GFI Software/GFI EventsManager
GFI EventsManager is a results oriented event log management solution which integrates into any existing IT infrastructure, automating and simplifying the tasks involved in network-wide events management.
The aim of this book is to provide access to important information that can help users make the best use of GFI EventsManager. Wikibookians are therefore encouraged to update this content and/or send feedback, ideas and comments on how this documentation can be further improved via the wiki discussion board, GFI Forums, or by sending an email to email@example.com.
All feedback is welcome! Please contribute your topics with the above principles in mind.
The enormous volume of system events generated daily is of growing importance to organizations whose business is required to record information for forensic purposes and the ever-growing reach of regulatory compliance. Increased threats to business continuity call for an approach that includes real-time monitoring of the network; and you also need the ability to analyze and report event data to address any incidents or security concerns.
GFI EventsManager helps you meet legal and regulatory compliance including SOX, PCI DSS, Code of Connection and HIPAA. This award-winning solution automatically processes and archives logs, collecting the information you need to know about the most important events occurring in your network. It supports a wide range of event types such as W3C, Windows events, Syslog, SQL Server audit logs and SNMP traps generated by devices such as firewalls, routers and sensors as well as by custom devices.
How does GFI EventsManager work?
During the Event Collection stage, GFI EventsManager collects logs from specific event sources. This is achieved through the use of 2 event collection engines: The Event Retrieval Engine and the Event Receiving Engine.
The Event Retrieval Engine - The Event Retrieval Engine is used to collect Windows Event Logs and W3C logs from networked event sources. During the Event Collection process this engine will:
The Event Retrieval Engine collects events at specific time intervals. The event collection interval is configurable from the GFI EventsManager management console.
The Event Receiving Engine - The Event Receiving Engine acts as a Syslog and an SNMP Traps server; it listens and collects Syslog and SNMP Trap events/messages sent by various sources on the network. As opposed to the Event Retrieval Engine, the Event Receiving Engine receives messages directly from the event source; therefore it does not require to remotely log-on to the event sources for event collection. Further to this, Syslog and SNMP Trap events/messages are collected in real-time and therefore no collection time intervals need to be configured.
By default, the Event Receiving Engine listens to Syslog messages on port 514 and to SNMP Trap messages on port 162. Both port settings are however customizable via the GFI EventsManager management console.
During this stage, GFI EventsManager will run a set of Event Processing Rules against collected events. Event Processing rules are instructions that:
GFI EventsManager can be configured to archive events without running Event Processing rules. In such cases, even though no rules will be applied against collected logs, archiving will still be handled by the Event Processing stage. After processing the rules, GFI EventsManager can be configured to store the collected events in a storage folder. The administrator can configure the path of the storage folder and configure which events are stored. This function will minimize database growth, and allows the administrator to store only important events in the database.
For more information on GFI EventsManager, refer to How does GFI How dows GFI EventsManager work?
Manual for GFI EventsManager 2010
The aim of the GFI EventsManager Manual is to help you install, use and configure GFI EventsManager. It describes:
- How to install GFI EventsManager.
- How to browse collected events.
- How to generate reports.
- How to configure and manage event sources.
- How to configure and use event processing rules.
- How to manage rule-sets.
- How to customize alerts and actions.
- How to configure users and groups.
- How to monitor GFI EventsManager status.
- Troubleshooting information on common issues.
The following links enables you to browse GFI EventsManager manual.
Chapter 5: How to enable the GFI EventsManager ReportPack to create reports that further analyze the events stored in the GFI EventsManager database backend. In addition describes how to configure a user to receive GFI EventsManager Daily Digest email.
Chapter 7: How to use event processing rules.
Chapter 15: Technical terms used within GFI EventsManager.
This section explains how you should go about resolving issues that you might encounter while using GFI EventsManager. The main sources of information available are:
- The manual - most issues can be solved by reading GFI EventsManager manual
- Download product manuals from www.gfi.com
- GFI Knowledge Base articles
- GFI maintains a Knowledge Base, which includes answers to the most common problems. If you have a problem, please consult the Knowledge Base first. The Knowledge Base always has the most up-to-date listing of technical support questions and patches. To access the Knowledge Base, visit http://kbase.gfi.com/.
- Web forum
- User to user technical support is available via the web forum. The forum can be found at http://forums.gfi.com/.
