GFI EventsManager 8 review - Work smart, not hard!
by Adrian Grigorof, B.Sc., MCSE, Senior Consultant for www.eventid.net
They say that work is for tractors and computers, but the latest version of EventsManager seems designed to do the work and the thinking, too. Let's go through the features of the latest monitoring software from GFI and understand what they really mean in a sentence.
1. Centralized event logging - Keep all the logs together,
and have the ability to see the "whole picture"
2. Analysis of event logs including SNMP Traps, Windows Event logs, W3C logs and
Syslog - Add more devices to your monitoring capabilities: printers, routers,
switches, firewalls, web servers and more
3. Certified for Windows Server 2008; Supports Vista - These operating systems
use a new event log programming interface and not many logging tools are able to
process them properly
4. Deeper granular control of events - Have specific rules for specific events
as opposed to treating all with some generic rules.
5. Support for new Devices - Compared to version 7, now SNMP traps and SQL
server logs are supported
6. SQL Server Auditing - Monitors SQL activity such as new table creation
7. Translates "cryptic" Windows events - For some events, it provides a plain,
"English" translation of the event description
8. High performance scanning engine - Many logging tools work fine for a small
volume of events but crash when the volume increases. EventsManager was designed
for a large volume of events
9. Real-time alerts - Alerts you when certain events are recorded
10. Collect events data distributed over a WAN into one central database -
Provides the ability to collect the data locally and then upload it to a central
location as opposed to using an expensive WAN connection for every event
11. Rule-based event log management - Customize the actions that the monitoring
software takes based on the type of event recorded
12. Advanced event filtering features - Ability to filter "known" events with
high granularity
13. Event log scanning profiles - Some computers are more important than others
and may require special scanning rules
14. View reports on key security information happening on your network - Use
pre-configured reports or build your own
15. Helps to comply with PCI DSS and other regulations - Keep auditors happy
* * *
We took advantage of the free trial offered by GFI and installed EventsManager on our internal network, replacing the older version. The installation went smoothly, and at the end, the installer took us through the initial configuration (the user for the service, the database server to use - we had MS SQL 2005 installed on this system - the administrator to be notified for various alerts and the type of alerts to be sent). While SMS and network messenger were available as well, we chose to use email (SMTP).
After the initial setup was finished we went to the
Event Sources tab to add some of our computers to the list of devices to be
monitored by EventsManager. The list included one domain controller (Windows
2003), one stand-alone file server (Windows 2000) and two workstations (W2K and
XP). The computers were added to the Computer groups already preconfigured
within EventsManager (the software comes with 21 groups). Each group is
customized to reflect the type of device. For example:
Windows 2003 Domain Controllers:
- Real-Time scanning, every 5 seconds (the Workstations group is scanned once
every 30 minutes)
- Operational time (9:00 – 5:00 for regular user logon/logoff)
- Event logs scanned: System, Application, Security, Directory Service, DNS
Server, File Replication
- Process the logs through several sets of rules before archiving:
- Noise reduction
- Security
- System health
- Security Applications
- Infrastructure Server
- Terminal Services
- File Replication
- Directory Service

Each set of rules contains rules specific to a certain
function. For example, the System Health contains:
- Disk issues
- Memory dumps
- TCP/IP issues
- Unexpected system shutdowns
- Applications crashing or hanging
- Windows updates
- Performance logs and alerts
- Shutdown/reboot/logoff actions
Once the computers are added to a group, the scanning of the events starts
according to how the computer group was configured. The notifications may start
showing up right now (we got quite a few as the software went through the whole
list of events not just the new ones - this should not be the default in my
opinion).
Event Processing Rules
There is a plethora of rules preconfigured within EventsManager. These rules allow for special processing of certain events before they are archived. The rules are grouped into sets and each set can be enabled for various computer groups. For example, the "TCP/IP issues Rule Set" is configured to monitor for known TCP/IP events that may affect the functionality of servers and workstations. Within this set there are rules for: IP conflicts, Security limit imposed on the number of concurrent connections, and General TCP/IP errors and warnings. Each rule is configured to look for certain combinations of event ids, sources and types and, if the conditions are met, initiates the configured action. Basically, the rules can be as detailed or generic as necessary for a certain task. The "Security limit imposed on the number of concurrent connections" rule is configured to check the System event log for event id 4226 from source Tcpip. This is considered worth monitoring as it may indicate a compromised computer trying to infect other hosts (see http://www.eventid.net/display.asp?eventid=4226&eventno=4252&source=Tcpip&phase=1 for details).

Options
Here you can set various configuration parameters such as Alerting, security
of EventsManager itself, turn on/off the built-in syslog server, turn on/off the
ability to receive SNMP traps, maintain the database used by EventsManager and
many other options. We used the Alerting Options to change the format of the
email message for Windows events. The default was too generic (just the
description of the event):
%DESCRIPTION_ID%
We replaced it with:
Event id: %EVENTID%
Source: %SOURCE%
Type: %TYPE%
Date and time: %EVENT_DATE% %EVENT_TIME%
Description: %DESCRIPTION_ID%
Link: http://www.eventid.net/display.asp?eventid=%EVENTID%&source=%SOURCE%
This way, for event id 4226, instead of an email alert stating just:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
we now receive:
Event id: 4226
Source: Tcpip
Type: Warning
Date and time: 5/20/2008 11:03:27 AM
Description: TCP/IP has reached the security limit imposed on the number of
concurrent TCP connect attempts.
Link:
http://www.eventid.net/display.asp?eventid=4226&source=Tcpip
The event id was mentioned in the email subject but we preferred to have it displayed in the message body as well.
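To make the two mechanisms discussed above concrete, here is a small added example (written for this review, not GFI's code and not EventsManager's own rule or template engine). It evaluates the "Security limit imposed on the number of concurrent connections" rule from the previous section (System log, source Tcpip, event id 4226) against a few constructed event records and renders the matching ones through both the default and the customized alert template. The Event and Rule classes, the function names, the field names and the US-style date format are all assumptions made for the example.

```python
# Added example (not GFI's code, and not EventsManager's rule or template
# engine): a small stand-in that evaluates one processing rule and renders
# the alert template from the review. Class and function names are assumed.
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    """One Windows event log record (field names are assumptions)."""
    log: str            # log the record came from, e.g. "System"
    event_id: int
    source: str
    event_type: str     # "Error", "Warning" or "Information"
    timestamp: datetime
    description: str


@dataclass(frozen=True)
class Rule:
    """Event id / source / type combination that triggers an action."""
    name: str
    log: str
    event_ids: frozenset
    sources: frozenset
    types: frozenset    # empty set means any type

    def matches(self, ev: Event) -> bool:
        return (ev.log == self.log
                and ev.event_id in self.event_ids
                and ev.source in self.sources
                and (not self.types or ev.event_type in self.types))


# The rule described in the review: System log, source Tcpip, event id 4226.
TCPIP_CONN_LIMIT_RULE = Rule(
    name="Security limit imposed on the number of concurrent connections",
    log="System",
    event_ids=frozenset({4226}),
    sources=frozenset({"Tcpip"}),
    types=frozenset({"Warning"}),
)

# The default template and the one the reviewers replaced it with.
DEFAULT_TEMPLATE = "%DESCRIPTION_ID%"
CUSTOM_TEMPLATE = (
    "Event id: %EVENTID%\n"
    "Source: %SOURCE%\n"
    "Type: %TYPE%\n"
    "Date and time: %EVENT_DATE% %EVENT_TIME%\n"
    "Description: %DESCRIPTION_ID%\n"
    "Link: http://www.eventid.net/display.asp?eventid=%EVENTID%&source=%SOURCE%"
)

_TOKEN = re.compile(r"%[A-Z_]+%")


def render_alert(template: str, ev: Event) -> str:
    """Substitute the %TOKEN% placeholders in a single pass.

    One regex pass means a description that itself contains text such as
    %SOURCE% is copied verbatim rather than expanded a second time; unknown
    tokens are left untouched so a typo in the template stays visible.
    """
    ts = ev.timestamp
    fields = {
        "%EVENTID%": str(ev.event_id),
        "%SOURCE%": ev.source,
        "%TYPE%": ev.event_type,
        # US-style date/time as in the review's sample email (assumed format).
        "%EVENT_DATE%": f"{ts.month}/{ts.day}/{ts.year}",
        "%EVENT_TIME%": ts.strftime("%I:%M:%S %p").lstrip("0"),
        "%DESCRIPTION_ID%": ev.description,
    }
    return _TOKEN.sub(lambda m: fields.get(m.group(0), m.group(0)), template)


def process_events(events, rules, template):
    """Return (rule name, rendered alert) for every event that matches a rule."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                alerts.append((rule.name, render_alert(template, ev)))
    return alerts


# Constructed sample records: one true hit, one with the same id from a
# different log and source, and one routine informational event.
SAMPLE_EVENTS = [
    Event("System", 4226, "Tcpip", "Warning", datetime(2008, 5, 20, 11, 3, 27),
          "TCP/IP has reached the security limit imposed on the number of "
          "concurrent TCP connect attempts."),
    Event("Application", 4226, "SomeApp", "Warning",
          datetime(2008, 5, 20, 11, 4, 0),
          "Unrelated application event that happens to reuse id 4226."),
    Event("System", 7036, "Service Control Manager", "Information",
          datetime(2008, 5, 20, 11, 5, 0), "A service entered the running state."),
]

if __name__ == "__main__":
    for name, text in process_events(SAMPLE_EVENTS, [TCPIP_CONN_LIMIT_RULE],
                                     CUSTOM_TEMPLATE):
        print(f"[{name}]\n{text}\n")
```

Running the script prints a single alert, for the Tcpip 4226 warning, in the same layout as the customized email above; the Application-log event with the same id does not fire because the rule keys on log and source as well as id, which is the "granular" matching the review describes.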

After the initial configuration is completed, the computers added in the various groups are scanned and if applicable, the notifications start arriving. However, one can use the EventsManager Events Browser GUI to access the entire list of events collected by EventsManager:

The events list is color coded for easier identification of the critical events and once an event is selected, the right panel displays additional information, including a link to www.eventid.net for further information on that event. The Queries displayed in the left panel allow for quick filtering of the events based on their type (e.g. Security vs. DNS events). Of course, one can create new queries to further customize the view, but EventsManager comes with quite a few preconfigured.
The Status interface allows for a quick view on what is happening with the computers monitored by EventsManager along with the nice pie charts that the managers love so much.

Conclusion
We were pleasantly surprised by the ease of installation and configuration of EventsManager. Without any additional configuration aside from adding computers to the various groups, the product offers a solid start in monitoring your network to a standard that would satisfy most auditors.
The next article will explore the Syslog and web log monitoring capabilities built into GFI EventsManager 8.0.
