Introduction
System Requirements
Assign Service Logon As Credentials
Server Configuration
Agent-Based Monitoring
Data Providers
- Data Provider Properties
- SQLite Properties
- MySQL Properties
- Microsoft SQL Server Properties
- File System Properties
Directory Services
Audit Work Items
Hosts
- Adding Hosts
- Host Properties
- Batch Update Hosts
- Logon As Properties
- SFTP Properties
- FTP/S Properties
- SNMP Device Connection Properties
- WMI
- Contact
- Template Exclusions
- Inventory
- Docker
- Host Assignments
Templates
- Template Properties
- Batch Update Templates
- Log Management Templates
- File and Directory Monitor Templates
- Windows Monitor Templates
- Network and Application Monitor Templates
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
Monitors
- Monitor Hierarchy
- Temporarily Suppress Monitors Actions
Reports
- Report Properties
- Security Reports
- Generic Log Reports
- File and Permission Reports
- Summary Reports
Auto-Configurators
Filters
- Simple Filters
- Complex Filters
- C# Script Filters
Actions
- Desktop Actions
- Email Actions
- Event Log Actions
- Executable Actions
- File Actions
- IIS IP Address Restriction Actions
- Microsoft Teams Actions
- Service Actions
- SMS Actions
- SNMP Trap Actions
- Syslog Actions
- Template
- IIS IP Address Restriction
- Action Variables
Schedules
- Fixed Schedules
- Range Schedules
- Real-Time Schedules
Environment Variables
Options
- Email Settings
- Security Settings
- Syslog Server Settings
- SNMP Trap Server Settings
- Log Viewer Settings
- Web Proxy Settings
- Miscellaneous Settings
Account Lockout Monitoring and Reporting
SNMP
- SNMP Browser
SSH Shell
Exporting and Importing Configuration Objects
Shared Views
- Auto-Config Host Assignment Properties
- General Executable Properties
- Assign Actions
- Assign Directories
- Assign Disks
- Assign Shares
- Assign Files
- Assign Consolidated Logs
- Assign Event Logs
- Assign Azure Audit Logs
- Target Files and Sub-Directories
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Define CSV and W3C Log Entry Columns
- Active Directory User and Group Filters
- Explicitly Assigned Logs
- File Explorer
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Executable Timeline
Command Line Interface
Troubleshooting
- Arithmetic Overflow
- Access Denied
- MySQL: Fatal error encountered during command execution
- Invalid Class
- No Such Interface Supported
- Quota Violation
- The File Exists Errors
- The Interface is Unknown
- The RPC Server is Unavailable
- NetBIOS Errors
- Windows Service Log File
Terminology

SIEM Reports

SIEM Reports enable you to scan the consolidated log database for specific entries from multiple log types. This report is typically used by network administrators to track down events that pass through multiple hardward devices.

SIEM Reports optionally use Regular Expressions to parse log entries, extract values, validate subject and target accounts in Active Directory (when applicable), then, finally, filter entries using each assigned log type's native filters.

How to create a SIEM Report

From the Menu Bar select File | New. The Create New Object View displays.
From the Create New Object View, expand Reports.

Expand Report | Log Consolidation Reports then select SIEM Report. The Properties View displays.

Unlicensed report types appear in gray text. If you would like to create a report that is not currently licensed, please contact Corner Bowl Software to upgrade your license.

The Properties View contains 6 configuration tabs.

General
Explicitly Assigned Logs

Sample Windows Security Log and Linux Audit Log assignment

Columns

Sample Windows/Linux Success Logon Report column definitions

If you apply regular expressions column definitions in your corresponding log consolidation templates, and the column keys are identical between log types, you do not need to re-apply the regular expressions in the report.

Options
Date/Time Range
Actions

The Options Tab

Use the Filters drop-down to select all of the filters you would like to apply to the report.

Filters are only applied to corresponding log entries types. For example, when you have assigned both an Event Log and a Text Log to the report, Event Log Filters are only applied to Event Log Entries while Text Log Filters are only applied to Text Log Entries.

Sample regular expression driven new Windows success login filter with exclusion.

Sample regular expression driven new Red Hat Linux success login filter with exclusion.

Assign report filters

Once a filter is assigned, use the Include entries that pass drop-down to select the filter method.

The following filter options are available:

Option	Description
All	Include each entry that passes all assigned filters of the same type.
Any	Include each entry that passes any filter of the same type.
None	Include each entry that does not pass any of the filters of the same type.
Ignore	Include all entries.

Sample SIEM Success Logon Report properties

Sample Windows/Linux Success Logon Report

Use the Select distinct count controls to define a composite key to select a distinct count of entries that match your composite key. For example, generate a report that displays the number of each unique event type, Information, Warning, Critical, Audit Success and Audit Failure or the number of unique entries keyed by Event ID and Source on each assigned host).

Generate a report that displays the number of entries grouped by Event ID and Source.
Use the Query by controls to optimize SQL statements. For example, if the column you want to search for was added using a regular expression column defnition, specify the column key and the value to search for. Once executed, only rows that match your search criteria are returned from the database engine.

Apply select where clauses to optimize SQL.

Table of Contents

SIEM Reports

How to create a SIEM Report

The Options Tab