- Contacting GFI Technical Support
- If you still cannot solve issues with the software, contact the GFI Technical Support team by filling in an online support request form or by phone.
- NOTE: Before you contact our Technical Support team, please have your Customer ID available. Your Customer ID is the online account number that is assigned to you when you first register your license keys in our Customer Area at https://customers.gfi.com/login.aspx.
- GFI support will answer your query within 24 hours or less, depending on your time zone.
|Error message: Not connected to the database or connection was lost.||Description
This error is encountered when GFI EventsManager is unable to connect with the SQL database or the database connection was interrupted.
The following links contain information on how this issue can be solved.
How do I debug Failed to connect to database?
How do I configure SQL Server 2005/2008 to accept SQL Authentication?
How do I configure SQL Server 2000 to accept SQL Authentication?
Enabling TCP/IP on Microsoft SQL Server 2005
How to create a new database in Microsoft SQL Server
|Error message: Primary Filegroup Full.||Description
This error is encountered when GFI EventsManager database backend has a maximum file size limitation and is unable to store any further data.
Configure the database backend to allow larger file size. This can be done on both Microsoft SQL Server and Microsoft SQL Server Express edition. For more information on how to change the maximum file size, refer to http://kbase.gfi.com showarticle.asp?id=KBID003670
|Error message: Could not complete cursor operation because the table schema changed after the cursor was declared||Description
This error is encountered when the administrator is performing maintenance tasks on the GFI EventsManager databases while the GFI EventsManager service is running.
To avoid this, ensure that GFI EventsManager service is stopped whilst performing any maintenance tasks on the GFI EventsManager database. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID003011
|Error message 1:Error connecting to machine MACHINENAME, Error 0x35, Message: The network path was not found.
Error message 2:Error connecting to machine MACHINENAME, Error 0x52E, Message: Logon failure: unknown user name or bad password.
Error message 3:Critical error encountered: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
Error message 4:Unexpected error when connecting to machine MACHINENAME; remote W3C logs path is: PATH\*.*
These errors are encountered when GFI EventsManager tries to collect events from a machine that is not accessible over the network or the credentials are invalid.
Possible solution 1
Possible solution 2
When using a personal firewall, check that the required firewall ports are configured to allow traffic. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID002770 When using Windows firewall, check that all the required firewall permissions are enabled. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID003688
Possible solution 3
Ensure that GFI EventsManager is installed on a supported environment. For more information on where GFI EventsManager can be installed, refer to http://kbase.gfi.com/showarticle.asp?id=KBID002842
|No event logs are being collected by GFI EventsManager.||Description
This issue can be caused by various factors and is dependent on the environment where GFI EventsManager is installed. For a checklist on how to resolve this issue, refer to http://kbase.gfi.com/showarticle.asp?id=KBID002819
|Error message 1: A timeout was reached (60000 milliseconds) while waiting for the GFI EventsManager service to connect.
Error message 2: Error 1053: The service did not respond to the start or control request in a timely fashion.
The GFI EventsManager executables are digitally signed by default. When trying to start the service, the application must download the Certificate Revocation List to authenticate. If the download fails due to network connectivity or security reasons the service will fail to start by timing out.
Possible solution 1
Increase the default service timeout settings as described in the following Microsoft knowledgebase article http://support.microsoft.com/kb/941990
Possible solution 2
Disable Certificate revocation list (CRL).
Note: The setting above can be reverted by running the following command: setreg.exe 3 TRUE For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID003365
|Error message: The maintenance job failed!||Description
GFI EventsManager uses an ASP.Net Library called GZipStream to compress and export data from the GFI EventsManager databases. GZipStream is unable to compress data larger than 4GB. GFI EventsManager will return this error when trying to export data which is larger than 4GB.
In order to export the data required, use the GFI EventsManager Advanced Filters to reduce the number of Events exported. Therefore eventually reducing the size of the data which is being compressed. For more information, refer to Configuring data filter conditions section in this manual.
|Error message: Event Log Records could NOT be retrieved: The RPC server is unavailable||Description
This error may occur if:
Investigate each possible problem and make the necessary changes. Then try to collect events from target computers. For more information, refer to http://kbase.gfi.com/showarticle.asp?id=KBID002820
|GFI EventsManager reports an error number 1069.||Description
When installed, GFI EventsMananger asks for a valid username and password. This error is encountered when an invalid password is submitted in the installation wizard.