SpectorSoft Log Manager Help




SpectorSoft Log Manager Help 10/8/2013 2013 SpectorSoft Corporation, All rights reserved.

Table of Contents

Getting Started ... 1
About ... 1
How it Works ... 3
Upgrading from Network Event Viewer ... 4
System Requirements ... 6
Registration ... 6
Update Service ... 7
Best Practices ... 7
Tutorials ... 9
Tutorials ... 9
Event Log Management Tutorial ... 10
Encrypting and Password Protecting Event Log Backups ... 20
Printing Logs for Auditors ... 22
Monitoring a File for Inactivity ... 31
Receiving a Monthly Event Log Error Count Report (Grouped by Event ID/Source) ... 34
Receiving a Monthly Event Log Error Count Report ... 35
Starting a Process when a Particular Entry is Logged ... 36
Consolidating Logs to SQL Server ... 37
Consolidating Logs to MySQL ... 42
Using Gmail as a Backup Email Server ... 47
How To ... 48
User Interface Components ... 48
Actions, Alerts and Notifications ... 49
Active Directory ... 51
Active Directory Filters ... 52
Auto Configurator ... 53
Backing Up and Restoring the Configuration ... 54
Browsing Computers ... 54
Browsing Text Logs ... 55
Configuration Templates ... 55
Displaying Logs ... 56
Emailing Logs ... 57
Encrypting Communications ... 57
EVT and EVTX Files ... 59
Exporting Logs ... 61
Filters ... 61
Frequency Reports ... 64
Frequency Rules ... 65
Groups ... 66
Importing a Computer List ... 66
Log Entry Retention Policy ... 67
Log Properties ... 67
Managing Event Logs ... 69
Managing Syslogs ... 70
Managing Text Logs ... 71
Manually Downloading Event Logs ... 74
Mapping Computers ... 75
Monitoring and Consolidating Logs ... 76
Monitoring CSV Files ... 77
Oracle Support ... 77
Printing Logs ... 78
Regular Expressions ... 78
Replacement Tags ... 79
Reports ... 85
Schedule Distributor ... 86
Schedules ... 87
Searching Logs ... 87
Selecting Specific Computers ... 88
Selecting Specific Logs ... 89
SNMP Traps ... 90
Standard Reports ... 90
Tray Icon ... 91
Views ... 92
Security Event Log Reports ... 93
Success Logon Reports ... 93
Failed Logon Reports ... 94
Account Lockout Reports ... 95
New User Account Reports ... 95
Logon/Logoff Reports ... 96
Account Management Reports ... 97
Options ... 98
Options ... 98
Web Proxy Server Configuration ... 102
Windows Service ... 103
Windows Service ... 103
Change Service Logon ... 103
Windows Service Log File ... 103
Starting and Stopping the Windows Service ... 104
Troubleshooting ... 105
Troubleshooting ... 105
Common Event Log Management Errors ... 105
The RPC Server is Unavailable ... 106
Access Denied ... 107
Quota Violation ... 109
Common Filter Issues ... 110
Common Action Issues ... 110
Security ... 111
Configuring the Windows Firewall ... 112
Technical Support ... 112
SpectorSoft Information ... 113
Contact Us ... 113
Copyrights and Trademarks ... 114
Index ... 115

Getting Started

About

SpectorSoft Log Manager is a network-wide log monitoring, consolidation, auditing and reporting tool enabling System Administrators to proactively monitor their networks while satisfying regulatory agency auditing requirements.

Features at a Glance

- Monitor logs in real-time or per user defined schedule
- Create and assign simple or complex regular expression filters
- Fire multiple types of alerts or actions including SNMP traps
- Consolidate Event Logs, Syslogs, text logs and CSV files
- Automatically truncate and archive consolidated logs
- Schedule detailed reports
- Includes Security Event Log reports
- Merge multiple log files into a single view
- View Windows Event Log files (EVT and EVTX)
- View large log files quickly with minimal system resources
- Monitor Active Directory and automatically configure new computers
- Single installation monitors entire network
- No installation required on managed computers

Event Log Management

The Windows operating system and many third-party Windows Services and applications use the Windows Event Log system to log informational, warning, and error information used by Systems Administrators to help identify application errors. SpectorSoft Log Manager monitors (real-time or scheduled), consolidates and archives Event Logs to SQL Server, MySQL, Oracle or the proprietary file system.

Syslog Management

SpectorSoft Log Manager includes a self-contained syslog server that can be used to collect, monitor and consolidate syslog messages from both computers and devices such as network routers and firewalls.

Text Log Management

SpectorSoft Log Manager supports both delimited and non-delimited text log files. Delimited files follow a specific format enabling programmatic parsing over multiple lines. Many applications create log files using a date driven naming mechanism. SpectorSoft Log Manager enables you to monitor files within a directory that match user defined file name masks such as <yymmdd>.txt and *.log. When a new file is detected, the service automatically starts monitoring the file contents.

Advanced Filtering

Powerful filtering searches through consolidated logs, allowing you to pinpoint log entries of interest or remove noise. Both simple and complex regular expression filters are offered. Selectively flag and add notes to log entries of interest.

Compliance

Many regulatory agencies require organizations to archive critical logs for future reference. SpectorSoft Log Manager archives your logs, in their entirety or as a subset, to a central SQL Server, MySQL or Oracle database, as well as to CSV, EVT, EVTX, HTML, TXT, or XML files.

Alerts, Notifications and Actions

SpectorSoft Log Manager supports several different alerts and actions when key log entries are detected. Trigger actions such as sending a fully customizable email, exporting to a file, displaying a message box, playing a sound, writing key log entries to a user defined database table, forwarding key log entries to log consolidation hardware via syslog, displaying a system tray popup message, sending an SMS notification through an email-to-SMS gateway, or firing an SNMP trap.

Report Generation

Generate reports that contain filtered log entries from a set of computers. For example, receive a daily report that contains a list of all failed login attempts to your domain controllers for the last 24 hours. Customize the report content using HTML email templates. Run reports on demand or on a schedule.

For more information, see: How it Works; Monitoring and Consolidating Logs

How it Works

Components

SpectorSoft Log Manager consists of three (3) major components:

- The User Interface is used to configure log management, generate reports and watch logs in real-time.
- The Windows Service monitors and parses log entries, fires actions, generates scheduled reports, and automatically starts to monitor newly discovered computers.
- The Tray Icon fires user interface alerts such as message box, sound, and system tray popups.

Implementation

Log Manager uses Microsoft's Windows Management Instrumentation (WMI) to monitor in real-time, download and manage remote Event Logs.

Syslog messages are received by pointing the hardware generating the messages to the server on which Log Manager is installed. The Log Manager Service opens UDP port 514 and listens for syslog messages.

Text Logs are monitored in real-time or by polling the file, as frequently as every second or as infrequently as once a month. Text log change subscriptions and reads are done using either Microsoft Networking on Windows or Samba on Linux/Unix.

Once messages are received, the Log Manager Service applies filters and fires any appropriate actions. Next, consolidation filters are applied. All entries that pass the consolidation filter are stored in the log repository. Reports are generated on demand or automatically against the consolidated logs contained within the log repository.

For more information, see: Monitoring and Consolidating Logs; Reports; User Interface Components; System Requirements
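As an added illustration (not SpectorSoft code), the following Python receiver shows what the syslog step above involves: datagrams arrive on UDP 514, the PRI field yields facility and severity, and a filter decides which entries warrant an action before anything is stored. The BSD-style header format, the severity filter and the sample datagrams are assumptions and constructed input, not taken from the page.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

SYSLOG_PORT = 514  # the Log Manager service listens for syslog on UDP 514

# RFC 3164 facility and severity names, indexed by PRI // 8 and PRI % 8
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# BSD-style header (assumed): "Mmm dd hh:mm:ss HOSTNAME " followed by the message body
_HDR = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


@dataclass
class SyslogEntry:
    facility: str
    severity: str
    timestamp: Optional[str]  # None when the sender supplied no header
    host: str                 # hostname from the header, else the sender's IP
    message: str


def parse_syslog(raw: bytes, source_ip: str) -> SyslogEntry:
    """Decode one UDP datagram into a SyslogEntry, tolerating devices that
    send no PRI, an out-of-range PRI, or no timestamp/hostname header."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    pri, body = 13, text  # RFC 3164 default PRI (user.notice) when missing or invalid
    m = _PRI.match(text)
    if m and int(m.group(1)) <= 191:  # 23 * 8 + 7 is the largest legal PRI
        pri, body = int(m.group(1)), m.group(2)
    facility, severity = FACILITIES[pri // 8], SEVERITIES[pri % 8]
    h = _HDR.match(body)
    if h:
        return SyslogEntry(facility, severity, h.group(1), h.group(2), h.group(3))
    # Header-less datagram: attribute the whole payload to the sending address
    return SyslogEntry(facility, severity, None, source_ip, body)


def passes_filter(entry: SyslogEntry, max_severity: str = "warning") -> bool:
    """Severity filter: keep entries at max_severity or more urgent.
    A lower index is more urgent (emerg=0 ... debug=7)."""
    return SEVERITIES.index(entry.severity) <= SEVERITIES.index(max_severity)


# Constructed sample datagrams (not captured traffic), as a firewall and a server might send them
SAMPLE_DATAGRAMS = [
    (b"<34>Oct  8 13:02:11 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1\n", "192.0.2.10"),
    (b"<13>Oct  8 13:02:12 app01 backup[412]: nightly job finished\n", "192.0.2.11"),
    (b"<11>Oct  8 13:02:13 app01 sshd[900]: Failed password for invalid user admin from 203.0.113.7\n", "192.0.2.11"),
    (b"link down on port 3", "192.0.2.12"),  # device that sends no syslog header at all
]


def triage(datagrams, max_severity: str = "warning") -> List[SyslogEntry]:
    """Parse every datagram and return only those that pass the severity filter,
    mirroring the 'apply filters, then fire actions' step the page describes."""
    return [e for e in (parse_syslog(d, ip) for d, ip in datagrams)
            if passes_filter(e, max_severity)]


def serve(bind_addr: str = "0.0.0.0", port: int = SYSLOG_PORT, handler=print) -> None:
    """Receive syslog datagrams on UDP 514 (binding needs administrator/root rights)
    and hand each parsed entry to handler; runs until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            handler(parse_syslog(data, ip))


if __name__ == "__main__":
    for entry in triage(SAMPLE_DATAGRAMS):
        print(entry)
```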

Upgrading from Network Event Viewer

To reduce the amount of effort for users to upgrade to SpectorSoft Log Manager, we have included a function to import your Network Event Viewer configurations and log repository data. Please review the list below to see what is and what is not converted.

Converted:
- Email settings
- Web proxy server settings
- Computer mappings
- Database connection settings
- Log repository
- Auxiliary data source connection settings
- Actions
- Filters
- Download configurations
- Real-Time configurations
- Reports
- Directory Service connection settings

Not Converted:
- Configuration templates
- Auto Configurator configurations

Conversion Notes

Email and HTML Output: All reports and actions that point to custom email and HTML templates are set to the SpectorSoft Log Manager defaults. The default email subject is applied to all converted email alerts.

Filters: When converting filters, date-based criteria are dropped. All filters that are applied to syslog configurations or reports are broken out into 2 filters, one for Event Logs and the other for Syslogs.

Reports: When converting reports, the first date-based criterion found within the legacy filter is applied to the report. All reports that contain both Event Logs and Syslogs are broken out into 2 reports, one for Event Logs and the other for Syslogs.

Log Repository (File System)

When storing Event Logs to the file system, the conversion program can point to NEV's log repository. NEV offered an option to back up previously downloaded log files rather than append. This format of the log repository is not supported within SpectorSoft Log Manager and cannot be read. The conversion function offers the capability to convert the file system to either SQL Server, MySQL or Oracle. If you are interested in using a database rather than the file system, this is a good time to convert.

Stored syslog files are not converted but will show up in the repository as Event Logs. New files will be automatically created when syslog messages are received and will be displayed in the repository under Syslogs.

Log Repository (Database)

Prior to running any import functions below, BACK UP YOUR DATA. This includes your NEV configurations and your log repository database(s) or file system.

File System: If you are using our file system format, there is no need to convert the data.

Database: If you use SQL Server or MySQL, the NEV tables must be imported to new tables that SpectorSoft Log Manager can read. You can continue to use the same database without interfering with NEV. One major change between the software versions is that NEV stored archived entries to the same database, whereas SpectorSoft Log Manager stores archived entries to an alternate database. If you were archiving old log entries with NEV, you must create a new database to write these entries to. If you do not, by default the archived entries will be loaded into our file system format in the default archive location. If you choose to delete the NEV data once imported, the database should decrease in size by approximately 50%; otherwise it will increase by 50%. If you want to leave the NEV database unchanged, point the target to another database.

To Upgrade

From SpectorSoft Log Manager, select Import from Network Event Viewer. The Network Event Viewer service will be stopped prior to running the import functions. We highly recommend you either uninstall NEV or disable the NEV service once complete.

There are 3 optional steps. Answer the following questions to decide which steps to run:

- Do you want to continue to use the same repository? If so, run Step 1. If storing logs to a database, be sure to set the Target archive data provider; otherwise archived data will be stored to our file system format.
- Do you want to import the data that was consolidated by NEV? If so, run Step 2. If storing logs to a database, be sure to set the Target archive data provider; otherwise data previously archived by NEV will be copied to our file system format.
- Do you want to import all the configurations you created with NEV? If so, run Step 3.

Once you have completed step 3, either disable the NEV service or uninstall NEV.

System Requirements

Supported Operating Systems: Windows Server 2008 R2, Server 2008, 7, Vista, Server 2003 or XP.

Supported CPUs (64-Bit and 32-Bit): Our software is compiled with the latest version of the .NET Framework, which allows us to compile the program once for any CPU, meaning SpectorSoft Log Manager runs natively on both 64-bit and 32-bit hardware.

Memory: 2 GB of available memory, 4 GB suggested for large networks.

Microsoft .NET Framework 3.5 Service Pack 1: The installation detects if the .NET Framework 3.5 Service Pack 1 is already installed. If not, the framework is automatically downloaded from Microsoft and then installed. Please note the framework takes a significant amount of time to install. Please be patient while the installation completes.

Domain Administrator Account: To access remote logs, both the logged in user and the Windows Service must have domain administrator rights. The first time the application is run, you will be prompted to assign domain administrator credentials to the service.

Windows Management Instrumentation (client and server): Event Logs are consolidated and managed using Microsoft's Windows Management Instrumentation (WMI) API. WMI is preinstalled on all supported operating systems.

For more information, see: How it Works

Registration

To register your software, visit www.spectorsoft.com and purchase a license. You will receive your license key by email. After you receive your license key, select Register from the Help menu. When prompted, specify the email address the license key was mailed to and the license key. Click Submit. If you are running on an isolated or secure network, please contact SpectorSoft Technical Support and have your order information and target system's MAC address ready.

If you are moving your license from one computer to another, please contact SpectorSoft Technical Support.

For more information, see: Update Service

Update Service

All of our software supports automatic updates. At startup, each of our user interfaces downloads an XML file from our web server. Using version information, our software determines if an update is necessary. License information may be transmitted to our registration web service, also running on our web server, to determine upgrade eligibility. If eligible, our software will download the latest version from our web server. Each license comes with access to updates and major releases for 1 year. After that, you can purchase a maintenance contract that provides you access to updates and major releases for 1 more year.

For more information, see: Registration

Best Practices

Log management is typically very CPU and memory intensive. Please consider some of the following suggestions when managing logs:

Consolidation

Consolidate often. The more often you consolidate Event Logs and text logs, the easier it is on the target server, the network, the database server and the management console. Event Log entries are received from the target computer in a random order. When using the file system to store logs or when applying post consolidation filters, the entries must be sorted in memory. For this reason we suggest using SQL Server, MySQL or Oracle to store your logs and configuring reports in place of post consolidation filters. If a database is not a viable option, you are forwarding entries to a log management device, or you must use post consolidation filters for some other reason, schedule the Event Log downloads or text log polling as frequently as once an hour in large networks or once a day in smaller networks.

Filters

Creating vague filters will allow many entries to pass. Keep your filters tight so that only those you are really interested in pass, or those that are of no interest are removed.

Reports

One of the most common issues we see is reports run with vague filters over large date ranges. This scenario typically causes the system to run out of memory as the email is generated. Keep the filter tight and the date range short. This will limit the amount of data sent in your email reports.

Archiving

Many of our users store their logs for at least a year. When storing logs for more than 90 days, we suggest entries be archived frequently. Use the built-in archive functionality to move entries from your primary database or file system to an archive database or network location. Schedule the archive function to run once a week during off hours. Every 90 or 180 days, back up the database or network location and prune all the archive data. Doing so will improve both user interface and archive process performance.

Displaying Logs

When displaying logs within the viewer, limit the number of days per page; 1 day per page is best. When very little data appears, increase the number of days per page to suit your needs.

Tutorials

- Event Log Management Tutorial
- Encrypting and Password Protecting Event Log Backups
- Printing Logs for Auditors
- Monitoring a Rolling Text Log File (IIS)
- Monitoring a File for Inactivity
- Monitoring a File for Maximum Size
- Receiving a Monthly Event Log Error Count Report (Grouped by Event ID/Source)
- Receiving a Monthly Event Log Error Count Report
- Starting a Process when a Particular Entry is Logged
- Consolidating Logs to SQL Server
- Consolidating Logs to MySQL
- Using Gmail as a Backup Email Server

Event Log Management Tutorial

This tutorial shows you how to configure real-time monitoring, save log entries to a central database, and configure a log entry retention policy. When you have completed this tutorial you will have an understanding of how to monitor Security Event Logs for multiple failed logon attempts, save all audit failure and error events to a central database, receive notification when warning and error System Event Log entries are downloaded, and lastly, configure a log entry retention policy.

Start the Log Management Wizard

Select New Log Monitor from the File menu. From the Log Management Wizard select Windows Event Logs. Click Next.

Choose the method to select the computers. Once selected, the computers will display in the list. Click Next.

If any of the selected remote computers are off domain, use the Computer combo-box to select each off-domain computer. Once selected, specify the appropriate credentials to access the logs. When complete, select (All) in the Computer combo-box. Click Next.

Specify a group to add the computers to and check the logs you want to consolidate to your database. For this tutorial check the Security and System Event Logs. Click Next.

To consolidate the Event Logs, check the Save entries to the log repository option. If you only want to save specific Event Log entries, for example audit failure and error events, select Save all entries that pass the consolidation filter. In the Consolidation filter combo-box select the filter to apply. If you have not yet created the filter, click the Configure Filters button and create your consolidation filter. For this tutorial we only want to save audit failure and error entries, so let's create the filter now. Once created, your filter should look like the following screen shot:

Click Close and save your changes.

Next, schedule the frequency to download the Event Logs. If configuring many downloads, click the Distribute Schedules button to evenly distribute the schedules over a time period.

Next, limit the initial download (or first download) to the previous X number of days. When downloading domain controller Security Event Logs you may need to minimize this number of days, as domain controller Security Logs tend to be quite large, causing potentially significant CPU load, memory load, and processing time.

Lastly, choose to clear the remote Event Log upon download completion. When you have finished configuring this page your wizard should look something like the following: Click Next.

For performance reasons, reports should be used to notify users on a daily or hourly basis of events of interest; however, there are many cases when you may want to be notified immediately upon download completion of specific events. In these rare cases, assign post consolidation filters and actions. For this tutorial we want to be notified of all warning and error events downloaded from the System Event Logs. Create the filter now. Once created, your filter should look like the following screen shot:

Click Close and save your changes. Assign your newly created filter and apply an action. Next, assign an action. Click OK. The wizard should now look like the following screen shot: Click Next.

Many regulatory agencies require companies to store Event Log entries for up to a year or even more. Use the Entry Retention Policies tab to configure how many days of entries are saved. Once configured, the service will truncate the saved log tables or files at the interval or schedule you define.

Incorporated in the retention policy is the concept of archiving. Archiving allows you to move entries from the tables or files you regularly review to archive tables or files. This format enables you to query the system for recent entries very quickly and, when necessary, query the system for older entries from what are typically much larger tables and files requiring more memory and processing time.

Choose to either Remove or Archive entries within the tables or files. Choose the maximum number of days to store. If you choose Remove, the entries are removed from the tables or files when executed. If you choose Archive, the entries are moved from the primary tables or files and appended to the archive tables or files. Use the Options dialog to configure the location where the archive database or file system resides.

Schedule the frequency to apply the data retention rules. If configuring many downloads, click the Distribute Schedules button to evenly distribute each entry retention policy execution over a time period. When you have finished configuring this page your wizard should look something like the following: Click Next.

The Remote EVT and EVTX File Back Up page should now be displayed. This page enables you to schedule native backups of EVT and EVTX files. For a detailed tutorial on this functionality please see the Encrypting and Password Protecting Event Log Backups tutorial. Click Next.

If you want to monitor specific logs in real-time, select each computer and log from the appropriate combo-boxes and check Real-Time monitor the Event Log for new entries. Please note a thread is consumed for each log being real-time monitored, and if the network fails, entries will be lost. Once checked, configure any times or days you want to exclude the real-time monitor from running, for example during weekly maintenance windows. If you are applying frequency rules, for example when you want to be notified when a specific entry is received 10 times within an hour, choose to either shut down the monitor or suppress actions during the exclusion period. Shutting down the monitor will reset the frequency rule; all entries that match the real-time monitor filters are then ignored. If, however, you want the frequency rules to continue executing but simply do not want to receive any alerts, choose Suppress actions during exclusion period.

For this tutorial select the Security Event Log from the Event Log combo-box and check Real-Time monitor the Event Log for new entries.

You will notice there is also an option to poll the Event Log entries. If you have no plans to consolidate log entries, you can use the poll option to scan logs for entries. This format guarantees results: unlike the real-time monitor, when there is a network outage, entries will be downloaded the next time the schedule runs. Click Next.

If you elect to real-time monitor an Event Log, use the Computer and Event Log combo-boxes to apply the appropriate filter and action to each log. If you want to apply the same filter to the same log on multiple computers, in the Computer combo-box select (All) and in the Event Log combo-box select the specific log. Assign the filters and actions. For more information on assigning filters and actions see Monitoring and Consolidating Logs.

For this tutorial click the Add button. Once the Assign Filter and Action dialog loads, click the Configure Filters button. Use the Filters Manager dialog to create a new Failed Logon Event Log filter as seen below. Make sure you set the Group by option to User. This will enable the real-time monitor to group failed logon attempts by each unique user name, enabling you to receive notification when the same user attempts to logon multiple times without success. Click Close and save your changes.

Assign your newly created filter and apply the frequency rule as seen below. The frequency rule will enable you to receive notification when any user attempts to logon with their username unsuccessfully 3 or more times. Next, assign an action. Click OK. The wizard should now look like the following screen shot: Click Next.

Lastly, choose to send error notification emails upon download or entry retention policy execution failure. Click Finished.
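The failed-logon frequency rule built in this tutorial (Group by User, 3 or more failures within a window, and the shutdown-versus-suppress behaviour during an exclusion period described on the real-time page) can be modelled as the following Python, added here as an illustration rather than Log Manager's own implementation. The filter definition using Windows event ids 4625/529, the daily exclusion window, and the sample Security entries are assumptions and constructed data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Event:
    when: datetime
    log: str        # Windows log name, e.g. "Security"
    event_id: int
    user: str       # account name the entry refers to
    computer: str


def failed_logon_filter(ev: Event) -> bool:
    """Stand-in for the tutorial's 'Failed Logon' Event Log filter (assumed definition):
    Security log logon audit failures, event id 4625 (Vista/2008 and later) or 529 (XP/2003)."""
    return ev.log == "Security" and ev.event_id in (4625, 529)


@dataclass
class FrequencyRule:
    """Fire when the filter matches `threshold` times within `window` for one group key (the user).
    `exclusion` is a daily (start, end) time range, assumed not to wrap midnight. During it,
    mode 'suppress' keeps counting but fires nothing, while mode 'shutdown' ignores entries
    and resets the counts, the two behaviours the tutorial describes."""
    threshold: int = 3
    window: timedelta = timedelta(hours=1)
    exclusion: Optional[Tuple[time, time]] = None
    exclusion_mode: str = "suppress"
    _hits: Dict[str, Deque[datetime]] = field(default_factory=lambda: defaultdict(deque))

    def in_exclusion(self, when: datetime) -> bool:
        return self.exclusion is not None and self.exclusion[0] <= when.time() < self.exclusion[1]

    def process(self, ev: Event) -> Optional[str]:
        """Return an alert text when the rule trips for ev.user, else None."""
        if not failed_logon_filter(ev):
            return None
        excluded = self.in_exclusion(ev.when)
        if excluded and self.exclusion_mode == "shutdown":
            self._hits.clear()   # monitor is shut down: entry ignored, frequency state reset
            return None
        q = self._hits[ev.user]
        q.append(ev.when)
        while q and ev.when - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.threshold and not excluded:
            count = len(q)
            q.clear()   # fire once per burst rather than on every further failure
            return (f"{ev.when:%Y-%m-%d %H:%M} {ev.computer}: user {ev.user} failed to log on "
                    f"{count} times within {self.window}")
        return None


def run(events: List[Event], rule: FrequencyRule) -> List[str]:
    """Feed events through the rule in time order and collect the alerts it would send."""
    return [a for a in (rule.process(ev) for ev in sorted(events, key=lambda e: e.when)) if a]


def ts(hour: int, minute: int) -> datetime:
    """Constructed timestamp on a single day, for the sample data below."""
    return datetime(2013, 10, 8, hour, minute)


# Constructed sample Security log entries from a domain controller (not real data)
SAMPLE_EVENTS = [
    Event(ts(9, 0), "Security", 4625, "jsmith", "DC01"),
    Event(ts(9, 5), "Security", 4624, "jsmith", "DC01"),   # successful logon, filter ignores it
    Event(ts(9, 10), "Security", 4625, "jsmith", "DC01"),
    Event(ts(9, 12), "Security", 4625, "bob", "DC01"),
    Event(ts(9, 20), "Security", 4625, "jsmith", "DC01"),  # third jsmith failure within the hour
    Event(ts(9, 30), "Security", 4625, "bob", "DC01"),     # only two for bob: no alert
    Event(ts(11, 0), "Security", 4625, "jsmith", "DC01"),  # new burst, earlier hits expired
    Event(ts(11, 40), "Security", 4625, "jsmith", "DC01"),
    Event(ts(11, 55), "Security", 4625, "jsmith", "DC01"),
]

# Constructed failures straddling a 02:00-03:00 maintenance window
MAINTENANCE_WINDOW = (time(2, 0), time(3, 0))
NIGHT_EVENTS = [Event(ts(2, 30), "Security", 4625, "eve", "DC01"),
                Event(ts(2, 40), "Security", 4625, "eve", "DC01"),
                Event(ts(2, 50), "Security", 4625, "eve", "DC01"),
                Event(ts(3, 5), "Security", 4625, "eve", "DC01")]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, FrequencyRule()):
        print(alert)
```

With the suppress mode the three failures inside the window still count, so the fourth at 03:05 fires; with the shutdown mode they are discarded and 03:05 is just one failure.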

Encrypting and Password Protecting Event Log Backups

Overview

Many regulatory compliance agencies require companies to back up and archive Event Log files from mission-critical systems. Some of these agencies require backup data to be encrypted and password protected. With these requirements in mind, we added scheduled Event Log backup support to SpectorSoft Log Manager. In this tutorial we show you how to schedule SpectorSoft Log Manager to automatically back up Event Log files from the remote computers on which they reside, compress the backups, encrypt and password protect the output file, and lastly decrypt and view the backed up Event Log files.

Assumptions

This tutorial assumes you have already configured Event Log consolidation for the target computers.

The Tutorial

From the Navigation view select the Configuration Explorer tab. If applicable, expand the group. Expand the Event Logs tree node and check each computer to configure. Right-click and select Log Management Properties.

Once the Event Log Management Wizard opens, click through the wizard until you reach the Remote EVT and EVTX File Back Up page. From this page check the Backup option. To compress the output to ZIP format, check the compress option. To encrypt the output, check the encrypt option and specify a strong password. When encrypted, each Event Log file is output to a proprietary file format. You must use the viewer to decrypt the Event Log; once decrypted, however, you can use either Windows Event Viewer or SpectorSoft Log Manager to view the decrypted Event Log.

Specify the output filename. You can save the files to the local disk or a remote disk. If saving to a remote location, do not use mapped drive letters; specify the UNC path instead.
For example: \\servername\c$\evtbackups

The directory or filename can contain any combination of the following replacement strings:

{HOST}   The host name on which the log resides
{LOG}    The name of the log file, for example, Security
{DATE}   The current date in yyyymmdd format
{TIME}   The current time in hhmmss format

To automatically clear the remote Event Log after it is backed up, select the Clear option.

Next, schedule the backups. If scheduling many backups, use the Schedule Distributor to distribute the backup schedules evenly over a period of time. Please see the sample screen shot for reference:

Finally, click the Next button and continue through the wizard.

Verifying the Event Logs are Backing Up

To verify the backups are executing properly, review the service log file for entries that contain Event Log Backup Manager, or open Windows Explorer and verify the existence of the backups. Depending on the options you selected, the files will be in one of the following formats:

.evt    Windows Server 2003, Windows XP, Windows 2000 and Windows NT Event Log file format.
.evtx   Windows Server 2008 and Windows Vista Event Log file format.
.zip    Compressed ZIP file that contains a single .evt or .evtx file.
.cbx    Encrypted, password-protected Event Log file that may or may not be compressed.

Viewing Event Log Back Up Files

Select Tools -> Event Log Backups -> View Backed Up Event Log. Select the .evt file to view. To view an encrypted .evt file, select the .cbx file that contains the encrypted Event Log and, when prompted, specify the decryption password.

NOTE: When viewing .evt files that were generated on a remote computer, the Event Log entries may not display correctly. For more information see http://support.microsoft.com/kb/165959
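The replacement strings and the "verify the existence of the backups" step can be turned into a repeatable completeness check, which is what an auditor will ask for. The following is an added example, not SpectorSoft Log Manager code: it expands {HOST} {LOG} {DATE} {TIME} into an output path, then checks that a file in one of the four formats listed above exists for every expected host/log pair. The naming template, host list and files are constructed for the example; the page only shows the directory part of the path.

```python
"""Backup file naming and backup completeness verification.

Added example, not SpectorSoft Log Manager code. The template, the
expected host/log pairs and the files created in a temporary directory
are constructed for this example.
"""
from datetime import datetime
from pathlib import Path
import tempfile

# Extension -> format, as listed in the help text.
FORMATS = {
    ".evt": "Windows NT/2000/XP/Server 2003 Event Log file",
    ".evtx": "Windows Vista/Server 2008 Event Log file",
    ".zip": "compressed ZIP containing a single .evt or .evtx",
    ".cbx": "encrypted, password-protected Event Log file",
}

# Assumed naming convention for this example (UNC path, not a mapped drive).
TEMPLATE = r"\\servername\c$\evtbackups\{HOST}-{LOG}-{DATE}-{TIME}"
NAME_ONLY = "{HOST}-{LOG}-{DATE}-{TIME}"
RUN_TIME = datetime(2013, 6, 25, 23, 0, 0)   # constructed backup run time


def expand_template(template, host, log, when):
    """Substitute the wizard's replacement strings for one backup run."""
    return (template.replace("{HOST}", host)
                    .replace("{LOG}", log)
                    .replace("{DATE}", when.strftime("%Y%m%d"))
                    .replace("{TIME}", when.strftime("%H%M%S")))


def classify(path):
    """Return the format description for a backup file, or None if unrecognised."""
    return FORMATS.get(Path(path).suffix.lower())


def find_missing(backup_dir, expected, day, name_template=NAME_ONLY):
    """Return (host, log) pairs that have no recognised backup file dated `day`."""
    pattern_template = name_template.replace("{TIME}", "*")   # any time of day
    missing = []
    for host, log in expected:
        pattern = expand_template(pattern_template, host, log, day) + ".*"
        if not any(classify(p) for p in Path(backup_dir).glob(pattern)):
            missing.append((host, log))
    return missing


def demo():
    """Constructed scenario: three expected backups, one of them never written."""
    expected = [("DC01", "Security"), ("DC01", "System"), ("FS01", "Security")]
    with tempfile.TemporaryDirectory() as tmp:
        for host, log, ext in [("DC01", "Security", ".cbx"), ("DC01", "System", ".zip")]:
            Path(tmp, expand_template(NAME_ONLY, host, log, RUN_TIME) + ext).touch()
        Path(tmp, "notes.txt").touch()   # unrelated file, ignored by classify()
        return find_missing(tmp, expected, RUN_TIME)
```

Running demo() reports the FS01 Security log as missing. Pointing find_missing at the real output directory with the list of computers checked in the wizard gives the same check against a night's backups.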

Printing Logs for Auditors

Overview

In this tutorial we show you how to print log entries for auditors. When you are finished with this tutorial you will know how to query a log for a specific time range, print log content, and customize print output.

Assumptions

This tutorial assumes you have already consolidated log entries.

How does Printing Work?

The print function works by taking the entries you have displayed in the viewer, exporting them to a temporary HTML file and then opening the file in your Internet browser. You then use your Internet browser to print the log entries.

Displaying Event Log Entries

From the Navigation view select Log Repository. Check each log you want to print. Please note you can only merge logs of the same type. If printing a single log, right-click and select View Consolidated Log. If printing multiple logs, right-click and select Merge and View Consolidated Logs. If printing Event Logs or Syslogs, when prompted select all levels or priorities. Lastly, select the filter you want to apply to the view.

Once the viewer displays the log entries, navigate to the page of interest or use the Days per page text box in the upper right corner of the viewer to increase or decrease the number of days displayed.

Printing the Current Page

From within the view, right-click and select Print. The view will be exported to HTML and displayed in your Internet browser.

Customizing the Output

If you want to customize the output you will need to change the HTML template. An example of a typical modification is to remove the message from the output. Select Options from the Tools menu item. Select the HTML Template tab. Expand and navigate to the appropriate HTML Template under the Save View heading. Highlight the filename and press Ctrl-C as seen in this screen shot:

Using Notepad, select Open from the File menu item. Paste the previously copied filename into the Open dialog and click OK. Select Save As from the File menu item. Specify your own filename, for example my-event-logview.html. Select Replace from the Edit menu item. Search for {MESSAGE} and replace it with an empty string. Select Save from the File menu item and close Notepad.

From within the Options dialog within SpectorSoft Log Manager, update the appropriate HTML template value. For example:

From this point forward your template will be used when printing the current page, exporting the current page to HTML and emailing the current page.

Monitoring a Rolling Text Log File (IIS)

Many applications such as IIS log to a daily log file. Each day the application creates a new file whose name contains the date, for example ex100625.log for 2010 June 25th. This format is simple to implement and enables system administrators to easily archive log files. This tutorial shows you how to monitor rolling text log files by configuring Log Manager to monitor IIS logs.

Requirements

Server 2008 with IIS7 installed

The Tutorial

The first step is to find the directory in which the log files reside. To do this you must log onto the target server and check the log location within IIS7.

To check the location:
1. Log on to the target server.
2. From the Start menu select Administrative Tools -> Internet Information Services (IIS) Manager.
3. From the left pane select the target web site.
4. From the right pane double-click Logging.
5. The log file path is listed within the Directory text box.

By default the path is:
%SystemDrive%\inetpub\logs\LogFiles
which expands to:
c:\inetpub\logs\logfiles

IIS writes the log files to a sub-directory called W3SVC1, which is the directory you want to monitor.

Now that you have the location, you need to configure Log Manager to monitor the directory.

To configure the monitor:
From the File menu item select New Log Monitor. From the Log Management Wizard select Text Log Files followed by Directory. Click the Next button.

The Select Computers page should now be displayed. This page enables you to select the computers to monitor. Select the method to find your computers:
- Browse Network
- Browse Active Directory
- Browse Mapped Computers
- Map Computer
- Select Localhost

Select the computer on which IIS7 is installed. If Log Manager is installed on the same computer as IIS7, choose Select Localhost.

Click the Next button. The Specify Logon As Credentials page should now be displayed. This page enables you to specify alternate logon as credentials when necessary. Please note you only need to specify alternate credentials if the target computer is off-domain, as the service should already have domain administrator credentials assigned.

Click the Next button. The Select Directories page should now be displayed. This page enables you to select the directory in which the log files are located. Navigate to the target directory, check it and then click the Add button. The directory should now be listed at the bottom of the page.

Click the Next button. The Specify Friendly Name page should now be displayed. This page enables you to specify a user-friendly name to apply to the directory monitor, select a group to assign the computer to, and, most importantly, add the filename masks. Specify the following values:

Friendly name: IIS7 Logs
Mask: u_ex<yymmdd>.log

Please note the replacement tags within the mask value. If today were 2010 June 25th, the following file would be found when clicking the Test button:

u_ex100625.log

Click the Next button.

The Specify Entry Delimiters page should now be displayed. This page enables you to configure the method used to delineate each entry. By default Log Manager treats each line as a single log entry. Since IIS log entries are limited to a single line, leave entry pattern recognition disabled. Change the read method to Beginning of File. Click the Next button.

The Schedule Parameters page should now be displayed. This page enables you to configure the frequency at which to poll the file. Please note that if you poll the file faster than once a minute, for example once every second, a thread is dedicated to monitoring the file. Configure the monitor to poll the file every 5 minutes.

Note: If you would like to receive a daily report, set the schedule to: Daily at 12:00 AM.

Click the Next button. The Assign Filters and Actions page should now be displayed. This page enables you to apply filters and assign actions to fire when specific entries are read. For this tutorial we will send an email notification every time a client requests the hello.aspx page.

To create the filter, click the Add button. From the Assign Filter and Action dialog click the Filters Manager button. From the Filters Manager dialog click the New button. Specify the following parameters:

Name: GetHello.aspx
Type: Text Log
Criteria: Message Contains GET /hello.aspx

Apply the new filter and assign an email action. Please note that if you have not created an email action, create one now.

Click the OK button. The Assign Filters and Actions page should now list your filter and action assignment. Click through to the Log Consolidation and Retention Policies page.

The Log Consolidation and Retention Policies page should now be displayed. This page enables you to configure Log Manager to automatically consolidate entries to the log repository. Check Save entries to the log repository and check Remove entries older than 30 days. Click the Next button.

The Logical Filename page should now be displayed. This page enables you to specify a logical name under which to save the dated files. If you do not specify a logical name, the log repository will contain a log for each day. Both scheduled reports and auto-archiving require a fixed log name within the log repository, so when configuring directory monitors we highly suggest you specify a logical name. For this tutorial enable the logical filename and set the value to:

u_ex.log

Click the Close button. When prompted, save your changes. The configuration is now complete.

Next, verify the monitor starts correctly. From the View menu select Service Output. The Service Output status view should now be displayed. You should see the following message within 1 minute:

Info 6/25/2010 4:31:01 PM [Text Log Monitor] - \\KAMAS\C$\inetpub\logs\LogFiles\W3SVC1\u_ex<yyMMdd>.log - \\kamas\c$\inetpub\logs\logfiles\w3svc1\u_ex100625.log - Polling... Every 5 minutes

The monitor should also display the current log file within the Configuration Explorer as seen below:
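Two pieces of this tutorial are worth seeing in code: how a mask such as u_ex<yymmdd>.log resolves to the day's file, and what the GetHello.aspx filter (Message Contains GET /hello.aspx) matches in a W3C extended log. The following is an added example, not Log Manager code: the set of date tags handled, the treatment of "Message" as the whole log line, and the IIS log excerpt are assumptions constructed for the example.

```python
"""Rolling IIS log mask expansion and a "Message Contains" text-log filter.

Added example, not SpectorSoft Log Manager code. The date-tag set, the
reading of "Message" as the raw line, and the log excerpt are constructed.
"""
import re
from datetime import date

SAMPLE_DAY = date(2010, 6, 25)

# Mask date tags -> strftime directives (assumed; the page shows only <yymmdd>).
_TAGS = {"yymmdd": "%y%m%d", "yyyymmdd": "%Y%m%d"}


def expand_mask(mask, day):
    """Replace <yymmdd>-style tags in a filename mask with the given date."""
    def substitute(match):
        tag = match.group(1).lower()
        if tag not in _TAGS:
            raise ValueError(f"unknown date tag <{match.group(1)}>")
        return day.strftime(_TAGS[tag])
    return re.sub(r"<([A-Za-z]+)>", substitute, mask)


# Constructed W3C extended log excerpt: IIS writes a #Fields header naming
# the columns, and each entry is a single line.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2010-06-25 16:31:05 127.0.0.1 GET /index.html - 80 - 127.0.0.1 200
2010-06-25 16:31:09 127.0.0.1 GET /hello.aspx - 80 - 127.0.0.1 404
2010-06-25 16:31:12 127.0.0.1 POST /hello.aspx - 80 - 127.0.0.1 404
2010-06-25 16:31:20 127.0.0.1 GET /hello.aspx?x=1 - 80 - 127.0.0.1 404
"""


def parse_w3c(text):
    """Yield (raw_line, fields) for each entry, honouring the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue               # other directives and blank lines
        values = line.split()
        yield line, (dict(zip(fields, values)) if fields else {})


def message_contains(text, needle):
    """The Text Log filter: an entry passes if its raw line contains `needle`."""
    return [entry for entry in parse_w3c(text) if needle in entry[0]]


def hello_requests(text=SAMPLE_IIS_LOG):
    """Entries that would fire the GetHello.aspx filter, as (client, method, status)."""
    return [(f["c-ip"], f["cs-method"], int(f["sc-status"]))
            for _, f in message_contains(text, "GET /hello.aspx")]
```

On the sample, the filter passes the two GET lines (including the one with a query string) and not the POST, so two email actions would fire. Note that a Message Contains filter is a plain substring test: anything more selective, such as matching only the exact path, needs a different criterion.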

Now test the monitor, filter and action. Open a browser, type the following in the address bar and press Enter. You should receive a 404 error in your browser.

http://localhost/hello.aspx

The next time the monitor scans the file you should receive an email that includes the corresponding IIS log entry. If you don't receive the email, review the Service Output view for errors. Please note that if the email server connection settings have not been set, causing the monitor to error when sending the email alert, you must request the page again before the monitor will attempt to fire another alert.

Monitoring a File for Inactivity

This tutorial shows you how to configure this software to monitor a file for inactivity. When you have completed this tutorial, you will receive a notification every 20 minutes that a file remains idle or dormant.

1. Select New Log Monitor from the File menu item. From the Log Management Wizard select Text Logs. Click the Next button.
2. The Select Computers page should now be displayed. Select the computer that contains the file of interest. Click the Next button.
3. The Specify Logon As Credentials page should now be displayed. If the remote computer is off domain, use this page to specify or update the logon as credentials. Click the Next button.
4. The Select Files page should now be displayed. Navigate to the file of interest, check the file, then click the Add button. Click the Next button.
5. The Specify Friendly Name page should now be displayed. If the computer on which the file resides has other file monitors, they will all be listed in the Logs combo-box. Select the log of interest from the Logs combo-box. Click the Next button.
6. The Schedule Parameters page should now be displayed. Specify the schedule to poll the file, for example once a minute. Do not subscribe to updates. Click the Next button.
7. The Optionally Assign Filters and Actions page should now be displayed. Click the Add button.
From the Assign Filter and Action dialog, click the Filters Manager button. From the Filters Manager dialog, create a new Text Log filter. Set the name to Empty. Set the type to Text Log.

Click the Close button. When prompted, save your changes. Back in the Assign Filter and Action dialog, select your newly created filter. Select Fire the action after an entry passes the filter < 1 times every 20 minutes. This rule configures the service to fire an alert every 20 minutes that the file receives no new entries. Lastly, assign an action. Click the OK button.

Back in the Optionally Assign Filters and Actions page, click the Close button and save your changes when prompted.

You have successfully completed this tutorial. Your action should now fire every 20 minutes that the file remains inactive.

Monitoring a File for Maximum Size

This tutorial shows you how to configure this software to monitor a file for maximum size. When you have completed this tutorial, you will receive a notification every 20 minutes that a file exceeds 10 MB.

1. Select New Log Monitor from the File menu item. From the Log Management Wizard select Text Logs. Click the Next button.
2. The Select Computers page should now be displayed. Select the computer that contains the file of interest. Click the Next button.
3. The Specify Logon As Credentials page should now be displayed. If the remote computer is off domain, use this page to specify or update the logon as credentials. Click the Next button.
4. The Select Files page should now be displayed. Navigate to the file of interest, check the file, then click the Add button. Click the Next button.
5. The Specify Friendly Name page should now be displayed. If the computer on which the file resides has other file monitors, they will all be listed in the Logs combo-box. Select the log of interest from the Logs combo-box. Click the Next button.
6. The Schedule Parameters page should now be displayed. Specify the schedule to poll the file, for example once a minute. Do not subscribe to updates. Click the Next button.
7. The Optionally Assign Filters and Actions page should now be displayed. Click the Next button.
8. The Configure File Size Monitor page should now be displayed. Set the following options:
   - Fire the alert when the file size exceeds 10 MB
   - Automatically clear alerts after 20 minutes
   - Assign an action

Click the Close button and save your changes when prompted.

You have successfully completed this tutorial. Your action should now fire every 20 minutes that the file exceeds 10 MB.
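The two file rules above (fewer than one entry every 20 minutes, and a 10 MB limit whose alert clears after 20 minutes) share the same poll-and-compare loop, so one model covers both tutorials. The following is an added example, not SpectorSoft Log Manager code: polls are simulated with constructed (timestamp, size) samples instead of reading a real file, and a file that changes size between polls is taken to have received new entries.

```python
"""Inactivity and maximum-size rules for a polled text log file.

Added example, not SpectorSoft Log Manager code. Poll samples are
constructed; a change in file size between polls stands in for "an entry
passed the filter".
"""
from datetime import datetime, timedelta

MB = 1024 * 1024


def at(hour, minute):
    return datetime(2010, 6, 25, hour, minute)


# Constructed polls every 5 minutes: the file stops growing after 9:05,
# jumps past 10 MB at 9:50 and grows again at 10:10.
SAMPLE_POLLS = (
    [(at(9, 0), 1 * MB), (at(9, 5), 2 * MB)]
    + [(at(9, m), 2 * MB) for m in range(10, 50, 5)]
    + [(at(9, 50), 11 * MB), (at(9, 55), 11 * MB), (at(10, 0), 11 * MB),
       (at(10, 5), 11 * MB), (at(10, 10), 11 * MB + 512 * 1024)]
)


class FileMonitor:
    """Inactivity rule (< 1 entry per window) plus a size limit with auto-clear."""

    def __init__(self, idle_window=timedelta(minutes=20),
                 max_size=10 * MB, clear_after=timedelta(minutes=20)):
        self.idle_window = idle_window
        self.max_size = max_size
        self.clear_after = clear_after
        self.last_size = None
        self.last_change = None       # last poll at which the file changed
        self.last_idle_alert = None
        self.size_alert_at = None     # when the size alert fired; None once cleared
        self.alerts = []

    def poll(self, now, size):
        """Record one poll and return the alerts it raises as (kind, time)."""
        raised = []
        if size != self.last_size:
            self.last_change = now    # new entries arrived since the last poll
        self.last_size = size

        # Inactivity: measured from the later of the last change and the last
        # inactivity alert, so an idle file alerts once per window.
        idle_since = max(self.last_change, self.last_idle_alert or self.last_change)
        if now - idle_since >= self.idle_window:
            self.last_idle_alert = now
            raised.append(("inactive", now))

        # Size: fire on exceeding the limit, then again only after the alert clears.
        if size > self.max_size:
            if self.size_alert_at is None or now - self.size_alert_at >= self.clear_after:
                self.size_alert_at = now
                raised.append(("oversize", now))
        else:
            self.size_alert_at = None  # back under the limit: cleared immediately

        self.alerts.extend(raised)
        return raised


def simulate(polls):
    """Replay polls through one monitor; return alerts as (kind, HH:MM)."""
    monitor = FileMonitor()
    return [(kind, when.strftime("%H:%M"))
            for now, size in polls
            for kind, when in monitor.poll(now, size)]
```

On the sample the inactivity rule fires at 09:25 and 09:45 (20 and 40 minutes after the last growth), the size rule fires at 09:50 when the file first exceeds 10 MB, and again at 10:10 once the 20-minute clear period has elapsed.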

Receiving a Monthly Event Log Error Count Report (Grouped by Event ID/Source)

This tutorial shows you how to create a monthly Event Log report that shows a total count of Event Log errors grouped by the unique combination of Event ID and Source for the previous month.

1. From the File menu item select New Report. Once the Report Wizard opens, select Event Log, then click Next.
2. Specify a report name such as Monthly Event Log Errors. Click the Schedule button. From the Report Schedule dialog select Monthly. By default the report will run on the first day of the month at 12:00 AM. Click OK.
3. Configure the date range to include in the report: select Last month from the Date/Time combo box at the bottom of the page, then click Next.
4. Add the computers to include in the report, then click Next.
5. Check the logs to include in the report, then click Next.
6. From the Select Filter and Output page click the Filters Manager button. From the Filters Manager dialog specify a name, then from the Type combo box select Event Log (Simple). Click Add Criteria. From the Add Simple Filter Criteria dialog de-select Information, Warning, Audit Success, and Audit Failure. Click OK, then click Select Filter and save your changes.
7. Back in the Report Wizard, check Hide entries with the same Source and Event ID, then assign an email or file output action. When you are finished, click Close and save your changes.

The report is now complete. To test the report, from the Reports and Views pane within the Navigation view right-click the new report and select Report Properties Wizard, click past the Welcome page, then check the option to run the report within the next minute. To view the report progress select View -> Service Output. Once complete, download your email and review the report.
When reviewing the report, note that the last error entry for each Event ID and Source combination is displayed along with a count of all Errors on the left side of the report.

Receiving a Monthly Event Log Error Count Report

This tutorial shows you how to create a monthly Event Log report that shows a total count of Event Log errors for the previous month.

1. From the File menu item select New Report. Once the Report Wizard opens, select Event Log (Frequency), then click Next.
2. Specify a report name such as Monthly Event Log Errors. Click the Schedule button. From the Report Schedule dialog select Monthly. By default the report will run on the first day of the month at 12:00 AM. Click OK.
3. Configure the date range to include in the report: select Last month from the Date/Time combo box at the bottom of the page, then click Next.
4. Add the computers to include in the report, then click Next.
5. Check the logs to include in the report, then click Next.
6. From the Select Filters page click the Filters Manager button. From the Filters Manager dialog specify a name, then from the Type combo box select Event Log (Simple). Click Add Criteria. From the Add Simple Filter Criteria dialog de-select Information, Warning, Audit Success, and Audit Failure. Click OK, then click Select Filter and save your changes.
7. Back in the Report Wizard, configure the report to Pass the entry when it occurs more than 0 times in 31 days. When you are finished, click Next.
8. Click Next past the Day and Time Exclusions page.
9. From the Select Output page add an email or file output action, then click Close and save your changes.

The report is now complete. To test the report, from the Reports and Views pane within the Navigation view right-click the new report and select Report Properties Wizard, click past the Welcome page, then check the option to run the report within the next minute. To view the report progress select View -> Service Output. Once complete, download your email and review the report.
When reviewing the report, note that the last error entry is displayed along with a count of all error entries on the right side of the report.
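The two monthly reports differ only in the final grouping: both keep Error-level entries whose timestamp falls in the previous calendar month, then one counts per Source/Event ID pair (showing the last entry for each pair) while the frequency variant gives a single count and last entry. The following is an added example, not SpectorSoft Log Manager code, that carries out both computations over constructed sample entries; the 0-occurrence threshold from the frequency report is the min_occurrences parameter.

```python
"""Monthly Event Log error-count reports, grouped and total.

Added example, not SpectorSoft Log Manager code. The entries and the run
date are constructed sample data.
"""
from datetime import date, datetime

RUN_DATE = date(2013, 6, 1)   # the report's default schedule: first day of the month

# Constructed entries: (timestamp, level, source, event_id, message)
SAMPLE_EVENTS = [
    (datetime(2013, 4, 30, 23, 0), "Error", "Disk", 7, "Bad block (April, out of range)"),
    (datetime(2013, 5, 3, 9, 15), "Error", "Disk", 7, "Bad block on Harddisk0"),
    (datetime(2013, 5, 3, 9, 20), "Warning", "Disk", 51, "Paging error"),
    (datetime(2013, 5, 10, 1, 0), "Error", "Service Control Manager", 7034, "Spooler terminated"),
    (datetime(2013, 5, 31, 23, 59), "Error", "Disk", 7, "Bad block on Harddisk1"),
    (datetime(2013, 5, 20, 14, 0), "Error", "Disk", 7, "Bad block on Harddisk0"),
    (datetime(2013, 6, 1, 0, 5), "Error", "Disk", 7, "Bad block (June, out of range)"),
]


def last_month_range(run_date):
    """Half-open [start, end) covering the calendar month before run_date."""
    end = datetime(run_date.year, run_date.month, 1)
    if end.month == 1:
        start = datetime(end.year - 1, 12, 1)
    else:
        start = datetime(end.year, end.month - 1, 1)
    return start, end


def errors_last_month(events, run_date):
    """The Event Log (Simple) filter with only Error checked, plus the Last month range."""
    start, end = last_month_range(run_date)
    return sorted((e for e in events if e[1] == "Error" and start <= e[0] < end),
                  key=lambda e: e[0])


def grouped_report(events, run_date):
    """Count per (source, event_id); 'last' is the most recent entry of that pair."""
    report = {}
    for ts, _level, source, event_id, message in errors_last_month(events, run_date):
        entry = report.setdefault((source, event_id), {"count": 0, "last": None})
        entry["count"] += 1
        entry["last"] = (ts, message)   # entries are sorted, so this ends as the latest
    return report


def total_report(events, run_date, min_occurrences=0):
    """Frequency report: overall Error count, reported only above min_occurrences."""
    errors = errors_last_month(events, run_date)
    if len(errors) <= min_occurrences:
        return None
    return {"count": len(errors), "last": (errors[-1][0], errors[-1][4])}
```

For a run on 1 June the range is 1 May through 31 May inclusive, so the April and June entries and the Warning are excluded; the grouped report shows three Disk/7 errors and one Service Control Manager/7034 error, and the frequency report a total of four.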

Starting a Process when a Particular Entry is Logged

This tutorial shows you how to start a process when a particular entry is logged to an Event Log.

1. Select New Log Monitor from the File menu item. From the Log Management Wizard select Event Logs. Click the Next button.
2. The Select Computers page should now be displayed. Select the computer that contains the log of interest. Click the Next button.
3. The Specify Logon As Credentials page should now be displayed. If the remote computer is off domain, use this page to specify or update the logon as credentials. Click the Next button.
4. The Select Event Logs page should now be displayed. Check the log of interest and click the Next button.
5. The Event Log Monitoring Schedule page should now be displayed. Check the Real-Time monitor the Event Log for new entries option and then click the Next button.
6. The Assign Event Log Monitor Filters and Actions page should now be displayed. Click the Add button.
7. From the Assign Filter and Action dialog click the Filters Manager button. From the Filters Manager dialog create a Simple Event Log Filter that only displays errors and select it.
8. Next, click the Actions Manager button. From the Actions Manager, click New, specify a name and select the Start Process type. In the Filename text box enter the full UNC path to the executable or batch file, for example \\myserver\c$\temp\startmyprocess.bat. If the target computer is off domain, check Run As and specify admin credentials for the remote machine; otherwise do not specify credentials, as the service should already have domain administrator credentials assigned. Check Run on remote computer and specify the target host name or IP address. Click the Close button and save your changes when prompted.

From the Assign Filter and Action dialog select the new action and click the OK button. Close the Log Management Wizard and save your changes when prompted.

You have successfully completed this tutorial. Your process should now be started every time an entry passes your filter.

Consolidating Logs to SQL Server

In this tutorial we walk you through the process of configuring SQL Server. Once completed, we configure SpectorSoft Log Manager to use SQL Server as its Event Log repository. Lastly, we download logs to the SQL Server database and verify that entries were written to the database.

Step 1: Create a new primary and archive database

From the Start menu, navigate to the Microsoft SQL Server shortcut folder, select Microsoft SQL Server Management Studio and log in to your database server. From the left pane, called the Object Explorer, right-click Databases and select New Database. Specify CBLM in the Database name text box. When you are finished you should see the following:

Create another database called CBLM_ARCHIVE with the same options.

Step 2: Create the database user

From the Object Explorer right-click Security and select New Login.