Table of Contents

1 Introduction
    1.1 About this manual
    1.2 Conventions used in this manual
    1.3 About GFI EventsManager
    1.4 Key Features
        Extended event log support
        Rule-based event log management
        Event log scanning profiles
        Allow granular configuration of rules
        Translates cryptic Windows events
        Enhanced event scanning engine
        Automatic noise reduction
        Enhanced real-time actions
        Advanced event filtering features
        Event centralization
        User access privileges
        SQL Server audit
        Oracle Server audit
        Database operations (WAN Connector)
        Management Information Base
    1.5 How does GFI EventsManager work?
        Stage 1: Event Collection
        Stage 2: Event Processing
    1.6 Navigating the GFI EventsManager management console

2 Installation
    2.1 Introduction
        Where can I install GFI EventsManager on my network?
        2.1.1 Deployment of GFI EventsManager on a local area network
        2.1.2 Deployment of GFI EventsManager on a demilitarized zone
    2.2 Hardware requirements
    2.3 Software requirements
        Software requirements - Installation machine(s)
        Software requirements - Scanned machine(s)
    2.4 Other requirements
        2.4.1 Ports and permissions that must be enabled
            Ports used by GFI EventsManager
            Firewall permissions that must be enabled
    2.5 Microsoft Windows Vista and Microsoft Windows 7
    2.6 Upgrading from a previous version
    2.7 Installation procedure

3 Getting Started
    3.1 Introduction
        What is a computer log?
        What is a log?
        What are Windows Event Logs?
        What are W3C logs?
        What are Syslogs?
        What are SNMP Traps?
        What are SQL Server audit logs?
        What are Oracle Server audit logs?
    3.2 Running GFI EventsManager for the first time
    3.3 Step 1: Configure the database backend
    3.4 Step 2: Launch events processing
        3.4.1 Processing events from the local computer
        3.4.2 Processing events from the local domain
        3.4.3 Processing events from selected machines
    3.5 Step 3: Analyze events and generate reports
        3.5.1 Navigating the Quick Launch Console

4 Event browsing
    4.1 Introduction
    4.2 Event filter/query builder
        4.2.1 Creating custom event queries
        4.2.2 Create query from an existing event
        4.2.3 View or Edit a custom query
    4.3 Event color-coding options
        4.3.1 Assigning a color-code to a specific event
        4.3.2 Assigning different color-codes to multiple events
    4.4 Event finder tool
    4.5 Export events tool
        4.5.1 Export To CSV tool
        4.5.2 Export to HTML tool
        4.5.3 Adding and Editing Templates
    4.6 Customizing the event viewer pane
        Select columns to be displayed
        Customize the position of the description window
    4.7 Event maintenance
        4.7.1 Backup events
        4.7.2 Switching databases
        4.7.3 Clear events from a query result

5 Generating reports
    5.1 Introduction
    5.2 Daily Digest
    5.3 Download the GFI EventsManager ReportPack
    5.4 Launching the GFI EventsManager ReportPack

6 Manage event sources
    6.1 Introduction
    6.2 Managing event sources groups
        6.2.1 Create a new group
        6.2.2 Edit synchronization options
    6.3 Adding event sources
        6.3.1 Adding an event source to a group
    6.4 Configuring event source properties
        6.4.1 Configuring general event source properties
        6.4.2 Configure Logon Credentials
        6.4.3 Configure operational time
        6.4.4 Configure GFI EventsManager Auditing
        6.4.5 Configuring event processing parameters
    6.5 Microsoft SQL Server sources
        6.5.1 Adding a new Microsoft SQL Server group
        6.5.2 Adding a new Microsoft SQL Server
    6.6 Oracle Server sources
        6.6.1 Introduction
        6.6.2 Pre-configuration settings for Oracle servers
        6.6.3 Adding a new Oracle Database group
        6.6.4 Adding a new Oracle Database
    6.7 Adding GFI LANguard event sources
        6.7.1 Introduction
        6.7.2 How to enable GFI LANguard event logging?
        6.7.3 Monitor GFI LANguard Events
    6.8 Adding GFI EndPointSecurity event sources
        6.8.1 Introduction
        6.8.2 Enable GFI EndPointSecurity logging
        6.8.3 Monitor GFI EndPointSecurity Events

7 Using event processing rules
    7.1 Introduction
    7.2 How event processing works
    7.3 Collecting events
        7.3.1 Collecting Windows events
            Selecting the events to be collected
        7.3.2 Collecting W3C logs
            Selecting the events to be collected and processed
        7.3.3 Collecting Syslogs
        7.3.4 Configuring the Syslog server communications port
        7.3.5 Collecting SNMP Traps
        7.3.6 Configuring the SNMP Trap server settings
        7.3.7 Collecting custom events
    7.4 Archiving events
        7.4.1 Configure storage folder
    7.5 Select event processing rules
    7.6 Triggering event source scanning manually

