GFI EventsManager 7.1. Manual. By GFI Software Ltd.
This manual was produced by GFI Software Ltd. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of GFI Software Ltd.

GFI EventsManager is developed by GFI Software Ltd. GFI EventsManager is copyright of GFI Software Ltd. All rights reserved.

Version 7.1
Last updated: March 28, 2007
Contents

Introduction 5
  About this manual 5
  How is this manual structured 5
  About GFI EventsManager 8
  Key Features 8
  How does GFI EventsManager work? 11
  Navigating the GFI EventsManager management console 13
  Licensing 14
Installation 15
  Introduction 15
  Deployment of GFI EventsManager on a Local Area Network 15
  Deployment of GFI EventsManager on a Demilitarized Zone 16
  System requirements 17
  Upgrading from a previous version 18
  Installation procedure 18
Getting Started 21
  Introduction 21
  Getting Started: Launching GFI EventsManager for the first time 23
  Quick start dialog 24
  Configuring the database backend 25
  Configuring SQL Server details 26
  Changing database backend settings 27
  Configuring GFI EventsManager administrator account 27
  Configuring the general alerting options 30
  Configuring e-mail alerts 31
  Configuring network alerts 32
  Configuring SMS alerts 32
  Changing the general alerting options 33
  Getting started: Processing event logs 34
Configuring event sources 35
  Introduction 35
  Adding new event sources to a default group 35
  Configuring event source properties 36
  Configuring general event source properties 37
  Configuring alternative domain administrator credentials 38
  Configuring event source operational time 39
  Configuring event processing parameters 40
Configuring event processing rules 41
  Introduction 41
  Collecting and processing Windows events 43
  Configuring Custom Event Logs 46
  Collecting and processing W3C logs 47
  Collecting and processing Syslogs 49
  Configuring the Syslog server communications port 51
  Archiving events 52
  Selecting event processing rules 53
Configuring alerts and actions 55
  Introduction 55
  Configuring default classification actions 56
  Configuring actions through event processing rules 57
Event browsing 59
  Introduction 59
  Accessing and browsing stored event logs 62
  Applying event queries 63
  Creating custom event queries 63
  Customizing the event viewer pane 64
  Configuring event color coding 66
  Event finder tool 67
  Backup events 67
  Switching databases 68
  Clear all events 68
Status monitoring 69
  Introduction 69
  Accessing the status monitor 69
  General Status view 70
  Job Activity view 74
  Statistics view 77
Database Operations 80
  Introduction 80
  Why is there a need for database maintenance? 80
  Configuring Database Operations 81
  Creating maintenance jobs 84
  Move to database 86
  Export to file 87
  Import from file 89
  Delete data 90
  Configuring data filter conditions 91
  Viewing scheduled maintenance jobs 94
  Editing a maintenance job 95
  Editing a maintenance job priority 96
  Deleting a maintenance job 96
Customizing event processing rules 99
  Introduction 99
  Create a new rule-set folder
  Renaming and deleting folders
  Creating a new rule-set
  Editing a rule-set
  Deleting a rule-set
  Creating a new Windows Event Log rule
  Creating a new W3C rule
  Creating a new Syslog rule
  Changing the configuration settings of a rule
  Advanced event filtering parameters
  Windows Events Conditions
  Syslog Categories
Configuring users and groups 113
  Introduction
  Creating a new user
  Changing user properties
  Deleting users
  Configuring groups
  Changing user group properties
  Deleting user groups
Miscellaneous 117
  Command Line operations
  Licensing
  Entering License Key after installation
  Version information
  Checking for newer builds
Troubleshooting 123
  Introduction
  Knowledge Base
  Request technical support via e-mail
  Request technical support via web chat
  Request technical support via phone
  Web Forum
  Build notifications
Appendix 1: SMS Settings 125
  Global settings for SMS/pager alerts
  In-built GSM SMS Server
  GFI FAXmaker SMS service provider template
  Clickatell 2SMS Service
  Generic SMS service provider template
Appendix 2: Configuring Windows 135
  Introduction
  Enabling the Remote Registry service
  Enabling Windows security auditing
  How to install Group Policy snap-ins
Appendix 3: Installing SQL Server Express Edition 143
  Introduction
  Software requirements
  Installation steps
Tutorial 1: Configuring basic options through Quick Start Dialog 150
  Overview
  Parameters
  Part 1: Configuring GFI EventsManager database backend
  Part 2: Configuring default alerting options
  Part 3: Configuring GFI EventsManager administrator account
Tutorial 2: Configuring event processing parameters 157
  Overview
  Parameters
  Part 1: Configuring log sources
  Part 2: Creating new event processing rules
    Section 1: Create a new rules folder
    Section 2: Create a new rule-set
    Section 3: Create a new rule
  Part 3: Configuring user properties, alerts and other actions
    Section 1: Create new users/alert recipients group
    Section 2: Add new alert recipient
    Section 3: Setting alerts for Critical events
Tutorial 3: Event Browsing and Filtering 172
  Overview
  Parameters
  Create a new event query
  Using the new event query
Tutorial 4: Database Operations 176
  Overview
  Parameters
  Part 1: Configuring the interval/schedule
  Part 2: Export to file maintenance job
  Part 3: Move to database maintenance job
  Part 4: Delete data maintenance job
  Part 5: Import from file maintenance job
Index 195
Introduction

About this manual

How is this manual structured

This manual is structured in line with the logical chain of configuration operations required to get GFI EventsManager up and running.

Chapter 1 gives an overview of how GFI EventsManager works.

Chapter 2 explains how to successfully install GFI EventsManager.

Chapter 3 describes how to configure the key operational parameters which GFI EventsManager requires at first startup. These instructions are presented in their proper logical sequence and include all the information required to get GFI EventsManager ready for event processing.

Chapters 4, 5 and 6 guide you through the process of configuring the essential parameters required for event processing. At the end of these chapters, you will be able to configure:
- Event sources that will be monitored
- Log types that will be collected and processed
- Event processing rules that will be run against the collected logs
- Alerts and actions that will be triggered on key events.

NOTE: At this stage, you will have gained enough knowledge to run GFI EventsManager on default settings.

Chapter 7 describes how to use the built-in events browser to analyze events stored in the GFI EventsManager database backend. This chapter explains how to use the tools and features provided in the events browser, including:
- Default event log queries and the custom query builder
- Event color-coding
- Event finder tool.

Chapter 8 describes how to use the Scanning Monitor to analyze the status of GFI EventsManager as well as view statistical information on processed events.

Chapter 9 guides you through the process of creating and customizing event processing rules. This section is for advanced users who want to create their own event processing rules.

Chapter 10 describes how to configure alert recipient parameters including:
- Personal details such as mobile phone number
- Normal working hours
- Type of alerts that will be sent to every recipient.

Chapter 11 explains what main sources of information are available to help users troubleshoot product issues.

Appendix 1 guides you through the process of configuring SMS alerting parameters including SMS gateway provider settings.

Appendix 2 guides you through the process of configuring Windows settings and services required by GFI EventsManager.

Appendix 3 guides you through the steps required to install Microsoft SQL Server 2005 Express Edition.

Tutorials 1, 2, 3 will guide you through the process of getting GFI EventsManager up and running.

Glossary of terms used in this manual

Actions: The activity that will be carried out as a result of events matching specific conditions. For example, you can trigger actions whenever an event is classified as critical. Actions supported by GFI EventsManager include alerts, event archiving and execution of scripts.

Alerts: Notifications which inform recipients that a particular event has occurred. GFI EventsManager can generate e-mail alerts, SMS alerts and network alerts.

Archive: A collection of events stored in the SQL Server based database backend of GFI EventsManager.

E-mail alerts: E-mail notifications which inform recipients that a particular event has occurred. To enable e-mail alerts, you must have access to an active mail server.

Event classification: The categorization of events as Critical, High, Medium, Low or Noise.

Event logs: A collection of entries which describe events that occurred on the network or on a computer system. GFI EventsManager supports 3 different types of event logs: Windows event logs, W3C logs and Syslog.

Event processing rules: A set of instructions which are applied against an event log.

Network alerts: Network messages (known as Netsend messages) which inform recipients that a particular event has occurred.
These messages are sent through an instant messenger system/protocol and are shown as a popup in the system tray of the recipient's desktop. To set up network alerts, you must specify the name or IP address of the computers to which the Netsend messages will be sent.
Noise: Repeated log entries which report the same event.

Rule-set folder: The folder which contains one or more rule-sets.

Rule-sets: A collection of event processing rules.

SMS alerts: SMS notifications which inform recipients that a particular event has occurred. In GFI EventsManager, SMS alerts can be sent through various sources including mobile phones with modem capabilities and e-mail-to-SMS web-based gateways.

Unclassified events: Events that did not satisfy any of the event processing conditions configured in the event processing rules.

W3C logs: W3C is a common log format developed by the World Wide Web Consortium. W3C logs are text-based flat files used mainly by web servers, including Microsoft Internet Information Server (IIS), to record web-related events such as web logs.

Windows event logs: A collection of entries which describe events that occurred on a computer system running a Windows OS.
About GFI EventsManager

Key Features

Figure 1 - GFI EventsManager integrates into any existing IT infrastructure

GFI EventsManager is a results-oriented event log management solution which integrates into any existing IT infrastructure, automating and simplifying the tasks involved in network-wide events management. Through the features supported by GFI EventsManager you can:
- Automatically collect W3C, Syslog and Windows events from network devices and Windows/Linux/Unix based systems and manage them through one console.
- Archive collected events in a centralized SQL Server based database backend for future analysis and forensic studies.
- Filter unwanted events and classify key events through the use of powerful default or custom-built event processing rules.
- Automate alerting and remedial actions such as the execution of scripts and files on key events.
- Monitor your network activity and the status of your GFI EventsManager scanning engine through a built-in graphical dashboard.
- Analyze events through a built-in events browser.
- Simplify event forensics through specialized tools which include a built-in event query builder, an event finder tool and an event color-coding tool.
- Increase event processing power through a high-performance event scanning engine.
- Generate and schedule event activity and trend reports through GFI EventsManager ReportPack, the reporting companion tool which ships by default with GFI EventsManager.

Extended event log support

GFI EventsManager is able to process various event log types including Windows event logs, Syslog events, and W3C event logs. This allows administrators to collect more data from the different
hardware and software systems that are most commonly available on a typical corporate network.

Rule based event log management

GFI EventsManager ships with a pre-configured set of event processing rules that allow you to filter and classify events that satisfy particular conditions. You can run these default rules without performing any configuration, or you can customize these rules or create tailored ones that suit your network infrastructure.

Event log scanning profiles

GFI EventsManager 7.1 allows you to organize event log scanning rules into Scanning Profiles. In a scanning profile, you configure the set of event log monitoring rules that will be applied to a specific computer or group of computers. The benefits of these profiles include:
- Simplified product administration: a centralized way of tuning event processing rules.
- Role-specific rule sets: administrators can create different sets of event log rules that suit the roles of the scanned event sources and the corporate network environment. For example, you can set up a set of rules which apply only to workstations in a particular department.
- Granular configuration of rules: administrators can create an event processing profile that is generic for all computers and a number of separate profiles which complement the generic profile by providing additional, more specialized event log rules on a computer-by-computer basis.

Translates cryptic Windows events

One major drawback of Windows event logs is that they are not user-friendly; they are too cryptic for the user to understand. In fact, this is one of the main reasons why only few administrators really peer into Windows event logs. GFI EventsManager 7.1 overcomes this problem by translating event descriptions into a form that is more user-friendly and easier to understand.

Enhanced event scanning engine

GFI EventsManager 7.1 includes an event scanning engine that has been tuned to speed up event scanning for maximum performance.
This engine adopts a plug-in based design that allows additional features/modules to be plugged in without physical changes to the existing code, hence more stability without affecting scalability.

Automatic noise reduction

GFI EventsManager 7.1 identifies and removes unwanted event data (such as noise and events generated by background processes), providing you with only the relevant, usable data. This facilitates event forensics by reducing the number of events to be analyzed.
Enhanced real-time actions

GFI EventsManager can generate alerts or trigger actions such as script execution when key events are detected. You can alert one or more people in various ways including: e-mail, network messages, and SMS notifications sent through an e-mail-to-SMS gateway or service. Actions can be configured to trigger on event classification or through specific conditions in event processing rules.

Advanced event filtering features

GFI EventsManager ships with a number of event filtering features including:
- Pre-configured event queries and a custom event query builder: The pre-configured event queries allow you to sift event log data and browse only the required events, without deleting any records from your database backend. The built-in event query builder allows you to create your own custom event queries.
- Event color-coding capabilities: Through this feature you can selectively color particular events in specific colors. This way, during log browsing you can easily identify important events through their color.
- Event finder tool: With this tool you can quickly locate important events by providing specific search criteria such as event type.

Event Centralization

GFI EventsManager enables you to monitor and manage events generated by Windows/Linux/Unix systems, network devices and software applications through a single user console.
How does GFI EventsManager work?

Figure 2 - The GFI EventsManager operational stages

The operational functionality of GFI EventsManager is divided into 2 stages:
- Stage 1: Event Collection
- Stage 2: Event Processing

A description of every stage is provided below.

Stage 1: Event Collection

During the Event Collection stage, GFI EventsManager collects logs from specific event sources. This is achieved through the use of 2 event collection engines: the Event Retrieval Engine and the Event Receiving Engine.

The Event Retrieval Engine - The Event Retrieval Engine is used to collect Windows event logs and W3C logs from networked event sources. During the Event Collection process this engine will:
1. Log on to the event source(s)
2. Collect events from the source(s)
3. Send collected events to the GFI EventsManager Server
4. Log off from the event source(s).

The Event Retrieval Engine collects events at specific time intervals. The event collection interval is configurable from the GFI EventsManager management console.

The Event Receiving Engine - The Event Receiving Engine acts as a Syslog server; it listens for and collects Syslog events/messages sent by Syslog sources on the network. As opposed to the Event Retrieval Engine, the Event Receiving Engine receives messages directly from the event source; therefore it does not need to log on remotely to the event sources for event collection. Further to this, Syslog events/messages are collected in real time and therefore no collection time intervals need to be configured. By default, the Event Receiving Engine listens for Syslog messages on port 514; however, the Syslog port settings are customizable via the GFI EventsManager management console.

Stage 2: Event Processing

During this stage, GFI EventsManager will run a set of Event Processing Rules against collected events. Event Processing rules are instructions that:
- Analyze the collected logs and classify processed events as Critical, High, Medium, Low or Noise (unwanted or repeated events)
- Filter events that match specific conditions
- Trigger e-mail, SMS and network alerts on key events
- Trigger remediation actions such as the execution of executable files or scripts on key events
- Optionally archive collected events in the database backend.

GFI EventsManager can be configured to archive events without running Event Processing rules. In such cases, even though no rules will be applied against collected logs, archiving will still be handled by the Event Processing stage.
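The Event Processing stage described above can be illustrated with a small rule engine. The following Python script is an added example written for this edition of the page; it is not GFI's code and does not reproduce the product's rule format. It shows the three things the text attributes to event processing rules: conditions that classify a collected event as Critical, High, Medium, Low or Noise, noise reduction of repeated entries, and the actions a matching rule triggers. The event fields mirror the Windows event log types (Error, Warning, Information, Success Audit, Failure Audit); the rule names, the noise threshold and the sample events are constructed for the example.

```python
# Added example (not GFI's code): a small event-processing stage in the style
# described above. Rules classify collected events as Critical, High, Medium,
# Low or Noise, repeated entries are collapsed into Noise, and a matched rule
# names the actions to trigger. Event fields follow the Windows event log
# types (Error, Warning, Information, Success Audit, Failure Audit); the
# rule names, thresholds and sample events are constructed for this example.
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Event:
    log: str          # Windows log name, e.g. "Security" or "System"
    source: str       # computer the event was collected from
    event_type: str   # "Error", "Warning", "Information", "Success Audit", "Failure Audit"
    event_id: int
    message: str


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]    # condition applied to each event
    classification: str               # Critical / High / Medium / Low
    actions: tuple = ()               # actions to trigger on a match


@dataclass
class Outcome:
    event: Event
    classification: Optional[str]     # None when no rule matched (unclassified)
    rule: Optional[str]
    actions: list = field(default_factory=list)


def process(events: Iterable[Event], rules: list, noise_threshold: int = 3) -> list:
    """Run the rules in order; the first matching rule wins. An identical
    entry (same log, source, id and message) seen more than noise_threshold
    times in the batch is classified as Noise instead of being re-evaluated."""
    seen = Counter()
    outcomes = []
    for ev in events:
        key = (ev.log, ev.source, ev.event_id, ev.message)
        seen[key] += 1
        if seen[key] > noise_threshold:
            outcomes.append(Outcome(ev, "Noise", "noise-reduction"))
            continue
        for rule in rules:
            if rule.match(ev):
                outcomes.append(Outcome(ev, rule.classification, rule.name, list(rule.actions)))
                break
        else:
            outcomes.append(Outcome(ev, None, None))
    return outcomes


def summarize(outcomes: list) -> dict:
    """Count outcomes per classification; unmatched events count as Unclassified."""
    return dict(Counter(o.classification or "Unclassified" for o in outcomes))


def pending_actions(outcomes: list) -> list:
    """(rule, action, source) triples for everything the rules asked to trigger."""
    return [(o.rule, a, o.event.source) for o in outcomes for a in o.actions]


# Constructed rules in the spirit of the default rule-sets the manual describes.
RULES = [
    Rule("Logon failure", lambda e: e.log == "Security" and e.event_type == "Failure Audit",
         "Critical", ("email", "netsend", "archive")),
    Rule("Service error", lambda e: e.log == "System" and e.event_type == "Error",
         "High", ("email", "archive")),
    Rule("Informational", lambda e: e.event_type == "Information", "Low", ("archive",)),
]

# Constructed sample batch: five identical failed logons, one service error,
# one informational entry and one warning that no rule covers.
SAMPLE_EVENTS = (
    [Event("Security", "WKS01", "Failure Audit", 529, "Logon failure: bad user name or password")] * 5
    + [Event("System", "SRV01", "Error", 7000, "The Spooler service failed to start"),
       Event("Application", "SRV01", "Information", 1000, "Application started"),
       Event("System", "SRV01", "Warning", 2013, "Disk is nearing capacity")]
)


def demo() -> dict:
    """Classification counts for the constructed batch."""
    return summarize(process(SAMPLE_EVENTS, RULES))


if __name__ == "__main__":
    for o in process(SAMPLE_EVENTS, RULES):
        print(f"{o.classification or 'Unclassified':12} {o.rule or '-':16} "
              f"{o.event.source} {o.event.event_id} {o.event.message}")
    print(demo())
```

With a noise threshold of 3, the first three identical logon failures are classified Critical and trigger their alerts, the fourth and fifth are collapsed into Noise without re-running the rules, and the uncovered Warning is left unclassified, which is the behaviour the glossary entries for Noise and Unclassified events describe.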
Navigating the GFI EventsManager management console

Screenshot 1 - The GFI EventsManager management console

Status option: Use this option to view the status of GFI EventsManager and statistical information on processed logs.
Configuration option: Use this option to access and configure the main event processing options.
Event Sources: Use this option to configure event sources including which logs to collect and which rules to process.
Event Processing Rules: Use this option to create, configure and customize event processing rules.
Left pane: Use this pane to navigate through the additional configuration options provided in GFI EventsManager.
General options: Use this option to check for product updates, as well as view version and licensing details.
Events Browser: Use this option to view and analyze the events currently stored in the GFI EventsManager database backend.
Options: Use this option to configure general settings such as database backend parameters and default alerting parameters.
Primary options bar: This bar contains the primary configuration options provided in GFI EventsManager.
Secondary options bar: This bar contains a second layer of configuration options which is accessible by clicking on the options in the primary options bar.
Right pane: Use this pane to browse configured event sources, event processing rules, archived events, licensing details and product version details.
Licensing

Table 1 - GFI EventsManager licensing options

A number of licensing options are available with GFI EventsManager as shown in the table above. During evaluation all features within GFI EventsManager are available. The initial evaluation license provides a 10-day evaluation period. This can be extended to 30 days by entering a 30-day evaluation license key. This license key is e-mailed to the e-mail address specified when downloading GFI EventsManager from the GFI website. Upon expiry, a license key must be purchased to be able to once again access GFI EventsManager features. GFI EventsManager does not need to be uninstalled and reinstalled when entering a purchased license key.

The purchase of a basic license enables the features marked in the Licensed column of the table above. Additional features in GFI EventsManager may be enabled by purchasing an extended license key.

NOTE: Only one license key of GFI EventsManager is required at any one time. The license key type indicates which features are to be activated.
Installation

Introduction

Where can I install GFI EventsManager on my network?

GFI EventsManager can be installed on any computer which meets the minimum system requirements, irrespective of its location on your network. Use GFI EventsManager to manage the events generated:
- On the same computer where it is installed
- On all the computers that are reachable from the computer on which it is installed.

Figure 3 - GFI EventsManager deployment scenario

GFI EventsManager can be deployed:
- Within your network, to monitor the activity of internal servers and workstations/end points.
- On the DMZ, to monitor and manage the events generated on your servers.

Deployment of GFI EventsManager on a Local Area Network

GFI EventsManager can be deployed on Windows based networks as well as on mixed environments where Linux and UNIX systems are used as well.
Figure 4 - Deployment of GFI EventsManager on LAN

When installed on a Local Area Network (LAN), GFI EventsManager can manage Windows events, W3C event logs and Syslog messages generated by any hardware or software that is connected to the LAN, including:
- Workstations and servers (e.g. Microsoft SQL Server)
- Network appliances (e.g. Cisco PIX firewalls)
- Third party software (e.g. GFI EndPointSecurity)
- Specialized services (e.g. Microsoft Internet Information Server - IIS)
- PABXs, keyless access systems, intrusion detection systems, etc.

When installed on a LAN, GFI EventsManager can also be used to collect events from hardware and software systems deployed on a Demilitarized Zone (DMZ). Since a firewall or a router with network traffic filtering capabilities usually protects this zone, you must make sure that:
1. The communication ports used by GFI EventsManager are not blocked by the firewall. For more information on the communication ports used by GFI EventsManager refer to the following kbase article:
2. GFI EventsManager has administrative privileges over the computers that are running on the DMZ.

Deployment of GFI EventsManager on a Demilitarized Zone

Figure 5 - The DMZ sits between the internal LAN and the Internet

GFI EventsManager can also be deployed on a Demilitarized Zone. This is the neutral network which sits between the internal corporate
network and the outside world (i.e. the internet). The deployment of GFI EventsManager on a Demilitarized Zone helps you automate the management of events generated by DMZ hardware and software systems.

Automate management of Web and Mail server events

DMZ networks are normally used for running hardware and software systems that have internet-specific roles such as HTTP servers, FTP servers, and mail servers. Hence, you can deploy GFI EventsManager to automatically manage the events generated by:
- Linux/Unix based web servers, including the W3C web logs generated by Apache web servers.
- Windows based web servers, including the W3C web logs generated by Microsoft Internet Information Server (IIS).
- Linux/Unix and Windows based mail servers, including the Syslog auditing service messages generated by Sun Solaris v. 9 or later.

Automate management of DNS server events

If you have a public DNS server, there is a good chance that you are running a DNS server on the DMZ. Hence you can use GFI EventsManager to automatically collect and process DNS server events, including those stored in your Windows DNS Server logs.

Automate management of network appliance events

Routers and firewalls are two network appliances commonly found in a DMZ. Specialized routers and firewalls (e.g. Cisco IOS series routers) not only help protect your internal network, but provide specialized features such as Port Address Translation (PAT) that can augment the operational performance of your systems. By deploying GFI EventsManager on your DMZ, you can collect the events generated by such network appliances. For example, you can configure GFI EventsManager to act as a Syslog server and collect in real time the Syslog messages generated by Cisco IOS routers.
System requirements

Hardware requirements - Installation machine(s)
- Processor: 2 gigahertz (GHz) or higher processor clock speed
- RAM: 512 megabytes (MB)
- Hard disk: 1.5 gigabytes (GB) of available space

Software requirements - Installation machine(s)
- Windows 2000 (SP4) / XP (SP2) / 2003 operating system
  NOTE: For information on Windows Vista refer to knowledge base article:
- .NET Framework 2.0
- Microsoft Data Access Components (MDAC) 2.8 or later
- Access to MSDE / SQL Server 2000 or later.
Software requirements - Scanned machine(s)

Windows event log scanning:
- Remote Registry service must be enabled. For more information refer to Appendix 2 in this manual.
- Windows Audit Policy must be enabled. For more information refer to Appendix 2 in this manual.

W3C log scanning:
- The source folders must be accessible via Windows shares.

Syslog scanning:
- Since GFI EventsManager includes a built-in Syslog server, Syslog sources/senders must be configured to send their Syslog messages to the computer/IP address where GFI EventsManager is installed.

Upgrading from a previous version

The underlying operational and processing technology subsystems on which GFI EventsManager is built are different from those of previous versions such as GFI LANguard Security Event Log Monitor. Hence a previous version cannot be imported or upgraded to GFI EventsManager 7.x.

NOTE: You are still able to run GFI EventsManager on the same machine on which GFI LANguard Security Event Log Monitor is installed. They will not conflict with each other.

Installation procedure

GFI EventsManager includes an installation wizard which will assist you through the installation process. To start the installation:
1. Close all running applications and log on to the target computer using an account which has local administrative privileges.
2. Double-click on EventsManager7.exe.
3. As soon as the welcome dialog is displayed, click Next to start the installation.
4. Read the licensing agreement carefully. To continue installing the product, select the "I accept the Licensing agreement" option and click Next.
Screenshot 2 - Customer and License detail screen

5. Specify your name, company name and license key. If you are evaluating the product, leave the license key as default (i.e. "Evaluation") and click Next.

Screenshot 3 - Logon information screen

6. GFI EventsManager must run under an account which has domain administrative privileges. Enter the user name and password of the domain administrator account and click Next to continue.
7. Specify an alternative installation path or click Next to keep the default and proceed with the installation.
Screenshot 4 - Select language character and symbol support mode

8. Specify the character encoding set to be used by GFI EventsManager. Click the Install button to proceed with the automatic extraction of the required files and finalize the installation.
9. Click Finish to finalize the installation.
Getting Started

Introduction

What is a computer log?

A computer log is a collection of event entries. These entries provide an audit trail of information related to the activity of a network or computer system. Computer logs are recorded within a defined scope so as to provide information suitable for forensic analysis. A computer log may be a binary file, as in the case of Windows logs, or a text-based file, as in the case of Syslog or W3C logs.

What is an event?

An event is a log entry that provides information on something that occurred within a computer system or network. Such events include various details such as the date and time the event occurred and a related description. Event entries are often stored in chronological order to facilitate event browsing and forensic analysis.

What are Windows event logs?

Windows event logs are a systematic recording of computer-related events that occurred within computer systems and networks running Windows operating systems. In systems running Windows 2000/XP/2003, events are recorded and organized in 3 default event logs:
- Application log
- Security log
- System log.

Computers with specialized network roles such as domain controllers and DNS servers allow the logging of events to additional (default) logs such as:
- Directory Service log
- File Replication Service log
- DNS Server log.

Windows event logs contain the following types of events:
- Error - Error events indicate that a significant problem, such as loss of data or functionality, has occurred. For example, an Error event is recorded every time that a service or driver fails to load during startup.
- Warning - Warnings indicate events that are not necessarily significant, but which may possibly cause future problems. For
example, a Warning event is recorded every time that disk space runs low.
- Information - Information events describe the successful operation of an application, driver, or service. For example, an Information event is recorded every time that a network driver loads successfully.
- Success Audit - Success audit events indicate security access attempts that were successful. For example, a Success Audit event is recorded every time that a user successfully logs on to his Windows based workstation.
- Failure Audit - Failure audit events indicate security access attempts that failed. For example, a Failure Audit event is recorded every time that a user fails to access a network drive.

A sample of the information typically recorded in a Windows event log is shown below.

Screenshot 5 - DNS Server log

What are W3C logs?

W3C logs are used mainly by web servers to log web-related events including web logs. W3C logs are recorded in text-based flat files using either of the two W3C logging formats currently available:
- W3C Common Log File format
- W3C Extended Log File format.

The W3C Common Log File format was the first format to be released and to date it is still the default format used by a variety of popular web servers including Apache. There is however one downside: the information recorded about each server transaction is fixed and does not provide for certain important fields such as referrer, agent, transfer time, domain name, or cookie information. To overcome this problem,
25 the W3C Extended log file format was released. This newer type of log is in customizable ASCII text-based format, permitting a wider range of data to be captured. The W3C Extended log file format is the default log file format used by Microsoft Internet Information Server (IIS). A sample of the information typically recorded in a W3C extended type log is shown below. #Version: 1.0 #Date: 04-Sep :00:00 #Fields: time cs-method cs-uri 00:34:23 GET /WebSRV/Pg_Snippet.html 12:21:16 GET /WebSRV/ Button_pg.html 12:45:52 GET /WebSRV/ Login_Pg.html 12:57:34 GET /WebSRV/ Error_msg.html What are Syslogs? Syslog is the standard for logging messages, such as system events, in an IP network. The Syslog standard is most commonly used for the logging of events by computer systems running on UNIX and Linux as well by network devices and appliances such as Cisco routers and the Cisco PIX firewall. Syslog events are not directly recorded by applications running on the computer systems. Whenever an event is generated, the respective computer will send a small textual message (known as Syslog message) to a dedicated server commonly known as Syslog server. The Syslog server will then save the received message into a log file. Syslog messages are generally sent as clear text; however, an SSL wrapper can be used to provide for a layer of encryption. Syslog is typically used for computer system management and security auditing. While it has a number of shortcomings, its big plus is that Syslog is supported by a wide variety of devices and receivers. Because of this, Syslog can be used to integrate log data from many different types of systems into a central repository using the Syslog server as a log aggregator. The Syslog daemon handles the recording of Syslog messages/events in log files. The Syslog message is composed of two main parts: 1. The header which contains the date/time information as well as the IP or computer name from where the message has originated. 2. 
The message which includes the program or subsystem name and the message itself, separated by a colon. The following is an example of a Syslog message: Sep 4 10:10: foo[421]: this is a message from WebSRV Getting Started: Launching GFI EventsManager for the first time All configuration settings for GFI EventsManager are carried out from the GFI EventsManager management console. To open the GFI EventsManager 2BGetting Started 23
26 Quick start dialog management console click on: Start All Programs GFI EventsManager 7 Management Console. Screenshot 6 - Quick Start Dialog The first time that the management console is launched, the Quick Start Dialog will open up by default. This dialog will assist you in the configuration of core operational parameters which GFI EventsManager requires at first startup. Parameters to be configured at startup are: Database backend: Required parameters include SQL Server name/ip and details of the database backend to use for event archiving. GFI EventsManager administrator account details: Required parameters include the address, mobilephone number and the name/ip of computers where alerts will be sent. General alerting options: Required parameters include SMTP server details and SMS gateway/service provider for /sms alerts. The Quick Start Dialog includes links which will take you directly to the configuration dialogs from where you can directly configure these core operational parameters. 24 2BGetting Started GFI EventsManager
Configuring the database backend

The need for archiving computer logs

Archiving of events is crucial in environments that are striving to be legally compliant with SOX, HIPAA and other equally important data retention and protection regulations. For legal and compliance reasons, corporations must provide central and secure log data archives which are physically separate from the log data used for real-time analysis; the main reason is that raw log data must be kept intact.

GFI EventsManager allows you to optionally archive both processed and unprocessed events into an SQL Server based database backend. This not only supports your efforts to achieve legal compliance but also provides you with:
- A collection of events that can be used for activity analysis and reporting purposes.
- A collection of filtered events (in the case of processed logs).
- A backup of your original log data so that it can be used in case of emergency.

GFI EventsManager also allows you to automatically back up your backend. This way you can keep a copy of your log data physically separate from the log data used for real-time analysis. You can also trigger database backend backups manually. For more information on how to manually back up your database backend refer to the Backup events section in the Log Browser chapter.

Screenshot 7 - Quick Start Dialog: Link to database backend settings

To configure the database backend settings for the first time, click on the link provided in the Quick Start Dialog. This brings up the Database Options dialog. More information on how to configure these options is provided below.

Configuring SQL Server details

Screenshot 8 - Database Options - Change database tab

To configure the SQL Server and database backend details:
1. Specify the name/IP of your SQL Server.
2. Specify a name for your database backend (e.g. EventsManagerDB).
3. Select the authentication method to be used when connecting to the SQL Server. If SQL Server authentication is selected, specify the login username and password.
4. To configure the database backend maintenance options, click on the Maintenance tab. For information on how to configure maintenance options refer to the Maintaining the database backend section.
5. Finalize your configuration settings by clicking OK.
Changing database backend settings

Screenshot 9 - Database configuration options

Once configured, you can still make changes to the database maintenance parameters. To achieve this:
1. Click on the Configuration option.
2. From the secondary option bar which opens underneath, select Options.
3. From the left pane, right-click on the Database Operations node and select Properties.
4. Configure the required parameters as described in the above sections.

Configuring GFI EventsManager administrator account

GFI EventsManager automatically sends out email, network or SMS alerts to specific recipients whenever particular events are discovered. Therefore, you must configure the contact details of the intended recipients in order to effectively distribute alerts. For example, you need to configure the email address of your recipient(s) in order to send them email alerts. GFI EventsManager allows you to create a custom list of recipients which you can organize into groups to speed up administrative tasks.

By default, GFI EventsManager automatically creates the EventsManagerAdministrator account. However, you must still configure user specific details such as the email address and mobile number of the GFI EventsManager administrator. For every user, you can configure the following parameters:
- Contact details including email address and phone number
- The typical working hours
- The type of alert to send during and outside working hours
- The notification group to which the user belongs.

Screenshot 10 - Quick Start Dialog: Link to administrator account settings

To configure the EventsManagerAdministrator account for the first time, click on the link provided in the Quick Start Dialog.

Screenshot 11 - EventsManagerAdministrator properties

This brings up the EventsManagerAdministrator properties dialog. Start configuring the account as follows:
1. Specify the contact details such as email address and mobile number as required.
2. Specify the computers to which network alerts addressed to the administrator will be sent.
3. Click on the Working Hours tab.

Screenshot 12 - Configuring the typical working hours of an alert recipient

4. Select the typical working hours of the administrator/user.

Screenshot 13 - Selecting alerts to be sent during and outside working hours

5. Click on the Alerts tab and select which alerts will be sent during and outside working hours.

Screenshot 14 - Notification groups to which a user belongs

6. Click on the Member Of tab and select the notification groups to which the user belongs. By default the administrator is a member of the EventsManagerAdministrators notification group.
7. Click on the OK button to finalize your settings.

Once configured, you can still make changes to the properties configured in the administrator account. For more information on how to achieve this refer to the Configuring users and groups chapter.

Configuring the general alerting options

GFI EventsManager automatically sends out email, network or SMS alerts whenever particular events are discovered. Supported alerting methods require the configuration of a set of general alerting parameters that are network specific. For example, to send email alerts, GFI EventsManager must know which SMTP server will be used to propagate the email alerts.

Screenshot 15 - Quick Start Dialog: Link to default alerting options

To configure the general alerting parameters for the first time, click on the Configure Alerting options link provided in the Quick Start Dialog.
Screenshot 16 - Alerting options dialog

This brings up the Alerting Options dialog. Use the Email, Network and SMS tabs provided in this dialog to configure the default alerting settings. More information on how to configure these settings is provided below.

Configuring email alerts

Screenshot 17 - Mailserver properties dialog box

To configure email alerts do as follows:
1. From the Email tab, which opens by default, click on the Add button.
2. Specify the name/IP of your mail server. If required, specify also the mail server authentication details.
3. Specify the email address and display name that will be used when sending alerts.
4. Click on OK to finalize settings.
5. To customize the email message text, click on the Format Message button.
6. If required, click on the Network or SMS tabs to configure the respective parameters.
7. Click OK to finalize your settings.

Configuring network alerts

No configuration settings are required for network alerts from this dialog. However, you can customize the network message by clicking on the Format network message button.

Configuring SMS alerts

Screenshot 18 - Alerting Options: SMS dialog box

SMS alerts can be sent using various methods. Supported methods include the GFI FAXmaker SMS gateway and the Clickatell email to SMS service gateway. To configure which method will be used to convey SMS alerts do as follows:
1. From the provided drop-down, select the SMS system through which SMS notifications will be sent.
2. Select the property to be configured from the list provided and click Edit. For information on how to configure SMS alerting parameters refer to Appendix 1 SMS Settings in this manual.
3. Repeat until all required properties have been configured.
4. To customize the SMS alert message, click on the Format SMS message button.
5. Click on OK to finalize your settings.

Changing the general alerting options

Screenshot 19 - Alerting options screen

Once configured, you can still make changes to the general alerting options. To achieve this:
1. Click on the Configuration option.
2. From the secondary option bar which opens underneath, select Options.
3. From the left pane, right-click on the Alerting Options node and select Edit alerting options.
4. Configure the required parameters as described in the above sections.
Getting started: Processing event logs

At this stage, you have configured all the core operational parameters required by GFI EventsManager on first startup. To proceed to the next stage and start processing your logs you must specify:
- Event sources: The name/IP of the computers from where events will be collected for processing.
- Events to be processed: The logs (Windows EVT, W3C or Syslogs) that will be processed.
- Event processing rules: The processing rules that will be applied against collected events.
- Alerting methods and actions: The actions that will be triggered and the alerts that will be generated during event processing.

The next 3 chapters explain how to configure the above mentioned parameters.

Screenshot 20 - Quick Start Dialog: Click the Start button to configure event sources

You can proceed to configure functional parameters directly from the Quick Start Dialog by clicking on the Start button. This takes you to the configuration of Log Sources. For more information on how to configure event sources refer to the next chapter.
Configuring event sources

Introduction

Event sources are computers that contain the logs to be processed by GFI EventsManager. In GFI EventsManager, these event sources are organized into specific computer groups. You can create custom computer groups tailored to your network infrastructure or you can use the pre-defined computer groups that ship by default with this product. For example, you can use the default computer groups to distinctively organize and configure the servers, workstations and laptops that will be monitored by GFI EventsManager; or you can choose to group target computers that have specific roles on your network such as Web Servers, File Servers and Data Servers.

Adding new event sources to a default group

Screenshot 21 - Configuring the computers that will be monitored

To configure event sources:
1. Click on the Configuration option.
2. Right-click on the Computer Group which will contain the new event sources and select Add new computer. This brings up the target computers configuration wizard.

Screenshot 22 - Configuration wizard: Specify the computers that will be monitored

3. Specify the name/IP of the new event source and click Add. Repeat until you have specified all the event sources to add to this group.
NOTE: To import the list of event sources from a text file click on the Import button. To select your targets from a list, click on the Select button.
4. Click Finish to finalize your settings.
NOTE: GFI EventsManager attempts to collect logs from the configured sources immediately after you click the Finish button.

Configuring event source properties

The general and event processing parameters of event sources are configurable via the Properties dialog. You can configure these parameters on a:
- Computer by computer basis. To configure the parameters of a particular computer in a group, go to the right pane of the management console, right-click on the required computer and select Properties. This brings up the Computer Properties dialog.
- Computer group by computer group basis. To configure the parameters of a computer group, right-click on the computer group to be configured and select Properties. This brings up the Computer Group Properties dialog.

Through the properties dialog you can configure:
- General event source properties
- Alternative domain administrator credentials
- Event source operational time
- Log processing parameters for Windows event logs, W3C logs and Syslog logs.

Configuring general event source properties

Screenshot 23 - Computer group properties dialog

Use the General tab in the properties dialog to:
- Change the name of a computer group.
- Enable/disable log collection and processing for the computers in a group.
- Configure the log collection and processing frequency.

NOTE: In GFI EventsManager, you can also trigger the log collection process manually. To achieve this:
1. Right-click on the computer group which contains the required event sources.
2. Select Scanning options > Scan now.
Screenshot 24 - Triggering log collection manually

Configuring alternative domain administrator credentials

During event processing, GFI EventsManager must remotely log on to the target computers. This is required in order to collect the log data that is currently stored on the target computers and pass this data on to the event processing engine(s). To collect and process logs, GFI EventsManager must have administrative privileges over the target computers.

By default, GFI EventsManager logs on to target computers using the credentials of the account under which it is currently running; however, certain network environments are configured to use different credentials to log on to workstations and servers with administrative privileges. As an example, for security purposes, network administrators can set up a dedicated account that has administrative privileges over workstations only and a different account that has administrative privileges over servers only.

Screenshot 25 - Configuring alternative logon credentials

GFI EventsManager allows you to configure a dedicated set of logon credentials for individual target computers as well as for computer groups. To configure a set of credentials for a particular computer group:
1. Bring up the (computer/computer group) properties dialog.
2. Click on the Logon Credentials tab.
3. Specify the login name and password which will be used to log on and collect logs from the target computer(s).

Configuring event source operational time

GFI EventsManager includes an Operational Time option through which you specify the normal working hours of your event sources. This is required so that GFI EventsManager can keep track of the events that occur both during and outside working hours. Use the operational time information for forensic analysis and to identify network computers that are being misused outside normal working hours. For example, through this information, you can discover unauthorized user access, illicit transactions carried out outside normal working hours and other potential security breaches that might be taking place on your network.

Screenshot 26 - Specify operational time

Operational time is configurable on a computer group basis. Configuration is achieved through the Operational Time tab provided in the computer group properties; operational time is configured by marking the normal working hours on a graphical operational time scale which is divided into 1 hour segments.

Configuring event processing parameters

To configure event processing parameters:

Screenshot 27 - Event-processing configuration tabs

1. Bring up the (computer/computer group) properties dialog.
2. Use the Windows Event Log tab, W3C Logs tab and Syslog tab to configure the required event processing parameters. For more information on how to configure these parameters refer to the Configuring event processing rules chapter.
Configuring event processing rules

Introduction

GFI EventsManager allows you to collect and process 3 types of logs: Windows event logs, W3C logs and Syslogs. All 3 supported log types record events in a different and proprietary format; therefore every log type requires different configuration settings and parameters. You can configure log collection and processing parameters:
- On a computer by computer basis
- On a computer group by computer group basis.

During event processing, GFI EventsManager runs a configurable set of rules against the collected logs in order to classify events and trigger alerts/actions accordingly. By default, GFI EventsManager ships with a pre-configured set of event processing rules that allow you to gain network-wide control over computer logs with negligible configuration effort.

Event processing rules

Event processing rules are instructions/checks that:
- Analyze the collected logs.
- Classify the severity of processed events. Classification is based on the configuration settings of the processing rule.
- Filter events that match specific criteria. For example, you can create and run a rule which filters out low severity events and noise (duplicate events).
- Generate alerts and actions based on event severity. For example, you can configure GFI EventsManager to send both SMS and email alerts whenever an event is classified as critical, but limit the product to sending only email alerts when an event is classified as high in severity. For more information on how to configure alerts and actions refer to the Configuring alerting and actions chapter.
- Optionally archive filtered events. Event archiving is based on the severity of the event and on the configuration settings of the event processing rules. For example, you can configure GFI EventsManager to archive only events that are classified critical or high in severity and discard all the rest.

In GFI EventsManager, event processing rules are organized into rule-sets, and every rule-set can contain one or more specialized rules which can be run against collected logs.

Screenshot 28 - Rule-sets folder and Rule-sets

Rule-sets are further organized into Rule-set Folders. This way you can group rule-sets according to the functions and actions that the respective rules perform. For example, the Security rule-sets folder groups rule-sets that contain security event processing rules. By default, GFI EventsManager ships with pre-configured folders, rule-sets and event processing rules that can be further customized to suit your event processing requirements.

Event classification

GFI EventsManager classifies events in 5 categories:
- Critical
- High
- Medium
- Low
- Noise (unwanted or repeated log entries).

Event classification is based on the configuration of the rules that are executed against the collected logs. Events that don't satisfy any event classification conditions are tagged as unclassified and can be set to trigger the same alerts and actions available for classified events.

Event processing, classification and actions flowchart

The flowchart below illustrates the event processing stages performed by GFI EventsManager.
Screenshot 29 - Log processing, classification and actions flowchart

Collecting and processing Windows events

Overview

Windows events are organized into specific log categories; by default, computers running on Windows NT or higher record errors, warnings and information events in 3 logs, namely the Security, Application and System logs. Computers that have more specialized roles on the network (e.g. Domain Controllers, DNS Servers, etc.) have additional event log categories.

Screenshot 30 - Computer group properties: Configuring logs to be processed

By default, Windows Operating Systems record events in the following logs:
- Security events log: This log contains security related events through which you can audit successful or attempted security breaches. Typical events found in the Security events log include valid and invalid logon attempts.
- Application events log: This log contains events recorded by software applications/programs, such as file errors.
- System events log: This log contains events logged by Windows XP system components, such as failures to load device drivers.
- Directory service log: This log contains events generated by the Active Directory, including successful or failed attempts to update the Active Directory database.
- File Replication service log: This log contains events recorded by the Windows File Replication service. These include file replication failures and events that occur while domain controllers are being updated with information about sysvol.
- DNS server log: This log contains events associated with the process of resolving DNS names to IP addresses.

Screenshot 31 - Computer group properties: Configuring Windows event logs parameters

To configure Windows event log collection and processing parameters you must:
- Select the events to be collected.
- Specify whether the collected logs will be processed (filtered, etc.) or just archived without processing.
- Select the event processing rule-sets/rules that will be run against the collected logs.

Selecting the events to be collected

To specify which Windows events will be collected by GFI EventsManager:
1. Bring up the (computer/computer group) properties dialog.
2. Click on the Windows Event Log tab.

Screenshot 32 - Selecting the events to be collected

3. Click on Add and select the check-box of the events that will be collected.
NOTE: GFI EventsManager supports custom event logs. For information on how to configure custom event logs please refer to the Configuring Custom Event Logs section in this chapter.
4. (Optionally) Select the option Clear collected events after completion to clear the collected events from the event sources.
IMPORTANT: Deleting events from source logs without having them archived or backed up may lead to legal compliance issues. Please make sure to archive or back up important events according to the standards implied by data retention and data protection regulations.

Archiving Windows events

For information on how to archive events refer to the Archiving events section in this chapter.

Selecting Windows event processing rules

For information on how to select event processing rules refer to the Selecting event processing rules section in this chapter.

Configuring Custom Event Logs

GFI EventsManager is configured to collect and process the standard Windows event logs. However, GFI EventsManager can also be configured to manage events recorded in third-party application logs such as anti-virus logs, software firewall logs and the logs of other security software. To configure custom events:
1. Click the Configuration option in the primary options bar.
2. Click Options from the secondary option bar.

Screenshot 33 - Custom Event Logs setup

3. From the left pane, right-click on the Custom Events Logs node and select Edit custom logs. This opens the Custom events logs dialog.
4. Click on the Add button. Specify the name of your custom event log and click the OK button to finalize your settings.

Collecting and processing W3C logs

W3C is another log format supported by GFI EventsManager. W3C logs are text-based flat files containing various event details delimited by special characters. The W3C log format is most commonly used by hardware systems (e.g. servers and appliances) which have internet specific roles. The Microsoft Internet Information Server (IIS) service and Apache web servers, for example, can collect web related events (i.e. web logs) in the form of W3C formatted text files.

In GFI EventsManager, the configuration process for W3C log parameters is identical to that performed for Windows event processing, with one exception. Unlike Windows event logs, there is no standard which dictates a specific or centralized folder location where W3C log files are stored on disk. Therefore, in order to collect W3C logs, you must specify the complete path to these text-based log files.

Selecting the events to be collected and processed

To specify which W3C logs will be collected by GFI EventsManager:
1. Bring up the (computer/computer group) properties dialog.
2. Click on the W3C Log tab.

Screenshot 34 - Computer group properties: Configuring W3C event processing parameters

3. Click on Add and specify the log file name and location. Wildcards such as *.* are supported.
4. (Optionally) Select the option Clear collected events after completion to clear the collected events from the event sources.
IMPORTANT: Deleting events from source logs without having them archived or backed up may lead to legal compliance issues. Please make sure to archive or back up important events according to the standards implied by data retention and data protection regulations.

Archiving W3C events

For information on how to archive events refer to the Archiving events section in this chapter.

Selecting W3C event processing rules

For information on how to select event processing rules refer to the Selecting event processing rules section in this chapter.
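A parser for the two W3C formats named in this manual, added here as an example and not part of GFI EventsManager or this document: it reads the #Fields directive that defines the columns of an Extended Log File (including a mid-file redefinition) and rejects lines whose column count disagrees with it, and matches Common Log File format lines against a fixed layout. The sample log text, addresses, dates and paths are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout shown in the Getting Started chapter; the
# second #Fields directive mimics IIS redefining the columns part-way through
# a file when its logging options are changed.
SAMPLE_EXTENDED_LOG = """#Software: constructed sample
#Version: 1.0
#Date: 2007-03-28 00:00:00
#Fields: time cs-method cs-uri
00:34:23 GET /WebSRV/Pg_Snippet.html
12:21:16 GET /WebSRV/Button_pg.html
#Fields: time c-ip cs-method cs-uri sc-status
12:45:52 10.0.0.7 GET /WebSRV/Login_Pg.html 200
12:57:34 10.0.0.9 GET /WebSRV/Error_msg.html 404
12:58:01 10.0.0.9 GET
"""

# W3C Common Log File format line, as written by Apache by default:
#   host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_w3c_extended(text: str) -> Dict[str, object]:
    """Parse an Extended Log File into directives, records and rejected lines.

    Column names come from the most recent #Fields directive, so a directive
    appearing mid-file redefines the layout for the lines after it. A line
    whose column count disagrees with the directive is reported instead of
    being zipped onto the wrong field names: a truncated or edited line must
    not be silently attributed to the wrong column during forensic review.
    """
    directives: Dict[str, str] = {}
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    rejected: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            name, value = name.strip(), value.strip()
            if name == "Fields":
                fields = value.split()
            else:
                directives[name] = value
            continue
        if not fields:
            rejected.append(f"{lineno}: data line before any #Fields directive: {line}")
            continue
        columns = line.split()
        if len(columns) != len(fields):
            rejected.append(f"{lineno}: expected {len(fields)} columns, got {len(columns)}: {line}")
            continue
        records.append(dict(zip(fields, columns)))
    return {"directives": directives, "records": records, "rejected": rejected}


def parse_common_log_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one Common Log File format line; None if it does not match.

    The fixed layout is the limitation the manual describes: there is no room
    for referrer, user agent or transfer time without the Extended format.
    """
    match = CLF_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    method, _, rest = record["request"].partition(" ")
    uri, _, protocol = rest.partition(" ")
    record.update(method=method, uri=uri, protocol=protocol)
    return record


if __name__ == "__main__":
    result = parse_w3c_extended(SAMPLE_EXTENDED_LOG)
    print(f"{len(result['records'])} records, {len(result['rejected'])} rejected")
    for bad in result["rejected"]:
        print("  rejected", bad)
    print(parse_common_log_line(
        '10.0.0.7 - alice [28/Mar/2007:10:10:10 +0000] "GET /WebSRV/Login_Pg.html HTTP/1.0" 200 512'))
```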
Collecting and processing Syslogs

Syslog is a data logging service that is most commonly used in Linux and UNIX based environments. The concept behind Syslogs is that the logging of events and information is entirely handled by a dedicated server called a Syslog Server. This means that, unlike Windows and W3C log based environments, regular programs do not log any information. They just send events in the form of data messages (technically known as Syslog Messages) to a Syslog server that manages the message and saves the data in a log file.

Screenshot 35 - Computer group properties: Syslog processing parameters

In order to process Syslog messages, GFI EventsManager ships with a built-in Syslog Server. This Syslog server automatically collects, in real-time, all Syslog messages/events sent by Syslog sources and passes them on to the event processing engine. A built-in buffer allows the Syslog server to collect, queue and forward up to 30 Syslog messages for batch processing. Buffered logs are by default passed on to the event processing engine as soon as the buffer fills up or at 1 minute intervals, whichever comes first.

Figure 6 - Syslog messages must be directed to the computer running GFI EventsManager

NOTE: For Syslog message processing, ALL Syslog sources (e.g. workstations, servers, network appliances, etc.) must be configured to send their messages to the computer/IP where GFI EventsManager is installed. This also applies to the computer that is running GFI EventsManager.

In GFI EventsManager, Syslog event processing parameters are configured as follows:
1. Open up the (computer/computer group) properties dialog.
2. Click on the Syslog tab.
3. To enable the Syslog server and listen for messages sent by the computers in a computer group, select the option Accept Syslog Messages from this computer group.
IMPORTANT: Deleting events from source logs without having them archived or backed up may lead to legal compliance issues. Please make sure to archive or back up important events according to the standards implied by data retention and data protection regulations.
NOTE 1: The GFI EventsManager Syslog server is by default configured to listen for Syslog messages on port 514. For more information on how to customize the Syslog server port settings refer to the Configuring the Syslog server communications port section in this chapter.
NOTE 2: The built-in Syslog server only accepts Syslog messages sent from the computers that are part of this computer group.

Archiving Syslog events

For information on how to archive events refer to the Archiving events section in this chapter.

Selecting Syslog processing rules

For information on how to select event processing rules refer to the Selecting event processing rules section in this chapter.
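An added example, not GFI's code, of the two-part Syslog message split described in the Getting Started chapter together with the batching and source filtering described above: forward when 30 messages are queued or one minute has passed, whichever comes first, and accept only messages from computers in the configured group. It goes slightly beyond the manual's example by also accepting the optional <PRI> facility/severity prefix that BSD Syslog senders prepend; the source addresses, hostnames and messages are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

# Traditional BSD-style Syslog line, split as the Getting Started chapter
# describes it: header (timestamp and originating host), then program[pid]:
# and the message text. The optional <PRI> prefix encodes facility and
# severity as facility * 8 + severity.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<text>.*)$"
)

@dataclass(frozen=True)
class SyslogEvent:
    timestamp: str
    host: str
    program: str
    pid: Optional[int]
    text: str
    facility: Optional[int]
    severity: Optional[int]

def parse_syslog(message: str) -> Optional[SyslogEvent]:
    """Split one Syslog message into header and message parts; None if malformed."""
    match = SYSLOG_RE.match(message.strip())
    if not match:
        return None
    pri = int(match.group("pri")) if match.group("pri") is not None else None
    if pri is not None and pri > 191:      # facility 23, severity 7 is the largest valid PRI
        return None
    return SyslogEvent(
        timestamp=match.group("timestamp"),
        host=match.group("host"),
        program=match.group("program"),
        pid=int(match.group("pid")) if match.group("pid") else None,
        text=match.group("text"),
        facility=pri // 8 if pri is not None else None,
        severity=pri % 8 if pri is not None else None,
    )

class SyslogBatcher:
    """Queue accepted messages and hand them to the processing engine in batches.

    Forwards when 30 messages are queued or one minute has passed since the
    first queued message, whichever comes first. Messages from addresses outside
    the configured computer group are dropped; the check uses the sending
    address, not the hostname inside the message, which any sender can forge.
    """
    MAX_QUEUE = 30
    MAX_AGE_SECONDS = 60

    def __init__(self, forward: Callable[[List[SyslogEvent]], None],
                 now: Callable[[], float], accepted_sources: Set[str]):
        self._forward = forward
        self._now = now
        self._accepted = accepted_sources
        self._queue: List[SyslogEvent] = []
        self._opened_at = 0.0
        self.dropped = 0

    def submit(self, source_ip: str, raw: str) -> bool:
        """Return True if the message was accepted and queued."""
        event = parse_syslog(raw) if source_ip in self._accepted else None
        if event is None:
            self.dropped += 1
            return False
        if not self._queue:
            self._opened_at = self._now()
        self._queue.append(event)
        self._flush_if_due()
        return True

    def tick(self) -> None:
        """Call periodically so an under-filled queue still flushes after one minute."""
        self._flush_if_due()

    def _flush_if_due(self) -> None:
        if not self._queue:
            return
        aged = self._now() - self._opened_at >= self.MAX_AGE_SECONDS
        if len(self._queue) >= self.MAX_QUEUE or aged:
            batch, self._queue = self._queue, []
            self._forward(batch)

if __name__ == "__main__":
    # Constructed messages; 10.0.0.5 is the only source in the computer group.
    batches: List[List[SyslogEvent]] = []
    clock = [0.0]
    batcher = SyslogBatcher(batches.append, lambda: clock[0], {"10.0.0.5"})
    batcher.submit("10.0.0.5", "<34>Sep  4 10:10:10 WebSRV foo[421]: this is a message from WebSRV")
    batcher.submit("10.0.0.99", "Sep  4 10:10:11 rogue sshd[1]: not in the computer group")
    clock[0] = 61.0
    batcher.tick()
    print(f"{len(batches)} batch(es) forwarded, {batcher.dropped} message(s) dropped")
```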
53 Configuring the Syslog server communications port To change the default Syslog port settings: Screenshot 36 Configuring Syslog Server 1. Select Configuration from the primary options bar. 2. Select Options from the secondary options bar. 3. From the left pane, right-click the Syslog Server Configuration node and select Edit Syslog options GFI EventsManager 4BConfiguring event processing rules 51
54 Archiving events Screenshot 37- Syslog server properties 4. Select the Enable in-built Syslog server on port: option and specify the port on which GFI EventsManager will receive/listen for Syslog messages. 5. Select OK to finalize your settings. NOTE: When configuring Syslog server port settings, make sure that the configured port is not already in use by other installed applications. This may affect the delivery of Syslog messages to GFI EventsManager. Archive events without processing logs Screenshot 38 - Archiving events without processing By default, GFI EventsManager is configured to process all event logs collected from target computers. To archive events without processing logs, select the Archive only option. Archiving events after processing Processed events can be optionally archived into the GFI EventsManager database backend. By default, GFI EventsManager can be configured to automatically archive events: Based on their classification. For example, you can configure default settings which archive only critical events. For information on how to configure event archiving based on event classification 52 4BConfiguring event processing rules GFI EventsManager
refer to the Configuring default classification actions section in the Configuring alerts and actions chapter.
- Based on the conditions configured in the event processing rules. Rules provide an alternative and more flexible way to archive processed events. Through these rules, you can selectively archive only those events that satisfy specific rule condition(s), regardless of their classification. For example, you can configure a rule which archives only Critical events with ID 537. For more information on how to create and configure event processing rules, refer to the Configuring event processing rules chapter.

Selecting event processing rules

Screenshot 39 - Computer group properties: Configuring Windows event logs parameters

In order to process and classify events, you must specify which rules will be applied against the collected logs. This is achieved by selecting the rule-sets folder or rule-set(s) that contain the required event processing rules.

Screenshot 40 - Selecting event processing rules/rule-sets

However, you must pay attention and choose the right rule for the job. The rule-sets that ship with GFI EventsManager are preconfigured for specific logs; therefore it is imperative that you choose
rule-sets that can effectively process the events recorded in the collected logs. Certain rule-sets contain specialized rules that are event specific. Therefore these rules will only be effective when used to process such specific events; failing to do so will result in erroneous event processing, data loss and non-significant results. For example, the Monitoring and Attack detection rule-set contains rules specifically built to process Windows Security events. Therefore it will not be very effective if used to process Windows Application events.

NOTE 1: By default, GFI EventsManager ships with pre-selected rule-sets/folders that can effectively process Windows event logs. If you are new to the product or you are not yet acquainted with the functionality of rule-sets, we recommend that you leave these settings at their defaults.

NOTE 2: If no rule-sets are shown in the selection window, this means that no event processing rules exist for the type of log being configured. For more information on how to configure event processing rules and rule-sets, refer to the Configuring event processing rules chapter.
Configuring alerts and actions

Introduction

During event processing, GFI EventsManager can automatically generate various actions whenever particular events are encountered. Supported actions include alerts and event archiving. You can specify alerts and actions to be triggered in two ways:

1. By configuring a set of Default classification actions.
2. By creating or customizing rules and rule-sets.

Default classification actions

Through the configuration parameters provided in the default classification actions, you can trigger alerts and actions based only on event classification. For example, default classification parameters can be configured to trigger alerts for all classified events (critical, high, medium and low) but archive only critical events.

Generating actions through event processing rules

Rules allow you to configure actions on a more granular level. Rules allow you to configure and trigger actions whenever an event fits one or more specific conditions. For example, you can create a rule which archives only events having event ID 231, regardless of their classification.

Supported actions

GFI EventsManager supports the following actions:

- Archive the event - Archives the classified event into the GFI EventsManager database back-end.
- Send email/sms/network notifications to - Sends email, SMS and network alerts to specific recipients.
- Run File - Runs an executable file. Files that can be executed include VBScripts (.VBS), batch files (.BAT) or another executable type of file (.EXE). You can also specify any command-line parameters to pass on to the executable file.
Configuring default classification actions

Screenshot 41 - Configuring default classification actions

To configure default classification actions:

1. Select Configuration from the primary options bar.
2. Select Options from the secondary options bar.
3. From the left pane, right-click on the Default Classification Actions node and select Edit default option.
Screenshot 42 - Default classification actions screen

4. From the provided drop-down, select the event classification to be configured.
5. From the provided list of supported actions, select the ones to be triggered for the selected classification.
6. Click on the Configure button to specify any parameters required by the selected action.

NOTE: Be aware that assigning actions to events classified as Low might generate:

- A lot of network traffic (especially if email, SMS or network alerts are being generated)
- A high volume of database data/transactions if events are being archived.

Configuring actions through event processing rules

For more information on how to trigger actions through event processing rules, refer to the Configuring event processing rules chapter.
Event browsing

Introduction

The Event Browsing option allows you to access and browse processed or unprocessed events/logs that are currently stored in the main or backup database backends.

Screenshot 43 - GFI EventsManager: Events Browser

Use the Events Browser for forensic analysis of events. All events accessible through the Events Browser are organized (by log type) in 3 tabs: Windows Events Browser tab, W3C Events Browser tab and Syslog Events Browser tab. This way you can quickly access the events belonging to a particular log type. Event data is organized into columns, and clicking on a particular event will show additional information in a dedicated event description pane.
Screenshot 44 - Event details provided on the web-page

When browsing Windows events, in addition to the information provided in the event description pane, you will also find a link. Use this link to access more detailed event information over the web, including:

- A detailed description of the event
- Links and tips that explain what causes this type of event and how to possibly solve any related issues.

Event Browsing tools

Event analysis is quite a demanding task; GFI EventsManager is equipped with specialized tools that simplify the search for specific events. These specialized tools include:

- An event filter/query builder
- Event color-coding options
- Event finder tool.
Event filter/query builder

Screenshot 45 - Custom query builder

Use the event query builder that ships with GFI EventsManager to create custom filters that sift event data and display only the information that you need to browse, without deleting a single record from your database backend. In addition, GFI EventsManager ships with pre-configured queries that can filter events without any configuration effort: just click and go.

Screenshot 46 - Default and custom event queries
Event color-coding options

Screenshot 47 - Event color coding filters

Use the event color-coding tool to tint key events in a particular color. This way the required events are easier to locate during event browsing. For example, you can create a query that shows events classified as Critical or High and at the same time color in red all Critical events having event ID 231. The configuration of color-codes is carried out through a dedicated query builder. Use this query builder to specify:

- The conditions that define which events must be colored
- The colors to be used when showing these events.

Event finder tool

Screenshot 48 - Event finder tool

Use the event finder tool to locate events that match a specific search string. For example, you can search for events that have a specific ID or which contain specific keywords in the description.

Accessing and browsing stored event logs

To access and browse events stored in the database backend:

1. Select Events Browser from the primary option bar.
Screenshot 49 - Events browsers

2. From the secondary options bar, click on Windows Events Browser, W3C Events Browser or Syslog Events Browser accordingly.

Applying event queries

To run an event query:

1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or Syslog Events Browser accordingly.
3. Select the required query from the filter options in the left pane. Filtered events will be displayed in the right pane.

Creating custom event queries

Screenshot 50 - GFI EventsManager: Events Browser

In GFI EventsManager, custom queries are added as a sub-node within the default queries that ship with the product. To create custom event queries:
1. Click Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or Syslog Events Browser.
3. Right-click on the default query under which the new event query will be created and select Query builder. This will bring up the event query builder.

Screenshot 51 - Custom query builder

4. Specify a name and a description for the new query.
5. Click Add, configure the required query condition(s) and click OK. Repeat until all required query conditions have been specified.
6. Click OK to finalize your settings.

Customizing the event viewer pane

Selecting columns to be displayed

To select which columns will be displayed in the Log Browser's viewing pane:

1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or Syslog Events Browser.
3. Select the Customize view option from the Common Tasks area in the left pane.

Screenshot 52 - Customize view: columns

4. Select the Columns option.
5. Select the columns that will be displayed in the viewing pane. Use the up/down arrows on the side to define the order in which the columns will be shown.
6. Close the Customize view pane to finalize your settings.

Customizing the position of the description window

GFI EventsManager allows you to customize the right viewing pane. To achieve this:

1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or Syslog Events Browser accordingly.
3. Select the Customize view option from the Common Tasks pane.

Screenshot 53 - Customize view

4. Select the view that you want to use.
Configuring event color coding

Assigning a color-code to a specific event

Screenshot 54 - Assigning event color-codes

To assign a color-code to a specific event:

1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or Syslog Events Browser accordingly.
3. Select the Customize view option.
4. From the right pane, select the Colors option.
5. Specify the query/filter condition and choose the color to be applied to the sifted events.
6. Click on the Apply Color button to finalize your settings.

NOTE: To clear all color settings, select the Clear color filters option.

Assigning different color-codes to multiple events

To assign different color-codes to multiple events:

1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or Syslog Events Browser accordingly.
3. Select the Customize view option.
4. Select the Colors option and click on Advanced.

Screenshot 55 - Advanced Color Filter

5. Click Add, specify a name for the color filter condition and configure the condition parameters. Click OK to finalize your settings. Repeat until all required conditions have been configured.
6. Click OK to finalize your settings.

Event finder tool

Use the event finder tool to search and locate specific events using simple customizable filters. To search for a particular event:

1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or Syslog Events Browser accordingly.
3. Select the Find events option from the Actions area in the left pane.

Screenshot 56 - Event finder tool

4. Specify the event search conditions through the options provided on top of the right pane. To trigger a case sensitive search, click on Options and select the Match case option.
5. Click Find to trigger the search.

Backup events

GFI EventsManager allows you to back up the events stored in the main database backend. This way you can reduce the size of your main database backend while keeping all your event records for historical and forensic investigation purposes. Use the backup events feature to back up events that are older than a specific number of hours. For example, you can choose to back up events that are older than 48 hours. To back up events:

1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or Syslog Events Browser accordingly.
3. Select the Backup events option from the Actions area in the left pane.

Screenshot 57 - Backup events dialog box

4. Specify the time period (in hours).
5. Select the OK button to finalize your settings.
Switching databases

For event browsing purposes, GFI EventsManager allows you to switch between the main and backup database backends. Use this feature to browse events that have been backed up, using the tools provided in the Events Browser. To achieve this:

1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or Syslog Events Browser accordingly.
3. Select the Switch to main/backup database option from the Common tasks area in the left pane.

Clear all events

To clear ALL the events stored in the currently selected database:

1. Select Events Browser from the primary option bar.
2. Click on Windows Events Browser, W3C Events Browser or Syslog Events Browser accordingly.
3. Select the Clear all events option from the Actions pane.

Screenshot 58 - Clear all events dialog box

4. If you are currently browsing events from the main database, specify whether you want to back up events before clearing or clear without backing up your events.
Status monitoring

Introduction

The status monitor is a dashboard that shows the status of GFI EventsManager and provides statistical information related to the events collected, processed and archived by this product. The status monitor consists of three different dashboard views: General view, Job Activity view and Statistics view.

Accessing the status monitor

To access the status monitor:

1. Click the Status option from the primary options bar.

Screenshot 59 - Dashboard View Options

2. Select the required dashboard view by clicking on the General option, Job Activity option or Statistics option accordingly.
General Status view

Screenshot 58 - GFI EventsManager status: General view

Use the General option to:

- View the status of the GFI EventsManager event processing engine
- Access statistical information such as the number of events processed on a computer by computer basis.

The information provided in this view is divided into dedicated sections. More details on these sections are provided below.
EventsManager Service status

Screenshot 60 - GFI EventsManager General Status view: Service Status

This section shows:

- The operational status of the GFI EventsManager service/event processing engine
- The user account under which the GFI EventsManager engine is running
- The time when the event processing service was started.

IMPORTANT: The GFI EventsManager service will not start if no database backend is currently configured.

Syslog Server status

Screenshot 61 - GFI EventsManager General Status view: Syslog Server status

This section shows:

- The operational status of the Syslog server
- The Syslog server messaging/communication port.
Database Backend Status

Screenshot 62 - GFI EventsManager General Status view: Database Backend Status

This section shows:

- The operational status of the database server currently in use by GFI EventsManager
- The name of the database server currently in use by GFI EventsManager
- The name of the database in which GFI EventsManager is archiving collected events.

Global Event Count

Screenshot 63 - GFI EventsManager General Status view: Global Event Count

This section graphically represents the percentage of Windows, W3C and Syslog events processed by GFI EventsManager.
Events Type By Classification

Screenshot 64 - GFI EventsManager General Status view: Events Type by Classification

This section graphically represents the percentage of events that were:

- Classified as Critical, High, Medium or Low
- Unclassified.

Activity Overview

Screenshot 65 - GFI EventsManager General Status view: Activity Overview

This section shows:

- The total number of Windows, W3C and Syslog events processed on a machine by machine basis
- The date/time of the last event collection performed from every machine.
Job Activity view

Screenshot 66 - GFI EventsManager Job Activity view

Use the Job Activity option to view your current event collection and processing activity. This includes active event collection jobs as well as Syslog messaging history on a machine by machine basis. The information provided in this view is divided into dedicated sections. More details on these sections are provided below.
Active Jobs

Screenshot 67 - GFI EventsManager Job Activity view: Active Jobs

This section shows a list of all event collection jobs currently taking place on every event source/machine. The information provided includes the job progress as well as the Log Source from which events are being collected.

Queued Jobs

Screenshot 68 - GFI EventsManager Job Activity view: Queued Jobs

This section shows a list of all pending event collection jobs on a machine by machine basis. The information provided includes the Log Source from which events will be collected as well as the time that these jobs were queued.
Syslog Message History

Screenshot 69 - GFI EventsManager Job Activity view: Syslog Message History

This section shows a list of all Syslog messages that were received by GFI EventsManager. The information provided includes the total number of messages sent by every source machine and the date/time when the last Syslog message was received.

Operational History

Screenshot 70 - GFI EventsManager Job Activity view: Operational History

This section shows an audit trail of the event collection operations carried out by GFI EventsManager. The information provided includes errors and information messages generated during the event collection process, as well as the name of the log file that was being processed on the source machine.

Maintenance Jobs

Screenshot 71 - Job activity status

This section shows the progress of maintenance jobs that have been created through Database Operations. The information provided includes the job description as well as the time when the job began execution.
Statistics view

Screenshot 72 - GFI EventsManager Statistics view

Use the Statistics option to view the daily event activity trends and statistics of a particular computer or of your entire network. The information provided in this view is divided into dedicated sections. More details on these sections are provided below.

Events Count For Today

Screenshot 73 - GFI EventsManager Statistics view: Events Count For Today

This section graphically represents the daily event collection trend on a machine by machine basis as well as on a network by network basis. A color scheme is used to differentiate between Windows, W3C and Syslog events.
Events Count By Log Type

Screenshot 74 - GFI EventsManager Statistics view: Events Count By Log Type

This section graphically represents the number of Windows, W3C and Syslog events collected by GFI EventsManager from a particular machine or network.

Events Count by Classification

Screenshot 75 - GFI EventsManager Statistics view: Events Count by Classification

This section graphically represents (on a machine or network wide level) the percentage of events that were:

- Classified as Critical, High, Medium or Low
- Unclassified.
Windows Events Count by Event Log

Screenshot 76 - GFI EventsManager Statistics view: Windows Events Count by Event Log

This section graphically represents the percentage of Windows events collected from the Security, System, Application, DNS Server, Directory Service and File Replication Service logs.
Database Operations

Introduction

The Database Operations module in GFI EventsManager provides advanced functionality allowing administrators to:

- Centralize events collected by other remote GFI EventsManager instances into one database backend.
- Optimize GFI EventsManager performance by actively controlling database backend growth, hence keeping it in good shape.

Why is there a need for database maintenance?

Periodic database maintenance is essential in preventing excessive data growth in the database backend. A database which is large in size drastically affects the performance of GFI EventsManager: event browsing will be slower and queries will take longer to execute. There will also be a negative impact on GFI EventsManager ReportPack performance, with reports taking longer to generate.

Through GFI EventsManager a number of database operations, referred to as maintenance jobs, can be carried out on the database backend. These include:

- Move to database - Use this operation to move events from the main database to the backup database or to another existing database.
- Export to file - Use this operation to export events from the main database to a compressed binary file which can also be encrypted and backed up to CD/DVD or tape for safekeeping.
- Import from file - Use this operation to import events from GFI EventsManager export files into the main database backend.
- Delete data - Use this operation to remove events from the main or backup database backends.

For each of these operations, you can also apply filters that determine which events will be affected by the database operation.
Consolidation of events for a WAN

Figure 1: Consolidation of events for a WAN

In the case of organizations with remote geographical sites, Database Operations can be used to consolidate all or part of the event data collected in remote sites on to one central database. This is achieved using the Export to file feature, through which GFI EventsManager compresses and encrypts the file and exports it to be processed at a central location. The Import from file job is executed at the central location, importing the events from the remote site into the central database. Events for the remote site can then be viewed through the Events Browser. Reports with information relevant to the remote site can also be generated using data from the central database.

Configuring Database Operations

With GFI EventsManager you can schedule maintenance jobs to be executed on a specific day, at a specific time and at specific intervals.
Screenshot 77 - Configuring Database Operations

NOTE: Database maintenance operations may require high utilization of resources, which can degrade server and GFI EventsManager performance. Thus, it is recommended that you schedule maintenance jobs to be executed after office hours. This allows you to maximize the availability of your system resources during working hours and avoid any possible disruptions to workflow.

To configure Database Operations:

1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select Options.
3. From the left pane, right-click on the Database Operations node and select Properties. This will bring up the Database Operations Options dialog.
Screenshot 78 - Database Operations Options dialog: GFI EventsManager unique identifier

4. Specify the unique identifier by which this instance of GFI EventsManager will be identified on the network. This identifier is used as part of the export file-name during Export to file operations.

Screenshot 79 - Database Operations Options dialog: Scheduling options

5. Click on the Schedule tab to specify:

- Hours of the day during which maintenance jobs can be executed
- The interval in hours/days with which maintenance jobs will be executed
- The scheduled date/time when maintenance jobs will start being executed.

Creating maintenance jobs

To create a new maintenance job:

1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select Options.
3. From the left pane, right-click on the Database Operations node and select Create new job. This will bring up the New job wizard.
4. As soon as the welcome dialog is displayed, click on the Next button to bring up the Job Type dialog.

Screenshot 80 - New job wizard: Job Type dialog

5. Select the type of maintenance job you want to create and click Next to proceed to the configuration dialog.
6. Specify the required parameters and click Next to proceed to the data filter configuration dialog.

NOTE: For information on how to configure the parameters of a particular maintenance job, refer to the relevant section in this chapter.
Screenshot 81 - Data filter dialog: Specifying data filter conditions

7. Specify which data will be filtered from your database backend. If no filter is specified, the selected maintenance job will affect all data within your database backend. Click Next to continue.

NOTE: For more information on how to configure filter conditions, refer to the section Configuring data filter conditions in this chapter.

Screenshot 82 - Specify when the job will be executed

8. Specify whether the selected maintenance job should be scheduled or executed immediately.

NOTE 1: Scheduled jobs are executed according to the interval settings configured in the Database Operations options.

NOTE 2: Selected maintenance jobs will be executed only once.
9. Click Finish to finalize your configuration settings.

Screenshot 83 - Progress and successful completion of a maintenance job

Move to database

To create a maintenance job which moves events between the main database and any other target database:

1. Launch the New job wizard dialog and select the Move to database option.

Screenshot 84 - New job wizard: Move to database

2. Specify the database to which events will be moved. This should be either the backup database or another accessible database on the SQL Server hosting the main database.
3. Specify the frequency in hours/days at which events will be moved from the main database.
4. Click Next to bring up the data filter conditions dialog.
5. Configure the data filter conditions that will be applied for the Move to database job. If you do not set any data filter conditions, then all events older than the specified period will be moved. Click Next to continue.
NOTE: For more information on how to configure filter conditions, refer to the section Configuring data filter conditions in this chapter.

6. Specify whether the maintenance job should be scheduled or executed immediately.
7. Click on Finish to finalize configuration of the new Move to database job.

Export to file

To export events from the main database to a binary file:

1. Launch the New job wizard and select the Export to file option.

Screenshot 85 - New job wizard: Export to file

2. Specify the target folder where the exported file will be stored. Use UNC notation to specify remote paths.

NOTE: Ensure that GFI EventsManager has administrative rights over the specified target folder.

3. Specify the frequency in hours/days at which events will be exported from the main database.
4. Click Next to bring up the data protection dialog.
Screenshot 86 - New job wizard: Export to file using encryption

5. Define whether the exported event data will be encrypted, specify the password to be used for decryption and click Next to proceed to the data filter dialog.

NOTE 1: It is recommended that files to be exported are always encrypted using strong passwords.

6. Configure the data filter conditions that will be applied for Export to file jobs. If you do not set any data filter conditions, then all events older than the specified period will be exported. Click Next to continue.

NOTE: For more information on how to configure filter conditions, refer to the section Configuring data filter conditions in this chapter.

7. Define whether the maintenance job should be scheduled or executed immediately.
8. Click on Finish to finalize your settings.

Export filename

The convention used by GFI EventsManager to name the export file is shown and described below:

[ESM ID]_[Job ID]_[Date From]_[Date To].EXP

- ESM ID refers to the unique identifier given to each GFI EventsManager instance running in the organization.
- Job ID refers to the unique identifier given to each maintenance job created.
- Date From refers to the date of the earliest event exported.
- Date To refers to the date of the latest event exported.
- .EXP is the file extension given to all export files.

The following is an example of an export filename:

SERVER01_0051_ _ EXP
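The following Python snippet is an added example (it is not part of the GFI manual and not GFI code) that parses export filenames following the [ESM ID]_[Job ID]_[Date From]_[Date To].EXP convention, so that a consolidation script at the central site can pick out the well-formed files of one remote instance. The date format inside the name is not stated on this page; the example assumes eight-digit YYYYMMDD dates, and all sample filenames are constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Convention from the manual: [ESM ID]_[Job ID]_[Date From]_[Date To].EXP
# Assumption (not stated on this page): the two date fields are written as YYYYMMDD.
DATE_FORMAT = "%Y%m%d"


@dataclass(frozen=True)
class ExportName:
    esm_id: str      # unique identifier of the GFI EventsManager instance
    job_id: str      # identifier of the maintenance job that produced the file
    date_from: date  # date of the earliest event in the file
    date_to: date    # date of the latest event in the file


def parse_export_filename(filename: str) -> ExportName:
    """Split an export filename into its four fields and validate them.

    Raises ValueError for anything that does not follow the convention, so an
    import folder containing stray files is skipped over rather than mis-filed.
    """
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.upper() != "EXP":
        raise ValueError(f"not an export file: {filename!r}")
    # Split from the right so an ESM ID that itself contains underscores
    # (e.g. SITE_02) still comes out as one field.
    parts = stem.rsplit("_", 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 underscore-separated fields: {filename!r}")
    esm_id, job_id, date_from_s, date_to_s = parts
    if not esm_id or not job_id.isdigit():
        raise ValueError(f"bad ESM ID or Job ID in {filename!r}")
    try:
        date_from = datetime.strptime(date_from_s, DATE_FORMAT).date()
        date_to = datetime.strptime(date_to_s, DATE_FORMAT).date()
    except ValueError as exc:
        raise ValueError(f"bad date field in {filename!r}: {exc}") from exc
    if date_from > date_to:
        raise ValueError(f"Date From is after Date To in {filename!r}")
    return ExportName(esm_id, job_id, date_from, date_to)


def files_for_site(filenames: list[str], esm_id: str) -> list[str]:
    """Well-formed export files produced by one instance, earliest date range first."""
    parsed = []
    for name in filenames:
        try:
            info = parse_export_filename(name)
        except ValueError:
            continue  # not an export file following the convention; ignore it
        if info.esm_id == esm_id:
            parsed.append((info.date_from, info.date_to, name))
    return [name for _, _, name in sorted(parsed)]


if __name__ == "__main__":
    # Constructed sample folder listing (ESM IDs, job IDs and dates are made up).
    sample = [
        "SERVER01_0052_20070308_20070314.EXP",
        "SERVER01_0051_20070301_20070307.EXP",
        "SITE_02_0007_20070301_20070314.EXP",
        "notes.txt",
    ]
    for name in files_for_site(sample, "SERVER01"):
        print(name, parse_export_filename(name))
```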
Import from file

To import events from a file into the main database:

1. From the New job wizard dialog, select the Import from file option.

Screenshot 87 - New job wizard: Import from file

2. Specify the folder where the export file is stored. Use UNC notation to specify remote paths.

NOTE 1: Ensure that GFI EventsManager has administrative rights over the specified folder.

NOTE 2: GFI EventsManager will import all files having a .EXP extension.

3. Click Next to proceed to the data protection dialog.
Screenshot 88 - New job wizard: Import from file decryption

4. Specify the password with which the event data will be decrypted and click Next to proceed to the data filter dialog.

NOTE: Use the same password that was used for the encryption of your event data.

5. Configure the data filters that will be applied against the imported file and click Next to continue.

NOTE 1: Use data filters to define which events will be imported into the main database.

NOTE 2: For more information on how to configure filter conditions, refer to the Configuring data filter conditions section in this chapter.

6. Specify whether the maintenance job should be scheduled or executed immediately.
7. Click on Finish to finalize your settings.

NOTE: GFI EventsManager will change the file extension of all successfully imported files from .EXP to .IMP.

Delete data

To remove events from the main database:

1. From the New job wizard dialog, select the Delete data option.

NOTE: Important event data should be backed up through the Move to database or Export to file maintenance jobs. Failure to do this means that deleted records can NOT be recovered.
Screenshot 89 - New job wizard: Delete data

2. Specify whether events will be deleted from the Main database or from the Backup database.
3. Specify the frequency in hours/days at which events will be deleted from the main/backup database.
4. Click Next to bring up the data filter conditions dialog.
5. Configure the data filter conditions that will be applied for the Delete data job. If you do not set any data filter conditions, then all events older than the specified period will be deleted. Click Next to continue.

NOTE: For more information on how to configure filter conditions, refer to the section Configuring data filter conditions in this chapter.

6. Specify whether the maintenance job should be scheduled or executed immediately.
7. Click on Finish to finalize configuration of the new Delete data job.

Configuring data filter conditions

Use data filter conditions to specify which events will be affected by the maintenance job. Only events which match the specified criteria will be processed, moved, exported, deleted or imported. Filters can be created for one or more of the following log types:

- Windows Event Logs
- W3C Logs
- Syslog Messages.
Screenshot 90 - Data filter dialog

To specify which events are affected by maintenance jobs, click on the Filter button in the data filter dialog. This dialog is available through the New job wizard.

Example: Windows Event Logs filter

Export events from the Windows Event Logs with the following conditions:

- Log type: Security
- Event ID: 540 (Successful logon)
- User: administrator
- Event Type: Error.

Configure your filter parameters as shown in the Edit filter dialog shown below:
Screenshot 91 - Creating a filter for Windows events: Edit filter dialog

Choose OK to finalize filter configuration.

Advanced conditions

Screenshot 92 - Advanced Filter settings
From the Edit filter dialog you can also set advanced filter conditions. Through this dialog you can also create and apply filters on all events data fields used by GFI EventsManager.

NOTE: Filters can also be applied on maintenance jobs after they have been created. For more information refer to the Editing a maintenance job section.

Viewing scheduled maintenance jobs

Screenshot 93 - Viewing scheduled maintenance jobs

To view the maintenance jobs created:

1. Click on the Configuration option.
2. From the secondary option bar, select Options.
3. From the left pane, select the Database operations node.
4. The list of scheduled maintenance jobs is available in the right pane.
Job activity status

Screenshot 94 - Job activity status

The progress of maintenance jobs that are being processed can be viewed through the status monitor:

1. Click the Status option from the primary options bar.
2. Select the Job Activity dashboard view.
3. View the status of maintenance jobs in the Maintenance Jobs section of the dashboard.

Editing a maintenance job

You can make changes to the parameters of scheduled maintenance jobs.

1. Click on the Configuration option.
2. From the secondary option bar, select Options.
3. From the left pane, select the Database Operations node.
4. From the right pane, right-click on the maintenance job to edit and select Properties.

Screenshot 95 - Example dialog to edit a scheduled job

5. Configure the required parameters as described in the sections above:
- Select the General tab to edit parameters such as:
  o file locations or databases
  o frequency in hours/days.
- Select the Data tab to edit filter conditions.
- Select the Data Protection tab to edit encrypt/decrypt settings.

Editing a maintenance job priority

Screenshot 96 - Maintenance job priorities

When a maintenance job is created, it is given a priority setting. Job priorities are set according to the sequence in which the jobs are created. The first job created is given a priority setting of 1, the second job created is given a priority setting of 2, and so on. The priority determines the sequence in which jobs are executed.

To increase or decrease the priority of a maintenance job:

1. Click on the Configuration option.
2. From the secondary option bar, select Options.
3. From the left pane, select the Database Operations node.
4. From the right pane, right-click on the maintenance job to change and select Increase Priority or Decrease Priority as required.

Deleting a maintenance job

Scheduled maintenance jobs awaiting execution can also be deleted.

1. Click on the Configuration option.
2. From the secondary option bar, select Options.
3. From the left pane, select the Database Operations node.
4. From the right pane, right-click on the maintenance job to delete and select Delete.
NOTE: Take due diligence when deleting maintenance jobs, since such an operation has an indirect effect on events data. For example, consider an Export to file maintenance job with a higher priority than a Delete data job. If you delete the Export to file job, events data may be removed without any backup of that data having been taken.
Customizing event processing rules

Introduction

Event processing rules are the conditions which:

- Classify processed events
- Filter out noise (repeated events) or unwanted events
- Trigger e-mail, SMS and network alerts on key events
- Attempt remedial actions by executing specific scripts and executable files on key events.

GFI EventsManager ships with pre-configured rules that can be used to process events with minor configuration effort. You can also customize these default rules or create tailored ones for all supported log types (i.e. Windows event logs, W3C and Syslog).

In GFI EventsManager, event processing rules are organized into rule-sets, which in turn are stored in rule-set folders. The pre-configured rules that ship with GFI EventsManager are organized into the following rule-set folders:

Rule-set folder          Description
Noise reduction rules    Contains rules tailored for the removal of repeated events and other noise from logs.
Security                 Contains rules tailored for the processing of Security logs and System logs.
System Health            Contains rules tailored for the processing of Application logs and System logs.
Security Applications    Contains rules tailored for the processing of Application logs, Security logs and System logs.
Infrastructure Server    Contains rules tailored for the processing of Application logs, DNS logs and System logs.
Database Server          Contains rules tailored for the processing of Application logs.
Web Server               Contains rules tailored for the processing of Application logs and System logs.
Print Server             Contains rules tailored for the processing of Application logs and System logs.
Terminal Services        Contains rules tailored for the processing of events generated by terminal device driver services.
Linux/Unix               Contains rules tailored for the processing of Syslogs.
Cisco PIX & ASA          Contains rules tailored for the processing of events generated by Cisco PIX firewalls and Cisco Adaptive Security Appliances.

Create a new rule-set folder

Screenshot 97 - The log type drop-down list

To create a new rule-set folder:

1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
3. From the provided drop-down, select the log-type for which you will be creating the rule-set folder.
4. Select the Create folder option from the Common tasks area in the left pane.
5. Specify a unique name for the new rule-set folder.

Renaming and deleting folders

To rename or delete existing rule-set folders, right-click on the target rule-set folder and select Rename or Delete accordingly.

NOTE: Deleting a rule-set folder will lead to the deletion of all the rules and rule-sets contained within the deleted folder.

Creating a new rule-set

To create a new rule-set:

1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
3. From the provided drop-down, select the log-type for which you will be creating the new rule-set.
4. Right-click on the folder where the new rule-set is to be created and select Create new rule set.
Screenshot 98 - New rule-set dialog box

5. Specify a name and a description for this new rule-set.
6. Click OK to finalize your settings.

Editing a rule-set

To edit rule-set parameters:

1. Right-click on the rule-set to edit and select Properties.
2. Make the required changes and click OK to finalize your settings.

Deleting a rule-set

To delete a rule-set, right-click on the rule-set and select Delete.

Creating a new Windows Event Log rule

To create a new rule which is applicable only to Windows Event Logs:

1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.

Screenshot 99 - Selecting log-type from the provided drop-down

3. From the provided drop-down, select Windows Event Logs.
4. Right-click on the rule-set in which you will be creating the new rule and select Create new rule.
5. Specify the name and a description for the new rule. Click Next to proceed with the configuration.

Screenshot - GFI EventsManager: Select the Log(s)

6. Select the event logs to which the rule applies and click Next.

Screenshot - GFI EventsManager: Select the filtering conditions

7. Configure the event filtering conditions of this rule. To create a rule which will be applied to all events, leave the event ID empty. Click Next to continue.
NOTE: For more information on how to configure advanced event filtering conditions, refer to the Advanced event filtering parameters section in this manual.

Screenshot - New processing rule wizard: Select event occurrence and importance

8. Specify the time when this rule will be executed (i.e. anytime, during working hours or outside working hours).

NOTE: Working and non-working hours are based on the operational time parameters configured for your event sources. For more information on how to configure operational times, refer to the Configuring event source operational time section in the Configuring event sources chapter.

9. Select the classification (critical, high, medium, low or noise) that will be assigned to events that satisfy the conditions in this rule. Click Next to continue.
Screenshot - New processing rule wizard: Select action

10. Specify which actions will be triggered by this rule. You can choose to ignore the event, trigger the default action, or customize alerts.
11. Click Next to proceed to the final dialog. Click Finish to finalize your settings.

NOTE: Newly created rules are disabled by default, hence will NOT become operational unless enabled. For information on how to enable event processing rules refer to the Collecting and processing Windows events section in this manual.

Creating a new W3C rule

To create a new rule which is applicable only to W3C logs:

1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
3. From the provided drop-down, select W3C Logs.
4. Right-click on the rule-set in which you will be creating the new rule and select Create new rule.
5. Specify a name and description for the new rule. Click Next to proceed with the configuration.
Screenshot - New processing rule wizard: Select W3C Log

6. Click on the Add button. Specify the path to the W3C logs to which this rule applies, or leave it blank to apply this rule to all W3C logs. Click Next to continue.

NOTE: Multiple paths can be specified during configuration.

Screenshot - New processing rule wizard: Configure filtering conditions
7. Click on the Add button and configure event filtering conditions. Repeat until all conditions have been specified. Click Next to continue.

Screenshot - New processing rule wizard: Select event occurrence and importance

8. Specify the time when this rule will be executed (i.e. anytime, during working hours or outside working hours).

NOTE: Working and non-working hours are based on the operational time parameters configured for your event sources. For more information on operational times, refer to the Configuring event source operational time section in the Configuring event sources chapter.

9. Select the classification (critical, high, medium, low or noise) that will be assigned to events that satisfy the conditions in this rule. Click Next to continue.
Screenshot - New processing rule wizard: Select action

10. Specify which actions will be triggered by this rule. You can choose to ignore the event, trigger the default action, or customize alerts.
11. Click Next to proceed to the final dialog. Click Finish to finalize your settings.

NOTE: Newly created rules are disabled by default, hence will NOT become operational unless enabled. For information on how to enable event processing rules refer to the Collecting and processing W3C logs section in this manual.

Creating a new Syslog rule

To create a new rule which is applicable only to the processing of Syslog messages:

1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
3. From the provided drop-down, select Syslog.
4. Right-click on the rule-set in which you will be creating the new rule and select Create new rule.
5. Specify the name and a description for the new rule. Click Next to proceed with the configuration.
Screenshot - New processing rule wizard: Configure Conditions

6. Specify the log filtering conditions to be processed by this rule. When all conditions have been specified, click Next.

NOTE: For more information on how to configure advanced event filtering conditions, refer to the Advanced event filtering parameters section in this manual.

Screenshot - New processing rule wizard: Select event occurrence and importance

7. Specify the time when this rule will be executed (i.e. anytime, during working hours or outside working hours).

NOTE: Working and non-working hours are based on the operational time parameters configured for your event sources. For more information on operational times, refer to the Configuring event source operational time section in the Configuring event sources chapter.

8. Select the classification (critical, high, medium, low) that will be assigned to events that satisfy this rule. Click Next to continue.

Screenshot - New processing rule wizard: Select action

9. Specify which actions will be triggered by this rule. You can choose to ignore the event, trigger the default action, or customize alerts.
10. Click Next to proceed to the final dialog. Click Finish to finalize your settings.

NOTE: Newly created rules are disabled by default, hence will NOT become operational unless enabled. For information on how to enable event processing rules refer to the Collecting and processing Syslogs section in this manual.
Changing the configuration settings of a rule

Screenshot - Log processing rule properties

To edit the property settings of an event processing rule:

1. Right-click on the rule and select Properties. This will bring up the Rule Properties dialog.
2. Use the tabs provided in the dialog to navigate the existing parameters and make the required changes.

The tabs provided in the properties dialog include:

- General - Use this tab to configure the general properties of the rule, including the rule name and rule classification.
- Logs - This tab is available only for W3C log rules. Use this tab to specify the W3C logs to which this rule applies.
- Event Logs - This tab is available only for Windows event log rules. Use this tab to specify which events will be processed by this rule.
- Conditions - Use this tab to configure event filtering conditions.
- Actions - Use this tab to configure alerts and actions triggered by this rule.
- Threshold - Use this tab to configure the event threshold value, i.e. the number of times that an event must be detected before alerts and remedial actions are triggered. This helps reduce false positives triggered by noise (repeated events) in your event logs.
Advanced event filtering parameters

GFI EventsManager allows systems administrators to set up advanced event filtering parameters. These options are available only for Windows Events and Syslogs.

Windows Events - Conditions

Event IDs field: The Event IDs field allows systems administrators to set up the following parameter types:

- Single events
- List of events
- Range of events
- Combination of events

Source, Category and User fields: The Source, Category and User fields allow systems administrators to set up the following parameter types:

- Single source name
- List of sources
- Wildcards (% and *)

Syslog - Categories

Message and Process fields: The Message and Process fields allow systems administrators to set up the following parameter types:

- Single message
- List of messages
- Wildcards (% and *)
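As an added example (not GFI's code) covering both the Threshold tab described above and these advanced filtering parameters, the following Python models a Windows event processing rule: it expands the Event IDs field syntax, applies the % and * wildcards to the Source, Category and User fields, honours the working/non-working hours setting and fires only on the Nth matching event. The Rule fields, the event dictionary keys, the per-computer threshold counting and the 08:00-17:00 weekday operational time are assumptions of this example.

```python
"""Added example, not GFI's code: a minimal model of a GFI EventsManager
Windows event processing rule, showing how the Event IDs field syntax
(single event, list, range, combination), the % and * wildcards on the
Source/Category/User fields, the working-hours setting and the Threshold
tab combine before a classification is assigned. The Rule fields, event
dict keys and 08:00-17:00 weekday window are this example's assumptions."""
import fnmatch
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set

def parse_event_ids(spec: str) -> Optional[Set[int]]:
    """Expand "540", "528,540" or "528-540,672"; an empty field matches all."""
    if not spec.strip():
        return None
    ids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", part)
        if rng and int(rng.group(1)) <= int(rng.group(2)):
            ids.update(range(int(rng.group(1)), int(rng.group(2)) + 1))
        elif part.isdigit():
            ids.add(int(part))
        else:
            raise ValueError("bad Event IDs entry: " + part)
    return ids

def field_matches(pattern: str, value: str) -> bool:
    """Comma-separated names; % and * both mean 'any characters' (assumed);
    matching is case-insensitive and an empty pattern matches anything."""
    if not pattern.strip():
        return True
    return any(fnmatch.fnmatchcase(value.lower(), alt.strip().lower().replace("%", "*"))
               for alt in pattern.split(","))

WORK_START, WORK_END = time(8, 0), time(17, 0)   # assumed operational time

def in_working_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and WORK_START <= ts.time() < WORK_END

@dataclass
class Rule:
    log: str                         # Windows log the rule applies to
    event_ids: str = ""              # Event IDs field syntax
    source: str = ""
    category: str = ""
    user: str = ""
    classification: str = "medium"   # critical / high / medium / low / noise
    when: str = "anytime"            # anytime / working / non-working
    threshold: int = 1               # Threshold tab: hits needed per computer
    _hits: Dict[str, int] = field(default_factory=dict, init=False)

def evaluate(rule: Rule, event: dict) -> Optional[str]:
    """Classification to assign once conditions, time window and threshold hold."""
    ids = parse_event_ids(rule.event_ids)
    if event["log"].lower() != rule.log.lower():
        return None
    if ids is not None and event["event_id"] not in ids:
        return None
    for pattern, key in ((rule.source, "source"), (rule.category, "category"),
                         (rule.user, "user")):
        if not field_matches(pattern, event.get(key, "")):
            return None
    # "working" requires a working-hours event, "non-working" the opposite.
    working = in_working_hours(event["time"])
    if rule.when != "anytime" and (rule.when == "working") != working:
        return None
    # Threshold: count matches per computer, fire on the Nth, then restart.
    computer = event.get("computer", "")
    rule._hits[computer] = rule._hits.get(computer, 0) + 1
    if rule._hits[computer] < rule.threshold:
        return None
    rule._hits[computer] = 0
    return rule.classification

def run_rule(rule: Rule, events: List[dict]) -> List[str]:
    """Classifications produced, in order, by the events that fire the rule."""
    return [c for c in (evaluate(rule, e) for e in events) if c is not None]

def failed_logon_rule() -> Rule:
    """Three failed logons (IDs 529-539) by any admin* account outside hours."""
    return Rule(log="Security", event_ids="529-539", user="admin%",
                classification="high", when="non-working", threshold=3)

def _event(event_id: int, user: str, hour: int, minute: int) -> dict:
    # Constructed sample Security event, not real data; 2007-03-28 is a Wednesday.
    return {"log": "Security", "event_id": event_id, "source": "Security",
            "category": "Logon/Logoff", "user": user, "computer": "SRV01",
            "time": datetime(2007, 3, 28, hour, minute)}

SAMPLE_EVENTS = [
    _event(529, "Administrator", 2, 10),   # after hours: hit 1
    _event(529, "jsmith", 2, 11),          # user does not match admin%
    _event(539, "administrator", 2, 12),   # after hours: hit 2
    _event(529, "administrator", 10, 0),   # working hours: ignored
    _event(529, "ADMINISTRATOR", 2, 13),   # after hours: hit 3, rule fires
    _event(540, "administrator", 2, 14),   # 540 = successful logon, out of range
]
```

Running `run_rule(failed_logon_rule(), SAMPLE_EVENTS)` yields a single "high" classification for the third after-hours failed logon; a rule with only `event_ids="540"` (the filter shown earlier in this chapter) fires once on the last sample event.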
Configuring users and groups

Introduction

Screenshot - Configuring users and groups node

When an alert is triggered, GFI EventsManager does not send alert messages directly to a specific e-mail address or mobile number. The type of alert to be sent is determined by the user properties. User properties include the contact details and working hours of every recipient. Based on these settings, GFI EventsManager will automatically determine the type of alert to be triggered during and outside of working hours.

In GFI EventsManager, alert recipients can be organized into groups. This way you can configure alerting options on a user group level, rather than having to configure the same settings for each and every user.
Creating a new user

To create a new user:

1. Click on the Configuration option.
2. Select Options from the secondary option bar.
3. Expand the Users and Groups node, right-click on the Users sub-node and select Create user.
4. Configure user properties. For more information refer to the Configuring GFI EventsManager administrator account section in the Getting Started chapter.

Changing user properties

To edit user properties:

1. From the left pane, click on the Users node.
2. Right-click on the user to edit and select Properties.
3. Make the required changes and click OK to finalize your settings.

Deleting users

To delete a user:

1. From the left pane, click on the Users node.
2. From the right viewer pane, right-click on the user to be deleted and select Delete.
Configuring groups

Screenshot 113 - Groups configuration screen

1. Click on the Configuration option.
2. Select Options from the secondary option bar.
3. Expand the Users and Groups node, right-click on the Groups sub-node and select Create group.
Screenshot - New groups setup

4. Specify the name of the new group.
5. Click Add to start adding users to the group.
6. Click OK to finalize your settings.

Changing user group properties

To edit the settings of a user group:

1. From the left pane, click on the Groups node.
2. From the right pane, right-click on the group to be configured and select Properties.
3. Perform the required changes and click OK to finalize your settings.

Deleting user groups

To delete a user group:

1. From the left pane, click on the Groups node.
2. From the right viewer pane, right-click on the group to be deleted and select Delete.
Miscellaneous

Command Line operations

GFI EventsManager provides you with three command line tools through which you can perform data export and import functions. These three tools are:

- Exportdata.exe: Exports data from an ESM 7.1 database using the database operations engine.
- Importdata.exe: Imports data into an ESM 7.1 database using the database operations engine.
- Importsettings.exe: Imports configuration from a data folder or from a configuration export file (.esmbkp); it is used mostly by the installer when preserving configuration.

Exportdata.exe

Use this tool to export data from the GFI EventsManager database to a binary file.

Usage: exportdata.exe <parameters list>

Parameter                       Mandatory/Optional   Description
/folder:<path and foldername>   Mandatory            Defines the folder where the data file will be stored.
/period:<number of hours>       Optional             Exports events older than the given number of hours. Default = 7 days.
/password:<file password>       Optional             Sets an encryption password.
/delete                         Optional             Deletes the events after export.
/movetodb:<database name>       Optional             Moves the events to another database on the same server. If no name is specified, the backup database is used.

NOTE: Any parameter that contains spaces must be enclosed in double quotes (").

Example:

Exportdata.exe /folder:c:\exportfiles /period:240 /password:aip112sk
Where data is exported with the following details:

- A folder called exportfiles, located at c:\
- Data older than 10 days (240 hours)
- Encrypted using password aip112sk

Importdata.exe

Use this tool to import data in binary files into the GFI EventsManager database.

Usage: importdata.exe <parameters list>

Parameter                             Mandatory/Optional   Description
/folder:<path and foldername>         Mandatory            Defines the folder where the data file is stored.
/password:<file password>             Optional             Defines the password that will be used to decode the files; if not specified, no password will be used.
/dbserver:<database server location>  Optional             Defines the database server where the destination database lies. If not specified, the database details specified in GFI EventsManager will be used.
/dbname:<database name>               Optional             Defines the destination database name. If not specified, the database name specified in GFI EventsManager will be used.
/dbuser:<username>                    Optional             Defines the user name used to connect to the database. If not specified, Windows authentication will be used.
/dbpass:<password>                    Optional             Defines the password used to connect to the destination server/database. If none is specified, the password is ignored.

NOTE: Any parameter that contains spaces must be enclosed in double quotes (").

Example:

importdata.exe /folder:c:\exportfiles /password:aip112sk /dbserver: /dbname:mainesmdb /dbuser:sa /dbpass:sapwd

Where data is imported with the following details:

- From the folder called exportfiles, located at c:\
- Decrypted using password aip112sk
- Saved to the database on the server with I.P. address , with database name mainesmdb and with the following login credentials: username sa and password sapwd.
Importsettings.exe

Use this tool to import GFI EventsManager configurations previously exported.

Usage: importsettings.exe <parameters list>

Parameter                          Mandatory/Optional   Description
/operation:<operation>             Mandatory            Defines the operation to perform, either importfolder or importfile.
/destination:<destination path>    Optional             Defines the destination folder where the configuration will be imported.
/sourcefile:<filename>             Optional             Defines the name of the file that contains the exported GFI EventsManager configuration.
/sourcefolder:<folder name/path>   Optional             Defines the name of the folder that contains the exported GFI EventsManager configuration.

NOTE: Any parameter that contains spaces must be enclosed in double quotes (").

Example:

importsettings.exe /operation:importfolder /destination:c:\esm\data /sourcefolder:c:\esm\old

Where the configuration is imported with the following details:

- Operation is importfolder, to c:\esm\data from the folder c:\esm\old.

Customizing Unique Identifiers

GFI EventsManager 7.1 enables you to customize the unique identifiers of the GFI EventsManager installation. This enables you to import the same configuration into separate installations without incurring duplicate GFI EventsManager instance IDs. Please refer to the Configuring database operations section in the Database Operations chapter earlier in this manual for more information on this feature.

To configure new GFI EventsManager unique identifiers, add the following option to the command line options of importdata.exe:

Parameter       Mandatory/Optional   Description
/id:<new_id>    Optional             Defines the new ESM instance ID set after importing the configuration. Use this parameter only if you want to change the ESM instance ID; if no value is specified, the existing ESM instance ID will be preserved.
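As an added example (not GFI's code), the following Python assembles exportdata.exe and importdata.exe command lines from the parameters documented above, applying the rule that a parameter containing spaces must be enclosed in double quotes and converting a retention period given in days into the /period: hours value. The helper names, the choice to quote the whole /name:value token, and the validation checks are this example's own assumptions.

```python
"""Added example, not GFI's code: build exportdata.exe and importdata.exe
command lines from the documented parameters. Quoting the whole
/name:value token when it contains a space, the helper names and the
validation checks are this example's assumptions."""
from typing import List, Optional

DEFAULT_PERIOD_HOURS = 7 * 24   # manual: /period: defaults to 7 days


def _param(name: str, value: Optional[str] = None) -> str:
    """Render /name or /name:value, quoted as a whole if it contains a space."""
    token = "/%s" % name if value is None else "/%s:%s" % (name, value)
    return '"%s"' % token if " " in token else token


def build_exportdata_cmd(folder: str, period_days: Optional[int] = None,
                         period_hours: Optional[int] = None,
                         password: Optional[str] = None, delete: bool = False,
                         movetodb: Optional[str] = None) -> str:
    """exportdata.exe line; /folder: is mandatory, everything else optional."""
    if not folder:
        raise ValueError("/folder: is mandatory")
    if period_days is not None and period_hours is not None:
        raise ValueError("give the period in days or in hours, not both")
    if period_days is not None:
        period_hours = period_days * 24          # e.g. 10 days -> /period:240
    parts: List[str] = ["exportdata.exe", _param("folder", folder)]
    if period_hours is not None:
        parts.append(_param("period", str(period_hours)))
    if password:
        # Visible in process listings and shell history; the same value must
        # later be passed to importdata.exe /password: to decode the files.
        parts.append(_param("password", password))
    if delete:
        parts.append(_param("delete"))
    if movetodb is not None:
        # An empty name yields "/movetodb:" so the backup database is used.
        parts.append(_param("movetodb", movetodb))
    return " ".join(parts)


def build_importdata_cmd(folder: str, password: Optional[str] = None,
                         dbserver: Optional[str] = None, dbname: Optional[str] = None,
                         dbuser: Optional[str] = None, dbpass: Optional[str] = None) -> str:
    """importdata.exe line; omitted /db* values fall back to the settings
    configured in GFI EventsManager, and no /dbuser: means Windows auth."""
    if not folder:
        raise ValueError("/folder: is mandatory")
    if dbpass and not dbuser:
        raise ValueError("/dbpass: is ignored without /dbuser: (Windows auth)")
    parts: List[str] = ["importdata.exe", _param("folder", folder)]
    for name, value in (("password", password), ("dbserver", dbserver),
                        ("dbname", dbname), ("dbuser", dbuser), ("dbpass", dbpass)):
        if value:
            parts.append(_param(name, value))
    return " ".join(parts)


if __name__ == "__main__":
    # Reproduces the manual's example (10 days = 240 hours) and a path with a space.
    print(build_exportdata_cmd(r"c:\exportfiles", period_days=10, password="aip112sk"))
    print(build_exportdata_cmd(r"c:\export files", delete=True))
```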
Licensing

To check your licensing details:

1. Click on the General option in the primary options bar.
2. From the left pane, click on the Licensing option. Licensing details will be displayed in the right pane of the management console.

Entering License Key after installation

To enter your license key after installation:

1. Click the General option in the primary options bar.
2. From the left pane, right-click on the Licensing option and select Edit license key.

Screenshot - Update license key

3. Specify your license key details.
4. Click OK to finalize your settings.
Version information

To check your version information details:

1. Click the General option in the primary options bar.
2. Click the Version Information option. The version information details will be displayed in the right pane.

Screenshot - Version Information screen

Checking for newer builds

To check for newer builds of GFI EventsManager:

1. Click the General option in the primary options bar.
2. From the left pane, right-click on the Version Information option and select Check for newer builds.
Troubleshooting

Introduction

The troubleshooting chapter explains how you should go about resolving issues you have. The main sources of information available to users are:

- The manual - most issues can be solved by reading the manual.
- The GFI Knowledge Base - accessible from the GFI website.
- The GFI technical support site.
- Contacting the GFI technical support team by e-mail at
- Contacting the GFI technical support team using our live support service at
- Contacting our technical support team by telephone.

Knowledge Base

GFI maintains a Knowledge Base, which includes answers to the most common problems. If you have a problem, please consult the Knowledge Base first. The Knowledge Base always has the most up-to-date listing of support questions and patches. The Knowledge Base can be found on

Request technical support via e-mail

If, after using the Knowledge Base and this manual, you have any problems that you cannot solve, you can contact the GFI technical support team. The best way to do this is via e-mail, since you can include vital information as an attachment that will enable us to solve the issues you have more quickly.

The Troubleshooter, included in the program group, automatically generates a series of files needed for GFI to give you technical support. The files include the configuration settings, debugging log files and so on. To generate these files, start the troubleshooter wizard and follow the instructions in the application.

In addition to collecting all the information, you will be asked a number of questions. Please take your time to answer these questions accurately. Without the proper information, it will not be possible to diagnose your problem.

Then go to the troubleshooter\support folder, located under the main program directory, compress the files in ZIP format, and send the generated ZIP file to mailto:[email protected].
Ensure that you have registered your product on our website first, at

We will answer your query within 24 hours or less, depending on your time zone.

Request technical support via web chat

You may also request technical support via Live Support (web chat). You can contact the GFI technical support department using our Live Support service at

Ensure that you have registered your product on our website first, at:

Request technical support via phone

You can also contact GFI by phone for technical support. Please check our website for the correct numbers to call, depending on where you are located, and for our opening times.

Technical support website:

Ensure that you have registered your product on our website first, at

Web Forum

User-to-user technical support is available via the web forum. The forum can be found at:

Build notifications

We strongly suggest that you subscribe to our build notifications list. This way, you will be immediately notified about new product builds. To subscribe to our build notifications, go to:
Appendix 1 - SMS Settings

Global settings for SMS/pager alerts

NOTE: This section is only applicable for advanced users. We cannot guarantee that GFI EventsManager will work with any SMS provider. Before attempting any such configuration, ensure that you have obtained the correct information from your SMS service provider.

Screenshot - SMS Alerts dialog

Out of the box, GFI EventsManager can relay SMS alerts through the:

- In-built GSM SMS Server
- GFI FAXmaker SMS service provider template
- Clickatell 2SMS Service
- Generic SMS service provider templates.
In-built GSM SMS Server

Figure 7 - SMS alert flow via the in-built GSM Server

The in-built GSM SMS Server allows GFI EventsManager to directly send SMS (text) messages through a GSM phone or GSM modem connected to the computer by serial cable, Infrared or Bluetooth.

Screenshot 118 - The in-built GSM SMS Server properties

Requirements

1. A GSM modem or GSM phone that is capable of processing AT+C commands. This GSM device must be connected to the server running GFI EventsManager.
2. Subscription to an SMSC provider.

Configuring the In-built GSM SMS Server

To configure the In-built GSM SMS Server:

1. Right-click on the Alerting Options node and select Properties.
2. Click on the SMS tab and from the SMS System drop-down, select In-built GSM SMS Server.

Screenshot - Edit Property dialog

3. Double-click on the property which you want to configure (e.g. Service Center Number) and specify the necessary parameters in the Edit Property dialog.

NOTE: When configuring properties, always specify the details supplied to you by your SMSC provider. If configuration parameters are not available, ask your provider to supply you with the required information.

The In-built GSM SMS Server requires the following parameters:

- Service Center Number - Specify the number of your provider's SMS service center (SMSC). This number is supplied by the SMS service provider.
- COM port - Select the COM port to which the GSM device (i.e. phone/modem) is connected.
- Baud Rate - Specify the speed at which the communication will take place. Always specify the speed recommended by your SMSC provider.
- Initialization String (Optional) - If required, specify any AT commands that you wish to send to your modem.

NOTE: The initialization string is a set of modem AT commands combined into one string (e.g. AT &F &C1 &D2). For a complete list of AT commands, visit

4. In the Retries entry box, specify the number of times that the In-built GSM SMS Server will try to send an SMS alert should the first attempt fail.
5. Click on OK to finalize your settings.
GFI FAXmaker SMS service provider template

Figure 8 - SMS alert flow via the GFI FAXmaker SMS service provider

The GFI FAXmaker SMS Service allows GFI EventsManager to send SMS messages through GFI FAXmaker, market-leading fax server software that allows you to send and receive faxes via your e-mail infrastructure. GFI FAXmaker is also an SMS gateway which allows you to send SMS messages through:

- A GSM phone / modem connected to your fax server, or
- Web-based SMS service providers.

For more information on GFI FAXmaker, visit

Whenever an event triggers an SMS alert, GFI EventsManager sends a template e-mail (via SMTP) to the fax server (i.e. GFI FAXmaker). This template contains all the SMS alert details, including the SMS text message and the recipient's number. GFI FAXmaker then converts this e-mail to SMS and sends it to the intended recipient.

Screenshot - FAXmaker SMS service configuration dialog
Requirements

In order to use the FAXmaker SMS service, you must have:

1. GFI FAXmaker installed and configured for SMS messaging. For more information on how to configure the SMS gateway on GFI FAXmaker, refer to The SMS Gateway chapter of the GFI FAXmaker manual. You can download the GFI FAXmaker manual from
2. A supported GSM phone/modem connected to the GFI FAXmaker fax server computer, or a subscription to a supported web-based SMS provider.

Configuring the FAXmaker SMS service

To configure the FAXmaker SMS Service:

1. Right-click on the Alerting Options node and select Properties.
2. Click on the SMS tab and from the SMS System drop-down, select FAXmaker SMS Service provider template.
3. Double-click on the property which you want to configure (e.g. SMTP server) and specify the relevant parameters in the Edit Property dialog.

The FAXmaker SMS Service requires the following parameters:

- SMTP server - Specify the name of the SMTP server through which GFI EventsManager will send the template e-mail to GFI FAXmaker.
- SMTP port - Specify the SMTP port through which the transmission will take place. By default this parameter is set to 25 (i.e. the default SMTP port).
- From - Specify the e-mail account from which the template e-mail will be sent. Format this parameter as follows: <name>@<mydomain.com>
- To - (Leave as default) This is the address on which GFI FAXmaker will receive the template e-mails to be converted to SMS (i.e. [smsnumber]@smsmaker.com). This parameter includes the variable [smsnumber], which is substituted with the number of the SMS recipient when the template is generated. For example, if an SMS must be sent to a recipient with number , the e-mail is sent to mailto: @smsmaker.com. GFI FAXmaker will then send the SMS to the number specified in the e-mail address.
- Subject* - (Optional parameter) Specify the text which you want to include in the template e-mail's subject field.

4. In the Retries entry box, specify the number of times that the FAXmaker SMS service will try to send an SMS alert should the first attempt fail.
5. Click on OK to finalize your settings.
Clickatell E-mail 2SMS Service

Figure 9 - SMS alert flow via the Clickatell e-mail to SMS service

The Clickatell E-mail 2SMS Service allows GFI EventsManager to relay SMS (text) alerts via Clickatell, a web-based SMS service which sends SMS messages worldwide. Whenever an event triggers an SMS alert, GFI EventsManager sends an e-mail template (via SMTP) to Clickatell's SMS gateway. This template contains all the required SMS alert details, including the SMS text message and the recipient's number. Clickatell then converts this e-mail to an SMS and sends it to the intended recipient. For more information, refer to the Clickatell website.

Screenshot - Clickatell E-mail 2SMS Service configuration dialog

Requirements

No specific hardware is required for this SMS messaging method. The only requirements are:
1. You must be subscribed to the Clickatell SMS gateway service.
2. The SMTP server configured in the properties of the Clickatell E-mail 2SMS service must be able to send e-mails over the Internet.

NOTE: GFI EventsManager cannot send SMS alerts through the Clickatell E-mail 2SMS Service if no Internet connection is available or when your Internet connection is down.

Configuring the Clickatell E-mail 2SMS Service

To configure the Clickatell E-mail 2SMS Service:
1. Right-click on the Alerting Options node and select Properties.
2. Click on the SMS tab and from the SMS System drop-down, select Clickatell E-mail 2SMS Service.
3. Double-click on the property which you want to configure (e.g. SMTP server) and specify the relevant parameters in the Edit Property dialog.

NOTE: When configuring properties, always specify the details supplied to you by Clickatell. If configuration parameters are not available, ask Clickatell to provide you with the required information.

The Clickatell E-mail 2SMS Service requires the following parameters:
SMTP server - The name of the SMTP server through which GFI EventsManager will send the e-mail to the SMS gateway.
SMTP port - The SMTP port through which the transmission will take place. By default this parameter is set to 25 (the default SMTP port).
From - The e-mail account from which the e-mail will be sent. For example, you can specify the address used by GFI EventsManager for generic e-mail alerts.
To - The e-mail address of the Clickatell SMS gateway (i.e. the address where GFI EventsManager will send e-mails for conversion to SMS). This address is provided by Clickatell (i.e. by the SMS gateway provider) and is pre-filled by default. NOTE: Leave this property as default, unless otherwise specified by Clickatell.
CC (optional) - The e-mail address to which copies of the e-mails sent to the web-based SMS gateway are forwarded.
Subject (optional) - The text which you want to include in the e-mail's subject field.
Body line 1 - The API ID (e.g. api_id:124576). The API ID is an identification number supplied to you by Clickatell after you subscribe to the service. Format this parameter as follows: api_id:<API ID No>. NOTE: If you don't know your API ID, ask Clickatell to supply you with this information.
Body line 2 - Your Clickatell SMS gateway user name (e.g. user:jasonm). Format this parameter as follows: user:<user name>. NOTE: If you don't know your user name, ask Clickatell to supply you with this information.
Body line 3 - Your Clickatell SMS gateway password (e.g. password:abcde). Format this parameter as follows: password:<password text>. NOTE: If you don't know your password, ask Clickatell to supply you with this information.
Body line 4 (leave as default) - The number of the SMS recipient (i.e. the number to which the SMS will be sent). This number is passed on automatically by GFI EventsManager through the variable [smsnumber], which is replaced with the actual number when the e-mail is generated. The contents of this property are formatted as follows: to:[smsnumber]
Body line 5 (leave as default) - The text which must be included in the SMS. These contents are passed on automatically by GFI EventsManager through the variable [smsmessage], which is replaced with the alert text when the e-mail is generated. The contents of this property are formatted as follows: text:[smsmessage]
4. In the Retries entry box, specify the number of times that GFI EventsManager will try to send the e-mail to the web-based e-mail to SMS provider should the first attempt fail.
5. Click on OK to save your configuration settings.

NOTE: The gateway password in Body line 3 is included, in clear text, in the body of every alert e-mail. Use an SMTP server that you control and that encrypts the session (TLS) towards the Internet, restrict who can relay through it, and do not point the CC property at a mailbox that is less protected than the Clickatell account itself.

Generic SMS service provider template

Figure 10 - SMS alert flow via a web-based e-mail to SMS service provider

GFI EventsManager can relay SMS (text) alerts via a web-based SMS gateway. Whenever an event triggers an SMS alert, GFI EventsManager sends an e-mail template (via SMTP) to the web-based SMS gateway. This template contains all the required SMS alert details, including the SMS text message and the recipient's number. The SMS gateway then converts this e-mail to an SMS and sends it to the intended recipient.

NOTE: This template can be customized, allowing you to use any provider which supports e-mail to SMS services.
Screenshot - Generic SMS service configuration dialog

Requirements

No specific hardware is required for this SMS messaging method. The only requirements are:
1. You must be subscribed to an SMS gateway service.
2. The SMTP server configured in the properties of the Generic SMS service must be able to send e-mails over the Internet.

NOTE: GFI EventsManager cannot send SMS alerts through the Generic SMS service if no Internet connection is available or when your Internet connection is down.

Configuring the Generic SMS service provider template

To configure the Generic SMS service:
1. Right-click on the Alerting Options node and select Properties.
2. Click on the SMS tab and from the SMS System drop-down, select Generic SMS service provider template.
3. Double-click on the property which you want to configure (e.g. SMTP server) and specify the relevant parameters in the Edit Property dialog.

NOTE: When configuring properties, always specify the details supplied to you by your SMS gateway provider.

The Generic SMS service requires the following parameters:
SMTP server - The name of the SMTP server through which GFI EventsManager will send the e-mail to the SMS gateway.
SMTP port - The SMTP port through which the transmission will take place. By default this parameter is set to 25 (the default SMTP port).
From - The e-mail account from which the e-mail will be sent. You can specify the address configured in GFI EventsManager for generic e-mail alerts.
To - The e-mail address of your SMS gateway provider (i.e. the address where GFI EventsManager will send e-mails for conversion to SMS). This address is supplied by the SMS gateway provider. NOTE: If you don't know the address of your SMS gateway, ask your SMS gateway provider for this information.
CC (optional) - The e-mail address to which copies of the e-mails sent to the SMS gateway are forwarded.
Subject (optional) - The text which you want to include in the e-mail's subject field.
Body line 1 - The API ID which has been assigned to you by your SMS gateway provider. This parameter is required by the SMS gateway for authentication purposes. Format this parameter as follows: api_id:<API ID No>. NOTE: If you don't know your API ID, ask your SMS gateway provider to supply you with this information.
Body line 2 - Your SMS gateway user name (e.g. user:jasonm). Format this entry as follows: user:<user name>. NOTE: If you don't know your SMS gateway user name, ask your SMS gateway provider to supply you with this information.
Body line 3 - Your SMS gateway password (e.g. password:abcde). Format this entry as follows: password:<password text>. NOTE: If you don't know your SMS gateway password, ask your SMS gateway provider to provide this information.
Body line 4 (leave as default) - The number of the SMS recipient (i.e. the number to which the SMS will be sent). This value is passed on automatically by GFI EventsManager through the variable [smsnumber], which is replaced with the actual number when the e-mail is generated. The contents of this property are formatted as follows: to:[smsnumber]
Body line 5 (leave as default) - The text which must be included in the SMS. These contents are passed on automatically by GFI EventsManager through the variable [smsmessage], which is replaced with the alert text when the e-mail is generated. The contents of this property are formatted as follows: text:[smsmessage]
4. In the Retries entry box, specify the number of times that GFI EventsManager will try to send the e-mail to the web-based e-mail to SMS provider should the first attempt fail.
5. Click on OK to finalize your settings.

NOTE: The api_id/user/password keys in Body lines 1 to 3 follow one provider's convention. A different e-mail to SMS provider may expect other keys, a different order, or no credentials in the body at all, so edit the body lines to match the format your provider documents.
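The three templates above differ only in their field values: in every case GFI EventsManager expands [smsnumber] and [smsmessage], assembles From, To, CC, Subject and Body lines 1 to 5 into an e-mail, and hands it to the configured SMTP server. The PowerShell script below is an added example written for this page, not code from GFI EventsManager or from any SMS provider; it reproduces that assembly for a Clickatell-style template so you can inspect exactly what leaves the server, and sends it with the retry behaviour of the Retries entry box. The gateway address sms-gateway.example.net, the SMTP server, the credentials, the recipient number and the message text are all made-up sample values, and New-SmsAlertMail and Send-SmsAlertMail are this example's own function names.

```powershell
# Added example, not GFI EventsManager code. Builds the e-mail that an SMS
# template produces, using the property names from the SMS tab. All addresses,
# credentials and numbers below are made-up sample values.

function New-SmsAlertMail {
    param(
        [Parameter(Mandatory)][hashtable]$Template,   # property name -> value, as on the SMS tab
        [Parameter(Mandatory)][string]$SmsNumber,     # replaces [smsnumber]
        [Parameter(Mandatory)][string]$SmsMessage     # replaces [smsmessage]
    )
    # GFI EventsManager substitutes the two variables in every template field.
    $expand = { param([string]$Text)
        $Text.Replace('[smsnumber]', $SmsNumber).Replace('[smsmessage]', $SmsMessage) }

    $mail = New-Object System.Net.Mail.MailMessage
    $mail.From = [System.Net.Mail.MailAddress](& $expand $Template['From'])
    $mail.To.Add((& $expand $Template['To']))
    if ($Template['CC'])      { $mail.CC.Add((& $expand $Template['CC'])) }
    if ($Template['Subject']) { $mail.Subject = & $expand $Template['Subject'] }

    # Body lines 1..5 become one "key:value" line each; the gateway parses them in order.
    $bodyLines = foreach ($i in 1..5) {
        $line = $Template["Body line $i"]
        if ($line) { & $expand $line }
    }
    $mail.Body = $bodyLines -join "`r`n"
    $mail.IsBodyHtml = $false
    return $mail
}

function Send-SmsAlertMail {
    param(
        [Parameter(Mandatory)][System.Net.Mail.MailMessage]$Mail,
        [Parameter(Mandatory)][string]$SmtpServer,
        [int]$SmtpPort = 25,            # the template's default SMTP port
        [pscredential]$SmtpCredential,
        [int]$Retries = 3               # the Retries entry box
    )
    $client = New-Object System.Net.Mail.SmtpClient -ArgumentList $SmtpServer, $SmtpPort
    # Body line 3 carries the gateway password in clear text, so insist on STARTTLS
    # towards the relay; Send() throws if the server cannot offer it.
    $client.EnableSsl = $true
    if ($SmtpCredential) { $client.Credentials = $SmtpCredential.GetNetworkCredential() }
    for ($attempt = 1; $attempt -le 1 + $Retries; $attempt++) {
        try   { $client.Send($Mail); return $true }
        catch [System.Net.Mail.SmtpException] {
            Write-Warning "SMTP attempt $attempt of $(1 + $Retries) failed: $($_.Exception.Message)"
            Start-Sleep -Seconds (5 * $attempt)
        }
    }
    return $false
}

# Constructed Clickatell-style template; the example values from the property list
# are reused and the gateway address is an assumption, not a real provider address.
$template = @{
    'From'        = 'eventsmanager@example.com'
    'To'          = 'sms@sms-gateway.example.net'   # use the address your provider gives you
    'Subject'     = 'GFI EventsManager alert'
    'Body line 1' = 'api_id:124576'
    'Body line 2' = 'user:jasonm'
    'Body line 3' = 'password:abcde'
    'Body line 4' = 'to:[smsnumber]'
    'Body line 5' = 'text:[smsmessage]'
}

$mail = New-SmsAlertMail -Template $template -SmsNumber '15555550100' `
                         -SmsMessage 'High importance event on server SRV01'
# Inspect the body: Body line 3 puts the gateway password into every alert e-mail.
$mail.Body

# Send through your own relay (made-up server name), prompting for SMTP credentials:
# Send-SmsAlertMail -Mail $mail -SmtpServer 'smtp.example.com' -SmtpCredential (Get-Credential) -Retries 3
```

Because the same script builds the FAXmaker template as well (only the To address and body lines differ), printing $mail.Body is also a quick way to confirm that [smsnumber] and [smsmessage] were substituted before changing anything on the SMS tab.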
Appendix 2: Configuring Windows

Introduction

In this appendix, you will learn how to:
- Enable and configure your Windows security event auditing level using Audit Policies.
- Start the Remote Registry service.
Both Windows security auditing and the Remote Registry service are required by GFI EventsManager to effectively manage Windows event logs.

Remote Registry service

The Remote Registry service is required by GFI EventsManager to remotely connect to the event sources and perform event log auditing and collection. By default, the Remote Registry service is installed as part of the operating system on all computers running Windows NT, 2000, XP and later versions.

Screenshot - Scanning Monitor: Error Messages pane

If this service is not enabled, the error message shown above is displayed in the Job Activity view, Operational History section of the GFI EventsManager Status Monitor. For more information on how to access the Status Monitor, refer to the Status monitoring chapter.

NOTE: Enabling Remote Registry exposes the registry of the event source over the network (RPC over TCP 445). Limit who can reach it: allow the service only from the GFI EventsManager server in the host firewall, and restrict remote access through the permissions on the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg, so that only the collection account can read it remotely.

Windows Audit Policy

Windows security logs can be configured to record server events as well as directory or file access events. Events that can be recorded include valid and invalid logon attempts, as well as events related to the use of system resources, such as the creation, opening or deletion of files.

Screenshot - Audit Policy node: Audit policy configuration options

In order for GFI EventsManager to effectively perform security event log auditing, you must first enable security event auditing on your Windows operating system; otherwise no events are recorded in the Windows Security Log and GFI EventsManager has no logs to process. Security event auditing is enabled and configured through the Microsoft Management Console (MMC) via the Audit Policy node.

NOTE: GFI EventsManager does not generate any error if security event auditing is not enabled. An empty Security log is therefore not reported as a fault, so verify the audit policy on each event source yourself.

Enabling the Remote Registry service

To enable the Remote Registry service:
1. Click on Start > Run and type Services.msc. This brings up the Services dialog.

Screenshot - Services properties dialog
2. Navigate the list of services until you find the Remote Registry service. Right-click on the service and select Properties.

Screenshot - Remote Registry Properties dialog

3. From the General tab, which opens by default, select Automatic from the Startup type drop-down and click Start.
4. Click OK to save your settings and close the dialog.

Enabling Windows security auditing

NOTE: To audit access to files and folders in Windows 2000, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit Policy. Failing to do so results in an error message while setting up file and folder auditing. For more information on how to create/install Group Policy snap-ins, refer to the How to install Group Policy snap-ins section in this Appendix.

To enable local Windows security auditing:
1. Log on to Windows with an account that has Administrator rights.
2. Ensure that the Group Policy snap-in is installed.
3. Navigate to the Administrative Tools window (Start > Settings > Control Panel > Administrative Tools).
Screenshot - Local Security Settings MMC snap-in

4. Double-click on the Local Security Policy icon to bring up the Local Security Settings MMC snap-in.
5. Expand the Local Policies node and then double-click the Audit Policy node.
6. From the right pane, double-click the policy that you want to configure (enable/disable). This brings up the properties dialog of that policy (e.g. Audit system events).

Screenshot - Audit system events properties dialog

7. Select the Define these policy settings option and configure the type of audit required (i.e. on successful and/or failed attempts). For more information on Windows security auditing settings, refer to the Microsoft documentation.

NOTE: On a domain member, audit settings applied through Local Security Policy are overridden by any audit settings defined in domain Group Policy. Check the effective policy on the event source rather than the local setting alone.

How to install Group Policy snap-ins

To use the auditing features in Windows 2000, you need to install the Group Policy snap-in. This snap-in is not included in the Computer Management console, and therefore you need to create a new console for the Group Policy snap-in. For more information about adding MMC snap-ins, see the Windows 2000 documentation.

To create a new MMC console and add the Group Policy snap-in:
1. Click on Start > Run and type mmc. This brings up a new, empty MMC console.
2. From the console's pull-down menu, click on File and select Add/Remove Snap-in.
3. From the Add/Remove Snap-in dialog box which opens, click on the Add button.
Screenshot - List of available snap-ins

4. From the list of available snap-ins, select Group Policy Object Editor and click Add.
5. In the Select Group Policy Object dialog box, click on Browse to locate the computer you want to audit.

Screenshot - Browse for a Group Policy Object dialog: Computers tab

6. From the Browse for a Group Policy Object dialog, click the Computers tab, click Another computer, select the computer that you want to audit and click OK.
7. Click Finish to finalize your settings.
8. Close the Add Standalone Snap-in dialog and click OK.
9. Click on File > Save to save the new console to your hard disk. Use this new console to configure the auditing features.
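Both prerequisites from this appendix can be verified from a PowerShell prompt instead of the Services and Local Security Settings consoles, which matters when there are dozens of event sources. The script below is an added example for this page, not part of GFI EventsManager: it uses sc.exe, which talks to the remote Service Control Manager over RPC, to check and start Remote Registry on each event source, and secedit.exe to export the local audit policy and flag categories still set to No auditing. The host names SRV01 and SRV02 and the function names are this example's own; run it from an elevated prompt with an account that is an administrator on the targets. secedit reports the nine classic audit categories; on Windows Vista/2008 and later, where advanced audit policy subcategories may be in force, confirm the effective settings with auditpol /get /category:* as well.

```powershell
# Added example, not GFI EventsManager code. Checks the two prerequisites from
# Appendix 2: Remote Registry running on each event source, and a local audit
# policy that actually records security events. Host names are placeholders.
# Requires an elevated prompt and administrative rights on the target computers.

$eventSources = 'SRV01', 'SRV02'    # replace with your own event source names

function Enable-RemoteRegistry {
    param([Parameter(Mandatory)][string]$ComputerName)
    # "sc \\host query" prints a "STATE : 4 RUNNING" line when the service is up.
    $state = sc.exe "\\$ComputerName" query RemoteRegistry | Select-String 'STATE'
    if ("$state" -match 'RUNNING') {
        return "$ComputerName : Remote Registry already running"
    }
    # Same effect as Startup type = Automatic followed by Start in services.msc.
    sc.exe "\\$ComputerName" config RemoteRegistry start= auto | Out-Null
    sc.exe "\\$ComputerName" start RemoteRegistry | Out-Null
    Start-Sleep -Seconds 2
    $state = sc.exe "\\$ComputerName" query RemoteRegistry | Select-String 'STATE'
    if ("$state" -match 'RUNNING') { return "$ComputerName : Remote Registry started" }
    return "$ComputerName : could not start Remote Registry ($state)"
}

function Get-LocalAuditPolicy {
    # secedit exports the local security policy as an INF file; its [Event Audit]
    # section lists the nine classic categories with 0 = No auditing,
    # 1 = Success, 2 = Failure, 3 = Success and Failure.
    $inf = Join-Path $env:TEMP 'audit-policy-export.inf'
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    $inEventAudit = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inEventAudit = ($Matches[1] -eq 'Event Audit'); continue }
        if ($inEventAudit -and $line -match '^(Audit\w+)\s*=\s*(\d)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

# Categories that the Security log rules in the tutorials depend on (logon events
# 528/540, failed logons, object access, policy and account changes).
$required = 'AuditLogonEvents', 'AuditAccountLogon', 'AuditObjectAccess',
            'AuditPolicyChange', 'AuditAccountManage', 'AuditSystemEvents'

$policy = Get-LocalAuditPolicy
foreach ($category in $required) {
    $value = if ($policy.ContainsKey($category)) { $policy[$category] } else { 0 }
    if ($value -eq 0) {
        # GFI EventsManager raises no error for this; the Security log simply stays empty.
        Write-Warning "$category is set to No auditing on $env:COMPUTERNAME"
    } else {
        Write-Output "$category : $value (1 = Success, 2 = Failure, 3 = both)"
    }
}

foreach ($computer in $eventSources) { Enable-RemoteRegistry -ComputerName $computer }
```

Run the audit-policy part on each event source (for example through Invoke-Command where WinRM is available), not only on the GFI EventsManager server: the policy that matters is the one on the computer whose Security log is being collected.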
Appendix 3: Installing SQL Server Express Edition

Introduction

In this appendix we go through the steps required to install Microsoft SQL Server 2005 Express Edition.

Software requirements

The computer on which SQL Server Express Edition will be installed must have the following software installed:
- Windows Installer 3.1
- .NET Framework 2.0

Installation steps

The following steps are required to install SQL Server Express Edition:

Screenshot - Downloading SQL Server Express Edition

1. Download SQL Server Express Edition from the Microsoft website.
2. After successfully downloading the installation file, double-click on SQLEXPR_ADV.exe.
3. Read the end-user licensing agreement and click Agree to proceed with the installation.
Screenshot - Installation Requirements

4. Click on the Install button to start the SQL Server installation.

Screenshot - System Configuration Check

5. The installer now analyzes your system and generates a list of your current configuration settings. Verify that all settings are correct and, if necessary, act on any errors included in the list. Click Next to continue.

Screenshot - Registration details

6. Specify your registration details in the provided fields. Unselect the option Hide advanced configuration options and click Next.
Screenshot - Feature Selection

7. Select the features that you wish to install and click Next.

Screenshot - Select Instance

8. Select the default instance option and click Next.

Screenshot - Configure Service Account

9. Provide the service account details and click Next. Use a dedicated low-privilege account (or the built-in Network Service account) rather than a domain administrator account; setup grants the service account the rights it needs.
10. Select the authentication mode to be used and click Next. Windows Authentication mode is the more secure choice. If you select Mixed Mode because GFI EventsManager will connect with SQL Server authentication (as in Tutorial 1), set a strong sa password and create a separate, less privileged SQL login for GFI EventsManager instead of using sa.
Screenshot - Collation Settings

11. Select the desired collation settings and click Next.
12. Specify whether you want to enable user instances or not and click Next.

Screenshot - Error and Usage Report Settings

13. Select the desired Error and Usage Report settings and click Next.
14. Click Finish to finalize the installation.
Tutorial 1: Configuring basic options through the Quick Start Dialog

Overview

In this tutorial we demonstrate how to configure the key parameters required by GFI EventsManager at first startup. These settings are performed through the Quick Start Dialog, which is launched automatically the first time GFI EventsManager is started. The scope of this example extends from the configuration of the events database settings to the configuration of the default alerting options and the administrator account.

This tutorial is divided into 3 parts:
- In part 1 you will learn how to configure the GFI EventsManager database backend.
- In part 2 you will learn how to configure the default alerting options.
- In part 3 you will learn how to configure the GFI EventsManager administrator account.

Parameters

The parameters that will be used in this tutorial are listed below:

Part 1: Configure the events database:
Server: SQLServer01
Database: EventsManager
Use SQL authentication
User: John Doe
Password: pass1234

NOTE: The passwords in this tutorial are sample values for demonstration only. Use strong, unique passwords in a real deployment.

Part 2: Configure the default alerting options:
Hostname/IP:
Port: 25
Username: johndoe
Password: pass3344
Sender (e-mail): [email protected]
Sender (Display Name): John Doe

Part 3: Configure the administration account:
User: John Doe
Description: EventsManager Administrator
Mobile number:
Computer:
Working Days: Monday to Friday
Working Hours: From 09h to 19h
E-mail notifications: During and outside of working hours.
Network message alerts: During and outside of working hours.
SMS alerts: During and outside of working hours.
Member of: EventsManagerAdministrators

Part 1: Configuring the GFI EventsManager database backend

Screenshot - Quick Start Dialog box

1. From the Quick Start Dialog box, select the Configure events database option.
Screenshot - Setting up the database

2. Specify the following details:
Server: MSSQLServer
Database: EventsManager
Use SQL Server authentication
User: johndoe
Password: pass1234
3. Click OK to finalize your settings.
Part 2: Configuring default alerting options

1. From the Quick Start Dialog box, select the Configure Alerting Options option.

Screenshot - Configuring alerting options: Mail server setup

2. In the E-mail tab, which opens by default, click the Add button.
3. In the Mailserver Properties dialog box, specify the following mail server settings:
Hostname/IP:
Port: 25
Username: johndoe
Password: pass3344
Sender (e-mail): [email protected]
Sender (Display Name): John Doe
4. Click OK to save your e-mail alert settings and close the Mailserver Properties dialog.
5. Since no network and SMS notifications will be configured in this tutorial, click OK to finalize your alert configuration settings.

Part 3: Configuring the GFI EventsManager administrator account

1. From the Quick Start Dialog box, select the Configure Administrator account option.
Screenshot - Configuring the GFI EventsManager administrator account

2. In the General tab, which opens by default, specify the following details:
Username: John Doe
Description: EventsManager Administrator
E-mail: [email protected]
Mobile number:
Computers:
Screenshot - Configuring administrator working hours

3. Click on the Working Hours tab and specify the following parameters:
Working Days: Monday to Friday
Working Hours: From 09h to 19h

Screenshot - Configuring alerting options

4. Click on the Alerts tab and specify the following alerting parameters:
E-mail notifications: During and outside of working hours.
Network message alerts: During and outside of working hours.
SMS alerts: During and outside of working hours.

Screenshot - Adding the user to a user group

5. Click on the Member Of tab and specify to which group the user belongs (EventsManagerAdministrators).
6. Click OK to finalize your settings.
Tutorial 2: Configuring event processing parameters

Overview

In this tutorial we demonstrate how to configure the event processing parameters required by GFI EventsManager. The scope of this example extends from the configuration of the event sources to the configuration of the alerts that will be triggered on key events. By the end of this tutorial you will know how to configure and start processing logs using GFI EventsManager.

This tutorial is divided into 3 parts:
- In part 1 you will learn how to configure the computers from which GFI EventsManager will collect logs.
- In part 2 you will learn how to create and configure Windows event processing rules.
- In part 3 you will learn how to configure user properties, alerts and actions.

Parameters

The parameters and conditions that will be used in this tutorial are listed below:

Part 1: Configuring the event sources
NOTE: The parameters required in this part are user-specific. Substitute the domain and server parameters listed below with the ones that correspond to your network.
Domain: <MyDomain>
Server: <MyServer>

Part 2: Configuring event processing rules
Parameters for Section 1: Create a new rule-set folder.
Rule-set folder name: New rules folder
Parameters for Section 2: Create a new rule-set within the new rule-set folder.
Rule-set name: Example security rule-set
Description: This is an example of a Windows event rule-set.
Rule type: Windows Events processing
Parameters for Section 3: Create a new rule within the new rule-set.
Name: Example security rule
Description: This is an example of a Windows event processing rule.
Rule type: Windows Events processing
Logs: Security Events
Event ID range:
Source computers:
Category: Security event details
User: Administrator
Event type: Error
Rule should apply only during normal working hours
Use default classification actions.

Part 3: Configuring user properties, alerts and other actions
Parameters for Section 1: Create new users/alert recipients group.
Group name: GFI EventsManager User Group
Description: Example GFI EventsManager User Group
Parameters for Section 2: Create new user/alert recipient.
User name: John Doe
Description: Demonstration User
E-mail: [email protected]
Mobile Number:
Computers:
Working Days: Monday to Saturday
Working Hours: From 09h to 19h
E-mail notifications: During working hours.
Network message alerts: None.
SMS alerts: None.
Member of: GFI EventsManager User Group
Parameters for Section 3: Setting alerts for Critical events
Hostname/IP:
Port: 25
Username: John Doe
Password: pass3344
Sender e-mail: [email protected]
Sender name: John Doe
E-mail notifications: During working hours
Network message alerts: None
SMS alerts: None.

Part 1: Configuring log sources

1. Select Configuration from the primary options bar.
2. Select Event Sources from the secondary options bar.
3. Right-click on the Servers option in the left pane and select Add new computer. This brings up the New Computer Wizard.

Screenshot - Add a new server to pick event logs from

4. Click on the Select button.
5. Select <MyDomain> from the domain drop-down box and click Search.
6. Select <MyServer> from the provided list of domain computers.
7. Click on the OK button to save the setup.

Part 2: Creating new event processing rules

In Part 2 we demonstrate how to create new Windows Event Log rules. This part of the tutorial is divided into 3 sections:
Section 1: Create a new rules folder.
Section 2: Create a new rule-set within the new rules folder.
Section 3: Create a new rule within the new rule-set.

Section 1: Create a new rules folder

1. Select Configuration from the primary options bar.
2. Select Event Processing Rules from the secondary options bar.
3. From the left pane, select Windows Event Logs and then click on the Create folder option.

Screenshot - Creating a new rule folder

4. Name the new folder New rules folder.
Section 2: Create a new rule-set

1. Right-click on the New rules folder node and select the Create new rule set option.

Screenshot - Providing security rule-set properties

2. Specify the following rule-set properties:
Name: Example Security Rule-set
Description: This is an example of a Windows event rule-set.
3. Click OK to finalize your settings.

Section 3: Create a new rule

1. Right-click the Example Security Rule-set node in the left pane and select the Create new rule option from the context-sensitive menu.
Screenshot - New Processing Rule Wizard: Defining rule details

2. Specify the following rule details:
Name: Example security rule
Description: This is an example of a new security processing rule.
3. Click Next to proceed to the next dialog.

Screenshot - New Processing Rule Wizard: Selecting the logs

4. Select Security Events as the log to be processed and click Next to continue the setup.

Screenshot - New Processing Rule Wizard: Setting the conditions

5. Specify the following rule conditions:
Event IDs:
Source:
Category: Security Event Details
User: Administrator
Event Type: Error
6. Click Next to proceed to the next dialog.

Screenshot - New Processing Rule Wizard: Selecting event occurrence and importance

7. Specify the following event occurrence and importance parameters:
The rule applies if the event happens during Normal Operational Time (N.O.T.)
Classify the event as: High importance event
8. Click the Next button to proceed to the next dialog.

Screenshot - New Processing Rule Wizard: Selecting actions

9. Select the Use the default classification actions option and click Next.
10. Click Finish to finalize your settings.

Part 3: Configuring user properties, alerts and other actions

In part 3 we demonstrate how to configure the alert recipients, i.e. the users that will be alerted by this rule, as well as the type of alerts that will be generated. This part of the tutorial is divided into 3 sections:
Section 1: Create new users/alert recipients group.
Section 2: Add new alert recipients.
Section 3: Set alerts for Critical events.

Section 1: Create new users/alert recipients group

1. Select Configuration from the primary options bar.
2. Select Options from the secondary options bar.
3. From the left pane, right-click on the Groups node and select Create group.

Screenshot - New group user input

4. Specify the following group details:
Group name: GFI EventsManager User Group
Description: Example GFI EventsManager User Group
5. Click OK to finalize your settings.
Section 2: Add new alert recipient

Screenshot - Create users

1. From the left pane, right-click on the Users node and select Create user.

Screenshot - New user: General tab

2. Specify the following user details:
User name: John Doe
Description: Demonstration User
E-mail: [email protected]
Mobile Number:
Computers:

Screenshot - Set working hours

3. Click on the Working Hours tab and configure the working hours as follows:
Working Days: Monday to Saturday
Working Hours: From 09h to 19h

Screenshot - Set alerting options

4. Click on the Alerts tab and configure the alerting parameters as follows:
E-mail notifications: During working hours.
Network message alerts: None.
SMS alerts: None.

Screenshot - Defining user group membership

5. Click on the Member Of tab.
6. Click Add and double-click GFI EventsManager User Group from the provided list.
7. Click OK to finalize your settings.
Section 3: Setting alerts for Critical events

Screenshot - GFI EventsManager: Edit default classification actions

1. From the left pane, right-click on the Default Classification Actions node and select Edit defaults.

Screenshot - Customizing the default classification actions

2. From the provided drop-down, select Critical events actions.
3. Select the Send e-mail notifications to option from the provided list.
4. Select GFI EventsManager User Group and click Add. Click on the OK button to close the dialog.
5. Click OK to finalize your settings.

NOTE: The rule created in Part 2 classifies matching events as High importance, not Critical, and uses the default classification actions. For that rule to alert the GFI EventsManager User Group, configure the High importance classification in the same drop-down in the same way; otherwise the settings above apply only to events that other rules classify as Critical.
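Part 2 only shows the rule conditions as wizard fields; what the rule actually does with an event (match the log, ID, user and type, then check Normal Operational Time before classifying) is easier to see in code. The PowerShell below is an added example written for this tutorial, not GFI EventsManager's own rule engine. It encodes the Part 2 conditions with two assumptions stated in the comments: an event ID range of 528 to 540, because the tutorial leaves the range blank, and the Monday to Friday, 09h to 19h working hours from Tutorial 1 as the Normal Operational Time. It then runs them over three constructed events dated 22 and 23 December 2006 (a Friday and a Saturday), so the effect of the occurrence condition is visible without a live event source.

```powershell
# Added example, not GFI EventsManager code. Applies the Tutorial 2 rule
# conditions to constructed events. The ID range and working hours are assumed.

$rule = @{
    Name             = 'Example security rule'
    Log              = 'Security'
    EventIds         = 528..540           # assumed; the tutorial leaves the range blank
    User             = 'Administrator'
    EventType        = 'Error'
    OnlyDuringNOT    = $true              # "applies if the event happens during N.O.T."
    WorkingDays      = 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday'
    WorkingHoursFrom = 9                  # 09h, inclusive
    WorkingHoursTo   = 19                 # 19h, exclusive
    Classification   = 'High importance'
}

function Test-NormalOperationalTime {
    param([Parameter(Mandatory)][datetime]$Time, [Parameter(Mandatory)][hashtable]$Rule)
    ($Rule.WorkingDays -contains $Time.DayOfWeek.ToString()) -and
    ($Time.Hour -ge $Rule.WorkingHoursFrom) -and
    ($Time.Hour -lt $Rule.WorkingHoursTo)
}

function Invoke-EventRule {
    param([Parameter(Mandatory)][hashtable]$Rule, [Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        # Condition page of the wizard: log, ID range, user and event type.
        $hit = ($e.Log -eq $Rule.Log) -and
               ($Rule.EventIds -contains $e.Id) -and
               ($e.User -eq $Rule.User) -and
               ($e.Type -eq $Rule.EventType)
        # Occurrence page: a matching event outside N.O.T. does not fire this rule.
        if ($hit -and $Rule.OnlyDuringNOT) {
            $hit = Test-NormalOperationalTime -Time $e.Time -Rule $Rule
        }
        $class = if ($hit) { $Rule.Classification } else { 'not classified by this rule' }
        [pscustomobject]@{
            Time           = $e.Time
            Id             = $e.Id
            User           = $e.User
            Matched        = $hit
            Classification = $class
        }
    }
}

# Constructed sample events (not taken from a real Security log).
$sampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2006-12-22 10:15'; Log = 'Security'; Id = 529; User = 'Administrator'; Type = 'Error' }        # Friday, within N.O.T.
    [pscustomobject]@{ Time = [datetime]'2006-12-23 10:15'; Log = 'Security'; Id = 529; User = 'Administrator'; Type = 'Error' }        # Saturday, outside N.O.T.
    [pscustomobject]@{ Time = [datetime]'2006-12-22 10:20'; Log = 'Security'; Id = 528; User = 'jdoe';          Type = 'Information' }  # wrong user and type
)

Invoke-EventRule -Rule $rule -Events $sampleEvents | Format-Table -AutoSize
```

Only the first event is classified High importance; the second has identical content but falls on a Saturday, which is why a rule restricted to Normal Operational Time should be paired with a second rule for the same events outside working hours if those events matter around the clock.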
Tutorial 3: Event Browsing and Filtering

Overview

In this tutorial we demonstrate how to use the event query builder to create new event queries. The scope of this example extends from the creation of new event queries to the use of event queries to display only the required event data.

Parameters

The parameters used in this tutorial are listed below:
Query Name: Filter events with ID 520
Description: Query that displays events having event ID 520
Event ID: 520

Create a new event query

1. Select Events Browser from the primary options bar.
2. Select Windows Events Browser from the secondary options bar.
3. From the left pane, right-click on the Security Events option and select Query builder. This brings up the event query builder.

Screenshot - Filter set-up

4. Specify the following query details:
Name: Filter events with ID 520
Description: Query that displays events having event ID 520
5. Click Add and specify the following query conditions:
Select field operator: Equal To
Enter field value: 520
6. Click OK to close the dialog.

Screenshot - Filter properties dialog box

7. Click OK to finalize the query settings.

Using the new event query

Screenshot - Select new filter

Click on the Filter events with ID 520 query to display all events having event ID 520.
Tutorial 4: Database Operations

Overview

In this tutorial we demonstrate how to configure maintenance jobs on the database backend. The scope of this example extends from the creation of new jobs to their scheduling and execution. The tutorial is divided into 5 parts:
Part 1: configure the interval/schedule for executing maintenance jobs.
Part 2: configure an Export to file maintenance job.
Part 3: configure a Move to database maintenance job.
Part 4: configure a Delete data maintenance job.
Part 5: configure an Import from file maintenance job.

Parameters

The parameters and conditions used in this tutorial are listed below.

Part 1: Configuring the interval/schedule
Hours: 6:00pm to 9:00am
Interval: 5 days
Start date: 12/22/2006
Start time: 6:00pm

Part 2: Export to file maintenance job
NOTE: The Folder parameter is user-specific. Substitute the parameter listed below with one that corresponds to your environment.
Folder: c:\esm7_export
Export events older than: 5 days
Encryption password: pass3344
Log type: Windows Event Logs
Logs: Security Events
Event IDs: 528, 540
Scheduled job

Part 3: Move to database maintenance job
NOTE: The Database Name parameter is user-specific. Substitute the parameter listed below with one that corresponds to your environment.
Database Name: EventsManager
Move events older than: 5 days
Log type: Windows Event Logs
Logs: Security Events
Event IDs: 528, 540
Scheduled job

Part 4: Delete data maintenance job
Database: Main database
Delete events older than: 5 days
Log type: Windows Event Logs
Logs: Security Events
Event IDs: 528, 540
Scheduled job

Part 5: Import from file maintenance job
NOTE: The Folder parameter is user-specific. Substitute the parameter listed below with one that corresponds to your environment.
Folder: c:\esm7_export
Decryption password: pass3344
Log type: Windows Event Logs
Logs: Security Events
Event IDs: 528, 540
Scheduled job

NOTE: Event IDs 528 (successful logon) and 540 (successful network logon) are the Security log IDs of Windows 2000, XP and Server 2003 sources; Windows Vista, Server 2008 and later log a successful logon as event 4624, so the data filters below must use the IDs of the sources you collect from. The 5-day thresholds and the password pass3344 are tutorial values only: choose a retention period that satisfies your audit and compliance policy, use a strong passphrase for the export and keep a record of it, because an export file that cannot be decrypted cannot be imported again (Part 5). Do not let the Delete data job (Part 4) run against a set of events until an Export to file (Part 2) or Move to database (Part 3) job covering the same events has completed; once deleted from the main database, logon events cannot be recovered from the product.

Part 1: Configuring the interval/schedule

1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select Options.
3. From the left pane, right-click on the Database Operations node and select Properties. This will bring up the Database Operations Options dialog.
Screenshot 166: Specify scheduling options

4. Click on the Schedule tab and specify:
Hours of the day during which maintenance jobs can be executed: 6:00pm to 9:00am
Interval: 5 days
Start date: 12/22/2006
Start time: 6:00pm
5. Click OK to finalize your settings.

Part 2: Export to file maintenance job

In part 2 we demonstrate how to create a new Export to file maintenance job and how to specify the relevant job parameters.

1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select Options.
3. From the left pane, right-click on the Database Operations node and select Create new job. This will bring up the New job wizard.
4. When the welcome dialog is displayed, click Next to bring up the Job Type dialog.
Screenshot 167: Job Type dialog: Export to file maintenance job

5. Select the Export to file maintenance job and click Next to proceed to the configuration dialog.

Screenshot 168: Export to file parameters

6. Specify the following export parameters:
Folder: c:\esm7_export
Export events older than: 5 days
7. Click Next to proceed to the next dialog.

Screenshot 169: Export to file: encryption password

8. Specify, and confirm, the following parameter:
Encryption password: pass3344
9. Click Next to proceed to the data filter dialog.

Screenshot 170: Export to file: log type to process with data filter

10. Specify the following log type parameter to be processed by data filters:
Log type: Windows Event Logs
11. Click Filter to bring up the data filter conditions dialog.

Screenshot 171: Export to file: data filter conditions

12. Specify the following data filter parameters:
Logs: Security Events
Event IDs: 528, 540
13. Click OK to finalize your data filter condition settings.
14. Click Next to proceed to the next dialog.
Screenshot 172: Scheduled job

15. Select Scheduled job and click Finish to finalize the maintenance job settings.

Part 3: Move to database maintenance job

In part 3 we demonstrate how to create a new Move to database maintenance job and how to specify the relevant job parameters.

1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select Options.
3. From the left pane, right-click on the Database Operations node and select Create new job. This will bring up the New job wizard.
4. When the welcome dialog is displayed, click Next to bring up the Job Type dialog.
Screenshot 173: Job Type dialog: Move to database maintenance job

5. Select the Move to database maintenance job and click Next to proceed to the configuration dialog.

Screenshot 174: Move to database parameters

6. Specify the following parameters:
Database Name: EventsManager
Move events older than: 5 days
7. Click Next to proceed to the data filter dialog.

Screenshot 175: Move to database: log type to process with data filter

8. Specify the following log type parameter to be processed by data filters:
Log type: Windows Event Logs
9. Click Filter to bring up the data filter conditions dialog.

Screenshot 176: Move to database: data filter conditions

10. Specify the following data filter parameters:
Logs: Security Events
Event IDs: 528, 540
11. Click OK to finalize your data filter condition settings.
12. Click Next to proceed to the next dialog.
Screenshot 177: Scheduled job

13. Select Scheduled job and click Finish to finalize the maintenance job settings.

Part 4: Delete data maintenance job

In part 4 we demonstrate how to create a new Delete data maintenance job and how to specify the relevant job parameters.

1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select Options.
3. From the left pane, right-click on the Database Operations node and select Create new job. This will bring up the New job wizard.
4. When the welcome dialog is displayed, click Next to bring up the Job Type dialog.
Screenshot 178: Job Type dialog: Delete data maintenance job

5. Select the Delete data maintenance job and click Next to proceed to the configuration dialog.

Screenshot 179: Delete data parameters

6. Specify the following parameters:
Database: Main database
Delete events older than: 5 days
7. Click Next to proceed to the data filter dialog.

Screenshot 180: Delete data: log type to process with data filter

8. Specify the following log type parameter to be processed by data filters:
Log type: Windows Event Logs
9. Click Filter to bring up the data filter conditions dialog.

Screenshot 181: Delete data: data filter conditions

10. Specify the following data filter parameters:
Logs: Security Events
Event IDs: 528, 540
11. Click OK to finalize your data filter condition settings.
12. Click Next to proceed to the next dialog.
Screenshot 182: Scheduled job

13. Select Scheduled job and click Finish to finalize the maintenance job settings.

Part 5: Import from file maintenance job

In part 5 we demonstrate how to create a new Import from file maintenance job and how to specify the relevant job parameters.

1. Click on the Configuration option.
2. From the secondary options bar which opens underneath, select Options.
3. From the left pane, right-click on the Database Operations node and select Create new job. This will bring up the New job wizard.
4. When the welcome dialog is displayed, click Next to bring up the Job Type dialog.
Screenshot 183: Job Type dialog: Import from file maintenance job

5. Select the Import from file maintenance job and click Next to proceed to the configuration dialog.

Screenshot 184: Import file parameters

6. Specify the following import parameter:
Folder: c:\esm7_export
7. Click Next to proceed to the next dialog.

Screenshot 185: Import from file: decryption password

8. Specify, and confirm, the following parameter:
Decryption password: pass3344
9. Click Next to proceed to the data filter dialog.

Screenshot 186: Import from file: log type to process with data filter

10. Specify the following log type parameter to be processed by data filters:
Log type: Windows Event Logs
11. Click Filter to bring up the data filter conditions dialog.

Screenshot 187: Import from file: data filter conditions

12. Specify the following data filter parameters:
Logs: Security Events
Event IDs: 528, 540
13. Click OK to finalize your data filter condition settings.
14. Click Next to proceed to the next dialog.
Screenshot 188: Scheduled job

15. Select Scheduled job and click Finish to finalize the maintenance job settings.
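The following Python script is an added example; it is not part of this manual and not GFI code. It models the data filter shared by Tutorial 3 (an event query on a single event ID) and Tutorial 4 (the Export to file, Move to database, Delete data and Import from file jobs) against a handful of constructed events. The record layout, the function names and the file container are assumptions: the manual does not document the backend schema or which cipher the Encryption password drives, so the export here uses PBKDF2-derived keys, an HMAC-SHA256 counter-mode keystream and an encrypt-then-MAC tag, chosen only to show the two properties a practitioner should verify before trusting the real jobs: a wrong decryption password is rejected outright, and deletion is refused until the archive has been read back.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta, timezone

# Reference "now" for age checks: the tutorial's start date/time (12/22/2006, 6:00pm).
NOW = datetime(2006, 12, 22, 18, 0, tzinfo=timezone.utc)

def make_event(log, event_id, age_days, **fields):
    """Hypothetical record shape (assumption: the manual does not document the backend schema)."""
    when = NOW - timedelta(days=age_days)
    return {"log": log, "event_id": event_id, "time": when.isoformat(), **fields}

# Constructed sample data with pre-Vista Security log IDs: 528 successful logon,
# 540 successful network logon, 520 system time changed.
SAMPLE_EVENTS = [
    make_event("Security", 528, 7, user="alice"),        # old, in filter -> archived
    make_event("Security", 540, 6, user="svc-backup"),   # old, in filter -> archived
    make_event("Security", 528, 1, user="bob"),          # too recent -> kept
    make_event("Security", 520, 9, user="SYSTEM"),       # old, ID not in filter -> kept
    make_event("Application", 528, 10, source="MyApp"),  # wrong log -> kept
]

def matches(event, log, event_ids, older_than_days=None, now=NOW):
    """Data filter: Logs, Event IDs and, for maintenance jobs, 'older than N days'."""
    if event["log"] != log or event["event_id"] not in event_ids:
        return False
    if older_than_days is None:  # Tutorial 3 query: no age condition
        return True
    return datetime.fromisoformat(event["time"]) < now - timedelta(days=older_than_days)

def query(events, log, event_ids, older_than_days=None, now=NOW):
    """Tutorial 3: an event query such as 'Filter events with ID 520'."""
    return [e for e in events if matches(e, log, event_ids, older_than_days, now)]

SALT_LEN, TAG_LEN, ITERATIONS = 16, 32, 100_000

def _keys(password, salt):
    """PBKDF2-HMAC-SHA256 stretches the export password into a cipher key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, 64)
    return km[:32], km[32:]

def _keystream(key, salt, length):
    """HMAC-SHA256 in counter mode as a PRF keystream; the salt doubles as the per-export nonce."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, salt + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt(password, plaintext):
    """Encrypt-then-MAC container: salt | ciphertext | tag. Assumption: a stand-in, since
    the manual does not say which algorithm the product's Encryption password drives."""
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _keys(password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, salt, len(plaintext))))
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()

def decrypt(password, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _keys(password, salt)
    if not hmac.compare_digest(hmac.new(mac_key, salt + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong decryption password or corrupted export file")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, salt, len(ct))))

def export_to_file(events, password, **filt):
    """Part 2: return the encrypted export blob and the events it holds."""
    selected = query(events, **filt)
    return encrypt(password, json.dumps(selected).encode("utf-8")), selected

def delete_data(events, **filt):
    """Part 4: remove matching events, returning what is left in the main database."""
    return [e for e in events if not matches(e, **filt)]

def move_to_database(events, target, **filt):
    """Part 3: copy matching events into another store, then remove them from the source."""
    return delete_data(events, **filt), target + query(events, **filt)

def import_from_file(blob, password, **filt):
    """Part 5: decrypt, then re-apply the data filter on the way back in."""
    return query(json.loads(decrypt(password, blob).decode("utf-8")), **filt)

def run_retention(events, password, **filt):
    """Safe ordering: export, prove the archive reads back, and only then delete."""
    blob, exported = export_to_file(events, password, **filt)
    if import_from_file(blob, password, **filt) != exported:
        raise RuntimeError("archive does not read back; refusing to delete")
    return delete_data(events, **filt), blob

if __name__ == "__main__":
    FILTER = dict(log="Security", event_ids={528, 540}, older_than_days=5)
    print("Tutorial 3 query:", query(SAMPLE_EVENTS, "Security", {520}))
    remaining, blob = run_retention(SAMPLE_EVENTS, "pass3344", **FILTER)
    with open("esm7_export.bin", "wb") as fh:  # stands in for the c:\esm7_export folder
        fh.write(blob)
    print(f"{len(SAMPLE_EVENTS) - len(remaining)} archived, {len(remaining)} kept")
```

Run as a script it writes esm7_export.bin beside itself. The tutorial creates the export and delete jobs as independent scheduled jobs; the check in run_retention (the archive must decrypt and contain exactly the events about to be deleted) is the invariant to preserve when you schedule them, and the password-stretching and tag check are why the export passphrase, not the file's location, is what protects the archived logon events.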
Index

A
actions 5, 6, 10, 12, 34, 41, 42, 43, 53, 55, 56, 57, 104, 107, 109, 110, 158, 170, 171
Alerting Options 126, 129, 131, 133

B
backup events 67, 68

C
Computer Group Properties 36
Computer Properties 36
configuration settings 123

D
database backend 5, 10, 12, 24, 25, 26, 27, 52, 62, 67, 68
Database Operations 80, 176
default alerting settings 31

E
email alerts 6, 27, 30, 31, 32, 41, 55
event archiving 6, 24, 52, 55
event classification 10, 42, 52, 55, 57
event color-coding 62
event finder tool 62
event processing rules 5, 7, 9, 10, 12, 41, 42, 46, 48, 50, 53, 54, 55, 57, 99
event query 10, 60, 61, 63, 64
event query builder 10, 64
event sources 9, 11, 12, 34, 35, 36, 39, 46, 48, 103, 106, 108
events browser 5, 59

F
filter conditions 85, 87, 88, 90, 91

G
GSM 126

I
installation wizard 18

L
license key 19
licensing 13, 18, 120
LogMonitorAdministrator 27, 28
logon credentials 39

N
network alerts 6, 28, 32, 55, 57

O
operational time 37, 39, 40, 103, 106, 108

P
privileges 18
Properties 126, 129, 131, 133

Q
Quick Start Dialog 24, 25, 28, 30, 34, 150, 151, 153

R
rule-set 53, 54, 99, 100, 101, 102, 104, 107

S
scanning monitor 69
SMS 125
SMS alerts 6, 7, 27, 30, 32, 125, 131, 133, 151, 156, 158, 168
Syslog messages 23, 49
Syslog server 23, 49, 50, 51

U
Upgrading 18

V
version information 121

W
W3C logs 7, 11, 21, 22, 37, 41, 47, 48, 104, 105, 110
Windows event logs 7, 8, 11, 21, 37, 41, 43, 45, 47, 53, 54, 99
wizard 123
working hours 6, 28, 29, 39, 40, 103, 106, 108, 113, 151, 155, 156, 158, 167
User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream
User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner
Bitrix Site Manager ASP.NET. Installation Guide
Bitrix Site Manager ASP.NET Installation Guide Contents Introduction... 4 Chapter 1. Checking for IIS Installation... 5 Chapter 2. Using An Archive File to Install Bitrix Site Manager ASP.NET... 7 Preliminary
Kaseya 2. User Guide. for Network Monitor 4.1
Kaseya 2 Ping Monitor User Guide for Network Monitor 4.1 June 5, 2012 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations.
GFI Product Manual. Administrator Guide
GFI Product Manual Administrator Guide The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied,
Novell ZENworks Asset Management 7.5
Novell ZENworks Asset Management 7.5 w w w. n o v e l l. c o m October 2006 USING THE WEB CONSOLE Table Of Contents Getting Started with ZENworks Asset Management Web Console... 1 How to Get Started...
WhatsUp Gold v16.2 Installation and Configuration Guide
WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines
Secrets of Event Viewer for Active Directory Security Auditing Lepide Software
Secrets of Event Viewer for Active Directory Security Auditing Windows Event Viewer doesn t need any introduction to the IT Administrators. However, some of its hidden secrets, especially those related
VERITAS Backup Exec TM 10.0 for Windows Servers
VERITAS Backup Exec TM 10.0 for Windows Servers Quick Installation Guide N134418 July 2004 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software
