Out-of-the-box Reports - USB Device Plugged In
I've finished evaluating ELA and we recently purchased the product. Today I built the production server that will be our main log collector, and I'm starting to set up my own PC again in terms of being analyzed.
One of the requirements we had was that the custom reports for USB devices work. During my evaluation phase, I actually spent a good deal of time on the phone with support while they assisted in getting this working properly for me. Sadly, now that I've "started from scratch" again, this doesn't seem to work.
I may end up calling support again, but I'm hoping either someone else has gone through this (and thus we can document and preserve those steps here) or that simply a solution will be found that ultimately CAN be documented here.
So let me first start by saying the production environment is a fresh installation. The only thing at this point I've customized is that I have AD-based authentication and I've pushed the agent to my PC for auditing. I'm using group policy to enable global object auditing, and in ELA I've created a new File Monitoring template to check C:\ (our requirement is to do this and keep it for 7 days).
Starting with the User Guide, at this location:
http://help.eventloganalyzer.com/configuring-out-of-the-box-reports
While not completely clear, I do remember going through this with the support person a couple of weeks back. Under HKLM\SYSTEM\CurrentControlSet\Services\EventLog I create a number of empty keys such that the new structure looks like this:
HKLM\SYSTEM\CurrentcontrolSet\Services\EventLog\Microsoft\Windows\DriverFrameworks\UserMode/Operational
When I open the event log I can drill down to find "DriverFrameworks-UserMode" and when expanded I see an "Operational" log. I need to right click and "Enable Log" in order for it to start recording entries. Which I've done.
After plugging in a USB stick, I see this log, in the Windows Event Log Viewer, fill up with entries. So I know that part is working.
In ELA, however, there are no entries.
Somewhere, something is not talking quite right. My client PC is Windows 10 Enterprise.