Table of Contents

Introduction
  About this manual
  How is this manual structured
  Glossary of terms used in this manual

About GFI EventsManager
  Key Features
    Extended event log support
    Rule-based event log management
    Event log scanning profiles
    Allow granular configuration of rules
    Translates cryptic Windows events
    Enhanced event scanning engine
    Automatic noise reduction
    Enhanced real-time actions
    Advanced event filtering features
    Event centralization
    User access privileges
    SQL Server audit
    Database operations (WAN Connector)
    Management Information Base
  How does GFI EventsManager work?
    Stage 1: Event Collection
    Stage 2: Event Processing
  Operational privileges
  Navigating the GFI EventsManager management console

Installation
  Introduction
  Where can I install GFI EventsManager on my network?
    Deployment of GFI EventsManager on a local area network
    Deployment of GFI EventsManager on a demilitarized zone
  Managing Microsoft Windows Vista & Windows Server 2008 events
  Hardware requirements
  Software requirements
    Software requirements - Installation machine(s)
    Software requirements - Scanned machine(s)
  Upgrading from a previous version
  Installation procedure

Getting Started
  Introduction
  What is a computer log?
  What is a log?
    What are Windows Event Logs?
    What are W3C logs?
    What are Syslogs?
    What are SNMP Traps?
    What are SQL Server audit logs?
  Getting started: Running GFI EventsManager for the first time
    Step 1: Configure the database backend
    Step 2: Launch events processing
      Processing events from the local computer
      Processing events from selected machines
    Step 3: Analyze events and generate reports
  Navigating the Quick Launch Console

Event browsing
  Introduction
  Event browsing tools
    Event filter/query builder
    Event color-coding options
    Event finder tool
    Export events tool
  Accessing and browsing stored event logs
  Applying event queries
  Creating custom event queries
  Customizing the event viewer pane
    Selecting columns to be displayed
    Customize the position of the description window
  Configuring event color coding
    Assigning a color-code to a specific event
    Assigning different color-codes to multiple events
  Event finder tool
  Export events tool
  Backup events
  Switching databases
  Clear all events

Generating reports
  Introduction
  Download the GFI EventsManager ReportPack
  Launching the GFI EventsManager ReportPack

Customizing event sources
  Introduction
  Adding new event sources to the computers group
  Configuring event source properties
    Configuring general event source properties
    Configuring alternative domain administrator credentials
    Configuring event source operational time
    Configuring event processing parameters
  Adding a new SQL Servers group
  Configuring SQL Servers event source properties
    Adding new SQL Servers to the default group
    Removing SQL Servers from the default group
    Configuring database server properties

Configuring event processing rules
  Introduction
    Event processing rules
    Event classification
    Event processing, classification and actions flowchart
  Collecting and processing Windows events
    Overview
    Selecting the events to be collected
    Archiving Windows events
    Selecting Windows event processing rules
    Configuring custom event logs
  Collecting and processing W3C logs
    Selecting the events to be collected and processed
    Archiving W3C events
    Selecting W3C event processing rules
  Collecting and processing Syslogs
    Archiving Syslog events
    Selecting Syslog processing rules
    Configuring the Syslog server communications port
  Collecting and processing SNMP Traps
    Archiving SNMP Trap events
    Selecting SNMP Trap processing rules
    Configuring the SNMP Trap server settings
  Archiving events
    Archive events without processing logs
    Archiving events after processing
  Selecting event processing rules
  Triggering event source scanning manually

Customizing event processing rules
  Introduction
  Create a new rule-set folder
  Renaming and deleting folders
  Creating a new rule-set
  Editing a rule-set
  Deleting a rule-set
  Creating a new Windows Event Log rule
  Creating a new W3C rule
  Creating a new Syslog rule
  Creating a new SNMP Trap rule
  Creating a new SQL Server audit log
  Changing the configuration settings of a rule
  Advanced event filtering parameters
    Windows events conditions
    Syslog categories

Customizing alerts and actions
  Introduction
    Default classification actions
    Generating actions through event processing rules
    Supported actions
  Configuring default classification actions
  Configuring actions through event processing rules
  Configuring alerting options
    Configuring email alerts
    Configuring network alerts
    Configuring SMS alerts
    Configuring SNMP alerts

Configuring users and groups
  Introduction
  Configuring the administrator account
  Creating a new user
  Changing user properties
  Deleting users
  Configuring groups
  Changing user group properties
  Deleting user groups
  Enabling and disabling the GFI EventsManager login system
  Enabling and disabling user action auditing

Status monitoring
  Introduction
  Accessing the status monitor
  General status view
    EventsManager service status
    EventsManager servers status
    Database backend status
    Global event count
    Events type by classification
    Activity overview
  Job activity view
    Active jobs
    Queued jobs
    Server message history
    Operational history
    Maintenance jobs
  Statistics view
    Events count for today
    Events count by log type
    Events count by classification
    Windows events count by event log

Database Operations
  Introduction
    Why is there a need for database maintenance?
    Consolidation of events for a WAN
  Configuring Database Operations
  Creating maintenance jobs
    Move to database
    Export to file
      Export filename
    Import from file
    Delete data
  Configuring data filter conditions
    Example: Windows Event Log filter
    Advanced conditions
  Viewing scheduled maintenance jobs
    Job activity status
  Editing a maintenance job
  Changing maintenance job priority
  Deleting a maintenance job

Miscellaneous
  Command line operations
    Exportdata.exe
    Importdata.exe
    Importsettings.exe
  Customizing unique identifiers
  Licensing
    Entering license key after installation
  Version information
    Checking for newer builds

Troubleshooting
  Introduction
  Knowledge Base
  Web Forum
  Request technical support
  Build notifications