8 Manage rule-sets
    8.1 Introduction
    8.2 Managing rule set folders
        8.2.1 Add a rule-set folder
        8.2.2 Renaming and deleting folders
        8.2.3 Creating a new rule-set
        8.2.4 Editing a rule-set
    8.3 Create log rules
        8.3.1 Creating a new Windows Event Log rule
        8.3.2 Creating a new W3C rule
        8.3.3 Creating a new Syslog rule
        8.3.4 Creating a new SNMP Trap rule
        8.3.5 Creating a new SQL Server audit log
        8.3.6 Create new rule from an existing event
            Create new rule from event
        8.3.7 View or Edit a custom rule
        8.3.8 Changing the configuration settings of a rule
    8.4 Advanced event filtering parameters
        8.4.1 Windows events conditions
        8.4.2 Syslog categories
        8.4.3 Field operators

9 Customizing alerts and actions
    9.1 Introduction
        Default classification actions
        Generating actions through event processing rules
        Supported actions
    9.2 Configuring default classification actions
    9.3 Configuring alerting options
        9.3.1 Configuring email alerts
        9.3.2 Configuring network alerts
        9.3.3 Configuring SMS alerts
        9.3.4 Configuring SNMP alerts
        9.3.5 Configuring generic alerts

10 Configuring users and groups
    10.1 Introduction
    10.2 Manage user accounts
        10.2.1 Configuring the administrator account
        10.2.2 Create user accounts
        10.2.3 Changing user properties
        10.2.4 Deleting users
    10.3 Manage groups
        10.3.1 Changing user group properties
        10.3.2 Deleting user groups
    10.4 Manage console security
        10.4.1 GFI EventsManager login system
        10.4.2 Password recovery
        10.4.3 Audit console activity
        10.4.4 Auto-discovery credentials

11 Status monitoring
    11.1 Introduction
    11.2 General status view
        11.2.1 GFI EventsManager service status
        11.2.2 Top Important Logon Events
        11.2.3 Critical and High Importance events
        11.2.4 Events Count by Database Fill-Up
            Backup and Clean now
        11.2.5 Top Services Status Events
        11.2.6 Top Network Activity Events
    11.3 Job activity view
        11.3.1 Active jobs
        11.3.2 Queued jobs
        11.3.3 Server message history
        11.3.4 Operational history
        11.3.5 Maintenance jobs
    11.4 Statistics view
        11.4.1 Events count for today
        11.4.2 Events count by log type
        11.4.3 Activity overview

12 Database Operations
    12.1 Introduction
    12.2 Why database maintenance?
        Consolidation of events for a WAN
    12.3 Create maintenance jobs
        12.3.1 Move to database
        12.3.2 Export to file
            Export filename
        12.3.3 Import from file
        12.3.4 Delete data
        12.3.5 Configuring data filter conditions
            Example: Windows Event Log filter
            Advanced conditions
    12.4 Edit existing maintenance jobs
        Job activity status
        12.4.1 Changing maintenance job priority
        12.4.2 Deleting a maintenance job

13 Miscellaneous
    13.1 Enabling permissions on target computers manually
        13.1.1 Microsoft Windows XP
        13.1.2 Microsoft Windows Vista
            Step 1: Enable Firewall permissions
            Step 2: Enable additional auditing features
        13.1.3 Microsoft Windows 7
            Step 1: Enable Firewall permissions
            Step 2: Enable additional auditing features
        13.1.4 Microsoft Windows Server 2003
            Enable Firewall permissions
        13.1.5 Microsoft Windows Server 2008 (including R2)
            Enable firewall permissions
    13.2 Setting permissions on target computers automatically via GPO
        13.2.1 Windows Server 2003
        13.2.2 Windows Server 2008 (including R2)
            Firewall permissions
    13.3 Disable UAC to scan target machines
    13.4 Command line operations
        13.4.1 Exportdata.exe
        13.4.2 Importdata.exe
        13.4.3 ImportSettings.exe
        13.4.4 ExportSettings.exe
        13.4.5 ExportRules.exe
        13.4.6 Customizing unique identifiers
    13.5 Auto updating GFI EventsManager
    13.6 Product licensing
        Licensing Page
        13.6.1 To update license key
        13.6.2 To obtain a free 30-day trial license key
        13.6.3 To view license details
        13.6.4 To update license type
        13.6.5 To purchase a license key
    13.7 Version information
        13.7.1 Checking for newer builds

14 Troubleshooting
    14.1 Introduction
    14.2 Common issues
    14.3 Knowledge Base
    14.4 Web Forum
    14.5 Request technical support
    14.6 Build notifications

15 Glossary