Getting Started
- System Requirements
- Installation
  - Linux Agent Installation
  - Linux Server Installation
- Registration
- Assign Service Logon As Credentials
- Server Configuration
Agent-Based Management
Data Providers
- Data Provider Properties
- SQLite Properties
- MySQL Properties
- Microsoft SQL Server Properties
- File System Properties
Directory Services
Auditing
- Audit Work Items
- Self-Auditing
Hosts
- Adding Hosts
- Host Properties
- Batch Update Hosts
- Agent Properties
- Logon As Properties
- SFTP Properties
- FTP/S Properties
- SNMP Device Connection Properties
- WMI
- Contact
- Template Exclusions
- Inventory
- Docker
- Host Assignments
Templates
- Template Properties
- Batch Update Templates
- Assign Templates
- Log Management Templates
- File and Directory Monitor Templates
- Windows Monitor Templates
- Network and Application Monitor Templates
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Windows Accounts Templates
Monitors
- Monitor Hierarchy
- Temporarily Suppress Monitors Actions
Reports
- Report Properties
- Artificial Intelligence Reports
  - AI Anomaly Detection Report
    - AI Anomaly Detection Report (Template Triggers)
- Security Reports
- Generic Log Reports
- SIEM Report
- SIEM Chart Report
- Azure Active Directory Audit Log Report
- Event Log Report
- SNMP Trap Report
- Syslog Report
- Databse Log Report
- Event Log Summary Report
File and Permission Reports
- File and Directory Access Permissions Report
- Duplicate Files Report
- File Activity Report
- Largest Files Report
- Sorted Files Report
Summary Reports
- Host Inventory Report
- Summary Report
- Collection Report
- Hash Check Reports
Auto-Configurators
Filters
- Simple Filters
- Complex Filters
Actions
- Desktop Actions
- Email Actions
- Event Log Actions
- Executable Actions
- File Actions
- IIS IP Address Restriction Actions
- Microsoft Teams Actions
- PowerShell Actions
- Report Actions
- Service Actions
- SMS Actions
- SNMP Trap Actions
- Syslog Actions
- Template Actions
- IIS IP Address Restriction Actions
- Action Variables
Schedules
- Fixed Schedules
- Range Schedules
- Real-Time Schedules
Environment Variables
Options
- Email Settings
- Security Settings
- Syslog Server Settings
- SNMP Trap Server Settings
- Log Viewer Settings
- Web Proxy Settings
- Miscellaneous Settings
Account Lockout Monitoring and Reporting
Merging Logs
SNMP
- SNMP Browser
SSH Shell
Syslog
Exporting and Importing Configuration Objects
Shared Views
- Active Directory User and Group Filters
- Assign Actions
- Assign Azure Audit Logs
- Assign Consolidated Logs
- Assign Directories
- Assign Disks
- Assign Event Logs
- Assign Files
- Assign Services
- Assign Shares
- Auto-Config Host Assignment Properties
- Define CSV and W3C Log Entry Columns
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Executable Status
- Executable Timeline
- Explicitly Assigned Logs
- File Explorer
- General Executable Properties
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Target Files and Sub-Directories
Command Line Interface
Troubleshooting
- Arithmetic Overflow
- Access Denied
- MySQL: Fatal error encountered during command execution
- Invalid Class
- No Such Interface Supported
- Quota Violation
- The File Exists Errors
- The Interface is Unknown
- The RPC Server is Unavailable
- NetBIOS Errors
Terminology

Event Log Consolidation Template

Event Log consolidation is the process of downloading Event Log entries then saving them to the Log Database. The Log Databases are configured under the Explorer View's Data Providers tree node.

Tutorials

Event Log Management (Part 1: Consolidation)

Sample Templates

Server Manager includes several different sample Templates to quickly configure Event Log Management out-of-the-box. The sample templates can be found in the Explorer View under the Templates | Sample Templates tree node.

Folder	Description
Log Consolidation	Contains Agent-Based and Agentless log consolidation templates that filter out common wasteful Security Event Log Entries then save for 150 days.
NIST/JSIG / Windows	Contains Agent-Based and Agentless log consolidation templates save all log entries for either 1 year or 5 years.

How to Use the Sample Templates

Assign the target sample Template to the Host or Host Group you want to manage. For more information see: Assigning Templates.

Create your own Template

From the Menu Bar select File | New. The Create New Object View displays.
From the Create New Object View, select Template | Log Management | Log Consolidation. The Template Properties view displays.
The Template Properties view contains 7 tabs.
- General
- Logs
- Options
- Columns
- Monitor
- Agent Template
- Actions

Note

By default this template downloads entries every hour and evenly distributes each download over the hour among the assigned hosts. For example, if you assign 60 hosts to this template the software will download entries form a single and different server every minute. After 60 minutes the first server will be downloaded again.

The Options Tab

Optionally assign a Consolidation filter to dump entries you do not want saved to the Log Database. When assigned, only entries that pass the assigned consolidation filter are saved to the Log Database.
Use the Initial number of days to download to configure the initial download. Subsequent downloads always pull from the last saved entry forward.

Important

If you have a heavily loaded domain controller you may need to limit the initial download of the Security Event Log to one day then build the database from that point on, otherwise you may receive a Quota Violation. You also have the option of specifying 0 days. When set to 0, Server Manager downloads the last hour of entries which should resolve any Quote Violation errors.

Use the Download in batches of option to minimize WMI results sizes. This option is yet another attempt to work around Quota Violation errors.

Important

If you are unable to resolve Quota Violation errors using the hourly batch method increase the Windows host's WMI Quota. For more information see: WMI Properties.

Use the Clear the remote Event Log after each download to clear the actual Event Log from managed hosts once the download is complete.
When configuring a Microsoft Application Log, use the Enable WMI API checkbox to access the log using WMI rather than the .Net EventLogSession API.

Important

When this option is set, several required Windows Registry entries are added to the managed host prior to downloading. If this option is not set, each downloaded Event's message may not be properly display.

Use the Log Entry Retention Policy drop-down to select the retention policy. The retention policy is another template that defines the number of days to retain in the Primary and Archive Log Databases, for example, archive entries older than 30 days and retain entries for 150 days for a total of 180 days. Assign multiple retention policies to remove entries that match filter criteria defined in each retention policy. For more information see: Log Entry Retention Policy Template

Event Log Consolidation Options Tab

Table of Contents

Event Log Consolidation Template

In this Topic

Tutorials

Sample Templates

How to Use the Sample Templates

Create your own Template

The Options Tab