SpectorSoft Log Manager Help
- Claire Roberts
- 9 years ago
SpectorSoft Log Manager Help 10/8/
2013 SpectorSoft Corporation, All rights reserved.
Table of Contents

Getting Started: About; How it Works; Upgrading from Network Event Viewer; System Requirements; Registration; Update Service; Best Practices

Tutorials: Tutorials; Event Log Management Tutorial; Encrypting and Password Protecting Event Log Backups; Printing Logs for Auditors; Monitoring a File for Inactivity; Receiving a Monthly Event Log Error Count Report (Grouped by Event ID/Source); Receiving a Monthly Event Log Error Count Report; Starting a Process when a Particular Entry is Logged; Consolidating Logs to SQL Server; Consolidating Logs to MySQL; Using Gmail as a Backup Server

How To: User Interface Components; Actions, Alerts and Notifications; Active Directory; Active Directory Filters; Auto Configurator; Backing Up and Restoring the Configuration; Browsing Computers; Browsing Text Logs; Configuration Templates; Displaying Logs; Emailing Logs; Encrypting Communications; EVT and EVTX Files; Exporting Logs; Filters; Frequency Reports; Frequency Rules; Groups; Importing a Computer List; Log Entry Retention Policy; Log Properties; Managing Event Logs; Managing Syslogs; Managing Text Logs; Manually Downloading Event Logs; Mapping Computers; Monitoring and Consolidating Logs; Monitoring CSV Files; Oracle Support
How To (continued): Printing Logs; Regular Expressions; Replacement Tags; Reports; Schedule Distributor; Schedules; Searching Logs; Selecting Specific Computers; Selecting Specific Logs; SNMP Traps; Standard Reports; Tray Icon; Views

Security Event Log Reports: Success Logon Reports; Failed Logon Reports; Account Lockout Reports; New User Account Reports; Logon/Logoff Reports; Account Management Reports

Options: Options; Web Proxy Server Configuration

Windows Service: Windows Service; Change Service Logon; Windows Service Log File; Starting and Stopping the Windows Service

Troubleshooting: Troubleshooting; Common Event Log Management Errors; The RPC Server is Unavailable; Access Denied; Quota Violation; Common Filter Issues; Common Action Issues; Security; Configuring the Windows Firewall; Technical Support; SpectorSoft Information; Contact Us; Copyrights and Trademarks; Index
Getting Started

About

SpectorSoft Log Manager is a network-wide log monitoring, consolidation, auditing and reporting tool enabling System Administrators to proactively monitor their networks while satisfying regulatory agency auditing requirements.

Features at a Glance

- Monitor logs in real-time or per user defined schedule
- Create and assign simple or complex regular expression filters
- Fire multiple types of alerts or actions including SNMP traps
- Consolidate Event Logs, Syslogs, text logs and CSV files
- Automatically truncate and archive consolidated logs
- Schedule detailed reports
- Includes Security Event Log reports
- Merge multiple log files into a single view
- View Windows Event Log files (EVT and EVTX)
- View large log files quickly with minimal system resources
- Monitor Active Directory and automatically configure new computers
- Single installation monitors entire network
- No installation required on managed computers

Event Log Management

The Windows operating system and many 3rd party Windows Services and applications use the Windows Event Log system to log informational, warning, and error information used by Systems Administrators to help identify application errors. SpectorSoft Log Manager monitors (real-time or scheduled), consolidates and archives Event Logs to SQL Server, MySQL, Oracle or the proprietary file system.

Syslog Management

SpectorSoft Log Manager includes a self-contained syslog server that can be used to collect, monitor and consolidate syslog messages from both computers and devices such as network routers and firewalls.

Text Log Management

SpectorSoft Log Manager supports both delimited and non-delimited text log files. Delimited files follow a specific format enabling programmatic parsing over multiple lines. Many applications create log files using a date driven naming mechanism. SpectorSoft Log Manager enables you to monitor files within a directory that match user defined file name masks such as <yymmdd>.txt and *.log.
When a new file is detected, the service automatically starts monitoring the file contents.
Advanced Filtering

Powerful filtering searches through consolidated logs, allowing you to pinpoint log entries of interest or remove noise. Both simple and complex regular expression filters are offered. Selectively flag and add notes to log entries of interest.

Compliance

Many regulatory agencies require organizations to archive critical logs for future reference. SpectorSoft Log Manager archives your logs in their entirety or as a subset to a central SQL Server, MySQL or Oracle database, as well as to CSV, EVT, EVTX, HTML, TXT, or XML files.

Alerts, Notifications and Actions

SpectorSoft Log Manager supports several different alerts and actions when key log entries are detected. Trigger actions such as sending a fully customizable email, exporting to a file, displaying a message box, playing a sound, writing key log entries to a user defined database table, forwarding key log entries to log consolidation hardware via syslog, displaying a system tray popup message, sending an SMS notification through an email-to-SMS gateway or firing an SNMP trap.

Report Generation

Generate reports that contain filtered log entries from a set of computers. For example, receive a daily report that contains a list of all failed login attempts to your domain controllers for the last 24 hours. Customize the report content using HTML templates. Run reports on demand or on a schedule.

For more information, see:
- How it Works
- Monitoring and Consolidating Logs
How it Works

Components

SpectorSoft Log Manager consists of three (3) major components:

- The User Interface is used to configure log management, generate reports and watch logs in real-time.
- The Windows Service monitors and parses log entries, fires actions, generates scheduled reports, and automatically starts to monitor newly discovered computers.
- The Tray Icon fires user interface alerts such as message box, sound, and system tray popups.

Implementation

Log Manager uses Microsoft's Windows Management Instrumentation (WMI) to monitor in real-time, download and manage remote Event Logs.

Syslog messages are received by pointing the hardware generating the messages to the server on which Log Manager is installed. The Log Manager Service opens UDP port 514 and listens for syslog messages.

Text Logs are monitored in real-time or by polling the file as frequently as every second or as infrequently as once a month. Text log change subscriptions and reads are done using either Microsoft Networking on Windows or Samba on Linux/Unix.

Once messages are received, the Log Manager Service applies filters and fires any appropriate actions. Next, consolidation filters are applied. All entries that pass the consolidation filter are stored in the log repository.

Reports are run on demand or automatically generated against the consolidated logs contained within the log repository.

For more information, see:
- Monitoring and Consolidating Logs
- Reports
- User Interface Components
- System Requirements
Upgrading from Network Event Viewer

To reduce the effort of upgrading to SpectorSoft Log Manager, we have included a function to import your Network Event Viewer configurations and log repository data. Please review the list below to see what is and what is not converted.

Converted:
- Email settings
- Web proxy server settings
- Computer mappings
- Database connection settings
- Log repository
- Auxiliary data source connection settings
- Actions
- Filters
- Download configurations
- Real-Time configurations
- Reports
- Directory Service connection settings

Not Converted:
- Configuration templates
- Auto Configurator configurations

Conversion Notes

Email and HTML Output

All reports and actions that point to custom email and HTML templates are set to the SpectorSoft Log Manager defaults. The default subject is applied to all converted alerts.

Filters

When converting filters, date based criteria are dropped. All filters that are applied to syslog configurations or reports are broken out into 2 filters, one for Event Logs, the other for Syslogs.

Reports

When converting reports, the first date based criteria found within the legacy filter is applied to the report. All reports that contain both Event Logs and Syslogs are broken out into 2 reports, one for Event Logs, the other for Syslogs.
Log Repository (File System)

When storing Event Logs to the file system, the conversion program can point to NEV's log repository. NEV offered an option to back up previously downloaded log files rather than append. This format of the log repository is not supported within SpectorSoft Log Manager and cannot be read. The conversion function offers the capability to convert the file system to either SQL Server, MySQL or Oracle. If you are interested in using a database rather than the file system, this is a good time to convert. Stored syslog files are not converted but will show up in the repository as Event Logs. New files will be automatically created when syslog messages are received and will be displayed in the repository under Syslogs.

Log Repository (Database)

Prior to running any import functions below, BACK UP YOUR DATA. This includes your NEV configurations and your log repository database(s) or file system.

File System

If you are using our file system format, there is no need to convert the data.

Database

If you use SQL Server or MySQL, the NEV tables must be imported to new tables that SpectorSoft Log Manager can read. You can continue to use the same database without interfering with NEV. One major change between the software versions is that NEV stored archived entries to the same database. SpectorSoft Log Manager stores archived entries to an alternate database. If you were archiving old log entries with NEV, you must create a new database to write these entries. If you do not, by default the archived entries will be loaded into our file system format in the default archive location. If you choose to delete the NEV data once imported, the database should decrease in size by approximately 50%; otherwise it will increase by 50%. If you want to leave the NEV database unchanged, point the target to another database.

To upgrade

From SpectorSoft Log Manager select Import from Network Event Viewer.
The Network Event Viewer service will be stopped prior to running the import functions. We highly recommend you either uninstall NEV or disable the NEV service once complete.

There are 3 optional steps. Answer the following questions to decide which steps to run:

- Do you want to continue to use the same repository? If so, run Step 1. If storing logs to a database, be sure to set the Target archive data provider; otherwise archived data will be stored to our file system format.
- Do you want to import the data that was consolidated by NEV? If so, run Step 2. If storing logs to a database, be sure to set the Target archive data provider; otherwise data previously archived by NEV will be copied to our file system format.
- Do you want to import all the configurations you created with NEV? If so, run Step 3.

Once you have completed Step 3, either disable the NEV service or uninstall NEV.
System Requirements

Supported Operating Systems

Windows Server 2008 R2, Server 2008, 7, Vista, Server 2003 or XP.

Supported CPUs (64-Bit and 32-Bit)

Our software is compiled with the latest version of the .NET Framework, which allows us to compile the program once for any CPU, meaning SpectorSoft Log Manager runs natively on both 64-bit and 32-bit hardware.

Memory

2 GB of available memory, 4 GB suggested for large networks.

Microsoft .NET Framework 3.5 Service Pack 1

The installation detects if the .NET Framework 3.5 Service Pack 1 is already installed. If not, the framework is automatically downloaded from Microsoft and then installed. Please note the framework takes a significant amount of time to install. Please be patient while the installation completes.

Domain Administrator Account

To access remote logs, both the logged in user and the Windows Service must have domain administrator rights. The first time the application is run, you will be prompted to assign domain administrator credentials to the service.

Windows Management Instrumentation (client and server)

Event Logs are consolidated and managed using Microsoft's Windows Management Instrumentation (WMI) API. WMI is preinstalled on all supported operating systems.

For more information, see:
- How it Works

Registration

To register your software, visit and purchase a license. You will receive your license key by email. After you receive your license key, select Register from the Help menu. When prompted, specify the email address the license key was mailed to and the license key. Click Submit. If you are running on an isolated or secure network, please contact SpectorSoft Technical Support and have your order information and target system's MAC address ready.
If you are moving your license from one computer to another, please contact SpectorSoft Technical Support.

For more information, see:
- Update Service

Update Service

All of our software supports automatic updates. At startup, each of our user interfaces downloads an XML file from our web server. Using version information, our software determines if an update is necessary. License information may be transmitted to our registration web service, also running on our web server, to determine upgrade eligibility. If eligible, our software will download the latest version from our web server.

Each license comes with access to updates and major releases for 1 year. After that, you can purchase a maintenance contract that provides you access to updates and major releases for 1 more year.

For more information, see:
- Registration

Best Practices

Log management is typically very CPU and memory intensive. Please consider some of the following suggestions when managing logs:

Consolidation

Consolidate often. The more often you consolidate Event Logs and text logs, the easier it is on the target server, the network, the database server and the management console. Event Log entries are received from the target computer in a random order. When using the file system to store logs or when applying post consolidation filters, the entries must be sorted in memory. For this reason we suggest using SQL Server, MySQL or Oracle to store your logs and configuring reports in place of post consolidation filters. If a database is not a viable option, you are forwarding entries to a log management device, or you must use post consolidation filters for some other reason, schedule the Event Log downloads or text log polling as frequently as once an hour in large networks or once a day in smaller networks.

Filters

Creating vague filters will allow many entries to pass.
Keep your filters tight so only those that you are really interested in pass or those that are of no interest are removed.
Reports

One of the most common issues we see is reports run with vague filters over large date ranges. This scenario typically causes the system to run out of memory as the email is generated. Keep the filter tight and the date range short. This will limit the amount of data sent in your reports.

Archiving

Many of our users store their logs for at least a year. When storing logs more than 90 days, we suggest entries be archived frequently. Use the built-in archive functionality to move entries from your primary database or file system to an archive database or network location. Schedule the archive function to run once a week during off hours. Every 90 or 180 days, back up the database or network location and prune all the archive data. Doing so will increase both the user interface and the archive process performance.

Displaying Logs

When displaying logs within the viewer, limit the number of days per page; 1 day per page is best. When very little data appears, increase the number of days per page to suit your needs.
Tutorials

- Event Log Management Tutorial
- Encrypting and Password Protecting Event Log Backups
- Printing Logs for Auditors
- Monitoring a Rolling Text Log File (IIS)
- Monitoring a File for Inactivity
- Monitoring a File for Maximum Size
- Receiving a Monthly Event Log Error Count Report (Grouped by Event ID/Source)
- Receiving a Monthly Event Log Error Count Report
- Starting a Process when a Particular Entry is Logged
- Consolidating Logs to SQL Server
- Consolidating Logs to MySQL
- Using Gmail as a Backup Server
Event Log Management Tutorial

This tutorial shows you how to configure real-time monitoring, save log entries to a central database, and configure log entry retention policy. When you have completed this tutorial you will understand how to monitor Security Event Logs for multiple failed logon attempts, save all audit failure and error events to a central database, receive notification when warning and error System Event Log entries are downloaded, and lastly, configure log entry retention policy.

Start the Log Management Wizard

Select New Log Monitor from the File menu item. From the Log Management Wizard select Windows Event Logs.

Click Next. Choose the method to select the computers. Once selected, the computers will display in the list.

Click Next. If any of the selected remote computers are off domain, use the Computer combo-box to select each off-domain computer. Once selected, specify the appropriate credentials to access the logs. When complete, select (All) in the Computer combo-box.
Click Next. Specify a group to add the computers to and check the logs you want to consolidate to your database. For this tutorial check the Security and System Event Logs.

Click Next. To consolidate the Event Logs, check the Save entries to the log repository option. If you only want to save specific Event Log entries, for example, audit failure and error events, select Save all entries that pass the consolidation filter. In the Consolidation filter combo-box select the filter to apply. If you have not yet created the filter, click the configure filters button and create your consolidation filter. For this tutorial we only want to save audit failure and error entries, so let's create the filter now. Once created, your filter should look like the following screen shot:
Click Close and save your changes.

Next schedule the frequency to download the Event Logs. If configuring many downloads, click the Distribute Schedules button to evenly distribute the schedules over a time period. For example:

Next limit the initial download (or first download) to the previous X number of days. When downloading domain controller Security Event Logs you may need to minimize this number of days, as domain controller Security Logs tend to be quite large, causing potentially significant CPU load, memory load, and processing time.

Lastly, choose to clear the remote Event Log upon download completion. When you have finished configuring this page your wizard should look something like the following:
Click Next. For performance reasons, reports should be used to notify users on a daily or hourly basis of events of interest; however, there are many cases when you may want to be notified immediately upon download completion of specific events. In these rare cases, assign post consolidation filters and actions. For this tutorial we want to be notified of all warning and error events downloaded from the System Event Logs. Create the filter now. Once created, your filter should look like the following screen shot:

Click Close and save your changes. Assign your newly created filter and apply an action.

Next assign an action.
Click OK. The wizard should now look like the following screen shot:

Click Next. Many regulatory agencies require companies to store Event Log entries for up to a year or even more. Use the Entry Retention Policies tab to configure how many days of entries are saved. Once configured, the service will truncate the saved log tables or files according to the interval or schedule you define.

Incorporated in the retention policy is the concept of archiving. Archiving allows you to move entries from the tables or files you regularly review to archive tables or files. This format enables you to query the system for recent entries very quickly and, when necessary, query the system for older entries from what are typically much larger tables and files requiring more memory and processing time.

Choose to either Remove or Archive entries within the tables or files. Choose the maximum number of days to store. If you choose Remove, the entries are removed from the tables or files when executed. If you choose Archive, the entries are moved from the primary tables or files and appended to the archive tables or files. Use the Options dialog to configure the location where the archive database or file system resides.

Schedule the frequency to apply the data retention rules. If configuring many downloads, click the Distribute Schedules button to evenly distribute each entry retention policy execution over a time period, for example:
When you have finished configuring this page your wizard should look something like the following:

Click Next. The Remote EVT and EVTX File Back Up page should now be displayed. This page enables you to schedule native backups of EVT and EVTX files. For a detailed tutorial on this functionality please see the Encrypting and Password Protecting Event Log Backups tutorial.
Click Next. If you want to monitor specific logs in real-time, select each computer and log from the appropriate combo-boxes and check Real-Time monitor the Event Log for new entries. Please note a thread will be dedicated to each log being monitored in real-time, and if the network fails, entries will be lost.

Once checked, configure any times or days you want to exclude the real-time monitor from running, for example during weekly maintenance windows. If you are applying frequency rules, for example when you want to be notified when a specific entry is received 10 times within an hour, choose to either shut down the monitor or suppress actions during the exclusion period. Shutting down the monitor will reset the frequency rule. All entries that match the real-time monitor filters are then ignored. If, however, you want the frequency rules to continue executing but simply do not want to receive any alerts, choose Suppress actions during exclusion period.

For this tutorial select the Security Event Log from the Event Log combo-box and check Real-Time monitor the Event Log for new entries.

You will notice there is also an option to poll the Event Log entries. If you have no plans to consolidate log entries, you can use the poll option to scan logs for entries. This format guarantees results. Unlike the real-time monitor, when there is a network outage, entries will be downloaded the next time the schedule runs.
Click Next. If you elect to monitor an Event Log in real-time, use the Computer and Event Log combo-boxes to apply the appropriate filter and action to each log. If you want to apply the same filter to the same log on multiple computers, in the Computer combo-box select (All) and in the Event Log combo-box select the specific log. Assign the filters and actions. For more information on assigning filters and actions see Monitoring and Consolidating Logs.

For this tutorial click the Add button. Once the Assign Filter and Action dialog loads, click the Configure Filters button. Use the Filters Manager dialog to create a new Failed Logon Event Log filter as seen below. Make sure you set the Group by option to User. This will enable the real-time monitor to group failed logon attempts by each unique user name, enabling you to receive notification when the same user attempts to log on multiple times without success.

Click Close and save your changes.
Assign your newly created filter and apply the frequency rule as seen below. The frequency rule will enable you to receive notification when any user attempts to log on with their username unsuccessfully 3 or more times.

Next assign an action.

Click OK. The wizard should now look like the following screen shot:

Click Next. Lastly, choose to send error notification emails upon download or entry retention policy execution failure.
Click Finished.
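The frequency rule configured in this tutorial (failed logons grouped by user, notification at 3 or more) and the two exclusion-period choices can be sketched as follows. This is an added example, not SpectorSoft code: the one-hour window, the 02:00-03:00 exclusion period, the reset-after-alert behaviour, the computer names and all identifiers are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-logon event IDs: 4625 (Vista / Server 2008 and later), 529 (XP / Server 2003).
FAILED_LOGON_IDS = {4625, 529}

# Constructed sample entries: (timestamp, computer, event ID, user).
# Deliberately unsorted, since entries can arrive from the target in random order.
SAMPLE_EVENTS = [
    ("2013-10-08 09:02", "DC01", 4625, "bob"),
    ("2013-10-08 02:10", "DC01", 4625, "alice"),
    ("2013-10-08 09:00", "DC01", 4625, "bob"),
    ("2013-10-08 02:30", "DC02", 4625, "alice"),
    ("2013-10-08 03:05", "DC01", 4625, "alice"),
    ("2013-10-08 09:01", "DC01", 529, "carol"),
    ("2013-10-08 09:03", "DC01", 4624, "bob"),    # successful logon, not counted
    ("2013-10-08 09:10", "DC02", 4625, "bob"),
    ("2013-10-08 12:00", "DC01", 4625, "dave"),
    ("2013-10-08 13:30", "DC01", 4625, "dave"),
    ("2013-10-08 13:40", "DC01", 4625, "dave"),   # only 2 inside any one hour
]


class FrequencyRule:
    """Alert when one group key (here: user) matches `threshold` times in `window`."""

    def __init__(self, threshold, window, exclusion=None, mode="suppress"):
        self.threshold = threshold
        self.window = window
        self.exclusion = exclusion      # (start_hour, end_hour) or None
        self.mode = mode                # "suppress" or "shutdown"
        self.hits = defaultdict(deque)  # user -> timestamps inside the window

    def _excluded(self, ts):
        return (self.exclusion is not None
                and self.exclusion[0] <= ts.hour < self.exclusion[1])

    def feed(self, ts, user):
        excluded = self._excluded(ts)
        if excluded and self.mode == "shutdown":
            # Monitor is down: the rule is reset and the entry is ignored.
            self.hits.clear()
            return None
        q = self.hits[user]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()                 # drop hits that fell out of the window
        if len(q) >= self.threshold:
            q.clear()                   # assumption: start counting afresh
            # "suppress": the rule kept executing, but no action fires.
            return None if excluded else (user, ts.strftime("%H:%M"))
        return None


def run_rule(events, rule):
    """Sort entries by time, keep failed logons, return the alerts raised."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), user)
        for ts, _computer, event_id, user in events
        if event_id in FAILED_LOGON_IDS
    )
    alerts = []
    for ts, user in parsed:
        alert = rule.feed(ts, user)
        if alert:
            alerts.append(alert)
    return alerts


def demo():
    hour = timedelta(hours=1)
    return {
        "no_exclusion": run_rule(SAMPLE_EVENTS, FrequencyRule(3, hour)),
        "suppress": run_rule(SAMPLE_EVENTS, FrequencyRule(3, hour, (2, 3), "suppress")),
        "shutdown": run_rule(SAMPLE_EVENTS, FrequencyRule(3, hour, (2, 3), "shutdown")),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts)
```

With suppression the two failures logged during the exclusion period still count, so the third failure just after it raises the alert; with shutdown they are discarded and that alert is missed.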
Encrypting and Password Protecting Event Log Backups

Overview

Many regulatory compliance agencies require companies to back up and archive Event Log files from mission critical systems. Some of these agencies require backup data to be encrypted and password protected. With these requirements in mind, we added scheduled Event Log backup support to SpectorSoft Log Manager. In this tutorial we will show you how to schedule SpectorSoft Log Manager to automatically back up Event Log files from the remote computers on which they reside, compress the backups, encrypt and password protect the output file, and lastly decrypt and view the backed up Event Log files.

Assumptions

This tutorial assumes you have already configured Event Log consolidation for the target computers.

The Tutorial

From the Navigation view select the Configuration Explorer tab. If applicable, expand the group. Expand the Event Logs tree node and check each computer to configure. Right-click and select Log Management Properties.

Once the Event Log Management Wizard opens, click through the wizard until you reach the Remote EVT and EVTX File Back Up page. From this page check the Backup option. To compress the output to ZIP format, check the compress option. To encrypt the output, check the encrypt option and specify a strong password. When encrypted, each Event Log file is output to a proprietary file format. You must use the viewer to decrypt the Event Log; however, once decrypted, you can use either Windows Event Viewer or SpectorSoft Log Manager to view the decrypted Event Log.

Specify the output filename. You can save the files to the local disk or a remote disk. If saving to a remote location, do not use mapped drive letters but instead specify the UNC path.
For example: \\servername\c$\evtbackups

The directory or filename can contain any combination of the following replacement strings:

- {HOST}: The host name the log resides
- {LOG}: The name of the log file, for example, Security
- {DATE}: The current date in yyyymmdd format
- {TIME}: The current time in hhmmss format
To automatically clear the remote Event Log after it is backed up, select the Clear option. Next schedule the backups. If scheduling many backups, use the Schedule Distributor to distribute the backup schedules evenly over a period of time. Please see the sample screen shot for reference:

Finally, click the Next button and resume through the wizard.

Verifying the Event Logs are Backing Up

To verify the backups are executing properly, review the service log file for entries that contain Event Log Backup Manager, or open Windows Explorer and verify the existence of the backups. Depending on the options you selected, the files will be in one of the following formats:

- .evt: Windows Server 2003, Windows XP, Windows 2000 and Windows NT Event Log file format.
- .evtx: Windows Server 2008 and Windows Vista Event Log format.
- .zip: Compressed ZIP file that contains a single .evt or .evtx file.
- .cbx: Encrypted password protected Event Log file that may or may not be compressed.

Viewing Event Log Back Up Files

Select Tools > Event Log Backups > View Backed Up Event Log. Select the .evt file to view. To view an encrypted .evt file, select the .cbx that contains the encrypted Event Log file and, when prompted, specify the decryption password.

NOTE: When viewing .evt files that were generated from a remote computer the Event Log entries may not display correctly. For more information see
Printing Logs for Auditors

Overview

In this tutorial we will show you how to print log entries for auditors. When you are finished with this tutorial you will know how to query a log for a specific time range, print log content, and customize print output.

Assumptions

This tutorial assumes you have already consolidated log entries.

How does Printing Work?

The print function works by taking the entries you have displayed in the viewer, exporting them to a temporary HTML file and then opening the file in your Internet browser. You then use your Internet browser to print the log entries.

Displaying Event Log Entries

From the Navigation view select Log Repository. Check each log you want to print. Please note you can only merge logs of the same type. If printing a single log, right-click and select View Consolidated Log. If printing multiple logs, right-click and select Merge and View Consolidated Logs. If printing Event Logs or Syslogs, when prompted select all levels or priorities. Lastly, select the filter you want to apply to the view.

Once the viewer displays the log entries, navigate to the page of interest or use the Days per page text box in the upper right corner of the viewer to increase or decrease the number of days displayed.

Printing the Current Page

From within the view, right-click and select Print. The view will be exported to HTML and displayed in your Internet browser.

Customizing the Output

If you want to customize the output you will need to change the HTML template. An example of a typical modification is to remove the message from the output.

Select Options from the Tools menu item. Select the HTML Template tab. Expand and navigate to the appropriate HTML Template under the Save View heading. Highlight the filename and press Ctrl-C as seen in this screen shot:
Using Notepad, select Open from the File menu item. Paste the previously copied filename into the open dialog and click OK. Select Save As from the File menu item. Specify your own filename, for example my-event-logview.html. Select Replace from the Edit menu item. Search for {MESSAGE} and replace with an empty string. Select Save from the File menu item and close Notepad.

From within the Options dialog within SpectorSoft Log Manager update the appropriate HTML template value. For example:

From this point forward your template will be used when printing the current page, exporting the current page to HTML and emailing the current page.
Monitoring a Rolling Text Log File (IIS)

Many applications such as IIS log to a daily log file. Each day the application creates a new file that contains the date within the name, for example ex log or 2010 June 25th. This format is simple to implement and enables system administrators to easily archive log files. This tutorial will show you how to monitor rolling text log files by configuring Log Manager to monitor IIS logs.

Requirements

Server 2008 with IIS7 installed

The Tutorial

The first step is to find the directory where the log files reside. To do this you must log onto the target server and check the target log location within IIS7.

To check the location

- Log on to the target server.
- From the Start menu select Administrative Tools > Internet Information Services (IIS) Manager.
- From the left pane select the target web site.
- From the right pane double-click Logging.

The log file path is listed within the Directory text box. By default the path is:

%SystemDrive%\inetpub\logs\LogFiles

Which expands to:

c:\inetpub\logs\logfiles

IIS writes the log files to a sub-directory called W3SVC1, which is the directory you want to monitor. Now that you have the location, you need to configure Log Manager to monitor the directory.

To configure the monitor

From the File menu item select New Log Monitor. From the Log Management Wizard select Text Log Files followed by Directory.

Click the Next button. The Select Computers page should now be displayed. This page enables you to select the computers to monitor. Select the method to find your computers:

- Browse Network
- Browse Active Directory
- Browse Mapped Computers
- Map Computer
- Select Localhost

Select the computer on which IIS7 is installed. If Log Manager is installed on the same computer as IIS7, select Select Localhost.
Click the Next button.

The Specify Logon As Credentials page should now be displayed. This page enables you to specify alternate logon as credentials when necessary. Please note you only need to specify alternate credentials if the target computer is off-domain, as the service should already have domain administrator credentials assigned. Click the Next button.

The Select Directories page should now be displayed. This page enables you to select the directory where the log files are located. Navigate to the target directory, check it and then click the Add button. The directory should now be listed at the bottom of the page.
Click the Next button.

The Specify Friendly Name page should now be displayed. This page enables you to specify a user friendly name to apply to the directory monitor, select a group to assign the computer to, and most importantly add the filename masks. Specify the following values:

Friendly name: IIS7 Logs
Mask: u_ex<yymmdd>.log

Please note the replacement tags within the mask value. If today were 2010 June 25th, the following file would be found when clicking the Test button:

u_ex log

Click the Next button.
The Specify Entry Delimiters page should now be displayed. This page enables you to configure the method to delineate each entry. By default Log Manager treats each line as a single log entry. Since IIS log entries are limited to a single line, leave the entry pattern recognition disabled. Change the read method to Beginning of File. Click the Next button.

The Schedule Parameters page should now be displayed. This page enables you to configure the frequency to poll the file. Please note if you poll the file faster than once a minute, for example once every second, a thread is dedicated to monitoring the file. Configure the monitor to poll the file every 5 minutes.

Note: If you would like to receive a daily report, set the schedule to: Daily at 12:00 AM
Click the Next button.

The Assign Filters and Actions page should now be displayed. This page enables you to apply filters and assign actions to fire when specific entries are read. For this tutorial we will send an email notification every time a client requests the hello.aspx page.

To create the filter, click the Add button. From the Assign Filter and Action dialog click the Filters Manager button. From the Filters Manager dialog click the New button. Specify the following parameters:

Name: GetHello.aspx
Type: Text Log
Criteria: Message Contains GET /hello.aspx

Apply the new filter and assign an action. Please note if you have not created an action, create one now.
Click the OK button. The Assign Filters and Actions page should now list your filter and action assignment. Click through to the Log Consolidation and Retention Policies page.

The Log Consolidation and Retention Policies page should now be displayed. This page enables you to configure Log Manager to automatically consolidate entries to the log repository. Check Save entries to the log repository and check Remove entries older than 30 days. Click the Next button.

The Logical Filename page should now be displayed. This page enables you to specify a logical name to save the dated filenames to. If you do not specify a logical name the log repository will contain a log for each day. Both scheduled reports and auto-archiving require a fixed log name within the log repository. When configuring directory monitors we highly suggest you specify a logical name. For this tutorial enable the logical filename and set the value to:

u_ex.log

Click the Close button. When prompted save your changes. The configuration is now complete.

Next verify the monitor starts correctly. From the View menu select Service Output. The Service Output status view should now be displayed. You should see the following message within 1 minute:

Info 6/25/2010 4:31:01 PM [Text Log Monitor] - \\KAMAS\C$\inetpub\logs\LogFiles\W3SVC1\u_ex<yyMMdd>.log - \\kamas\c$\inetpub\logs\logfiles\w3svc1\u_ex log - Polling... Every 5 minutes

The monitor should also display the current log file within the Configuration Explorer as seen below:
Now test the monitor, filter and action. Open a browser and type the following in the address bar then press enter. You should receive a 404 error in your browser. The next time the monitor scans the file you should receive an email that includes the corresponding IIS log entry. If you don't receive the email, review the Service Output view for errors. Please note if the server connection settings have not been set, causing the monitor to error when sending the alert, you must request the page again before the monitor will attempt to fire another alert.

Monitoring a File for Inactivity

This tutorial will show you how to configure this software to monitor a file for inactivity. When you have completed this tutorial, you will receive notification every 20 minutes a file remains idle or dormant.

Select New Log Monitor from the File menu item. From the Log Management Wizard select Text Logs. Click the Next button.

The Select Computers page should now be displayed. Select the computer that contains the file of interest. Click the Next button.

The Specify Logon As Credentials page should now be displayed. If the remote computer is off domain, use this page to specify or update the logon as credentials. Click the Next button.

The Select Files page should now be displayed. Navigate to the file of interest, check the file then click the Add button. Click the Next button.

The Specify Friendly Name page should now be displayed. If the computer on which the file resides has other file monitors they will all be listed in the Logs combo-box. Select the log of interest from the Logs combo-box. Click the Next button.

The Schedule Parameters page should now be displayed. Specify the schedule to poll the file, for example, once a minute. Do not subscribe to updates. Click the Next button.

The Optionally Assign Filters and Actions page should now be displayed. Click the Add button. From the Assign Filter and Action dialog, click the Filters Manager button.
From the Filters Manager dialog, create a new Text Log filter. Set the name to Empty. Set the type to Text Log.
Click the Close button. When prompted, save your changes. Back in the Assign Filter and Action dialog select your newly created filter. Select Fire the action after an entry passes the filter < 1 times every 20 minutes. This rule configures the service to fire an alert every 20 minutes the file receives no new entries. Lastly, assign an action. Click the OK button. Back in the Optionally Assign Filters and Actions page, click the Close button and save your changes when prompted.

You have successfully completed this tutorial. Your action should now be fired every 20 minutes the file remains inactive.

Monitoring a File for Maximum Size
This tutorial will show you how to configure this software to monitor a file for maximum size. When you have completed this tutorial, you will receive notification every 20 minutes a file exceeds 10 MB.

Select New Log Monitor from the File menu item. From the Log Management Wizard select Text Logs. Click the Next button.

The Select Computers page should now be displayed. Select the computer that contains the file of interest. Click the Next button.

The Specify Logon As Credentials page should now be displayed. If the remote computer is off domain, use this page to specify or update the logon as credentials. Click the Next button.

The Select Files page should now be displayed. Navigate to the file of interest, check the file then click the Add button. Click the Next button.

The Specify Friendly Name page should now be displayed. If the computer on which the file resides has other file monitors they will all be listed in the Logs combo-box. Select the log of interest from the Logs combo-box. Click the Next button.

The Schedule Parameters page should now be displayed. Specify the schedule to poll the file, for example, once a minute. Do not subscribe to updates. Click the Next button.

The Optionally Assign Filters and Actions page should now be displayed. Click the Next button.

The Configure File Size Monitor page should now be displayed. Set the following options:

- Fire the alert when the file size exceeds 10 MB
- Automatically clear alerts after 20 minutes
- Assign an action

Click the Close button and save your changes when prompted.

You have successfully completed this tutorial. Your action should now be fired every 20 minutes the file exceeds 10 MB.
Receiving a Monthly Event Log Error Count Report (Grouped by Event ID/Source)

This tutorial will show you how to create a monthly Event Log report that shows a total count of Event Log errors grouped by the unique combination of Event IDs and Sources for the previous month.

From the File menu item select New Report. Once the Report Wizard opens, select Event Log then click Next. Specify a report name such as Monthly Event Log Errors. Click the Schedule button. From the Report Schedule dialog select Monthly. By default the report will run on the first day of the month at 12:00 AM. Click OK.

Next configure the date range to include. To configure the date range to include in the report select Last month from within the Date/Time combo box at the bottom of the page then click Next. Next add the computers to include in the report then click Next. Next check the logs to include in the report then click Next.

From the Select Filter and Output page click the Filters Manager button. From the Filters Manager dialog specify a name then from the Type combo box select Event Log (Simple). Click Add Criteria. From the Add Simple Filter Criteria dialog de-select Information, Warning, Audit Success, and Audit Failure. Click OK then click Select Filter and save your changes.

Back in the Report Wizard check Hide entries with the same Source and Event ID then assign an email or file output action. When you are finished click Close and save your changes. The report is now complete.

To test the report, from the Reports and Views pane within the Navigation view right click on the new report and select Report Properties Wizard, click past the Welcome page then check the option to run the report within the next minute. To view the report progress select View -> Service Output. Once complete download your email and review the report.

When reviewing the report note that the last error entry for each Event ID and Source combination is displayed along with a count of all Errors on the left side of the report.
Receiving a Monthly Event Log Error Count Report

This tutorial will show you how to create a monthly Event Log report that shows a total count of Event Log errors for the previous month.

From the File menu item select New Report. Once the Report Wizard opens select Event Log (Frequency) then click Next. Specify a report name such as Monthly Event Log Errors. Click the Schedule button. From the Report Schedule dialog select Monthly. By default the report will run on the first day of the month at 12:00 AM. Click OK.

Next configure the date range to include. To configure the date range to include in the report select Last month from within the Date/Time combo box at the bottom of the page then click Next. Next add the computers to include in the report then click Next. Next check the logs to include in the report then click Next.

From the Select Filters page click the Filters Manager button. From the Filters Manager dialog specify a name then from the Type combo box select Event Log (Simple). Click Add Criteria. From the Add Simple Filter Criteria dialog de-select Information, Warning, Audit Success, and Audit Failure. Click OK then click Select Filter and save your changes.

Back in the Report Wizard configure the report to Pass the entry when it occurs more than 0 times in 31 days. When you are finished, click Next. Click Next past the Day and Time Exclusions page. From the Select Output page add an email or file output action then click Close and save your changes. The report is now complete.

To test the report, from the Reports and Views pane within the Navigation view right click on the new report and select Report Properties Wizard, click past the Welcome page then check the option to run the report within the next minute. To view the report progress select View -> Service Output. Once complete download your email and review the report.

When reviewing the report note that the last error entry is displayed along with a count of all error entries on the right side of the report.
Starting a Process when a Particular Entry is Logged

This tutorial will show you how to start a process when a particular entry is logged to an Event Log.

Select New Log Monitor from the File menu item. From the Log Management Wizard select Event Logs. Click the Next button.

The Select Computers page should now be displayed. Select the computer that contains the log of interest. Click the Next button.

The Specify Logon As Credentials page should now be displayed. If the remote computer is off domain, use this page to specify or update the logon as credentials. Click the Next button.

The Select Event Logs page should now be displayed. Check the log of interest and click the Next button.

The Event Log Monitoring Schedule page should now be displayed. Check the Real-Time monitor the Event Log for new entries option and then click the Next button.

The Assign Event Log Monitor Filters and Actions page should now be displayed. Click the Add button. From the Assign Filter and Action dialog click the Filters Manager button. From the Filters Manager dialog create a Simple Event Log Filter that only displays errors and select it.

Next click the Actions Manager button. From the Actions Manager, click New, specify a name and select the Start Process type. In the Filename text box enter the full UNC path to the executable or batch file, for example, \\myserver\c$\temp\startmyprocess.bat. Next, if the target computer is off domain check Run As and specify admin credentials for the remote machine, otherwise do not specify credentials as the service should already have domain administrator credentials assigned. Check Run on remote computer and specify the target host name or IP address. Click the Close button and save your changes when prompted.
From the Assign Filter and Action dialog select the new action and click the OK button. Close the Log Management Wizard and save your changes when prompted.

You have successfully completed this tutorial. Your process should now be fired every time an entry passes your filter.

Consolidating Logs to SQL Server

In this tutorial, we walk you through the process of configuring SQL Server. Once completed, we will configure SpectorSoft Log Manager to use SQL Server as its Event Log repository. Lastly, we will download logs to the SQL Server database and verify entries were written to the database.

Step 1: Create a new primary and archive database

From the Start menu, navigate to the Microsoft SQL Server shortcut folder, select Microsoft SQL Server Management Studio and log in to your database server. From the left pane called the Object Explorer, right click on Databases and select New Database. Specify CBLM in the Database name text box. When you are finished you should see the following:

Create another database called CBLM_ARCHIVE with the same options.

Step 2: Create the database user

From the Object Explorer right click on Security and select New Login.
Specify cblmuser in the Login name text box. Select SQL Server authentication. Specify a password. De-select Enforce password policy. In the Default database combo box select CBLM. When you are finished you should see the following:

Step 3: Assign the user to the CBLM and CBLM_ARCHIVE databases

From the Object Explorer expand Databases\CBLM. Right-click on Security and select New User. Specify cblmuser in the User name text box. Specify cblmuser in the Login name text box. From within the Database Role Membership list check db_owner. When you are finished you should see the following:
Repeat the above steps for the CBLM_ARCHIVE database.

Step 4: Initialize SQL Server to work with SpectorSoft Log Manager

Open SpectorSoft Log Manager, select Options from the Tools menu item and then select the Data Providers tab. Use this page to add the primary and archive log repositories (CBLM and CBLM_ARCHIVE).

Create the primary log repository

Click the new data provider button. Use the Name text box to specify a user friendly name that uniquely identifies the data provider, for example, SQL Server. Under the Provider combo-box select SQL Server. Under the Type combo-box select Log Repository. Use the Host text box to specify the name of the host on which the database resides. If you are using SQL Express use the following format: [HOSTNAME]\SQLExpress. For example, servername\sqlexpress. Type cblm in the Database text box. Type cblmuser in the Username text box. Type the password you assigned the user when created within SQL Server Management Studio.

Once complete click the Test Connection button. If you were unable to connect, verify you created and assigned the user to the database as well as typed the connection information correctly.
Once you have successfully tested the connection, click the Initialize button. When you are finished you should see the following:

When you clicked the Initialize button SpectorSoft Log Manager should have created 6 tables. They are:

Table: Description
level: Contains a list of the Event Log levels (Information, Warning, Error, Audit Success, and Audit Failure).
facility: Contains a list of the Syslog facilities.
priority: Contains a list of the Syslog priorities.
event_logs: Contains an index of consolidated Event Logs.
syslogs: Contains an index of consolidated Syslogs.
text_logs: Contains an index of consolidated Text Logs.

Each log file is consolidated to its own table. Event Log and Syslog tables follow the following naming conventions:

Event Log: [host]_evt_[log]
Syslog: [host]_syslog

Since the only thing that uniquely identifies a text log is the filename, a GUID is used in place of the filename. The Text_Logs table maps the consolidated Text Log's filename to the GUID.

Create the archive log repository
Follow the steps above again but this time under the Type combo-box select Archive. After you have configured and initialized the database you should see the following:

Step 5: Test and verify the configuration

From the Navigation view within Log Manager, select the Configuration Explorer tab. Navigate to a server and highlight the Application log. From the File menu item select Download Event Logs. Once the download is complete you will be prompted to display the log. Click Yes. When prompted to apply a filter, select all Levels and clear the filter option. You should now see all the newly downloaded Event Log entries.

Go back to your Microsoft SQL Server Management Studio, from the Object Explorer view expand Databases\cblm\Tables, right click on the Tables node, select Refresh then expand the Tables node. You should now see a new table called [servername]_evt_application where [servername] is the name of the server you downloaded the logs from. If you see this table, you have successfully downloaded the Event Log and saved it to your SQL Server database.
Consolidating Logs to MySQL

In this tutorial, we walk you through the process of downloading, installing and configuring MySQL. Once completed, we will configure SpectorSoft Log Manager to use MySQL as its Event Log repository. Lastly, we will download logs to the MySQL database and verify entries were written to the database.

Step 1: Download and install MySQL Community Server

Download and install MySQL Community Server from:

Step 2: Download and install MySQL Workbench

The MySQL Workbench enables you to configure and manage MySQL. Download and install from:

Step 3: Create new server instance

The first time you open the workbench you must add the connection to your database. From the Home page select New Server Instance. Follow the wizard adding in your connection information.

Step 4: Create a new primary and archive database

From the Home page, under the SQL Development column, double-click on the connection to your database. The SQL Editor should now be displayed. From the Object Browser, right click and select Create Schema. Specify the name CBLM. Select utf8 - default collation. Click Apply, Apply SQL, Finish and finally Close. Create another database called CBLM_ARCHIVE with the same options. When you are finished you should have 2 new databases as seen below.
Step 5: Create the database user and assign privileges

From the Home page, under the Server Administration column, double-click on the server instance. The Server Status page should now be displayed. Click on the Accounts tab. From the Server Access Management tab select Add Account. Specify the username cblmuser, enter a password, lastly click Apply.

Select the Schema Privileges tab then select the cblmuser user. Click Add Entry, select Selected schema, select CBLM, then OK. Highlight the new entry then click Select All followed by Save Changes. Repeat this step for the CBLM_ARCHIVE database. When you are finished you should have 1 new user and 2 schema privileges assigned as seen below.
You have now completed configuring MySQL.

Step 6: Initialize MySQL to work with SpectorSoft Log Manager

Open SpectorSoft Log Manager, select Options from the Tools menu item and then select the Data Providers tab. Use this page to add the primary and archive log repositories (CBLM and CBLM_ARCHIVE).

Create the primary log repository

Click the new data provider button. Use the Name text box to specify a user friendly name that uniquely identifies the data provider, for example, MySQL Log Repository. Under the Provider combo-box select MySQL. Under the Type combo-box select Log Repository. Use the Host text box to specify the name of the host on which the database resides. Type cblm in the Database text box. Type cblmuser in the Username text box. Type the password you assigned the user when created within MySQL Workbench.

Once complete click the Test Connection button. If you were unable to connect, verify you created and assigned the user to the database as well as typed the connection information correctly.
Once you have successfully tested the connection, click the Initialize button. When you are finished you should see the following:

When you clicked the Initialize button Log Manager should have created 6 tables. They are:

Table: Description
level: Contains a list of the Event Log levels (Information, Warning, Error, Audit Success, and Audit Failure).
facility: Contains a list of the Syslog facilities.
priority: Contains a list of the Syslog priorities.
event_logs: Contains an index of consolidated Event Logs.
syslogs: Contains an index of consolidated Syslogs.
text_logs: Contains an index of consolidated Text Logs.

Each log file is consolidated to its own table. Event Log and Syslog tables follow the following naming conventions:

Event Log: [host]_evt_[log]
Syslog: [host]_syslog

Since the only thing that uniquely identifies a text log is the filename, a GUID is used in place of the filename. The Text_Logs table maps the consolidated Text Log's filename to the GUID.

Create the archive log repository

Follow the steps above again but this time under the Type combo-box select Archive. After you have configured and initialized the database you should see the following:
Step 7: Test and verify the configuration

From the Navigation view within Log Manager, select the Configuration Explorer tab. Navigate to a server and highlight the Application log. From the File menu item select Download Event Logs. Once the download is complete you will be prompted to display the log. Click Yes. When prompted to apply a filter, select all Levels and clear the filter option. You should now see all the newly downloaded Event Log entries.

Go back to your MySQL Workbench, within the SQL Editor, expand the CBLM database, right click on the Tables node, select Refresh All then expand the Tables node. You should now see a new table called [servername]_evt_application where [servername] is the name of the server you downloaded the logs from. If you see this table, you have successfully downloaded the Event Log and saved it to your MySQL database.
Using Gmail as a Backup Server

This tutorial will show you how to configure this software to use your Gmail account to send alerts when your primary server is unavailable or unable to send.

To configure Gmail

From the Tools menu item select Options. Select the Email tab. At the bottom of the tab check Use a backup server when this servers unavailable or unable to send. Click the Configure Backup button.

You should now see the Configure Settings (Backup) dialog. This dialog enables you to configure your backup server. Specify the following values:

server (SMTP): smtp.gmail.com:465
Check Use Secure Socket Layer (SSL)
Username: Enter your username
Password: Enter your password

Once complete enter the address you want to send the alert to. Typically this would be your Gmail account, for example, [email protected]. Click the Test button. The packets will output to the Test Status window. Once complete a message will pop up that shows the success or failure. Log into your Gmail account and verify you received the test message.
How To

User Interface Components

The user interface consists of several views:

Event Log Explorer
This view enables you to navigate your network, discover available Event Logs, download Event Logs and save them to the log repository and select logs to review.

Configuration Explorer
This view lists all configured computers, devices and logs. You can sort by computer or group configurations by log type. When sorted by computer use drag and drop to move computers from one display group to another. Use this view to re-configure logs, download Event Logs and select logs to review.

Log Repository
This view lists each repository followed by computer or device followed by log type. Use this view to select logs to review.

Reports and Views
This view lists all configured reports and views. Use this view to create new reports and views as well as execute reports and views on demand.

Service Output
The SpectorSoft Log Manager Windows Service writes status messages to a log file. This view tails the log file and displays each status message. The log file is located in the following directory:

Windows XP/Server 2003: \documents and settings\all users\application data\spectorsoft\log Manager\cblmsrv.log
Windows Server 2008/7/Vista: \programdata\SpectorSoft\Log Manager\cblmsrv.log

Manual Event Log Management Output
When manually downloading or clearing an Event Log or a set of Event Logs, this view displays all status messages. Status messages are grouped by log, enabling users to quickly review all status messages associated with each log.

For more information, see:

- How it Works
- Monitoring and Consolidating Logs
Actions, Alerts and Notifications

When log entries pass filter criteria an action, alert, or notification is fired. By our definition actions, alerts and notifications are one and the same. Writing an entry to a CSV file or database table is more of an action than an alert, while sending an email notification is more of an alert or notification than an action; however, the software does not see these as different, hence the term action is used stand-alone throughout the application and this help file.

The following actions are available:

- Database: Writes each filtered log entry to a database table. Please note error alerts cannot be written to a database table.
- Email: Sends a simple notification message or a detailed message that contains the filtered log entries or alert.
- Event Log Entry: Writes the filtered log entries to a Windows Event Log. Please note you have the option to include the hostname or IP address from which each log entry was generated within the Event Log Source. To include the hostname or IP address, add one of the following tags to the source field: {HOST}, {IPv4}, {IPv6}. For example: Log Monitor on {HOST}.
- File: Exports the filtered log entries to CSV, EVT, HTML, TXT, or XML.
- Message Box: Displays a message box on the local machine that optionally includes the filtered log entries or alert.
- Pager (SMS): Sends a text message using one of several web SMS online gateway services.
- Sound: Plays a sound.
- SNMP Trap: Sends a SNMP trap via Microsoft's SNMP Service.
- Start Process: Starts a background process. Please note you have the option to start a process for each entry contained within the action. In the arguments field specify any of the following fields: {HOST}, {IPv4}, {IPv6}, {MESSAGE}. These fields are replaced with the appropriate values within each entry prior to the process being started. Please note there is a maximum limit of 20 processes that will start per action execution.
- Syslog Message: Forwards each filtered log entry or alert to a syslog server.
- Tray Popup: Displays a balloon window above the tray icon that optionally includes the filtered log entries or alert.

To create, modify, or remove an action

Select Configure Actions from the Tools menu item. Use this dialog to create, modify, and remove actions.

To assign actions to a monitor or report

You must assign an action when configuring real-time monitoring, post consolidation filters or scheduling reports. When prompted to assign an action click the Add button to add and assign an action or double-click on an already assigned action to modify or review the action. If prompted, select the filter to apply.

Most actions support frequency rules, for example, receive notification when a specific entry is received more than 5 times within 1 hour or an expected entry is not received within a 24 hour period (called a less than frequency rule). To set this option, select the Fire the action after an entry passes the filter option. Select the frequency rule: either greater than (>) or less than (<), the value and lastly, the time period. For more information see Monitoring and Consolidating Logs.

When assigning an action to a real-time monitor you have the option to limit the number of actions fired within a time period. For example, you can limit the number of notifications you will receive to 5 every hour. To set this option, check the Limit action frequency to check box and use the following controls to set the action limits.

When assigning an action to a text log monitor you have the option to include a number of previous and following entries within the action. For example, you can include the previous 3 entries every time an entry passes your filter for a total of 4 entries that will be included in your alert.
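The greater-than and less-than frequency rules and the action limit described above can be modelled as follows. This is an added example, not SpectorSoft's code: the class and function names, the sliding-window counting and the re-arm after each firing are assumptions, and the entry times are constructed.

```python
from collections import deque
from datetime import datetime, timedelta


class FrequencyRule:
    """Model of 'Fire the action after an entry passes the filter <op> N times every <period>'.

    Assumed semantics (the help text does not spell them out): entries are counted
    over a sliding window and the rule re-arms after each firing.
    """

    def __init__(self, op, count, period, started, max_actions=None, limit_period=None):
        if op not in (">", "<"):
            raise ValueError("op must be '>' or '<'")
        self.op, self.count, self.period = op, count, period
        self.armed_at = started          # when the current evaluation window began
        self.hits = deque()              # timestamps of entries that passed the filter
        self.max_actions = max_actions   # optional "Limit action frequency to" setting
        self.limit_period = limit_period
        self.fired = deque()             # timestamps of actions actually sent

    def poll(self, now, new_hits=()):
        """Call on every scheduled poll; returns True when the action should fire."""
        self.hits.extend(sorted(new_hits))
        while self.hits and self.hits[0] <= now - self.period:
            self.hits.popleft()          # forget entries older than the window
        if self.op == ">":
            triggered = len(self.hits) > self.count
        else:
            # A less-than rule can only be judged once a full period has elapsed.
            triggered = (now - self.armed_at >= self.period
                         and len(self.hits) < self.count)
        if not triggered:
            return False
        self.hits.clear()                # re-arm: one burst or one quiet period, one action
        self.armed_at = now
        return self._within_limit(now)

    def _within_limit(self, now):
        if self.max_actions is None:
            return True
        while self.fired and self.fired[0] <= now - self.limit_period:
            self.fired.popleft()
        if len(self.fired) >= self.max_actions:
            return False                 # suppressed by the action limit
        self.fired.append(now)
        return True


def simulate(rule, start, minutes, hit_minutes):
    """Poll once a minute; hit_minutes are constructed offsets of filtered entries."""
    fired = []
    for m in range(1, minutes + 1):
        now = start + timedelta(minutes=m)
        new = [start + timedelta(minutes=h) for h in hit_minutes if m - 1 < h <= m]
        if rule.poll(now, new):
            fired.append(m)
    return fired


START = datetime(2010, 6, 25, 16, 0)     # constructed start time


def idle_file_demo():
    # "< 1 times every 20 minutes": entries at minutes 5 and 30, then silence
    return simulate(FrequencyRule("<", 1, timedelta(minutes=20), START), START, 70, [5, 30])


def burst_demo():
    # "more than 5 times within 1 hour": seven entries in seven minutes
    rule = FrequencyRule(">", 5, timedelta(hours=1), START)
    return simulate(rule, START, 120, [10, 11, 12, 13, 14, 15, 16])


def limited_demo():
    # every entry fires, but at most 2 actions per hour are let through
    rule = FrequencyRule(">", 0, timedelta(minutes=1), START,
                         max_actions=2, limit_period=timedelta(hours=1))
    return simulate(rule, START, 70, [1, 2, 3, 4, 70])


if __name__ == "__main__":
    print(idle_file_demo(), burst_demo(), limited_demo())
```

With the less-than rule the first alert arrives 20 minutes after the last entry, not 20 minutes after the monitor started, which is the behaviour to expect when tuning an inactivity alert.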
For more information see: Monitoring and Consolidating Logs Reports Replacement Tags SpectorSoft Corporation, All rights reserved.
Active Directory

SpectorSoft Log Manager interfaces with Active Directory and other generic LDAP servers in several ways. By default our software automatically connects to the Active Directory server on your domain controller. If you are not connected to a domain or want to use another LDAP server you can configure the connection via the Options dialog. You can configure as many Active Directory and LDAP servers as you need.

Once connected you can use Active Directory to:
- Browse the Event Log Explorer
- Browse for computers within the configuration wizards and optionally recursively scan, apply an Active Directory Filter and automatically select a list of computers
- Use the Auto Configurator to automatically manage new computers and optionally apply an Active Directory Filter to limit which computers to configure

For more information, see:
- Auto Configurator
- Active Directory Filters
- Options
Active Directory Filters

Log Manager enables you to create Active Directory Filters which can be applied when selecting computers to monitor or when configuring the Auto Configurator.

How to scan Active Directory when configuring computers

- When using one of the wizards to create a log monitor, select Browse Active Directory from the Select Computers page.
- From the Browse Active Directory dialog, click Select Specific Computers.
- From the Select Specific Computers dialog, click Filter Manager.
- From the Filter Manager, create a new filter, apply your criteria then select the new filter.
- From the Select Specific Computers dialog, click OK.

You will be prompted to scan the currently selected Active Directory node or recursively scan all child nodes. If you choose to only scan the selected node, the child computers will be scanned and checked as appropriate. If you choose to recursively scan all child nodes, the computers which pass the filter are stored, the Browse Active Directory dialog is dismissed and finally the results are appended to the Select Computers page within the wizard.

How to apply an Active Directory filter to the Auto Configurator

- From the Active Directory menu item, click Auto Configurator.
- Add the appropriate Active Directory paths to scan then click Next.
- Navigate through to the Computer/Device Filters page then click Filter Manager.
- From the Filter Manager, create a new filter, apply your criteria then select the new filter.

When the Auto Configurator runs, the filter is applied to each computer. All accessible computers that pass the filter will be configured.

For more information, see:
- Active Directory
- Auto Configurator
- Browsing Computers
- Selecting Specific Computers
Auto Configurator

The Auto Configurator enables you to configure this software to automatically manage computers as they are added to your network. For example, if on average you add 5 workstations a week to your network, you can use the Auto Configurator to monitor the directory entry in which those computers are placed. Once discovered, a configuration template for Event Log management and a configuration template for Syslog management can be automatically assigned.

Using the Auto Configurator

Before you use the Auto Configurator you must first create the configuration templates you want to apply. For more information see Configuration Templates.

Once you have your configuration templates complete, select Auto Configurator from the Active Directory menu item.

From the Auto Configurator Wizard, use the Add button to add each directory entry to monitor. There is no need to add child directory entries unless you want to apply different templates to each child that may contain computers. When finished click Next to move to the Schedule Scan page.

If you have multiple directory entries configured, the Schedule Scan page lists each directory entry in the Active Directory Entry combo-box. You can fine tune each configuration by selecting the directory entry, or you can configure all the directory entries at once by selecting (All) and then making your changes. If you need to temporarily disable a scan, de-select Enabled. Specify the schedule to scan the directory entry. If you want the Auto Configurator to recursively scan each sub-directory entry, check the recurse option. Once complete, click the Next button to navigate to the Configuration Template Assignment page.

From the Configuration Template Assignment page select the configuration templates to apply when a new computer is discovered. If none appear, exit the wizard and create your configuration templates via the Log Management Properties Wizard. For more information see Configuration Templates.
Once you have assigned your templates click the Next button to navigate to the Computer/Devices Exclusions page.

From the Computer/Devices Exclusions page add computers or devices that you do not want configured. Please note you do not need to add computers and devices already configured. This option is available to you so you can ignore computers you are not interested in managing. Once you have assigned your exclusions click the Next button to navigate to the Results page.

From the Results page specify an address to send the scan results to. Please note you will only receive a results report if new computers or devices are added to the system.

For more information see:
- Active Directory
- Active Directory Filters
- Configuration Templates
- Options

Backing Up and Restoring the Configuration

All configurations and settings are saved to binary .dat files stored in the application data directory.

Windows Server 2003/XP
c:\documents and settings\all users\application data\spectorsoft\log Manager

Windows Server 2008/7/Vista
c:\program data\spectorsoft\log Manager

For ease of use we have included a backup and restore function within this software. Please note when restoring from a backup set of files all configurations and settings will be replaced.

To back up the current configurations and settings

- From the Tools menu item select Backup Configuration.
- Select a destination directory and click OK. All of the .dat files within the application data directory will be immediately copied.

To restore from a backup set of files

- From the Tools menu bar select Restore Configuration.
- Select the source directory and click OK. All of the .dat files within the source directory will be immediately copied. The user interface will take a few moments to load the restored configurations and settings.

NOTE: When moving the installation to another computer these files can be transferred; however, the installation directory and target OS should be identical as path information may be listed in any of the configuration files. If the paths are different be sure to reset the HTML templates and any other options that contain path information within the Options dialog.

Browsing Computers

Throughout SpectorSoft Log Manager you are prompted to select computers or devices via our many different browse computers dialogs. When configuring log management you have the option to browse and select computers by:
- Network: Mimics Windows Network Neighborhood.
- Active Directory: Navigate your directory service tree.
- Mapped Computers: Select from a list of computers you have previously manually added to the system or specified access credentials.

When configuring an Event Log or Syslog report you are prompted to select computers from a list of configured computers or computers that have log entries consolidated to one of the log repositories.

To select computers

To select a computer from any of the browse dialogs, check the computer or computers and click the OK button.

To search and select specific computers

Some of the browse dialogs allow you to search for computers that contain specific characters or are of a specific type. For example, SpectorSoft Log Manager can automatically check all computers that start with SRV and are running any of the Windows Server operating systems. To search for a specific computer click the Select Specific Computers button.

For more information, see:
- Selecting Specific Computers

Browsing Text Logs

When creating a Text Log Report you must select the logs to include in the report. Use the Select Log dialog to select logs contained within the primary, archive or auxiliary log repositories.

For more information, see:
- Reports

Configuration Templates

To aid in configuring new computers, SpectorSoft Log Manager enables users to save a configuration to a template. Once saved, users can quickly apply the configuration to another computer or device.

To save a configuration to a template

- From the Configuration Explorer tab, navigate to and right click on the computer of interest.
- Select Log Management Properties.
- When opening an Event Log configuration, click on the Next button until you are at the Select Event Logs page. When opening a Syslog configuration, click on the Next button until you are at the Monitor Schedule page.
- Once at the appropriate page click the Save As Template button.
- Specify a name and click OK. To overwrite an existing template, select the template from the combo-box and click OK.

To apply a configuration template to a new computer

- Select New Log Monitor from the File menu item.
- Follow the wizard until you are prompted to apply the template. When configuring Event Logs, this will be on the Select Event Logs page. When configuring Syslogs, this will be on the Monitor Schedule page.
- Once at the appropriate page click the Apply Template button.
- Select the template and click OK.

Please note when configuring Event Logs, only Event Log templates appear in the available template list. When configuring Syslogs, only Syslog templates appear in the available template list.

For more information, see:
- Auto Configurator
- Monitoring and Consolidating Logs

Displaying Logs

One of the core functions of SpectorSoft Log Manager is the ability to display logs for review. SpectorSoft Log Manager enables you to view logs in either real-time or from the consolidated log repository.

To view logs in real-time

- From the Navigation view select any of the tabs that list the log file of interest.
- Navigate to the log file of interest, right click and select Watch Log.

To view consolidated logs

- From the Navigation view select the Log Repository tab.
- Navigate to the log file of interest.
- Right-click and select View Consolidated Log.

To view multiple Event Logs or Syslogs

- From the Navigation view select the Log Repository tab.
- Check each log file to include in the merge.
- Select Merge and View Consolidated Logs.
For more information see:
- Searching Logs
- Filters
- Emailing Logs
- Exporting Logs
- Printing Logs

Emailing Logs

SpectorSoft Log Manager provides the capability to email the current view or merge to one or many users. The view is exported to a temporary HTML file and then emailed.

To email the current view

- From the detail view, right click and select Email.
- Separate each address with a semi-colon.
- To use your own HTML template, check the Override the default HTML template check box and specify the location where the HTML template resides.
- Lastly, click Send.

Encrypting Communications

Many organizations today need to remotely transfer domain controller Security Event Logs while keeping prying eyes from sniffing packets and reading data. SpectorSoft Log Manager enables you to both download and consolidate Event Logs using encryption methods.

Encrypting WMI Traffic when Downloading Event Log Entries

By default, when downloading Event Logs, WMI transmits all packets in the clear. To encrypt these packets it's as simple as setting an option within WMI. This option can be set within SpectorSoft Log Manager's Options dialog.

To encrypt WMI packets

- Select Options from the Help menu item then select the WMI tab.
- Use the Authentication level option to set or clear the encryption option. When Packet is selected all data passed via WMI is unencrypted. When PacketPrivacy is selected all data passed via WMI is encrypted.
Encrypting SQL Server Traffic when Consolidating and Reporting

To communicate with SQL Server over an encrypted channel you need to install a certificate authority generated SSL certificate to the Windows certificate store, configure SQL Server to force protocol encryption and finally configure your database connection to use encryption.

Installing your SSL Certificate

- Open a command-prompt and type mmc.
- Select File > Add/Remove Snap In.
- Double-click on Certificates and select Computer account followed by Next then Finish.
- Click OK to close the Add or Remove Snap ins dialog.
- Expand Certificates (Local Computer) followed by Personal.
- From the detail view right click and select All Tasks > Import.
- From the Certificate Import Wizard click Next then type the full path or browse to your certificate authority generated SSL certificate.
- Click Next > Next > Finish.

For more information see:

Configure SQL Server to enforce protocol encryption

- From the Start menu select Microsoft SQL Server > Configuration Tools > SQL Server Configuration Manager.
- Select SQL Server Network Configuration.
- From the detail view, right click on Protocols for <instance_name> and select Properties.
- From the Flags tab, enable Force Encryption.
- Select the Certificates tab and select your SSL certificate.
- Click OK then restart the SQL Server service.

For more information see:

Configure SpectorSoft Log Manager to connect over the encrypted channel

- From SpectorSoft Log Manager select Options from the Tools menu item.
- Select the Data Providers tab.
- Select the target data provider and check the Encrypt connection option.
- Click the Test button to verify you are able to connect.
- Click OK and save your changes.

For more information, see:
- How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console
- Encrypting Connections to SQL Server
- Options
EVT and EVTX Files

What are EVT and EVTX Files and How do they Work?

The Windows operating system stores event log entries to binary EVT and EVTX files. EVT/X files contain each entry's information; however, EVT/X files may not contain entry messages but instead contain replacement strings. When the Windows Event Viewer displays an event log entry, Windows Event Viewer opens the associated message DLL for the event log entry source. Using the event ID, Windows Event Viewer looks up the message in the message DLL. Using a string insertion function, Windows Event Viewer inserts the replacement strings contained within the EVT/X file.

Viewing EVT and EVTX Files

EVT/X files should ALWAYS be viewed from the generating computer. If the generating computer is no longer functioning, you should open the EVT/X files from another computer that has the most similar configuration. Please note when viewing entries from applications that do not properly interface their Event Log entries with the operating system, or when viewing EVT/X files from a computer other than the computer that generated the event log entries, the following message may display:

The description for Event ID {0} from source {1} cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: {2}

For more information see

To open an EVT or EVTX file

- Select Open from the File menu item.
- Select the .evt or .evtx file to view. To view an encrypted EVT/X file select the .cbx that contains the encrypted Event Log file and when prompted specify the decryption password.
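The message lookup described under "What are EVT and EVTX Files and How do they Work?" can be modelled in a few lines. This is an added example, not SpectorSoft or Windows code: the message tables, the BackupAgent source and the record are constructed stand-ins for message DLLs and an EVT/X entry, and only numbered %1-style insertions are handled.

```python
import re

# Constructed stand-ins for the message DLLs registered on two computers:
# {source: {event_id: message template}}.
GENERATING_HOST = {
    "BackupAgent": {
        1001: "Backup of volume %1 finished with status %2.",
        1002: "Backup of volume %1 failed: %2.",
    },
}
OTHER_HOST = {}  # a computer on which BackupAgent was never installed

# Fallback text as quoted in this help topic.
FALLBACK = (
    "The description for Event ID {0} from source {1} cannot be found. "
    "Either the component that raises this event is not installed on your "
    "local computer or the installation is corrupted. You can install or "
    "repair the component on the local computer. If the event originated on "
    "another computer, the display information had to be saved with the "
    "event. The following information was included with the event: {2}"
)

_INSERTION = re.compile(r"%([1-9][0-9]?)")


def render(record, message_tables):
    """Build the display text for a stored entry on one computer."""
    template = message_tables.get(record["source"], {}).get(record["event_id"])
    strings = record["strings"]
    if template is None:
        # No message template here: only the raw replacement strings remain.
        return FALLBACK.format(record["event_id"], record["source"],
                               "\n".join(strings))

    def insert(match):
        index = int(match.group(1)) - 1
        # Leave the placeholder visible if the entry carries too few strings.
        return strings[index] if index < len(strings) else match.group(0)

    return _INSERTION.sub(insert, template)


def consolidate(record, message_tables):
    """Resolve the message where the templates exist and keep it with the entry."""
    saved = dict(record)
    saved["message"] = render(record, message_tables)
    return saved


def display(record, message_tables):
    """Prefer display text saved with the entry over a local lookup."""
    return record.get("message") or render(record, message_tables)


# Constructed entry as it would sit in an EVT/X file: no message text,
# only the source, the event ID and the replacement strings.
RAW_RECORD = {"source": "BackupAgent", "event_id": 1002,
              "strings": ["D:", "disk full"]}
```

Rendering RAW_RECORD against OTHER_HOST yields the "cannot be found" text, while an entry passed through consolidate() on the generating host displays correctly anywhere.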
Backing Up EVT and EVTX Files

You can configure SpectorSoft Log Manager to automatically back up, compress, encrypt and clear remote EVT and EVTX files (Event Log files). Use the Log Management Wizard to schedule the service to automatically back up your EVT and EVTX files. We highly suggest using this function as a means to redundantly store all your Windows Event Log entries.
Exporting to EVT

SpectorSoft Log Manager also enables you to export logs to EVT file format upon download completion as well as on demand from within the Log Repository tab. If you plan on exporting consolidated Event Logs to EVT you must first enable SpectorSoft Log Manager to save all necessary columns prior to downloading the Event Logs. You can turn this option on via the Log Repositories tab within the Options dialog. Please note that turning this option on will double your storage requirements.

Importing EVT and EVTX Files

Log Manager enables you to import both EVT and EVTX files into the Log Repository. You can import a single file or multiple files into the Log Repository at the same time.

NOTE: When importing multiple EVT (not EVTX) files (e.g. Server 2003, XP), the log types (e.g. Application, System, Security) must be the same. In other words, only import multiple Application logs at the same time. Do not import Application and Security EVT files at the same time. EVTX files do not have this limitation.

NOTE: When importing multiple log files, entries that are duplicated across backups will also be duplicated within the Log Repository.

For more information, see:
- Actions, Alerts and Notifications
- Exporting Logs
- Options
- Monitoring and Consolidating Logs
Exporting Logs

SpectorSoft Log Manager provides the capability to export the selected consolidated logs, the current view or merge to file. The following file types are supported: CSV, HTML, EVT (Event Logs only), TXT, XML.

To export the selected consolidated logs

- From the Log Repository tab, check each log to export.
- Right-click and select Save Logs As.
- Specify the file name, excluding the extension, to export the logs to. The file name supports replacement tags. For more information see Replacement Tags.
- Select the file type.
- When exporting to HTML, if you want to use your own HTML template, check the Override the default HTML template check box and specify the location where the HTML template resides.
- Lastly, click Save.

To export the current view

- From the detail view, right click and select Export.
- Use the Save As dialog to specify the file name.
- Lastly, click Save.

For more information see:
- Replacement Tags

Filters

Logs typically contain thousands of entries. In order to limit the entries viewed or receive notification when specific entries are detected you can create filters. Filters are applied to real-time and consolidated log views, monitors and reports.

Note: Filters are saved in a local file called filters.dat. You have the option to share this file between multiple installations. For more information continue reading.

Simple Filters

Simple filters are comprised of a series of criteria. Each criterion can include or exclude specific entries. Each include or show criterion is executed, followed by each exclude or hide criterion. If an entry passes any criterion it is either shown or hidden depending on the criterion.
Complex Filters

Complex filters are comprised of a series of very specific criteria that can be nested. Unlike simple filters which only support OR operands between criteria, complex filters support the AND operand. Nesting occurs when you group criteria.

Filter Types

8 types of filters can be created:

Type: Description
- Event Log (Simple): A simple filter for Event Log entries.
- Event Log (Complex): A complex filter for Event Log entries.
- Event Log (Failed Logon): A filter specific to audit failure Security Event Log entries.
- Event Log (Success Logon): A filter specific to audit success Security Event Log entries.
- Event Log (Account Management): A filter specific to account management Security Event Log entries.
- Syslog: A complex filter for syslog messages.
- Text Log: A complex filter for text log entries.
- Text Log (Table): A complex filter for comma delimited files (CSV).

To create a filter

Select Configure Filters from the Tools menu item. Use the Filters Manager dialog to create, modify, and remove filters.

To create a filter from an entry

You can create a new filter or append criteria to a current filter for a specific entry by simply right clicking on the entry and selecting Filter Selected Entry. The Filter Selected Event dialog automatically creates filter criteria based on the selected event. Please note the time the entry occurred is not included within the filter criteria.

- Choose to Include or Exclude the entry when applying the filter.
- Select if you want to create a new filter or append new criteria to an existing filter.
- If creating a new filter for an Event Log entry, specify if you want to create a simple or complex filter.
- If appending to an existing filter, select the filter to append.
- Finally, choose if you want to create and apply the filter criteria to the current view, create and review the filter criteria within the Filters Manager, or simply create the filter criteria without applying the filter to the current view.
To assign a filter to the current view

Select the appropriate filter from the toolbar's Filter combo-box. Once selected, the filter is automatically applied to the current file.

To assign a filter to a monitor or consolidation

See Monitoring and Consolidating Logs.

To assign a filter to a report

See Reports.

To share filters between multiple installations

- To enable sharing, search your application data directory for a file called filters.dat. On Windows Server 2008 this is typically c:\programdata\cornerbowl\log Manager\filters.dat.
- Create a new file called filters.dat.redirect.
- Open the new file in a text editor such as Notepad and type the UNC path that contains the target location. For example, \\servername\c$\log Manager.
- Save the file then restart both the SpectorSoft Log Manager service and user interface.

For more information see:
- Monitoring and Consolidating Logs
- Reports
- Regular Expressions
- Searching Logs
Frequency Reports

A report is defined as the scheduled automatic filtered output for a predefined set of computers and logs. For example, a report may send an email every week that contains all critical entries from all domain controllers for the last week.

A frequency report enables you to receive a count of entries that are similar. For example, you can create a report to return a count or summary of all errors, warnings and information messages. Another example would be a report that counts all failed logon attempts within the last week.

When generating an email or exporting a report to HTML you have the option of merging entries from multiple logs into a single list, grouping entries by host, by host and log, by log or by log and host. For more information see Email and HTML Templates.

To create a report

From the File menu item, select Report and View Wizard. Follow the instructions within the wizard.

For more information see:
- Reports
- Standard Reports
- Success Logon Reports
- Failed Logon Reports
- Account Lockout Reports
- New User Account Reports
- Logon/Logoff Reports
- Account Management Reports
Frequency Rules

All of the log monitors support frequency rules. Frequency rules enable you to receive notification when, for example, a specific entry is received more than 5 times within 1 hour or an expected entry is not received within a 24 hour period (called a less than frequency rule). All entries that pass the same filter are applied to the frequency rule. For example, if you create a filter that passes all error entries, each error entry is applied to the frequency rule.

Note: All monitors except Event Log downloads support less than frequency rules.

When firing frequency rule actions a column is automatically added to each entry that shows the count of similar entries.

To receive a count of specific entries

To receive a count of a specific entry within a time period, such as daily, specify greater than (>) 0 times every period. If any entries pass the filter within the time period, an action will be automatically fired once at the end of each time period that includes the total count of all entries that passed the filter within the time period.

For more information see:
- Monitoring and Consolidating Logs

GoTo Line

When viewing a text log you can quickly set your focus to a specific line number.

To move to a specific line number

- Press Ctrl-G.
- Specify the line number. The viewer will find the line number in the file, display the page on which the line exists, and lastly highlight the line number.
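The greater than and less than rules described under Frequency Rules (and under Actions, Alerts and Notifications) amount to a count per time period compared against a value. The following is an added example, not SpectorSoft code: it assumes back-to-back periods starting at a chosen time, which this help file does not specify, and the log entries are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Entry:
    time: datetime
    host: str
    level: str
    message: str


@dataclass(frozen=True)
class FrequencyRule:
    op: str            # ">" (greater than) or "<" (less than)
    value: int
    period: timedelta

    def fires(self, count: int) -> bool:
        if self.op == ">":
            return count > self.value
        if self.op == "<":
            return count < self.value
        raise ValueError(f"unsupported operator: {self.op!r}")


def evaluate(entries, passes_filter, rule, start, end):
    """Return [(period_start, count)] for each complete period that fires.

    Every period is evaluated at its end, including periods with no entries;
    a less than rule can only fire that way, because the condition it
    reports is an entry that never arrived.
    """
    times = sorted(e.time for e in entries
                   if passes_filter(e) and start <= e.time < end)
    fired, i, window = [], 0, start
    while window + rule.period <= end:
        window_end = window + rule.period
        count = 0
        while i < len(times) and times[i] < window_end:
            count += 1
            i += 1
        if rule.fires(count):
            fired.append((window, count))
        window = window_end
    return fired


BASE = datetime(2013, 10, 8)  # constructed start of the sample data


def _at(day, hour, minute):
    return BASE + timedelta(days=day, hours=hour, minutes=minute)


# Constructed sample: a burst of failed logons on day 0 and a backup job
# that reports success on day 0 and day 2 but stays silent on day 1.
SAMPLE = (
    [Entry(_at(0, 9, m), "DC01", "AuditFailure", "An account failed to log on")
     for m in (1, 5, 9, 14, 22, 37, 50)]
    + [Entry(_at(0, 13, m), "DC01", "AuditFailure", "An account failed to log on")
       for m in (10, 40)]
    + [Entry(_at(0, 2, 0), "SRV02", "Information", "Backup completed"),
       Entry(_at(2, 2, 5), "SRV02", "Information", "Backup completed")]
)


def failed_logon(entry):
    return entry.level == "AuditFailure"


def backup_ok(entry):
    return "Backup completed" in entry.message


def run_examples():
    hour, day = timedelta(hours=1), timedelta(days=1)
    return {
        # more than 5 failed logons within 1 hour
        "burst": evaluate(SAMPLE, failed_logon,
                          FrequencyRule(">", 5, hour), BASE, BASE + day),
        # expected entry not received within a 24 hour period
        "missing": evaluate(SAMPLE, backup_ok,
                            FrequencyRule("<", 1, day), BASE, BASE + 3 * day),
        # "greater than 0 times every period" used as a daily count
        "daily_count": evaluate(SAMPLE, failed_logon,
                                FrequencyRule(">", 0, day), BASE, BASE + 3 * day),
    }


if __name__ == "__main__":
    for name, hits in run_examples().items():
        print(name, [(start.isoformat(), count) for start, count in hits])
```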
Groups

To facilitate ease of navigation, configuration and log merging, computers and devices can be grouped.

To create a logical group

- Select New Group from the File menu item.
- Specify the group name and click OK.

To assign a single computer to a logical group

From the Navigation view use drag and drop to assign each computer to the appropriate group.

To assign multiple computers at once

- From the Navigation view select the Configuration Explorer pane.
- Expand the log type that contains the computers you want to group together.
- Check each computer to group.
- Right-click and select Log Management Properties.
- Select or add the group when prompted.

To rename a logical group

Select (highlight) the group and press F2. Enter the new name and press the enter key.

Importing a Computer List

Log Manager enables you to import a list of computers from a text or CSV file. When imported, each computer is mapped into the system and log monitoring is optionally applied via the configuration templates you define.

To import a computer list

From the Tools menu item select Import Computer List. The Host Importer Wizard should now be displayed. Follow the instructions found within the wizard.

For more information, see:
- Configuration Templates
Log Entry Retention Policy

When saving (consolidating) log entries to the log repository you have the option to configure an entry retention policy. For example, you can define a rule that archives entries older than 30 days and limits the number of days to retain within the archive log repository to 90 days. In this example, the log repository contains the last 30 days of entries while the archive database contains the following 90 days of entries for a total of 120 days of entries.

Log entry retention policy enforcement can be individually scheduled on a per log basis. For example, you can retain Application Event Log entries for 30 days while retaining 180 days of Security Event Log entries.

Note: When monitoring many logs be sure to use the Schedule Distributor to evenly distribute the policy enforcement throughout the day, week or month.

For more information see:
- Monitoring and Consolidating Logs
- Schedule Distributor

Log Properties

From within the Log Repository view you can view information about each log. Please note statistics are limited to the selected consolidated log. When viewing the primary log's properties the archived log is not included within the statistics and vice versa.

Event Logs

Remote Log Properties

The Windows Event Log tab enables you to set the remote log entry retention policy. Use this tab to configure the maximum log size and overwrite policy. Please note these properties are for the remote Event Log rather than the consolidated Event Log.

Consolidated Log Properties

The Consolidated Log tab displays the following information:
- Last download status
- Last entry time
- Oldest entry time
- Number of entries
- Pie chart breaking out the percentage and count of each level
Top Events

The Top Events tab enables you to query the Event Log repository for the top unique entries. An example report would be the top 10 events for the last week or the top 100 events for the last year. An Event Log entry is deemed unique by the combination of its source and ID. The report is displayed in both a tabular and graphical format. Within the graphical output, events less than 5% of the total report results are grouped together.

Download Now

Click the Download button to immediately download all entries since the previous download. All assigned post consolidation filters and actions are applied and executed accordingly. For more information see Manually Downloading Event Logs.

Syslogs

The Consolidated Log tab displays the following information:
- Last entry time
- Oldest entry time
- Number of entries
- Pie chart breaking out the percentage and count of each priority

Text Logs

The Consolidated Log tab displays the following information:
- Last entry time
- Oldest entry time
- Number of entries

The Size Monitor State tab displays the following information:
- The current size monitor alert state, either Triggered or OK.
- The last time the size monitor state was triggered or cleared, whichever is later.
- If triggered, an informational message showing log size information.

Common

View History

The SpectorSoft Log Manager Service log file contains information pertaining to monitoring and consolidation of each log. Although each log type has its own properties dialog, all properties dialogs enable you to view the relevant history. To view the history, click the History button. Please note the service log file is automatically truncated once it exceeds 1 MB. For more information see Windows Service Log File.

View Log

Each property dialog enables you to open the consolidated log. To view the consolidated log, click the View button.

For more information see:
- Manually Downloading Event Logs
- Windows Service Log File

Managing Event Logs

Log Manager enables you to:
- Download and consolidate remote Event Log entries to SQL Server, MySQL, Oracle or our own flat file format and optionally fire actions when specific entries are detected.
- Automatically remove and/or archive old entries. For more information see Log Entry Retention Policy.
- Real-time monitor mission critical logs for specific entries.
- Backup, compress, and encrypt Windows Event Logs in their native format to a central location. Once backed-up, remote event logs can optionally be cleared.
- Run on-demand or schedule reports against consolidated logs.

Note: Event Logs are managed using Microsoft's Windows Management Instrumentation (WMI) API. If you are having difficulty accessing remote Event Logs see Troubleshooting.

Downloading

Once downloaded, entries are optionally filtered and then saved to the Log Repository. After being saved, remote Event Logs are optionally cleared. Next, using post consolidation filters, log entries are optionally filtered again and actions fired accordingly. This is the best method for receiving notification of important entries within a reasonable timeframe.

Real-Time and Poll Monitoring

When an entry is received your real-time filter is applied and actions fired accordingly. Please note, Event Log entries are not saved to the Log Repository when received in real-time. If you do not have a need to save the entries to the Log Repository, we suggest using the poll monitor function to monitor your log files, as real-time monitoring is resource intensive and not guaranteed in nature. That is, when there is a network failure, the monitor is unable to receive events. These events will be lost in the system. When using the poll monitor, you are guaranteed to get the entries the next time the entries are successfully downloaded.
Backing Up, Compressing, Encrypting and Clearing EVT and EVTX Files

You can configure the service to automatically back up, compress, encrypt and clear remote EVT and EVTX files (Event Log files) on a schedule independent of Event Log downloads. When encrypting Event Log files the output is to a proprietary file format with the extension .cbx. To decrypt .cbx files, select File Open

Note: If backing up Event Log files as well as downloading and consolidating, do not configure the service to clear the remote Event Logs upon download completion. If you do, to ensure entries are not dropped, the service must generate a new Event Log backup every time it performs a download.

To create a new Event Log configuration
- Select New Log Monitor from the File menu item.

To modify an existing Event Log configuration
- From the Navigation view select the Configuration Explorer pane.
- Right-click and select De-Select All.
- Check the Event Logs to re-configure.
- Right-click and select Log Property Pages.

Managing Syslogs

Log Manager enables you to:
- Monitor UDP and TCP syslog messages in real time and save (consolidate) them to SQL Server, MySQL, Oracle or our own flat file format and optionally fire actions when specific entries are detected.
- Automatically remove and/or archive old entries. For more information see Log Entry Retention Policy.
- Back up, compress, and encrypt Syslog messages as required by some compliance regulations. Once backed up, saved (consolidated) Syslog messages can optionally be cleared from the log repository.
- Run on-demand or schedule reports against consolidated logs.

Syslog messages are managed using a self-contained UDP and/or TCP server. When a message is received for a configured computer or device your optional consolidation filter is applied. All messages that pass the consolidation filter are saved to the Log Repository. Next, all received messages, not just those that pass the consolidation filter, are passed to the optional real-time monitor. Once the real-time monitor receives the message your real-time filter is applied and actions fired accordingly.

Note: As the systems administrator you must first configure each of your devices to send Syslog messages to the IP address or hostname (if routable from your device) of the computer on which Log Manager is installed. Syslogs cannot be downloaded.

By default all received messages are automatically saved to the Log Repository.

To create a new Syslog configuration
- Select New Log Monitor from the File menu item.

To modify an existing Syslog configuration
- From the Navigation view select the Configuration Explorer pane.
- Right-click and select De-Select All.
- Check the Syslogs to re-configure.
- Right-click and select Log Property Pages.

Managing Text Logs

Log Manager enables you to:
- Poll or real-time monitor text log files and save (consolidate) to SQL Server, MySQL, Oracle or our own flat file format and optionally fire actions when specific entries are detected.
- Automatically remove and/or archive old entries. For more information see Log Entry Retention Policy.
- Define entry patterns.
- Monitor file sizes.
- Run on-demand or schedule reports against consolidated logs.

Text Logs are monitored using Microsoft Networking. When accessing remote Text Log files the UNC path is always used. Text Log files cannot be accessed using Windows Explorer drive mappings. If your target Text Logs are on a Unix based server such as Linux, as the systems administrator you must first install Samba on the Unix based server. Once installed, Log Manager will be able to access the remote files using the UNC path (e.g. \\servername\logs\syslog).

To create a new Text Log configuration
- Select New Log Monitor from the File menu item.
- Choose to monitor a single file or a directory. Hint: If the file you are monitoring is contained in a directory that contains the current date, or the filename itself contains the date, create a directory monitor; otherwise create a file monitor. Click Next.
- From the Select Computers page select the computers that contain the target logs. Click Next.
- From the Specify Logon As Credentials page specify administrator or appropriate credentials that enable you to access the target computers. If you are a domain administrator and the service is running with domain administrator credentials, there is no need to specify credentials unless the remote computer is off-domain. Click Next.
- If you created a file monitor, select the target files and click Add. When you are finished adding all the log files to monitor click Next.
- If monitoring a directory, you have the option to include date and time directory and filename masks. For example, if your directory or filename contains the year, month, and day you can specify a tag enabling the service to monitor the current directory or file. The following tags are supported:

Date/Time   Replacement String   Example
Year        yy or yyyy           Use yy to replace 08. Use yyyy to replace
Month       M or MM              Use M to replace 6. Use MM to replace 06.
Day         d or dd              Use d to replace 6. Use dd to replace 06.
Hour        h or hh              Use h to replace 6. Use hh to replace 06.

When specifying date and time tags wrap the tags with <>. For example, <yyyymmdd>. Once you have specified the directory assign file search masks. For example, *.log or <yyyymmdd>.log.

Note: When using the date and time masks, the text log is read at the moment the tag no longer matches the current date and time. This automatic read enables you to get notified of all entries contained within a log even if they are written at the last second prior to a log being rolled.

- If you created a directory monitor, select the directory and click Add. If the directory contains the current date, manually add the UNC path using the supported replacement tags. When you are finished adding all the directories to monitor click Next.
- If monitoring a directory add the file search masks. For example, <yyyymmdd>.log or *.log. Click the Test button to verify the mask works as expected. When you have added all of your masks click Next.

Log Entry Delimiters

Next, define the log entry pattern that enables the software to identify the lines associated with a single entry. If your log file only contains single line entries, there is no need to enable this function. If, however, entries contain embedded carriage returns or line feeds (CRLF, CR, LF) you will need to define a pattern. For example, each entry within the SpectorSoft Log Manager Service Log file starts with a less than sign (<). In this case you would choose: Starts with <. If each entry ends with a double dash (--), choose: Ends with --. If an empty line is present after each entry choose: Ends with and then leave the text box empty. Finally, if reading a stream of data, as in the case of Emergency Broadcast Systems, choose: Ends with (No CR, LF or CRLF) and then specify the appropriate delimiter, for example --. To define complex patterns such as date and time use regular expressions.

Read Method

Next, define the read methodology. You have the option of reading the file with 3 different methods.
- Beginning of File: This is the default value. The first time the file is read the entire file is read, filtered and actions fired accordingly. Each following read picks up where it left off, reading only entries written since the previous read.
- End of File: The first time the file is read only the file length is read and saved for future reference. Each following read picks up where it left off, reading only entries written since the previous read.
- Read All: Each time, the file is read in its entirety, filtered and actions fired accordingly.

Once you have selected the read method click Next.

Monitor Method

Next, define how to monitor the file. We suggest polling the log files as the subscription method is not necessarily immediate. The subscription method is only reliable when the application writing the log file closes the file in between each write. If the application writing the log file does not close the file in between writes you may not immediately receive notification. For the second scenario, which is typical, we suggest polling the file. If necessary, you can poll the file as quickly as every second. Polling the file also provides a means to run daily or weekly reports when not saving (consolidating) the entries to the log repository. Click Next.

Filters and Actions

Next, add as many filters and actions as necessary. You can optionally receive notification when a particular entry is received numerous times within a timeframe or is not detected within a timeframe. For more information see Frequency Rules. You also have the option to limit the number of times to fire actions. For example, you can limit alerts to once an hour. Finally, you have the option to include previous or following entries. This last option enables you to see entries within the proximity of the critical message. Click Next.

File Size Monitoring

Next, optionally configure file size monitoring. You can monitor by a change in size or a maximum size. Once triggered, actions are no longer fired until the alert is cleared. You can configure the service to automatically clear the alert after a specific time or you can manually clear the alert via the Text Log Properties dialog. Click Next.
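Added example (not SpectorSoft's code): a Python poller that applies the Beginning of File, End of File and Read All read methods together with the Starts with and Ends with entry delimiters described above. The names TextLogReader, group_entries and run_demo, the hold-back of unterminated entries, and the restart after a truncation are assumptions of this example, and the sample log is constructed.

```python
import os
import tempfile


def group_entries(lines, mode="single", delim=""):
    """Group complete lines into log entries.

    mode "single":      every non-empty line is one entry.
    mode "starts_with": a line beginning with `delim` opens a new entry.
    mode "ends_with":   a line ending with `delim` closes the entry; with an
                        empty `delim`, a blank line closes it.
    Returns (entries, lines_consumed). In "ends_with" mode an entry whose
    terminator has not been written yet is held back (assumption of this
    example), so the next poll reads it again in full.
    """
    entries, current, consumed = [], [], 0
    for index, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if mode == "single":
            if line:
                entries.append(line)
            consumed = index
        elif mode == "starts_with":
            if line.startswith(delim) and current:
                entries.append("\n".join(current))
                current = []
            current.append(line)
            consumed = index
        elif mode == "ends_with":
            blank_closes = delim == "" and line == ""
            if not blank_closes:
                current.append(line)
            if blank_closes or (delim and line.endswith(delim)):
                if current:
                    entries.append("\n".join(current))
                current = []
                consumed = index
        else:
            raise ValueError("unknown mode: " + mode)
    if mode == "starts_with" and current:
        # No terminator exists in this mode, so the last entry is emitted as-is.
        entries.append("\n".join(current))
    return entries, consumed


class TextLogReader:
    """Polls one file using the "beginning", "end" or "all" read method."""

    def __init__(self, path, read_method="beginning", mode="single", delim=""):
        if read_method not in ("beginning", "end", "all"):
            raise ValueError("unknown read method: " + read_method)
        self.path, self.read_method = path, read_method
        self.mode, self.delim = mode, delim
        self.offset = None  # None until the first read

    def poll(self):
        size = os.path.getsize(self.path)
        if self.read_method == "end" and self.offset is None:
            self.offset = size  # first read: remember the length only
            return []
        start = 0 if self.read_method == "all" or self.offset is None else self.offset
        if start > size:
            start = 0  # file shrank (truncated or replaced): read from the top
        with open(self.path, "rb") as handle:
            handle.seek(start)
            data = handle.read()
        # Only whole lines count; a half-written last line waits for the next poll.
        complete = data[: data.rfind(b"\n") + 1]
        raw_lines = complete.splitlines(keepends=True)
        lines = [raw.decode("utf-8", errors="replace") for raw in raw_lines]
        entries, consumed = group_entries(lines, self.mode, self.delim)
        self.offset = start + sum(len(raw) for raw in raw_lines[:consumed])
        return entries


def run_demo():
    """Constructed sample log whose entries start with '<', polled three times."""
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "service.log")
        with open(path, "w", newline="\n") as log:
            log.write("<10:00> download started\n"
                      "<10:01> error: RPC server unavailable\n  host=SRV01\n")
        begin = TextLogReader(path, "beginning", "starts_with", "<")
        end = TextLogReader(path, "end", "starts_with", "<")
        first = (begin.poll(), end.poll())
        with open(path, "a", newline="\n") as log:
            log.write("<10:05> download finished\n<10:06> half-writ")
        second = (begin.poll(), end.poll())
        with open(path, "w", newline="\n") as log:  # simulate truncation
            log.write("<11:00> log truncated\n")
        third = (begin.poll(), end.poll())
    return first, second, third


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

An End of File reader never reports what was in the file before its first poll, so entries written while the monitor was not yet configured are only seen with Beginning of File or Read All.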
Log Consolidation and Retention Policies

Next, optionally choose to save entries to the log repository. When saved to the log repository, entries are centralized, enabling you to create daily and weekly reports. To limit which entries are saved to the log repository assign a consolidation filter; otherwise all entries are saved. For more information on retention policies see Log Entry Retention Policy.

For more information see:
- Actions, Alerts and Notifications
- Filters
- Frequency Rules
- Log Entry Retention Policy
- Monitoring CSV Files
- Reports
- Text Log Properties

Manually Downloading Event Logs

Prior to viewing a Windows Event Log it must be downloaded and saved or consolidated. Typically Event Log downloads are scheduled via the Log Management Wizard; however, at any time you can manually download Event Logs, enabling you to view the latest entries without waiting for the next scheduled download.

To manually download Event Logs
- From Navigation view select one of the following tabs: Configuration Explorer, Log Repository or Event Log Explorer.
- Navigate to the Event Log of interest and select Download Event Logs from the File menu item.

Note: When manually downloading Event Logs that have been previously configured for scheduled downloads, all post consolidation filters are applied and actions fired accordingly. When manually downloading Event Logs that have not been previously configured for scheduled downloads, only the previous 7 days of entries are downloaded. If you need to download entries older than 7 days, delete the previously downloaded Event Log from the Log Repository, configure the Event Log via the Log Management Wizard and lastly, download the Event Log.

For more information see:
- Monitoring and Consolidating Logs
Mapping Computers

Map computers when it is necessary to supply login credentials or when a computer or device is online but undiscoverable. If you are managing computers off-domain or the computer on which this software is installed is off-domain, you must assign login credentials for each remote computer.

To map a computer
- From the File menu item select New Log Monitor.
- Select the log type you want to monitor and click Next.
- If selecting Event Logs, use the combo box and select Map Computer.
- If selecting Syslogs, credentials are not needed. To manage a router, firewall, or other device that cannot be discovered, simply specify the IP address and click the Add button.
- If selecting Text Logs the user interface assumes your account has access to the file using Windows Networking. Specify the file to monitor using the UNC path (\\server\c$\temp\yourlog.txt) and click Next. If the Windows Service is running under another account, specify the appropriate credentials to access the file.

To modify login credentials
- If the login credentials change, for example the password changes, select the Configuration Explorer tab from the Navigation view.
- Right-click on the target computer and select Properties.

To remove a mapping

Please note, credentials are removed when the Logon As check-box is cleared within the Log Management Wizard.

For more information, see:
- Security
Monitoring and Consolidating Logs

Monitoring and consolidating of logs, commonly referred to as log management, is the core of Log Manager. Log consolidation is defined as the process of downloading logs or receiving log entries, in the case of Syslog messages, and saving the entries to a central database or directory. Log Manager enables you to manage the following log types:

Log Type             Example
Windows Event Logs   Application, System, Security
Syslogs              Logs generated from routers, firewalls, and Unix, Linux and AS400 servers.
Text Logs            SQL Server application log, IIS logs, CSV files

To create a new Event Log configuration
- Select New Log Monitor from the File menu item.

To modify an Event Log configuration
- From the Navigation view select the Configuration Explorer pane.
- Right-click and select De-Select All.
- Check the Event Logs to re-configure.
- Right-click and select Log Property Pages.

For more information see:
- Managing Event Logs
- Managing Syslogs
- Managing Text Logs
- Monitoring CSV Files
- Reports
Monitoring CSV Files

Log Manager enables you to monitor the values contained within comma, tab, space, and user defined delimited files. Once a value exceeds a filter criteria threshold an alert or action can be fired.

To monitor a CSV file
- Use the Log Management Wizard as you would to create a regular Text Log monitor.
- When prompted to assign a filter, use the Filters Manager to create a Text Log (Table) filter.
- Define the columns of interest by specifying a name, the column index within the file and the data type (either string or decimal).
- Next, add the filter criteria for the newly defined columns.
- Assign the new filter and apply the appropriate actions.

Note: Index values are zero based. That is, the first column is defined as index zero (0).

For more information see:
- Filters
- Monitoring and Consolidating Logs
- Managing Text Logs

Oracle Support

SpectorSoft Log Manager enables you to consolidate logs to an Oracle database. Prior to configuring the software to use Oracle you must first install the Oracle .Net Client Libraries. At this time these libraries are named:
- Oracle Database 11g Release 2 Client ( ) for Microsoft Windows (32-bit)
- Oracle Database 11g Release 2 Client ( ) for Microsoft Windows (x64)

To configure Oracle
1. Go to Oracle's website, then download and install the appropriate client libraries.
2. Once installed select Options from the Tools menu item.
3. Select the Data Providers tab then create a new Oracle data provider.
4. Specify the appropriate connection parameters then set the Type to Log Repository. If archiving data, you must point the archive to another database. The log repository and archive cannot reside within the same database.

NOTE: The Oracle data provider enables you to save log entries in either single byte or Unicode format, enabling support for languages such as Japanese.
Printing Logs

SpectorSoft Log Manager provides the capability to print the current view or merge. The view is exported to a temporary HTML file and then opened using your default Internet browser. Once displayed in your browser, use the browser to print the page.

To print the current view
- From the detail view, right click and select Print.

Regular Expressions

Regular expression support enables you to create extremely complex filter and search criteria. For more information on regular expressions check out the following sites:
Replacement Tags

Replacement tags are used to insert variable values when firing actions, generating reports and exporting logs. When necessary each tag is parsed out and replaced with the appropriate value. The available replacement tags depend on the current functionality that is running.

The following tags are supported when: firing actions on behalf of Real-time Monitors and Event Log downloads

{CATEGORY}       The event category. Pertains to Event Log entries only.
{COUNT}          The count of entries.
{DATA}           The event data in hexadecimal format. Pertains to Event Log entries only.
{DATE}           The current date or the entry's date when nested between ENTRY_BEGIN and ENTRY_END tags.
{ENTRIES}        The entries contained within the monitor. Typically used when firing message box alerts.
{ENTRY}          The entries contained within the monitor. Typically used when firing message box alerts.
{EVENT}          The event ID. Pertains to Event Log entries only.
{FACILITY}       The facility of the entry. Pertains to Syslog entries only.
{FILENAME}       Event Logs: Host\Log; Syslogs: Host\Syslog; Text Logs: Full file path and name
{FILTER}         The applied filter.
{HOST}           The host name the entry was generated from.
{IPv4}           The IP address the entry was generated from.
{IPv6}           The IPv6 address the entry was generated from.
{LATEST_ENTRY}   The most current entry contained within the monitor.
{LEVEL}          The level of the entry (Informational, Warning, etc.). Pertains to Event Log entries only.
{LOCALHOST}      The host name of the machine on which the software is installed.
{LOG}            Event Logs: Log; Syslogs: Syslog; Text Logs: The file name excluding the path
{MESSAGE}        The entry message rather than the entire entry.
{NAME}           Event Logs: Host\Log; Syslogs: Host\Syslog; Text Logs: The friendly name or full file path and name
{OLDEST_ENTRY}   The least current entry contained within the monitor.
{PRIORITY}       The priority of the entry. Pertains to Syslog entries only.
{SOURCE}         The event source. Pertains to Event Log entries only.
{TIME}           The current time or the entry's time when nested between ENTRY_BEGIN and ENTRY_END tags.
{USER}           The user account that wrote the event. Pertains to Event Log entries only.

In addition to the entries above, the following tags are supported when: firing actions on behalf of real-time Event Log monitors

{AD_USER}        When firing an alert for an Event Log entry that passes a real-time monitor's filter or a post consolidation filter, the tag is replaced with the Active Directory assigned address for the user listed within the USER column of the entry. If multiple entries pass the post consolidation filter, the first entry that contains a non-null value within the USER column is used for the lookup.
{USER}           When firing an alert for an Event Log entry that passes a real-time monitor's filter or a post consolidation filter, the address can be changed to the contents of the USER column within the entry. If multiple entries pass the post consolidation filter, the first entry that contains a non-null value within the USER column is used for the replacement. If the USER column contains a domain name, the domain name is removed.

For example: If the Event Log entry USER column contains: LITTLEWATER\jdoe and the address within the action is defined as: {USER}@mycompany.com the actual address used is: [email protected]

The following tags are supported when: exporting consolidated logs to HTML or sending consolidated log entries through HTML formatted email

{HOST}           The host name on which the log resides.
{IPv4}           The IP address on which the log resides.
{IPv6}           The IPv6 address on which the log resides.
{LOG}            Event Logs: Log; Syslogs: Syslog; Text Logs: The file name excluding the path
{FILENAME}       Event Logs: Host\Log; Syslogs: Host\Syslog; Text Logs: Full file path and name
{NAME}           Event Logs: Host\Log; Syslogs: Host\Syslog; Text Logs: The friendly name or full file path and name
{DATE}           The current date.
{TIME}           The current time.
{LOCALHOST}      The host name of the machine on which the software is installed.

The following tags are supported when an error occurs while:
- downloading and monitoring logs
- truncating and archiving consolidated logs
- backing up Windows Event Log files (EVT and EVTX files)
- backing up consolidated Syslogs

{HOST}           The host name on which the log resides.
{IPv4}           The IP address on which the log resides.
{IPv6}           The IPv6 address on which the log resides.
{LOG}            Event Logs: Log; Syslogs: Syslog; Text Logs: The file name excluding the path
{DATE}           The current date.
{TIME}           The current time.
{ERROR}          The short error message.
{MESSAGE}        A longer, more detailed error message.
{LOCALHOST}      The host name of the machine on which the software is installed.

The following tags are supported when: generating a report

{CATEGORY}       The event category. Pertains to Event Log entries only.
{COUNT}          The count of entries.
{DATA}           The event data in hexadecimal format. Pertains to Event Log entries only.
{DATE_RANGE}     The report's date range.
{DATE}           The current date or the entry's date when nested between ENTRY_BEGIN and ENTRY_END tags.
{ENTRIES}        The entries contained within the report. Typically used when firing a message box report.
{ENTRY}          The entries contained within the report. Typically used when firing a message box report.
{EVENT}          The event ID. Pertains to Event Log entries only.
{FACILITY}       The facility of the entry. Pertains to Syslog entries only.
{FILENAME}       The filename. Pertains to text log reports only.
{FILTER}         The applied filter.
{FLAG}           The assigned flag (None, Flag, FlagComplete)
{HOST}           Comma separated list of hosts or, when nested between ENTRY_BEGIN and ENTRY_END tags, the host the entry was generated from.
{IPv4}           Comma separated list of IPs or, when nested between ENTRY_BEGIN and ENTRY_END tags, the IP address the entry was generated from.
{IPv6}           Comma separated list of IPs or, when nested between ENTRY_BEGIN and ENTRY_END tags, the IPv6 address the entry was generated from.
{LATEST_ENTRY}   The most current entry contained within the report.
{LEVEL}          The level of the entry (Informational, Warning, etc.). Pertains to Event Log entries only.
{LOCALHOST}      The host name of the machine on which the software is installed.
{LOG}            Comma separated list of logs.
{MESSAGE}        The entry message rather than the entire entry.
{NAME}           The report's name.
{NOTES}          The user assigned notes.
{OLDEST_ENTRY}   The least current entry contained within the report.
{PRIORITY}       The priority of the entry. Pertains to Syslog entries only.
{SOURCE}         The event source. Pertains to Event Log entries only.
{TIME}           The current time or the entry's time when nested between ENTRY_BEGIN and ENTRY_END tags.
{USER}           The user account that wrote the event. Pertains to Event Log entries only.

The following tags are supported when an error occurs while: generating a report

{NAME}           The report name.
{DATE}           The current date.
{TIME}           The current time.
{ERROR}          The error message.
{LOCALHOST}      The host name of the machine on which the software is installed.

The following tags are supported when: creating a file name on behalf of file based actions and manual exports to file

{HOST}           The host name on which the log resides.
{IPv4}           The IP address on which the log resides.
{IPv6}           The IPv6 address on which the log resides.
{LOG}            Event Logs: Log; Syslogs: Syslog; Text Logs: The file name excluding the path
{NAME}           Event Logs: Host\Log; Syslogs: Host\Syslog; Text Logs: The friendly name or full file path and name
{FILTER}         The name of the filter being applied.
{DATE}           The current date.
{TIME}           The current time.

The following tags are supported when: creating a file name on behalf of EVT and EVTX backups

{HOST}           The host name on which the log resides.
{IPv4}           The IP address on which the log resides.
{IPv6}           The IPv6 address on which the log resides.
{LOG}            Event Logs: Log; Syslogs: Syslog; Text Logs: The file name excluding the path
{DATE}           The current date.
{TIME}           The current time.

For more information see:
- Actions, Alerts and Notifications
- Monitoring and Consolidating Logs
- Reports
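Added example (not SpectorSoft's code): a Python re-implementation of {TAG} expansion for a script that post-processes exported logs with the same tag syntax. It shows single-pass substitution, neutralising path characters when a value such as {NAME} (Host\Log) goes into a file name, and the {USER} domain removal described above. The function names, the handling of unknown tags, the allowed mailbox characters and all sample values are assumptions of this example.

```python
import re

TAG = re.compile(r"\{([A-Za-z0-9_]+)\}")
# Characters Windows does not allow in a file name, plus control characters.
UNSAFE_IN_FILENAME = re.compile(r'[<>:"/\\|?*\x00-\x1f]')
# Conservative mailbox-name check (assumption of this example).
LOCAL_PART = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample values; MESSAGE deliberately contains tag-like text.
SAMPLE_VALUES = {
    "HOST": "SRV01",
    "LOG": "Security",
    "NAME": "SRV01\\Security",
    "DATE": "2013-10-08",
    "USER": "EXAMPLECORP\\asmith",
    "MESSAGE": "logon failed for {USER}",
}


def expand(template, values, clean=None):
    """Replace each {TAG} in `template` with values[TAG] in a single pass.

    Substituted text is never scanned again, so tag-like text inside a log
    message stays literal. Unknown tags are left in place and reported.
    Returns (text, unknown_tags).
    """
    unknown = []

    def substitute(match):
        name = match.group(1)
        if name not in values:
            unknown.append(name)
            return match.group(0)
        value = str(values[name])
        return clean(value) if clean else value

    return TAG.sub(substitute, template), unknown


def expand_filename(template, values):
    """Expand tags for a file name; separators in values become '_'."""
    def clean(value):
        return UNSAFE_IN_FILENAME.sub("_", value).strip(". ")

    text, unknown = expand(template, values, clean)
    if unknown:
        raise KeyError("unsupported tag(s) in file name: " + ", ".join(unknown))
    return text


def expand_address(template, values):
    """Expand {USER} in a recipient address, dropping any DOMAIN\\ prefix."""
    user = str(values.get("USER", "")).rsplit("\\", 1)[-1]
    if not LOCAL_PART.match(user):
        raise ValueError("USER column is not usable as a mailbox name: %r" % user)
    text, unknown = expand(template, dict(values, USER=user))
    if unknown:
        raise KeyError("unsupported tag(s) in address: " + ", ".join(unknown))
    return text


if __name__ == "__main__":
    print(expand("{HOST}/{LOG}: {MESSAGE}", SAMPLE_VALUES))
    print(expand_filename("{NAME}_{DATE}.html", SAMPLE_VALUES))
    print(expand_address("{USER}@example.com", SAMPLE_VALUES))
```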
Reports

A report is defined as the scheduled automatic filtered output for a predefined set of computers and logs. For example, a report may send an email every week that contains all critical entries from all domain controllers for the last week.

4 different types of reports can be generated

Report                       Event Logs   Syslogs   Text Logs
Standard                     X            X         X - Single Log Only
Frequency                    X            X         X - Single Log Only
Success Logon                X
Failed Logon                 X
Account Lockout              X
New User Account Reports     X
Logon/Logoff Reports         X
Account Management Reports   X

To create a report
- From the File menu item, select Report and View Wizard.
- Follow the instructions within the wizard.

NOTE: A view is simply a report that is not scheduled to automatically run at a specified frequency. If you disable the schedule on which a report is run automatically via the Report and View Wizard, it becomes a view.

For more information see:
- Views
- Standard Reports
- Frequency Reports
- Success Logon Reports
- Failed Logon Reports
- Account Lockout Reports
- New User Account Reports
- Logon/Logoff Reports
- Account Management Reports

Schedule Distributor

When managing large networks or logs with large amounts of data you may need to distribute the Event Log consolidation and entry retention policy enforcement load over time. For example, if you are consolidating 6 Event Logs and you download every hour on the hour, 6 consolidation functions will be reading and consolidating the Event Logs at the same time. If instead you distribute the schedules over an hour, a single Event Log will be downloaded and consolidated every 10 minutes. When consolidating 100s of Event Logs you should distribute the schedules. If you don't, you may find your database server or local memory load reaching the breaking point.

To distribute Event Log downloads
- From the Configuration Explorer tab check each Event Log and/or computer you want to distribute the download schedule for.
- Right-click and select Log Management Properties.
- Click the Next button until you are at the Log Consolidation page.
- Click the Distribute Schedules button.
- From the Schedule Distributor dialog, select the schedule type and click the Distribute Schedules button.

To distribute the entry retention policy enforcement
- From the Configuration Explorer tab check each log and/or computer you want to distribute the entry retention policy enforcement for.
- Right-click and select Log Management Properties.
- Click the Next button until you are at the Entry Retention Policies page.
- Click the Distribute Schedules button.
- From the Schedule Distributor dialog, select the schedule type and click the Distribute Schedules button.
Schedules

Throughout SpectorSoft Log Manager you are prompted to specify schedules. Most commonly you are prompted to schedule Event Log download frequencies and log entry retention policy enforcement. The schedule dialog offers several different types of frequencies. Some of the frequencies support exclusion time periods. For example, you can configure Event Log downloads to run Monday-Friday every hour excluding 9:00 AM-4:00 PM. The table below lists the supported frequencies and available exclusion options.

Columns: Frequency, Description, Day Exclusion, Time Exclusion

Minutes   Executes every X minutes.   X   X
Hourly    Executes every X hours X minutes after the hour.   X   X
Daily     Executes every day at XX:XX   X
Weekly    Executes one day a week at XX:XX
Monthly   Executes one day a month at XX:XX

Note: When managing large networks be sure to use the Schedule Distributor to evenly distribute schedules over time. For more information see Schedule Distributor.

For more information, see:
- Schedule Distributor

Searching Logs

While viewing logs you have the capability to search logs for specific entries.

To search for a specific entry
- From the real-time or consolidated log view press Ctrl-F.
- Specify your search criteria and click Find Next.
- If an entry is found, the entry is highlighted. Press F3 to find the next entry.

Note: When searching consolidated logs the search function is limited to the current page.

For more information see:
- Displaying Logs
Selecting Specific Computers

Throughout this application you are prompted to select computers or devices via our many different browse computers dialogs. Some of the browse dialogs allow you to search for computers that contain specific characters or are of a specific type. For example, SpectorSoft Log Manager can automatically select all computers that start with SRV and are running any of the Windows Server operating systems. To search for a specific computer click the Select Specific Computers button. The Select Specific Computers dialog offers two different search criteria. You can search by text and computer types.

To search by text

To search for a specific string within a computer name simply type the string. There is no need to include wildcards such as * or %. You also have the option of using regular expressions, which will enable you to search for both characters and position. For more information see Regular Expressions.

To search by computer type

You can search and select computers based on type. When using this option a network call is made to each computer, meaning this function may be time consuming depending on computer availability. The following search types are supported:
- Server
- Domain Controller
- SQL Server
- Workstation

To filter by Active Directory properties

When searching the Active Directory tree from within one of the configuration wizards you have the option to create complex computer property filters. For example, you can limit your results to all computers running a specific version of OS. For more information see Active Directory Filters.

For more information, see:
- Active Directory Filters
- Browsing Computers
- Regular Expressions
Selecting Specific Logs

SpectorSoft Log Manager enables you to search any of the Navigation views and select specific logs for specific computers. For example, you can select all Security Event Logs on all your domain controllers.

To select specific logs
- From any of the Navigation views right click and select Select Specific Logs.
- To search for a specific string within a computer name simply type the string. There is no need to include wildcards such as * or %. You also have the option of using regular expressions, which will enable you to search for both characters and position. For more information see Regular Expressions.
- You can search and select computers based on type. When using this option a network call is made to each computer, meaning this function may be time consuming depending on computer availability. The following search types are supported: Server, Domain Controller, SQL Server, Workstation.
- Select the type of logs to select. If you select Event Logs check each log type to select. If the log type is not listed, manually specify the log name and click the Add button. Wildcards are not supported. Use the Remove button to remove manually added log names. If you select Text Logs, manually specify the filename you would like to select. The text log search function supports the * wildcard.

For more information, see:
- Regular Expressions
SNMP Traps

SpectorSoft Log Manager enables you to fire SNMP traps via Microsoft's SNMP Service. SNMP Traps enable you to receive event notification within SNMP management applications such as HP OpenView. Prior to configuring an SNMP Trap action you must first install and configure Microsoft's SNMP Windows Component. When you create an SNMP Trap action, SpectorSoft Log Manager verifies the SNMP Service is installed and adds all necessary registry keys to properly interface with Microsoft's SNMP Service.

For more information see:
- Actions, Alerts and Notifications
- Configuring the SNMP Service

Standard Reports

A report is defined as the scheduled automatic filtered output for a predefined set of computers and logs. For example, a report may send an email every week that contains all critical entries from all domain controllers for the last week. A standard report enables you to receive a scheduled email that contains entries of interest. For example, you can receive a daily report that includes all warning and error entries that occurred yesterday. When generating an email or exporting a report to HTML you have the option of merging entries from multiple logs into a single list, grouping entries by host, by host and log, by log or by log and host. For more information see Email and HTML Templates.

To create a report
- From the File menu item, select Report and View Wizard.
- Follow the instructions within the wizard.

For more information see:
- Reports
- Frequency Reports
- Success Logon Reports
- Failed Logon Reports
- Account Lockout Reports
- New User Account Reports
- Logon/Logoff Reports
- Account Management Reports
Tray Icon

Icons in the lower right corner of the Windows Taskbar are called Tray Icons. Tray Icons display application status. The SpectorSoft Log Manager tray icon has three states:

- Service Running: This is the normal state.
- Important Entries Detected: A message box alert was fired in response to an entry passing either a real-time monitor or an Event Log download. Double-clicking this icon opens the message box alert.
- Service Stopped: This state indicates the SpectorSoft Log Manager Service is not running. Either use the Windows Service Control Manager or the user interface to turn the service on. Once running, the icon will change to the Service Running state.

To temporarily turn the tray icon off

From the Service menu item select Close Tray Icon.

NOTE: Message box, tray popup messages, and sound actions will no longer fire.

To temporarily turn the tray icon on

Select Start Tray Icon from the Service menu.

To permanently disable or re-enable the tray icon

From the Tools menu item select Options. Select the User Preferences tab. Check the option to disable or un-check to re-enable.
Views

A view is defined as a filtered display of a saved collection of logs. Use views to create quick access to a set of computers and logs you regularly monitor. Optionally assign a filter to a view, enabling you to minimize the entries that are loaded into the viewer.

To create a view from the current merge

Within the log merge window, right-click and select Save As View. The currently selected filter is saved to the view; however, the entry level (Event Logs - information, warning, error, audit success, and audit failure) or priority (Syslogs) settings are not saved to the view. To filter on levels or priorities, include the level or priority criteria within your filter.

To display a view

Once a view is created it is listed in the Reports and Views tab within the Navigation view. To display the view, simply double-click on the listed view. By default views display the last 7 days of entries.

To modify a view

At any time you can add or remove logs from a view, change the date range or apply an alternate filter. From the Navigation view, right-click on the view and select Properties. Follow the instructions within the wizard.

NOTE: A report is simply a view that is scheduled to automatically run at a specified frequency. If you schedule a view to run automatically via the Report and View Wizard it becomes a report and you must assign the report's output. For example, you can configure SpectorSoft Log Manager to automatically generate a report every day that emails all error entries to you.

For more information see: Reports
Security Event Log Reports

Success Logon Reports

As you are probably already aware, Windows writes many different Event Log entries related to logons. Some of these events are specific to OS versions while others span multiple versions. Logon events embed important information within the message portion of the entry that enables system administrators to track down activity. SpectorSoft Log Manager parses these messages and places the results into data tables. The result enables SpectorSoft Log Manager to:

- Create summary reports that list the number of times a user logs into a domain or a computer.
- Summarize different event ID messages into a single view.
- Detail all similar events into a single table.

You have the option to include up to 11 different report types within a single report:

Report Type Name | Description | Supported OS
Domain Logon Summary | Parses and summarizes Domain Logon events 672 and 4768. | Server 2008/2003
Domain Logon 672 | Parses domain logon event 672. | Server 2003
Domain Logon 4768 | Parses domain logon event 4768. | Server 2008
Logon Summary | Parses and summarizes logon events 528, 540 and 4624. | Server 2008/2003
Logon 528 | Parses successful logon event 528. | Server 2003
Logoff 538 | Parses logoff event 538. | Server 2003
Logon 540 | Parses successful network logon event 540. | Server 2003
Logoff 551 | Parses user initiated logoff event 551. | Server 2003
Logon 4624 | Parses successful logon event 4624. | Server 2008
Logoff 4634 | Parses logoff event 4634. | Server 2008
Logoff 4647 | Parses user initiated logoff event 4647. | Server 2008

To manually run a success logon report

From the Log Repository view, check the Security Event Logs to run the report against, right-click and select Reports > Successful Logons. Follow the instructions within the wizard.

To create a report

From the Reports menu item, select Report and View Wizard. Follow the instructions within the wizard.
Failed Logon Reports

As you are probably already aware, Windows writes many different Event Log entries related to logon failures. Some of these events are specific to OS versions while others span multiple versions. Logon events embed important information within the message portion of the entry that enables system administrators to track down malicious activity. SpectorSoft Log Manager parses these messages and places the results into data tables. The result enables SpectorSoft Log Manager to:

- Create summary reports that list the number of times users attempt to log on to a domain or a computer.
- Summarize different event ID messages into a single view.
- Detail all similar events into a single table.

You have the option to include up to 7 different report types within a single report:

Report Type Name | Description
Account logon failure summary | Parses and summarizes account logon events 672, 675 and 680.
Account logon failure (672) | Parses and displays all 672 event message parameters. The 'Result Code' is replaced with the Kerberos description per RFC
Account logon failure (675) | Parses and displays all 675 event message parameters. The 'Result Code' is replaced with the Kerberos description per RFC
Account logon failure (680) | Parses and displays all 680 event message parameters. The NTLM 'Error Code' is replaced with a short description.
Logon failure summary | Parses and summarizes logon events 529, 530, 531, 532, 533, 534, 535, 539 and 4625.
Logon failure (2000/XP/2003) | Parses and displays all 529, 530, 531, 532, 533, 534, 535 and 539 event message parameters. The 'Logon Type' is replaced with a short description.
Logon failure (Vista/2008) | Parses and displays all 4625 event message parameters. The 'Logon Type' is replaced with a short description. The NTLM 'Sub Status' is replaced with a short description.

To manually run a failed logon report

From the Log Repository view, check the Security Event Logs to run the report against, right-click and select Reports > Failed Logons. Follow the instructions within the wizard.
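The failure summary and the code-to-description substitution described in the table above can be sketched as follows. This is an added example, not SpectorSoft's code: the event dictionaries and their field names are assumptions and the sample entries are constructed, while the reason texts are the standard Windows meanings of the legacy event IDs, NTSTATUS sub status codes and logon type codes rather than values taken from this page.

```python
from collections import Counter

# Legacy (2000/XP/2003) failure events: the event ID itself carries the reason.
LEGACY_REASONS = {
    529: "Unknown user name or bad password",
    530: "Account logon time restriction violation",
    531: "Account currently disabled",
    532: "Account expired",
    533: "User not allowed to log on at this computer",
    534: "Requested logon type not granted",
    535: "Password expired",
    539: "Account locked out",
}

# Vista/2008 event 4625: the NTSTATUS 'Sub Status' carries the reason.
SUB_STATUS_REASONS = {
    0xC0000064: "User name does not exist",
    0xC000006A: "Bad password",
    0xC000006F: "Outside permitted logon hours",
    0xC0000070: "Workstation restriction",
    0xC0000071: "Password expired",
    0xC0000072: "Account disabled",
    0xC0000193: "Account expired",
    0xC0000234: "Account locked out",
}

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 10: "RemoteInteractive", 11: "CachedInteractive",
}


def describe(event):
    """Return (reason, logon type name) with numeric codes replaced by text."""
    if event["event_id"] == 4625:
        code = event["sub_status"]
        reason = SUB_STATUS_REASONS.get(code, "Unmapped sub status 0x%08X" % code)
    else:
        reason = LEGACY_REASONS.get(
            event["event_id"], "Unmapped event %d" % event["event_id"])
    logon_type = LOGON_TYPES.get(
        event["logon_type"], "Type %d" % event["logon_type"])
    return reason, logon_type


def summarize_failures(events):
    """Merge legacy and 4625 failures into one per-account summary."""
    summary = {}
    for ev in events:
        reason, logon_type = describe(ev)
        # Windows account names are case-insensitive, so fold case before grouping.
        row = summary.setdefault(ev["user"].lower(), {
            "total": 0, "reasons": Counter(),
            "logon_types": Counter(), "computers": set()})
        row["total"] += 1
        row["reasons"][reason] += 1
        row["logon_types"][logon_type] += 1
        row["computers"].add(ev["computer"])
    return summary


def accounts_at_or_above(summary, threshold):
    """Accounts whose failure count reaches the review threshold."""
    return sorted(u for u, row in summary.items() if row["total"] >= threshold)


# Constructed sample entries (hypothetical hosts and accounts).
SAMPLE_FAILURES = [
    {"event_id": 4625, "computer": "DC01", "user": "alice", "logon_type": 3, "sub_status": 0xC000006A},
    {"event_id": 4625, "computer": "DC01", "user": "Alice", "logon_type": 3, "sub_status": 0xC000006A},
    {"event_id": 4625, "computer": "DC01", "user": "alice", "logon_type": 10, "sub_status": 0xC0000234},
    {"event_id": 529, "computer": "FS03", "user": "alice", "logon_type": 2},
    {"event_id": 4625, "computer": "DC01", "user": "ghost", "logon_type": 3, "sub_status": 0xC0000064},
    {"event_id": 539, "computer": "FS03", "user": "bob", "logon_type": 10},
    # Constructed code that is deliberately absent from the lookup table.
    {"event_id": 4625, "computer": "DC01", "user": "svc_backup", "logon_type": 5, "sub_status": 0xC0000999},
]

if __name__ == "__main__":
    for user, row in sorted(summarize_failures(SAMPLE_FAILURES).items()):
        print(user, row["total"], dict(row["reasons"]), sorted(row["computers"]))
```

Unmapped codes are kept in the output with their raw value instead of being dropped, so an unfamiliar failure reason still shows up in the summary.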
To create a report

From the Reports menu item, select Report and View Wizard. Follow the instructions within the wizard.

Account Lockout Reports

Use SpectorSoft Log Manager to generate on-demand or scheduled account lockout reports. The report engine queries consolidated Security Event Logs for account lockout events and returns a list of locked out accounts along with lockout history summary information.

To manually run an account lockout report

From the Log Repository view, check the Security Event Logs to run the report against, right-click and select Reports > Account Lockouts. Follow the instructions within the wizard.

To create a report

From the Reports menu item, select Report and View Wizard. Follow the instructions within the wizard.

New User Account Reports

Use SpectorSoft Log Manager to generate on-demand or scheduled new user account reports. The report engine queries consolidated Security Event Logs for new user account events and summarizes them for easy review.

To manually run a new user account report

From the Log Repository view, check the Security Event Logs to run the report against, right-click and select Reports > New User Accounts. Follow the instructions within the wizard.

To create a report

From the Reports menu item, select Report and View Wizard. Follow the instructions within the wizard.
Logon/Logoff Reports

As you are probably already aware, Windows writes many different Event Log entries related to logons. Some of these events are specific to OS versions while others span multiple versions. Logon events embed important information within the message portion of the entry that enables system administrators to track down activity. SpectorSoft Log Manager parses these messages, correlates logon and logoff entries, then places the results into a list. To isolate the logon/logoff sessions you are interested in you have the option to:

- Limit results by looking up users in your domain's Active Directory tree. Choosing this option will limit the result set by removing machine accounts such as SERVERNAME$ from the report.
- Limit results to a sub-set of logon types. For example, you can configure the report to limit entries to Interactive and Remote Interactive logon sessions.

To manually run a Logon/Logoff report

From the Log Repository view, check the Security Event Logs to run the report against, right-click and select Reports > Logon/Logoff. Follow the instructions within the wizard.

To create a report

From the Reports menu item, select Report and View Wizard. Follow the instructions within the wizard.
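One way to correlate logon and logoff entries into sessions with the two limits described above, as an added example rather than the product's own implementation. The event dictionaries, their field names and the directory_users set (a stand-in for the Active Directory lookup) are assumptions, the sample entries are constructed, and pairing on the Windows Logon ID field is the usual technique, not something this page specifies.

```python
from collections import namedtuple
from datetime import datetime

# Event IDs taken from the success logon report table on this page.
LOGON_EVENTS = {528, 540, 4624}
LOGOFF_EVENTS = {538, 551, 4634, 4647}
INTERACTIVE, NETWORK, REMOTE_INTERACTIVE = 2, 3, 10  # Windows logon type codes

Session = namedtuple("Session", "computer user logon_type start end")


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate_sessions(events, logon_types=None, directory_users=None):
    """Pair each logon entry with the logoff entry that shares its Logon ID.

    logon_types: optional set of logon type codes to keep.
    directory_users: optional set of lower-case account names; accounts not in
    it (machine accounts such as SERVERNAME$ included) are dropped.
    """
    open_sessions = {}  # (computer, logon_id) -> logon event
    sessions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        # A Logon ID is local to the computer that issued it, so key on both.
        key = (ev["computer"], ev["logon_id"])
        if ev["event_id"] in LOGON_EVENTS:
            if directory_users is not None and ev["user"].lower() not in directory_users:
                continue
            if logon_types is not None and ev["logon_type"] not in logon_types:
                continue
            open_sessions[key] = ev
        elif ev["event_id"] in LOGOFF_EVENTS:
            start = open_sessions.pop(key, None)
            if start is None:
                # Filtered-out logon, logon outside the window, or the second
                # logoff entry for a session that is already closed.
                continue
            sessions.append(Session(start["computer"], start["user"],
                                    start["logon_type"], start["time"], ev["time"]))
    # Logons with no matching logoff are reported as still open (end=None).
    for start in open_sessions.values():
        sessions.append(Session(start["computer"], start["user"],
                                start["logon_type"], start["time"], None))
    return sorted(sessions, key=lambda s: s.start)


# Constructed sample entries (hypothetical hosts, accounts and Logon IDs):
# (time, event id, computer, user, logon id, logon type)
_ROWS = [
    ("2013-10-07 08:01:12", 4624, "DC01", "alice", "0x3e4a1", INTERACTIVE),
    ("2013-10-07 08:01:13", 4624, "DC01", "WKS042$", "0x3e4b7", NETWORK),
    ("2013-10-07 08:01:20", 4634, "DC01", "WKS042$", "0x3e4b7", NETWORK),
    ("2013-10-07 09:15:00", 4624, "DC01", "bob", "0x41c02", REMOTE_INTERACTIVE),
    ("2013-10-07 09:20:00", 540, "FS03", "alice", "0x1a2b3", NETWORK),
    ("2013-10-07 09:25:00", 538, "FS03", "alice", "0x1a2b3", NETWORK),
    # User-initiated logoff followed by the ordinary logoff for the same session.
    ("2013-10-07 12:30:45", 4647, "DC01", "alice", "0x3e4a1", None),
    ("2013-10-07 12:30:46", 4634, "DC01", "alice", "0x3e4a1", INTERACTIVE),
]
SAMPLE_EVENTS = [
    {"time": parse_time(t), "event_id": eid, "computer": host,
     "user": user, "logon_id": lid, "logon_type": ltype}
    for t, eid, host, user, lid, ltype in _ROWS
]

if __name__ == "__main__":
    for s in correlate_sessions(SAMPLE_EVENTS,
                                logon_types={INTERACTIVE, REMOTE_INTERACTIVE},
                                directory_users={"alice", "bob"}):
        length = (s.end - s.start) if s.end else "still open"
        print(s.computer, s.user, s.logon_type, s.start, length)
```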
Account Management Reports

Many regulatory agencies require account management reports for compliance purposes. As you are probably already aware, Windows writes many different Event Log entries related to account management. Some of these events are specific to OS versions while others span multiple versions. Account management events embed important information within the message portion of the entry that enables systems administrators to track down activity. SpectorSoft Log Manager parses these messages then places the results into a list. Account management reports enable you to limit results to a subset of users that you define or that are listed in your domain's Active Directory tree.

To manually run an Account Management report

From the Log Repository view, check the Security Event Logs to run the report against, right-click and select Reports > Account Management. Follow the instructions within the wizard.

To create a report

From the Reports menu item, select Report and View Wizard. Follow the instructions within the wizard.
Options

Server Information

Specify the name of the SMTP server. For example: mail.yourserver.com. If your server runs on a port other than 25, for example 2000, use the following format: mail.yourserver.com:2000. Use the Connection security option to enable secure communications via SSL/TLS or STARTTLS.

Logon Information

If your SMTP server requires authentication to send messages, specify your username and password.

From Information

Optionally, specify the name and from address to appear in outgoing mail.

Limiter (Spam Control)

The limiter enables you to limit the number of emails sent over a period of time. When an email is dropped a message is logged to the service log file.

Backup Server

Check this option and click Configure Backup to configure an alternate server to use when your primary server is unavailable or unable to send your alert.

Testing Settings

Whenever you change the mail server settings, it is a good idea to test the settings. To test the server and account settings, specify a test address then click the Send Test button.

Log Repositories

A log repository is defined as a database or file system location that contains consolidated log entries. There are 3 types of log repositories: primary, archive and auxiliary. The primary log repository contains all recently consolidated log entries. The archive log repository contains log entries that meet archive policies. Auxiliary log repositories are used to view log entries previously backed up and removed from the primary or archive log repositories, or to view log repositories generated by other installations of SpectorSoft Log Manager. Use this tab to assign already configured log repositories as primary, archive or auxiliary.

Manually truncating and archiving the log repository

You may find it necessary to manually remove and archive entries in order to free up your database or hard drive space. At any point in time you can manually run the entry retention policy you previously configured within the Log Management Wizard. To manually remove old entries and/or archive them to the archive log repository, click Remove/Archive Entries Now.

Data Providers

A data provider is defined as a database or file system location that contains consolidated log entries. SpectorSoft Log Manager can save log entries to SQL Server, MySQL, Oracle or the file system. Use this dialog to assign database connection parameters and file system locations. Please note, when using a database to store log entries you must first create the database and assign an account with owner permissions to the database using the database specific administration tools. Once you have set the connection parameters, several tables must be created and populated. To initialize the database, click the Initialize button.

Directory Services

SpectorSoft Log Manager interfaces with Active Directory and other generic LDAP servers in several ways. By default our software automatically connects to the Active Directory server on your domain controller. If you are not connected to a domain or want to use another LDAP server, use this page to configure your connection. For more information see Active Directory.

Syslog

SpectorSoft Log Manager includes a self-contained syslog daemon/server. In order to receive syslog messages you must enable the syslog server. Use this page to enable or disable the syslog server.

HTML Templates

Throughout this software you can email and save log entries to HTML. Just like our other software products, SpectorSoft Log Manager enables users to customize the look, feel, and content by overriding our email and HTML templates. Use this page to assign your own templates to the specific application functions. For more information see Email and HTML Templates.

User Preferences

General

There are 4 views you can choose to automatically open at startup. Choose the views to automatically open.

View | Description
Dashboard | A general dashboard that shows various service and log management information
Event Log Dashboard | Event Log specific dashboard
Syslog Dashboard | Syslog specific dashboard
Error Report | When a log management function fails, an error alert state is set. All errors are displayed in this report. Please note the errors will continue to display until they are cleared manually or automatically via configured auto clear rules. If the system does not currently have any errors set, the view is not displayed.
Log View

Display logs in pages of X days

Many log files are very large and displaying the entire content at once can be very resource intensive and time consuming. For this reason, all entries are displayed in pages. By default a page contains the last 3 days of entries. Use this control to override the initial number of days per page.

Auto advancing

When displaying a log, entries may not reside within the first page for several reasons:

- Entries may not have been downloaded recently or there was an error during the download process.
- There may not have been any entries written within the timeframe of the first page.
- The level or priority filter (Information, Warning, Error, etc.) may be hiding the entries contained on the first page.
- A simple or complex filter may be applied via the Filter Combo Box on the toolbar that may be hiding the entries contained on the first page.

You have the option of configuring the viewer to automatically advance to the first page, prompt you before advancing, or do nothing and display the first page (which will be empty).

Display log names using color

By default the viewer displays the 3 default log names that reside on all Windows computers using colors. The colors are listed as follows. Use this option to turn off the colorization of the event log names. Please note changes to this option will not be reflected in the current views.

Log | Color
Application | Dark green
System | Dark blue
Security | Dark red

Auto Refresh

The viewer optionally refreshes the currently displayed log(s) merge or report. Please note, when viewing entries on any page other than the first page, the refresh does not occur. The software was implemented in this manner so users would not lose their position while reviewing their logs.

Tray Icon

The tray icon is responsible for firing user interface actions such as message box and tray icon popups. If you are running this software on a server and do not use user interface actions, you can save system memory by disabling the tray icon.

Fonts

The font used to display log entries within log viewers can be modified. This may be extremely helpful when looking at text log files and trying to line up various entries, or when entries contain multiple lines.

WMI

Packet Encryptions

WMI is used to download remote Event Log entries. By default all entries downloaded are unencrypted. Use the WMI tab to enable or disable encryption. When Packet is selected, all data passed via WMI is unencrypted. When PacketPrivacy is selected, all data passed via WMI is encrypted.

Manual Event Log Download Threads

When downloading multiple Event Logs at the same time, the local memory and CPU can easily become overloaded. In an effort to limit the memory and CPU load when manually downloading, we have included a maximum thread variable that can be set to decrease or increase the number of allowed concurrent downloads. By default this value is set to 20; however, you may find it advantageous to decrease this value to as low as 10 if you frequently manually download numerous server Security Event Logs, or you may want to increase this value if you frequently manually download many Application Event Logs. This value has no effect on scheduled downloads. To limit concurrent scheduled downloads use the Schedule Distributor.

For more information see:
- Active Directory
- Email and HTML Templates
- Encrypting Communications
- Schedule Distributor
Web Proxy Server Configuration

SpectorSoft Log Manager communicates over HTTP when querying our servers for updates and when registering your license. If your network requires you to use a web proxy server when communicating over HTTP you will need to specify your proxy server settings.

To configure your proxy server settings

Select Register from the Help menu item. Click the Configure Web Proxy button. Use the Configure Web Proxy Server Settings dialog to enable or disable the proxy, specify the host and port, and lastly specify the authentication settings.
Windows Service

SpectorSoft Log Manager uses a service to run real-time monitors, consolidation, reports and data management. This service is called SpectorSoft Log Manager.

Change Service Logon

SpectorSoft Log Manager uses a service to run real-time monitors, consolidation, reports and data management. This service is called SpectorSoft Log Manager. In order for the SpectorSoft Log Manager Service to access network resources, it must run with domain administrator rights.

To change the service logon credentials

From the Service menu item select Change Service Logon. Specify a domain administrator username and password. Lastly, specify the domain. When you are finished, click the Next button. The service configuration will be modified with these rights and the service restarted.

For more information, see: Security

Windows Service Log File

SpectorSoft Log Manager uses a service to run real-time monitors, consolidation, reports and data management. This service is called SpectorSoft Log Manager.

The SpectorSoft Log Manager Service logs all significant activity to a log file called 'cblmsrv.log'. This information is invaluable when troubleshooting the service. This file is located in the installation directory. The default location is:

Windows Server 2003/XP
c:\documents and settings\all users\application data\spectorsoft\log Manager\cblmsrv.log

Windows Server 2008/7/Vista
c:\programdata\spectorsoft\log Manager\cblmsrv.log

To View the Log File

From the Service menu item select View Service Log. The entries are sorted from oldest to latest. The log file can also be viewed in any text editor.
To Clear the Log File

The service automatically truncates the log file to a little less than 1 MB every hour on the hour. The service will log a notice message when attempting to truncate the log file if the user interface is open. To manually clear or delete the entire log file, the service must be stopped and the user interface closed. Once the service is stopped and the user interface is closed, manually delete the log file. After the file has been deleted, restart the service.

Starting and Stopping the Windows Service

SpectorSoft Log Manager uses a service to run real-time monitors, consolidation, reports and data management. This service is called SpectorSoft Log Manager.

To Start the Service

From the Service menu item select Start. If you are unable to start the service because of a logon failure, you must reset the logon credentials. For more information see Change Service Logon.

To Start the Service in Verbose Mode

To aid in troubleshooting, the service can be started in verbose (debug) mode. In this mode, extra messages are logged. From the Service menu item select Start Verbose.

To Stop the Service

From the Service menu item select Stop.
Troubleshooting

Please select from the list of links that most closely relates to your issue:

- Receiving Error: The RPC Server is Unavailable
- Receiving Error: Access Denied
- Receiving Error: Quota Violation
- Unable to Get Filters to Work
- Unable to Get Actions, Alerts or Notifications to Work

Common Event Log Management Errors

SpectorSoft Log Manager uses a Microsoft technology known as Windows Management Instrumentation (WMI) to access Event Logs on your networked computers. The most common errors reported by the operating system for WMI problems are:

- The RPC server is unavailable
- Access_Denied
- Quota Violation

For more information, see:
- Troubleshooting
- Security
- Mapping Computers
- Common Filter Issues
- Common Action Issues
The RPC Server is Unavailable

A "The RPC server is unavailable" error is thrown by the local WMI Service when an attempt is made to access a remote Event Log on a computer that is blocking WMI requests, or when there is a firewall between the computers.

To quickly verify the error using built-in Microsoft tools already installed on your server or workstation, open a command prompt and type:

Wbemtest

Once loaded, click the Connect button. In the Namespace text box type \\SERVERNAME\root\cimv2 where SERVERNAME is the name of the remote server throwing the RPC server is unavailable error. If either computer resides on a different domain or within a workgroup, specify administrator credentials that reside on the remote computer or domain. When you are finished, click Connect. You should receive the RPC server is unavailable error.

Solutions

1. Open TCP port 135 and all TCP ports above
For more information read the following Microsoft article: Connecting to WMI Remotely Starting with Windows Vista
NOTE: Many virus protection solutions such as McAfee and Symantec contain their own firewalls which must be configured to allow WMI packets.

2. Configure the WMI Service on each Server 2008, Windows 7 or Vista computer to run on a specific port, then open TCP port 135 and the specified port. Please note this is not an option for Server 2003 or Windows XP computers. For more information read the following Microsoft article: Setting Up a Fixed Port for WMI

3. Install Log Manager on each sub-net then push Event Log entries directly to a central database. Please note this requires you to open the necessary database ports. In the case of SQL Server this is TCP port 1433 by default.

Other things to look at

1. When accessing a Windows 7 or Vista computer that has joined a workgroup rather than a domain, the remote computer must disable User Account Control (UAC). To disable UAC on a Windows 7 or Vista computer, search for Turn UAC off within the Windows help system.

2. If the remote computer is running Windows XP Pro, make sure remote logons are not being coerced to the GUEST account. From the computer you are unable to download logs from, open a command prompt and type secpol.msc. Expand the Local Policies node and select Security Options. Scroll down to the setting titled Network access: Sharing and security model for local accounts. If this is set to Guest only, change it to Classic and restart your computer.

3. From the computer you are unable to download logs from, open a command prompt and type dcomcnfg. Expand the Component Services/Computers/My Computer node. Right-click My Computer and then select Properties. Select the COM Security tab. From the Launch and Activation Permissions, select Edit Limits. Add the appropriate account and assign all permissions.

4. Check that DCOM is enabled on both the local and the remote computer. Check the following registry value on both computers: Key: HKLM\Software\Microsoft\OLE, value: EnableDCOM, should be set to 'Y'

5. Check that WMI is installed on both the local and remote computer. WMI is present by default in all flavors of Windows 2000 and later operating systems, but must be installed manually on NT4 systems. To check for the presence of WMI, open a command prompt and type wbemtest. If the WMI Tester application starts up, WMI is present; if not, it must be installed. Consult Microsoft for more information.

6. Verify the Windows Management Instrumentation service is running on both the local and target computers.

Access Denied

An Access Denied error is typically thrown by the local WMI Service when an attempt is made to access a remote Event Log from a computer that is not logged into the domain, or when the SpectorSoft Log Manager Service is not running with domain administrator credentials.

To quickly verify the error using built-in Microsoft tools already installed on your server or workstation, open a command prompt and type:

Wbemtest

Once loaded, click the Connect button. In the Namespace text box type \\SERVERNAME\root\cimv2 where SERVERNAME is the name of the remote server throwing the Access Denied error. If either computer resides on a different domain or within a workgroup, specify administrator credentials that reside on the remote computer or domain. When you are finished, click Connect. You should receive the Access Denied error.

Solutions

1. Select Service > Change Service Logon. Specify domain administrator credentials then click OK. The service will be automatically restarted using the credentials you specified. If the service fails to start, check the credentials and try again.

2. If either the local computer or the target computer is not logged into the domain, specify logon as credentials. From the Configuration Explorer, select Group by Log Type, navigate to the computer of interest, right-click and select De-Select All. Right-click again and select Log Monitor Properties Wizard. Once the Event Log Management Wizard opens click Next. Check the Logon As option then specify the credentials. When specifying credentials that reside directly on the target computer (rather than a domain administrator account), specify the computer name in the Domain combo-box.

Other things to look at
1. Make sure WMI permissions have been set correctly. From the remote computer throwing the error, open a command prompt and type: wmimgmt.msc. Right-click on the WMI Control (local) node and select Properties. Select the Security tab and navigate to root/cimv2. Click the Security button. Grant the account you and the service are using to access logs Remote Enable and Read Security rights.

2. If access is denied to a Windows Server 2003 log, grant the account you are logged in as and the account the service is running under access to each event log. For more information read the following MSDN article: How to set event log security locally or by using Group Policy in Windows Server

3. When accessing a Windows 7 or Vista computer that has joined a workgroup rather than a domain, the remote computer must disable User Account Control (UAC). To disable UAC on a Windows 7 or Vista computer, search for Turn UAC off within the Windows help system.

4. If the remote computer is running Windows XP Pro, make sure remote logons are not being coerced to the GUEST account. From the computer where you cannot download logs, open a command prompt and type secpol.msc. Expand the Local Policies node and select Security Options. Scroll down to the setting titled Network access: Sharing and security model for local accounts. If this is set to Guest only, change it to Classic and restart your computer.

5. From the computer where you are unable to download logs, open a command prompt and type dcomcnfg. Expand the Component Services/Computers/My Computer node. Right-click My Computer and then select Properties. Select the COM Security tab. From the Launch and Activation Permissions, select Edit Limits. Add the appropriate account and assign all permissions.

6. Check to make sure DCOM is enabled on both the local and the remote computer. Check the following registry value on both computers: Key: HKLM\Software\Microsoft\OLE, value: EnableDCOM, should be set to Y

7. Check to make sure WMI is installed on both the local and remote computer. WMI is present by default in all flavors of Windows 2000 and later operating systems, but must be installed manually on NT4 systems. To check for the presence of WMI, open a command prompt and type wbemtest. If the WMI Tester application starts up, WMI is present; if not, it must be installed. Consult Microsoft for more information.

8. Verify the Windows Management Instrumentation service is running on both the local and target computers.
Quota Violation

A Quota Violation is thrown by the WMI Service running on the target machine when Log Manager requests the contents of a large Event Log. We typically see a quota violation thrown when downloading a remote Security Event Log that is approximately 400 MB in size for the first time.

You have 3 options to resolve this error:

1. Back up and clear the Event Log.
2. Limit the download to a smaller date range such as 1 day.
3. Increase the WMI Quota settings.

Backing-up and Clearing

From the Configuration Explorer, navigate to the log of interest, right-click and select De-Select All. Right-click again and select Properties. Select the Windows Event Log tab and select Clear Log.

Limiting the Download Date Range

From the Configuration Explorer, navigate to the log of interest, right-click and select De-Select All. Right-click again and select Properties. Select the Log Consolidation tab then set the initial download to a lesser value such as 1 day.

Increasing the WMI Quota

Select Tools > Options. Select the WMI tab. Under WMI Quota select the target computer then double the Memory per host value. If the Memory per host value is the same as the Memory all hosts value, double both the Memory per host and the Memory all hosts values. Click Apply when you have finished.

For more information read the following Microsoft article: WMI Error: 0x C Description: Quota violation, while running WMI queries
Common Filter Issues

Filters can fail to produce the expected results for many reasons. Most commonly we see users selecting the regular expression option when it is not needed.

To verify the filter is working as expected:

1. Locate a log of interest from within the Log Repository tab.
2. Right-click on the log and select View Consolidated Log.
3. When prompted, select the filter. Do you see the entries of interest?
4. If not, clear the filter via the toolbar. Do you see the entries of interest?

If you see entries within the viewer when no filter is applied, modify your filter so only the entries of interest display. If not, verify the service is downloading the log as expected.

To verify the log is being downloaded, from the Log Repository view, right-click on the log and select Properties. Select the Downloaded Log tab. This dialog displays the success or failure message associated with the last scheduled download. Any errors must first be resolved.

Common Action Issues

I'm not receiving my email

Typically the email server has not been set up correctly. Select Options from the Tools menu item and select the Email tab. If using Windows Authentication mode, make sure the account the service is running under can log onto the domain. If the service is running under the SYSTEM account you will not be able to send emails using Windows Authentication. If the server settings are correct, verify the filter is working as expected. For more information see Common Filter Issues.

I'm not receiving my desktop alert notifications

The tray icon executable must be running. Select Start Tray Icon from the Service menu item. If the tray icon is already running, verify the filter is working as expected. For more information see Common Filter Issues.
Security

Event Logs

To access remote Event Logs from the user interface, your login must have domain administrator rights. If your account does not have domain administrator rights, you can map a computer and specify login credentials that enable you to read remote Security Event Logs. For more information see Mapping Computers.

When real-time monitoring or consolidating remote Event Logs, the service must be run with domain administrator credentials. The first time the application is run, you will be prompted to assign domain administrator credentials to the service. When the password assigned to the account the service is running under changes, you must update the service to use the latest password. For more information see Change Service Logon.

If you are receiving an RPC or Access Denied error please see Troubleshooting.

Text Logs

When monitoring text log files, be sure all remote log files are accessed using UNC paths, as Windows Services are unable to access mapped disk drives.

For more information, see:
Change Service Logon
Mapping Computers
Troubleshooting
Configuring the Windows Firewall

Windows Server 2008, 7, Vista, Server 2003 SP1, and XP SP2 include the Windows Firewall which, depending on the OS version, may block WMI traffic by default. If WMI traffic is blocked, SpectorSoft Log Manager will typically throw an RPC server error. In order to allow access you must enable Windows Management Instrumentation (WMI) or Remote Administration. The simplest way to do this is to open up a command prompt and type the following:

Windows Server 2008/7/Vista:
    netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Windows Server 2003/XP:
    netsh firewall set service RemoteAdmin

The effect is immediate and there is no need to restart.

To read more about this, consult the following Microsoft articles:
Server 2008/7/Vista
Server 2003/XP

If you are still unable to download or monitor remote logs see Troubleshooting.

Technical Support

When you contact SpectorSoft Technical Support, be ready to provide a description of the problem and any error or warning messages that were displayed. Please include the following information with all support requests:

The version you are running (find it in Help > About).
The Log Manager log file, located at the following default location:
    Windows Server 2003/XP - C:\documents and settings\all users\application data\spectorsoft\log Manager\cblmsrv.log
    Windows Server 2008/7/Vista - C:\programdata\SpectorSoft\Log Manager\cblmsrv.log
The operating system version you are running.
A detailed description of the problem.

For more information, see:
Contact Us
SpectorSoft Information

Contact Us

When sending email or a web request, please include your company name, city, and state to ensure your request is handled as promptly as possible. Feel free to contact us 24 hours a day, 7 days a week.

General Contact

SpectorSoft Corporation
1555 Indian River Blvd., B-210
Vero Beach, FL USA
World Wide Web:
U.S. & Canada:
International:

Sales Contact

Contact our sales staff for pre-sales questions, information about the latest SpectorSoft products, upgrade options, and pricing for our current products. SpectorSoft Corporation's professional sales staff is ready to answer your sales questions:

Monday - Friday; 9:00 AM to 10:00 PM EST
Saturday & Sunday; 10:00 AM to 6:00 PM EST

Sales: Purchase Information
[email protected]
Sales Fax:

Technical Support

Web: Request Support
U.S. & Canada:
Copyrights and Trademarks

Copyright Notice

Copyright 2013 SpectorSoft Corporation, 1555 Indian River Blvd., B-210, Vero Beach, Florida U.S.A. All rights reserved.

SpectorSoft Log Manager, Copyright SpectorSoft Corporation. SpectorSoft and Spector are Registered Trademarks of SpectorSoft Corporation.

This software includes code under license from Microsoft Corporation. Microsoft Corporation. All rights reserved.

All materials appearing anywhere within SpectorSoft's Help file are protected by worldwide copyright laws and treaty provisions. The copyright on such materials is held by SpectorSoft Corporation or its subsidiaries (collectively, "SpectorSoft"), or by the original creator of the materials. None of the materials may be copied (other than for personal use), reproduced (other than for personal use), displayed, modified, published, uploaded, posted, transmitted, or distributed in any form or by any means without SpectorSoft's prior written permission. All rights not expressly granted herein are reserved. Any unauthorized use of the materials appearing on SpectorSoft's Help Files may violate copyright, trademark, and other applicable laws and could result in criminal or civil penalties.

Your use of SpectorSoft's Help Files constitutes your acknowledgment and acceptance of SpectorSoft's terms of use. If you do not agree with these terms of use, please do not use SpectorSoft's Help Files.

Trademarks for other companies

Microsoft Windows, MSN and other Microsoft products referenced herein are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and / or other countries.

These Help Files may contain other names and phrases (marks) that may or may not be trademarks of other organizations. All other trademarks and service marks are the property of their respective owners.
FileMaker Server 7. Administrator s Guide. For Windows and Mac OS
FileMaker Server 7 Administrator s Guide For Windows and Mac OS 1994-2004, FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker is a trademark
Installation Instruction STATISTICA Enterprise Small Business
Installation Instruction STATISTICA Enterprise Small Business Notes: ❶ The installation of STATISTICA Enterprise Small Business entails two parts: a) a server installation, and b) workstation installations
Installation Guide for Pulse on Windows Server 2012
MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software
Online Help StruxureWare Data Center Expert
Online Help StruxureWare Data Center Expert Version 7.2.1 What's New in StruxureWare Data Center Expert 7.2.x Learn more about the new features available in the StruxureWare Data Center Expert 7.2.x release.
Vodafone PC SMS 2010. (Software version 4.7.1) User Manual
Vodafone PC SMS 2010 (Software version 4.7.1) User Manual July 19, 2010 Table of contents 1. Introduction...4 1.1 System Requirements... 4 1.2 Reply-to-Inbox... 4 1.3 What s new?... 4 2. Installation...6
Core Protection for Virtual Machines 1
Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Installation Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to this
Version 5.12 December 2014 702P02896. Xerox CentreWare Web Installation Guide
Version 5.12 December 2014 702P02896 Xerox CentreWare Web 2014 Xerox Corporation. All rights reserved. Xerox, Xerox and Design, and CentreWare are trademarks of Xerox Corporation in the United States and/or
