How to disable auto-detect?
How do I make it so EventLog Analyzer does not auto-add my firewall syslog? I have a standalone program that gathers the syslog for my firewall on port 514. When I launch EventLog Analyzer, it automatically adds my firewall as a Host. This is causing my other program to stop collecting the syslog files. Is there a way to disable the auto-add host?
Windows NT 4 Domain not collecting data
1.) I am running the 4020 build of the software.
2.) WMI is installed and working on the domain controllers.
3.) EventLog Analyzer has them both at a green status.
4.) I manually scanned multiple times with no success.
5.) I have deleted the servers and re-added them. I verified the login on both and it is successful, but still no logs.
6.) The NT 4.0 servers show a login success audit entry in the Security Log when EventLog Analyzer tries to connect.
I am at a loss as to why this is not working. All
User Login and Logout report
Dear Support, I tried both EventLog Analyzer and Desktop Central to get a report on the user login and logout time, but no luck. We have Windows 2000 Server and many workstations running Win 2K Prof. Which of your products can show the actual login and logout report (not domain login, workstation login)? Please suggest.
bug in generating reports?
Hello, I believe there is a small bug in the custom report generation page. When I select the Unix group and then try to generate the report just for a subset of syslog messages (like crit, err, warn), the result contains lots of records that are blank; please see the picture in the attachment. This slows down the creation of the report and also makes it very difficult to read.
Event Logs
Started to look at the Event Log Analyzer and like the SOX reports from the security log. Why does it not import the app / system logs by default? I have tried to import, and the Windows .evt type did not import. Thanks, Trevor
Cisco Routers and Switches Syslog Analysis
Folks, hope you are aware that EventLog Analyzer can also collect syslogs from Cisco Devices (Routers and Switches), over and above its capability for collecting Windows Event Logs and Unix/Linux syslogs. EventLog Analyzer by default listens on port 513 for syslog messages, whereas the Cisco Devices by default would be sending their syslogs to port 514. So in order to receive these Cisco Device logs, EventLog Analyzer provides you with a facility for adding a virtual syslog server which listens to
Will not collect Windows NT 4.0 Logs
1) I installed WMI according to your EventLog Analyzer instructions, and it says it's running fine on both NT 4.0 servers.
2) EventLog Analyzer has them both at a green status.
3) I manually scanned multiple times with no success.
4) I have deleted the servers and re-added them. I verified the login on both and it is successful, but still no logs.
5) The NT 4.0 servers show a login success audit entry in the Security Log when EventLog Analyzer tries to connect.
6) I restarted the WMI service on both NT
Compatibility ELA and Snare
I am evaluating EventLog Analyzer in our environment. I have the Snare agent installed on Windows and I have verified it is sending syslog messages on UDP 514 to the EventLog Analyzer (by sniffing via Ethereal on the client). However, it is not showing up as a host on the EventLog Analyzer. Do I have to manually add the Windows host? I would rather not do that, to avoid setting up administrative access from the ELA server for security reasons. In short, is ELA compatible with the Snare agent? Snare agent is sending
Evt Importing in ELA
Hi, ManageEngine EventLog Analyzer has obliged many of our customers who requested us to provide a facility to import their already collected Windows event log files (in .evt format) and analyze and provide reports on them. This will be useful to those who want to look at their:
* Older Windows logs
* Log files saved for forensic purposes
* Searching for a random event
* Logs from busy/high-performing servers and
* Logs from machines connected through low bandwidth/across firewalls
* Logs from machines
Unable to run EventLog Analyzer
I'm having a fairly difficult time getting Analyzer to run. I downloaded a previous version, which would eventually crash after ~5 minutes of boot, inserting the following error into the event log:
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 11/21/2006
Time: 9:11:48 AM
User: N/A
Description: Faulting application mysqld-nt.exe, version 0.0.0.0, faulting module mysqld-nt.exe, version 0.0.0.0, fault address 0x0018eca2.
I noticed that a newer version was
Properties for COM Internet Services
Hi All, before I started using EventLog Analyzer, I secured some AD traffic by restricting the Port Range of 'Connection-oriented TCP/IP' > 'Properties for COM Internet Services' to 50004-50100. I cannot add these AD Controllers to EventLog Analyzer. I can, however, add any host on which I have not restricted the ports. Is there a way to get EventLog Analyzer to talk to my 'secured' hosts? Thanks, Patrick :D
Eventlog Reports
First ... thank you for pulling out the 'default' information that was being included in the custom reports! It makes these reports better. However, the reports still have formatting problems with a lot of white space. Is there any way to clean out the blank spaces? Is there any way to generate a report in a format other than PDF? If not, please consider allowing the ability to generate reports in a format other than PDF (doc, xls or even txt would be good). That way it could be formatted based on
Logon Failures not showing up but SOX report being sent out
I am evaluating the ELA4 product (build 4020) and have found a couple of issues.
