1.  Filter out events with Mouse gestures:

Position:  Drill down on any counts against the hosts configured, to grab them in a filtered view /export

Purpose: Filter out any events based on severity, or message strings, to create a quick report.

Let’s tour this feature now, and make your day easier with a sample scenario.

We know that, Eventlog Analyzer application is designed to report on Event logs, from hosts like Windows, Syslog devices (UNIX, Cisco’s, Solaris, Routers/Switches, etc) and application logs (SQL, IBM AS400, IIS and FTP server logs).

Our predefined reports are designed to provide you an overall picture of your enterprise’s activity (Compliance, Top N reports, etc).

For instance, you will see all the hosts collecting logs on ELA, and respective counts on severity, with log collection status on the Home tab itself.

Clicking on a host name should drill down to important events collected and counts of events.  Second level drill down should enable you to view in detail, exact transactions against the hosts. You can also export this page to a PDF or a CSV on demand. Again, I am sure, you are aware on this.

But, do you know we have a user friendly feature on this page, called Mouse gesture?

Try doing a mouse gesture by left clicking your mouse on any attributes, which will filter only the selection you have made, and export it to a PDF or CSV on demand.  You can do a second mouse gesture on this filtered search, to further drill down!! (Event ID is selected as 529, and message contains “a specific string” for unsuccessful user logons.). This feature is available for all the hosts, when you drill down for reports. Refer to some screen shots below.

•      Creating a custom report based on Event Id’s with message filters is a time consuming, but one time affair. In reality, you at least have more than 1 try/attempt, to create a report based on your requirement. Now, you can use this feature by using your simple mouse clicks on any attributes available and do quick sample exports, then use the same attributes on your report profile, once done, and schedule it.  To be short, fill it, schedule it and get your reports based on your schedules.

•     Consider a host with anomalous counts of failed logon and an IT manager should be interested on a report on such transactions (of course, we recommend creating alert profiles to get notifications on such instances).  All you do is drill down to these events, and either export this as a report on demand, or further filter out any important hosts/event id’s / or even message contents, on a couple of clicks, and the job is done. 

After the down slide of US economy, there is lull now. Even the noted economist are not sure which way it will turn. Even in the uncertain economic times, the IT security cannot be compromised. It is a good sign that the companies are considering the IT/data security far too important. 

Gartner Survey Results

This is evidently clear from the results of the recent Gartner survey on budget allocation towards security software and services. Definitely there will be  an increase. It is around 4%. Even though there is an increase in budget, the increase is limited. But during the tough times, you do not have the luxury of big budget. The limited budget, the companies can set aside, need to be spent on the security software judiciously. This was reflected by the Gartner analysts in their report.

Running through my daily read lists, while on Network World Asia I came across the featured article 'How to maintain security without increasing the operational load on IT staff' by Joe Golden an IT manager. Golden's pain points were his increasing network load and minimal staffing to handle this load.

This didn't surprise me at all, I hear many IT managers and administrators with the same woes. More users are logging into the network, applications are many and devices of all types are jostling for network space. Almost like an out of control crowd at a rock concert with the bouncers trying their best to keep them storming the stage or from starting a brawl.They are valid ticket holders yet can disrupt the whole show. Its a hard job!

In addition, you've got backstage pass holders, crew members and all sorts of official pass holders who also need to move around the restricted areas. How's a bunch of tough looking bouncers going to manage it all?

Time for the reinforcements folks! Golden has listed out a few great pointers on how operational load can be reduced in some areas with the help of tools. One of them is the use of automated password reset tools which can save companies thousands of dollars and a huge amount of time as opposed to using help desk to perform the same task.

ManageEngine's ADSelfService Plus (ADSSP) is one such great password management tool. As the name suggests, ADSSP is completely self serviced enabling end users to reset their passwords bypassing the helpdesk. No more frantic midnight calls to helpdesk to reset a password.

Another area Golden finds that staff can be relieved from is Log compilation. Programs that automatically process log data to keep staff updated on any possible threat to the network can significantly reduce staff overload whilst ensuring greater security.

