NETWRIX EVENT LOG MANAGER




NETWRIX EVENT LOG MANAGER
QUICK-START GUIDE FOR THE ENTERPRISE EDITION

Product Version: 4.0
July/2012

Legal Notice

The information in this publication is furnished for information use only, and does not constitute a commitment from NetWrix Corporation of any features or functions discussed. NetWrix Corporation assumes no responsibility or liability for the accuracy of the information presented, which is subject to change without notice.

NetWrix is a registered trademark of NetWrix Corporation. The NetWrix logo and all other NetWrix product or service names and slogans are registered trademarks or trademarks of NetWrix Corporation. Active Directory is a trademark of Microsoft Corporation. All other trademarks and registered trademarks are property of their respective owners.

Disclaimers

This document may contain information regarding the use and installation of non-NetWrix products. Please note that this information is provided as a courtesy to assist you. While NetWrix tries to ensure that this information accurately reflects the information provided by the supplier, please refer to the materials provided with any non-NetWrix product and contact the supplier for confirmation. NetWrix Corporation assumes no responsibility or liability for incorrect or incomplete information provided about non-NetWrix products.

© 2012 NetWrix Corporation. All rights reserved.

Table of Contents

1. INTRODUCTION
   1.1. Overview
   1.2. How This Guide Is Organized
   1.3. Free Pre-Sales Support
2. PRODUCT OVERVIEW
   2.1. Key Features and Benefits
   2.2. Product Workflow
   2.3. Licensing Information
3. INSTALLING NETWRIX EVENT LOG MANAGER
   3.1. Installation Prerequisites
      3.1.1. Hardware Requirements
      3.1.2. Software Requirements
      3.1.3. Target Computers Requirements
   3.2. Installing NetWrix Event Log Manager
4. CONFIGURING TARGET COMPUTERS
5. CONFIGURING MANAGED OBJECTS
   5.1. Creating a Managed Object
   5.2. Configuring Real-Time Alerts
6. MONITORING YOUR COMPUTERS FOR EVENTS
A APPENDIX: RELATED DOCUMENTATION

1. INTRODUCTION

1.1. Overview

This guide is intended for the first-time users of NetWrix Event Log Manager. It contains an overview of the product functionality, and instructions on how to install, configure and start using the product.

This guide can be used for evaluation purposes; therefore, it is recommended to read it sequentially, and follow the instructions in the order they are provided. After reading this guide, you will be able to:

- Install and configure NetWrix Event Log Manager;
- Run data collection;
- Receive an events summary and a real-time alert.

Note: This guide only covers simple installation and configuration options. For advanced installation scenarios and configuration options, as well as for information on various reporting possibilities, refer to NetWrix Event Log Manager Administrator's Guide.

1.2. How This Guide Is Organized

This section explains how this guide is organized and provides a brief overview of each chapter.

- Chapter 1 Introduction: the current chapter. It explains the purpose of this document, defines its audience and explains its structure.
- Chapter 2 Product Overview: contains an overview of the product, lists its main features and explains its architecture and workflow. It also contains information on licensing.
- Chapter 3 Installing NetWrix Event Log Manager: lists all hardware and software requirements for the installation of NetWrix Event Log Manager. It also provides information on the requirements to the monitored environment and instructions on how to install the product.
- Chapter 4 Configuring Target Computers: explains how to configure your target computers for auditing.
- Chapter 5 Configuring Managed Objects: explains how to create and configure a Managed Object using the Managed Object wizard.
- Chapter 6 Monitoring Your Computers for Events: explains how to manually generate an events summary and provides examples of reports and notifications.
- A Appendix: Related Documentation: contains a list of all documentation published to support NetWrix Event Log Manager.

1.3. Free Pre-Sales Support

You are eligible for free technical support during the evaluation period of all NetWrix products. If you encounter any problems or would like assistance with the installation, configuration or implementation of NetWrix Event Log Manager, please contact our support specialists.

2. PRODUCT OVERVIEW

2.1. Key Features and Benefits

NetWrix Event Log Manager is a tool for event log consolidation and archiving and for real-time alerting on the specified events. NetWrix Event Log Manager provides the following functionality:

- Consolidation of all event log and syslog entries from an entire network into a central location.
- Compression and archiving of collected data for convenient analysis, prevention of data loss and audit purposes.
- Storage of event log entries in a SQL database.
- Detection of critical events and sending of email alerts.
- Reports based on SQL Server Reporting Services, with filtering, grouping and sorting; predefined reports for GLBA, HIPAA, SOX, and PCI regulatory compliances.
- Historical reporting for any specified period of time.

2.2. Product Workflow

A typical Event Log Manager data collection and reporting workflow is as follows:

1. The administrator configures Managed Objects, i.e. collections of computers that will be monitored.
2. The administrator sets the parameters for automated data collection, and defines the types of events that must be written to the Audit Archive (local file storage) and/or a SQL database. It is also possible to specify events that must trigger real-time alerts.
3. NetWrix Event Log Manager collects all new event log entries and archives them in the Audit Archive. The archived audit data can be viewed using the NetWrix Event Viewer tool.
4. If an event that triggers an alert is detected, an email notification is sent to the specified recipients.
5. If the Reports feature is enabled and configured, audit data is also written to a specified SQL database. You can generate various detailed SSRS-based reports using a set of pre-defined report templates. SSRS-based reports can be viewed either in NetWrix Enterprise Management Console, or in a web browser. Also, you can subscribe to these reports and receive them by email.
6. An events summary is sent by email to the specified recipients every 24 hours by default.

The following figure illustrates the NetWrix Event Log Manager workflow:

Figure 1: NetWrix Event Log Manager Workflow

2.3. Licensing Information

NetWrix Event Log Manager is available in two editions: Freeware and Enterprise. The following table outlines the differences between them:

Table 1: NetWrix Event Log Manager Editions

| Feature | Freeware Edition | Enterprise Edition |
|---|---|---|
| Long-term archiving and reporting | Only for 1 month | Any period of time |
| Reports based on SQL Server Reporting Services, with filtering, grouping and sorting | No | Yes |
| Predefined reports for GLBA, HIPAA, SOX, and PCI compliance | No | Yes |
| Custom reports | No | Yes. Create manually or order from NetWrix (3 reports at no charge!) |
| Enterprise-class scalability | No | Yes |
| Subscription to reports | No | Yes |
| A single installation handles multiple computer collections, each with its own individual settings | No | Yes |
| Consolidation of all event log and syslog entries from an entire network into a central location | Only for event logs | Yes |
| Integrated interface for all NetWrix products, which provides centralized configuration and settings management | No | Yes |
| Integrated reports with lots of predefined out-of-the-box reports for all the major platforms | No | Yes |
| Technical Support | Support Forum, Knowledge Base | Full range of options (phone, email, submission of support tickets, Support Forum, Knowledge Base) |
| Licensing | Free of charge for up to 10 servers/DCs and 100 workstations | Per monitored machine or volume license, please request a quote |

3. INSTALLING NETWRIX EVENT LOG MANAGER

3.1. Installation Prerequisites

NetWrix Event Log Manager can be installed on any computer in the domain that your target computers belong to, or in a trusted domain, but it is not recommended to install it on a domain controller.

3.1.1. Hardware Requirements

Before installing NetWrix Event Log Manager, make sure that your system meets the following hardware requirements:

Table 2: NetWrix Event Log Manager Hardware Requirements

| Component | Minimum | Recommended |
|---|---|---|
| Processor | Intel or AMD 32 bit, 2GHz | Intel or AMD 64 bit, 3GHz |
| Memory | 512MB RAM | 2GB RAM |
| Disk* | 50MB physical disk space for the installation | 20GB free space |

* Approximately 500 bytes of disk space are required per each event.

3.1.2. Software Requirements

Before installing NetWrix Event Log Manager, make sure that your system meets the following software requirements:

Table 3: NetWrix Event Log Manager Software Requirements

| Component | Requirement |
|---|---|
| Operating System | Windows XP SP3 or later |
| Framework | .NET Framework 2.0, 3.0 or 3.5 |

3.1.3. Target Computers Requirements

The following requirements apply to Event Log Manager target computers:

Table 4: Target Computers Requirements

| Component | Requirement |
|---|---|
| Operating System | Windows 2000 or later |
| Services | Make sure that the Remote Registry service is started. |

3.2. Installing NetWrix Event Log Manager

To install NetWrix Event Log Manager, perform the following procedure:

Procedure 1. To install NetWrix Event Log Manager

1. Download NetWrix Event Log Manager.
2. Run the setup package called elmfull_setup.msi.
3. Follow the instructions of the installation wizard.
4. When prompted, accept the license agreement and specify the installation folder.
5. On the last step, click Finish to complete the installation.

The NetWrix Event Log Manager shortcut will be added to your Start menu.

Note: NetWrix Event Log Manager runs as a service, therefore it is not necessary to keep the program open once it has been configured.

4. CONFIGURING TARGET COMPUTERS

For NetWrix Event Log Manager to work properly, the Remote Registry service must be enabled on the target computers.

Note: This is only required if you are not going to use the Network Traffic Compression option.

Verify that the service has been started on the machines that you want to monitor for events; otherwise, start the service. To enable the service, perform the following procedure:

Procedure 2. To enable the Remote Registry service

1. Navigate to Start → Run. Type Services.msc and click OK. In the Services dialog proceed to the Remote Registry service:

   Figure 2: The Services Dialog

2. Right-click the Remote Registry service and select Properties. In the Remote Registry Properties dialog, make sure that the Startup type parameter is set to Automatic and click the Start button:

   Figure 3: Remote Registry Properties

3. Click OK to save the changes.
4. In the Services dialog, ensure that the Remote Registry status has changed to Started.
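A scripted version of the check in Procedure 2, for collections with many target computers. This is an added example, not part of the NetWrix guide: the targets.txt file name and the -Fix switch are assumptions, and the script queries the service over DCOM so that WinRM is not required on the targets. Without -Fix it only reports, so Remote Registry is switched on only on the machines where it is actually needed.

```powershell
# Added example (not from the NetWrix guide): audit the Remote Registry service
# on each target computer and, with -Fix, apply the settings from Procedure 2.
# Assumptions: .\targets.txt is a hypothetical file with one computer name per
# line; the caller is a local administrator on every target; RPC/DCOM is reachable.
param(
    [string]$TargetList = '.\targets.txt',
    [switch]$Fix
)

$dcom    = New-CimSessionOption -Protocol Dcom
$targets = Get-Content -Path $TargetList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($computer in $targets) {
    $session = $null
    $row = [ordered]@{
        Computer = $computer; StartMode = $null; State = $null; Action = 'none'; Error = $null
    }
    try {
        $session = New-CimSession -ComputerName $computer -SessionOption $dcom -ErrorAction Stop
        $query   = @{ CimSession = $session; ClassName = 'Win32_Service'; Filter = "Name='RemoteRegistry'" }
        $svc     = Get-CimInstance @query -ErrorAction Stop
        if (-not $svc) { throw 'RemoteRegistry service not found' }

        if ($Fix) {
            $actions = @()
            # The StartMode property reads 'Auto'; ChangeStartMode expects 'Automatic'.
            if ($svc.StartMode -ne 'Auto') {
                $r = Invoke-CimMethod -CimSession $session -InputObject $svc `
                        -MethodName ChangeStartMode -Arguments @{ StartMode = 'Automatic' }
                if ($r.ReturnValue -ne 0) { throw "ChangeStartMode returned $($r.ReturnValue)" }
                $actions += 'set Automatic'
            }
            if ($svc.State -ne 'Running') {
                $r = Invoke-CimMethod -CimSession $session -InputObject $svc -MethodName StartService
                # Return value 10 means the service was already running.
                if ($r.ReturnValue -notin 0, 10) { throw "StartService returned $($r.ReturnValue)" }
                $actions += 'started'
            }
            if ($actions) { $row.Action = $actions -join ', ' }
            # Re-read the service so the report shows the state after the change.
            $svc = Get-CimInstance @query -ErrorAction Stop
        }
        $row.StartMode = $svc.StartMode
        $row.State     = $svc.State
    }
    catch   { $row.Error = $_.Exception.Message }
    finally { if ($session) { Remove-CimSession -CimSession $session } }
    [pscustomobject]$row
}

# One row per target: meets the requirement when StartMode is Auto and State is Running.
$results | Sort-Object Computer | Format-Table -AutoSize
```

Targets that will use the Network Traffic Compression option can be left out of the list, since the guide requires Remote Registry only when that option is not used.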

5. CONFIGURING MANAGED OBJECTS

In NetWrix Event Log Manager, a Managed Object is a computer collection that you monitor for events. This chapter provides step-by-step instructions on:

- Creating a Managed Object
- Configuring Real-Time Alerts

5.1. Creating a Managed Object

To create and configure a Managed Object, follow the procedure below:

Procedure 3. To create and configure a Managed Object

1. Navigate to Start → All Programs → NetWrix → Event Log Manager → Event Log Manager (Enterprise Edition). In NetWrix Enterprise Management Console click the Managed Objects node. The Managed Objects page will be displayed:

   Figure 4: The Managed Objects Page

2. Click Create New Managed Object in the right pane to start the New Managed Object wizard:

   Figure 5: New Managed Object Wizard: Select Managed Object Type

3. On the first step, select Computer Collection as the Managed Object type and click Next to continue.

   Note: If you have installed other NetWrix products previously, the list of Managed Objects types may contain several options.

4. On the next step, click the Specify Account button:

   Note: If you have installed other NetWrix products previously and specified the default account and email settings on their configuration, steps 4-6 of this procedure will be omitted.

   Figure 6: New Managed Object Wizard: Default Account

5. Enter the default data processing account (<domain name>\<account name>) that will be used by NetWrix Event Log Manager for data collection. This must be a local admin account on the computer where NetWrix Event Log Manager is installed and on the target computers:

   Figure 7: Default Data Processing Account

   Click OK to continue.

6. On the next step, specify the email settings that will be used to send event summaries:

   Figure 8: New Managed Object Wizard: Configure Email Settings

   The following parameters must be specified:

   Table 5: Email Settings Parameters

   | Parameter | Instruction |
   |---|---|
   | SMTP server name | Enter your SMTP server name. |
   | Port | Enter your SMTP server port number. |
   | Sender address | Enter the address that will appear in the From field in reports and alerts. NOTE: To check the correctness of the email address, click Verify. The system will send a test message to the specified address and will inform you if any problems are detected. |
   | Use SMTP authentication | Select this checkbox if your mail server requires SMTP authentication. |
   | User name | Enter the user name for SMTP authentication. |
   | Password | Enter the password for SMTP authentication. |
   | Confirm password | Re-enter the password. |
   | Use Secure Sockets Layer encrypted connection (SSL) | Select this checkbox if your SMTP server requires SSL to be enabled. |
   | Use Implicit SSL connection mode | Select this checkbox if implicit SSL mode is used, which means that SSL connection is established before any meaningful data is sent. |

7. On the next step, specify your computer collection name:

   Figure 9: New Managed Object Wizard: Specify Computer Collection Name

8. On the next step, make sure that NetWrix Event Log Manager is selected under Installed Modules:

   Figure 10: New Managed Object Wizard: Add Modules

9. On the next step, make sure that the Enable Reports option is not selected.

   Note: The Event Log Manager functionality allows generating reports based on Microsoft SQL Server Reporting Services. For detailed information on how to configure and use SSRS-based reports, refer to NetWrix Event Log Manager Administrator's Guide.

10. Click Next to continue.

11. On the Add Items to Collection screen, select items that you want to monitor. To do this, click the Add button:

   Figure 11: New Managed Object Wizard: Adding Items to Collection

12. In the Computer Collection New Item wizard select the required platform:

   Figure 12: New Managed Object Wizard: Select Item Type

13. Click Next. Select the Single computer radio button and specify a computer by entering its FQDN, NetBIOS name or IP address. You can click the Browse button to select from the network computers:

   Figure 13: Computer Collection New Item Wizard

14. Click Next to continue. Review your new item's settings and click Finish. It will be added to the computer collection.

15. On the next step, select the Enable Network Traffic Compression option:

   Figure 14: New Managed Object Wizard: Network Traffic Compression

16. Click Next to continue. On the next step, you must specify the events summary recipient(s):

   Figure 15: New Managed Object Wizard: Specify Events Summary Recipients

17. Click the Add button and specify the email address(es) of the events summary recipients:

   Figure 16: New Email Address

18. Click Next to continue. On the following step, you need to configure real-time alerts. For detailed information on how to do this, refer to Section 5.2 Configuring Real-Time Alerts.

19. On the next step, configure audit archiving filters. These filters define what events will be stored in the repository and a SQL database. The filters required to store information for all predefined SSRS-based reports and Syslog-based platforms are selected by default. Click the Enable button and select Disable all. Select the All Windows Logs checkbox and click Next:

   Note: Information and verbose events will be filtered out even though the All Windows Logs inclusive filter is selected.

   Figure 17: New Managed Object Wizard: Audit Archiving Filters

20. On the last step, review your Managed Object settings and click Finish to complete the wizard. The following confirmation message will be displayed:

   Figure 18: The Confirmation Message

21. The newly created Managed Object will appear under the Managed Objects node, and its details will be displayed in the right pane:

   Figure 19: New Managed Object Details

5.2. Configuring Real-Time Alerts

Real-time alerts are configured using the New Alert wizard. When creating a Managed Object, the following dialog is displayed:

Figure 20: New Managed Object Wizard: Configure Real-Time Alerts

To configure a real-time alert, follow the procedure below:

Procedure 4. To configure a real-time alert

1. Start the New Alert wizard by clicking the Add button. The following dialog will be displayed:

   Figure 21: New Alert Wizard: Specify Real-Time Alert Name

2. In this dialog, enter the alert name in the Name entry field (for example, "NetWrix Event Log Agents"). Set 10 in the Alerts per one email entry field. Click Next. The Configure Real-Time Alerts Filters and Notifications dialog will open:

   Figure 22: New Alert Wizard: Configure Real-Time Alert Filters and Notifications

3. Click the Add button under Event filters to add a new filter. The Event Filter Parameters dialog will be displayed.

4. Select the Event Filters tab. As an example, type NetWrix Event Log Agent in the Source entry field:

   Figure 23: Event Filters Parameters

   In this case, you will receive real-time alerts on the NetWrix Event Log Agents activity.

5. Click OK to save the changes.

6. In the Configure Real-Time Alerts Filters and Notifications dialog, click Next to continue. Review your real-time alert settings and click Finish. A new real-time alert will be added.

6. MONITORING YOUR COMPUTERS FOR EVENTS

When a new Managed Object is added, NetWrix Event Log Manager starts collecting events from monitored computers according to the specified filters and stores them in the Audit Archive. If you do not want to wait until the product generates an events summary, you can generate it manually.

To manually generate an events summary, in NetWrix Enterprise Management Console expand the Managed Objects node and select your Managed Object. Click the Run button:

Figure 24: Computer Collection Page

After all currently available events are collected, an events summary is sent to the specified recipient(s):

Figure 25: Events Summary

Such emails are automatically sent once a day and/or every time you manually start events summary generation.

Once the product detects the required events, it will send real-time alerts to the specified recipients. The following figure illustrates an alert for the NetWrix Event Log Manager Agents event:

Figure 26: Example of a Real-Time Alert

To view collected events, follow the procedure below:

Procedure 5. To view collected events

1. Navigate to Start → All Programs → NetWrix → Event Log Manager → Advanced Tools → Viewer. NetWrix Event Viewer will open:

   Figure 27: NetWrix Event Viewer

2. Select the Event Log you want to view, specify the date range for events to be displayed and click the View button.

3. Select the location to write events to and click Save. Selected events will be displayed in Event Viewer:

   Figure 28: Selected Events

A APPENDIX: RELATED DOCUMENTATION

The table below lists all documents available to support NetWrix Event Log Manager:

Table 6: Product Documentation

| Document Name | Overview |
|---|---|
| NetWrix Event Log Manager Quick-Start Guide | The current document. |
| NetWrix Event Log Manager Administrator's Guide | Provides detailed instructions on how to configure and use NetWrix Event Log Manager. |
| NetWrix Event Log Manager Installation and Configuration Guide | Provides detailed instructions on how to install NetWrix Event Log Manager and configure monitored computers. |
| NetWrix Event Log Manager Quick-Start Guide (Freeware Edition) | Provides an overview of the product's functionality, and instructions on how to install, configure and start using NetWrix Event Log Manager (Freeware Edition). |
| NetWrix Event Log Manager User Guide | Provides information on different NetWrix Event Log Manager reporting capabilities, lists all available report types and report formats, and explains how these reports can be viewed and interpreted. |
| NetWrix Event Log Manager Release Notes | The document provides a list of known issues that customers may experience while using the release version 4.0. |