GFI Software/GFI EventsManager

GFI EventsManager is a results-oriented event log management solution that integrates into any existing IT infrastructure, automating and simplifying the tasks involved in network-wide event management.

http://www.gfi.com

GFI EventsManager 2010 Online documentation


The aim of this book is to provide access to important information that can help users make the best use of GFI EventsManager. Wikibookians are therefore encouraged to update this content and/or send feedback, ideas and comments on how this documentation can be further improved via the wiki discussion board, GFI Forums, or by sending an email to documentation@gfi.com.

All feedback is welcome! Please contribute your topics with the above principles in mind.

Introduction


The enormous volume of system events generated daily is of growing importance to organizations that must retain records for forensic purposes and to satisfy the ever-growing reach of regulatory compliance. Increased threats to business continuity call for an approach that includes real-time monitoring of the network; you also need the ability to analyze and report on event data in order to address incidents and security concerns.

GFI EventsManager helps you meet legal and regulatory compliance including SOX, PCI DSS, Code of Connection and HIPAA. This award-winning solution automatically processes and archives logs, collecting the information you need to know about the most important events occurring in your network. It supports a wide range of event types such as W3C, Windows events, Syslog, SQL Server audit logs and SNMP traps generated by devices such as firewalls, routers and sensors as well as by custom devices.

How does GFI EventsManager work?

Stage 1 - Event Collection

During the Event Collection stage, GFI EventsManager collects logs from specific event sources. This is achieved through the use of two event collection engines: the Event Retrieval Engine and the Event Receiving Engine.

The Event Retrieval Engine - The Event Retrieval Engine is used to collect Windows Event Logs and W3C logs from networked event sources. During the Event Collection process this engine will:

  1. Log-on to the event source(s)
  2. Collect events from the source(s)
  3. Send collected events to the GFI EventsManager Server
  4. Log-off from the event source(s).

The Event Retrieval Engine collects events at specific time intervals. The event collection interval is configurable from the GFI EventsManager management console.

The Event Receiving Engine - The Event Receiving Engine acts as a Syslog and an SNMP Trap server; it listens for and collects the Syslog and SNMP Trap messages sent to it by various sources on the network. As opposed to the Event Retrieval Engine, the Event Receiving Engine receives messages directly from the event source, so it does not need to log on to the event sources remotely in order to collect events. In addition, Syslog and SNMP Trap messages arrive in real time, so no collection intervals need to be configured for them.

By default, the Event Receiving Engine listens to Syslog messages on port 514 and to SNMP Trap messages on port 162. Both port settings are however customizable via the GFI EventsManager management console.

 
Stage 2 - Event Processing

During this stage, GFI EventsManager will run a set of Event Processing Rules against collected events. Event Processing rules are instructions that:

  • Analyze the collected logs and classify processed events as Critical, High, Medium, Low or Noise (unwanted or repeated events)
  • Filter events that match specific conditions
  • Trigger email, SMS and network alerts on key events
  • Trigger remediation actions such as the execution of executable files or scripts on key events
  • Optionally archive collected events in the database backend.

GFI EventsManager can be configured to archive events without running Event Processing rules. In such cases, even though no rules are applied to the collected logs, archiving is still handled by the Event Processing stage. After processing the rules, GFI EventsManager can be configured to store the collected events in a storage folder; the administrator configures the path of the storage folder and which events are stored there. This reduces database growth by letting the administrator keep only the important events in the database.
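The two stages described above, as an added example that is not part of the GFI documentation or of the product's own code: Stage 1 decodes a handful of constructed BSD syslog (RFC 3164) datagrams the way the Event Receiving Engine would after reading them from the syslog port, and Stage 2 runs a small rule set over the decoded events that classifies each one as Critical, High, Medium, Low or Noise (a Low event repeated beyond a threshold), collects the alert actions to trigger, and returns only the non-Noise events for archiving. The rule set, the noise threshold of three repeats, and every sample message are assumptions made for the example, not GFI's built-in rules.

```python
import re
from collections import Counter

# RFC 3164 severity names; PRI = facility * 8 + severity.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                        # PRI
    r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "      # TIMESTAMP
    r"(?P<host>\S+) "                             # HOSTNAME
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "  # TAG[pid]:
    r"(?P<msg>.*)$"                               # CONTENT
)

def parse_syslog(line):
    """Stage 1 (receiving engine): decode one syslog datagram into an event.
    Returns None for input that is not a well-formed BSD syslog message."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0..23 and severity 0..7 only
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "host": m.group("host"),
        "tag": m.group("tag"),
        "message": m.group("msg"),
    }

# Stage 2: processing rules, evaluated top to bottom; the first match wins.
# Each entry: (rule name, condition, classification, alert/remediation actions).
# These are example rules, not the product's built-in rule set.
RULES = [
    ("root auth failure",
     lambda e: e["tag"] == "sshd" and "Failed password for root" in e["message"],
     "Critical", ["email", "sms"]),
    ("auth failure",
     lambda e: e["tag"] == "sshd" and "Failed password" in e["message"],
     "High", ["email"]),
    ("error or worse", lambda e: e["severity"] <= 3, "Medium", []),
    ("catch-all", lambda e: True, "Low", []),
]
NOISE_THRESHOLD = 3   # assumption: a Low event repeated more than this becomes Noise

def classify(event, rules=RULES):
    for name, cond, cls, actions in rules:
        if cond(event):
            return name, cls, list(actions)
    return "unmatched", "Low", []

def process(events, rules=RULES, noise_threshold=NOISE_THRESHOLD):
    """Classify events, demote repeated Low events to Noise, gather the alert
    actions to trigger, and keep only non-Noise events for archiving."""
    repeats = Counter()
    processed, alerts, archived = [], [], []
    for e in events:
        name, cls, actions = classify(e, rules)
        key = (e["host"], e["tag"], e["message"])
        repeats[key] += 1
        # Only routine events are demoted: repeats of High/Critical events
        # (for example a password-guessing run) must stay visible.
        if cls == "Low" and repeats[key] > noise_threshold:
            cls, actions = "Noise", []
        record = dict(e, rule=name, classification=cls)
        processed.append(record)
        for action in actions:
            alerts.append((action, cls, e["host"], e["message"]))
        if cls != "Noise":
            archived.append(record)
    return {"processed": processed, "alerts": alerts, "archived": archived}

def run_pipeline(lines):
    """Stage 1 then Stage 2 over raw datagrams; malformed input is counted, not stored."""
    events = [ev for ev in (parse_syslog(line) for line in lines) if ev is not None]
    result = process(events)
    result["malformed"] = len(lines) - len(events)
    return result

# Constructed sample datagrams for the example (not captured traffic).
SAMPLE_LINES = [
    "<38>Jan 12 10:01:02 fw01 sshd[2011]: Accepted password for ops from 10.0.0.5 port 51234 ssh2",
    "<38>Jan 12 10:01:05 fw01 sshd[2012]: Failed password for root from 203.0.113.9 port 4022 ssh2",
    "<38>Jan 12 10:01:06 fw01 sshd[2013]: Failed password for admin from 203.0.113.9 port 4023 ssh2",
    "<27>Jan 12 10:02:00 db01 mysqld[500]: Disk I/O error on /var/lib/mysql",
    "<30>Jan 12 10:02:01 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "<30>Jan 12 10:02:02 web01 cron[78]: (root) CMD (run-parts /etc/cron.hourly)",
    "<30>Jan 12 10:02:03 web01 cron[79]: (root) CMD (run-parts /etc/cron.hourly)",
    "<30>Jan 12 10:02:04 web01 cron[80]: (root) CMD (run-parts /etc/cron.hourly)",
    "not a syslog datagram at all",
    "<200>Jan 12 10:02:05 web01 cron[81]: PRI out of range",
]

if __name__ == "__main__":
    out = run_pipeline(SAMPLE_LINES)
    for r in out["processed"]:
        print(f"{r['classification']:<8} {r['host']:<6} {r['severity_name']:<7} {r['message']}")
    print("alerts:", out["alerts"])
    print("archived:", len(out["archived"]), "malformed:", out["malformed"])
```

Running the block prints one line per decoded event; the fourth identical cron message from web01 is the only one classified as Noise and therefore the only one left out of the archive, while both sshd failures raise alerts (the root attempt twice, by email and SMS). The PRI bounds check and the malformed-line count matter in practice because a receiving engine has no session with the sender: anything that can reach the syslog port can send it arbitrary bytes.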

For more information, refer to the How does GFI EventsManager work? section above.

Manual for GFI EventsManager 2010


The aim of the GFI EventsManager Manual is to help you install, use and configure GFI EventsManager. It describes:

  • How to install GFI EventsManager.
  • How to browse collected events.
  • How to generate reports.
  • How to configure and manage event sources.
  • How to configure and use event processing rules.
  • How to manage rule-sets.
  • How to customize alerts and actions.
  • How to configure users and groups.
  • How to monitor GFI EventsManager status.
  • Troubleshooting information on common issues.

The following links enable you to browse the GFI EventsManager manual.

Chapter 1: Provides an overview of this manual and how GFI EventsManager works.

Chapter 2: How to install GFI EventsManager, including system requirements, pre-install actions required and how to upgrade from previous versions.

Chapter 3: How to configure GFI EventsManager for first time use, including how to configure the database backend and how to process event logs for the first time.

Chapter 4: How to use the built-in events browser to analyze events stored in the GFI EventsManager database backend.

Chapter 5: How to enable the GFI EventsManager ReportPack to create reports that further analyze the events stored in the GFI EventsManager database backend. In addition describes how to configure a user to receive GFI EventsManager Daily Digest email.

Chapter 6: How to customize the event sources to be monitored.

Chapter 7: How to use event processing rules.

Chapter 8: How to create, edit and delete event processing rules.

Chapter 9: How to set the alerts and actions that will be triggered on particular events.

Chapter 10: How to configure alert recipient parameters, including personal details, normal working hours and the alerts that will be sent to each recipient.

Chapter 11: How to analyze the status of GFI EventsManager as well as view statistical information and processed events.

Chapter 12: How to centralize events collected by other remote GFI EventsManager instances and how to optimize database backend performance.

Chapter 13: Miscellaneous options such as permissions, command line operations and licensing.

Chapter 14: Explains what main sources of information are available to help administrators troubleshoot product issues.

Chapter 15: Technical terms used within GFI EventsManager.

Troubleshooting


This section explains how you should go about resolving issues that you might encounter while using GFI EventsManager. The main sources of information available are:

  • The manual - most issues can be solved by reading the GFI EventsManager manual.
    Download product manuals from www.gfi.com
  • GFI Knowledge Base articles
    GFI maintains a Knowledge Base, which includes answers to the most common problems. If you have a problem, please consult the Knowledge Base first. The Knowledge Base always has the most up-to-date listing of technical support questions and patches. To access the Knowledge Base, visit http://kbase.gfi.com/.
  • Web forum
    User-to-user technical support is available via the web forum. The forum can be found at http://forums.gfi.com/.
  • Contacting GFI Technical Support
    If you still cannot solve issues with the software, contact the GFI Technical Support team by filling in an online support request form or by phone.
    NOTE: Before you contact our Technical Support team, please have your Customer ID available. Your Customer ID is the online account number that is assigned to you when you first register your license keys in our Customer Area at https://customers.gfi.com/login.aspx.
    GFI support will answer your query within 24 hours or less, depending on your time zone.

Common issues

Error message: Not connected to the database or connection was lost.

Description

This error is encountered when GFI EventsManager is unable to connect with the SQL database or the database connection was interrupted.

Solution

The following links contain information on how this issue can be solved.

How do I debug Failed to connect to database?

http://kbase.gfi.com/showarticle.asp?id=KBID002855

How do I configure SQL Server 2005/2008 to accept SQL Authentication?

http://kbase.gfi.com/showarticle.asp?id=KBID002804

How do I configure SQL Server 2000 to accept SQL Authentication?

http://kbase.gfi.com/showarticle.asp?id=KBID002805

Enabling TCP/IP on Microsoft SQL Server 2005

http://kbase.gfi.com/showarticle.asp?id=KBID002920

How to create a new database in Microsoft SQL Server

http://kbase.gfi.com/showarticle.asp?id=KBID003379

Error message: Primary Filegroup Full.

Description

This error is encountered when GFI EventsManager database backend has a maximum file size limitation and is unable to store any further data.

Solution

Configure the database backend to allow a larger file size. This can be done on both Microsoft SQL Server and Microsoft SQL Server Express Edition. For more information on how to change the maximum file size, refer to http://kbase.gfi.com/showarticle.asp?id=KBID003670

Error message: Could not complete cursor operation because the table schema changed after the cursor was declared.

Description

This error is encountered when the administrator is performing maintenance tasks on the GFI EventsManager databases while the GFI EventsManager service is running.

Solution

  1. Stop GFI EventsManager service
  2. Perform the maintenance tasks in Microsoft SQL server
  3. Restart GFI EventsManager Service once the Microsoft SQL maintenance tasks are finished.

To avoid this, ensure that GFI EventsManager service is stopped whilst performing any maintenance tasks on the GFI EventsManager database. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID003011

Error message 1:Error connecting to machine MACHINENAME, Error 0x35, Message: The network path was not found.

Error message 2:Error connecting to machine MACHINENAME, Error 0x52E, Message: Logon failure: unknown user name or bad password.

Error message 3:Critical error encountered: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)

Error message 4:Unexpected error when connecting to machine MACHINENAME; remote W3C logs path is: PATH\*.*

Description

These errors are encountered when GFI EventsManager tries to collect events from a machine that is not accessible over the network or the credentials are invalid.

Possible solution 1

  1. Check that the credentials are correct
  2. Check that the machine name or IP address are correct
  3. Try to collect events

Possible solution 2

When using a personal firewall, check that the required firewall ports are configured to allow traffic. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID002770

When using Windows Firewall, check that all the required firewall permissions are enabled. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID003688

Possible solution 3

Ensure that GFI EventsManager is installed on a supported environment. For more information on where GFI EventsManager can be installed, refer to http://kbase.gfi.com/showarticle.asp?id=KBID002842

No event logs are being collected by GFI EventsManager.

Description

This issue can be caused by various factors and is dependent on the environment where GFI EventsManager is installed. For a checklist on how to resolve this issue, refer to http://kbase.gfi.com/showarticle.asp?id=KBID002819

Error message 1: A timeout was reached (60000 milliseconds) while waiting for the GFI EventsManager service to connect.

Error message 2: Error 1053: The service did not respond to the start or control request in a timely fashion.

Description

The GFI EventsManager executables are digitally signed (Authenticode) by default. When the service starts, the signature is verified, and as part of that check Windows tries to download the certificate's Certificate Revocation List (CRL). If the download is blocked or hangs because of missing Internet connectivity or a restrictive proxy or firewall, the verification waits for its own timeout, the service does not report that it has started within the Service Control Manager's default 30-second window, and the start fails with one of the errors above.

Possible solution 1

Increase the default service start timeout (the ServicesPipeTimeout registry value) as described in the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/941990

Possible solution 2

Disable Certificate Revocation List (CRL) checking for the service account.

  1. Download the Microsoft setreg application from http://ftp.gfisoftware.com/support/setreg.zip
  2. Log in to the GFI EventsManager server using the GFI EventsManager service user.
  3. Open a command prompt.
  4. Change the directory to the directory storing setreg.exe.
  5. Run the following command: setreg.exe 3 FALSE

Note: setreg.exe changes the per-user Software Publishing settings, which is why the command must be run as the service user; it also turns off revocation checking for every Authenticode signature verified under that account, not only for the GFI EventsManager executables. The setting can be reverted by running the following command: setreg.exe 3 TRUE. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID003365

Error message: The maintenance job failed!

Description

GFI EventsManager uses the .NET Framework class GZipStream (System.IO.Compression) to compress and export data from the GFI EventsManager databases. In the .NET Framework versions the product runs on, GZipStream cannot compress data larger than 4 GB, so GFI EventsManager returns this error when trying to export more than 4 GB of data.

Solution

In order to export the data required, use the GFI EventsManager Advanced Filters to reduce the number of events exported, and therefore the size of the data being compressed. For more information, refer to the Configuring data filter conditions section in this manual.

Error message: Event Log Records could NOT be retrieved: The RPC server is unavailable.

Description

This error may occur if:

  • The remote computer is shut down.
  • There is a network hardware problem.
  • There is no common transport between the two computers.
  • The remote computer does not exist.
  • The DNS server has no entry for the remote computer (try pinging the remote machine from another computer by its host name, not its IP address).

Investigate each possible problem and make the necessary changes. Then try to collect events from target computers. For more information, refer to http://kbase.gfi.com/showarticle.asp?id=KBID002820

GFI EventsManager reports error number 1069 (the service did not start due to a logon failure).

Description

When installed, GFI EventsManager asks for a valid username and password for its service account. This error is encountered when an invalid password was submitted in the installation wizard, or the account's password has since changed, so the service cannot log on.

Solution

  1. Click Start ► Run, key-in services.msc and click Ok. This will launch Services window.
  2. Double Click on the GFI EventsManager service.
  3. Select the Log On tab.
  4. Ensure that the This account radio button is selected.
  5. Key-in a valid password for the specified User account.
  6. Press OK to close the Properties window.
  7. Close Services window.