Understanding your log management solution | Online help - EventLog Analyzer

Understanding your log management solution


Key log terminologies


When managing logs, knowing a few key terms will help you make the most of the product. The following is a list of such terms and their definitions as used in EventLog Analyzer.
 

Agentless and agent-based log collection

Agent-based collection: The agent-based collection method is used to collect logs from demilitarized zones (DMZs) or from critical resources in the network that don't support direct log ingestion. It is also the preferred method for critical resources whose performance must not be affected. EventLog Analyzer's agents reduce the volume of log data sent, and the bandwidth and resources consumed, by pre-processing and compressing it before sending it to the server. Agents also secure the transport of log data to the EventLog Analyzer server by using HTTPS and TCP for log transmission; data in transit is protected with encryption algorithms such as AES and RSA and with a SHA256 integrity checksum.

Agentless collection: In this method, log data is ingested directly from Windows, Linux/Unix, other syslog devices, and applications. EventLog Analyzer's built-in log collection module fetches log data from the sources directly. You can use the solution's automatic log source discovery feature to detect devices in the network and then provide the appropriate administrator credentials to start collecting logs. For Windows environments, logs are ingested using the WMI, DCOM, and RPC protocols. Read more about agentless collection here.
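The agent-side pipeline described above (pre-process, compress, attach an integrity checksum, verify on the server) can be sketched in a few functions. The following is an added example written for this page, not EventLog Analyzer's own agent code: the batch layout (`count`, `sha256`, `payload`), the function names, and the sample log lines are all constructed for illustration.

```python
import gzip
import hashlib

# Constructed sample log lines, standing in for what an agent reads from a
# host's event log. They are not real EventLog Analyzer data.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 50122 ssh2",
    "2024-05-01T10:00:07Z host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "2024-05-01T10:00:09Z host1 kernel: [12345.678] eth0: link up",
]


def build_batch(lines):
    """Agent side (hypothetical): pre-process the lines (trim, drop empties),
    gzip the batch and attach a SHA-256 checksum of the compressed bytes so the
    receiver can detect corruption before it unpacks anything."""
    cleaned = [ln.strip() for ln in lines if ln.strip()]
    raw = "\n".join(cleaned).encode("utf-8")
    compressed = gzip.compress(raw)
    return {
        "count": len(cleaned),
        "sha256": hashlib.sha256(compressed).hexdigest(),
        "payload": compressed,
    }


def receive_batch(batch):
    """Server side (hypothetical): recompute the checksum over what actually
    arrived and reject the batch on mismatch; otherwise decompress and return
    the individual log lines."""
    actual = hashlib.sha256(batch["payload"]).hexdigest()
    if actual != batch["sha256"]:
        raise ValueError("integrity check failed: batch rejected")
    text = gzip.decompress(batch["payload"]).decode("utf-8")
    lines = text.split("\n") if text else []
    if len(lines) != batch["count"]:
        raise ValueError("line count mismatch: batch rejected")
    return lines


def tamper(batch):
    """Constructed test helper: flip one byte of the payload, simulating
    corruption or modification in transit."""
    payload = bytearray(batch["payload"])
    payload[-1] ^= 0xFF
    return {**batch, "payload": bytes(payload)}


if __name__ == "__main__":
    batch = build_batch(SAMPLE_LOGS)
    print(f"{batch['count']} lines, {len(batch['payload'])} bytes compressed, sha256={batch['sha256'][:16]}...")
    for line in receive_batch(batch):
        print("OK  ", line)
    try:
        receive_batch(tamper(batch))
    except ValueError as exc:
        print("REJECTED:", exc)
```

The checksum here detects corruption and accidental modification; because it travels alongside the payload, it does not by itself stop an active attacker who can rewrite both. That is why the transport itself (HTTPS, as the page describes) carries the confidentiality and authenticity guarantees, and the checksum is an additional integrity check on the batch.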

Log correlation

 
The correlation engine analyzes relationships between network activities using predefined or custom rules to provide visibility into the network. EventLog Analyzer includes over 70 predefined rules based on indicators of compromise and lets you configure custom rules to detect complex patterns in the collected logs. Whenever the tool observes a deviation, you receive real-time alerts on the events.
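To make the idea of a correlation rule concrete, here is an added example (written for this page; it is not one of EventLog Analyzer's predefined rules and does not use its rule syntax). It implements one common pattern, a run of failed logons for a user from one source followed by a successful logon from the same source within a short window, over constructed syslog-style lines. The regular expression, threshold and window are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines; not real EventLog Analyzer output.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host1 sshd[1201]: Failed password for bob from 203.0.113.9 port 50122 ssh2
2024-05-01T10:00:04Z host1 sshd[1201]: Failed password for bob from 203.0.113.9 port 50123 ssh2
2024-05-01T10:00:06Z host1 sshd[1201]: Failed password for bob from 203.0.113.9 port 50124 ssh2
2024-05-01T10:00:15Z host1 sshd[1201]: Accepted password for bob from 203.0.113.9 port 50125 ssh2
2024-05-01T10:05:00Z host1 sshd[1300]: Failed password for alice from 10.0.0.5 port 40000 ssh2
2024-05-01T10:05:30Z host1 sshd[1300]: Accepted password for alice from 10.0.0.5 port 40001 ssh2
"""

# Only logon outcome lines matter to this rule; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(text):
    """Turn raw lines into event dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def brute_force_then_success(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule (hypothetical): raise an alert when a successful logon
    for (user, source) is preceded by at least `threshold` failed logons for
    the same pair inside `window`. Each success resets that pair's history."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed logons
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "user": ev["user"],
                "src": ev["src"],
                "failures": len(recent),
                "success_at": ev["ts"].isoformat(),
            })
        failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in brute_force_then_success(parse(SAMPLE_LOGS)):
        print(alert)
```

Running it on the sample produces one alert for `bob` (three failures within 14 seconds of the success) and none for `alice`, whose single failure is below the threshold. A production rule engine adds what this sketch leaves out: pruning old failure timestamps so memory stays bounded, and correlating across hosts rather than within one file.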
 

Log forensic analysis


Log forensic analysis is the process of investigating and analyzing log data to identify the specific details of an attack. It aims to find the entry point, the time, and the extent of the damage caused in the network by recreating the crime scene. It also helps identify the attack pattern and the data affected by the attack.

File integrity monitoring

 
File integrity monitoring provides details of changes or modifications to a file or folder and identifies the user responsible for the action. EventLog Analyzer monitors files and tracks changes in real time so that any suspicious activity is noted instantly. You can configure the tool to send instant alerts when sensitive files are accessed by unauthorized users.
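The core of file integrity monitoring is comparing the current state of a directory tree against a trusted baseline. The following is an added example written for this page, not EventLog Analyzer's implementation (which works in real time and attributes changes to a user). It takes a baseline of SHA-256 digests, sizes and permission bits, then reports files that were added, deleted, modified or had their permissions changed; the directory layout and file contents are constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline of a tree: relative POSIX path -> (sha256, size, permission bits)
    for every regular file under root."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            state[p.relative_to(root).as_posix()] = (file_digest(p), st.st_size, st.st_mode & 0o777)
    return state


def compare(baseline, current):
    """Return (event, path) tuples describing how `current` differs from `baseline`."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append(("added", path))
        elif path not in current:
            events.append(("deleted", path))
        else:
            b_digest, _, b_mode = baseline[path]
            c_digest, _, c_mode = current[path]
            if b_digest != c_digest:
                events.append(("modified", path))
            if b_mode != c_mode:
                events.append(("permissions_changed", path))
    return events


def demo():
    """Constructed scenario: take a baseline, then change the tree in four
    different ways and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "motd").write_text("welcome\n")
        (etc / "motd").chmod(0o644)
        baseline = snapshot(d)

        # A new account line, a removed file, a new file, and a permission change.
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        (etc / "hosts").unlink()
        (etc / "shadow.bak").write_text("copy\n")
        (etc / "motd").chmod(0o666)
        return compare(baseline, snapshot(d))


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:20s} {path}")
```

A scheduled scan like this catches what changed but not who changed it; attributing a change to a user requires the operating system's own file access audit events, which is what a log management product collects alongside the content comparison. The digest catches content changes that a size-only check would miss, such as an edit that keeps the byte count the same.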

Privileged user monitoring


Enterprise data, irrespective of multi-level security, is vulnerable to internal as well as external threats. EventLog Analyzer gives you the details you need to drill down and investigate object and user access. Privileged user monitoring tracks suspicious behavior by users with high-level access within the network. It helps determine who performed a given operation, what the result was, and where it was performed from.

Quick screen tour

Let's take a quick screen tour to understand EventLog Analyzer better. 

  1. Intuitive dashboards

Visualize log data with a customizable dashboard that displays the stats most relevant to your organization. The dashboard features three different tabs, which provide an overview of events, network, and security.

  2. Extensive reports

EventLog Analyzer provides more than 1,000 prebuilt report templates with the option to generate custom reports. You can schedule reports to be generated and emailed periodically, and mark particular reports as favorites.

  3. Out-of-the-box compliance management

Security regulations require organizations to maintain audit reports and submit them regularly for audits. EventLog Analyzer offers predefined reports for prevalent IT regulations, including FISMA, PCI-DSS, SOX, HIPAA, GLBA, ISO 27001:2013, GPG, GDPR, NRC, Cyber Essentials, COCO, NERC, FERPA, and NIST. Read more about EventLog Analyzer's compliance reports here.

  4. Flexible search

A flexible search module is an important part of a log management tool, as it facilitates easy retrieval of relevant logs during an investigation. EventLog Analyzer has basic and advanced search options.

  5. Powerful correlations

The correlation feature in EventLog Analyzer enables you to detect complex patterns of security incidents advancing across the network. The tool provides incident and session activity reports. You can build new rules and enable or disable existing correlation rules.

  6. Critical alert profiles

EventLog Analyzer tracks security events to help thwart harmful actions in the network. It sends prompt notifications via SMS and email when suspicious activities take place. You can create an alert profile, integrate ticketing tools, and build an incident response and management system to streamline security incident management.

Take a look at the detailed screen tour of EventLog Analyzer here.  
