
EventTracker v6.3 User's Guide


Contents

[Figure residue, Alert Groups console: predefined alerts listed include EventTracker Collection Point Error, EventTracker DLA No files found for pro, EventTracker DLA file processing failed, EventTracker Remedial action failed, EventTracker Remedial action ignored, EventTracker Remedial action Success, EventTracker USB device disabled, EventVault CAB integrity checksum failure, Excessive access failures]
5. Click Save to save the settings.

Chapter 4 Configuring Alerts and Alert Notifications (EventTracker Ver 6.4 User's Guide): Adding Alerts from the Dashboard

In this example, the Administrative log on Alert has been selected and configured to Beep whenever the Administrator, or a user with Administrator's privilege, logs in to your system. Note the tick mark in
6. Click Save on the toolbar. EventTracker displays the EventTracker Management Console message.
7. Click OK.
8. Restart the Management Console.

Configuring Alert Actions, Manager Side: Executing Remedial Action at EventTracker Manager Console System

This option enables you to configure a custom action to be executed on receipt of an event at the Manager system. To execute
[Figure residue, Alert Groups console: Forward as SNMP and Forward as SYSLOG columns, all entries No]

Configuring Alerts

Right-click the Category that you want to set as Alert. EventTracker displays the shortcut menu. From the shortcut menu, choose Add As Alert.
OR
Click New on the toolbar.
EventTracker displays the Alert Group Configuration window.
4. Type the Alert name in the Enter Alert Name field.

[Figure residue, Alert Groups console: RSS Notification and Console side remedial columns, all entries No]

Figure 57 Alert Group Configuration, Alert Name tab. The dialog (tabs Alert Name, Event Details, Event Filters, Custom, Systems, Actions) reads: Alerts can be configured to produce Beep from the speaker, to send E-mail, to send a Console message across the network, to execute a Custom action, or the combination of all, on the occurrence of specified events. Enter Alert Name: My Alert.

5. Click the Event Details tab.
OR
Click Next.
6. Click Save on the toolbar. EventTracker displays the EventTracker Management Console message.
7. Click OK.
8. Restart the Management Console.

Forwarding Events as SNMP Traps

All incoming events are compared with the configured Alert. Whenever there is a match between an event and the alert criteria, a copy of the ev
Contents fragment (chapters 7 to 8; entries garbled in extraction are shown as ...):
... 155
Removing Computers, Manual Mode ... 157
Removing Unmanaged Systems ... 158
Logical System Groups ... 163
Creating a New Logical Group, System Type ... 163
Creating a New Logical Group, IP Subnet ... 167
Creating a New Logical Group, Manual ... 169
Modifying ... 172
... 175
Changing System ... 177
Chapter 8 Managing Windows Agents ... 180
Agent for Windows Systems ... 181
... 181
... 182
Deploying ... Agents ... 182
Pre-installation ... 182
Installing ... Agents ... 182
... Windows Agent ... 191
Upgrading Windows Agent ... 194
Removing Windows Agent Components ... 198
Switching Windows Agent Mode ... 200
... 204
... 204
Admin Account ... 204
System Report ... 207
Contents fragment (chapters 4 to 7; entries garbled in extraction are shown as ...):
... 112
Configuring RSS Alert Notification ... 114
Forwarding Events as SNMP Traps ... 116
Forwarding SYSLOG Messages ... 118
Executing Remedial Action at EventTracker Manager Console ... 121
... 123
Executing Remedial Action at EventTracker Agent System ... 126
Configuring Alert Actions for predefined Alerts ... 129
Adding Alerts from the Dashboard ... 130
Chapter 5 Configuring RSS ... 132
RSS ... 133
... 133
... 136
Chapter 6 Maintenance Tools ... 139
Creating Index for Archive ... 140
Compacting the Database Size ... 142
Chapter 7 Managing System Groups ... 146
Discover ... 147
... 147
... 147
... 148
Adding Computers ... 148
... 150
Adding a group of Computers from an IP ... 152
Removing Computers ... 155
Removing Computers, Auto Discover Mode
Contents fragment (chapters 3 to 4; entries garbled in extraction are shown as ...):
... 75
Upgrading Agent Systems from Manager 5.1 ... 75
Correlation Receiver ... 76
Direct Log File Archiving ... 76
Enabling Alert Notification Status for Alert Events ... 77
Show Only Active Alert events in Console ... 78
Store Only Active Alert Events ... 78
Enabling Remedial Actions ... 79
Suppressing Duplicate Alerts ... 80
What does Duplicate Alert Suppression ... 80
How do I use the feature Duplicate Alarm ... 80
Configuring Manager to Alert Suspicious Network Activity ... 81
Chapter 4 Configuring Alerts and Alert Notifications ... 94
... 85
Configuring Alerts ... 85
Managing ... 97
Modifying Alert Details ... 103
Deleting Alert Details ... 104
Configuring Alert Actions, Manager Side ... 105
Configuring Audible Alert Action ... 105
Configuring E-mail Alert Action ... 108
Configuring Console Message Alert Action
Contents fragment (chapters 13 to 15; entries garbled in extraction are shown as ...):
... 394
Importing Schedule Reports ... 396
Importing RSS Feeds ... 397
Chapter 14 Collection Point Model ... 400
What is Collection Point model ... 401
... 401
Real World Scenarios ... 402
Chapter 15 Collection Master ... 405
Starting Collection Master Console ... 406
Viewing Collection Point details ... 407
CAB ... 408
Configuring Collection Master listening ... 411
Merging Collection Points, default Archives folder ... 412
... 412
... 414
... 415
Merging Collection Points, modified Archives folder ... 416
... 418
... 422
Requesting CAB ...
[Figure residue, Chapter 16 Collection Point: EventTracker Collection Point Console for 192.168.1.38 listing CAB files (etar... names) with start time, end time, Collection Master address and status Success, In Progress or Queued, dated April 2009]
Index fragment (entries garbled in extraction are shown as ...):
... 348; adding categories 352; creating 348; deleting 358; modifying 357
Choosing Columns 41
Collection Master: ... 408; Collection Point details 407; configuring Alerts 432; configuring port 411; deleting CABs 428; deleting Collection Point details 430; merging Collection Points 412, 416; requesting CABs 424; starting 406
Collection Point: adding Collection Masters 436; deleting Collection Master settings 441; editing Collection Master settings 440; sending ... 443; ... 435; viewing CAB status 442
Collection Point model 401; scalability 401; Scenarios 402
Command line mode: multiple systems 301
Command Line Mode 298; install on single system 299; uninstall from single system 301
Compliance: ... 464; ... 465; ... 459; ... 456; PCI DSS
[Figure residue, Alert Groups console: predefined alerts with Yes/No action columns, including Administrative log on failure, Altiris Audible Alert, Audit Log Cleared, CISCO Access Denied, CISCO Authentication Failed, CISCO PIX Failover Message, CISCO PIX IDS intrusion detection, CISCO VPN Admin Access Authenticati, CISCO VPN Admin Access Authorizatio, CISCO VPN Admin Access Access Contr, CISCO VPN Memory Allocation Failed, Citrix Console Message Alert, Critical service could not be started, Critical service is not running, Crystal Enterprise, Detected high memory usage, Detected software (Some S/w has bee), Directory permission change, Disk space is critically low, Domain policy changed, E-mail Alert, Events as SNMP Traps (Yes), EventTracker agent service failed, EventTracker Agent configuration changed, EventTracker Collection Master Error, EventTracker Collection Point Error, EventTracker DLA No files found for pro, EventTracker DLA file processing failed, EventTracker Remedial action failed]
Reloading the Navigation Pane

Press F5 to refresh the Categories and Systems. Press Ctrl+F5 to reload and refresh the Navigation Pane with the changes made in the System Manager. This option enables you to reload the Navigation Pane.

To add a new Group, reload and refresh the Navigation pane:
1. Open the Management Console. EventTracker displays the Navigation pane with the existing Group(s).
2. Open the System Manager.
3. Click Create Group on the toolbar. EventTracker displays the Create Group dialog box.

Figure 35 Create Group. The dialog reads: Select Group Name & Type. Group Name; Group Description (none). Select whether you want this group to be based on system type, IP subnet, or you would like to select the group members: System Type, IP Subnet, Select Manually.

4. Type the Group Name and Description, and then select the option to add members to your Group.

Figure 36 Create Group (Group Name: My Group; Group Description: none; options System Type, IP Subnet).

5. Click Next >. EventTracker displays the systems available for se
Contents fragment (chapters 8 to 9; entries garbled in extraction are shown as ...):
... 286
Backing up Current Configuration ... 280
Protecting the Current Configuration ... 290
Enabling Remedial Action ... 202
Windows Agent Management Tool ... 292
Accessing Management Tool ... 202
Querying Agent Service status, System ... 293
Querying Agent Service status, Group ... 294
Querying Agent Service status, ... 205
Restarting Agent Service, System ... 205
Restarting Agent Service, ... 296
Restarting Agent Service, All ... 296
Querying version of the Agent Service, ... 297
Querying version of the Agent Service ... 297
Querying version of the Agent Service, All ... 298
Deploying Windows Agents in Command line mode ... 298
Command line parameters ... 298
Installing Agent on a single ... 299
Uninstalling Agent from a single ... 301
Installing and Uninstalling Agents in multiple systems ... 301
To uninstall Agent ... 301
Chapter 9 Agentless Monitoring of Windows Systems
[Figure residue, Collection Master Console (Manage, Select Criteria, Destination, Select CAB Status): CAB files from Collection Point 192.168.1.38 (etar... names) with start and end times from April 2009, each marked Do Not ...]
[Figure residue, Chapter 1 Getting Started: Management Console Dashboard showing Total Categories 850 and Total Events 386, with a Navigation Pane event list dated 1/13/2010 from systems WEBDOC1, SYS5 and SPIDER, including EventTracker App Open and App Close events for Acrobat.exe (Adobe Acrobat) and WINWORD.EXE (Microsoft Office XP) with their PIDs]
[Figure residue: Collection Point Detail listing before merging]

To merge these two Sites, open the Collection Master Console, click Collection Point Detail on the toolbar, select both the Collection Points and click Merge. Collection Master displays the confirmation message box:

EventTracker Collection Master Console: Are you sure you want to merge collection point ALICE 11 (192.168.1.53) into collection point ALICEBANGALORE (192.168.1.53)? Yes / No

Click Yes to merge the Collection Points.

Requesting CAB Files

Collection Master displays the Collection Point Detail after merging the Collection Points.

Figure 417 Collection Points after merging (Collection Master Console columns: Collection Point, Version, Last CAB, Last Received Time, Archive Path).

When you merge the Collection Points, Collection Master will retain the CAB files intact in the default Archives folder. Moves the C
To continue, click Next. (Cancel)

EventTracker Filtering Events from View

- Fine-grain filtering for meaningful monitoring: support for both view and source filters based on wildcard matches of id, type, source, user and event description.
- Filter non-essential events: collect and manage only important events (minimum traffic).
- Filter any event(s) for display only; these are still logged into the event database.
- Monitor only specific events. Examples: log all events into the database but display only Audit Failure; create a separate monitoring window for Exchange Server events.
- Filter any specific category of events. Example: monitor all events except information events.
- Exclusive filters according to your own criteria. Examples: filter all Information events except a defined list; a few specific events are frequently generated but you wish to exclude these and monitor all other events.
- BOOLEAN operators in filter policy definitions provide the ability to match multiple strings in fields to create sophisticated filter policy definitions.

Configuring Event Filters

This option enables you to filter events of minor significance from the view. Events are filtered from the view alone, and EventTracker keeps logging those events into the database. To configu
6. Click Save on the toolbar. EventTracker displays the EventTracker Management Console message.
7. Click OK.
8. Restart the Management Console.

Forwarding Events as SYSLOG Messages

All incoming events are compared with the configured Alert. Whenever there is a match between an event and the alert criteria, a copy of the event is forwarded as a SYSLOG message to the specified destination.

To forward events as Syslog messages:
1. Click the Actions tab. EventTracker displays the Actions tab.
2. Select the Forward Events as SYSLOG message check box. EventTracker displays the Actions Forward dialog box.

Figure 91 Actions Forward as SYSLO
5. Select the computer you want to add to the Group.
6. Click OK. System Manager displays the EventTracker System Manager message box.

Figure 126 Add Computers message (EventTracker System Manager: Search was successful).

7. Click OK.
8. Edit the appropriate Domain and add the Computer to that Domain.

Adding a group of Computers

This option enables you to add a group of Computers. Note that it is possible to add Computers only with available Domains. As mentioned earlier, System Manager is in Auto Discover Mode by default. Suppose you later switched the Discover Mode to Manual and added Computer(s) to a particular Domain, say Domain A. Since the System Manager is in Manual Discover Mode, it cannot discover newly added Computer(s) by itself. In this scenario you can utilize this option to add those new Computer(s) to Domain A.

To add a group of computers:
1. Select the Add a group of Computers from available Domains option in the Add Computer(s) window.

Chapter 7 Managing System Groups: Adding Computers

Figure 127 Add Computer(s) window. Options: Add a single Computer (by name or IP address); Add a group of computers; Add Computers belonging to an IP subnet.

2. Click Next >. System Manager displays the Select Criteria dialog box.

Figure 128 Select Criteria (Add a group ...)
6. Click Save on the toolbar. EventTracker displays the EventTracker Management Console message.
7. Click OK.
8. Restart the Management Console.

Configuring RSS Alert Notification

This option helps you to get notified via RSS of Alerts raised by EventTracker for configured events.

To configure RSS Alert notification:
1. Click the Actions tab. EventTracker displays the Actions tab.
2. Select the Update RSS Feed check box. EventTracker displays the Actions RSS dialog box.

Figure 87 Actions RSS (Feed Details: Feed Name AWE; Description: Feed for All Warning Events).

3. Select the RSS Feed from the Feed Name drop-down list.
4. Click OK.
5. Click OK on the Alert Group Configuration dialog box. EventTracker displays the Alert Groups console with the newly created console message alert.

Figure 88 Alert Groups console (Edit, Delete, Save). The console reads: Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action. Columns include Forward as SNMP, Forward a
11. Click Save on the toolbar. EventTracker displays the EventTracker Management Console message.
12. Click OK.
13. Restart the Management Console.

I set up an email alert and it is not working. What should I do?

Please crosscheck the following:
- The SMTP server mentioned must be accessible from the Console system. That is, either the system must be able to access the Internet, or the SMTP server must be reachable over the LAN.
- Ensure valid email ids are provided in both To Address and From Address. Note: the email ids MUST be valid.
- Try out the Test E-mail option provided where you are configuring the email.

Configuring Console Message Alert Action

This option enables you to configure a console message Alert. A notification message will be sent to the selected machine.

To configure console message Alert action:
1. Click the Actions tab. EventTracker displays the Actions tab.
2. Select the Send net message check box. EventTracker displays the Actions Message dialog box.

Fi
[Figure residue: systems list with Managed/Unmanaged status and Standard type; 8 Systems]

Creating a New Logical Group, IP Subnet

This option enables you to create a new logical Group of systems based on IP subnet.

To create a new logical group and add systems based on IP subnet:
1. Select the IP Subnet option in the Create Group dialog box.

Figure 153 Create Group, Subnet (Group Name: Apps Database Group; Group Description: Machines running Database; options System Type, IP Subnet, Select Manually).

2. Click Next >. System Manager displays the Create Group dialog box.

Figure 154 Create Group, IP Subnet (Enter Subnet: SubNet Address 000.000.000.000).

3. Type the SubNet Address.
4. Click Finish. System Manager displays the EventTracker System Manager message box.

Figure 155 Create Group message box (EventTracker System Manager: Management Console will now start populating the newly created group. IF va
[Figure residue, Manager Configuration dialog: Website http://kb.prismMicroSys.com; Check Status: Ping EventTracker Agents every 5 minutes (if ping frequency is set to 0 this feature will be disabled); Edit Ports; Correlation Receiver: Send results of all correlation rules to port 11 4509; Direct Log Archiver: Direct log file archiving from external sources; Syslog: Enable SYSLOG receiver; Virtual Collection Points: Multiple processing stacks; Alert Events: Enable Alert Notification Status, Enable Alert Events Cache for Alerts Analysis, Purge events from cache older than (days), Show only Active Alert events in Console, Store only Active Alert events, Enable Remedial Action, Suppress Duplicate Alerts; Suspicious Network Activity: Suspicious Network Activity Alerts; Check for knowledge base updates]

3. Type or select the number of events that you want to display in the Dashboard from the Max events view limit (Console) spin box.
4. Click OK. EventTracker displays the confirmation message box.
5. Click Yes to save the changes.

EventTracker Knowledge Base Web site

This option enables you to configure the EventTracker Knowledge Base Web site.

To configure the EventTracker Knowledge Base Web site:
1. Open the Management Console.

Chapter 3 Configuring Manager: SYSLOG Receiver

Clic
3. Double-click EventTracker Collection Master Error. EventTracker displays the Alert Group Configuration console.

Chapter 15 Collection Master: Configuring Alerts

Figure 429 Alert Group Configuration console. The console reads: Events can be added, edited and removed from this Alert Group. Columns: Event Type, Log Type, Source, Category, Event ID, Match in Event Descr. Buttons: Add Event, Edit Event, Remove Event, Back, Next >, Finish, Cancel.

4. Select appropriate options in the Event Filters, Custom, Systems and Actions tabs, and then click Finish.
5. Click Save on the Alert Groups console. EventTracker displays the EventTracker Management Console message.
6. Click OK.
7. Restart the Management Console.

Chapter 16 Collection Point

In this chapter you will learn how to:
- Starting Collection Point Console
- Add Collection Master
System Manager removes the selected systems from all the Groups if those systems exist in more than one Group.

Logical System Groups

Logical System Groups help you to monitor the Computers you are interested in. You can choose Computers based on the OS type or IP subnet, or pick them manually.

Creating a New Logical Group, System Type

This option enables you to create a new logical Group of systems based on system type.

To create a new logical group and add systems based on System Type:
1. Open the Management console.
2. Click the Configure menu and select the Manage Systems option.
OR
Click Manage Systems on the toolbar. System Manager displays the System Manager.
3. Click the File menu and select the Create Group option.
OR
Click Create Group on the toolbar. System Manager displays the Create Group dialog box.

Figure 147 Create Group, System Type (Select Group Name & Type: Group Name; Group Description (none); select whether you want this group to be based on system type, IP subnet, or you would like to select the group members: System Type, IP Subnet, Select Manually).

Table 33
Group Name: Type the group name in this field. The group name should be unique.
Group Description: Type the group description in this field.
Group Type: Select the group t
[Figure residue, Chapter 11 Analysis]

Chapter 12 Managing Category Groups and Categories

In this chapter you will learn how to:
- Configure & Manage Category Groups
- Configure & Manage Categories

Managing Category Groups

A set of relevant Categories can be organized under a Group.

Creating Category Groups

This option enables you to organize Category groups, whereby you can add, delete and modify categories in that Group.

To create a Category Group:
1. Open the Management Console.
2. Click the Configure menu and select the Manage Categories option.
OR
Right-click any of the Groups or Categories on the left pane. EventTracker displays the shortcut menu. From the shortcut menu, choose Manage Categories. EventTracker displays the Manage Categories console.

Figure 326 Manage Categories window (New, Edit, Delete). The window reads: Categories are used to organize events in an ordered and user-friendly manner. Category Management is used extensively in Reports, showing only the events that you find interesting. This interface can be used to create, manipulate and manage Categories. Tree: All Categories; columns Category, Event ID.
EventTracker displays the Event Details tab.
6. Click Add Event. EventTracker displays the Event Configuration dialog box.
7. Type appropriately in the relevant fields.

Figure 58 Event Configuration. The dialog reads: Please take care to enter the correct details for effective results. Event Details (an empty field implies all matches): Event Type, Log Type, Match in Source, Category, Event ID, Match in User, Match in Event Descr, Event Descr Exception. The Match in Event Descr field can take multiple strings separated with && or the OR separator; && stands for AND condition, the other stands for OR condition. Note: if you want to make a match on any of the special characters, then in the search string prefix this character with a backslash. Example: ... for a ... and ... for a ... For more information click here.

8. Click OK. EventTracker displays the Event Details tab with the newly added Event details.

Figure 59 Alert Group Configuration, Event Details tab (tabs Alert Name, Event Details, Event Filters, Custom, Systems, Actions). Events can b
[Figure residue, Filter Exception dialog: Source, Match in Event Descr. The Match in Event Descr field can take multiple strings separated with && or the OR separator; && stands for AND condition, the other stands for OR condition. Note: if you want to make a match on any of the special characters, then in the search string prefix this character with a backslash. Example: ... for a ... and ... for a ... For more information click here.]

8. Click OK. EventTracker displays the Filter Exception dialog box with the newly added filter exception.

Chapter 8 Managing Windows Agents: Configuring Windows Agent

Figure 223 Filter Exception window. The window reads: You can choose to monitor specific events if they match a filter. Specify the details of the events that you would like to monitor. Example: you may want to filter out all Information events other than those received from the Web Service. To do this, set the Information filter and add a Filter Exception with Event Source as Web Service. (Entry: Log Type; Event Type Information; Source Web Sour... Edit, Delete.)

9. To modify the settings, select the event in the list and click Edit. Modify the details in the Event Details dialog box and click OK.
10. To delete the settings, select the event in the list and click Delete.
11. Click Close on the Filter Exception dialog box. All information events will be filtered out with one except
Chapter 10: EventVault Warehouse Manager

In this chapter you will learn how to:
- Configure EventTracker Scheduler Service account settings
- Configure EventVault Warehouse Manager
- Back up EventVault data
- Save EventBox information
- Verify EventBox integrity
- Extract EventBox data
- Delete EventBoxes
- Append CAB files
- View CAB files for a specific period
- Move archives to a new location

EventTracker stores all received events in EventVault, an optimized, high-performance event warehouse purpose-built for efficient storage and retrieval of event logs. EventVault reliably and efficiently archives event logs from across the enterprise without the need for DBMS licenses or the overhead of database administrators. All collected events are compressed (over 90% compression ratio), encrypted and sealed with a SHA-1 checksum, which the guide calls a signature, so that tampering can be detected. Two practical caveats: SHA-1 is no longer considered collision-resistant, and a checksum stored alongside the archive detects corruption or modification only by someone who cannot also rewrite the recorded checksum; the guide does not say how the recorded checksum itself is protected, so treat the archive folder's access control as part of the integrity guarantee.

EventTracker Scheduler service

The functionality of the legacy EventTracker Scheduler service has been enhanced to align with the Collection Point architecture. The functionality varies with the Console type you select while installing EventTracker v5.6. If you select Standard Console, the functionality of the EventTracker Scheduler service remains unaltered from earlier versions of EventTracker. If you select Collection Master or Collection Point C
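The integrity check described above, as an added example that is not EventTracker's own code: it records a SHA-1 digest per EventBox (as the Warehouse Manager's Checksum column does), verifies a set of CAB files against those digests, and then shows the failure mode the caveat mentions, an attacker who rewrites both the file and the unkeyed digest, beside a keyed HMAC seal that survives it. The manifest layout, file names and file contents are constructed for the example; the guide does not describe EventVault's on-disk format.

```python
"""Added example (not EventTracker's code): verify archived EventBox (CAB)
files against recorded SHA-1 checksums and contrast that with a keyed seal.

The manifest layout, file names and contents below are constructed; the
guide does not describe EventVault's on-disk format.
"""
import hashlib
import hmac


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def build_manifest(cabs):
    """Record the SHA-1 of every CAB, as the Checksum column in the guide shows."""
    return {name: sha1_hex(data) for name, data in cabs.items()}


def verify_eventboxes(manifest, cabs):
    """Return {cab name: 'ok' | 'checksum mismatch' | 'missing' | 'unlisted'}."""
    result = {}
    for name, expected in manifest.items():
        if name not in cabs:
            result[name] = "missing"
        elif hmac.compare_digest(sha1_hex(cabs[name]), expected):
            result[name] = "ok"
        else:
            result[name] = "checksum mismatch"
    for name in cabs:
        if name not in manifest:
            result[name] = "unlisted"          # present on disk, never recorded
    return result


def seal_with_key(cabs, key):
    """Keyed seal: someone who can rewrite a CAB and its stored digest but
    does not hold the key cannot produce a valid tag. HMAC-SHA-256 is used
    because SHA-1 is no longer collision-resistant."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in cabs.items()}


def verify_sealed(sealed, cabs, key):
    fresh = seal_with_key(cabs, key)
    return {name: "ok" if name in fresh and hmac.compare_digest(fresh[name], tag)
            else "seal invalid"
            for name, tag in sealed.items()}


# Constructed archive contents (not real CAB data).
CABS = {
    "etar_sample_001.cab": b"MSCF" + b"events from 2010-01-13 08:00" * 8,
    "etar_sample_002.cab": b"MSCF" + b"events from 2010-01-13 09:00" * 8,
    "etar_sample_003.cab": b"MSCF" + b"events from 2010-01-13 10:00" * 8,
}
MANIFEST = build_manifest(CABS)
SEAL_KEY = b"constructed-example-key-do-not-reuse"
SEALED = seal_with_key(CABS, SEAL_KEY)


def tampered_copy():
    """Simulate an attacker rewriting one CAB, deleting another and planting
    a stray file; the caller can then recompute the unkeyed manifest to
    cover the tracks."""
    cabs = dict(CABS)
    cabs["etar_sample_002.cab"] = b"MSCF" + b"events with the logon failures removed"
    del cabs["etar_sample_003.cab"]
    cabs["etar_sample_999.cab"] = b"MSCF" + b"planted"
    return cabs


if __name__ == "__main__":
    tampered = tampered_copy()
    print("unkeyed check, original manifest:", verify_eventboxes(MANIFEST, tampered))
    print("unkeyed check, attacker-rewritten manifest:",
          verify_eventboxes(build_manifest(tampered), tampered))
    print("keyed seal:", verify_sealed(SEALED, tampered, SEAL_KEY))
```

The second print line is the point: once the attacker recomputes the manifest, every unkeyed check passes, while the keyed seal still flags the rewritten and the deleted EventBox. Keeping the recorded digests somewhere the archive's writers cannot reach (a Collection Master, a write-once store) gives the unkeyed scheme a similar property.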
Figure: Alerts Dashboard, sample alert rows. Each row shows the alert text, the source system and the user. Examples of alert text in the figure: App Open / App Close with the executable name (OUTLOOK.EXE, Alerts Dashboard.exe, YAHOOM~1.EXE, SmcGui.exe, Explorer.EXE), product name, description and PID; "EventTracker Agent on ELCSERVER has not sent the heartbeat message for the past ... minutes"; "Detected free space in drive E is less than 10 percent" (with drive size and free space, also for drives D and F); and a configuration-modified notice.
Monitor Syslog: The process to monitor Syslog being sent by a UNIX system.
(Term not legible in the source): The process to view the summary of event statistics such as Total events received, Total alerts received, Total systems monitored and so on.
SNMP Event Manager: An application called TrapTracker used to monitor and manage critical traps emitted by network devices in your enterprise.
SNMP Traps: The process to receive trap messages generated by local or remote SNMP agents and forward the messages to third-party vendor software such as a NOC.
StatusTracker: An application used to monitor the status of your IT resources and provide various reports.
Syslog Receiver: The process to set up the SYSLOG receiver. After setting this option, the Manager will receive any SYSLOG sent by a UNIX system.
System Information: The process to collect and view the system configuration information. You can view System Summary, Hardware Resources, Components, Software Environment, Internet Settings and Applications.
System Manager: A console that helps you manage groups, systems and Agents.
System Performance: The process to monitor system performance in graph, histogram or report form.
System Statistics: A window that displays the system statistics in the EventTracker Management Console.
TCP: Transmission Control Protocol. TCP is responsible for verifying the correct delivery of data from Agent to server; it adds support to detect errors or lost data. Note that this covers accidental loss and corruption only, not deliberate tampering on the path.
Figure: EventVault Warehouse Manager, Available EventBoxes list. Columns: CAB file name (of the form etar<number>_<number>), Checksum (hex digest) and archive path under C:\Program Files\Prism Microsystems\EventTracker\Archives\14505. Toolbar: Move, Append Archives (with the archive date range From/To).
Figure: Alert Groups console (New, Edit, Delete, Save). Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action. The figure lists 75 predefined alerts, among them: Administrative log on, Administrative log on Failure, Altiris, Citrix, Critical service could not be started, Critical service is not running, Crystal Enterprise, Detected high memory usage, Detected software (entry truncated in the figure), Directory permission change, Disk space is critically low, Domain policy changed, EventTracker agent service failed, EventTracker Collection Master Error, EventTracker Collection Point Error, EventVault CAB integrity checksum failure, Excessive access failures by an user, Excessive access failures in your enterprise, Excessive access failures on a specific (entry truncated in the figure).

Chapter 13: Export Import Utility

In this chapter you will learn about the Export Import Utility.
To change the account under which the EventTracker Agent service runs:

1. Open the System Manager.
2. Click the Options menu and select the Agent Properties option. System Manager displays the EventTracker Agent Properties window.

Figure 209: Client Properties, Account tab. This utility will change the account under which the EventTracker Agent service runs. Log on as: Local System account (selected by default) or This Account.

Table 38:
Local System: Select this option to set the system account as the default logon account for the service.
This Account: Select this option to change the logon account. The This Account, Password and Confirm Password fields are enabled. Type the domain name and the user name in the This Account field, for example CELEBRATE\administrator. Type the password in the Password field and the same password in the Confirm Password field.

Local System has unrestricted privileges on the host. If the Agent only needs to read the logs it monitors, a dedicated account granted just those rights limits what a compromised Agent, or a remedial action script run by it, can do; the example above only illustrates the DOMAIN\user format.

3. Select the This Account option, enter valid user credentials, and click Next. System Manager displays the EventTracker Agent Properties window.

Figure 210: Client Properties, System tab. This utility will change the account under which the EventTracker Agent
- Alerts based on Event count
- New, modify and delete Log Volume Analysis schedules
- RSS Feeds
- Analyze Admin user activities, Non-Admin user activities, Alert notification status, Disk space availability status and usage variation

EventTracker Services and Ports

Service                 | Function                                                          | Startup   | Log on as    | Notes
EventTracker Correlator | Correlates events and performs rule-set-based actions             | Automatic | Local System | Yes (column heading not legible in the source)
EventTracker Alerter    | Sends configured alert notifications (Beep, Email, Message, RSS)  | Automatic | Local System | Yes
EventTracker EventVault | Compresses and securely stores the raw log data                   | Automatic | Local System | Yes
EventTracker Agent      | Relays local log data. If uninstalled locally, corresponding changes should be made at the Management Console. May be restarted to pick up new configuration | (not listed) | Local System |
EventTracker Receiver   | Receives log data from the configured sources. If stopped, EventTracker becomes inoperative. May be restarted to pick up new configuration | Automatic | Local System |
EventTracker Reporter   | Manages report generation                                         | Automatic | Local System |
EventTracker Scheduler  | Initiates scheduled actions including report generation, log backup etc. | Automatic | Local System |
Figure: Alert Groups list (continued). Further predefined alerts shown: CISCO VPN Admin Access Authorization, CISCO VPN Admin Access Access, CISCO VPN Memory Allocation Failed, Citrix, Critical service could not be started, Critical service is not running, Crystal Enterprise, Detected high memory usage, Detected software (entry truncated), Directory permission change, Disk space is critically low, Domain policy changed, E-mail Alert, EventTracker agent service failed, EventTracker Agent configuration changed, EventTracker Collection Master Error, EventTracker Collection Point Error, EventTracker DLA No files found for pro (entry truncated), EventTracker DLA file processing failed, EventTracker Remedial action failed, EventTracker Remedial action ignored, EventTracker Remedial action Success.
Figure: System Manager, Computer Groups view. Columns: System, Type (Windows 2000 Professional, Windows 2000 Server, Windows 2003 Server, Windows XP), Description, Status (Managed or Unmanaged; managed systems also show the Agent mode, Standard or High Performance, and notices such as "Agent mode switched from Standard Mode to High Performance Mode"). Status bar: Displaying Windows Systems, Auto Discover, 37 Systems.

Monitoring System Health

Monitoring CPU, memory performance and disk usage of a system enables the administrator to keep tabs on the general health of a system. You can configure general health thresholds for CPU and Memory Usage. All thresholds are measured in percent terms.
Figure: Alert Groups list (102 alerts).

6. Click Save on the toolbar. EventTracker displays the EventTracker Management Console message.
7. Click OK.
8. Restart the Management Console.

Configuring E-mail Alert Action (Manager side)

This option enables you to configure the E-mail Alert action. To configure the E-mail Alert action:
1. Click the Actions tab. EventTracker displays the Actions tab.
2. Select the Send E-mail to specified recipient check box. EventTracker displays the Actions (E-mail) dialog box.

Figure 79: Actions, E-mail. Specify the SMTP server for outgoing mails. E-mail Configuration: SMTP Server (a proper SMTP address), From (a proper e-mail address), To (a proper e-mail address), Subject. SMTP Authentication: Enable Authentication, User Name, Password. Buttons: Test E-mail, OK, Cancel.

If you enable authentication, the Manager keeps the user name and password you enter here for every alert it sends, so use a mailbox dedicated to alerting rather than an administrator's account.

You can also
EventTracker User's Guide: Copyright, Trademarks, Disclaimer

All intellectual property rights in this work belong to Prism Microsystems, Inc. The information contained in this work must not be reproduced or distributed to others in any form or by any means, electronic or mechanical, for any purpose, without the prior permission of Prism Microsystems, Inc., or used except as expressly authorized in writing by Prism Microsystems, Inc.

Copyright 1999-2010 Prism Microsystems, Inc. All Rights Reserved.

All company, brand and product names are referenced for identification purposes only and may be trademarks or registered trademarks that are the sole property of their respective owners. Prism Microsystems, Inc. reserves the right to make changes to this manual and the equipment described herein without notice. Prism Microsystems, Inc. has made all reasonable efforts to ensure that the information in this manual is accurate and complete. However, Prism Microsystems, Inc. shall not be liable for any technical or editorial errors or omissions made herein, or for incidental, special or consequential damage of whatsoever nature resulting from the furnishing of this manual or the operation and performance of equipment in connection with this manual.

Contents: About this guide; Purpose; Who should read this guide
Export Import Utility message box: "Successfully exported all the Schedule Reports".
8. Click OK. If the file already exists, EventTracker displays the Export Import Utility message box: "File already exists, do you want to append the existing File?" (Yes / No / Cancel).

Exporting RSS Feeds

To export RSS Feeds:
1. Open the Export Import Utility.
2. Select the RSS Feeds option. EventTracker displays the Export Import Utility.
3. Click Export. EventTracker displays the Select Export File dialog box.
4. Click the Save in drop-down box and select the path where you want to export the RSS feeds.
5. Type the file name in the File name field. The valid file extension is .issrss.
6. Click Save. EventTracker displays the Export Import Utility message box.

Figure 370: Export RSS Feeds, Export Import Utility message box (the figure shows the text "Successfully exported all the Schedule Reports").

7. Click OK. If the file already exists, EventTracker displays the Export Import Utility message box (Figure 371): "File already exists, do you want to append the existing File?" (Yes / No / Cancel).

Importing Categories

To import Categories:
1. Open the Management Console.
2. Click the Tools menu and select the Import and Export Utility option, OR double-click Main
Figure: Export Import Utility, Import tab, Import Scheduled Reports. 1. Provide the path and file name of the Scheduled Report file; use the browse button to locate the import file. 2. Click the Import button. Options: Category, Filters, Alerts, Source Groups, Systems, Scheduled Reports, RSS Feeds; Import without System names (reports will be configured for all systems); From .issch / From evtrpt.ini.

4. Select the Import without System names check box to import the configuration settings without system names. The settings will be applied to all systems in the target environment.
5. Select the issch option to import .issch files, OR select the Custom option to import an evtrpt.ini file.
6. Click the browse button adjacent to the Source field. EventTracker displays the Select issch File dialog box if you selected the issch option.
7. Navigate to the scheduled reports file you want to import and click Open. EventTracker displays the Select evtrpt.ini File dialog box if you selected the evtrpt.ini option.
8. Navigate to the evtrpt.ini file you want to import and click Open. EventTracker displays the Import tab on the Export Import Utility dialog box.
9. Click Import. EventTracker displays the Exp
Trusted Port Details window: Process name, Local port, Remote port, Description, Enable check box. Type appropriate details in the relevant fields and then click OK. You can use wildcards to match processes. For example, if you have configured Virtual Collection Points and wish to add all EventTracker Receiver processes, it is enough to provide the process name as EtReceiver*.exe. You can also use the browse button to locate the process.

Edit: Select a process from the list and then click Edit. EventTracker displays the Trusted Port Details window (the figure shows the Echo entry of Simple TCP/IP Services). Edit details in the relevant fields and then click OK.

Delete: Select a process from the list and then click Delete. EventTracker displays a confirmation message box (EventTracker Agent Configuration: "Are you sure you want to delete?"). Click Yes to delete the selected entry.

Add Program: Add programs installed on your computer to the trusted list. The second button adds programs included in the Firewall Exceptions list to the trusted list.

Close the Trusted/Suspicious Connections List window.

In some rows in the list you might notice the Process Name field is empty; this signifies that any process that communicates through the defined

Two entries deserve review before you trust them: an entry with an empty process name trusts every process on that port, and the Firewall Exceptions import inherits whatever was allowed there, so check both against what the system actually needs.
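The classification the trusted list performs, as an added example that is not EventTracker's own code: it models entries with the Trusted Port Details fields (process name with wildcards, local port, remote port, description), treats an empty process name as "any process", and sorts a handful of observed connections into trusted and suspicious. Assumptions the guide does not state: a port value of 0 means "any port", process-name comparison is case-insensitive, and 14505 is the Receiver's listening port (the guide's archive paths suggest it, but it is assumed here). The entries and observed connections are constructed.

```python
"""Added example (not EventTracker's code): apply a Trusted/Suspicious
Connections list to observed connections and flag the ones no entry covers.

Assumptions: port 0 means any port; process-name matching is
case-insensitive; the trusted list and observations below are constructed.
"""
from fnmatch import fnmatchcase


def entry_matches(entry, conn):
    """True when a trusted-list entry covers the observed connection."""
    if not entry.get("enabled", True):
        return False
    pattern = entry["process"].lower()
    # An empty Process name trusts any process that uses the defined ports.
    if pattern and not fnmatchcase(conn["process"].lower(), pattern):
        return False
    for field in ("local_port", "remote_port"):
        if entry[field] != 0 and entry[field] != conn[field]:
            return False
    return True


def classify_connections(trusted_list, connections):
    """Split observed connections into (trusted, suspicious) lists.

    Each trusted result carries the description of the entry that allowed
    it, so an analyst can see why a connection was accepted.
    """
    trusted, suspicious = [], []
    for conn in connections:
        match = next((e for e in trusted_list if entry_matches(e, conn)), None)
        if match:
            trusted.append((conn, match["description"]))
        else:
            suspicious.append(conn)
    return trusted, suspicious


def wide_open_entries(trusted_list):
    """Entries that trust every process on every port: worth a second look,
    whether or not they are currently enabled."""
    return [e for e in trusted_list
            if e["process"] == "" and e["local_port"] == 0 and e["remote_port"] == 0]


# Constructed trusted list (hypothetical entries).
TRUSTED_LIST = [
    {"process": "EtReceiver*.exe", "local_port": 14505, "remote_port": 0,
     "description": "All Virtual Collection Point receivers", "enabled": True},
    {"process": "", "local_port": 7, "remote_port": 0,
     "description": "Echo (Simple TCP/IP Services)", "enabled": True},
    {"process": "outlook.exe", "local_port": 0, "remote_port": 443,
     "description": "Outlook to mail server", "enabled": True},
    {"process": "", "local_port": 0, "remote_port": 0,
     "description": "Imported from Firewall Exceptions", "enabled": False},
]

# Constructed observed connections.
OBSERVED = [
    {"process": "EtReceiver2.exe", "local_port": 14505, "remote_port": 51022},
    {"process": "svchost.exe",     "local_port": 7,     "remote_port": 40111},
    {"process": "OUTLOOK.EXE",     "local_port": 49700, "remote_port": 443},
    {"process": "powershell.exe",  "local_port": 49701, "remote_port": 4444},
]

if __name__ == "__main__":
    ok, bad = classify_connections(TRUSTED_LIST, OBSERVED)
    for conn, why in ok:
        print("trusted   ", conn["process"], "->", why)
    for conn in bad:
        print("SUSPICIOUS", conn)
    print("wide-open entries:", wide_open_entries(TRUSTED_LIST))
```

The disabled fourth entry is the case the caveat above warns about: enabling it would make every connection trusted, which is why wide_open_entries reports it even while it is switched off.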
Figure: Alerts Dashboard rows (time, source system, alert text such as App Open / App Close with executable name, product name, description and PID; "Refreshed 1/8/2010 11:01:40 AM"). Double-click on the graphs to view details.

10. Double-click a row to view the details in Quick View.
11. Right-click a row to edit the Alert rule. EventTracker displays the shortcut menu.
12. From the shortcut menu, choose Tune this alert. EventTracker displays the Alert rule details.

Figure 325: Alert Groups (EventTracker Console) with New, Edit, Delete, Save and RSS Notification. Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action. Predefined alerts visible in the figure: Cisco Catalyst Memory allocation failed, Cisco Catalyst Module failed to come online, Cisco Catalyst Module inserted, Cisco Catalyst Module power up failed, Cisco Catalyst Module removed, Cisco Catalyst Module self test failed, Cisco Catalyst Module was reset, Cisco Catalyst Operational port in port ch (truncated), Cisco Catalyst Port shutdown due to secu (truncated).
Figure: Log Search, Refine pane. Showing max 100 records per page; Selected 1 of 71; Page 1 of 1. Refine by From/To (01/13/2010 10:27:24 AM to 01/13/2010 12:00:33 PM), Log Type (Application, Security), Event Type (Audit Success, Information), User (Administrator, SYSTEM), Event Id (3208, 3221, 3222, 540), Systems (WEBDOC1), Source (EventTracker, Security), Title and Description. The Refine Description field can take multiple strings separated with && or ||. && stands for the AND condition; || stands for the OR condition. Example: open && Microsoft.

9. Click the Total alerts hyperlink in the upper pane to view all Alert event details that occurred in all monitored systems. EventTracker displays the latest 20 Alerts that occurred in all monitored systems in the bottom pane, irrespective of the options you have selected in the System Group and Top drop-down lists. EventTracker highlights Warning events in Blue.

Figure 323: Alerts Dashboard, bottom pane (time, source system WEBDOC1, alert text such as App Open / App Close Alerts Dashboard.exe, Name EventTracker, Description, PID).
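The && / || syntax above is the same one the Event Configuration, Filter Exception and Log Search Refine fields describe, so one added example serves all three; it is not EventTracker's own code. It parses an expression into OR-groups of AND-terms, honours the backslash escape for & and |, and runs it over constructed event descriptions modelled on the Alerts Dashboard rows. Assumptions the guide does not state: && binds tighter than || (so "a && b || c" means (a AND b) OR c), matching is case-insensitive substring matching, and an empty expression matches everything, in line with "empty field implies all matches".

```python
"""Added example (not EventTracker's code): evaluate the "&&" / "||" match
syntax the guide describes against constructed event descriptions.

Assumptions: "&&" binds tighter than "||"; matching is case-insensitive
substring matching; an empty expression matches everything.
"""


def parse_match_expr(expr):
    """Split an expression into OR-groups of AND-terms.

    'open && Microsoft || stopped' -> [['open', 'Microsoft'], ['stopped']]
    """
    # A backslash makes the next character literal, so  dir \&\& del  is the
    # single term  dir && del  rather than two terms.
    groups = [[]]
    term = []
    i = 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            term.append(expr[i + 1])          # escaped: literal character
            i += 2
        elif expr.startswith("&&", i):
            groups[-1].append("".join(term))   # end of an AND term
            term = []
            i += 2
        elif expr.startswith("||", i):
            groups[-1].append("".join(term))   # end of an OR group
            groups.append([])
            term = []
            i += 2
        else:
            term.append(ch)
            i += 1
    groups[-1].append("".join(term))
    # Whitespace around terms is not significant; drop empty terms.
    return [[t.strip() for t in g if t.strip()] for g in groups]


def description_matches(expr, description, ignore_case=True):
    """True when the description satisfies the expression."""
    groups = [g for g in parse_match_expr(expr) if g]
    if not groups:
        return True                            # empty field: match everything
    hay = description.lower() if ignore_case else description
    return any(
        all((t.lower() if ignore_case else t) in hay for t in g)
        for g in groups
    )


def filter_events(expr, events):
    """Return the event IDs whose description matches expr, in input order."""
    return [e["event_id"] for e in events
            if description_matches(expr, e["description"])]


# Constructed sample events, modelled on the Alerts Dashboard rows in the
# guide; these are not real log entries.
SAMPLE_EVENTS = [
    {"event_id": 3221, "description": "App Open: Exe=OUTLOOK.EXE Name=Microsoft Office Outlook PID=1696"},
    {"event_id": 3222, "description": "App Close: Exe=taskmgr.exe Name=Microsoft Windows Operating System PID=240"},
    {"event_id": 7036, "description": "The Net Logon service entered the stopped state."},
    {"event_id": 4688, "description": "A new process has been created: cmd.exe /c whoami || net user"},
]

if __name__ == "__main__":
    for expr in ("open && Microsoft", "stopped || taskmgr",
                 r"whoami \|\| net", "whoami || net", ""):
        print(f"{expr!r:22} -> {filter_events(expr, SAMPLE_EVENTS)}")
```

The last two expressions show why the escape matters when the thing you are hunting for itself contains the operator characters: the escaped form matches only the command line that literally contains "whoami || net", while the unescaped form is an OR and also picks up the Net Logon service event.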
2. Select the Group option to view Managed systems by group.
3. Select a group from the Group Name drop-down list.
4. Click Show Report.

All System Report: this option generates OS-wise, group-wise and port-wise Managed/Unmanaged system reports.

Event Publishers in Windows Event Log

An event publisher creates an event and delivers it to an event log. An event publisher is typically an application, service or driver. There can be multiple publishers for large applications, and the publishers should be distinguished by the major components of an application.

Event Logs and Channels in Windows Event Log

A channel is a named stream of events that transports events from an event publisher to an event log file, where an event consumer can get the event. Event channels are intended for specific audiences and have different types for each audience. While most channels are tied to specific event publishers (they are created when publishers are installed and deleted when publishers are uninstalled), there are a few channels that are independent of any event publisher. System Event Log channels and event logs such as System, Application and Security are installed with the operating system and cannot be deleted. A channel can be defined on any independent Event Tracing for Windows (ETW) session. Such channels are not controlled by Window
Figure 440: Manage CAB console (Collection Point). Columns: CAB file (names of the form etar<number>_<number>), From, To, Destination (192.168.1.38 in the figure), Status (Do Not Send, Success, In Progress, Queued, Failed). Summary line: Total CAB files 51 with Success, In Progress, Queued, Failed and Do Not Send counts. Controls: Select all, Start.

Table 86:
Select Destination: Select the destination from the drop-down list. All configured destination Collection Masters are listed in this drop-down list.
Select CAB Status: Select the status of the CAB files from this drop-down list and then click Show. Available options are All, Success, Failed, Do Not Send, In Progress and Queued.
Select all: Select this check box to mark all the CAB files to send to the selected Collection Master(s).

2. Select the destination from the Select Destination drop-down list. The default is All, which means the Collection Point will send the selected CAB files to all the configured Collection Masters.
3. Select the CAB file(s) that you want to send to
Figure: EventVault Warehouse Manager, Available EventBoxes (continued). Checksum column and archive paths under C:\Program Files\Prism Microsystems\EventTracker\Archives\14505; buttons Verify, Extract, Delete, Move; EventVault Enabled; Number of EventBoxes: 12.

Chapter 11: Analysis

In this chapter you will learn how to:
- Search Log
- Analyze Event Traffic
- Analyze User Activity
- Analyze ROI

EventTracker Log Search
Control Panel items: Enterprise Activity, Alerts Dashboard, Event Monitoring, Log Search, Reports Console, System Manager, Collection Master Configuration, Collection Point Configuration, Manager Configuration, Agent Configuration, Event Knowledge Base, EventVault Warehouse Manager, Maintenance Tools, Diagnostics, About EventTracker, EventTracker Plugins Download, EventTracker Web Interface, E-mail support (prismmicrosys.com).

Table 5:
- Enterprise Activity: Open the Enterprise Activity Dashboard
- Alerts Dashboard: Open the Alerts Dashboard
- Event Monitoring: Open the EventTracker Management Console
- Log Search: Open the simplified event log search interface
- Reports Console: Open the Advanced Reports console
- System Manager: Open System Manager
- Collection Master Configuration: Open the Collection Master Configuration console
- Collection Point Configuration: Open the Collection Point Configuration console
- Manager Configuration: Open the Manager Configuration window
- Agent Configuration: Open the Agent Configuration window
- Event Knowledge Base: Go to the events Knowledge Base Web site, which provides in-depth details about events
- EventVault Warehouse Manager: Open the EventVault Warehouse Manager console
- Maintenance Tools: Open the Maintenance Tools window; click to create the index file for Archives
- Compaction Utility: Click to compact the database
... Archives window with the actual physical files present in the Archives folder. The Search in Sub Folders check box is selected by default. Clear this check box to append archives in the root folder alone and not in the sub folders.
3. Click the browse button and select the path of the folder where you have stored the CAB files.

Figure 307: Choose Directory window. Select archives folder (tree showing Program Files\Prism Microsystems with Common, EventTracker and TrapTracker; Drives list; OK and Cancel).

4. Click OK. EventVault Warehouse Manager displays the Append Archives window.

Figure 308: Append Archives window. Source archives path (with Search in Sub Folders), Destination C:\Program Files\Prism Microsystems\EventTracker\Archives, and a list of Cab Name (etar<number>_<number>.cab files) and Cab Path.
Import options: Category, Filters, Custom, Alerts, Source Groups, Systems, Scheduled Reports, RSS Feeds; Import.

4. Select the issys option to import .issys files, OR select the Custom option to import other types of files such as .txt files.
5. Click the browse button adjacent to the Source field. EventTracker displays the Select issys File dialog box if you selected the issys option.
6. Navigate to the domains file you want to import and click Open. The valid file extension is .issys. EventTracker displays the Select File dialog box if you selected the Custom option.
7. Navigate to the domains file you want to import and click Open. EventTracker displays the Import tab on the Export Import Utility.

Figure 385: Export Import Utility window, Import Domains. 1. Provide the path and file name of the groups file; use the browse button to locate the import file. 2. Click the Import button. Options: Category, Filters, Custom, Alerts, Source Groups, Systems, Scheduled Reports, RSS Feeds. Source: C:\Program Files\Prism Microsystems\EventTracker\...

8. Click Import. EventTracker displays the Export Import Utility message box.
Remedial Action fields: Log Type, Computer, Source, Category, Event ID, User, Description, Notes.

Table 24:
Custom Script: Type the name of the script in the Script Name field. Script files are stored in the default EventTracker Agent installation path, typically Program Files\Prism Microsystems\EventTracker\Agent. Type an appropriate description in the Notes field for future reference.
Restart Service: Type the name of the service that you want to restart in the Service Name field. Type an appropriate description in the Notes field for future reference.
Restart System: EventTracker disables the Script Name field. Type an appropriate description in the Notes field for future reference.
Shut Down System: EventTracker disables the Script Name field. Type an appropriate description in the Notes field for future reference.
Stop Service: Type the name of the service that you want to stop in the Service Name field. Type an appropriate description in the Notes field for future reference.
Terminate Process: EventTracker enables this option only when you set an alert for the specified Events.

A custom script runs on the Agent system, with the Agent service's privileges, whenever the alert fires. Restrict write access to the Agent installation folder to administrators, since anyone who can place or edit a script there can have it executed that way.

As said earlier, you must enable Remedial Action in the Manager Configuration window. If you have not enabled it, EventTracker will display the Actions window with an appropriate message to enable Remedial Action.

Figure 99: Actions, Remed
Figure: Alert Groups list with the RSS column (108 alerts).

6. Click Save on the toolbar. EventTracker displays the EventTracker Management Console message.
7. Click OK.
8. Restart the Management Console.

Editing Alert Actions

This option enables you to edit Alert actions. To edit Alert actions:
1. Select the Alert for which you want to modify the action in the Alert Groups (EventTracker Console).
2. Click Edit, OR double-click the Alert. EventTracker displays the Alert Group Configuration (EventTracker Console).
3. Click the Actions tab. EventTracker displays the Actions tab.
4. Click Edit Actions. EventTracker displays the Actions dialog box.

Figure 96: Editing Actions. Remedial Action at Console Configuration: select a file to execute when an event occurs. The order of command line arguments to the file is as shown in the example given bel
62. ...SYS1 in the C:\Program Files\EventTracker directory, use the following command: Agentinstaller.exe I N SYS1 P C:\Program Files\EventTracker
    2. To uninstall an Agent from system SYS1, use the following command: Agentinstaller.exe U N SYS1
    3. To install the Agent on multiple systems, create a file systems.txt with system names or IP addresses and use the following command: Agentinstaller.exe I F systems.txt P C:\Program Files\EventTracker
    Installing Agent on a single system
    This option helps you install the EventTracker Agent on a single system by specifying the system name or IP address. To install the Agent on a single system:
    1. Open the command prompt.
    2. Type the path of Agentinstaller.exe (for example, C:\Program Files\Prism Microsystems\EventTracker\RemoteInstaller).
    3. Type Agentinstaller.exe in the command prompt.
    4. Type the switch.
    5. Type the switch N followed by the name or IP address of the system where you want to install the Agent.
    (Deploying Windows Agents in Command Line Mode)
    Figure 289 Agent installation - Command line mode (cmd.exe window: C:\Program Files\Prism Microsystems\EventTracker\RemoteInstaller> AgentInstaller.exe I N winny)
    6. Press Enter on your keyboard. RemoteInstaller installs the Agent on the target computer.
    7. Open the System Manager.
    8. Press F5 on your keyboard to refresh the console. System Manager displays the
63. Figure residue (Services tab): Service Restart List: EventTracker Alerter, EventTracker EventVault (Add, Remove). Service Monitor Exceptions: BITS (Add, Remove). Choose the Add/Remove option to select services that do not need to be monitored, for example a scheduled job such as a Disk Defragmenter.
    Monitor Services: This check box is selected by default to monitor all Windows services. The Add and Remove buttons of Service Restart List and Service Monitor Exceptions are disabled if you clear this check box.
    (Chapter 8, Managing Windows Agents: Configuring Windows Agent)
    Service Restart List: By default, the EventTracker Alerter, EventTracker Scheduler, EventTracker Receiver, EventTracker EventVault and WewService services are monitored. Click Add to add selected services to restart when they stop. Click Remove to remove the services from the list.
    Service Monitor Exceptions: Click Add to add services that you do not want to monitor. Click Remove to remove the services from the list.
    Click Add next to Service Restart List. EventTracker displays the EventTracker Agent Configuration dialog box. Type the name of the service in the Enter Service Name field. Click OK. EventTracker adds the service to the Service Restart List. Click Save on the Agent Configuration window. You can apply the current settings to other specified Agents. For more information, refer to Applying Configuration Settings to
64. Chapter 19 Add-in Software Modules
    In this chapter you will learn about:
    - WhatChanged
    - StatusTracker
    - EventLogCentral
    - Solaris Agent
    WhatChanged
    This tool helps you understand the changes that have occurred on a computer's file system and registry and provides you with a lifeline to restore it to a working configuration. The WhatChanged architecture is completely centralized and provides you with the control to manage all systems on your network from one console. The WhatChanged console consists of the following options:
    Status Tracker Snapshots: After the installation is completed, WhatChanged initiates a snapshot that is called the baseline snapshot. You can schedule the snapshots by using the configuration option. By default it is scheduled for 2 auto snapshots per day. You can change the timing and frequency.
    Agent Installation/Distribution: You can install WhatChanged Agents on any system that is present in any trusted domain. All Agents installed from a WhatChanged console can be managed from the WhatChanged console.
    Full View/Change View: In the Full View, the WhatChanged console displays all the items in the file system and registry while highlighting only the changed items. In the Change View, the WhatChanged console displays only the items that have undergone some changes.
    Registry Restore/Undo Restore: WhatChanged provid
65. To remove, select the application and click Remove. Click Close.
    10. Click Save on the Agent Configuration window. You can apply the current settings to other specified Agents. For more information, refer to Applying the Settings to Specified Agents on page 285.
    Filtering applications that need to be monitored
    To filter out specific applications to monitor:
    1. Open the Agent Configuration window.
    2. Select the system from the Select Systems drop-down list.
    3. Select the Monitor App Usage option. EventTracker displays the Monitor Apps tab.
    4. Click Monitor Specific Apps. EventTracker displays the Monitor Specific Apps dialog box.
    5. Click Add. EventTracker displays the EventTracker Agent Configuration dialog box.
    6. Type the application name, with the .exe extension, that you want to monitor.
    7. Click OK. EventTracker displays the Monitor Specific Apps dialog box.
    Figure residue: Monitor Specific Apps dialog, List of App Executables: explore.exe
    8. To remove, select the application and click Remove.
    9. Click Close.
    10. Click Save on the Agent Configuration window. You can apply the current settings to other specified Agents. For more information, refer to Applying Configuration Settings to Specified Agents on page 285.
    Monitoring Services
    By default EventTracker monitors all Windows
66. Figure residue (Add Agent login): Usually a Domain Admin account is required. Please enter the account name in DOMAIN\USER format. Account, Password.
    13. Type valid user credentials and then click Login. System Manager starts installing the Agent and displays the progress bar. After installing the Agent, System Manager displays the EventTracker System Manager message box.
    (Chapter 8, Managing Windows Agents: Deploying Agents)
    Figure 188 System Manager message box (EventTracker System Manager: The process is complete. Please check the status against each computer.)
    14. Click OK. System Manager displays the successful installation message.
    Figure 189 Add Agent - Successful installation message (Add Agent: Completed installing Agent software. Latest Status: Installed successfully. Completed successfully. Finish)
    15. Click Finish.
    16. To refresh the System Manager, click the View menu and select the Refresh option, or press F5 on your keyboard. System Manager displays the newly added system.
    Figure 190 System Manager - newly added system (EventTracker System Manager window: File, View, Options, Help; Configure Agents, Search Computers, Create Group, Delete Group, Add System, Remove System, Upgrade Agent; Computer Groups: All Domain Computers)
67. Appendix: SOX (Sarbanes-Oxley) Compliance
    ...and D states that user accesses to the system be recorded and monitored for possible abuse.
    Logon Failure report: The security logon failure includes logging all unsuccessful login attempts. The user name, date and time are included in this report.
    Audit Logs access report: SOX requirements Sec 4 and D (review and audit access logs) call for procedures to regularly review records of information system activity, such as audit logs.
    Security Log Archiving Utility: Periodically the system administrator will be able to back up encrypted copies of the log data and restart the logs.
    Track Account management changes: Significant changes in the internal controls (sec 302(a)(6)). Changes in the security configuration settings, such as adding or removing a user account to an administrative group. These changes can be tracked by analyzing event logs.
    Track Audit policy changes: Comply with internal controls (sec 302(a)(5)) by tracking the event logs for any changes in the security audit policy.
    Track individual user actions: Comply with internal controls (sec 302(a)(5)) by auditing user activity.
    Track application access: Comply with internal controls (sec 302(a)(5)) by tracking applications and processes.
    Track directory/file access: Comply with internal controls (sec 302(a)(5)) for any access violation.
68. > Press any key to exit
    If an index already exists in the selected folder, EventTracker displays the DOS window.
    Figure 116 Archive Index command (DOS window: etvarindex.bin already exist, can not Process. Indexing process terminated with Error. > Press any key to exit)
    Compacting the Database size
    This option enables you to compact the database size.
    (Chapter 6, Maintenance Tools: Compacting the Database Size)
    1. Double-click Maintenance Tools on the EventTracker Control Panel. EventTracker displays the Maintenance Tools splash screen.
    2. Double-click Compaction Utility. EventTracker displays the Compact Files dialog box.
    Figure 117 Compact Files - Collection Master Console (EventTracker Compact Files: Tools, Help; Select Compact to start compaction; FileName and Size in MB: issdb3.mdb, issAlertsDB.mdb, ETReports.mdb; Compact)
    Figure 118 Compact Files - Collection Point Console (EventTracker Compact Files: Tools, Help; Select Compact Now to start compaction; FileName and Size in MB: issdb3.mdb, issAlertsDB.mdb, ETReports.mdb, CollectionPointInfo.mdb; Compact)
69. - Edit Collection Master Settings
    - Delete Collection Master Settings
    - View CAB Status
    - Send CAB files to Collection Masters
    - Set Purge Frequency
    (Chapter 16, Collection Point: Starting Collection Point Console)
    Starting Collection Point Console
    This option helps you open the Collection Point Console. To open the Collection Point Console:
    1. Open the Control Panel - Collection Point.
    2. Double-click Configuration, OR click Start, point to Programs, point to Prism Microsystems, point to EventTracker, and then select the EventTracker Collection Point Configuration option. EventTracker displays the Collection Point Console.
    Figure 430 Collection Point Console (EventTracker Collection Point Console: File, Configure, Help; Manage CAB; Configure; Manage; Select Criteria: Select Destination, Select CAB Status, Show; columns Name, Period, Destination, Transmission Start Time, Transmission Time in Sec, Status; Select all; Success, In Progress, Queued, Failed, Do Not Send; Start)
    Table 80: Configure (Configure Managers) - Add Collection Masters; Manage CAB - View status of all CAB files.
    Table 81 Select Criteria: Select Destination - Select the Collection Master from this drop-down list. Collection Masters that you have a
70. Export Import Utility window - Import Filters (figure residue: Export Import Utility, Import tab: 1. Provide the path and file name of the filters file; use the ... button to browse and locate the import file. 2. Click the Import button. Options: Category, Filters, Alerts, Source Groups, Systems, Scheduled Reports, RSS Feeds; path C:\Program Files\Prism Microsystems\EventTracker; Import, Close)
    7. Click Import. EventTracker displays the Export Import Utility message box.
    Figure 377 Import Filters message box (Successfully imported Filter: 7 Filters from file C:\Documents and Settings\nirmal\My Documents\My Filters.isil. To view the imported Filters, please go to Edit/View Filters.)
    8. Click OK. EventTracker displays the Export Import Utility message box.
    Figure 378 Import Filters message box (The EventTracker Management Console needs to be restarted for settings to take effect.)
    9. Click OK and restart the Management Console.
    (Chapter 13, Export Import Utility)
    Figure 379 Export Import Utility window - Import Alerts
    Importing Alerts
    To import Alerts:
    1. Open the Export Import Utility.
    2. Click the Import tab.
    3. Select the Alerts option on the Import tab. EventTracker dis
71. Figure residue: Manage CAB console listing CAB files (name, period, destination 192.168.1.38, transmission start time, status Send, Success or Do Not Send); Select all; Success, In Progress, Queued, Failed, Do Not Send; Total Cab Files 51; Start.
    7. Click Start. EventTracker displays the message box.
    Figure: Collection Point Console message box (EventTracker Collection Point Console: Queued 13 CAB Files to the Collection Master at 192.168.1.38)
    Collection Point resends the selected CAB files to the selected Collection Master(s). When you resend a CAB file, the Collection Master backs up the older one with the same name but appends timeticks. Timeticks is the time when the Collection Master received the new CAB
72. Figure residue: Manage CAB console listing CAB files (name, period, destination 192.168.1.38, status Send or Do Not Send); Select all; Success, In Progress, Queued, Failed, Do Not Send; Total Cab Files 51; Start.
    Select the Select all check box to send all the CAB files.
    4. Click Start.
    (Chapter 16, Collection Point: Sending CAB File(s) to Collection Master(s))
    EventTracker displays the message box.
    Figure 441 Collection Point Console message box (EventTracker Collection Point Console: Queued 17 CAB Files to the Collection Master at 192.168.1.38)
    5. Click OK. EventTracker displays the Manage CAB console with the new status of the selected CABs.
    Figure 442 Manage CAB console (EventTracker Collection Po
73. Figure residue: Manage CAB console listing CAB files (name, period, destination 192.168.1.38, status Queued or Do Not Send); Select all; Success, In Progress, Queued, Failed, Do Not Send; Total Cab Files 51.
    6. Select an appropriate option from the Select CAB Status drop-down list to view the status of the CAB files. When the CAB files are sent successfully, EventTracker displays the Manage CAB console.
    Figure 443 Manage CAB console
    Figure 444 Manage CAB console (EventTracker Collection Point Console, CAB files with destination 192.168.1.38)
74. Figure residue: event list from computer WEBDOC1 dated 1/13/2010, showing EventTracker "App Open" and "App Close" events for executables such as AgentInstaller.exe, EtwControlPanel.exe, MSIEXEC.EXE (Windows Installer), ETReport_Migration.exe, ETConsole3.exe, ArchiveAppender.exe and ETArchive.exe; each description carries the executable Name and, for App Close events, the PID.
75. Figure residue (CAB Status tab): CAB Request, CAB Status; Select Criteria: Select Collection Point: All, Select CAB Status: All; columns Collection Point Name, Size (Kb), Transmission Start Time, Transmission Time, Status; two CAB files from NEWYORK with status In Progress and Success; Select all; Total Cab Files 2; Success, Failed, In Progress; Delete.
    Deleting CAB files
    This option helps you delete CAB files. To delete CAB files:
    1. Click CAB Status on the Collection Master Console. EventTracker displays CAB Status.
    (Chapter 15, Collection Master: Deleting CAB Files)
    Figure 422 CAB Status (EventTracker Collection Master Console: File, Configure, Help; CAB Status, Collection Point Detail, CAB Request; Select Criteria: Select Collection Point, Select Status; two CAB files from NEWYORK, both with status Success; Select all; Total Cab Files 2; Success, Failed, In Progress; Delete)
    2. Select the Select All check box to select all CAB files for deletion, OR select the check box against
76. Figure residue (Adding Alerts from the Dashboard): event list with columns Refresh, Date, Computer, Description; rows dated 4/28/2009 from computer WEBDOC1 with source EventTracker and descriptions App Open / App Close for an ETConsole executable; Total Events 107; Selected Event 11; Rows 500.
77. (Chapter 15, Collection Master: Viewing CAB Status - Collection Point Details)
    ...in the source or CAB files that have failed to transfer.
    Select Criteria:
    Select Collection Point: Select the Collection Point from this drop-down list. All clients reporting to the Collection Master are listed in this drop-down list.
    Select CAB Status: Select the status of the CAB files from this drop-down list and then click Show. Available options are All, Success, Failed and In Progress.
    Select all: Select this check box to mark all the CAB files for deletion and then click Delete. You can also select an individual file for deletion.
    Viewing Collection Point Details
    This option helps you view details of the Collection Points that are forwarding CAB files to the Collection Master. To view Collection Point Details:
    1. Click Collection Point Detail on the Collection Master Console. EventTracker displays the Collection Point Detail.
    Figure 399 Collection Point Detail (EventTracker Collection Master Console: File, Configure, Help; CAB Status, Collection Point Detail, CAB Request; columns Collection Point Name, Last Received CAB Name, Last Received CAB Time, Archive Path; row NEWYORK, Build 78, etar1233153185, 10:03:18 AM 4/9/2009, archive path under C:\Program Files\Prism Microsystems\EventTracker\Archives; Merge, Delete)
    Table 73: Collection Point Name - Displays the name of the Collection Poi
78. Figure residue: Category Description: All Information Events.
    4. Click Next >. EventTracker displays the Confirmation message box.
    Figure 335 Confirmation message box (Confirmation: Modifications done to category will affect all the category groups where this category exists. Are you sure you want to save the changes? Yes)
    5. Click Yes. EventTracker displays the Create Event Category Wizard.
    (Chapter 12, Managing Category Groups and Categories: Analyzing Alerts)
    Figure 336 Create Event Category Wizard (Event Details: Enter or select event details information. Enter comments or recommended action for the event. Click Add to save and continue; click Finish to save and exit. Fields: Severity, Event Type, Category, Log Type, Event ID, Source, User, Match in Event Descr, Event Descr Exception. The Match in Event Descr field can take multiple strings separated with && or ||; && stands for the AND condition and || stands for the OR condition. If you want to make a match on any of the special characters, then in the search string prefix this character with a backslash. For more information click here. Cancel)
    6. Type appropriately in the relevant fields.
79. Click Close.
    13. Click Save on the Agent Configuration window.
    Suspicious Connections
    This feature is an enhancement of the existing Network Connection Monitoring. This option enables you to monitor suspicious usage of TCP or UDP ports and their connection states. By default, all connections are treated as suspicious, and you can exempt applications and ports from monitoring. EventTracker ships with a list of applications and ports which are not harmful to any enterprise environment; as discussed, the EventTracker Agent will not monitor these white-listed applications and ports. Prior to enabling the EventTracker Agent to monitor Suspicious Traffic, apply all the latest Microsoft patches and hotfixes if the operating system is Windows 2000.
    Monitoring Suspicious Connections
    This option helps you monitor suspicious connections and view the predefined trusted connections list. EventTracker does not monitor the connections listed in the Trusted List. You can also edit the predefined trusted connection list and define your own set of trusted connections. To view the Trusted List:
    1. Open the Agent Configuration window.
    2. Select the system from the Select Systems drop-down list.
    3. Click the Network Connection Monitor tab. EventTracker displays the Network Connection Monitor tab.
    4. Select the Suspicious Traffic Only (SNAM) option. EventTracker displays the Agent Configuration window.
80. Click OK.
    10. Open the Alert Groups console.
    11. Double-click My Alert. EventTracker displays the Event Details tab with the event details unaltered.
    Figure 74 Alert Group Configuration (Alert Group Configuration - EventTracker Console: Events can be added, edited and removed from this Alert Group. Match In Event Descr; Add Event, Edit Event, Remove Event; Back, Next >, Finish, Cancel)
    However, when you edit the event details of My Alert in the Alert Group Configuration window, the change will be reflected in the Alerts Category in the Manage Categories console.
    12. Double-click the event or click Edit Event. EventTracker displays the Event Configuration window.
    13. Type appropriately in the relevant fields.
    Figure 75 Event Configuration (Event Configuration - EventTracker: Please take care to enter the correct details for effective results. Event Details (an empty field implies all matches): Log Type: Security; Match in Source; Category; Event ID; Match in User; Match in Event Descr; Event Descr Exception. Match in Event Descr field tak
81. Figure residue: EventTracker Collection Point Console, Manage CAB tab (File, Configure, Help; Configure, Manage; Select Criteria: Select Destination, Select CAB Status, Show; columns Name, Period, Destination, Transmission Start Time, Transmission Time in Sec, Status), listing CAB files named etar followed by a timetick number, dated 4/5/2009 to 4/9/2009, with destination 192.168.1.38 and status Send.
82. Table residue (EventLogCentral configuration changes): 3289 Modification of report saving options; 3290 Addition of a new Role in EventLogCentral; 3291 Modification of a role in EventLogCentral; 3292 Deletion of a role in EventLogCentral. EventLogCentral config changes: all events logged by EventLogCentral when a user adds a new role, or modifies or deletes a role in EventLogCentral.
    Chapter 18 TrapTracker
    TrapTracker is an integral component of EventTracker which helps you monitor and manage critical traps emitted by network devices. TrapTracker for Windows (TTW) consists of 2 components: the TTW Manager and a built-in MIB Compiler/Browser. The TTW Manager is the heart of the architecture. You should install the TTW Manager on the system where you require all SNMP Traps to be monitored. You can configure Alerts and Trap Severity. Alerts include E-mail, beep, console message and other custom notifications. The MIB Compiler/Browser is provided to compile custom MIBs into the TTW system.
    The TrapTracker for Windows (TTW) console consists of the following options:
    - Alerts: After the installation is completed, you can configure TTW to send you alerts based on the type of events that are received. The types of Alerts supported are E-mail, beep, console message and custom action.
    - Multiple Window View: Displays multiple windows to view a distinct set of events. You can set the selection criteria for viewing events.
83. Figure residue (dashboard chart): Chart Type: Line; Duration: Show data for Last 1 Hour.
    EventTracker Icons
    EventTracker icons represent EventTracker objects. These icons help you identify the various objects used in EventTracker.
    Table 7 (icon legend): Category Groups; Events of Audit Success Event Type; Events of Audit Failure Event Type; Events of Information Event Type; Events of Warning Event Type; View and print the generated report; Open the Online Help; Export the displayed page into a Word or PDF file; Search a string or phrase in the displayed page.
    (Chapter 1, Getting Started)
    Upgrading EventTracker Manager License
    This option helps you upgrade the EventTracker Manager license from the trial version to the registered version. To upgrade the license:
    1. Open the Management Console.
    2. Click the Help menu and select the Upgrade License option. EventTracker displays the Upgrade License dialog box.
    Figure 9 Upgrade License (EventTracker Upgrade License dialog: Demo Key, Demo Serial 1, Serial 2; "This evaluation version / your current evaluation license supports 1 Clusters, 0 Servers/workstations, 0 SYSLOG Systems, Solaris Systems and SNMP Systems")
84. Figure residue (Alert Group Configuration, Custom tab; tabs: Event Details, Event Filters, Custom, Systems, Actions): Alerts are valid only during this Time Interval - Time Interval: Apply at all times / Apply between this time frame, From 12:00:00 AM To 7:00:00. ...this alert only if the same event occurs for the specified count within the specified duration - Alert based on Count: alert for event count 12, Duration 68400 secs. This alert can be optionally stored in Alert Archives for Alert analysis - Archive Alert: Store this alert in Alert Archives. Back, Next >, OK, Cancel.
    20. Click the Systems tab, OR click Next >. EventTracker displays the Systems tab.
    21. Select the System Groups/Systems.
    Figure 64 Alert Group Configuration - Systems tab (Alert Group Configuration - EventTracker Console: Alert Name; tabs Event Details, Event Filters, Custom, Systems, Actions. This alert is applied to the list of selected computer(s) or groups: Apply to all Systems / Apply to selected Systems. System Groups: All Systems. List of selected systems: WEBDOC1. Add, All >>, < Remove, << Remove All; Back, Next >, OK, Cancel)
    22. Click the Actions tab, OR click Next >. EventTracker displays the Actions tab.
85. Figure residue: EventTracker Agent Configuration message box (You have enabled the High Performance Mode of the EventTracker Agent. This mode is suitable for servers that generate more than 700 events/min, such as Domain Controllers or Active Directory servers. This mode is separately licensed. Are you sure?)
    Click Yes. Click Save. Click Close on the Agent Configuration window. To refresh the System Manager, select the View menu and select the Refresh option, or press F5 on your keyboard. System Manager displays the upgraded system.
    Figure 207 System Manager console with newly added system (EventTracker System Manager: File, View, Options, Help; Configure Agents, Search Computers, Create Group, Delete Group, Add System, Remove System, Upgrade Agent; Computer Groups: All Domain Computers; columns Computer, Description, System Status; rows such as ALICE (Windows 2000, none, Unmanaged), BALOO (Windows 2000, none, Unmanaged), CACOFONIX (Windows 2003, none, Unmanaged), CHARLIE (Windows 2000, Unmanaged), and further Windows 2000, Windows 2003 and Windows XP systems listed as Unmanaged)
86. EventTracker displays the EventTracker Console message box if you have misconfigured the settings.
    Figure 81 EventTracker Console message box (Test E-mail could not be sent to the specified recipient. Please verify E-mail configuration.)
    6. Click OK.
    EventTracker displays the EventTracker Console message box if you have properly configured the settings.
    Figure 82 EventTracker Console message box (Test E-mail has been sent to the specified recipient. Please verify whether the test E-mail has been received or not.)
    7. Click OK.
    8. Click OK on the Actions - Email dialog box.
    9. Click OK on the Alert Group Configuration dialog box. EventTracker displays the EventTracker Console message box if an alert notification has been set previously for the same event details.
    Figure 83 EventTracker Console message box (These details have already been included in the following Alerts: Audible Alert. Do you want to continue adding these details?)
    10. Click Yes to continue or No to abort. EventTracker displays the Alert Groups console with the newly created E-Mail alert.
    Figure 84 Alert
87. Appendix: GLBA Compliance Reports. Section 501 of the GLBA documents specific regulations that require financial institutions to protect non-public personal information. As part of the GLBA requirements, a security management process must exist in order to protect against attempted or successful unauthorized access, use, disclosure, modification or interference of customer records. The organization must be able to monitor, report and alert on attempted or successful access to systems and applications that contain sensitive customer information. User Logon report: GLBA compliance requirements state that user accesses to the system be recorded and monitored for possible abuse. User Logoff report: GLBA requirements state that user accesses to the system be recorded and monitored for possible abuse. Logon Failure report: the security logon feature includes logging all unsuccessful login attempts; the user name, date and time are included in this report. Audit Logs Access report: the GLBA requirements to review and audit access logs call for procedures to regularly review records of information system activity, such as audit logs. (p. 459.) Appendix: Security Reports. Successful and failed file access: auditors are generally concerned with knowing who did what and when; monitoring file access can provide that information. This will be especially useful as companies attempt to c
88. (Chapter 8, Managing Windows Agents: Configuring Windows Agent.) Figure 273: Agent Configuration window, Network Connection Monitor tab (screenshot: menu File, Help; Select Systems: WEBDOC1 (Agent based system); Apply the following settings to specified clients; Manager destinations: WEBDOC1; tabs Managers, Event Filters, System Monitor, Monitor Apps, Services, Log Backup, Processes, Network Connection Monitor, Logfile Monitor; Connection check boxes TCP, UDP and All Network Traffic; Trusted List button; Connection States check boxes Open, Changed and Close). Suspicious Network Activity Monitoring (SNAM) provides your enterprise the ability to monitor security beyond the firewall. Every organization will have a firewall policy as the first line of security. The EventTracker SNAM feature provides you with a second-level option for intrusion detection and identification of internal threats. 5. Click Trusted List. (p. 274.) The trusted list contains a list of known good applications and ports through which the usual network connections between the processes happen. This option helps you to view, enable and disable the predefined trusted connections list. EventTracker exempts enabled connections listed in the Trusted List from monitoring. You can also edit the predefined trusted connection list and define your own set of trusted connecti
89. Figure: Alert Groups console (screenshot: toolbar Edit, Delete, Save; description "Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action (Console side remedial action)"; list of predefined Alerts with Yes/No action columns: Administrative log on failure, Altiris, Audible Alert, Audit Log Cleared, CISCO Access Denied, CISCO Authentication Failed, CISCO PIX Failover Message, CISCO IDS intrusion detection, CISCO VPN Admin Access Authentication, CISCO VPN Admin Access Authorization, CISCO VPN Admin Access Access Control, CISCO VPN Memory Allocation Failed, Citrix, Critical service could not be started, Critical service is not running, Crystal Enterprise, Detected high memory usage, Detected software <name> has been, Directory permission change, Disk space is critically low, Domain policy changed, EventTracker agent service failed, and further entries).
90. Hardware feature of Windows to always return "Device in Use". This message can be ignored; the USB device is not affected. Click OK to continue. Disable USB Devices: select this check box to disable USB devices. USB Exception List: this button is enabled when you select the Disable USB Devices check box; click this button to add USB devices that you wish to enable. Set the thresholds appropriately. Set the tracking and monitoring options. Click Save. You can apply the current settings to other specified Agents; for more information, refer to Applying Configuration Settings to Specified Agents on page 285. USB Exception List: while disabling USB devices on a particular computer, you can also exempt USB devices from monitoring and enable them. To configure the USB exception list: 1. Click USB Exception List. EventTracker displays the USB Exception List dialog box. (Chapter 8, Managing Windows Agents: Configuring Windows Agent, p. 235.) Figure 231: USB Exception List (screenshot: "The EventTracker will not disable USB devices with the following serial numbers"; USB Serial Numbers list; Format: Decimal or Hex; Enter USB Serial No field; Add, Cancel and Save & Close buttons). Type the serial number in decimal format in the Enter USB Serial No field. To type the serial number in hexadecimal format, select the Hex option and then type the serial number in the Enter USB Serial No field. 4. Click Add. EventTracker adds the newly
91. Figure: Collection Point CAB file transfer status (screenshot, Chapter 16: list of CAB files named etar<number>, each with a start and end time between 4/3/2009 and 4/6/2009 and the Collection Master address 192.168.1.38; status column values Success, In Progress, Queued and Do Not Send; Select all; Total Cab Files 51; Failed 0; Start button).
92. Microsoft IIS log file format, generated by IIS. 15. Type the search string in the Enter Search String field (in this example, the host name WEBDOC1). 16. Click OK. EventTracker displays the Search String dialog box. (Chapter 8, Managing Windows Agents: Configuring Windows Agent.) Figure 251: Search String window (screenshot: Search Strings for a log file under C:\WINDOWS; "Use a * in a column to match every entry in the file"; Search String: Host Name = WEBDOC1; Edit String, OK and Cancel buttons). 17. Click OK. EventTracker displays the Agent Configuration window with the newly added Logfile entry. (p. 252.) Figure 252: Agent Configuration window, Logfile Monitor tab (screenshot: menu File, Help; Select Systems: WEBDOC1 (Agent based system); Apply the following settings to specified clients; Manager destinations: WEBDOC1; tabs Managers, Event Filters, System Monitor, Monitor Apps, Services, Log Backup, Processes, Network Connection Monitor, Logfile Monitor; Logfile Monitor check box; "Search log files (various formats supported) for matching patterns specified here. Both individual files as well as folders can be monitored for matching entries. Matches cause an event to be generated."; Logfile Name column listing a web log under C:\WINDOWS; New File Details, Delete File and Search Strings buttons). 18. Click Save. You can apply
93. (Chapter 1, Getting Started: About EventTracker.) Features, continued:
- Monitor VMware logs
- Archive event logs for up to 7 years in EventVault
- Configure EventTracker Receiver to listen on multiple ports
- Configure SYSLOG Receiver to listen on multiple ports
- Execute Remedial Actions at Agent systems
- Monitor file transactions that occur on inserted media (USB or other devices)
- Analyze the trend of events through Event-O-Meter
- Monitor, consolidate and analyze Windows event logs (2000, XP, 2003, Vista, 2008), Unix/Linux, Cisco SYSLOG, Web sites (http/https) and SNMP based network devices
- Comply with audit requirements for GLBA, HIPAA, FISMA, Sarbanes-Oxley, California Senate Bill 1386, the USA Patriot Act, NISPOM Chapter 8 and the PCI Data Security Standard
- Deploy Vista Agent
- Maintain Vista Log Backup
- Monitor Check Point logs
- Generate Check Point reports
- Enable Alert Notification
- Status Tracking
- Purge Alert Events Cache
- Monitor WSC, Extended Log (EVTX) log files, disk space, memory, CPU usage, runaway processes, device changes, application install/uninstall, application usage and any standard log file
- Automatically restart stopped services
- Monitor TCP/UDP network traffic and connection states of ports
- Generate audit reports based on Sites (this feature is available only when you install Collection Master Console)
- Configure Agent to monitor All Network Traff
97. 1. Open the EventVault Warehouse Manager. 2. Click the Options menu and select the Configuration option, OR click Configuration on the toolbar. EventVault Warehouse Manager displays the Configuration window (screenshot: Vault Storage Folder: C:\Program Files\Prism Microsystems\EventTracker\Archives; EventVault Integrity Check Schedule: Enable check box; Purge: "Archives will be purged after the configured number of days", Purge Archives older than N days; OK and Cancel buttons). Vault Storage Folder: type or browse the path of the folder where you want to archive the event data. (Chapter 10, Configuring EventVault: EventVault Warehouse Manager, p. 315.) EventVault Integrity Check Schedule: select this check box to schedule the EventVault Integrity check. When you select this check box, EventVault Warehouse Manager enables the Log errors only and Log all actions options. The EventVault Integrity check schedule and the Event Traffic Analysis schedule are handled by the EventTracker Scheduler service. EventTracker logs two events, 2020 and 2021, in the Windows Application log for the start and end of the Integrity check process respectively. Frequency: select the frequency from this drop-down list; the available options are Daily, Twice Daily and Weekly. Log errors only: select this option to log only error events. Log all actions: select this option to log both successful and failed Integrity check
98. Figure: Collection Point Detail (screenshot: columns Port, Request, Version, Last Received CAB, Last Received Time and Archive Path; entry for ALICE II at 192.168.1.53). When you merge the Collection Points, Collection Master:
- retains the CAB files intact in the default Archives folder (Program Files\Prism Microsystems\EventTracker\Archives\ALICE II 192.168.1.53);
- moves the CAB files from the default Archives folder to the new Archives folder (Archives\ALICE II 192.168.1.53);
- updates the Index file;
- extracts the CAB files from the new Archives folder so that the report schedules remain intact.
Points to remember: 1. The old folder merges with the new folder. 2. While merging, Collection Master prompts you whether to overwrite the redundant CAB files or not. Scenario 2: Collection Master WEBDOC1 (IP address 192.168.1.88); Collection Point ALICE II (consider this the Site or group name that you entered while installing the Collection Point; IP address 192.168.1.53). (p. 422.) Figure 415: Advanced Reports Console. Figure 416: Collection Master Console message box. (Chapter 15, Collection Master: Merging Collection Points, Modified Archives Folder.) Collection Master creates a folder Program Files\Prism Microsystems\EventTracker\Archives\ALICE II 192.168.1.53 and stores all the CAB files in th
100. (Chapter 15, Collection Master: Merging Collection Points, Default Archives Folder.) To store the CAB files received from the Collection Points, Collection Master creates a new folder locally in the default EventTracker installation folder (typically Program Files\Prism Microsystems\EventTracker\Archives) with the name you typed in the Site Name field while installing the Collection Point. Scenario 1: Collection Master WEBDOC1 (IP address 192.168.1.88); Collection Point NEWYORK (consider this the Site Name that you entered while installing the Collection Point; IP address 192.168.1.38). Collection Master creates a folder Program Files\Prism Microsystems\EventTracker\Archives\NEWYORK 192.168.1.38 and stores all the CAB files in that folder. Now uninstall the Collection Point and install it again on the same computer, this time with the Location Name NY. Send the CAB files to the Collection Master. Collection Master creates a folder Program Files\Prism Microsystems\EventTracker\Archives\NY 192.168.1.38 and stores all the CAB files in that folder. Although the CAB files are received from the same IP address, Collection Master creates different folders named after the Site Name of the Collection Point and treats them as two different Sites. To merge these two Sites: open the Collection Master Console, click Collection Point Detail on the toolbar, select both the Collection Poi
101. Specified Agents on page 285. Filtering Services that need not be monitored. To filter out services that need not be monitored (Chapter 8, Managing Windows Agents): 1. Open the Agent Configuration window. 2. Select the system from the Select Systems drop-down list. 3. Click the Services tab. EventTracker displays the Services tab. 4. Click Add next to Service Monitor Exceptions. EventTracker displays the EventTracker Agent Configuration dialog box. 5. Type the service that you do not want to monitor in the Enter Service Name field. 6. Click OK. EventTracker adds the service to the Service Monitor Exceptions list. 7. Click Save on the Agent Configuration window. You can apply the current settings to other specified Agents; for more information, refer to Applying Configuration Settings to Specified Agents on page 285. (p. 244.) Monitoring Logfiles: this option enables you to monitor multi-vendor log files for matching keyword entries. EventTracker generates an event if any matching record is found. To add a log file to monitor: 1. Open the Agent Configuration window. 2. Select the system from the Select Systems drop-down list. 3. Click the Logfile Monitor tab. EventTracker displays the Logfile Monitor tab. (p. 245.) Figure 239: Agent Configuration window, EventTracker Agent Configur
102. (Event Filters tab controls: Success, Enable SID Translation, Audit Failure, Enable High Performance mode, Filter Exception and Advanced Filters.) The filters are now set, and all events with log type/event type Information will be filtered out and will not be sent to the EventTracker Manager. 5. Click Save. You can apply the current settings to other specified Agents; for more information, refer to Applying Configuration Settings to Specified Agents on page 285. (Chapter 8, Managing Windows Agents: Configuring Windows Agent, p. 224.) Filtering Events with Exception: this option helps you filter events with exceptions, that is, drop a whole event type while still sending the specific events that match an exception. To filter events with exceptions: 1. Open the Agent Configuration window. 2. Select the system from the Select Systems drop-down list. 3. Click the Event Filters tab. EventTracker displays the Event Filters tab. 4. Select the check boxes next to the event types to filter out those events. Click Filter Exception. EventTracker displays the Filter Exception dialog box. Click New. EventTracker displays the Event Details dialog box. Type appropriately in the relevant fields. (p. 225.) Figure 222: Event Details window (screenshot: "Event Details (empty field implies all matches)"; fields Log, Event Type (Information), Event ID, Category, Match in User, Match in Source
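The filter-with-exception rule above is easy to get backwards (an exception is an allow rule that overrides a drop rule, and an empty Event Details field matches everything). The following is an added example, not EventTracker code, that models that decision for a batch of constructed events. The substring semantics assumed for "Match in User" and "Match in Source", the event source name "EventTracker" and the sample events themselves are assumptions for the demonstration.

```python
"""Agent-side event filtering with exceptions, as an added example (not EventTracker code).

Model: the Event Filters tab drops every event whose event type is checked
(e.g. Information). A Filter Exception is a set of Event Details fields; an
event that matches an exception is still sent even though its type is
filtered. An empty field in an exception implies 'all matches'.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Event:
    log: str          # e.g. "Application", "Security", "System"
    event_type: str   # e.g. "Information", "Warning", "Error", "Audit Success"
    event_id: int
    category: str
    user: str
    source: str


@dataclass(frozen=True)
class FilterException:
    """Fields mirror the Event Details dialog; '' or None means 'match anything'."""
    log: str = ""
    event_type: str = ""
    event_id: Optional[int] = None
    category: str = ""
    user: str = ""      # 'Match in User': assumed case-insensitive substring match
    source: str = ""    # 'Match in Source': assumed case-insensitive substring match

    def matches(self, ev: Event) -> bool:
        return (
            (not self.log or self.log == ev.log)
            and (not self.event_type or self.event_type == ev.event_type)
            and (self.event_id is None or self.event_id == ev.event_id)
            and (not self.category or self.category == ev.category)
            and (not self.user or self.user.lower() in ev.user.lower())
            and (not self.source or self.source.lower() in ev.source.lower())
        )


def should_forward(ev: Event, filtered_types: Set[str],
                   exceptions: List[FilterException]) -> bool:
    """True when the agent would send this event to the EventTracker Manager."""
    if ev.event_type not in filtered_types:
        return True                                    # type not filtered: always sent
    return any(x.matches(ev) for x in exceptions)      # filtered unless an exception matches


def forwarded_ids(events: List[Event], filtered_types: Set[str],
                  exceptions: List[FilterException]) -> List[int]:
    return [ev.event_id for ev in events if should_forward(ev, filtered_types, exceptions)]


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    Event("Application", "Information", 1000, "None", "N/A", "MsiInstaller"),
    Event("Security", "Audit Success", 4624, "Logon", "CORP\\alice", "Microsoft-Windows-Security-Auditing"),
    Event("Application", "Information", 2020, "None", "SYSTEM", "EventTracker"),
    Event("System", "Error", 7034, "None", "N/A", "Service Control Manager"),
    Event("Application", "Information", 1001, "None", "CORP\\bob", "MsiInstaller"),
]

# Drop Information events, but keep the EventVault integrity-check start event (2020)
# and MsiInstaller events attributed to user bob.
FILTERED = {"Information"}
EXCEPTIONS = [
    FilterException(log="Application", event_id=2020, source="EventTracker"),
    FilterException(user="bob", source="msiinstaller"),
]

if __name__ == "__main__":
    print(forwarded_ids(SAMPLE_EVENTS, FILTERED, EXCEPTIONS))  # [4624, 2020, 7034, 1001]
```

Event 1000 is dropped (Information, no exception matches), while 2020 and 1001 survive only because an exception matches them; the two non-Information events pass untouched.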
103. (Changing System Type.) Figure 176: System Details. EventTracker System Manager message box: "Modifying system type incorrectly could create conflict while applying Agent configurations. Are you sure the selected type is proper?" 4. Click Yes to change the type. 5. Refresh the System Manager. (Chapter 7, Managing System Groups, p. 179.) Chapter 8: Managing Windows Agents. In this chapter you will learn about: Deploying Agents; Agent Configuration; Agent Management Tool; Deploying Agents in Command Line Mode. Agent for Windows Systems: as part of the Windows event log management infrastructure, a configurable, high-performance, tiny-footprint executable agent can be deployed to run locally on the managed machine. The agent is usually deployed remotely, directly from the System Manager application, which is part of EventTracker. In addition to sending entries from the Event Log, this agent offers many useful features, including monitoring application log files, threshold events (CPU, memory and disk utilization), application start/stop, software install/uninstall, service start/stop and runaway processes, and monitoring TCP/UDP network activity. It can send events with guaranteed delivery (TCP), offers a sophisticated set of filters to limit event transmittal, and performs automatic backup and clearing of the Windows Event Log (XP and 2003). This smart agent offer
104. To configure Alert actions: 1. Open the Management console. 2. Click the Configure menu and select the Configure Alerts option. EventTracker displays the Alert Groups console. 3. Click New on the toolbar. EventTracker displays the Alert Group Configuration dialog box. 4. Type appropriately in the Alert Name, Event Details, Event Filters, Time Interval and Computers tabs. Configuring Audible Alert Action: this option enables you to configure the audible Alert action. To configure the audible Alert action: 1. Click the Actions tab. EventTracker displays the Actions tab. 2. Select the Generate sound from my PC speaker check box. EventTracker displays the Actions - Beep dialog box. (Chapter 4, Configuring Alerts and Alert Notifications: Configuring Alert Actions, Manager Side, p. 105.) Figure 77: Actions - Beep (screenshot: "Enter a brief description about beep configuration"; fields Beep Configuration Description, Beep Count, Duration, Delay and Frequency; OK and Cancel buttons). You can also access the Actions - Beep dialog box by selecting the corresponding check box under the Beep column on the Alerts Group dialog box. Beep Configuration: type the beep alert description in this field. Beep Count: type the number of beeps in this field; this field supports the numeric data type only. (p. 106.) Figure 78: Alert Gr
105. (Chapter 1, Getting Started: Console.) You can get the license upgrade information from sales@prismmicrosys.com. Table 8: Key1: type key1 in this field. Key2: type key2 in this field. Serial#1: type Serial No. 1 in this field. Serial#2: type Serial No. 2 in this field. 3. Click OK. EventTracker displays the EventTracker Console message box. Figure 10: EventTracker Console message box: "Your license has been upgraded. Please upgrade the remote agent's license using Client Manager." 4. Click OK. 5. Upgrade all remote agents' licenses as instructed in the message box. EventTracker displays the EventTracker Console message box. 6. Click OK. 7. Restart the Management Console. Accessing the About EventTracker console: this option helps you view Available Features, License Usage, License Info, Patch Info and System Info. To access the About EventTracker console: 1. Double-click About EventTracker on the Control Panel. (p. 30.) EventTracker displays the About EventTracker console. Figure 11: About EventTracker console (screenshot: EventTracker Console Type: Collection Master; 6,419,005 logs processed since install on Jan 02 2010; version 6.4 Build 46; 292,622 logs processed today). Figure 12: Available Features (screenshot: "This product is licensed" with the sample license ABC 123, Coll
106. Figure: System Manager (screenshot: list of Windows 2000 Professional, Windows 2003 Server and Windows XP systems including pitbull, PNPLSERVER and several PNPL-TESTLA entries, with descriptions such as Support Team and status Unmanaged; "Displaying Windows Systems: Manual, 53 Systems"). 9. Click Edit. System Manager displays the Edit Group window. (Chapter 7, Managing System Groups: Logical System Groups, p. 162.) Figure 146: Edit Group (screenshot: Group: Enterprise Domain; Description: Systems marked for deletion; Group Members: 132.158.1.35, ALICE, ARNOLD, BALOO, CACOFONIX, CHAPLIN, CHARLIE, DONALD II, EXLHTEST, HAGAR, JERRY, LEO, MICKEY; << Remove, Save and Cancel buttons). 10. Select the systems from Group Members and then click << Remove. 11. Click Save.
108. You can also access the Actions - Email dialog box by selecting the corresponding check box under the Email column on the Alerts Group dialog box. E-mail Configuration: SMTP Server: type the SMTP Server name or select an SMTP Server from the drop-down list. From: type a valid sender E-mail address. To: type a valid recipient E-mail address or select a recipient E-mail address from the drop-down list. Subject: type the subject in this field. SMTP Authentication: provides an access control mechanism; it can be used to allow legitimate users to relay mail while denying relay service to unauthorized users such as spammers. Enable Authentication: select this check box to enable SMTP Server authentication. User: type a valid username in this field. Password: type the password in this field. 3. Type appropriately in the relevant fields. (Chapter 4, Configuring Alerts and Alert Notifications: Configuring Alert Actions, Manager Side.) Figure 80: Actions - Email (screenshot: E-mail Configuration with SMTP Server, From, To and Subject fields filled with sample addresses; SMTP Authentication: Enable Authentication check box, User and Password fields; Test E-mail, OK and Cancel buttons). 4. Click OK. 5. To test the E-mail configuration, click Test E-mail. EventTracker displays the
109. Active Alerts on the Management Console. Since all Alert events are stored in the database, analysis can be done on all Alert events. Active Alerts are Alert events that have at least one action set. To show only active Alert events in the Console: 1. Open the Management Console. 2. Click the Configure menu and select the Configure Manager option. EventTracker displays the Manager Configuration window. 3. Select the Show Only Active Alert events in Console check box. 4. Click OK. EventTracker displays the confirmation message box. 5. Click Yes to save the changes. Store Only Active Alert events (Chapter 3, Configuring Manager): to store only active Alerts, select the Store only Active Alert events check box. When this check box is selected, EventTracker stores only the active Alert events in the database, so analysis can be done only on active Alert events. The Show only Active Alert events in Console option is enabled by default if you select this check box. To store only active Alert events: 1. Open the Management Console. (p. 78, Enabling Remedial Actions.) 2. Click the Configure menu and select the Configure Manager option. EventTracker displays the Manager Configuration window. 3. Select the Store only Active Alert events check box. 4. Click OK. EventTracker displays the confirmation message box. 5. Click Yes to save the changes. Enabling Remedial Actions: it is mandatory to enable remedial action a
110. and to trigger transmission until the data is correctly and completely received. (Glossary, p. 469.) User Datagram Protocol: a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. WhatChanged: an application that is used to track the changes that have occurred on a computer's file system and registry, and that provides you with a lifeline to restore it to a working configuration. (p. 470.) Index (entries with page numbers): About EventTracker: Available features 31, License Info 32, License Usage 31, Patch Info 32, System Info 33. Add-in Software Modules: EventLogCentral 454, Solaris Agent 454, StatusTracker 453, WhatChanged 453. Agent: advanced filters 227, applying settings 286, backup configuration 289, basic configuration 214, changing account 204, event delivery mode 218, filtering events 221, filtering events with except
111. are added automatically. 3. Click OK to continue removing the computers. System Manager displays the Remove Computer(s) dialog box. 4. Select the computer(s) that you want to remove. (Chapter 7, Managing System Groups: Removing Computers, p. 155.) Figure 137: Remove Computer(s) (screenshot: list including ARNOLD, BALOO, CACOFONIX, CHAPLIN, DONALD, EXLHTEST, GARFIELD, HAGAR, JENIFFER, JERRY, MICKEY and MOUGLI; Remove and Cancel buttons). 5. Click Remove. System Manager removes the selected computer(s). 6. Refresh the System Manager. System Manager rediscovers the removed computer(s). (p. 156.) Figure 138: System Manager (screenshot: menu File, View, Options, Help; toolbar Configure System, Search Computers, Create Group, Delete Group, Add System; Computer Groups; list of Windows 2000 Server, Windows 2000 Professional, Windows 2003 Server and Windows XP systems with Description and System Status columns, all Unmanaged).
112. Alert based on Count: this option lets you receive the Alert notification only when the specified events occur a specified number of times within the specified duration. EventTracker disables the Raise alert for event count and Duration fields by default; to enable them, select the Enable check box below. The default value for Raise alert for event count is 2 and for Duration is 3600 secs. When you select the Apply between this time frame option and type From and To times, EventTracker automatically updates the Duration (seconds). You are not permitted to set the seconds beyond this limit. If you try, EventTracker displays the EventTracker Console message and insists that you type a valid duration in seconds: "Invalid entry for Event duration. Event duration should be less than Alert duration." (Chapter 4, Configuring Alerts and Alert Notifications: Configuring Alerts, p. 92.) Archive Alert: select this check box to store the Alert in the Alerts Archive for Alert analysis. 15. Select the Apply between this time frame option. 16. Select the From and To times from the spin boxes. 17. Select the Alert based on Count check box. 18. Type the count in the Raise alert for event count field. 19. Type the seconds in the Duration field. EventTracker displays the Custom tab with the newly added custom settings. Figure 63: Alert Group Configuration, Custom tab (screenshot: Alert Name
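The count-within-duration rule above is a sliding-window threshold; the example below, added here and not EventTracker's code, evaluates it over a constructed series of event timestamps and enforces the same constraint the console enforces (the duration must be less than the From/To time frame). Resetting the window after an alert fires, and the sample timestamps, are assumptions for the demonstration.

```python
"""Count-based alert evaluation, as an added example (not EventTracker code).

Raise the alert only when a matching event occurs `count` times within
`duration_secs`, optionally only inside an 'Apply between this time frame'
window. Defaults follow the text above: count 2, duration 3600 s.
"""
from collections import deque
from datetime import datetime, time
from typing import Deque, List, Optional

DEFAULT_COUNT = 2
DEFAULT_DURATION_SECS = 3600


def seconds_of_day(t: time) -> int:
    return t.hour * 3600 + t.minute * 60 + t.second


def time_frame_seconds(start: time, end: time) -> int:
    """Length of the From/To window; a window that crosses midnight wraps around."""
    span = seconds_of_day(end) - seconds_of_day(start)
    return span if span > 0 else span + 86400


def validate_duration(duration_secs: int, start: Optional[time], end: Optional[time]) -> int:
    """Reject values the console refuses: non-positive, or not less than the time frame."""
    if duration_secs <= 0:
        raise ValueError("Invalid entry for Event duration")
    if start is not None and end is not None and duration_secs >= time_frame_seconds(start, end):
        raise ValueError("Invalid entry for Event duration. "
                         "Event duration should be less than Alert duration")
    return duration_secs


class CountAlert:
    def __init__(self, count: int = DEFAULT_COUNT, duration_secs: int = DEFAULT_DURATION_SECS,
                 start: Optional[time] = None, end: Optional[time] = None):
        self.count = count
        self.duration = validate_duration(duration_secs, start, end)
        self.start, self.end = start, end
        self._recent: Deque[datetime] = deque()   # matching events inside the sliding window

    def in_time_frame(self, ts: datetime) -> bool:
        if self.start is None or self.end is None:
            return True
        t = seconds_of_day(ts.time())
        s, e = seconds_of_day(self.start), seconds_of_day(self.end)
        return s <= t < e if s < e else (t >= s or t < e)

    def observe(self, ts: datetime) -> bool:
        """Feed one matching event (in time order); return True when the alert fires."""
        if not self.in_time_frame(ts):
            return False
        self._recent.append(ts)
        while (ts - self._recent[0]).total_seconds() > self.duration:
            self._recent.popleft()                 # drop events older than the duration
        if len(self._recent) >= self.count:
            self._recent.clear()                   # assumption: one burst raises one alert
            return True
        return False


def alerts_for(events: List[datetime], alert: CountAlert) -> List[datetime]:
    """Timestamps at which the alert would be raised for the given event series."""
    return [ts for ts in events if alert.observe(ts)]


# Constructed sample: repeated events, 3 within 60 s should raise the alert.
SAMPLE = [datetime(2009, 4, 6, 10, 0, 0), datetime(2009, 4, 6, 10, 0, 20),
          datetime(2009, 4, 6, 10, 0, 50), datetime(2009, 4, 6, 10, 5, 0),
          datetime(2009, 4, 6, 10, 5, 10), datetime(2009, 4, 6, 10, 6, 30),
          datetime(2009, 4, 6, 10, 6, 40), datetime(2009, 4, 6, 10, 6, 50)]

if __name__ == "__main__":
    rule = CountAlert(count=3, duration_secs=60, start=time(9, 0), end=time(17, 0))
    print(alerts_for(SAMPLE, rule))   # alerts at 10:00:50 and 10:06:50
```

The two events at 10:05 never reach the count because the third event arrives 90 s later, outside the 60 s window; they are expired rather than carried forward.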
113. box. Figure 169: Edit Group message box. EventTracker System Manager: "Please note that in Auto Discover mode, editing auto groups (e.g. groups based on domains, OS Type etc.) is not recommended as they are populated automatically." 7. Click OK to continue modifying the group. Deleting a Group: this option enables you to delete an existing Group. To delete a Group: 1. Open the System Manager. 2. Click the File menu and select the Delete Group option, OR click Delete Group on the toolbar. (Chapter 7, Managing System Groups: Logical System Groups, p. 175.) System Manager displays the Delete Group window. Figure 170: Delete Group (screenshot: "Select the Group you want to delete": TOONS, CELEBRATE, TESTING, Apps Database Group). 3. Select the Group that you want to delete in the displayed list. 4. Click Delete. System Manager displays the EventTracker System Manager confirmation message box. Figure 171: Delete Group confirmation message box: "Are you sure you want to delete group Apps Database Group?" 5. Click Yes. The selected Group is deleted from the list. (p. 176, Changing System Type.) Figure 172: Delete Group (screenshot: "Select the Group you want to delete": CELEBRATE, TESTING). 6. Click Close. Had you
114. default configuration. Apply configuration: After events are collected they are processed at the Manager. To apply a predefined configuration, select Custom and specify the file (e.g. C:\etaconfig.ini); or select Default and configure this later. Options: Default, Custom, Config File.
Table 36:
    Default: Select this option to set the default agent configuration. The default configuration will track all events.
    Custom: Select this option to apply a different configuration. The File field is enabled. Click Browse, navigate and select the file. The file extension should be in the EventTracker Agent .ini format, and the file would be a previously saved configuration file.
    11. Click the appropriate agent configuration settings.
[Figure 186: Add Agent, configuration]
    12. Click Install. System Manager displays the Login dialog box. [Figure 187: Add Agent, Login] "Please provide an account with sufficient privileges to access the network
115. details in the syslog.conf file to forward Syslog messages to the EventTracker Manager computer.
    5. Save and close the syslog.conf file.
    6. Stop and restart the Syslog daemon (syslogd).
Example: To forward syslog error messages to the IP address 192.192.150.150, add the following line to the syslog.conf file:
    *.err    @192.192.150.150
For more information, refer to the syslog.conf or syslog man pages. Syslog configuration may be platform dependent and it is recommended that you check the platform documentation.
Virtual Collection Points
Virtual Collection Points (VCP) enable the existing receiver to behave like a Collection Master without having physical Collection Points installed. The existing Collection Point / Collection Master (CP/CM) model requires physically organized Collection Points reporting to a Collection Master. The CP/CM model requires a number of hardware facilities and involves a large degree of deployment difficulty. VCP provides the solution to break down the huge volume of input events using the existing set-up with minimal configuration changes, and thus helps to process the received data in a short time at the reporting end.
VCP Architecture
[Figure 43: VCP Architecture; Table 15. Sources shown: Event Correlator, Windows, Syslog, Solaris BSM, Routers/Switches, Real Time, Databases, Security Events, Logs]
116. displays the Event Details.
[Figure 34: Alert Groups (EventTracker Console). "Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action." Columns: Description, E-mail, Message, Forward as SNMP, Forward as SYSLOG, RSS Notification, Console-side remedial action; followed by the list of predefined Alert names (Administrative log on, Administrative log on failure, Altiris, Audit Log Cleared, CISCO Access Denied, CISCO Authentication Failed, CISCO PIX Failover Message, CISCO IDS intrusion detection, CISCO VPN alerts, Citrix, Critical service could not be started, Critical service is not running, Crystal Enterprise, DELL OMSA alerts)]
117. event when the set threshold value crosses the limit for more than 3 minutes. You can apply the current settings to other specified Agents. For more information refer to Applying Configuration Settings to Specified Agents on page 286.
Removing processes from List of Filtered Processes
To remove processes from List of Filtered Processes:
    1. Open the Agent Configuration window.
    2. Select the system from the Select Systems drop-down list.
    3. Click the Processes tab. EventTracker displays the Processes tab.
    4. Select the process you do not want to monitor from the List of Filtered Processes list.
    5. Click Remove. EventTracker displays the EventTracker Agent Configuration confirmation message box.
    6. Click Yes. EventTracker removes the selected process.
    7. Click Save on the Agent Configuration window.
Maintaining Log Backup
This option enables you to back up event logs automatically in the EventTracker Agent directory whenever the event logs are full. EventTracker automatically performs event log backup or archival in the standard Windows event log format (.evt/.evtx). To back up event logs automatically:
    1. Open the Agent Configuration window.
    2. Select the system from the Select Systems drop-down list.
    3. Click the Log Backup tab. EventTracker displays the Log Backup tab.
118. events from VMware. [Figure: VMware log source settings: Select Log File Type, URL, User Name, Password, Timeout (seconds)]
    VMware URL: Type a valid URL, e.g. https://esxvcserver/sdk/vimService. You can also replace the server name with the IP address.
    User Name: Type a valid user name.
    Password: Type a valid password.
    Timeout: Connection timeout (in seconds).
    7. Type appropriately in the relevant fields. Click Test Connection to check if the configuration parameters you have entered are correct.
    8. Click OK. EventTracker displays the Agent Configuration window.
[Figure 264: EventTracker Agent Configuration window, Logfile Monitor tab. "Search log files (various formats supported) for matching patterns specified here. Both individual files as well as folders can be monitored. For"
119. found; Netscreen: System configuration erased; Netscreen: USB storage device attached; Oracle ... [remainder of the Alert list is figure residue] 101 Alerts.
    25. Click Save on the toolbar. EventTracker displays the EventTracker Management Console Message.
    26. Click OK.
    27. Restart the Management Console.
EventTracker displays the EventTracker Console message box if you have not chosen any actions in the Alert Group Configuration.
120. individual CAB files that you want to delete.
    3. Click Delete. EventTracker displays the confirmation message box. [Figure 423: Confirmation message box, EventTracker Collection Master Console] "You have chosen to delete 2 CAB Files from Collection Client NEWYORK. This will delete both physical file(s) as well as all references. Are you sure you want to proceed with this operation?"
    4. Click Yes. EventTracker deletes the selected CAB file.
Deleting Collection Point Detail
This option helps you delete Collection Point details. To delete Collection Point detail:
    1. Click Collection Point Detail on the Collection Master Console. EventTracker displays the Collection Point Detail. [Figure 424: Collection Point Detail, EventTracker Collection Master Console; columns: Collection Point Name, Version Info, Last Received CAB Name, Last Received CAB Time, Archive Path; buttons Merge, Delete]
    2. Select the Collection Point detail that you want to delete and then click Delete. EventTracker displays the confirmation message box.
121. < Remove / << Remove All [figure residue: system selection list showing ELA, EXCHTEST, GARFIELD]
    5. Click Next >. System Manager displays the Add Agent window.
[Figure 292: Add System window, Agent Type selection. "Please select the type below: Agent based (Full featured) / Agentless (limited features). The following features will not be applicable for agentless: Log file monitoring, Guaranteed Event Delivery, System monitoring (CPU, Disk, Memory), Process monitoring (Memory), Network Connection Monitoring, Application monitoring, Software Install/Uninstall, Service Monitoring."]
Table 55: Agent Type
    Agent based (Full featured): This option enables you to install an agent in the remote system in the Standard mode. For more information refer to Installing Agents (Standard mode) on page 182.
    Agentless (limited features): Select this option to add the system with limited EventTracker Agent features. In the Agentless type the following features are not available: Log file Monitoring, System Monitoring, Network Connection Monitoring, Software Install/Uninstall, Guaranteed Event Delivery, Process Monitoring, Application Monitoring, Service Monitoring.
    6. Select the Agentless (limited features) option.
122. This would highlight to the administrator or security officer all accounts that were locked during the overnight period. Careful review of the report could help to determine whether sleepy users caused the lockouts or someone was trying to hack into the network at night. Another business use of this information can be to provide some insight into Help Desk call volumes. If on a given day there was a large increase in calls to the Help Desk, a quick perusal of the account lockout report might provide at least part of the explanation for the increase.
Appendix: BASEL II
In the financial services industry nothing is more important than the trust of customers, shareholders, partners and regulators. The risk management officer's primary task is to ensure trust is sustained through a systematic risk management program. BASEL II defines operational risk, one of the pillars of the Accord, as the risk of direct or indirect loss resulting from inadequate or failed internal processes or systems, or from external events. If your company eventually intends to adopt the Advanced Measurement Approach (AMA), then you are required to measure aspects of operational risk such as IT security.
Appendix: FISMA
FISMA requires detailed annual E-Government security reports of all federal agencies. To fulfill FISMA requirements, the agencies should i
123. manually uninstalled from the remote computers can be cleaned. "Use this option to clean up pre-installed agents from the database. Select the computer and click Remove." [figure residue: computer list showing EventTracker, SUPPSERVER]
    3. Select the computer for which you want to remove the Agent from the list.
    4. Click Remove. System Manager displays the EventTracker System Manager confirmation message box. [Figure 203: System Manager message box] "Are you sure you want to remove the console-side components of the selected computer's agent?" (Yes / No)
    5. Click Yes. System Manager displays the EventTracker System Manager message box. [Figure 204: System Manager message box] "Selected computer's console-side entries and agent components were successfully deleted."
    6. Click OK.
    7. Click Close on the Remove Client Components dialog box.
Switching Windows Agent Modes
This option enables you to switch the Windows Agent mode from Standard mode to High Performance mode and vice versa. This can be done either over the Microsoft Network or over the IP Network. To switch Windows Agent modes:
    1. Open the System Manager.
    2. Click the Options menu and select the Configure System option. System Manager displays the Agent Configuration window.
    3. Select the system that you want to switch t
124. more recipients. Send network message to specific devices that are connected to the network. Forward events as Traps to specific devices. Console-side remedial action. All these actions are performed at the system where EventTracker Manager is installed. Agent-side remedial action helps to perform remedial actions at the system where the EventTracker Agent is installed. You cannot execute remedial actions at non-Windows and Agentless systems. To execute remedial action:
    1. Click the Actions tab. EventTracker displays the Actions tab.
    2. Select the Execute remedial action at EventTracker Agent check box. EventTracker displays the Remedial Action at Agent dialog box.
[Figure 98: Actions, Remedial Action at Agent. "Remedial action will be executed at the selected system. Applies only to Agent-based Windows systems." Configuration: Remedial Actions: Custom Script, Restart Service, Restart System, Shut Down System, Stop Service. Applies only for Event IDs 3217, 3218 ... 3226. Script Name: Enter the Custom script.] "This remedial action will be initiated on the Agent system when the specified event occurs on the Agent system. The event details will be passed to the script; the order of parameters being passed is as in the following example, e.g. script.bat EventType
125. of 5 DUPLICATE alerts to be triggered within a timeframe of 300 seconds. An alert is considered a duplicate only if it is triggered by the same event. This option helps you suppress duplicate Alerts. To suppress duplicate Alerts:
    1. Open the Management Console.
    2. Click the Configure menu and select the Configure Manager option. EventTracker displays the Manager Configuration window.
    3. Select the Suppress Duplicate Alerts check box. EventTracker displays the Alert suppression interval and Maximum number of alerts allowed fields.
    4. Type appropriately in the relevant fields.
    5. Click OK. EventTracker displays the confirmation message box.
    6. Click Yes to save the changes.
Configuring Manager to Alert Suspicious Network Activity
This option helps you receive Alert notification via different modes. EventTracker Manager generates and logs events whenever it detects suspicious network activity. To be notified of these events, you have to enable the Suspicious Network Activity Alerts feature in the Manager Configuration console. To configure Manager to alert Suspicious Network Activity:
    1. Open the Management Console.
    2. Click the Configure menu and select the Configure Manager option. EventTracker displays the Manager Configuration window.
    3. Select the Suspicious Network Activity check box. EventTracker displays the Suspicious Network Alert Configuration conso
126. opened or closed. These events are received at the Console and help in tracking the application usage. EventTracker monitors all applications specified in Monitor Specific Apps and ignores applications specified in App Exceptions. Monitor Specific Apps takes precedence over App Exceptions; hence, if an application is specified in both sections, it will be monitored. To monitor application installation and un-installation:
    1. Open the Agent Configuration window.
    2. Select the system from the Select Systems drop-down list.
    3. Click the Monitor Apps tab. EventTracker displays the Monitor Apps tab.
[Figure 235: Agent Configuration window, Monitor Apps tab. "Select to monitor app installations and usage": Monitor App Install/Uninstall, Monitor App Usage; sections App Exceptions and Monitor Specific Apps]
Table 42:
    Monitor App Install/Uninstall: Select this check box to monitor installation and un-installation of applications.
    Monitor App Usage: Select this check box
127. option if you select the Unmanaged option.
Managed System Report
This option helps you generate O/S-wise, group-wise and port-wise reports. To generate a system-type-wise report:
    1. Select the Managed option.
    2. Select the System Type option to view Managed systems by operating system.
    3. Select an O/S type from the System Type drop-down list.
    4. Click Show Report.
System Type Unknown represents non-Windows operating systems. To generate a group-wise report:
    1. Select the Managed option.
    2. Select the Group option to view Managed systems by group.
    3. Select a group from the Group Name drop-down list. All monitored enterprise system groups are listed in this drop-down list.
    4. Click Show Report.
To generate a port-wise report:
    1. Select the Managed option.
    2. Select the Port Number option to view Managed systems by port. All configured ports are listed in this drop-down list.
    3. Select a port from the Port Number drop-down list.
    4. Click Show Report.
Unmanaged System Report
This option helps you generate O/S-wise and group-wise reports. To generate a system-type-wise report:
    1. Select the Managed option.
    2. Select the System Type option to view Managed systems by operating system.
    3. Select an O/S type from the System Type drop-down list.
    4. Click Show Report.
To generate a group-wise report:
    1. Select the Managed option
128. ought to have Domain Admin privilege to use this utility.
Accessing Agent Management Tool
To access the Agent Management Tool:
    1. Open the System Manager.
    2. Click the Options menu and select the Agent Management Tool option. EventTracker displays the Agent Management Tool.
[Figure 286: Agent Management Tool. "Use this utility to manage EventTracker Agents installed on remote machines in the network. You will be prompted for a username/password of an account to use; usually Domain Admin privileges are required." Options: Group / System (System Name); Action: Query for Agent service status, Restart Agent service, Query for Agent version]
Querying Agent Service Status (System)
This option enables you to query the agent service status in the selected system. To query the agent service status in the selected system:
    1. Select the System option, which is selected by default.
    2. Select the system from the System Name drop-down list.
    3. Select the Query for Agent service status option, which is selected by default.
    4. Click Next >. EventTracker displays the Enter Privileged account information dialog box. [Figure 287: Enter privileged a
129. ports are deemed to be legitimate.
[Figure: Trusted Connections List ("a list of trusted connections"). Entries shown include Echo, Discard, Active Users (Daytime), Quotd and Chargen (Simple TCP/IP Services); FTP default data and FTP control (FTP Publishing Service); Telnet; SMTP (Simple Mail Transfer Protocol); RAP (Route Access Protocol); RLP (Resource Location Protocol); WINS Replication (Windows Internet Name Service); DNS (DNS Server); DHCP Server; Internet Connection Firewall]
Similarly, in some rows you might notice that the Local and Remote ports are 0 (zero). This signifies that the processes listed could use any available ports to communicate. EventTracker considers that traffic to be legitimate and exempts it from monitoring.
130. selected the Automatically find and add Computers (Recommended for small networks, e.g. < 100 Computers) option in the Auto Discover Mode option, System Manager displays the EventTracker System Manager message box. [Figure 173: Delete Group message box] "Please note that in Auto Discover mode it is recommended not to delete groups based on domains as they are created automatically."
    7. Click OK to continue deleting the Groups.
Changing System Type
This option helps to change the type of systems. To change system type:
    1. Open the System Manager.
    2. Double-click the system whose system type you want to change.
[Figure 174 and Figure 175: System Details. Fields: System, IP Address, Type, Port, Tracking Status, Description. Example values shown: Windows XP Professional, port 14505, Managed (Standard Mode); Unidentified, Unmanaged]
If the System Manager could not identify the O/S type then it will display Unidentified in the Type drop-down list.
    3. Select an O/S type from the Type drop-down list and then click OK. System Manager displays the warning message.
131. settings from their machines.
    Enter IP Address for other machines: Select this check box to protect the current configuration settings. Type the IP address in the displayed dialog box. You can configure the current configuration settings for up to five IP addresses.
    Remedial Action: Enable Remedial Action.
    4. Select the Enable protection for Agent configuration check box.
    5. Select or enter appropriately in the relevant fields.
    6. Click OK. EventTracker displays the EventTracker Agent Configuration confirmation message box.
    7. Click Yes.
Enabling Remedial Action
After enabling remedial actions at the Manager Console, you have to individually enable Remedial Action on all the Agent systems. You can also include or exclude Agents from taking remedial actions.
    1. Open the Management Console.
    2. Click the Configure menu and then select the Configure Agents option.
    3. Select a system where you want to execute remedial actions from the Select Systems drop-down list.
    4. Click the File menu and then select the Security option. EventTracker displays the Security window.
    5. Select the Remedial Action check box.
    6. Click Save.
    7. Click Close.
Windows Agent Management Tool
The Agent Management Tool is a diagnostic tool to check the health status of remote agents, restart failed agent services, and check the version of remote agents. You
132. [figure residue: Alerts Dashboard pie-chart legend listing Alert rules such as EventTracker Spyware, SOX EventTracker, Disk space, Critical service, Administrative]
    3. Click a legend or a pie to view the exploded view of the pie chart.
    4. Double-click a legend or a pie on the chart to view the Alert details of that particular Alert rule. EventTracker displays the Alert details in Quick View.
[Figure 320: Alerts, Quick View Details (Send via E-mail). Fields shown: Date, Description, Event Id, User, Source, Event Type, System, Alert Rule. The Latest 32 Alerts table has columns Date/Time, EventId, System, Event Type, Log Type, Source, User, Description; the sample rows show Event Id 3221 (Information, Application log, Source EventTracker, System WEBDOC1) with description "App Open Exe Alerts Dashboard.exe" for Alert Rule "SOX EventTracker EXE tracking"]
133. to be searched. [figure residue: Get All Existing Log Files; Select Log File Type: IIS ("This is the Microsoft IIS log file format generated by IIS"); Enter File name]
    7. Type the path in the Enter File Name field, OR click the browse button to locate and select the log file. EventTracker displays the Select Folder/File Name dialog box when you click the browse button.
    8. Go to the appropriate folder; select the Show all the files check box to view all files with different file extensions.
    9. Select an appropriate file that is associated with the Log File Type selected.
[Figure 241: Select Folder/File Name dialog box (Select Drive, Select Folder, Show all the files)]
    10. Click OK. EventTracker displays the Enter File Name dialog box. [Figure 242: Enter File Name dialog box. "You can configure the complete path of the log file or folder that needs to be monitored along with the strings that need to be searched." Get All Existing Log Files; Select Log File Type: IIS; Enter File name]
    11. Click OK.
You can also select multiple files with the same or different file extension by using wildcard chara
134. to store cache. Type the path of the cache folder in the Configure cache folder field. Set Minimum Amount of Free space to be left on Storage Device. Click OK. Click Save on the Agent Configuration window. You can apply the current settings to other specified Agents. For more information refer to Applying Configuration Settings to Specified Agents on page 286.
Removing Managers
This option helps you remove Managers. To remove Managers:
    1. Open the Agent Configuration window.
    2. Select the system from the Select Systems drop-down list.
    3. Select the Manager Name from the list in the Managers tab.
    4. Click Remove.
    5. Click Save on the Agent Configuration window.
Filtering Events
This option enables you to filter events being sent to the Manager. Select the appropriate check boxes under Basic Logs, Special Logs and Event Types. To filter events:
    1. Open the Agent Configuration window.
    2. Select the system from the Select Systems drop-down list.
    3. Click the Event Filters tab. EventTracker displays the Event Filters tab.
[Figure 220: Agent Configuration window, Event Filters tab]
135. window. [Figure 158: Create Group, Select Systems Manually. Select Group Name: Apps Database Group; Group Description: running Apps Database application. "Select whether you want this group to be based on system type, IP subnet, or you would like to select the group members": Type / Subnet]
    2. Click Next >. System Manager displays the Create Group dialog box. [Figure 159: Create Group, Select Systems Manually. "Select systems that you want to add": ELC, ELCSERVER, EXCHTEST, GIJOE ...]
    3. Select the Show managed systems only check box to view the systems managed by this manager.
    4. Select the systems you want to add to the group from the list. [Figure 160: Create Group, Select Systems Manually (Cancel, Previous, Finish)]
    5. Click Finish. System Manager displays the EventTracker System Manager message box. [Figure 161, Figure 162, Figure 163: Create Group message boxes]
136. [figure residue: System Manager systems list with columns Groups, Computer, Type, Description, System Status, Port; most systems Unmanaged (Windows 2000/2003/XP), one Managed (Standard) on port 14505] Displaying Windows Systems (Auto Discover): 57 Systems.
Uninstalling Windows Agents
This option enables you to uninstall the Windows Agent from the remote computer. To uninstall Windows Agents:
    1. Open the System Manager.
    2. Select the Options menu and select the Remove System option, OR click Remove System on the toolbar, OR right-click the system from which you want to uninstall the agent (System Manager displays the shortcut menu; from the shortcut menu choose the Remove System option). System Manager displays the Uninstall Remote Agent(s) window.
[Figure 191: Uninstall Remote Agent(s), Computer selection]
137. you tried to solve the problem.
Chapter 1: Getting Started
In this chapter you will learn about:
    - Starting EventTracker
    - EventTracker Control Panel
    - Management Console User Interface
    - EventTracker Icons
    - Upgrading License
    - Accessing About EventTracker Manager Console
    - EventTracker Components
About EventTracker
The EventTracker framework is Prism Microsystems Inc.'s flagship event log monitoring and management product. EventTracker is a reliable and practical software-only solution to monitor, track and manage critical events that occur in Windows 2000/2003/XP/Vista/2008/MSCS systems and UNIX-style Syslog in your enterprise. Installation of EventTracker is quick, simple and intuitive. EventTracker comes with a thorough resource kit with several nifty utilities which alleviate the pain of day-to-day administration of your enterprise network. Log Volume Analysis is similar to Log Analysis but with more bells and whistles, which gives you an incisive insight into the event traffic flow in your enterprise. EventTracker gives you the ability to:
    - Alerts Dashboard
    - Enhanced Enterprise Activity console
    - View and Edit Alert details
    - Search Category-based events in the Management Console
    - Store Only Active Alert events
    - Suppress duplicate Alerts
    - Forward events as raw SYSLOG messages
138. [figure residue: systems list showing ISATEST, PNPL, SUPPORT; "System associated with the new Group": SEM (New Group)] Displaying Windows Systems (Auto Discover): 1 Systems. Although the Management Console is in Auto Refresh mode, the Navigation pane is not updated with the new Group.
    10. Click the View menu and select the Refresh Systems option, or press Ctrl+F5 on the keyboard. EventTracker refreshes the Navigation pane by fetching the latest data from the database.
Auto Scrolling Option
Enabling the auto scroll option will cause the Events window on the Management Console to automatically scroll down and select the latest event. By default, EventTracker enables this option. To select the latest event automatically:
    - Click the View menu and select the New Events Auto Scroll option. A tick mark appears before the New Events Auto Scroll option. Clear the tick mark to disable this option.
[Figure 41: Auto Scroll. View menu: New Events Auto Scroll, Event Details, Refresh Systems]
Printing Current View Event Details
This option enables you to print current view event details. To print current view event details:
    1. Open the Management Console.
    2. Select the System or the Category in the Navigation pane (Example: System WEBDOC1).
    3. Click the print button on the toolbar, OR click the File
Agentless Monitoring

Figure 293: Add System window, Agent Type selection (Poll Every: 1 hour; Start From: 00:00 hour; Account, Password, Confirm Password, Edit Account; Selected Systems list; Back, Advanced, Install, Cancel)

Select the polling frequency and provide an account with sufficient privilege to collect events remotely. Usually a Domain Admin account is required. Because the Manager stores this credential and uses it against every polled system, treat it as a high-value secret: use a dedicated account rather than a personal one, and grant it only the rights remote event log collection needs where your environment allows it.

Table 56:
- Poll Every: select from the drop-down list how often events are fetched from the system.
- Start From: type the time from which events are to be fetched. This field supports HH:MM format.
- Account / Password / Confirm Password: type a valid user name and password.
- Edit Account: click this button to modify the admin account details.
- Selected Systems: displays the selected system list.

Type appropriately in the relevant fields. To set a more specific configuration click Advanced, or click Install to track the system(s).
8 Click Advanced.

Figure 294: Add System wi
1 Provide the path and file name of the RSS Feed file. Use the button to browse and locate the import file.
2 Click the Import button.

Figure: Export Import Utility (Category, Filters, Alerts, Groups, Systems, Scheduled Reports, RSS Feeds; path C:\Program Files\Prism Microsystems\EventTracker\...)

7 Click Import. EventTracker displays the Export Import Utility message box.

Figure 394: Import RSS Feeds message box: "To view the imported RSS Feeds please go to Management Console > Configure > RSS Feeds. Successfully imported RSS Feeds from C:\Program Files\Prism Microsystems\EventTracker\My Feeds.issrss"

8 Click OK.

Chapter 14 Collection Point Model

In this chapter you will learn about:
- Collection Point model
- Real World Scenarios

What is Collection Point model

Scalability: as the volume of event logs and the complexity of corporate network infrastructure grow day by day, mining event log data becomes a taxing task for the network administrator. Prism recognized the gravity of the issue and came up with a holistic, single-view management model called the Collection Point model. The Collection Point model facilitates collecting CAB files from geog
Figure: Scenario 2 (SITE 1 running EventTracker Managers ETM1..ETMn, each with agents ETA1..ETAn)

In this scenario SITE 1 exists physically on the same premises and runs n EventTracker Managers. Each EventTracker Manager running the Collection Point client sends its CAB files to the Collection Master server. The crux of the matter is that the Collection Master treats every EventTracker Manager running the Collection Point client, together with its constellation of EventTracker Agents, as a separate entity, no matter whether they are on the same campus or on the same floor.

Figure 397: Scenario 3 (Corporate Headquarters with a Collection Master; a Branch office with its own Collection Master; SITE 1 and SITE 2 with Managers ETM1..ETMn and agents ETA1..ETAn, connected over the Internet)

The scenario above illustrates that one Collection Point client can be configured to report to up to five Collection Master servers.

Chapter 15 Collection Master

In this chapter you will learn how to:
- Start Collection Master Console
- View Collecti
Total Cabs: 12; Cabs Selected: 12. After successful completion EventVault Warehouse Manager displays the ArchiveAppender message box.

Figure 310: ArchiveAppender message box: "Cabs merging completed"

6 Click OK. EventVault Warehouse Manager displays the Append Archives window.

Figure 311: Append Archives window (Source archives path C:\ET Archives; Search in Sub Folders; Destination C:\Program Files\Prism Microsystems\EventTracker\Archives; list of 12 CAB files etar1228821205_14505.cab ... etar1229576121_14505.cab with their Cab Path; Select all missing files; Cab Present / Cab Missing legend; Total Cabs 12, Cabs Selected 0; OK, Cancel)

EventVault Warehouse Manager appends the CAB files to the appropriate folders.
Chapter 17 EventTracker Configuration Tracking

In this chapter you will learn about:
- EventTracker Configuration Audit Tracking Events

EventTracker Configuration Tracking Events

EventTracker logs the following events when configuration changes are made to the EventTracker Windows Agent, Custom Columns, Report Analysis, and ELC and Roles in ELC.

Table 87:
- EventTracker Agent configuration changes: all events logged by EventTracker when any configuration change is made to the EventTracker Windows Agent.
- EventTracker custom column configuration changes: all events logged by EventTracker (EventLogCentral) when a user adds, modifies or deletes a custom column. 3286 Addition of a custom column; 3287 Modification of a custom column; 3288 Deletion of a custom column.
- EventTracker Report Analysis configuration changes: all events logged by EventTracker (EventLogCentral) when a user adds, modifies or deletes a Report Analysis (Scheduled, On demand, Queued, Defined). 3283 Addition of a Report Analysis; 3284 Modification of a Report Analysis; 3285 Deletion of a Report Analysis.

These events are the audit trail for the monitoring system itself: a deleted report or custom column changes what evidence is collected, so such changes deserve their own alert and review rather than being buried among ordinary events.
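The following is an added example, not EventTracker code: a detection pass over the configuration-tracking events that Table 87 assigns IDs 3283 to 3288. Only the event IDs and their meanings come from the guide; the pipe-separated record layout, the sample lines and the approved-user list are constructed for the example.

```python
"""Added example, not EventTracker code: classify configuration-tracking
events 3283-3288 (Table 87) and flag the ones an auditor would review.
Only the IDs and their meanings come from the guide; the record layout
and the sample lines below are constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime

# Event IDs and meanings as listed in Table 87.
CONFIG_EVENTS = {
    3283: ("Report Analysis", "added"),
    3284: ("Report Analysis", "modified"),
    3285: ("Report Analysis", "deleted"),
    3286: ("Custom column", "added"),
    3287: ("Custom column", "modified"),
    3288: ("Custom column", "deleted"),
}

# Constructed sample records: "timestamp|system|event id|user|description".
# The layout is an assumption; the product's own export format may differ.
SAMPLE_LOG = """\
2010-01-13 10:54:11|WEBDOC1|3283|DOMAIN\\alice|Scheduled report 'Failed logons' added
2010-01-13 10:55:02|WEBDOC1|3287|DOMAIN\\alice|Custom column 'Target user' modified
2010-01-13 23:41:17|WEBDOC1|3285|DOMAIN\\svc-backup|Scheduled report 'Failed logons' deleted
2010-01-13 23:41:20|WEBDOC1|3288|DOMAIN\\svc-backup|Custom column 'Target user' deleted
2010-01-14 08:02:05|WEBDOC1|4624|DOMAIN\\bob|An account was successfully logged on
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\|(?P<system>[^|]+)\|"
    r"(?P<eid>\d+)\|(?P<user>[^|]+)\|(?P<text>.*)$"
)


def parse_config_events(text):
    """Return the configuration-tracking events (3283-3288) found in text,
    each as a dict; records with any other event ID are ignored."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        eid = int(m["eid"])
        if eid not in CONFIG_EVENTS:
            continue
        obj, action = CONFIG_EVENTS[eid]
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "system": m["system"],
            "event_id": eid,
            "user": m["user"],
            "object": obj,
            "action": action,
            "text": m["text"],
        })
    return events


def summarize(events):
    """Count changes per (object, action), e.g. for a daily change report."""
    return Counter((e["object"], e["action"]) for e in events)


def find_suspicious(events, approved_users, business_hours=(8, 18)):
    """Flag configuration changes that deserve review: deletions (they stop
    evidence being collected or reported), changes outside business hours,
    and changes made by accounts not approved to alter the configuration.
    Returns (event, reasons) pairs; events with no reason are left out."""
    start, end = business_hours
    findings = []
    for e in events:
        reasons = []
        if e["action"] == "deleted":
            reasons.append("deletion of a configured " + e["object"].lower())
        if not start <= e["time"].hour < end:
            reasons.append("change outside business hours")
        if e["user"] not in approved_users:
            reasons.append("user not approved for configuration changes")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    events = parse_config_events(SAMPLE_LOG)
    for (obj, action), n in sorted(summarize(events).items()):
        print(f"{obj} {action}: {n}")
    for e, reasons in find_suspicious(events, {"DOMAIN\\alice"}):
        print(f"{e['time']} {e['system']} {e['event_id']} {e['user']}: "
              + "; ".join(reasons))
```

In the constructed sample the two deletions by svc-backup at 23:41 are reported with all three reasons, while alice's daytime addition and modification pass; the approved-user set and business hours are parameters so the same pass can be tuned to a site's change process.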
Merging Collection Points: Default Archives Folder

Collection Point BOSTON (the Site Name given while installing the Collection Point), IP address 192.168.1.100. Collection Master creates the folder Program Files\Prism Microsystems\EventTracker\Archives\NEWYORK 192.168.1.38 and stores all the CAB files received from New York in that folder. Collection Master creates the folder Program Files\Prism Microsystems\EventTracker\Archives\BOSTON 192.168.1.100 and stores all the CAB files received from Boston in that folder.

To merge these two Sites: open the Collection Master Console, click Collection Point Detail on the toolbar, select the Collection Points and then click Merge.

Points to remember:
1 The old folder merges with the new folder.
2 While merging, Collection Master prompts you whether to overwrite the redundant CAB files.

Scenario 3

Collection Master WEBDOC1, IP address 192.168.1.88. Collection Point NEWYORK (the Site Name given while installing the Collection Point), IP address 192.168.1.38. The Collection Point creates the folder Program Files\Prism Microsystems\EventTracker\Archives\NEWYORK 192.168.1.38 and stores all the CAB files in that folder. Now uninstall the Collection Point and install it again on the same computer
Figure: Management Console event pane on 1/13/2010, 2:52 to 2:59 PM, showing EventTracker App Open / App Close events (Acrobat.exe, WINWORD.EXE, MSTSC.EXE, OUTLOOK.EXE with process name, description and PID) for systems WEBDOC1, SPIDER and SYS5, plus an "EventTracker New activity found, IP Address 192.168.1.43, System SUPPSERVER" event; the Category list at left includes Cisco PIX, Cisco VPN, Citrix, Crystal Enterprise, Fortigate, Juniper SBR, Linux Cracking, Linux Violation, Microsoft Windows Hyper-V and Netscreen.
Figure: EventTracker Collection Master Console, CAB Status (Select Criteria: Select Collection Point: All; Select CAB Status: All; columns Name, Period, Collection Point, Size (Kb), Transmission Start Time, Transmission End Time, Status; two rows from NEWYORK 192.168.1.38, etar1239159185_1... and etar1239082116_1..., 2731 Kb and 2985 Kb, 4/9/2009, Status Success; Select all; Total Cab Files 2; Success, Failed, In Progress legend; Delete)

Viewing CAB Status

Table 75:
- Select Collection Point: select the Collection Point from this drop-down list. All Collection Points reporting to the Collection Master are listed.
- Select CAB Status: select the status of the CAB files from this drop-down list and then click Show. Available options are All, Success, Failed and In Progress.
- Name: displays the name of the CAB file.
- Period: displays the start time and end time. The start time is the date and time of the first event and the end time is the date and time of the last event in the CAB file.
- Collection Point: displays the name of the Collecti
Figure: Management Console event pane for systems NEMO and SPIDER, 10:54 to 10:57 AM, showing EventTracker and Security events: "EventTracker Agent Configuration Modified, Version 6.4 Build ..."; App Open / App Close for OUTLOOK.EXE, msnmsgr.exe (Windows Live Messenger), taskmgr.exe, Explorer.EXE and SmcGui.exe (Symantec Client Management Component); Object Open events from the Security log (Object Server: Security, Object Type: File, Object Name: F:\HeidiSQL\...); and "Detected free space in drive D/E/F is less than 10 percent" events with disk size and free space.
Figure: Manage Categories console listing categories (Cisco IOS, MSExchange, Cisco PIX, Cisco VPN, Citrix, Crystal Enterprise, MSSQLServer, DoubleTake, EventTracker, Fortigate, Linux Cracking, Linux Violation, Netscreen, Security) with buttons Delete Cat, Edit Cat, Add Events, Remove Event, Edit Event, Close; Total Categories 575.

The advantages of adding the new Alert Group's event details along with the event details of the pre-defined Alerts Category are as follows:
- Apart from alert notifications, reports can be generated for the new Alerts along with the pre-defined Alerts Category.
- Event analysis can be done for the newly added Alerts.
- Event severity for the new Alerts can be viewed in the Navigation pane.

Modifying Alert Details

This option enables you to modify the Alert details. To modify Alert details:
1 Open the Alert Groups console. EventTracker displays the Alert Groups console.
2 Select the Alert from the list (example: My Alert).
3 Click Edit on the toolbar, or double-click the Alert. EventTracker displays the Event Details tab of the Alert Group Configuration dialog box.
Filtering applications that need not be monitored  240
Filtering applications that need to be monitored  24
Filtering Services that need not be monitored  244
View Log File Details  254
Log File Monitoring  255
Monitoring Network Connections  264
Excluding Network Connections from monitoring  267
Including Network Connections  271
Suspicious Connections  273
Monitoring Suspicious Connections  273
Adding programs to the trusted list  278
Adding Firewall Exceptions to the Trusted List  279
Removing processes from List of Filtered Processes  282
Maintaining Log Backups  283
Applying Configuration Settings to Specified
Figure: Manage CAB console listing CAB files for destination 192.168.1.38 (etar1238824100_1..., etar1238801927_1..., etar1238779391_1..., etar1238759423_1..., etar1238739289_1..., etar1238719240_1..., each with its period from 4/3/2009 to 4/5/2009) with Status Queued.

You can also resend CAB files that have already been sent to the Collection Master(s). EventTracker changes the status of the selected CAB files and displays the CAB Status console.

Sending CAB File(s) to Collection Master(s)

Figure 445: EventTracker Collection Point Console, Manage CAB (Select Criteria: Destination; Select CAB Status; Show; columns Name, Period, Destination, Transmission ...)
CAB Status:
- Destination: select the destination from the drop-down list. All configured Collection Masters are listed.
- Select CAB Status: select the status of the CAB files from this drop-down list and then click Show. Available options are All, Success, Failed, Do Not Send, In Progress and Queued.
- Select all: select this check box to mark all the CAB files to be sent to the selected Collection Master(s).

Table 85:
- Success: CAB files successfully sent to the Collection Master(s).
- Failed: CAB files not successfully sent to the Collection Master(s).
- Queued: CAB files in queue.
- In Progress: CAB files being sent to the Collection Master(s).
- Do Not Send: CAB files that were created prior to adding the Collection Master destination are marked Do Not Send. You have to select these CAB files explicitly to send them to the Collection Master(s) by clicking Start.

Sending CAB File(s) to Collection Master(s)

This option helps you select the Collection Master(s) and the CAB file(s) to be sent to them. To send CAB file(s):
1 Click Manage CAB on the Collection Point Console. EventTracker displays the Manage CAB console.

Figure 439: EventTracker Collection Point Console, Manage CAB (File, Configure, Help; Manage CAB; Configure)
CAB files from the default Archives folder to the new Archives folder;
- updates the Index file;
- extracts the CAB files from the new Archives folder so that the report schedules remain intact.

Points to remember:
1 The old folder merges with the new folder.
2 While merging, Collection Master prompts you whether to overwrite the redundant CAB files.

Requesting CAB Files

This option helps you send a request to the Collection Point(s) for the CAB files missing in the archives or the CAB files that failed to transfer. Files may be missing because they were inadvertently deleted.

To request CAB files:
1 Open the Collection Master Console.
2 Click CAB Request. EventTracker displays the CAB Request window.

Figure 418: EventTracker Collection Master Console, CAB Request (Select Criteria: Select Collection Point: All; Select CAB Status: All; columns Name, Period, Collection Point Name, Size, Status; Select all; Send Request). The CAB Request screen is empty since there are no missing or failed-to-transfer CAB files.

Table 77 / Table 78:
- Select Collection Point: select the Collection Point from this drop-down list. All Collection Points re
Figure 331: Add Group dialog box (Parent node; Enter Group name; OK, Cancel)

8 Type the Group name in the Enter Group name field and then click OK. EventTracker displays the Manage Categories console with the newly created subgroup.

Figure 232: Manage Categories dialog box with the newly created Group (New, Edit, Delete; "Categories are used to organize events in an ordered and user friendly manner. Category Management is used extensively in Reports showing only the events that you find interesting. This interface can be used to create, manipulate and manage Categories."; tree including Linux Cracking, Linux Violation, Netscreen, Oracle, Snort, Solaris BSM, SOX, Suspicious Network Activity, SYSLOG, Veritas, WhatChanged, Windows, Microsoft Windows Hyper-V, All error events, All information events, All warning events, My Sub Group; columns Category, Event Log, Source, EventID, User, Event Description; Create Cat; Total Categories 575)

9 Click OK.
10 Open the Management Console. EventTracker adds the newly added Category Group to the All Categories tree.
11 Open the Reports Console.
12 Click the Operations tab in the Tree pane.
13 Expand User Defined Category Group. EventTracker adds the newl
Solaris Agent

Purchase: To purchase the Solaris Agent, contact us by e-mail at sales@prismmicrosys.com.

Appendix HIPAA: HIPAA Compliance Reports

The Health Insurance Portability and Accountability Act (HIPAA) regulation impacts those in healthcare that exchange patient information electronically. HIPAA regulations were established to protect the integrity and security of health information, including protecting against unauthorized use or disclosure of the information. As part of the requirements, HIPAA states that a security management process must exist to protect against attempted or successful unauthorized access, use, disclosure, modification, or interference with system operations. The organization must be able to monitor, report and alert on attempted or successful access to systems and applications that contain sensitive patient information. EventTracker provides the following reports to help comply with the HIPAA regulations:

- User Logon report: HIPAA requirement 164.308(a)(5), log-in/log-out monitoring, states that user access to the system be recorded and monitored for possible abuse.
- User Logoff report: HIPAA requirements clearly state that user access to the system be recorded and monitored for possible abuse. Remember that the intent is not just to catch hackers but also to document access to medical details by legitimate users. In most ca
Figure: Append Archives window (Source archives path C:\ET Archives; list of CAB files with Cab Path C:\ET Archives, the last being etar1229576121_14505.cab; Select all missing files; Cab Present / Cab Missing legend; OK, Cancel; Total Cabs 12, Cabs Selected 0)

You can select individual files by selecting the check boxes against the respective CAB files, or all of them by selecting Select all missing cabs.
5 Click OK. EventVault Warehouse Manager displays the progress of the appending process.

Appending CAB Files

Figure 309: Append Archives window (Source archives path C:\ET Archives; Search in Sub Folders; Destination C:\Program Files\Prism Microsystems\EventTracker\Archives; Cab Name and Cab Path columns listing etar1228821205_14505.cab through etar1229576121_14505.cab, all in C:\ET Archives; Select all missing files; Cab Present / Cab Missing legend; a row for ...\Prism Microsystems\EventTracker\Archives\14505\etar1229576121_14505.cab)
Advanced Reports Console > Scheduled Reports. EventTracker displays the Export Import Utility.

Export and Import Utility

Figure 367: Export Import Utility window (Export / Import tabs; Export Scheduled Reports: "1 Click the Export button. 2 Choose the folder and provide the file name. Click OK."; options Category, Filters, Alerts, Groups, Systems, Scheduled Reports, RSS Feeds; Export without System names check box; Export, Close)

3 Select the Export without System names check box to export the schedule configuration without system names. Exporting schedule configurations without the system names lets you apply the settings to any environment; if exported with system names and the systems do not exist in the target environment, the scheduled reports fail.
4 Click Export. EventTracker displays the Select Export File dialog box.
5 Click the Save in drop-down box and select the path where you want to export the filters.
6 Type the file name in the File name field. The valid file extension is .issch.
7 Click Save. EventTracker displays the Export Import Utility message box.

Figure 368: Export Scheduled Reports message box
Figure 369: Export Filters message box
- Agents
- View logs

To work with EventTracker System Manager effectively, a thorough understanding of its graphical user interface is necessary.

Figure 17: System Manager User Interface (File, View, Options, Help; toolbar: Configure Agents, Search Computers, Create Group, Delete Group, Remove System, Upgrade Agent, Auto Discover; Computer Groups / Domain Computers tree; a list of Windows 2000, 2003 and XP systems with Managed or Unmanaged status; Status Bar)

Table 9:
- Title Bar: the top strip of System Manager is the Title Bar. It displays the name of the application. You cannot move or drag the Title Bar.
- Menu Bar: the strip next to the Title Bar is the Menu Bar. It contains menus, and each menu contains a list of commands and shortcut keys to carry o
The Audit Policy History report shows each system's audit policy for each date it was collected. This way, compliance with the audit policy is documented and can be tracked.

Accounts that were never logged on

Part of an administrator's job is to deal with the clutter that collects in the NT4 SAM or Active Directory, or better, to prevent it entirely. One of the more common sources of this clutter is redundant user accounts. In an effort to provide efficient service, those tasked with account creation often create user accounts ahead of time for new employees or contractors, so that they can log in and start work the day they arrive. In some organizations this may mean dozens of accounts. Inevitably, some job offers are declined or contractor start dates are postponed. The result is accounts that exist but have never been used. These accounts represent a security risk because:
1 they usually have a well-known default password, and
2 they may already have been placed in the security groups pertaining to their job function.
An unscrupulous individual could log in as the new account, set the password to one of their own choosing, and gain access to sensitive data by way of the account's group memberships. The Accounts that were never logged on report highlights these risky redundant accounts. Armed with this information, follow-up e-mails can be sent to the appropriate managers to
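The following is an added example, not EventTracker code or the product's report: the never-logged-on check described above applied to a handful of constructed directory records, ranking them by the two risk factors the text names (default password on an enabled account, and membership in groups that grant access to data). The record layout, group names and accounts are all assumptions made for the example.

```python
"""Added example, not EventTracker code: the 'Accounts that were never
logged on' check run over constructed directory records. The record
fields, group names and accounts are assumptions for this example.
"""
from datetime import date

# Group memberships that turn an unused account into a high-risk one
# (assumed list; tailor it to the groups that grant access to sensitive data).
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "Finance-Share-Write"}

# Constructed report date for the example run.
AS_OF = date(2010, 1, 13)

# Constructed records: (account, created, last logon or None, groups, enabled).
ACCOUNTS = [
    ("jdoe",          date(2010, 1, 2),   date(2010, 1, 11), {"Domain Users"}, True),
    ("contractor07",  date(2009, 11, 15), None, {"Domain Users", "Finance-Share-Write"}, True),
    ("newhire-jan18", date(2010, 1, 8),   None, {"Domain Users"}, True),
    ("svc-legacy",    date(2008, 3, 1),   None, {"Backup Operators"}, False),
    ("temp-recep",    date(2009, 12, 20), None, {"Domain Users"}, True),
]

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def never_logged_on(accounts, as_of, grace_days=14):
    """Return accounts that have never logged on, riskiest and oldest first.
    Accounts created within grace_days are skipped (an account pre-created
    for someone who has not started yet is expected); disabled accounts are
    reported as low risk because they still clutter the directory."""
    findings = []
    for name, created, last_logon, groups, enabled in accounts:
        if last_logon is not None:
            continue
        age = (as_of - created).days
        if age < grace_days:
            continue
        if not enabled:
            risk = "low"
        elif groups & PRIVILEGED_GROUPS:
            risk = "high"
        else:
            risk = "medium"
        findings.append({
            "account": name,
            "age_days": age,
            "risk": risk,
            "sensitive_groups": sorted(groups & PRIVILEGED_GROUPS),
        })
    findings.sort(key=lambda f: (RISK_ORDER[f["risk"]], -f["age_days"]))
    return findings


if __name__ == "__main__":
    for f in never_logged_on(ACCOUNTS, AS_OF):
        print(f"{f['risk']:6} {f['account']:14} unused for {f['age_days']:3} days"
              f"  groups={f['sensitive_groups']}")
```

With the constructed records the enabled contractor account that already sits in a file-share group comes out first, the unused receptionist account second, and the disabled service account last; the new hire created five days ago is inside the grace period and is not reported.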
Configuring Alerts

Figure 67: EventTracker Console message box: "Do you want to continue without setting any actions?"

28 Click Yes to set the actions later. If you have not added Event Details, EventTracker displays the following message box.

Figure 68: EventTracker Console message box: "You must add at least one event to an alert group"

Managing Categories
1 Right-click any Category Group in the All Categories hive in the Management Console. EventTracker displays the shortcut menu. From the shortcut menu choose Manage Categories. EventTracker displays the Manage Categories console. Expand the All Categories hive, expand the Alerts Group and click the Alerts Category.
2 Scroll the right pane. EventTracker adds the events configured for the new Alert (My Alert) along with the predefined events.

Figure: Manage Categories console (New, Edit, Delete; "Categories are used to organize events in an ordered and user friendly manner. Category Management is used extensively in Reports showing only the events that you find interesting. This interface can be used to create, manipulate and manage Categories."; Alerts group)
Figure: Management Console event pane listing EventTracker App Open / App Close events (WINWORD.EXE, OUTLOOK.EXE, Acrobat.exe, EtwControlPanel.exe, RoboHTML.exe with process name, description and PID), the last at 3:16:25 PM 1/13/2010; Selected Event 384; Max Rows 500; Status Bar.

Management Console User Interface

Table 6:
- Title Bar: the strip at the top of the Management Console is the Title Bar. It displays the name of the application. You cannot customize, move or drag the Title Bar.
- Menu Bar: the strip next to the Title Bar is the Menu Bar. It contains menus, and each menu contains a list of commands and shortcut keys to carry out a specific task. You cannot customize, move or drag the Menu Bar.
- Toolbar: the third strip is the Toolbar. It contains command buttons with images. Frequent
Adding Collection Masters

Figure: Add Destination dialog box (Destination 192.168.1.38; Test Connection; Port 14507; Active checked; Encrypt Data: No; Description "Forwarding LAB to NEWYORK")

EventTracker accepts only numeric data in the Port field.
4 Click Test Connection to check connectivity between the Collection Point and the Collection Master. EventTracker displays the Collection Point Console message box: "Connected to Collection Master at 192.168.1.38".
5 Click OK.
6 Click OK on the Add Destination dialog box. EventTracker displays the Configure Managers console with the newly configured Manager.

Figure 435: EventTracker Collection Point Console, Configure Managers ("Up to 5 Master Consoles can be configured"; Destination 192.168.1.38, Port 14507, Active, Encrypt Data No, Description "Forwarding CABs to NEWYORK"; Remove)

7 Click Close to close the window.

Note that the example leaves Encrypt Data at No. If the CAB files travel over a network you do not control, such as the Internet link between sites in the Collection Point scenarios, enable Encrypt Data for the destination: the CAB files contain the collected event logs of the whole site.

Editing Collection Master Settings

This option helps you edit the Collection Master configuration settings. To edit Collection Master configuration settings:
1 C
Deleting RSS Feeds

This option helps you delete RSS feeds. To delete RSS feeds:
1 Open the Management Console.
2 Click the Configure menu and select RSS Feeds. EventTracker displays the RSS Feeds window.

Figure 107: RSS Feeds window (Available Feeds with Added By, Added Date and Status columns: "Feed for Summary Report", nirmal, May 2008, Active; "Feed for Detail Report", nirmal, May 2008, Active; Show only Active feeds; New Feed, Delete Feed, Close). RSS feed URL: http://<this server>/eventrss/.../<feed name>.xml. To subscribe to these feeds, point your RSS reader to the URL shown above, replacing <this server> with the name or IP address of this server and <feed name> with the name of the RSS feed. To know more about RSS feeds, click here.

3 Select the Feed that you want to delete from the pool.
4 Click Delete Feed. EventTracker displays the EventTracker Reports Console message box.

Figure 108: EventTracker Console message box: "Are you sure you want to delete this Feed?" (Yes, No)

5 Click Yes. EventTracker deletes the selected RSS feed.

Figure 109: RSS Feeds window after deletion (Available Feeds: "Feed for Summary Report", nirmal, May 2008, Active; Show only Active feeds)
Directory or NT domain as the agent.
- Encrypted traffic between Agent and Console: IPSec techniques can be applied to all traffic between agent and Console for highest security. Plan that IPSec policy alongside the agent rollout wherever agent traffic crosses a network you do not trust.

Deploying Agents

- Service monitoring: the agent is capable of detecting, reporting and restarting failed services.
- Monitoring external log files: many applications (e.g. IIS, antivirus, Oracle) write a separate log file. New matching entries in such log files can be detected and reported by the agent.
- Host based intrusion detection: the agent can detect and report network activity. This is useful for capacity analysis or intrusion detection.

Cons

- The agent must be installed and configured on the target machine. This requires planning, and product upgrades must also be managed. Deployment and configuration can be done from the Console to minimize this effort.
- Possible interaction effects with other software: since the agent is an EXE that gets installed on the target machine, there is always a finite probability of negative interaction with other software. The product has operated at many customers in many different environments for many years, so this is highly unlikely.
- Agent consumes local resources: the agent, like any application, uses some amount of system resources on the target. The EventTracker agent is highly o
164. Sending CAB Files to Collection Master
For example, CAB etar1238866570_14505.cab is already sent and you have selected it to resend. Collection Master backs up the file received earlier with the same name but appends timeticks to the file name, e.g. etar1238866570_14505.cab.1239266608, where 1239266608 is timeticks. EventTracker displays the CAB files with In Progress status with blue indicators.
[Figure 447: Manage CAB console (EventTracker Collection Point Console; menus File, Configure, Help). Select Criteria: Destination 192.168.1.38, CAB Status. Rows list CAB files (etar1238191429_1, etar1239163086_1, etar1239115255_1, etar1239099644_1, etar1239065428_1, etar1239024699_1, etar1238999442_1, …) with their event time ranges (April 6 to 9, 2009), destination 192.168.1.38, sent time (April 9, 2009) and status Success.]
165. …
2. Click the collapsible splitter controls to hide the bottom pane and view the graphs in full.
[Figure: EventTracker Alerts Dashboard (menus File, Configure). System Group: ALL; Top 5 Systems; Interval: Last 1 Day; Refresh once in 5 mins; Last Refreshed at 11:56:46 AM (1/13/2010); Total alerts: 176; Alert Config. Per-system graphs for WEBDOC1, SYS5, NEMO and SPIDER showing alert rules such as "SOX EventTracker…", "Administrative…", "Detected software…", "Critical service…", "Spyware", "Disk space is…" and "EventTracker…". Note in the window: "Double click on the graphs to view details".]
By default, EventTracker displays the summary of events of the top 5 Alert rules in the top pane.
[Figure 319: Alerts Dashboard, top pane, with callouts Dashboard and Top 5 Systems; same controls as above (System Group, Interval Last 1 Day, Refresh once in 5 mins, Last Refreshed at 11:56:46 AM, Total alerts 176, Alert Config) and alert graphs for WEBDOC1 and NEMO.]
166. Configuring Windows Agent
[Figure 279: Agent Configuration window, Log Backup tab (EventTracker Agent Configuration; menus File, Help). Select Systems: WEBDOC1 (Agent based system); "Apply the following settings to specified clients"; Manager destinations: WEBDOC1; tabs Managers, Event Filters, System Monitor, Monitor Apps/Services, Processes, Network Connection Monitor, Logfile Monitor, Log Backup. Tab text: EventTracker automatically performs event log backup (archival) in the standard Windows event log format (.evt / .evtx). This automatic backup occurs whenever an event log is full. The log will be backed up into the EventTracker Client directory with the following name: <Log file name>_<Timeticks>.evt (example shown: AppEvent…34333555.evt). Options: Clear logs as needed; Backup event logs; Clear log after backup; Backup path: C:\Program Files\Prism Microsystems\EventTracker\Agent; Keep backup files for N day(s).]
Table 52
Clear logs as needed: If selected, EventTracker Agent clears the log file if and only if an offset error is encountered. After clearing, the Agent inserts a 3241 event to notify the user. In this case no backup is taken. This is true for any setting of the Windows Event Log's "When maximum log size is reached" option, i.e. Overwrite events as needed, Overwrite events older than N days, or Do not overwrite events (clear log manually).
EventTracker log…
167. Configuring Alerts
[Figure 61: Alert Group Configuration, Event Filters tab (Alert Group Configuration, EventTracker Console). Tabs: Alert Name, Event Details, Event Filters, Custom, Systems, Actions. Text: "A list of events which will be ignored during alert processing". Buttons: Add Event, Edit Event, Remove Event, < Back, Next >, OK, Cancel.]
14. Click the Custom tab OR click Next >. EventTracker displays the Custom tab.
[Figure 62: Alert Group Configuration, Custom tab. Sections: "Alerts valid only during this Time Interval" (Time Interval: Apply at all times / Apply between this time frame, From, To); "Raise this alert only if the same event occurs for the specified count within the specified duration" (Alert based on Count: Enable; Raise alert for event count; Duration (secs)); "This alert can optionally be stored in Alert Archives for Alert analysis" (Archive Alert: Store this alert in Alert Archives).]
Table 18
Apply at all times: EventTracker selects this option by default and sends Alert notification whenever the specified events occur.
Apply between this time frame: Select this option when you want Alert notification on the occurrence of the specified events within a specified time frame.
Alert…
168. …EventTracker Agent Management Tool message box. Click OK. EventTracker displays the result in the Notepad.
Querying version of the Agent Service (Group)
This option enables you to query the version of the agent service in the selected Group. To query the version of the agent service in the selected Group:
1. Select the Group option.
2. Select the Group from the Group Name drop-down list.
3. Select the Query for Agent version option.
4. Click Next >. EventTracker displays the Enter privileged account information dialog box.
5. Type a valid username and password.
6. Click Execute. EventTracker displays the EventTracker Agent Management Tool message box.
7. Click OK. EventTracker displays the result in the Notepad.
Querying version of the Agent Service (All)
This option enables you to query the version of the agent service in all the systems and Groups. To query the version of the agent service in all the systems and Groups:
1. Select the All option.
2. Select the Query for Agent version option.
3. Click Next >. EventTracker displays the Enter privileged account information dialog box.
4. Type a valid username and password.
5. Click Execute. EventTracker displays the EventTracker Agent Management Tool message box.
6. Click OK. EventTracker displays the result in the Notepad.
7. Click Close to clo…
169. EventTracker displays the Network Connection Details dialog box.
8. Type appropriately in the relevant fields.
[Figure 271: Network Connection Details window ("empty field implies all matches"). Local Address Details: Host name or IP Address: WEBDOC1; Local Port: telnet (23, telnet service). Remote Address Details: Host name, IP Address or URL: OBELIX; Remote Port: telnet (23, telnet service); Select IP Address. Process Name (e.g. iexplore.exe): telnet.exe. Connection State: ESTAB. Buttons: OK, Cancel.]
9. Click OK. EventTracker displays the Include List dialog box.
[Figure 272: Include List window. Text: "List of connections that will always be monitored. This is opposite of exclude list. Monitor only the ports that are in this list." Columns: Local Address, Remote Address, Remote Port, Process, State (CLOSED / ESTAB); row: WEBDOC1, OBELIX, 23, telnet.exe, ESTAB. Buttons: Edit, Delete, Close.]
10. To modify the network connection details, click Edit. Type the information in the Network Connection Details window and then click OK.
11. To delete the network connection details, select the network connection details you want to delete from the list and then click Delete.
12. …
170. [Notepad window (menus File, Edit, Format, View, Help) showing the configuration file. Legible entries: [Product] prod_name, prod_ver, prod_serial, [End]; [EvtRxer] …aps_port 4505, comments, syslog_port 514, arcsync_status 0, port 0, dbname 15506, temp_archive_name C:\Program Files\Prism Microsystems\EventTracker\Cache\EtwArchive1173276994.mdb, traplog_days_to_keep 7, evtlog_days_to_keep 7, applog_days_to_keep 7, … 12, ackfreq_hrs 12, etw_agent_ping_min 0, etwevent_countfreq_hrs, etwevent_count_maxlimit, sysevent_count_maxlimit, logsize 512, syslog 1, etrx_evtwcache_folder, etrx_trtwcache_folder, dup_suppr_interval 0, max_alerts_allowed 0.]
EventTracker creates the EtaConfig_14515.ini and EtaConfig_14525.ini files in the RemoteInstaller folder (Program Files\Prism Microsystems\EventTracker\RemoteInstaller).
9. Restart the EventTracker Receiver service.
Table 17: Virtual Collection Points for Windows Events. You need to add these ports to the Firewall exceptions list:
  EventTracker Receiver    Incoming                 14505, 14515, 14525
  User Activity            Incoming                 14556, 14557, 14558
  Correlator               Incoming                 14656, 14657, 14658
  EventTracker Receiver    Outgoing (for viewers)   32001, 32002, 32003
Upgrading Agent (Sys2) from Manager (Sys1)
Open the System Manager console. Click Upgrade Agent on the toolbar. Select…
171. [Actions: Forward as SYSLOG dialog. Text: "Forward Events as SYSLOG message. Select a destination and port to which an event will be sent as SYSLOG message." Fields: Trap Destination (address or host name); Mode: TCP / UDP; Port. Buttons: OK, Cancel.]
You can also access the Actions: Forward dialog box by selecting the corresponding check box under the Forward column on the Alerts Group dialog box.
Table 23
Forward Events as SYSLOG messages: Type the IP address or host name OR select a trap destination from the drop-down list.
Mode: Select the transport mode and then select the port corresponding to the mode of transport selected.
3. Type appropriately in the relevant fields.
4. Click OK.
5. Click OK on the Alert Group Configuration dialog box. EventTracker displays the Alert Groups console with the newly created alert.
[Figure 92: Alert Groups console. Toolbar: New, Edit, Delete, Save. Text: "Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action." Columns include Forward as SNMP, Forward as SYSLOG, RSS Notification and Console side remedial…; the row "Administrative log on" shows No in each.]
172. Configuring Windows Agent
…systems. To control this problem, the option Minimum Amount of Free space to be left on Storage Device is provided, to stop storing events when the free disk space is less than the configured number. Example: when you configure 20, the Agent will stop writing events to disk when the free space goes below 20. All these apply only to TCP mode.
5. Type the name of the manager in the Destination field.
6. Click OK. EventTracker displays the Agent Configuration window with the newly added manager.
7. Click Save.
You can apply the current settings to other specified Agents. For more information, refer to Applying Configuration Settings to Specified Agents on page 285.
Event Delivery modes
EventTracker Agents send the event logs garnered to the Manager either in High Performance mode (UDP) or in Guaranteed Delivery mode (TCP). Since UDP is a connectionless network service, there is no guarantee that the Manager will receive all the data blocks transported over UDP. TCP is a connection-oriented network service, so in TCP mode there is a guarantee that the Manager will receive all the data packets transported over TCP.
Modifying Event delivery modes
This option helps you modify event delivery modes. To modify the Event delivery mode:
1. Open the Agent Configuration window.
2. Select the system from the Select Systems drop-down list.
3. Select the Manager Name from the list in the Managers tab.
4. Click Edit…
173. Export and Import Utility
The Export and Import Utility enables you to export and import custom Categories, Filters, Alerts, Schedule Reports, Domains, Systems and RSS Feeds during the migrate/upgrade process, and to transfer EventTracker data from one system to another in your enterprise. Suppose you have configured Schedule Reports in System A and want to configure Schedule Reports in System B with the same configuration settings. You need not configure them again in System B: just export the Schedule Reports configured in System A and then import those .iscat files into System B.
Exporting Categories
To export Categories:
1. Open the Management console.
2. Click the Tools menu and select the Import and Export Utility option OR double-click Maintenance Tools on the Control Panel and then double-click Import and Export Utility. EventTracker displays the Export Import Utility.
[Figure 356: Export Import Utility window, Export tab. Instructions in the window: 1 Select the EventTracker Categories to be exported; 2 Click the Export button; 3 Choose the folder & provide the file name; click OK. Left pane: Category, Filters, Alerts, Groups, Systems, … Category list (All audit events, All error events, All file replication events, FTP service events, All IMAP interface events, All information events, All SYSLOG events, All warning events, …) with Add > and Add All >> buttons and a Categories Selected list.]
174. Managing Category Groups and Categories
[Figure 337: Create Event Category Wizard, Event Details. Text: "Enter or select event details information. Enter comments or recommended action for the event. Click Add to save and continue; click Finish to save and exit." Severity: Information. Event Details: Category; Log Type: Application; Event ID; Source: EventTracker; User; Match in Event Descr. Note in the window: the Match in Event Descr field can take multiple strings separated with || or &&; && stands for AND condition, || stands for OR condition. If you want to make a match on any of the special characters, then in the search string prefix this character with a backslash. For more information click here.]
7. Click Add.
8. Click Finish. EventTracker displays the Confirmation message box.
[Figure 338: Confirmation message box: "Modifications done to a category will affect all the category groups where this category exists. Are you sure you want to save the changes?" with Yes and No buttons.]
9. Click Yes.
175. Managing Windows Agents
[Figure 195: Uninstall Remote Agent(s), successful uninstall message. Text: "Completed uninstalling Agent software." Latest Status: Agent uninstalled successfully. Completed successfully.]
8. Click Finish.
Upgrading Windows Agents
This option enables you to upgrade Windows Agents that are within the domain, by selecting the Windows Domain Network option, and those outside the domain, by selecting the Upgrade over IP option. To upgrade Agents:
1. Open the System Manager.
2. Click the Options menu and select the Upgrade Agent option OR click Upgrade Agent on the toolbar OR right-click the system whose agent you want to upgrade; System Manager displays the shortcut menu, and from it choose the Upgrade Agent option. System Manager displays the Upgrade Remote Agent(s) window.
[Figure 196: Upgrade Remote Agent(s). Text: "Select computers to upgrade Agent software." Computers list; Selected Computers: LEO, SUPPSERVER; buttons Add >, Add All >>, < Remove, << Remove All, Next, Cancel.]
3. Select the computer for which you want to upgrade the Agent.
4. Click Next >.
[Figure 197: Upgrade Remote Agent(s). Text: "Agent(s) will be upgraded on the following remote compu…"]
176. …IP address / Add group of Computers from available Domains.
3. Click Next >. System Manager displays the Add Subnet dialog box.
[Figure 132: Add Subnet. Subnet Address fields. Add Systems: "in the background (I want to continue working as Computers are added)" / "in the foreground (I will wait as Computers are searched for and added)". Buttons: OK, Cancel.]
Table 32
Subnet Address: Type the IP address in these fields.
Add Systems: The options are "in the background (I want to continue working as Computers are added)" and "in the foreground (I will wait as Computers are searched for and added)".
4. Type appropriately in the relevant fields.
5. Click OK.
If you select the "in the background (I want to continue working as Computers are added)" option, System Manager displays the EventTracker System Manager message box.
[Figure 133: Add Computers from an IP subnet, EventTracker System Manager message box: "EventTracker System Manager will find Computers in the background while you can continue working. You can safely close EventTracker System Manager before the background processing is complete, but systems will not be added. When the background processing is complete, a notification message will pop up."]
6. Click OK. System Manager displays the EventTracker System Manager message box after ad…
177. …You can also configure the monitoring options through the Agent Configuration window after installing EventTracker.
Forwarding Events to Multiple Destinations
This option enables you to configure the Windows Agent to simultaneously report log events to more than one manager. To configure the Windows Agent to forward Events to multiple managers:
1. Open the Agent Configuration window.
2. Select the system from the Select Systems drop-down list. EventTracker displays the following messages if the client is not running on the selected system, has an older version, or could not be contacted.
[Figure 215: Agent Configuration error message (EventTracker Agent Configuration): "Failed to read configuration. This may be due to: Client is not running on the system, or System may have older version of client."]
[Figure 216: Agent Configuration error message: "Client service could not be contacted on the system. This system configuration will not be available."]
3. Click the Managers tab.
4. Click Add on the Managers tab. EventTracker displays the Add Destination dialog box.
[Figure 217: Add Destination window. Fields: Destination; Port: 14505; C…]
178. …EventTracker displays the Manage Categories console.
10. Click OK. EventTracker displays the EventTracker Management Console with the newly created Category and its associated events.
Modifying Category Groups
This option enables you to modify a Category Group. To modify a Category Group:
1. Open the Management Console.
2. Click the Configure menu and select the Manage Categories option OR right-click any of the Groups or Categories in the left pane; EventTracker displays the shortcut menu, and from it choose Manage Categories. EventTracker displays the Manage Categories console.
3. Expand the tree in the left pane.
4. Right-click the Group that you want to modify; EventTracker displays the shortcut menu, and from it choose Edit Group OR click the Edit menu and select the Edit Group option. EventTracker displays the Edit Group name dialog box.
[Figure 339: Edit Group name dialog box. Text: "Parent node is Group". Field: Enter Group Name. Buttons: OK, Cancel.]
5. Type the appropriate Group name in the Enter Group name field and then click …
Deleting Category Groups
This option enables you to remove a Category Group. To remove a Category Group:
1. Open the Management Console.
2. Click the Configure menu and select the Manage Categories option OR right-click any of…
179. …Maintain a policy that addresses information security (466).
Glossary
Advanced Report: The report for any period for which events have been collected, based on the selection criteria. You can generate a Summary Report and a Detailed Report.
Agent Configuration: Process of configuring the system for reporting to multiple managers, to filter events, to monitor services, software installations, processes and system health, and to archive the events database.
Alert Configuration: Process of configuring alert notifications in the form of Sound, E-mail, Console message or any Custom action. A feature that instructs programs that notify timely information about the events.
Analyzing Event Traffic: Process to analyze the event traffic patterns. The data can be used to filter out irrelevant events and perform other operational tasks.
Audible Alert: A feature that instructs programs that usually notify information by sound.
Auto Discover Mode: Process of adding computers from your network automatically.
Auto Scrolling: Process of selecting the latest event automatically in the content area.
Change Management: The process that enables the user to monitor, analyze, understand and recover from change.
Console Message: Alert feature that instructs programs that usually notify information to the selected machine.
CPU Performance: A term used to monitor the CPU performance.
Custom Alert: A feature that instructs programs to execute custom actio…
180. Configuring Windows Agent
Deleting Log file monitoring settings
This option helps you delete log file monitoring settings. To delete log file monitoring settings:
1. Open the Agent Configuration window.
2. Select the system from the Select Systems drop-down list.
3. Click the Logfile Monitor tab.
4. Select the log file from the Logfile Name list.
5. Click Delete File Name.
6. Click Save on the Agent Configuration window.
Searching Strings
This option helps you search strings. To search for a string:
1. Open the Agent Configuration window.
2. Select the system from the Select Systems drop-down list.
3. Click the Logfile Monitor tab.
4. Select the log file from the Logfile Name list.
5. Click Search Strings.
[Figure 255: Search String window. Text: "Search Strings for C:\WINDOWS\iis6.log. Use a * in a column to match every entry in the file." System: WEBDOC1. List of previously entered search strings. Buttons: Add String, Edit String, Delete String, OK, Cancel.]
6. Click Add String. EventTracker displays the Enter Search String dialog box.
7. Select the field name from the Select Field Name drop-down list.
8. Type the string that you want to search for in the Enter Search String field. EventTracker displays the Enter Search String dialog box with the newly added search string entry.
[Figure 256: Enter Search String dialog box…]
181. …No to revert to the Create Event Category Wizard dialog box.
11. Click Finish. You can create Categories without adding any events to that category; you can add events later by clicking Add Events on the Manage Categories dialog box. EventTracker displays the Confirmation message box.
[Figure 247: Confirmation message box: "Modifications done to a category will affect all the category groups where this category exists. Are you sure you want to save the changes?" with Yes and No buttons.]
12. Click Yes. EventTracker displays the Manage Categories console.
Modifying Categories
This option helps you modify Categories. To modify a category:
1. Open the Manage Categories dialog box OR right-click the category in the left pane of the EventTracker Management Console; EventTracker displays the shortcut menu, and from it choose Edit Category. EventTracker displays the Manage Categories console.
2. Select the category that you want to modify in the left pane.
3. Click Edit Category OR right-click the category that you want to modify; EventTracker displays the shortcut menu, and from it choose Edit Category OR click the Edit menu and sel…
182. …TCP and UDP.
- For constant, unattended, reliable monitoring for intrusion detection.
- Flexible configuration as per the business requirement.
To monitor network connections:
1. Open the Agent Configuration window.
2. Select the system from the Select Systems drop-down list.
3. Click the Network Connection Monitor tab. EventTracker displays the Network Connection Monitor tab.
[Figure 265: Agent Configuration window, Network Connection Monitor tab (EventTracker Agent Configuration; menus File, Help). Select Systems: WEBDOC1 (Agent based system); "Apply the following settings to specified clients"; Manager destinations: WEBDOC1; tabs Managers, Event Filters, System Monitor, Monitor Apps/Services, Log Backup, Processes, Logfile Monitor, Network Connection Monitor. Tab text: "Network Connection Monitoring provides your enterprise an ability to monitor security beyond the firewall. You should have a firewall as your first level of security. This option can be used as second level security for intrusion detection, and it also provides protection against internal threats. Default settings are set on high security mode, such that an event with all relevant details will be generated whenever a network connection is established with this system." Connection: TCP, UDP; All Network Traffi…]
Table 48
183. [Category tree residue: …Point Error; EventTracker DLA: No files found for pro…; EventTracker DLA file processing failed; EventTracker Remedial action failed; EventTracker Remedial action ignored; EventTracker Remedial action Success; EventTracker USB device disabled; EventVault CAB integrity checksum failure; Excessive access failures by an user; … (100 Alerts).]
3. Right-click the Category that you want to set as alert in the Management Console. EventTracker displays the shortcut menu. From the shortcut menu, choose Add As Alert OR open the Manage Categories console.
[Alert Groups console residue: "Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action." Rows show No in the action columns.]
184. Appending CAB Files
[Figure 312: EventVault Warehouse Manager (menus File, Options, Help). Select Time Range: Show All / Show older than / Show From. Configuration: Vault Storage Folder C:\Program Files\Prism Microsystems\EventTracker\Archives; Save EventBox Metadata; Backup Archives; Append Archives. Available EventBoxes: rows with check box, start time and end time (e.g. 12/9/2008 4:41:08 to 12/10/2008 8:57…; 12/10/2008 9:59:20 AM to 12/11/2008 2:0…; … 12/18/2008 10:11:42 AM to 12/18/2008 …), file names (etar1228821205_14…, etar1228883495_14…, etar1228941574_14…, etar1228999700_14…, etar1229058129_14…, etar1229114935_14…, etar1229175521_14…, etar1229235457_14…, etar1223315531_14…, etar1229403579_14…, etar1229461224_14…, etar1229575121_14…) and a checksum column; Select All check box.]
185. Configuring Windows Agent
When the configured threshold is crossed, an event will be generated and reported to the Manager. An event will also be generated when the thresholds are back below the configured levels. Care is taken not to report spikes in CPU or memory usage by a process, so when an event is seen that a system is crossing thresholds, you can be sure that this has been the case for a long enough period and needs investigation. The default threshold limit is 80 for all variables. A configuration of 0 disables the monitoring for that specific variable.
The USB and other Device Changes option helps to monitor insertion or removal of USB and other media. It also helps to track file transactions that occur on the inserted media.
To configure system performance thresholds:
1. Open the Agent Configuration window.
2. Select the system from the Select Systems drop-down list.
3. Click the System Monitor tab. EventTracker displays the System Monitor tab.
[Figure 230: Agent Configuration window, System Monitor tab (EventTracker Agent Configuration; menus File, Help). Select Systems: WEBDOC1 (Agent based system); "Apply the following settings to specified clients"; Manager destinations: WEBDOC1; tabs Log Backup, Processes, Network Connection Monitor, Logfile Monitor, Managers, Event Filters, Monitor Apps/Services…]
186. Management Console User Interface
[Toolbar reference residue: Import and Export Utility: Click to open the Import Export Utility. Diagnostics: Open Diagnostics tool. About EventTracker: Open About box.]
Management Console User Interface
Management Console is the first component of EventTracker. This section helps you to understand the Management Console user interface. To work with EventTracker effectively, a thorough understanding of its user interface is very important.
[Figure 6: Management Console User Interface, with callouts Title Bar, Menu Bar, Navigation and Workspace. Window: EventTracker Management Console; menus File, View, Configure, Reports, Tools, Windows; toolbar: System Manager, EventVault, Auto Refresh, Correlated Alerts & Incidents, Computers, Default. Category tree (All Categories): Altiris Deployment Solution, Antivirus, Check Point, Cisco (Cisco Aironet, Cisco Catalyst, Cisco Director, Cisco IOS, Cisco PIX, Cisco VPN), Citrix, Crystal Enterprise, Dell OpenManage, DoubleTake, EventTracker, Fortigate, Juniper SBR, Linux Cracking, Linux Violation, Microsoft Windows Hyper-V, Netscreen, Oracle, Solaris BSM, Suspicious Network Activity, Syslog, Veritas, VMware ESX, WatchGuard Firebox, WhatChanged, Windows, …]
187. Verifying EventBox Integrity
[Figure 303: Save As message box: "C:\Program Files\Prism Microsystems\EventTracker\archive info.txt already exists. Do you want to replace it?"]
Verifying EventBox Integrity
This option enables you to verify that the contents of the EventBox are intact. It calculates a SHA1 hash value over the EventBox contents and compares it with the original value. If the integrity check fails, re-index the archive database using the Archive Indexer utility available under Maintenance Tools.
While verifying the integrity of an EventBox, EventVault Warehouse Manager performs the following actions:
- The SHA1 checksum of the selected archive is regenerated.
- This new checksum is compared with the older checksum existing in the database.
- If the two checksums do not match, an error message is displayed indicating that the data has been tampered with.
- If the two checksums match, the data is intact.
To verify EventBox integrity:
1. Open the EventVault Warehouse Manager.
2. Select the CAB files from the Available EventBoxes list OR select the Select All check box to select all the EventBoxes.
3. Click the Options menu and select the Verify EventBox option OR click Verify, located at the bottom of the console. After verifying the integrity, EventVault Warehouse Manager displays the ArchIntegrity report in the Notepad.
188. Filtering Events from View
[Figure 23: EventTracker Console message box: "Deep search found no matches for EventTracker USB device disabled. Possible reasons are: (a) a specific or longer time period must be specified; (b) there are no such events in the archives. Launch Log Analysis?"]
[Figure 24: Reports Console (menus Log View, Actions, Favorites, Tools, Help; Show All Analyses). Tree: EventTracker Analysis; WEBDOC1 (Collection Point Master); My Favorites; Alphabetical; Advanced Analysis (Logs Detail, Logs Summary, Detail, Trend); EventTracker Analysis Wizard; Alerts; Cost Savings; Suspicious Traffic; Log Volume Overview; New On Demand Analysis; Scheduled Analysis; Defined Analysis; Published Analysis; Dashboard. Pane text: "Welcome to EventTracker Analysis Wizard. This wizard is designed to simplify the process of analysis and scheduling the same by guiding you through a set of steps. You will be prompted for the type of analysis, the systems, the time period and options, and the data filters if any. Supported output formats are PDF, HTML, DOC and XLS. After the criteria are selected, the wizard presents an estimate of disk cost and time required for report generation. The estimate is based on past data…"]
Figure 225: Event Details window (fields: Log Type, Event Type, Event ID, Category, Match in User, Match in Source, Match in Event Descr; an empty field implies all matches)

The Match in Event Descr field can take multiple strings separated with && or ||; && stands for the AND condition and || stands for the OR condition. Note: if you want to match any of the special characters themselves, prefix that character in the search string with a backslash.

7. Click OK. EventTracker displays the Advanced Filters dialog box with the newly added filter.

Figure 226: Advanced Filters window ("You can choose NOT to send specific events. Specify the details of the events that you would like to ignore. Example: you may want to view all Information events other than those received from the FTP Service. To do this, add a specific event with Event Source as FTP Service." The list shows the configured filters by Log Type and Event Type, with Edit, Delete and Close buttons.)

8. To modify the settings, select the even
(Figure residue: list of CAB files available to send to the Collection Master, with columns for CAB file name, start time, end time, destination IP address and send status. Legend: Select all; Success; In Progress; Queued; Failed; Do Not Send. Total Cab Files: 51. Wizard tabs: Select Criteria, Select Destination, Select C...)

Table 84
Chapter 7: Managing System Groups

In this chapter you will learn about:
- Discover Modes
- Adding Computers
- Removing Computers
- Removing Unmanaged Systems
- Logical System Groups

Discover Modes

System Manager adds Domains and Computers in your enterprise in two modes. You can switch discover modes anytime you wish.

Auto Discover Mode

The Auto Discovery mode detects and adds all systems found on all trusted domains. The auto discovery process includes an initial quick detection for systems and a background search for more systems. On completion of the background discovery process, it prompts the user to refresh the System Manager to get an updated list of systems. This mode is easy to use and is recommended for networks having less than 100 systems.

To set auto discover mode:
1. Open the System Manager.
2. Click the File menu and select the Select Auto Discover Mode option. System Manager displays the Select Auto Discover Mode dialog box.

Figure 122: Select Auto Discover Mode dialog box ("Select how EventTracker System Manager should add Computers from your network": I will choose to add and track Computers (Recommended for large networks); Automatically find and add Computers (Recommended for small networks, e.g. < 100 Computers))

3. Click the Automatically find and add Computers (Recommended for small networks, e.g. < 100 Computers) option.
4. Click OK. System Manager a
(Contents, continued; page numbers dropped and unreadable entries shown as ...)
CAB ...
Deleting Collection ...
Chapter 16: Collection Point
  Starting Collection Point Console
  Adding Collection Masters
  Editing Collection Master
  Deleting Collection Master Settings
  CAB ...
  Sending CAB Files to Collection Master
Chapter 17: EventTracker Configuration Tracking
  EventTracker Configuration Tracking Events
Chapter 18: ...
Chapter 19: Add... Software Modules
  ...
  Evaluation ...
  Benefits of ...
Appendix: HIPAA
  HIPAA Compliance
  User ...
Figure 150: Create Group message box ("EventTracker System Manager: Management Console will now start populating the newly created group. If you have a large network, this may take a few minutes.")

8. Click OK. System Manager displays the EventTracker System Manager message box after creating the group.

Figure 151: Create Group message box ("EventTracker System Manager: Completed populating the newly created group. Select OK to view.")

9. Click OK. System Manager displays the EventTracker System Manager console with the newly created Group.

Figure 152: System Manager console after creating a group (the Computer Groups tree lists the domains and workgroup plus the new logical group App Database Group, described as "Machines running Apps Database Application"; the right pane lists the members of the new group with their system status, e.g. Windows 2000 Server and Windows 2003 Server)
Services for stop/start: If a service stops, an event will be sent immediately to the Manager. An event will also be sent if a stopped service restarts. You can also choose to automatically restart services that have been stopped. There may be certain services that you may not want to monitor; you can filter out such services from the monitoring list. The service name that needs to be configured can be either the name as displayed in Control Panel > Services or the display name. While configuring the service name, please ensure that it is spelt correctly.

To configure services that need to be restarted on stopping:
1. Open the Agent Configuration window.
2. Select the system from the Select Systems drop-down list.
3. Click the Services tab. EventTracker displays the Services tab.

Figure 238: Agent Configuration window, Services tab (Select Systems: WEBDOC1, Agent based system; "Apply the following settings to specified clients"; Manager destinations: WEBDOC1; tabs: Log Backup, Processes, Network Connection Monitor, Logfile Monitor, Managers, Event Filters, System Monitor, Monitor Apps, Services)

Table 43

Services Monitoring: By default, all services will be monitored. In addition, you can use the Add/Remove option to restart selected services when they stop.
Set performance thresholds for CPU, Memory and Disk space usage. Monitor device changes such as media or USB insertion and removal. An event is generated when the condition is satisfied. To stop monitoring, unselect that parameter.

(Figure residue: Performance: CPU Performance, Memory Usage and Disk Space Usage, each with a threshold drop-down; USB and other Device Changes: Report insert/remove, Record activity, Disable USB Devices)

Table 41

Performance
- CPU: Select a threshold limit to monitor CPU performance from the drop-down list.
- Memory Usage: Select a threshold limit to monitor memory usage from the drop-down list.
- Disk Space Usage: Select a threshold limit to monitor disk space usage from the drop-down list.

USB and other Device Changes
- Report insert/remove: Select this check box to track insertion or removal of USB or other devices. This check box is selected by default.
- Record activity: Select this check box to monitor file transactions that occur on the inserted devices. If you enable this option, EventTracker displays the caution message box (EventTracker Agent Configuration, USB Tracking Caution: "If enabled, the EventTracker Agent will passively but continuously monitor USB devices, thereby causing the Safely Remove
- Disable USB Devices
- USB Exception List
Click Start, point to Programs, point to Prism Microsystems, point to EventTracker, and then select the EventVault Warehouse Manager option. EventTracker displays the EventVault Warehouse Manager.

By default, EventVault Warehouse Manager selects the Show All option and displays all the CAB files.

Select the Show older than option to view CAB files older than a specific period. Select the date from the calendar control and the time from the spin box. Click Show. EventVault Warehouse Manager displays the CAB files older than the specified period.

Select the Show From option to view CAB files for a specific period. Select the dates from the calendar controls and the times from the spin boxes.

7. Click Show. EventVault Warehouse Manager displays the CAB files for the specified period.

Configuring EventVault

This option enables you to configure the EventVault Warehouse Manager to archive the events from the EventTracker database. By default, EventTracker operates in High Performance mode. In this mode, EventBoxes are created automatically based on two criteria:
1. When the Cache db reaches 50 MB, or
2. The EventVault Schedule frequency, set by selecting the number of days from the Frequency drop-down list in the EventVault Warehouse Manager Configuration dialog box.

Figure 299: Configuration dialog box

Table 58

To configure EventVault:
1.
...bat, OR click Cancel.
4. Click OK.
5. Click OK on the Alert Group Configuration dialog box. EventTracker displays the Alert Groups console with the newly created custom action alert.

Figure 95: Alert Groups console (toolbar: New, Edit, Delete, Save; "Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action." Columns include Forward as SNMP, Forward as SYSLOG, RSS Notification, Console-side remedial action, Console Message Alert and Console-side Remedial Action, each showing Yes or No per alert; rows list the predefined alerts, e.g. Administrative log on, Administrative log on failure, Altiris, Audible Alert, Audit Log Cleared, CISCO Access Denied, CISCO Authentication Failed, CISCO PIX Failover Message, CISCO PIX IDS intrusion detection, CISCO VPN Admin Access Authentication/Authorization/Access Control, CISCO VPN Memory Allocation Failed, Citrix, Critical service could not be started, Critical service is not running, Crystal Enterprise, Detected high memory usage, Detected software, Directory permission change, Disk space is critically low)
Figure 65: Alert Group Configuration, Actions tab (tabs: Alert Name, Event Details, Event Filters, Custom, Systems, Actions; "Select and configure alert actions below": Generate sound from my speaker; Send E-mail to specified recipient; Update RSS feed; Send net message; Forward Events as SNMP; Forward Events as SYSLOG message; Execute remedial action at EventTracker Console; Execute remedial action at EventTracker Agent)

Table 19
- Generate sound from my PC speaker: Select this option to configure audible Alert notification.
- Send E-mail to specified recipient: Select this option to configure E-mail Alert notification.
- Update RSS feed: Send Alerts via RSS Feeds.
- Send net message: Select this option to configure console message notification.
- Forward Events as SNMP trap: Select this option to forward events as an SNMP trap.
- Forward Events as SYSLOG messages: Select this option to forward events as a SYSLOG message.
- Execute Remedial action at EventTracker Console: Select this option to configure a custom action to be executed on receipt of an event at the Manager side.
- Execute remedial action at EventTracker Agent: Select this option to configure a custom action to be executed on receipt of an event at the Agent
Figure 386: Import Utility message box ("Successfully imported Domains/Systems from the selected .issys file. To view the imported Domains, please go to Configure > Manage Systems.")

9. Click OK.

Importing Systems

To import Systems:
1. Open the Export Import Utility.
2. Click the Import tab.
3. Select the Systems option on the Import tab. EventTracker displays the Export Import Utility.

Figure 387: Export Import Utility window (Import tab; "Import Systems: 1. Provide the path & file name of the system file. Use the browse button to locate the import file. 2. Click the Import button." Options: Category, Filters, Alerts, Systems, Scheduled Reports, RSS Feeds; Source: issys or Custom)

4. Select the issys option to import the issys type file, OR select the Custom option to import other types of files, such as .cxt files.
5. Click the browse button located adjacent to the Source field. EventTracker displays the Select issys File dialog box if you selected the issys option.
6. Navigate to and locate the systems file you want to import and click Open. EventTracker displays the Select File dialog box if you selected the Cust
(Figure residue: the trusted list shows entries such as Resource Location Protocol, WINS Replication, Windows Internet Name Service, DNS Server, DHCP Server and Internet Connection Firewall)

Adding programs to the trusted list

This option helps you add programs installed on your computer to the trusted list. You can enable or disable the entries in the trusted programs list. Enable means the processes and the ports used by the processes are legitimate; disable means they are illegitimate, and EventTracker monitors them.

To add programs to the trusted list:
1. Click Add Program. EventTracker displays the Add Program to Trusted List window.

Figure 275: Add Program to Trusted List window (columns: Application Name, Process Name, Description; e.g. Adobe Acrobat 7.0 TryOut (Acrobat.exe), Adobe Acrobat Distiller 7.0 TryOut (acrodist.exe), Adobe Designer 7.0 TryOut (Designer.exe), Adobe ImageReady CS (ImageReady.exe), Adobe Photoshop CS (Photoshop.exe), Microsoft Access, Microsoft Excel, Microsoft Outlook (outicon.exe), Microsoft PowerPoint (pptico.exe))
Extracting EventBox Data

This option enables you to extract the EventBox data into an MS Access database.

To extract EventBox data:
1. Open the EventVault Warehouse Manager.
2. Select the CAB files from the Available EventBoxes list, OR select the Select All check box to select all the EventBoxes.
3. Click the Options menu and select the Extract EventBox option, OR click Extract, located at the bottom of the console. EventVault Warehouse Manager displays the Choose Directory dialog box.
4. Select the path where you want to store the event data.
5. Click OK. After extracting the event data, EventTracker displays the ArchIntegrity report in Notepad.

EventVault Warehouse Manager saves the extracted file in the selected location with the .mdb file extension. You can view the database file using MS Access.

Deleting an EventBox

This option enables you to delete an existing EventBox.

To delete an EventBox:
1. Open the EventVault Warehouse Manager.
2. Select the CAB files from the Available EventBoxes list, OR select the Select All check box to select all the EventBoxes.
3. Click the File menu and select the Delete EventBox option, OR click Delete, located at the bottom of the console. EventVault Warehouse Manager displays the Confirm Archive Delete co
Table 4
- (row label cut off): 14506 TCP
- Windows Receiver: 14505 TCP/UDP (optional; can be configured up to 10 TCP/UDP ports)
- Syslog Receiver: 514 UDP, 1470 TCP (optional; can be up to 10 port pairs)
- Receiver Outgoing: 32001, 32002 up to 32020, all UDP (total 20 ports used to send information to EventTracker modules)
- UserActivity: 14556, 14557 up to 14576, all UDP (to connect 20 Receivers)
- Correlator: 14656, 14657 up to 14676, all UDP (to connect 20 Receivers)
- Collection Master: 14507 TCP (optional; can be configured to any TCP port)
- Correlation Receiver: 14509 TCP

Starting EventTracker

The search based console helps you search and view events that occurred in a specific Category. By default, EventTracker displays the number of events configured in the Manager Configuration window (Max events view limit, Console). Whenever you open the Management Console, EventTracker sets the focus on the Correlated Alerts and Incidents Category and displays the events associated with that Category. If no events occurred in that particular time frame, EventTracker gives you options to search farther back. You can also configure EventTracker to show/store only the active Alerts through the options provided in the Manager Configuration window.

To start EventTracker:
1. Click Start, point to Programs, point to Prism Microsystems, point to EventTrack
The Event Details tab is selected by default, and the Alert Name is non-editable, but you can view the Alert Name.
Select the event that you want to modify.
Click Edit Event, OR click Edit on the toolbar, OR double-click the event. EventTracker displays the Event Configuration dialog box.
Type appropriately in the relevant fields.
Click OK. EventTracker displays the Event Details tab on the Alert Group Configuration dialog box.
Click Finish. EventTracker displays the EventTracker Console message box.
Click Save on the toolbar. EventTracker displays the EventTracker Management Console Message.
Click OK.
Restart the Management Console.

Deleting Alert Details

This option enables you to delete Alert details.

To delete Alert details:
1. Open the Alert Groups console. EventTracker displays the Alert Groups console.
2. Select the Alert that you want to delete from the list.
3. Click Delete on the toolbar. EventTracker displays the EventTracker Console confirmation message box.
4. Click Yes.
5. Click Save on the toolbar. EventTracker displays the EventTracker Management Control Message.
6. Click OK.
7. Restart the Management Console.

Configuring Alert Actions: Manager Side

This option enables you to configure Alert actions that are to be executed at the EventTracker Manager system.
Figure 302: Backup data message box

Click OK. EventVault Warehouse Manager displays the ArchIntegrity report in Notepad after successful completion of the backup. If there is no archive file to back up, EventVault Warehouse Manager displays the EventTracker EventVault Manager message box ("You do not have any archives to backup").

Saving EventBox Metadata

This option enables you to save the archive summary in a text file. It helps you to locate particular CAB files to view, retrieve or extract events.

To save EventBox information:
1. Open the EventVault Warehouse Manager.
2. Select the CAB file(s) from the Available EventBoxes list, OR select the Select All check box to select all the archive files.
3. Click the File menu and select the Save EventBox Metadata option, OR click Save EventBox Metadata on the toolbar. EventVault Warehouse Manager displays the Save As window. EventVault Warehouse Manager saves the EventBox Info in the archive info text (.txt) file. You can also type the file name in the File name field.
4. Select the path where you want to store the archive summary.
5. Click Save.
6. Open the archive info text file. The contents are displayed.

EventVault Warehouse Manager displays the Save As message box if the file already exists.
Figure 119: Compact Files Standard Console (EventTracker Compact Files; "Select Compact to start compaction"; columns File Name and Size in MB; listed databases include issAlertsDB.mdb and ETReports.mdb)

Table 29
- Database Name: Displays the name of the databases.
- Database Size in MB: Displays the size of the respective databases.

3. Select the check boxes against the databases that you want to compact.
4. Click Compact Now. EventTracker starts compacting the database and displays the EventTracker Compact Database progress bar.

Figure 120: Compact Files progress bar ("Close all EventTracker components and select Yes")

If any EventTracker component has an open Database connection, EventTracker displays the Information message box.

Figure 121: Information message box ("Compaction cannot take place if any EventTracker component has an open Database connection. Before proceeding, please ensure EventTracker components are closed. Do you want to proceed?" with OK and Cancel)

5. If there is no open database connection, click OK to proceed.
Figure 350: Edit Event Detail dialog box ("Modify event details. More information: change comments or recommended action for the event. Click OK to save and exit." Fields: Event Type, Category, Log, Event ID, Source, User, Match in Event Descr, Event Descr Exception. The Match in Event Descr field can take multiple strings separated with && or ||; && stands for the AND condition and || stands for the OR condition. Note: if you want to match any of the special characters themselves, prefix that character in the search string with a backslash.)

8. Edit appropriately and then click OK. EventTracker displays the Confirmation message box.

Figure 351: Confirmation message box ("Modifications done to a category will affect all the category groups where this category exists. Are you sure you want to save the changes?" Yes/No)

9. Click Yes.
10. Click OK on the Manage Categories console.

Deleting Categories

This option enables you to delete a Category.

To delete a Category:
1. Open the Manage Categories console.
2. Select the categ
(Figure residue: Log View listing events dated 1/13/2010 from WEBDOC1, NEMO and SYS5, such as EventTracker App Open Exe and App Close Exe events for Alerts Dashboard.exe, EtwControlPanel.exe, msimn.exe and issSupport.exe, and Security "A new process has been created" events; status bar: Total Categories 850, Total Events 403, Selected Event 1, Max Rows 500)

EventTracker opens the Alert Groups console and focuses on the Alert that caused this event. It also opens the Alert Group Configuration window and
Warehouse Manager will schedule the first integrity check on the same day, i.e. 26 Feb 09 10:30 P.M., and the second integrity check will be done on the following day, i.e. 27 Feb 09 10:30 A.M. If you enter or select a future time from the current system time in the Time spin box, say for instance 11:30 A.M., EventVault Warehouse Manager will schedule the first integrity check on the same day, i.e. 26 Feb 09 11:30 A.M., and the second integrity check will be done on the same day, i.e. 26 Feb 09 11:30 P.M.

Example 3
Current system date: 26 Feb 09
Current system time: 11:00 A.M.
Frequency: Weekly
Day: Friday

If you enter or select a past time from the current system time in the Time spin box, say for instance 10:30 A.M., EventVault Warehouse Manager will schedule the integrity check for the following week, i.e. 5 Mar 09 10:30 A.M. If you enter or select a future time from the current system time in the Time spin box, say for instance 11:30 A.M., EventVault Warehouse Manager will schedule the integrity check for the following week, i.e. 5 Mar 09 11:30 A.M.

Purge Archives older than: Select this check box and enter the number of days to retain CAB files. CAB files will be purged after the specified number of days. By default, EventVault Warehouse Manager retains CAB files forever.

3. Type/select appropriately in the relevant fields.
4. Click OK. EventTracker saves the archive files in the selected location with the .cab extens
(Figure residue: Add a group of computers dialog: Select Domain, "Add Computers from domain"; Select System Type, "Add Computers of"; Add Systems: "in the background, I want to continue working as Computers are added" or "in the foreground, I will wait as Computers are searched for and added"; Add, Cancel)

Table 31
- Select Domain: This drop-down list lists the available Domains. Select the Domain from which you want to add the computers. When you select the All option, System Manager discovers all the Computers and adds them to their respective Domains.
- Select System Type: Select a system type from the drop-down list. When you select the All option, System Manager discovers all the Computers irrespective of their O.S. type and adds them to their respective Domains.
- Add Systems: Search and add can be done either in the background, while you continue with your work, or in the foreground, if you want to follow the search progress.

3. Select the appropriate options.
4. Click Add. If you select the "in the background, I want to continue working as Computers are added" option, System Manager displays the EventTracker System Manager message box.

Figure 129: Add a group of computers message box (EventTracker System Manager; the message text begins "... close EventTracker System Manager before the background processing is complete")
a custom action:
1. Click the Actions tab. EventTracker displays the Actions tab.
2. Select the Execute remedial action at EventTracker Console check box. EventTracker displays the Remedial Action at Console dialog box.

Figure 93: Actions, Remedial Action at Console (Remedial Action at Console Configuration: "Select a file to execute when an event occurs. The order of command line arguments to the file is as shown in the example given below. Eg: C:\myfile.bat EventType LogType Computer Source Category EventID User Description"; Browse, OK, Cancel)

You can also access the Remedial Action at Console dialog box by selecting the corresponding check box under Remedial Action at Console on the Alerts Group dialog box.

3. Click Browse under Custom Configuration, navigate to and select the appropriate file to execute when an event occurs, and then click OK. EventTracker displays the Remedial Action at Console dialog box.

Figure 94: Actions, Remedial Action at Console (the same configuration text, now showing the selected .bat file path)
(Contents; page numbers dropped and unreadable entries shown as ...)
Document Revision Control
How to Get In Touch
  ...
  Customer Support
Chapter 1: Getting Started
  EventTracker Services and Ports
  ...
  ...
  Management Console ...
  Event ...
  ...
  Upgrading EventTracker Manager License
  Accessing About EventTracker console
  EventTracker Components
    System Manager
    EventVault Warehouse Manager
    Events Knowledge Base
    EventTracker Diagnostic & Support Tools
Chapter 2: EventTracker Management Console
  Choosing ...
  Search Based Console
  Events from ...
  Configuring Event Filters
  Modifying Event Filter settings
  Delete Event Filters
  Configuring Event Fil
(Figure residue: architecture diagram showing legacy platforms, Reports & Analysis, Collection Points, the Web Console, and the transports ftp, sftp, http and ssl)

Configuring EventTracker Receiver to listen on multiple ports

EventTracker Receiver can be configured to listen on 10 ports for Traps and 20 (10 UDP & 10 TCP) ports for Unix/Linux/Solaris Syslogs. You need to add the ports that you are using to the Firewall exceptions list.

EventTracker Receiver, Incoming:
- 14505 (default port), 14515, 14525, 14535, 14545, 14555, 14565, 14575, 14585, 14595 (max 10 ports)
- 514 (default UDP for Syslogs)
- 1470 (default TCP for Syslogs)
- You can add a maximum of 10 UDP and 10 TCP ports.

The following ports are internally fixed. You cannot edit these ports. Communication through these ports is taken care of internally, which means the number of ports utilized by the respective modules will be in proportion to the number of trap ports set.

- User Activity, Incoming: 14556 through 14575 (20 ports)
- Correlator, Incoming: 14656 through 14675 (20 ports)
- EventTracker Receiver, Outgoing for viewer: 32001 through 32020 (20 ports)
215. (Index entries; unreadable entries kept as extracted)
     ad unes edendis deu ries 240
     filtering applications to monitor 241
     filtering services not to monitor 244
     including network connections 271
     log backup (rest unreadable: "DacKUlbies iie ee toot") 283
     o EH 245
     network connections 264
     processes 280
     searching strings 255
     SONICO oios eaan 242
     suspicious connections 273
     Trusted List 274
     VMware logs 261
     Reloading the Navigation Pane 58
     Remedial Action 126
     Removing unmanaged systems 158
     Restarting Agent service: all 296
     Qi OUD iaa 296
     dudit 295
     RSS Feeds 133
     GOON A 133
     A ee 136
     Scheduler service 313
     Collection Master 314
     Collection Point 314
     Search Based Console 41
     Security Reports:
       account usage outside of normal (unreadable: "NOU Stress") 460
       accounts that were never logged on 461
       administrative access to computers 461
       audit log cleared events by user 460
       audit policy history 461
       CPU load peaks by computers 460
       adding programs 278
       daily reboot statistics 460
       firewall exceptions 279
       file access by user 462
216. (Table of contents, Chapters 7 to 8; leader dots garbled in extraction, unreadable entries kept as extracted)
     Managed System Report .... 208
     Unmanaged System Report .... 209
     AS YSL RE POL ta tl redonda .... 209
     oases OPA E OU UU .... 209
     Event Publishers in Windows Event Log .... 209
     Event Logs and Channels in Windows Event Log .... 210
     Event Consumers in Windows Event Log .... 210
     ETE UI al Gustin iut .... 210
     stas Uninstall VISTA A POE shoot .... 211
     ond ope etd ae ue .... 211
     Montoro oh AQ Eva P MES .... 212
     WIBDdOWS JC nina las tati .... 213
     Accessing the Agent Configuration Window .... 213
     Basic Configuration .... 214
     Forwarding Events to Multiple Destinations .... 215
     Event Delivery modes .... 218
     Event delivery modes .... 218
     sets unitat atte ao ero .... 220
     US AMAN y O .... 221
     Filtering Events with Exceptions .... 223
     Filtering Events with Advanced Filters .... 227
     Piao line SED Translat ia E SAA .... 230
     Enable High Performance Mode .... 231
     Monitoring System Health .... 232
     USB EXC UO Mis uste lia dua wuld sides .... 233
     Monitor Applications .... 23
217. al sources:
     1. Open the Management Console.
     2. Click the Configure menu and select the Configure Manager option.
     3. Select the Direct log file archiving from external sources check box.
     4. Select a port from the Associated Virtual Collection Point drop-down list. Assign an exclusive port that is not associated with any collection groups.
     5. Click OK.
     6. Click Yes to save the changes.
     For more information, refer to http://www.prismmicrosys.com/resources/documents/EventTracker%20v6.3%20Direct%20Log%20Archiver.pdf (URL reconstructed from garbled extraction).
     Enabling Alert Notification Status Tracking
     This option helps you track the success/failure status of Alert Notifications. To enable Alert Notification Status Tracking:
     1. Open the Management Console.
     2. Click the Configure menu and select the Configure Manager option. EventTracker displays the Manager Configuration window.
     3. Select the Enable Alert Notification Status check box. You might still receive notifications for the configured Alerts, but you may not be able to track the success/failure status of those notifications if you disable this option.
     4. Click OK. EventTracker displays the confirmation message box.
     5. Click Yes to save the changes.
     6. Open the Reports Console.
     7. Click the Reports tab, click the Operations tab and then click XYZ to configure the report. Reports Console generates the report without data
218. alid user credentials and then click Login. System Manager starts upgrading the Agent and displays the progress bar. After upgrading the Agent, System Manager displays the EventTracker System Manager message box (Figure 200: Upgrade Agent's message box): "The process is complete. Please check the status and update all remote agent's licenses using the menu Help > License in System Manager."
     9. Click OK. System Manager displays the successful upgrade message (Figure 201: Upgrade Remote Agent's successful upgrade message; "Completed upgrading Agent software. Latest Status: Upgraded successfully. Completed successfully. Finish").
     10. Click Finish.
     Removing Windows Agent Components
     This option enables you to remove Windows Agent components. To remove Windows Agent components:
     1. Open the System Manager.
     2. Click the Options menu and select the Remove Agent Components option, OR right-click any of the systems in the right pane. System Manager displays the Remove Agent Components dialog box (Figure 202: Remove Agent Components): "Console side database entries and other components of agents that were
219. an configure the strings that need to be searched in the selected log files. If any record matching the search string is found, an event will be generated. (Search String dialog: Select Field Name: ServerIP, "This is the Microsoft IIS log file format generated..."; Enter Search String: 192.168.1.99.)
     9. Click OK. (Figure 257: Search String window; Figure 258: EventTracker Agent Configuration message box.) EventTracker displays the Search String dialog box with the newly added search string (Search Strings for C:\WINDOWS\... (path truncated in extraction); "Use [wildcard lost in extraction] in any column to match every entry in the file"; Edit String, Delete String, OK, Cancel).
     10. Click OK. EventTracker displays the Agent Configuration window with the modified settings.
     11. Click Save. EventTracker displays the EventTracker Agent Configuration message box ("Enter Logfile Name") if you add search strings without any log file entry.
     Monitoring Check Point Logs
     This option helps you monitor logs generated by Check Point. To monitor Check Point logs:
     1. Open the Agent Configuration window.
     2. Select the system from the Select System drop-down list.
     3. Click the Logfile Monitor tab. EventTracker displays t
220. and Add > Sys2 to the Selected Computers list.
     4. Select an appropriate Upgrade Method.
     5. Click Advanced.
     6. Select the Custom Config option.
     7. Click Browse and locate the EtaConfig_14515.ini file in the RemoteInstaller folder.
     8. Click Upgrade. EventTracker overwrites the etaconfig.ini file with the new settings.
     Upgrading Agent Sys3 from Manager Sys1
     1. Open the System Manager console.
     2. Click Upgrade Agent on the toolbar.
     3. Select and Add > Sys3 to the Selected Computers list.
     4. Select an appropriate Upgrade Method.
     5. Click Advanced.
     6. Select the Custom Config option.
     7. Click Browse and locate the EtaConfig_14525.ini file in the RemoteInstaller folder.
     8. Click Upgrade. EventTracker overwrites the etaconfig.ini file with the new settings.
     Configuring Correlation Receiver
     This option helps you configure the correlation receiver port that receives the results of correlation rules. To configure the correlation receiver port:
     1. Open the Management Console.
     2. Click the Configure menu and select the Configure Manager option. By default the correlation receiver receives rules through port 14509.
     3. Type the port number in the "Send results of all correlation rules to port" field.
     4. Click OK.
     5. Click Yes to save the changes.
     Direct Log File Archiving
     This option helps you archive log files collected from external sources. To archive log files collected from extern
221. and Extraction of CAB files: EventTracker logs four events: 2016 for a failed Integrity check, 2017 for a successful Integrity check, 2018 for a failed EventBox Extraction and 2014 for a successful EventBox Extraction. If this check box is not selected, EventTracker logs two events, 2016 and 2018.
     Time: Select the time from this spin box.
     Week Day: This drop-down list is enabled when you select the Frequency as Weekly. It lets you choose the day of the week on which the integrity check starts.
     Next Schedule: Displays the date of the schedule. The date depends on the time you enter or select in the Time spin box. The following examples make this clear.
     Example 1: Current system date 26 Feb 09, current system time 11:00 A.M., Frequency Daily. If you enter or select a time earlier than the current system time in the Time spin box, EventVault Warehouse Manager schedules the integrity check for the following day, i.e. 27 Feb 09. If you enter or select a time later than the current system time, EventVault Warehouse Manager schedules the integrity check on the same day, i.e. 26 Feb 09.
     Example 2: Current system date 26 Feb 09, current system time 11:00 A.M., Frequency Twice Daily. If you enter or select a time earlier than the current system time in the Time spin box, say for instance 10:30 A.M., EventVault
222. ane
     EventVault Warehouse Manager
     EventVault Warehouse Manager provides the capability to archive events from the EventTracker database. EventVault provides a simple but important mechanism to securely archive event logs for future use, and more specifically for auditing purposes. In most enterprise networks with multiple critical servers and workstations, the event log data can become huge and unmanageable. That event data may not be immediately required once the initial analysis is completed; at the same time it cannot be completely discarded, because it will be required for future audits. EventVault solves this problem and provides mechanisms to identify whether any of the EventVault data has been tampered with.
     Archives are .mdb files that are compressed into .cab files called EventBoxes and are stored in the Archives folder. If EventTracker is installed in the default path, these files can be found in the Archives directory. The range of events that each EventBox contains is stored in an index file in the Archives folder. These EventBoxes are sorted by period and can be viewed from the EventVault Manager window. You can also sort by Name, Checksum, Path and Port Number.
     (Figure 18: EventVault Warehouse Manager; Table 10. Screenshot residue: File, Options and Help menus; Configuration; Vault Storage Folder; Show All; Select Time Range; Save EventBo
223. any of the special characters like [character list lost in extraction], then escape that character in the search string with a backslash. Example: [lost in extraction]. For more information click here.
     Event Details: an empty field implies all matches.
     Computer: Select a computer from the drop-down list for which you want to filter out events from view.
     Event Type: Classification of event severity: Error, Information or Warning in the System and Application logs; Success Audit or Failure Audit in the Security log. Select an event type from the drop-down list.
     Log Type: Select a log type from the drop-down list.
     Match in Source: The software that logged the event, which can be either a program name, such as SQL Server, or a component of the system or of a large program, such as a driver name. For example, Elnkii indicates an EtherLink II driver. Type the source in this field.
     (Table 12: Filters. Screenshot residue: Category, Event ID, Match in Event Descr, Audit Success, Audit Failure)
     Category: Classification of the event by the event source. This information is primarily used in the security log. For example, for security audits this corresponds to one of the event types for which success or failure auditing can be enabled in Group Policy. Type the category number in this field. This
224. at folder. Now modify the Archives folder at the Collection Master end, for example D:\Archives. Change the Collection Point Site or group name to ALICEBANGALORE and send the CAB files to the Collection Master. The Collection Master creates the folder D:\Archives\ALICEBANGALORE\192.168.1.53 and stores all the new CAB files in that folder. Generate an Advanced Report; the Advanced Reports Console displays both the Collection Points.
     (Screenshot of the Advanced Reports Console; text unreadable in extraction)
225. (Alert list residue, continued; truncated names kept as extracted)
     Cisco Catalyst PortChannel interface down
     Cisco Catalyst Power supply failed
     Cisco Catalyst Power supply fan failed
     Cisco Catalyst Runtime diagnostics warning
     Cisco Catalyst Security violation occurred
     Cisco Catalyst Slot powered off
     Cisco IOS Border Gateway Protocol (BGP)
     Cisco IOS Hot Standby Router Protocol
     Cisco IOS Interface down or detached
     Cisco IOS Internal software error
     Cisco IOS IP EIGRP neighbour is up or d
     Cisco IOS Line protocol down
     Cisco IOS Runaway processes
     CISCO PIX Access denied
     CISCO Authentication failed
     CISCO Failover message
     CISCO PIX IDS intrusion detection
     CISCO VPN Admin Access Access cont
     CISCO VPN Admin Access Authenticati
     CISCO VPN Admin Access Authorizatio
     CISCO VPN Memory allocation failed
     Citrix Critical service could not be started
     Critical service is not running
     (152 Alerts; Console-side remedial action column: No, No)
     Alert Group Configuration (EventTracker Console): Events can be added, edited and removed from this Alert Group. Columns: Event Log Type, Source, Category, Event ID, User, Match In Event Descr. Buttons: Add, Edit, Remove, < Back, Next >, Finish, Cancel.
226. ation: Logfile Monitor tab (screenshot residue: File and Help menus; Select Systems: WEBDOC1, Agent based system; Apply the following settings to specified clients; Manager destinations: WEBDOC1; tabs Managers, Event Filters, System Monitor, Monitor Apps, Services, Log Backup, Processes, Network Connection Monitor, Logfile Monitor). Search log files (various formats supported) for the matching patterns specified here. Both individual files and folders are monitored for matching entries. Matches cause an event to be generated.
     Table 44:
     Add File Name: Add a log file that you want to monitor.
     View File Details: View log file details.
     Delete File Name: Delete the log file name from the list.
     Search Strings: Configure the strings to search.
     (Figure 240: Enter File Name)
     4. Click Add File Name. EventTracker displays the Enter File Name dialog box.
     5. Select the Get All Existing Log Files option if you want all the existing files prior to this configuration as well as the files that are logged after this configuration.
     6. Select the logfile type from the Select Logfile Type drop-down list. You can configure the complete path of the log file or folder that needs to be monitored along with the strings that need
227. backup and clear operation.
     Computer: EXCHTEST
     Log file name: Application
     Log file backup: Not applicable
     Log file clear: Success
     Reason: Received invalid offset error while reading the event log. For more information see Microsoft KB Article 177199.
     Backup event logs: If the Backup event logs option is selected and the offset is lost at any point, the respective log file will be backed up and cleared whether or not the Clear log after backup check box is selected, and the following 3241 event will be logged:
     EventTracker log backup and clear operation
     Computer: EXCHTEST
     Log file name: Security
     Log file backup: C:\Program Files\Prism Microsystems\EventTracker\Agent\EXCHTEST\Eventlog Backup\Security1221683647.evt
     Log file clear: Success
     Reason: Invalid offset error while reading the event log. For more information see Microsoft KB Article 177199.
     Backup Path: By default, backed up log files are stored in the EventTracker installation folder, typically Program Files\Prism Microsystems\EventTracker\Agent. You cannot change this path.
     Keep backup files for: If selected, backup files older than the selected number of days will be automatically deleted by the agent.
     4. Select the options appropriately and then click Save on the Agent Configuration window. You can apply the current settings to ot
228. c (screenshot residue: All Network Traffic (NCM), Suspicious Traffic Only (SNAM); Connection States: Open, Changed, Close; Exclude List; Include List)
     TCP: This check box is selected by default to monitor TCP network connections.
     UDP: This check box is selected by default to monitor UDP network connections.
     Connection States:
       Open: This check box is selected by default to monitor opened TCP/UDP connections.
       Changed: Select this check box to monitor TCP/UDP connections whose connection state has changed recently.
       Close: This check box is selected by default to monitor closed TCP/UDP connections.
     All Network Traffic (NCM): By default EventTracker selects this option.
       Exclude List: Click this button to configure the network connections that need not be monitored.
       Include List: Click this button to configure the network connections to monitor. The Include Network Connections List always overrides the Exclude Network Connections List.
     Suspicious Traffic Only (SNAM):
       Trusted List: Click this button to view and configure trusted network connections.
     4. Select or clear the TCP or UDP check box.
     5. Click Save.
     Excluding Network Connections from monitoring
     To configure network connections that need not be monitored:
     1. Open the Agent Configuration window.
     2. Select the system from the Select Systems drop-down list.
     3. Click the Network Connection Monitor tab. EventTracker disp
229. ccount information: Enter privileged account information (usually Domain Admin privileges are required): User Name, Password.
     5. Type a valid user name in the User Name text box and a valid password in the Password text box.
     6. Click Execute. EventTracker displays the EventTracker Agent Management Tool message box (Figure 288): "Status of EventTracker Agents: Results written to file C:\Program Files\Prism Microsystems\EventTracker\Report.txt".
     7. Click OK. EventTracker displays the result in Notepad.
     Querying Agent Service status: Group
     This option enables you to query the status of the agent service in the selected Group. To query the agent service status in the selected Group:
     1. Select the Group option.
     2. Select the Group from the Group Name drop-down list.
     3. Select the Query for Agent service status option.
     4. Click Next >. EventTracker displays the Enter privileged account information dialog box.
     5. Type a valid username and password and then click Execute. EventTracker displays the EventTracker Agent Management Tool message box.
     6. Click OK. EventTracker displays the result in Notepad.
     Querying Agent Service status: All
     This option enables you to query the agent service status runni
230. choose the Add Alert option. EventTracker displays the Alert Name tab on the Alert Group Configuration console.
     Chapter 5 Configuring RSS Feeds
     In this chapter you will learn how to configure RSS Feeds.
     RSS Feeds
     RSS (XML) feeds can send notifications to your computer upon generation of Advanced reports or Alerts raised by EventTracker. Contents will fly to your desktop faster than an e-mail notification. EventTracker does not delete an RSS Feed permanently when you delete it; rather, it makes the feed inactive.
     Adding RSS feeds
     This option helps you add RSS feeds. To add RSS feeds:
     1. Open the Management Console.
     2. Click the Configure menu and select the RSS Feeds option. EventTracker displays the RSS Feeds window (Figure 102: RSS Feeds; Available Feeds: Feed Name, Description, Added By, Added Date; Show only Active feeds; New Feed, Delete Feed, Close).
     RSS feed URL: http://<this server>/eventrss[garbled in extraction]EntFeed[garbled]<feed name>.xml. To subscribe to these feeds, point your RSS reader to the URL shown above. Replace <this server> with the name or IP address of this server and <feed name> with the name of the RSS feed. To know more about RSS feeds please click here.
     Available Feeds: Displays the name of the feed. Description: Displays the description of the feed. Added B
231. (Alerts dashboard screenshot residue: category counts such as Oracle 3, Snort 4, Solaris BSM 3, SOX 4, Syslog 2, Veritas 2, plus Suspicious Network Activity and VMware ESX; EventTracker "App Open" and "App Close" events for OUTLOOK.EXE, WINWORD.EXE, Acrobat.exe, EtwControlPanel.exe and RoboHTML.exe on WEBDOC1 and SYS5, dated 1/13/2010; Total Categories 850, Total Events 386, Selected Event 384, Max Rows 500)
     Control Panel
     EventTracker control panel consi
232. cond two numbers: version of the product; third two numbers: build of the product; last two letters: document description. Version/Build: ET 6.4 50 USGD (Name of the Product; Document Description). The document revision control number for this guide is as given below.
     Description: Updated in accordance with release version 6.4 build 50.
     Release Date: Feb 17, 2010.
     How to Get In Touch
     The following sections provide information on how to obtain support for the documentation and the software.
     Documentation Support
     Prism Microsystems Inc. welcomes your comments and suggestions on the quality and usefulness of this document. For any questions, comments or suggestions on the documentation, you can contact us by e-mail at support@prismmicrosys.com.
     Customer Support
     If you have any problems, questions, comments or suggestions regarding EventTracker, contact us by e-mail at support@prismmicrosys.com. While contacting customer support, have the following information ready:
     - Your name, e-mail address, phone number and fax number
     - The type of hardware, including the server configuration and network hardware if available
     - The version of EventTracker and the operating system
     - The exact message that appeared when the problem occurred, or any other error messages that appeared on your screen
     - A description of how
233. cter
     (Figure 243: Select Folder/File Name; Figure 244 and Figure 245: Select file extension. Screenshot residue: Select Drive, Select Folder, Show the files; file list with ISALOG_20080614, ISALOG_20080615, ISALOG_20080617 and Sample .w3c log files; folders Documents and Settings, Inetpub, Program Files)
     Click OK. EventTracker displays the Select File Extension window ("Enter the log file's extension to be processed"). Type the file name in the field provided, or leave it as it is to consider all files in the selected folder with the file extension .w3c for monitoring. If you are specifically interested in monitoring ISA Firewall log files, type the file name as ISALOG (extracted as "SISALOG wac"). To select multiple files irrespective of file extensions, type [value lost in extraction].
     (Figure 246: Select file extension) EventTracker displays the EventTracker Agent Configuration message box (Figure 247: EventTracker Agent Configuration).
234. ction Points: Up to 10 collection groups can be configured, each using a different port. Recommended ports are 14505, 14515, 14535. (Screenshot residue: 14505 All Systems; Edit, Remove, Close.)
     3. Click Add. EventTracker displays the Receiver Port dialog box (Figure 49: Receiver Port; Port Number, Description; OK, Cancel).
     4. Add Receiver ports and then click OK. Example: 14515, 14525. EventTracker adds the newly configured ports (Figure 50: Virtual Collection Points; Port Number, Description; 14505 All Systems).
     5. Click Close.
     6. Click OK on the Manager Configuration window. EventTracker displays the EventTracker Console confirmation message box (Figure 51: EventTracker Console confirmation message box; "Do you want to save the changes?" Yes/No).
     7. Click Yes to save the changes.
     8. Restart the Management Console. EventTracker updates these changes in the evtrxer.ini file (Program Files\Prism Microsystems\EventTracker\evtrxer.ini; Figure 52: evtrxer.ini opened in Notepad).
235. curity: Account management; All Scheduled Reports; Security: Policy change; Security: System Security; Security: Account privileges; RSS Feeds; Security: Account renames (Refresh, Export, Close).
     Categories: Select a Category or Categories from this list. Click Add > to add the selected Category or Categories to the Selected list. Click Add All >> to export all the Categories; all the Categories are added to the Selected list.
     Selected: Select a Category or Categories from this list. Click < Remove to remove the selected Category or Categories from this list. Click << Remove All to remove all the Categories from this list.
     Refresh: Click to update the Categories.
     3. Type appropriately in the relevant fields.
     4. Click Export. EventTracker displays the Select Export File dialog box.
     5. Click the Save in drop-down box and select the path where you want to export the category.
     6. Type the file name in the File name field. The valid file extension is .iscat.
     7. Click Save. EventTracker displays the Export Import Utility message box (Figure 357: Export Category message box): "Successfully exported the selected Category/Categories".
     8. Click OK.
     Expor
236. d Filter. EventTracker displays the Add Event Filter Parameters dialog box.
     3. Enter or select appropriately in the relevant fields.
     (Figure 29: Add Event Filter Parameters.) Please take care to enter the correct details for effective results. Event Details: an empty field implies all matches. Fields: Computer (WEBDOC1), Event Type (Information), Log Type, Match in Source, Category, Event ID, Match in User, Match in Event Descr. The Match in Event Descr field can take multiple strings separated with & or [character lost in extraction]; && stands for the AND condition and [character lost in extraction] stands for the OR condition. Note: if you want to match any of the special characters like [character list lost in extraction], then escape that character in the search string with a backslash. Example: [lost in extraction]. For more information click here.
     4. Click OK. EventTracker displays the Filter Events console with the newly added filter.
     5. Click Filter Exception. EventTracker displays the Filter Exception console (Figure 30: Filter Exception). Filter exceptions provide you with the option to monitor specific events even if they match any Fi
237. d report via E-mail > Send report via E-mail. Send report via e-mail will send an e-mail to the recipients with the selected event details. Please note that this feature requires you to configure the SMTP details at Alerts Dashboard > Main menu > Tools > Options > Email Configurations.
     Sample message: "Please find the selected Event details. Alert Rule: SOX EventTracker EXE tracking; Event ID: 322; Source: EventTracker; System: WEBDOC1; Event Type: Information; Description: App Open Exe: Alerts Dashboard.exe Name: EventTracker Description: Alerts Dashboard Version: 6.4.0.0 Vendor: Prism Microsystems Inc. PID: 3388".
     Type appropriate details in the relevant fields and then click Send.
     Double-click the name of the system on the Alerts Dashboard to view all Alert details of that particular system. EventTracker displays the Alert details in Quick View (Figure 322: Alerts Quick View; 71 event(s) found; columns Date/Time, Event Id, System, Event Type, Log Type, Source, User, Description; for example 12:00:39 PM 01/13/2010 3222 WEBDOC1 Information Application EventTracker toons\nirmal App Close Exe: taskmgr.exe Microsoft Windows Operating S..., and 12:00:23 PM 01/13/2010 3221 WEBDOC1 Information Application EventTracker toons\nirmal App Open Exe: taskmgr.exe Name: Microsoft Windows Op
238. dd Program/Port to Trusted List window (Figure 277: Add Program/Port to Trusted List window; Add Program, Add Port; Port Number: 33039, 514; Select All; Total Process 2).
     2. Select the programs, or select the Select All check box, and then click Add to add the programs to the trusted list. EventTracker adds the selected items to the Trusted Connections List.
     Monitoring Processes
     Process monitoring enables the administrator to keep tabs on the general health of processes on a system. You can configure general process health thresholds for CPU and Memory Usage per process. CPU usage is measured as a percentage, while Memory usage is measured in absolute terms. When the configured threshold is crossed, an event is generated and reported to the Manager. An event is also generated when usage drops back below the configured thresholds. Care is taken not to report spikes in CPU or memory usage by a process, so when an event shows that a process is crossing thresholds you can be sure that this has held for a long enough period and needs to be investigated. By default all processes are monitored, and the default threshold limits are 80 MB of Memory Usage and 60% of CPU. You can also choose to filter out processes that you do not want to monitor. By default all proce
239. dded are listed in this drop-down list.
     Select CAB Status: Select the status of the CAB files from this drop-down list and then click Show. Available options are All, Success, Failed, Do not Send, In Progress and Queued.
     (Select all check box): Select this check box to mark all the CAB files to send to the selected Collection Master(s).
     Adding Collection Masters
     This option helps you add Collection Masters. Every Collection Point can be configured to send CAB files simultaneously to up to 5 Collection Masters. The Collection Master may exist in the same domain or in a trusted domain. To configure Collection Masters:
     1. Click Configure on the Collection Point Console, OR click the Configure menu and then select Manager. EventTracker displays the Configure Managers console (Figure 431: Configure Managers console; Collection Point Console: Manage CAB, Configurations, Configure Managers; "Up to 5 Master Consoles can be configured"; columns Destination Name, Active/Inactive, Encrypt Data, Description; Add, Remove).
     Table 82: Configure
     Configured Collection Master(s) details are displayed in this console.
     Destination Name: Displays the IP address of the configured Collection Master(s).
     Port: The default port is 14507. You can modify the port number. Port n
240. ...(program list residue: Microsoft Word, "Create and edit text and graphics in letters, reports..."; an Explorer entry, "Explore the web, read your e-mail, talk to your online..."; Select All; Total Process: 176; Cancel)

Chapter 8: Managing Windows Agents, Configuring Windows Agent

2. Select the check box against the programs, or select the Select All check box to select all the programs.
3. Click Add. EventTracker adds the selected programs to the Trusted Connections List.
4. Click Close.
5. Click Save on the Agent Configuration window.

Adding Firewall Exceptions to the Trusted List

This option helps you add the processes and ports listed in the Firewall program and port exceptions to the trusted list.

To add Firewall Exceptions to the Trusted List:

1. Click Add Firewall List. EventTracker displays the Add Program/Port to Trusted List window.

Figure 276: Add Program/Port to Trusted List window (Add Program / Add Port; application list includes acrodist.exe, segsmgr.exe, ET Console.exe, googletalk.exe, getallevt.exe; Select All; Total Process)

By default EventTracker selects the Add Program option and displays the programs in the exceptions list.

2. Select the Add Port option. EventTracker displays the A
241. ...by default displays the Backup Current Configuration dialog box.

4. Select the path where you want to back up the current configuration settings.
5. Enter the file name in the File name field. The valid file extension is .ini.
6. Click Open. EventTracker displays the EventTracker Agent Configuration message box.
7. Click OK.

Protecting the Current Configuration Settings

This option enables you to protect the current configuration settings, so that they can be modified only from the systems you allow.

To protect the current configuration settings for the local system:

1. Open the Agent Configuration window. EventTracker by default displays the Managers tab.
2. Select the system from the Select Systems drop-down list.
3. Click the File menu and select the Security option. EventTracker displays the Security dialog box.

Chapter 8: Managing Windows Agents, Configuring Windows Agent

Figure 285: Security dialog box (Client Configuration Protection; "Settings can be modified on the following system(s)"; "Maximum of 5 IP addresses can be configured, separated by comma"; Remedial Action; Agent Configuration Protection)

Enable: Select this check box to enable the other options in this dialog box (protection for the agent configuration).

Settings can be modified on the following system(s): Lists the systems (at most 5 IP addresses, comma-separated) from which the configuration may be changed.

Local System: Select this check box to protect the current configuration settings only for the local system. Other users cannot modify your
242. ...determine what has transpired with the individuals for whom these accounts were created, i.e. whether or not they have actually started work. Once the status of the employees is known, these accounts may then be disabled or deleted as required.

Administrative Access to Computers

Administrative access is required to perform many common tasks on workstations and servers, such as stopping and starting services, installing software and creating local groups for data permissions. Care needs to be taken in the assignment of local administrative rights, since an account with this right has a wide-ranging ability to modify applications such as SQL Server or IIS; inappropriately assigned administrative access can lead to outages of line-of-business applications. On the other side of this equation are enterprising power users who will sometimes go out of their way to block administrators' legitimate access to their machines. These situations cause innumerable problems when it comes time to do remote management, hardware and software inventory, software rollouts and even access control list updates. In either case, administrators need to know who has local administrative authority on the workstations and servers in their environment. The Administrator Access by Computer report can quickly provide this information.

Appendix: Security Reports

File Access by U
243. ...dialog box.

Figure: Change Address Range Setting dialog (Remote Address Range: from/to; Remote Address Subnet Range: from/to)

Address Range: Type the range up to which you want to monitor IP network connections. This option is available only when you type an address in the Host name, IP address or URL field.
Process: Type the process name in this field.
Connection State: Select a connection state from the drop-down list.

If a field is left blank, a wildcard match for that field is assumed. For example, leaving the Local Port field blank implies that any value in that field is acceptable.

6. Type appropriately in the relevant fields.

Chapter 8: Managing Windows Agents, Configuring Windows Agent

Figure 268: Network Connection Details window ("empty field implies all matches"; Local Address Details: Host name or IP Address, e.g. WEBDOCT, Local Port, e.g. smtp 25, "service for sending"; Remote Address Details: Host name, IP Address or URL, e.g. OBELIX, Remote Port, "service for receiving", Select IP Address; Process Name, e.g. iexplore.exe, msimn.exe; Connection State, e.g. ESTAB; OK, Cancel)

7. Click OK. EventTracker displays the Exclude List dialog box.

Figure 269: Exclude List window ("List of authorized connections for which no notification will be sent"; Include li
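The matching rule stated above (blank field = wildcard, every filled field must match) as an added example; this is illustrative code, not EventTracker's own connection monitor. It models a Network Connection Details entry as a rule over local/remote address and port, process name and connection state, lets the remote address be a single host, an address range or a subnet, and then reports every observed connection that no authorised (Exclude List) rule covers. The "a-b" range syntax, the CIDR form, the record layout and the sample connections are assumptions constructed for the example.

```python
"""Network-connection rule matching with wildcard fields (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Connection:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    process: str
    state: str


@dataclass(frozen=True)
class Rule:
    # None or "" in any field means "match anything", as in the dialog.
    local_addr: Optional[str] = None
    local_port: Optional[int] = None
    remote_addr: Optional[str] = None    # host, "lo-hi" range, or CIDR subnet (assumed syntax)
    remote_port: Optional[int] = None
    process: Optional[str] = None
    state: Optional[str] = None


def _addr_matches(pattern, addr):
    """Empty pattern matches all; hostnames compare as strings; IPs support range/subnet."""
    if not pattern:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                      # observed address is a host name
        return pattern.lower() == addr.lower()
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    if "-" in pattern:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in pattern.split("-", 1))
        return lo <= ip <= hi
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:                      # pattern is a host name, observed is an IP
        return False


def matches(rule, conn):
    """True when every non-empty rule field matches the connection."""
    return (_addr_matches(rule.local_addr, conn.local_addr)
            and (rule.local_port is None or rule.local_port == conn.local_port)
            and _addr_matches(rule.remote_addr, conn.remote_addr)
            and (rule.remote_port is None or rule.remote_port == conn.remote_port)
            and (not rule.process or rule.process.lower() == conn.process.lower())
            and (not rule.state or rule.state.upper() == conn.state.upper()))


def connections_to_report(conns, exclude_rules):
    """Return connections not covered by any authorised (exclude-list) rule."""
    return [c for c in conns if not any(matches(r, c) for r in exclude_rules)]


# Constructed observations and an exclude list for them.
CONNS = [
    Connection("10.0.0.5", 25, "10.0.0.9", 51234, "smtpsvc.exe", "ESTABLISHED"),
    Connection("10.0.0.5", 51000, "203.0.113.7", 443, "iexplore.exe", "ESTABLISHED"),
    Connection("10.0.0.5", 51001, "192.168.1.100", 445, "svchost.exe", "ESTABLISHED"),
    Connection("10.0.0.5", 51002, "198.51.100.4", 6667, "unknown.exe", "SYN_SENT"),
]
EXCLUDE = [
    Rule(local_port=25, process="smtpsvc.exe"),                          # local mail service
    Rule(remote_addr="192.168.1.96-192.168.1.127", remote_port=445),     # file shares in a range
    Rule(remote_addr="203.0.113.0/24", process="iexplore.exe", state="ESTABLISHED"),
]

if __name__ == "__main__":
    for c in connections_to_report(CONNS, EXCLUDE):
        print(f"unexpected: {c.process} {c.remote_addr}:{c.remote_port} {c.state}")
```

Because a blank field is a wildcard, an exclude entry with every field empty silences all notifications; when building an exclude list, fill in at least the process and the remote port so an authorised entry cannot be satisfied by an arbitrary outbound connection from a different program.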
244. ...adding the computers.

Figure 134: Add computers from an IP subnet message box ("Background processing and addition of Computers is complete. You may want to refresh your view and check the results.")

7. Click OK.

If you selected the "in the foreground - I will wait as Computers are searched for and added" option, System Manager displays the Add Subnet message box.

Figure 135: Add Subnet window, adding systems in the foreground (Subnet Address; Add Systems; Status: "EventTracker System Manager is Finding Computers")

8. Refresh the System Manager. The computers are added to the selected domain.

Chapter 7: Managing System Groups, Removing Computers

Removing Computers

You can remove computers when System Manager is in either Auto or Manual discover mode.

Removing Computers - Auto Discover Mode

This option enables you to remove computers when the System Manager is in Auto Discover mode.

To remove computers:

1. Open the System Manager.
2. Click the File menu and select the Remove Computer(s) option. System Manager displays the EventTracker System Manager message box.

Figure 136: Remove Computers message box ("Please note that in Auto Discover mode it is recommended not to remove Computers unless they are removed from the network, since they
245. ...displays the Knowledge Base web site (http://kb.prismmicrosys.com).

EventTracker Diagnostic & Support Tool

Windows adds the Diagnostic & Support Tool as a Startup program after successful installation of EventTracker.

Chapter 1: Getting Started, EventTracker Diagnostic & Support Tool

Figure 19: Diagnostic & Support Tool (taskbar notification icon next to the EventTracker Control Panel; "EventTracker status is normal")

Right-click the Diagnostic & Support Tool icon on the taskbar. EventTracker displays the shortcut menu. To set the frequency, move the mouse pointer over the Run Frequency option. EventTracker displays the options to set the frequency.

Figure 20: Diagnostic & Support Tool shortcut menu (Show, Run now, Exit; Run Frequency: Daily, Twice Daily, Every Hour)

Chapter 2: EventTracker Management Console

In this chapter you will learn how to:
- Choose Columns
- Filter Events from the View
- Filter Events with Exception
- Clear All Events from View
- Reload the Navigati
246. ...the Archintegrity report in Notepad.

Appending CAB Files

When you manually copy CAB files from different sources to the EventTracker archives folder, you have to recreate the archives index file (etwarindex.bin) with the Archive Indexer tool (Control Panel > Maintenance Tools > Archive Indexer). This is a very time-consuming process if you are copying a huge volume of CAB files. The Append Archives feature instead appends the timeticks, name and checksum information for the new CAB files to the existing archive index file, which takes far less time.

To append CAB files:

1. Open the EventVault Warehouse Manager.
2. Click Append Archives on the toolbar. EventVault Warehouse Manager displays the Append Archives window.

Chapter 10: EventVault Warehouse Manager, Appending CAB Files

Figure 306: Append Archives window (Source archives path; Search in Sub Folders; Destination: C:\Program Files\Prism Microsystems\EventTracker\Archives; columns Cab Path, Cab Present, Cab Missing; Total Cabs Found; Cabs Selected; OK, Cancel)

Cab Present: Indicates CAB files that are already present in the Archives folder. EventVault Warehouse Manager ignores these redundant CAB files.
Cab Missing: Indicates CAB files that are not present in the destination folder, i.e. the EventTracker Archives folder.

After creating the index file, EventVault Warehouse Manager displays the Append
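The operation Append Archives performs, as an added example; this is illustrative code, not EventTracker's own indexer, and the real etwarindex.bin layout is not documented on this page, so the index here is a plain JSON list. The example walks a source folder (optionally recursing into sub-folders), records name, time ticks and checksum for each CAB, skips CABs whose checksum is already indexed (the "redundant CAB" case), and leaves existing entries untouched rather than rebuilding the whole index. SHA-256 as the checksum, file modification time standing in for time ticks, and the throwaway archive tree built by `demo()` are all assumptions constructed for the example.

```python
"""Incrementally appending CAB files to an archive index (added example)."""
import hashlib
import json
import os
import tempfile


def file_checksum(path):
    """SHA-256 of the file contents (checksum algorithm is an assumption)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_index(index_path):
    """Read the existing index; a missing index is an empty list."""
    if not os.path.exists(index_path):
        return []
    with open(index_path, "r", encoding="utf-8") as f:
        return json.load(f)


def find_cabs(root, recurse=True):
    """Yield *.cab paths under root; with recurse=False only the top level is searched."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".cab"):
                yield os.path.join(dirpath, name)
        if not recurse:
            break


def append_archives(source_dir, index_path, recurse=True):
    """Append CABs not yet in the index; return (added, skipped) counts."""
    entries = load_index(index_path)
    known = {e["checksum"] for e in entries}
    added = skipped = 0
    for path in sorted(find_cabs(source_dir, recurse)):
        digest = file_checksum(path)
        if digest in known:                  # redundant CAB: already indexed, ignore it
            skipped += 1
            continue
        st = os.stat(path)
        entries.append({
            "name": os.path.basename(path),
            "timeticks": int(st.st_mtime),   # assumption: mtime stands in for time ticks
            "checksum": digest,
        })
        known.add(digest)
        added += 1
    with open(index_path, "w", encoding="utf-8") as f:
        json.dump(entries, f, indent=1)
    return added, skipped


def demo(tmpdir=None):
    """Build a constructed archive tree and run the append twice.

    Returns ((added, skipped) of run 1, (added, skipped) of run 2, index length).
    """
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="cabidx-")
    src = os.path.join(tmpdir, "incoming")
    os.makedirs(os.path.join(src, "sub"), exist_ok=True)
    # dup.cab has the same bytes as a.cab, so it is a redundant CAB.
    for rel, data in (("a.cab", b"cab-one"), ("sub/b.cab", b"cab-two"), ("sub/dup.cab", b"cab-one")):
        with open(os.path.join(src, rel), "wb") as f:
            f.write(data)
    idx = os.path.join(tmpdir, "index.json")
    first = append_archives(src, idx)
    second = append_archives(src, idx)
    return first, second, len(load_index(idx))


if __name__ == "__main__":
    print(demo())
```

Keying the "already present" check on the checksum rather than the file name is what protects the index when two sources hand you differently named copies of the same CAB, and it is also what lets a re-run be idempotent: the second pass adds nothing.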
247. ...Select Systems (From / To date and time; All Systems / Specific Systems)

Display all records: By default this option is selected. All records are displayed in the report in descending order.
Display only top: Select this option if you want only a specified number of records to be displayed in the report.
Select Event Id: You can select 5 hard-coded Windows security events for event traffic analysis:
540 (Successful Network Logon): selecting this ID generates 2 reports, sorted by Username and by IP address.
672 (Authentication Ticket Granted): selecting this ID generates 2 reports, sorted by Username and by IP address.
673 (Service Ticket Granted): selecting this ID generates 1 report, sorted by IP Address.
675 (Pre-authentication failed): selecting this ID generates 2 reports, sorted by Username and by IP address.

Chapter 11: Analysis, Event Traffic Analysis

680 (Logon attempt): selecting this ID generates 2 reports, sorted by Username and att
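The per-event-ID breakdown described above, as an added example (illustrative code, not EventTracker's own report engine). It keeps only the five event IDs the guide lists, and for each produces the breakdowns the guide says it gets: a count per user name and per source IP (only per IP for 673), sorted by count descending, with an optional "display only top N" cut-off. The record layout and the sample records are assumptions constructed for the example.

```python
"""Event traffic analysis for the five hard-coded logon-related event IDs (added example)."""
from collections import Counter

# Event IDs from the guide, and which report breakdowns each one gets.
EVENT_REPORTS = {
    540: ("user", "ip"),   # successful network logon
    672: ("user", "ip"),   # authentication ticket granted
    673: ("ip",),          # service ticket granted: IP report only
    675: ("user", "ip"),   # pre-authentication failed
    680: ("user", "ip"),   # logon attempt
}


def analyze(records, event_id, top=None):
    """Return {"user": [(name, count), ...], "ip": [(addr, count), ...]} for one event ID.

    Each list is sorted by count, descending, with ties broken by key so the
    result is stable; `top` keeps only the first N rows of each list.
    """
    if event_id not in EVENT_REPORTS:
        raise ValueError(f"event {event_id} is not one of the supported IDs")
    users, ips = Counter(), Counter()
    for rec in records:
        if rec["event_id"] != event_id:
            continue
        users[rec["user"]] += 1
        ips[rec["ip"]] += 1
    out = {}
    for key, counter in (("user", users), ("ip", ips)):
        if key in EVENT_REPORTS[event_id]:
            rows = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
            out[key] = rows[:top] if top else rows
    return out


# Constructed sample records: normal logons plus a burst of pre-auth failures
# against several accounts from one host, which is what the 675 IP report surfaces.
RECORDS = [
    {"event_id": 540, "user": "alice",   "ip": "10.0.0.21"},
    {"event_id": 540, "user": "bob",     "ip": "10.0.0.22"},
    {"event_id": 540, "user": "alice",   "ip": "10.0.0.21"},
    {"event_id": 675, "user": "alice",   "ip": "10.0.0.99"},
    {"event_id": 675, "user": "bob",     "ip": "10.0.0.99"},
    {"event_id": 675, "user": "carol",   "ip": "10.0.0.99"},
    {"event_id": 675, "user": "carol",   "ip": "10.0.0.23"},
    {"event_id": 673, "user": "svc-sql", "ip": "10.0.0.30"},
    {"event_id": 673, "user": "svc-sql", "ip": "10.0.0.31"},
]

if __name__ == "__main__":
    for eid in EVENT_REPORTS:
        print(eid, analyze(RECORDS, eid, top=3))
```

Reading the two 675 breakdowns together is the point: a single IP with failures spread across many user names is a different picture from one user failing from many IPs, and the per-user list alone does not show it.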
248. ...the System Status of the computer where you have installed the Agent.

Figure 290: EventTracker System Manager console (File, Options, Help; Configure System, Search Computers; Create Group, Delete Group, Add System, Remove System, Upgrade Agent; columns Computer, Domain, Type, Status; systems listed as Managed or Unmanaged, e.g. Windows 2000 Professional; callout: "Status of the system where you have installed the Agent from the command prompt")

Chapter 8: Managing Windows Agents, Deploying Windows Agents in Command Line Mode

Uninstalling Agent
249. ...Maintenance Tools on the EventTracker Control Panel. EventTracker displays the EventTracker Maintenance Tools window.

Figure 111: EventTracker Maintenance Tools splash screen (Archive Indexer, Compaction Utility, Import and Export Utility; E-mail: support@prismMicrosys.com)

2. Double-click Archive Indexer. EventTracker displays the Archive Indexer dialog box.

Figure 112: Archive Indexer dialog box (Specify Event Archive Folder: C:\Program Files\Prism Microsystems\EventTracker\Archives)

Table 28: Specify Event Archive Folder: By default EventTracker displays the archives path in this field. To change the path, click the navigate button and select the folder where the archive files are stored.

3. Type the archive folder path in the Specify Event Archive Folder field.

Chapter 6: Maintenance Tools, Creating Index for Archive Files

4. Click Create Index. EventTracker displays the DOS window.

Figure 113: Archive Index command prompt (C:\Program Files\Prism Microsystems\EventTracker\Archindxr.exe; "Do you want to log the operations (Y/N)?")

5. To have a log file, press Y. If you do not want a log file, press N. EventTracker starts indexing the archive files and displays the DOS window.

Figure 114: Archive Index command prompt (C:\Program Files\Prism Microsystems\E
250. ...events can be added, edited and removed from this Alert Group (columns: Event Type, Log Type, Category, Event ID, Match in Event Descr).

9. Select an event from the list. Click Edit Event to modify the settings or Remove Event to delete them.
10. Click the Event Filters tab, OR click Next >. EventTracker displays the Event Filters tab.
11. Click Add Event. EventTracker displays the Event Configuration dialog box.
12. Type appropriately in the relevant fields.

Chapter 4: Configuring Alerts and Alert Notifications, Configuring Alerts

Figure 60: Event Configuration dialog box ("Please take care to enter the correct details for effective results"; Event Details, empty field implies all matches: Event Type, Log Type, Match in Source, Category, Event ID, Match in User, Match in Event Descr; OK, Cancel)

The Match in Event Descr field can take multiple strings separated with || or &&. && stands for the AND condition and || stands for the OR condition. Note: if you want to match one of the special characters that the syntax itself uses, prefix that character in the search string with a backslash. For more information, click here.

13. Click OK. EventTracker displays the Event Filters tab with the newly added event filter.
251. ...forwarded as SYSLOG messages (Trap Destination: IP address or host name; Mode: UDP / TCP; UDP Port)

3. Type the appropriate port details and then click OK. EventTracker adds the newly configured ports.

Forwarding Raw Syslog Messages

This option helps you forward received Syslog messages in raw format, i.e. forwarded in the same format as they were received, to a specified destination. Note that UDP gives no delivery guarantee, so use TCP where the destination supports it if forwarded messages must not be silently lost.

To forward Syslog messages in raw format:

1. Select the Raw Syslog Forward check box.

Figure 46: Forwarding raw Syslog messages (Syslog Receiver Port: Port Number, Description; "Select a destination and port to which all the incoming events will be forwarded as SYSLOG messages"; Trap Destination: IP address or host name; Mode: UDP / TCP; UDP Port)

2. Type the name or IP address of the destination in the Trap Destination field.
3. Select an appropriate Mode of transport.
4. Select an appropriate port with respect to the mode chosen.
5. Click OK.
6. Click Close.
7. Click OK on the Manager Configuration window.

Virtual Collection Points for Windows Events

Chapter 3: Configuring Manager

The EventTracker Receiver can be configured to listen on 10 ports for Windows events.

Example scenario: consider EventTracker Agents on computers Sys2 and Sys3 forwarding events to Sys1. EventTracke
252. ...the latest Suspicious Ports.ini file by downloading it from the EventTracker Knowledge Base web site. The Suspicious Ports.ini file contains blacklisted applications and ports that are known threats to any enterprise setup. When you generate a Network Analysis report, EventTracker fetches suggestions from this file and displays them in the report. Although selecting the Check for Knowledge base updates check box is optional, it is advisable to keep this file up to date, since the report can only flag ports and applications the file knows about.

Chapter 4: Configuring Alerts and Alert Notification

In this chapter you will learn how to:
- Configure Alerts
- Configure Alert Actions
- Configure Remedial Actions

Alerts

EventTracker generates an alert when a critical event occurs, such as a security breach or a performance problem. You can configure an unlimited number of rule-based alerts with customizable event criteria, including support for automatic custom actions fired when any defined event occurs.

Configuring Alerts

- Out-of-the-box alerts for the most common predefined alert conditions
- Ability to create your own alert conditions
- Reliable framework for alerts
- Ability to minimize false positives

Firing automatic actions on receipt of an event can increase a system's availability.

This option enables you to configure Alert Groups, add events to Alert Groups and configure Alert Actions.

To configure Alerts:

1. Open the Ma
253. ...multiple strings separated with || or &&. && stands for the AND condition and || stands for the OR condition. Note: if you want to match one of the special characters that the syntax itself uses, prefix that character in the search string with a backslash. For more information, click here.

Click OK. EventTracker displays the Alert Group Configuration window with the modified event details.
Click Finish.
Click Save on the toolbar. EventTracker displays the EventTracker Management Console message.
Click OK.
Restart the Management Console.
Open the Manage Categories console. EventTracker displays the modified event details of My Alert.

Chapter 4: Configuring Alerts and Alert Notifications, Modifying Alert Details

Figure 76: Manage Categories console (New, Edit, Delete; "Categories are used to organize events in an ordered and user-friendly manner. Category Management is used extensively in Reports, showing only the events you find interesting. This interface can be used to create, manipulate and manage Categories."; tree: ALERTS (events that belong to pre-defined Alerts), All Categories, User Event, Altiris, AntiVirus, Check Point; MSExchange entries with event IDs 8002, 1112, 5002, 9559, 2007, 1004, 1184, 3218, 3217, 3209, 17052, ...)
254. ...use this data to filter out irrelevant events and perform other operational tasks.

Figure: Traffic Analyzer, Keywords Analysis (Select Criteria: View by Category / View by Event Id / View by Custom Selection / Keywords Analysis; "Exclude following words"; Select Time Range: From / To; Select Systems: All Systems / Specific Systems)

Add: Click Add to add keywords, then click OK on the dialog box ("Enter a word which needs to be added to the list of keywords"). EventTracker adds the new keyword to the list.
Edit: Select a keyword from the list and then click Edit to modify the keyword ("Modify the selected word in the list of keywords").
Remove: Select a keyword from the list and then click Remove to delete it from the list.
Analyze logs that contain selected keywords: Select a keyword in this list and then click Analyze.

Chapter 11: Analysis, Event Traffic Analysis

Keywords Analysis: Helps to analyze events by keywords, either specific words or everything except the words in the exclusion list.
Traffic Analyzer: Analyzes the event traffic pattern being logged. It is recommended that you use this data to filter out irrelevant events and perform other operational tasks.
255. ...select the Edit Category option. EventTracker displays the Edit Event Category dialog box.

Figure 348: Edit Event Category dialog box (Event Category Name: "Modification not available"; Description: "Enter/Modify descriptive information about the Event Category"; Event Category Details: Parent Group: My Sub Group; Event Category Name: AD Events Category; Description: Active Directory Events)

Table 66:
Parent Group: The parent node under which the Category was created.
Event Category Name: This field displays the event category name. This field is not editable.
Description: Type the event category description in this field.

Chapter 12: Managing Category Groups and Categories, Managing Event Categories

4. Modify the description in the Description field as required.
5. Click OK. EventTracker displays the Confirmation message box.

Figure 349: Confirmation message box ("Modifications done to category will affect all the category groups where this category exists. Are you sure you want to save the changes?"; Yes / No)

6. Click Yes. Note that the category is shared: the change is applied in every category group that contains it, not only in the group you opened it from.
7. To edit event details, double-click the event in the right pane, OR select an event and then click Edit Event. EventTracker displays the Edit Event Detail dialog box.
256. ...Selected list. Click Add All >> to export all the Domains; all the Domains are added to the Selected list.

Selected Domains: Select a Domain or Domains from this list and click < Remove to remove the selected Domain(s) from the list. Click << Remove All to remove all the Domains from the list.
Refresh: Click to update the Domains.

3. Type appropriately in the relevant fields.
4. Click Export.

Chapter 13: Export/Import Utility, Export and Import Utility

EventTracker displays the Select Export File dialog box.

5. Click the Save in drop-down box and select the path where you want to export the domains.
6. Type the file name in the File name field. The valid file extension is .issys.
7. Click Save. EventTracker displays the Export Import Utility message box.

Figure 364: Export Domains message box ("Successfully exported the selected Domain/Domains")

8. Click OK.

Exporting Systems

To export systems:

1. Open the Export Import Utility.
2. Select the Systems option. EventTracker displays the Export Import Utility window.

Figure 365: Export Import Utility window, Export Systems ("1. Select the EventTracker Systems to be exported. 2. Click the Export button. 3. Choose the f
257. ...Collection Master Console Confirmation message box ("The delete operation will remove all references, configuration information and CAB files of the Collection Point NEWYORK (192.168.1.30) from the database. Are you sure that you want to delete the selected Collection Point? Click Yes to confirm, No to abort.")

3. Click Yes.
4. Click CAB Status on the Collection Master Console. EventTracker displays the message box.

Chapter 15: Collection Master, Deleting Collection Point Detail

Figure 426: Collection Master Console message box (CAB present status)

5. Click OK. EventTracker displays the Collection Master Console.

Figure 427: EventTracker Collection Master Console (File, Configure, Help; CAB Status, Collection Point Detail, CAB Request; Select Criteria: Select Collection Point: All; Select CAB Status: All; Collection Point Name; Select all; Total Cab Files: 0; Success / Failed / In Progress)

When you delete Collection Point details, EventTracker also deletes all the CAB files received from the deleted Collection Points. There is no undo, so if the archived events may still be needed for retention or investigation, copy the CAB files elsewhere before deleting the Collection Point.

Configuring Alerts

Two new Alerts, namely EventTracker Collection Master Error and EventTracker Collection Point Er
258. ...Collection Point Edition.

2. Click Available Features. EventTracker displays the Available Features window.

Available Features (Collection Point Edition), each listed as Available: Backup eventlog; Alert; Alert E-mail; Alert Message; Alert Forward; Alert Custom; Alert Event; Reports: Report Console, Event Reports, Manage Categories, Import Categories, Export Categories, Quick Statistics, Report E-mail; EventVault: Manage Archive, Backup; Filter Non-essential events; Filter any event(s) for display only; Monitor only specific events; Filter any specific events.

3. Click License Usage. EventTracker displays the Availability of License window.

(Tabs: Available Features, License Usage, License Info, Patch Info, System Info. Copyright 1999-2010 Prism Microsystems Inc. All rights reserved.)

Chapter 1: Getting Started, Accessing About EventTracker Console

Figure 13: Availability of License (Available: Cluster(s), Server(s), Workstation(s), Syslog System(s), BSM Solaris agent(s), SNMP System(s), ... not
259. ...(System Manager right pane: systems listed with OS Windows 2003 / Windows 2000 and System Status Unmanaged; shortcut menu: Details, Add System, Remove System, Upgrade Agent, Remove Agent Components, Start Agent Service, System Status; status bar: "Displaying Windows Systems - Auto Discover: 57 Systems")

From the shortcut menu choose the Add System option. System Manager displays the Add Agent window.

Chapter 8: Managing Windows Agents, Deploying Agents

Figure 178: Add Agent window ("Select system to be monitored for events"; System, Latest Status; e.g. SYS LEO, Unmanaged)

Select Next > to select the install path.

Figure 179: Add Agent window, second page ("Select system to be monitored for events"; Computers: All >> Selected Computers; ALICE, ARNOLD, BALOO, CHARLIE, DONALD, ELC, ELR, EXCHTEST, GARFIELD, ...; Add, < Remove, << Remove All; Cancel, < Back, Next >, Advanced Install)

Table 35:
Group: Select a group from the drop-down list.
Computers: Select a computer on which you want to in
260. ...Filters; Save; Close.

Chapter 8: Managing Windows Agents, Deploying Agents

Viewing Agent Status

This option enables you to view the system health status.

To view agent status:

1. Open the System Manager.
2. Select the system in the right pane.
3. Click the View menu and select the System Status option, OR right-click the system whose status you want to view; System Manager displays the shortcut menu. From the shortcut menu choose the System Status option.

System Manager displays the system status in Notepad.

Starting the Agent Service

This option enables you to restart a terminated remote client service.

To start the Agent service:

1. Open the System Manager.
2. Select the system in the right pane.
3. Click the Options menu and select the Start Client Service option, OR right-click the system on which you want to start the client service; System Manager displays the shortcut menu. From the shortcut menu choose the Start Client Service option.

System Manager starts the client service and displays the result in Notepad. If the client is already running, System Manager displays the client status with a suitable message in Notepad.

Editing Admin Account

This option enables you to change the Client Service Account credentials. It can be used only for clients that are reachable over the Microsoft domain network and on which you have administrator privileges.
261. ...RSS Feeds, New Feed.

RSS feed URL: http://<this server>/eventrss/wml/EntFeed/<feed name>.xml. To subscribe to these feeds, point your RSS reader to the URL shown above, replacing <this server> with the name or IP address of this server and <feed name> with the name of the RSS feed. To know more about RSS feeds, click here.

6. To view the deleted feeds, select Inactive from the Show only drop-down list.
7. To view all Active and Inactive feeds, select All from the Show only drop-down list. EventTracker displays the RSS Feeds window.

Figure 110: RSS Feeds window (Available Feeds: "Feed for Detail Report", Added By: nirmal, Added Date: May 2008, Inactive; Show only; RSS feed URL as above)

8. Click Close.

Chapter 6: Maintenance Tools

In this chapter you will learn how to:
- Create an Index for Archive Files
- Compact the Database Size

Creating Index for Archive Files

This option enables you to create an index for CAB files.

To create an index for the archive files:

1. Double-click Maintenanc
262. ...Total Categories: 575.

3. Right-click All Categories or any other Group in the left pane. EventTracker displays the shortcut menu.

Chapter 12: Managing Category Groups and Categories

Figure 327: Manage Categories window (New, Edit, Delete; "Categories are used to organize events in an ordered and user-friendly manner. Category Management is used extensively in Reports, showing only the events that you find interesting. This interface can be used to create, manipulate and manage Categories."; columns Categories, Event Type, Log, Event ID; shortcut menu: Delete, New Group, New Category, Create Cat, Delete Cat, Remove Event, Edit Event; Close; Total Categories: 575)

4. From the shortcut menu choose New Group. If you selected a predefined Group rather than All Categories, the new Group is created as a sub-group of the selected Group; the Add Group dialog box indicates this against the Parent node label. OR click the New menu and select the New Group option. EventTracker displays the Add Group dialog box.

Figure 328: Add Group dialog box (Parent node: All Categories; Enter Group name; OK, Cancel)

Parent node: Name of the parent group under which the
263. ...select the SSLCA file and then click Open. EventTracker populates the SSLCA file field.

10. Type the Server IP. This is the IP address of the host where Check Point is installed.

Chapter 8: Managing Windows Agents, Configuring Windows Agent

Table 46 (continued):

11. Type the Server Port. This can be any port, but it must be consistent with the port you entered earlier in the fwopsec.conf file; a mismatch means the agent never connects.

Active: This option is selected by default. Select it to receive live Check Point logs from the point in time at which the configuration takes effect.

Select the other option to read from previous logs as well as the current logs. This option has two modes, Current Logs and All Logs. Select Current Logs to read from the first record of the current log; this mode is selected by default. Select All Logs to read from all the backed-up logs and the current logs.

12. Click OK. EventTracker displays the Agent Configuration window.

Figure 261: EventTracker Agent Configuration window (File, Help; Select Systems: WEBDOCT, Agent-based system; "Apply the following settings to specified clients"; Manager destinations: WEBDOCT; tabs: Managers, Event Filters, System Monitor, Monitor Apps/Services, Log Backup, Processes, Network Connection Monitor, Logfi
264. ...Category item. EventTracker displays only the events that occurred in the selected Category in the Dashboard pane.

Chapter 2: EventTracker Management Console, Search Based Console

Figure 21: Management Console (menus File, View, Configure, Reports, Tools, Window, Help; toolbar: System Manager, EventVault, Log Search, Enterprise Activity, Reports, Meter, Knowledge Base; Navigation pane with Auto Refresh and the category tree: All Categories, EventTracker, Cisco VPN, Citrix, Dell OpenManage, DoubleTake, EventLogCentral Login failure / Role config changes / User logoff / User logon, EventTracker Agent configuration change, EventTracker CAB integrity verification, EventTracker Collection master error / success, EventTracker Collection point error, ...; Dashboard: Category "EventTracker Software install/uninstall", showing the 2 most recent events, both from Local\SPIDER, source EventTracker: "Detected software OpenVPN AS Client 1.3.3 has been installed on this system" and "Detected software OpenVPN 2.0.9 gui 1.0.3 has been uninstalled from this s...")
265. empt Computer Type: select appropriately in the relevant fields. Select the systems. Click Analyze. EventTracker displays the report in Notepad. If you wish to display only a specified number of records in the report, type the number of records in the Display only top field or click the spin box. Traffic Analysis: View by Custom Selection. This option helps you customize the selection criteria. To analyze event traffic (View by Custom Selection): 1. Open the Management Console. 2. Click the Tools menu and select the Traffic Analyzer option. 3. Select the View by Custom Selection option. [Figure 315: Traffic Analyzer dialog box (Select Criteria: View by Category / View by Event; Select view rules: Event Type, Log Type, Event ID, Match in Source, Match in User, Match in Event Descr, Match in Event Id; empty field implies all matches; the Event Descr field can take multiple strings separated with && or ||, where && stands for AND and || stands for OR; Select Time; Select Systems: All Systems / Specific Sys
266. ent Details. [Event Details dialog box: empty field implies all matches; Computer WEBDOC1, Event Type Information, Event ID 3223, with Category, Log Type, Match in Source, Match in Event Descr and Match in User fields. The Match in Event Descr field can take multiple strings separated with && or ||, where && stands for AND and || stands for OR. Note: if you want to match on any of the special characters, prefix that character in the search string with a backslash. For more information, click here.] 8. Click OK. EventTracker displays the Filter Exception console with the newly added filter exception. 9. Click OK. 10. Click OK on the Filter Events console. 11. Restart the Management Console. In the above scenario, all events of the Information Event Type will be filtered out, with one exception: event 3223. Understanding Filters and Filter Exceptions. This section helps you understand how filters and filter exceptions work. To understand Filters and Filter Exceptions: 1. Open the Filter Events console. 2. Select the Filter and then click Remove Filter. EventTracker displays the EventTracker Console message box. 3. Click Yes. EventTracke
267. ent is forwarded as an SNMP trap to the specified destination. To forward events as SNMP traps: 1. Click the Actions tab. EventTracker displays the Actions tab. 2. Select the Forward Events as SNMP trap check box. EventTracker displays the Actions Forward dialog box. [Figure 89: Actions Forward as SNMP dialog box (select a destination and port to which an event will be sent as an SNMP trap; Destination address or host name; UDP Port 162)] You can also access the Actions Forward dialog box by selecting the corresponding check box under the Forward column on the Alerts Group dialog box. Forward Events as SNMP Traps. Trap Destination: type the IP address or host name, or select a trap destination from the drop-down list. UDP Port: type the UDP port number in this field. This field supports numeric data type only. [Figure 90: Alert Groups console] 3. Type appropriately in the relevant fields. 4. Click OK. 5. Click OK on the Alert Group Configuration dialog box. EventTracker displays the Alert Groups console with the newly created alert. Alert Grou
268. entTracker [Alerts analysis pane: list of EventTracker event 3221 (App Open) Information events from computer WEBDOC1 on 01/13/2010 for ArchiveAppender.exe, EtwControlPanel.exe, ETConsole3.exe and AgentInstaller.exe; showing max 100 records per page; selected 1 of 32; page 1 of 1] The Description field can take multiple strings separated with && or ||, where && stands for AND and || stands for OR. Example: open && Microsoft. You can e-mail only one Alert detail at once. 5. Click the Next >> button to move to the next detail, or select a row in the bottom pane. 6. Click the Send via E-mail hyperlink at the upper right corner. EventTracker displays the Send report via E-mail window. [Figure 321: Sen
269. entTracker Scheduler service tries to access CAB files on the remote machine, the Firewall may deny access to the remote machine. Allow the Firewall to permit the EventTracker Scheduler service to access CAB files on the remote machine. Collection Master and Collection Point communicate through port 14507. You can also add the EventTracker Scheduler service to the Exceptions (Programs and Services) list in Windows Firewall by doing the following: 1. Open the Windows Firewall settings window. 2. Click the Exceptions tab. 3. Click Add Program. 4. Click Browse and add the EventTracker Scheduler service to the Programs and Services list. EventTracker Scheduler service (Collection Master Console): the EventTracker Scheduler service at the Collection Master Console behaves as a server and will always be in Listen mode. Any number of Collection Points can be connected to the Collection Master. EventTracker Scheduler service (Collection Point Console): the EventTracker Scheduler service at the Collection Point Console wakes up once every 30 seconds and launches CollectionPointConfig.exe. This exe in turn queries the issdbv3 database for new CAB files to be sent to the Collection Master. Viewing CAB files. This option helps you view CAB files for a specific period. To view CAB files: 1. Double-click EventVault Warehouse Manager on the Control Panel, OR click
270. entered serial number. [Figure 232: USB Exception List (EventTracker will not disable USB devices with the listed serial numbers; USB Serial Numbers in decimal format; Enter USB Serial field)] [Figure 233: USB Exception List with the Edit USB Serial field showing 123, and Edit Ok / Edit Cancel buttons] 6. Click Edit Ok to update the changes or Edit Cancel to cancel the changes. If you click Edit Ok without making any changes, EventTracker displays a message box with an appropriate message. [Figure 234: EventTracker Agent Configuration message box: Duplicate strings are not allowed] 7. Select a serial number in the list and then click Remove to delete the serial number. Click Cancel to close the window without saving. Click Save & Close to save the changes and close the window. Monitor Applications. This option enables you to monitor installation and uninstallation of applications and to monitor application usage. EventTracker logs a custom information event whenever a monitored application is
271. ents that belong to the pre-defined Alert. [Alerts Category Events dialog box: category tree (All Categories, User Event, Altiris Solution, AntiVirus, Check Point, CISCO IOS, CISCO PIX, CISCO VPN, Citrix, Crystal Enterprise, EventTracker, Fortigate, Linux, Netscreen, ...) with the events of the selected category (MSExchange 8002, 1112, 5002, 9559, 2007, 1004, 1184; EventTracker 3218, 3217, 3209; MSSQLServer 17052, 17055; 516, 2026, 2028); buttons Delete Cat, Edit Cat, Add Events, Remove Event, Edit Event, Close; Total Categories: 575] Note: You can edit and delete the new event details in the Alerts Category. These manipulations would not affect the event details of the new Alert (that is, My Alert) in the Alert Groups console. 3. Click Edit Event. EventTracker displays the Edit Event Detail window. [Figure 70: Edit Event Detail] [Figure 71: Confirmation message box] Edit Event Detail: modify event details, more information, and change comments or recommended action for the event. Click OK to save and exi
272. er and select the EventTracker Management Console option, OR double-click Event Monitoring on the EventTracker Control Panel. EventTracker displays the Splash screen. [Figure 1: Splash screen (1,813,857 logs processed since install on Jan 02 2010; 342,991 logs processed today; Copyright 1999-2010 Prism Microsystems Inc.)] EventTracker displays the Management Console. After a fresh installation of EventTracker, the available agents are displayed under Default Group in the All Computers hive. To refresh the Navigation pane, open the System Manager and press F5 on your keyboard. The System Manager automatically discovers the Groups and Systems. The Automatically find and add option is selected in the Select Auto Discover Mode dialog box; EventTracker displays this dialog box when you open the System Manager for the first time after installing EventTracker. If you select the I will choose to add and track option, then you have to add the Groups manually. Close the System Manager. Press CTRL+F5 on your keyboard. EventTracker refreshes the Management Console. [Figure 2: EventTracker Management Console (menus File, View, Configure, Reports, Tools, Window, Help; toolbar: System Manager, EventVault, Log Search, En
273. erating Sy [Alerts analysis pane: list of EventTracker event 3221 (App Open) and 3222 (App Close) Information events from computer WEBDOC1 on 01/13/2010 for Alerts Dashboard.exe, RoboHTML.exe (RoboHelp HTML 11) and WINWORD.EXE (Microsoft Office), with PID values in the App Close events; the list continues: Aler
274. es the event log data collected by EventTracker by consolidating events by groups, systems and event categories. You can generate on-demand and scheduled reports with the collected event data. Evaluation and Purchase. To evaluate WhatChanged, EventTracker and EventLogCentral, download the trial version from http://www.prismmicrosys.com/productDownloads.php. To purchase, contact us by e-mail at sales@prismmicrosys.com. Solaris Agent. EventTracker for Solaris C2 provides administrators with a monitoring and reporting interface that provides one of the most information-rich sources of audit information from the UNIX kernel. Using the Basic Security Module (BSM), the system administrator now has access to kernel auditing events. Audit logs can be extremely valuable for operations, security and auditors alike. EventTracker manages the central repository of log data events needed for proper incident investigation or to meet regulatory compliance. The platform provides insights into the actions and behaviors of users and systems. This information can be used to detect insider threats, security violations and other dangerous behavior patterns. Benefits of Solaris Agent: convert BSM binary data into meaningful events; real-time user-defined alerts; Event Correlation engine; secure event archival; access the EventTracker database and EventVault for reporting.
275. es you with an option to make a comparison between the latest snapshot and any of the previous snapshots. After comparing them, you can restore any registry key to its older value. You can also undo the restore in case the restoration was incorrect. Reporting: reports are provided to identify the registry, file and directory details. Reports are available in txt format and Excel format. Change Reporter enables you to export reports to any popular standard. This tool helps you monitor the status of your IT resources and provides you various reports. You can make decisions based on the reports to enhance the availability of your critical IT resources. The Status Tracker console consists of the following options. Managing Resources: you can add resources through Web site, FTP Site, Manually and IP Subnet. You can also modify and delete the existing resources. Managing Groups: you can create a group for the selected resources. You can also modify and delete the existing group. Managing Alerts: you can configure the alerts based on any change in resource status or any change in group status. Reporting: you can generate the report on Cost to Resource Availability, Resource Stability, Cost of Resource Downtime and Resource Availability Summary. EventLogCentral. EventLogCentral is a web-based user interface for EventTracker. ELC manag
276. f any Scheduled Reports run in the background during this migration period, they might fail. However, the EventTracker Scheduler will pick them up for processing at the next scheduled time, and it will refer to the new Archives folder for CAB files. Collection Point CAB Files: Collection Master creates a new folder in the default EventTracker installation folder (typically Program Files\Prism Microsystems\EventTracker\Archives) with the respective name you entered in the Site or group name field while installing the Collection Points, to store the CAB files received from the Collection Points. Example: Program Files\Prism Microsystems\EventTracker\Archives\ALICE II 192.168.1.53. Collection Master creates a new folder in the modified Archives folder and stores the new CAB files received from the Collection Point in that folder. If you want to merge Collection Points, use the Merge option in the Collection Master Console. When you generate Advanced Reports, EventTracker fetches the CAB files from the new Archives folder. Collection Master will not delete the old Archives folder; it is left to your discretion to handle the old folder. Scenario 1: Collection Master WEBDOC1 (IP Address 192.168.1.88); Collection Point ALICE II. Consider ALICE II is the Site or group name t
277. field supports numeric data type only. Event ID: a number identifying a particular event. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event log service is started; the first line of the description of such an event is "The Event log service was started". The Event ID and the Source can be used by product support representatives to troubleshoot system problems. Type the event ID number in this field. This field supports numeric data type only. Match in Event Descr: type a sub-string of the description that needs to be matched. EventTracker supports multiple strings separated by the following operands: && stands for AND condition; || stands for OR condition. If you type Successful Logon && New Trusted Domain || Removing Trusted Domain, EventTracker will filter out the events that match Successful Logon AND New Trusted Domain OR Removing Trusted Domain. Error: a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error will be logged. Warning: an event that is not necessarily significant but may indicate a possible future problem. For example, when disk space is low, a Warning will be logged. Information: an event that describes the successful operation of an application, driver or service. For example, when a network driver loads successfully, an Information event will be logged. An audited
278. formation [Alerts analysis pane: list of EventTracker event 3221 (App Open) Information events from computer WEBDOC1 on 01/13/2010 for RoboHTML.exe (RoboHelp HTML 11), WINWORD.EXE (Microsoft Office XP), Alerts Dashboard.exe (EventTracker), msimn.exe and NOTEPAD.EXE (Microsoft Windows Operating System) and EtwControlPanel.exe (EventTracker); the list continues: EventTracker to
279. from a single system. To uninstall the Agent from a system: 1. Type the path of the AgentInstaller. 2. Type AgentInstaller.exe in the command prompt. 3. Type the switch U. 4. Type the switch N followed by the name or IP address of the system from which you want to uninstall the Agent. 5. Press Enter on your keyboard. RemoteInstaller uninstalls the Agent on the target computer. Installing and Uninstalling Agents in multiple systems. This option helps you install the EventTracker Agent on multiple systems by specifying the system names or IP addresses in a text file. To install Agents on multiple systems: 1. Create a text file and save it as Systems.txt in the default AgentInstaller folder. 2. Type the names or IP addresses of the systems where you want to install the Agent and save the file. 3. Open the command prompt. 4. Type the path of AgentInstaller.exe. 5. Type AgentInstaller.exe in the command prompt. 6. Type the switch I. 7. Type the switch F followed by the name of the text file, Systems.txt. 8. Press Enter on your keyboard. 9. Open the System Manager. 10. Press F5 on your keyboard to refresh the console. To uninstall Agents from multiple systems: 1. Type the switch U. 2. Type the switch F followed by the file na
280. g box. [Figure 167: Edit Group dialog box (Group: Apps Database Group; Group Description: Machines serving the Apps database; Available Systems list with Add/Remove buttons and Group Members list; Save and Cancel buttons)] Click Save. The modified group is displayed in the left pane of the System Manager. [Figure 168: EventTracker System Manager showing the newly created Group, Apps Database Group (Machines serving the Apps database), with systems TOONS (Windows 2000 Professional), CELEBRATE (Windows 2003 Server) and TESTING (Windows 2000 Server), all Unmanaged; Displaying Windows Systems, Auto Discover, 4 Systems] Had you already selected the Automatically find and add Computers (recommended for small networks, e.g. < 100 Computers) option in the Auto Discover Mode option, System Manager displays the EventTracker System Manager message
281. gure 85: Actions Message dialog box (Message Configuration: the notification message will be sent to the machine of choice; enter the machine name)] You can also access the Actions Message dialog box by selecting the corresponding check box under the Message column on the Alerts Group dialog box. [Figure 86: Alert Groups console] 3. Type the system name under Message Configuration, or select the system from the drop-down list. 4. Click OK. 5. Click OK on the Alert Group Configuration dialog box. EventTracker displays the Alert Groups console with the newly created console message alert. [Alert Groups console: Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action. Columns: Forward as SNMP, Forward as SYSLOG, RSS Notification, Console side remedial action; listed alerts include Administrative log on, Administrative log on failure, Altiris Audible Alert, Audit Log Cleared, CISCO Access Denied, CISCO PIX Authentication Failed, CISCO PIX Failover Message, CISCO PIX IDS intrusion detection, CISCO VPN Admin Access Authenticati
282. had you disabled this option. Purging Alert Events Cache. This option helps you purge the Alert Events cache. By default, EventTracker retains event data for seven days. You can configure it to hold a minimum of 24 hours and a maximum of 90 days of event data. You cannot completely purge the cache. To purge Alert Events Cache: 1. Open the Management Console. 2. Click the Configure menu and select the Configure Manager option. EventTracker displays the Manager Configuration window. 3. Select the Enable Alert Events Cache for Alert Analysis check box. EventTracker enables the Purge events from cache older than spin box. 4. Select the duration from the spin box. 5. Click OK. EventTracker displays the confirmation message box. 6. Click Yes to save the changes. 7. Open the Reports Console. Click the Analysis tab, then click the Alerts analysis type to configure the report. Reports Console generates the report for the configured number of days. Show Only Active Alert Events in Console. When you open the Management Console initially, EventTracker sets focus on the Correlated Alerts & Incidents Category and displays all events that occurred in that Category. To view only active Alerts, select the Show only Active Alert events in Console check box. When this check box is selected, EventTracker stores all Alert events in the database but displays only the
283. hat you entered while installing the Collection Point (IP Address 192.168.1.53). Collection Master creates the folder Program Files\Prism Microsystems\EventTracker\Archives\ALICE II 192.168.1.53 and stores all the CAB files in that folder. [Figure 409: Collection Master Console, Collection Point Detail] Now modify the Archives folder in the Collection Master as explained in the previous section. Send the CAB files to the Collection Master. Collection Master creates the folder D:\Archives\ALICE II 192.168.1.53 and stores all new CAB files in that folder. [Figure 410: Collection Master Console, Collection Point Detail] [Figure 411: Advanced Reports console] Since the Collection Point name remains the same before and after changing the Archives path, Collection Master appends "Merging" and Timeticks to the Collection Point name. EventTracker provides this naming convention to avoid Collection Point name conflicts. Example: ALICE II 192.168.1.53 (default Archives path); ALICE II 192.168.1.53 Merging 1252925051 (modified Archives path). ALICE II 192.168.1.53 Merging 1252925051 is visible when you generate Advanced Reports. le
284. he Agent mode from the Select Systems drop-down list and then click the Event Filters tab. System Manager displays the Agent Configuration window. [Figure 205: EventTracker Agent Configuration window, Event Filters tab (Select Systems: LEO; Apply the following settings to specified clients; Manager destinations: WEBDOC1). You can choose to filter out events that are not required. Once the Filter is set, all events matching the filter criteria will not be sent to the EventTracker Manager. You can also configure advanced filter options, such as to send only specific events or to filter out specific events. Event Types: Error, Warning, Information, Audit Success, Audit Failure; Basic Logs: Application, System, Security; Special Logs: Directory Service, DNS Server, File Replication; options: Enable High Performance mode, Enable SID Translation, Filter Exception, Advanced Filters.] 4. Select the Enable High Performance mode check box. System Manager displays the EventTracker Agent Configuration message box. [Figure 206:
285. he Logfile Monitor tab. 4. Click Add File Name. EventTracker displays the Enter File Name dialog box. [Figure 259: Enter File Name dialog box (you can configure the complete path of the log file or folder that needs to be monitored, along with the strings that need to be searched; Select Log File Type: TEXT LINE, generic text where the TEXT value is any separate line delimited by CR/LF or CR in the text file)] 5. Select the logfile type as CHECKPOINT from the Select Logfile Type drop-down list. EventTracker displays the Enter File Name dialog box. [Figure 260: Enter File Name dialog box (configure the EventTracker Agent to read Check Point logs; Receive the Live Check Point Logs: Active / Historical; Communication Method: LEA Server; Client DN; Server DN; SSLCA File; Server IP; Server Port; OPSEC SSLCA Encryption Method: 3DES; Compressed: No)] 6. Select an option from the Communication Method drop-down list. 10. Client DN: type the Client DN. Check Point generated this string while configuring the OPSEC Application. Server DN: type the Server DN. This is the Check Point Gateway DN. SSLCA File: click the browse button and EventTracker displays the Open window. S
286. he details of missing CAB files. [Figure 419: CAB Request screen of the EventTracker Collection Master Console (Select Criteria: Select Collection Point, Select CAB Status, Period; the list shows two CAB files from Collection Point NEWYORK 192.168.1.38 with status Missing, their size and transmission start/end times on 4/7/2009 and 4/8/2009; Select All; Total Cab Files: 2; Send Request)] 4. You can select individual files, or click Select All to select all the files, and then click Send Request. EventTracker displays the Collection Master Console message box. [Figure 420: Collection Master Console message box: Requested for 2 CAB Files From Collection Point NEWYORK 192.168.1.38] 5. Click OK. Collection Master sends the request, receives the missing CAB files from the concerned Collection Point and displays the CAB Status screen. [Figure 421: CAB Status screen of the EventTracker Collection Master Console (CAB Status, Collection Point Detail
287. her specified Agents. For more information, refer to Applying Configuration Settings to Specified Agents on page 285. Viewing Logs. This option enables you to view the log details. To view the log details: 1. Open the System Manager. 2. Click the View menu and select the Log option. EventTracker displays the log details in Notepad. Applying Configuration Settings to Specified Agents. This option enables you to apply the current configuration settings of the selected system to other specified Agents from one centralized location. To apply configuration settings to specified Agents: 1. Open the Agent Configuration window. EventTracker by default displays the Managers tab. 2. Select the system from the Select Systems drop-down list. Only the saved configuration settings can be applied to the specified Agents. 3. Select the check box next to Apply the following settings to specified Agents. EventTracker enables the button. [Figure 280: Agent Configuration window, Managers tab (Select Systems: WEBDOC1, Agent based system; Apply the following settings to specified clients is checked; Manager destinations: WEBDOC1, spider, simbi; tabs Log Backup, Processes, Net
288. ia 460; ... 460; Successful/failed file access 460; Successful logons preceded by failed logons 460; Audit log cleared events by user 460; Invalid logons by ... 460; Daily ... scans 460; CPU load peaks 460; Account usage of ... 460; ... 461; ... 461; Administrative access to computers 461; ... 462; Hotfixes by computer 462; Last logon by Domain Controller 462; User Account ... 463; Appendix BASEL II 464; BASEL ... 464; Appendix ... 465; ... 465; FISMA ... 465; FISMA Sec 3 ... 465; ... 466; ... 466; Glossary 467; Index 471. (Entries shown as ... are illegible in the source.) EVENTTRACKER VER 6.4 USER'S GUIDE, PURPOSE OF THIS GUIDE. About this Guide. Purpose
289. ial Action at Actions: Agent Remedial action will be executed at the selected system. Applies only to Agent-based Windows systems. [Remedial Actions configuration dialog box: feature disabled in EventTracker Console. To enable this feature, go to the EventTracker Management Console and select the menu Configure > Configure Manager. Remedial Action: Terminate Process Name. Predefined scripts are available in the AgentScript folder of the EventTracker installation.] 3. Select an appropriate option and then click OK. EventTracker displays the Alert Groups console with the newly created custom action alert. 4. Click Save on the toolbar. EventTracker displays the EventTracker Management Console message. 5. Click OK. 6. Restart the Management Console. Configuring Alert Actions for Predefined Alerts. To configure alert actions for predefined Alerts: 1. Open the Alert Groups console. 2. Double-click the predefined Alert for which you want to set notification. By default, predefined Alerts are applicable to all monitored systems. 3. Select the appropriate check boxes. 4. Configure the settings appropriately. EventTracker displays the Alert Groups console. [Figure 100: Alert Groups cons
290. ic NCM Suspicious Traffic Only / SNAM:
    - Generate Suspicious Network Activity report
    - Enable/disable predefined Trusted Connections List
    - Add programs to Trusted Connections List
    - Add programs and services in the Firewall Exceptions list to the Trusted Connections List
    - Configure Manager to send notification when there is suspicious traffic in your enterprise network
    - Schedule EventVault Integrity check
    - Append Archives through EventVault Warehouse Manager
    - Manage Active Directory (AD) Organizational Units (OU)
    - Select agent based or agentless monitoring
    - Organize event views from SYSLOG and Cisco PIX firewall sources
    - Generate audit ready compliance reports (HIPAA, SOX, FISMA, GLBA, PCI)
    - Configure real time event alerts via e-mail, beep, RSS Feeds and custom actions
    - Customize views and reports
    EventTracker Services and Ports
    - Define report templates
    - Backup and clear event logs automatically
    - Switch Navigation pane refresh modes
    - Reload the Navigation pane with changes made in the System Manager
    - Enable or disable SID translation
    - Switch Agent mode from Standard mode to High Performance mode and vice versa
    - 5 reports simultaneously (4 Scheduled Reports and 1 Manual Report)
    - Configure Filter Exception in the Filter Events console
    - Exception Events for Log Analysis Filters in the generated Log Analysis report to filter the result set
    - Time based Alerts
291. ical risk management reporting. Accurate report on the current FISMA compliance status. Annual information on security training and Internet security training for the agency personnel and also the contractor.
    Appendix PCI DSS
    PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. A company processing card payments must be compliant or they risk losing the ability to process credit card payments.
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
    Requirement 2: Do not use vendor supplied defaults for system passwords and other security parameters.
    Requirement 3: Protect stored cardholder data.
    Requirement 4: Encrypt transmission of cardholder data across open, public networks.
    Requirement 5: Use and regularly update anti-virus software.
    Requirement 6: Develop and maintain secure systems and applications.
    Requirement 7: Restrict access to cardholder data by business need to know.
    Requirement 8: Assign a unique ID to each person with computer access.
    Requirement 9: Restrict physical access to cardholder data.
    Requirement 10: Track and monitor all access to network resources and cardholder data.
    Requirement 11: Regularly test security systems and processes.
    Requirement 12
292. identified. Contact sales at Prism Microsystems Inc. for upgrade.
    4 Click License Info. EventTracker displays the License Information window.
    Figure 14: License Information
      Computer | OS Type | License Type
      ALICE | ... | Workstation
      BALOO | Windows 2000 Professional | Workstation
      ELR | OS type not identified |
      MEMO | Windows XP | Workstation
      WEBDOC | Windows XP | Workstation
      ... | Windows 2003 Server | Server
    5 Click Patch Info to view the patches applied. EventTracker displays the patch information.
    Figure 15: Patch information (About EventTracker: No EventTracker patch applied).
    6 Click System Info to view system information. EventTracker displays the System Information window.
    Figure 16: System Information
      OS Type: Windows XP Professional
      Service Pack: Service Pack 3
      ODBC Version: Microsoft Access Driver version 4.00.6309
      Physical Memory: 1,021
      Free Disk Space: 6,625 MB
    EventTracker Components
    System Manager
    System Manager enables you to manage Computer Groups, Systems and Agents. System Manager enables you to:
    - Create, Modify and Delete a Group. You can add systems to the Group by System Type, IP subnet or by manual selection.
    - Install, Uninstall and Upgrade Agents. Switch modes of the Agent.
    - Configure
293. igured Scheduled Reports, the Advanced Report console might still be referring to the CAB files in the old folder, so you are required to merge these two sites before you attempt to generate Advanced Reports.
    To merge these two Sites: open the Collection Master Console, click Collection Point Detail on the toolbar, select both the Collection Points and then click Merge.
    Figure 412: Collection Master Console, Collection Point Detail (columns: Collection Point Name, Last Received CAB Name, Last Received Time, Archive Path; the listing shows the two ALICE II (192.168.1.53) entries, one of them marked Merging 1257925051, Build 9.200).
    Collection Master Console displays the confirmation message box.
    Figure 413: EventTracker Collection Master Console message box: "Are you sure you want to merge collection point ALICE II (192.168.1.53) into collection point ALICE II (192.168.1.53) Merging 1257925051?" Yes / No.
    Click Yes to merge the Collection Points.
    Figure 414: Collection Points after merging (Collection Point Detail: Collection Point Name, Total File Count, ..., Status).
294. ility
    1 Select the EventTracker Alerts to be exported.
    2 Click the Export button.
    3 Choose the folder and provide the file name. Click OK.
    Export dialog tabs: Category, Filters, Groups, Systems, Scheduled Reports, RSS Feeds, Alerts, E-mail Settings.
    Alerts list (sample): Administrative log on; Administrative log on failure; Altiris; Audit Log Cleared; CISCO Pix Access Denied; CISCO Pix Authentication Failed; CISCO Failover Message; CISCO IDS intrusion detect...; CISCO VPN Admin Access Au...; CISCO VPN Admin VPN Memory Allocation e...; Critical service could not be started; Critical service is not running; Crystal Enterprise... Buttons: Add >, Add All >>, < Remove, << Remove All, Refresh, Export, Close.
    Export E-mail Settings — Select this check box to export alerts with their e-mail settings, if any.
    Alerts — Select an Alert or Alerts from this list. Click Add > to add the selected Alert(s) to the Selected list. Click Add All >> to export all the Alerts; all the Alerts are added to the Selected list.
    Export E-mail Settings — Select this check box to export e-mail configurations you have set along with the Alerts.
    Selected — Select an Alert or Alerts from this list. Click < Remove to remove the selected Alert(s) from this list. Click << Re
295. ilure (Alert Group dialog residue). Alerts listed: ...ilure; Detected high memory usage; Detected software (Some 57475 has bee...); Directory permission change; Disk space is critically low; Domain policy changed; EventTracker agent service failed (each with Yes/No action columns).
    Events can be added, edited and removed from this Alert Group. Columns: Event Log Type, Source, Category, Event ID, User, Match In Event Descr (rows show Log Type Security, User Administrator). Buttons: Add Event, Edit Event, Remove Event, < Back, Next >, Finish, Cancel.
296. in Auto Discover mode. In Auto Discover mode, if you remove the system it will be removed only for that instance, and when you refresh the System Manager the removed systems will be discovered and populated to the list again.
    Example scenario: suppose you were monitoring a system and that system exists in two Groups, namely TOONS and MY GROUP. Now you want to remove that unmanaged system from the All Domain Computers list in the right pane. Do the following.
    To remove unmanaged systems:
    1 Click the File menu and select the Select Auto Discover Mode option. System Manager displays the Select Auto Discover Mode dialog box.
    2 Select the "I will choose to add and track Computers (Recommended for large networks)" option and then click OK. System Manager displays the EventTracker System Manager message box.
    Figure 139: EventTracker System Manager message box: "You have selected to manually add and track Computers. Further discovery of Computers will stop. Computers already discovered will be retained and can be removed as per your preference from File > Remove Computer(s)."
    3 Click OK.
    4 Expand the Groups tree in the left pane.
    Figure 140: EventTracker System Manager left pane.
    Figure 141: EventTracker System Manager left pane (File, View, Options, Help menu; Co
297. int Console (Collection Point Console, Manage CAB / CAB Status view; menus File, Configure, Help; Select Criteria: Destination 192.168.1.38, Select CAB Status, Show). Columns: Name, Period, Destination, Transmission Start Time, Transmission Time (in sec), Status. The listing shows CAB files named etar followed by a timestamp (for example etar1239163086, etar1239115255, etar1238979079), each covering a period between 4/4/2009 and 4/8/2009, all with destination 192.168.1.38 and Status Queued.
298. ion 225 (index fragment, Agent entries continued): high performance mode 231; ... 182; multiple destinations 215; pre-installation procedures 182; protecting configuration 290; removing client components 198; SID translation 230; starting client service 204; switching modes 200; system health 232; uninstalling 191; upgrading 194; viewing status 204.
    Agent Management Tool 292: accessing 292; Agent service status: all 295, ... 294, ... 293; Agent service version: all 298, group 297, system 297.
    Agentless Monitoring 304: 304; editing admin account 310.
    Alert Actions: ... 123; predefined Alerts 129.
    ... 85: configure 85, 130, 104; manager side actions 105; ... 103.
    Auto Discover mode: removing 199.
    Auto scrolling 61.
    Category Groups
299. ion
    Backing up EventVault Data
    This option enables you to back up EventVault data locally or remotely in a desired location for long term storage. It helps you to retrieve the backup data if the archives are tampered with.
    To back up EventVault data:
    1 Open the EventVault Warehouse Manager.
    2 Select the CAB file(s) from the Available EventBoxes list, OR select the Select All check box to select all the archive files.
    3 Click the File menu and select the Backup EventVault option, OR click Backup Archives on the toolbar. EventVault Warehouse Manager displays the EventTracker EventVault Manager message box.
    Figure 300: EventTracker EventVault Manager message box: "EventVault Manager will backup all CAB Files from the Archive Folder. Continue?" Yes / No.
    4 Click Yes. EventVault Warehouse Manager displays the Choose Directory window.
    Figure 301: Choose Directory dialog box (Select backup folder: C:\Program Files\Prism Microsystems\EventTracker; the tree shows Program Files > Prism Microsystems > EventTracker with DataCache, 192.168.1.87, ReportData, TempSchedDb1172148455, TempSchedDb1175855438 folders, and a Drives list; OK / Cancel).
    5 Select the folder where you want to store the event data.
300. ion Source: Web Service.
    12 Click Save on the Agent Configuration window. You can apply the current settings to other specified Agents. For more information, refer to Applying Configuration Settings to Specified Agents on page 285.
    Filtering Events with Advanced Filters
    Filters and Filter Exception go hand in hand, which means you can filter all the events but with exceptions, whereas Advanced Filters help you filter out a specific event while allowing other events of that type.
    To filter events with Advanced Filters:
    1 Open the Agent Configuration window.
    2 Select the system from the Select Systems drop down list.
    3 Click the Event Filters tab.
    4 Click Advanced Filters. EventTracker displays the Advanced Filters dialog box.
    Figure 224: Advanced Filters window: "You can choose NOT to send specific events. Specify the details of the events that you would like to ignore. Example: You may want to view all Information events other than those received from the FTP Service. To do this, add a specific event with Event Source as FTP Service." (Columns: Log, Event Type, ...; the listing shows Security log entries; buttons Edit, Delete.)
    5 Click New. EventTracker displays the Event Details dialog box.
    6 Type appropriately in the relevant fields.
301. irmation message box.
    4 Click appropriately, for example Yes to All. Collection Master overwrites all the redundant CAB files. EventTracker displays Collection Point Detail.
    Figure 406: EventTracker Collection Master Console, Collection Point Detail (columns: Collection Point Name, Last Received CAB Name, Last Received CAB Time, Archive Path; row: NY (192.168.1.38) 6.3 Build 78, etar1233153185, 14505, 10:30:21 AM 4/9/2009, C:\Program Files\Prism Microsystems\EventTracker\Archives\NY; buttons Delete, Close).
    In this scenario only the Collection Points are merged, and the Collection Master copies the CAB files from the Program Files\Prism Microsystems\EventTracker\Archives\NEWYORK (192.168.1.38) folder to the Program Files\Prism Microsystems\EventTracker\Archives\NY (192.168.1.38) folder. CAB files of the Collection Master remain in the same archives folder, Program Files\Prism Microsystems\EventTracker\Archives. When you generate Reports for the Collection Point, EventTracker fetches CAB files from the NY (192.168.1.38) folder.
    Scenario 2: Collection Master WEBDOC1, IP Address 192.168.1.88. Collection Point NEWYORK (consider this to be the Site Name that you gave while installing the Collection Point), IP Address 192
302. is not unique.
    7 Type a unique Group name and then click OK to continue creating the Group.
    Modifying a Group
    This option enables you to modify a Group.
    To modify a Group:
    1 Open the System Manager.
    2 Click the File menu and select the Edit Group option. System Manager displays the Edit Groups dialog box.
    Figure 165: Edit Groups ("Select the Group you want to edit"; columns Group, Description; rows: Apps Database / Machines serving ..., CELEBRATE / Enterprise Dom..., TESTING / Enterprise Dom..., TOONS / Enterprise Dom...).
    3 Select the Group that you want to modify in the displayed list.
    4 Click Edit. System Manager displays the Edit Group dialog box.
    Figure 166: Edit Group (Group: Apps Database; Group Description: Machines serving the Apps database; Available Systems: CACOFONIX, ELCTEST, GARFIELD, GIJOE, HAGAR, MOUGLIOLD, MURPHY; Group Members; buttons Add >, < Remove, OK, Cancel).
    Table 34:
      Description — Type the system related information in this field.
      Group Members — Select the computer that you want to remove from the group. Click < Remove.
      Available Systems — Select the computer that you want to add to the group. Click Add >. The selected computer is added to the list of Group Members.
    5 Type appropriately in the relevant fields. System Manager displays the Edit Group dialo
303. ive results.
    Event Details dialog (empty field implies all matches): Computer WEBDOC1; Event Type Information; Log Type; Match in Source; Category; Event ID; Match in User; Match in Event Descr. The Match in Event Descr field can take multiple strings separated with || or &&; && stands for AND condition, || stands for OR condition. Note: if you want to match any of the special characters, then in the search string prefix this character with a backslash. For more information, click here.
    5 Click OK. EventTracker displays the Filter Events console with the newly added filter.
    Figure 28: Filter Events: "Events that are of minor significance can be filtered out. The events that meet the configured Filter criteria will be stored. Note: Filtered events are not logged and cannot be analyzed from the Reports Console or seen in the Event History." (Columns: Computer, Event Log Type, Category, Event, User, Description; row WEBDOC; buttons Edit Filter, Remove Filter, Filter Exception.)
    Click OK. Restart the Management Console.
    Modifying Event Filter Settings
    This option enables you to modify filter events configurati
304. k the Configure menu and select the Configure Manager option. EventTracker displays the Manager Configuration window. Type the URL of the Knowledge Base Web site in the KB Website field. Click OK. EventTracker displays the confirmation message box. Click Yes to save the changes.
    EventTracker selects the Enable Syslog Receiver check box by default to enable the EventTracker Receiver to receive SYSLOGs sent by non-Windows systems.
    To disable the SYSLOG receiver:
    1 Open the Management Console.
    2 Click the Configure menu and select the Configure Manager option. EventTracker displays the Manager Configuration window. The Enable SYSLOG receiver check box is selected by default.
    3 Clear the check box.
    4 Click OK. EventTracker displays the confirmation message box.
    5 Click Yes to save the changes.
    Monitoring Syslogs
    For monitoring Syslog events you must configure the UNIX computer to forward Syslog events to the computer where the EventTracker Manager is installed. The default Syslog port is UDP port 514. Also see the FAQ on Syslog.
    To configure UNIX systems to forward Syslog messages to EventTracker:
    1 Identify the IP address of the computer that is hosting the EventTracker Manager.
    2 Log on with the root account on the UNIX computer.
    3 Open the syslog.conf file in a text editor. The default path of the syslog.conf file is /etc/syslog.conf.
    4 Append the configuration
305. l alerts received, Total systems monitored, and so on.
    EventVault — The console used to archive the events from the EventTracker database. EventVault can operate in Automatic Archival and EventBox on demand methods.
    Exclude List — The process to configure the network connections that need not be monitored.
    ... — The process to filter out events that you do not want to monitor.
    Include List — The process to configure the network connections to monitor. Include list network connections always override the Exclude list network connections.
    IP Address — A 32 bit address used to identify a node on an IP internet. The address is typically represented with a decimal value of each octet separated by a period, for example 192.168.7.27.
    Knowledge Base — A Web site containing information about Windows events and custom EventTracker events.
    Log Backup — A backup that copies event logs automatically in the EventTracker Agent directory whenever the event logs are full.
    Logfiles — The process to monitor textual log files such as SQL or ISA logs created by any vendor. You can also configure the strings to search. If any record matching the search string is found, an event will be generated.
    Manager Configuration — Process of configuring parameters of Acknowledge Events time limit, Maximum Events view limit, Purge Time limit, Ping Frequency and connected server name.
    Memory Usage — A term used to monitor the memory usage
306. lays the Network Connection Monitor tab.
    4 Click Exclude List. EventTracker displays the Exclude List dialog box.
    Figure 266: Exclude List window: "List of authorized connections for which no notification will be sent. Include list will always override it." (Columns: Local Address, Remote Address; row LISTEN / localhost.)
    5 Click New. EventTracker displays the Network Connection Details dialog box.
    Figure 267: Network Connection Details window (empty field implies all matches): Local Address Details: Host name or IP Address, Local Port; Remote Address Details: Host name, IP Address or URL, Remote Port, Select IP Address; Process Name (e.g. iexplore.exe); Connection State; OK / Cancel.
    Local Address Details
      Host Name or IP Address — Type the host name or the IP address in this field.
      Local Port — Select a local port from the drop down list.
    Remote Address Details
      Host name, IP Address or URL — Type the host name, IP address or URL in this field.
      Remote Port — Select a remote port from the drop down list.
      Select IP — Click this button to add IP address ranges. EventTracker displays the IP Address Range Setting
307. le
    Figure 54: Suspicious Network Alert Configuration, Systems tab: "This alert is applied to the list of selected computer(s) or groups." Options: Apply to all Systems; Apply to selected Systems; System Groups / Systems; List of selected systems (NTOC, WEBDOC); buttons Add >, Add All >>, < Remove, << Remove All, < Back, Next >, OK, Cancel.
    4 Select Groups/Systems and then click Next >. EventTracker displays the Actions tab.
    Figure 55: Suspicious Network Alert Configuration, Actions tab: "Select and configure alert actions below." Generate sound from my speaker; Send E-mail to specified recipient; Update RSS feed; Send net message; Forward Events as SNMP; Forward Events as SYSLOG message; Execute remedial action at EventTracker Console; Execute remedial action at EventTracker Agent.
    5 Select appropriate alert actions and then click OK.
    6 Select the Check for Knowledge base updates check box.
    7 Click OK on the Manager Configuration window. EventTracker displays the confirmation message box.
    8 Click Yes to save the changes.
    By selecting Check for Knowledge base updates, EventTracker updates th
308. le Monitor
    Logfile Monitor: "Search log files (various formats supported) for matching patterns specified here. Both individual files as well as folders can be monitored for matching entries. Matches cause an event to be generated." Logfiles to be monitored: Logfile, Check Point; buttons Edit File Name, Delete File Name, Search Strings.
    13 Click Save.
    Monitoring VMware Logs
    This option helps you monitor logs generated by VMware.
    To monitor VMware logs:
    1 Open the Agent Configuration window.
    2 Select the system from the Select System drop down list.
    3 Click the Logfile Monitor tab. EventTracker displays the Logfile Monitor tab.
    4 Click Add File Name. EventTracker displays the Enter File Name dialog box.
    Figure 262: Enter File Name dialog box: "You can configure the complete path of the log file or folder that needs to be monitored along with the strings that need to be searched." Select Log File Type: TEXT LINE ("This is a generic text file where the TEXT value is any separate line separated by CRLF or CR in the text file"). Enter File name.
    5 Select the logfile type as VMWARE from the Select Logfile Type drop down list. EventTracker displays the Enter File Name dialog box.
    Figure 263: Enter File Name dialog box: "Configure EventTracker Agent to read
309. lection
    Figure 37: Create Group, Select Systems: "Select systems that you want to add" (CACOFONIX, CHARLIE, DONALD, EXCHTEST; buttons Cancel, < Previous, Next).
    6 Select the Systems.
    7 Click Finish. EventTracker displays the System Manager message box.
    Figure 38: System Manager message box: "SMARTset Management Console will now start populating the newly created group. If you have a large network this may take a few minutes."
    8 Click OK. EventTracker displays the System Manager message box after populating your Group.
    Figure 39: System Manager message box: "Completed populating the newly created group. Select OK to view."
    9 Click OK. EventTracker displays the System Manager with the newly created Group.
    Figure 40: EventTracker System Manager (menus File, View, Options, Help; toolbar: Configure Agents, Search Computers, Create Group, Delete Group, Add System, Remove System, Upgrade Agent; Computer Groups: My Group (User selected systems); columns Groups, System, Status; TOONS, 192.168.1.96, System Managed; CELEBRATE; ELCTEST; EXCHSUPP
310. levant fields.
    Figure 345: Create Event Category Wizard dialog box, Event Details: "Enter or select event details information. Enter comments or recommended action for the event. Click Add to save and continue, click Finish to save and exit." Fields: Severity (Information); Event Details: Category, Log (Directory Service), Event ID, Source, User, Match in Event Descr, Event Descr Exception. The Match in Event Descr field can take multiple strings separated with || or &&; && stands for AND condition, || stands for OR condition. Note: if you want to make a match on any of the special characters, then in the search string prefix this character with a backslash. For more information, click here.
    8 Click Add.
    9 Click Finish. If there is a mismatch between the Severity and the Event Type, then EventTracker displays the EventTracker Console message box.
    Figure 346: EventTracker Console message box: "You have selected Severity as Information for Warning Event type. This is generally not recommended. Do you want to continue?"
    10 Click Yes to proceed further or
311. lick Configure on the Collection Point Console, OR click the Configure menu and then select Manager. EventTracker displays the Configure Managers console.
    2 Select the Collection Master and then click Edit. EventTracker displays the Edit Destination dialog box.
    Figure 436: Edit Destination dialog box (Destination: 192.168.1.38, Test Connection; Port: 14507; Active: selected; Encrypt Data: No; Description: Forwarding LAB to NEWYORK; OK / Cancel).
    You can edit Port and Description and select or clear the Active check box. Type changes appropriately in the relevant fields and then click OK.
    Deleting Collection Master Settings
    This option helps you delete Collection Master settings.
    To delete Collection Master settings:
    1 Click Configure on the Collection Point Console. EventTracker displays the Configure Managers console.
    2 Select the Collection Master and then click Remove. EventTracker displays the confirmation message box.
    Figure 437: EventTracker Collection Point Console confirmation message box: "The delete operation will remove all references of the Collection Master 192.168.1.38 from the database. Are you sure that you want to delete the selected Collection Master? Click Yes to confirm, No to abort." Yes / No.
    3 Click Yes. EventT
312. lick Next >. EventTracker displays the Enter privileged account information dialog box.
    5 Type a valid username and password.
    6 Click Execute. EventTracker displays the EventTracker Agent Management Tool message box.
    7 Click OK. EventTracker displays the result in Notepad.
    Restarting Agent Service (All)
    This option enables you to restart the agent service in all the systems and the Groups.
    To restart the agent service in all the systems and the Groups:
    1 Select the All option.
    2 Select the Restart Agent service option.
    3 Click Next >. EventTracker displays the Enter privileged account information dialog box.
    4 Type a valid username and password.
    5 Click Execute. EventTracker displays the EventTracker Agent Management Tool message box.
    6 Click OK. EventTracker displays the result in Notepad.
    Querying Version of the Agent Service (System)
    This option enables you to query the version of the agent service in the selected system.
    To query the version of the agent service in the selected system:
    1 Select the System option.
    2 Select the system from the System Name drop down list.
    3 Select the Query for Agent version option.
    4 Click Next >. EventTracker displays the Enter privileged account information dialog box.
    5 Enter a valid username and password.
    6 Click Execute. EventTracker displays the
313. lick Yes.
    6 Click Save.
    This feature works in all versions of EventTracker from 5.2 upwards. For more information, please go through SID translate.pdf found in the EventTracker installation folder, typically \Program Files\Prism Microsystems\EventTracker.
    Enabling High Performance Mode
    This option helps you enable High Performance mode.
    To enable High Performance mode:
    1 Open the Agent Configuration window.
    2 Select the system from the Select Systems drop down list.
    3 Click the Event Filters tab.
    4 Select the Enable High Performance mode check box. EventTracker displays the EventTracker Agent Configuration message box.
    Figure 228: EventTracker Agent Configuration message box: "You have enabled the High Performance Mode of the EventTracker Agent. This mode is suitable for servers that generate more than 700 events/min such as Domain Controllers or Active Directory servers. This mode is separately licensed. Are you sure?"
    5 Click Yes.
    6 Click Save.
    7 Open the System Manager. EventTracker displays the Agent mode switched to High Performance mode.
    Figure 229: EventTracker System Manager (menus File, View, Options, Help; toolbar: Configure System, Search Computers, Create Group, Delete Group, Add System, Remove System, Upgrade Agent
314. lter. Specify the details of such events here. Example: You may want to filter out all Information events other than those received from the Web Service. To do this, set the Information filter and add a Filter Exception with Event Source as Web Service." (Columns: Computer, Log Type, Event Type, Category, Event, Source, User; buttons New, Edit, Delete.)
    6 Click New to add new filter exception criteria. EventTracker displays the Event Details console.
    Figure 31: Event Details (empty field implies all matches): Computer; Event Type; Category; Log; Match in Source; Event ID; Match in Event Descr; Match in User. The Match in Event Descr field can take multiple strings separated with || or &&; && stands for AND condition, || stands for OR condition. Note: if you want to make a match on any of the special characters, then in the search string prefix this character with a backslash. For more information, click here.
    7 Enter or select appropriately in the relevant fields.
    Figure 32: Ev
315. ly used options are provided on the Toolbar. You cannot customize, move or drag the Toolbar. Mouse-over ToolTips for the command buttons help you know the purpose the buttons serve.
    System Manager — Open System Manager.
    Knowledge Base — Open the EventTracker Knowledge Base Web site (http://kb.prismmicrosys.com).
    Print — Print current Events on the Dashboard.
    Navigation Pane
    The Navigation pane displays EventTracker objects such as Computer Groups and Computers in the All Computers tree view, and Category Groups and Categories in the All Categories tree view. You can expand and collapse the All Computers and All Categories trees.
    Dashboard Pane
    By default, EventTracker displays Alert events that occurred in the monitored systems on the Dashboard.
    Workspace
    The workspace consists of the navigation pane and the dashboard pane.
    Event-O-Meter
    Figure 7: Event-O-Meter graph.
    Status Bar
    Navigation pane: EventTracker displays the Total Categories.
    Dashboard pane: In the Dashboard pane, EventTracker displays the Total Events received since the console was launched in the first section, the row id of the selected event in the second section (by default the row id of the latest event is displayed), and the Max Rows, i.e. the maximum number of events set to view, in the third section. By default, EventTracker displays 500 rows of events. You reset console
316. matching entries. Matches cause an event to be generated. (Logfile Monitor dialog: Logfile Name; New File, File Details, Delete File, Search Strings.) 9. Click Save. Monitoring Network Connections: NCM provides you with the capability to effectively monitor network connections on any system in your enterprise. It is a feature that provides security beyond the firewall by detecting threats from inside the firewall as well as keeping external attackers at bay. It helps you keep track of various happenings like connections established by remote applications, unauthorized connections to servers and connections made to standard ports. NCM provides second-level security beyond the firewall. NCM can drastically reduce internal security threats and can be configured to raise an alert whenever any intruder outside a list of trusted IP addresses attempts to make a network connection. The functionality can also be set to high security mode, wherein an event is generated for all incoming and outgoing connections. The NCM functionality facilitates the following key objectives: host-based intrusion detection; providing second-level security that complements the firewall and anti-virus in strengthening security policies; improving security policies against inside security breaches; monitoring all network connections (TC
317. me Systems.txt and press Enter. 3. Open the Agent Management Tool console and check the Agent status. Chapter 9: Agentless Monitoring of Windows Systems. In this chapter you will learn how to monitor remote Windows systems without deploying Agents. Agentless Monitoring: In cases where it is not possible or desirable to install the EventTracker Windows Agent, EventTracker can be configured to periodically poll the target computers over the network to collect the new event log entries since the last poll. Pros: No agent to deploy: simpler product deployment; there is less effort during planning, deployment and upgrade. Cons: Increased network load: depending on the selected polling cycle and level of event generation, network load is greater. Greater dependency, more critical points of failure: the Console becomes critical since it is polling the target machines, and network choke points can impact performance. Real-time notification not possible: the earliest a notification can be sent depends on where the Console is in its polling cycle. Limited to operation within a domain: the Console and target machine must be in the same domain so that domain privileges are preserved. Performance monitoring: this feature is not available. Application monitoring: this feature is not available. Software install/removal
318. mended. Do you want to continue? Click No. 8. Select the appropriate severity from the Severity drop-down list. EventTracker displays the Manage Categories console with the modified event details. Categories are used to organize events in an ordered and user-friendly manner. Category Management is used extensively in Reports, showing only the events that you find interesting. This interface can be used to create, manipulate and manage Categories. (Manage Categories console: the Category tree on the left; the events of the selected Category, with Event Log Type, Source, Category, Event ID and User columns, on the right; Total Categories: 575.) 9
319. ment Console. 2. Right-click the Category that you want to configure as an Alert. EventTracker displays the shortcut menu. From the shortcut menu, choose Add As Alert. OR: Open the Manage Categories console. Right-click the Category that you want to configure as an Alert. EventTracker displays the shortcut menu. From the shortcut menu, choose Add As Alert. EventTracker displays the Alert Group Configuration console. Figure 354: Alert Group Configuration (tabs: Alert Name, Event Details, Event Filters, Custom, Systems, Actions). Alerts can be configured to produce a Beep from the speaker, to send E-mail, to send a Console message across the network, to execute a Custom action, or a combination of all, on the occurrence of specified events. Type/select appropriately in the relevant tabs. Click OK. Open the Management Console. Click the Configure menu and select the Configure Alerts option. EventTracker displays the Alert Groups console with the newly added Alert. Figure 355: Alert Groups console.
320. menu and select the Print option, OR press Ctrl+P on your keyboard. EventTracker displays the report. Chapter 3: Configuring Manager. In this chapter you will learn how to: Set Window View Limit (Console); Configure EventTracker Knowledge Base Web site; Monitor Agent Health; Configure SYSLOG Receiver; Monitor Syslogs; Configure Virtual Collection Points for Syslogs; Configure EventTracker Receiver Ports; Forward Raw Syslog messages; Configure Virtual Collection Points; Configure Correlation Receiver; Configure Direct Log File Archiver; Enable Alert Notification Status Tracking; Purge Alert Events Cache; Configure Manager to show only active Alert events in Console; Configure Manager to store only active Alert events; Enable Remedial Actions; Suppress Duplicate Alerts; Configure Manager to Alert Suspicious Network Activity. Setting the Window View Limit (Console): This option enables you to set the Management Console Dashboard view limit. Figure 42: Manager Configuration. To set the Dashboard view limit: 1. Open the Management Console. 2. Click the Configure menu and select the Configure Manager option. EventTracker displays the Manager Configuration window (Max events view limit (Console): 500 events).
321. monitoring: this feature is not available. Service monitoring: this feature is not available. Monitoring external log files: this feature is not available. Host-based intrusion detection: this feature is not available. Non-domain topologies not supported: this feature is only available when the Console and target machine are in the same Windows domain. Adding Systems for Agentless monitoring: This option enables you to add systems from which you want to collect events periodically. The resource (CPU, memory, disk usage) and log file monitoring and other agent-required features are disabled for agentless-monitored systems. Additionally, the service account of the local agent should have administrative privileges on all the systems that are added for collecting events. To add systems for Agentless monitoring: 1. Open the System Manager. 2. Click the Options menu and select the Add System option, OR click Add System on the toolbar. System Manager displays the Add Agent window. 3. Select the computers. Click Next >. System Manager displays the Add Agent window. Figure 291: Add System window (Computer selection: select the systems to be monitored for events; Computers and Selected Computers lists, e.g. ALICE, ARNOLD, CHARLIE, DONALD, ELE
322. move All to remove all Alerts from this list. Refresh: click to update the Alerts. 3. Type appropriately in the relevant fields. 4. Click Export. EventTracker displays the Select Export File dialog box. 5. Click the Save in drop-down box and select the path where you want to export the alerts. 6. Enter the file name in the File name field. The valid file extension is .isalt. 7. Click Save. EventTracker displays the Export Import Utility message box. Figure 362: Export Alerts message box ("Successfully exported the selected Alert/Alerts"). 8. Click OK. Exporting System Groups: To export system groups: 1. Open the Export Import Utility. 2. Select the Groups option. EventTracker displays the Export Import Utility. Figure 363: Export Import Utility window, Export Domains (1. Select the EventTracker groups to be exported. 2. Click the Export button. 3. Choose the folder and provide the file name. Options: Category, Domains, Filters, Alert, Systems, Scheduled Reports, RSS Feeds; Add >, Add All >>, Refresh, Export, Close). Table 69: Domains: select a Domain/Domains from this list. Click Add > to add the selected Domain/Domains to the Sel
323. mplement the FISMA requirements and transmit the corresponding reports to the Office of Management and Budget (OMB) by October of each year. According to FISMA Sec. 3505 and Sec. 3544, the transmitted reports should summarize the following requirements to comply with FISMA. FISMA Sec. 3505: Sec. 3505(c)(1): maintenance and results of the agency's inventory of major federal information systems or applications, and their security. Sec. 3505(c)(2): inventory of network interfaces, not only within the agency but also with the networks of other agencies or contractors working under the agency. FISMA Sec. 3544: Sec. 3544(a)(1)(A)(i): information security protection against unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems of the agency. Sec. 3544(a)(1)(A)(ii): information security against unauthorized-usage risks from contractors or other organizations working on behalf of the agency. Sec. 3544(a)(1)(A)(ii): the responsibility of the agency head while the major federal systems are operated either by the agency or by contractors and other agencies under the agency. Sec. 3544(b): integrity, authenticity and availability of the systems supporting the agency's operations and assets. Sec. 3544(b)(2)(C): detailed reporting on the existing risks and remedial actions; effectiveness of the Information Assurance program and progress in remedial plans and actions. Sec. 3544(b)(2)(D): Period
324. n on receipt of an event. Disk Space Usage: a term used to monitor the disk space usage. A feature that instructs programs that usually notify information by E-mail. Log Analysis: process of analyzing the event details by setting criteria such as date range, time range, rule and computer. Event Filtering: process of filtering out the events that are not important; monitoring unimportant events causes the database to occupy more disk space. Event History: the report for the selected period for which events have been collected, based on the set criteria. Event Information: a window pane that displays the summary of event details in the EventTracker Management console. Event Logs: a type of event message; the event logs are recorded whenever certain events occur, such as services starting and stopping, or users logging on and off and accessing resources. Event Monitoring: a window pane that displays the real-time event information in the EventTracker Management console. EventTracker: an application that can be used to centrally monitor, analyze and manage events being emitted by Windows NT/2000/XP, UNIX systems and SNMP-enabled devices. EventBox: an archived event data file; you can create an EventBox by using the EventVault Warehouse Manager console. EventTracker Statistics: process to view the summary of event statistics such as Total events received, Tota
325. nagement Console. Click the Configure menu and select the Configure Alerts option. OR: Open the Alerts Dashboard. Click the Alert Config hyperlink in the upper right corner. EventTracker displays the Alert Groups console. Figure 56: Alert Groups console (toolbar: New, Edit, Delete, Save; the list shows the predefined Alerts, for example Administrative log on, Administrative log on failure, Audit Log Cleared, Disk space is critically low, Domain policy changed and EventTracker agent service failed, each with Yes/No columns).
326. nd select the Configure System option in the System Manager, OR click Configure Agents on the toolbar. To access the Agent Configuration window through Control Panel: double-click Agent Configuration in the Control Panel. To access the Agent Configuration window through Programs: click Start, point to Programs, point to Prism Microsystems, point to EventTracker and select the Agent Config option. Basic configuration: While installing EventTracker you have the liberty to set the basic configuration settings. Figure 214: Basic configuration settings (General: Syslog Monitor, Enable Event Log Backup; System Monitor: Overall CPU performance, Overall Memory performance, Disk Utilization, Service Monitor, Monitor Device Changes, Logfile Monitor; Application Monitor: App Install/Uninstall, App Usage, Per Process CPU performance, Per Process Memory performance; Network Connection Monitoring: Connection Type TCP Open/Close, UDP Open/Close; Monitor All Network Traffic or Only Suspicious Traffic). EventTracker includes several important features; you can customize EventTracker by enabling or disabling the above list of available features. Select appropriately and then click OK.
327. ndow. Add Agent: Apply configuration. After events are collected, they are processed at the Manager. To apply a predefined configuration, select Custom and specify the file (e.g. C:\etaconfig.ini); you can instead select Default and configure this later. Table 57: Default: select this option to set the default system configuration. The default configuration will track all events. Custom: select this option to apply a different configuration. The Config File field is enabled; click Browse and select the file. The file extension should be .ini. 9. Click the appropriate system configuration. Figure 295: Add System window, Apply configuration. Figure 296: System Manager message box. 10. Click Install. System Manager starts adding the system and displays the progress ba
328. newly created will get added up. Enter Group name: name of the Group you create. 4. Type the name of the Group you create in the Enter Group name field. Figure 329: Add Group dialog box (Parent node is All Categories; Enter Group name; OK, Cancel). 5. Click OK. 6. Expand the tree. EventTracker displays the newly created Group. Figure 330: Manage Categories dialog box with the newly created Group (My Group) in the Categories tree; Total Categories: 575. 7. To create a sub-group within that newly created Group, right-click it. From the shortcut menu, choose New Group. EventTracker displays the Add Group dialog box.
329. nfigure Agents; Search Computers; Create Group; Delete Group; Add System; Remove System; Upgrade Agent (System Manager toolbar). The System Manager lists the Computer Groups (e.g. EXCHSUPP, ISATEST, SUPPORT) and, for each computer, its Computer name, Type, Description and System Status (Managed or Unmanaged). 5. Right-click SUPPORT. System Manager displays the shortcut menu. (EventTracker System Manager menu: File, View, Option
330. nfirmation message box. Figure 304: Delete EventBox confirmation message box ("Confirm Archive Delete: Are you sure you want to delete archives?"). 4. Click Yes. The selected EventBox is deleted from the Available EventBoxes list. After deleting the EventBox, EventVault Warehouse Manager displays the Archintegrity report in Notepad. Moving CAB files: This option helps you move all or selected CAB files to a new location. After physically moving the CAB files, EventTracker updates the index file etwarindex.mdb. Moving the CAB files to a new location does not harm your scheduled reports; you can run on-demand reports, define reports and even configure new scheduled reports as you normally do. To move CAB files: 1. Open the EventVault Warehouse Manager. 2. Select the CAB files from the Available EventBoxes list, OR select the Select All check box to select all the EventBoxes. 3. Click Move. EventVault Warehouse Manager displays the confirmation message box ("Confirm Archive Move: Are you sure you want to move archives?"). 4. Click Yes to proceed. EventVault Warehouse Manager displays the Choose Directory dialog box. 5. Select the location (local or network) and then click OK. EventVault Warehouse Manager moves all the selected files to the new location and displays th
331. ng in all the systems and the Groups. To query agent service status in all the systems and the Groups: 1. Select the All option. 2. Select the Query for Agent service status option. 3. Click Next >. EventTracker displays the Enter privileged account information dialog box. 4. Type a valid username and password and then click Execute. EventTracker displays the EventTracker Agent Management Tool message box. 5. Click OK. EventTracker displays the result in Notepad. Restarting Agent Service (System): This option enables you to restart the agent service in the selected system. To restart the agent service in the selected system: 1. Select the System option. 2. Select the system from the System Name drop-down list. 3. Select the Restart Agent service option. 4. Click Next >. EventTracker displays the Enter privileged account information dialog box. 5. Type a valid username and password. 6. Click Execute. EventTracker displays the EventTracker Agent Management Tool message box. 7. Click OK. EventTracker displays the result in Notepad. Restarting Agent Service (Group): This option enables you to restart the agent service in the selected Group. To restart the agent service in the selected Group: 1. Select the Group option. 2. Select the Group from the Group Name drop-down list. 3. Select the Restart Agent service option. 4. C
332. ng settings to specified clients. (Agent Configuration window tabs include Manager destinations, Log Backup, Processes, Network Connection Monitor, System Monitor, Monitor Apps, Services.) You can choose to filter out events that are not required. If the filter is set, all events matching the filter will not be sent to the EventTracker Manager. You can also configure advanced filter options, such as sending only specific events or filtering out specific events. (Event filter settings: Basic Logs: System, Security, Application; Special Logs: DNS Server, File Replication, Directory Service; Event Types: Error, Warning, Information, Audit Success, Audit Failure; Enable SID Translation; Enable High Performance mode; Filter Exception; Advanced Filters.) Table 40: Select Systems: select a system from the drop-down list for which you want to filter events. Basic Logs: select the appropriate check boxes to filter the events being sent to the Manager. Special Logs: select the appropriate check boxes to filter the events being sent to the Manager. Event Types: select the appropriate check boxes to filter the events being sent to the Manager. Enable SID Translation: select this check box for SID translation. For more information on SID translation, refer to SID translate.pdf in the Even
333. nmanaged. (System Manager: Remove System, Upgrade Agent; Domain Computers list with Managed/Unmanaged status; Displaying Windows Systems; Auto Discover: 41 Systems.) Removing Computers (Manual Mode): This option enables you to remove computers when the System Manager is in Manual Discover Mode. To remove Computer(s): 1. Open the System Manager. 2. Click the File menu and select the Remove Computer(s) option. System Manager displays the Remove Computer(s) dialog box, listing the Computers that System Manager automatically discovered. The Remove button is disabled by default; System Manager enables it only when you select Computer(s) from the list. 3. Select the Computer(s) that you want to remove. 4. Click Remove. System Manager removes the selected computer(s). 5. Refresh the System Manager. Since the System Manager is in Manual mode, it cannot discover the removed Computer(s) again; you have to add the removed Computer(s) manually. Removing Unmanaged Systems: This option helps you remove unmanaged systems from the view as well as from the database. The discovery of systems in your enterprise should be in Manual mode and not
334. nt Configuration message box ("If older log files were monitored, old log entries will be unearthed. Do you want to enable this option?"). 12. Click Yes. EventTracker displays the Search String dialog box. Figure 248: Search String window (Search Strings for the selected log file; use a wildcard in any column to match every entry in the file; Add String, Edit String, Delete String). 13. Click Add String. EventTracker displays the Enter Search String dialog box. Figure 249: Enter Search String dialog. You can configure the strings that need to be searched for in the selected log file(s); if any record matching the search string is found, an event will be generated. Select Field Name (this is the Microsoft IIS log file format generated). 14. Select the field name from the Select Field Name drop-down list. 15. Type the string that you want to search for in the Enter Search String field. EventTracker displays the Enter Search String dialog box. Figure 250: Enter Search String dialog (Select Field Name: HostName; this is the
335. ntains All/Specific words; Exclude following words (Add, Edit, Remove); Select Systems (All Systems / Specific Systems); Select Time Range (From / To). Exclude following words: select this check box to exclude all words specified in this list. You can also add, modify and delete keywords from this list. Traffic Analyzer: Analyze the event traffic pattern being logged. It is recommended that you use this data to filter out irrelevant events and perform other operational tasks. Select Criteria: View by Category, View by Event Id, View by Custom Selection. Keywords Analysis: Contains All/Specific words (Add, Edit, Remove); Select Time Range (From / To); Select Systems (All Systems / Specific Systems). 4. Type appropriately in the relevant fields. 5. Select the systems. 6. Click Analyze. EventTracker displays the report in Notepad. Tracking Enterprise Activity: The Enterprise Activity module helps you effectively monitor and manage enterprise activities. It presents statistical data on: Alert events that occurred; Admin and non-Admin user activities; Processes executed (with provision to get more information on processes); Activi
336. nts NEWYORK (192.168.1.38) and NY (192.168.1.38) and then click Merge. Points to remember: 1. The old folder merges with the new folder. 2. While merging, Collection Master prompts you whether to overwrite the redundant CAB files or not. This option helps you merge two Collection Points. To merge Collection Points: 1. Click Collection Point Detail on the Collection Master Console. EventTracker displays the Collection Point Detail. Figure 404: Collection Point Detail (columns: Collection Point Name, Last Received CAB Name, Last Received CAB Time, Archive Path; buttons: Merge, Delete). 2. Select the Collection Points and then click Merge. EventTracker displays the confirmation message box. Figure 405: Confirmation message box ("Are you sure you want to merge collection point NEWYORK (192.168.1.38) into collection point NY (192.168.1.38)?"). 3. Click Yes. EventTracker displays conf
337. nts that are reporting to the Collection Master. Displays the version of the Collection Points. Last Received CAB Name: name of the last CAB file that was received from the Collection Points. Last Received CAB Time: date and time when the Collection Master received the last CAB file. Archive Path: displays the path of the folder where the CAB files of the respective Collection Points are stored on the Collection Master computer. Example: Program Files\Prism Microsystems\EventTracker\Archives\NEWYORK (192.168.1.38). Viewing CAB Status: This option helps you view the status of the CAB files transferred and being transferred by the Collection Points to the Collection Master. To view CAB status: 1. Click CAB Status on the Collection Master Console. EventTracker displays the CAB Status. Figures 400 and 401: CAB Status (Select Criteria: Select Collection Point, Select CAB Status; columns: Name, Period, Collection Point, Size (Kb), Transmission Start Time, Status).
338. ny alert in case it is a duplicate of an alert received earlier within a particular time frame. How do I use the feature (Duplicate Alarm Suppression)? The Duplicate Alarm Suppression feature is GUI driven. The configuration settings are present in evtrxer.ini. This configuration file is located in the directory where EventTracker is installed; a typical example would be C:\Program Files\Prism Microsystems\EventTracker. The evtrxer.ini file has the following settings by default: dup_suppr_interval=0 and max_alerts_allowed=0. dup_suppr_interval: this is the interval during which duplicate alerts will be suppressed. The interval is defined in seconds; a value of 0 DISABLES the suppression feature. max_alerts_allowed: this is the maximum number of duplicate alerts that will be allowed during the interval set in dup_suppr_interval. A value of 0 causes all duplicate alerts to be suppressed, which means that only one alert will be allowed during the Suppression Interval. The EventTracker Receiver service has to be restarted once any change is made to the evtrxer.ini file. If the service is not restarted, the changes made will not be taken in by the service. Sample Alert Suppression setting: dup_suppr_interval=300 and max_alerts_allowed=5. The above settings inform EventTracker to allow a MAXIMUM
339. of this guide. This guide will enable you to use every option of EventTracker and provides detailed procedures for the same. Who should read this guide: Intended audience: Administrators who are assigned the task of monitoring and managing events using EventTracker; Operations personnel who manage day-to-day operations using EventTracker. Typographical Conventions: Before you start, it is important to understand the typographical conventions followed in this guide. Table 1: References to other guides and documents. Input fields, radio button names, check boxes, drop-down lists, links on screens, menus and menu options. CAPS: keys on the keyboard and buttons on screens. Text to customize: a placeholder for something that you must customize; for example, Server would be replaced with the name of your server (machine name or an IP address). Constant width: text that you enter, program code, file and directory names, function names. A Note providing additional information about a certain topic. Document Revision Control (Table 2): This section defines the conventions followed for the document revision control number. The revision control number is an alphanumeric identifier unique to the document. The components of the acronym identify the following: First two letters: name of the product. Se
340. older and provide the file name. Click OK. (Export Import Utility: Category, Systems, Filters, Alert, Scheduled Reports, RSS Feeds; Add All >>, Add >, < Remove, << Remove All, Refresh, Export.) Table 70: Systems: select a System/Systems from this list. Click Add > to add the selected System/Systems to the Selected list. Click Add All >> to export all the Systems; all the Systems are added to the Selected list. Selected: select a System/Systems from this list. Click < Remove to remove the selected System/Systems from this list. Click << Remove All to remove all the Systems from this list. Refresh: click to update the Systems. 3. Type appropriately in the relevant fields. 4. Click Export. EventTracker displays the Select Export File dialog box. 5. Click the Save in drop-down box and select the path where you want to export the systems. 6. Type the file name in the File name field. The valid file extension is .issys. 7. Click Save. EventTracker displays the Export Import Utility message box. Figure 366: Export Systems message box ("Successfully exported the selected System/Systems"). 8. Click OK. Exporting Scheduled Reports: To export Scheduled Reports: 1. Open the Export Import Utility. 2. Select the Scheduled Reports option to export
341. ole. [Figure residue: Alert Groups console with New, Edit, Delete and Save buttons. Caption: "Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action." Column: Console side remedial action (Yes/No). Predefined alerts listed: Administrative log on, Administrative log on failure, Altiris Audible Alert, Audit Log Cleared, CISCO Access Denied, CISCO Authentication Failed, CISCO PIX Failover Message, CISCO PIX IDS intrusion detection, CISCO VPN Admin Access Authenticati..., CISCO VPN Admin Access Authorizatio..., CISCO VPN Admin Access Access Contr..., CISCO VPN Memory Allocation Failed, Citrix Console Message Alert, Critical service could not be started, Critical service is not running, Crystal Enterprise, Detected high memory usage, Detected software (Some S/w has bee...), Directory permission change, Disk space is critically low, Domain policy changed, E-mail Alert, Events as SNMP Traps, Events as SYSLOG Messages, EventTracker agent service failed, EventTracker Agent configuration changed, EventTracker Collection Master Error, EventTracker Collection Point Error, EventTracker DLA No files found for pro..., EventTracker DLA file processing failed, EventTracker Remedial action failed]
342. oles exe [Figure residue: process list with Name, Description and PID columns; entries include EventTracker, Symantec Antivirus, RoboHelp HTML (RoboHTML.exe), Windows Internet Explorer (iexplore.exe), SnagIt (SnagIt32.exe), WordWeb (wweb32.exe), Symantec Client Management, Microsoft Windows Operating System (explorer.exe, msimn.exe), Microsoft Office (EXCEL.EXE, WINWORD.EXE)] From the shortcut menu
343. om option.
7. Navigate and locate the systems file you want to import and click Open. EventTracker displays the Import tab on the Export Import Utility dialog box.

Figure 388 Export Import Utility window. [Import Systems tab: "1. Provide the path & file name of the system file. Use the button to browse & locate the import file. 2. Click the Import button." Category: Filters, Alerts, Custom, Source Groups, Systems, Scheduled Reports, RSS Feeds; Files field; Import and Close buttons]

8. Click Import. EventTracker displays the Export Import Utility message box.

Figure 389 Import Systems message box: "Successfully imported Domains/Systems from C:\Program Files\Prism Microsystems\EventTracker\MySystems.issys. To view the imported Domains please go to Configure > Manage Systems."

9. Click OK.

Importing Schedule Reports

To import Schedule Reports:
1. Open the Export Import Utility.
2. Click the Import tab.
3. Select the Scheduled Reports option to import new Reports (Console > Scheduled Reports). EventTracker displays the Export Import Utility.

Figure 390 Export Import Utility window. Export Import Utility
344. omply with internal policies and industry regulations.

Successful logons preceded by failed logons: Multiple failed logins followed by a successful login could indicate a successful breach by a hacker.

Audit log cleared events by user: A successful hacker will attempt to remove any trace of their attack. Their attempts to clear the audit logs are captured and can be displayed with this report.

Invalid logons by date: Allows you to identify days of heavy invalid logins. Many invalid logins over a weekend could indicate an attempt to penetrate the network.

Daily reboot statistics: Daily reboot statistics can help system administrators identify systems that might be having problems.

CPU load peaks by computers: CPU load peaks can indicate a system that is either configured incorrectly or one that is simply overworked. This can allow the system administrator to identify the system having problems and either fix the issues, transfer some of the workload, or justify new hardware.

Account usage outside of normal hours: This report can identify those accounts that are being used outside of normal (definable) hours of operations. Users occasionally work late, but frequent account usage after hours can indicate a security breach.

Audit policy history: Tracking audit policy on enterprise systems is a key function for security auditors. The
345. omputers to uninstall Agent software. [Figure residue: Computers and Selected Computers lists; Add >, < Remove and << Remove All buttons] For field descriptions, refer to Figure 268 Add System window on page 184.
3. Select the computer.
4. Click Next >.

Figure 192 Uninstall Remote Agent(s). [Dialog: "Agent(s) will be uninstalled from the following remote computer(s)"; columns Latest Status, Managed, Standard Mode; "Select Uninstall to proceed"]

5. Click Uninstall. System Manager displays the Login dialog box.

Figure 193 Uninstall Remote Agent(s) Login. [Dialog: "Please provide an account with sufficient privileges to access the network. Usually a Domain Admin account is required. Please enter the account name in DOMAIN\USER format." Fields: Account, Password]

6. Type valid user credentials and then click Login. System Manager starts uninstalling the Agent and displays the progress bar. After successfully uninstalling the Agent, System Manager displays the EventTracker System Manager message box.

Figure 194 Uninstalling Agent, System Manager message box: "The process is complete. Please check the status against each computer."

7. Click OK. System Manager displays the successful uninstallation message.
346. on list. EventTracker displays the Trusted Connections List. The connections listed in the Trust List are exempted from monitoring.

Figure 274 Trusted Connections List. [Dialog: "Following is list of trusted connections"; columns Port, Description; entries include Simple Services (Active Users, Daytime, Chargen; Simple TCP/IP Services), FTP default data and FTP control (FTP Publishing Service), Application Layer Gateway, Telnet, SMTP (Simple Mail Transfer Protocol), Resource Location Protocol, WINS Replication (Windows Internet Name Service), DNS (DNS Server), DHCP Server, Internet Connection Firewall, TFTP; buttons New, Edit, Delete, Add Program, Add Firewall List, Close]

By default, the predefined trusted connections are enabled, which means EventTracker exempts those processes and ports from monitoring. Clear the check boxes against the processes that you want to be monitored by EventTracker.

Table 50
- New: Add new trusted connections. EventTracker displays the Trusted Port Details window.
- Edit:
Process name
347. on Pane
- Set Auto Scroll option
- Rename a Window

Choosing Columns

This option enables you to select the columns that you want to display on the Dashboard. By default, EventTracker displays the Date, Computer, Source and Description columns on the Dashboard.

To choose columns:
1. Click the Configure menu and select the Choose Columns option. EventTracker displays the Choose Columns dialog box.
2. Select the columns and then click OK. To select all the columns, press and hold the Ctrl key on your keyboard.

Search Based Console

The search based console helps you search & view events that occurred in a specific Category. By default, EventTracker displays the number of events configured in the Manager Configuration window (Max events view limit, Console). Whenever you open the Management Console, EventTracker sets the focus on the Correlated Alerts and Incidents Category and displays the events associated with that Category. If no events occurred in that particular time frame, EventTracker gives you options to search farther back. You can also configure EventTracker to show/store only the active Alerts through the options provided in the Manager Configuration window.

1. Select an event Category. Example: EventTracker > EventTracker: Software install/uninstall. You can also select a system and then click an event Category to view the events that occurred in that Category for that particular syst
348. on Point Details
- View CAB status
- Configure Collection Master listening port
- Merge Collection Points
- Request CAB files
- Delete CAB files
- Delete Collection Point Detail
- Configure Alerts

Starting Collection Master Console

This option helps you open the Collection Master Console.

To open Collection Master Console:
1. Open the EventTracker Control Panel.
2. Double-click Collection Master Configuration. OR Click Start, point to Programs, point to Prism Microsystems, point to EventTracker and then select the EventTracker Collection Master Configuration option. EventTracker displays the Collection Master Console.

Figure 398 EventTracker Collection Master Console. [Window: menus Configure, Help; tabs Collection Point Detail, CAB Status, CAB Request Console; CAB Status Select Criteria: Select Collection Point (All), Select CAB Status (All); columns Name, Period, Collection Point Name, Size (Kb), Status; Select all; Total Cab Files 0 (Success, Failed, In Progress); Delete button]

Table 71
- Collection Point Detail: View Collection Point details.
- CAB Status: View status of CAB files received from Collection Points.
- CAB Request: Send a request to a Collection Point to forward missing CAB files.
349. on Points. Select the Collection Point Name from the Select Collection Point drop-down. EventTracker displays all the CAB files sent and being sent by the selected Collection Point. You can also set filter criteria by selecting the appropriate option from the Select CAB Status drop-down list.
- Size (Kb): Displays the size of the CAB files.
- Transmission Start Time: Displays the date and time when the Collection Point started sending the CAB files.
- Transmission Time (Sec): Displays the time taken in seconds to send the CAB files.
- Status: Displays the status of the CAB files.
- Comments: The reason for failure in receiving the CAB files is displayed in this column. For Success and In Progress, no comment is displayed.
- Total Cab Files: Displays the total number of CAB Files received from All Collection Points or from the Collection Point selected from the Select Client drop-down list.

Table 76
- (Success icon): CAB files received successfully by the Collection Master.
- (Failed icon): CAB files not received successfully by the Collection Master.
- (In Progress icon): CAB files being received by the Collection Master.

Select a Collection Point from the Select Collection Point drop-down list. Select the status from the Select CAB Status drop-down list. Example: In Progress.
4. Click Show. EventTracker displays the CAB Status. EventTracker displays the status of the CAB files f
350. on settings.

To modify event filter configuration settings:
1. Open the Filter Events console. EventTracker displays the Filter Events console.
2. Select the filter from the list and then click Edit Filter. EventTracker displays the Add Event Filter Parameters dialog box. For field descriptions, refer to Figure 37 Add Event Filter Parameters on page 46.
3. Enter/select appropriately in the relevant fields. Click OK. EventTracker displays the Filter Events console with the modified filter. Click OK. Restart the Management Console.

Deleting Event Filters

This option enables you to delete the event filters.

To delete event filters:
1. Open the Filter Events console. EventTracker displays the Filter Events console.
2. Select the filter information that you want to delete in the list.
3. Click Remove Filter. EventTracker displays the EventTracker Console confirmation message box.
4. Click Yes. EventTracker deletes the selected filter.

Configuring Event Filters with Exception

This option enables you to filter events with an exception. Suppose you want to filter out all Information Event Type events but are interested in monitoring a particular event. You can do this with the Filter Exception option in the Filter Events console.

To configure event filters with exception:
1. Open the Filter Events console.
2. Click Ad
351. on the Managers tab. EventTracker displays the Edit Destination dialog box.

Figure 218 Edit Destination window. [Dialog: Destination; Port 14505; "Connect to Manager using: High Performance Mode uses minimal network traffic (UDP) and is the best choice for most installations"; options High Performance Mode (UDP), Guaranteed Delivery; Configure cache folder; Minimum Amount of Free space to be left on Storage Device: 20]

By default, EventTracker selects the High Performance Mode (UDP) option.
5. Select the Guaranteed Delivery Mode (TCP) option.

Figure 219 Edit a Destination window. [Dialog: Destination WEBDOC1; Port 14505; "Connect to Manager using: Guaranteed Delivery Mode assures event delivery in the face of failures by caching and retransmitting events. It is best suited for high end installations"; High Performance Mode; Configure cache folder: C:\Program Files\Prism...; Minimum Amount of Free space to be left on Storage Device]

By default, EventTracker stores the cache in the C:\Program Files\Prism Microsystems\EventTracker\Agent\ged folder. You can also modify it if you prefer a different folder.
352. onnect to Manager using: "High Performance Mode uses minimal network traffic (UDP) and is the best choice for most installations"; High Performance Mode (UDP); Guaranteed Delivery Mode (TCP); Configure cache folder: C:\Program Files\Prism...; Minimum Amount of Free space to be left on Storage Device]

Table 39
- Destination: Type the system name in this field. Make sure that EventTracker Manager is installed in the system.
- Port: Type the port number in this field. By default, the port number is 14505.
- Connect to Manager using: Select the appropriate option. The options are High Performance Mode (UDP) and Guaranteed Delivery Mode (TCP).
- Configure cache folder: Select the cache folder. This is used to store events locally on the Agent system when the connection to EventTracker Manager is lost.
- Minimum Amount of Free space to be left on Storage Device: This feature applies to the TCP mode of the agent. The purpose of TCP mode is to deliver the events in a guaranteed way irrespective of connection problems, Receiver status, etc. If the Agent is not able to communicate with the Receiver, the Agent will start storing all the events as cache files in the specified folder (refer to Configure cache folder). If the Receiver is dead for weeks together, the Agent keeps storing these files on disk, thereby affecting DISK SPACE on critical
353. [Figure residue: Dashboard event list dated 01/13/2010; each row shows time, Event ID 3221, computer WEBDOC1, type Information, log Application, source EventTracker, user toons\nirmal, and a description of the form "App Open Exe: <executable> Name: <product>" for NOTEPAD.EXE (Microsoft Windows Operating System), iexplore.exe (Windows Internet Explorer), WINWORD.EXE (Microsoft Office XP), msimn.exe (Microsoft Windows Operating System), Alerts Dashboard.exe (EventTracker) and ETArchive.exe (Ev...)]
354. onsole, then the functionality varies accordingly. The EventTracker Scheduler service monitors and manages Log Volume Analyzer schedules and EventVault Integrity check schedules. EventTracker logs the service related information in the etslog.txt file, which is available in the default EventTracker installation folder, typically \Program Files\Prism Microsystems\EventTracker. EventTracker logs Log Volume Analyzer schedule related information in etrptschlog.txt, which is available in the \Program Files\Prism Microsystems\EventTracker folder, and EventVault integrity check related information in CABIntChkLog.txt, which is available in the \Program Files\Prism Microsystems\EventTracker\Archives folder.

If the \Program Files\Prism Microsystems\EventTracker\Archives folder is on a remote machine across the network, crosscheck the following:

EventTracker Scheduler service account settings: Check if the EventTracker Scheduler service account has Administrator privilege on the remote machine. If the EventTracker Scheduler service does not have the mandatory privilege, do the following:
1. Open Services.msc.
2. Right-click EventTracker Scheduler.
3. From the shortcut menu, choose the Properties option.
4. Click the Log On tab.
5. Select the This account option.
6. Type a valid user name and password which has Administrator privilege on the remote machine where the CAB files reside.
7. Click Apply.

Firewall settings (Example: Windows Firewall): When the Ev
355. or other Windows Agents. No other additional configuration settings are required.

Filtering Events

Event Logs is a dynamic list of Channels. Whenever a new Channel is provided for subscription, EventTracker updates this list automatically. High performance mode is not available for the Vista Agent.

Figure 213 Vista Agent Configuration window, Event Filters tab. [Window: EventTracker Agent Configuration; menus File, Help; Select Systems (Agent based system); "Apply the following settings to specified clients"; Manager destinations; tabs Log Backup, Processes, Network Connection Monitor, Logfile Monitor, Managers, System Monitor, Monitor Apps/Services, Event Filters; text: "You can choose to filter out events that are not required. If the filter is set, all events matching the filter criteria will not be sent to the EventTracker Manager. You can also configure advanced filter options such as to send only specific events or choose to filter out specific events."; Event Types: Application, Error, DFS Replication, Warning, HardwareEvents, Audit Success, Audit Failure; Enable SID Translation; Filter Exception; Advanced Filters]

Monitoring EVTX Logfiles

This option enables you to monitor Vista event log backup files.

To monitor EVTX log files:
1. Open the Agent Configuration wind
356. or the selected Collection Point in the CAB Status window. If there is no CAB file that meets the selected status criteria, then EventTracker displays the message box.

Figure 402 EventTracker Collection Master Console message box: "No cab file present."

Configuring Collection Master listening port

This option helps you configure the listening port of the Collection Master. By default, EventTracker Collection Master and Collection Points communicate through port 14507. You can configure this port number from the Collection Master Console. If you configure a new port other than the default one, you have to configure the Collection Points with the same port number for successful communication between the Collection Points and the Collection Master.

To configure Collection Master listening port:
1. Click the Configure menu and then select Port Number. EventTracker displays the Configure Port dialog box.

Figure 403 Configure Port dialog box. [Dialog: "Port number in which the EventTracker Collection Master services are enabled. Changing this port number requires changes with Collection Point configuration for further communications." Collection Master Port Number: 14507; OK, Cancel]

2. Type the port number in the Collection Master Port Number field and then click OK.
357. orrelating Events

This option enables you to correlate events with the offline events in the database.

To correlate events:
1. Open the Management Console.
2. Click the Tools menu and select the Traffic Analyzer option.
3. Select the All Correlation Events option from the Category drop-down list.
4. Set the From/To date and time range through the From/To spin boxes.
5. Select the systems.
6. Click Analyze. EventTracker displays the analysis report (EvtTrfcAnalyze) in Notepad.

Traffic Analysis: View by Event Id

This option helps you analyze hard-coded Windows-specific security events.

To analyze event traffic (View by Event Id):
1. Open the Management Console.
2. Click the Tools menu and select the Traffic Analyzer option.
3. Select the View by Event Id option.

Figure 314 Traffic Analyzer. [Dialog: "Analyze the event traffic pattern being logged. It is recommended that you use this data to filter out irrelevant events and perform other operational tasks." Select Criteria: View by Custom Selection, Keywords Analysis, Analysis of specific Windows events; Display all records / Display only top records; Select Event Id: 540/4624 Successful Network Logon, 672/4768/4772 Authentication Ticket Granted, 673/4769/4773 Service Ticket Granted, 675/4771 Pre-authentication failed, 680/4776 Logon attempt; Select Time Rang
358. ort. Follow-up e-mails can then be sent to the appropriate managers to determine what has transpired with the employees whose accounts appear in the report, i.e. have these staff left the company or are they on some extended leave. Once the status of the employee is known, these accounts may then be disabled or deleted as required.

User Account Locked Out

User account lockouts occur when a user incorrectly enters a password several times in succession. In most organizations, a user who enters their password incorrectly three times will have their account locked out, i.e. be barred from accessing the network for some defined time period (e.g. 15 minutes) or possibly indefinitely. Frequent user account lockouts can result from clumsy or forgetful users, but they may also be an indication of someone trying to gain unauthorized access to the network using their own or someone else's account. Like file and resource access, account lockouts are recorded in the Windows Event logs of each server that authenticates user access. Once again, the challenge is to pull this information together. Reporter's User Account Locked Out report extracts lock-out events from all the data collected from servers across the company, effectively mining out the transactions that might indicate suspicious activity. As part of the regular audit process, it would be advisable to schedule the execution of this report in the early morning hours, just prior to the start of business, e.g. at 6 a
359. ort Import Utility message box: "Successfully imported Scheduled Reports configuration from C:\Program Files\Prism Microsystems\EventTracker\ExESumRep.issch. To view the imported Scheduled Reports configuration please go to Reports > Reports Console > Schedule Report."
10. Click OK.

Importing RSS Feeds

To import RSS Feeds:
1. Open the Export Import Utility.
2. Click the Import tab.
3. Select the RSS Feeds option. EventTracker displays the Export Import Utility.

Figure 392 Export Import Utility window. [Import tab: "1. Provide the path & file name of the RSS Feed file. Use the button to browse & locate the import file. 2. Click the Import button." Category: Filters, Alerts, Source Groups, Systems, Scheduled Reports, RSS Feeds; Import button]

4. Click the button located adjacent to the Source field. EventTracker displays the Select issrss File dialog box.
5. Navigate and locate the scheduled reports file you want to import and click Open.
6. EventTracker displays the Import tab on the Export Import Utility.

Figure 393 Export Import Utility window. [Import tab: Scheduled Reports; Export Import Reports
360. ory you want to delete in the left pane.
3. Click Delete Category. OR Right-click the category that you want to delete. EventTracker displays the shortcut menu. From the shortcut menu, choose Remove Category. OR Click the Delete menu and select the Delete Category option. EventTracker displays the Confirmation message box.

Figure 352 Delete Category confirmatory message box: "Do you want to remove the selected Category?" Yes / No

4. Click Yes. EventTracker deletes the selected Category.

Deleting Event Details

This option helps you delete Event Details.

To delete event details:
1. Open the Manage Categories console.
2. Select the category in the left pane.
3. Select the event you want to delete from the displayed list in the right pane.
4. Click Remove Event. EventTracker displays the Confirmation message box.

Figure 353 Delete Event confirmatory message box: "Deleting an event(s) from a category will affect all the category groups where this category exists. Are you sure you want to remove the selected Event Detail?" Yes / No

5. Click Yes. The selected event details are deleted.

Adding Categories as Alerts

This option enables you to add Categories as Alerts.

To add Categories as Alerts:
1. Open the Manage
361. oups console.
- Duration: Type the duration in seconds in this field. This field supports the numeric data type only.
- Delay: Type the delay in seconds between beeps in this field. This field supports the numeric data type only.
- Frequency: Type the frequency in Hertz in this field. This field supports the numeric data type only.

3. Type appropriately in the relevant fields.
4. Click OK.
5. Click OK on the Alert Group Configuration window. EventTracker displays the Alert Groups console with the newly created audible alert.

[Figure residue: Alert Groups, EventTracker Console, with New, Edit, Delete and Save buttons. Caption: "Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action." Columns: Forward as SNMP, Forward as SYSLOG, RSS Notification, Console side remedial action; rows such as Administrative log on show No in each column]
362. ow. Eg: C:\myfile.bat Event LogType Computer Source Category Event ID User Description; Browse; Cancel]
5. Click Browse. EventTracker displays the Open dialog box.
6. Go to the appropriate folder and select the file to be executed.
7. Click Open. EventTracker displays the Actions dialog box.

Figure 97 Editing Actions. [Dialog: Actions, Remedial Action at Console Configuration. "Select a file to execute when an event occurs. The order of command line arguments to the file is as shown in the example given below. Eg: C:\myfile.bat Event LogType Computer Source Category Event ID User Description" File field: C:\MYEXE.exe; OK, Cancel]

8. Click OK on the Actions dialog box.
9. Click Finish on the Alert Group Configuration, EventTracker Console dialog box.
10. Click Save on the toolbar. EventTracker displays the EventTracker Management Console Message.
11. Click OK.
12. Restart the Management Console.

Executing Remedial Action at EventTracker Agent System

Upon receiving Events that fall under the Alerts Category, EventTracker can be configured to:
- Raise a beep sound from the PC speaker
- Send e-mail to one or
363. ow.
2. Select the system from the Select Systems drop-down list.
3. Click the Logfile Monitor tab. EventTracker displays the Logfile Monitor tab.
4. Click Add File Name. EventTracker displays the Enter File Name dialog box.
5. Select the logfile type as EVTX from the Select Logfile Type drop-down list.
6. Type the path in the Enter File Name field, OR click the browse button to locate and select the log file. EventTracker displays the Select Folder/File Name dialog box.
7. Go to the appropriate folder and then select the file.
8. Click OK.
9. Select the log type from the EVT Log Type drop-down list.
10. Click OK. EventTracker displays the Agent Configuration window with the newly added configuration settings.
11. Click Save.

Configuring Windows Agent

Accessing the Agent Configuration Window

This section helps you access the Agent Configuration window in multiple ways.

To access the Agent Configuration Window through the Management console:
1. Open the Management Console.
2. Click the Configure menu and select the Configure Agents option.

To access the Agent Configuration Window through System Manager:
1. Click the Configure menu and select the Manage Agents option in the Management console. OR Click System Manager on the toolbar. EventTracker displays the System Manager.
2. Click the Options menu a
364. ows 2000 [Figure residue: System Manager list of discovered systems with operating system (Windows 2000, Windows 2003, Windows XP), contact, status (Managed, Unmanaged) and port (14505) columns; status line "Displaying Windows Systems, Auto Discover: 57 Systems"]

This feature is not applicable for the Vista Agent.

Figure 208 EventTracker Agent Configuration window (Vista Agent). [Window: menus File, Help; Select Systems (Agent based system); "Apply the following settings to specified clients"; Manager destinations; tabs Log Backup, Processes, Network Connection Monitor, Logfile Monitor, Managers, Event Filters, System monitor, Monitor Apps/Services; text: "You can choose to filter out events that are not required. If the filter is set, all events matching the filter criteria will not be sent to the EventTracker Manager. You can also configure advanced filter options such as to send only specific events or choose to filter out specific events."; Event Types: Application, Error, DFS Replication, Warning, HardwareEvents, Information, Internet Explorer, Audit Success, Audit Failure; Enable SID Translation; Filter Exception; Advanc
365. …per system for each event ID. Filter and display event count details based on user-defined criteria. Usage: analyze Windows-specific security events, correlate events, and run broad searches per criteria with subsequent sorting and ordering of the result set.
1. Open the Management Console.
2. Click the Tools menu and select the Traffic Analyzer option. EventTracker displays the Traffic Analyzer.
Figure 313: Traffic Analyzer ("Analyze the event traffic pattern being logged. It is recommended that you use this data to filter out irrelevant events and perform other operational tasks." Options: View by Event Id, View by Custom Selection, Analysis based on category; Category; Select Time Range From / To.)
Traffic Analysis: View by Category. This option helps you analyze events based on Category. To analyze event traffic by Category:
1. Select the View by Category option.
2. Select a Category from the Category drop-down list (example: All Warning Events).
3. Set the From/To date and time range through the From/To spin boxes.
4. Select the systems.
5. Click Analyze. EventTracker displays the report in Notepad.
Traffic Analyzer identifies high-volume events as candidates for filtering. Since filtered events are not stored, confirm that a noisy event is not security-relevant before filtering it.
366. …plays the Export Import Utility.
Figure: Export Import Utility, Import tab ("1. Provide the path & file name of the alerts file. Use the browse button to locate the import file. 2. Click the Import button." Options: Category, Filters, Alerts, Systems, Scheduled Reports, RSS Feeds; Import E-mail Settings; Source; Import.)
4. Click the browse button located adjacent to the Source field. EventTracker displays the Select isalt File dialog box.
5. Navigate and locate the Alerts file you want to import.
6. Click Open. EventTracker displays the Import tab on the Export Import Utility (Figure 380, Import Alerts; Source example: C:\Program Files\Prism Microsystems\EventTracker\…).
7. The Import E-mail Settings check box is selected by default to import the Alerts with their e-mail configuration settings. Clear this check box to import Alerts without their e-mail settings.
8. Click Import. EventTracker displays the Export Import Utility message bo…
367. (Figure: Reports Console, Show All Reports; the figure text is illegible in the extraction.) …Had you conf…
368. …porting to the Collection Master are listed in this drop-down list.
Select CAB Status: Select the status of the CAB files from this drop-down list and then click Show. Available options are All, Missing in Source and Failed to Transfer.
CAB Request window columns:
CAB Name: Displays the name of the CAB files.
Period: Displays the start time and end time. Start time is the date and time of the first event and end time is the date and time of the last event in the CAB file.
Collection Point: Displays the name of the Collection Point. Select the Collection Point name from the Select Collection Point drop-down list; EventTracker displays all the CAB files sent and being sent by the selected Collection Point. You can also set filter criteria by selecting the appropriate option from the Select CAB Status drop-down list.
Transmission Start Time, Transmission Time (In Sec).
Status: Displays the status of the CAB files as Missing or Failed.
Comments: The reason for failure in receiving the CAB files is displayed in this column. For Success and In Progress no comment is displayed.
Total CAB Files: Displays the total number of CAB files selected for request (CAB files missing or failed to transfer).
To understand the functionality of CAB Request, delete some CABs from the Archives folder and see what happens. Do this only on a test Collection Master: the Archives folder is the audit record.
3. Open the Collection Master Console and click CAB Request. EventTracker displays the CAB Request window with t…
369. …ps EventTracker Console (Alert Groups console: New, Edit, Delete, Save). Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action; further columns are Forward as SNMP, Forward as SYSLOG and RSS Notification, each shown as No until configured. Alerts listed include: Administrative log on; Administrative log on failure; Altiris Audible Alert; Audit Log Cleared; CISCO Access Denied; CISCO Authentication Failed; CISCO Failover Message; CISCO IDS intrusion detection; CISCO VPN Admin Access Authentication…; CISCO VPN Admin Access Authorization…; CISCO VPN Admin Access Access Control…; CISCO VPN Memory Allocation Failed; Citrix Console Message Alert; Critical service could not be started; Critical service is not running; Crystal Enterprise; Detected high memory usage; Detected software … has been…; Directory permission change; Disk space is critically low; Domain policy changed; E-mail Alert; EventTracker agent service failed; EventTracker Agent configuration changed; EventTracker Collection Master Error; EventTracker Collection Point Error; EventTracker DLA No files found for pro…; EventTracker DLA file processing failed; EventTracker Remedial action failed; EventTracker Remedial action ignored; …
370. …ptimized to absolutely minimize resource usage.
Pre-installation Procedures. You MUST have Local Admin privileges on the remote systems where you want to install the Agents; you can also install Agents with Domain Admin privileges. Make sure that the systems you select to monitor are accessible through the network, have their disks shared for administrators (the administrative shares), and have up to 5 MB of disk space available for the Windows Agent. If the remote system is accessed through a slow link, the install may take time; plan accordingly.
Installing Windows Agents. This option enables you to install Windows Agents in Standard mode.
To install agents in Standard mode:
1. Open the System Manager.
2. Click the Options menu and select the Add System option, OR click Add System on the toolbar, OR right-click the system where you want to install the agent. System Manager displays the shortcut menu.
Figure 177: Add System (EventTracker System Manager: File, View, Options, Help; Options menu: Configure Agents, Search Computers, Create Group, Delete Group, Add System, Remove System, Upgrade Agent; Computer Groups: All Domain Computers, Groups; columns Computer, Type, Description, System Status; rows such as Windows 2003 Unmanaged, Windows 2000 Unmanaged, Windows 2003 Unmanag…)
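The pre-installation checks above (network reachability, an administrative share the installer can write to, and at least 5 MB free) can be verified for a whole list of targets before you click Add System. The following PowerShell script is an added example written for this page, not part of the EventTracker guide or product. It assumes the installer needs the ADMIN$ administrative share, that the agent is placed on the remote system drive, that you run it with an account that is a local administrator on the targets, and the list of computer names is constructed.

```powershell
# Added example (not EventTracker code): verify the documented agent
# prerequisites for each remote system before running Add System.
# Assumptions: ADMIN$ is the administrative share the installer needs,
# the running account is a local administrator on the targets, and
# $computers is a constructed list of names.
$computers = @('SYS1', 'SYS2', 'SYS3')

function Test-AgentPrerequisites {
    param([string]$ComputerName)
    $result = [ordered]@{
        Computer   = $ComputerName
        Reachable  = $false
        AdminShare = $false
        FreeMB     = $null
        Ok         = $false
    }

    # 1. "accessible through the network"
    $result.Reachable = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet
    if (-not $result.Reachable) { return [pscustomobject]$result }

    # 2. "disks that are shared for the Admin": the administrative share must
    #    open with the current credentials, which also proves local-admin rights
    $result.AdminShare = Test-Path -Path "\\$ComputerName\ADMIN$"

    # 3. "disk space up to 5MB" on the remote system drive
    try {
        $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $disk = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $ComputerName `
                    -Filter "DeviceID='$($os.SystemDrive)'" -ErrorAction Stop
        $result.FreeMB = [math]::Round($disk.FreeSpace / 1MB)
    } catch {
        $result.FreeMB = $null   # WMI/DCOM blocked or access denied: treat as failed
    }

    $result.Ok = $result.AdminShare -and ($result.FreeMB -ge 5)
    return [pscustomobject]$result
}

$computers | ForEach-Object { Test-AgentPrerequisites -ComputerName $_ } | Format-Table -AutoSize
```

A row with Reachable true but AdminShare false usually means the account is not an administrator on that system or the administrative shares are disabled; a null FreeMB with AdminShare true means WMI is blocked by the remote firewall. Both need fixing before the push install will succeed, and on a slow link the 5 MB copy itself is what takes the time.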
371. …r ||, then in the search string prefix this character with a backslash. Example: \& for a & and \|| for a ||. For more information click here.
Table 65: Event Details
Severity: Select a severity type from the drop-down list. The options are Clear, Information, Warning, Minor, Major and Critical.
Event Type: Select an event type from the drop-down list. The options are Error, Warning, Information, Audit Success, Audit Failure and Success.
Category: Type the category number in this field. This field supports numeric data only.
Log Type: Select a log type from the drop-down list. The options are System, Security, Application, DNS Server, File Replication Service and Directory Service.
Event ID: Type the event ID number in this field. This field supports numeric data only.
Source: Type the source in this field.
User: Type the user name in this field.
Match in Event Descr: Type a sub-string of the description that needs to be matched.
More information: Type additional information about the event category in this field.
If a field is left blank, a wildcard match for that field is assumed. For example, leaving the User field blank implies that any value in that field is acceptable.
7. …appropriately in the re…
372. …r. After adding the system, System Manager displays the EventTracker System Manager message box: "The process is complete. Please check the status against each computer."
11. Click OK. System Manager displays the successful installation message (Figure 297: Add Agent; Completed installing Agent software; Latest Status: BALOO, Installed successfully, Completed successfully; Finish).
12. Click Finish.
Editing Admin Account. This option helps you modify the admin account details. You cannot modify these details for individual systems: once set, the account applies to all systems configured for agentless monitoring.
To modify admin account details:
1. Add a system. System Manager disables the Account, Password and Confirm Password fields.
2. Click Edit Account. System Manager displays the warning message box (Figure 298): "This account will be used to access all systems which are configured for agentless monitoring. Please ensure that you configure an account that can access these systems as an administrator."
3. Click OK and make the necessary changes.
Because this single account has administrator access to every agentless-monitored system, treat its credential as highly privileged: whoever obtains it has administrator access to all of those systems.
373. …r Manager. By default the communication happens through port 14505. Suppose you want to configure different ports, 14515 and 14525, for Sys2 and Sys3 respectively; do the following.
Configuring Ports (on computer Sys1):
1. Double-click Manager Configuration on the Control Panel. EventTracker displays the Manager Configuration window (Figure: Purge events from cache older than N days; Alert Events: Max events view limit 500; Enable Alert Notification; Enable Alert Events Cache for Alerts Analysis; Show only Active Alert events in Console; Store only Active Alert events; Enable Remedial Action; Enable SYSLOG receiver, Edit Ports; Suppress Duplicate Alerts; Virtual Collection Points: Multiple processing stacks; Correlation Receiver: Suspicious Network Activity, Send results of all correlation rules to port 14509; Direct Log Archiver: direct log file archiving from external sources; Check for knowledge base updates; Status Website http://kb.prismMicroSys.com; "If ping frequency is set to 0 this feature will be disabled").
2. Select the Multiple processing stacks check box. EventTracker displays the Virtual Collection Points dialog box (Figure 48: Virtual Colle…
374. (Figure: Alerts dashboard top pane; columns Time, User, Source, Event Type, Event Id, System; rows of Information and Warning events from EventTracker with Event Ids 3221, 3222, 3201 and 3243 on WEBDOC1 and SPIDER, one event 2007 on NEMO; "Refreshed 1/13/2010 11:47:21 AM"; "Double click on the graphs to view details".)
System Group: Enterprise system groups are listed in this drop-down list. By default EventTracker selects the ALL option.
Top systems: By default the top 5 systems with the most Alert events are displayed in the top pane. You can select up to the top 20 systems.
Interval: Select the period for which you want to view Alert details.
Refresh: Select the refresh interval for both panes.
Total alerts: View all Alert events that occurred in all monitored systems.
Alert Config: Open the Alert Groups console.
Figure 318: Full View of Graphs.
375. …r removes the selected filter.
4. Click Filter Exception. The filter exception you set earlier remains unaltered.
5. Select the filter exceptions and then click Delete. EventTracker displays the EventTracker Console message box.
6. Click Yes. EventTracker removes the selected filter exception.
It is clear from the above scenario that it is your responsibility to manage Filters and Filter Exceptions together: deleting a filter does not delete the exceptions defined against it. The table below shows how the combination of Filters and Filter Exceptions works.
Filter Y, Filter Exception N: EventTracker filters all matching events from the view.
Filter N, Filter Exception Y: EventTracker allows all events (an exception on its own filters nothing).
Filter Y, Filter Exception Y: EventTracker allows the events matched by the exception and filters the rest.
Filter N, Filter Exception N: EventTracker allows all events.
Viewing and Editing Alert Details. This option helps you locate the alert rule behind an alert event displayed in the Management Console. Right-click an event and select the Show Alert Rule option from the shortcut menu to view the exact alert which caused this event.
Figure 33: Management Console (File, View, Configure, Reports, Tools, Window, Help; toolbar System Manager, EventVault, Log Search, Enterprise Activity; Navigation, Auto Refresh, Dashboard, Correlated Alerts & Incidents; All Computers; Default; All Categories; Al…
376. …racker deletes the selected Collection Master configuration settings.
Viewing CAB Status. This option helps you view the status of the CAB files that are transferred and being transferred by the Collection Point to the Collection Master(s).
To view CAB status:
1. Click Manage CAB on the Collection Point Console. EventTracker displays the Manage CAB console.
Figure 438: Manage CAB console (EventTracker Collection Point Console: File, Configure, Help; Select Criteria: Destination 192.168.1.38, Select CAB Status All; columns CAB Name, Transmission Start Time, Transmission Time In Sec, Destination, Status; rows of CAB files with names of the form etar1239191429 1, transmissions dated 4/6/2009 to 4/9/2009, destination 192.168.1.38, status "Do Not …").
377. …ram Files\Prism Microsystems\EventTracker\Agent\Script. System Manager displays the Caution message box (Figure 182, Remedial Action Configuration): "Caution: This feature permits the execution of scripts on agent systems. Carefully review the risks and benefits before enabling this feature. Click here for more information. Are you sure?" Click Yes to install scripts. Remedial action scripts run on the agent systems themselves, so anyone who can change alert actions on the Manager can cause code to run on every agent that has scripts enabled; enable this only where it is required.
8. Click Next. System Manager displays the Add Agent window (Figure 183, installation path): "Select installation path on the remote machines" (default \Program Files\Prism Microsystems\EventTracker); Selected Systems; use < Back to edit the system list; select Install to proceed; Cancel, < Back, Advanced.
9. To install the agent on a different drive from the default one, type the installation path in the Select installation path on the remote machines field. System Manager displays the EventTracker System Manager message box (Figure 184) if the typed path is not of the recommended number of levels deep. To set a more specific configuration click Advanced, OR click Install to install the Agent.
10. Click Advanced. System Manager displays the Add Agent window (Figure 185): Apply…
378. …raphically or logically dispersed branch offices and generate consolidated audit reports from a centralized location. Collection Point works on a client-server model: the Collection Points (clients) installed at the branch offices periodically send their CAB files to the Collection Master (server) installed at the corporate headquarters. Because the Collection Point model uses TCP as its transport, the Collection Master acknowledges every segment sent by a Collection Point, so data that is damaged, lost, duplicated or delivered out of order by the intervening network is recovered. That guards against transmission faults, not against a tampering adversary; confidentiality and integrity of the data while it traverses the public network are what the encryption mechanism is relied on for. Every Collection Point client can be configured to report to up to five Collection Master servers simultaneously.
Standard Console: Best suited for single-level, flat topologies where all monitored nodes report directly to one or more EventTracker Managers.
Collection Master Console: Best suited for hierarchical topologies. The system designated as Collection Master receives the archive CAB files replicated by Collection Points.
Collection Point Console: Best suited for hierarchical topologies where all monitored nodes report directly to a local EventTracker Manager which, designated as a Collection Point, replicates its archive CAB files to one or more Collection Ma…
379. (Table of contents, continued) …rd Analysis 336; Tracking Enterprise Activity 340; … 340; Chapter 12 Managing Category Groups and Categories 347; Creating Category Groups 348; Adding Categories to a Group 352; Modifying Category Groups 357; Deleting Category Groups 358; Managing Event Categories 358; Creating Event Categories 359; Modifying Categories 365; Deleting Categories 369; Deleting Event Details 369; Adding Categories 370; Chapter 13 Export Import Utility 373; Export and Import 374; … 374; Exporting … 376; Exporting … 377; System Groups 379; Exporting Systems 380; Exporting Scheduled … 382; … 384; … 385; … 387; Importing Alerts 390; … Groups 392.
380. …re event filters.
1. Open the Management Console.
2. Click the Configure menu and select the Filter Events option. EventTracker displays the Filter Events console.
Figure 25: Filter Events ("Events that are of minor significance can be filtered out. The events that meet the configured filter criteria will not be stored. Note: Filtered events are not logged and cannot be analyzed from the Reports Console or seen in the Event History." Columns: Computer, Event Type, Log Type, Source, Category, Event ID, User, Description; buttons Add Filter, Edit Filter, Remove Filter, Filter Exception, OK, Cancel.)
3. Click Add Filter. EventTracker displays the Add Event Filter Parameters dialog box.
Figure 26: Add Event Filter Parameters ("Please take care to enter the correct details for effective results. Event Details: an empty field implies all matches." Fields: Computer, Event Type, Log Type, Match in Source, Category, Event ID, Match in User, Match in Event Descr.) The Match in Event Descr field can take multiple strings separated with & or ||; & stands for an AND condition and || stands for an OR condition. Note: if you want to match on…
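Two rules from the filter material are easy to get wrong in practice: the Match in Event Descr grammar (& for AND, || for OR, a backslash before & or || to match them literally, and a blank field meaning "match anything"), and the way a Filter and a Filter Exception combine (a filtered event is not stored unless an exception matches it). The PowerShell below is an added example written for this page to make both rules concrete; it is not EventTracker's own implementation. Assumptions: AND binds tighter than OR, matching is case-insensitive, Source and User are substring matches as the "Match in" labels suggest, and the sample events are constructed.

```powershell
# Added example, not EventTracker's own code: evaluates the "Match in Event
# Descr" grammar (& = AND, || = OR, \& and \|| for a literal & or ||) and
# shows how a Filter and a Filter Exception combine to decide whether an
# event is stored. Assumptions: AND binds tighter than OR, matching is
# case-insensitive, and the sample events below are constructed.

function Split-MatchExpression {
    # Returns an ArrayList of OR groups; each group is a string[] of AND terms.
    param([string]$Expr)
    $groups  = New-Object System.Collections.ArrayList
    $current = New-Object System.Collections.ArrayList
    $buf     = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $Expr.Length) {
        $rest = $Expr.Substring($i)
        if ($rest.StartsWith('\&'))  { [void]$buf.Append('&');  $i += 2; continue }   # escaped &
        if ($rest.StartsWith('\||')) { [void]$buf.Append('||'); $i += 3; continue }   # escaped ||
        if ($rest.StartsWith('||')) {                                                # OR: close the group
            [void]$current.Add($buf.ToString().Trim()); $buf.Length = 0
            [void]$groups.Add([string[]]($current | Where-Object { $_ }))
            $current = New-Object System.Collections.ArrayList
            $i += 2; continue
        }
        if ($rest.StartsWith('&')) {                                                 # AND: close the term
            [void]$current.Add($buf.ToString().Trim()); $buf.Length = 0
            $i += 1; continue
        }
        [void]$buf.Append($Expr[$i]); $i += 1
    }
    [void]$current.Add($buf.ToString().Trim())
    [void]$groups.Add([string[]]($current | Where-Object { $_ }))
    return ,$groups
}

function Test-DescriptionMatch {
    param([string]$Expr, [string]$Description)
    if ([string]::IsNullOrWhiteSpace($Expr)) { return $true }        # blank field = wildcard
    foreach ($group in (Split-MatchExpression $Expr)) {
        if ($null -eq $group -or $group.Count -eq 0) { continue }
        $allTermsHit = $true
        foreach ($term in $group) {
            if ($Description.IndexOf($term, [System.StringComparison]::OrdinalIgnoreCase) -lt 0) {
                $allTermsHit = $false; break
            }
        }
        if ($allTermsHit) { return $true }                            # one OR group satisfied
    }
    return $false
}

function Test-FieldMatch {
    param($RuleValue, $EventValue, [switch]$Substring)
    if ($null -eq $RuleValue -or "$RuleValue".Trim() -eq '') { return $true }   # empty field implies all matches
    if ($Substring) { return ("$EventValue".IndexOf("$RuleValue", [System.StringComparison]::OrdinalIgnoreCase) -ge 0) }
    return ("$EventValue" -eq "$RuleValue")                          # -eq on strings is case-insensitive
}

function Test-RuleMatch {
    param([hashtable]$Rule, [hashtable]$Event)
    foreach ($field in $Rule.Keys) {
        $ruleValue = $Rule[$field]; $eventValue = $Event[$field]
        if ($field -eq 'Description')            { $hit = Test-DescriptionMatch $ruleValue "$eventValue" }
        elseif ($field -in @('Source', 'User'))  { $hit = Test-FieldMatch $ruleValue $eventValue -Substring }  # "Match in Source/User"
        else                                     { $hit = Test-FieldMatch $ruleValue $eventValue }
        if (-not $hit) { return $false }
    }
    return $true
}

function Test-EventStored {
    # Filtered events are not stored unless a Filter Exception matches them.
    param([hashtable]$Event, [hashtable[]]$Filters, [hashtable[]]$Exceptions)
    foreach ($f in $Filters) {
        if (Test-RuleMatch -Rule $f -Event $Event) {
            foreach ($x in $Exceptions) { if (Test-RuleMatch -Rule $x -Event $Event) { return $true } }
            return $false
        }
    }
    return $true
}

$events = @(    # constructed sample events, not taken from the guide
    @{ Computer='WEBDOC1'; EventType='Information';  LogType='Application'; Source='EventTracker'; EventId=3221; User='deepak'; Description='App Close Exe: notepad.exe' },
    @{ Computer='WEBDOC1'; EventType='Information';  LogType='Application'; Source='EventTracker'; EventId=3222; User='deepak'; Description='Detected Service PostgreSQL Server 8.3 is not running' },
    @{ Computer='SPIDER';  EventType='Audit Failure'; LogType='Security';    Source='Security';     EventId=529;  User='admin';  Description='Logon Failure: Unknown user name or bad password' }
)
$filters    = @( @{ EventType='Information'; Source='EventTracker' } )   # drop routine agent chatter...
$exceptions = @( @{ Description='not running || stopped' } )            # ...but keep service-down events

foreach ($e in $events) {
    $tag = if (Test-EventStored -Event $e -Filters $filters -Exceptions $exceptions) { 'STORED' } else { 'DROPPED' }
    '{0,-7} {1,-8} {2,-14} {3}' -f $tag, $e.Computer, $e.EventType, $e.Description
}
```

With these rules the notepad "App Close Exe" event is dropped, the PostgreSQL "not running" event survives only because of the exception, and the Audit Failure on SPIDER is never touched by the filter. Running a candidate filter and its exceptions over a sample of real events this way, before saving them in the Filter Events console, is the cheap check against silently discarding events you cannot get back.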
381. …ree … "Refreshed 1/8/2010 11:01:40 AM. Double click on the graphs to view details." EventTracker highlights the Audit Failure events in red.
Figure 324: Alerts Dashboard, bottom pane (columns Time, Source, Description; rows from the figure: EventTracker "App Close Exe" events for MSTSC.EXE, OUTLOOK.EXE, Explorer.EXE, SmcGui.exe, notepad.exe, taskmgr.exe and iexplore.exe with their PIDs; an EventTracker "Detected Service PostgreSQL Server 8.3 is not running" event; a Security "A process has exited, Process ID 1224, Image File Name C:\WINNT\system32\…" event).
382. …ror have been added exclusively for the Collection Point model. You can configure those Alerts in the Alert Groups console to send you notifications. It is not possible to get alert notification for Collection Master related errors on a Collection Point, and vice versa.
To configure Alerts:
1. Open the EventTracker Management Console.
2. Click the Configure menu and select the Configure Alerts option. EventTracker displays the Alert Groups console.
Figure 428: Alert Groups console (EventTracker Console; Edit, Delete, Save. "Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action." Columns: Forward as SNMP, Forward as SYSLOG, RSS Notification, Console side remedial action; every alert row, for example Administrative log on, shows No in each column until configured.)
383. (Figure: list of archive folders, each of the form C:\Program Files\Prism Microsystems\EventTracker\Archives\14505.) Number of E…
384. …rts, RSS Feeds; Import; Close.
8. Click Import. EventTracker displays the Export Import Utility message box (Figure 374, Import Category message box): "Successfully imported category/categories from file C:\Program Files\Prism Microsystems\EventTracker\SolarisBSM.iscat. To view the imported categories please go to Reports > Categories."
9. Click OK.
Importing Filters. To import Filters:
1. Open the Export Import Utility.
2. Click the Import tab.
3. Select the Filters option on the Import tab. EventTracker displays the Export Import Utility (Figure 375: "1. Provide the path & file name of the filters file. Use the browse button to locate the import file. 2. Click the Import button." Options: Category, Filters, Alerts, Systems, Scheduled Reports, RSS Feeds; Source; Import.)
4. Click the browse button located adjacent to the Source field. EventTracker displays the Select isfil File dialog box.
5. Navigate and locate the filters file you want to import.
6. Click Open. EventTracker displays the Import tab on the Export Import Utility (Figure 376).
Because imported filters take effect on what is stored, review the contents of a filters file before importing it.
385. …s. For more information refer to http://www.prismmicrosys.com/resources/documents/VCP.pdf.
Virtual Collection Points for Syslogs. The EventTracker Receiver can be configured to listen on 20 ports (10 UDP and 10 TCP) for Unix, Linux and Solaris syslogs.
Configuring EventTracker Receiver Ports. This option helps you configure the EventTracker Receiver to listen on different ports. To configure virtual collection points for syslogs:
1. The Enable SYSLOG receiver check box is checked by default. Click Edit Ports. EventTracker displays the Virtual Collection Points for Syslogs window.
Figure 44: Virtual Collection Points for Syslogs ("Up to 10 collection groups can be configured, each using a different port." Columns: Port Number, Description, Syslog Raw Forward; default row: All Syslog Systems, UDP; buttons Add, Edit, Remove.) Table 16: Add adds UDP/TCP ports; Remove removes ports.
2. Click Add. EventTracker displays the Syslog Receiver Port window.
Figure 45: Syslog Receiver Port (Port Number; Description; Raw Syslog Forward: select a destination and port to which all the incoming events will b…
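Once a receiver port has been added, the natural check is to send one syslog message to it and confirm that the message shows up in the console under the sending system. The function below is an added example written for this page, not part of the EventTracker guide or product; it builds a minimal RFC 3164-style line and sends it over UDP or TCP. The Manager address and the TCP port number are constructed values; 514 is the conventional syslog port.

```powershell
# Added example (not EventTracker code): send a test syslog message to a
# receiver port configured in the Virtual Collection Points for Syslogs
# window, to confirm the port is listening. $Manager and the port numbers
# used at the bottom are constructed values.
function Send-TestSyslog {
    param(
        [Parameter(Mandatory)][string]$Manager,
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('UDP', 'TCP')][string]$Protocol = 'UDP',
        [string]$Message = 'EventTracker VCP test message'
    )
    $facility = 1; $severity = 5                         # user-level, notice
    $pri       = $facility * 8 + $severity               # PRI field: <13>
    $timestamp = (Get-Date).ToString('MMM dd HH:mm:ss')  # RFC 3164 timestamp (day zero-padded here)
    $line      = "<$pri>$timestamp $env:COMPUTERNAME vcptest: $Message"
    $bytes     = [System.Text.Encoding]::ASCII.GetBytes($line)

    if ($Protocol -eq 'UDP') {
        $udp = New-Object System.Net.Sockets.UdpClient
        try     { [void]$udp.Send($bytes, $bytes.Length, $Manager, $Port) }
        finally { $udp.Close() }
    } else {
        # TCP syslog: one record per line, so terminate with a newline
        $tcp = New-Object System.Net.Sockets.TcpClient($Manager, $Port)
        try {
            $stream = $tcp.GetStream()
            $stream.Write($bytes, 0, $bytes.Length)
            $stream.Write([byte[]](10), 0, 1)
            $stream.Flush()
        } finally { $tcp.Close() }
    }
    return $line   # the exact text to look for in the console
}

# constructed values: use the ports you added in the Syslog Receiver Port window
Send-TestSyslog -Manager '192.168.1.38' -Port 514  -Protocol UDP
Send-TestSyslog -Manager '192.168.1.38' -Port 1514 -Protocol TCP
```

If the UDP message never appears, the usual causes are the Windows Firewall on the Manager not allowing the new port or the Receiver not having been restarted after the port was added; a TCP send fails immediately with a connection error in those cases, which is why the TCP test is the more informative of the two. Note also that syslog over UDP carries no authentication: any host that can reach the receiver port can inject events, so restrict reachability of these ports at the network level.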
386. …s Event Log but by the ETW consumer that creates them. Channels defined by event publishers are identified by a name and should be based on the publisher name.
Event Consumers in Windows Event Log. Event consumers are entities that receive events from a computer. Windows Event Viewer (EventVwr.exe) is an event consumer that displays event information from a variety of specified event logs. There are two types of Windows Event Log consumers: Subscribers, applications that receive event notifications as they are received by Windows Event Log; and Event log readers, applications that query logged events. For more details, see the Microsoft Web site.
Prerequisites. The following are the mandatory settings you must make on Vista systems before you deploy the Vista Agent:
1. By default the Startup Type of the Remote Registry service is Manual. Change the Startup Type to Automatic and start the service.
2. Enable File and Printer Sharing.
3. Turn on and enable Network Discovery.
4. To configure the Vista agent remotely on a Vista system, add port 14506/TCP to the Firewall Exceptions.
5. The user must be a domain administrator (a member of Domain Admins) or must be added to the local Administrators group on the Vista system where the agent has to be deployed.
Installing/Uninstalling Vista Agent. The installation and uninstallation procedure for the Vista Agent is identical to the procedures f…
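The five prerequisites above can be applied from an elevated PowerShell prompt on the Vista system instead of clicking through the Services, Network and Sharing Center and Firewall dialogs. The script below is an added example written for this page, not part of the EventTracker guide or product. It assumes the Manager address and the deploying account shown are placeholders; scoping the 14506/TCP exception to the Manager's address is this example's hardening, not a step the guide prescribes.

```powershell
# Added example (not EventTracker code): apply the Vista Agent prerequisites
# from an elevated PowerShell prompt on the Vista system.
# Assumptions: $managerIp is the EventTracker Manager's address and $deployer
# is the account that will push the agent; both are constructed values.
$managerIp = '192.168.1.38'
$deployer  = 'CORP\etadmin'

# 1. Remote Registry: Startup Type Automatic, and running
Set-Service  -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

# 2. File and Printer Sharing and 3. Network Discovery are firewall rule groups
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

# 4. 14506/TCP for remote agent configuration; limited to the Manager rather
#    than opened to every host (the guide only says "add to Firewall Exceptions")
netsh advfirewall firewall add rule name="EventTracker Agent 14506/TCP" dir=in action=allow protocol=TCP localport=14506 "remoteip=$managerIp"

# 5. the deploying account must be a Domain Admin or a local administrator here
if (-not ((net localgroup Administrators) -contains $deployer)) {
    net localgroup Administrators $deployer /add
}

# Verification: service state and the new rule
Get-Service -Name RemoteRegistry | Select-Object Name, Status
netsh advfirewall firewall show rule name="EventTracker Agent 14506/TCP"
```

Steps 2 and 3 enable rule groups that open more than the agent itself needs (SMB and the discovery protocols), which is why the agent's own port is the one worth scoping to the Manager; if the Manager's address changes, the rule has to be updated or the remote configuration push fails with a timeout.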
387. …s\EventTracker\Archives\14505, C:\Program Files\Prism Microsystems\EventTracker\Archives\14509 and C:\Program Files\Prism Microsystems\EventTracker\Archives\514.
4. Copy the folders 14505, 14509 and 514 and paste them into the new Archives folder. The result should be D:\Archives\14505, D:\Archives\14509 and D:\Archives\514.
5. Double-click Maintenance Tools on the Control Panel.
6. Double-click Archive Indexer. EventTracker displays the Archive Indexer (Figure 407: Specify Event Archive Folder; Source WEBDOC1; Collection Point / Master; Archive Path C:\Program Files\Prism Microsystems\EventTracker\Archives).
7. Select the Source as your Collection Master system.
8. Click the browse button and select the new Archives folder (Figure 408: Archive Path D:\Archives; Create Index; Close).
9. Click Create Index. Archive Indexer creates the index file etwarindex.mdb in the new Archives folder.
10. Open the EventVault Warehouse Manager console and select the Archives folder in the Configuration window (example: D:\Archives).
11. Restart the EventTracker services.
Keep the original Archives folder until the re-indexed copy has been verified.
Caution: Do not disturb the Collection Point CAB files. To move Collection Point CAB files you have to merge the Collection Points. I…
388. (Figure: System Manager; menus …s, Help; Options menu: Configure Agents, Search Computers, Create Group, Delete Group, Add System, Remove System, Upgrade Agent; Computer Groups: SUPPORT, Enterprise, Domain Groups; columns Computer, Type, Description, System Status; rows PNPL-1-SUP / Windows 2000 Professional / none / Unmanaged, PNPL-2-SUP / Windows XP / Support Brahma / Unmanaged, PNPL-3-SUP / Windows 2003 Server / Support Team … / Unmanaged, SUPPSERVER / Windows / Support Server / Unmanaged; Manual, 53 Systems; shortcut menu: Details, Edit, Add System, Remove System, Upgrade Agent; "Displaying Windows Systems".)
From the shortcut menu choose Edit. System Manager displays the Edit Group window (Figure 142: Group SUPPORT; Description Enterprise Domain; Available Systems list and Group Members list, with the group members PNPL-1-SUP, PNPL-2-SUP, PNPL-3-SUP and SUPPSERVER).
Select the system from the Group Members list and then click < Remove. System Manager displays the Edit Group window (Figure 143).
389. …s SYSLOG, RSS Notification, Console side remedial action (No or Yes per alert). Alerts listed include: ISA Server Network communication devi…; ISA Server Out of Band attack detected; ISA Server Ping attack detected; ISA Server Port scan detected on a well…; ISA Server Spoof attack detected; ISA Server UDP attack detected; McAfee VirusScan Enterprise Update failed; MSExchange ADC service stopped; MSExchange Database maximum size is…; MSExchange IS Service cannot be started; MSExchange Log disk is full; MSExchange Server cannot handle influx…; MSExchange Unable to start Microsoft E…; My Alert; Netscreen Authentication failure; Netscreen IDS intrusion detection; Netscreen Security device error; Netscreen Spam found; Netscreen System configuration erased; Netscreen USB storage device attached; Oracle Ports; Spoof sites; RSS Alert; Runaway CPU process (a process consu…); Runaway memory process (process is t…); Session setup authentication failed; Software uninstalled from a system; SOX CISCO PIX Authentication failure; SOX CISCO IDS intrusion detection; SOX EventTracker Eventlog full; SOX EventTracker EXE tracking; Solaris BSM Failed local logon/logoff; Solaris BSM SU failure.
390. ...significantly greater capability over manual log monitoring.
Pros:
- Filters are applied locally. This minimizes network traffic, as uninteresting events can be discarded with no further drain on resources.
- The local agent survives in the face of network failure. If the Guaranteed Delivery mode (GED) is used, events are cached and recovered when the network recovers.
- Real-time notification. The agent immediately forwards new local event log entries to the Console. Critical events relating to security, uptime etc. usually require immediate alerts.
- Performance monitoring. The agent is capable of detecting excessive CPU, disk or memory usage and reporting when user-defined thresholds are crossed.
- Application monitoring. The agent is capable of detecting and reporting the start/stop of applications. This can be used to comply with licensing requirements or for usage tracking.
- Native backup of event logs. The agent is capable of detecting when the event log is full, backing up the native .evt file to a configured location and resetting the log. Some installations require the original files (XP and 2003).
- Software install/removal monitoring. The agent can detect and report the installation or removal of software from the target machine.
- Topology. The agent needs only a TCP/IP network to communicate with the Console. In particular, the Console is not required to be in the same Windows Active
391. ...the RSS feed URL: http://<this server>/eventrss.xml/EntFeed/<feed name>.xml
To subscribe to these feeds, point your RSS reader to the URL shown above. Replace <this server> with the name or IP address of this server and <feed name> with the name of the RSS feed. To know more about RSS feeds, please click here.
6. Type the URL in the address bar of the browser as advised on the RSS Feeds window.
[Figure 106 RSS Feeds Web page: EventTracker Enterprise Feed SummRpt opened in Internet Explorer, with the browser's Subscribe to this feed option]
You need to have IE v7.0 or above to subscribe to RSS feeds. You can also add the feed links to an RSS reader.
7. Click Close on the RSS Feeds window.
392. ...use the EventTracker Agent Management Tool.
Deploying Windows Agents in Command-line mode
The advantages of Agent deployment through command-line mode are as follows:
- You can specify the system name or IP address and installation path by providing appropriate command-line arguments to the Agent Manager application.
- You can create a text file listing the system names or IP addresses where you want to install or uninstall the Agents. This multiple Agent installation and uninstallation is performed in silent mode, i.e. without displaying any user interface.
The Agent Installer runs on the EventTracker Console and requires Domain Admin privileges. It can only be used to deploy EventTracker Agents to monitor Windows machines within the same or a trusted domain.
Command-line parameters: The Agent Manager application has the following command-line parameters:
Agentinstaller.exe 1 N <Sys Name> or F <filename> P <Install path>
Table 54 Command-line parameters: to install the Agent; to uninstall the Agent; the name or IP address of the system; the filename supplied in place of <filename>, containing the system list; the installation path for the Agent.
Examples: 1. To install an Agent in system
393. ...an audited security access attempt that succeeds. For example, a user's successful attempt to log on to the system will be logged as a Success Audit event. Failure Audit: an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.
Windows event logs:
Application log (AppEvent.evt): records events as determined by each software vendor. All Windows systems.
Security log (SecEvent.evt): records events based on how audit policy is configured. All Windows systems.
System log (SysEvent.evt): records events for Windows operating system components. All Windows systems.
Directory Service log (NTDS.evt): records events for Active Directory. Domain controllers only.
DNS Server log (DnsEvent.evt): records events for DNS servers and name resolution. DNS servers only.
File Replication Service log (NtFrs.evt): records events for domain controller replication. Domain controllers only.
If you leave a field blank, EventTracker assumes a wildcard match for that field. For example, leaving the user field blank implies that any value in that field is acceptable.
4. Type appropriately in the relevant fields.
[Figure 27 Add Event Filter Parameters]
Please take care to enter the correct details for effect
394. ...Ensuring that appropriate permission is set on sensitive data is one side of the data security coin. The other is the process of auditing who is using the permissioned resources, and when. There are times when it is important to know who the last person was to use their authorized access to a resource. It is just as important to know if someone is trying to access a resource that he or she does not have access to. Take the example of a spreadsheet containing salary information. Mary Hart works in human resources and is authorized to access this information. Each time she accesses the file, if auditing is enabled, this access will be recorded in the Windows Event Logs as a successful access. On the other hand, George Hogan is an employee in the mailroom with some time on his hands. He spends this time browsing the network. Since he is part of the company's Administration Department, he has visibility of the department's shared files. He may be able to see a folder called Payroll Info; when he tries to access this folder, however, he will receive the message Access Denied. The fact that he unsuccessfully tried to access this folder will also be recorded in the Event Logs as a failed file access. The event log information described above is another distributed data source. Each file server maintains its own store of information on who accessed what file on that server, and when. The challenge is to consolidate this informa
395. ...the service runs. Account: system. Select Systems: WEBDOC1; Select All.
5. Select the system for which you want to apply the changes in the logon account, OR select the Select All check box to select all the systems in the list.
6. Click Finish. System Manager displays the Status dialog box.
[Figure 211 Client Service Logon Status: "EventTracker Client Service logon account successfully changed for the following systems" / "EventTracker Client Service logon account could not be changed for the following systems", with View Log and Close buttons]
7. Click View Log to view the log. System Manager displays the log information in Notepad.
8. Click Close.
Generating System Report
System Report helps you keep track of Managed and Unmanaged systems. A Filter option is provided to view the ports used by Managed systems.
To generate a system report:
1. Open the System Manager.
2. Click the View menu and then select the System Report option. System Manager displays the System Report console.
[Figure 212 System Report: Show only System Status (Managed, Unmanaged, All); Select by Group or Port Number; System Type]
EventTracker disables the Port Number
396. ...cases the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot.
Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report.
Audit Logs access report: HIPAA requirement 164.308 (3), review and audit access logs, calls for procedures to regularly review records of information system activity, such as audit logs.
Appendix: SOX (Sarbanes-Oxley) Compliance Reports
Section 404 of the Sarbanes-Oxley (SOX) Act describes specific regulations requiring publicly traded companies to document management's assessment of internal controls over security processes. The standard requires that a security management process must exist in order to protect against attempted or successful unauthorized access, use, disclosure, modification or interference with system operations. In other words, being able to monitor, report and alert on attempted or successful access to systems and applications that contain sensitive financial information. ELC provides the following reports to help comply with the SOX regulations:
User Logoff report: SOX requirements Sec 302 (4) and (D) state that user accesses to the system be recorded and monitored for possible abuse.
User Logon report: SOX requirements Sec 302 (4)
397. ...side. You execute these actions only on Windows systems where agents are deployed. You cannot execute these actions on *NIX systems where Agent-less monitoring is deployed.
Remedial action at EventTracker Agent
23. Select the type of action and type the appropriate information in the displayed dialog boxes.
24. Click OK. EventTracker displays the Alert Groups console with the newly added Alert Group.
[Figure 66 Alert Groups: "Proactive notification of events meeting certain criteria can be configured. Notifications include a combination of Beep, E-mail, Messages or any other Custom Action." Columns: Forward as SNMP, Forward as SYSLOG, RSS Notification, Console side remediation; alert names include Excessive user lockout in your enterprise, File Replication Service staging area full, Group policy processing error, High CPU utilization, IIS Logging shutdown, IIS Server stopped, IIS World Wide Web service terminated, and the ISA Server attack-detection alerts (port scan, Winsock application, failed service start, Land, network communication device, Out of Band, Ping, Spoof, UDP at
398. ...processes will be monitored.
To configure the processes to monitor:
1. Open the Agent Configuration window.
2. Select the system from the Select Systems drop-down list.
3. Click the Processes tab. EventTracker displays the Processes tab.
[Figure 278 Agent Configuration window, Processes tab: "By default all processes will be monitored for CPU and Memory threshold limits. You can also filter out processes that need not be monitored. To stop all process monitoring, unselect that parameter." List of Filtered Processes with Add and Remove buttons; CPU Performance and Memory Usage check boxes]
Table 51: CPU Performance ...
Click Add. EventTracker displays the EventTracker Agent Configuration dialog box. Type the process name in the Enter Process Name field. Click OK. EventTracker adds the process to the List of Filtered Processes. Click Save on the Agent Configuration window. EventTracker generates the process
399. [Figure residue: Collection Point transmission status list with columns Transmission, Start Time, Transmission Sec and Status; every listed CAB transmission shows the status Send]
400. Adding Systems for Agent-less ... 304
Editing ... 310
Chapter 10 EventVault Warehouse Manager
EventTracker Scheduler service 313
EventTracker Scheduler service - Collection Master Console 314
EventTracker Scheduler service - Collection Point Console 314
Viewing CABs 314
Configuring EventVault 315
Backing up EventVault data 317
Saving EventBox Metadata 319
Verifying EventBox Integrity 320
Extracting EventBox Data 321
Deleting EventBox 321
Moving CABs 322
Appending CAB files 323
Chapter 11 Analysis 330
EventTracker Log Search 331
Event Traffic Analysis 331
Analysis by Category 332
Correlating Events 333
Analysis View by Event Id 333
Traffic Analysis View by Custom ... 335
Traffic Analysis Keywo
401. ...list will always override it.
[Figure: Exclude List with columns Local Address, Remote Address, Remote Port and Process; example entries LISTEN localhost and ESTAB WEBDOC; Edit and Delete buttons]
8. To modify the network connection details, click Edit. Type the information in the Network Connection Details window and then click OK.
9. To delete the network connection details, select the network connection details you want to delete from the list and then click Delete.
10. Click Close on the Exclude List dialog box.
11. Click Save on the Agent Configuration window.
Including Network Connections for monitoring
To configure network connections to monitor:
1. Open the Agent Configuration dialog box.
2. Select the system from the Select Systems drop-down list.
3. Click the Network Connection Monitor tab. EventTracker displays the Network Connection Monitor tab.
4. Select the appropriate check boxes.
5. Click Include List. EventTracker displays the Include List dialog box.
[Figure 270 Include List window: "List of connections that will always be monitored. This is the opposite of the exclude list." Option: Monitor only the ports that are in this list; columns Local Address, Local Port; example state CLOSED]
6. Select the Monitor only the ports that are in this list option to monitor only the ports in the list, and then click Close.
7. To add more Network Connection details, click New
402. ...install the Agent. Click Add >. The selected computer is added to the Selected Computers list. Click Add All >> to install the Agents on all the computers in the selected group.
Selected Computers: Select a computer and then click < Remove. The selected computer is removed from the list. Click << Remove All to remove all the computers from the list.
3. Select the systems.
4. Click Next >.
[Figure 180 Add Agent: "Select system to be monitored for events." All Computers list (ELC, ELA, ESCHTEST, GARFIELD, MICKEY) with Add >, Add All >>, < Remove and << Remove All buttons]
5. Click Next >.
[Figure 181 Add Agent, Agent Type: "Please select the type below." Agent based (Full featured), with Install Remedial Action scripts check box; Agentless (limited features). "The following features will not be applicable for agent-less: Log file monitoring; Guaranteed Event Delivery; System monitoring (CPU, Disk, Memory); Process monitoring (Memory); Network Connection Monitoring; Application monitoring; Software Install / Uninstall; Service Monitoring." Cancel and < Back buttons]
6. Select the Agent based (Full featured) option. Select the Install Remedial Action scripts check box to install the scripts in the EventTracker install directory, typically Prog
403. ...sters. The Collection Point model is best suited for organizations having multiple sites. The sites may be geographically spread across the globe, or exist in the same precinct but with a robust setup.
Real world scenarios
[Figure 395 Scenario 1: Corporate Headquarters hosts the Collection Master; Site 1, Site 2 ... Site n each have a Collection Point with agents ETA1, ETA2 ... ETAn reporting to it]
In the above depicted scenario, all the Collection Points (clients) send their respective CAB files periodically to the Collection Master server at the corporate headquarters.
[Figure 396 Scenario 2: Corporate Headquarters hosts the Collection Master with its own agents ETA1, ETA2 ... ETAn; Site 1, Site 2 ... each have a Collection Point with managers ETM1, ETM2 ... ETMn and agents ETA1, ETA2 ... ETAn]
404. ...consists of shortcuts that help you to quickly access EventTracker components. To open an application, either double-click it OR select it and press ENTER on your keyboard.
[Figure 3 Control Panel (Collection Master): shortcuts for Enterprise Activity, Alerts Dashboard, Event Monitoring, Log Search, Reports Console, System Manager, Collection Master, Manager Configuration, Agent Configuration, Event Knowledge Base, EventVault Warehouse Manager, Maintenance Tools, Diagnostics, About EventTracker, EventTracker Plugins Download, EventTracker Web Interface and E-mail support]
[Figure 4 Control Panel (Collection Point): the same shortcuts, with Collection Point in place of Collection Master]
[Figure 5 Control Panel (Standard): EventTracker Control Panel, Standard
405. [Figure: Event Monitoring category tree listing EventTracker categories such as Custom column config change, Direct log archiver, Disk space low, Eventlog full, EXE tracking, Initial user network logon, Logfile monitor, Network connections, New enterprise activity found, Out of ordinary activity found, Ping status, Published reports cleanup, Remedial action, Report Analysis config change, Runaway processes, Scheduled reports status, Service changes, Software install/uninstall, Suspicious network connections, Truncated description; status bar: Total Categories 850, Total Events 2, Selected Event 1, Rows 500]
2. Click Refresh to view recent events. If the initial search returns no matching records, EventTracker displays the EventTracker Console message box.
[Figure 22 EventTracker Console message box: "Initial search found no matches for All altiris deployment solution events. Search farther back?"]
3. Click Yes to continue. If EventTracker does not find any events, it displays the EventTracker Console dialog box with an appropriate message.
406. ...Severity: Critical. Event Details: Event Filter, Category, Log Type, Event ID, Source, User, Match in Event Description, Event Description Exception.
The Match in Event Descr field can take multiple strings separated with && (which stands for the AND condition) or with the OR separator (which stands for the OR condition). If you want to make a match on any of the special characters like \r, \n etc., then in the search string prefix this character with a backslash. For more information, click here.
More information: Error events usually indicate that correct operation of the system or program has been affected adversely.
Type appropriately in the relevant fields. Example: Log Type Application. Click OK. EventTracker displays the Confirmation message box: "Modifications done to category will affect all the category groups where this category exists. Are you sure you want to save the changes?"
6. Click Yes.
[Figure 72 EventTracker Console message box; Figure 73 Manage Categories console]
EventTracker displays the EventTracker Console message box if there is a disparity between Severity and Event Type: "You have selected Severity as Clear for Error Event type. This is generally not recom
407. Index:
Event Details, deleting 369
Event Traffic Analysis 331; by category 332; correlate 333; custom 335; by event id 333
Event-O-Meter 27
EventTracker: about 14; control panel 20; icon 28; management console 25; services and ports 16; ... 18
EventTracker Components: EventVault Warehouse Manager 35; Knowledge Base 37; System Manager 33
EventVault: appending CABs 323; backing up 317; configuring 315; deleting EventBox 321; extracting EventBox 321; moving CABs 322; saving EventBox information 319; verifying EventBox integrity 320; viewing CABs 314
Export: Alerts 377; Categories 374; Scheduled reports 382
Filtering Events: advanced filters 228
Filtering events from view 43; configure event filters 44; deleting event filters 51
408. [Figure: Edit Group window, Group SUPPORT, Description Enterprise Domain, with Available Systems and Group Members lists, < Remove, Save and Cancel buttons]
7. Click Save. System Manager removes the selected system and displays the System Manager.
[Figure: EventTracker System Manager, group SUPPORT (Enterprise Domain), displaying Windows systems]
8. To remove the system from all the groups, right-click Groups in the left pane.
[Figure: EventTracker System Manager, All Domain Computers, with the Groups shortcut menu (Details, Edit, Add System, Remove System, Upgrade Agent)]
409. ...at the Manager Console. Otherwise you cannot execute remedial action at the Agent systems.
To configure remedial action:
1. Open the Management Console.
2. Click the Configure menu and then select the Configure Manager option. EventTracker displays the Manager Configuration window.
3. Select the Enable Remedial Action check box. EventTracker displays the Caution dialog box.
[Figure 53 Remedial Action Configuration: "Caution: This feature permits the execution of scripts on agent systems. Carefully review the risks and benefits before enabling this feature. Click here for more information. Are you sure?"]
4. Click Yes.
5. Click OK on the Manager Configuration window. EventTracker displays a confirmation dialog box to save the changes.
6. Click Yes.
Suppressing Duplicate Alerts
What does Duplicate Alert Suppression mean? EventTracker provides the facility of generating user-configurable alerts for events received by EventTracker. This feature is very useful in case the user is not always available at the Manager Console. If multiple instances of an event with a configured alert are received in a short period of time, a large number of alerts will be generated, which could confuse the user. The Duplicate Alert Suppression feature handles such a deluge of alerts by suppressing a
410. [Figure residue: Enterprise Activity list of EventTracker App Open and App Close events for WINWORD.EXE (Microsoft Office XP / 2003), Acrobat.exe (Adobe Acrobat), MSTSC.EXE and OUTLOOK.EXE with their PIDs, plus an EventTracker New activity found entry for system SUPPSERVER]
411. ...in Manual Mode you have to add them explicitly. This section helps you add computer(s) when the System Manager is in Manual Mode.
Adding a single computer
This option enables you to add a computer. To add a single computer:
1. Open the System Manager.
2. Click the File menu and select the Find/Add Computer(s) option, OR click Search Computers on the toolbar, OR press F while holding the Ctrl key on your keyboard. System Manager displays the Add Computer(s) dialog box.
[Figure 124 Add Computer(s): "Do you want to: Add a single Computer (by name or IP address); Add a group of Computers from available Domains; Add Computers belonging to an IP subnet"]
Table 30:
Add a single Computer (by name or IP address): Select this option to add a single computer.
Add a group of Computers from available Domains: Select this option to add a group of computers.
Add Computers belonging to an IP subnet: Select this option to add computers from an IP subnet.
3. Click the Add a single Computer (by name or IP address) option.
4. Click Next >. System Manager displays the EventTracker System Manager dialog box.
[Figure 125 Add Computer(s), Add a single computer: "Enter Computer name or IP address"; Cancel]
412. ...event in the list and click Edit. Modify the details in the Event Details dialog box and then click OK.
9. To delete the settings, select the event in the list and click Delete.
10. Click Close on the Advanced Filters dialog box. The filter is set, and specific events matching the filter criteria will not be forwarded to the EventTracker Manager. All Error events will be forwarded to the Manager except the events matching the filter criteria set.
11. Click Save on the Agent Configuration window.
You can apply the current settings to other specified Agents. For more information, refer to Applying Configuration Settings to Specified Agents on page 285.
Enabling SID Translation
This option helps you enable SID translation. To enable SID translation:
1. Open the Agent Configuration window.
2. Select the system from the Select Systems drop-down list.
3. Click the Event Filters tab.
4. Select the Enable SID Translation check box. EventTracker displays the EventTracker Agent Configuration message box.
[Figure 227 EventTracker Agent Configuration message box: "Caution: This is an advanced feature of the EventTracker Agent. Please refer to the document SID translate.pdf in the install folder for detailed instructions. Improper usage can cause a flood of audit events within your network."]
5. C
413. ...EventTracker installation folder.
Enable High Performance mode: Select this check box to switch the Agent modes.
Filter Exception: Click this button to set the filter exceptions for the specific events that you want to monitor.
Advanced Filters: Click this button to set the filters for the specific events that you do not want to monitor.
4. Select appropriately in the relevant fields. EventTracker displays the Event Filters tab with the newly added filter.
[Figure 221 Agent Configuration window, Event Filters tab: "You can choose to filter out events that are not required. If the filter is set, all events matching the filter will not be sent to the EventTracker Manager. You can also configure advanced filter options such as to send only specific events or choose to filter out specific events." Basic Logs: System, Security, Application; Special Logs: DNS Server, File Replication, Directory Service; Event Types: Error, Warning, Information, Audit
414. [Figure residue: continuation of the Alert Groups list (McAfee VirusScan Enterprise, MSExchange, My Alert and Netscreen alerts) with every notification column set to No]
415. ...systems. To: 2/22/2010 2:50:10 PM.
Type appropriately in the relevant fields. Select the systems. Click Analyze. EventTracker displays the report in Notepad.
Traffic Analysis: Keyword Analysis
This option helps to analyze traffic by keywords. To analyze event traffic by keywords:
1. Open the Management Console.
2. Click the Tools menu and select the Traffic Analyzer option.
3. Select the Keywords Analysis option.
[Figure 316 Traffic Analyzer: "Analyze the event traffic pattern being logged. It is recommended that you use this data to filter out relevant events and perform other operational tasks." Select Criteria: View by Category, View by Event Id, Keywords Analysis (Contains All, Specific words, Exclude following words; Add, Edit, Remove); Select Time Range; Select Systems (All Systems, Specific Systems)]
Keywords Analysis: Helps to analyze events by keywords.
Contains All: Analyze logs that contain all keywords specified.
416. ...tenance Tools on the Control Panel. Double-click Import and Export Utility. EventTracker displays the Export Import Utility. 3. Click the Import tab. EventTracker displays the Import tab of the Export Import Utility.
Figure 372: Export Import Utility window, Import tab. Dialog text: "1. Provide the path & file name of the categories. Use the button to browse & locate the import file. 2. Click the Import button." Options: Category, Filters, Alerts, Source, Groups, Systems, Scheduled Reports, RSS Feeds; Import.
4. The Category option is selected by default. 5. Click the browse button located adjacent to the Source field. EventTracker displays the Select iscat File dialog box. 6. Navigate to and locate the category file you want to import. Click Open. EventTracker displays the Import tab of the Export Import Utility.
Figure 373: Export Import Utility window, Import Category. Same dialog, with the Source field set to C:\Program Files\Prism Microsystems\EventTracker\...
417. ...ter's Latest Status: Managed, Standard Mode. 5. Click Next >.
Figure 198: Upgrade Remote Agent(s). Dialog text: "Select the method of upgrade. Choose the Upgrade Over IP option to upgrade an agent which is outside the domain." Upgrade Method: Windows Domain Network / Upgrade Over IP (Non Windows Domain); Install default Remedial Action on this system.
Table 37: Upgrade Method
- Windows Domain Network: Select this option if all systems to be upgraded can be reached over the Windows Network and you have administrative privileges on all these systems.
- Upgrade Over IP (Non Windows Domain): Select this option if all systems to be upgraded can be reached only via IP and not by the Microsoft Network.
- Install default Remedial Action EXEs on this system: Select this check box to install remedial executables on this system.
6. Click the appropriate Upgrade Method. 7. Click Upgrade. System Manager displays the Login dialog box.
Figure 199: Upgrade Agent(s) Login. Dialog text: "Please provide an account with sufficient privileges to access the network. Usually a Domain Admin account is required. Please enter the account name in DOMAIN\USER format." Account; Password. 8. Type v...
418. ...Enterprise Activity, Reports, Event-O-Meter, Knowledge Base, Navigation, Auto Refresh, Dashboard, Correlated Alerts & Incidents. Screenshot of the Correlated Alerts & Incidents view (Date, Computer, Source, Description) with the category tree on the left (All Categories; Altiris Deployment Solution; Antivirus; Check Point; Cisco ASA; Cisco Aironet; Cisco Catalyst; Cisco Director; Cisco IOS; ...). Sample rows, all dated 1/13/2010:
- 2:44:40 PM, WEBDOC1, EventTracker: App Open, Exe: Acrobat.exe, Name: Adobe Acrobat, Description: Adobe...
- 2:45:10 PM, WEBDOC1, EventTracker: App Close, Exe: WINWORD.EXE, Name: Microsoft Office XP, PID: 40...
- 2:45:10 PM, WEBDOC1, EventTracker: App Close, Exe: Acrobat.exe, Name: Adobe Acrobat, PID: 1784
- 2:46:13 PM, WEBDOC1, EventTracker: App Open, Exe: WINWORD.EXE, Name: Microsoft Office..., Description...
- 2:46:58 PM, WEBDOC1, EventTracker: App Open, Exe: Acrobat.exe, Name: Adobe Acrobat, Description: Adobe...
- 2:47:22 PM, WEBDOC1, EventTracker: App Close, Exe: Acrobat.exe, Name: Adobe Acrobat, PID: 6096
- 2:47:32 PM, SYS5, EventTracker: App Close, Exe: WINWORD.EXE, Microsoft Office 2003, PID: 1...
- 2:48:57 PM, WEBDOC1, EventTracker: App Open, Exe: Acrobat.exe, Name: Adobe Acrobat, Description: Adobe...
- 2:49:42 PM, WEBDOC1, EventTracker: App Open, Exe: WINWORD.EXE, Microsoft Office, Description...
- 2:49:42 PM, WEBDOC1, EventTracker: App Close, Exe: WINWORD.EXE, Name: Microsoft Office..., PID: 538...
- 2:49:42 PM, ...
419. ...ters with Exception ... 51; Understanding Filters and Filter Exceptions ... 55; Viewing and Editing Alert Details ... 56; Reloading the Navigation Pane ... 58; ... 61; Current View ... 62; Chapter 3: Configuring Manager ...; Setting the Window View Limit (Console) ... 64; EventTracker Knowledge Base Web ... 64; Syslog Receiver ... 65; Monitoring Syslog ... 65; ... 66; ... 66; Configuring EventTracker Receiver to listen on multiple ... 67; Virtual Collection Points for ... 68; Configuring EventTracker Receiver Ports ... 68; Forward Raw Syslog Messages ... 70; Virtual Collection Points for Windows Events ... 71; Examples ... 71; Computer ... 71; Upgrading Agent Sys2 from Manager Sys...
420. ...the Beep column. To remove the setting, just click on the tick mark.
Adding Alerts from the Dashboard. This option helps you access the Alert Group Configuration console from the Dashboard. To add Alerts from the Dashboard: Right-click the event that you want to configure as an alert. EventTracker displays the shortcut menu.
Figure 101: Management Console shortcut menu. Screenshot: Dashboard, All Categories > EventTracker > EventTracker EXE tracking; Category: EventTracker EXE tracking, showing recent 107 events from Local\WEBDOC1 dated 4/28/2009 and 4/29/2009; shortcut menu items: Filter, Add Alert, Event Detail, Goto evtCatalog, Show Alert Rule.
421. ...the Groups or Categories in the left pane. EventTracker displays the shortcut menu. From the shortcut menu, choose Manage Categories. EventTracker displays the Manage Categories console. 3. Expand the tree in the left pane. 4. Right-click the Group that you want to delete. EventTracker displays the shortcut menu. From the shortcut menu, choose Remove Group; OR click the Delete menu and select the Delete Group option. EventTracker displays the Confirmation message box.
Figure 340: Confirmation message box. Text: "Do you want to delete the selected Group and its contents?" Yes / No.
5. Click Yes to remove, or No to abort.
Managing Event Categories. A set of relevant events can be grouped under a Category. For example, you can create a set of MS Exchange events under one Category and use this Category to show all events that occurred in MS Exchange. This is far easier and more flexible than generic reports.
Creating Event Categories. This option enables you to organize categories in an ordered manner. You can create, modify and delete categories. To create a Category: 1. Open the Management Console. 2. Click the Configure menu and select the Manage Categories option; OR right-click any of the Groups or Categories in the left pane. EventTracker displays the shortcut menu. From the shortcut men...
422. ...the current settings to other specified Agents. For more information, refer to Applying Configuration Settings to Specified Agents on page 285. Clear the check box against the Logfile Name to exclude the file from monitoring. EventTracker displays the EventTracker Agent Configuration message box if you try to save without entering the search string for the monitored log file.
Figure 253: EventTracker Agent Configuration message box. Text: "Enter search string for <the selected log file>".
Figure 254: Enter File Name dialog box.
Viewing File Details. This option helps you view file details. To view File Details: 1. Open the Agent Configuration window. 2. Select the system from the Select Systems drop-down list. 3. Click the Logfile Monitor tab. EventTracker displays the Logfile Monitor tab. 4. Select the log file from the list under Logfile Name. 5. Click View File Details. EventTracker displays the Enter File Name dialog box. Dialog text: "You can configure the complete path of the log file or folder that needs to be monitored, along with the strings that need to be searched. Select Log File Type: This is the Microsoft IIS log file format generated by IIS. Enter File name." 6. Click Close.
423. ...ties that occurred at a particular system or IP address; provision to resolve IP addresses; Event IDs by number of occurrences; provision to get more information on Event IDs. For more information, refer to the Enterprise Activity guide at http://www.prismmicrosys.com/Support/latest/guides/Enterprise Activity.pdf.
Analyzing Alerts. This option helps you analyze the Alert events that occurred on the monitored systems. To analyze Alert events: 1. Double-click Alerts Dashboard on the Control Panel. EventTracker displays the Alerts Dashboard.
Figure 317: Alerts Dashboard (its fields are described in Tables 61 and 62). Screenshot text: File, Configure, Help; Last Refreshed at 11:47:21 AM; System Group: ALL; Systems; Interval: Last 1 Day; Refresh once in 5 mins; Total alerts: 165; Alert Config. Alert counts per system (WEBDOC1, SYS5, SPIDER, ...) for alerts such as SOX EventTracker..., Administrative..., Detected software..., Critical service..., Spyware, Disk space is... Latest 20 Alerts (Date, Time, Description): App Open, Exe: RoboHTML.exe, Name: RoboHelp HTML 11, Description: RoboHelp HTML; App Open, Exe: WINWORD.EXE, Name: Microsoft Office XP, Description: WINWORD.EXE...
424. ...ting Filters. To export Filters: 1. Open the Export Import Utility. 2. Select the Filters option. EventTracker displays the Export Import Utility. 3. Click Export. EventTracker displays the Select Export File dialog box. 4. Click the Save in drop-down box and select the path where you want to export the filters. 5. Enter the file name in the File name field. The valid file extension is .isfil. 6. Click Save. EventTracker displays the Export Import Utility message box.
Figure 358: Export Filters message box. Text: "Successfully exported all the Filters."
7. Click OK. If the file already exists, EventTracker displays the Export Import Utility message box.
Figure 359: Export Filters message box. Text: "File already exists, do you want to append the existing file?" Yes / Cancel.
EventTracker displays the Export Import Utility message box if no filter details exist in the database.
Figure 360: Export Filters message box. Text: "No such Filter data in DB to export."
Exporting Alerts. To export Alerts: 1. Open the Export Import Utility. 2. Select the Alerts option. EventTracker displays the Export Import Utility.
Figure 361: Export Import Utility window, Export Alerts...
425. ...tion into one location and extract the most relevant transactions.
Hot fixes by Computer. Microsoft releases hot fixes on an almost weekly basis to remedy critical technical and security problems with the operating system. Clearly these problems are considered serious enough that they might significantly disrupt a customer's business if not repaired. This puts pressure on administrators to keep close track of which hot fixes are installed on servers and workstations, an essential but potentially time-consuming task. Being able to poll computers on a scheduled (e.g. weekly) basis to verify which hot fixes they have installed means having one fewer ball to juggle. Reporter's Hot Fixes by Computer report obviates the need to use a second tool to collect hot fix information. The report interrogates the Registry of each workstation and server on the network to determine which hot fixes are installed. Like all of Reporter's reports, this process can be scheduled at whatever interval the administrator deems appropriate. This way the hot fix check becomes part of the administrator's standard list of scheduled audit reports. Frequent collection ensures that the most current information is always at hand.
Last logon by Domain Controller. As previously noted, identifying redundant user accounts is an important step towards achieving a secure network. We previously discussed the use of the "user never logged on" report to highlight accounts that...
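What a scheduled hot-fix poll has to do with the raw per-computer lists is the useful part, and the text leaves it implicit. The following is an added example, not Reporter's or EventTracker's code: given the installed-hotfix sets collected from each host (on Windows these come from the Registry or the Win32_QuickFixEngineering class; here two weekly inventories are constructed), it derives the de-facto baseline, reports who is behind it, and diffs two runs. Host names and KB identifiers are invented; note how a host that did not answer the poll is reported as unknown rather than as fully patched.

```python
"""Added example, not Reporter's or EventTracker's code.  It turns the per-host
hotfix lists a scheduled poll collects into the three answers an administrator
wants: the de-facto patch baseline, who is behind it, and what changed since
the last run.  Host names and KB ids are invented."""
from collections import Counter
from typing import Dict, List, Set, Tuple

Inventory = Dict[str, Set[str]]  # computer name -> installed hotfix ids

# Constructed results of two consecutive weekly polls.
LAST_WEEK: Inventory = {
    "WEBDOC1": {"KB1001", "KB1002", "KB1003"},
    "SYS5":    {"KB1001", "KB1002", "KB1004"},
    "SPIDER":  {"KB1001"},
}
THIS_WEEK: Inventory = {
    "WEBDOC1": {"KB1001", "KB1002", "KB1003"},
    "SYS5":    {"KB1001", "KB1002"},          # KB1004 is gone: uninstalled or rolled back
    # SPIDER did not answer the poll this week
}


def baseline(inv: Inventory, quorum: float = 0.5) -> Set[str]:
    """Hotfixes present on at least `quorum` of the polled hosts: the patch level
    most machines are at, which is the yardstick for 'who is behind'."""
    if not inv:
        return set()
    counts = Counter(kb for kbs in inv.values() for kb in kbs)
    return {kb for kb, n in counts.items() if n / len(inv) >= quorum}


def missing_report(inv: Inventory, required: Set[str],
                   expected_hosts: List[str]) -> Dict[str, List[str]]:
    """Per host, the required hotfixes it lacks.  A host that was expected but did
    not report gets the marker '<not polled>': no data is not the same as
    'fully patched' and must not be reported as such."""
    report: Dict[str, List[str]] = {}
    for host in sorted(expected_hosts):
        if host not in inv:
            report[host] = ["<not polled>"]
        else:
            report[host] = sorted(required - inv[host])
    return report


def drift(previous: Inventory, current: Inventory
          ) -> Tuple[Dict[str, Tuple[List[str], List[str]]], List[str]]:
    """Per host present in the current poll, (hotfixes installed since the last
    run, hotfixes that disappeared), plus the hosts that were in the previous
    poll but not this one.  A disappearing hotfix is the row worth alerting on:
    patches rarely remove themselves."""
    changes: Dict[str, Tuple[List[str], List[str]]] = {}
    for host in sorted(current):
        before = previous.get(host, set())
        after = current[host]
        changes[host] = (sorted(after - before), sorted(before - after))
    not_polled = sorted(set(previous) - set(current))
    return changes, not_polled


if __name__ == "__main__":
    base = baseline(THIS_WEEK)
    print("baseline:", sorted(base))
    print("missing:", missing_report(THIS_WEEK, base, list(LAST_WEEK)))
    print("drift:", drift(LAST_WEEK, THIS_WEEK))
```

The quorum-based baseline is deliberately crude; where a vendor bulletin or an internal patch policy defines the required set, pass that as `required` instead and keep the baseline only as a sanity check on the policy.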
426. ...Altiris Deployment Solution, Antivirus, Check Point, Cisco ASA, Cisco Aironet, Cisco Catalyst, Cisco Director, Cisco IOS, Cisco PIX, Cisco VPN, Citrix, Crystal Enterprise, Dell OpenManage, DoubleTake, EventTracker, Fortigate, Juniper SBR, Linux Cracking, Linux Violation, Microsoft Windows Hyper-V, Netscreen, Oracle, Snort, Solaris BSM, SOX, Suspicious Network Activity, Syslog, Veritas, VMware ESX, WatchGuard Firebox, WhatChanged, Windows... (category tree). Screenshot rows (Computer, Source, Description), with the shortcut menu (Add Alert, Event Detail, Goto evtCatalog, Show Alert Rule) open over them:
- Security: Successful Network Logon, User Name: Administrator, Domain: PNPL
- Security: Successful Network Logon, User Name: Administrator, Domain: PNPL
- EventTracker: App Open, Exe: MSIEXEC.EXE, Windows Installer - Unicode...
- EventTracker: App Open, Exe: SmcGui.exe, Name: Symantec Client Management Com...
- EventTracker: App Open, Exe: SnagIt32.exe, Name: SnagIt, Description: SnagIt32.ex...
- 10:27:25 AM 1/13/2010, WEBDOC1, EventTracker: App Open, Exe: wweb32.exe, Name: WordWeb, Description: WordWe...
- 10:27:25 AM 1/13/2010, WEBDOC1, EventTracker: App Open, Exe: Explorer.EXE, Name: Microsoft Windows Operating...
- 10:27:52 AM 1/13/2010, WEBDOC1, EventTracker: App Open, Exe: ETReport_Migration.exe, Name: ETReport Migration 4...
- 10:27:52 AM 1/13/2010, WEBDOC1, EventTracker: Detected software <EventTracker> has been installed on this system. Nam...
427. ...to monitor application usage. When Monitor App Usage is selected, the App Exceptions and Monitor Specific Apps buttons are enabled. App Exceptions: Enables you to set the applications that you do not want to monitor. Monitor Specific Apps: Enables you to set the applications that you want to monitor.
4. Select appropriately the Monitor App Install/Uninstall and Monitor App Usage options. 5. Click Save. You can apply the current settings to other specified Agents. For more information, refer to Applying Configuration Settings to Specified Agents on page 286.
Filtering applications that need not be monitored. To filter out applications that need not be monitored: 1. Open the Agent Configuration window. 2. Select the system from the Select Systems drop-down list. 3. Select the Monitor App Usage option. EventTracker displays the Monitor Apps tab. 4. Click App Exceptions. EventTracker displays the App Exceptions dialog box. 5. Click Add. EventTracker displays the EventTracker Agent Configuration dialog box. 6. Type the application name, with the .exe extension, that you do not want to monitor. 7. Click OK. EventTracker displays the App Exceptions dialog box.
Figure 236: App Exceptions window. Dialog text: "List of App Executables that will be monitored": SnagIt32.exe; Add, Remove, Close. 8. ... 9. ...
428. ...ts Dashboard. Screenshot rows (Time, Date, Event ID, Computer, Type, Log, Source, User, Description), all dated 01/13/2010 on WEBDOC1:
- 11:39:06, 3222, Information, Application, EventTracker, toons\nirmal: App Close, Exe: msimn.exe, Name: Microsoft Windows Operating Sys...
- 11:38:06, 3222, Information, Application, EventTracker, toons\nirmal: App Close, Exe: iexplore.exe, Name: Windows Internet Explorer, PID...
- 11:16:14, 540, Audit Success, Security, Security, Administrator: Successful Network Logon, User Name: Administrator, Domain: PNPL (two entries)
- 11:12:21, 540, Audit Success, Security, Security, Administrator: Successful Network Logon, User Name: Administrator, Domain: PNPL (two entries)
- 11:11:43 and 11:11:42, 540, Audit Success, Security, Security, Administrator: Successful Network Logon, User Name: Administrator, Domain: PNPL
- 11:08:11, 540, Audit Success, Security, Security, Administrator: Successful Network Logon, User Name: Administrator, Domain...
429. ...u choose Manage Categories. EventTracker displays the Manage Categories console. 3. Click Create Category; OR click the New menu and select the New Category option; OR right-click All Categories. EventTracker displays the shortcut menu. From the shortcut menu, choose New Category. EventTracker displays the Create Event Category Wizard.
Figure 341: Create Event Category dialog box. Wizard text: Event Category Name: "Enter valid event category name". Description: "Enter descriptive information about the Event Category". Event Category Details: Parent Group: My Sub Group; Event Category Name; Description.
Table 64:
- Parent Group: The parent node under which the new category is created.
- Event Category Name: Type the event category name in this field.
- Description: Type the event category description in this field.
OR right-click any of the nodes in the left pane of the Management Console. EventTracker displays the shortcut menu. From the shortcut menu, choose New Category. EventTracker displays the Create Event Category Wizard.
4. Type appropriately in the relevant fields.
Figure 342: Create Event Category dialog box...
430. ...u have a large network, this may take a few minutes." 5. Click OK. System Manager displays the EventTracker System Manager message box after creating a group.
Figure 156: Create Group message box. Text: "Completed populating the newly created group. Select OK to view."
The created group is displayed in the left pane of the System Manager.
Figure 157: EventTracker System Manager with the newly created Group. Screenshot: File, View, Options, Help; toolbar: Configure System, Search Computers, Create Group, Delete Group, Add System, Remove System, Upgrade Agent; left pane, Computer Groups: TOONS, CELEBRATE, ELCTEST, EXCHANGE, PNPL, TESTDEP, TESTDEP1, WORKGROUP, Apps Database Group; right pane (Groups, Computer Type, Description, System Status): Apps Database Group, New logical Group, "Machines running Apps Database"; status bar: Displaying Windows Systems, Auto Discover, 0 Systems.
Creating a New Logical Group (Manual Selection). This option enables you to create a new logical Group of systems and manually add Computers to that Group. To create a new logical group and add systems manually to that group: 1. Select the Select Manually option in the Create Group...
431. ...numbers should be the same on both the Collection Master and the Collection Point.
- Active / Inactive: Displays the status of the Collection Master. The Collection Point will not send CAB files to a Collection Master that is Inactive.
- Description: Displays a description of the Collection Master(s).
Table 83: Add new managers; Edit manager configuration settings; Delete manager configuration settings; Close the window.
Purge Archives older than: Archives will be purged after the selected number of days. The EventTracker Scheduler process will not purge the archives if the number of days is set to zero.
2. Click Add. EventTracker displays the Add Destination dialog box.
Figure: Add Destination dialog box. Fields: Destination; Test Connection; Port: 14507; Active (checked); Encrypt Data; Description; OK / Cancel.
EventTracker selects the Active check box by default. When you clear this check box, the Collection Point will not send CAB files to the Collection Master that you have deactivated. A Collection Point can be configured to report to up to 5 Collection Masters simultaneously. You can configure as many Collection Masters as you need and activate or deactivate them as the situation demands.
3. Enter or select appropriately in the relevant fields and then click OK.
432. ...ut a specific task. You cannot customize, move or drag the Menu Bar.
Toolbar. The third strip is the Toolbar. The Toolbar contains command buttons with images; frequently used options are provided on the Toolbar. You cannot customize, move or drag the Toolbar. Mouse-over ToolTips on the command buttons tell you the purpose each button serves.
- Configure Agents: Open the Agent Configuration window.
- Search Computers: Search for and add computers. You can add a single computer or a Group of computers.
- Create Group: Create a logical computer Group. You can add systems to the Group by System Type, IP subnet or...
- Delete Group: Delete a logical computer Group.
- Add System: Install the Agent on remote systems.
- Remove System: Uninstall the Agent from remote systems.
- Upgrade Agent: Upgrade the Agent. You can upgrade through the Windows Domain Network or the Upgrade Over IP (Non Windows domain) method.
Workspace. The workspace consists of a left pane and a right pane. The left pane displays the tree view of computer Groups. The right pane displays managed and unmanaged computer details.
Status Bar. System Manager displays the system type (i.e. Windows or non-Windows) on the left, the discover mode of System Manager (i.e. Auto or Manual) in the second section, and the total number of systems discovered in the third section on the right p...
433. ...ut systems will not be added. Option text: "EventTracker System Manager will find Computers in the background while you can continue working. You can safely... When the background processing is complete, a notification message will pop up." 5. Click OK. System Manager displays the EventTracker System Manager message box after adding the computers.
Figure 130: Add a group of computers, EventTracker System Manager message box. Text: "Background processing and addition of Computers is complete. You may want to refresh your view and check the results."
6. Click OK. 7. Refresh the System Manager. If you select the "in the foreground (I will wait as Computers are searched for and added)" option, EventTracker displays the message "The EventTracker System Manager is finding Computers" in the status bar of the Select Criteria window. Computers in the selected group are added to the domain.
Adding a group of Computers from an IP subnet. This option enables you to add computers from an IP subnet. To add computers from an IP subnet: 1. Select the domain for which you want to add computers in the left pane. 2. Click the "Add Computers belonging to an IP subnet" option in the Add Computer(s) window.
Figure 131: Add Computer(s), computers from an IP subnet. Dialog text: "Do you want to: Add single Computer (By name or...
434. ...automatically starts adding Domains and computers.
Manual Mode. Unlike in Auto Discover Mode, System Manager will not discover any Domains or computers in this mode; you have to add them manually. If you switch from Auto to Manual mode, System Manager retains the previously discovered Domains and Computers.
Figure 123: "Set the option to add computers manually" message box.
To add computers manually: 1. Select the "I will choose to add and track Computers (Recommended for large networks)" option in the Select Auto Discover Mode window. 2. Click OK. System Manager displays the EventTracker System Manager confirmation message box. Text: "You have selected to manually add and track Computers. Further discovery of Computers will stop. Computers already discovered will be retained and can be removed as per your preference (From File > Remove Computer(s))." 3. Click OK.
In addition to the above, an option is also provided to perform this search either in the background or in the foreground. Performing the search in the background allows the user to proceed with other tasks in the System Manager.
Adding Computers. In Auto Discover Mode the System Manager automatically discovers Domains and Computers as you add them to your enterprise. All you need to do is refresh the System Manager. Bu...
435. ...EventBoxes. Configure EventVault Warehouse Manager to archive the events from the EventTracker database. EventVault Warehouse Manager tasks: Configuration; Save EventBox Metadata (save the archive summary into a text file); Backup Archives (back up EventVault data for long-term storage; it lets you retrieve the backup data if the archives are tampered with); Append Archives (append CAB files); Verify the integrity of selected EventBoxes; Extract the selected EventBox data into an MS Access database; Delete the selected EventBox; View the CAB files for a specific period; Move archives to a new location.
Events / Knowledge Base. This option enables you to view event details and the Knowledge Base Web site. To view event details: 1. Select an event in the content area. 2. Click the View menu and select the Event Details option; OR right-click the event and select the Event Detail option from the displayed shortcut menu; OR double-click the event. EventTracker displays the Event Details window, with the details for the selected event in the Event Details tab. 3. Click Next to view the next event's details. 4. Click Previous to view the previous event's details. 5. Click the Knowledge Base tab. EventTracker displays the Knowledge Base tab. 6. Click the hyperlink under More Information. EventTracker...
436. ...EventTracker: Agent configuration changed; EventTracker: Collection Master Error; EventTracker: Collection Point Error; EventTracker: DLA: No files found for pro...; EventTracker: DLA file processing failed; EventTracker: Remedial action failed; EventTracker: Remedial action ignored; EventTracker: Remedial action Success; EventTracker: USB device disabled; ... (the remaining rows and the notification-action check-box columns of the alert grid are not legible).
437. ...EventTracker\Archindxr.exe. Console output when archives are present:
    Do you want to log the operations? (Y/N)
    > Processing Archives Folder: C:\Program Files\Prism Microsystems\EventTracker\Archives
    > Processing archive etar1145844172.cab ... Extracting DB
    >> Archive etar1145844172.cab Extraction Done. Found one DB: EtwArchive1145844172.mdb
    > Processing DB EtwArchive1145844172.mdb
    >> Finish Processing DB EtwArchive1145844172.mdb
    >> Done with etar1145844172.cab. Moving to next archive
    > Processing archive etar1145930584.cab ... Extracting DB
    >> Archive etar1145930584.cab Extraction Done. Found one DB: EtwArchive1145930584.mdb
    > Processing DB EtwArchive1145930584.mdb
    >> Finish Processing DB EtwArchive1145930584.mdb
    >> Done with etar1145930584.cab. Moving to next archive
If there are CAB files in the selected folder, EventTracker displays the DOS window.
Figure 115: Archive Index command prompt when no archives are found:
    Do you want to log the operations? (Y/N)
    > Processing Archives Folder: C:\Documents and Settings\nirmal\My Documents\My Shapes
    >> No archives found. Exiting
    > Indexing process terminated with Error
    >> Refer logfile C:\Documents and Settings\nirmal\My Documents\My Shapes\ArchiveIndexlog.txt
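The archive indexer above, the "Purge Archives older than" setting on the Collection Point (where zero means never purge) and the Collection Master's rule of backing up a same-named CAB by appending timeticks all touch the same folder of CAB files, and each has a failure mode worth handling explicitly. The following is an added example, not EventTracker's code: it walks a constructed Archives folder, purges by age with the zero-means-never rule, and copies archives into a new folder without ever overwriting an existing one. The file names follow the listing above; the exact timeticks suffix format is an assumption.

```python
"""Added example, not EventTracker's own code: the three archive-folder chores
the guide describes (index, purge, merge into a new folder), done safely on a
constructed folder of .cab files.  The etar<digits>.cab naming follows the
indexer listing; the '_<timeticks>' suffix format is an assumption."""
import os
import shutil
import tempfile
import time
from typing import Dict, List


def find_archives(folder: str) -> List[str]:
    """Sorted .cab paths.  An empty list is the indexer's 'No archives found' case,
    which the caller should treat as an error rather than a clean run."""
    if not os.path.isdir(folder):
        raise FileNotFoundError(folder)
    return sorted(os.path.join(folder, f) for f in os.listdir(folder)
                  if f.lower().endswith(".cab"))


def purge_older_than(folder: str, days: int, now: float) -> List[str]:
    """Delete archives whose modification time is older than `days`.
    days == 0 disables purging (the Scheduler treats 0 as 'never'); it is NOT
    'purge everything', which is the bug a naive cutoff computation produces."""
    if days <= 0:
        return []
    cutoff = now - days * 86400
    purged = []
    for path in find_archives(folder):
        if os.path.getmtime(path) < cutoff:
            os.remove(path)
            purged.append(os.path.basename(path))
    return purged


def move_archives(src: str, dst: str, now: float) -> Dict[str, str]:
    """Copy every .cab from src into dst without overwriting: an existing file
    of the same name is first renamed <name>_<timeticks>.cab, the way the
    guide says the Collection Master backs up a same-named file."""
    os.makedirs(dst, exist_ok=True)
    outcome: Dict[str, str] = {}
    for path in find_archives(src):
        name = os.path.basename(path)
        target = os.path.join(dst, name)
        if os.path.exists(target):
            stem, ext = os.path.splitext(name)
            backup = os.path.join(dst, f"{stem}_{int(now)}{ext}")
            os.replace(target, backup)
            outcome[name] = "existing copy backed up as " + os.path.basename(backup)
        else:
            outcome[name] = "copied"
        shutil.copy2(path, target)
    return outcome


def demo() -> Dict[str, object]:
    """Build a constructed Archives folder in a temp dir, run the three chores and
    return the results (the folder is removed afterwards)."""
    now = time.time()
    root = tempfile.mkdtemp(prefix="etar_demo_")
    old, new = os.path.join(root, "Archives"), os.path.join(root, "NewArchives")
    os.makedirs(old)
    os.makedirs(new)
    ages_in_days = {"etar1145844172.cab": 40, "etar1145930584.cab": 5, "notes.txt": 90}
    for name, age in ages_in_days.items():
        path = os.path.join(old, name)
        with open(path, "wb") as fh:
            fh.write(b"MSCF")  # constructed placeholder, not a real CAB
        os.utime(path, (now - age * 86400, now - age * 86400))
    # The new folder already holds a file with a colliding name.
    with open(os.path.join(new, "etar1145930584.cab"), "wb") as fh:
        fh.write(b"MSCF old")
    result = {
        "found": [os.path.basename(p) for p in find_archives(old)],
        "purged_zero_days": purge_older_than(old, 0, now),
        "purged_30_days": purge_older_than(old, 30, now),
        "moved": move_archives(old, new, now),
        "new_folder": sorted(os.listdir(new)),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the merge only with the EventTracker services stopped, as the merging section of this guide requires; a CAB being written by EventVault while it is copied is the one case this code cannot make safe.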
438. ...EventTracker Log Search: Filter and display event logs based on user-defined criteria. The user can define the filter or exclude string as well as specify the output format. Usage: forensic analysis of specific events; broad searches per criteria with subsequent sorting and ordering of the result set. For more information, refer to the EventTracker Log Search guide.
Event Traffic Analysis. After EventTracker is deployed on numerous systems in a large network, you will very likely notice EventTracker receiving millions of events. The majority of these events will be of little use to you. By assigning an appropriate priority you can filter out unnecessary events and improve utility. Filtering unnecessary events is a powerful feature driven by the priority you configure. Traffic Analyzer is a tool that is part of the EventTracker Console. It helps you find the details of the most common events and set your order of priority; accordingly, create filters for non-essential events that only add traffic and have little value. Filtering is a continuous process, and priority may vary from one system to another. Over a period of time and with experience, priority events can be separated from non-priority events on a specific system. Repeating this process every week lets you receive only events of value, which optimizes your operations. When non-priority events are filtered out, EventTracker functions optimally. Note that an agent-side filter is applied before events are sent to the Manager, so filtered events are not available for later alerts, reports or forensic searches; volume alone is not a good reason to filter security audit events such as logons. This report provides total counts...
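The Traffic Analyzer's two views (by Event Id or Category, and the Keywords Analysis described earlier in this guide with its Contains All, Specific words and Exclude following words lists) are straightforward to reproduce over exported events, and doing so shows how a count turns into a filter decision. The following is an added example, not the Traffic Analyzer's code, run over a constructed batch of events modelled on the dashboard rows elsewhere in this guide; the event layout is constructed, and "Specific words" is taken to mean "at least one of the words", an assumption about the dialog.

```python
"""Added example, not the Traffic Analyzer's code.  It performs the analyses the
guide's Traffic Analyzer offers ('View by Event Id / Category' and 'Keywords
Analysis' with Contains All, Specific words, Exclude following words) over a
constructed batch of events, and turns the counts into filter candidates.
The event layout and sample events are constructed; 'Specific words' is
taken to mean 'at least one of the words', an assumption about the dialog."""
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

Event = Tuple[str, int, str, str]  # (computer, event_id, category, description)

# Constructed sample, modelled on dashboard rows reproduced elsewhere in this guide.
SAMPLE: List[Event] = [
    ("WEBDOC1", 3222, "EventTracker EXE tracking", "App Open Exe: Acrobat.exe Name: Adobe Acrobat"),
    ("WEBDOC1", 3222, "EventTracker EXE tracking", "App Close Exe: WINWORD.EXE Name: Microsoft Office XP PID: 40"),
    ("WEBDOC1", 3222, "EventTracker EXE tracking", "App Open Exe: WINWORD.EXE Name: Microsoft Office XP"),
    ("SYS5",    3222, "EventTracker EXE tracking", "App Close Exe: Acrobat.exe Name: Adobe Acrobat PID: 1784"),
    ("WEBDOC1",  540, "Successful Network Logon",  "Successful Network Logon User Name: Administrator Domain: PNPL"),
    ("WEBDOC1",  540, "Successful Network Logon",  "Successful Network Logon User Name: Administrator Domain: PNPL"),
    ("SYS5",     540, "Successful Network Logon",  "Successful Network Logon User Name: svc_backup Domain: PNPL"),
    ("SPIDER",  7031, "Critical service",          "The EventTracker Agent service terminated unexpectedly"),
    ("WEBDOC1", 3222, "EventTracker EXE tracking", "Detected software <EventTracker> has been installed on this system"),
    ("SPIDER",   529, "Logon failure",             "Logon Failure User Name: Administrator Domain: PNPL Reason: bad password"),
]


def _top(keys: Iterable, total: int, n: int) -> List[Tuple[object, int, float]]:
    """(key, count, share of all traffic) for the n most frequent keys."""
    return [(k, c, round(c / total, 3)) for k, c in Counter(keys).most_common(n)]


def top_by_event_id(events: Sequence[Event], n: int = 5):
    """'View by Event Id': the most frequent ids with count and share."""
    return _top((e[1] for e in events), len(events), n)


def top_by_category(events: Sequence[Event], n: int = 5):
    """'View by Category': same, grouped by the category the event was filed under."""
    return _top((e[2] for e in events), len(events), n)


def keyword_analysis(events: Sequence[Event], contains_all=(), specific=(), exclude=()) -> List[Event]:
    """'Keywords Analysis' on the description, case-insensitive: every word in
    contains_all must appear, at least one of specific must appear (if any are
    given), and none of exclude may appear."""
    def ok(desc: str) -> bool:
        d = desc.lower()
        return (all(w.lower() in d for w in contains_all)
                and (not specific or any(w.lower() in d for w in specific))
                and not any(w.lower() in d for w in exclude))
    return [e for e in events if ok(e[3])]


def filter_candidates(events: Sequence[Event], min_share: float = 0.4,
                      never_filter=(529, 540, 4624, 4625)) -> List[int]:
    """Event ids that dominate the traffic and are therefore worth a filter, minus
    ids a security team keeps regardless of volume (logon success and failure):
    filter by priority, not by count alone."""
    return [eid for eid, _, share in top_by_event_id(events, len(events))
            if share >= min_share and eid not in never_filter]


if __name__ == "__main__":
    print(top_by_event_id(SAMPLE, 3))
    print(top_by_category(SAMPLE, 3))
    print(keyword_analysis(SAMPLE, contains_all=("administrator", "logon"), exclude=("failure",)))
    print(filter_candidates(SAMPLE))
```

The `never_filter` list is the practitioner's guard: in the sample the successful-logon events are the second-largest source of traffic, and without it a threshold of 0.3 would nominate them for a filter.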
439. ...view limit in the Manager Configuration window. Event-O-Meter is an analytical graphical chart that helps you quickly visualize per-port trends of events over a specified time range. In addition, the numerical data is also provided in tabular format.
Event-O-Meter, Chart: line chart with series Port 514 and Port 14505 at 5-minute intervals from 14:41 to 15:26; Chart Type: Line / Bar / Pie; Duration: Show data for Last 1 Hour.
Figure 8: Event-O-Meter, Tabular Data. StartTime 1/13/2010 2:27:14 PM, EndTime 1/13/2010 3:27:14 PM; the rows are consecutive 5-minute intervals from 2:27:14 PM to 3:27:14 PM with the event count for port 514 and...
440. ...w Domain policy changed; (al grid columns: E-mail, Events as SNMP Traps, Events as SYSLOG Messages); EventTracker agent service failed; EventTracker Agent configuration changed; EventTracker Collection Master Error; EventTracker Collection Point Error; EventTracker DLA: No files found for pro...; EventTracker DLA file processing failed; ... (the notification-action check-box columns of the alert grid are not legible).
441. ...were created but have never been used. Another more frequent and common scenario is an employee or contractor leaving the organization without IT being notified. Though policies may be in place stipulating that the accounts of departed staff are to be disabled and eventually deleted, if IT doesn't know that someone has left they really have no way of knowing which accounts need to be disabled on a given day.
One indication of whether an account is being used or not is the last logon time. Each time a user enters their username and password, either at logon time or as part of unlocking their workstation, a logon transaction is recorded and the time of that transaction is stamped onto that user's account. For the most part, if an account's last logon time is more than 2 to 3 weeks in the past (this takes into account possible employee vacations, training courses or travel), this is a good indication that the employee is no longer working with the company. Reporter's Last Logon by Domain Controller report is an authoritative source of users' last logon times. The report polls all domain controllers (DCs) for the last logon seen by that DC for each user and then calculates the most recent time for insertion into the report. Polling every DC matters because the per-DC last-logon value is not replicated between domain controllers, so any single DC knows only about the logons it authenticated itself. As part of a regular security audit process, this report could be scheduled to run on at least a weekly basis. Armed with this rep...
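The arithmetic the report describes (take each DC's last-logon value per account, keep the most recent, flag what is older than the review window) is simple, but two cases decide whether the result is trustworthy: accounts no DC has ever seen, and DCs that did not answer the poll. The following is an added example, not Reporter's code, working over constructed DCs, accounts and times; None stands for "never logged on" (stored as 0 in the directory), and the 21-day window is the 2-to-3-week rule from the text.

```python
"""Added example, not Reporter's code.  It merges the last-logon time each DC
holds for each account into one value, flags accounts unused for longer than
the review window, and carries the caveat when a DC did not answer (every
result is then only a lower bound).  DCs, accounts and times are constructed;
None stands for 'never logged on' (0 in the directory)."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

PerDC = Dict[str, Dict[str, Optional[datetime]]]  # dc -> account -> last logon seen by that dc

# Constructed poll results.  DC3 was expected but did not answer.
SAMPLE_PER_DC: PerDC = {
    "DC1": {
        "administrator": datetime(2010, 1, 13, 11, 16),
        "jsmith":        datetime(2009, 11, 2, 8, 5),
        "contractor7":   None,
        "svc_backup":    datetime(2010, 1, 12, 23, 0),
    },
    "DC2": {
        "administrator": datetime(2010, 1, 10, 9, 30),
        "jsmith":        datetime(2009, 11, 30, 8, 0),
        "contractor7":   None,
        "svc_backup":    None,
    },
}
EXPECTED_DCS = ["DC1", "DC2", "DC3"]
NOW = datetime(2010, 1, 14, 12, 0)


def merge_last_logon(per_dc: PerDC, expected_dcs: List[str]
                     ) -> Tuple[Dict[str, Optional[datetime]], List[str]]:
    """Most recent logon per account across the DCs that answered, plus the DCs
    that did not.  The per-DC value is not replicated, so the maximum is the
    only authoritative figure and a missing DC makes it a lower bound."""
    missing = [dc for dc in expected_dcs if dc not in per_dc]
    accounts = set()
    for table in per_dc.values():
        accounts.update(table)
    merged: Dict[str, Optional[datetime]] = {}
    for acct in accounts:
        seen = [t for table in per_dc.values() if (t := table.get(acct)) is not None]
        merged[acct] = max(seen) if seen else None
    return merged, missing


def classify(merged: Dict[str, Optional[datetime]], now: datetime,
             max_age_days: int = 21) -> Dict[str, Tuple[str, Optional[int]]]:
    """account -> (status, age in days): 'never' when no DC has seen a logon,
    'stale' when older than the review window, 'active' otherwise."""
    out: Dict[str, Tuple[str, Optional[int]]] = {}
    for acct, last in merged.items():
        if last is None:
            out[acct] = ("never", None)
        else:
            age = (now - last).days
            out[acct] = ("stale" if age > max_age_days else "active", age)
    return out


def review_list(per_dc: PerDC, expected_dcs: List[str], now: datetime,
                max_age_days: int = 21) -> List[str]:
    """Sorted lines for the disable/delete review, each carrying the caveat when
    the picture is incomplete because a DC was not polled."""
    merged, missing = merge_last_logon(per_dc, expected_dcs)
    caveat = f" (unverified: {', '.join(missing)} not polled)" if missing else ""
    return sorted(f"{acct}: {status}{caveat}"
                  for acct, (status, _) in classify(merged, now, max_age_days).items()
                  if status != "active")


if __name__ == "__main__":
    for line in review_list(SAMPLE_PER_DC, EXPECTED_DCS, NOW):
        print(line)
```

Treat the "never" rows with care: a service or shared account that authenticates only with Kerberos tickets issued elsewhere, or an account created for a future hire, will look identical to a forgotten one, so the list is a review queue rather than a disable script.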
442. ...with newly created Group. [EventTracker System Manager message box: "Management Console will now start populating the newly created group. If you have a large network this may take a few minutes."] 6. Click OK. System Manager displays the EventTracker System Manager message box after creating a group. [Message box: "Completed populating the newly created group. Select OK to view."] The created group is displayed in the left pane of the System Manager. [Figure: EventTracker System Manager window (menus File, View, Options, Help); tree with CELEBRATE, ELCTEST, EXCHANGE, PNPL, TESTDEP, TESTDEP1, WORKGROUP and Apps Database Group; toolbar with Configure System, Search Computers, Create Group, Delete Group, Add System, Remove System, Upgrade Agent; Computer Groups: 8 Groups; Apps Database Group described as "Machines running Apps Database application", listing DONALD, Windows 2000 Professional, Unmanaged, Auto Discover, 1 Systems.] If the Group Name already exists, System Manager displays the EventTracker System Manager message box. Figure 164: Create Group message box. [Message box: "The group name you entered
443. ...with the same Site Name (NEWYORK), send the CAB files to the Collection Master. Collection Point retains the old folder (Program Files\Prism Microsystems\EventTracker\Archives\NEWYORK 192.168.1.38) and stores all the CAB files in that folder. Point to remember: Collection Master backs up the older files with the same name but appends timeticks. Timeticks is the time when the Collection Master received the new CAB files. Merging Collection Points: modified Archives folder. When you modify the default archives path, Collection Master stores the new CAB files in the new Archives folder. You have to manually copy all the old CAB files to the new Archives folder. When you generate Advanced Reports, EventTracker refers to the CAB files located in the new Archives folder. Before you attempt to manually copy the CAB files from the old Archives folder to the new Archives folder, do the following: 1. Stop the EventTracker services in the same order as given below: EventTracker Agent, EventTracker EventVault, EventTracker Scheduler. Apply the patch ET63P09 056.exe. Create a new folder (typically Archives), for example D:\Archives. Copy the VCP folder structure and paste it into the new Archives folder. Suppose the VCP folder structure is as follows: C:\Program Files\Prism Microsystem
444. ...work Connection Monitor, Logfile, Managers, Event Filters, System Monitor, Monitor Apps, Services. Up to 5 managers can be configured (Manager Name; Remove; Edit). 4. Click Apply the following settings to specified Agents. EventTracker displays the Apply Client Configuration Across Enterprise dialog box. Figure 281: Apply Client Configuration Across Enterprise window. Figure 282: Apply Client Configuration Across Enterprise message box. [Dialog: "The current settings can be distributed and applied to specified clients across the enterprise. Select the clients where you would like to apply this configuration and select Apply." Systems list (HAGAR, WEBDOC1) and List of selected systems, with Add All >>, Add >, < Remove, << Remove All, Apply and Cancel buttons.] 5. Select the group and computer for which you want to apply the configuration settings. Select the All Non-Vista Agents option from the Groups drop-down list to view all systems where non-Vista Agents have been deployed. Select the All Vista Agents option from the Groups drop-down list to view all systems where Vista Agents have been deployed. EventTracker displays the Apply Client Configuration Across Enterprise dialog box with the selected s
445. ...x Figure 381: Import Alerts message box. [Export Import Utility: "To view the imported Alerts please go to Configure Config Alerts. Successfully imported Alert(s) from file C:\Program Files\Prism Microsystems\EventTracker\DskSpc.isalt".] 9. Click OK. EventTracker displays the Export Import Utility message box. Figure 382: Import Alerts message box. [Export Import Utility: "The EventTracker Management Console needs to be restarted for settings to take effect."] EventTracker displays the Export Import Utility message box if the alerts already exist. Figure 383: Import Alerts message box. [Export Import Utility: "Current file contains multiple Alerts and some or all of the Alerts were already existing. These Alerts were automatically updated. The rest were imported successfully."] Importing System Groups. To import system groups: 1. Open the Export Import Utility. 2. Click the Import tab. 3. Select the Groups option on the Import tab. EventTracker displays the Export Import Utility window. Figure 384: [Export Import Utility, Import tab: "1. Provide the path & file name of the groups file. Use the ... button to browse & locate the import file. 2. Click the Import button." Import options shown include Category and Filters.]
446. ...x [Figure: EventVault Backup Archives window, Metadata tab; options Show older than and Show From Period; a list of archive periods from 1/8/2010 through 1/13/2010, each with its etar archive file name; Select All, Verify, Extract and Delete buttons; EventVault Enabled.]
447. ...y: Displays the name of the user who configured the feed. Added Date: Displays the date when the feed was added. Status: Displays whether the RSS Feeds are active or inactive. Show only: Select from the drop-down list to view All, Active and Inactive feeds. New Feed: Add new feeds. Delete: Delete feeds. Once the feeds are deleted they are not deleted from the db permanently; rather, EventTracker changes the status of the feeds to Inactive. Inactive feeds cannot be reactivated. Close: Close the RSS Feeds window. 3. Click New Feed. EventTracker displays the New RSS Feed window. Figure 105: New RSS Feed. [New RSS Feed window, RSS Feed Details: Feed Name (type the name of the feed), Description (type the description of the feed).] 4. Type appropriately in the relevant fields. Figure 104: New RSS Feed. [RSS Feed Details: Feed Name SummRpt, Description "Feed for Summary Reports".] 5. Click OK. EventTracker displays the RSS Feeds window with the newly added RSS feed. Figure 105: RSS Feeds. [Available Feeds: Feed Name SummRpt, Description "Feed for Summary Reports", Added By nirmal, Added Date 2008, Status Active; Show only: Active feeds; Delete Feed; Clo
448. ...y Wizard box. [Event Category Name: Enter valid event category name. Description: Enter descriptive information about the Event Category. Event Category Details: Parent Group My Sub Group; Event Category Name AD Events Category; Description Active Directory Events.] 5. Click Next >. EventTracker displays the Confirmation message box. Figure 343: Confirmation message box. [Confirmation: "Modifications done to category will affect all the category groups where this category exists. Are you sure you want to save the changes?" Yes / No.] 6. Click Yes. EventTracker displays the Create Event Category Wizard dialog box. Figure 344: Create Event Category dialog box. [Create Event Category Wizard, Event Details: "Enter or select event details information. Enter comments or recommended action for the event. Click Add to save and continue, click Finish to save and exit." Fields: Severity, Event Category, Log Type, Event ID, Source, User, Match in Event Descr, Event Descr Exception. Match in Event Descr field takes multiple strings separated with || or &&; && stands for AND condition, || stands for OR condition. Note: If you want to make a match on any of the special characters like N
449. ...y added Category Group to this Category Group. Adding Categories to a Group. This option helps you add Categories to a Category Group. To add Categories to a Category Group: 1. Open the Management Console. 2. Right-click the Group in the left pane for which you want to add Categories. EventTracker displays the shortcut menu. From the shortcut menu choose New Category. OR: Open the Manage Categories console. Select the Group in the tree for which you want to add Categories. Right-click it. EventTracker displays the shortcut menu. From the shortcut menu choose New Category, OR click the New menu and select the New Category option, OR click Create Cat. EventTracker displays the Create Event Category Wizard. Figure 333: Create Event Category Wizard. 3. Type appropriately in the relevant fields. Figure 334: Create Event Category Wizard. [Event Category Name: Enter valid event category name. Description: Enter descriptive information about the Event Category. Event Category Details: Parent Group My Sub Group; Event Category Name
450. ...ype option. The options are System Type, IP Subnet and Select Manually. System Type: Enables you to add the selected system type to the group. IP Subnet: Enables you to add the IP subnet to the group. Select Manually: Enables you to add the systems manually from the available list to the group. 4. Type appropriately in the relevant fields. Figure 148: Create Group, System Type. [Create Group, Select Group Name & Type: Group Name App Database Group; Group Description "running Apps Database Application"; "Select whether you want this group to be based on system type, IP subnet or you like to select the group members": System Type, IP Subnet, Select Manually; Cancel, Next >.] 5. Click Next >. If you select the System Type option, System Manager displays the Create Group dialog box. Figure 149: Create Group, System Type. [Create Group, Select System Type: "Select the system type from the list of supported types. All systems of the following type will become members of this group": Servers (2003, 2000, NT); Cancel, < Previous.] 6. Select the system type from the Select System Type drop-down list. 7. Click Finish. System Manager displays the EventTracker System Manager message box.
451. ...ystems. 6. Click Apply. EventTracker displays the EventTracker Agent Configuration message box. [EventTracker Agent Configuration: "You have chosen to apply current configuration to specified clients. This will result in loss of specific client configuration done earlier. Do you want to continue?" Yes / No.] 7. Click Yes. EventTracker displays the success status. Figure 283: Saving Agent Configuration. [Saving Client Configuration pop-up window: Completed. Note: Double-click on system to view its status.] 8. Double-click the system name. EventTracker displays the EventTracker Agent Configuration message box. Figure 284: EventTracker Agent Configuration message box. [System SIMBI, Status Success; OK.] 9. Click OK. 10. Click Close on the Saving Client Configuration window. 11. Click Save. Backing up Current Configuration. This option enables you to back up the current configuration settings. To back up the current configuration settings: 1. Open the Agent Configuration window. EventTracker by default displays the Managers tab. 2. Select the system from the Select Systems drop-down list. 3. Click the File menu and click the Backup option. EventTracker by
