Product: ManageEngine EventLog Analyzer
IT professionals know that knowledge is power, and when you’re managing a complex network, it’s important to have all the information possible on what’s going on with your systems. Luckily, we have logging mechanisms that record events, including security-related events. Those logs contain data that can help you track down the origins of security breaches (or attempted breaches), determine whether, when and by whom the network, systems and particular objects were accessed, policies were changed, files were modified or deleted, and so forth.
The bad news is that these logs are huge in volume and sorting through them to know what really happened can be time consuming and tedious. Increasingly, however, you don’t have a choice; regulatory requirements in many industries mean you have to be able to make sense of all that information in order to document compliance. The good news is that there’s a whole new category of software designed to help you do that. Security Information and Event Management (SIEM) is getting a great deal of buzz lately, but there are so many SIEM solutions on the market that it’s hard to choose the right one.
I recently tested a SIEM product called EventLog Analyzer from ManageEngine that serves a number of purposes. It works as a protective layer by performing threat monitoring, file integrity monitoring, and privileged user monitoring as well as sending real-time alerts. After the fact, it provides for collection and archiving of logs, parsing and indexing and comprehensive log search. It allows you to do forensics examinations of logs and even makes the onerous task of generating compliance reports easier.
EventLog Analyzer monitors Windows, UNIX and Cisco events, among others. In fact, it can support practically any human-understandable log format. You can find a list of supported devices here. It can be installed on both Windows and Linux; I tested the Windows version on Windows Server 2012.
Installation and Setup
One thing I noticed was that the installation process was easy. You get the choice of either “one-click” installation or advanced installation.
If you select the one-click option, that’s all there is to it. The software is installed to a default location on the C: drive. If you choose the advanced installation, you get to make some choices. If you’re just trying it out, you can select which edition to install: the free edition (limited to 5 hosts/applications and fewer features, but doesn’t expire), the standalone edition (full feature set and unlimited number of hosts/apps, but in 30 days reverts to the free edition if you don’t buy a license), or distributed edition for large enterprises (trial expires in 30 days). I went with the standalone edition for this test.
With the advanced install, you can choose a destination folder where the software will be installed. A message will pop up telling you to define an exception for the program’s directory in your antivirus scanner. You can then define the web port to be used, language (English, Simplified or Traditional Chinese, Japanese or “other”), and the web protocol (http or https). By default, EventLog Analyzer is installed as a service. You can uncheck this box if you want to install it as an application instead. Next, you select a program folder where program icons will be added (by default, a folder named ManageEngine EventLog Analyzer 8 is created). That’s it – review the settings and click Next to start the installation. As you can see, even the advanced installation isn’t complicated, unlike with some products I’ve tested, where I ran into obstacles and spent hours just trying to get the program installed.
If you installed as a service, the “Finish” dialog box gives you the option to start the service but this is not checked by default. You can start it through the Administrative Tools | Services; click the Start button. If you installed as an application and change your mind, you can convert it to a service.
The web client should open to the splash screen page on the local machine. It will take a while to initialize modules. Internet Explorer may block the page from running ActiveX controls, in which case it will seem to be hung. Be sure to enable running of ActiveX for the page. You log in with a default password the first time.
Next you’ll see the tabbed interface that’s shown in the screenshot below. It’s simple to navigate; my only minor complaint would be that I’d prefer if the navigation pane on the left remained in place while you’re performing all tasks; it sometimes disappears and the entire window is occupied by the dialog box instead. Of course, you can still use the tabs across the top to navigate.
The first thing you have to do is add the devices that you want to monitor. You can type in the host names (comma-separated) or you can choose to “Pick hosts” and have the software scan the domain or the entire network and present you with a list of hosts.
You’ll need the user name (administrator) and password to access the hosts. You can set the frequency (monitor interval) for getting the logs from the host computers. You have to import application logs, although some can also be imported automatically at set intervals. You can import logs from the local machine or remote hosts. It’s a pretty simple process.
To import a log file (through the Imported Log Files selection in the left pane), you need to choose the log format, the time interval (just once, every hour, every day or every X number of minutes), and the log type (application, security, system, DNS server, file replication server, directory service). You can enter the file location or browse for it in the file system. It can take quite a while to import a large log file, but you’ll see turning arrows and “In progress” under the Report Type field during the importation.
Notice the “Need Help?” tab at the left side. You can click that at any time and it slides out a little dialog box where you can type in your question, your email address and phone number. I like this idea a lot; it’s a quick and easy way to contact ManageEngine for support. You don’t have to go hunting for tech support contact info. There is also a Support link at the top of the page, which takes you to a number of helpful links with troubleshooting tips, online forms, contact info, the user forum and the ability to create a support information file. You can also join a live meeting from this page, and there’s even a link to submit a request for new features in future releases.
There were a few aspects of the interface that I found just a little confusing. If you look back at Figure 3, that screen appears to be the Settings screen. However, if you click that Settings tab, it takes you to a control-panel-type Settings page that has many different options for Configurations, Admin Settings and System Settings, shown in Figure 5.
From this screen, you can do many of the same tasks you get to from that left navigation panel. It reminds me a little of Windows, in that there are many different ways to accomplish the same thing. Once you figure that out, it’s good to have options, but it can be slightly perplexing to a first-time user.
Of course, the real value of a SIEM solution lies in its ability to aggregate and evaluate the log data from different sources, notify you in real time of important events and trends, and to produce reports that provide you with information you can use to make security decisions.
EventLog Analyzer lets you create alert profiles for specific security-related events. You’ll need to configure the mail server and define the criteria for the alert or use one of the predefined alerts (I counted more than fifty of them). You can exclude specific event IDs and set the occurrence rate (i.e., number of occurrences within a specific time frame).
There are several different predefined reports in EventLog Analyzer that you can use, and you can also create custom reports (which you’ll find in the “My Reports” section). Predefined reports include top network activities, user activity reports, trend reports, detailed application reports, detailed host reports, important events, or all events (classified by type). This includes “Top” reports (top hosts, top users, top processes by various criteria), User Activity reports, Trend reports, Detailed Application reports, and Detailed Host reports. For many, compliance reports are vital. EventLog Analyzer includes FISMA, PCI, SOX, HIPAA and GLBA reporting.
But these predefined reports aren’t always enough. You can also do a free-form search of the logs and you can create custom reports, including customized compliance reports. The Search feature allows you to search for specific terms in specific fields and you can use Boolean operators and wildcards. The Advanced Search lets you search by event IDs, severity, user, source, log type, message or user field.
Creating custom reports is fairly easy. There is a step-by-step wizard type interface that walks you through the process.
For compliance reports, once again there are two ways to do it: You can create a new report from the Reports tab and select “Compliance” as the type, or you can add a new compliance report from the Compliance tab.
Once you’ve defined your reports, they can be produced in HTML format or if they’re set up to be automatically run and emailed, they will be generated as PDF attachments. You can also export the HTML reports to PDF or CSV.
I’ve focused on the security features of EventLog Analyzer here because that’s my primary field of interest, but there’s more to it than that. You can also create all sorts of trend reports: hourly and weekly, both current and historical and they can be based on event categories, severity or triggered alerts. In addition to their security relevance, these can provide important information about performance and usage and help you track down system or application problems. The Active Directory log monitoring capability is also useful for troubleshooting as well as monitoring of security-related information.
And EventLog Analyzer, despite its name, does a lot more than just analyze event logs. It can also be used to monitor files and folders for changes (including changes to attributes). You can exclude specific files, as well. Agent software is installed on the host machine where the monitored files reside. An agent can also be used to collect event log data on the other side of a firewall or across a wide area network link, but the default method is agentless and uses WMI/DCOM. If your security policy doesn’t permit the use of those technologies, you can use the agent.
Something that can be particularly useful to new users is the “Ask Me” link in the Settings control panel interface that we saw in Figure 5. This takes you to a list of quick questions that help you get commonly desired information, such as which machine has a high number of login failures or which users modified or cleared the security audit log. Once again, there’s a handy link where you can submit suggestions for more questions to be included in this list.
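To make concrete what an alert profile (occurrence threshold within a time frame, with excluded event IDs) and the “which machine has a high number of login failures” quick question are doing under the hood, here is an added example of that logic run over a few constructed Windows security events. This is illustrative code written for this review, not ManageEngine’s own implementation; the event IDs 4625, 4634, 4776 and 1102 are standard Windows security event IDs, the hosts and users are made up, and the profile fields are hypothetical names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, host, Windows event ID, user); not real log data.
SAMPLE_EVENTS = [
    ("2013-05-01 09:00:05", "SRV01", 4625, "bob"),    # logon failure
    ("2013-05-01 09:00:20", "SRV01", 4625, "bob"),
    ("2013-05-01 09:00:40", "SRV01", 4625, "bob"),
    ("2013-05-01 09:00:50", "SRV02", 4625, "alice"),
    ("2013-05-01 09:01:00", "SRV01", 4776, "bob"),    # NTLM validation, noisy
    ("2013-05-01 09:01:10", "SRV01", 4625, "bob"),
    ("2013-05-01 09:01:30", "SRV01", 4634, "bob"),    # logoff, not a failure
    ("2013-05-01 09:20:00", "SRV01", 4625, "bob"),    # outside the 5-minute window
    ("2013-05-01 09:20:30", "SRV02", 1102, "admin"),  # security audit log cleared
]

# Hypothetical alert profile: match these IDs, drop excluded ones, fire when
# a single host accumulates `threshold` matches inside `window_minutes`.
FAILED_LOGON_PROFILE = {
    "event_ids": {4625, 4776},
    "exclude_ids": {4776},
    "threshold": 4,
    "window_minutes": 5,
}

def evaluate_profile(events, profile):
    """Return [(timestamp, host)] for each time the profile's threshold is reached."""
    window = timedelta(minutes=profile["window_minutes"])
    recent = defaultdict(deque)   # per-host timestamps still inside the window
    alerts = []
    for ts_str, host, event_id, _user in sorted(events):
        if event_id not in profile["event_ids"] or event_id in profile["exclude_ids"]:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= profile["threshold"]:
            alerts.append((ts_str, host))
            q.clear()                      # one alert per burst, then re-arm
    return alerts

def login_failures_by_host(events, failure_id=4625):
    """Quick question: rank hosts by number of logon failures (highest first)."""
    counts = defaultdict(int)
    for _ts, host, event_id, _user in events:
        if event_id == failure_id:
            counts[host] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def audit_log_cleared(events, cleared_id=1102):
    """Quick question: which (host, user) pairs cleared the security audit log."""
    return [(host, user) for _ts, host, event_id, user in events if event_id == cleared_id]
```

Note how excluding 4776 delays the alert to the fourth genuine 4625 on SRV01, while the single failure on SRV02 never reaches the threshold.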
I guess what I like most about EventLog Analyzer is the attention to details that make the user experience better, which are apparent throughout the interface. They have really gone above and beyond to ensure that you can get help when you need it, and that help isn’t offered in just one or two forms. I also like the solicitation for suggestions that’s built directly into the software in various places – it makes me feel as if the vendor actually cares about what the IT pros using their solution want and need. My only (very minor) quibble here would be that it would be useful if the Quick Start Guide included more screenshots (there are screenshots in the linked pages, but I’d like to see them included in the main content of the Guide).
This solution manages to be extremely full featured without being complicated. Despite a couple of moments of confusion as I got acquainted with the interface, I never encountered one of those dialog boxes that makes you want to pull your hair out because you don’t know what it’s asking for, and I never had to puzzle for long over how to accomplish any task.
Previous versions of EventLog Analyzer have won awards from SC and Info Security Products Guide, and this version deserves the WindowSecurity.com Gold Award with a 4.5 rating.
WindowSecurity.com Rating: 4.5/5