We couldn't have agreed more, sifting and analyzing logs are not what staff should be spending time on. Specially when you can get great reports and set up alerts by letting ManageEngine's EventLog  Analyzer do the laborious work.

Let ManageEngine act as the security guys at your network's concert.

Maybe now you and your staff will have more free time to go have some fun at a real concert than watch it on Youtube!

Go check out our goodies while I find tickets for the next concert.

Log management for Compliance requirements is an increasingly vital process for enterprises across verticals. There are several implications to having an ineffective log management process, both tangible and intangible.

Enterprises that analyze their log data efficiently can easily recognize the value and impact on their IT and overall operations. The insight gained by log analysis and reporting can help enterprises determine their existing security implementation, cut down on costs on extensive regulatory audits and recovery measures, if any. Up to date log data analysis provides insight into the health and accessibility of network(s), system and applications.

A strong log management solution that handles voluminous and variety of logs is a necessary tool for enterprises to maintain the integrity of all data.

Let’s look at a checklist to ensure log management is applied effectively to ensure compliance.

Do’s

1. Make Log management a daily routine and not just to satisfy compliance requirements

If log management is not done only for the sake of meeting regulatory requirements then we can cover our bases much more effectively. It will take care of any overlapping frameworks and reduce the time to meet all regulatory requirements. This will also cover any condition that is overlooked in the impression that another regulatory requirement covers it. Reports and alerts ensure that the security threat posed is brought to your attention, including those beyond the scope of regulatory compliance.

2. Ensure alerts are set up as per the requirements of the enterprise

Ensure all alerts are set up correctly and for the specific requirements of the enterprise and not just to meet compliance requirements. If any critical data is suspected to have been accessed by an unauthorized user it must be alerted instead of ignoring it if it doesn’t meet a specific regulatory requirement. The alert set up must be reviewed and reassessed periodically.

3. Review reports regularly to identify any gaps in the set up and regulatory requirements.

All reports must be checked not just for the expected data but also for any anomalies in them. Reports must be maintained also for what doesn’t meet the requirements and reviewed frequently.

4. Conduct periodic tests to determine the effectiveness of the set up.

The network must be tested for effectiveness and efficiency in managing and analyzing logs in order to ensure that compliance requirements are met appropriately. A robust log management solution is a vital key towards staying compliant. The test must also be highlighted and validated by the system.

5. Have a representative from the legal department to check if all regulatory requirements are understood and met by the IT department.

Not all regulatory requirements are easy to comprehend and hence might be misunderstood by those defining the IT compliance requirements. This is a pitfall that must be avoided hence all legal aspects must be simplified.

6. Have a consistent approach to managing and analyzing the logs.

Make sure there are defined set of rules on how logs must be managed and analyzed. This must be dependent on the enterprise and not on the authorized personnel. If any change in authority takes place the set of rules for log handling mustn’t be changed as this can lead to loss of log data.

7. Check for unauthorized programs installed by users within the network.

Most breaches are caused due to malicious code planted in the network through unauthorized programs. Users are mostly unaware of the potential threat in installing seemingly harmless programs. A log management solution can help detect such unauthorized programs and alert the administrator before any harm is done.

Don’ts

1. Give access to unauthorized users to view, edit and delete any information.

Access to the network must be strictly monitored and only given to authorized members. Data should be classified appropriately and access to them regulated and monitored. All unauthorized access must be alerted promptly by the log management solution.

2. Provision any Team/group access to any critical data.

No authorization must be provided on a team/group level as this is a greater exposure to risks and provide room for human error. Any changes made on one-on-one level will be lost if not communicated on team/group level.

3. Keep unnecessary ports open in the network.

All redundant ports must be closed in the network(s) in order to protect it from any malicious attack. Ports must be periodically reviewed to ensure only those required are accessible.

4. Run unused services in vital servers.

In order to keep the network(s) efficient and easy to manage all unused services must be stopped to avoid any conflict with essential services. Any redundant service poses a risk in interfering with the operation of critical resources, which will lead to failure of required processes.