1) When creating a Database Filter, if one selects the checkbox to process a specific Event ID only and enters the Event ID into the supplied text box, the Event ID is *not* saved when saving the filter. One has to edit each filter individually, re-enter the Event ID or IDs and then save the filter again.
2) During testing of Account Logon Failures, I noticed that the failures do not show up anywhere in the interface
Log Filtering
I am currently evaluating ELA for our institution but continue to have several questions. When using the GLBA reports for user login and logoff, I am getting information not related to actual users. The report displays all users that have logged in and logged off, but also displays computers/servers that have logged in/out of the network. Does ELA currently have any way to filter data? Example: what if I want my report to display users, not computers, that have logged in/out? Thank you,
Saved evt files
Hi, we currently use another method to archive the event logs off the workstations. They are compressed and archived away. This tool looks like something we can use; however, is it possible to analyse those .evt files and not the host? One other thing: we create our own Windows Event audit log; is it possible to include that in the analysis? Looking forward to hearing from you all. Cheers, Kev
Permissions
Hi there, it appears that when you create an additional "Operator" user in EventLog Analyzer, they can still access the Database Console feature even though it's meant to be disabled for all except an Admin. See pic attached. Also, I'd argue that an Operator should not be able to change mail server settings, yet they can do so. Is that meant to be? Regards, Lee
ManageEngine EventLog Analyzer SP 2 (Build 4020) Released!
We are happy to announce the availability of ManageEngine EventLog Analyzer Service Pack 2 (Build 4020). The new release enhances the log forensic capabilities of EventLog Analyzer, empowers Network Administrators to import Windows event logs and generate instant reports, and supports enhanced reports for SOX Compliance and Cisco Devices. To get the complete build (4020), follow the URL below. http://manageengine.adventnet.com/products/eventlog/download.html Customers using earlier builds of EventLog
GLBA Compliance Reports are different after SP2 install
The GLBA compliance reports have fewer items after the SP2 upgrade. The following are missing:
- Object access
- System events
- Host session data
- Successful user account validation
- Unsuccessful user account validation
Is this by design, or is there a way to make these items appear under GLBA Reports again? Thanks, Bill
Change Name in header Eventlog Webpages
Hello, is it possible to change the name in the header of the Eventlog web pages? We have two servers running Eventlog and want to see the difference in the header. Regards, Marck www.ccv.nl
Advanced text filtering in Alert profile
To monitor link errors in EventLog Analyzer, we currently have configured an alert profile which is triggered on text (log message contains): "%LINK-3-UPDOWN: Interface Serial". The problem is that both link up and link down messages hit this alert. We would like to specify a link up message in a different profile than a link down message. Also, the serial interface is specified in the syslog message (e.g. Serial0/0 or Serial 0/1 or Serial 1/3 etc.), which makes every syslog message unique. To solve this
General question and RDP
I have a strange question. Does that DOS window have to be open for EventLog Analyzer to work (when you start it from the start menu)? What is the service for? It seems to work even if the service is not running. This is all very confusing to me; can someone please clear this up for me? Also, when I start the EventLog Analyzer server from an RDP session, the system tray icon does not show up and there is an error on the console (not the RDP session) that says: Windows script host script: c:\adventnet\me\eventlog\bin\configureodbc.vbs
Domain Users and File Access
I have just installed EventLog Analyzer 4 and installed the latest hotfix to make it build 4011. I am monitoring two domain controllers and another server that has miscellaneous services running on it. It has been two days of monitoring. I have two immediate concerns:
1. Domain user logon/logoffs do not seem to be recorded anywhere in EventLog Analyzer.
2. I do not seem to see anywhere to set up monitoring of successful or failed file or object access.
Thank you so much for your time and help.
