4 Event browsing

4.1 Introduction

The Event Browsing option allows you to access and browse processed or unprocessed events/logs that are currently stored in the main or backup database backends.

Screenshot 14 - GFI EventsManager: Events Browser

Use the Events Browser for forensic analysis of events. All events accessible through the Events Browser are organized (by log type) in 4 tabs: Windows Events Browser tab, W3C Events Browser tab, Syslog Events Browser tab, SNMP Traps Events Browser tab and Microsoft SQL Server Audit Browser tab. This way you can quickly access the events belonging to a particular log type. Event data is organized into columns, and clicking on a particular event shows additional information in a dedicated event description pane.

Screenshot 15 - Event details provided on the web-page

For Windows events, descriptions are organized in two tabs accessible from the event description field:
• General tab – Contains event information in the legacy format that was standard for pre-Microsoft Windows Vista event logs.
• XML Data tab – Contains event information in the new XML-based Microsoft Windows Vista format.

Use the link provided in the event description pane to access:
• A more detailed description of the event
• Information and links that explain what causes this type of event
• Hints and tips on how to possibly solve any existing issues.

Event browsing tools

Event analysis is quite a demanding task; GFI EventsManager is equipped with specialized tools that simplify the search for specific events and enable the export of events to CSV files. These specialized tools include:
• An event filter/query builder
• Event color-coding options
• Event finder tool
• Export events tool.
Event filter/query builder

Screenshot 16 – Custom query builder

Use the event query builder that ships with GFI EventsManager to create custom filters that sift event data and display only the information that you need to browse – without deleting a single record from your database backend. In addition, GFI EventsManager ships with pre-configured queries that filter events without any configuration effort – just click and go.

Screenshot 17 - Default and custom event queries

Event color-coding options

Screenshot 18 – Event color coding filters

Use the event color-coding tool to tint key events in a particular color. This way the required events are easier to locate during event browsing. For example, you can create a query that shows events classified as Critical or High and at the same time color in red all Critical events having event ID 231. The configuration of color-codes is carried out through a dedicated query builder. Use this query builder to specify:
• The conditions that define which events must be colored
• The colors to be used when showing these events.

Event finder tool

Screenshot 19 – Event finder tool

Use the event finder tool to locate events that match a specific search string. For example, you can search for events that have a specific ID or that contain specific keywords in the description.

Export events tool

Screenshot 20 – Export events tool

Use the export events tool to save event data to a CSV file. For more information refer to the ‘Export events tool’ section in this manual.
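The four browsing tools described above (filter/query builder, color-coding rules, finder, CSV export) all operate on the same idea: a set of conditions evaluated against the columns of each event record, without touching the stored data. The following script is an added illustration written for this manual page; it is not GFI EventsManager code and does not use the product's API. It parses constructed Windows events in the Vista-style XML layout shown in the XML Data tab, applies the example query from the text (show Critical or High events, color in red Critical events with ID 231), runs a finder search and exports the result as CSV. The mapping from the Windows Level field to the Critical/High/Medium/Low classification names, the field names of the filter conditions and all sample values are assumptions made for this example.

```python
"""Added example (not GFI EventsManager code): a minimal event browser model
with a query builder, color-coding rules, a finder and CSV export."""
import csv
import io
import xml.etree.ElementTree as ET

# Real Windows event XML namespace; the records below are constructed.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption for this example: classification derived from the Level field.
LEVEL_TO_CLASS = {1: "Critical", 2: "High", 3: "Medium", 4: "Low", 5: "Low"}

# Constructed sample records in the Vista-style XML layout (XML Data tab).
SAMPLE_EVENTS_XML = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Demo-Service"/><EventID>231</EventID><Level>1</Level>'
    '<Channel>Application</Channel><Computer>host1.example</Computer></System>'
    '<EventData><Data Name="Message">Service failed to start</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Demo-Auditing"/><EventID>4672</EventID><Level>2</Level>'
    '<Channel>Security</Channel><Computer>host2.example</Computer></System>'
    '<EventData><Data Name="Message">Special privileges assigned to new logon</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Demo-Service"/><EventID>7036</EventID><Level>4</Level>'
    '<Channel>System</Channel><Computer>host1.example</Computer></System>'
    '<EventData><Data Name="Message">Service entered the running state</Data></EventData></Event>',
]


def parse_event(xml_text):
    """Flatten one XML record into the columns an event browser displays."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    level = int(system.findtext("e:Level", default="4", namespaces=NS))
    data = root.findall("e:EventData/e:Data", NS)
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "level": level,
        "classification": LEVEL_TO_CLASS.get(level, "Low"),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "description": " ".join(d.text or "" for d in data),
    }


# Operators available to the query builder: (field, op, value) conditions.
OPS = {
    "==": lambda actual, wanted: actual == wanted,
    "in": lambda actual, wanted: actual in wanted,
    "contains": lambda actual, wanted: wanted.lower() in str(actual).lower(),
}


def matches(event, conditions):
    """True when every condition holds; filtering only selects what to show."""
    return all(OPS[op](event[field], value) for field, op, value in conditions)


def run_query(events, conditions):
    """Filter/query builder: return the events that satisfy all conditions."""
    return [e for e in events if matches(e, conditions)]


def color_for(event, rules):
    """Color-coding: color of the first matching (conditions, color) rule."""
    for conditions, color in rules:
        if matches(event, conditions):
            return color
    return None  # default rendering, no tint


def find_events(events, search):
    """Finder tool: match an event ID or a keyword in the description."""
    if search.isdigit():
        return [e for e in events if e["event_id"] == int(search)]
    return [e for e in events if search.lower() in e["description"].lower()]


def export_csv(events, columns=("event_id", "classification", "computer", "channel", "description")):
    """Export events tool: serialize the selected columns to CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(columns), extrasaction="ignore")
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


# The example from the manual: show Critical or High, tint Critical ID 231 red.
SEVERE = [("classification", "in", ("Critical", "High"))]
RED_231 = [([("classification", "==", "Critical"), ("event_id", "==", 231)], "red")]


def demo():
    events = [parse_event(x) for x in SAMPLE_EVENTS_XML]
    shown = run_query(events, SEVERE)
    colored = [(e["event_id"], color_for(e, RED_231)) for e in shown]
    return shown, colored


if __name__ == "__main__":
    shown, colored = demo()
    print(colored)
    print(export_csv(shown))
```

The query and color rules share one condition evaluator, which mirrors the manual's note that color-coding is configured through the same kind of query builder as the filters; a rule list is evaluated top to bottom, so place the most specific tint first.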