This isn’t a comprehensive checklist of course but if you don’t have one, this might be a good place to start. Each enterprise needs to get started with log management with their customized set of checklists to ensure the enterprise IT network(s) is optimally secured. Merely being compliant isn’t enough; it also requires staying more vigilant and having stringent security measures in place.

http://www.windowsecurity.com/news/WindowSecurity-Readers-Choice-Award-Event-Log-Monitoring-EventSentry-Feb09.html

PR for the Award:

http://www.marketwire.com/press-release/Manageengine-985914.html

http://linux.sys-con.com/node/952966

Website: http://www.eventloganalyzer.com

Follow us on Twitter http://twitter.com/LogAnalyzer

The event ids of Vista and 2008 servers compared to its predecessors generally follow a 'offset by 4096' rule, i.e the good old logon event represented by id 528 is now 4624(4096+528) and so on. However, this offset rule is not a universal change and there are a few gotchas that surface here and there. For example, logon failures in pre-vista systems were represented by a multitude of event ids ranging from 529 to 537(each indicating a specific reason for the failure), this has now been unified to a single event, namely 4625 and a new field 'Failure Reason' has been added to the message under the category 'Failure Information' highlighting the reason. Another example of this is the 'Audit Log Cleared' event. This event is logged with the id 517 in pre-vista machines but is now changed to 1102 with the source being 'EventLog'(this is another change that skipped mention, the 'Source' of the Security log which till now is 'Security' has been refined to a more meaningful field, the security audit events take the source 'Microsoft Windows Security Auditing', while as mentioned audit logs cleared is logged with source 'Eventlog'.)

The following KB article is a handy reference describing the various security and audit based events in Vista and 2008 servers.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;947226

Scrolling down to the "Notes" section at the bottom of the article, you will find information about a useful command line utility 'wevtutil', which when used in the form mentioned in the article(wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true) fetches a detailed description of every security based event id.

That just about wraps up this post, oh. . and just one more thing. We have set out a small initiative to get you, the real users of the product, tell us what you want from the product over here. The idea behind this is to listen to what improvements you want and if enough users agree, we will work on it on a priority basis. The whole thing is very much in a nebulous state with no entries yet, we encourage you to use this facility to tell us what you would like.

Until next time, ciao.

But, once a regulatory body of your domain formulates compliance acts, you should ensure that your network is secured and compliant with the regulatory act. This will also instill confidence in your customers that you are following standard practices to keep your network secured.

At the next level, if a national government promulgates a law to counter the computer related offenses and if you operate in that country, you have to abide by the act. Failing which you will attract penal action and punishment.

One such example is 'Computer Crime Act B.E 2550 (2007)' of Thailand government.

Enterprises with computer networks and service providers should scout for a Security Information Management (SIM) solution which fulfills the requirements of the government act.

The SIM solution application should be,

• easy to use
• should be able to install on any platform 
• access the application from anywhere (should we say web-based)
• should require minimum manual intervention to operate
• collect the security information (logs) from a central location
• agent should not be required 
• should collect information from heterogeneous devices
• analyse, normalise, and aggregate the log information
• provide multi-format, canned, customisable, scheduled, and distributable reports
• generate alerts for anomalous and specific log information
• notify the alerts by Email or other means
• flexible archiving of log information to suit the requirements of government act
• importing the log information from archive or any other system which is not monitored by the application
• analysing and generating reports for imported log information
• exhaustive search feature to cater for forensic analysis requirements of government act
• above all, it should not pinch your pocket

Wonder whether some such SIM solution is available? Give ManageEngine EventLog Analyzer a try.

AdventNet ManageEngine is hosting Roadshows in countries across the European Union.

If security of your enterprise IT infrastructure is your concern, then you must visit ME Euro Roadshow 2008.

We are available in your town. Feel free to seek any information about EventLog Analyzer.  Join us at the Roadshow in your country, register here 

Check complete details about the Roadshow, visit the link: http://manageengine.adventnet.com/euroroadshow/