GFI Product Manual Administrator Guide
The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources.
Contents
1 Introduction
1.1 About GFI EventsManager
1.2 How GFI EventsManager works
1.2.1 Stage 1: Event Collection
1.2.2 Stage 2: Event Processing
1.3 Conventions used in this guide
2 Installing GFI EventsManager
2.1 Deployment scenarios
2.1.1 Installing GFI EventsManager in a Local Area Network (LAN)
2.1.2 GFI EventsManager within a Demilitarized Zone (DMZ)
2.1.3 GFI EventsManager within a Wide Area Network (WAN)
2.2 System requirements
2.2.1 Hardware requirements
2.2.

4.4.4 Configuring event source operational time
4.4.5 Configuring event source monitoring
4.4.6 Configuring event processing parameters
4.5 Database sources
4.5.1 Microsoft® SQL Server® Sources
4.5.2 Oracle server sources
5 Collecting Event Logs
5.1 Collecting Windows® event logs
5.2 Collecting Text logs
5.3 Collecting Syslogs
5.3.1 Configuring the Syslog server communications port
5.4 Collecting SNMP Traps Messages
5.4.1 Configuring the SNMP Trap server
5.5 Collecting custom logs
5.

8.4 Creating a root report
8.5 Creating custom reports
8.6 Generating reports
8.6.1 Generating a report
8.6.2 Generating daily digest reports
8.6.3 Generating settings reports
8.6.4 Generating rules reports
8.6.5 Generating operational history reports
8.6.6 Generating activity overview reports
8.7 Analyzing reports
8.8 Defining column headings
8.8.1 Reporting on events from different databases
8.9 Customizing HTML reports
9 Events Processing Rules
9.1 About events processing rules
9.1.

12.2 Managing user accounts
12.2.1 Creating a new user account
12.2.2 Changing user account properties
12.2.3 Deleting a user account
12.3 Managing user groups
12.3.1 Creating a new group
12.3.2 Changing group properties
12.3.3 Deleting a group
13 Console Security and Audit Options
13.1 Enabling login system
13.1.1 Password recovery
13.2 Anonymization
13.3 Auditing console activity
13.4 Auto-discovery credentials
14 Database Maintenance
14.

15.3.3 Viewing license details
15.3.4 Purchasing a license key
15.4 Product version information
15.4.1 Checking your GFI EventsManager version
15.4.2 Checking for newer versions
15.5 Importing and Exporting settings
15.5.1 Exporting configurations to a file
15.5.2 Importing configurations from a file
15.5.3 Importing configurations from another instance
15.6 Building query restrictions
15.6.1 Using the Edit Query Restriction dialog
16 Command Line Tools
16.1 Using ESMCmdConfig.exe
16.1.

17.1.2 Enabling permissions on Microsoft® Windows® Vista
17.1.3 Enabling permissions on Microsoft® Windows® 7
17.1.4 Enabling permissions on Microsoft® Windows® Server 2003
17.1.5 Enabling permissions on Microsoft® Windows® Server 2008 (including R2)
17.2 Enabling event source permissions automatically
17.2.1 Enabling permissions on Windows® Server 2003 via GPO
17.2.2 Enabling permissions on Windows® Server 2008 via GPO
17.3 Disabling User Account Control (UAC)
18 Troubleshooting
18.1 Documentation
18.
1 Introduction
The enormous volume of system event logs generated daily is of growing importance to organizations that must record information for forensic and compliance purposes. It is essential to perform real-time, network-wide event log monitoring, analysis and reporting to address any incidents or security concerns and combat threats to business continuity.
Automatically monitor computers and network devices through GFI EventsManager's wide range of event log support, such as Text Logs, Windows® Event Logs, Syslogs, SNMP Traps Messages, Active Monitoring Events and even custom event logs
Monitor computers and services running on your network through active monitoring features such as continuous checking of HTTP/HTTPS/FTP site availability, server roles queries, firewall queries and more
Optimize security and performance while tracking operational issues by aud
1.2.1 Stage 1: Event Collection
During the Event Collection stage, GFI EventsManager collects logs from specific event sources. This is achieved through the use of two event collection engines: the Event Retrieval Engine and the Event Receiving Engine.
Table 1: GFI EventsManager engines
The Event Retrieval Engine: Used to collect Windows® Event Logs and Text Logs from networked event sources. During the Event Collection process this engine will:
1. Log on to the event source(s)
2.
1.3 Conventions used in this guide
The table below describes the common terms and conventions used in this Guide:
Table 2: Terms and conventions used in this manual
Note: Additional information and references essential for the operation of GFI EventsManager.
Important: Important notifications and cautions regarding potential issues that are commonly encountered.
>: Step by step navigational instructions to access a specific function.
2 Installing GFI EventsManager
This chapter describes the possible deployment scenarios supported by GFI EventsManager. It is essential to review system requirements and computer settings prior to installing the product to ensure full communication between GFI EventsManager and the network devices/computers that must be monitored.
Topics in this chapter:
2.1 Deployment scenarios
2.2 System requirements
2.3 Upgrading GFI EventsManager
2.4 Installing a new instance of GFI EventsManager
2.
Figure 1: GFI EventsManager deployment scenario This section contains information about deploying GFI EventsManager in a: Local Area Network (LAN) - Monitor activity of the main production network, servers and workstations Demilitarized Zone (DMZ) - Monitor events generated by public service servers, such as mail servers, web servers and DNS servers Wide Area Network (WAN) - Monitor events generated by computers and network devices spread across different geographical locations.
2.1.1 Installing GFI EventsManager in a Local Area Network (LAN) GFI EventsManager can be deployed on Windows® based networks as well as on mixed environments where Linux and Unix systems are being used as well.
2.1.2 GFI EventsManager within a Demilitarized Zone (DMZ)
GFI EventsManager is able to monitor events generated by machines in a DMZ either from an installation within the LAN or from an installation directly in the DMZ. Since a firewall or router with traffic-filtering capabilities usually protects this zone, you must make sure that: The communication ports used by GFI EventsManager are not blocked by the firewall.
Table 4: Benefits of installing GFI EventsManager in DMZ
DMZ Automation: Automate management of Web and Mail server events. DMZ networks are normally used for running hardware and software systems that have Internet-specific roles such as HTTP servers, FTP servers and Mail servers.
2.1.3 GFI EventsManager within a Wide Area Network (WAN) GFI EventsManager can be installed in environments that have multiple sites in different geographical locations. Screenshot 3: Export data from remote sites to the main instance of GFI EventsManager This is achieved by installing an instance of GFI EventsManager at each location. Periodically (based on a schedule), you can export events from the remote sites and import them into the central database for complete consolidation of event logs.
2.2 System requirements To install GFI EventsManager, the host computer must meet the system requirements specified below. If you plan to manage a large number of event sources in a high traffic network, consider using a computer with greater system specs.
Windows® SBS 2008
Windows® SBS 2003.
Note: GFI EventsManager cannot be installed on Server Core installations.
2.2.3 Other software components
The additional software components below are recommended to ensure full functionality of GFI EventsManager:
Microsoft® .NET Framework 4.0
Microsoft® Data Access Components (MDAC) 2.8 or later
A mail server (when email alerting is required).
Note: Microsoft® Data Access Components (MDAC) 2.8 can be downloaded from http://go.gfi.com/?pageid=esm_mdac
2.
Port: 1521. Protocols: UDP and TCP. Description: Used to collect Oracle Server audit logs. Port 1521 is the default port for this connection. If the port is changed manually in the Oracle Listener's configuration, adjust firewall settings accordingly.
Port: 49153. Protocols: UDP and TCP. Description: Used by GFI EventsManager to collect events from event sources running Microsoft® Windows® Vista or Microsoft® Windows® 7.
2.2.
2.2.8 Antivirus exceptions
If an antivirus application is installed on the computer where GFI EventsManager is running, make sure that:
Traffic is not blocked on the ports in use by GFI EventsManager
esmui.exe and esmproc.exe are allowed access through the firewall(s)
GFI EventsManager folders are excluded from real-time antivirus scanning.
Limit the exclusion to the product's own folders rather than a whole drive: an excluded path is also a path where an attacker can stage files without them being scanned.
2.2.9 Computer identification considerations
GFI EventsManager identifies computers via computer name or IP.
Table 10: Upgrading GFI EventsManager
Automatically: Launch the new setup and complete the wizard to upgrade and retain data. For more information refer to Upgrading from a previous version.
Manually: Export settings and events from an older version of GFI EventsManager and import them into the new one using Database Operations and Import/Export tools. For more information refer to Creating Maintenance Jobs and Importing and Exporting Settings.
2.3.
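As an added example (not part of the GFI manual), the PowerShell script below does two things a practitioner wants before the first collection run: from the EventsManager host it checks that the ports in the firewall table are actually reachable on sample event sources, and it applies the section 2.2.8 exceptions for esmui.exe, esmproc.exe and the product folder. The install folder, the sample host names, Windows Firewall as the host firewall and Windows Defender as the antivirus are assumptions; substitute your own.

```powershell
# Added example, not part of the GFI manual. From the GFI EventsManager host:
#  1. confirm TCP reachability of the documented ports on sample event sources,
#     so a filtered port shows up now as a timeout rather than later as a
#     failed collection job;
#  2. apply the section 2.2.8 exceptions: firewall program rules for esmui.exe
#     and esmproc.exe, and a real-time scanning exclusion for the product folder.
# Assumptions: the install folder below, Windows Firewall on the host, Windows
# Defender as the antivirus, and constructed sample host names.

$installDir = Join-Path $env:ProgramFiles 'GFI\EventsManager'   # assumed path

function Test-EsmPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    # Plain TCP connect with a timeout; no dependency on Test-NetConnection,
    # which the Server 2008-era hosts this manual covers do not have.
    $client = New-Object System.Net.Sockets.TcpClient
    $result = New-Object PSObject -Property @{ Computer = $ComputerName; Port = $Port; Open = $false; Reason = '' }
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)      # throws if the connection was refused
            $result.Open = $true
        } else {
            $result.Reason = 'timeout (filtered by a firewall?)'
        }
    } catch {
        $result.Reason = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

# Ports from the firewall table: Oracle's listener is on 1521 unless
# listener.ora was changed; 49153 is used to collect from Vista/7 sources.
$targets = @(
    @{ Computer = 'oradb01.corp.example';    Port = 1521  },   # constructed sample
    @{ Computer = 'ws-vista01.corp.example'; Port = 49153 }    # constructed sample
)
$targets | ForEach-Object { Test-EsmPort -ComputerName $_.Computer -Port $_.Port } |
    Format-Table Computer, Port, Open, Reason -AutoSize

# 2.2.8: let the two EventsManager executables through Windows Firewall.
foreach ($exe in 'esmui.exe', 'esmproc.exe') {
    $path = Join-Path $installDir $exe
    & netsh advfirewall firewall add rule "name=GFI EventsManager $exe" dir=in action=allow "program=$path" enable=yes | Out-Null
}

# 2.2.8: exclude only the product folder from real-time scanning, never a
# whole drive; an excluded path is also a place an attacker can stage files.
if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
    Add-MpPreference -ExclusionPath $installDir
} else {
    Write-Warning "Add-MpPreference not available; add '$installDir' as an exclusion in your antivirus product."
}
```

Run it elevated on the EventsManager host. A `timeout` result on 1521 or 49153 points at the firewall between the console and the source; a `refused` result means the port is reachable but nothing is listening (for example a non-default Oracle listener port).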
Screenshot 5: DLib Database Server 3. The DLib Database Server install wizards opens automatically after system components are installed. Click Next at the wizard welcome screen. Screenshot 6: DLib Database Server EULA 4. Carefully read the license agreement. Select I accept the terms in the License Agreement and click Next.
Screenshot 7: DLib install folder 5. Click Next to install the database server in the default folder or click Change... to select an alternate folder where it is installed. Screenshot 8: Start installing DLib Database Server 6. Click Install to start installing DLib Database Server. Click Finish when prompted.
Note After the database server is installed, the installer automatically opens the install wizard of GFI EventsManager Management Console. 7. Click Yes to uninstall the previous version of GFI EventsManager and continue installing the new one. Click No to stop the installation. Note Running two instances of the Management Console on the same computer is not supported. Screenshot 9: Delete old version files 8.
Screenshot 11: GFI EventsManager EULA 10. Carefully read the license agreement. Select I accept the terms in the License Agreement and click Next. Screenshot 12: GFI EventsManager registration details 11. Key in your user name and license key in the User Name and License Key fields. To register for a free 30 day evaluation license key, click Register. Click Next.
Screenshot 13: Remote logon credentials for event log monitoring 12. Key in the logon credentials that GFI EventsManager uses to log onto remote computers. Note It is recommended to use a domain administrator or an account with administrative rights over all the remote computers managed by GFI EventsManager. Prefer the latter: a dedicated account that is a local administrator only on the managed computers limits what these credentials can do if the EventsManager host is compromised, whereas a Domain Admins member grants far more than log collection needs.
Screenshot 14: GFI EventsManager install folder 13. Click Next to install the Management Console in the default folder or click Change... to select an alternate folder where it is installed. Screenshot 15: GFI EventsManager installation completed 14. Click Install to start the installation. 15. When the installation is complete, click Finish.
Screenshot 16: Auto updates check 16. If GFI EventsManager detects an Internet connection, it automatically attempts to download product updates from GFI updates servers. Click Details to expand the information section of the Auto Update dialog and view the updates that are being downloaded. Screenshot 17: Set the database backend Note After product updates are applied, the Switch Database Server dialog opens. This dialog is used to link the Management Console to a database server.
Note Configuration data of GFI EventsManager 2012 is not deleted. Data is copied to the new install folder (%install folder%\Data_Old). Data in this folder is used to retain previous configurations. Note Test the installation to ensure that all the components were successfully installed. For more information refer to Testing the installation. 2.4 Installing a new instance of GFI EventsManager The components listed in the following table can be installed using EventsManager.
Screenshot 18: Upgrade prerequisite check 2. The installer displays a list of system components that must be installed prior to installing the product. Click Install to start the installation of missing system components (if necessary).
Screenshot 19: DLib Database Server 3. The DLib Database Server install wizards opens automatically after system components are installed. Click Next at the wizard welcome screen. Screenshot 20: DLib Database Server EULA 4. Carefully read the license agreement. Select I accept the terms in the License Agreement and click Next.
Screenshot 21: DLib install folder 5. Click Next to install the database server in the default folder or click Change... to select an alternate folder where it is installed. Screenshot 22: Start installing DLib Database Server 6. Click Install to start installing DLib Database Server. Click Finish when prompted.
Note After the database server is installed, the installer automatically opens the install wizard of GFI EventsManager Management Console. Screenshot 23: GFI EventsManager setup wizard welcome screen 7. Click Next at the wizard welcome screen.
Screenshot 24: GFI EventsManager EULA 8. Carefully read the license agreement. Select I accept the terms in the License Agreement and click Next. Screenshot 25: GFI EventsManager registration details 9. Key in your user name and license key in the User Name and License Key fields. To register for a free 30 day evaluation license key, click Register. Click Next.
Screenshot 26: Remote logon credentials for event log monitoring 10. Key in the logon credentials that GFI EventsManager uses to log onto remote computers. Note It is recommended to use a domain administrator or an account with administrative rights over all the remote computers managed by GFI EventsManager. Prefer the latter: a dedicated account that is a local administrator only on the managed computers limits what these credentials can do if the EventsManager host is compromised, whereas a Domain Admins member grants far more than log collection needs.
Screenshot 27: GFI EventsManager install folder 11. Click Next to install the Management Console in the default folder or click Change... to select an alternate folder where it is installed. Screenshot 28: GFI EventsManager installation completed 12. Click Install to start the installation. 13. When the installation is complete, click Finish.
Screenshot 29: Auto updates check 14. If GFI EventsManager detects an Internet connection, it automatically attempts to download product updates from GFI updates servers. Click Details to expand the information section of the Auto Update dialog and view the updates that are being downloaded. Screenshot 30: Set the database backend Note After product updates are applied, the Switch Database Server dialog opens. This dialog is used to link the management console to a database server.
Note Test the installation to ensure that all the components were successfully installed. For more information refer to Testing the installation. 2.5 Testing the installation After all the required components are installed, the Management Console opens automatically. By default, it is configured to launch the Quick Launch Console on startup.
Customize...: Customize default settings, such as:
Event sources and log types
Events processing rules
Database operations
Alert recipients
Alerting options
Active monitoring.
2.5.1 Process events - Local computer
This option enables you to automatically add the localhost as an event source and start processing the logs it generates. To process events from the local computer:
Screenshot 32: Process events - Local computer
1. Click Process events - Local computer.
Screenshot 33: Console main actions 2. After the localhost logs start processing, you can: Table 13: Quick Launch Console options Icon Description Browse events Access the built-in events and forensic tools that will help you to locate, analyze and filter key events. For more information refer to Browsing Stored Events. Generate reports Access reporting features including instant/scheduled report generations and automated report distribution. For more information refer to Reporting.
Note To confirm that logs are successfully processed, go to Status tab > Job Activity and check that there are activity logs under the Operational History section. 2.5.2 Process events - Local domain This option enables you to add one or more computers that are on the same domain or workgroup as GFI EventsManager. The Automatic Network Discovery wizard enables you to select the type of event sources you want to add and then lists the sources that are detected.
Screenshot 35: Automatic discovery wizard 2. Click Next at the wizard welcome screen. Screenshot 36: Select event source types to detect on your network 3. Select the type of event sources that the wizard will attempt to detect on your network. Click Next.
Screenshot 37: Search network progress Note If GFI EventsManager detects computers that cannot be logged onto using the supplied credentials, it enables you to specify alternate logon credentials for each computer you select. 4. Select a computer from the list and key in the username and password. Click OK to close the Alternative Credentials dialog. Note Repeat this step until all the required sources are added. 5. Click Next and Finish.
2.5.3 Process events - Selected machines
This option enables you to add specific computers manually, by:
Keying in computer names and IPs
Selecting computers from reachable domains and workgroups
Importing computers from a text file containing a single computer name per line.
To process events of selected machines:
Screenshot 38: Process events - Selected machines
1. Click Process events - Selected machines.
2. This opens the Add New Event Source dialog.
Screenshot 39: Add new event source wizard
3. The following table describes the available options:
Table 14: Adding new event sources manually
Add: Key in the computer name or IP address in the Add the following computers field. Click Add to add the specified computer to the Computer list.
Note: Repeat this step until you add all the event sources to the selected group.
Note If synchronization is not enabled, you can use the Network Discovery Wizard to automatically search and add events sources. To launch Network Discovery Wizard, right-click All event sources from the event sources tree and select Scan local domain. For more information refer to Adding event sources automatically. Note To confirm that logs are successfully processed, go to Status tab > Job Activity and check that there are activity logs under the Operational History section.
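The third method above imports a text file with one computer name per line. As an added example (not from the GFI manual), the following PowerShell script builds that file from Active Directory using the DirectorySearcher class that ships with .NET, so it needs no RSAT module; it keeps only enabled computer accounts and lets you exclude hosts you do not want as sources. The output path, the exclusion list and the host name are assumptions.

```powershell
# Added example, not part of the GFI manual. Builds the import file for the
# Add New Event Source dialog (one computer name per line) from Active
# Directory, using the DirectorySearcher that ships with .NET so no RSAT
# module is needed. Assumptions: the script runs on a domain member, the
# output path, and the constructed exclusion list below.

function Get-DomainComputerNames {
    param(
        # Enabled computer accounts only: the bitwise LDAP rule excludes objects
        # carrying the ACCOUNTDISABLE flag (0x2), so decommissioned hosts are
        # not added as event sources that would fail every logon.
        [string]$LdapFilter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        [string[]]$Exclude = @()
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $LdapFilter
    $searcher.PageSize = 1000          # paged results; large domains exceed the default 1000-object cap
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    [void]$searcher.PropertiesToLoad.Add('name')

    $names = foreach ($r in $searcher.FindAll()) {
        $dns = $r.Properties['dnshostname']
        # Prefer the DNS name; fall back to the sAMAccount-style name if unset.
        if ($dns.Count -gt 0) { [string]$dns[0] } else { [string]$r.Properties['name'][0] }
    }
    Select-ImportNames -Names $names -Exclude $Exclude
}

function Select-ImportNames {
    param([string[]]$Names, [string[]]$Exclude)
    # Case-insensitive exclusion (for example the EventsManager host itself or
    # computers already handled by a synchronized group), de-duplicated, sorted.
    $skip = @{}
    foreach ($e in $Exclude) { $skip[$e.ToLowerInvariant()] = $true }
    $Names | Where-Object { $_ -and -not $skip.ContainsKey($_.ToLowerInvariant()) } | Sort-Object -Unique
}

$outFile = 'C:\Temp\esm-sources.txt'        # assumed output path
$exclude = @('esm01.corp.example')          # constructed sample: the EventsManager host itself
Get-DomainComputerNames -Exclude $exclude | Set-Content -Path $outFile
"Wrote $((Get-Content $outFile | Measure-Object).Count) computer names to $outFile"
```

Point the Add New Event Source dialog at the resulting file. Because the query runs against the directory, it also gives you a quick cross-check against the list the Automatic Network Discovery wizard produces: a host present in the file but missing from the wizard's results is usually one the console could not reach or log onto.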
3 Achieving Results
This chapter provides information on how to use GFI EventsManager to achieve results. The information provided helps you conduct positive forensic investigations and system monitoring. It also enables you to achieve positive legal compliance results, while ensuring network security at all times.
Topics in this chapter:
3.1 Achieving Network Security
3.2 Effective System Health Monitoring
3.3 Achieving PCI DSS Compliance
3.
3. Configure Alerts and Default Actions GFI EventsManager enables you to keep track of network activity in real time by triggering alerts, executing scripts and performing other operations when certain event logs are collected. Configure alert recipients and notification settings for SMS, Email, Network and SNMP messages. For more information refer to Configuring Alerting Options. Configure operations that are performed on detection of specific attributes of an event log.
3.2 Effective System Health Monitoring GFI EventsManager is able to perform thorough system checks on your servers and workstations. It uses Active Monitoring to help you detect and proactively fix system errors and hardware defects, to prevent network disasters. System checks are able to monitor mission-critical servers including Microsoft® ISA Server®, Exchange Server®, SQL Server® and IIS®.
4. Configure Active Monitoring Active Monitoring checks are conditional parameters run against event sources on a schedule. Whether or not the parameter conditions are met, monitoring checks generate event logs. The generated event log can be combined with events processing rules to further analyze the issue that generated the log, send notifications, execute scripts and perform remedial actions. GFI EventsManager contains a few generic Active Monitoring checks that you can use out of the box.
3.3 Achieving PCI DSS Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) is a standard defining a list of requirements for security management, policies, network architecture and other measures that help protect a customer's account and credit card details. Full compliance with PCI DSS requires complete event log management coupled with extensive reporting; GFI EventsManager is therefore an essential solution to assist with your PCI compliance program.
4 Managing Event Sources This chapter provides you with information about adding and managing your event sources. Event sources are networked computers and devices that are accessed and processed by GFI EventsManager. The Event Sources sub-tab enables you to organize your event sources into specific groups. You can create new groups or use the default ones to distinctively configure and organize event sources.
Topics in this chapter:
4.1 Adding event sources manually
4.
Table 15: Adding new event sources manually
Add: Key in the computer name or IP address in the Add the following computers field. Click Add to add the specified computer to the Computer list.
Note: Repeat this step until you add all the event sources to the selected group.
Note: Since Syslog and SNMP traps are attributed to a source by IP address, use the source IP address instead of the computer name when adding Syslog and SNMP Traps sources. Bear in mind that the IP address is the only thing tying a UDP Syslog message or an SNMPv1/v2c trap to its sender: neither protocol authenticates the source, so a matching source IP identifies the host but does not prove the host sent the message.
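Because the collector keys Syslog sources by the IP address a message arrives from, the practical question is which address that is for a multi-homed or NAT'd host. As an added example (not from the GFI manual), the PowerShell script below sends one RFC 3164-style test message from a source host and reports the local endpoint it left from, which is the address to enter as the event source. The collector address is an assumption, and 514 is only the common syslog default; use the port configured under Configuring the Syslog server communications port.

```powershell
# Added example, not part of the GFI manual. Sends one RFC 3164-style syslog
# message over UDP from a source host to the collector and reports the local
# endpoint used, i.e. the source IP the collector will record for this host
# (unless NAT rewrites it on the way). Assumptions: collector address and
# port below; the message content is constructed.

function Format-SyslogMessage {
    param(
        [int]$Facility = 1,                       # user-level
        [int]$Severity = 6,                       # informational
        [string]$Hostname = $env:COMPUTERNAME,
        [string]$Tag = 'esmtest',
        [string]$Content = 'GFI EventsManager source check'
    )
    # PRI = facility * 8 + severity. RFC 3164 timestamps use "Mmm dd HH:mm:ss"
    # with a space-padded day, so "Jan  5 09:14:02" rather than "Jan 05".
    $pri = $Facility * 8 + $Severity
    $d   = Get-Date
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $ts  = '{0} {1,2} {2}' -f $d.ToString('MMM', $inv), $d.Day, $d.ToString('HH:mm:ss', $inv)
    return "<$pri>$ts $Hostname $Tag`: $Content"
}

function Send-SyslogTest {
    param(
        [Parameter(Mandatory=$true)][string]$Collector,
        [int]$Port = 514,
        [Parameter(Mandatory=$true)][string]$Message
    )
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Connect($Collector, $Port)
        $bytes = [Text.Encoding]::ASCII.GetBytes($Message)
        [void]$udp.Send($bytes, $bytes.Length)
        # UDP gives no delivery confirmation; what we can report is the local
        # interface address the datagram left from.
        return $udp.Client.LocalEndPoint.ToString()
    } finally {
        $udp.Close()
    }
}

$msg  = Format-SyslogMessage
$from = Send-SyslogTest -Collector '10.0.0.5' -Message $msg     # assumed collector address
"Sent: $msg"
"Local endpoint: $from (add this IP, not the host name, as the Syslog source)"
```

After running it on the source host, look for the `esmtest` tag in the Events Browser and compare the recorded source with the printed local endpoint; a mismatch means a NAT or proxy sits between the two, and the address the collector shows is the one to configure.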
Screenshot 41: Synchronization properties - General tab 3. Select General tab and configure the options described below: Table 16: Synchronization properties - General tab Option Description Domain Select the domain name from the list or key in a valid domain name. Group Select the GFI EventsManager group name where to add the discovered event sources. Source type Select the type of event sources that GFI EventsManager scans for, in the specified domain. 4.
Screenshot 42: Excluding computers from automatic synchronization 6. (Optional) Select Exclusions tab to configure the list of computers that will be excluded from synchronization. Click Add and key in a computer name to exclude. Note Event sources that are already part of an event source group will be automatically excluded from synchronization. 7. Select Schedule tab to configure when the synchronization should be performed.
Screenshot 43: Synchronization properties - Schedule tab 8. Key in a valid interval in hours or days. 9. (Optional) Select Send an email to the… to send an email notification when event sources are changed after synchronization. 10. (Optional) Click Synchronize now to synchronize event sources immediately. 11. Click Apply and OK. Note Adding event sources manually to a synchronized group is not allowed in GFI EventsManager. 4.
Screenshot 44: Add new event source group
4. Key in a unique name and an optional description. Select the tabs described below, and configure the available options:
Table 17: Event source group options
General: Enable collection of events and schedule the scanning process. For more information refer to Configuring general event source properties.
Logon credentials: Configure the username and password used to log in to target machines and collect information.
4.4 Configuring event source properties GFI EventsManager allows you to customize the event source parameters to suit the operational requirements of your infrastructure. You can configure these parameters on single event sources or at event source group level. Any member of a configured group automatically inherits the same configuration.
Screenshot 45: Event sources properties dialog
3. From the General tab, configure the options described below:
Table 18: Event source properties - General options
Group Name: Key in a unique name for the computer group.
Description: (Optional) Key in a description.
Enable collection of logs from this computer group: Select/unselect this option to enable/disable event log collection from the group.
Real-Time i.e.
To collect and process logs,GFI EventsManager must have administrative privileges over the target computers. By default, GFI EventsManager will log-on to target computers using the credentials of the account under which it is currently running; however, certain network environments are configured to use different credentials to log on to workstations and servers with administrative privileges.
Note Alternate logon credentials enable you to use different usernames and passwords to log into remote computers. You can set alternate credentials for a group of event sources or for each event source. Members of an event source group can be configured to inherit credentials from the parent group. 5. Select/unselect SSH authentication to use/stop using SSH authentication. Note SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user, if necessary.
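Before saving alternate logon credentials for a group, it is worth confirming that the account can do what the Event Retrieval Engine will do with it: log on to each target and read its event logs. The PowerShell script below is an added example (not from the GFI manual) that tries exactly that with Get-WinEvent and reports per log whether the read succeeded. It assumes PowerShell 3.0 or later on the console host, Windows Vista or later on the targets, that the Remote Event Log Management firewall rules are enabled there, and constructed sample host names.

```powershell
# Added example, not part of the GFI manual. Checks that a candidate alternate
# logon credential can read the remote event logs that GFI EventsManager
# collects, before the credential is stored in the event source properties.
# Assumptions: PowerShell 3.0+ on the console host, Vista+ targets with the
# "Remote Event Log Management" firewall rule group enabled, sample host names.

function Test-EsmLogonCredential {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential,
        [string[]]$LogName = @('Security', 'System', 'Application')
    )
    foreach ($log in $LogName) {
        try {
            $e = Get-WinEvent -ComputerName $ComputerName -Credential $Credential `
                              -LogName $log -MaxEvents 1 -ErrorAction Stop
            New-Object PSObject -Property @{
                Computer = $ComputerName; Log = $log; Readable = $true
                Detail   = "latest record $($e.TimeCreated)"
            }
        } catch {
            # "Access is denied" means the account lacks the administrative
            # rights on the target that the manual requires; an RPC server
            # unavailable error points at the firewall or name resolution,
            # not at the credential.
            New-Object PSObject -Property @{
                Computer = $ComputerName; Log = $log; Readable = $false
                Detail   = $_.Exception.Message
            }
        }
    }
}

# Prompt for the account rather than embedding a password in the script.
$cred      = Get-Credential -Message 'Account to be used as the alternate logon credential'
$computers = 'srv-file01.corp.example', 'srv-web01.corp.example'   # constructed sample
foreach ($c in $computers) {
    Test-EsmLogonCredential -ComputerName $c -Credential $cred |
        Format-Table Computer, Log, Readable, Detail -AutoSize
}
```

A target where System and Application are readable but Security is not usually indicates the account is in a group with read access to the public logs but lacks the local administrative rights that section 4.4 requires for collection.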
To configure event source properties: 1. From Configuration tab > Event Sources > Group Type, select Event Sources Groups. 2. To configure settings of a: Computer group - right-click on the computer group to configure, and select Properties Single event source - right-click on the source to configure, and select Properties. Screenshot 47: Configuring event source license type 3. Click Licensing type tab and select the license you want to use for the event source or group that is being configured. 4.
2. To configure settings of a: Computer group - right-click on the computer group to configure, and select Properties Single event source - right-click on the source to configure, and select Properties. Screenshot 48: Specify operational time 3. From Operational Time tab, mark the time intervals of your normal working hours. Note Cells marked blue represent your normal working hours. 4. Click Apply and OK. 4.4.
To configure event source properties: 1. From Configuration tab > Event Sources > Group Type, select Event Sources Groups. 2. To configure settings of a: Computer group - right-click on the computer group to configure, and select Properties Single event source - right-click on the source to configure, and select Properties. Screenshot 49: Event source properties - Monitoring tab 3.
Option Description Archive all logs without any further processing Select this option to store events without applying any further checks (from Events Processing Rules). Process the logs with the rules selected below before archiving Expand the list of rules which are applied to the collected logs. GFI EventsManager enables you to create custom rules and configure them to trigger when one of the active monitoring checks generates an event.
3. Use the Windows Event Log, Text Logs, Syslog and SNMP Traps tabs to configure the required event processing parameters. 4. Click Apply and OK. Note For more information, refer to: Collecting Windows® Event Logs, Collecting Text logs, Collecting Syslogs, Collecting SNMP Traps. 4.5 Database sources GFI EventsManager can monitor and process events from database servers. Database event sources require specific configuration settings to collect and process events generated by database activity.
Option Description Description (Optional) Key in a description. Collects logs from the database servers included in this group Enable option to collect database events from all servers in this group. Screenshot 52: Configure logon settings from the Logon Credentials tab 4.
Screenshot 53: Configure the normal working hours from Operational Time tab 5. Select Operational Time and configure the operational time when the database is normally used. Marked time intervals are considered normal working hours.
Screenshot 54: Configure SQL Server Auditing from SQL Server Audit tab 6. Select SQL Server® Audit tab and configure the options described below: Table 23: Microsoft® SQL Database group -SQL Server® Audit Option Description Archive all logs without further processing Archive events in GFI EventsManager database backend without applying processing rules.
7. Select Settings tab and configure the options described below: Table 24: Microsoft® SQL Database group - Settings Option Description Scan all the events for all databases All Microsoft® SQL Server® events are collected and processed by GFI EventsManager. Scan only security events for all databases Only security events are collected and processed by GFI EventsManager. 8. Click Apply and OK. Adding a new Microsoft® SQL Server® event source To add a new Microsoft® SQL Server® source: 1.
Screenshot 55: Add new Microsoft® SQL server 2. Key in the server name or IP and click Add. Note Use Select and Import to search the network for SQL Server® or import list of SQL servers from a text file respectively. 3. Click Finish and the Add New SQL Servers dialog closes. 4. From Groups, select SQL Servers and from the right pane, double-click the new Microsoft® SQL Database instance.
Screenshot 56: Microsoft® SQL Database properties: General tab 5. From General tab, configure the options described below: Table 25: Microsoft® SQL Database - General tab options Option Description Inherit SQL Server post collecting processing from parent group Inherits all settings from the parent group. Archive events in database Archive events in GFI EventsManager database backend without applying processing rules.
Screenshot 57: Microsoft® SQL Database properties: Connection Settings tab 6. Select Connection Settings and configure the options described below: Table 26: Microsoft® SQL Database - Connection Settings tab Option Description Inherit the logon credentials from the parent group Select this option to inherit login settings from the parent group. Use Windows authentication Connect to Microsoft® SQL Database using Windows authentication. Windows authentication avoids storing a separate SQL Server login password in GFI EventsManager; if you use a SQL Server login instead, grant it only the permissions that collection requires.
Screenshot 58: Microsoft® SQL Database properties: Settings tab 7. Select Settings tab and configure the options described below: Table 27: Microsoft® SQL Database - Settings tab options Option Description Inherit the settings from the parent group Inherits settings from the parent group. Scan all the events for all databases Scan all databases and collect all events from the Microsoft® SQL Server®.
The following Oracle Database versions are supported: Oracle Database 9i Oracle Database 10g Oracle Database 11g This section contains information about: Pre-configuration settings for Oracle Servers event sources Creating a new Oracle Server group Adding a new Oracle Server event source Pre-configuration settings for Oracle Servers event sources Before adding Oracle Server event sources, follow the steps below on each Oracle Server instance you want to monitor: Table 29: Oracle Server configuration stages
Screenshot 60: Oracle Database group - General tab 4. From General tab, configure the options described below: Table 30: Oracle Database group - General tab Option Description Group Name Key in a group name to identify the Oracle Database group. Description Optionally, key in a description. Collects logs from the database servers included in this group Collects events from the event sources in the Oracle group. Once this option is enabled, configure the Schedule scanning and Maintenance options.
Screenshot 61: Oracle Database group - Logon Credentials tab 5. Select Logon Credentials tab and key in a valid username and password to connect to the Oracle server.
Screenshot 62: Oracle Database group - Operational Time tab 6. Select Operational Time tab and configure the normal operational time of the Oracle Database servers in this group.
Screenshot 63: Oracle Database group - Oracle Audit tab 7. Select Oracle Audit and configure the options described below: Table 31: Oracle Database group - Oracle Audit Option Description Archive all logs without further processing Archive events in GFI EventsManager database backend without applying processing rules. Process the logs with the rules selected below before archiving Specify the rules to perform before archiving events in GFI EventsManager database backend. 8. Click Apply and OK.
Screenshot 64: Add new Oracle server 2. Key in the server name or IP and click Add. 3. Click Finish and the Add New Oracle Servers dialog closes. Note Use Select and Import to search the network for Oracle Servers or to import a list of Oracle Servers from a text file, respectively.
Screenshot 65: Oracle Server properties - General tab 4. From the right pane, double-click the new Oracle Server event source and configure the options described below: Table 32: Oracle Server properties - General tab Option Description Inherit Oracle Server post collecting processing from parent group Select to inherit all settings from the parent group. Archive events in database Archive events in GFI EventsManager database backend without applying processing rules.
Screenshot 66: Oracle Server properties - Connection Settings tab 5. Select Connection Settings and configure the options described below: Table 33: Oracle Server properties - Connection Settings tab Option Description Inherit the logon credentials from the parent group Select to inherit login settings from the parent group. Port Key in the port to use to connect to the Oracle Database. SID The SID is a unique name to identify an Oracle Database instance. Key in the SID of the database to audit.
Screenshot 67: Oracle Server properties - Audit by Objects tab 6. Select Audit by Objects and configure the options described below: Table 34: Oracle Server properties - Audit by Objects tab Option Description Object Click Browse to launch a list of available Oracle objects. Select the object to audit and click OK. NOTE: Amongst others, Oracle objects can be procedures, views, functions and tables. Operations Operations are actions that modify or query an object.
Screenshot 68: Oracle Server properties - Audit by Statements tab 7. Select Audit by Statements and configure the options described below: Table 35: Oracle Server properties - Audit by Statements tab Option Description Statements Click Browse to launch a list of available Oracle statements. Select the Oracle statements to audit and click OK. NOTE: Amongst others, Oracle statements can be ALTER, CREATE and SELECT. User Oracle enables you to audit statements for a specific user.
5 Collecting Event Logs This chapter describes how to configure event sources so that events processing rules are applied to the events collected from them. Assign existing or custom events processing rules so that only the events you want are processed.
Topics in this chapter:
5.1 Collecting Windows® event logs
5.2 Collecting Text logs
5.3 Collecting Syslogs
5.4 Collecting SNMP Traps Messages
5.5 Collecting custom logs
5.6 Collecting GFI LanGuard event logs
5.
Screenshot 69: Computer group properties: Configuring Windows® Event Logs parameters To configure Windows® Event Log collection and processing parameters: 1. From Configuration tab > Event Sources, right-click an event source or group and select Properties.
Screenshot 70: Selecting event logs to collect 2. Click Windows Event Log tab > Add... to select the logs you want to collect. Expand Windows Logs and/or Applications and Services Logs and select from the list of available logs. 3. (Optional) Click Add custom log... and key in a unique name for the unlisted event log.
Screenshot 71: Configuring Windows Event Log Processing parameters 4. Select Clear collected events after completion to clear the collected events from the respective event source. 5. Select Archive events in database to archive collected events without applying events processing rules. 6. Select Process using these rule sets and select the rule sets you want to run against the collected events. 7. Select Add generic fields to add extended fields to the database.
In GFI EventsManager, the configuration process of W3C log parameters is identical to that performed for Windows® event processing, with one exception. Unlike Windows® Event Logs, there is no standard which dictates a specific or centralized folder location where W3C log files are stored on disk. Therefore, in order to collect W3C logs, you must specify the complete path to these text-based log files. Screenshot 72: Text logs options To collect Text logs: 1.
Screenshot 73: Adding folders containing Text Logs 2. Click Text Logs tab > Add... to add folder paths containing Text Logs. 3. From the Select text logs folder... dialog, key in the path to the folder containing the text logs files and Click OK. 4. Select Clear collected events after completion to clear the collected events from the respective event source. 5. Select Process subdirectories to recursively scan the specified path that contains the text logs. 6.
8. Select Process using these rule sets and select the rule sets you want to run against the collected events. 9. Click Apply and OK. Important Deleting event logs without archiving may lead to legal compliance penalties. 5.3 Collecting Syslogs Syslog is the message logging protocol most commonly used by Linux and UNIX based systems and by network devices. Instead of each host keeping its own log, every host forwards its messages to a dedicated collector, the Syslog server, which stores and processes them centrally. GFI EventsManager includes such a server.
Screenshot 74: Syslog messages must be directed to the computer running GFI EventsManager Important Before you start collecting Syslogs, every Syslog event source (workstations, servers and/or network devices) must be configured to send their Syslog Messages to the computer name or IP where GFI EventsManager is installed. To collect Syslogs: 1. From Configuration tab > Event Sources, right-click an event source or group and select Properties.
Screenshot 75: Collecting Syslogs - Syslogs options 2. Click Syslog tab and select Accept Syslog messages to EventsManager to enable the collection of Syslogs from that event source/event source group. 3. From the Syslog parsing schema drop-down, select the method by which the GFI EventsManager Syslog Server interprets Syslog messages from network devices. Select from: Simple Syslog message, Standard Linux message, Juniper Network Firewall, Cisco ASA. 4. Click Advanced… to use a custom Windows code page.
6. Select Process using these rule sets and select the rule sets you want to run against the collected events. 7. Click Apply and OK. Note The GFI EventsManager Syslog server is by default configured to listen for Syslog messages on port 514. For more information refer to Configuring the Syslog server communications port. Syslog messages sent over UDP are neither authenticated nor encrypted, so any host that can reach the listener port can inject messages that look as if they came from a legitimate source; restrict access to that port to the event sources you expect. Important Deleting event logs without archiving may lead to legal compliance penalties. 5.3.
Screenshot 77: Syslog server options 4. Select Enable in-built Syslog server on TCP port: and specify the TCP port on which GFI EventsManager will receive/listen for Syslog messages. 5. Select Enable in-built Syslog server on UDP port: and specify the UDP port on which GFI EventsManager will receive/listen for Syslog messages. 6. Click Apply and OK. Note When configuring Syslog server port settings, make sure that the configured port is not already in use by other installed applications.
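The collection and port steps above can be exercised from the command line. The following PowerShell script is an added example and is not part of the GFI documentation or product. It sends two constructed test messages, one in the BSD/Linux format and one in the Cisco ASA format, to the computer running GFI EventsManager so you can confirm in the Events Browser that the chosen parsing schema handles them, and it checks whether a port is free before you move the in-built Syslog server to it. The host name esm01.example.local, the alternate port 1514 and the message contents are assumptions made for this example.

```powershell
# Added example, not GFI's code. Assumed values: the EventsManager host name and the port 1514.
$esmHost = 'esm01.example.local'

function New-SyslogMessage {
    param(
        [ValidateRange(0, 23)][int]$Facility,
        [ValidateRange(0, 7)][int]$Severity,
        [string]$Hostname,
        [string]$Tag,
        [string]$Message
    )
    # BSD syslog framing (RFC 3164): <PRI>Mmm dd HH:mm:ss HOST TAG: MSG, with PRI = Facility * 8 + Severity.
    # The day is padded with a space to two characters, e.g. "Mar  4 02:13:07".
    $pri = $Facility * 8 + $Severity
    $now = Get-Date
    $stamp = '{0} {1,2} {2}' -f $now.ToString('MMM', [cultureinfo]::InvariantCulture), $now.Day, $now.ToString('HH:mm:ss')
    return "<$pri>$stamp $Hostname ${Tag}: $Message"
}

function Send-SyslogMessage {
    param([string]$Server, [int]$Port = 514, [string]$Text)
    # Plain UDP, exactly what most devices send: nothing in the datagram proves who the sender is.
    $client = New-Object System.Net.Sockets.UdpClient
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        [void]$client.Send($bytes, $bytes.Length, $Server, $Port)
    } finally {
        $client.Close()
    }
}

function Test-ListenerPortFree {
    param([int]$Port, [ValidateSet('TCP', 'UDP')][string]$Protocol)
    # Run on the EventsManager computer: returns $true when no process already owns the port.
    if ($Protocol -eq 'UDP') {
        $owner = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    } else {
        $owner = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    }
    return -not $owner
}

# Constructed test messages. The first resembles what sshd on a Linux host emits (facility 4 auth,
# severity 6 info); the second resembles a Cisco ASA line with its %ASA-severity-id mnemonic.
$linuxLine = New-SyslogMessage -Facility 4 -Severity 6 -Hostname 'web01' -Tag 'sshd[1234]' `
    -Message 'Accepted publickey for admin from 10.0.0.5 port 51234 ssh2'
$asaLine = New-SyslogMessage -Facility 20 -Severity 6 -Hostname 'fw01' -Tag '%ASA-6-302013' `
    -Message 'Built outbound TCP connection 88 for outside:203.0.113.7/443 to inside:10.0.0.5/51000'

foreach ($line in $linuxLine, $asaLine) {
    Send-SyslogMessage -Server $esmHost -Text $line
    "sent: $line"
}

# Before moving the in-built server to another port (steps 4 and 5 above), confirm it is not taken.
if (Test-ListenerPortFree -Port 1514 -Protocol UDP) {
    'UDP 1514 is free on this computer'
} else {
    'UDP 1514 is already in use; pick another port'
}
```

After running it, open the Syslog view in the Events Browser: each line should appear once, attributed to web01 and fw01 respectively, and parsed according to the schema selected for that source. The ease with which this script injects messages is the reason the listener port should only be reachable from the expected event sources.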
Screenshot 78: SNMP Trap messages must be directed to the computer running GFI EventsManager Note GFI EventsManager natively supports an extensive list of SNMP devices and Management Information Bases (MIBs). For a full list of supported devices, view the following KBASE article: http://go.gfi.com/?pageid=esm_syslog_snmp_support GFI EventsManager includes a dedicated SNMP Trap Server through which SNMP Traps are handled.
Screenshot 79: Collecting SNMP Traps 2. Click SNMP Traps tab and select Accept SNMP Traps messages from this event source to enable the collection of SNMP Traps. 3. Select Decrypt incoming SNMP Traps 3 messages and specify the security key in the Host key text box. 4. Select Archive events in database to archive collected events without applying events processing rules. 5. Select Process using these rule sets and select the rule sets you want to run against the collected events. 6. Click Apply and OK.
Note The built-in SNMP Trap Server supports SNMP version 3 Traps with encryption. For encrypted traps, the encryption (privacy) key must be provided in the Decrypt incoming SNMP Traps 3 messages field. Traps sent with SNMP versions 1 and 2c are neither authenticated nor encrypted, so prefer version 3 with authentication and encryption on devices that support it. Important Deleting event logs without archiving may lead to legal compliance penalties. 5.4.1 Configuring the SNMP Trap server Screenshot 80: Configuring SNMP Traps To change the default SNMP Trap Server settings: 1. Click Configuration tab > Options. 2.
Screenshot 81: SNMP Traps options 3. Enable the required TCP/UDP SNMP server. Specify the TCP/UDP port on which GFI EventsManager will listen for SNMP messages. 4. Click Advanced tab to add, edit or remove SNMP Trap object identifiers (OIDs). 5. Click Specific Trap Type tab to add, edit or remove trap types. 6. Click Apply and OK. Note When configuring SNMP Trap Server port settings, make sure that the configured TCP or UDP port is not already in use by other installed applications.
Screenshot 82: Custom event logs setup 2.
Screenshot 83: Custom event logs dialog 3. Click Add… button and specify the name of your custom event log. 4. Click OK. 5. (Optional) Click Edit to rename the selected custom event, or click Remove to delete the selected custom event. 6. Click Apply and OK. 5.6 Collecting GFI LanGuard event logs GFI EventsManager enables you to monitor events generated by GFI LanGuard.
Gathered Information Description Antivirus operational and malware definition status GFI LanGuard is able to check if your virus database definitions are up to date. If it is not, you will be alerted and GFI LanGuard will attempt to update it. Applications detected on scanned targets GFI LanGuard enumerates applications installed on scan targets. You can create an inventory of wanted and/or unwanted applications and configure GFI LanGuard to automatically uninstall applications categorized as unwanted.
Screenshot 84: Enabling GFI LanGuard logging through the registry 3. Go to the following registry key and edit the value to enable event logging: Windows® x86 platforms: HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSS[n]\Config Set value of REG_DWORD EventLog to 1 Windows® x64 platforms: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI\LNSS[n]\Config Set value of REG_DWORD EventLog to 1 Important [n] is the major version number of GFI LanGuard.
3. Right-click on the GFI LanGuard event source and select Properties. Screenshot 85: Add Windows® Application logs 4. From Windows® Event Log tab, click Add and select Windows® Logs. Click OK.
Screenshot 86: Add GFI LanGuard rules 5. Select Process using these rule sets. Expand Windows Events > GFI Rules node and select GFI LanGuard rules. 6. Click OK. Note GFI EventsManager has built-in processing rules for GFI LanGuard events that are enabled by default. To monitor events generated by GFI LanGuard, select Status tab > General and locate the Critical and High Importance Events section. Note To configure GFI LanGuard event processing rules, click Configuration tab > Event Processing Rules.
4. Once the stored events are loaded, search for an entry with: Source: GFI LanGuard, Event ID: 0. If no such entry exists, the GFI LanGuard scan was most likely already running when the registry value was changed; re-run the scan. Also check that the registry value was created in the correct location, since the location for x86 platforms differs from that for x64 platforms. 5.
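The registry change and the verification step above can be scripted so that the x86/x64 location and the LNSS[n] version number are picked automatically. The following PowerShell script is an added example and is not GFI's code. It assumes it is run in an elevated PowerShell on the computer where GFI LanGuard is installed, and that GFI LanGuard writes its events to the Windows Application log (the log added in step 4 of the previous procedure); the 24-hour lookback window is an arbitrary choice.

```powershell
# Added example, not GFI's code. Run in an elevated PowerShell on the GFI LanGuard computer.
# Assumption: GFI LanGuard events land in the Windows Application log.

function Get-LanGuardConfigKey {
    # GFI LanGuard is a 32-bit application, so on x64 Windows its key sits under Wow6432Node
    # (the second location in the manual). Try that view first, then the native one.
    foreach ($root in 'HKLM:\SOFTWARE\Wow6432Node\GFI', 'HKLM:\SOFTWARE\GFI') {
        if (-not (Test-Path $root)) { continue }
        # [n] in LNSS[n] is the major version; if several are present use the newest.
        $key = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^LNSS\d+$' } |
            Sort-Object { [int]($_.PSChildName -replace '^LNSS', '') } -Descending |
            Select-Object -First 1
        if ($key) { return "Registry::$($key.Name)\Config" }
    }
    return $null
}

function Enable-LanGuardEventLog {
    $config = Get-LanGuardConfigKey
    if (-not $config) { throw 'No LNSS[n] key found under either hive view; is GFI LanGuard installed here?' }
    if (-not (Test-Path $config)) { New-Item -Path $config -Force | Out-Null }
    # REG_DWORD EventLog = 1, the value the manual's step 3 asks for.
    Set-ItemProperty -Path $config -Name 'EventLog' -Value 1 -Type DWord
    return $config
}

function Test-LanGuardEventPresent {
    param([int]$Hours = 24)
    # The manual's check: Source "GFI LanGuard", Event ID 0. Get-WinEvent calls the source "ProviderName".
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'GFI LanGuard'
        Id           = 0
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $hit = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    return [bool]$hit
}

$configPath = Enable-LanGuardEventLog
"EventLog=1 set under $configPath. Start a GFI LanGuard scan now; a scan already running when the value was set will not log."
if (Test-LanGuardEventPresent) {
    'GFI LanGuard event found in the Application log'
} else {
    'No GFI LanGuard event in the last 24 hours: re-run the scan, then confirm the value sits under the hive view for this platform.'
}
```

Get-LanGuardConfigKey returns the key that actually exists rather than guessing from the OS architecture, which is the mistake the manual warns about; if both hive views are missing the script stops instead of creating a key that LanGuard will never read.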
Note For more information on how to configure GFI EndPointSecurity logging options, refer to the GFI EndPointSecurity documentation available from http://www.gfi.com/products/gfi-endpointsecurity/manual. Monitor GFI EndPointSecurity Events GFI EventsManager has built-in processing rules for GFI EndPointSecurity events that are enabled by default. To monitor events generated by GFI EndPointSecurity, select Status tab > General and locate the Critical and High Importance Events section.
6 Browsing Stored Events This chapter provides you with information about using the Events Browser. The Events Browser is equipped with tools for event analysis and forensic investigation. It also enables you to easily browse through multiple events databases as well as export events to encrypted databases for legal compliance purposes.
Topics in this chapter:
6.1 Navigating the Events Browser
6.2 Using the Events Browser
6.3 Managing Events Browser views
6.
Table 39: Navigating the Events Browser Section Description Views The Views section includes a wide range of predefined views. Use this section to view specific logs such as Windows® Event Logs, Text Logs, SQL Server® audits and more. Common Tasks Common Tasks enable you to customize the look of the Events Browser and switch database to view exported and/or archived event logs. Actions Use the Actions section to run common functions related to analyzing event logs.
Distribution of key event data via email Running automated scripts that convert CSV exported events data to HTML for upload on web/company intranet Generation of graphical management reports and statistical data using native tools such as Microsoft® Excel® Generation of custom reports using third party applications Interfacing events data with applications and scripts built in-house. To export events to CSV: 1. From Events Browser > Views, right-click a view and select Export events.
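One of the uses listed above, converting a CSV export to HTML for an intranet page, is shown in the following PowerShell script. It is an added example and not part of GFI EventsManager or its documentation. The column names and the four sample rows are constructed for this example; a real export carries whichever columns the exported view shows, so adjust the property names to match your file. The output paths under $env:TEMP are assumptions.

```powershell
# Added example, not GFI's code. The CSV below is constructed to stand in for an Events Browser export.
$sampleCsv = @'
"Date","Time","Computer","Source","EventId","Importance","Description"
"2024-03-04","02:13:07","DC01","Microsoft-Windows-Security-Auditing","4625","High","An account failed to log on. Account Name: svc_backup"
"2024-03-04","02:13:09","DC01","Microsoft-Windows-Security-Auditing","4625","High","An account failed to log on. Account Name: svc_backup"
"2024-03-04","09:41:22","FS02","Microsoft-Windows-Security-Auditing","4624","Low","An account was successfully logged on. Account Name: jsmith"
"2024-03-04","23:58:40","WEB01","Microsoft-Windows-Security-Auditing","4672","Medium","Special privileges assigned to new logon. Account Name: Administrator"
'@
$exportPath = Join-Path $env:TEMP 'esm-export.csv'   # assumed location of the export
$sampleCsv | Set-Content -Path $exportPath -Encoding UTF8

function ConvertTo-EventReport {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$HtmlPath,
        [string[]]$Importance = @('High', 'Medium')   # keep only these importance levels
    )
    $events = Import-Csv -Path $CsvPath | Where-Object { $_.Importance -in $Importance }

    # A count per Event ID first, then the matching rows. ConvertTo-Html HTML-encodes the cell
    # values, so text copied from event descriptions cannot inject markup into the page.
    $summary = $events | Group-Object EventId | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
    $style = '<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:3px 6px}</style>'
    $fragments = @(
        ($summary | ConvertTo-Html -Fragment -PreContent '<h2>Events by ID</h2>')
        ($events | Sort-Object Date, Time |
            ConvertTo-Html -Fragment -PreContent '<h2>Events</h2>' -Property Date, Time, Computer, EventId, Importance, Description)
    )
    ConvertTo-Html -Head $style -Title 'GFI EventsManager export' -Body ($fragments -join "`n") |
        Out-File -FilePath $HtmlPath -Encoding UTF8
    return ,$events
}

$htmlPath = Join-Path $env:TEMP 'esm-export.html'
$kept = ConvertTo-EventReport -CsvPath $exportPath -HtmlPath $htmlPath
"$($kept.Count) of the exported events written to $htmlPath"
```

With the sample rows, three events (the two 4625 failures and the 4672 privilege assignment) are written to the page and the 4624 logon is filtered out. Scheduling this script after a scheduled export is what the list above means by an automated conversion; keep the output directory off any share that unauthenticated users can read, since the descriptions contain account names.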
Table 40: Event Browser: Create new report Tab Description General Specify the new report name and add conditions. Layout Select the columns that you want to be visible in the report. You can also customize the order of appearance. Chart Select Use graphical charts to generate a report showing information in a chart. The available chart types are: Pie chart Bar chart Line graph. Schedule Select Use schedule to enable report scheduling.
Note To completely remove event logs from GFI EventsManager, you must run a Commit Deletion job on the selected database. For more information refer to Commit deletions. 6.2.4 Searching stored events Use the event finder tool to search and locate specific events using simple customizable filters. To search for a particular event: 1. Click Events Browser > Actions > Find events. Screenshot 90: Event finder tool 2. Configure the event search parameters through the options provided on top of the right pane.
Table 41: Event Browser: Create new view View Description Create root view… Enables you to create top-level views which may contain a number of sub-views. This creates a new set of views beneath the ones that ship with the product (Example: All Events view). Create view… Create views within root views. Custom views can be added to the default root views and views. To create a Root view/View: 1.
Screenshot 92: Edit view restriction 4. Select a field from the list of available fields and specify the Field operator and Field value. Repeat this step until all required conditions are specified. Click OK. For more information, refer to Defining Restrictions. Screenshot 93: Customize View tab 4. Click Customize view tab to select the columns to show in the new custom view. You can also arrange their order of appearance using the Up and Down arrow buttons.
5. (Optional) Click Apply to subviews to apply the selected columns to all subviews of the root view. 6. Click Apply and OK. Screenshot 94: Sample: New Root Views and Views 6.3.2 Editing a view 1. From Events Browser > Views, select the view to edit. 2. From Actions click Edit view… 3. From the View Properties dialog, add, edit or delete conditions according to your requirements. 6.3.3 Deleting a view 1. From Events Browser > Views, select the view to delete. 2. From Actions, click Delete view.
Table 42: Description pane positions Option Description Description on the right Places the description pane to the right of the events list. Description on bottom Places the description pane at the bottom of the events list. No description Removes description pane. 6.4.2 Event color-coding options Use the event color-coding tool to tint key events in a particular color. This way the required events are easier to locate during event browsing.
Screenshot 97: Advanced Color Filter 2. Click Add button. Specify filter name and configure event filter parameters. 3. Click OK. 4. Repeat until all required event filter conditions have been configured. Click OK. 6.5 Browsing events from different databases GFI EventsManager enables you to switch between different databases. Use this feature to browse events that have been exported or archived for further analysis or stored in different databases. To switch databases: 1.
Screenshot 98: Switch database dialog 2. Select the database from the list of databases and click OK. Note You can click Add… to specify a path and a unique name to create a new database. Click Edit… to edit the specified information.
7 Activity Monitoring This chapter provides you with information about monitoring the events collection processes. The Status tab is a dashboard that shows the status of GFI EventsManager as well as statistical information related to the events collected, processed and archived. The status monitor consists of three different dashboard views: General view, Job Activity view and Statistics view.
Topics in this chapter:
7.1 General Status view
7.2 Job Activity view
7.3 Statistics view
7.
Screenshot 99: GFI EventsManager Status: General view The General view consists of the sections described below: Table 43: Status monitoring: General view sections Section Description Use this section to select the chart type for top events. The Top Important Log Events section provides statistical information about: Top 10 successful Logon events outside working hours Top 10 important Logon events during working hours Top 10 failed Logon events.
Section Description The Critical and High Importance Events section provides statistical/graphical information about critical events collected from all event sources. This graph shows the event processing rules that collected and processed the events for a particular period. From the drop down lists, select the type of information to display.
Section Description The Top Network Activity Events section displays details of the top 10 network activities (inbound and outbound). Network activity consists of all type of traffic that is generated by various protocols including SMTP, HTTP, FTP and MSN traffic. The network activities displayed can be filtered by: Applications Source Addresses Destination Addresses Computers Ports Users. Select parameters from the drop down lists or key in the values to filter the type of chart displayed.
Section Description The Events Count By Database Fill-Up displays: The horizontal bars represent the number of events stored in the database backend, sorted by event log type The date and time of the last backup The date and time of the next scheduled backup. The bar color turns from green to red as the database is populated with events. Note Double-click the graph to open the graph in a new window. When a 3D graph is selected, the new window allows you to rotate, zoom or resize the graph.
The information provided in this view is divided into the following dedicated sections: Table 44: Status monitoring: Job activity view Section Description The Active Jobs section provides a list of all event collection jobs currently taking place on every event source/machine. The information provided includes the job progress as well as the Log Source from which events are being collected.
Screenshot 101: GFI EventsManager Status: Statistics view The information provided in this view is divided into the following dedicated sections: Table 45: Status monitoring: Statistics view Section Description Use this drop-down menu to select what information is displayed. Select between All sources or select specific sources to view their information accordingly.
8 Reporting This chapter provides information about the fully-fledged reporting engine of GFI EventsManager. It ships with a number of reports including technical and executive level reports showing graphical and statistical information based on hardware and software managed by GFI EventsManager.
Topics in this chapter:
8.1 Navigating the Reports tab
8.2 Available reports
8.3 Managing reports
8.4 Creating a root report
8.5 Creating custom reports
8.
8.1 Navigating the Reports tab Screenshot 102: Navigating the Reporting UI The Reporting tab consists of the sections described below: Table 46: Navigating the Reporting tab Section Description The Reports section contains all the predefined reports that ship with the product. Use this section to organize and generate various reports from technical to executive type. Find reports rapidly, using the available filtering options.
8.2 Available reports GFI EventsManager's extensive report list contains reports for various requirements designed to facilitate reporting as much as possible. The following report categories are included in GFI EventsManager by default. GFI EventsManager allows you to use the existing reports as templates to create your own ones.
8.3 Managing reports Reports are organized in a tree structure enabling you to easily find and generate the required report. GFI EventsManager includes various options that allow you to maintain the reports structure as the number of reports increases over time. This section contains information about: Creating a root folder, Creating a folder, Creating a root report, Creating custom reports, Defining column headings 8.3.
Screenshot 103: Create Report Folder dialog 2. From the General tab, specify a name and a description (optional) for the new folder. 3. Click Schedule tab and select Use schedule to configure a schedule for the reports included in this new folder. Configure the options described below: Table 48: Create report folder: Schedule options Option Description Inherit from Parent Select when the new folder is part of a root folder that already has scheduling configured.
4. Click Apply and OK. 8.3.2 Creating a folder GFI EventsManager allows you to create as many folders and sub-folders as required. To create a folder: 1. From Reporting tab > Reports, right-click a root or sub-folder and select Create Folder. 2. From the General tab, specify the name and description (optional) for the new folder. 3. Click Schedule tab and configure the required schedule settings. 4. Click Apply and OK. 8.4 Creating a root report Root reports behave in the same way as root folders.
3. Click Add to select a field on which to base the query condition. For the selected field, specify the Field Operator and Field Value. Click OK. Note Repeat this step until all the required fields are selected. For more information refer to Building query restrictions. Screenshot 105: Configuring new root report layout options 4. Click Layout tab and add the column headings that you want to be visible in the report.
Screenshot 106: Inserting a chart in a new root report 5. (Optional) Click Chart tab and select Use graphical charts to include graphs in your report. 6. From the Place chart at drop-down menu, specify the location of the chart. Select from: Beginning of Report, End of Report. 7. From Properties > X axis and Y axis, configure the X and Y axis properties, i.e. select the data represented in the chart. 8. Select Top 10 to view the Top 10 records only.
Screenshot 107: Configuring the schedule for when the report is generated 9. (Optional) Click Schedule tab and configure schedule settings. 10. Select Send report by email to and click Configure to select the recipients of this report.
Screenshot 108: Create new report Options 11. Click Options tab and specify the path to where the report generates to in the Target path area. 12. From the Range pattern drop-down menu, select the options described in the table below: Table 49: Range pattern options Pattern Description All Time Select All Time to generate the report based on information from all the related logs. Relative Generate the report based on events from: Today Yesterday Last 7 Days This Month Last Month.
Screenshot 109: Record limit settings 13. Click Other tab to configure report record limits. Available options are described in the table below: Table 50: Report record settings Option Description Split report if it contains more than {X} records Select the checkbox to enable record limit per report. GFI EventsManager automatically creates a new report for every number of records you specify.
1. From Reporting tab > Reports, right-click a root folder/folder/root report and select Create Report. Screenshot 110: Creating a root report 2. From the General tab, specify a name and description (optional) for the new root report. 3. Click Add to select a field on which to base the query condition. For the selected field, specify the Field Operator and Field Value. Click OK. Note Repeat this step until all the required fields are selected. For more information refer to Building query restrictions.
Screenshot 111: Configuring new root report layout options 4. Click Layout tab and add the column headings that you want to be visible in the report. If you have a saved report template, click Open location to browse and load your template. For more information refer to Defining column headings.
Screenshot 112: Inserting a chart in a new report 5. (Optional) Click Chart tab and select Use graphical charts to include graphs in your report. 6. From the Place chart at drop-down menu, specify the location of the chart. Select from: Beginning of Report, End of Report. 7. From Properties > X axis and Y axis, configure the X and Y axis properties, i.e. select the data represented in the chart. 8. Select Top 10 to view the Top 10 records only.
Screenshot 113: Configuring the schedule for when the report is generated 9. (Optional) Click Schedule tab and configure schedule settings. 10. Select Send report by email to and click Configure to select the recipients of this report.
Screenshot 114: Create new report Options 11. Click Options tab and specify the path to where the report generates to in the Target path area. 12. From the Range pattern drop-down menu, select the options described in the table below: Table 51: Range pattern options Pattern Description All Time Select All Time to generate the report based on information from all the related logs. Relative Generate the report based on events from: Today Yesterday Last 7 Days This Month Last Month.
Screenshot 115: Record limit settings 13. Click Other tab to configure report record limits. Available options are described in the table below: Table 52: Report record settings Option Description Split report if it contains more than {X} records Select the checkbox to enable record limit per report. GFI EventsManager automatically creates a new report for every number of records you specify.
8.6 Generating reports
GFI EventsManager enables you to generate a number of different reports, containing information about GFI EventsManager configuration settings, network activity and product activity. This section contains information about:
Generating a report
Generating daily digest reports
Generating settings reports
Generating rules reports
Generating operational history reports
Generating activity overview reports
8.6.1 Generating a report
To generate a report:
1.
Note: Reports can also be generated by selecting a report from the list and clicking Generate Report at the top of the reporting page.
Screenshot 117: Report sample
8.6.2 Generating daily digest reports
GFI EventsManager can be configured to send a summary report by email on a daily basis. The report contains a summary of the most important events collected and processed during the last 24 hours. To configure a user to receive Daily Digest emails:
1. From Configuration tab > Options.
Screenshot 118: Daily Digest email settings
5. Configure the time when the Daily Digest email is sent.
6. Click Apply and OK.
Screenshot 119: Daily digest email
Table 53: Daily digest email description
Section - Description
- The start and end date of the report. The report displays the most important events collected by GFI EventsManager between the start and end date.
- The number of Critical and High events collected in the last 24 hours.
- This graph provides statistical information about critical events collected from all event sources in the last 24 hours.
8.6.
Heading - Description
Rules folder - Provides a list of rule categories applied to the selected group, such as: Noise reduction, Security, System health, PCI DSS requirements.
Rule sets - A granular list of rules applied on the selected group.
To generate a settings report:
1. Click Configuration tab > Event Sources.
Screenshot 120: Generate configuration report
2. Right-click an event source group and select Report on settings.
Screenshot 121: Settings report sample
8.6.4 Generating rules reports
Rules reports provide a detailed view of the rules applied on event sources. The information provided in rules reports is described below:
Table 55: Rules report heading information
Heading - Description
Rule name - Name of the applied rule.
Importance - The classified importance level of the collected event log, such as: Critical, High, Medium, Low, Noise event.
Actions - Describes the actions taken when the event is processed, including: Archiving settings, Mail to settings, Threshold settings.
To generate a rules report:
1. Click Configuration tab > Event Sources.
Screenshot 122: Generate configuration report
2. Right-click an event source and select Report on rules.
8.6.5 Generating operational history reports
GFI EventsManager's operational history can be exported for further analysis and archiving purposes.
Log file/name - Type of logs collected. Amongst others: Application, Security, and logs generated by other applications such as GFI LanGuard and GFI EndPointSecurity.
Message - The actual message generated while performing the job.
To generate Operational History reports:
1. Click Status tab > Job Activity.
Screenshot 123: Operational History report
2. Click Export data.
Screenshot 124: Operational History dialog
3. Specify the options described below and click Export.
Screenshot 125: Operational History report sample
8.6.6 Generating activity overview reports
GFI EventsManager enables you to export Activity Overview data. Activity overview reports provide the information described below:
Table 58: Activity overview report headings
Heading - Description
Date/Time - Date and time when the message was generated.
Machine - Event source that generated the message.
Source - Source operation that caused the message to be generated.
Screenshot 127: Activity overview dialog
3. Configure the options described below and click Export.
Table 59: Export Operational History options
Option - Description
Format - The report output format. Available formats are HTML and CSV.
All time - Export all messages displayed in Activity Overview.
From a specific date - Specify a date to export all messages generated on that date.
Only computers with errors/not scanned - Export only data of computers with scanning issues.
8.7 Analyzing reports
Screenshot 129: Analyzing reports
The reporting system of GFI EventsManager comes with dedicated tools to help you analyze and export reports. Once a report is generated, select it from the list of Generated Reports and use the common controls to run common report analysis commands.
8.8 Defining column headings
GFI EventsManager enables you to create custom columns through the Add Custom Columns dialog. This dialog allows you to specify conditions, create a new field and add it to your report(s). Based on conditions, this dialog also enables you to further customize existing or new reports. To add custom columns:
1. From Reporting tab > Actions, click Create Report.
2. Click Layout tab > Add Existing Column to add default columns.
3.
Option - Description
Fixed Value - Select Fixed Value if the value of the new field is going to be fixed. Specify a value as a field name. For example, to check that events always occur after 5pm, specify 5 as the fixed value instead of defining a time field and assigning it a value of 5.
Special Column - Special columns are predefined columns that may be used in your condition.
Edit restrictions - This section enables you to add, edit or delete field restrictions.
6. Click Apply and OK.
8.8.
Important: Before editing the default report template, save a copy of the original so that you can easily revert to the default for troubleshooting.
To edit the layout of HTML reports:
1. Go to the GFI EventsManager install directory: %Program Files\GFI\EventsManager2012\Data\Templates\DefaultReportLayout
Screenshot 132: Editing HTML report templates
2. From the DefaultReportLayout folder, edit the templates described below:
Table 62: Default HTML templates
Template - Description
template_group_new.
3. Using an HTML editor, edit the following elements of the templates:
Table 63: HTML template: Editable sections
Section - Description
Report logo - Replace the GFI EventsManager logo with a logo of your choice. Add more logos or completely remove them from your reports.
Labels and text - Rename and reposition labels according to your needs.
9 Events Processing Rules
During events processing, GFI EventsManager runs a configurable set of rules against the collected logs in order to classify events and trigger alerts/actions accordingly. By default, GFI EventsManager ships with a pre-configured set of events processing rules that allow you to gain network-wide control over computer logs with negligible configuration effort. You can also customize these default rules or create tailored ones for your organization's requirements.
The flowchart below illustrates the event processing stages performed by GFI EventsManager:
Screenshot 133: How Events Processing Rules work
9.1.1 Event classification
Event classification is based on the configuration of the rules that are executed against the collected logs. Events that do not satisfy any event classification conditions are tagged as unclassified. Unclassified events may also be used to trigger the same alerts and actions available for classified events.
9.2 Managing rules-set folders
In GFI EventsManager, event processing rules are organized into rule-sets, and every rule-set can contain one or more specialized rules which can be run against collected logs.
Screenshot 134: Rule-sets folder and Rule-sets
Rule-sets are further organized into Rule-set Folders. This way you can group rule-sets according to the functions and actions that the respective rules perform.
Table 65: Common available rule-set folders
Rule-Set Folder - Description
Windows Events - Contains rules tailored for Windows® servers and workstations. These include: Noise reduction rules, PCI DSS Requirements rules, Security rules, System Health rules, Security Application rules, Infrastructure Server rules, Database Server rules, Web Server rules, Print Server rules, GFI rules, Terminal Services rules, Email Server rules, File Replication rules, Directory Service rules, Custom rules, Reporting rules, SharePoint Audit
SQL Server® Audits - Contains rules tailored for SQL Server® Audit monitoring. These include: Noise reduction rules, Database changes rules, Server changes rules, Logon/Logoff rules, SQL Server® rules, Database access rules.
Oracle Audits - Contains rules tailored for Oracle Server Audit monitoring. Amongst others, these include: Noise reduction rules, Database changes rules, Server changes rules, Logon/Logoff rules, Security changes rules.
9.3 Creating new events processing rules
To create a new event processing rule:
1. Click Configuration tab > Event Processing Rules.
Screenshot 135: Creating a new rule
2. Right-click the rule-set where the new rule will be created and click Create new rule…
3. Specify the name and an optional description for the new rule. Click Next.
Screenshot 136: Select the logs which the rule will be applied to
4. Select the event logs to which the rule applies.
5. (Optional) Click Add custom log… to insert an event log which you pre-configured. Click Next. For more information refer to Collecting custom events.
Note: For SQL Audit, Oracle Audit, Syslogs, Text Logs and SNMP Traps messages, specify the full path of the object's log folder; example: “C:\W3C\logs”.
Screenshot 137: Configure the rule conditions
6. Click Add to select a field on which to base the query condition. For the selected field, specify the Field Operator and Field Value. Click OK.
Note: Repeat this step until all the required fields are selected. For more information refer to Building query restrictions.
Screenshot 138: Select event occurrence and importance
7. Specify the time when the rule is applicable, for example anytime, during working hours or outside working hours. Working and non-working hours are based on the operational time parameters configured for your event sources. For more information refer to Configuring event source operational time.
8. Select the classification (critical, high, medium, low or noise) that will be assigned to events that satisfy the conditions in this rule. Click Next.
Screenshot 139: Select the triggered action
9. Specify which actions are triggered by this rule and click Next. The available actions are:
Table 66: Configuring new events processing rules: Actions
Action - Description
Ignore the event - Select this option so that GFI EventsManager ignores the event and does not trigger any actions or notifications.
Use the default classification actions - Select this option to use the pre-configured Default Classification Actions.
Use the following actions profile - The Archive All profile is added by default. To create a new profile:
  1. From the drop-down menu, select the entry that launches the New actions profile... dialog.
  2. Specify a name for the new profile in the Action Profile Name text box.
  3. Select the actions that you want the profile to perform.
Screenshot 140: Creating a rule from an existing event
2. Right-click the event and select Create rule from event.
Screenshot 141: New rule from event - General settings
3. Specify a unique name and an optional description for the new rule.
4. From The rule applies if the event happens drop-down menu, select the time when the rule is applicable: At any time of the day, During Normal Operational Time or Outside the Normal Operational Time.
Note: For more information refer to Configuring event source operational time.
5.
Screenshot 142: New rule from event - Select logs to collect
6. From the Event Logs tab, select the logs you want to collect. To add custom logs, click Add custom log..., specify the custom log name and click OK.
Note: For more information refer to Collecting custom logs.
Screenshot 143: New rule from event - Add conditions
7. Click the Conditions tab. Click Add to select a field on which to base the query condition. For the selected field, specify the Field Operator and Field Value. Click OK.
Note: Repeat this step until all the required fields are selected. For more information refer to Building query restrictions.
8. Click the Actions tab and select what action is performed when the rule is triggered.
9.5 Advanced event filtering parameters
GFI EventsManager allows systems administrators to set up advanced event filtering parameters. These options are available only for Windows® Event Logs and Syslogs. Refer to the following sections for information about:
Windows® event filtering parameters
Syslog filtering parameters
9.5.
9.6 Prioritizing events processing rules
Events Processing Rules are executed in order of priority. To change the order of execution:
1. From Configuration tab > Events Processing Rules > Rule Folders, expand a rule-set folder.
2. From the right pane, right-click a rule and select Increase priority or Decrease priority accordingly. Alternatively, select a rule and press Ctrl+Up to increase or Ctrl+Down to decrease its priority.
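The classification, condition and priority behaviour described in 9.1.1, 9.3 and 9.6 can be modelled in a few lines. The following Python is an added illustration, not GFI EventsManager code: the rule names, field names, operator set, the Monday-to-Friday 09:00-17:00 operational window and the sample events are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Callable

# Field operators offered when building a query restriction (constructed subset).
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda a, b: str(a).lower() == str(b).lower(),
    "not equals": lambda a, b: str(a).lower() != str(b).lower(),
    "contains": lambda a, b: str(b).lower() in str(a).lower(),
    "greater than": lambda a, b: float(a) > float(b),
    "less than": lambda a, b: float(a) < float(b),
}


@dataclass
class Condition:
    field: str       # event field the restriction applies to (Field)
    operator: str    # key of OPERATORS (Field Operator)
    value: Any       # Field Value

    def matches(self, event: dict[str, Any]) -> bool:
        if self.field not in event:
            return False
        try:
            return OPERATORS[self.operator](event[self.field], self.value)
        except (ValueError, TypeError):
            return False  # e.g. "greater than" against a non-numeric field


@dataclass
class Rule:
    name: str
    conditions: list[Condition]
    classification: str          # critical | high | medium | low | noise
    applies: str = "anytime"     # anytime | working | non-working
    action: str = "Archive All"  # actions profile name, or "ignore"

    def matches(self, event: dict[str, Any], working_hours: bool) -> bool:
        if self.applies == "working" and not working_hours:
            return False
        if self.applies == "non-working" and working_hours:
            return False
        return all(c.matches(event) for c in self.conditions)


def is_working_hours(ts: datetime, window: tuple[int, int] = (9, 17)) -> bool:
    """Operational time of the event source: Mon-Fri 09:00-17:00 (constructed window)."""
    return ts.weekday() < 5 and window[0] <= ts.hour < window[1]


def process(event: dict[str, Any], rules: list[Rule],
            unclassified_action: str = "Archive All") -> dict[str, Any]:
    """Run the rules in list order (list order is priority); the first match wins."""
    wh = is_working_hours(datetime.fromisoformat(event["timestamp"]))
    for rule in rules:
        if rule.matches(event, wh):
            return {"rule": rule.name, "classification": rule.classification,
                    "action": rule.action}
    # No rule satisfied: the event is tagged unclassified but can still drive an action.
    return {"rule": None, "classification": "unclassified", "action": unclassified_action}


def change_priority(rules: list[Rule], name: str, step: int) -> list[Rule]:
    """Ctrl+Up (step=-1) / Ctrl+Down (step=+1): swap a rule with its neighbour."""
    i = next(k for k, r in enumerate(rules) if r.name == name)
    j = min(max(i + step, 0), len(rules) - 1)
    out = list(rules)
    out[i], out[j] = out[j], out[i]
    return out


# Constructed rule-set; names and conditions are illustrative, not shipped rules.
RULES = [
    Rule("Noise: audit success", [Condition("log", "equals", "Security"),
                                  Condition("type", "equals", "Audit Success")],
         "noise", action="ignore"),
    Rule("Failed logon outside operational time",
         [Condition("log", "equals", "Security"), Condition("event_id", "equals", 4625)],
         "critical", applies="non-working", action="Alert administrators"),
    Rule("Failed logon", [Condition("log", "equals", "Security"),
                          Condition("event_id", "equals", 4625)], "high"),
]

# Constructed sample events (2024-03-11 is a Monday).
EVENTS = {
    "night_failure": {"timestamp": "2024-03-11T02:15:00", "log": "Security",
                      "event_id": 4625, "type": "Audit Failure"},
    "day_failure": {"timestamp": "2024-03-11T10:00:00", "log": "Security",
                    "event_id": 4625, "type": "Audit Failure"},
    "success": {"timestamp": "2024-03-11T10:05:00", "log": "Security",
                "event_id": 4624, "type": "Audit Success"},
    "app_info": {"timestamp": "2024-03-11T10:06:00", "log": "Application",
                 "event_id": 1000, "type": "Information"},
}

if __name__ == "__main__":
    for label, ev in EVENTS.items():
        print(label, process(ev, RULES))
    # Decrease the priority of the critical rule: the night-time failure is now only "high".
    demoted = change_priority(RULES, "Failed logon outside operational time", +1)
    print("after Decrease priority:", process(EVENTS["night_failure"], demoted))
```

The last lines show why priority matters: the broader "Failed logon" rule, once placed above the operational-time rule, claims the event first and the critical classification is never reached.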
10 Active Monitoring
Event logs are useful to track different operational aspects of devices, computers and servers, but in many cases users need more than logs to inspect this activity in further detail. To mitigate this problem, GFI EventsManager uses Active Monitoring Checks. Monitoring checks help you detect failures or irregularities automatically, so you can identify and proactively fix unexpected problems before they happen.
Screenshot 144: How Active Monitoring Checks work
Example: You configure a monitoring check to generate an event log when a computer's free hard disk space reaches a pre-configured limit.
1. When the limit is reached and the monitoring check generates an event, locate it in the Events Browser and create an event processing rule based on it. For more information refer to Creating new rules from existing events.
2. Configure the new events processing rule conditions to ignore non-matching events. For more information refer to Creating new events processing rules.
3. Configure the new rule to trigger an alert or action to resolve the problem.
Screenshot 146: Folder properties - General tab
2. Specify a unique name and an optional description in the Name and Description fields.
3. Click the Target computers tab and select the event sources. Active Monitoring checks added to this new folder are applied to the selected event sources.
Screenshot 148: Folder properties - Schedule tab
4. From the Schedule tab, set the time interval at which GFI EventsManager runs the monitoring check(s) on the selected event sources. By default, the monitoring check interval is set to 5 seconds.
Screenshot 149: Folder properties - Action events tab
Note: Regardless of whether an Active Monitoring check fails or succeeds, the computer that it checks generates an event log. This event log can be processed by events processing rules, which can trigger alerts or run scripts/applications for remedial operations. For more information refer to Creating new rules from existing events.
5. From the Action events tab, configure when event logs are generated and how GFI EventsManager classifies the generated events.
Option - Description
Once every {X} messages - Generates an event log once every number of messages you specify. Example: if you key in 10, only one event log is generated for every 10 times the check fails/succeeds/both.
When the check switches state, generate an audit event from this machine/device - Generates an event log when the check changes state from Fail to Succeed or vice versa.
Failed severity - Select the severity rating that GFI EventsManager assigns to the event log of a failed system check.
Screenshot 151: Folder properties - Target computer tab
Note: Select Inherit from parent to use the same settings as the parent folder.
3. Click the Target computers tab and select the event sources. Active Monitoring checks that are added to this new folder are applied to the selected event sources.
Screenshot 152: Folder properties - Schedule tab
Note: Select Inherit from parent to use the same settings as the parent folder.
4. From the Schedule tab, set the interval at which GFI EventsManager runs the monitoring check(s) on the selected event sources. By default, the monitoring check interval is set to 5 seconds.
Screenshot 153: Folder properties - Action events tab
Note: Regardless of whether an Active Monitoring check fails or succeeds, the computer that it checks generates an event log. This event log can be processed by events processing rules, which can trigger alerts or run scripts/applications for remedial operations. For more information refer to Creating new rules from existing events.
Note: Select Inherit from parent to use the same settings as the parent folder.
5.
Table 72: Monitoring checks - Action events
Option - Description
Generate an audit event from this machine/device when the check - GFI EventsManager enables you to generate event logs after the event source is checked for irregularities.
10.4 Creating and configuring active monitoring checks
To create a new active monitoring check:
Screenshot 154: Creating a new active monitoring check
1. Click Configuration > Active Monitoring.
2. Right-click the root/sub-folder where you want the new monitoring check to be saved and select Create new check.
Screenshot 155: Select check type
3. Select the check type and click Next.
Screenshot 156: Configure general check properties
4. Specify a unique name and an optional description in the Name and Description fields.
5. In the Consider this monitoring check as fail after {X} errors text box, specify the number of errors that must occur before the new check is classified as Failed.
6. Select/unselect Enable/disable this check to turn the new monitoring check on/off. Click Next.
Screenshot 157: Configure monitoring check parameters
7. Configure the parameters that have to be checked and click Next.
Note: This step is different for each type of check you select in step 3.
Note: Select Inherit from parent to use the same settings as the parent folder.
8. From the list of event sources, select the computers to be monitored by this new check. Click Next.
Screenshot 159: Set the scan time interval
Note: Select Inherit from parent to use the same settings as the parent folder.
9. Configure the scan interval schedule for the new check. By default, the check scans the selected source(s) once every 5 seconds.
Screenshot 160: Configure event log actions
Note: Select Inherit from parent to use the same settings as the parent folder.
10. A monitoring check generates an event log regardless of whether it fails or succeeds. From Action events, configure when event logs are generated and how GFI EventsManager classifies the generated logs.
Option - Description
Success severity - Select the severity rating that GFI EventsManager assigns to the event log of a successful system check.
11. Click Finish.
10.5 Applying active monitoring checks
Active Monitoring can be applied to single event sources or groups of event sources. Event sources can be selected on a check-by-check basis or at root folder level. Configuring settings at folder level enables the pertaining checks to inherit the same event source settings.
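An added model of the check lifecycle configured in steps 5 through 10 above (fail after {X} errors, the scan interval, and the Action events options: generate on fail/succeed/both, once every {X} messages, the state-change audit event, and the two severities), using the free-disk-space example from the start of this chapter. This is illustration code, not GFI EventsManager's implementation; the probe, the FILESRV01 source and the free-space readings are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class ActionEvents:
    """Options of the Action events tab (constructed model of the options described on this page)."""
    generate_when: str = "both"     # generate an audit event when the check: "fails" | "succeeds" | "both"
    once_every: int = 1             # "Once every {X} messages": one event log per X qualifying results
    on_state_change: bool = True    # "When the check switches state, generate an audit event"
    failed_severity: str = "High"   # "Failed severity"
    success_severity: str = "Low"   # "Success severity"


@dataclass
class SourceState:
    consecutive_errors: int = 0
    state: str = "Succeed"          # "Succeed" | "Fail"
    qualifying: int = 0             # results counted toward once_every


@dataclass
class MonitoringCheck:
    name: str
    probe: Callable[[dict], tuple[bool, str]]  # one scan of one source -> (ok, message)
    fail_after_errors: int = 3      # "Consider this monitoring check as fail after {X} errors"
    interval_seconds: int = 5       # default scan interval from the Schedule tab
    actions: ActionEvents = field(default_factory=ActionEvents)
    _states: dict[str, SourceState] = field(default_factory=dict)

    def scan(self, source: dict) -> list[dict]:
        """Run the probe once against one source; return the event logs this scan generates."""
        st = self._states.setdefault(source["name"], SourceState())
        ok, message = self.probe(source)
        st.consecutive_errors = 0 if ok else st.consecutive_errors + 1
        previous = st.state
        # The check only counts as Failed once the configured number of errors has occurred.
        st.state = "Fail" if st.consecutive_errors >= self.fail_after_errors else "Succeed"
        events: list[dict] = []
        if self.actions.on_state_change and st.state != previous:
            events.append(self._event(source, "StateChange",
                                      f"{previous} -> {st.state}: {message}", st.state))
        wanted = {"both": ("Fail", "Succeed"), "fails": ("Fail",), "succeeds": ("Succeed",)}
        if st.state in wanted[self.actions.generate_when]:
            st.qualifying += 1
            if st.qualifying % self.actions.once_every == 0:
                events.append(self._event(source, st.state, message, st.state))
        return events

    def _event(self, source: dict, kind: str, message: str, state: str) -> dict:
        severity = (self.actions.failed_severity if state == "Fail"
                    else self.actions.success_severity)
        return {"source": source["name"], "check": self.name, "kind": kind,
                "severity": severity, "message": message}


def free_disk_space_probe(source: dict) -> tuple[bool, str]:
    """The page's example check: an error when free space reaches the configured limit."""
    free, limit = source["free_mb"], source["limit_mb"]
    return free > limit, f"{source['drive']}: {free} MB free (limit {limit} MB)"


def simulate(readings_mb: list[int], limit_mb: int = 500, **check_kwargs) -> list[dict]:
    """Feed one free-space reading per scan through a single check and collect the event logs."""
    check = MonitoringCheck("Free disk space", free_disk_space_probe, **check_kwargs)
    events: list[dict] = []
    for free in readings_mb:
        events += check.scan({"name": "FILESRV01", "drive": "C:",
                              "free_mb": free, "limit_mb": limit_mb})
    return events


if __name__ == "__main__":
    # Constructed readings: the disk fills up over four scans, then space is freed again.
    for ev in simulate([800, 400, 450, 300, 200, 900],
                       actions=ActionEvents(generate_when="fails", once_every=2)):
        print(ev)
```

With those settings the six scans produce three event logs: the switch to Fail on the third error, one periodic Fail log (every second failing result), and the switch back to Succeed.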
10.6 Deleting folders and monitoring checks
To delete a folder/monitoring check:
1. Go to Configuration > Active Monitoring.
Screenshot 162: Deleting folders and monitoring checks
2. From the Monitoring checks section, right-click the folder/monitoring check to delete and select Delete.
Important: Deleting a root folder (parent folder) deletes all of its contents as well. Make sure that you delete unwanted items only.
11 Alerts and Default Actions
This chapter provides you with information about the available alerting methods and how to configure each according to your requirements. During event processing, GFI EventsManager automatically executes actions and triggers alerts whenever particular events are encountered. Topics in this chapter:
11.1 Configuring Default Classification Actions 208
11.2 Configuring Alerting Options 210
11.
Screenshot 164: Default Classification Actions dialog
2. From the drop-down menu, select the event classification to be configured.
3. From the Action list, select the actions to be triggered and click Configure. The available actions are:
Table 74: Default Classification Actions
Action - Description
Archive the event - Archives events without further processing.
Send email alerts to - Click Configure and select the recipients. NOTE: Ensure that users have a valid email address configured.
Run file - Click Configure, select the file to execute and specify any command-line parameters you want to pass to the file. Supported files include: VB Scripts (*.VBS), Batch Files (*.BAT), Executables (*.EXE).
Send SNMP Message - Click Configure and select the recipients.
Scan computer - GFI EventsManager re-audits the computer.
Run checks on computer - Click Configure and select the monitoring checks you want to run when the action is triggered.
To configure Alerting Options:
Screenshot 165: Configuring Alerting Options
1. Click Configuration tab > Options, right-click Alerting Options and select Edit alerting options...
Note: Select Edit alert recipients to configure the contact details of the alerting recipients and to manage user accounts. For more information refer to Managing user accounts.
2. Configure the alerting method of your choice.
11.2.1 Email alerts
Screenshot 166: Configuring Email options
To configure email alerts:
1. From the Alerting Options dialog, click the Email tab.
2. Configure the options described below:
Table 75: Alerting Options dialog - Email alerts
Option - Description
Add/Remove/Edit - Click Add… to specify the mail server details, including the server name/IP, logon credentials and recipient email address. Use the Remove or Edit button to remove a selected server or edit its details.
11.2.2 Network alerts
Screenshot 167: Configuring Network options
To configure network alerts:
1. From the Alerting Options dialog, click the Network tab.
2. From the Format network message… drop-down menu, select the log type and customize the format of the message.
Screenshot 168: Configuring Network alerts: Format message
3. Click Insert tag to select from a list of tags to include in the message.
4. Click Save and OK.
11.2.3 SMS alerts
Screenshot 169: Configuring SMS options
To configure SMS alerts:
1. From the Alerting Options dialog, click the SMS tab.
2. Configure the options described below:
Table 76: Alerting Options dialog: SMS
Option - Description
Select SMS - Select the SMS service used to send SMS alerts. Available services include: In-built GSM SMS Server, FaxMaker SMS service provider template, Clickatell Email2SMS Service, Generic SMS service provider template.
11.2.4 SNMP alerts
To configure SNMP alerts:
Screenshot 170: Configuring SNMP alerts
1. From the Alerting Options dialog, click the SNMP tab.
2. Configure the options described below:
Table 77: Alerting Options: SNMP Traps
Option - Description
Specify the IP address where the SNMP alerts will be sent - Enter the IP address of the recipient.
Specify the port(s) which will be used to send SNMP alerts - Specify the TCP/UDP communication port. By default, the assigned port is 162.
12 User Groups
This chapter provides you with information related to creating and managing users and groups. Through the Users and Groups node, users and groups can be created, and specific alerts, working hours and other properties can be assigned to each user and group, while different console access rights can be assigned to each user from the Console Security and Audit Options node. Topics in this chapter:
12.1 Configuring the administrator account 216
12.2 Managing user accounts 222
12.
Screenshot 171: Configuring EventsManagerAdministrator account
2. From the right pane, right-click EventsManagerAdministrator and click Properties.
3. From the General tab specify:
A username for the GFI EventsManager administrator account
(Optional) A description for the account
A valid email address for email alerts distribution
A valid mobile number for SMS alerts distribution
Valid computer names/IPs for network alerts distribution.
Screenshot 173: Configuring user typical working hours
4. Click the Working Hours tab and specify the typical working hours of the administrator. Marked time intervals are considered as working hours.
Screenshot 174: Configure alerts outside working hours
5. Click the Alerts tab and select the alerts sent during and outside working hours. Optionally, select Send daily report via email at and specify the time to send an email containing daily activity.
Screenshot 175: Select the group which the user account is a member of
6. Click the Member Of tab and select the notification groups to which the user belongs. By default, the administrator is a member of the EventsManagerAdministrators notification group.
Screenshot 176: Configuring user account privileges
7. Click the Privileges tab to edit the user privileges. By default, the EventsManagerAdministrator account has full privileges and cannot be modified.
Screenshot 177: User account filtering
8. Click the Filter tab to edit what the administrator can see in the management console. By default, this tab is disabled for the EventsManagerAdministrator account.
9. Click Apply and OK.
12.2 Managing user accounts
GFI EventsManager allows you to create a custom list of users which you can organize into groups to speed up administrative tasks.
Screenshot 178: Creating a new user
2.
3. From the General tab specify:
A username for the user account
(Optional) A description for the account
A valid email address for email alerts distribution
A valid mobile number for SMS alerts distribution
Valid computer names/IPs for network alerts distribution.
Screenshot 180: Creating a new user - Working hours
4. Click the Working Hours tab and specify the typical working hours of the new user. Marked time intervals are considered as working hours.
Screenshot 181: Creating a new user - Alerting options
5. Click the Alerts tab and select the alerts sent during and outside working hours. Optionally, select Send daily report via email at and specify the time to send an email containing daily activity. For more information, refer to Alerts and Default Actions (page 208).
Screenshot 182: Creating a new user - Select notification group(s)
6. Click the Member Of tab and click Add. Select the notification groups to which the user belongs and click OK.
Screenshot 183: Creating a new user - Privileges
7. Click the Privileges tab to configure user privileges. By default, new user accounts have read-only privileges.
Screenshot 184: User filtering options
8. Click the Filter tab to configure what the new user is allowed to display in the management console. The following table describes the available options:
Table 79: User filtering options
Option - Description
Event Sources - GFI EventsManager provides you with a set of pre-configured conditions for filtering event sources. Select the event sources that you want to be visible for this user.
Total priv- - Click Advanced... to launch the Advanced Filtering dialog.
3. Make the required changes in the available tabs and click OK.
12.2.3 Deleting a user account
To delete a user:
1. From Configuration tab > Options, expand the Users and Groups node and select Users.
2. From the right pane, right-click a user and select Delete.
12.3 Managing user groups
GFI EventsManager enables you to assign users to a group. Once the group properties have been configured, every member of the group inherits the same settings.
Screenshot 186: Creating a new user group - General properties
3. Specify the name and an optional description for the new group.
4. Click Add to add users to the group.
Screenshot 187: Creating a new user group - General properties
5. From the Privileges tab, select whether the group has Full or Read Only permissions.
6. Click Apply and OK.
12.3.2 Changing group properties
To edit the settings of a user group:
1. From Configuration tab > Options, expand the Users and Groups node.
2. From the right pane, right-click the group to be configured and select Properties.
3. Perform the required changes in the available tabs and click OK.
12.3.
13 Console Security and Audit Options
Console security and audit options enable you to protect GFI EventsManager from unauthorized access and malicious intent. The provided audit options enable you to accurately monitor GFI EventsManager activity. Topics in this chapter:
13.1 Enabling login system 232
13.2 Anonymization 235
13.3 Auditing console activity 238
13.4 Auto-discovery credentials 239
13.
Screenshot 188: Editing console security options
2. Expand the Console Security and Audit Options node, right-click the Security Options node and select Edit security options….
Screenshot 189: Enabling EventsManager login system
3. Select Enable EventsManager login system to enable login.
4. Click Apply and OK.
Note: To configure or edit user passwords, go to Configuration tab > Users and Groups > Users, right-click the user account and select Change Password.
Important: Once the login system is enabled, users must log in to the console by specifying their username and password, and must have a valid email address configured to be able to retrieve lost passwords.
Screenshot 190: Login credentials prompt
If a password is forgotten or lost:
1. Key in your username.
2. Click the Forgot your password? link. GFI EventsManager sends an email containing your login password to the email address supplied during the user account setup.
13.2 Anonymization
In some countries privacy laws state that it is against the law not to encrypt personal information retrieved by monitoring applications for privacy protection.
Screenshot 191: Enable console anonymization
1.
Screenshot 192: Anonymization options
2. Select Enable Anonymization and enter the encryption password.
3. (Optional) Select Use a secondary protection key to use two passwords for event log encryption. Event logs can then only be decrypted by providing both decryption passwords.
4. Click Apply and OK.
13.3 Auditing console activity
GFI EventsManager can save console activity to external logs. To configure console activity auditing:
Screenshot 193: Enabling console user activity auditing
1. From Configuration tab > Options, expand the Console Security and Audit Options node.
2. Right-click Audit Options and select Edit audit options….
Screenshot 194: Audit Options dialog
3. Select the Audit all the actions done by users option and specify the location where the output log file will be saved.
4. Click Apply and OK.
13.4 Auto-discovery credentials
Auto-discovery credentials are used by GFI EventsManager to log in to target machines and collect information when performing an automatic search for event sources.
Screenshot 195: Configuring Auto-Discovery Credentials
1. From Configuration tab > Options, expand the Console Security and Audit Options node.
2. Right-click Auto-discovery credentials and select Edit auto-discovery credentials.
Screenshot 196: Specify Auto-discovery credentials
3. Key in a valid username and password.
4. Click Apply and OK.
14 Database Maintenance
This chapter provides information about the storage system that GFI EventsManager uses to store processed events. This system offers great scalability through its fast read/write capabilities, even when processing high volumes of data. To help you maintain your database backend, GFI EventsManager provides dedicated maintenance job options.
Screenshot 197: File storage system dialog
2. Click New and key in the new database name. Click OK to close the Create new database dialog.
3. Click Browse to select a location other than the default database store.
4. (Optional) Select Encrypt data using the following password and specify the encryption password used to secure information in the new database.
Note: The dialog indicates when the specified passwords do not match.
5. Click Apply and OK.
14.1.
To encrypt the database backend:
Screenshot 198: Editing file storage settings
1. Click Configuration tab > Options, right-click File Storage and select Configure file storage....
Screenshot 199: Enabling encryption
2. From the General tab, select Encrypt data using the following password to enable encryption.
3. Specify the password and the confirmation password.
Note: The dialog indicates when the specified passwords do not match.
4. Click Apply and OK.
Note: The live database (the database you are currently using) cannot be encrypted from this dialog. Only new or offline databases can be encrypted here. To encrypt the live database, use the provided CMD tool: esmdlibm.exe.
character from a word), the hash value changes, indicating that someone could be tampering with stored records.
Important: Hashing will fail if anonymization is enabled.
To configure hashing:
Screenshot 200: Enabling / disabling record hashing
1. From Configuration tab > Options > Configurations, click File Storage > Configure hashing....
Screenshot 201: Record hashing dialog
2. Select or unselect Enable record hashing to turn hashing on or off.
3. Click Check records hashes to run hash checks on the selected database. Select a database from the list and click OK to start the check.
4. Click Apply and OK.
14.1.4 Switching between file storage databases
GFI EventsManager enables you to use multiple databases, stored in different locations on the same computer or on any remote computer within your LAN. To switch between databases:
1.
Screenshot 202: Options tab
2. From the left pane, right-click File Storage and select Configure file storage...
3. From the Configure file storage dialog, click Switch server. This opens the Switch Database Server dialog.
4. In the Server hostname text box, key in the computer name or IP address of the database machine. Click OK.
5. Click Apply and OK.
Switching databases from the dashboard
The General dashboard view enables you to switch to a different database without having to access the Configuration tab.
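The Check records hashes step described above reports records that were altered after they were written, even by a single character. The following Python is an added illustration of that kind of integrity check and is not GFI's code: the record layout, the JSON canonicalization and the demo key are assumptions, and it uses a keyed hash (HMAC-SHA256) so that whoever can rewrite a record cannot also rewrite a matching hash without the key.

```python
import hashlib
import hmac
import json

# Hypothetical verification key. The guide does not document how EventsManager
# derives or protects its hash material, so this whole scheme is an illustration.
# A key that the record writer does not hold is what makes the check meaningful.
HASH_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(record):
    """Serialize a record deterministically so that field order cannot change the hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(record, key=HASH_KEY):
    """Keyed SHA-256 (HMAC) over the canonical record.

    A plain hash stored beside the record could be recomputed by anyone able to
    edit the record; with a key held elsewhere that is no longer possible.
    """
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def store_records(records, key=HASH_KEY):
    """Return stored rows: a copy of each record plus the hash taken when it was written."""
    return [{"record": dict(r), "hash": record_hash(r, key)} for r in records]


def check_record_hashes(rows, key=HASH_KEY):
    """Recompute every hash and return the ids of rows whose stored hash no longer matches.

    An empty list means every stored record is byte-for-byte what was written.
    """
    tampered = []
    for row in rows:
        expected = record_hash(row["record"], key)
        if not hmac.compare_digest(expected, row["hash"]):
            tampered.append(row["record"]["id"])
    return tampered


# Constructed sample records (not real EventsManager data).
SAMPLE_RECORDS = [
    {"id": 1, "source": "SRV01", "event_id": 4624, "user": "alice", "result": "Success"},
    {"id": 2, "source": "SRV01", "event_id": 4625, "user": "bob", "result": "Failure"},
    {"id": 3, "source": "FW01", "event_id": 302013, "user": "", "result": "Built"},
]


def demo_tamper(rows):
    """Change a single character in one stored record, as the guide describes,
    and return what the hash check reports afterwards."""
    rows[1]["record"]["result"] = "Failurf"   # "Failure" -> "Failurf": one character
    return check_record_hashes(rows)


if __name__ == "__main__":
    rows = store_records(SAMPLE_RECORDS)
    print("check on untouched rows:", check_record_hashes(rows))
    print("check after a one-character edit:", demo_tamper(rows))
```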
14.1.5 Configuring database rotation options
When processing events from a large number of event sources, it is important to configure database rotation options. These options instruct GFI EventsManager to automatically switch to a new database when a certain condition is met. Doing so helps you maintain a pool of fixed-size databases, which enables GFI EventsManager to perform better.
Table 80: Database rotation options
  Rotate when database reaches {X} Records: Specify the number of records that the database has to contain before rotating to a new one. Note: Minimum value = 1,000,000 records.
  Rotate when database reaches {X} GB: Rotate to a new database when the current one reaches the specified size in gigabytes (GB). Note: Minimum value = 1 GB.
  Rotate when database is {X} weeks old: Rotate to a new database when the current one is older than the specified number of weeks.
Screenshot 205: Database Operations Options dialog
3. Configure the options from the tabs described below:
Table 81: Configuring database operations
  General: Specify the unique identifier by which this instance of GFI EventsManager will be identified on the network. This identifier is used as part of the export file name during Export to file operations.
Table 82: Maintenance job types
  Import\Export Job: Import/export data from/to other instances of GFI EventsManager. Export data and import it into other instances as part of the data centralization process.
  Legacy Import Job: Import data from older versions of the product. Import data from Microsoft® SQL Server® databases, legacy files and legacy file storage.
Screenshot 206: Creating Import\Export jobs
4. Select Import/Export Job and click Next.
Screenshot 207: Import from file
5. Select Import from file and click Next.
Screenshot 208: Import from file - Specify import file path
6. Specify the path to the configuration file that contains the data you want to import. Optionally, click Browse to look for the location. Click Next.
Screenshot 209: Decrypt secure import files
7. (Optional) If the file you are importing is encrypted, select Decrypt the files using the following password and specify the password used to encrypt the file. Click Next.
Screenshot 210: Add filtering conditions
8. Add advanced filtering parameters to import specific data only. Leave blank to import all the event logs from the file.
Note: For more information, refer to Building Query Restrictions.
Screenshot 211: Execute job options
9. Select when the job is executed and click Finish:
Table 83: Creating maintenance jobs - Schedule options
  Schedule job: The job is saved and executed according to the database operations schedule.
  Run the job now: The job is executed immediately. Unscheduled jobs only run once and cannot be reused.
14.2.
Screenshot 212: Creating Import\Export jobs
4. Select Import/Export Job and click Next.
Screenshot 213: Export to file
5. Select Export to file and click Next.
Screenshot 214:
6. Key in the path to the folder where the exported files are saved. Alternatively, click Browse to look for the location. Click Next.
Screenshot 215: Decrypt/Encrypt data
7. If the source database (esmstg) is encrypted, select Decrypt data using the following password and key in the decryption key in the Password field.
8. To encrypt the exported data, select Encrypt exported data using the following password and key in an encryption key in the Password and Confirm password fields. Click Next.
Screenshot 216: Filtering export data
9. Configure the following filtering options and click Next:
Table 84: Filtering export data
  Export all events: Export all events from the database.
  Events older than: Only export events older than the specified number of days/weeks/months.
Screenshot 217: Execute job options
10. Select when the job is executed and click Finish:
Table 85: Creating maintenance jobs - Schedule options
  Schedule job: The job is saved and executed according to the database operations schedule.
  Run the job now: The job is executed immediately. Unscheduled jobs only run once and cannot be reused.
3. Click Next at the wizard welcome screen.
Screenshot 218: Creating Import\Export jobs
4. Select Import/Export Job and click Next.
Screenshot 219: Export to SQL
5. Select Export to SQL and click Next.
Screenshot 220: Specifying SQL Server details
6. Configure the following server options and click Next:
Table 87: Export to SQL - Server options
  Server: Key in the name of the machine that is running SQL Server.
  Database: Key in the name of the destination database. Note: If the specified database does not exist, GFI EventsManager creates it for you.
  Table: Key in the name of the destination table. Note: If the specified table does not exist, GFI EventsManager creates it for you.
Screenshot 221: Select columns to export
7. Select the columns you want to export and click Next.
Note: To export all columns, select Export all columns.
Screenshot 222: Filtering export data
8. Configure the following filtering options and click Next:
Table 88: Filtering export data
  Export all events: Export all events from the database.
  Events older than: Only export events older than the specified number of days/weeks/months.
  Events in the last: Only export events that occurred in the last specified number of days/weeks/months.
  Mark events as deleted: Hide events from the source database after they are exported.
Screenshot 223: Execute job options
9. Select when the job is executed and click Finish:
Table 89: Creating maintenance jobs - Schedule options
  Schedule job: The job is saved and executed according to the database operations schedule.
  Run the job now: The job is executed immediately. Unscheduled jobs only run once and cannot be reused.
14.2.4 Copy data
To create Copy data jobs:
1. Click Configuration tab and select Options.
2.
Screenshot 224: Creating Import\Export jobs
4. Select Import/Export Job and click Next.
Screenshot 225: Select Copy data job
5. Select Copy data and click Next.
Screenshot 226: Specify source and destination databases
6. Select the source and destination databases. Click Next.
Screenshot 227: Decrypt source and encrypt destination databases
7. If the source database is encrypted, select Decrypt data using the following password and specify the password used to encrypt the database.
8. If you want to encrypt the copied data, select Encrypt exported data using the following password. Specify the encryption password and click Next.
Screenshot 228: Filtering export data
9. Configure the following filtering options and click Next:
Table 90: Filtering export data
  Export all events: Export all events from the database.
  Events older than: Only export events older than the specified number of days/weeks/months.
3. Click Next at the wizard welcome screen.
Screenshot 229: Creating Import\Export jobs
4. Select Import/Export Job and click Next.
Screenshot 230: Create commit deletion jobs
5. Select Commit deletions and click Next.
Screenshot 231: Select database to delete records from
6. Select the database to delete records from. Click Next.
7. Select when the job is executed and click Finish:
Table 92: Creating maintenance jobs - Schedule options
  Schedule job: The job is saved and executed according to the database operations schedule.
  Run the job now: The job is executed immediately. Unscheduled jobs only run once and cannot be reused.
14.2.6 Import from SQL Server® Database
1.
Screenshot 232: Creating Import\Export jobs
4. Select Legacy Import Job and click Next.
Screenshot 233: Select Import from SQL Server Database
5. Select Import from SQL Server® database and click Next.
Screenshot 234: Specify SQL Server address and login details
6. Configure the following server options and click Next:
Table 93: Export to SQL - Server options
  Server: Key in the name of the machine that is running SQL Server.
  Database: Key in the name of the source database.
  Use Windows authentication: Use the same logon credentials used to log on to Windows®. The SQL Server® must support this authentication mode for GFI EventsManager to connect and copy information from the server.
Screenshot 235: Decrypt anonymized databases
7. (Optional) If the SQL Server® database is anonymized, select Enable decryption and specify the password used to anonymize the database.
8. (Optional) If the SQL Server® database was anonymized using two passwords, select Use secondary decryption key and specify the second security password used to anonymize the database. Click Next.
9. Add advanced filtering parameters to import specific data only. Leave blank to import all the event logs.
Note: For more information, refer to Building Query Restrictions.
Screenshot 237: Specify when the maintenance job is executed
Select Run the job now and click Finish.
14.2.7 Import from legacy files
To create Import from legacy files jobs:
1. Click Configuration tab and select Options.
2. From Configurations, right-click the Database Operations node and select Create new job…
3.
Screenshot 238: Creating Import\Export jobs
4. Select Legacy Import Job and click Next.
Screenshot 239: Import from legacy files
5. Select Import from legacy files and click Next.
Screenshot 240: Specify import file location
6. Specify the path to the configuration file that contains the data you want to import. Optionally, click Browse to look for the location. Click Next.
Screenshot 241: Decrypt the information in the import file
7. (Optional) If the file was encrypted, select Decrypt the files using the following password and specify the password used to encrypt the file. Click Next.
Screenshot 242: Remove anonymization
8. (Optional) If the file is anonymized, select Enable decryption and specify the password used to anonymize the data.
9. (Optional) If the file was anonymized using two passwords, select Use secondary decryption key and specify the second key used to anonymize the data within the file. Click Next.
10. Add advanced filtering parameters to import specific data only. Leave blank to import all the event logs.
Note: For more information, refer to Building Query Restrictions.
Screenshot 244: Specify when the maintenance job is executed
Select Run the job now and click Finish.
14.2.8 Import from legacy file storage
To create Import from legacy files jobs:
1. Click Configuration tab and select Options.
2. From Configurations, right-click the Database Operations node and select Create new job…
3.
Screenshot 245: Creating Import\Export jobs
4. Select Legacy Import Job and click Next.
Screenshot 246: Import legacy file storage data
5. Select Import from legacy file storage and click Next.
6. Specify the path where the import file is located. Alternatively, click Browse and look for the location.
7. (Optional) If the data is anonymized, select Enable decryption and specify the password used to encrypt the data.
8. (Optional) If the data is encrypted with two passwords, select Use secondary decryption key and key in the secondary password. Click Next.
9. (Optional) Specify filtering conditions to filter out unwanted data. Leave blank to export all the data in the database. For more information, refer to Defining Restrictions. Click Next.
Screenshot 248: Maintenance job activity
Click Status tab > Job Activity. The status of all maintenance jobs is displayed in the Queued Jobs section.
To view created maintenance jobs:
Screenshot 249: Viewing scheduled maintenance jobs
1. Click Configuration tab and select Options.
2. From Configurations, select the Database Operations node. Scheduled maintenance jobs are displayed in the right pane.
14.3.2 Editing maintenance job properties
To edit maintenance job properties:
1.
Screenshot 250: Maintenance job properties dialog
3. From the Job Properties dialog, you can modify the settings you configured while creating the job, such as:
  Encryption/decryption passwords
  Database names and addresses
  Source/destination paths
  General job details
4. Click Apply and OK.
Note: For more information, refer to Creating maintenance jobs.
14.3.3 Changing maintenance jobs priority
Screenshot 251: Maintenance job priorities
By default, maintenance jobs are executed in the sequence in which they were created (first in, first out). The priority of a maintenance job is therefore determined by its position in the execution sequence. To increase or decrease the priority of a maintenance job:
1. Click Configuration tab and select Options.
2. From Configurations, select the Database Operations node.
3.
15 Configuring the Management Console
This chapter provides information about configuring general settings of GFI EventsManager, such as product licensing, performance options and product updates.
Topics in this chapter:
15.1 Performance options 285
15.2 Product updates 286
15.3 Product licensing 293
15.4 Product version information 294
15.5 Importing and Exporting settings 295
15.6 Building query restrictions 302
15.
Screenshot 253: Performance Options dialog
2. Select/unselect Enable EventsManager service performance to enable/disable the service performance options.
3. Move the slider from left (low) to right (high) until you reach the required performance level.
4. Click Apply and OK.
Note: Setting the performance level to low is estimated to process 50 events per second per event source, while setting the bar to high processes 1,000 - 2,000 events per second per event source.
15.
15.2.1 Downloading updates directly
GFI EventsManager enables users to configure how to automatically check for, download and install product updates. To configure Auto Update options:
1. From Configuration tab > Options > Configurations, right-click Auto Update Options and select Edit updater options...
Screenshot 254: Configure auto update options
2.
Screenshot 255: Configuring proxy settings to download product updates
4. Select Use a proxy server and key in the proxy server address and listening port in the Address and Port fields.
5. (Optional) If the proxy server requires authentication, select Enable Authentication and key in the proxy logon credentials.
6. Click Apply and OK.
15.2.2 Downloading updates from an alternate location (offline)
To download product updates, GFI EventsManager connects to GFI's updates server. To download updates from an alternate location:
1. On a computer with Internet access, go to http://update.gfi.com/esm.
2. Key in your username and password. This opens the GFI EventsManager updates directory on the updates server.
Screenshot 256: GFI EventsManager updates
3. Click ESMUpdateInfo.xml.gz and save it to a location of your choice.
Note: Transfer the downloaded updates package from the computer with Internet access to the GFI EventsManager host.
Screenshot 257: GFI EventsManager updates repository
4. On the GFI EventsManager machine, copy the updates package to the following repository: C:\Program Files\GFI\EventsManager2012\Data\AutoUpdate.
Screenshot 258: Open CMD in administrator mode
5. Open CMD in elevated privileges mode and key in:
  64-bit systems: CD C:\Program Files (x86)\GFI\EventsManager2012
  32-bit systems: CD C:\Program Files\GFI\EventsManager2012
Press Enter.
Screenshot 259: Change path to GFI EventsManager install directory
Note: The path changes according to the install directory you specified.
Screenshot 260: Manually launch an update session
6. Key in: updater.exe /InstallNow
Press Enter.
To ensure that all updates are installed, run updater.exe /InstallNow repeatedly until you get a message indicating that 0 missing updates were found.
Screenshot 261: Updates status
15.3 Product licensing
GFI EventsManager is licensed by event source/computer. All devices that generate a log are considered to be an event source. Refer to the sections below for more information about GFI EventsManager licensing options.
3. Specify your license key and click OK.
15.3.2 Obtaining a free 30-day trial license key
GFI EventsManager allows you to register your version of the product and receive a free 30-day trial. Once the trial period expires, all event log monitoring and management services are disabled and a full license key is required. To register and receive a 30-day trial license key:
1. From General tab > General, click Licensing.
2. Click the provided link.
Screenshot 264: Version Information screen
2. View version information details from the right pane.
3. (Optional) Click Click here to obtain the version number of the latest release to get the latest version information from GFI servers.
15.4.2 Checking for newer versions
To check for newer builds of GFI EventsManager:
1. From General tab > General, right-click Version Information and select Check for newer builds...
2.
Exporting configurations to a file
Importing configurations from a file
Importing configurations from another instance
15.5.1 Exporting configurations to a file
To export your GFI EventsManager configurations:
1. Click File > Import and Export Configurations....
Screenshot 265: Export configurations to a file
2. Select Export the desired configurations to a file and click Next.
Screenshot 266: Specify export destination
3. Specify the location where the exported file will be saved, or click Browse... to look for the location. Click Next.
Screenshot 267: Select export configurations
4. Select the configurations you want to export and click Next.
5. Wait for GFI EventsManager to export the configurations and click OK.
15.5.2 Importing configurations from a file
To import configurations from a file:
1. Click File > Import and Export Configurations....
Screenshot 268: Import configurations from a file
2. Select Import the desired configurations from a file and click Next.
Screenshot 269: Specify configuration file location
3. Specify the path where the import file is stored, or click Browse... to look for it. Click Next.
Screenshot 270: Select configurations to import
4. Select the configurations you want to import and click Next.
5. Wait for GFI EventsManager to import the configurations and click OK.
Note: If GFI EventsManager detects other configurations, it asks you whether you want to override or merge both configurations.
15.5.3 Importing configurations from another instance
To import configurations from another instance of GFI EventsManager:
1. Click File > Import and Export Configurations...
Screenshot 271: Import configurations from another instance of GFI EventsManager
2. Select Import the configurations from another instance and click Next.
Screenshot 272: Specify instance location
3. Specify the installation folder path of the instance you want to import configurations from. Alternatively, click Browse... to look for it. Click Next.
Screenshot 273: Select configurations to import from another instance of GFI EventsManager
4. Select the configurations you want to import and click Next.
5. Wait for the configurations to import and click OK.
Note: If GFI EventsManager detects other configurations, it asks you whether you want to override or merge both configurations.
15.6 Building query restrictions
GFI EventsManager enables you to build custom queries using the Edit Query Restriction dialog. Queries are instructions that GFI EventsManager sends to the database backend when storing and retrieving data. They are also used to configure rules that trigger actions and alerts when certain attribute values are detected.
Screenshot 274: Users, Events processing rules and Report queries
15.6.1 Using the Edit Query Restriction dialog
To edit query restrictions for granular filtering and configuration:
1. The following table describes how to launch the Edit Query Restriction dialog for users, reports and processing rules:
Table 96: Launching the Edit Query Restrictions dialog
  Users: To launch the query restrictions dialog:
    1. Click Configuration tab > Options > Users and Groups > Users.
    2.
Screenshot 275: Defining restrictions: Editing a query restriction
2. From the list of available fields, select a field. Optionally, key in the name in the Field Name text box to search for the required field.
3. Specify a Field Operator for the selected field. Available operators include:
Table 97: Defining restrictions: Field Operators
  Equal To: When the event field is equal to the configured value.
Note: You can copy report restrictions from existing reports. From Reporting tab > Reports, right-click a report and select Copy Report Restrictions.
Screenshot 276: Defining restrictions: Customizing the condition
6. Once all the restrictions are defined, use the options described below to customize the query conditions:
Table 98: Defining restrictions: Query Condition tools
  AND: Select the condition to configure and select AND.
  + ): Click '+ )' to add a closing bracket to the selected condition. Conditions enclosed in brackets are processed first.
  - (: Click '- (' to remove an opening bracket from the selected condition.
  - ): Click '- )' to remove a closing bracket from the selected condition.
  Add: Click Add to launch the restrictions dialog and add more fields to the condition.
  Edit: Click Edit to access the restrictions dialog and customize the selected condition.
16 Command Line Tools
GFI EventsManager provides command line tools through which you can perform various functions without accessing the Management Console. The available CMD tools are located in the GFI EventsManager install folder.
Topics in this chapter:
16.1 Using ESMCmdConfig.exe 307
16.2 Using EsmDlibM.exe 310
16.3 Using DLibAdm.exe 318
16.4 Using EsmReport.exe 320
16.1 Using ESMCmdConfig.exe
ESMCmdConfig.
16.1.1 /op:registerService
This function enables you to register GFI EventsManager services using an administrator account. The following parameters are supported:
Table 99: /op:registerService Parameters
  /username: Specify the username of an administrator account. Note: Parameters that contain spaces must be enclosed in double quotes (").
  /pass: Specify the password for the account specified in the /username parameter.
Example: ESMCmdConfig.
Example: ESMCmdConfig.exe /op:SetLicense /licenseKey:*********
16.1.5 /op:configureAlerting
This function enables you to turn on and configure email alerting options. The following parameters are supported:
Table 102: /op:configureAlerting Parameters
  /Server: Specify the mail server IP address or fully qualified domain name (FQDN).
  /SenderEmail: Specify the sender email address. Notifications appear to have been sent from the specified address.
Example: ESMCmdConfig.exe /op:createProgramGroupShortcuts
16.1.8 /op:removeProgramGroupShortcuts
This function enables you to remove group shortcuts and has no additional parameters.
Example: ESMCmdConfig.exe /op:removeProgramGroupShortcuts
16.1.9 /op:getComputers
This function enables you to retrieve a text file containing the names of the event sources managed by GFI EventsManager.
/commitDeletedRecords
/exportToSQL
16.2.1 /importFromSQL
This function enables you to import data from an SQL Server® database. The data must have been exported from an older version of GFI EventsManager. The following parameters are supported:
Table 105: /importFromSQL Parameters
  /server: Specify the SQL Server® IP address or machine name.
  /database:<(maindb)|(backupdb)|databaseName> Specify the type and name of the source database to import data from.
  /anonpass2:<password> (Optional) If the source database is anonymized using two anonymization keys, key in the secondary anonymization password to decrypt the import data.
Example: EsmDlibM.exe /importFromDlib /path:C:\DLibServer /name:EventsData /anonpass1:p@ss
16.2.3 /copyData
This function enables you to copy data from one DLib database server to another.
  /period:<type> Enables you to filter by event date to get events from the last days/weeks/months or older than days/weeks/months. For instance, to filter events that happened in the last 24 days, the parameter value is l24d; to filter events older than 3 weeks, the parameter value is O3W. Supported values include:
    o - older than
    l - last
    - the number of days/weeks/months
    d - days
    w - weeks
    m - months
Example: EsmDlibM.exe /copyData /destinationPath:Z:\DestServ /destinationName:DestData /sourcePath:C:\SourServ /sourceName:SourData /sourceEncPass:p@ss /markEventsAsDeleted
16.2.4 /importFromLegacyFile
This function enables you to import data that was exported to files from an older version of GFI EventsManager. The following parameters are supported:
Table 108: /importFromLegacyFile Parameters
  /path: Specify the path to the import file.
  /period:<type> Enables you to filter by event date to get events from the last days/weeks/months or older than days/weeks/months. For instance, to filter events that happened in the last 24 days, the parameter value is l24d; to filter events older than 3 weeks, the parameter value is O3W. Supported values include:
    o - older than
    l - last
    - the number of days/weeks/months
    d - days
    w - weeks
    m - months
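The /period value format described in the EsmDlibM.exe parameter tables above (l24d for the last 24 days, O3W for events older than 3 weeks) is small enough to parse exactly, which is useful when validating job definitions before they run. The Python below is an added example, not part of this guide or of GFI's tools: it parses the value, turns it into a date boundary and applies it to constructed sample events; treating the "last" boundary as inclusive and months as calendar months are assumptions, since the guide does not define them.

```python
import calendar
import re
from datetime import datetime, timedelta

# Grammar of the /period value as the guide describes it:
#   <o|l><N><d|w|m>   o = older than, l = last, N = count, d/w/m = days/weeks/months
# Matching is case-insensitive because the guide itself writes both l24d and O3W.
PERIOD_RE = re.compile(r"^(?P<dir>[ol])(?P<count>\d+)(?P<unit>[dwm])$", re.IGNORECASE)


def parse_period(value):
    """Return (direction, count, unit) for a /period value, or raise ValueError."""
    m = PERIOD_RE.match(value.strip())
    if not m:
        raise ValueError(f"invalid /period value: {value!r}")
    count = int(m.group("count"))
    if count == 0:
        raise ValueError("period count must be at least 1")
    return m.group("dir").lower(), count, m.group("unit").lower()


def is_valid_period(value):
    """True if the value parses; handy for checking a job definition up front."""
    try:
        parse_period(value)
        return True
    except ValueError:
        return False


def shift_back(now, count, unit):
    """Subtract count days/weeks/months from now.

    Months are calendar months (assumption: the guide does not say 30 days), and
    the day is clamped so that e.g. 31 March minus one month lands on 29 February.
    """
    if unit == "d":
        return now - timedelta(days=count)
    if unit == "w":
        return now - timedelta(weeks=count)
    month0 = now.month - 1 - count          # zero-based month, may go negative
    year = now.year + month0 // 12
    month = month0 % 12 + 1
    day = min(now.day, calendar.monthrange(year, month)[1])
    return now.replace(year=year, month=month, day=day)


def period_predicate(value, now):
    """Build a callable over event timestamps that implements the /period filter.

    'l' (last):       keep events with boundary <= timestamp <= now
    'o' (older than): keep events with timestamp < boundary
    Making the 'last' boundary inclusive is an assumption; the guide only gives
    the phrases "last" and "older than".
    """
    direction, count, unit = parse_period(value)
    boundary = shift_back(now, count, unit)
    if direction == "l":
        return lambda ts: boundary <= ts <= now
    return lambda ts: ts < boundary


# Constructed sample events (not real EventsManager data); 'time' is the event timestamp.
NOW = datetime(2024, 3, 31, 12, 0, 0)
SAMPLE_EVENTS = [
    {"id": 1, "time": datetime(2024, 3, 31, 9, 0)},   # a few hours before NOW
    {"id": 2, "time": datetime(2024, 3, 20, 9, 0)},   # 11 days before NOW
    {"id": 3, "time": datetime(2024, 3, 1, 9, 0)},    # 30 days before NOW
    {"id": 4, "time": datetime(2023, 12, 15, 9, 0)},  # about 3.5 months before NOW
]


def selected_ids(value, events=SAMPLE_EVENTS, now=NOW):
    """Return the ids of the events a /period value would select, in input order."""
    keep = period_predicate(value, now)
    return [e["id"] for e in events if keep(e["time"])]


if __name__ == "__main__":
    for spec in ("l24d", "O3W", "o1m", "l2w"):
        print(f"/period:{spec:<5} selects events {selected_ids(spec)}")
```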
Example: EsmDlibM.exe /exportToFile /path:C:\ExportedDataFolder /sourceEncPass:p@ss /markEventsAsDeleted /importance:High
16.2.6 /importFromFile
This function enables you to import data from a file as part of the data centralization process. The import file must have been created by an Export to File job. The following parameters are supported:
Table 110: /importFromFile Parameters
  /path: Specify the path where the import file is saved.
Example: EsmDlibM.exe /importFromFile /path:C:\ImportFolder\Import.cfg /password:p@ss /machine:MS11.domain.com /occured:true
16.2.7 /commitDeletedRecords
This function enables you to delete events that are marked as deleted from the database. The following parameters are supported:
Table 111: /commitDeletedRecords Parameters
  /dbPath: Specify the path to the database server which contains the events marked as deleted.
  /table: Specify the name of the destination table. Note: Parameters that contain spaces must be enclosed in double quotes (").
  /period:<type> Enables you to filter by event date to get events from the last days/weeks/months or older than days/weeks/months. For instance, to filter events that happened in the last 24 days, the parameter value is l24d; to filter events older than 3 weeks, the parameter value is O3W.
16.3.1 /decryptDatabase
This function enables you to decrypt an encrypted DLib database. The following parameters are supported:
Table 113: /decryptDatabase Parameters
  /dbPath: Specify the path to the database you want to decrypt. Note: Parameters that contain spaces must be enclosed in double quotes (").
  /dbName: Specify the name of the database you want to decrypt. Note: Parameters that contain spaces must be enclosed in double quotes (").
Table 115: /displayAllDLib Parameters
  /path: Specify the folder path where you want to scan for valid DLib Database Servers. Note: Parameters that contain spaces must be enclosed in double quotes (").
Example: DLibAdm.exe /displayAllDLib /path:"C:\Program Files\GFI\Database Server 2.0"
16.3.4 /copyMoveDLib
This function enables you to copy or move a DLib database to a specified location.
CD
4. Key in EsmReport.exe followed by any of the following functions:
  Generate Configuration reports
  Generate Status reports
  Generate Events reports
16.4.1 Generate Configuration reports
This function enables you to generate Configuration reports about a single event source or a group of event sources.
Table 118: Status report parameters
  /type: Specify the type of report you want to generate. Supported values are: configuration, status, events. Key in /type:status to generate a status report.
  /subtype: Specify the type of status report you want to generate.
  /repname: Specify a name for the generated report. Note: Parameters that contain spaces must be enclosed in double quotes (").
  /repid: Specify a unique ID for the generated report. Note: Parameters that contain spaces must be enclosed in double quotes (").
  /target Specify the folder path where the report is saved. Note: Parameters that contain spaces must be enclosed in double quotes (").
  /format: Specify the format of the report.
  /sourceFile: name when running an importFile operation. Note: Parameters that contain spaces must be enclosed in double quotes (").
  /sourceFolder: Specify the folder name that contains the exported configurations. Use this parameter to define the folder name when running an importFolder operation.
Example: ExportSettings.
17 Miscellaneous This chapter provides you with information related to configuring Third-Party components required for GFI EventsManager auditing operations. Learn how to configure and run GFI EventsManager actions through the provided command line tools. Topics in this chapter: 17.1 Enabling event source permissions manually 326 17.2 Enabling event source permissions automatically 334 17.3 Disabling User Account Control (UAC) 339 17.
Screenshot 277: Firewall rules on Microsoft® Windows® XP
2. From the Programs and Services list, enable File and Printer Sharing.
3. Click OK.

17.1.2 Enabling permissions on Microsoft® Windows® Vista
To enable permissions on machines running Microsoft® Windows® Vista:
Step 1: Enable Firewall permissions
Step 2: Enable additional auditing features

Step 1: Enable Firewall permissions
1. Click Start > Control Panel > Security and click Allow a program through Windows Firewall from the left panel.
2.
Step 2: Enable additional auditing features
1. Click Start > Run and key in secpol.msc. Press Enter.
2. From the Security Settings node, expand Local Policies > Audit Policy.
Screenshot 278: Local security policy window
3. From the right panel, double-click Audit object access.
Screenshot 279: Audit object access properties
4. From the Audit object access Properties, select Success and Failure and click OK.
5. From the right panel, double-click Audit process tracking.
6. From the Audit process tracking Properties, select Success and Failure and click OK.
7. From the right panel, double-click Audit account management.
8. From the Audit account management Properties, select Success and Failure and click OK.
9. From the right panel, double-click Audit system events.
10.
17.1.3 Enabling permissions on Microsoft® Windows® 7
To enable permissions on machines running Microsoft® Windows® 7:
Step 1: Enable Firewall permissions
Step 2: Enable additional auditing features

Step 1: Enable Firewall permissions
To manually enable firewall rules on Microsoft® Windows® 7:
1. Click Start > Control Panel > System and Security and click Allow a program through Windows Firewall, under the Windows Firewall category.
Screenshot 280: Allowed programs in Microsoft® Windows® Vista or later
2.
4. Click OK.

Step 2: Enable additional auditing features
1. Click Start > Run and key in secpol.msc. Press Enter.
2. From the Security Settings node, expand Local Policies > Audit Policy.
Screenshot 281: Local security policy window
3. From the right panel, double-click Audit object access.
4. From Audit object access Properties, select Success and Failure. Click OK.
Screenshot 282: Audit object access Properties
5. From the right pane, double-click Audit process tracking.
6. From Audit process tracking Properties, select Success and Failure. Click OK.
7. From Audit process tracking Properties, select Success and Failure. Click OK.
8. From the right panel, double-click Audit account management.
9. From Audit account management Properties, select Success and Failure. Click OK.
10. From the right panel, double-click Audit system events.
11.
Screenshot 283: Enable firewall rules in Microsoft® Windows® Server 2003
2. From the Programs and Services list, enable File and Printer Sharing.
3. Click OK.

17.1.5 Enabling permissions on Microsoft® Windows® Server 2008 (including R2)
1. Click Start > Control Panel > Security and click Allow a program through Windows Firewall under the Windows Firewall category.
2. In the list of programs, enable the following:
   File and Printer Sharing
   Network Discovery
   Remote Event Log Management
Screenshot 284: Firewall rules on Microsoft® Windows® Server 2008
3. Click OK.
Note: In Windows® Server 2008 R2, ensure that Domain, Private and Public are selected for each rule mentioned above.

17.2 Enabling event source permissions automatically
This section contains information about:
Enabling permissions on Windows® Server 2003 via GPO
Enabling permissions on Windows® Server 2008 via GPO
17.2.
1. Click Start > Run, key in mmc. Press Enter.
2. Click File > Add/Remove Snap-in and click Add.
3. Locate and select Group Policy Object Editor and click Add.
4. Click Browse, select Default Domain Policy and click OK.
5. Click Finish.
6. Select Group Policy Object Editor again and click Add.
7. Click Browse, double-click the Domain Controllers folder and select Default Domain Controllers Policy. Click OK.
8. Click Finish and Close.
9.
Screenshot 286: Group Policy Management in Microsoft® Windows® Server 2008 R2
3. Right-click Default Domain Policy and select Edit.
4.
Screenshot 287: Group Policy Management Editor
5. In the New Inbound Rule Wizard, select Predefined and select File and Printer Sharing.
Screenshot 288: Predefined rules
6. Click Next.
7. Select all rules and click Next.
8. Select Allow the connection and click Finish.
9. Repeat steps 5 to 8 for each of the following rules:
   Remote Event Log Management
   Network discovery
10. From Group Policy Management Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, right-click Outbound Rules and select New Rule…
11.
13. From Group Policy Management, expand Group Policy Management > Forest > Domains > > Default Domain Controllers Policy.
14. Repeat steps 4 to 13.
15. Click File > Save to save the management console.
The group policy comes into effect the next time each machine is restarted.

17.3 Disabling User Account Control (UAC)
When GFI EventsManager is configured to collect events using a local account, target machines must have User Account Control (UAC) disabled.
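The following script is an added example, not GFI's own tooling: it applies the section 17.1 firewall and audit settings on one host with the built-in netsh and auditpol tools, reads them back (so the result of the section 17.2 GPO can be verified the same way), and reports the section 17.3 UAC state without changing it. It assumes Windows Vista / Server 2008 or later and an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the GFI EventsManager product): enables the rule groups and
# audit categories that section 17.1 sets through the GUI, then verifies them.
# Assumes Vista / Server 2008 or later; netsh advfirewall and auditpol ship with Windows.

$firewallGroups = @('File and Printer Sharing', 'Network Discovery', 'Remote Event Log Management')

# Audit Policy item shown in secpol.msc  ->  category name understood by auditpol
$auditCategories = @{
    'Audit object access'      = 'Object Access'
    'Audit process tracking'   = 'Detailed Tracking'
    'Audit account management' = 'Account Management'
    'Audit system events'      = 'System'
}

foreach ($group in $firewallGroups) {
    # Same effect as ticking the group under "Allow a program through Windows Firewall";
    # the whole predefined group is enabled for every profile (Domain, Private, Public).
    netsh advfirewall firewall set rule group="$group" new enable=yes | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "netsh reported no rule group named '$group'" }
}

foreach ($item in $auditCategories.GetEnumerator()) {
    # Same effect as selecting Success and Failure in the "<item> Properties" dialog
    auditpol /set /category:"$($item.Value)" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$($item.Key)'" }
}

# Read back: every subcategory of each category should now report "Success and Failure"
foreach ($item in $auditCategories.GetEnumerator()) {
    $rows = auditpol /get /category:"$($item.Value)" | ForEach-Object {
        # Subcategory lines are indented by two spaces, then the setting column
        if ($_ -match '^\s{2}(\S.*?)\s{2,}(\S.*)$') {
            [pscustomobject]@{ Subcategory = $Matches[1]; Setting = $Matches[2] }
        }
    }
    $wrong = $rows | Where-Object { $_.Setting -ne 'Success and Failure' }
    if ($wrong) { $wrong | ForEach-Object { Write-Warning "$($item.Key): $($_.Subcategory) is '$($_.Setting)'" } }
    else { Write-Output "$($item.Key): all subcategories audit Success and Failure" }
}

# Section 17.3 check, reported only: EnableLUA = 1 means UAC is still on
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA
Write-Output ("UAC enabled: {0}" -f ($uac.EnableLUA -eq 1))
```

On domain members, Advanced Audit Policy settings delivered by GPO overwrite local auditpol values at the next policy refresh, so the read-back loop is the useful part there and the categories themselves belong in the GPO from section 17.2.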
18 Troubleshooting
Use the information in the following sections to resolve issues encountered in GFI EventsManager:
Documentation
GFI SkyNet
Request technical support
Web forum
Troubleshooter wizard

18.1 Documentation
If this manual does not satisfy your expectations, or if you think that this documentation can be improved in any way, let us know via email at: documentation@gfi.com.
18.
Screenshot 290: Select information gathering mode
4. Select how the troubleshooter will collect information. Select from:
   Automatically detect and fix known issues - Select this option to allow GFI EventsManager to run a set of checks to determine what is wrong.
   Gather only application information and logs - Specify your contact details, issue description and your system information to upload them to our support team. If you choose this option, skip to step 9.
Screenshot 291: Troubleshooter automatic checks
5. Wait for the troubleshooter to run the required checks and click Next.
Screenshot 292: Troubleshooter automatically fixing detected issues
6. Wait for the troubleshooter to apply fixes for issues detected during the check. If this solves your problem, click Yes and Finish. If the problem remains, select No and click Next.
Screenshot 293: If the problem persists, search for articles on our knowledge base
7. Search our knowledge base archive for articles related to your problem. Key in the error you are encountering in the Enter search items text box and click Search. If this solves your problem, click Yes and Finish. If the problem remains, select No and click Next.
Screenshot 294: Manually checking for issues
8. Click Next.
Screenshot 295: Specify contact details
9. Key in your contact details so that our support team can contact you for further analysis information. Click Next.
Screenshot 296: Key in the problem description and other information
10. Specify the error you are getting and any other information that would help our support team to recreate this issue. Click Next.
Screenshot 297: Gathering machine information
11. The troubleshooter scans your system to gather hardware information. You can manually add more information in the space provided or click Next.
Screenshot 298: Finalizing the troubleshooting process
12. At this stage, the troubleshooter creates a package with the information gathered in the previous steps. Next, send this package to our support team so they can analyze and troubleshoot your problem.
   FTP Upload Instructions - Opens an article with instructions on how to upload the troubleshooter package to our FTP server.
   Open Containing Folder - Opens the folder containing the troubleshooter package so that you can send it via email.
   Go to GFI Support - Opens the support page of the GFI website.
13. Click Finish.
19 Glossary
A
Actions: The activity that will be carried out as a result of events matching specific conditions. For example, you can trigger actions whenever an event is classified as critical. Actions supported by GFI EventsManager include Email alerts, event archiving and execution of scripts.
Alerts: Notifications which inform recipients that a particular event has occurred. GFI EventsManager can generate Email alerts, SMS alerts and Network alerts.
Event logs: A collection of entries which describe events that occurred on the network or on a computer system. GFI EventsManager supports different types of event logs including: Windows Event Log, W3C Logs, Syslog, SNMP Traps and SQL Server audit events.
Event processing rules: A set of instructions which are applied against an event log.
F
File and Printer sharing: Enable this firewall permission to allow GFI EventsManager to access event definitions on target machines.
Network discovery: Enable this firewall permission to allow GFI EventsManager to gather information about connected machines on the network that can be scanned. For more information, refer to http://technet.microsoft.com/en-us/library/cc181373.aspx
Noise: Repeated log entries which report the same event.
O
Object auditing: Enable this auditing feature to audit events of users accessing objects (for example, files, folders and printers). For more information, refer to http://technet.microsoft.
Syslog messages: Notifications/alerts most commonly generated and transmitted to a Syslog server by UNIX and Linux-based systems whenever important events occur. Syslog messages can be generated by workstations, servers as well as active network devices and appliances such as Cisco routers and Cisco PIX firewalls to record failures and security violations amongst other activities.
USA, CANADA AND CENTRAL AND SOUTH AMERICA 15300 Weston Parkway, Suite 104 Cary, NC 27513, USA Telephone: +1 (888) 243-4329 Fax: +1 (919) 379-3402 ussales@gfi.com UK AND REPUBLIC OF IRELAND Magna House, 18-32 London Road, Staines-upon-Thames, Middlesex, TW18 4BP, UK Telephone: +44 (0) 870 770 5370 Fax: +44 (0) 870 770 5377 sales@gfi.com EUROPE, MIDDLE EAST AND AFRICA GFI House, San Andrea Street, San Gwann, SGN 1612, Malta Telephone: +356 2205 2000 Fax: +356 2138 2419 sales@gfi.