify the normal working hours of your event sources. This is required so that GFI EventsManager can keep track of the events that occur both during and outside working hours. Use the operational time information for forensic analysis to identify unauthorized user access, illicit transactions carried out outside normal working hours and other potential security breaches that might be taking place on your network.
[Screenshot: Workstations group properties, Operational Time tab (other tabs: General, Logon Credentials, Licensing type, Windows Event Log). Dialog text: "Specify the normal operational time for the computers specified in this group. Normal operational time is the time during which the computers specified in this group are normally used. This information is used to classify events differently depending on whether they occur during normal operational time or not. For example, failed log on attempts that occur outside of the normal operational time will be assigned a higher risk level." An hour grid from 00h to 24h in 3-hour steps follows, with the marked hours
201. s you to organize these event sources into specific groups. You can create new groups or use the default ones to distinctively configure and organize your event sources. The following sections contain information about managing event sources: Managing event sources groups; Adding event sources; Configuring event source properties; Microsoft SQL Server sources; Oracle Server sources; GFI LanGuard event sources; GFI EndPointSecurity event sources.
6.2 Managing event sources groups
Grouping event sources into Event Source Groups improves the speed at which you configure event sources. Once an event source group is configured, every member of that particular group inherits the same settings. To create a new event source group:
1. Click Configuration tab > Event Sources.
2. From Group Type select Event Sources Groups.
3. Right-click All event sources and select Create group.
4. Select the license type. Choose between Workstation and Server license.
[Screenshot 49: Add new e... New Event Sources Group dialog (tabs include W3C Logs, SNMP Traps, Licensing type). Dialog text: "Enter a group name and description for the computers you want to include in this group." Fields: Group Name (New group name), Description (New group description); option "Enable collection of logs from this computer group"; Schedule scanning: Real Time (i.e. once every 5 seconds) or Once every 15 Minutes; Next scan time.]
202. se management systems. Protect data contained in event logs so that confidential information can be encrypted and viewed only by authorized personnel.
1.4 Key Features
Table 1: Key features (FEATURE / DESCRIPTION)
Extended event log support: GFI EventsManager is able to process various event log types including Windows Event Logs, W3C logs, Syslog and SNMP Trap messages. This allows you to collect more data from the different hardware and software systems that are most commonly available on a typical corporate network. For a summary list of hardware and software systems that are supported by GFI EventsManager out of the box, refer to http://kbase.gfi.com/showarticle.asp?id=KBID003302.
Rule-based event log management: GFI EventsManager ships with a pre-configured set of event processing rules that allow you to filter and classify events collected from a variety of event log sources. You can run these default rules without performing any configuration, or you can choose to customize these rules or create tailored ones that suit your network infrastructure. For a list of event log sources that can be processed by GFI EventsManager out of the box, refer to http://kbase.gfi.com/showarticle.asp?id=KBID002868.
Further features listed in the table: Event log scanning profiles; Allow granular configuration of rules; Translates cryptic Windows events; Enhanced event scanning engine; Automatic noise reduction; Enhanced real-ti
203. (continued) 15
3.4 Upgrading from a previous version 17
3.5 Firewalls and Anti-virus software 17
3.6 Computer identification considerations 17
3.7 Installation procedure 18
3.8 Running GFI EventsManager for the first time 20
4 Event browsing 27
4.1 Introduction 27
4.2 Navigating the Events Browser 27
4.3 Creating custom Root Views/Views 28
4.4 Event color coding options 31
4.5 Event finder tool 32
4.6 Export to CSV tool 33
4.7 Rule finder tool 33
4.8 Reporting options 34
4.9 Switching database 35
5 Reporting 36
5.1 Introduction 36
5.2 Navigating the Reports tab 36
5.3 Available reports 37
5.4 Manage reports 38
5.5 Generating reports
204. sily identify important events through their color.
Event finder tool: With this tool you can quickly locate important events by providing specific search criteria, such as event type.
GFI EventsManager enables you to monitor and manage events generated by Windows, Linux/Unix systems, network devices and software applications through a single user console.
GFI EventsManager enables you to assign management console access privileges on a user-by-user basis. This means that you can allow specific users to access the GFI EventsManager console for event browsing only, and at the same time allow other, more privileged users to access and change the GFI EventsManager configuration settings.
SQL Server audit: GFI EventsManager enables you to automatically monitor the operational health status of your SQL Servers. This is achieved by processing in real time the activity log messages generated by day-to-day SQL Server operations. SQL Server activity that is monitored includes server startup, login activity, backups, server-side traces and more. Additionally, GFI EventsManager can also alert you via email, network or SMS notifications on key events like server shutdown and consecutive failed logins.
Oracle Server audit: GFI EventsManager enables you to automatically monitor the activity and the operational health status of your Oracle Servers. Within GFI EventsManager you can configure Oracle servers to log audit
205. sing event processing rules.
6.5 Microsoft SQL Server sources
6.5.1 Creating a new Microsoft SQL Server Group
To add a Microsoft SQL Server group:
1. Click Configuration tab > Event Sources. From Group Type select Database Servers Groups.
[Screenshot 59: Database Servers Groups]
2. From Groups, right-click Microsoft SQL Servers and select Create group.
3. Select Microsoft SQL Server as the server type and, from the General tab, configure the options described in the table below.
Table 37: Microsoft SQL Database group, General tab
Group Name: Key in a group name to identify the Microsoft SQL Server group.
Description: Optional. Key in a description.
Collects logs from the database servers included in this group: Enable this option to collect database events from all servers in this group.
4. Select Logon Credentials tab and configure the options described below.
Table 38: Microsoft SQL Database group, Logon Credentials
Use Windows authentication: Connect to the Microsoft SQL Database using Windows authentication.
Use SQL Server authentication: Connect to the Microsoft SQL Database using a Microsoft SQL Database user account. Key in a username and password.
5. Select Operational Time and configure the operational time when the database is
206. ssage drop-down menu, select the log type (Windows, W3C, Syslog) and customize the email content.
3. Click OK to finalize your settings.
9.3.4 Configuring SNMP alerts
To configure SNMP alerts:
[Screenshot 103: Configuring SNMP alerts. Alerting Options dialog, SNMP tab: "Specify the SNMP forwarding settings that will be used to send SNMP alerts." Field: IP address where the SNMP alerts will be sent (sample value 192.168.11.11); options "Enable forwarding of SNMP alerts on TCP port 162" and "Enable forwarding of SNMP alerts on UDP port 162"; Format SNMP message.]
1. From the Alerting Options dialog, click SNMP tab.
2. Configure the options described below.
Table 68: Alerting Options dialog, SNMP
Specify the IP address where the SNMP alerts will be sent: Enter the IP address of the recipient.
Specify the port(s) which will be used to send SNMP alerts: Specify the TCP/UDP communication port. By default the assigned port is 162.
Format SNMP message: Optionally, from the Format Email Message drop-down menu select the log type (Windows, W3C, Syslog) and customize the email content.
3. Click OK to finalize your settings.
9.3.5 Configuring General alerts
To configure database status alerts:
1. From the Alerting Options dialog, click General tab.
2. Configure the options described below.
Table 69: Alerting Options di
207. ssage processing for this computer group.
Syslog parsing schema: Select the method by which the GFI EventsManager Syslog Server interprets Syslog messages from network devices. Select from: Simple syslog message; Standard Linux message; Juniper Network Firewall; Cisco ASA.
Advanced: Click Advanced to use a custom Windows code page. Specify the code and click OK. A Windows code page is used to encode international characters to ASCII strings. Since Syslog is not Unicode compliant, GFI EventsManager uses a code page to decode the events. This is only applicable if GFI EventsManager is installed on a machine using a different language than the monitored machines. For more information refer to http://www.microsoft.com/globaldev/reference/wincp.mspx.
Archive all logs without any further processing: Select this option to archive the processed Syslogs without applying further checks.
Process the logs with the rules selected below before archiving: Select additional checks to run against collected Syslogs.
3. Click OK to finalize your settings.
The GFI EventsManager Syslog server is by default configured to listen for Syslog messages on port 514. For more information on how to customize Syslog server port settings, refer to the Configuring the Syslog server communications port section in this chapter.
Deleting event logs without archiving may lead to legal compliance issues.
7.4.1 Co
208. st read/write capabilities even when processing high volumes of data. You may have as many databases as required. The Events Browser enables you to easily switch from one database to another, allowing you to view events from archived databases. As an example, you can create a new database for every month or year, depending on the volume of event logs that are processed. You can also encrypt new databases before starting to use them. The live database can only be encrypted through esmdlibm.exe. For more information refer to Using esmdlibm.exe.
To create a new database:
1. Click Configuration tab > Options.
2. From Configurations click File storage > Configure file storage.
[Screenshot 121: Archive Storage Folder dialog. Configure file storage: "Specify the storage folder path where to store archived events." Fields: Name (New Database), Path (with Browse button). Text: "In order to protect your data you can password protect it by selecting the option below." Option "Encrypt data using the following password" with Password and Confirm password fields. Warning: "Please note that you will have to use the same password when you decrypt the data." Buttons: OK, Cancel, Apply.]
3. Specify or browse for the path for the new database.
4. Specify the name for the new database.
5. Optional: Select Encrypt data using the f
209. t 161; Screenshot 162; Screenshot 163.
Captions from this part of the list of screenshots (numbering not fully recoverable): Export to File: Encrypt exported data; Creating a new Database Operation: Import from SQL Server database; Import from SQL Server database: Select the database to import; Import from SQL Server database: Decrypt anonymized data; Creating a new Database Operation: Import from legacy files; Creating a new Database Operation: Import from legacy file storage; Import from legacy file storage: Select file to import; Viewing scheduled maintenance jobs; Maintenance job priorities; Editing a maintenance job; Example dialog to edit a scheduled job; Firewall rules on Microsoft Windows XP; Local security policy window; Audit object access Properties; Audit process tracking Properties; Audit account management properties; Audit system events properties; Allowed programs in Microsoft Windows Vista or later; Local security policy window; Audit object access Properties; Audit process tracking Properties; Audit account management properties; Audit system events properties; Enable firewall rules in Microsoft Windows Server 2003; Firewall rules on Microsoft Windows Server 2008; Domain Policy console in Microsoft Windows Server 2003; Group Policy Management in Microsoft Windows Serv
210. t access.
[Screenshot 144: Audit object access Properties. Dialog note: "This setting might not be enforced if other policy is configured to override category level audit policy. For more information see Audit object access (Q921468)." The Security Setting column for each audit policy initially reads "No auditing".]
4. From the Audit object access Properties, select Success and Failure and click OK.
5. From the right panel, double-click Audit process tracking.
[Screenshot 145: Audit process tracking Properties, Local Security Setting tab, with the same note referring to Audit process tracking (Q921468).]
6. From the Audit process tracking Properties, select Success and Failure and click OK.
7. From the right panel, double-click Audit account management.
8. From the Audit process tracking Properties, select Success and Failure and click OK.
[Screenshot 146: Audit account management properties, with the same note referring to Audit account management (Q921468).]
9. From the right panel, double-click Audit system events.
10. Fr
211. t sources chapter in this manual.
4 Event browsing
4.1 Introduction
The Event Browser enables you to access and browse processed or unprocessed event logs currently stored in the database. This chapter provides information about how to analyze events and contains the following sections: Navigating through the Events Browser; Creating custom Root Views/Views; Event color coding options; Event finder tool; Export to CSV tool; Rule finder tool; Reporting options; Switching database.
4.2 Navigating the Events Browser
[Screenshot: the Events Browser tab. The Views pane lists Microsoft SQL Server Audit Messages, Oracle Audit Messages, Text Logs, Windows Events, Syslog Messages, SNMP Traps Messages and All critical and high importance events; the event list shows All Events (12,678 events) from Database: Main database; the Actions pane offers Create root view, Create view and Report from view; the details pane shows fields such as Date, Time, Importance, Rule Name, Monitored machine, Log Format, Log Name, Event ID and In work Hours for the selected event.]
212. tSecurity documentation available from http://www.gfi.com/products/gfi-endpointsecurity/manual.
6.8.2 Monitor GFI EndPointSecurity Events
GFI EventsManager has built-in processing rules for GFI EndPointSecurity events that are enabled by default. To monitor events generated by GFI EndPointSecurity, select Status tab > General and locate the Critical and High Importance Events section. To configure GFI EndPointSecurity event processing rules, click Configuration tab > Event Processing Rules. For more information refer to Using event processing rules.
7 Using event processing rules
7.1 Introduction
This chapter includes sections containing information about: Collecting Windows events; Collecting W3C logs; Collecting Syslogs; Collecting SNMP Traps; Collecting custom events; Triggering a manual event source scan.
GFI EventsManager allows you to collect and process Windows Event Logs, W3C logs, Syslogs, SNMP Traps and Microsoft SQL Server audit logs. All supported log types record events in a different and proprietary format; therefore every log type requires different configuration settings and parameters. You can configure log collection and processing parameters: on a computer-by-computer basis; on a computer group-by-computer group basis.
During event processing, GFI EventsManager runs a configurable set of rules against the collected logs in order to c
213. tc. A list that displays all current Oracle audited statements.
6.7 GFI LanGuard event sources
GFI EventsManager enables you to monitor events generated by GFI LanGuard. GFI LanGuard is a network vulnerability scanner that audits your network for weaknesses that can be exploited by users for malicious purposes. During network audits, GFI LanGuard creates events in the Application Log of the machine where it is installed. For each machine scanned by GFI LanGuard, an Application log entry having Event ID 0 and Source set as GFI LanGuard will be generated. These events denote network vulnerability information extracted from scanned computers, including:
Information gathered by GFI LanGuard / Description
Threat level: Gathers information about the overall network threat level. This rating is generated through an extensive algorithm after GFI LanGuard audits the network.
Missing patches and service packs: Find out which machines have missing updates and which updates need to be installed to strengthen the security level.
Open ports: Discover any unwanted open TCP and/or UDP ports.
Antivirus operational and malware definition status: GFI LanGuard is able to check if your virus database definitions are up to date. If they are not, you will be alerted and GFI LanGuard will attempt to update them.
Applications detected on scanned computers: GFI LanGuard enumerates applications installed on scan t
214. te a custom list of users which you can organize into groups to speed up administrative tasks. To create a new user:
1. Click Configuration tab and select Options.
2. Expand the Users and Groups node.
3. Right-click the Users sub-node and select Create user.
4. Specify the parameters requested in the General, Working Hours, Alerts and Member Of tabs. For more information refer to Configuring the administrator account.
[Screenshot 110: GFI EventsManager new user privileges. New User dialog, Privileges tab: "Specify the privileges for this user. Specify whether this user has full privileges or read only privileges." Options: This user has full privileges; This user has read only privileges. Note: "A user with full privileges can modify all the EventsManager configurations."]
5. Click Privileges tab and select user privileges accordingly. Example: to assign administrative privileges to a user, select the This user has full privileges option.
6. Click OK to finalize setup.
Users with administrative privileges can modify all GFI EventsManager configuration settings.
10.2.3 Changing user properties
To edit user properties:
1. From the left pane, click the Users node.
2. Right-click the user to edit and select Properties.
3. Make the required changes in the tabs available and click OK to finalize y
215. te new rules, right-click a rule set and select Create new rule.
2. Right-click the rule set where the new rule will be created and click Create new rule.
3. Specify the name and a description (optional) for the new rule. Click Next.
[Screenshot 90: Create new events processing rule, Select the logs which the rule will be applied to. New Processing Rule Wizard, Select the log(s): "Please select the log(s) to which the rule will apply." Log formats: Windows. Log names: File Replication Service, Directory Service, Windows PowerShell, Application, Security, Windows Logs, Applications and Services Logs, Microsoft.]
4. Select the event logs to which the rule applies and click Next. Optionally, click Add custom log to insert an event log which you preconfigured. For SQL Audit, Oracle Audit, Syslogs, W3C logs and SNMP Traps messages, specify the full path of the object's log folder (example: C:\W3C logs). For more information refer to Collecting Custom Events.
[Screenshot: New Processing Rule Wizard, Configure the filtering conditions for the events. Sample condition: not date < 25/10/2011 AND importance Critical OR type Warning. The Edit Query Restriction dialog lists Field Name entries (log name, event id, in work hours, internal timestamp, monitored machine, type, log format, isadmin) with a Field value box.]
216. ter Sharing from the Programs and Services list.
3. Click OK to apply changes and close.
13.1.2 Microsoft Windows Vista
Step 1: Enable Firewall permissions
To manually enable firewall rules on Microsoft Windows Vista:
1. Click Start > Control Panel > Security and click Allow a program through Windows Firewall from the left panel.
2. Select Exceptions tab and, from the Allowed programs and features list, enable the following rules: Remote Event Log Management; File and Printer Sharing; Network Discovery. Click Apply to apply changes.
Step 2: Enable additional auditing features
1. From a command prompt, key in secpol.msc and press Enter.
2. From the Security Settings node, expand Local Policies > Audit Policy.
[Screenshot 143: Local security policy window. The Security Settings tree shows Account Policies; Local Policies (Audit Policy, User Rights Assignment, Security Options); Windows Firewall with Advanced Security; Network List Manager Policies; Public Key Policies; Software Restriction Policies; IP Security Policies on Local Computer. The Audit Policy pane lists: Audit account logon events; Audit account management; Audit directory service access; Audit logon events; Audit object access; Audit policy change; Audit privilege use; Audit process tracking; Audit system events.]
3. From the right panel, double-click Audit objec
text-based format permitting a wider range of data to be captured. The W3C Extended log file format is the default log file format used by Microsoft Internet Information Server (IIS). A sample of the information typically recorded in a W3C extended type log is shown below:

#Version: 1.0
#Date: 04-Sep-2009 00:00:00
#Fields: time cs-method cs-uri
00:34:23 GET /WebSRV/Pg_Snippet.html
12:21:16 GET /WebSRV/Button_pg.html
12:45:52 GET /WebSRV/Login_Pg.html
12:57:34 GET /WebSRV/Error_msg.html

2.5 What are Syslogs?
Syslog is the standard for logging messages, such as system events, in an IP network. The Syslog standard is most commonly used for the logging of events by computer systems running UNIX and Linux, as well as by network devices and appliances such as Cisco routers and the Cisco PIX firewall. Syslog events are not recorded directly by the applications running on the computer systems: whenever an event is generated, the respective computer sends a small textual message, known as a Syslog message, to a dedicated server, commonly known as a Syslog server. The Syslog server then saves the received message into a log file. Syslog messages are generally sent as clear text (traditionally over UDP port 514), so anything on the path can read them and, because the sender is not authenticated, forge them; an SSL/TLS wrapper (syslog over TLS, RFC 5425) adds a layer of encryption and, with client certificates, sender authentication. Syslog is typically used for computer system management and security auditing. While it has a number of shortcomings, its big plus is that Syslog is supported by a wide variety of devices and rece
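The parsing rules the W3C sample above implies (directive lines start with "#", "#Fields:" names the columns, records are space separated, "-" marks an absent value) written out as an added PowerShell example. This is not code from the manual or from GFI EventsManager. The log lines it reads are constructed for the example and carry the extra columns IIS writes by default; the client addresses and paths in them are made up.

```powershell
# Added example, not from the GFI manual: parse W3C Extended log lines into objects,
# honouring the #Fields directive, and reject records whose column count does not match it.

function ConvertFrom-W3CLog {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    begin { $fields = $null; $lineNo = 0 }
    process {
        $lineNo++
        if ([string]::IsNullOrWhiteSpace($Line)) { return }
        if ($Line.StartsWith('#')) {
            # Directives: #Software, #Version, #Date, #Remark, #Fields. Only #Fields affects parsing,
            # and it can appear again mid-file (IIS writes a fresh header block when it rolls a log).
            if ($Line -match '^#Fields:\s*(.+?)\s*$') { $fields = $Matches[1] -split '\s+' }
            return
        }
        if (-not $fields) { Write-Warning "line ${lineNo}: data before any #Fields directive, skipped"; return }
        $values = $Line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) {
            # Never let a short or long record shift columns: that is how a crafted request
            # (a URI with an unencoded space, an injected token) lands in the wrong field.
            Write-Warning "line ${lineNo}: expected $($fields.Count) fields, got $($values.Count), skipped"
            return
        }
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # IIS writes '-' for an absent value and '+' in place of a space inside a value.
            $v = $values[$i]
            $record[$fields[$i]] = if ($v -eq '-') { $null } else { $v -replace '\+', ' ' }
        }
        [pscustomobject]$record
    }
}

# Constructed sample (not a real log): the manual's layout plus the columns IIS logs by default.
$sample = @'
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2009-09-04 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-09-04 00:34:23 10.0.0.12 GET /WebSRV/Pg_Snippet.html 200
2009-09-04 12:21:16 10.0.0.12 GET /WebSRV/Button_pg.html 200
2009-09-04 12:45:52 10.0.0.77 GET /WebSRV/Login_Pg.html 401
2009-09-04 12:45:53 10.0.0.77 GET /WebSRV/Login_Pg.html 401
2009-09-04 12:57:34 10.0.0.77 GET /WebSRV/Error_msg.html 500
2009-09-04 12:58:01 10.0.0.77 GET /WebSRV/../../etc/passwd 404 extra-token
'@ -split "`r?`n"

$records = $sample | ConvertFrom-W3CLog

# Something the raw text does not show at a glance: which clients produced error responses, and to what.
$records | Where-Object { [int]$_.'sc-status' -ge 400 } |
    Group-Object 'c-ip' | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'URIs'; e = { ($_.Group.'cs-uri-stem' | Select-Object -Unique) -join ', ' } }
```

The last sample line is deliberately malformed (seven tokens against a six-column header) and is dropped with a warning rather than parsed; the manual's own three-column sample parses the same way once its "#Fields" line is present.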
the Edit Query Restriction dialog.
Screenshot 35: Creating a report: Edit Query Conditions (Field Name, Field Operator and Field Value; the field list includes importance, date, time, type, rule name, monitored machine, description, log format, log name, event id, timestamp and the Oracle session fields).
2. From the list of available fields select a field. Optionally, you can key in the name in the Field Name text box to search for the required field.
3. Specify a Field Operator for the selected field. The available operators are:
Table 23: Defining restrictions: Field Operators
Equal To: When the event field is equal to the value configured.
Less than: When the event field has a smaller value than the value configured.
Greater than: When the event field has a larger value than the value configured.
Occurred Related to: When the event field date occurred before the value date (date/time fields).
Like: When the event field has text similar to the value (text fields).
Contains: When the event field contains the value text.
Value in List: When the event field is equal to one of the values in a list.
4. Sp
tical graphical information about critical events collected from all event sources. This graph shows the event processing rules that collected and processed the events for a particular period. From the drop down lists select the type of information to display. Select from:
Grouping: Determines how events are grouped, such as Events, Computers, Computer groups, Events/Computers or Events/Computer groups.
Event type: Select the type of data to display: Windows, W3C, Syslog, SNMP, SQL and Oracle audit.
Alert type: Specify the alert severity, such as All alerts, Critical or High.
Period: Specify the time period when the events occurred: Last hour, Last 24 hours, Last 7 days or a specific date.
NOTE 1: This section also displays the vulnerability results monitored by GFI LanGuard.
NOTE 2: For detailed information about the different types of important events shown in this graph, download the Microsoft Security Monitoring and Attack Detection Planning Guide from http://www.gfi.com/ms-security-monitoring-and-attack-detection-planning
The Top Service Status Events graph displays the top 10 services that caused the selected event. A service can generate events when: Terminated with an error, Failed to load, Failed to start, Timed out, Stopped, Started. The graph shows the frequency of these events sorted by service type and/or by the computer generating the event. Select a machine or service from the drop down lists or
time intervals are considered normal operation time.
Screenshot 56: Specify operational time.
Operational time is configurable on a computer group basis. This is achieved by marking the normal working hours on a graphical operational time scale which is divided into one hour segments.
6.4.4 Configure event source auditing
GFI EventsManager collects additional data from the network using a checking engine. If auditing is enabled on an event source, the audit is executed before collecting events and creates the corresponding Windows events. For example, when executing Check slow connection the script performs a PING request and records the response time. If the response time is more than 500 milliseconds, the script creates a Windows event in the Application log of the target machine. If an audit fails to execute, due to network disconnection or insufficient permissions, no Windows events are created. Because a check that could not run writes nothing, a target that has dropped off the network or rejects the audit account looks the same as one that passed; watch the Job Activity view for connection errors rather than relying on the absence of audit events.
Table 35: Event sources: Audit policy options
Check audit policy: Checks the status of audit policies on target machines. If an audit policy is disabled, a Windows event is created. For more information on how to enable audit policies refer to the Step 2: Enable additional auditing features section in this manual.
Check disk space: Checks the free space on the target machine's disk drives. If a disk has less than 10% free space, a Windows event is created. Amongst others, the Windows event contains information on dis
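The two audits just described, Check slow connection and Check disk space, written out as an added PowerShell script so the thresholds and the resulting Application log entries can be reproduced on a target machine. It is not GFI's checking engine or code from the manual. The event source name "EventsManagerAudit", the event IDs 1001 to 1003 and the ping target are assumptions for this example. It needs an elevated Windows PowerShell 5.1 session: registering an event source requires administrator rights, and Write-EventLog is absent from PowerShell 7.

```powershell
# Added example, not GFI code: reproduce the manual's "Check slow connection" and
# "Check disk space" audits and record the result in the Application log.
# Requires an elevated Windows PowerShell 5.1 session (Write-EventLog, New-EventLog).
param(
    [string]$PingTarget     = 'gateway.example.local',   # assumed: host whose latency is measured
    [int]   $MaxResponseMs  = 500,                       # manual: more than 500 ms is "slow"
    [int]   $MinFreePercent = 10                         # manual: less than 10 % free raises an event
)

$Source = 'EventsManagerAudit'   # assumed event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    # Needs administrator rights. The manual notes that an audit without sufficient
    # permissions writes nothing; failing loudly here is preferable to that silence.
    New-EventLog -LogName Application -Source $Source
}

function Write-AuditEvent {
    param([int]$EventId, [string]$Message, [string]$EntryType = 'Warning')
    Write-EventLog -LogName Application -Source $Source -EventId $EventId `
                   -EntryType $EntryType -Message $Message
}

# --- Check slow connection ---------------------------------------------------
$ping = New-Object System.Net.NetworkInformation.Ping
try {
    $reply = $ping.Send($PingTarget, 2000)   # 2 s timeout
    if ($reply.Status -ne 'Success') {
        # Deliberate difference from the product: an unreachable target is recorded
        # (event 1001) instead of producing no event at all.
        Write-AuditEvent -EventId 1001 -EntryType Error `
            -Message "Ping to $PingTarget failed: $($reply.Status)"
    } elseif ($reply.RoundtripTime -gt $MaxResponseMs) {
        Write-AuditEvent -EventId 1002 `
            -Message "Slow connection to ${PingTarget}: $($reply.RoundtripTime) ms (threshold $MaxResponseMs ms)"
    }
} catch {
    # DNS failure or no network: the ping could not even be sent.
    Write-AuditEvent -EventId 1001 -EntryType Error `
        -Message "Ping to $PingTarget could not be sent: $($_.Exception.Message)"
}

# --- Check disk space --------------------------------------------------------
# DriveType 3 = local fixed disks; removable and network drives are not checked.
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
    if ($_.Size -gt 0) {
        $freePercent = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
        if ($freePercent -lt $MinFreePercent) {
            Write-AuditEvent -EventId 1003 -Message (
                'Low disk space on {0} {1} % free ({2:N0} MB of {3:N0} MB)' -f
                $_.DeviceID, $freePercent, ($_.FreeSpace / 1MB), ($_.Size / 1MB))
        }
    }
}
```

Run it as a scheduled task under an administrative account, or point an event processing rule at event IDs 1001 to 1003 in the Application log. The one intentional departure from the documented behaviour is event 1001: the product stays silent when the ping cannot be completed, which is exactly the condition an operator most needs to see.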
tions.
6. Optional: Specify filtering conditions to filter out unwanted data. Leave it blank to import everything. Click Next. For more information refer to Defining Restrictions.
7. Select when the job is executed. The table below describes the available options.
Table 75: Database operations: Schedule options
Schedule job: The job is saved and executed according to the database operations schedule.
Run the job now: The job is executed immediately. Unscheduled jobs only run once.
8. Click Finish.
12.5.2 Export to file
To create an export to file job:
1. Click the Configuration tab and select Options.
Screenshot: Configuration > Options > Database Operations. Here you can define maintenance jobs to import/export data from the EventsManager storage and to import from SQL Server or legacy export files/legacy file storage. The maintenance jobs are executed sequentially in priority order; the job list shows an ID and a description for each job (for example, Import files from folder ...).
to each maintenance job created.
Date From: Refers to the date of the earliest event exported.
Date To: Refers to the date of the latest event exported.
EXP: This is the file extension given to all export files.
12.5.3 Import from SQL Server database
To create an import from SQL Server database job:
1. Click the Configuration tab and select Options.
Screenshot 129: Creating a new maintenance job: Configuration > Options > Database Operations. The job list shows the ID and description of each configured job (for example, Import files from folder ... and Import legacy files from folder ...), and Create new job under Common Tasks.
to the Oracle Database.
SID: The SID is a unique name that identifies an Oracle Database instance. Key in the SID of the database to audit.
Service Name: The Service name is the alias used to identify the Oracle Database. Key in the Service name of the database to audit.
Test: Test the connection with the Oracle Database server.
Screenshot 71: Oracle Database: Audit by objects tab (Connection Settings, Audit by Objects, Audit by Statements; Object, Operations (for example ALL, ALTER, AUDIT, COMMENT, DELETE, EXECUTE), Options (BY SESSION, BOTH), Audit, Stop Audit, and the Current audited schema objects list with Object name, Object type and audit status columns).
6. Select Audit by Objects and configure the options described in the table below.
Table 50: Oracle Database: Audit by Objects
Object: Click Browse to launch a list of available Oracle SQL objects. Select the object to audit and click OK. NOTE: Amongst others, Oracle objects can be procedures, views, functions and tables.
Operations: Operations are actions that modify or query an object. Click Browse to launch a list of available operations. Select the operations to audit and clic
to use two passwords for event log encryption. Event logs can then only be decrypted by providing both decryption passwords.
5. Click OK to finalize settings.
When anonymization is enabled, events that are stored in the central database are encrypted. For information refer to Create new anonymization job.
10.4.4 Audit console activity
GFI EventsManager can save the console activity to external logs. To configure console activity auditing:
1. Click the Configuration tab and select Options.
2. Expand the Console Security and Audit Options node, click the Audit Options node and select Edit audit options.
Screenshot 115: Audit Options. Specify whether to audit the actions done by a user and where to save the output log. By default GFI EventsManager does not audit the actions done by users. You can audit all the changes made by a user to the application configuration and specify the path where the output log is saved (default: C:\Program Files\GFI\EventsManager201...\debuglogs\esmaudit.csv).
3. Select the Audit all the actions done by users option and specify the location where the output log file will be saved.
4. Click OK to finalize settings.
The output log is an ordinary CSV file under the installation folder; anyone with write access to that path can alter it, so restrict its permissions or forward it elsewhere if it is meant to serve as evidence.
10.4.5 Auto discovery credentials
The Auto discovery credentials are used by GFI EventsManager to log in to target machines a
tops: End user computers and systems.
Servers: Web servers, mail servers, DNS servers and more.
Network devices: Routers, switches and any other device that generates performance logs.
Software: Including GFI EndPointSecurity, GFI LanGuard and other applications that generate logs.
Specialized Services: Microsoft Internet Information Server (IIS), PABXs, keyless access systems, intrusion detection systems and more.
GFI EventsManager enables you to monitor any device that is attached to the network. When installed on a LAN, GFI EventsManager can also be used to collect events from hardware and software systems deployed in a Demilitarized Zone (DMZ). Since a firewall or a router usually protects this zone with network traffic filtering capabilities, you must make sure that:
1. The communication ports used by GFI EventsManager are not blocked by the firewall. For more information on the communication ports used by GFI EventsManager refer to http://kbase.gfi.com/showarticle.asp?id=KBID002770
2. GFI EventsManager has administrative privileges over the computers that are running in the DMZ. Because the collection account must be an administrator on those hosts, use a dedicated account that is local to the DMZ hosts or limited to them rather than a domain administrator: a compromised DMZ host can capture or replay the credentials presented to it.
Figure 5: The DMZ sits between the internal LAN and the Internet (Internal LAN, Router/Firewall, DMZ with GFI EventsManager, DNS Server, Web Server and Mail Server).
2.2 Deployment of GFI EventsManager on a demilitarized zone
GFI EventsManager can also be deployed in a Demilitarized Zone (DMZ)
upport questions and patches. To access the Knowledge Base visit http://kbase.gfi.com
14.4 Web Forum
User to user technical support is available via the web forum. The forum can be found at http://forums.gfi.com
14.5 Request technical support
If you have referred to this manual and our Knowledge Base articles and you still cannot solve issues with the software, contact the GFI Technical Support team by filling in an online support request form or by phone.
Online: Fill out the support request form at http://support.gfi.com/supportrequestform.asp. Follow the instructions on this page closely to submit your support request.
Phone: To obtain the correct technical support phone number for your region, please visit http://www.gfi.com/company/contact.htm
Before you contact our Technical Support team, please have your Customer ID available. Your Customer ID is the online account number that is assigned to you when you first register your license keys in our Customer Area at http://customers.gfi.com
We will answer your query within 24 hours or less, depending on your time zone.
14.6 Build notifications
We strongly suggest that you subscribe to our build notifications list. This way you will be immediately notified about new product builds. To subscribe to our build notifications visit http://www.gfi.com/pages/productmailing.htm
urce type must be selected before proceeding to the next wizard dialog.
Screenshot 8: Select computers from result. The list shows Computer, Domain, License Type and Information for each discovered machine (for example a server marked "This machine is DC machine" and several workstations), with the warning: Licensing workstations limit is exceeded by 1 machine(s). To add more servers you need to review existing settings or upgrade the license key.
All discovered machines are selected by default. If the wizard fails to log in to a computer it is not selected.
5. To add a computer not selected by default, click the respective computer and a dialog will enable you to key in alternative credentials.
6. Click Next and Finish.
Processing events from selected machines
To collect event logs from selected machines:
1. From the Quick Launch Console click Process events from selected machines to launch the Add New Event Sources wizard.
Screenshot: Add New Event Sources: Select the event sources. Specify the computers from which GFI EventsManager will collect logs. In GFI EventsManager, event sources are organized into event source groups; the event sources specified here are added to the Default group.
uters. Using cryptography services, IPsec ensures data integrity, authentication and confidentiality. See Internet Protocol Security.
Glossary
Management Information Base (MIB): A MIB is the equivalent of a data dictionary or codebook. It associates object identifiers (OIDs) with a readable label and various other parameters related to an active network object such as a router, and is used to assemble and interpret SNMP messages transmitted from SNMP-enabled network devices. The information stored in MIBs is organized hierarchically and is normally accessible using a protocol such as SNMP.
Network alerts: Network messages, known as Netsend messages, which inform recipients that a particular event has occurred. These messages are sent through an instant messenger system protocol and are shown as a popup in the system tray of the recipient's desktop. To set up network alerts you must specify the name or IP of the computers where the Netsend messages will be sent.
Network discovery: Enable this firewall permission to allow GFI EventsManager to gather information about connected machines on the network that can be scanned. For more information refer to http://technet.microsoft.com/e
(Further terms in this glossary: Noise, Object auditing, Remote Event Log Management, Rule set folder, Rule sets, SMS alerts, SNMP Object Identifier (OID), SNMP Traps, Syslog messages, Unclassified events.)
utton to remove a selected server or edit its details.
Up/Down arrow buttons: Use the arrow buttons to change the position of the selected mail server. GFI EventsManager attempts to deliver email alerts via the first mail server; if unsuccessful, it tries the following mail servers in turn.
Send email alerts as Unicode text: Select this option to send emails as Unicode text as opposed to HTML or RTF format.
Format Email Message: Optionally, from the Format Email Message drop down menu select the log type (Windows, W3C, Syslog, ...) and customize the email content.
3. Click OK to finalize your settings.
9.3.2 Configuring network alerts
To configure network alerts:
Screenshot 100: Configuring Network alerts. Specify the network message settings to use when sending Net send messages to the administrators of the machines on which the events occurred (Windows Events Alerts, Syslog Alerts, SNMP Traps Alerts, SQL Server Audit Alerts, Oracle Server Audit Alerts). Computers and users must be logged on to receive the message, and for both the Messenger service must be enabled and started.
Note that the Messenger service is not included in Windows Vista, Windows Server 2008 or later, so network alerts only reach recipients running earlier Windows versions; Net send messages are also unauthenticated and carry no proof of who sent them.
1. From the Alerting Options dialog click the Network tab.
2. From the Format network message drop down menu select the log type and customize the format of the message.
v
List of sources: Source: Userenv, SceCli
Wildcards and lists: Source: S*
8.5.2 Syslog categories
The Message and Process fields allow systems administrators to set up the parameters described in the table below.
Table 63: Parameters available in the Message and Process fields
Single message: Message: session opened
List of messages: Message: session opened, session closed
Wildcards and lists: Message: session opened*
9 Customizing alerts and actions
9.1 Introduction
This chapter contains sections with information about: Configuring Default Classification Actions; Configuring Alerting Options.
During event processing GFI EventsManager can automatically generate various actions whenever particular events are encountered. Supported actions include email alerts and event archiving. You can specify alerts and actions to be triggered in two ways:
Table 64: Alerting methods
Default classification actions: Through the configuration parameters provided in the default classification actions you can trigger alerts and actions based only on event classification. Example: default classification parameters can be configured to trigger email alerts for all classified events (critical, high, medium and low) but archive only critical events.
Creating or customizing rules and rule sets: Rules allow you to configure actions on a more
vent processing rules.
Screenshot 76: Log processing, classification and actions flowchart. Logs collected > pre-processing functionality (Archive All) > rule processing engine (Process) > processing alerts and actions, or Use Default Classification Actions.
7.2 Collecting Windows events
Windows events are organized into specific log categories. By default, computers running Windows NT or higher record error, warning and information events in three logs, namely the Security, Application and System logs. Computers that have more specialized roles on the network, such as Domain Controllers and DNS Servers, have additional event log categories. As a minimum, Windows operating systems record events in the following logs:
Table 52: Windows Event Logs collected by GFI EventsManager
Security event log: This log contains security related events through which you can audit successful or attempted security breaches. Typical events found in the Security event log include valid and invalid logon attempts.
Application event log: This log contains events recorded by software applications, such as file errors.
System event log: This log contains events logged by operating system components, such as failures to load device drivers.
Directory service log:
File Replication service log:
DN
vent source group.
5. Key in a valid name and a description (optional). Select the tabs described below and configure the available options.
Table 32: Event source group options
General: Enable collection of events and schedule the scanning process. For more information refer to Configuring general event source properties.
Logon credentials: Configure the username and password used to log in to target machines and collect information. For more information refer to Configure Logon Credentials.
Licensing type: Select the type of license to use. Select between workstation and server license.
Operational time: Configure the operational time during which computers are normally used. For more information refer to Configure operational time.
Audit: Enable GFI EventsManager auditing on target computers and configure the audit to perform. For more information refer to Configure GFI EventsManager Auditing.
Windows Event Log: Specify the logs to collect and configure archive settings for Windows event logs. For more information refer to Collecting Windows events.
W3C Logs: Specify the logs to collect and configure archive settings for W3C logs. This tab is only available when creating a server group. For more information refer to Collecting W3C logs.
Syslog: Specify the logs to collect and configure archive settings for Syslogs. This tab is only available when creating a server group. For more information refer to Collecting Syslogs.
ventsManager.
Scan only security events for all databases: Only security events are collected and processed by GFI EventsManager.
8. Click OK.
6.5.2 Adding a new Microsoft SQL Server event source
To add a new Microsoft SQL Server source:
1. Right click the database group and select Add new SQL Server.
Screenshot 61: Add new Microsoft SQL server: Select the Microsoft SQL Servers from which you want to collect events (for example WS-112011\SQLEXPRESS and WS-112011\SQLSERVER).
2. Key in the server name or IP and click Add.
3. From Groups select Microsoft SQL Servers. From the right pane double click the Microsoft SQL Database instance. Use Select and Import to search the network for SQL Servers or to import a list of SQL servers from a text file, respectively. Click Finish when ready.
Screenshot: Specify the SQL Servers post collection processing: Inherit SQL Server post collection processing from parent group, or specify it for the events collected from the configured SQL Server(s): Archive events in database, or Process using these rule sets (SQL Server Audit: Noise reduction, Database changes, Server changes, Logon/Logoff).
ver
Screenshot 119: GFI EventsManager Status: Job Activity view. The upper pane lists active collection jobs per machine with date/time, source machine and log (for example File Replication Service, Directory Service, DNS Server, all at 27/10/2011 20:54:05 on TCBACK); Server Message History (Date/Time, Type, Source, Machine, Message, Count) is empty; Operational History (Date/Time, Source, Job ID, Log format, Message) shows Events collector jobs for the System, Application, Security and GFI EndPointSecurity logs alongside messages such as "Error connecting to machine W703: The network path was not found" and "Unable to send email message to jsmith@domain.com"; a Maintenance Jobs pane follows.
To access the Job Activity view go to Status tab > Job Activity. This view displays your current event collection and processing activity. This includes active event collection jobs as well as server messaging history on a machine by machine basis
version of GFI EventsManager.
Import from legacy files: The Import from legacy files job enables you to import configuration files exported from an older version of GFI EventsManager.
Import from legacy file storage: The Import from legacy file storage job enables you to import data archived by a previous version of GFI EventsManager. Archive files were exported in a special file format utilized by GFI EventsManager.
12.2.1 Consolidation of events in a WAN environment
Figure 9: Consolidation of events in a WAN environment (Site 1 and Head Office, each running GFI EventsManager).
In the case of organizations with remote geographical sites, Database Operations can be used to consolidate all or part of the events data collected in remote sites into one central database. This is achieved using the Export to file feature, through which GFI EventsManager compresses and (when a password is specified) encrypts the file, and exports the file to be processed to a central location. The Import from file job is executed at the central location, importing the events from the remote site into the central database. Events for the remote site can then be viewed through the Events Browser. Reports with information relevant to the remote site can also be generated using data from the central database.
12.3 Creating a new database backend
GFI EventsManager makes use of an internal storage system which allows great scalability with its fa
view.
3. From the View Properties dialog add, edit or delete conditions according to your requirements.
4.4 Event color coding options
Use the event color coding tool to tint key events in a particular color. This way the required events are easier to locate during event browsing.
Screenshot 16: Color coding configuration (Customize View > Colors: a condition such as "Equal To Information", the color to apply, Apply Color, Clear colors and Advanced).
4.4.1 Assigning a color code to a specific event
To assign a color code to a specific event:
1. From Events Browser select Customize view > Colors.
2. Specify event filtering parameters, including the color to be applied to the sifted events.
3. Click the Apply Color button to save changes. Use the Clear colors option to clear all color settings.
4.4.2 Assigning different color codes to multiple events
To assign different color codes to multiple events:
1. From Events Browser select Customize view > Colors > Advanced.
Screenshot: Advanced Color Filters: the color filters that are going to be applied on the current log, each with a name, a color and a condition; by default Critical Events Color Filter, High Events Color Filter, Medium Events Color Filter, Low Events Color Filter and Unclassified Events Color Filter.
Information: Information events describe the successful operation of an application, driver or service. For example, an Information event is recorded every time that a network driver loads successfully.
Success Audit: Success audit events indicate security access attempts that were successful. For example, a Success Audit event is recorded every time that a user successfully logs on to his Windows-based workstation.
Failure Audit: Failure audit events indicate security access attempts that failed. For example, a Failure Audit event is recorded every time that a user fails to access a network drive.
2.4 What are W3C logs?
W3C logs are used mainly by web servers to log web related events, including web logs. W3C logs are recorded in text-based flat files using one of the two W3C logging formats currently available: the W3C Common Log file format and the W3C Extended Log File format.
The W3C common log file format was the first format to be released and to date it is still the default format used by a variety of popular web servers, including Apache. There is however one downside: the information about each server transaction is fixed and does not provide for certain important fields such as referrer, agent, transfer time, domain name or cookie information. To overcome this problem the W3C Extended log file format was released. This newer type of log is in a customizable ASCII
xt.
5. Optional: If the data is anonymized, select Enable decryption and specify the password.
6. Optional: If the data is encrypted with two passwords, select Use secondary decryption key and key in the secondary password. Click Next.
7. Optional: Specify filtering conditions to filter out unwanted data. Leave it blank to export all the data in the database. Click Next.
8. Select when the job is executed. The table below describes the available options.
Table 81: Database operations: Schedule options
Schedule job: The job is saved and executed according to the database operations schedule. For more information refer to Configuring database operations.
Run the job now: The job is executed immediately. Unscheduled jobs only run once.
9. Click Finish.
12.6 Editing existing maintenance jobs
Screenshot: Configuration > Options > Database Operations. Here you can define maintenance jobs to import/export data from the EventsManager storage and to import from SQL Server or legacy export files/legacy file storage.
y is configured to override category-level audit policy. For more information see Audit account management (921468).
Screenshot 152: Audit account management properties.
10. From the right panel double click Audit system events.
11. From the Audit system events Properties dialog select Success and Failure and click OK.
Screenshot 153: Audit system events properties. As for the other entries, the dialog warns that this setting might not be enforced if another policy is configured to override category-level audit policy (see Audit system events, 921468).
12. Close the Local Security Policy window.
13.1.4 Microsoft Windows Server 2003
Enable Firewall permissions
To manually enable firewall rules on Microsoft Windows Server 2003:
1. Click Start > Control Panel > Windows Firewall and select the Exceptions tab.
Screenshot 154: Ena... (Windows Firewall, Exceptions tab on Windows Server 2003: Programs and Services list with Add Program, Add Port, Edit and Delete buttons, and the option Display a notification when Windows Firewall blocks a program; the General tab warns when the firewall is turned off).
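The firewall rule groups and the nine audit policy entries that sections 13.1.2 through 13.1.4 (and the Check audit policy audit in 6.4.4) enable through the Windows Firewall and Local Security Policy dialogs, as an added PowerShell script for Windows Vista or later. This is not code from the manual or from GFI; it uses only the built-in netsh advfirewall and auditpol tools, plus Get-NetFirewallRule for verification where it exists (Windows 8 / Server 2012 or later). The rule group and category names are the English display names and are assumed to match the target machine's language.

```powershell
# Added example, not from the GFI manual: enable the three firewall rule groups and the nine
# audit policy categories the manual sets through the GUI, then show what is actually in force.
# Run in an elevated Windows PowerShell session on each target machine (Vista or later).
# Names are the English display names; they differ on localized installations (assumption).

$ruleGroups = @(
    'Remote Event Log Management',
    'File and Printer Sharing',
    'Network Discovery'
)

# The nine entries under secpol.msc > Local Policies > Audit Policy, keyed by their auditpol name.
$auditCategories = [ordered]@{
    'Account Logon'      = 'Audit account logon events'
    'Account Management' = 'Audit account management'
    'DS Access'          = 'Audit directory service access'
    'Logon/Logoff'       = 'Audit logon events'
    'Object Access'      = 'Audit object access'
    'Policy Change'      = 'Audit policy change'
    'Privilege Use'      = 'Audit privilege use'
    'Detailed Tracking'  = 'Audit process tracking'
    'System'             = 'Audit system events'
}

foreach ($group in $ruleGroups) {
    # Enables every rule in the group in all three profiles (Domain, Private, Public), as the manual does.
    $null = netsh advfirewall firewall set rule group="$group" new enable=yes
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not enable firewall rule group '$group'" }
}

foreach ($category in $auditCategories.Keys) {
    # /category sets every subcategory beneath it, so the change takes effect even where the
    # "force subcategory settings" policy makes the legacy entries in secpol.msc ineffective.
    $null = auditpol /set /category:"$category" /success:enable /failure:enable
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not set '$($auditCategories[$category])' ($category)" }
}

# Verification: the effective audit policy, then the state of the rules just enabled.
auditpol /get /category:*
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    Get-NetFirewallRule -DisplayGroup $ruleGroups |
        Select-Object DisplayName, Direction, Profile, Enabled | Format-Table -AutoSize
} else {
    # Vista / 2008 / 7: pick the matching rules out of the full netsh listing. In that listing the
    # "Rule Name" line sits five lines above "Grouping", hence the context of 5 preceding lines.
    $pattern = '^Grouping:\s+(' + (($ruleGroups | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\s*$'
    netsh advfirewall firewall show rule name=all | Select-String -Pattern $pattern -Context 5,0
}
```

Two caveats. First, the warning in screenshots 152 and 153 refers to the setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"; when it is on, or a domain GPO defines Advanced Audit Policy, the nine entries in secpol.msc are ignored, and a domain GPO will reapply its own values at the next refresh, so make the change in the GPO for domain members and trust only the output of auditpol /get /category:* to tell you what is enforced. Second, enabling success auditing for Object Access and Detailed Tracking on a busy server produces a large event volume; the manual turns everything on, but size the collection schedule and storage accordingly. Windows Server 2003 has neither netsh advfirewall nor per-subcategory auditing: there the legacy `netsh firewall set service type=fileandprint mode=enable` opens File and Printer Sharing, and the remaining settings are made in the dialogs as described in 13.1.4.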
ynchronization, click Add.
5. Repeat steps 3 to 4 for each synchronization. The table below shows some examples of possible synchronizations that can be configured.
Table 34: Examples of synchronizations
Archive all Windows logs (Non-DC): Generic Servers
Workstations: Workstations
E-mail Servers: Exchange Servers
Archive all Windows logs (DC): Domain Controllers
Servers: ISA Servers
6. Optional: Select the Exclusions tab to configure the list of computers that will be excluded from the synchronization. Click Add and key in a computer name to exclude. Event sources that are already part of an event source group are automatically excluded from synchronization. For more information refer to Manage event sources.
7. Select the Schedule tab to configure when the synchronization should be performed.
Screenshot 51: Synchronization properties: Schedule tab. Configure the schedule used to perform the synchronization operation and the email notification (Interval; Synchronize now).
8. Key in a valid interval in hours or days.
9. Optional: Select Send an email to ... to send an email notification when event sources are changed after synchronization.
10. Optional: Click Synchronize now to synchronize event sources immediately.