ELA: How to reduce size of Index
Hey, I found this guidance (see below) on reducing INDEX size (PG/SQL). Do you have any updated guidance for more recent releases, i.e. 11.10 or 11.12? Cheers https://pitstop.manageengine.com/portal/community/topic/patch-for-index-data-purging-in-ela-build-8000-8010-8011-8050-8051
TWTQ: In-built ticketing console views
Hey guys! Here's This Week's Top Question (TWTQ): Q: What is the meaning of the various views in the Alerts tab? A: EventLog Analyzer contains a built-in ticketing console which helps you streamline your incident management process. The module allows you to: Raise security incidents as tickets Automatically assign them to the concerned owner Track the status of the ticket Add supplementary notes regarding the incident details All of these features allow you to quickly and efficiently resolve security
Settings:Admin Settings:Working Hour Settings
I have attempted to set our working hour settings from the default of 10 & 20 hours to our working hours, with what seems to be no change. If I go to another field and then back to the working hour settings I get the same result, 10 & 20; is this being updated correctly and not posting correctly? Is there any way to check the setting, which may be in a file on the server?
TWTQ: Integrating with external help desk software
Q: How do I send incident information to external help desk software? A: EventLog Analyzer allows you to streamline your security incident handling process with its incident management feature. With this feature, you can bridge the gap between security incident detection and response. This allows you to resolve incidents quickly and efficiently. EventLog Analyzer allows you to manage all detected security incidents by using the built-in ticketing console, or by forwarding incident information to
TWTQ: Conducting forensic investigations with correlation reports
Hey everyone! Here's This Week's Top Question (TWTQ): Q: How can I conduct effective log forensic investigations with correlation reports? A: When any incident is detected, the first course of action to be taken is a forensic investigation. This involves combing through your logs to identify a log trail, which tells you how an attacker breached your network and accessed your critical data and resources, and any other actions he/she might have taken. The correlation module of EventLog Analyzer vastly
EventLog Analyzer and Firewall Analyzer Integration
Hello, We have both EventLog Analyzer and Firewall Analyzer. We are wondering if there is any sort of integration between the two systems? Our firewall logs are presently going to Firewall Analyzer but we would like them in EventLog Analyzer as well to correlate events. Before duplicating the logs in both systems, I wanted to see what other options we may have. Thanks, Matt
TWTQ: Enable and disable correlation rules, alerts, and reports
Hey everyone! Here's This Week's Top Question (TWTQ): Q: How do I enable/disable correlation rules, alerts, and reports? A: As EventLog Analyzer processes millions of network logs, its correlation engine matches them against various known security incident patterns. When a sequence of logs from your network matches one of these patterns, it is a possible attack. It then notifies you immediately via email or SMS and generates a detailed incident report. For instance, a brute force attack occurs when
TWTQ: Customizing correlation reports
Hey everyone! Here's This Week's Top Question (TWTQ): Q: How do I customize the correlation reports to suit my requirements? A: As you know, every security incident is composed of a sequence of distinct events, or actions. For instance, if attackers try to steal data from your database, then they must first intrude into your network. They can do this by various means. For instance, they may use a VPN to get access to the network. They then log into your database by cracking the credentials or using known
Free online training: Strengthen security with our latest features!
Hey everyone! We are pleased to announce the Log360 training and certification program, starting May 2. Log360 is ManageEngine's comprehensive SIEM offering, which integrates EventLog Analyzer with ADAudit Plus. Besides ensuring network security and compliance, Log360 allows you to delve in-depth into your AD environment and monitor employee and privileged user activity. The new training series includes demonstrations of all our latest features - event correlation, SQL autodiscovery, threat intelligence,
Cannot access after upgrade to the latest service pack
Has anyone had problems logging in after upgrading to the latest service pack? I applied the service pack without problem, but after that I receive a message that the admin password is incorrect. I have a backup of the database. May I replace the database with the old one, or are there changes to the structure and objects in the service pack?
SAP Hana
Does ELA support the SAP HANA device?
Apache Struts 2 Vulnerability
Hello. We use ELA MSP and on our Managed server, our weekly vulnerability scanner flagged it as having a critical vulnerability, and suggested the Apache Struts be updated to version 2.3.28 or higher. Is there a fix for this specific one (whether special patch or just an update that is needed)? The exact message is: "Apache Struts 2 Tag Attribute Double OGNL Evaluation RCE Description The remote web application appears to use Apache Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation
TWTQ: Automatic ticket assignment
Hello everyone! Here's This Week's Top Question (TWTQ): Q: How do I automatically assign incident tickets to the concerned user? A: EventLog Analyzer's built-in incident management module allows you to manage all security incident alerts as tickets. You can assign the incident tickets to any of the product users, track their status on a central dashboard, add notes relevant to the incident resolution, and more. You can create rules to automatically assign incident tickets to any of the product users.
