FAQs- Log Collection

1. How many devices can be audited in EventLog Analyzer?

Answer: The number of devices you can audit is determined by the license you procure; there is no upper limit on the license you can purchase. The log flow a single EventLog Analyzer instance can handle depends on the tested sizing factors and the hardware used. Refer to System Requirements to know more.

The Free edition of EventLog Analyzer is limited to 5 log sources and has feature limitations. Refer to EventLog Analyzer - Edition Comparison to know more.

2. Does EventLog Analyzer provide an option to whitelist source logs so that only whitelisted sources can send syslog to EventLog Analyzer?

Answer: EventLog Analyzer does not provide application-level restrictions for onboarding log sources. However, you can configure such restrictions at the OS level on the server where EventLog Analyzer is installed by limiting incoming traffic on the syslog listener ports. For detailed steps, please refer to your respective OS vendor’s documentation.

3. How is the device name determined during initial auto-addition once a syslog packet reaches EventLog Analyzer?

Answer:
The value you see in the user interface is the "Display name", which is initially the same as the device name. The display name can be changed as required using the Update device option.
The device name is identified automatically from the source information available in the syslog packet and from DNS resolution. There are two scenarios, each with two cases.

Scenario 1: The source information contains the hostname of the syslog device. EventLog Analyzer attempts to resolve it through DNS to obtain the IP address.

Case 1: The EventLog Analyzer server is able to resolve the hostname to an IP address using DNS.
The device is added with "Device name" set to the hostname and "IP address" set to the resolved IP address.

Case 2: The EventLog Analyzer server is unable to resolve the hostname to an IP address using DNS (because no DNS server is available or because of an internal DNS resolution issue).
The device is added with "Device name" set to the hostname and "IP address" set to the device name.

Scenario 2: The source information contains the IP address of the syslog device. EventLog Analyzer attempts to resolve it through DNS to obtain the hostname.

Case 1: The EventLog Analyzer server is able to resolve the IP address to a hostname using DNS.
The device is added with "Device name" set to the hostname and "IP address" set to the IP address.

Case 2: The EventLog Analyzer server is unable to resolve the IP address to a hostname using DNS.
The device is added with "Device name" set to the IP address and "IP address" set to the IP address.

4. Why is the Update Device option grayed out in EventLog Analyzer, preventing us from updating the device name?

Answer: The "Device name" value in the Update Device page is not editable. It is created while adding the device, based on DNS name resolution or by fetching the machine details locally (agent-based log collection), and is used only to associate the collected events and other metadata in the application database. If you would like a user-friendly name, update the "Display name" value instead.

5. How does EventLog Analyzer collect MSSQL logs?

Answer: EventLog Analyzer collects MSSQL logs in two ways:
  1. From the Event Viewer of the MSSQL server:
    1. When the MSSQL host server is added as a log source under the Windows category, EventLog Analyzer collects events such as DDL/DML operations and logons from the Event Viewer.
    2. You can configure the Monitoring interval as either Scheduled or Real-Time monitoring.
  2. From the SQL instance (Advanced Auditing):
    1. EventLog Analyzer queries the SQL instance to retrieve advanced auditing events.
    2. This includes detailed reports such as Column Modification Reports, Last Login Time Report, Schema Change History, and Object Change History.
    3. These events are collected once daily at 11:00 PM (EventLog Analyzer server time).

6. Does EventLog Analyzer support dynamic IP address or DHCP environment?

Answer: Yes. EventLog Analyzer supports log collection in DHCP environments using Domain Name System (DNS) resolution. Log collection from Windows, Syslog (Linux/Unix), and network devices such as firewalls, routers, or switches is mapped to the device's hostname as resolved through DNS. When an IP address changes dynamically, DNS ensures that the new IP is correctly mapped to the hostname, and the collected logs continue to be associated with the device name. EventLog Analyzer automatically refreshes the IP addresses at regular intervals, and you also have the option to perform a manual refresh if required.

For agent-based log collection, the agent automatically fetches the hostname and IP address of the machine it is installed on; for devices associated with an agent, the EventLog Analyzer log processing engine/server resolves the IP address to the hostname and vice versa.
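The naming rules from FAQ 3 and the DHCP re-resolution behaviour from FAQ 6, modelled as an added illustration (this is not EventLog Analyzer's own code). The DNS zone, hostnames and addresses are constructed for the example; a real deployment would ask the OS resolver.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the site's DNS zone (hostname -> IP); the real product asks the OS resolver.
DNS_BEFORE = {"fw01.corp.example": "10.0.0.5", "sw01.corp.example": "10.0.0.9"}

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def reverse(dns: Dict[str, str], ip: str) -> Optional[str]:
    """IP -> hostname (the PTR side); dns.get() is the forward side."""
    return next((h for h, a in dns.items() if a == ip), None)

@dataclass
class Device:
    device_name: str   # fixed at onboarding; keys the collected events (FAQ 4)
    ip_address: str    # refreshed when DNS changes (FAQ 6)
    display_name: str  # editable label shown in the UI (FAQ 3)

def auto_add(source: str, dns: Dict[str, str]) -> Device:
    """FAQ 3: derive the device record from the syslog packet's source field."""
    if is_ip(source):
        # Scenario 2: reverse lookup; Case 2 (unresolved) keeps the IP as the name.
        name = reverse(dns, source) or source
        return Device(name, source, name)
    # Scenario 1: forward lookup; Case 2 (unresolved) copies the hostname into IP address.
    return Device(source, dns.get(source) or source, source)

def refresh_ips(devices: Dict[str, Device], dns: Dict[str, str]) -> None:
    """FAQ 6: the periodic refresh re-resolves each device name; the name itself never changes."""
    for dev in devices.values():
        dev.ip_address = dns.get(dev.device_name, dev.ip_address)

def device_for_packet(src_ip: str, devices: Dict[str, Device], dns: Dict[str, str]) -> Optional[Device]:
    """Route an incoming syslog packet: reverse-resolve the sender, then key on device name."""
    return devices.get(reverse(dns, src_ip) or src_ip)

def demo() -> Dict[str, str]:
    """Onboard two devices, move fw01 to a new (constructed) DHCP lease, and check its logs still land on it."""
    devices = {d.device_name: d for d in (auto_add("fw01.corp.example", DNS_BEFORE), auto_add("10.0.0.9", DNS_BEFORE))}
    dns_after = {**DNS_BEFORE, "fw01.corp.example": "10.0.0.55"}
    refresh_ips(devices, dns_after)
    routed = device_for_packet("10.0.0.55", devices, dns_after)
    return {"fw01_ip": devices["fw01.corp.example"].ip_address, "routed_to": routed.device_name if routed else ""}

if __name__ == "__main__":
    print(demo())
```

Note that a device onboarded under Scenario 2 Case 2 keeps its IP as the device name, so a later IP change for such a device would onboard a new device rather than follow the old one; this is why forward and reverse DNS records matter in DHCP environments.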


7. Is there any way I can automatically add or remove devices in EventLog Analyzer by syncing with Active Directory?

Answer: From Build number 13000, EventLog Analyzer offers Auto allocation settings for Domain & Workgroup servers that can add devices automatically based on the defined Auto Allocation policy. You can configure a policy to automatically add devices from a specific Domain and OU, while also defining an upper limit (maximum device count, to be planned based on the license). Auto allocation depends heavily on the agent/log collector, as each log collector (local log collector and remote log collector) can auto allocate and associate up to 100 log sources. EventLog Analyzer does not offer an option to auto delete a device, since deleting a device removes all the configurations associated with it. When a device is removed or decommissioned in Active Directory, its status is flagged as Decommissioned in EventLog Analyzer and the consumed license is released.


8. Can we monitor Microsoft 365 in EventLog Analyzer?

Answer: From Build 13000, EventLog Analyzer is equipped with Microsoft 365 auditing that offers centralized visibility into user activities, administrative actions, and security events across Microsoft 365. It collects audit logs from services such as Microsoft Entra ID (formerly Azure Active Directory (Azure AD)), Exchange Online, SharePoint Online, M365 General (including Teams, OneDrive, and other M365 services), and Exchange MailTrace, consolidating them into a single platform for monitoring, analysis, and compliance. For more details, refer to Microsoft 365 Auditing.

9. I got a notification as "This is a 5 Devices/Applications Free Edition. You are currently managing [X] Devices/applications which is more than the permitted number, log collection will be temporarily suspended till you remove the additional devices.". How to resolve it?

Answer: When EventLog Analyzer is converted to the free edition, certain features such as Log import and the Application tabs cannot be accessed. If you have configured any such log file/application, you will not be able to access them, which could be the reason for receiving this notification.

Please refer to EventLog Analyzer - Edition Comparison to know the differences between editions.

To resolve this, you can request a trial extension license from this link; once you receive the license, apply it on the EventLog Analyzer instance. Verify/validate the number of log sources configured before the trial extension expires, and procure/renew the license to continue uninterrupted operation.

10. Does EventLog Analyzer support widely used syslog ports like TCP 514?

Answer: Yes. EventLog Analyzer offers predefined syslog listener ports: UDP 513, 514 and 162 (for SNMP traps), TCP 514, and TLS 513. You can configure any other port as per your requirement, provided the port is available and unused on the EventLog Analyzer/agent-installed server(s).

11. Can I view/investigate/audit events that occurred before adding the log source in EventLog Analyzer/Log360 or before deploying EventLog Analyzer/Log360?

Answer: Yes, you can audit events that occurred before adding the log source in EventLog Analyzer/Log360 or before deploying EventLog Analyzer/Log360 if the events are still available to you, in the following ways:
Windows OS: While onboarding the device, if the events are still available in Event Viewer.
Windows OS: If the Event Viewer logs are retained as EVT archives.
Other log sources: If the events are recorded and available as plain text files, the logs can be imported into the application using the Log import feature.

Refer to the following documents to know more.

12. Can I audit an MSSQL instance hosted on a Linux/Unix OS?

Answer: No, EventLog Analyzer offers auditing capabilities only for MSSQL hosted on Windows OS. The standard logs are collected from Event Viewer using WMI queries, and Advanced Auditing events are fetched directly using JDBC (Java Database Connectivity), which is not supported for Linux OS. You can consider performing custom onboarding of the log source in this case.