Introduction
System Requirements
Assign Service Logon As Credentials
Server Configuration
Agent-Based Monitoring
Data Providers
- Data Provider Properties
- SQLite Properties
- MySQL Properties
- Microsoft SQL Server Properties
- File System Properties
Directory Services
Audit Work Items
Hosts
- Adding Hosts
- Host Properties
- Batch Update Hosts
- Logon As Properties
- SFTP Properties
- FTP/S Properties
- SNMP Device Connection Properties
- WMI
- Contact
- Template Exclusions
- Inventory
- Docker
- Host Assignments
Templates
- Template Properties
- Batch Update Templates
- Log Management Templates
- File and Directory Monitor Templates
- Windows Monitor Templates
- Network and Application Monitor Templates
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
Monitors
- Monitor Hierarchy
- Temporarily Suppress Monitors Actions
Reports
- Report Properties
- Security Reports
- Generic Log Reports
- File and Permission Reports
- Summary Reports
Auto-Configurators
Filters
- Simple Filters
- Complex Filters
- C# Script Filters
Actions
- Desktop Actions
- Email Actions
- Event Log Actions
- Executable Actions
- File Actions
- IIS IP Address Restriction Actions
- Microsoft Teams Actions
- Service Actions
- SMS Actions
- SNMP Trap Actions
- Syslog Actions
- Template
- IIS IP Address Restriction
- Action Variables
Schedules
- Fixed Schedules
- Range Schedules
- Real-Time Schedules
Environment Variables
Options
- Email Settings
- Security Settings
- Syslog Server Settings
- SNMP Trap Server Settings
- Log Viewer Settings
- Web Proxy Settings
- Miscellaneous Settings
Account Lockout Monitoring and Reporting
SNMP
- SNMP Browser
SSH Shell
Exporting and Importing Configuration Objects
Shared Views
- Auto-Config Host Assignment Properties
- General Executable Properties
- Assign Actions
- Assign Directories
- Assign Disks
- Assign Shares
- Assign Files
- Assign Consolidated Logs
- Assign Event Logs
- Assign Azure Audit Logs
- Target Files and Sub-Directories
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Define CSV and W3C Log Entry Columns
- Active Directory User and Group Filters
- Explicitly Assigned Logs
- File Explorer
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Executable Timeline
Command Line Interface
Troubleshooting
- Arithmetic Overflow
- Access Denied
- MySQL: Fatal error encountered during command execution
- Invalid Class
- No Such Interface Supported
- Quota Violation
- The File Exists Errors
- The Interface is Unknown
- The RPC Server is Unavailable
- NetBIOS Errors
- Windows Service Log File
Terminology

Azure Audit Log Consolidation Template

Azure Audit Log consolidation is the process of downloading Azure Audit Logs and saving them to a Data Provider, also known as a Log Database.

How to Configure Azure Audit Log Consolidation:

From the Menu Bar, select File | New. The Create New Object View displays.
From the Create New Object view, expand Template | Log Management then select Log Consolidation. The New Log Consolidation Template Properties view displays.
From the New Log Consolidation Template Properties view, use the Sub type drop-down to select Azure AD Audit Log. The Template Properties view now contains 7 tabs.
- General
- Logs
- Options
- Monitor
- Actions

Logs Tab

The Logs Tab enables you to configure the Azure AD connection then select the logs to consolidate. Before you can configure the software to download Azure AD Audit Logs, you must create an App Registration in your Azure Portal. For more information see: Tutorial: Register an app with Azure Active Directory from Microsoft.

To create an App Registration in Azure:

Log into your Azure Portal at https://portal.azure.com/
Select Azure Services | Azure Active Directory. The Overview displays.
Click Manage | App Registrations. The App Registrations view displays.
Click New Registration. The Register an application view displays.

Use the name field to specify a name (e.g. CBSM), then click Register. The Properties view displays.

Copy the Application (client) ID for later use.
Copy the Directory (tenant) ID for later use.

Select API Permissions. The API Permissions view displays.
Click Add a permission. The Request API permissions view displays.
Select Microsoft Graph then select Application permissions.
From the Select permissions text box type AuditLog.Read.All then check the option.
From the Select permissions text box type IdentityRiskEvent.Read.All then check the option.
Click Add permissions. Once the permissions are added, the API permissions view displays.
Click Grant admin consent then when prompted to confirm click Yes.
Click Manage | Certificates & secrets. The Certificates & secrets view displays.
Click New client secret. The Add a client secret view displays

Specify a name (e.g. MySecret) and an expiration date then click Add.

Copy your new secret Value then save for later use.

To configure the Azure AD connection:

Use the Client ID text box to specify your Azure App registration's Application (client) ID.
Use the Tenant ID text box to specify your Azure App registration's Directory (tenant) ID.
Use the Client secret text box to specify your App registration's secret.

To select the logs to save:

Check the Audit Logs check box to select the Audit log.
Check the Sign-Ins check box to select the Sign-Ins log.
Check the Identity Risk Events check box to select the Identity Risk Events log.

Options Tab

Optionally assign a Consolidation filter to dump entries you do not want saved to the Log Database. When assigned, only entries that pass the assigned consolidation filter are saved to the Log Database.

Use the Initial number of days to download to configure the initial download. Subsequent downloads always pull from the last saved entry forward.

If you have a heavily loaded domain controller you may need to limit the initial download of the Security Event Log to one day then build the database from that point on, otherwise you may receive a Quota Violation. You also have the option of specifying 0 days. When set to 0, Server Manager downloads the last hour of entries which should resolve any Quote Violation errors.

Use the Download in batches of option to minimize WMI results sizes. This option is yet another attempt to work around Quota Violation errors.

If you are unable to resolve Quota Violation errors using the hourly batch method increase the Windows host's WMI Quota. For more information see: WMI Properties.

Use the Clear the remote Event Log after each download to clear the actual Event Log from managed hosts once the download is complete.
Use the Log Entry Retention Policy drop-down to select the retention policy. The retention policy is another template that defines the number of days to retain in the Primary and Archive Log Databases, for example, archive entries older than 30 days and retain entries for 150 days for a total of 180 days. Assign multiple retention policies to remove entries that match filter criteria defined in each retention policy. For more information see: Log Entry Retention Policy Template