Event Log Manager 2021 Overview

Overview

Event Log Manager is targeted to IT professionals that want to:

• Monitor log files in real-time or near real-time.
• Consolidate native Windows Event Log files such as evtx files to a central file server.
• Consolidate Windows Event Log Entries to a centralized consolidation database such as MySQL or Microsoft SQL Server.

Event Log Manager supports:

• Windows Event Log Files
• Windows Application Log Files
• Text log files
• syslogs
• Azure Active Directory Audit Logs

System Requirements

Event Log Manager is a 64-bit Windows Application that installs on Windows Server 2019, 2016, 2012 and 2008 R2. The software can also be installed on the equivalent Windows 10 through Windows 7 SP1 operating systems.

We suggest a minimum of 8GBs of memory, however larger installations will benefit with more memory.

Templates

Let's take a look at the types of templates you can create: If I select File -> New, the Create New Object view displays. This view enables you to add or create all the various types of components.

If I expand Templates I can see four sections, Log Management, Windows Monitors, Network and Application Monitors and SSL Certificate Monitors. Now you might be asking, well there is quite a bit more functionality outside of log management and you are correct. If you already have a Server Manager license or purchase a Server Manager license instead of an Event Log Manager license you will gain access to the Server Manager functionality which includes: Windows Monitors such as CPU, Memory Disk Space and soon to come Services and processes, Network and Application Monitors such as ping and DNS blacklist monitors and many more soon to come, and finally, various SSL Certificate Monitors.

Expanding Log Management reveals Log Consolidation, Log Entry Retention Policy, Log Backup, Log Monitor and Active Directory Account Lockout Monitor.

Rather than creating a new template from scratch I am going to show you some of the pre-installed templates.

Back in the Explorer View, expanding Templates reveals Samples Templates. Under that group we can see various Account Logout Monitor Templates, Log Consolidation Templates and Real-Time Monitor Templates.

Now earlier I mentioned Reports, Event Log Manager also pre-installs over 85 different reports for monitoring and audit compliance requirements. There is a report for each Advanced Security Audit policy group as defined by Microsoft as well as normalized reports for Account Lockouts, success logons, failed logons, logon sessions and various account management entries.

Event Log Management

Let's briefly take a look at three templates, Event Log Consolidation, Push Event Log Consolidation Agent and Event Log Backup.

Native Event Log Consolidation

The event log consolidation template contains 6 tabs that enable you to:

• Configure the frequency to run
• Select the logs to consolidate
• Specify download options including a filter to remove unwanted entries and the number of days to initially download
• Log entry retention policy
• Post consolidation filters and actions for notification as entries are download
• Push Template which I will talk about in just a minute
• Actions which enable you to trigger actions when each monitor starts, completes, errors and recovers

The right side enables you to assign hosts and host groups to the template.

Agent Based Event Log Consolidation

The Push Event Log Consolidation Agent Template, enables you to automatically install an agent on remote windows machines. The agent is able to push Event Log Entries 12 times faster than the native Windows technology, WMI. If necessary you can manually install the agent as well as route packets through an Azure Relay Hybrid Connection enabling you to download logs from any computer on the internet. Selecting the Push Template tab reveals the push template options is enabled.

Event Log File Backup

Moving on to Event Log Backup we can see options to:

• Specify the centralized destination location
• Compress to ZIP
• Encrypt and password protect
• Digitally sign
• Automatically delete old backups no longer needed for audit compliance requirements
• Clear the remote event log

Syslog Monitoring

Moving on to Syslog, you have the option to automatically add devices to the software as they push syslog messages to this server or if you prefer the servers can dump messages if the device has not already been added to the system. Just like the Event Log Consolidation Template you have the option to filter out messages you are not interested in saving to the database. You have the option of running both UDP and TCP syslog servers and configuring message and attribute value delimiters. Filter and action rules can also be applied.

Text Log Monitoring

Next let's take a brief look at Text Log Monitoring.

Selecting the Logs tab reveals controls to select the text log files. When selecting a Windows Server, Windows Shares are returned, when selecting a Linux Server or other SFTP enabled device the file system is returned through SFTP over SSH. The software supports defining many different types of entry delimiters and includes other monitors such as maximum size and idle file.

Log Repository Databases

Event Log Manager supports saving consolidated log entries to MySQL, Microsoft SQL Server, and SQLite. The software uses two databases, a primary database which contains the latest entries and an archive database that contains older log entries for audit compliance requirements. When expanding a data provider we can see the list of hosts and consolidated logs.

Wrap-Up

There is quite a bit more functionality to show but in the interest of keeping this introduction as short please take a look at our other articles and online videos. Thank you for reading and please direct any questions you have to info@cornerbowlsoftware.com.