7 Configuring event processing rules

7.1 Introduction

GFI EventsManager allows you to collect and process Windows Event Logs, W3C logs, Syslogs, SNMP Traps and Microsoft SQL Server audit logs. Each supported log type records events in a different, proprietary format; therefore every log type requires its own configuration settings and parameters. You can configure log collection and processing parameters:

• On a computer by computer basis
• On a computer group by computer group basis.

During event processing, GFI EventsManager runs a configurable set of rules against the collected logs in order to classify events and trigger alerts/actions accordingly. By default, GFI EventsManager ships with a pre-configured set of event processing rules that give you network-wide control over computer logs with negligible configuration effort.

Event processing rules

Event processing rules are instructions/checks that:

• Analyze the collected logs.
• Classify the severity of processed events. Classification is based on the configuration settings of the processing rule.
• Filter events that match specific criteria. For example, you can create and run a rule which filters out low severity events and noise (duplicate events).
• Generate alerts and actions based on event severity. For example, you can configure GFI EventsManager to send both SMS and email alerts whenever an event is classified as critical, but limit the product to sending only email alerts when an event is classified as high in severity. For more information on how to configure alerts and actions, refer to the ‘Configuring alerting and actions’ chapter.
• Optionally archive filtered events. Event archiving is based on the severity of the event and on the configuration settings of the event processing rules. For example, you can configure GFI EventsManager to archive only events that are classified critical or high in severity and discard all the rest.

In GFI EventsManager, event processing rules are organized into ‘Rule-sets’, and every rule-set can contain one or more specialized rules which can be run against collected logs.

Screenshot 53 - Rule-sets folder and Rule-sets

Rule-sets are further organized into ‘Rule-sets Folders’. This way you can group rule-sets according to the functions and actions that the respective rules perform. By default, GFI EventsManager ships with pre-configured folders, rule-sets and event processing rules that can be further customized to suit your event processing requirements.

Event classification

GFI EventsManager classifies events in 5 categories:

• Critical
• High
• Medium
• Low
• Noise (unwanted or repeated log entries).

Event classification is based on the configuration of the rules that are executed against the collected logs. Events that don’t satisfy any event classification conditions are tagged as unclassified and can be set to trigger the same alerts and actions available for classified events.

Event processing, classification and actions flowchart

The flowchart below illustrates the event processing stages performed by GFI EventsManager.

Screenshot 54 - Log processing, classification and actions flowchart
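The processing stages described in this chapter (noise filtering, rule-based severity classification, severity-driven alerts and archiving), modelled as a small Python rule engine. This is an added illustration, not GFI EventsManager code: the rule-set, the channel mapping and the Windows Security log sample are constructed for the example.

```python
from collections import namedtuple

# Severity classes from the manual: critical, high, medium, low, noise; an event that
# matches no rule stays "unclassified". Alerts and archiving are keyed on severity,
# following the manual's example: critical -> SMS and email, high -> email only.
ALERT_CHANNELS = {"critical": ("sms", "email"), "high": ("email",)}
ARCHIVE_SEVERITIES = {"critical", "high"}   # everything else is discarded

# A rule: a name, a condition callable(event) -> bool, and the severity it assigns.
Rule = namedtuple("Rule", "name match severity")

def process(events, rule_set):
    """Run one rule-set over collected events: filter noise, classify, alert, archive."""
    out = {"classified": [], "alerts": [], "archived": []}
    seen = set()
    for ev in events:
        key = (ev["source"], ev["id"], ev["msg"])
        if key in seen:                        # repeated log entry -> noise
            severity, rule_name = "noise", "duplicate-filter"
        else:
            seen.add(key)
            severity, rule_name = "unclassified", None
            for rule in rule_set:              # first matching rule decides
                if rule.match(ev):
                    severity, rule_name = rule.severity, rule.name
                    break
        out["classified"].append((ev["id"], severity, rule_name))
        for channel in ALERT_CHANNELS.get(severity, ()):
            out["alerts"].append((channel, ev["id"]))
        if severity in ARCHIVE_SEVERITIES:
            out["archived"].append(ev["id"])
    return out

# Hypothetical rule-set and a constructed Windows Security log sample (not product data).
RULES = [
    Rule("audit-log-cleared", lambda e: e["id"] == 1102, "critical"),
    Rule("failed-logon", lambda e: e["id"] == 4625, "high"),
    Rule("successful-logon", lambda e: e["id"] == 4624, "low"),
]
SAMPLE_EVENTS = [
    {"source": "dc01", "id": 1102, "msg": "The audit log was cleared"},
    {"source": "dc01", "id": 4625, "msg": "An account failed to log on"},
    {"source": "ws07", "id": 4624, "msg": "An account was successfully logged on"},
    {"source": "ws07", "id": 4624, "msg": "An account was successfully logged on"},
    {"source": "ws07", "id": 7036, "msg": "A service entered the running state"},
]
```

Running `process(SAMPLE_EVENTS, RULES)` shows the duplicate 4624 entry tagged as noise, the unmatched 7036 entry left unclassified, and only the critical and high events producing alerts and archive entries.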