Registry Key for Reports May Cause Windows Updates to Fail and Revert
A recommended registry change for EventLog Analyzer has recently caused our Windows Hyper-V host servers to fail every time they applied Microsoft updates. The server OS was Windows Server 2012 Datacenter. This is a report of the situation and what was done to fix it. On page http://help.eventloganalyzer.com/configuring-out-of-the-box-reports in the User Guide for EventLog Analyzer, there is a recommendation to add certain keys to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Service > eventlog.
TWTQ: The correlation dashboard
Q: How do I interpret the information given in the correlation dashboard? A: The correlation dashboard loads as soon as you select the Correlation tab on EventLog Analyzer. It gives you an overview of the various security incidents encountered on your network in a selected time period: A security incident is detected by matching a sequence of logs to the correlation rules defined in the product. The dashboard shows you the various security incidents detected, and the total count of logs matched,
TWTQ: Correlation rules vs. alert profiles
Hey everyone, Here's This Week's Top Question (TWTQ): Q: Which should I choose - correlation rules or alert profiles? A: In essence, the main difference between correlation rules and alert profiles is that correlation rules are useful when you wish to check for anomalies or security incidents across multiple device types. On the other hand, alert profiles are useful to detect specific security incidents on individual, critical resources. Here is a comparison between alert profiles and correlation
TWTQ: Accessing threat feed alerts
Hello everyone! We're back for This Week's Top Question (TWTQ): Q: Where do I view threat feed alerts? A: EventLog Analyzer processes multiple threat feeds and alerts you when a malicious IP, URL, or domain is detected in your network. View the alerts by going to: Alerts > Profile based alerts > Default threat The built-in Default Threat alert profile is pre-enabled and it doesn't require any configuration. It starts checking your network for malicious IPs, URLs, and domain traffic, right after
TWTQ: How the STIX/TAXII feed processor works
Hey everyone, Here's This Week's Top Question (TWTQ): Q: What are STIX and TAXII? How does EventLog Analyzer's STIX/TAXII feed processor work? A: The Structured Threat Information eXpression (STIX) protocol describes a structured language for describing threats, and the Trusted Automated Exchange of Indicator Information (TAXII) protocol describes how this threat information can be communicated. Simply put, STIX and TAXII are global standards for identifying and sharing threat information. Together,
How can I change the SSL certificate used by EventLog Analyzer?
I was able to generate and install an SSL certificate a year ago with help in the forums, by using keytool to import the SSL certificate and CA certificate into Eventlog.keystore and then copying it into the /conf folder and editing server.xml accordingly. This certificate is expiring today, so I want to change it, but I can't make EvLA use the new one. I have generated a new CSR, then generated a new certificate using that CSR. Copied the new certificate into the jre/bin folder and used keytool to import it into Eventlog.keystore,
Print Server Application Logs - Windows Server 2008 R2 not collecting print server events
I can't seem to get the Windows 2008 R2 Print Server logs to collect as Print Server Application logs.
Talk to our experts about log management.
Hey everyone! Here's introducing the first ever edition of "Talk with Experts" - a unique event taking place on March 14th and 15th, where you can talk with our in-house IT security experts, engage with other IT admins and security professionals, and get answers to all your questions. If you aren't part of our community yet, do sign up - it only takes a minute :-) So, what are we going to talk about? The theme for the first edition is log management. As you know, log management comprises several
Log360 makes it to the finals of SC Media awards
We are excited to let you know that Log360 has been nominated as a finalist in the Best Security Information and Event Management Solution category in the SC Awards 2018 by SC Media. We thank all our Log360 customers for making this happen. ManageEngine Log360 ensures that an organization's network is secure with its log management, monitoring and analysis capabilities. The solution helps organizations, including leading enterprises and Fortune 500 companies: Combat internal security threats with
TWTQ: Correlation threshold limit
Hey everyone! We're back for TWTQ, or This Week's Top Question: Q: What's the use of the "threshold limit" for actions when I'm creating or modifying correlation rules? A: Let's understand how a correlation rule is structured. A correlation rule is a pattern used to detect possible security incidents in your network. This pattern is made up of a sequence of log events - a Windows logon event, a firewall denied connection, a table created in a database, etc. EventLog Analyzer collects logs from the
Security notice
Dear Users, ManageEngine released EventLog Analyzer 11.12 on 7th March 2018, with the following vulnerabilities fixed. Cross Site Scripting (XSS) in the search and reports page (CVE-2018-7405), raised by Suresh Khutale, has been fixed. Remote code execution when uploaded by an agent (DDI-VRT-2018-10). Download or update to EventLog Analyzer 11120.
