GFI EventsManager

GFI EventsManager 7.1
Manual
By GFI Software Ltd.
http://www.gfi.com
Email: [email protected]
This manual was produced by GFI Software Ltd. Information in this
document is subject to change without notice. Companies, names,
and data used in examples herein are fictitious unless otherwise
noted. No part of this document may be reproduced or transmitted in
any form or by any means, electronic or mechanical, for any purpose,
without the express written permission of GFI Software Ltd.
GFI EventsManager is developed by GFI Software Ltd. GFI
EventsManager is copyright of GFI Software Ltd. © 2000-2006 GFI
Software Ltd. All rights reserved.
Version 7.1 – Last updated: March 28, 2007
Contents

Introduction  5
    About this manual  5
        How is this manual structured  5
    About GFI EventsManager  8
    Key Features  8
    How does GFI EventsManager work?  11
    Navigating the GFI EventsManager management console  13
    Licensing  14
Installation  15
    Introduction  15
        Deployment of GFI EventsManager on a Local Area Network  15
        Deployment of GFI EventsManager on a Demilitarized Zone  16
    System requirements  17
    Upgrading from a previous version  18
    Installation procedure  18
Getting Started  21
    Introduction  21
    Getting Started: Launching GFI EventsManager for the first time  23
    Quick start dialog  24
    Configuring the database backend  25
        Configuring SQL Server details  26
    Changing database backend settings  27
    Configuring GFI EventsManager administrator account  27
    Configuring the general alerting options  30
        Configuring email alerts  31
        Configuring network alerts  32
        Configuring SMS alerts  32
    Changing the general alerting options  33
    Getting started: Processing event logs  34
Configuring event sources  35
    Introduction  35
    Adding new event sources to a default group  35
    Configuring event source properties  36
    Configuring general event source properties  37
    Configuring alternative domain administrator credentials  38
    Configuring event source operational time  39
    Configuring event processing parameters  40
Configuring event processing rules  41
    Introduction  41
    Collecting and processing Windows events  43
    Configuring Custom Event Logs  46
    Collecting and processing W3C logs  47
    Collecting and processing Syslogs  49
    Configuring the Syslog server communications port  51
    Archiving events  52
    Selecting event processing rules  53
Configuring alerts and actions  55
    Introduction  55
    Configuring default classification actions  56
    Configuring actions through event processing rules  57
Event browsing  59
    Introduction  59
    Accessing and browsing stored event logs  62
    Applying event queries  63
    Creating custom event queries  63
    Customizing the event viewer pane  64
    Configuring event color coding  66
    Event finder tool  67
    Backup events  67
    Switching databases  68
    Clear all events  68
Status monitoring  69
    Introduction  69
    Accessing the status monitor  69
    General Status view  70
    Job Activity view  74
    Statistics view  77
Database Operations  80
    Introduction  80
    Why is there a need for database maintenance?  80
    Configuring Database Operations  81
    Creating maintenance jobs  84
    Move to database  86
    Export to file  87
    Import from file  89
    Delete data  90
    Configuring data filter conditions  91
    Viewing scheduled maintenance jobs  94
    Editing a maintenance job  95
    Editing a maintenance job priority  96
    Deleting a maintenance job  96
Customizing event processing rules  99
    Introduction  99
    Create a new rule-set folder  100
    Renaming and deleting folders  100
    Creating a new rule-set  100
    Editing a rule-set  101
    Deleting a rule-set  101
    Creating a new Windows Event Log rule  101
    Creating a new W3C rule  104
    Creating a new Syslog rule  107
    Changing the configuration settings of a rule  110
    Advanced event filtering parameters  111
        Windows Events Conditions  111
        Syslog Categories  111
Configuring users and groups  113
    Introduction  113
    Creating a new user  114
    Changing user properties  114
    Deleting users  114
    Configuring groups  115
        Changing user group properties  116
        Deleting user groups  116
Miscellaneous  117
    Command Line operations  117
    Licensing  120
        Entering License Key after installation  120
    Version information  121
        Checking for newer builds  121
Troubleshooting  123
    Introduction  123
    Knowledge Base  123
    Request technical support via email  123
    Request technical support via web chat  124
    Request technical support via phone  124
    Web Forum  124
    Build notifications  124
Appendix 1 – SMS Settings  125
    Global settings for SMS/pager alerts  125
    In-built GSM SMS Server  126
    GFI FAXmaker SMS service provider template  128
    Clickatell Email2SMS Service  130
    Generic SMS service provider template  132
Appendix 2: Configuring Windows  135
    Introduction  135
    Enabling the Remote Registry service  136
    Enabling Windows security auditing  137
    How to install Group Policy snap-ins  138
Appendix 3: Installing SQL Server Express Edition  143
    Introduction  143
    Software requirements  143
    Installation steps  143
Tutorial 1 – Configuring basic options through Quick Start Dialog  150
    Overview  150
    Parameters  150
    Part 1: Configuring GFI EventsManager database backend  151
    Part 2: Configuring default alerting options  153
    Part 3: Configuring GFI EventsManager administrator account  153
Tutorial 2 – Configuring event processing parameters  157
    Overview  157
    Parameters  157
    Part 1: Configuring log sources  158
    Part 2: Creating new event processing rules  159
        Section 1: Create a new rules folder  159
        Section 2: Create a new rule-set  161
        Section 3: Create a new rule  161
    Part 3: Configuring user properties, alerts and other actions  164
        Section 1: Create new users/alert recipients group  164
        Section 2: Add new alert recipient  166
        Section 3: Setting email alerts for Critical events  170
Tutorial 3 – Event Browsing and Filtering  172
    Overview  172
    Parameters  172
    Create a new event query  172
    Using the new event query  174
Tutorial 4 – Database Operations  176
    Overview  176
    Parameters  176
    Part 1: Configuring the interval/schedule  177
    Part 2: ‘Export to file’ maintenance job  178
    Part 3: ‘Move to database’ maintenance job  182
    Part 4: ‘Delete data’ maintenance job  186
    Part 5: ‘Import from file’ maintenance job  190
Index  195
Introduction
About this manual
How is this manual structured
This manual is structured in line with the logical chain of configuration
operations required to get GFI EventsManager up and running.
• Chapter 1 gives an overview of how GFI EventsManager works.
• Chapter 2 explains how to successfully install GFI EventsManager.
• Chapter 3 describes how to configure the key operational parameters
  which GFI EventsManager requires at first startup. These instructions
  are presented in their proper logical sequence and include all the
  information required to get GFI EventsManager ready for event
  processing.
• Chapters 4, 5 and 6 guide you through the process of configuring the
  essential parameters required for event processing. At the end of
  these chapters, you will be able to configure:
  - Event sources that will be monitored
  - Log types that will be collected and processed
  - Event processing rules that will be run against the collected logs
  - Alerts and actions that will be triggered on key events.
  NOTE: At this stage, you will have gained enough knowledge to run
  GFI EventsManager on default settings.
• Chapter 7 describes how to use the built-in events browser to analyze
  events stored in the GFI EventsManager database backend. This chapter
  explains how to use the tools and features provided in the events
  browser, including:
  - Default event log queries and the custom query builder
  - Event color-coding
  - The event finder tool.
• Chapter 8 describes how to use the Status Monitor to analyze the
  status of GFI EventsManager as well as view statistical information
  on processed events.
• Chapter 9 guides you through the process of creating and customizing
  event processing rules. This chapter is for advanced users who want
  to create their own event processing rules.
• Chapter 10 describes how to configure alert recipient parameters,
  including:
  - Personal details such as mobile phone number
  - Normal working hours
  - The type of alerts that will be sent to each recipient.
• Chapter 11 explains which main sources of information are available
  to help users troubleshoot product issues.
• Appendix 1 guides you through the process of configuring SMS alerting
  parameters, including SMS gateway provider settings.
• Appendix 2 guides you through the process of configuring the Windows
  settings and services required by GFI EventsManager.
• Appendix 3 guides you through the steps required to install Microsoft
  SQL Server 2005 Express Edition.
• Tutorials 1 to 4 guide you through the process of getting GFI
  EventsManager up and running.
Glossary of terms used in this manual
Actions: The activity that will be carried out as a result of events
matching specific conditions. For example, you can trigger actions
whenever an event is classified as Critical. Actions supported by GFI
EventsManager include email alerts, event archiving and the execution
of scripts.
Alerts: Notifications which inform recipients that a particular event
has occurred. GFI EventsManager can generate email alerts, SMS alerts
and network alerts.
Archive: A collection of events stored in the SQL Server-based database
backend of GFI EventsManager.
Email alerts: Email notifications which inform recipients that a
particular event has occurred. To enable email alerts, you must have
access to an active mail server.
Event classification: The categorization of events as Critical, High,
Medium, Low or Noise.
Event logs: A collection of entries which describe events that occurred
on the network or on a computer system. GFI EventsManager supports
three different types of event logs: Windows event logs, W3C logs and
Syslog.
Event processing rules: A set of instructions which are applied against
an event log.
Network alerts: Network messages (known as Netsend messages) which
inform recipients that a particular event has occurred. These messages
are delivered through the Windows Messenger service (the mechanism
behind the "net send" command) and are shown as a popup on the
recipient's desktop. To set up network alerts, you must specify the
name or IP address of the computers to which the Netsend messages will
be sent. Note that the Messenger service is disabled by default from
Windows XP SP2 onwards and is not present in Windows Vista, so
recipients may need to enable it before these alerts can be received.
Noise: Repeated log entries which report the same event.
Rule-set folder: The folder which contains one or more rule-sets.
Rule-sets: A collection of event processing rules.
SMS alerts: SMS notifications which inform recipients that a particular
event has occurred. In GFI EventsManager, SMS alerts can be sent
through various channels, including mobile phones with modem
capabilities and email-to-SMS web-based gateways.
Unclassified events: Events that did not satisfy any of the event
processing conditions configured in the event processing rules.
W3C logs: W3C is a common log format developed by the World Wide Web
Consortium. W3C logs are text-based flat files used mainly by web
servers, including Microsoft Internet Information Services (IIS), to
record web-related events such as HTTP requests.
Windows event logs: A collection of entries which describe events that
occurred on a computer system running a Windows OS.
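The W3C logs entry above describes the format only in outline. The parser below, added here as an example and not taken from the GFI EventsManager manual or product, shows what a collector of these files actually has to do: the "#Fields:" directive names the columns for the records that follow, IIS repeats the header block (with a possibly different field list) when a site restarts, and '+' and '-' inside a field stand for a space and an empty value. The sample log is constructed for the example; the field names are the standard IIS ones.

```python
"""Parser for the W3C Extended Log File Format (the format IIS writes).

Added example for this manual; not GFI EventsManager code. The field names
are the standard IIS ones and the sample log below is constructed.
"""
from typing import Dict, List

# Constructed sample. Directive lines start with '#'. IIS writes a fresh
# header block (including a new #Fields line) when the site restarts, so the
# column layout can change part-way through one file, as it does here.
SAMPLE_W3C_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-03-28 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-03-28 00:00:01 10.0.0.5 GET /index.htm 200
2007-03-28 00:00:02 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe 404
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-03-28 12:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2007-03-28 12:00:03 10.0.0.9 POST /login.asp user=admin 500 Mozilla/4.0+(compatible)
2007-03-28 12:00:04 10.0.0.9 GET /index.htm - 200 -
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields line in force.

    Fields are whitespace separated. IIS writes '+' in place of spaces inside a
    field and '-' for an empty field; both are decoded so the record holds what
    the client actually sent. A record whose column count does not match the
    current #Fields line is rejected rather than silently misaligned.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version and #Date carry no records
        if not fields:
            raise ValueError(f"line {lineno}: record before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append({name: "" if value == "-" else value.replace("+", " ")
                        for name, value in zip(fields, values)})
    return records


def failed_requests(records: List[Dict[str, str]],
                    minimum_status: int = 400) -> List[Dict[str, str]]:
    """Records whose HTTP status is at or above minimum_status (4xx and 5xx)."""
    return [r for r in records
            if r.get("sc-status", "").isdigit() and int(r["sc-status"]) >= minimum_status]


if __name__ == "__main__":
    for record in failed_requests(parse_w3c(SAMPLE_W3C_LOG)):
        print(record["c-ip"], record["cs-method"], record["cs-uri-stem"], record["sc-status"])
```

Rejecting a record whose column count does not match the header is deliberate: a misaligned row would put a status code in the URI column and quietly corrupt any rule that later matches on those fields.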
About GFI EventsManager
Figure 1 - GFI EventsManager integrates into any existing IT infrastructure
GFI EventsManager is a results-oriented event log management solution
which integrates into any existing IT infrastructure, automating and
simplifying the tasks involved in network-wide event management.
Through the features supported by GFI EventsManager you can:
• Automatically collect W3C, Syslog and Windows events from network
  devices and Windows/Linux/Unix based systems and manage them through
  one console.
• Archive collected events in a centralized SQL Server based database
  backend for future analysis and forensic studies.
• Filter unwanted events and classify key events through the use of
  powerful default or custom-built event processing rules.
• Automate alerting and remedial actions, such as the execution of
  scripts and files, on key events.
• Monitor your network activity and the status of the GFI EventsManager
  scanning engine through a built-in graphical dashboard.
• Analyze events through a built-in events browser.
• Simplify event forensics through specialized tools which include a
  built-in event query builder, an event finder tool and an event
  color-coding tool.
• Increase event processing power through a high-performance event
  scanning engine.
• Generate, schedule and email event activity and trend reports through
  GFI EventsManager ReportPack, the reporting companion tool which ships
  by default with GFI EventsManager.
Key Features
Extended event log support
GFI EventsManager is able to process various event log types including
Windows event logs, Syslog events and W3C event logs. This allows
administrators to collect more data from the different hardware and
software systems that are most commonly found on a typical corporate
network.
Rule based event log management
GFI EventsManager ships with a pre-configured set of event processing
rules that allow you to filter and classify events that satisfy
particular conditions. You can run these default rules without
performing any configuration, or you can customize these rules or
create tailored ones that suit your network infrastructure.
Event log scanning profiles
GFI EventsManager 7.1 allows you to organize event log scanning rules
into ‘Scanning Profiles’. In a scanning profile, you can configure the
set of event log monitoring rules that will be applied to a specific
computer or group of computers. The benefits of these profiles include:
• Simplified product administration, through a centralized way of
  tuning event processing rules.
• Different sets of event log rules that suit the roles of the scanned
  event sources and the corporate network environment. For example, you
  can set up a set of rules which apply only to workstations in a
  particular department.
• Granular configuration of rules. Administrators can create an event
  processing profile that is generic for all computers and a number of
  separate profiles which complement the generic profile by providing
  additional, more specialized event log rules on a computer-by-computer
  basis.
Translates cryptic Windows events
One major drawback of Windows event logs is that they are not user
friendly: their descriptions are too cryptic for the user to
understand. In fact, this is one of the main reasons why only a few
administrators really peer into Windows event logs. GFI EventsManager
7.1 overcomes this problem by translating event descriptions into a
form that is more user friendly and easier to understand.
Enhanced event scanning engine
GFI EventsManager 7.1 includes an event scanning engine that has been
tuned to speed up event scanning for maximum performance. This engine
adopts a plug-in based design that allows additional features/modules
to be plugged in without changes to the existing code, hence more
stability without affecting scalability.
Automatic noise reduction
GFI EventsManager 7.1 identifies and removes unwanted event data (such
as noise and events generated by background processes), providing you
with only the relevant, usable data. This facilitates event forensics
by reducing the number of events to be analyzed.
NOTE: Review what the noise rules discard before relying on them. An
event classified as Noise is removed from the data you analyze, so any
event class an investigation may later need should still be covered by
the archiving options described in the chapter on event processing
rules.
Enhanced real-time actions
GFI EventsManager can generate alerts or trigger actions such as script
execution when key events are detected. You can alert one or more
people in various ways, including email, network messages and SMS
notifications sent through an email-to-SMS gateway or service. Actions
can be configured to trigger on event classification or by configuring
specific conditions in event processing rules.
Advanced event filtering features
GFI EventsManager ships with a number of event filtering features,
including:
• Pre-configured event queries and a custom event query builder: the
  pre-configured event queries allow you to sift event log data and
  browse only the required events, without deleting any records from
  your database backend. The built-in event query builder allows you to
  create your own custom event queries.
• Event color-coding capabilities: through this feature you can
  selectively display particular events in specific colors. This way,
  during log browsing, you can easily identify important events by
  their color.
• Event finder tool: with this tool you can quickly locate important
  events by providing specific search criteria such as event type.
Event Centralization
GFI EventsManager enables you to monitor and manage events generated
by Windows, Unix and Linux systems, network devices and software
applications through a single user console.
How does GFI EventsManager work?
Figure 2 - The GFI EventsManager operational stages
The operational functionality of GFI EventsManager is divided into two
stages:
• Stage 1: Event Collection
• Stage 2: Event Processing
A description of each stage is provided below.
Stage 1: Event Collection
During the Event Collection stage, GFI EventsManager collects logs from
specific event sources. This is achieved through the use of two event
collection engines: the Event Retrieval Engine and the Event Receiving
Engine.
The Event Retrieval Engine - The Event Retrieval Engine is used to
collect Windows event logs and W3C logs from networked event sources.
During the Event Collection process this engine will:
1. Log on to the event source(s)
2. Collect events from the source(s)
3. Send the collected events to the GFI EventsManager server
4. Log off from the event source(s).
The Event Retrieval Engine collects events at specific time intervals.
The event collection interval is configurable from the GFI
EventsManager management console.
NOTE: Because this engine logs on to every event source, it needs an
account with rights to read the remote event logs (the chapter on
configuring event sources describes configuring alternative domain
administrator credentials for this), and on Windows sources the Remote
Registry service must be enabled (see Appendix 2). The account is
presented to every monitored machine, so treat it as a high-value
credential: grant it only the rights needed to read event logs where
your environment allows, rather than full domain administrator rights.
The Event Receiving Engine - The Event Receiving Engine acts as a
Syslog server: it listens for and collects Syslog events/messages sent
by Syslog sources on the network. As opposed to the Event Retrieval
Engine, the Event Receiving Engine receives messages directly from the
event source and therefore does not need to log on to the event
sources for event collection. Further to this, Syslog events/messages
are collected in real time, so no collection time intervals need to be
configured.
By default, the Event Receiving Engine listens for Syslog messages on
port 514; the Syslog port setting is customizable via the GFI
EventsManager management console.
NOTE: Classic Syslog carries no authentication or integrity protection:
any host that can reach the listening port can send messages that
claim to come from any source. Restrict which hosts can reach the
Syslog port (for example with a firewall rule on the GFI EventsManager
server) and treat the source address of a received message as
advisory rather than proven.
Stage 2: Event Processing
During this stage, GFI EventsManager runs a set of Event Processing
Rules against the collected events. Event Processing Rules are
instructions that:
• Analyze the collected logs and classify processed events as
  Critical, High, Medium, Low or Noise (unwanted or repeated events)
• Filter events that match specific conditions
• Trigger email, SMS and network alerts on key events
• Trigger remediation actions, such as the execution of executable
  files or scripts, on key events
• Optionally archive collected events in the database backend.
GFI EventsManager can be configured to archive events without running
Event Processing Rules. In such cases, even though no rules will be
applied against the collected logs, archiving is still handled by the
Event Processing stage.
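Stages 1 and 2 above, as one worked example: a UDP Syslog receiver (the Event Receiving Engine's role) feeding a small rule engine that classifies each message as Critical, High, Medium, Low or Unclassified, and marks a repeat of the same event from the same source inside a short window as Noise. This is added example code, not the GFI EventsManager engine; the product's actual rule conditions are not published, so the rule table, the class each rule assigns, the 60-second noise window and the first-match-wins ordering are assumptions. The sample datagrams are constructed.

```python
"""Syslog receiving and rule-based classification, end to end.

Added example for this manual; not GFI EventsManager code. The rule table,
the noise window and the first-match-wins ordering are assumptions that
mirror the stages the manual describes. The sample datagrams are constructed.
"""
import re
import socket
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# RFC 3164 PRI field: "<N>" with N = facility * 8 + severity, 0 <= N <= 191.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Leading "Mmm dd hh:mm:ss " timestamp, ignored when comparing messages.
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAC_KERN, FAC_AUTH, FAC_AUTHPRIV = 0, 4, 10


@dataclass(frozen=True)
class SyslogEvent:
    source: str      # sender address seen on the socket; spoofable over UDP
    facility: int
    severity: int    # 0 = emergency ... 7 = debug
    message: str


def parse_syslog(datagram: bytes, source: str) -> Optional[SyslogEvent]:
    """Decode one datagram; None if it carries no valid PRI field."""
    match = PRI_RE.match(datagram.decode("utf-8", errors="replace"))
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:
        return None
    return SyslogEvent(source, pri // 8, pri % 8, match.group(2).strip())


# Rules: (name, condition, classification); the first matching rule wins.
RULES: List[Tuple[str, Callable[[SyslogEvent], bool], str]] = [
    ("authentication failure", lambda e: e.facility in (FAC_AUTH, FAC_AUTHPRIV)
     and "authentication failure" in e.message.lower(), "High"),
    ("kernel emergency", lambda e: e.facility == FAC_KERN and e.severity <= 2, "Critical"),
    ("error from any daemon", lambda e: e.severity == 3, "High"),
    ("warning from any daemon", lambda e: e.severity == 4, "Medium"),
    ("informational", lambda e: e.severity >= 6, "Low"),
]


def classify(event: SyslogEvent) -> Tuple[str, str]:
    """Return (classification, rule name); 'Unclassified' when no rule matches."""
    for name, condition, classification in RULES:
        if condition(event):
            return classification, name
    return "Unclassified", ""


class NoiseFilter:
    """Flags a repeat of the same event from the same source within the window."""

    def __init__(self, window_seconds: float = 60.0) -> None:
        self.window = window_seconds
        self._last_seen: Dict[Tuple[str, int, int, str], float] = {}

    def is_repeat(self, event: SyslogEvent, arrived_at: float) -> bool:
        key = (event.source, event.facility, event.severity,
               TIMESTAMP_RE.sub("", event.message))
        previous = self._last_seen.get(key)
        self._last_seen[key] = arrived_at
        return previous is not None and arrived_at - previous <= self.window


def process_datagrams(items: List[Tuple[bytes, str, float]],
                      noise: Optional[NoiseFilter] = None) -> Tuple[List[dict], int]:
    """Stage 2 over (datagram, source, arrival time) tuples: returns the
    processed records and the count of datagrams dropped as malformed."""
    if noise is None:
        noise = NoiseFilter()
    records: List[dict] = []
    malformed = 0
    for datagram, source, arrived_at in items:
        event = parse_syslog(datagram, source)
        if event is None:
            malformed += 1
            continue
        if noise.is_repeat(event, arrived_at):
            classification, rule = "Noise", "repeat"
        else:
            classification, rule = classify(event)
        records.append({"source": source, "facility": event.facility,
                        "severity": event.severity, "class": classification,
                        "rule": rule, "message": event.message})
    return records, malformed


def receive_loop(bind_address: str = "0.0.0.0", port: int = 514) -> None:
    """Stage 1 for Syslog: a UDP listener feeding process_datagrams. Binding
    port 514 needs administrator rights, and the loop never returns."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_address, port))
    noise = NoiseFilter()
    while True:
        datagram, (addr, _) = sock.recvfrom(8192)
        for record in process_datagrams([(datagram, addr, time.time())], noise)[0]:
            print(record)


# Constructed sample traffic: (datagram, source address, arrival time in seconds).
SAMPLE_TRAFFIC = [
    (b"<34>Mar 28 10:00:01 host1 sshd[811]: authentication failure; user=root", "10.0.0.5", 0.0),
    (b"<34>Mar 28 10:00:02 host1 sshd[811]: authentication failure; user=root", "10.0.0.5", 1.0),
    (b"<0>Mar 28 10:00:05 host2 kernel: panic - not syncing", "10.0.0.7", 4.0),
    (b"<165>Mar 28 10:00:06 host3 app[42]: queue depth 120", "10.0.0.9", 5.0),
    (b"<14>Mar 28 10:00:07 host3 cron[77]: job finished", "10.0.0.9", 6.0),
    (b"not a syslog datagram at all", "10.0.0.9", 7.0),
]

if __name__ == "__main__":
    for record in process_datagrams(SAMPLE_TRAFFIC)[0]:
        print(f"{record['class']:<12} {record['rule']:<24} {record['message']}")
```

Two design points carry over to any collector of this kind. The noise key deliberately excludes the message timestamp, since a repeat of the same fault differs only there; and the parser drops a datagram without a valid PRI instead of guessing, so a malformed or hostile message cannot be quietly filed under a facility it never claimed. Because UDP source addresses can be forged, the `source` field is what the socket reported, not a verified origin.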
Navigating the GFI EventsManager management console
Screenshot 1 - The GFI EventsManager management console
Status option – Use this option to view the status of GFI
EventsManager and statistical information on processed logs.
Configuration option – Use this option to access and
configure the main event processing options.
Event Sources – Use this option to configure event sources
including which logs to collect and which rules to process.
Event Processing Rules – Use this option to create,
configure and customize event processing rules.
Left pane – Use this pane to navigate through the additional
configuration options provided in GFI EventsManager.
General options – Use this option to check for product
updates, as well as view version and licensing details.
Events Browser – Use this option to view and analyze the
events currently stored in the GFI EventsManager database
backend.
Options – Use this option to configure general settings such
as database backend parameters, and default alerting
parameters.
Primary options bar – This bar contains the primary
configuration options provided in GFI EventsManager.
Secondary options bar – This bar contains a second layer of
configuration options which is accessible by clicking on the
options in the primary options bar.
Right pane – Use this pane to browse configured event
sources, event processing rules, archived events, licensing
details and product version details.
Licensing
Table 1 - GFI EventsManager licensing options
A number of licensing options are available with GFI EventsManager
as shown in the table above.
During evaluation all features within GFI EventsManager are
available. The initial evaluation license provides a 10-day evaluation
period. This can be extended to 30 days by entering a 30-day
evaluation license key. This license key is emailed to the address
specified when downloading GFI EventsManager from the GFI
website. Upon expiry, a license key must be purchased to be able to
once again access GFI EventsManager features. GFI EventsManager
does not need to be uninstalled and reinstalled when entering a
purchased license key.
The purchase of a basic license enables the features marked in the ‘Licensed’ column of the table above. Additional features in GFI EventsManager may be enabled by purchasing an extended license key.
NOTE: Only one license key of GFI EventsManager is required at any
one time. The license key type indicates which features are to be
activated.
Installation
Introduction
Where can I install GFI EventsManager on my network?
GFI EventsManager can be installed on any computer which meets
the minimum system requirements irrespective of the location on your
network.
Use GFI EventsManager to manage the events generated:
• On the same computer where it is installed
• On all the computers that are reachable from the computer on which it is installed.
Figure 3 – GFI EventsManager deployment scenario
GFI EventsManager can be deployed:
1. Within your network to monitor the activity of internal servers and workstations/end points.
2. On the DMZ to monitor and manage the events generated on your servers.
Deployment of GFI EventsManager on a Local Area Network
GFI EventsManager can be deployed on Windows based networks as
well as on mixed environments where Linux and UNIX systems are
being used as well.
Figure 4 - Deployment of GFI EventsManager on LAN
When installed on a Local Area Network (LAN) GFI EventsManager
can manage Windows events, W3C event logs and Syslog messages
generated by any hardware or software that is connected to the LAN,
including:
• Workstations and Servers (e.g. Microsoft SQL Server)
• Network appliances (e.g. Cisco PIX firewalls)
• Third party software (e.g. GFI EndPointSecurity)
• Specialized Services (e.g. Microsoft Internet Information Server IIS)
• PABXs, Keyless Access Systems, Intrusion detection systems, etc.
When installed on a LAN, GFI EventsManager can also be used to
collect events from hardware and software systems deployed on a
Demilitarized Zone (DMZ). Since a firewall or a router usually protects
this zone with network traffic filtering capabilities, you must make sure
that:
1. The communication ports used by GFI EventsManager are not
blocked by the firewall. For more information on the communication
ports used by GFI EventsManager refer to the following kbase article:
http://kbase.gfi.com/showarticle.asp?id=KBID002770.
2. That GFI EventsManager has administrative privileges over the
computers that are running on the DMZ.
Deployment of GFI EventsManager on a Demilitarized Zone
Figure 5 - The DMZ sits between the internal LAN and the Internet
GFI EventsManager can also be deployed on a Demilitarized Zone.
This is the neutral network which sits between the “internal” corporate
network and the “outside world” (i.e. the internet). The deployment of
GFI EventsManager on a Demilitarized Zone helps you automate the
management of events generated by DMZ hardware and software
systems.
Automate management of Web and Mail server events
DMZ networks are normally used for the running of hardware and
software systems that have internet specific roles such as HTTP
servers, FTP servers, and Mail servers.
Hence, you can deploy GFI EventsManager to automatically manage
the events generated by:
• Linux/Unix based web-servers including the W3C web-logs generated by Apache web-servers on LAMP web platforms (http://www.onlamp.com/pub/a/onlamp/2001/01/25/lamp.html).
• Windows based web-servers including the W3C web-logs generated by Microsoft Internet Information Servers (IIS).
• Linux/Unix and Windows based mail-servers including the Syslog ‘auditing services’ messages generated by Sun Solaris v. 9 or later.
Automate management of DNS server events
If you have a public DNS server, there’s a good chance that you are
running a DNS server on the DMZ. Hence you can use GFI
EventsManager to automatically collect and process DNS server
events including those stored in your Windows’ DNS Server logs.
Automate management of network appliance events
Routers and firewalls are two network appliances commonly found in
a DMZ. Specialized routers and firewalls (e.g. Cisco IOS series
routers) not only help protect your internal network, but provide
specialized features such as Port Address Translation (PAT) that can
augment the operational performance of your systems.
By deploying GFI EventsManager on your DMZ, you can collect the
events generated by such network appliances. For example, you can
configure GFI EventsManager to act as a Syslog Server and collect in
real-time the Syslog messages generated by Cisco IOS routers.
System requirements
Hardware requirements – Installation machine(s)
• Processor: 2 gigahertz (GHz) or higher processor clock speed
• RAM: 512 megabytes (MB)
• Hard disk: 1.5 gigabytes (GB) of available space
Software requirements – Installation machine(s)
• Windows 2000 (SP4) / XP (SP2) / 2003 operating system
NOTE: For information on Windows Vista refer to knowledge base article: http://kbase.gfi.com/showarticle.asp?id=KBID003001
• .NET framework 2.0
• Microsoft Data Access Components (MDAC) 2.8 or later
• Access to MSDE / SQL Server 2000 or later.
Software requirements – Scanned machine(s)
• Windows event log scanning:
  - Remote registry service must be enabled. For more information refer to Appendix 2 in this manual.
  - Windows Audit Policy must be enabled. For more information refer to Appendix 2 in this manual.
• W3C log scanning: The source folders must be accessible via Windows shares.
• Syslog scanning: Since GFI EventsManager includes a built-in Syslog server, Syslog sources/senders must be configured to send their Syslog messages to the computer/IP address where GFI EventsManager is installed.
Upgrading from a previous version
The underlying operational and processing technology subsystems on
which GFI EventsManager is built are different from those of previous
versions such as GFI LANguard Security Event Log Monitor. Hence a
previous version cannot be imported or upgraded to GFI
EventsManager 7.x.
NOTE: You are still able to run GFI EventsManager on the same
machine on which GFI LANguard Security Event Log Manager is
installed. They will not conflict with each other.
Installation procedure
GFI EventsManager includes an installation wizard which will assist
you through the installation process. To start the installation:
1. Close all running applications and log on to the target computer using an account which has local administrative privileges.
2. Double-click on EventsManager7.exe.
3. As soon as the welcome dialog is displayed, click Next to start the
installation.
4. Read the licensing agreement carefully. To continue installing the
product, select the ‘I accept the Licensing agreement’ option and
click Next.
Screenshot 2 - Customer and License detail screen
5. Specify your name, company name and license key. If you are
evaluating the product, leave the license key as default (i.e.
‘Evaluation’) and click Next.
Screenshot 3 - Logon information screen
6. GFI EventsManager must run under an account which has domain administrative privileges. Enter the user name and password of the domain administrator account and click Next to continue.
7. Specify an alternative installation path or click on Next to leave as
default and proceed with the installation.
Screenshot 4 - Select language character and symbol support mode
8. Specify the character encoding set to be used by GFI
EventsManager. Click on the Install button to proceed with the
automatic extraction of the required files and finalize the installation.
9. Click Finish to finalize the installation.
Getting Started
Introduction
What is a computer log?
A computer log is a collection of event entries. These entries provide
an audit trail of information related to the activity of a network or
computer system. In fact, computer logs are recorded in a certain
scope to provide information suitable for forensic analysis. The
computer log may be a binary file as in the case of Windows logs, or
text-based files as in the case of Syslog or W3C logs.
What is an event?
An event is a log entry that provides information on something that
occurred within a computer system or network. Such events include
various details such as the date and time the event occurred and a
related description. Event entries are often stored in chronological
order to facilitate event browsing and forensic analysis.
What are Windows event logs?
Windows event logs are a systematic recording of computer related
events that occurred within computer systems and networks running
on Windows Operating Systems. In systems running on Windows
2000/XP/2003, events are recorded and organized in 3 default event
logs:
• Application log
• Security log
• System log.
Computers with specialized network roles such as domain controllers and DNS servers allow the logging of events to additional (default) logs such as:
• Directory service log
• File Replication service log
• DNS server log.
Windows event logs contain the following types of events:
Error – Error events indicate that a significant problem, such as
loss of data or functionality has occurred. For example an Error event
is recorded every time that a service or driver fails to load during
startup.
Warning – Warnings indicate events that are not necessarily
significant, but which may possibly cause future problems. For
example, a Warning event is recorded every time that disk space runs
low.
Information - Information events describe the successful operation
of an application, driver, or service. For example, an Information event
is recorded every time that a network driver loads successfully.
Success Audit – Success audit events indicate security access
attempts that were successful. For example, a Success Audit event is
recorded every time that a user successfully logs on to his Windows
based workstation.
Failure Audit – Failure audit events indicate security access
attempts that failed. For example, a Failure audit event is recorded
every time that a user fails to access a network drive.
A sample of the information typically recorded in a Windows event log
is shown below.
Screenshot 5 – DNS Server log
What are W3C logs?
W3C logs are used mainly by web servers to log web related events
including web logs. W3C logs are recorded in text-based flat files
using any one of the two W3C logging formats currently available:
• W3C Common Log file format
• W3C Extended Log File format.
The W3C common log file format was the first format to be released
and to date it is still the default format used by a variety of popular
web servers including Apache. There is however one downside - the
information about each server transaction is fixed and does not
provide for certain important fields such as referrer, agent, transfer
time, domain name, or cookie information. To overcome this problem,
the W3C Extended log file format was released. This newer type of log
is in customizable ASCII text-based format, permitting a wider range
of data to be captured. The W3C Extended log file format is the
default log file format used by Microsoft Internet Information Server
(IIS).
A sample of the information typically recorded in a W3C extended type
log is shown below.
#Version: 1.0
#Date: 04-Sep-1996 00:00:00
#Fields: time cs-method cs-uri
00:34:23 GET /WebSRV/Pg_Snippet.html
12:21:16 GET /WebSRV/Button_pg.html
12:45:52 GET /WebSRV/Login_Pg.html
12:57:34 GET /WebSRV/Error_msg.html
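As an added example (not from the manual or from GFI's product), a Python parser for the W3C Extended format shown above. It reads the column layout from the #Fields directive instead of assuming a fixed one, which is the point of the Extended format; the sample log is constructed to mirror the excerpt.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample, mirroring the manual's excerpt above.
SAMPLE_W3C_LOG = """#Version: 1.0
#Date: 04-Sep-1996 00:00:00
#Fields: time cs-method cs-uri
00:34:23 GET /WebSRV/Pg_Snippet.html
12:21:16 GET /WebSRV/Button_pg.html
12:45:52 GET /WebSRV/Login_Pg.html
12:57:34 GET /WebSRV/Error_msg.html
"""

Entry = Dict[str, Optional[str]]


def parse_w3c_extended(text: str) -> Tuple[Dict[str, str], List[Entry]]:
    """Parse W3C Extended Log File text into (directives, entries).

    Lines starting with '#' are directives. '#Fields:' names the columns of
    the entries that follow it; a log can carry a new '#Fields:' line later
    on (e.g. after the server configuration changes), so the current column
    names are tracked as the file is read instead of being hard-coded.
    """
    directives: Dict[str, str] = {}
    fields: List[str] = []
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            name, value = name.strip(), value.strip()
            directives[name] = value
            if name == "Fields":
                fields = value.split()
            continue
        if not fields:
            raise ValueError(f"line {lineno}: entry before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} values, got {len(values)}"
            )
        # The format writes '-' for a value that was not available.
        entries.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return directives, entries


def requests_by_uri(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per requested resource (cs-uri), a first step towards
    spotting repeated hits on a single page such as a logon form."""
    counts: Dict[str, int] = {}
    for entry in entries:
        uri = entry.get("cs-uri") or "-"
        counts[uri] = counts.get(uri, 0) + 1
    return counts


if __name__ == "__main__":
    header, rows = parse_w3c_extended(SAMPLE_W3C_LOG)
    print(header)
    for row in rows:
        print(row)
    print(requests_by_uri(rows))
```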
What are Syslogs?
Syslog is the standard for logging messages, such as system events,
in an IP network. The Syslog standard is most commonly used for the
logging of events by computer systems running on UNIX and Linux as
well by network devices and appliances such as Cisco routers and the
Cisco PIX firewall. Syslog events are not directly recorded by
applications running on the computer systems. Whenever an event is
generated, the respective computer will send a small textual message
(known as Syslog message) to a dedicated server commonly known
as ‘Syslog server’. The Syslog server will then save the received
message into a log file. Syslog messages are generally sent as clear
text; however, an SSL wrapper can be used to provide for a layer of
encryption.
Syslog is typically used for computer system management and
security auditing. While it has a number of shortcomings, its big plus is
that Syslog is supported by a wide variety of devices and receivers.
Because of this, Syslog can be used to integrate log data from many
different types of systems into a central repository using the Syslog
server as a log aggregator.
The Syslog daemon handles the recording of Syslog
messages/events in log files. The Syslog message is composed of
two main parts:
1. The ’header’ which contains the date/time information as well as the
IP or computer name from where the message has originated.
2. The “message” which includes the program or subsystem name
and the message itself, separated by a colon.
The following is an example of a Syslog message:
Sep 4 10:10:10 10.245.2.11 foo[421]: this is a message from WebSRV
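As an added example (Python, not GFI code), a parser for the two-part message structure just described, plus a minimal UDP receiver of the kind the Event Receiving Engine provides on port 514. Handling of the optional <PRI> prefix (facility * 8 + severity) goes beyond the manual's example, which omits it; the peer address is recorded separately because the host name in the header is written by the sender and is not verified.

```python
import re
import socket
from typing import Dict

# Constructed sample: the manual's example message, as it would be received.
SAMPLE_MESSAGE = "Sep 4 10:10:10 10.245.2.11 foo[421]: this is a message from WebSRV"

# Header = timestamp and originating host; message = program[pid]: text.
# Most senders also prefix "<PRI>" (facility * 8 + severity); the manual's
# example omits it, so the prefix is optional here.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<text>.*)$"
)

SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def parse_syslog(line: str) -> Dict[str, object]:
    """Split one BSD-style syslog line into its header and message fields."""
    match = SYSLOG_RE.match(line.rstrip("\r\n"))
    if match is None:
        raise ValueError(f"unrecognised syslog message: {line!r}")
    pri = int(match.group("pri")) if match.group("pri") is not None else None
    if pri is not None and pri > 191:  # facilities 0-23, severities 0-7
        raise ValueError(f"PRI value {pri} out of range")
    return {
        "timestamp": match.group("timestamp"),
        "host": match.group("host"),
        "program": match.group("program"),
        "pid": int(match.group("pid")) if match.group("pid") else None,
        "text": match.group("text"),
        "facility": None if pri is None else pri // 8,
        "severity": None if pri is None else pri % 8,
        "severity_name": None if pri is None else SEVERITY_NAMES[pri % 8],
    }


def handle_datagram(data: bytes, peer_ip: str) -> Dict[str, object]:
    """Parse a received datagram and record who actually sent it.

    The host in the header is supplied by the sender and is not verified,
    so the peer address seen on the socket is kept alongside it.
    """
    record = parse_syslog(data.decode("utf-8", errors="replace"))
    record["peer"] = peer_ip
    return record


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Minimal UDP syslog receiver; binding port 514 normally needs
    administrative privileges. Runs until interrupted."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (peer_ip, _port) = sock.recvfrom(65535)
        try:
            print(handle_datagram(data, peer_ip))
        except ValueError as exc:
            print(f"dropped datagram from {peer_ip}: {exc}")


if __name__ == "__main__":
    print(parse_syslog(SAMPLE_MESSAGE))
```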
Getting Started: Launching GFI EventsManager for the first time
All configuration settings for GFI EventsManager are carried out from
the GFI EventsManager management console. To open the
management console click on: Start > All Programs > GFI EventsManager 7 > Management Console.
Quick start dialog
Screenshot 6 - Quick Start Dialog
The first time that the management console is launched, the ‘Quick
Start Dialog’ will open up by default. This dialog will assist you in the
configuration of core operational parameters which GFI
EventsManager requires at first startup.
Parameters to be configured at startup are:
Database backend:
Required parameters include SQL Server name/IP and details of the database backend to use for event archiving.
GFI EventsManager administrator account details:
Required parameters include the email address, mobile phone number and the name/IP of computers where alerts will be sent.
General alerting options:
Required parameters include SMTP server details and SMS gateway/service provider for email/SMS alerts.
The Quick Start Dialog includes links which will take you directly to the
configuration dialogs from where you can directly configure these core
operational parameters.
Configuring the database backend
The need for archiving computer logs
Archiving of events is crucial in environments that are striving to be
legally compliant with SOX, HIPAA and other equally important data
retention and protection regulations. For legal and compliance
reasons, corporations must provide central and secure log data
archives which are physically separate from the log data used for real-time analysis; the main reason is that raw log data must be kept intact.
GFI EventsManager allows you to optionally archive both processed
and unprocessed events into an SQL Server based database
backend. This not only supports your efforts to achieve legal
compliance but also provides you with:
• A collection of events that can be used for activity analysis and reporting purposes.
• A collection of filtered events (in the case of processed logs).
• A backup of your original log data so that it can be used in case of emergency.
GFI EventsManager also allows you to automatically backup your
backend. This way you can keep a copy of your log data physically
separate from the log data used for real-time analysis. You can also
trigger database backend backups manually. For more information on
how to manually backup your database backend refer to the ‘Backup
events’ section in the ‘Log Browser’ chapter.
Screenshot 7 - Quick Start Dialog: Link to database backend settings
To configure the database backend settings for the first time, click on
the link provided in the Quick Start Dialog. This will bring up the
‘Database Options’ dialog. More information on how to configure these
options is provided below.
Configuring SQL Server details
Screenshot 8 - Database Options - Change database tab
To configure the SQL Server and database backend details:
1. Specify the name/IP of your SQL Server.
2. Specify a name for your database backend (e.g. EventsManagerDB).
3. Select the authentication method to be used when connecting to
the SQL Server. If SQL Server authentication is selected, specify the
login username and password.
4. To configure the database backend maintenance option, click on
the Maintenance tab. For information on how to configure
maintenance options refer to the ‘Maintaining the database backend’
section.
5. Finalize your configuration settings by clicking OK.
Changing database backend settings
Screenshot 9 - Database configuration options
Once configured, you can still make changes to the database
maintenance parameters. To achieve this:
1. Click on the Configuration option.
2. From the secondary option bar which opens underneath, select
Options.
3. From the left pane, right-click on the Database Operations node
and select Properties
4. Configure the required parameters as described in the above
sections.
Configuring GFI EventsManager administrator account
GFI EventsManager will automatically send out email, network or SMS
alerts to specific recipients whenever particular events are discovered.
Therefore, you must configure the contact details of the intended
recipients in order to effectively distribute alerts. For example, you
need to configure the email address of your recipient(s) in order to
send them email alerts.
GFI EventsManager allows you to create a custom list of recipients
which you can organize into groups to speed up administrative tasks.
By default, GFI EventsManager will automatically create the
‘EventsManagerAdministrator’ account. However, you must still
configure user specific details such as the email address and mobile
number of the GFI EventsManager administrator. For every user, you
can configure the following parameters:
• Contact details including email address and phone number
• The typical working hours
• The type of alert to send during and outside working hours
• The notification group to which the user belongs.
Screenshot 10 - Quick Start Dialog: Link to administrator account settings
To configure the GFI EventsManagerAdministrator account for the first
time, click on the link provided in the Quick Start Dialog.
Screenshot 11 - EventsManagerAdministrator properties
This will bring up the ‘EventsManagerAdministrator properties’ dialog.
Start configuring the account as follows:
1. Specify the contact details such as email address, and mobile
number as required.
2. Specify the computers on which network alerts addressed to the
administrator will be sent.
3. Click on the Working Hours tab.
Screenshot 12 - Configuring the typical working hours of an alert recipient
4. Select the typical working hours of the administrator/user.
Screenshot 13 - Selecting alerts to be sent during and outside working hours
5. Click on the Alerts tab and select which alerts will be sent during
and outside working hours.
Screenshot 14 - Notification groups to which a user belongs
6. Click on the Member Of tab and select the notification groups to
which the user belongs. By default the administrator is a member of
the ‘EventsManageAdministrators’ notification group.
7. Click on the OK button to finalize your settings.
Once configured, you can still make changes to the properties
configured in the administrator account. For more information on how
to achieve this refer to the ‘Configuring users and groups’ chapter.
Configuring the general alerting options
GFI EventsManager will automatically send out email, network or SMS
alerts whenever particular events are discovered. Supported alerting
methods require the configuration of a set of general alerting
parameters that are network specific. For example, to send email
alerts, GFI EventsManager must know which SMTP Server will be
used to propagate email alerts.
Screenshot 15 - Quick Start Dialog: Link to default alerting options
To configure the general alerting parameters for the first time, click on
the Configure Alerting options link provided in the Quick Start
Dialog.
Screenshot 16 - Alerting options dialog
This will bring up the ‘Alerting Options’ dialog. Use the Email,
Network and SMS tabs provided in this dialog to configure the default
alerting settings. More information on how to configure these settings
is provided below.
Configuring email alerts
Screenshot 17- Mailserver properties dialog box
To configure email alerts do as follows:
1. From the Email tab which opens by default, click on the Add
button.
2. Specify the name/IP of your mail server. If required specify also the
mail server authentication details.
3. Specify the email address and display name that will be used when
sending email alerts.
4. Click on OK to finalize settings.
5. To customize the email text message, click on the Format Email
Message… button.
6. If required, click on the Network or SMS tabs to configure the
respective parameters.
7. Click OK to finalize your settings.
Configuring network alerts
No configuration settings are required for network alerts from this
dialog. However, you can customize the network message by clicking
on the Format network message… button.
Configuring SMS alerts
Screenshot 18 - Alerting Options: SMS dialog box
SMS alerts can be sent using various methods. Supported methods
include GFI FAXmaker SMS gateway and Clickatell Email to SMS
service gateway. To configure which method will be used to convey
SMS alerts do as follows:
1. From the provided drop-down, select the SMS system through
which SMS notification will be sent.
2. Select the property to be configured from the list provided and click
Edit… For information on how to configure SMS alerting parameters
refer to ‘Appendix 1 – SMS Settings’ in this manual.
3. Repeat until all required properties have been configured.
4. To customize the SMS alert message, click on the Format SMS
message… button.
5. Click on OK to finalize your settings.
Changing the general alerting options
Screenshot 19 - Alerting options screen
Once configured, you can still make changes to the general alerting
options. To achieve this:
1. Click on the Configuration option.
2. From the secondary option bar which opens underneath, select
Options.
3. From the left pane, right-click on the Alerting Options node and
select Edit alerting options…
4. Configure the required parameters as described in the above
sections.
Getting started: Processing event logs
At this stage, you have configured all the core operational parameters
required by GFI EventsManager on first start up. To proceed to the
next stage and start processing your logs you must specify:
Event Sources:
The name/IP of the computers from where events will be
collected for processing.
Events to be processed:
The logs (Windows EVT, W3C or Syslogs) that will be
processed.
Event processing rules:
The processing rules that will be applied against collected
events.
Alerting methods and actions:
The actions that will be triggered and the alerts that will be
generated during event processing.
The next 3 chapters will explain how to configure the above mentioned
parameters.
Screenshot 20 - Quick Start Dialog: Click the Start button to configure event sources
You can proceed to configure functional parameters directly from the
Quick Start Dialog by clicking on the Start button. This will take you to
the configuration of Log Sources. For more information on how to
configure event sources refer to the next chapter.
Configuring event sources
Introduction
Event sources are computers that contain the logs to be processed by
GFI EventsManager. In GFI EventsManager, these event sources are
organized into specific computer groups. You can create custom
computer groups tailored on your network infrastructure or you can
use the pre-defined computer groups that ship by default with this
product. For example, you can use default computer groups to
distinctively organize and configure the servers, workstations and
laptops that will be monitored by GFI EventsManager; or you can
choose to group target computers that have specific roles on your
network such as Web Servers, File Servers and Data Servers.
Adding new event sources to a default group
Screenshot 21 - Configuring the computer that will be monitored
To configure event sources:
1. Click on the Configuration option.
2. Right-click on the Computer Group which will contain the new event
sources and select Add new computer. This will bring up the target
computers configuration wizard.
Screenshot 22 - Configuration wizard: Specify the computers that will be monitored
3. Specify the name/IP of the new event source and click Add. Repeat
until you have specified all the event sources to add to this group.
NOTE: To import the list of event sources from a text file click on the
Import button. To select your targets from a list, click on the Select
button.
4. Click Finish to finalize your settings.
NOTE: GFI EventsManager will attempt to collect logs from the configured sources immediately after you click the Finish button.
Configuring event source properties
The general and event processing parameters of event sources are
configurable via the ‘Properties dialog’. You can configure these
parameters on a:
• Computer by computer basis. To configure the parameters of a particular computer in a group: Go to the right pane of the management console, right-click on the required computer and select Properties. This will bring up the ‘Computer Properties’ dialog.
• Computer group by group basis. To configure the parameters of a computer group, right-click on the computer group to be configured and select Properties. This will bring up the ‘Computer Group Properties’ dialog.
Through the properties dialog you can configure:
• General event source properties
• Alternative domain administrator credentials
• Event source operational time
• Log processing parameters for Windows event logs, W3C logs and Syslog logs.
Configuring general event source properties
Screenshot 23 - Computer group properties dialog
Use the General tab in the properties dialog to:
• Change the name of a computer group.
• Enable/disable log collection and processing for the computers in a group.
• Configure log collection and processing frequency.
NOTE: In GFI EventsManager, you can also trigger the log collection
process manually. To achieve this:
1. Right-click on the computer group which contains the required
event sources.
2. Select Scanning options > Scan now.
Screenshot 24 - Triggering log collection manually
Configuring alternative domain administrator credentials
During event processing, GFI EventsManager must remotely log-on to
the target computers. This is required in order to collect the log data
that is currently stored on the target computers and pass this data on
to the event processing engine(s).
To collect and process logs, GFI EventsManager must have
administrative privileges over the target computers. By default, GFI
EventsManager will log-on to target computers using the credentials of
the account under which it is currently running; however, certain
network environments are configured to use different credentials to log
on to workstations and servers with administrative privileges. For example, for security purposes, network administrators can set up a dedicated account that has administrative privileges over workstations only and a different account that has administrative privileges over servers only.
Screenshot 25 - Configuring alternative logon credentials
GFI EventsManager allows you to configure a dedicated set of logon credentials for individual target computers as well as for computer groups. To configure a set of credentials for a particular computer group:
1. Bring up the (computer/computer group) properties dialog
2. Click on the Logon Credentials tab
3. Specify the login name and password which will be used to log-on
and collect logs from the target computer(s).
Configuring event source operational time
GFI EventsManager includes an Operational Time option through
which you specify the normal working hours of your event sources.
This is required so that GFI EventsManager can keep track of the
events that occur both during and outside working hours. Use the
operational time information for forensic analysis and to identify
network computers that are being misused outside normal working
hours. For example, through this information, you can discover
unauthorized user access, illicit transactions carried out outside
normal working hours and other potential security breaches that might
be taking place on your network.
Screenshot 26 - Specify operational time
Operational time is configurable on a computer group basis. Configuration is achieved through the Operational Time tab provided in the computer group properties. Operational time is configured by marking the normal working hours on a graphical operational time scale which is divided into 1 hour segments.
Configuring event processing parameters
To configure event processing parameters:
Screenshot 27 – Event-processing configuration tabs
1. Bring up the (computer/computer group) properties dialog
2. Use the Windows Event Log tab, W3C Logs tab and Syslog tab
to configure the required event processing parameters. For more
information on how to configure these parameters refer to the
‘Configuring event processing rules’ chapter.
Configuring event processing rules
Introduction
GFI EventsManager allows you to collect and process 3 types of logs:
Windows event logs, W3C logs and Syslogs. All 3 supported log types
record events in a different and proprietary format; therefore every log
type requires different configuration settings and parameters. You can
configure log collection and processing parameters:
• On a computer by computer basis
• On a computer group by computer group basis.
During event processing, GFI EventsManager runs a configurable set
of rules against the collected logs in order to classify events and
trigger alerts/actions accordingly. By default, GFI EventsManager
ships with a pre-configured set of event processing rules that allow
you to gain network-wide control over computer logs - with negligible
configuration effort.
Event processing rules
Event processing rules are instructions/checks that:
• Analyze the collected logs.
• Classify the severity of processed events. Classification is based
on the configuration settings of the processing rule.
• Filter events that match specific criteria. For example, you can
create and run a rule which filters out low severity events and
noise (duplicate events).
• Generate alerts and actions based on event severity. For example,
you can configure GFI EventsManager to send both SMS and
Email alerts whenever an event is classified as critical; but limit the
product to send only email alerts when an event is classified as
high in severity. For more information on how to configure alerts
and actions refer to the ‘Configuring alerting and actions’ chapter.
• Optionally archive filtered events. Event archiving is based on the
severity of the event and on the configuration settings of the event
processing rules. For example, you can configure GFI
EventsManager to archive only events that are classified critical or
high in severity and discard all the rest.
In GFI EventsManager, event processing rules are organized into
‘Rule-sets’; and every rule-set can contain one or more specialized
rules which can be run against collected logs.
Screenshot 28 - Rule-sets folder and Rule-sets
Rule-sets are further organized into ‘Rule-sets Folders’. This way you
can group rule-sets according to the functions and actions that the
respective rules perform. For example, the ‘Security’ rule-sets folder
groups rule-sets that contain security event processing rules. By
default, GFI EventsManager ships with pre-configured folders, rule-sets
and event processing rules that can be further customized to
suit your event processing requirements.
Event classification
GFI EventsManager classifies events in 5 categories:
• Critical
• High
• Medium
• Low
• Noise (unwanted or repeated log entries).
Event classification is based on the configuration of the rules that are
executed against the collected logs. Events that don’t satisfy any
event classification conditions are tagged as unclassified and can be
set to trigger the same alerts and actions available for classified
events.
Event processing, classification and actions flowchart
The flowchart below illustrates the event processing stages
performed by GFI EventsManager.
Screenshot 29 - Log processing, classification and actions flowchart
Collecting and processing Windows events
Overview
Windows events are organized into specific log categories; by default
computers running on Windows NT or higher record errors, warnings
and information events in 3 logs namely Security, Application and
System logs. Computers that have more specialized roles on the
network (e.g. Domain Controllers, DNS Servers, etc…) have
additional event log categories.
Screenshot 30 - Computer group properties: Configuring logs to be processed
By default, Windows Operating Systems record events in the following
logs:
• Security events log: This log contains security related events
through which you can audit successful or attempted security
breaches. Typical events found in the Security Events log include
valid and invalid logon attempts.
• Application events log: This log contains events recorded by
software applications/programs such as file errors.
• System events log: This log contains events logged by Windows
XP system components such as failures to load device drivers.
• Directory service log: This log contains events generated by the
Active Directory, including successful or failed attempts to update
the Active Directory database.
• File Replication service log: This log contains events recorded
by the Windows File Replication service. These include file
replication failures and events that occur while domain controllers
are being updated with information about sysvol.
• DNS server log: This log contains events associated with the
process of resolving DNS names to IP addresses.
Screenshot 31 - Computer group properties: Configuring Windows event logs parameters
To configure Windows event log collection and processing parameters
you must:
• Select the events to be collected.
• Specify whether the collected logs will be processed (filtered, etc.)
or just archived without processing.
• Select the event processing rule-sets/rules that will be run against
the collected logs.
Selecting the events to be collected
To specify which Windows events will be collected by GFI
EventsManager:
1. Bring up the (computer/computer group) properties dialog.
2. Click on the Windows Event Log tab.
Screenshot 32 - Selecting the events to be collected
3. Click on Add and select the check-box of the events that will be
collected.
NOTE: GFI EventsManager supports custom event logs. For
information on how to configure custom event logs please refer to the
‘Configuring Custom Event Logs’ section in this chapter.
4. (Optionally) Select the option ‘Clear collected events after
completion’ to clear the collected events from event sources.
IMPORTANT: Deleting events from source logs without having them
archived or backed-up may lead to legal compliance issues. Please
make sure to archive or backup important events according to the
standards implied by data retention and data protection regulations.
Archiving Windows events
For information on how to archive events refer to the ‘Archiving
events’ section in this chapter.
Selecting Windows event processing rules
For information on how to select event processing rules refer to the
‘Selecting event processing rules’ section in this chapter.
Configuring Custom Event Logs
GFI EventsManager is configured to collect and process standard
Windows event logs. However, GFI EventsManager can also be
configured to manage events recorded in 3rd party application logs
such as anti-virus logs, software firewall logs and other security
software.
To configure custom events:
1. Click the Configuration option in the primary options bar.
2. Click Options from the secondary option bar.
Screenshot 33 - Custom Event Logs setup
3. From the left pane, right-click on the Custom Events Logs node
and select Edit custom logs… This will open the Custom events logs
dialog.
4. Click on the Add… button. Specify the name of your custom event
log and click OK button to finalize your settings.
Collecting and processing W3C logs
W3C is another log format supported by GFI EventsManager. W3C
logs are text-based flat files containing various event details delimited
by special characters.
The W3C log format is most commonly used by hardware systems
(e.g. servers and appliances) which have internet specific roles.
Microsoft Internet Information Server (IIS) service and Apache web
servers, for example, can collect web related events (i.e. web logs) in
the form of W3C formatted text files.
In GFI EventsManager, the configuration process of W3C log
parameters is identical to that performed for Windows event
processing, with one exception. Unlike Windows event logs, there is
no standard which dictates a specific or centralized folder location
where W3C log files are stored on disk. Therefore, in order to collect
W3C logs, you must specify the complete path to these text-based log
files.
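As an added illustration of the delimited text format described above (example code, not part of GFI EventsManager), the parser below reads a W3C extended log file of the kind IIS writes: field names come from the file's own #Fields directive, "-" marks an empty value, and, as IIS does, spaces inside a value are assumed to be written as "+" so that fields can be split on whitespace. The log content is constructed.

```python
"""Parser for W3C extended log files, the text format IIS writes.

Added example, not GFI EventsManager code. Field names are taken from the
file's own #Fields directive and "-" means an empty value. Values are kept
as written; IIS encodes spaces inside a value as "+", which is what makes
whitespace a safe delimiter here. The log content below is constructed.
"""
from collections import Counter

SAMPLE_W3C_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-03-27 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2007-03-27 09:00:01 10.0.0.5 GET /default.htm - 80 - 10.0.0.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2007-03-27 09:00:07 10.0.0.5 GET /admin/config.asp - 80 - 10.0.0.77 Mozilla/4.0+(compatible;+MSIE+6.0) 401
2007-03-27 09:00:09 10.0.0.5 GET /admin/config.asp - 80 CORP\\admin 10.0.0.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200
2007-03-27 09:00:12 10.0.0.5 POST /upload.asp id=3 80 - 10.0.0.20 Mozilla/4.0+(compatible;+MSIE+6.0) 500
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields line.

    A #Fields directive may appear more than once (IIS writes a fresh header
    when the service restarts), so the current field list is tracked as the
    file is read. A data line whose field count does not match the header is
    rejected instead of being silently mis-aligned.
    """
    fields = None
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version and #Date carry no event data
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append({name: (None if value == "-" else value)
                        for name, value in zip(fields, values)})
    return records


def status_summary(records):
    """Count requests per HTTP status code."""
    return Counter(r["sc-status"] for r in records)


def failed_requests(records):
    """(time, client IP, URI, status) for every 4xx/5xx response: the entries
    a reviewer looks at first when checking a web server's W3C log."""
    failed = []
    for r in records:
        if r["sc-status"] is None:
            continue
        status = int(r["sc-status"])
        if status >= 400:
            failed.append((r["time"], r["c-ip"], r["cs-uri-stem"], status))
    return failed


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_W3C_LOG)
    print(dict(status_summary(recs)))
    for entry in failed_requests(recs):
        print(*entry)
```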
Selecting the events to be collected and processed
To specify which W3C logs will be collected by GFI EventsManager:
1. Bring up the (computer/computer group) properties dialog.
2. Click on the W3C Log tab.
Screenshot 34 - Computer group properties: Configuring W3C event processing parameters
3. Click on Add and specify the log file name and location. Wildcards
such as *.* are supported.
4. (Optionally) Select the option ‘Clear collected events after
completion’ to clear the collected events from event sources.
IMPORTANT: Deleting events from source logs without having them
archived or backed-up may lead to legal compliance issues. Please
make sure to archive or backup important events according to the
standards implied by data retention and data protection regulations.
Archiving W3C events
For information on how to archive events refer to the ‘Archiving
events’ section in this chapter.
Selecting W3C event processing rules
For information on how to select event processing rules refer to the
‘Selecting event processing rules’ section in this chapter.
Collecting and processing Syslogs
Syslog is a data logging service that is most commonly used in Linux
and UNIX based environments. The concept behind Syslogs is that
the logging of events and information is entirely handled by a
dedicated server called ‘Syslog Server’. This means that unlike
Windows and W3C log based environments, regular programs do not
log any information. They just send events in the form of data
messages (technically known as ‘Syslog Messages’) to a Syslog
server that will manage the message and save the data in a log file.
Screenshot 35 - Computer group properties: Syslog processing parameters
In order to process Syslog messages, GFI EventsManager ships with
a built-in Syslog Server. This Syslog server will automatically collect,
in real-time, all Syslog messages/events sent by Syslog sources and
pass them on to the event processing engine.
A built-in buffer allows the Syslog server to collect, queue and forward
up to 30 Syslog messages for batch processing. Buffered logs are by
default passed on to the event processing engine as soon as the
buffer fills up or at 1 minute intervals whichever comes first.
Figure 6 - Syslog messages must be directed to the computer running GFI EventsManager
NOTE: For Syslog message processing, ALL Syslog sources (e.g.
workstations, servers, network appliances, etc.) must be configured to
send their messages to the computer/IP where GFI EventsManager is
installed. This applies also for the computer that is running GFI
EventsManager.
In GFI EventsManager, Syslog event processing parameters are
configured as follows:
1. Open up the (computer/computer group) properties dialog.
2. Click on the Syslog tab.
3. To enable the Syslog server and listen for messages sent by the
computers in a computer group, select the option ‘Accept Syslog
Messages from this computer group’.
IMPORTANT: Deleting events from source logs without having them
archived or backed-up may lead to legal compliance issues. Please
make sure to archive or backup important events according to the
standards implied by data retention and data protection regulations.
NOTE 1: The GFI EventsManager Syslog server is by default
configured to listen for Syslog messages on port 514. For more
information on how to customize Syslog server port settings refer to
the ‘Configuring Syslog server communications port’ section in this
chapter.
NOTE 2: The built-in Syslog server will only accept Syslog messages
sent from the computers that are part of this computer group.
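A receiver with the buffering and group-filtering behaviour described above, as an added example rather than GFI's own Syslog server: messages are accepted only from addresses in the computer group, buffered up to 30 entries, and handed over when the buffer fills or one minute has passed. The group member addresses and the sample message are constructed, and RFC 3164 (BSD syslog) message layout is an assumption, since the manual does not specify the message shape.

```python
"""Buffered Syslog receiver with per-computer-group source filtering.

Added example, not GFI EventsManager's built-in Syslog server. Datagrams are
accepted only from members of the computer group, buffered up to 30
messages, and passed to the processing engine when the buffer fills or one
minute has elapsed, whichever comes first. Group membership, the sample
message and the RFC 3164 layout assumption are all constructed here.
"""
import re
import socket
import time

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {i: name for i, name in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp"])}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# RFC 3164 (BSD syslog) layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<content>.+)$")

# Constructed sample: facility 4 (auth), severity 2 (crit) => PRI 34
SAMPLE_MESSAGE = ("<34>Mar 27 23:41:02 fw01 sshd[412]: "
                  "Accepted password for jsmith from 10.0.0.20 port 4410 ssh2")


def parse_syslog(raw):
    """Split PRI into facility/severity and the rest into its header fields.
    Anything not in RFC 3164 shape is rejected rather than guessed at."""
    m = _RFC3164.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 syslog message")
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES.get(facility, f"facility{facility}"),
        "severity": SEVERITIES[severity],
        "severity_code": severity,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "content": m.group("content"),
    }


class SyslogCollector:
    def __init__(self, group_members, buffer_size=30, flush_interval=60.0):
        self.group_members = set(group_members)  # IPs of the computer group
        self.buffer_size = buffer_size
        self.flush_interval = flush_interval
        self.buffer = []
        self.first_buffered_at = None
        self.rejected = 0

    def ingest(self, src_ip, raw, now):
        """Queue one datagram; return the batch to process if a flush fired."""
        if src_ip not in self.group_members:
            self.rejected += 1  # sender outside the group: dropped (NOTE 2)
            return []
        try:
            msg = parse_syslog(raw)
        except ValueError:
            self.rejected += 1  # malformed datagram: dropped, never buffered
            return []
        msg.update(source=src_ip, received_at=now)
        if not self.buffer:
            self.first_buffered_at = now
        self.buffer.append(msg)
        if len(self.buffer) >= self.buffer_size or self._timer_expired(now):
            return self.flush()
        return []

    def tick(self, now):
        """Call periodically so a slow source is still processed within a minute."""
        return self.flush() if self._timer_expired(now) else []

    def _timer_expired(self, now):
        return bool(self.buffer) and now - self.first_buffered_at >= self.flush_interval

    def flush(self):
        batch, self.buffer, self.first_buffered_at = self.buffer, [], None
        return batch


def serve(collector, port=514, process=print):
    """UDP listen loop: feed datagrams to the collector and hand every flushed
    batch to `process` (standing in for the processing engine). Binding port
    514 needs administrative privileges, and the port must not already be in
    use by another service."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(1.0)
    while True:
        try:
            data, (src_ip, _) = sock.recvfrom(2048)
            batch = collector.ingest(src_ip, data.decode("utf-8", "replace"), time.time())
        except socket.timeout:
            batch = collector.tick(time.time())
        if batch:
            process(batch)
```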
Archiving Syslog events
For information on how to archive events refer to the ‘Archiving
events’ section in this chapter.
Selecting Syslog processing rules
For information on how to select event processing rules refer to the
‘Selecting event processing rules’ section in this chapter.
Configuring the Syslog server communications port
To change the default Syslog port settings:
Screenshot 36 – Configuring Syslog Server
1. Select Configuration from the primary options bar.
2. Select Options from the secondary options bar.
3. From the left pane, right-click the Syslog Server Configuration
node and select Edit Syslog options…
Screenshot 37 - Syslog server properties
4. Select the Enable in-built Syslog server on port: option and
specify the port on which GFI EventsManager will receive/listen for
Syslog messages.
5. Select OK to finalize your settings.
NOTE: When configuring Syslog server port settings, make sure that
the configured port is not already in use by other installed applications.
This may affect the delivery of Syslog messages to GFI
EventsManager.
Archiving events
Archive events without processing logs
Screenshot 38 - Archiving events without processing
By default, GFI EventsManager is configured to process all event logs
collected from target computers. To archive events without processing
logs, select the ‘Archive only’ option.
Archiving events after processing
Processed events can be optionally archived into the GFI
EventsManager database backend. By default, GFI EventsManager
can be configured to automatically archive events:
• Based on their classification. For example, you can configure
default settings which archive only critical events. For information
on how to configure event archiving based on event classification
refer to the ‘Configuring default classification actions’ section in the
‘Configuring alerts and actions’ chapter.
• Based on the conditions configured in the event processing rules.
Rules provide an alternative and more flexible way to archive
processed events. Through these rules, you can selectively
archive only those events that satisfy specific rule condition(s),
regardless of their classification. For example, you can configure a
rule which archives only Critical events with ID 537. For more
information on how to create and configure event processing rules
refer to the ‘Configuring event processing rules’ chapter.
Selecting event processing rules
Screenshot 39 - Computer group properties: Configuring Windows event logs parameters
In order to process and classify events, you must specify which rules
will be applied against the collected logs. This is achieved by selecting
the rule-sets folder or rule-set(s) that contain the required event
processing rules.
Screenshot 40 - Selecting event processing rules/rule-sets
However, you must pay attention and choose the right “rule” for the
job. The rule-sets that ship with GFI EventsManager are pre-configured
for specific logs; therefore it is imperative that you choose
rule-sets that can effectively process the events recorded in the
collected logs.
Certain rule-sets contain specialized rules that are event specific.
Therefore these rules will only be effective when used to process such
specific events; failing to do so will result in erroneous event
processing, data loss and insignificant results. For example, the
‘Monitoring and Attack detection’ rule-set contains rules specifically
built to process Windows Security events. Therefore it will not be very
effective if used to process Windows application events.
NOTE 1: By default, GFI EventsManager ships with pre-selected
rule-sets/folders that can effectively process Windows event logs. If
you are new to the product or you are not yet acquainted with the
functionality of rule-sets, we recommend that you leave these settings
as default.
NOTE 2: If no rule-sets are shown in the selection window, this
means that no event processing rules exist for the type of log being
configured. For more information on how to configure event
processing rules and rule-sets, refer to the ‘Configuring event
processing rules’ chapter.
Configuring alerts and actions
Introduction
During event processing, GFI EventsManager can automatically
generate various actions whenever particular events are encountered.
Supported actions include email alerts and event archiving.
You can specify alerts and actions to be triggered in two ways:
1. By configuring a set of ‘Default classification actions’.
2. By creating or customizing rules and rule-sets.
Default classification actions
Through the configuration parameters provided in the default
classification actions, you can trigger alerts and actions based only on
event classification. For example, default classification parameters
can be configured to trigger email alerts for all classified events
(critical, high, medium and low) but archive only critical events.
Generating actions through event processing rules
Rules allow you to configure actions on a more granular level. Rules
allow you to configure and trigger actions whenever an event fits one
or more specific conditions. For example, you can create a rule which
archives only events having event ID 231, regardless of their
classification.
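The following is an added example (not GFI EventsManager code) that models both mechanisms described here and in the ‘Event processing rules’ section: rule-sets classify events (or only attach an action), duplicate entries are filtered as noise, and the default classification actions then fire by severity. Rule names, sample events and event IDs 1000 and 1001 are constructed; IDs 537 and 231 are the manual's own examples.

```python
"""Toy event processing pipeline: rule-sets classify events, then actions fire.

Added example, not GFI EventsManager code. Two action sources are modelled:
default classification actions (by severity only) and rule-level actions
(by condition, regardless of classification). Rule names, sample events and
event IDs 1000/1001 are constructed; 537 and 231 are the manual's examples.
"""
from collections import Counter
from dataclasses import dataclass, field

CLASSIFICATIONS = ("Critical", "High", "Medium", "Low", "Noise", "Unclassified")


@dataclass
class Rule:
    name: str
    log: str                                      # "Security", "System", ...
    event_ids: set = field(default_factory=set)   # empty = any event ID
    keyword: str = ""                             # substring of description
    classification: str = None                    # None = rule only adds actions
    actions: set = field(default_factory=set)     # rule-level actions

    def matches(self, ev):
        return (ev["log"] == self.log
                and (not self.event_ids or ev["event_id"] in self.event_ids)
                and self.keyword.lower() in ev["description"].lower())


# Constructed rule-sets: classification rules and an archive-only rule.
RULE_SETS = {
    "Logon monitoring": [
        Rule("Logon failure", "Security", {537},
             classification="Critical", actions={"archive"}),
    ],
    "Driver problems": [
        Rule("Driver load failure", "System", keyword="driver", classification="Medium"),
    ],
    "Selective archiving": [
        Rule("Keep event 231", "Application", {231}, actions={"archive"}),
    ],
}

# Default classification actions: SMS and email for Critical, email only for
# the other severities, archive only Critical, nothing for Noise/Unclassified.
DEFAULT_CLASSIFICATION_ACTIONS = {
    "Critical": {"email", "sms", "archive"},
    "High": {"email"},
    "Medium": {"email"},
    "Low": {"email"},
    "Noise": set(),
    "Unclassified": set(),
}

SAMPLE_EVENTS = [  # constructed
    {"computer": "SRV01", "log": "Security", "event_id": 537,
     "description": "Logon failure: unknown user name or bad password"},
    {"computer": "SRV01", "log": "Security", "event_id": 537,
     "description": "Logon failure: unknown user name or bad password"},
    {"computer": "WS02", "log": "System", "event_id": 1000,
     "description": "The driver for the display adapter failed to load"},
    {"computer": "WS02", "log": "Application", "event_id": 231,
     "description": "Backup agent completed a scheduled run"},
    {"computer": "WS02", "log": "Application", "event_id": 1001,
     "description": "Application settings reloaded"},
]


def process(events, rule_sets, default_actions):
    """Classify each event and compute the set of actions to trigger.

    The first matching rule that carries a classification wins; actions from
    every matching rule accumulate, then the default actions for the final
    classification are added. A repeat of an already-seen entry is tagged
    Noise and gets no actions at all, which is how noise is filtered out.
    """
    seen = set()
    results = []
    for ev in events:
        key = (ev["computer"], ev["log"], ev["event_id"], ev["description"])
        classification, actions = None, set()
        if key in seen:
            classification = "Noise"
        else:
            seen.add(key)
            for rule in (r for rules in rule_sets.values() for r in rules):
                if rule.matches(ev):
                    actions |= rule.actions
                    if classification is None and rule.classification:
                        classification = rule.classification
        classification = classification or "Unclassified"
        actions |= default_actions[classification]
        results.append({"event": ev, "classification": classification,
                        "actions": actions})
    return results


def classification_counts(results):
    """How many events landed in each classification (the status-view figure)."""
    return Counter(r["classification"] for r in results)


def archive_queue(results):
    """Event IDs that will be written to the database backend."""
    return [r["event"]["event_id"] for r in results if "archive" in r["actions"]]


if __name__ == "__main__":
    for r in process(SAMPLE_EVENTS, RULE_SETS, DEFAULT_CLASSIFICATION_ACTIONS):
        print(f'{r["classification"]:<12} {r["event"]["event_id"]:>5}  {sorted(r["actions"])}')
```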
Supported actions
GFI EventsManager supports the following actions:
• Archive the event - Archives the classified event into the GFI
EventsManager database back-end.
• Send e-mail/sms/network notifications to - Sends email, sms
and network alerts to specific recipients.
• Run File – Runs an executable file. Files that can be executed
include VBScripts (.VBS), Batch files (.BAT) or another executable
type of file (.EXE). You can also specify any command-line
parameters to pass on to the executable file.
Configuring default classification actions
Screenshot 41 - Configuring default classification actions
To configure default classification actions:
1. Select Configuration from the primary options bar.
2. Select Options from the secondary options bar.
3. From the left pane, right-click on the Default Classification
Actions node and select Edit default… option.
Screenshot 42 - Default classification actions screen
4. From the provided drop-down, select the event classification to be
configured.
5. From the provided list of supported actions, select the ones to be
triggered for the selected classification.
6. Click on the Configure button to specify any parameters required by
the selected action.
NOTE: Be aware that assigning actions on events classified as low
might generate:
• A lot of network traffic (especially if email, sms or network alerts
are being generated)
• A high volume of database data/transactions if events are being
archived.
Configuring actions through event processing rules
For more information on how to trigger actions through event
processing rules refer to the ‘Configuring event processing rules’
chapter.
Event browsing
Introduction
The Event Browsing option allows you to access and browse
processed or unprocessed events/logs that are currently stored in the
main or backup database backends.
Screenshot 43 - GFI EventsManager: Events Browser
Use the Events Browser for forensic analysis of events. All events
accessible through the events browser are organized (by Log type) in
3 tabs; Windows Events Browser tab, W3C Events Browser tab
and Syslog Events Browser tab. This way you can quickly access
the events belonging to a particular log type. Event data is organized
into columns and clicking on a particular event will show additional
information in a dedicated events description pane.
Screenshot 44 - Event details provided on the web-page
When browsing Windows events, in addition to the information
provided in the event description pane, you will also find a link. Use
this link to access more detailed event information over the web
including:
• A detailed description of the event
• Links and tips that explain what causes this type of event and how
to possibly solve any related issues.
Event Browsing tools
Event analysis is quite a demanding task; GFI EventsManager is
equipped with specialized tools that simplify the search for specific
events. These specialized tools include:
• An event filter/query builder
• Event color-coding options
• Event finder tool.
Event filter/query builder
Screenshot 45 – Custom query builder
Use the event query builder that ships with GFI EventsManager to
create custom filters that sift events data and display only the
information that you need to browse – without deleting one single
record from your database backend. Further to this GFI
EventsManager ships with pre-configured queries that can filter events
without any configuration effort – just click and go.
Screenshot 46 - Default and custom event queries
Event color-coding options
Screenshot 47 – Event color coding filters
Use the event color-coding tool to tint key events in a particular color.
This way the required events are easier to locate during event
browsing. For example, you can create a query that shows events
classified as Critical or High and at the same time color in red all
Critical events having event ID 231.
The configuration of color-codes is carried out through a dedicated
query builder. Use this query builder to specify:
• The conditions that define which events must be colored
• The colors to be used when showing these events.
Event finder tool
Screenshot 48 – Event finder tool
Use the event finder tool to locate events that match a specific search
string. For example, you can search events that have a specific ID or
which contain specific keywords in the description.
Accessing and browsing stored event logs
To access and browse events stored in the database backend:
1. Select Events Browser from the primary option bar.
Screenshot 49 - Events browsers
2. From the secondary options bar, click on Windows Events
Browser, W3C Events Browser or Syslog Events Browser
accordingly.
Applying event queries
To run an event query:
1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or
Syslog Events Browser accordingly.
3. Select the required query from the filter options in the left pane.
Filtered events will be displayed in the right pane.
Creating custom event queries
Screenshot 50 - GFI EventsManager: Events Browser
In GFI EventsManager, custom queries are added as a sub-node
within the default queries that ship with the product. To create custom
event queries:
1. Click Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or
Syslog Events Browser.
3. Right-click on the default query where the new event query will be
created and select Query builder… This will bring up the event query
builder.
Screenshot 51 - Custom query builder
4. Specify a name and a description for the new query.
5. Click Add, configure the required query condition(s) and click OK.
Repeat until all required query conditions have been specified.
6. Click OK to finalize your settings.
Customizing the event viewer pane
Selecting columns to be displayed
To select which columns will be displayed in the Log Browser’s
viewing pane:
1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or
Syslog Events Browser.
3. Select the Customize view option from the ‘Common Tasks’ area
in the left pane.
Screenshot 52 - Customize view: columns
4. Select the Columns option.
5. Select the columns that will be displayed in the viewing pane. Use
the up/down arrows on the side to define the order in which the
columns will be shown.
6. Close the customize view pane to finalize your settings.
Customize the position of the description window
GFI EventsManager allows you to customize the right viewing pane.
To achieve this:
1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or
Syslog Events Browser accordingly.
3. Select Customize view option from the ‘Common Tasks’ pane.
Screenshot 53 - Customize view
4. Select the view that you want to use.
Configuring event color coding
Assigning a color-code to a specific event
Screenshot 54 - Assigning event color-codes
To assign a color-code to a specific event:
1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or
Syslog Events Browser accordingly.
3. Select the Customize view option.
4. From the right pane, select Colors option.
5. Specify the query/filter condition and choose the color to be applied
to the sifted events.
6. Click on the Apply Color button to finalize your settings.
NOTE: To clear all color settings select Clear color filters option.
Assigning different color-codes to multiple events
To assign different color-codes to multiple events:
1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or
Syslog Events Browser accordingly.
3. Select the Customize view option.
4. Select the Colors option and click on Advanced.
Screenshot 55 - Advanced Color Filter
5. Click Add, specify a name for the color filter condition and configure
the condition parameters. Click OK to finalize your settings. Repeat
until all required conditions have been configured.
6. Click OK to finalize your settings.
Event finder tool
Use the event finder tool to search and locate specific events using
simple customizable filters. To search for a particular event:
1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or
Syslog Events Browser accordingly.
3. Select the Find events option from the ‘Actions’ area in the left pane.
Screenshot 56 – Event finder tool
4. Specify the event search conditions through the options provided on
top of the right pane. To trigger a case sensitive search, click on
Options and select the Match case option.
5. Click Find to trigger the search.
Backup events
GFI EventsManager allows you to backup the events stored in the
main database backend. This way you can reduce the size of your
main database backend but at the same time keep all your event
records for historical and forensic investigation purposes.
Use the backup events feature to backup events that are older than a
specific number of hours. For example, you can choose to backup
events that are older than 48 hours. To backup events:
1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or
Syslog Events Browser accordingly.
3. Select the Backup events option from the ‘Actions’ area in the left
pane.
Screenshot 57 - Backup events dialog box
4. Specify the time period (in hours).
5. Select the OK button to finalize your settings.
Switching databases
For event browsing purposes, GFI EventsManager allows you to
switch between the main and backup database backend. Use this
feature to browse events that have been backed up, using the tools
provided in the Events Browser. To achieve this:
1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or
Syslog Events Browser accordingly.
3. Select Switch to main/backup database option from the ‘Common
tasks’ area in the left pane.
Clear all events
To clear ALL the events stored in the currently selected database:
1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or
Syslog Events Browser accordingly.
3. Select the Clear all events option from the ‘Actions’ pane.
Screenshot 58 - Clear all events dialog box
4. If you are currently browsing events from the main database,
specify whether you want to backup events before clearing or clear
without backing up your events.
Status monitoring
Introduction
The status monitor is a dashboard that shows the status of GFI
EventsManager as well as provides you with statistical information
related to the events collected, processed and archived by this
product. The status monitor consists of three different dashboard
views: General view, Job Activity view and Statistics view.
Accessing the status monitor
To access the status monitor:
1. Click the Status option from the primary options bar.
Screenshot 59 - Dashboard View Options
2. Select the required dashboard view by clicking on the General
option, Job Activity option or Statistics option accordingly.
General Status view
Screenshot 58 - GFI EventsManager status: General view
Use the General option to:
• View the status of the GFI EventsManager event processing
engine
• Access statistical information such as the number of events
processed on a computer by computer basis.
The information provided in this view is divided into dedicated
sections. More details on these sections are provided below.
EventsManager Service status
Screenshot 60 - GFI EventsManager General Status view: Service Status
This section shows:
• The operational status of GFI EventsManager service/event
processing engine
• The user account under which the GFI EventsManager engine is
running
• The time when the event processing service was started.
IMPORTANT: The GFI EventsManager service will not start if no
database backend is currently configured.
Syslog Server status
Screenshot 61 - GFI EventsManager General Status view: Syslog Server status
This section shows:
• The operational status of the Syslog server
• The Syslog server messaging/communication port.
Database Backend Status
Screenshot 62 - GFI EventsManager General Status view: Database Backend Status
This section shows:
• The operational status of the database server currently in use by
GFI EventsManager
• The name of the database server currently in use by GFI
EventsManager
• The name of the database in which GFI EventsManager is
archiving collected events.
Global Event Count
Screenshot 63 - GFI EventsManager General Status view: Global Event Count
This section graphically represents the percentage number of
Windows, W3C and Syslog events processed by GFI EventsManager.
Events Type By Classification
Screenshot 64 - GFI EventsManager General Status view: Events Type by Classification
This section graphically represents the percentage number of events
that were:
• Classified as Critical, High, Medium or Low
• Unclassified.
Activity Overview
Screenshot 65 - GFI EventsManager General Status view: Activity Overview
This section shows:
• The total number of Windows, W3C and Syslog events processed
on a machine by machine basis
• The date/time of the last event collection performed from every
machine.
Job Activity view
Screenshot 66 - GFI EventsManager Job Activity view
Use the Job Activity option to view your current event collection and
processing activity. This includes active event collection jobs as well
as Syslog messaging history on a machine by machine basis.
The information provided in this view is divided into dedicated
sections. More details on these sections are provided below.
Active Jobs
Screenshot 67 - GFI EventsManager Job Activity view: Active Jobs
This section shows a list of all event collection jobs currently taking
place on every event source/machine. The information provided
includes the job progress as well as the Log Source from which events
are being collected.
Queued Jobs
Screenshot 68 - GFI EventsManager Job Activity view: Queued Jobs
This section shows a list of all pending event collection jobs on a
machine by machine basis. The information provided includes the Log
Source from which events will be collected as well as the time that
these jobs were queued.
Syslog Message History
Screenshot 69 - GFI EventsManager Job Activity view: Syslog Message History
This section shows a list of all Syslog messages that were received by
GFI EventsManager. The information provided includes the total
number of messages sent by every source machine and the date/time
when the last Syslog message was received.
Operational History
Screenshot 70 - GFI EventsManager Job Activity view: Operational History
This section shows an audit trail of the event collection operations
carried out by GFI EventsManager. The information provided includes
errors and information messages generated during the event
collection process as well as the name of the log file that was being
processed on the source machine.
Maintenance Jobs
Screenshot 71 - Job activity status
This section shows the progress of maintenance jobs that have been
created through Database Operations. The information provided
includes the job description as well as the time when the job began
execution.
Statistics view
Screenshot 72 - GFI EventsManager Statistics view
Use the Statistics option to view the daily event activity trends and
statistics of a particular computer or of your entire network.
The information provided in this view is divided into dedicated
sections. More details on these sections are provided below.
Events Count For Today
Screenshot 73 - GFI EventsManager Statistics view: Events Count For Today
This section graphically represents the daily event collection trend on
a machine by machine basis as well as on a network by network
basis. A color scheme is used to differentiate between Windows, W3C
and Syslog events.
Events Count By Log Type
Screenshot 74 - GFI EventsManager Statistics view: Events Count By Log Type
This section graphically represents the number of Windows, W3C and Syslog events collected by GFI EventsManager from a particular machine or network.
Events Count by Classification
Screenshot 75 - GFI EventsManager Statistics view: Events Count by Classification
This section graphically represents (on a machine or network wide level) the percentage of events that were:
• Classified as Critical, High, Medium or Low
• Unclassified.
Windows Events Count by Event Log
Screenshot 76 - GFI EventsManager Statistics view: Windows Events Count by Event Log
This section graphically represents the percentage of Windows events collected from the Security, System, Application, DNS Server, Directory Service and File Replication Service logs.
Database Operations
Introduction
The Database Operations module in GFI EventsManager provides advanced functionality allowing administrators to:
• Centralize events collected by other remote GFI EventsManager instances into one database backend.
• Optimize GFI EventsManager performance by actively controlling database backend growth, keeping the database at a manageable size.
Why is there a need for database maintenance?
Periodic database maintenance is essential in preventing excessive data growth in the database backend. A database which is large in size drastically affects the performance of GFI EventsManager: events browsing will be slower and queries will take longer to execute. There will also be a negative impact on GFI EventsManager ReportPack performance, with reports taking longer to be generated.
Through GFI EventsManager a number of database operations, referred to as maintenance jobs, can be carried out on the database backend. These include:
• Move to database – Use this operation to move events from the main database to the backup database or to another existing database.
• Export to file – Use this operation to export events from the main database to a compressed binary file, which can also be encrypted and backed up to CD/DVD or tape for safekeeping.
• Import from file – Use this operation to import events from GFI EventsManager export files into the main database backend.
• Delete data – Use this operation to remove events from the main or backup database backends.
For each of these operations, you can also apply filters that determine which events will be affected by the database operation.
Consolidation of events for a WAN
Figure 1: Consolidation of events for a WAN
In the case of organizations with remote geographical sites, Database Operations can be used to consolidate all or part of the events data collected in remote sites on to one central database. This is achieved using the ‘Export to file’ job, through which GFI EventsManager compresses and encrypts the events data into an export file that is then transferred to a central location. An ‘Import from file’ job is executed at the central location, importing the events from the remote site into the central database.
Events for the remote site can then be viewed through the Events
Browser. Reports with information relevant to the remote site can also
be generated using data from the central database.
Configuring Database Operations
With GFI EventsManager you can schedule maintenance jobs to be
executed on a specific day, at a specific time and at specific intervals.
Screenshot 77 – Configuring Database Operations
NOTE: Database maintenance operations may require high utilization
of resources which can degrade server and GFI EventsManager
performance. Thus, it is recommended that you schedule
maintenance jobs to be executed after office hours. This allows you to
maximize the availability of your system resources during working
hours and avoid any possible disruptions to workflow.
To configure Database Operations:
1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select
Options.
3. From the left pane, right-click on the Database Operations node
and select Properties. This will bring up the ‘Database Operations
Options’ dialog.
Screenshot 78 – Database Operations Options dialog: GFI EventsManager unique identifier
4. Specify the unique identifier by which this instance of GFI
EventsManager will be identified on the network. This identifier is used
as part of the export file-name during ‘Export to file’ operations.
Screenshot 79 - Database Operations Options dialog: Scheduling options
5. Click on the Schedule tab to specify:
• Hours of the day during which maintenance jobs can be executed
• The interval in hours/days with which maintenance jobs will be executed
• The scheduled date/time when maintenance jobs will start being executed.
Creating maintenance jobs
To create a new maintenance job:
1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select
Options.
3. From the left pane, right-click on the Database Operations node
and select Create new job… This will bring up the ‘New job wizard’.
4. As soon as the welcome dialog is displayed, click on the Next
button to bring up the ‘Job Type’ dialog.
Screenshot 80 - New job wizard: Job Type dialog
5. Select the type of maintenance job you want to create and click
Next to proceed to the configuration dialog.
6. Specify the required parameters and click Next to proceed to the
data filter configuration dialog.
NOTE: For information on how to configure the parameters of a
particular maintenance job, refer to the relevant section in this chapter.
Screenshot 81 – Data filter dialog: Specifying data filter conditions
7. Specify which data will be filtered from your database backend. If
no filter is specified, the selected maintenance job will affect all data
within your database backend. Click Next to continue.
NOTE: For more information on how to configure filter conditions,
refer to the section ‘Configuring data filter conditions’ in this chapter.
Screenshot 82 - Specify when the job will be executed
8. Specify whether the selected maintenance job should be scheduled
or executed immediately.
NOTE 1: Scheduled jobs are executed according to the interval settings configured in the ‘Database Operations Options’ dialog.
NOTE 2: Selected maintenance jobs will be executed only once.
9. Click Finish to finalize your configuration settings.
Screenshot 83 - Progress and successful completion of a maintenance job
Move to database
To create a maintenance job which moves events between the main
database and any other target database:
1. Launch the ‘New job wizard’ dialog; select the Move to database
option.
Screenshot 84 - New job wizard: Move to database
2. Specify the database to which events will be moved. This should be
either the backup database or another accessible database on the
SQL Server hosting the main database.
3. Specify the frequency in hours/days at which events will be moved
from the main database.
4. Click Next to bring up the data filter conditions dialog.
5. Configure the data filter conditions that will be applied for the ‘Move to database’ job. If you do not set any data filter conditions, then all events older than the specified period will be moved. Click Next to continue.
NOTE: For more information on how to configure filter conditions,
refer to the section ‘Configuring data filter conditions’ in this chapter.
6. Specify whether the maintenance job should be scheduled or
executed immediately.
7. Click on Finish to finalize configuration of the new ‘Move to
database’ job.
Export to file
To export events from the main database to a binary file:
1. Launch the ‘New job wizard’ and select the Export to file option.
Screenshot 85 - New job wizard: Export to file
2. Specify the target folder where the exported file will be stored. Use
the UNC notation to specify remote paths.
NOTE: Ensure that GFI EventsManager has administrative rights over
the specified target folder.
3. Specify the frequency in hours/days at which events will be
exported from the main database.
4. Click Next to bring up the data protection dialog.
Screenshot 86 - New job wizard: Export to file using encryption
5. Define whether the exported events data will be encrypted, specify
the password to be used for decryption and click Next to proceed to
the data filter dialog.
NOTE: It is recommended that files to be exported are always encrypted using strong passwords.
6. Configure the data filter conditions that will be applied for ‘Export to file’ jobs. If you do not set any data filter conditions, then all events older than the specified period will be exported. Click Next to continue.
NOTE: For more information on how to configure filter conditions,
refer to the section ‘Configuring data filter conditions’ in this chapter.
7. Define whether the maintenance job should be scheduled or
executed immediately.
8. Click on Finish to finalize your settings.
Export filename
The convention used by GFI EventsManager to name the export file is shown and described below:
[ESM ID]_[Job ID]_[Date From]_[Date To].EXP
• ESM ID – refers to the unique identifier given to each GFI EventsManager instance running in the organization.
• Job ID – refers to the unique identifier given to each maintenance job created.
• Date From – refers to the date of the earliest event exported.
• Date To – refers to the date of the latest event exported.
• .EXP – this is the file extension given to all export files.
The following is an example of an export filename:
SERVER01_0051_20061020_20061025.EXP
Import from file
To import events from a file into the main database:
1. From the ‘New job wizard’ dialog, select the Import from file
option.
Screenshot 87 - New job wizard: Import from file
2. Specify the folder where the export file is stored. Use the UNC
notation to specify remote paths.
NOTE 1: Ensure that GFI EventsManager has administrative rights
over the specified folder.
NOTE 2: GFI EventsManager will import all files having a .EXP
extension.
3. Click Next to proceed to the data protection dialog.
Screenshot 88 - New job wizard: Import from file decryption
4. Specify the password with which events data will be decrypted and
click Next to proceed to the data filter dialog.
NOTE: Use the same password used for the encryption of your events
data.
5. Configure the data filters that will be applied against the imported
file and click Next to continue.
NOTE 1: Use data filters to define which events will be imported into
the main database.
NOTE 2: For more information on how to configure filter conditions,
refer to the ‘Configuring data filter conditions’ section in this chapter.
6. Specify whether the maintenance job should be scheduled or
executed immediately.
7. Click on Finish to finalize your settings.
NOTE: GFI EventsManager will change the file extension of all
successfully imported files from .EXP to .IMP.
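The following Python example is added here and is not part of GFI EventsManager. It parses export filenames that follow the ‘Export filename’ convention above and audits an import folder for files still waiting as .EXP or already renamed to .IMP, as described in the ‘Import from file’ procedure. The YYYYMMDD date format, the right-to-left split (so that an ESM ID may itself contain underscores), the rejection of reversed date ranges and the folder listing are assumptions made for the example.

```python
"""Parse GFI EventsManager export filenames and audit an export/import folder.

Added example; the date format and folder contents are constructed assumptions.
"""
from datetime import date, datetime
from typing import Dict, List, NamedTuple, Optional

EXPORT_EXT = ".EXP"    # extension given to all export files (per the manual)
IMPORTED_EXT = ".IMP"  # extension assigned after a successful import (per the manual)


class ExportName(NamedTuple):
    esm_id: str       # unique identifier of the exporting EventsManager instance
    job_id: str       # identifier of the maintenance job that produced the file
    date_from: date   # date of the earliest exported event
    date_to: date     # date of the latest exported event


def parse_export_filename(name: str) -> Optional[ExportName]:
    """Return the fields of [ESM ID]_[Job ID]_[Date From]_[Date To].EXP, or None.

    Assumptions (not stated in the manual): dates are written YYYYMMDD, and the
    ESM ID may contain underscores, so the stem is split from the right.
    """
    if not name.upper().endswith(EXPORT_EXT):
        return None
    stem = name[: -len(EXPORT_EXT)]
    parts = stem.rsplit("_", 3)
    if len(parts) != 4 or not all(parts):
        return None
    esm_id, job_id, d_from, d_to = parts
    try:
        start = datetime.strptime(d_from, "%Y%m%d").date()
        end = datetime.strptime(d_to, "%Y%m%d").date()
    except ValueError:
        return None
    if end < start:          # Date To must not precede Date From
        return None
    return ExportName(esm_id, job_id, start, end)


def audit_import_folder(filenames: List[str]) -> Dict[str, List[str]]:
    """Classify a folder listing into pending exports, imported files and leftovers.

    Mirrors the manual: the import job picks up every .EXP file in the folder and
    renames it to .IMP on success, so anything else left behind is unexpected.
    """
    result: Dict[str, List[str]] = {"pending": [], "imported": [], "unexpected": []}
    for name in filenames:
        if name.upper().endswith(IMPORTED_EXT):
            result["imported"].append(name)
        elif parse_export_filename(name) is not None:
            result["pending"].append(name)
        else:
            result["unexpected"].append(name)
    return result


# Constructed folder listing for the demonstration.
SAMPLE_LISTING = [
    "SERVER01_0051_20061020_20061025.EXP",   # filename example from the manual
    "SERVER02_0007_20061101_20061105.IMP",   # already imported and renamed
    "SERVER01_0052_20061030_20061026.EXP",   # date range reversed: rejected
    "notes.txt",                             # not an export file at all
]

if __name__ == "__main__":
    print(parse_export_filename("SERVER01_0051_20061020_20061025.EXP"))
    print(audit_import_folder(SAMPLE_LISTING))
```

Running the audit before each scheduled import gives a quick check that the remote site's exports actually arrived and that nothing malformed was dropped into the folder the import job will sweep.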
Delete data
To remove events from the main database:
1. From the ‘New job wizard’ dialog, select the Delete data option.
NOTE: Important events data should be backed up through the ‘Move
to database’ or ‘Export to file’ maintenance jobs. Failure to do this
means that deleted records can NOT be recovered.
Screenshot 89 - New job wizard: Delete data
2. Specify whether events will be deleted from the Main database or
from the Backup database.
3. Specify the frequency in hours/days at which events will be deleted
from the main/backup database.
4. Click Next to bring up the data filter conditions dialog.
5. Configure the data filter conditions that will be applied for the ‘Delete data’ job. If you do not set any data filter conditions, then all events older than the specified period will be deleted. Click Next to continue.
NOTE: For more information on how to configure filter conditions,
refer to the section ‘Configuring data filter conditions’ in this chapter.
6. Specify whether the maintenance job should be scheduled or
executed immediately.
7. Click on Finish to finalize configuration of the new ‘Delete data’ job.
Configuring data filter conditions
Use data filter conditions to specify which events will be affected by
the maintenance job. Only events which match the specified criteria
will be processed, moved, exported, deleted or imported.
Filters can be created for one or more of the following log types:
• Windows Event Logs
• W3C Logs
• Syslog Messages.
Screenshot 90 – Data filter dialog
To specify which events are affected by maintenance jobs, click on the
Filter button in the data filter dialog. This dialog is available through
the ‘New job wizard’.
Example: Windows Event Logs filter
Export events from the Windows Event Logs with the following conditions:
• Log type: Security
• Event ID: 540 – Successful logon
• User: administrator
• Event Type: Error.
Configure your filter parameters as shown in the ‘Edit filter’ dialog below:
Screenshot 91 - Creating a filter for Windows events: Edit filter dialog
Choose Ok to finalize filter configuration.
Advanced conditions
Screenshot 92 - Advanced Filter settings
From the ‘Edit filter’ dialog you can also set advanced filter conditions. Through this dialog you can create and apply filters on all events data fields used by GFI EventsManager.
Note: Filters can also be applied on maintenance jobs after they have
been created. For more information refer to the ‘Editing a maintenance
job’ section.
Viewing scheduled maintenance jobs
Screenshot 93 - Viewing scheduled maintenance jobs
To view maintenance jobs created:
1. Click on the Configuration option.
2. From the secondary option bar, select Options.
3. From the left pane, select the Database operations node.
4. The list of scheduled maintenance jobs is displayed in the right pane.
Job activity status
Screenshot 94 - Job activity status
The progress of maintenance jobs that are being processed can be
viewed through the status monitor:
1. Click the Status option from the primary options bar.
2. Select the Job Activity dashboard view.
3. View the status of maintenance jobs in the Maintenance Jobs
section of the dashboard.
Editing a maintenance job
You can change the parameters of scheduled maintenance jobs:
1. Click on the Configuration option.
2. From the secondary option bar, select Options.
3. From the left pane, select the Database Operations node.
4. From the right pane, right-click on the maintenance job to edit and
select Properties.
Screenshot 95 - Example dialog to edit a scheduled job
5. Configure the required parameters as described in the sections
above:
• Select the General tab to edit parameters such as:
  o file locations or databases
  o frequency in hours/days.
• Select the Data tab to edit filter conditions.
• Select the Data Protection tab to edit encrypt/decrypt settings.
Editing a maintenance job priority
Screenshot 96 - Maintenance job priorities
When a maintenance job is created, it is given a priority setting. Job priorities are set according to the sequence in which the jobs are created: the first job created is given a priority setting of 1, the second job created is given a priority setting of 2, and so on. The priority determines the sequence in which jobs are executed.
To increase or decrease the priority of a maintenance job:
1. Click on the Configuration option.
2. From the secondary option bar, select Options.
3. From the left pane, select the Database Operations node.
4. From the right pane, right-click on the maintenance job to change
and select Increase Priority or Decrease Priority as required.
Deleting a maintenance job
Scheduled maintenance jobs awaiting execution can also be deleted.
1. Click on the Configuration option.
2. From the secondary option bar, select Options.
3. From the left pane, select the Database Operations node.
4. From the right pane, right-click on the maintenance job to delete
and select Delete.
NOTE: Due diligence should be taken when deleting maintenance jobs, since such an operation has an indirect effect on events data. For example, consider an ‘Export to file’ maintenance job with a higher priority than a ‘Delete data’ job: if you delete the ‘Export to file’ job, events data may end up being removed without any backup of that data having been taken.
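The following Python example is added here and is not part of GFI EventsManager. It applies the rule in the note above to a job list: a ‘Delete data’ job is only considered safe when a ‘Move to database’ or ‘Export to file’ job on the same database runs before it (i.e. has a lower priority number), and the check can be re-run against the list as it would look after a given job is deleted. The job list, the field names and the simplification that filter overlap between jobs is not modelled are assumptions made for the example.

```python
"""Check the priority order of maintenance jobs before deleting or reordering one.

Added example; the job list and field names are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List

# Job types named in the manual.
MOVE = "Move to database"
EXPORT = "Export to file"
IMPORT = "Import from file"
DELETE = "Delete data"


@dataclass(frozen=True)
class MaintenanceJob:
    priority: int        # 1 runs first, as the manual describes
    job_type: str
    source_db: str       # "main" or "backup": the database the job reads from
    description: str = ""


def unprotected_delete_jobs(jobs: List[MaintenanceJob]) -> List[MaintenanceJob]:
    """Return 'Delete data' jobs that no earlier backup job protects.

    A Delete data job counts as protected when a Move to database or Export to
    file job on the same database has a lower priority number, so it runs
    first. Whether the two jobs' data filters actually overlap is not modelled
    (assumption); treat a flagged job as something to review, not as proof.
    """
    ordered = sorted(jobs, key=lambda j: j.priority)
    flagged: List[MaintenanceJob] = []
    for idx, job in enumerate(ordered):
        if job.job_type != DELETE:
            continue
        protected = any(
            j.job_type in (MOVE, EXPORT) and j.source_db == job.source_db
            for j in ordered[:idx]          # only jobs that run before this one
        )
        if not protected:
            flagged.append(job)
    return flagged


def simulate_job_deletion(jobs: List[MaintenanceJob], priority_to_delete: int) -> List[MaintenanceJob]:
    """Show which Delete data jobs would lose their backup if one job were removed."""
    remaining = [j for j in jobs if j.priority != priority_to_delete]
    return unprotected_delete_jobs(remaining)


# Constructed job list: the export protects the purge of the main database,
# but nothing backs up the backup database before it is purged.
SAMPLE_JOBS = [
    MaintenanceJob(1, EXPORT, "main", "nightly export of main database"),
    MaintenanceJob(2, DELETE, "main", "purge main events older than 90 days"),
    MaintenanceJob(3, DELETE, "backup", "purge backup events older than 1 year"),
]

if __name__ == "__main__":
    for job in unprotected_delete_jobs(SAMPLE_JOBS):
        print("unprotected now:", job)
    for job in simulate_job_deletion(SAMPLE_JOBS, 1):
        print("unprotected if job 1 is deleted:", job)
```

Run the simulation with the priority of the job you intend to delete (or demote with Decrease Priority) before touching it in the Database Operations node; a non-empty result is the situation the note warns about.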
Customizing event processing rules
Introduction
Event processing rules are the conditions which:
• Classify processed events
• Filter out noise (repeated events) or unwanted events
• Trigger email, SMS and network alerts on key events
• Attempt remedial actions by executing specific scripts and executable files on key events.
GFI EventsManager ships with pre-configured rules that can be used to process events with minor configuration effort. You can also customize these default rules or create tailored ones for all supported log types (i.e. Windows event logs, W3C and Syslog).
In GFI EventsManager, event processing rules are organized into rule-sets, which in turn are stored in rule-set folders. The pre-configured rules that ship with GFI EventsManager are organized into the following rule-set folders:
• Noise reduction rules – Contains rules tailored for the removal of repeated events and other noise from logs.
• Security – Contains rules tailored for the processing of Security logs and System logs.
• System Health – Contains rules tailored for the processing of Application logs and System logs.
• Security Applications – Contains rules tailored for the processing of Application logs, Security logs and System logs.
• Infrastructure Server – Contains rules tailored for the processing of Application logs, DNS logs and System logs.
• Database Server – Contains rules tailored for the processing of Application logs.
• Web Server – Contains rules tailored for the processing of Application logs and System logs.
• Print Server – Contains rules tailored for the processing of Application logs and System logs.
• Terminal Services – Contains rules tailored for the processing of events generated by terminal device driver services.
• Linux/Unix – Contains rules tailored for the processing of Syslogs.
• Cisco PIX & ASA – Contains rules tailored for the processing of events generated by Cisco PIX firewalls and Cisco Adaptive Security Appliances.
Create a new rule-set folder
Screenshot 97 – The log type drop-down list
To create a new rule-set folder:
1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
3. From the provided drop-down, select the log-type for which you will
be creating the rule-set folder.
4. Select the Create folder option from the ‘Common tasks’ area in
the left pane.
5. Specify a unique name for the new rule-set folder.
Renaming and deleting folders
To rename or delete existing rule-set folders, right-click on the target
rule-set folder and select Rename or Delete accordingly.
NOTE: Deleting a rule-set folder will lead to the deletion of all the rules
and rule-sets contained within the deleted folder.
Creating a new rule-set
To create a new rule-set:
1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
3. From the provided drop-down, select the log-type for which you will
be creating the new rule-set.
4. Right-click on the folder where to create the new rule-set and select
Create new rule set…
Screenshot 98 - New rule-set dialog box
5. Specify a name and a description for this new rule-set.
6. Click OK to finalize your settings.
Editing a rule-set
To edit rule-set parameters:
1. Right-click on the rule-set to edit and select Properties.
2. Make the required changes and click OK to finalize your settings.
Deleting a rule-set
To delete a rule-set, right-click on the rule-set and select Delete.
Creating a new Windows Event Log rule
To create a new rule which is applicable only to Windows Event Logs:
1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
Screenshot 99 - Selecting log-type from the provided drop-down
3. From the provided drop-down, select Windows Event Logs.
4. Right-click on the rule-set in which you will be creating the new rule
and select Create new rule…
5. Specify the name and a description for the new rule. Click Next to
proceed with the configuration.
Screenshot 100 - GFI EventsManager: Select the Log(s)
6. Select the event logs to which the rule applies and click Next.
Screenshot 101 - GFI EventsManager: Select the filtering conditions
7. Configure the event filtering conditions of this rule. To create a rule
which will be applied to all events, leave the event ID empty. Click
Next to continue.
NOTE: For more information on how to configure advanced event filtering conditions, refer to the ‘Advanced event filtering parameters’ section in this manual.
Screenshot 102 - New processing rule wizard: Select event occurrence and importance
8. Specify the time when this rule will be executed (i.e. anytime, during working hours or outside working hours).
NOTE: Working and non-working hours are based on the operational
time parameters configured for your event sources. For more
information on how to configure operational times, refer to the
‘Configuring event source operational time’ section in the ‘Configuring
event sources’ chapter.
9. Select the classification (critical, high, medium, low or noise) that
will be assigned to events that satisfy the conditions in this rule. Click
Next to continue.
Screenshot 103 - New processing rule wizard: Select action
10. Specify which actions will be triggered by this rule. You can
choose to ignore the event, trigger the default action, or customize
alerts.
11. Click Next to proceed to the final dialog. Click Finish to finalize
your settings.
NOTE: Newly created rules are disabled by default, hence will NOT
become operational unless enabled. For information on how to enable
event processing rules refer to the “Collecting and processing
Windows events” section in this Manual.
Creating a new W3C rule
To create a new rule which is applicable only for W3C logs:
1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
3. From the provided drop-down, select W3C Logs.
4. Right-click on the rule-set in which you will be creating the new rule
and select Create new rule…
5. Specify a name and description for the new rule. Click Next to
proceed with the configuration.
Screenshot 104 - New processing rule wizard: Select W3C Log
6. Click on the Add button. Specify the path to the W3C logs for which
this rule applies or leave blank to apply this rule to all W3C logs. Click
Next to continue.
NOTE: Multiple paths can be specified during configuration.
Screenshot 105 - New processing rule wizard: Configure filtering conditions.
7. Click on the Add button and configure event filtering conditions.
Repeat until all conditions have been specified. Click Next to continue.
Screenshot 106 - New processing rule wizard: Select event occurrence and importance
8. Specify the time when this rule will be executed (i.e. anytime, during working hours or outside working hours).
NOTE: Working and non-working hours are based on the operational
time parameters configured for your event sources. For more
information on operational times, refer to the ‘Configuring event
source operational time’ section in the ‘Configuring event sources’
chapter.
9. Select the classification (critical, high, medium, low or noise) that
will be assigned to events that satisfy the conditions in this rule. Click
Next to continue.
Screenshot 107 - New processing rule wizard: Select action
10. Specify which actions will be triggered by this rule. You can
choose to ignore the event, trigger the default action, or customize
alerts.
11. Click Next to proceed to the final dialog. Click Finish to finalize
your settings.
NOTE: Newly created rules are disabled by default, hence will NOT
become operational unless enabled. For information on how to enable
event processing rules refer to the “Collecting and processing W3C
logs” section in this Manual.
Creating a new Syslog rule
To create a new rule which is applicable only for the processing of
Syslog messages:
1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
3. From the provided drop-down, select Syslog.
4. Right-click on the rule-set in which you will be creating the new rule
and select Create new rule…
5. Specify the name and a description for the new rule. Click Next to
proceed with the configuration.
Screenshot 108 - New processing rule wizard: Configure Conditions
6. Specify the log filtering conditions to be processed by this rule.
When all conditions have been specified, click Next.
NOTE: For more information on how to configure advanced event filtering conditions, refer to the ‘Advanced event filtering parameters’ section in this manual.
Screenshot 109 - New processing rule wizard: Select event occurrence and importance
7. Specify the time when this rule will be executed (i.e. anytime, during working hours or outside working hours).
NOTE: Working and non-working hours are based on the operational time parameters configured for your event sources. For more information on operational times, refer to the ‘Configuring event source operational time’ section in the ‘Configuring event sources’ chapter.
8. Select the classification (critical, high, medium, low) that will be
assigned to events that satisfy this rule. Click Next to continue.
Screenshot 110 - New processing rule wizard: Select action
9. Specify which actions will be triggered by this rule. You can choose
to ignore the event, trigger the default action, or customize alerts.
10. Click Next to proceed to the final dialog. Click Finish to finalize
your settings.
NOTE: Newly created rules are disabled by default, hence will NOT
become operational unless enabled. For information on how to enable
event processing rules refer to the “Collecting and processing
Syslogs” section in this Manual.
Changing the configuration settings of a rule
Screenshot 111 - Log processing rule properties
To edit the property settings of an event processing rule:
1. Right-click on the rule and select Properties. This will bring up the
‘Rule Properties’ dialog.
2. Use the tabs provided in the dialog to navigate the existing
parameters and make the required changes. The tabs provided in the
properties dialog include:
• General – Use this tab to configure the general properties of the rule, including the rule name and rule classification.
• Logs – This tab is available only for W3C log rules. Use this tab to specify the W3C logs to which this rule applies.
• Event Logs – This tab is available only for Windows event log rules. Use this tab to specify which events will be processed by this rule.
• Conditions – Use this tab to configure event filtering conditions.
• Actions – Use this tab to configure alerts and actions triggered by this rule.
• Threshold – Use this tab to configure the event threshold value, i.e. the number of times that an event must be detected before alerts and remedial actions are triggered. This helps reduce false positives caused by noise (repeated events) in your event logs.
Advanced event filtering parameters
GFI EventsManager allows systems administrators to set up advanced
event filtering parameters. These options are available only for
Windows Events and Syslog rules.
Windows Events Conditions
Event IDs field:
The 'Event IDs:' field accepts the following parameter types:
• A single event ID
• A list of event IDs
• A range of event IDs
• A combination of the above (lists and ranges together)
Source, Category and User fields:
The 'Source', 'Category' and 'User' fields accept the following
parameter types:
• A single source, category or user name
• A list of names
• Wildcards (% and *)
Syslog Categories
Message and Process fields:
The 'Message' and 'Process' fields accept the following parameter
types:
• A single message or process name
• A list of messages or process names
• Wildcards (% and *)
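The filtering parameters above and the Threshold tab described under 'Changing the configuration settings of a rule' can be exercised with the following Python example. It is an added example, not GFI code or part of this manual: the list/range separator syntax (commas and a hyphen), the sample event layout, the rule and event names, and the counter reset after the threshold fires are all assumptions made for illustration.

```python
"""Added example, not GFI code: a small event-processing rule matcher that
implements what the Rule Properties dialog exposes on its Conditions and
Threshold tabs: Event ID filters (single ID, list, range, combination),
wildcard filters on Source/Category/User (% and * both mean 'any text')
and a per-rule threshold counter. The separator syntax (commas for lists,
a hyphen for ranges) and the sample event layout are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class WinEvent:
    """Minimal stand-in for a collected Windows event log record."""
    event_id: int
    source: str
    category: str
    user: str


def parse_event_ids(spec: str) -> set[int]:
    """Expand an Event IDs filter into the set of matching IDs.
    '529' -> {529}; '528, 540' -> {528, 540}; '4624-4627' -> 4624..4627;
    '529, 4624-4627' -> the union (assumed syntax)."""
    ids: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """% and * both match any run of characters; everything else is literal.
    Matching is case-insensitive because Windows names are."""
    literal_parts = re.split(r"[%*]", pattern)
    body = ".*".join(re.escape(p) for p in literal_parts)
    return re.compile("^" + body + "$", re.IGNORECASE)


def field_matches(spec: str, value: str) -> bool:
    """A Source/Category/User spec is a comma-separated list of names, each of
    which may contain wildcards. An empty spec imposes no constraint."""
    names = [p.strip() for p in spec.split(",") if p.strip()]
    if not names:
        return True
    return any(wildcard_to_regex(n).match(value) for n in names)


@dataclass
class Rule:
    name: str
    event_ids: str = ""
    source: str = ""
    category: str = ""
    user: str = ""
    threshold: int = 1          # fire actions on the Nth matching event
    _hits: int = field(default=0, init=False, repr=False)

    def matches(self, ev: WinEvent) -> bool:
        """Conditions tab: every configured field must match."""
        if self.event_ids.strip() and ev.event_id not in parse_event_ids(self.event_ids):
            return False
        return (field_matches(self.source, ev.source)
                and field_matches(self.category, ev.category)
                and field_matches(self.user, ev.user))

    def process(self, ev: WinEvent) -> bool:
        """Threshold tab: return True only when the threshold-th matching event
        arrives. The counter resets after firing (an assumption), so a burst
        of noise alerts once per N events instead of once per event."""
        if not self.matches(ev):
            return False
        self._hits += 1
        if self._hits >= self.threshold:
            self._hits = 0
            return True
        return False


def run_demo() -> dict:
    """Constructed sample stream: five failed logons for one account (event
    529 on Windows 2000/XP/2003, 4625 on later versions) with unrelated
    events mixed in. Returns how many events matched and how often the
    rule's actions fired."""
    rule = Rule("Repeated failed logons", event_ids="529, 4625",
                source="Security", user="%\\jsmith", threshold=3)
    hit = WinEvent(529, "Security", "Logon/Logoff", "CORP\\jsmith")
    stream = [
        hit,
        WinEvent(6005, "EventLog", "None", "N/A"),                      # service start
        hit, hit,
        WinEvent(529, "Security", "Logon/Logoff", "CORP\\svc-backup"),  # other account
        hit, hit,
    ]
    matched = sum(rule.matches(ev) for ev in stream)
    fired = sum(rule.process(ev) for ev in stream)
    return {"matched": matched, "fired": fired}


if __name__ == "__main__":
    print(run_demo())
```

With a threshold of 3, the five matching failed logons in the sample produce a single alert instead of five, which is the noise reduction the Threshold tab is meant to give; the unrelated service-start event and the failed logon for another account never count towards the threshold.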
Configuring users and groups
Introduction
Screenshot 112 - Configuring users and groups node
When an alert is triggered, GFI EventsManager does not send alert
messages directly to a specific email address or mobile number. The
type of alert to be sent is determined by the recipient's user
properties.
User properties include the contact details and working hours of every
recipient. Based on these settings, GFI EventsManager automatically
determines which type of alert to send during and outside working
hours.
In GFI EventsManager, alert recipients can be organized into groups.
This way you can configure alerting options on a user group level,
rather than having to configure the same settings for each and every
user.
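As an added illustration (not GFI code) of how user properties drive alerting, the following Python example routes an alert to users and groups according to their working hours. The channel policy it applies (email during working hours, SMS outside them, email again when no mobile number is configured), the sample users and numbers, and the overnight-shift handling are assumptions for illustration only; GFI EventsManager decides the alert type from the user properties in its own way.

```python
"""Added example, not GFI code: how a recipient's working hours and contact
details can determine the type of alert sent, and how groups expand to
their members. The channel policy used here (email during working hours,
SMS outside them, email again if no mobile number is configured) is an
assumption for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Iterable, Union


class WorkingHours:
    """Working hours as 'HH:MM' strings and a set of weekdays (Monday=0 ..
    Sunday=6). A window whose end is earlier than its start (e.g. 22:00 to
    06:00) is an overnight shift."""

    def __init__(self, start: str, end: str, weekdays: Iterable[int] = range(0, 5)):
        self.start = time.fromisoformat(start)
        self.end = time.fromisoformat(end)
        self.weekdays = frozenset(weekdays)

    def covers(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:
            return when.weekday() in self.weekdays and self.start <= t < self.end
        # Overnight window: the part after midnight belongs to the shift that
        # started on the previous calendar day, so check that day's weekday.
        if t >= self.start:
            return when.weekday() in self.weekdays
        if t < self.end:
            return (when - timedelta(days=1)).weekday() in self.weekdays
        return False


@dataclass(frozen=True)
class User:
    name: str
    email: str
    mobile: str            # empty string when no mobile number is configured
    hours: WorkingHours


@dataclass(frozen=True)
class Group:
    name: str
    members: tuple         # of User


def expand(recipients: Iterable[Union[User, Group]]) -> list:
    """Flatten groups into users, keeping each user once even if listed
    directly and through a group."""
    seen, users = set(), []
    for r in recipients:
        for u in (r.members if isinstance(r, Group) else (r,)):
            if u.name not in seen:
                seen.add(u.name)
                users.append(u)
    return users


def channel_for(user: User, when: datetime) -> tuple:
    """Assumed policy: email while at work, SMS otherwise, falling back to
    email when the user has no mobile number."""
    if user.hours.covers(when):
        return ("email", user.email)
    if user.mobile:
        return ("sms", user.mobile)
    return ("email", user.email)


def route_alert(recipients: Iterable[Union[User, Group]], when_iso: str) -> list:
    """Return (user, channel, address) triples for an alert raised at the
    given ISO 8601 local time, e.g. '2007-03-27T10:00'."""
    when = datetime.fromisoformat(when_iso)
    return [(u.name, *channel_for(u, when)) for u in expand(recipients)]


def sample_directory() -> dict:
    """Constructed users and one group; not real contact data."""
    alice = User("alice", "alice@example.com", "35699001122", WorkingHours("09:00", "17:00"))
    bob = User("bob", "bob@example.com", "", WorkingHours("22:00", "06:00"))   # night shift, no mobile
    carol = User("carol", "carol@example.com", "35699005566",
                 WorkingHours("09:00", "17:00", range(0, 7)))                  # seven-day rota
    return {"alice": alice, "bob": bob, "carol": carol, "ops": Group("Ops", (alice, bob))}


if __name__ == "__main__":
    d = sample_directory()
    for when in ("2007-03-27T10:00", "2007-03-27T23:00", "2007-03-31T10:00"):
        print(when, route_alert([d["ops"], d["carol"]], when))
```

The overnight case is the one most often got wrong: an alert at 02:00 on Saturday still falls inside a Monday-to-Friday 22:00 to 06:00 shift, because that shift began on Friday, while 02:00 on Sunday does not. Listing a user both directly and through a group produces one notification, not two.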
Creating a new user
To create a new user:
1. Click on the Configuration option.
2. Select Options from the secondary option bar.
3. Expand the Users and Groups node, right-click on the Users subnode and select Create user…
4. Configure user properties. For more information refer to the
‘Configuring GFI EventsManager administrator account’ section in the
‘Getting Started’ chapter.
Changing user properties
To edit user properties:
1. From the left pane, click on the Users node.
2. Right-click on the user to edit and select Properties.
3. Make the required changes and click OK to finalize your settings.
Deleting users
To delete a user:
1. From the left pane, click on the Users node.
2. From the right viewer pane, right-click on the user to be deleted and
select Delete.
Configuring groups
Screenshot 113 - Groups configuration screen
To create a new group:
1. Click on the Configuration option.
2. Select Options from the secondary option bar.
3. Expand the Users and Groups node, right-click on the Groups
sub-node and select Create group…
Screenshot 114 - New groups setup
4. Specify the name of the new group.
5. Click Add to start adding users to the group.
6. Click OK to finalize your settings.
Changing user group properties
To edit the settings of a user group do as follows:
1. From the left pane, click on the Groups node.
2. From the right pane, right-click on the group to be configured and
select Properties.
3. Perform the required changes and click OK to finalize your settings.
Deleting user groups
To delete a user group:
1. From the left pane, click on the Groups node.
2. From the right viewer pane, right-click on the group to be deleted
and select Delete.
Miscellaneous
Command Line operations
GFI EventsManager provides you with three command line tools through
which you can perform data export and import functions. These three
tools are:
• Exportdata.exe: Exports data from an ESM 7.1 database using the
  database operations engine.
• Importdata.exe: Imports data into an ESM 7.1 database using the
  database operations engine.
• Importsettings.exe: Imports configuration from a data folder or from
  a configuration export file (.esmbkp); it is used mostly by the
  installer when preserving an existing configuration.
Exportdata.exe
Use this tool to export data from the GFI EventsManager database to a
binary file.
Usage:
exportdata.exe <parameters list>
Parameters:
/folder:<path and foldername>
    Mandatory. Defines the folder where the data file will be stored.
/period:<number of hours>
    Optional. Exports events older than the specified number of hours.
    Default = 7 days (168 hours).
/password:<file password>
    Optional. Sets an encryption password for the exported file.
/delete
    Optional. Deletes the events from the database after they have been
    exported.
/movetodb:<database name>
    Optional. Moves the events to another database on the same server.
    If no name is specified, the backup database is used.
NOTE: Any parameter that contains spaces must be enclosed in double
quotes (").
Example:
exportdata.exe /folder:c:\exportfiles /period:240 /password:aip112sK
This exports data with the following details:
• To a folder called exportfiles, located at c:\
• Data older than 10 days (240 hours)
• Encrypted using the password aip112sK
NOTE: Passwords passed on the command line (/password here, and /dbpass
for importdata.exe) are visible to other users of the machine in
process listings and may be retained in command history. Run these
tools from an account and host you control, and clear the history
afterwards.
Importdata.exe
Use this tool to import data from binary files into the GFI
EventsManager database.
Usage:
importdata.exe <parameters list>
Parameters:
/folder:<path and foldername>
    Mandatory. Defines the folder that contains the data files to
    import.
/password:<file password>
    Optional. Defines the password used to decode the files; if not
    specified, no password is used.
/dbserver:<database server location>
    Optional. Defines the database server hosting the destination
    database. If not specified, the database details configured in GFI
    EventsManager are used.
/dbname:<database name>
    Optional. Defines the destination database name. If not specified,
    the database name configured in GFI EventsManager is used.
/dbuser:<username>
    Optional. Defines the SQL login used to connect to the database. If
    not specified, Windows authentication is used.
/dbpass:<password>
    Optional. Defines the password used to connect to the destination
    server/database. If none is specified, the password is ignored.
NOTE: Any parameter that contains spaces must be enclosed in double
quotes (").
Example:
importdata.exe /folder:c:\exportfiles /password:aip112sK
/dbserver:192.168.3.55 /dbname:mainesmdb /dbuser:sa /dbpass:sapwd
This imports data with the following details:
• From a folder called exportfiles, located at c:\
• Decrypted using the password aip112sK
• Saved to the database mainesmdb on the server with IP address
  192.168.3.55, using the SQL login sa with password sapwd
The example uses the SQL Server sa account for brevity. In production,
use a dedicated SQL login that has rights on the destination database
only, or leave /dbuser and /dbpass out so that Windows authentication is
used.
Importsettings.exe
Use this tool to import GFI EventsManager configurations that were
previously exported.
Usage:
importsettings.exe <parameters list>
Parameters:
/operation:<operation>
    Mandatory. Defines the operation to perform, either importfolder or
    importfile.
/destination:<destination path>
    Optional. Defines the destination folder where the configuration
    will be imported.
/Sourcefile:<filename>
    Optional. Defines the name of the file that contains the exported
    GFI EventsManager configuration (used with importfile).
/Sourcefolder:<folder name/path>
    Optional. Defines the name of the folder that contains the exported
    GFI EventsManager configuration (used with importfolder).
NOTE: Any parameter that contains spaces must be enclosed in double
quotes (").
Example:
importsettings.exe /operation:importfolder /destination:c:\esm\data
/sourcefolder:c:\esm\old
This imports the configuration with the following details:
• Operation is importfolder
• The configuration in folder c:\esm\old is imported to c:\esm\data
Customizing Unique Identifiers
GFI EventsManager 7.1 enables you to customize the unique identifiers of
a GFI EventsManager installation. This enables you to import the same
configuration into separate installations without incurring duplicate
GFI EventsManager instance IDs. Please refer to the 'Configuring
database operations' section in the 'Database Operations' chapter
earlier in this manual for more information on this feature.
To configure new GFI EventsManager unique identifiers, add the
following option to the command line options of importdata.exe:
/id:<new_id>
    Optional. Defines the new ESM instance ID set after importing the
    configuration. Use this parameter only if you want to change the
    ESM instance ID; if no value is specified, the existing ESM instance
    ID is preserved.
Licensing
To check your licensing details:
1. Click on the General option in the primary options bar.
2. From the left pane, click on the Licensing option. Licensing details
will be displayed in the right pane of the management console.
Entering License Key after installation
To enter your license key after installation:
1. Click the General option in the primary options bar.
2. From the left pane, right-click on the Licensing option and select
Edit license key…
Screenshot 115 - Update license key
3. Specify your license key details.
4. Click OK to finalize your settings.
Version information
To check your version information details:
1. Click the General option in the primary options bar.
2. Click the Version Information option. The version information
details will be displayed in the right pane.
Screenshot 116 - Version Information screen
Checking for newer builds
To check for newer builds of GFI EventsManager:
1. Click the General option in the primary options bar.
2. From the left pane, right-click on the Version Information option
and select Check for newer builds…
Troubleshooting
Introduction
The troubleshooting chapter explains how you should go about resolving
issues you have. The main sources of information available to users
are:
• The manual – most issues can be solved by reading the manual.
• The GFI Knowledge Base – accessible from the GFI website.
• The GFI technical support site.
• Contacting the GFI technical support team by email at
  [email protected].
• Contacting the GFI technical support team using our live support
  service at http://support.gfi.com/livesupport.asp.
• Contacting our technical support team by telephone.
Knowledge Base
GFI maintains a Knowledge Base, which includes answers to the most
common problems. If you have a problem, please consult the Knowledge
Base first. The Knowledge Base always has the most up-to-date listing of
support questions and patches.
The Knowledge Base can be found at http://kbase.gfi.com/.
Request technical support via email
If, after using the Knowledge Base and this manual, you have any
problems that you cannot solve, you can contact the GFI technical
support team. The best way to do this is via email, since you can
include vital information as an attachment that will enable us to solve
the issues you have more quickly.
The Troubleshooter, included in the program group, automatically
generates a series of files needed for GFI to give you technical
support. The files would include the configuration settings, debugging
log files and so on. To generate these files, start the troubleshooter
wizard and follow the instructions in the application.
In addition to collecting all the information, you will be asked a number
of questions. Please take your time to answer these questions
accurately. Without the proper information, it will not be possible to
diagnose your problem.
Then open the troubleshooter\support folder, located under the main
program directory, compress the files in ZIP format, and send the
generated ZIP file to [email protected].
Ensure that you have registered your product on our website first, at
http://customers.gfi.com/.
We will answer your query within 24 hours or less, depending on your
time zone.
Request technical support via web chat
You may also request technical support via ‘Live Support (web chat)’.
You can contact the GFI technical support department using our Live
Support service at http://support.gfi.com/livesupport.asp
Ensure that you have registered your product on our website first, at:
http://customers.gfi.com/.
Request technical support via phone
You can also contact GFI by phone for technical support. Please
check our website for the correct numbers to call, depending on where
you are located, and for our opening times.
Technical support website:
http://support.gfi.com/.
Ensure that you have registered your product on our website first, at
http://customers.gfi.com/.
Web Forum
User to user technical support is available via the web forum. The
forum can be found at:
http://forums.gfi.com/.
Build notifications
We strongly suggest that you subscribe to our build notifications list.
This way, you will be immediately notified about new product builds.
To subscribe to our build notifications, go to:
http://support.gfi.com/.
Appendix 1 – SMS Settings
Global settings for SMS/pager alerts
NOTE: This section is only applicable for advanced users. We cannot
guarantee that GFI EventsManager will work with any SMS provider.
Before attempting any such configuration, ensure that you have
obtained the correct information from your SMS service provider.
Screenshot 117 - SMS Alerts dialog
Out of the box, GFI EventsManager can relay SMS alerts through the:
• In-built GSM SMS Server
• GFI FAXmaker SMS service provider template
• Clickatell Email2SMS Service
• Generic SMS service provider templates.
In-built GSM SMS Server
Figure 7 - SMS alert flow via the in-built GSM Server
The in-built GSM SMS Server allows GFI EventsManager to directly
send SMS (text) messages through a GSM phone or GSM modem,
connected to the computer by serial cable, Infrared or Bluetooth.
Screenshot 118 – The in-built GSM SMS Server properties
Requirements
1. A GSM modem or GSM phone that is capable of processing AT+C
commands. This GSM device must be connected to the server
running GFI EventsManager.
2. Subscription to an SMSC provider.
Configuring the In-built GSM SMS Server
To configure the In-built GSM SMS Server:
1. Right-click on the Alerting Options node and select Properties.
2. Click on the SMS tab and from the SMS System dropdown, select
‘In-built GSM SMS Server’.
Screenshot 119 - Edit Property dialog
3. Double-click on the property which you want to configure (e.g.,
Service Center Number) and specify the necessary parameters in the
‘Edit Property’ dialog.
NOTE: When configuring properties, always specify the details
supplied to you by your SMSC provider. If configuration parameters
are not available, ask your provider to supply you with the required
information.
The In-built GSM SMS Server requires the following parameters:
• Service Center Number – Specify the number of your provider's SMS
  service center (SMSC). This number is supplied by the SMS service
  provider.
• COM port – Select the COM port to which the GSM device (i.e.
  phone/modem) is connected.
• Baud Rate – Specify the speed at which the communication will take
  place. Always specify the speed recommended by your SMSC provider.
• Initialization String – (Optional) If required, specify any AT
  commands that you wish to send to your modem.
NOTE: The initialization string is a set of modem AT commands combined
into one string (e.g. AT &F &C1 &D2). For a complete list of AT
commands, visit http://www.modems.com/general/extendat.html.
4. In the 'Retries' entry box, specify the number of times that the
In-built GSM SMS Server will try to send an SMS alert should the first
attempt fail.
5. Click on OK to finalize your settings.
GFI FAXmaker SMS service provider template
Figure 8 - SMS alert flow via GFI FAXmaker SMS service provider
The GFI FAXmaker SMS Service allows GFI EventsManager to send SMS
messages through GFI FAXmaker, market-leading fax server software that
allows you to send and receive faxes via your email infrastructure. GFI
FAXmaker is also an SMS gateway which allows you to send SMS messages
through:
• A GSM phone / modem connected to your fax server, or
• Web-based SMS service providers.
For more information on GFI FAXmaker, visit
http://www.gfi.com/faxmaker/.
Whenever an event triggers an SMS alert, GFI EventsManager sends
a ’template’ email (via SMTP) to the fax server (i.e. GFI FAXmaker).
This template email contains all the SMS alert details including the
SMS text message and the recipient’s number. GFI FAXmaker then
converts this email to SMS and sends it to the intended recipient.
Screenshot 120 - FAXmaker SMS service configuration dialog
Requirements
In order to use the FAXmaker SMS service, you must have:
1. GFI FAXmaker installed and configured for SMS messaging. For
more information on how to configure the SMS gateway on GFI
FAXmaker refer to ‘The SMS Gateway’ chapter of the GFI FAXmaker
manual. You can download the GFI FAXmaker manual from
http://www.gfi.com/downloads/downloads.aspx?pid=FAX&lid=en.
2. A supported GSM phone/modem connected to the GFI FAXmaker
fax server computer or a subscription to a supported web-based SMS
provider.
Configuring the FAXmaker SMS service
To configure the FAXmaker SMS Service:
1. Right-click on the Alerting Options node and select Properties.
2. Click on the SMS tab and from the SMS System drop-down, select
'FAXmaker SMS Service provider template'.
3. Double-click on the property which you want to configure (e.g. SMTP
server) and specify the relevant parameters in the 'Edit Property'
dialog.
The FAXmaker SMS Service requires the following parameters:
• SMTP server – Specify the name of the SMTP server through which GFI
  EventsManager will send the template email to GFI FAXmaker.
• SMTP port – Specify the SMTP port through which the transmission will
  take place. By default this parameter is set to 25 (i.e. the default
  SMTP port).
• From – Specify the account from which the template email will be
  sent. Format this parameter as follows: <name>@<mydomain.com>
• To – (Leave as default) This is the email address on which GFI
  FAXmaker receives the template emails to be converted to SMS (i.e.
  [smsnumber]@smsmaker.com). This parameter includes the variable
  [smsnumber], which is substituted with the number of the SMS
  recipient when the template email is generated. For example, if an
  SMS must be sent to a recipient with number 88885555, the email is
  sent to 88885555@smsmaker.com. GFI FAXmaker then sends the SMS to
  the number specified in the email address.
• Subject* – (Optional parameter) Specify the text which you want to
  include in the template email's subject field.
4. In the 'Retries' entry box, specify the number of times that the
FAXmaker SMS service will try to send an SMS alert should the first
attempt fail.
5. Click on OK to finalize your settings.
Clickatell Email2SMS Service
Figure 9 - SMS alert flow via a Clickatell Email to SMS service
The Clickatell Email2SMS Service allows GFI EventsManager to relay SMS
(text) alerts via Clickatell, a web-based SMS service which sends SMS
messages worldwide.
Whenever an event triggers an SMS alert, GFI EventsManager sends a
'template' email (via SMTP) to Clickatell's SMS gateway. This template
email contains all the required SMS alert details including the SMS
text message and the recipient's number. Clickatell then converts this
email to SMS and sends it to the intended recipient. For more
information, visit
http://www.clickatell.com/brochure/products/api_smtp.php.
Screenshot 121 - Clickatell Email2SMS Service configuration dialog
Requirements
No specific hardware is required for this SMS messaging method. The
only requirements are:
1. You must be subscribed to the Clickatell SMS gateway service. To
subscribe visit:
http://www.clickatell.com/central/campaigns/redir.php?cid=870.
2. The SMTP server configured in the properties of the Clickatell
Email2SMS service must be able to send emails over the Internet.
NOTE: GFI EventsManager cannot send SMS alerts through Clickatell
Email2SMS Service if no Internet connection is available or when your
Internet connection is down.
Configuring the Clickatell Email2SMS Service
To configure the Clickatell Email2SMS Service:
1. Right-click on the Alerting Options node and select Properties.
2. Click on the SMS tab and from the SMS System dropdown, select
‘Clickatell Email2SMS Service’.
3. Double-click on the property which you want to configure (e.g. SMTP
server) and specify the relevant parameters in the 'Edit Property'
dialog.
NOTE: When configuring properties, always specify the details
supplied to you by Clickatell. If configuration parameters are not
available, ask Clickatell to provide you with the required information.
The Clickatell Email2SMS Service requires the following parameters:
• SMTP server – Specify the name of the SMTP server through which GFI
  EventsManager will send the email to the SMS gateway.
• SMTP port – Specify the SMTP port through which the transmission will
  take place. By default this parameter is set to 25 (i.e. the default
  SMTP port).
• From – Specify the account from which the email will be sent. For
  example, you can specify the email address used by GFI EventsManager
  for generic alerts.
• To – Specify the email address of the Clickatell SMS gateway (i.e.
  the address where GFI EventsManager will send emails for conversion
  to SMS). This address is provided by Clickatell (i.e. by the SMS
  gateway provider). By default, this property is set to
  [email protected].
  NOTE: Leave this property as default, unless otherwise specified by
  Clickatell.
• CC* – (Optional parameter) Specify the email address to which you
  wish to forward copies of the emails sent to the web-based SMS
  gateway.
• Subject* – (Optional parameter) Specify the text which you want to
  include in the email's subject field.
• Body line 1 – Specify the API ID (e.g. api_id:124576). The API ID is
  an identification number supplied to you by Clickatell after you
  subscribe to the service. Format this parameter as follows:
  api_id:<API ID No>.
  NOTE: If you don't know your API ID, ask Clickatell to supply you
  with this information.
• Body line 2 – Specify your Clickatell SMS gateway user name (e.g.
  user:JasonM). Format this parameter as follows: user:<user name>
  NOTE: If you don't know your user name, ask Clickatell to supply you
  with this information.
• Body line 3 – Specify your Clickatell SMS gateway password (e.g.
  password:abcde). Format this parameter as follows:
  password:<password text>
  NOTE: If you don't know your password, ask Clickatell to supply you
  with this information.
• Body line 4 – (Leave as default). This property contains the number
  of the SMS recipient (i.e. the number to which the SMS will be sent).
  This number is automatically passed on by GFI EventsManager through
  the variable [smsnumber], which is substituted with text when the
  template email is generated. The contents of this property are
  formatted as follows: to:[smsnumber]
• Body line 5 – (Leave as default). This property contains the text
  which must be included in the SMS. These contents are automatically
  passed on by GFI EventsManager through the variable [smsmessage],
  which is substituted with text when the email is generated. The
  contents of this property are formatted as follows: text:[smsmessage].
4. In the ‘Retries’ entry box, specify the number of times that GFI
EventsManager will try to send the email to the web-based email to
SMS provider should the first attempt fail.
5. Click on ‘OK’ to save your configuration settings.
Generic SMS service provider template
Figure 10 - SMS alert flow via a web-based Email to SMS service provider
GFI EventsManager can relay SMS (text) alerts via a web-based SMS
gateway.
Whenever an event triggers an SMS alert, GFI EventsManager will
send a ’template’ email (via SMTP) to a web-based SMS gateway.
This ‘template’ email contains all the required SMS alert details
including the SMS text message and the recipient’s number. The SMS
gateway then converts this email to SMS and sends it to the intended
recipient.
NOTE: This template can be customized allowing you to use any
provider which supports email to SMS services.
Screenshot 122 - Generic SMS service configuration dialog
Requirements
No specific hardware is required for this SMS messaging method. The
only true requirements are:
1. You must be subscribed to an SMS gateway service.
2. The SMTP server configured in the properties of the Generic SMS
service must be able to send emails over the Internet.
NOTE: GFI EventsManager cannot send SMS alerts through the
Generic SMS service if no Internet connection is available or when
your Internet connection is down.
Configuring the Generic SMS service provider template
To configure the Generic SMS service:
1. Right-click on the Alerting Options node and select Properties.
2. Click on the SMS tab and from the SMS System dropdown, select
‘Generic SMS service provider template’.
3. Double-click on the property which you want to configure (e.g. SMTP
server) and specify the relevant parameters in the 'Edit Property'
dialog.
NOTE: When configuring properties, always specify the details
supplied to you by your SMS gateway provider.
The Generic SMS service requires the following parameters:
• SMTP server – Specify the name of the SMTP server through which GFI
  EventsManager will send the email to the SMS gateway.
• SMTP port – Specify the SMTP port through which the transmission will
  take place. By default this parameter is set to 25 (i.e. the default
  SMTP port).
• From – Specify the account from which the email will be sent. You can
  specify the email address configured in GFI EventsManager for generic
  alerts.
• To – Specify the email address of your SMS gateway provider (i.e. the
  address where GFI EventsManager will send emails for conversion to
  SMS). This address is supplied by the SMS gateway provider and must
  be formatted as follows: <email>@<emailtosmsprovider.com>. E.g.
  [email protected].
  NOTE: If you don't know the email address of your SMS gateway, ask
  your SMS gateway provider to provide this information.
• CC* – (Optional parameter) Specify the email address to which you
  wish to forward copies of the emails sent to the SMS gateway.
• Subject* – (Optional parameter) Specify the text which you want to
  include in the email's subject field.
• Body line 1 – Specify the API ID which has been assigned to you by
  your SMS gateway provider. This parameter is required by the SMS
  gateway for authentication purposes. Format this parameter as
  follows: api_id:<API ID No>. E.g. api_id:124576.
  NOTE: If you don't know your API ID, ask your SMS gateway provider to
  supply you with this information.
• Body line 2 – Specify your SMS gateway user name (e.g. user:JasonM).
  Format this entry as follows: user:<user name>.
  NOTE: If you don't know your SMS gateway user name, ask your SMS
  gateway provider to supply you with this information.
• Body line 3 – Specify your SMS gateway password (e.g.
  password:abcde). Format this entry as follows:
  password:<password text>.
  NOTE: If you don't know your SMS gateway password, ask your SMS
  gateway provider to provide this information.
• Body line 4 – (Leave as default). This property contains the number
  of the SMS recipient (i.e. the number to which the SMS will be sent).
  This value is automatically passed on by GFI EventsManager through
  the variable [smsnumber], which is substituted with text when the
  email is generated. The contents of this property are formatted as
  follows: to:[smsnumber]
• Body line 5 – (Leave as default). This property contains the text
  which must be included in the SMS. These contents are automatically
  passed on by GFI EventsManager through the variable [smsmessage],
  which is substituted with text when the email is generated. The
  contents of this property are formatted as follows: text:[smsmessage].
4. In the ‘Retries’ entry box, specify the number of times that GFI
EventsManager will try to send the email to the web-based email to
SMS provider should the first attempt fail.
5. Click on OK to finalize your settings.
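The three email-based templates above (FAXmaker, Clickatell Email2SMS and Generic) all work the same way: GFI EventsManager substitutes [smsnumber] and [smsmessage] into a template email and hands it to the configured SMTP server. The following Python example, added here and not GFI code, builds such a template email for both the FAXmaker style (recipient number in the To address) and the Clickatell/Generic style (gateway credentials and recipient in the body lines). The sender address, the gateway address and the credentials are constructed placeholders; the whitespace collapsing, the digits-only check on the number and the 160-character trim are this example's own safeguards, not documented product behaviour.

```python
"""Added example, not GFI code: builds the 'template' email that the
FAXmaker, Clickatell and Generic SMS service provider templates describe,
substituting [smsnumber] and [smsmessage] into the To address and the
body lines, and returning the message that would be handed to the SMTP
server. Gateway addresses, credentials and the sender address are
constructed placeholders; the Clickatell body line format (api_id:, user:,
password:, to:, text:) is the one the manual documents."""
from email.message import EmailMessage
from email.policy import SMTP

GSM_SINGLE_SEGMENT = 160   # characters in one 7-bit GSM SMS segment

# FAXmaker routes on the To address; the body carries the text (assumed).
FAXMAKER_TEMPLATE = {
    "from": "esm-alerts@example.com",
    "to": "[smsnumber]@smsmaker.com",
    "subject": "GFI EventsManager alert",
    "body": ["[smsmessage]"],
}

# Clickatell/Generic: fixed gateway address; credentials and recipient in the body.
CLICKATELL_TEMPLATE = {
    "from": "esm-alerts@example.com",
    "to": "sms@gateway.example",            # constructed; Clickatell supplies the real one
    "cc": "",
    "subject": "",
    "body": ["api_id:124576", "user:JasonM", "password:abcde",
             "to:[smsnumber]", "text:[smsmessage]"],
}


def render(template_text: str, number: str, text: str) -> str:
    """Substitute the two variables the manual defines."""
    return template_text.replace("[smsnumber]", number).replace("[smsmessage]", text)


def is_valid_number(number: str) -> bool:
    """Digits only: the number is spliced into an address or a body field,
    so spaces, '+' or separators would corrupt the template."""
    return number.isdigit()


def prepare_text(text: str, max_len: int = GSM_SINGLE_SEGMENT) -> str:
    """The body is one key:value pair per line, so a multi-line event
    description would push part of the message onto lines the gateway does
    not understand: collapse whitespace, then trim to one SMS segment."""
    flat = " ".join(text.split())
    if len(flat) > max_len:
        flat = flat[: max_len - 3] + "..."
    return flat


def build_sms_email(template: dict, number: str, text: str) -> EmailMessage:
    """Return the template email for one SMS alert."""
    if not is_valid_number(number):
        raise ValueError("recipient number must contain digits only")
    text = prepare_text(text)
    msg = EmailMessage(policy=SMTP)
    msg["From"] = template["from"]
    msg["To"] = render(template["to"], number, text)
    if template.get("cc"):
        msg["Cc"] = template["cc"]
    if template.get("subject"):
        msg["Subject"] = render(template["subject"], number, text)
    msg.set_content("\n".join(render(line, number, text) for line in template["body"]))
    return msg


def body_lines(msg: EmailMessage) -> list:
    """Body of a built template email, one entry per line."""
    return msg.get_content().splitlines()


if __name__ == "__main__":
    m = build_sms_email(CLICKATELL_TEMPLATE, "88885555",
                        "Rule 'Repeated failed logons' fired on SRV01\nuser CORP\\jsmith")
    print(m.as_string())
```

Note that with the Clickatell and Generic templates the gateway user name and password travel in the body of an ordinary email, so the SMTP path between the GFI EventsManager server and the gateway should be one you trust, and the CC address should not deliver copies of these credentials to a general mailbox.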
Appendix 2: Configuring Windows
Introduction
In this appendix, you will learn how to:
•
Enable and configure your Windows security event auditing level
using Audit Policies.
•
Start the Remote Registry service.
Both Windows security auditing and Remote Registry services are
required by GFI EventsManager to effectively manage windows event
logs.
Remote Registry service
The Remote Registry service is required by GFI EventsManager to remotely
connect to the event sources and perform event log auditing and
collection. By default, the Remote Registry service is installed as part
of the operating system on all computers running Windows NT/2000/XP and
2003. Because the service exposes the registry of the event source over
the network, restrict access to it (for example, with host firewall
rules) to the GFI EventsManager server and other management hosts.
Screenshot 123 - Scanning Monitor: Error Messages pane
If this service is not enabled, the error message shown above is
displayed in the Job Activity view > 'Operational History' section of
the GFI EventsManager Status Monitor. For more information on how to
access the Status Monitor refer to the 'Status monitoring' chapter.
Windows Audit Policy
Windows security logs can be configured to record server events as
well as directory or file access events. Events that can be recorded
include valid and invalid logon attempts, as well as events related to
the use of system resources such as creating, opening, or deleting
files.
Screenshot 124 - Audit Policy node: Audit policy configuration options
In order for GFI EventsManager to effectively perform security event
log auditing, you must first enable security event auditing on your
Windows operating system otherwise no events will be recorded in the
Windows Security Log and therefore GFI EventsManager will have no
logs to process. Security event auditing is enabled and configured
through the Microsoft Management Console (MMC) via the Audit
Policy node.
NOTE: GFI EventsManager will not generate any error if security
event auditing is not enabled.
Enabling the Remote Registry service
To enable the Remote Registry service:
1. Click on Start > Run and type in 'Services.msc'. This will bring up
the 'Services' dialog.
Screenshot 125 - Services properties dialog
2. Navigate the list of services until you find the 'Remote Registry'
service. Right-click on the service and select Properties.
Screenshot 126 - Remote Registry Properties dialog
3. From the General tab, which opens by default, select Automatic from
the 'Startup type' drop-down and click Start.
4. Click OK to save your settings and close the dialog.
Enabling Windows security auditing
NOTE: To audit access to files and folders in Windows 2000, you must
use the Group Policy snap-in to enable the Audit Object Access setting
in the Audit Policy. Failing to do so results in an error message
displayed while setting up the file and folder configuration settings.
For more information on how to create/install Group Policy snap-ins,
refer to the 'How to install Group Policy Snap-ins' section in this
Appendix.
To enable local Windows security auditing:
1. Log on to Windows with an account that has Administrator rights.
2. Ensure that the Group Policy snap-in is installed.
3. Navigate to the Administrative Tools window (Start > Settings >
Control Panel > Administrative Tools).
Screenshot 127 - Local Security Settings MMC snap-in
4. Double-click on the Local Security Policy icon to bring up the
Local Security Settings MMC snap-in.
5. Expand the Local Policies node and then double-click Audit
Policy node.
6. From the right pane, double-click the policy that you want to
configure (enable/disable). This will bring up the ‘Audit system events
properties’ dialog.
Screenshot 128 - Audit system events properties dialog
7. Select the Define these policy settings option and configure the
type of audit required (i.e. on Successful or failed attempts).
For more information on Windows security auditing settings visit
http://support.microsoft.com/?kbid=300549
How to install Group Policy snap-ins
To use the auditing features in Windows 2000, you need to install the
Group Policy snap-in. This snap-in is not included in the Computer
Management console, and therefore you need to create a new console for
the Group Policy snap-in. For more information about adding MMC
snap-ins, see the Windows 2000 documentation.
To create a new MMC console and add the Group Policy snap-in:
1. Click on Start > Run and type in ‘mmc’. This will bring up the new MMC configuration console.
2. From the console’s pull-down menu, click on File and select
Add/Remove Snap-in.
3. From the ‘Add/Remove Snap-in’ dialog box which opens up, click
on the Add button.
Screenshot 129 - List of available snap-ins
4. From the provided list of snap-ins, select Group Policy Object
Editor from the list of available snap-ins and click Add.
5. In the Select Group Policy Object dialog box, click on Browse to
locate the computer you want to audit.
Screenshot 130 – Browse for a Group Policy Object dialog: Computers Tab
6. From the ‘Browse for a Group Policy Object’ dialog, click the
Computers tab, click Another computer, select the computer that you
want to audit and click OK.
7. Click Finish to finalize your settings.
8. Close the ‘Add Standalone Snap-in’ dialog and click OK.
9. Click on File > Save to save the new console to your hard disk. Use this new console to configure the auditing features.
Appendix 3: Installing SQL Server Express Edition
Introduction
In this appendix we will go through the steps required to install
Microsoft SQL Server 2005 Express Edition.
Software requirements
The computer on which SQL Server Express Edition will be installed must have the following software installed:
• Windows Installer 3.1
• .NET framework 2.0
Installation steps
The following steps are required to install SQL Server Express Edition:
Screenshot 131 – Downloading SQL Server Express edition
1. Download SQL Server Express edition from http://go.microsoft.com/fwlink/?LinkId=65109.
2. After successfully downloading the installation file, double-click on
SQLEXPR_ADV.exe.
3. Read the end-user licensing agreement and click Agree to proceed
with the installation.
Screenshot 132 - Installation Requirements
4. Click on the Install button to start SQL Server installation.
Screenshot 133 – System Configuration Check
5. The installer will now analyze your system and generate a list of your current configuration settings. Verify that all settings are correct and, if necessary, act on any errors included in the list. Click Next to continue.
Screenshot 134 – Registration details
6. Specify your personalized registration details in the provided fields.
Unselect the option Hide advanced configuration options and click
Next.
Screenshot 135 – Feature Selection
7. Select the features that you wish to install and click Next.
Screenshot 136 – Select Instance
8. Select the default instance option and click Next.
Screenshot 137 – Configure Service Account
9. Provide the service account details and click Next.
10. Select the authentication mode to be used and click Next.
Screenshot 138 - Collation Settings
11. Select the desired collation settings and click Next.
12. Specify whether you want to enable user instances or not and click
Next.
Screenshot 139 - Error and Usage Report Settings
13. Select the desired Error and Usage Report settings and click Next.
14. Click Finish to finalize the installation.
Tutorial 1 – Configuring basic options through Quick Start Dialog
Overview
In this tutorial we will be demonstrating how to configure the key
parameters required by GFI EventsManager at first startup. These
settings will be performed through the Quick Start Dialog which is
automatically launched the first time that GFI EventsManager is
started.
The scope of this example extends from the configuration of the
events database settings, to the configuration of the default alerting
options and administrator account.
This tutorial is divided into 3 parts:
• In part 1 you will learn how to configure the GFI EventsManager database backend.
• In part 2 you will learn how to configure the default alerting options.
• In part 3 you will learn how to configure the GFI EventsManager administrator account.
Parameters
The parameters that will be used in this tutorial are listed below:
Part 1: Configure the events database:
• Server: SQLServer01
• Database: EventsManager
• Use SQL authentication
• User: John Doe
• Password: pass1234.
Part 2. Configure the default alerting options:
• Hostname/IP: 192.168.0.3
• Port: 25
• Username: johndoe
• Password: pass3344
• Sender (Email): [email protected]
• Sender (Display Name): John Doe.
Part 3. Configure the administration account:
• User: John Doe
• Description: EventsManager Administrator
• Email: [email protected]
• Mobile number: +12155599877
• Computer: 192.168.0.6, 192.168.0.15
• Working Days: Monday to Friday
• Working Hours: From 09h to 19h
• Email notifications: During and outside of working hours.
• Network message alerts: During and outside of working hours.
• SMS alerts: During and outside of working hours.
• Member of: EventsManagerAdministrators.
Part 1: Configuring GFI EventsManager database backend
Screenshot 140 - Quick Start Dialog Box
1. From the Quick Start Dialog box select the Configure events
database option.
Screenshot 141 - Setting up database
2. Specify the following details:
Server: MSSQLServer
Database: EventsManager
Use SQL Server authorization
User: johndoe
Password: pass1234
4. Click OK to finalize your settings.
Part 2: Configuring default alerting options
1. From the Quick Start Dialog box select the Configure Alerting
Options.
Screenshot 142 – Configuring alerting options: Mail server setup
2. In the Email tab which opens by default click the Add… button.
3. In the Mailserver Properties dialog box specify the following mail
server settings:
Hostname/IP: 192.168.0.3
Port: 25
Username: johndoe
Password: pass3344
Sender (Email): [email protected]
Sender (Display Name): John Doe.
4. Click OK to save your email alerts settings and close the Mailserver
properties dialog.
5. Since no network and SMS notifications will be configured in this
tutorial, click OK to finalize your alert configuration settings.
Part 3: Configuring GFI EventsManager administrator account
1. From the Quick Start Dialog box select the Configure
Administrator account option.
Screenshot 143 - Configuring GFI EventsManager Administrator Setup
2. In the General tab which opens by default specify the following
details:
Username: John Doe
Description: EventsManager Administrator
Email: [email protected]
Mobile number: +12155599877
Computers: 192.168.0.6; 192.168.0.15
Screenshot 144 – Configuring administrator working hours
3. Click on the Working Hours tab and specify the following parameters:
Working Days: Monday to Friday
Working Hours: From 09h to 19h
Screenshot 145 - Configuring alerting options
4. Click on the Alerts tab and specify the following alerting
parameters:
Email notifications: During and outside of working hours.
Network message alerts: During and outside of working hours.
SMS alerts: During and outside of working hours.
Screenshot 146 - Adding the user to a user group
5. Click on the Member Of tab and specify to which group the user
belongs.
6. Click OK to finalize your settings.
Tutorial 2 – Configuring event processing parameters
Overview
In this tutorial we will be demonstrating how to configure the event
processing parameters required by GFI EventsManager. The scope of
this example extends from the configuration of the event sources, to
the configuration of the alerts that will be triggered on key events.
By the end of this tutorial you will learn how to configure and start
processing logs using GFI EventsManager.
This tutorial is divided into 3 parts:
• In part 1 you will learn how to configure the computers from which GFI EventsManager will collect logs.
• In part 2 you will learn how to create and configure Windows event processing rules.
• In part 3 you will learn how to configure user properties, alerts and actions.
Parameters
The parameters and conditions that will be used in this tutorial are
listed below:
Part 1: Configuring the event sources.
NOTE: The parameters required in this part are user-specific.
Substitute the domain and server parameters listed below with the
ones that correspond to your network system.
Domain: <MyDomain>
Server: <MyServer>
Part 2: Configuring event processing rules
Parameters for Section 1: Create a new rule-set folder.
• Rule-set Folder Name: New Rules folder
Parameters for Section 2: Create a new rule-set within the new rule-set folder.
• Rule-set Name: Example security rule-set
• Description: This is an example of a windows event rule-set.
• Rule type: Windows Events processing
Parameters for Section 3: Create a new rule within the new rule-set.
• Name: Example security rule
• Description: This is an example of a windows event processing rule.
• Rule type: Windows Events processing
• Logs: Security Events
• Event ID range: 671-681
• Source computers: 192.168.0.11 – 192.168.0.240
• Category: Security event details
• User: Administrator
• Event type: Error
• Rule should apply only during normal working hours
• Use default classification actions.
Part 3: Configuring user properties, alerts and other actions
Parameters for Section 1: Create new users/alert recipients group.
• Group name: GFI EventsManager User Group
• Description: Example GFI EventsManager User Group
Parameters for Section 2: Create new user/alert recipient.
• User name: John Doe
• Description: Demonstration User
• Email: [email protected]
• Mobile Number: 1234567890
• Computers: 192.168.0.55
• Working Days: Monday to Saturday
• Working Hours: From 09h to 19h
• Email notifications: During working hours.
• Network message alerts: None.
• SMS alerts: None.
• Member of: GFI EventsManager User Group
Parameters for Section 3: Setting email alerts for Critical events
• Hostname/IP: 192.168.0.3
• Port: 25
• Username: John Doe
• Password: pass3344
• Sender email: [email protected]
• Sender name: John Doe
• Email notifications: During working hours
• Network message alerts: None
• SMS alerts: None.
Part 1: Configuring log sources
1. Select Configuration from the primary options bar.
2. Select Event Sources from the secondary options bar.
3. Right-click on Servers option from the left pane and select Add
new computer… This will bring up the New Computer Wizard.
Screenshot 147 - Add a new server to pick event logs from
4. Click on the Select button.
5. Select <MyDomain> from the domain drop-down box and click
Search.
6. Select <MyServer> from the provided list of domain computers.
7. Click on OK button to save setup.
Part 2: Creating new event processing rules
In Part 2 we shall be demonstrating how to create new Windows Event Log rules. This part of the tutorial is divided into 3 sections:
Section 1: Create a new rules folder.
Section 2: Create a new rule-set within the new rules folder.
Section 3: Create a new rule within the new rule-set.
Section 1: Create a new rules folder
1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
3. From the left pane, select Windows Event Logs and then click on
the Create folder option.
Screenshot 148 - Creating a new rule folder
4. Name the new folder as New rules folder.
Section 2: Create a new rule-set
1. Right-click on New rules folder node in right pane and select
Create new rule set… option.
Screenshot 149 - Providing Security rule properties
2. Specify the following rule-set properties:
Name: Example Security Rule-set
Description: This is an example of a windows event rule-set.
3. Click OK to finalize your settings.
Section 3: Create a new rule
1. Right-click Example Security Rule node from the left pane. Select
Create new rule… option from the context sensitive menu.
Screenshot 150 - New Processing Rule Wizard: Defining Rule Details
2. Specify the following rule details.
Name: Example security rule.
Description: This is an example of a new security processing rule.
3. Click Next to proceed to the next dialog.
Screenshot 151- New Processing Rule Wizard: Selecting the logs
4. Select Security Events as the log to be processed and click Next
to continue setup.
Screenshot 152 - New Processing Rule Wizard: Setting the conditions
5. Specify the following rule conditions.
Event IDs: 671-681
Source: 192.168.0.11-192.168.0.240
Category: Security Event Details
User: Administrator
Event Type: Error.
6. Click Next to proceed to the next dialog.
Screenshot 153 - New Processing Rule Wizard: Selecting event occurrence and importance
7. Specify the following event occurrence and importance parameters:
The rule applies if the event happens during Normal Operational Time
(N.O.T.)
Classify the event as: High importance event.
8. Click Next button to proceed to the next dialog.
Screenshot 154 - New Processing Rule Wizard: Selecting Actions
9. Select the Use the default classification actions option and click
Next.
10. Click Finish to finalize your settings.
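As an added example (not GFI code), the following Python models the rule configured above and shows which of a few constructed security events it would classify as High importance. The Normal Operational Time values (Monday to Friday, 09h to 19h) are an assumption, since this tutorial does not state them, and the event fields are a constructed approximation of a collected Windows event.

```python
# Added example (not GFI code): evaluates the Tutorial 2 "Example security
# rule" conditions over constructed Windows event records, so you can see
# which events the rule would classify as High importance before enabling it.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address

# Rule conditions, as listed in Part 2, Section 3 of the tutorial.
RULE_LOG = "Security Events"
EVENT_ID_RANGE = range(671, 682)            # 671-681 inclusive
SOURCE_LOW = ip_address("192.168.0.11")     # source computers range
SOURCE_HIGH = ip_address("192.168.0.240")
RULE_USER = "Administrator"
RULE_EVENT_TYPE = "Error"
CLASSIFICATION = "High importance event"

# Normal Operational Time (N.O.T.) is a global setting not given in this
# tutorial; Monday to Friday, 09h to 19h is assumed here.
NOT_DAYS = range(0, 5)                      # Monday=0 ... Friday=4
NOT_START, NOT_END = time(9, 0), time(19, 0)


@dataclass(frozen=True)
class WindowsEvent:
    log: str             # e.g. "Security Events"
    event_id: int
    source: str          # IP address of the computer the event was collected from
    user: str
    event_type: str      # "Error", "Warning", "Information", ...
    timestamp: datetime  # when the event occurred


def in_normal_operational_time(ts: datetime) -> bool:
    """True when ts falls on a working day within working hours."""
    return ts.weekday() in NOT_DAYS and NOT_START <= ts.time() < NOT_END


def source_in_range(source: str) -> bool:
    """Inclusive IPv4 range check; anything unparsable or non-IPv4 fails."""
    try:
        addr = ip_address(source)
    except ValueError:
        return False
    return addr.version == 4 and SOURCE_LOW <= addr <= SOURCE_HIGH


def rule_matches(ev: WindowsEvent) -> bool:
    """Every condition of the rule must hold for it to fire."""
    return (
        ev.log == RULE_LOG
        and ev.event_id in EVENT_ID_RANGE
        and source_in_range(ev.source)
        and ev.user == RULE_USER
        and ev.event_type == RULE_EVENT_TYPE
        and in_normal_operational_time(ev.timestamp)
    )


def classify(events):
    """Map each event to its classification (None when the rule does not fire)."""
    return [CLASSIFICATION if rule_matches(e) else None for e in events]


# Constructed sample events; 2006-12-20 is a Wednesday, 2006-12-23 a Saturday.
BASE = dict(log="Security Events", event_id=675, source="192.168.0.100",
            user="Administrator", event_type="Error",
            timestamp=datetime(2006, 12, 20, 10, 30))
SAMPLE_EVENTS = [
    WindowsEvent(**BASE),                                                   # matches
    WindowsEvent(**{**BASE, "source": "192.168.0.5"}),                     # below source range
    WindowsEvent(**{**BASE, "event_id": 682}),                             # just outside 671-681
    WindowsEvent(**{**BASE, "timestamp": datetime(2006, 12, 23, 10, 30)}), # Saturday
    WindowsEvent(**{**BASE, "timestamp": datetime(2006, 12, 20, 19, 0)}),  # after hours
    WindowsEvent(**{**BASE, "log": "Application Events"}),                 # wrong log
]

if __name__ == "__main__":
    for ev, result in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS)):
        print(f"{ev.event_id:>4} {ev.source:<15} {ev.timestamp:%a %H:%M} -> {result}")
```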
Part 3: Configuring user properties, alerts and other actions
In part 3 we will be demonstrating how to configure the alert recipients, i.e. the users that will be alerted by this rule, as well as the type of alerts that will be generated. This part of the tutorial is divided into 3 sections:
Section 1: Create new users/alert recipients group.
Section 2: Add new alert recipients.
Section 3: Setting email alerts for Critical events.
Section 1: Create new users/alert recipients group
1. Select Configuration from the primary options bar.
2. Select Options from the secondary options bar.
3. From the left pane, right-click on Groups node and select Create
group…
Screenshot 155 - New group user input
4. Specify the following group details:
Group name: GFI EventsManager User Group
Description: Example GFI EventsManager User Group.
5. Click OK to finalize your settings.
Section 2: Add new alert recipient
Screenshot 156 - Create users…
1. From the left pane, right-click on Users node and select Create
user…
Screenshot 157 - New Users general tab
2. Specify all the following user details:
User name: John Doe
Description: Demonstration User
Email: [email protected]
Mobile Number: 1234567890
Computers: 192.168.0.55.
Screenshot 158 - Set working hours
3. Click on the Working Hours tab and configure the working hours
as follows:
Working Days: Monday to Saturday
Working Hours: From 09h to 19h.
Screenshot 159 - Set alerting options
4. Click on the Alerts tab and configure the alerting parameters as
follows:
Email notifications: During working hours.
Network message alerts: None.
SMS alerts: None.
Screenshot 160 - Defining user group membership
5. Click on the Member Of tab.
6. Click Add and double-click GFI EventsManager User Group from
the provided list.
7. Click OK to finalize your settings.
Section 3: Setting email alerts for Critical events
Screenshot 161 - GFI EventsManager: Edit default classification actions
1. From the left pane, right-click on the Default Classification
Actions node and select Edit defaults….
Screenshot 162 - Customizing the default classification actions
2. From the provided drop-down, select Critical events actions.
3. Select the Send email notifications to option from the provided
list.
4. Select GFI EventsManager User Group and click Add. Click on
the OK button to close the dialog.
5. Click OK to finalize your settings.
Tutorial 3 – Event Browsing and Filtering
Overview
In this tutorial we shall be demonstrating how to use the event query
builder to create new event queries. The scope of this example
extends from the creation of new event queries to the use of event
queries to display only the required event data.
Parameters
The parameters used in this tutorial are listed below:
Query Name: Filter events with ID 520
Description: Query that displays events having event ID 520
Event ID: 520.
Create a new event query
1. Select Events Browser from the primary options bar.
2. Select Windows Events Browser from the secondary options bar.
3. From the left pane, right-click on the Security Events option and
select Query builder…. This will bring up the event query builder.
Screenshot 163 - Filter set-up
4. Specify the following query details:
Name: Filter events with ID 520
Description: Query that displays events having event ID 520.
5. Click Add and specify the following query conditions:
Select field operator: Equal To
Enter field value: 520.
6. Click OK to close the dialog.
Screenshot 164 - Filter properties dialog box
7. Click OK to finalize query settings.
Using the new event query
Screenshot 165 - Select new filter
Click on the Query for events with ID 520 to filter all events having
event ID 520.
Tutorial 4 – Database Operations
Overview
In this tutorial we shall be demonstrating how to configure
maintenance jobs on the database backend. The scope of this
example extends from the creation of new jobs, to their scheduling
and execution.
This tutorial is divided into 5 parts:
• In part 1 you will learn how to configure the interval/schedule for executing maintenance jobs.
• In part 2 you will learn how to configure an ‘Export to file’ maintenance job.
• In part 3 you will learn how to configure a ‘Move to database’ maintenance job.
• In part 4 you will learn how to configure a ‘Delete data’ maintenance job.
• In part 5 you will learn how to configure an ‘Import from file’ maintenance job.
Parameters
The parameters and conditions that will be used in this tutorial are
listed below:
Part 1: Configuring the interval/schedule
• Hours: 6:00pm to 9:00am
• Interval: 5 days
• Start date: 12/22/2006
• Start time: 6:00pm
Part 2: ‘Export to file’ maintenance job
NOTE: The ‘Folder’ parameter is user-specific. Substitute the
parameter listed below with one that corresponds to your environment.
• Folder: c:\esm7_export
• Export events older than: 5 days
• Encryption password: pass3344
• Log type: Windows Event Logs
• Logs: Security Events
• Event IDs: 528, 540
• Scheduled job
Part 3: ‘Move to database’ maintenance job
NOTE: The ‘Database Name’ parameter is user-specific. Substitute
the parameter listed below with one that corresponds to your
environment.
• Database Name: EventsManager200612
• Move events older than: 5 days
• Log type: Windows Event Logs
• Logs: Security Events
• Event IDs: 528, 540
• Scheduled job
Part 4: ‘Delete data’ maintenance job
• Database: Main database
• Delete events older than: 5 days
• Log type: Windows Event Logs
• Logs: Security Events
• Event IDs: 528, 540
• Scheduled job
Part 5: ‘Import from file’ maintenance job
NOTE: The ‘Folder’ parameter is user-specific. Substitute the
parameter listed below with one that corresponds to your environment.
• Folder: c:\esm7_export
• Decryption password: pass3344
• Log type: Windows Event Logs
• Logs: Security Events
• Event IDs: 528, 540
• Scheduled job
Part 1: Configuring the interval/schedule
1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select
Options.
3. From the left pane, right-click on the Database Operations node
and select Properties. This will bring up the ‘Database Operations
Options’ dialog.
Screenshot 166 – Specify scheduling options
4. Click on the Schedule tab to specify:
• Hours of the day during which maintenance jobs can be executed: 6:00pm to 9:00am
• Interval: 5 days
• Start date: 12/22/2006
• Start time: 6:00pm
5. Click OK to finalize your settings.
Part 2: ‘Export to file’ maintenance job
In part 2 we shall be demonstrating how to create a new ‘Export to file’
maintenance job, and how to specify the relevant job parameters.
1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select
Options.
3. From the left pane, right-click on the Database Operations node
and select Create new job… This will bring up the ‘New job wizard’.
4. As soon as the welcome dialog is displayed, click on the Next
button to bring up the ‘Job Type’ dialog.
Screenshot 167 - Job Type dialog: ‘Export to file’ maintenance job
5. Select the ‘Export to file’ maintenance job and click Next to proceed
to the configuration dialog.
Screenshot 168 – Export to file parameters
6. Specify the following export parameters:
• Folder: c:\esm7_export
• Export events older than: 5 days
7. Click Next to proceed to the next dialog.
Screenshot 169 – Export to file: encryption password
8. Specify, and confirm, the following parameter:
• Encryption password: pass3344
9. Click Next to proceed to the data filter dialog.
Screenshot 170 – Export to file: log type to process with data filter
10. Specify the following log type parameter to be processed by data
filters:
• Log type: Windows Event Logs
11. Click Filter to bring up the data filter conditions dialog.
Screenshot 171 – Export to file: data filter conditions
12. Specify the following data filter parameters:
• Logs: Security Events
• Event IDs: 528, 540
13. Click OK to finalize your data filter condition settings.
14. Click Next to proceed to the next dialog.
Screenshot 172 – Scheduled job
15. Select Scheduled job and click Finish to finalize the maintenance
job settings.
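As an added example (not GFI code) covering both the schedule configured in Part 1 and the ‘Export to file’ job configured in Part 2, the following Python computes when the maintenance jobs may run and which constructed events the export job would select. The event fields and the way the overnight window and the "older than" cutoff are evaluated are assumptions, not a description of the product's internals.

```python
# Added example (not GFI code): models the Tutorial 4 maintenance schedule
# (Part 1) and the data the 'Export to file' job (Part 2) would select,
# over constructed events.
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Part 1: interval/schedule parameters.
WINDOW_START = time(18, 0)                  # 6:00pm
WINDOW_END = time(9, 0)                     # 9:00am, i.e. the window crosses midnight
INTERVAL = timedelta(days=5)
FIRST_RUN = datetime(2006, 12, 22, 18, 0)   # start date 12/22/2006, start time 6:00pm

# Part 2: 'Export to file' job parameters.
EXPORT_OLDER_THAN = timedelta(days=5)
EXPORT_LOG_TYPE = "Windows Event Logs"
EXPORT_LOG = "Security Events"
EXPORT_EVENT_IDS = {528, 540}


def in_maintenance_window(ts: datetime) -> bool:
    """True when ts lies within the hours maintenance jobs may run.
    A window that crosses midnight is 'after start OR before end',
    not 'between start and end'."""
    t = ts.time()
    if WINDOW_START <= WINDOW_END:
        return WINDOW_START <= t < WINDOW_END
    return t >= WINDOW_START or t < WINDOW_END


def next_run(after: datetime) -> datetime:
    """First scheduled run strictly after 'after', stepping INTERVAL from FIRST_RUN."""
    if after < FIRST_RUN:
        return FIRST_RUN
    steps = (after - FIRST_RUN) // INTERVAL + 1   # timedelta // timedelta -> int
    return FIRST_RUN + steps * INTERVAL


@dataclass(frozen=True)
class StoredEvent:
    log_type: str      # "Windows Event Logs", "Syslog", "W3C logs", ...
    log: str           # "Security Events", "Application Events", ...
    event_id: int
    timestamp: datetime


def select_for_export(events, run_at: datetime):
    """Events the export job would write out if it ran at run_at: the log
    type and data filter must match and the event must be older than
    EXPORT_OLDER_THAN relative to the run time."""
    cutoff = run_at - EXPORT_OLDER_THAN
    return [
        e for e in events
        if e.log_type == EXPORT_LOG_TYPE
        and e.log == EXPORT_LOG
        and e.event_id in EXPORT_EVENT_IDS
        and e.timestamp < cutoff
    ]


# Constructed sample events in the main database (run time is FIRST_RUN,
# so the cutoff is 2006-12-17 18:00).
SAMPLE_EVENTS = [
    StoredEvent("Windows Event Logs", "Security Events", 528, datetime(2006, 12, 10, 8, 0)),
    StoredEvent("Windows Event Logs", "Security Events", 540, datetime(2006, 12, 17, 17, 59)),
    StoredEvent("Windows Event Logs", "Security Events", 540, datetime(2006, 12, 17, 18, 0)),   # exactly 5 days old: not 'older than', stays
    StoredEvent("Windows Event Logs", "Security Events", 528, datetime(2006, 12, 20, 8, 0)),    # too recent
    StoredEvent("Windows Event Logs", "Security Events", 529, datetime(2006, 12, 10, 8, 0)),    # ID not in filter
    StoredEvent("Windows Event Logs", "Application Events", 528, datetime(2006, 12, 10, 8, 0)), # wrong log
    StoredEvent("Syslog", "Security Events", 528, datetime(2006, 12, 10, 8, 0)),                # wrong log type
]

if __name__ == "__main__":
    run = next_run(datetime(2006, 12, 1))
    print("first run:", run, "in window:", in_maintenance_window(run))
    for e in select_for_export(SAMPLE_EVENTS, run):
        print("export:", e)
```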
Part 3: ‘Move to database’ maintenance job
In part 3 we shall be demonstrating how to create a new ‘Move to
database’ maintenance job, and how to specify the relevant job
parameters.
1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select
Options.
3. From the left pane, right-click on the Database Operations node
and select Create new job… This will bring up the ‘New job wizard’.
4. As soon as the welcome dialog is displayed, click on the Next
button to bring up the ‘Job Type’ dialog.
Screenshot 173 - Job Type dialog: ‘Move to database’ maintenance job
5. Select the ‘Move to database’ maintenance job and click Next to
proceed to the configuration dialog.
Screenshot 174 – Move to database parameters
6. Specify the following parameters:
• Database Name: EventsManager200612
• Move events older than: 5 days
7. Click Next to proceed to the data filter dialog.
Screenshot 175 – Move to database: log type to process with data filter
8. Specify the following log type parameter to be processed by data
filters:
• Log type: Windows Event Logs
9. Click Filter to bring up the data filter conditions dialog.
Screenshot 176 – Move to database: data filter conditions
10. Specify the following data filter parameters:
• Logs: Security Events
• Event IDs: 528, 540
11. Click OK to finalize your data filter condition settings.
12. Click Next to proceed to the next dialog.
Screenshot 177 – Scheduled job
13. Select Scheduled job and click Finish to finalize the maintenance
job settings.
Part 4: ‘Delete data’ maintenance job
In part 4 we shall be demonstrating how to create a new ‘Delete data’
maintenance job, and how to specify the relevant job parameters.
1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select
Options.
3. From the left pane, right-click on the Database Operations node
and select Create new job… This will bring up the ‘New job wizard’.
4. As soon as the welcome dialog is displayed, click on the Next
button to bring up the ‘Job Type’ dialog.
Screenshot 178 - Job Type dialog: ‘Delete data’ maintenance job
5. Select the ‘Delete data’ maintenance job and click Next to proceed
to the configuration dialog.
Screenshot 179 – Delete data parameters
6. Specify the following parameters:
• Database: Main database
• Delete events older than: 5 days
7. Click Next to proceed to the data filter dialog.
Screenshot 180 – Delete data: log type to process with data filter
8. Specify the following log type parameter to be processed by data
filters:
• Log type: Windows Event Logs
9. Click Filter to bring up the data filter conditions dialog.
Screenshot 181 – Delete data: data filter conditions
10. Specify the following data filter parameters:
• Logs: Security Events
• Event IDs: 528, 540
11. Click OK to finalize your data filter condition settings.
12. Click Next to proceed to the next dialog.
Screenshot 182 – Scheduled job
13. Select Scheduled job and click Finish to finalize the maintenance
job settings.
Part 5: ‘Import from file’ maintenance job
In part 5 we shall be demonstrating how to create a new ‘Import from
file’ maintenance job, and how to specify the relevant job parameters.
1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select
Options.
3. From the left pane, right-click on the Database Operations node
and select Create new job… This will bring up the ‘New job wizard’.
4. As soon as the welcome dialog is displayed, click on the Next
button to bring up the ‘Job Type’ dialog.
Screenshot 183 - Job Type dialog: ‘Import from file’ maintenance job
5. Select the ‘Import from file’ maintenance job and click Next to
proceed to the configuration dialog.
Screenshot 184 – Import file parameters
6. Specify the following import parameter:
• Folder: c:\esm7_export
7. Click Next to proceed to the next dialog.
Screenshot 185 – Import from file: decryption password
8. Specify, and confirm, the following parameter:
• Decryption password: pass3344
9. Click Next to proceed to the data filter dialog.
Screenshot 186 – Import from file: log type to process with data filter
10. Specify the following log type parameter to be processed by data
filters:
• Log type: Windows Event Logs
11. Click Filter to bring up the data filter conditions dialog.
Screenshot 187 – Export to file: data filter conditions
12. Specify the following data filter parameters:
• Logs: Security Events
• Event IDs: 528, 540
13. Click OK to finalize your data filter condition settings.
14. Click Next to proceed to the next dialog.
Screenshot 188 – Scheduled job
15. Select Scheduled job and click Finish to finalize the maintenance
job settings.
Index
A
actions 5, 6, 10, 12, 34, 41, 42, 43, 53, 55, 56, 57, 104, 107, 109, 110, 158, 170, 171
Alerting Options 126, 129, 131, 133
B
backup events 67, 68
C
Computer Group Properties 36
Computer Properties 36
configuration settings 123
D
database backend 5, 10, 12, 24, 25, 26, 27, 52, 62, 67, 68
Database Operations 80, 176
default alerting settings 31
E
email alerts 6, 27, 30, 31, 32, 41, 55
event archiving 6, 24, 52, 55
event classification 10, 42, 52, 55, 57
event color-coding 62
event finder tool 62
event processing rules 5, 7, 9, 10, 12, 41, 42, 46, 48, 50, 53, 54, 55, 57, 99
event query 10, 60, 61, 63, 64
event query builder 10, 64
event sources 9, 11, 12, 34, 35, 36, 39, 46, 48, 103, 106, 108
events browser 5, 59
F
filter conditions 85, 87, 88, 90, 91
G
GSM 126
I
installation wizard 18
L
license key 19
licensing 13, 18, 120
LogMonitorAdministrator 27, 28
logon credentials 39
N
network alerts 6, 28, 32, 55, 57
O
operational time 37, 39, 40, 103, 106, 108
P
privileges 18
Properties 126, 129, 131, 133
Q
Quick Start Dialog 24, 25, 28, 30, 34, 150, 151, 153
R
rule-set 53, 54, 99, 100, 101, 102, 104, 107
S
scanning monitor 69
SMS 125
SMS alerts 6, 7, 27, 30, 32, 125, 131, 133, 151, 156, 158, 168
Syslog messages 23, 49
Syslog server 23, 49, 50, 51
U
Upgrading 18
V
version information 121
W
W3C logs 7, 11, 21, 22, 37, 41, 47, 48, 104, 105, 110
Windows event logs 7, 8, 11, 21, 37, 41, 43, 45, 47, 53, 54, 99
wizard 123
working hours 6, 28, 29, 39, 40, 103, 106, 108, 113, 151, 155, 156, 158, 167, 168