6 Customizing event sources : 6.3 Configuring event source properties
6.3
Configuring event source properties
GFI EventsManager allows you to customize the event source parameters to suit the operational requirements of your infrastructure. You can configure of these parameters on a:
Computer by computer basis.
Computer group by group basis.
Event source properties that can be customized include:
General event source properties such as computer group name
Alternative domain administrator credentials required to remotely access the event logs of a target computer.
Event source operational time. Through these parameters GFI EventsManager can identify key events that occur outside normal operational time such as failed logons. As a result alerts and notifications can be generated and dispatched to administrators for immediate attention.
Windows, W3C , SNMP and Syslog event processing parameters.
To configure event source properties:
1. Click on the Configuration tab.
Screenshot 39 – Group type
2. From the Group Type drop-down select Event Sources Groups.
3. To configure the parameters of a:
Computer group: Right-click on the computer group to be configured and select Properties.
Particular computer in a group:
o
Click on the computer / database server group to which the computer group belongs.
o
From the right pane, right-click on the required computer and select Properties.
4. Click on the required tabs and configure the respective parameters accordingly. More information on how to configure these parameters is provided in the coming sections.
6.3.1
Configuring general event source properties
Screenshot 40 – Event sources properties dialog
Use the General tab in the properties dialog to:
Change the name of a computer group.
Enable/disable log collection and processing for the computers in a group.
Configure log collection and processing frequency.
6.3.2
Configuring alternative domain administrator credentials
During event processing, GFI EventsManager must remotely log-on to the target computers. This is required in order to collect log data that is currently stored on the target computers and to pass this data on to the event processing engine(s).
To collect and process logs, GFI EventsManager must have administrative privileges over the target computers. By default, GFI EventsManager will log-on to target computers using the credentials of the account under which it is currently running; however, certain network environments are configured to use different credentials to log on to workstations and servers with administrative privileges. As an example for security purposes, network administrators can setup a dedicated account that has administrative privileges over workstations only and a different account that has administrative privileges over servers only.
Screenshot 41 - Configuring alternative logon credentials
GFI EventsManager, allows you to configure a dedicated set of logon credentials for individual target computers as well as for computer groups. To configure a set of credentials for a particular computer group:
1. Right click on an event source and click on Properties
2. Click on the Logon Credentials tab
3. Specify the login name and password which will be used to log-on and collect logs from the target computer(s).
6.3.3
Configuring event source operational time
GFI EventsManager includes an Operational Time option through which you specify the normal working hours of your event sources. This is required so that GFI EventsManager can keep track of the events that occur both during and outside working hours. Use the operational time information for forensic analysis and to identify network computers that are being misused outside normal working hours. For example, through this information, you can discover unauthorized user access, illicit transactions carried out outside normal working hours and other potential security breaches that might be taking place on your network.
Screenshot 42 - Specify operational time
Operational time is configurable on computer group basis. Configuration is achieved through the Operational Time tab provided in the computer group properties; Operational time is configured by marking the normal working hours on a graphical operational time scale which is divided into 1 hour segments.
6.3.4
Configuring event processing parameters
To configure event processing parameters:
Screenshot 43 – Event-processing configuration tabs
1. Bring up the (computer/computer group) properties dialog
2. Use the Windows Event Log tab, W3C Logs tab, Syslog tab and SNMP Traps to configure the required event processing parameters. For more information on how to configure these parameters refer to the ‘Configuring event processing rules’ chapter.