Problem- Eventloganalyzer
Hi, there is a problem with EventLog Analyzer (build version 11.11): in the Manage Agent \ Pick Devices section the domain does not appear. Re-Scan should typically bring the domain name within 2-3 minutes. But in this section (Manage Agent \ Pick Devices) all domain names have disappeared.
Losing WMI Connections
I have over 50 workstations being monitored with EventLog Analyzer. Over time, workstations drop off with "Access Denied" or with "RPC Server unavailable". Since there aren't many changes to the workstations, I rather suspect Windows Updates have caused at least some of these. I used to be able to use my checklist and/or script to reset machines that had dropped out like this. Lately, however, I'm not able to find a fix. Tests with WBEMTEST fail at the same time. Because of that, Zoho says it's my
TWTQ: Selecting correlation rules for your business
Hey everyone! We're back with This Week's Top Query (TWTQ): Q: How do I know which correlation rules to enable? A: EventLog Analyzer provides you with over 30 predefined correlation rules, and we are working on adding more every day. Every organization has different security requirements. To understand which rules are most relevant to you, you can first look at the rule description on the Manage Rules page (accessible by going to the Correlation tab -> Manage Rules). Click on the icon shown to enable/disable
TWTQ: Applying rule to select users
Hey everyone! Here's This Week's Top Query (TWTQ): Q: I want to apply my correlation rule to a specific set of users. How do I do this? A: When you wish to apply a correlation rule to a specific set of entities (users, devices, etc.), you can make use of the field-based filters within the rule. If this is for a rule you're building from scratch, go to: Correlation -> Manage rules -> +Create rule If this is for an existing rule, go to: Correlation -> Manage rules -> Selecting the Update icon next
TWTQ: Correlation field-based conditions
Hello everyone! We are happy to share that we're starting a new weekly feature on this forum, called "This Week's Top Question". Each week, we will select one or more popular questions which we receive from our customers, and share the answer with you right here on the forum. So, getting right to it: Q: What are field-based conditions in event correlation? How and when do I use them? A: Field-based conditions are useful when you are building correlation rules. So first, let's understand how a correlation
Open ports
Does Port 8400 have to be open on the PC from which I want to collect Windows log events? How do I test for that?
Number of node for ELA server
Hi, I need to collect data from 1,100 Windows servers using ELA. I will configure a DB filter in order to collect only more or less 5% of Windows EventLog events. Can I do this using only 1 ELA server, or do I need to install 2 or more ELA servers? Best regards, Sutot
Detect security attacks with event correlation
Hey everyone, We recently enhanced EventLog Analyzer's correlation engine, and it's now better than ever before. In our new exclusive webinar, "Detecting security attacks with correlation", we explain how you can put correlation into use to secure your network against various attacks. Register now December 7th 2 PM GMT In this webinar, we talk about: The basics of log correlation Detecting ransomware, brute force attacks, and more with predefined rules In-depth incident reports and alerts provided by EventLog
MySQL or PostgreSQL?
Dear Support, in order to set up a Distributed Architecture for ELA, is it better to use a MySQL or PostgreSQL database? Thanks, M.
How correlation can help you prevent ransomware, brute force, and more.
Correlating log data from disparate log sources is an effective method to discover various types of attacks. EventLog Analyzer's enhanced correlation includes 25 predefined rules that help you detect ransomware, brute force attacks, worm activity, and much more. Our free security attack handbook explains just how you can detect and mitigate these attacks on your network. Open the free handbook This handbook gives you information on: The importance of log correlation EventLog Analyzer's correlation
MSP Implementation
Dear Support, we are evaluating EventLog Analyzer as an MSSP for our customers. Is there some kind of special/different licensing for this purpose or not? Thanks and regards, M.
Syslog TCP support
Does ELA support TCP connection for syslog records? If so how is it configured?
Microsoft Exchange Logging
Dear Support, can I have some kind of monitoring/reporting of Microsoft Exchange with EventLog Analyzer? Thanks and regards, M.
GDPR Compliance
Dear Support, can we achieve (partially or totally) GDPR compliance by using EventLog Analyzer, or do we need to use an additional tool like FileAudit Plus? Thanks and regards, M.
Free Webinar: Implement ASD's mitigation strategies with auditing and identity management tools
Security threats can stem from many fronts, from both external as well as internal actors. The Australian Signals Directorate (ASD) has prescribed security controls for businesses to adopt. This will help you identify the technology that is lacking in your enterprise and chart out a clear cut security strategy. Join us for our free webinar to learn how our suite of real-time auditing and identity management tools can help you implement some of these strategies to ensure you can thwart security threats
Upgrade from Event Log Analyzer version 9 to 11
Hi, is it possible to upgrade directly from Event Log Analyzer version 9 to version 11 without data loss?