Getting Started
- System Requirements
- Installation
- Assign Service Logon As Credentials
- Registration
- Version Support Policy
Agent-Based Management
Common Tasks
- Account Lockout Monitoring and Reporting
- Event Log Archiving for JSIG and CMMC Compliance
- Exporting and Importing Configuration Objects
- Importing Event Log Files for JSIG and CMMC Auditing
- Merging Logs
- RDP Session Monitoring and Reporting
- Amazon S3 Bucket Support
- Azure File Share Support
Data Providers
- Data Provider Properties
- SQLite Properties
- MySQL Properties
- Microsoft SQL Server Properties
- File System Properties
Directory Services
Auditing
- Audit Work Items
- Self-Auditing
- Group Policy Auditing
- Password Expiry Auditing
Hosts
- Adding Hosts
- Host Properties
- Batch Update Hosts
- Agent Properties
- Logon As Properties
- SFTP Properties
- FTP/S Properties
- SNMP Device Connection Properties
- WMI
- Contact
- Exclusions
- Inventory
- Docker
- Host Assignments
Templates
- Template Properties
- Batch Update Templates
- Assign Templates
- Log Management Templates
- SCAP Compliance Monitor
- Active Directory User Monitor Templates
- File and Directory Monitor Templates
- Windows Monitor Templates
- Network and Application Monitor Templates
- SSL Certificate Monitor Templates
- Database Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Windows Accounts Templates
Monitors
- Monitor Hierarchy
- Temporarily Suppress Monitors Actions
Reports
- Report Properties
- Security Reports
- Generic Log Reports
- File and Permission Reports
- Summary Reports
- Artificial Intelligence Reports
  - AI Anomaly Detection Report
  - AI Anomaly Detection Report (Template Triggers)
Auto-Configurators
Filters
- Simple Filters
- Complex Filters
Actions
- Database Actions
- Desktop Actions
- Disconnect RPD Session Actions
- Email Actions
- Event Log Actions
- Executable Actions
- File Actions
- IIS IP Address Restriction Actions
- Microsoft Teams Actions
- PowerShell Actions
- Report Actions
- Service Actions
- SMS Actions
- SNMP Trap Actions
- Syslog Actions
- Template Actions
- Action Variables
Schedules
- Fixed Schedules
- Range Schedules
- Real-Time Schedules
Environment Variables
Options
- Email Settings
- Security Settings
- Syslog Server Settings
- SNMP Trap Server Settings
- Log Viewer Settings
- Web Proxy Settings
- Miscellaneous Settings
- Logging Settings
SNMP
- SNMP Browser
SSH Shell
Syslog
System Reset
Shared Views
- Active Directory User and Group Filters
- Assign Actions
- Assign Azure Audit Logs
- Assign Consolidated Logs
- Assign Directories
- Assign Disks
- Assign Event Logs
- Assign Files
- Assign Services
- Assign Shares
- Auto-Config Host Assignment Properties
- Define CSV and W3C Log Entry Columns
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Executable Status
- Executable Timeline
- Explicitly Assigned Logs
- File Explorer
- General Executable Properties
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Target Files and Sub-Directories
Command Line Interface
Server Configuration
Agent Configuration
Troubleshooting
- Arithmetic Overflow
- Access Denied
- MySQL: Fatal error encountered during command execution
- Invalid Class
- No Such Interface Supported
- Quota Violation
- The File Exists Errors
- The Interface is Unknown
- The RPC Server is Unavailable
- NetBIOS Errors
Best Practices
Terminology

Log Monitor Template

The Log Monitor Template enables you to fire actions when specific entries are detected. Some of the Log Consolidation Templates, such as Event Log Consolidation, Azure AD Audit Log Consolidation and Text Log Consolidation, include post consolidation monitors enabling you to scan consolidated log entries as they are received rather than creating multiple templates, one for consolidation and one for monitoring. Since Syslog monitoring is real-time, Syslogs are the exception to this rule. Log Monitoring is configured via the Monitor Tab found within each supported template's properties view.

To create a new Log Monitor Template

From the Menu Bar, select File | New. The Create New Object View displays.
From the Create New Object View, expand Templates | Log Management and finally select Log Monitor. The New Template View displays.
Use the Sub type drop-down to select the log type.
Use the Monitor Tab to assign multiple log monitor rules.

Log Monitor Rules

Use the Rules control to manage your log monitor rules.

To add a new log monitor rule

From the Rules control, click the Add button to add a new rule. A new line item is added to the table.
Use the Name text box to specify a friendly name for the rule.

Note

To include the log monitor rule name in the subject line of an email notification, insert the {MONITOR_RULE_NAME} variable tag in the action's email subject line.

Use the Rule drop-down to specify the rule type. The following options are available:

Option	Description
Default	Assigned actions are triggered when entries pass the assigned filter. Scheduled monitors, such as Event Log Monitors and Azure AD Audit Log Monitors, group all entries that pass the filter into a table then include the table in assigned action content. Real-Time monitors, such as Syslog Monitors, trigger an action each time an entry passes the filter and include the entry in the assigned action content.
Frequency	Assigned actions are fired after the configured threshold has triggered. The less than operand is executed 30 seconds after the top of the minute.
Column Frequency	When custom columns are defined, for example when monitoring IIS Log Files, unique column values are grouped, then frequency rules applied to each group. This option enables you to, for example, get notified when there is an ongoing DoS attack on your web server.
Proximity	Assigned actions are fired after the first filter is triggered then after the second filter is triggered. This option enables you to get notified when the time span between two entries is too great or non-existent. For example, get notified when a text log contains a started message but does not contain a completed message within the configured time span.

To configure a Default rule type

Use the Filter drop-down to select the filter to apply.

To configure a Frequency rule type

Use the Filter drop-down to select the filter to apply.
Use the Frequency controls to apply the frequency rules (e.g. > 100 times every 5 minutes or < once an hour).

To configure a Column Frequency rule type

Use the Filter drop-down to select the filter to apply.
Use the Column Key text box to specify the key of custom column to target.

Note

For Example: When monitoring W3C IIS log files, to get notified when there is an ongoing DoS attack, specify c-ip, the key of the column that contains the client's IP address. In this example, to include the IP address in the subject line of an email notification, insert the {c-ip} variable tag in the action's email subject line.

Use the Frequency controls to apply the frequency rules. Frequency rules are applied to each unique value found in the column.

To configure a Proximity rule type

Use the Filter drop-down to select the first filter to apply.
Use the Proximity Filter drop-down to select the second filter to apply.
Use the Frequency controls to apply the frequency rules to entries that pass the Proximity Filter.

To configure a actions

Use the Set monitor state to drop-down to configure the state to set the monitor to once triggered. If you do not want to trigger the state, set the state to OK.
Use the On Trigger drop-down to assign the actions to fire once the monitor triggers.
Use the Limit to check box to limit the number of times the actions are fired within the configured time span.

Sample W3C IIS Log File Monitor Rule Properties View

Table of Contents