Running Eventlog + Firewall Analyzer As Non root
How is it possible to run Eventlog + Firewall Analyzer as a non-root user? Marck www.ccv.nl
Running Event Log Analyzer as a Service in SUSE Linux 10.1
When EventLog Analyzer is installed and set to run as a service in SUSE Linux 10.1, you will find that EventLog does NOT automatically run as a service at boot time, nor is it started correctly at the end of the installation. There is a problem with the way SUSE Linux treats EventLog as a service: it is not able to establish a correct run level. Rather than executing the shell script run every time you reboot, it is easier to correct the service by assigning it a run level. Eventlog is
Question about security event (lsass.exe)
I have multiple computers and print workstations networked together, and recently I've been seeing multiple counts under the failure heading:
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process Identifier: 808
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port Number: 2320
Allowed: No
User notified: No
I get lots of those events happening every 10 minutes or
Keep original hostnames in syslog messages via Syslog-ng evt
We want to send syslog messages to syslog-ng on 514; there we have configured two filters to send all messages to Eventlog, and the firewall messages need to go to Firewall. But we see the original hostnames are gone and all messages are received with the same hostname (the hostname of the syslog-ng server). We already configured keep_hostnames in syslog-ng. Syslog-ng is running on port 514, Eventlog is running on port 2514, Firewall is running on port 1514. Marck
Devices >> Syslog Ng (514)>> Eventlog + Firewall
Hello, I am Marck Burgers, Sysadmin at CCV Holland. We have bought tools for logging eventlog + firewall log. We want to use syslog-ng as a frontend on UDP port 514 and want to distribute the records via filters in syslog-ng to both applications listening on the following ports: Eventlog on 50000, Firewall log on 50001. Is this possible? If yes, how? Regards, Marck CCV www.ccv.nl
Eventlog Analyzer + Firewall Analyzer on Suse SLES 10
Hello, today we discovered that Eventlog Analyzer + Firewall Analyzer together on SUSE SLES 10 is not working. Is this a known issue? We are now testing on SUSE 10.1 Professional. Please advise, Marck www.ccv.nl
custom eventlogs
I am currently doing my first steps with the analyzer, but cannot see a way to analyze custom event logs. I have several applications that don't make use of the Application log, but have created their own custom event log. I have to analyze these in order to make performance statistics. Is there any way to manage it using the analyzer? Thanks for comments, Matze
Windows path slashes not escaped
Unfortunately, EventLog Analyzer does not know to escape the slashes used by Windows for its paths. I think it is important that a hotfix be produced to address this bug, because it could have security implications for the computer that runs the EventLog Analyzer and/or the client viewing the data.
Feature Request: AD Integration for user accounts
Hi there, thanks for a great product. I have a feature request for your next version: when creating accounts to allow access to EventLog Analyzer, it would be extremely helpful to use LDAP accounts instead of local accounts for access. Another option would be to pass authentication through to Active Directory, or whatever LDAP backend a site is using. Our site has been driving the concept of single sign-on, and it is a pity that such a good application as yours cannot support this. Best Regards,
Build 4020
Hi there - do you know when build 4020 of EventLog Analyzer will be released? Of all things, I think being able to rename devices is quite important, so I'm looking forward to that feature being available!
How to customize the front page of a report
Hello, I am testing the Event Log Analyzer from AdventNet to see whether it is suitable for my company (a bank). I would like to know if there is any method to customize the front page of a report. Now, every time I generate the report in PDF format, the front page is always associated with the big Adventure logo. Can I have my bank's logo and any customised title on it instead? Thanks, Lee
no logon events from RHEL4 host
I have just installed EventLog Analyzer on RHEL4 and configured several RHEL4 hosts to send syslog messages to it. Everything looks fine, but no logon events are detected in any report type; when I open all events from a host, I find some events with the Auth facility (auth through pam_unix, when connecting to sshd). Which login types can EventLog Analyzer detect?
No data available
Hi, we have an issue with our EventLog Analyzer. None of the servers are mentioned under active hosts and there is no event log data available. If I want to show the last 10 events of a random server, I get the error below. Could someone please look into this? We are monitoring about 79 servers with this program. Kind regards, Rolf
HTTP Status 500 -
--------------------------------------------------------------------------------
type Exception report
message
description The server encountered
API Report
I think your product can get a big burst if you provide an API that allows users to build their own reports, and if you provide a way to add these report templates to the list of reports that can be used for report generation.
Getting eventlog from localhost (W2K3)
I'm testing Eventlog Analyzer at home (several W2K(3) systems, no domain, all in the same workgroup). I have the following problem: the analyzer collects events from all the systems, except the local system. When I run the WMI test tool I can connect to all the other systems, but when I try it on the local system (where EA runs) I get an error 0x80041064. When I look for this error on the MS site I get: "The user specified a username, password or authority for a local connection. The user must use
ODBC Support
Will ELA offer an ODBC output option in the near future? Is there a list of planned feature additions I can view online? Can the polling interval be changed for Windows hosts in ELA (how often it gathers events from Windows hosts)?
Custom Report
Is there a way to create a custom report that will look at a specific host and tell me how many times a specific phrase was found in an event log from a certain source?
Process number & cisco's log
Hello! I'm currently evaluating EventLog Analyzer and I'm trying to analyze logs from Cisco devices. When I go to Host -> Details and select my device, then go to All events, I see an unusable table with process values like error, warning etc., 12, 13, 14, 15 and many more, because Cisco sends log rows with a sequential event number, which EventLog treats as the process number. So my question is: can I reconfigure EventLog Analyzer to use another field from the Cisco logs as the process name? For instance, I would like