Event Log Manager 2021 Overview
Hello, this is Mike Janulaitis, founder of Corner Bowl Software, and in this article I am going to give you an overview of our latest software package, Corner Bowl Event Log Manager 2021.
Event Log Manager is targeted at IT professionals who want to:
- Monitor log files in real-time or near real-time.
- Consolidate native Windows Event Log files such as evtx files to a central file server.
- Consolidate Windows Event Log Entries to a centralized consolidation database such as MySQL or Microsoft SQL Server.
Event Log Manager supports:
- Windows Event Log Files
- Windows Application Log Files
- Text log files
- Azure Active Directory Audit Logs
Event Log Manager is available for a 30-day trial from our website under the Downloads menu item or at:
Event Log Manager is a 64-bit Windows Application that installs on Windows Server 2019, 2016, 2012 and 2008 R2. The software can also be installed on the equivalent Windows 10 through Windows 7 SP1 operating systems.
We suggest a minimum of 8 GB of memory; larger installations will benefit from more.
Tutorials for this software can be found on our website under the Tutorials menu item or at:
Once you install the software you will be prompted to configure several components, including service credentials, email server connection properties and the centralized log repository database. Rather than walk you through the configuration process, I am going to show you some of the product highlights.
The software includes an Explorer view which lists all configured computers, templates, reports, log repositories and so on. With that in mind, I am going to explain how this software works.
Hosts are added to the software through your Active Directory tree or can be added to the system manually. Templates contain configuration settings such as the logs to download, the frequency to download log files, and the filters and actions to apply to a monitored log. Templates are then assigned to hosts. Reports then scan consolidated log entries, apply filters and generate results, for example a list of all successful domain administrator logins that occurred yesterday.
Let's take a look at the types of templates you can create: If I select File -> New, the Create New Object view displays. This view enables you to add or create all the various types of components.
If I expand Templates I can see four sections: Log Management, Windows Monitors, Network and Application Monitors, and SSL Certificate Monitors. Now you might be saying that there is quite a bit more functionality here than log management, and you are correct. If you already have a Server Manager license, or purchase a Server Manager license instead of an Event Log Manager license, you gain access to the Server Manager functionality, which includes Windows Monitors such as CPU, Memory and Disk Space (with Services and Processes monitors soon to come), Network and Application Monitors such as ping and DNS blacklist monitors (with many more soon to come), and finally various SSL Certificate Monitors.
Expanding Log Management reveals Log Consolidation, Log Entry Retention Policy, Log Backup, Log Monitor and Active Directory Account Lockout Monitor.
Rather than creating a new template from scratch I am going to show you some of the pre-installed templates.
Back in the Explorer View, expanding Templates reveals Sample Templates. Under that group we can see various Account Lockout Monitor Templates, Log Consolidation Templates and Real-Time Monitor Templates.
Earlier I mentioned Reports. Event Log Manager also pre-installs over 85 different reports for monitoring and audit compliance requirements. There is a report for each Advanced Security Audit Policy group as defined by Microsoft, as well as normalized reports for account lockouts, successful logons, failed logons, logon sessions and various account management entries.
Event Log Management
Let's briefly take a look at three templates: Event Log Consolidation, Push Event Log Consolidation Agent and Event Log Backup.
Native Event Log Consolidation
The Event Log Consolidation template contains 6 tabs that enable you to:
- Configure the frequency to run
- Select the logs to consolidate
- Specify download options, including a filter to remove unwanted entries and the number of days to initially download
- Set the log entry retention policy
- Define post-consolidation filters and actions for notification as entries are downloaded
- Configure the Push Template, which I will talk about in just a minute
- Define actions that trigger when each monitor starts, completes, errors and recovers
The right side enables you to assign hosts and host groups to the template.
Agent Based Event Log Consolidation
The Push Event Log Consolidation Agent Template enables you to automatically install an agent on remote Windows machines. The agent is able to push Event Log Entries 12 times faster than the native Windows technology, WMI. If necessary you can manually install the agent, as well as route packets through an Azure Relay Hybrid Connection, enabling you to download logs from any computer on the internet. Selecting the Push Template tab reveals that the push template options are enabled.
Event Log File Backup
Moving on to Event Log Backup we can see options to:
- Specify the centralized destination location
- Compress to ZIP
- Encrypt and password protect
- Digitally sign
- Automatically delete old backups no longer needed for audit compliance requirements
- Clear the remote event log
Moving on to Syslog, you have the option to automatically add devices to the software as they push syslog messages to this server or, if you prefer, the server can discard messages from devices that have not already been added to the system. Just like the Event Log Consolidation Template, you have the option to filter out messages you are not interested in saving to the database. You have the option of running both UDP and TCP syslog servers and of configuring message and attribute value delimiters. Filter and action rules can also be applied.
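To make the intake options above concrete, here is an added example (not Corner Bowl's code) of a hypothetical syslog intake stage: unknown senders are either auto-registered or discarded, the payload is split into attributes with configurable message and value delimiters, and a pre-storage filter drops messages not worth saving. The device names, addresses and `action=pass` filter are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample traffic as (source IP, raw RFC 3164 line); names and values are made up.
SAMPLE_MESSAGES = [
    ("10.0.0.5", "<134>Jan 12 10:01:02 fw01 filterlog: action=block proto=tcp dst=10.0.0.9"),
    ("10.0.0.5", "<134>Jan 12 10:01:03 fw01 filterlog: action=pass proto=udp dst=10.0.0.53"),
    ("10.0.0.7", "<14>Jan 12 10:01:04 sw02 link: action=up port=12"),
]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")  # <PRI> prefix, then the rest of the line


@dataclass
class SyslogIntake:
    auto_add_devices: bool                   # True: register unknown senders; False: discard them
    known_devices: set = field(default_factory=set)
    message_delim: str = " "                 # separates attributes inside the payload
    value_delim: str = "="                   # separates attribute name from value
    drop_filter: dict = field(default_factory=dict)  # attribute -> value not worth storing
    stored: list = field(default_factory=list)
    discarded: int = 0

    def receive(self, source_ip: str, raw: str):
        m = PRI_RE.match(raw)
        if not m:                            # not syslog-shaped: never store unparsed input
            self.discarded += 1
            return None
        if source_ip not in self.known_devices:
            if not self.auto_add_devices:
                self.discarded += 1
                return None
            self.known_devices.add(source_ip)  # device auto-added on first message
        facility, severity = divmod(int(m.group(1)), 8)
        attrs = {}
        for token in m.group(2).split(self.message_delim):
            if self.value_delim in token:
                key, value = token.split(self.value_delim, 1)
                attrs[key] = value
        if any(attrs.get(k) == v for k, v in self.drop_filter.items()):
            self.discarded += 1              # pre-storage filter, like the consolidation template
            return None
        entry = {"source": source_ip, "facility": facility, "severity": severity, "attrs": attrs}
        self.stored.append(entry)
        return entry


def run_sample(auto_add: bool, known=()):
    # Feed the constructed messages through one intake configuration and return it.
    intake = SyslogIntake(auto_add, set(known), drop_filter={"action": "pass"})
    for source_ip, raw in SAMPLE_MESSAGES:
        intake.receive(source_ip, raw)
    return intake
```

With auto-add enabled both devices are registered and only the `action=pass` message is discarded; with auto-add disabled and only 10.0.0.5 known, the switch's message is discarded as well.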
Text Log Monitoring
Next let's take a brief look at Text Log Monitoring.
Selecting the Logs tab reveals controls to select the text log files. When selecting a Windows Server, Windows Shares are returned; when selecting a Linux Server or other SFTP-enabled device, the file system is returned through SFTP over SSH. The software supports defining many different types of entry delimiters and includes other monitors such as maximum file size and idle file.
Log Repository Databases
Event Log Manager supports saving consolidated log entries to MySQL, Microsoft SQL Server, Cosmos DB and Elasticsearch. The software uses two databases: a primary database which contains the latest entries and an archive database that contains older log entries for audit compliance requirements. When expanding a data provider we can see the list of hosts and consolidated logs.
Event Log Manager includes robust log entry viewers that enable you to page data by a number of entries or a number of days. Filters can be applied, entries searched and data paged. Entries can be grouped by column, for example Source, with the message preview disabled and a duplicate count displayed.
Real quick I want to show you some reports. Here is a sample Success Logon report:
Here is a sample Failed Logon report:
Here is a generic Event Log warning-and-higher report:
There is quite a bit more functionality to show, but in the interest of keeping this introduction short, please take a look at our other articles and online videos. Thank you for reading, and please direct any questions you have to firstname.lastname@example.org.