|
| Q1. When the Windows Event Log is full, how does EventTracker™ function? |
When any Windows Event Log file is full, EventTracker™ backs up the specific event
log file and then clears it. Logging of events continues and event log monitoring
never stops.
Example: assume that the application log file (AppEvent.Evt) is full. First a backup
file named AppEvent<Time Ticks>.Evt is created in the EventTracker™ Agent directory
('C:\Program Files\Prism Microsystems\Tracker\Agent' is the path if the default
installation directory was chosen for the Agent), and the content of the full
application log file is copied into this new file. A sample name is
"AppEvent1035280039.evt". Then the application log file is cleared and is ready to
log subsequent events.
|
| Q2. What are the ports used by EventTracker™?
Since I am using a personal firewall, do I have to exempt these
ports for EventTracker™ to work on my system? |
Ports used by the Client component:
14506 - TCP, bi-directional
Ports used by the Manager component:
14505 - UDP, uni-directional from Client to Manager. Port used to receive
the events.
514 - UDP, uni-directional from Client to Manager. Port used to receive
SYSLOG messages.
|
| Q3. How do I configure program exceptions in Windows Firewall Group Policy for EventTracker? |
The syntax for defining program exceptions in Windows Firewall Group Policy settings is:
ProgramPath:Scope:Enabled|Disabled:ApplicationName
The settings required to configure EventTracker as an exception are:
%Program Files%\Prism Microsystems\EventTracker\ETconsole2.exe:*:Enabled:EventTracker Manager
%Program Files%\Prism Microsystems\EventTracker\Agent\etagent.exe:*:Enabled:EventTracker Agent
%Program Files%\Prism Microsystems\EventTracker\Agent\etaconfig.exe:*:Enabled:EventTracker AgentConfig
%Program Files%\Prism Microsystems\EventTracker\ETArchive.exe:*:Enabled:EventTracker Archiver
The syntax for defining port exceptions in Windows Firewall Group Policy settings is:
Port#:TCP|UDP:Scope:Enabled|Disabled:PortName
The settings required to configure EventTracker ports are:
14506:TCP:*:Enabled:EventTracker_TCP
14505:UDP:*:Enabled:EventTracker_UDP
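As an added example (not part of this FAQ or of the EventTracker product), the following Python parses entries in the two formats above, copes with the colon that an expanded path such as C:\... carries, and lists the enabled rules whose scope is the wildcard *, which are the ones to review for narrowing to the Manager's subnet. The FirewallException class and the function names are this example's own; the entries are the FAQ's values.

```python
from dataclasses import dataclass

# The FAQ's own entries (two of the program rules and both port rules).
FAQ_PROGRAM_ENTRIES = [
    r"%Program Files%\Prism Microsystems\EventTracker\ETconsole2.exe:*:Enabled:EventTracker Manager",
    r"%Program Files%\Prism Microsystems\EventTracker\Agent\etagent.exe:*:Enabled:EventTracker Agent",
]
FAQ_PORT_ENTRIES = [
    "14506:TCP:*:Enabled:EventTracker_TCP",
    "14505:UDP:*:Enabled:EventTracker_UDP",
]

@dataclass
class FirewallException:
    kind: str      # "program" or "port"
    target: str    # program path, or "port/protocol"
    scope: str     # "*" (any address) or a list of addresses/subnets
    enabled: bool
    name: str

def _state(token: str) -> bool:
    if token not in ("Enabled", "Disabled"):
        raise ValueError(f"state must be Enabled or Disabled, got {token!r}")
    return token == "Enabled"

def parse_program_exception(entry: str) -> FirewallException:
    # Split from the right: an expanded path such as C:\... carries its own
    # colon, so only the last three separators delimit fields.
    path, scope, state, name = entry.rsplit(":", 3)
    if not path or not name:
        raise ValueError(f"empty path or name in {entry!r}")
    return FirewallException("program", path, scope, _state(state), name)

def parse_port_exception(entry: str) -> FirewallException:
    port, proto, scope, state, name = entry.split(":", 4)
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP, got {proto!r}")
    number = int(port)
    if not 1 <= number <= 65535:
        raise ValueError(f"port out of range: {number}")
    return FirewallException("port", f"{number}/{proto}", scope, _state(state), name)

def open_to_any_address(exceptions: list) -> list:
    # Names of enabled exceptions whose scope is the wildcard "*", i.e. the
    # rules that accept the listed program or port from any address.
    return [e.name for e in exceptions if e.enabled and e.scope == "*"]
```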
|
| Q4. What is the EventTracker™ agent? What is its function? Can I use the
EventTracker™ Installation Kit? |
The EventTracker™ agent is a highly tuned agent that monitors the events on each
system in an enterprise. It consumes virtually no resources (less than 0.5 CPU and
0.0001% network bandwidth). The agent has been carefully designed around a
multithreaded architecture that ensures all events are monitored optimally and in
real time.
The main functions of the EventTracker™ agent are:
- Immediately after an event occurs on the system, only the event detail is forwarded
to the central console. No other network traffic is generated.
- Monitors intrusion detection, incoming network connections, chatting and
web surfing.
- Monitors all events from the Windows Event Log while providing an option
to filter out non-critical events.
- It does not perform expensive polling of the Windows Event Log. Instead,
whenever an event is written into the event log, it catches it and forwards it
to the central EventTracker™ console.
- Monitors and reports on processes. Helps you monitor runaway processes
that are consuming critical system resources.
- Monitors and reports software install/uninstall.
- Monitors Windows services and can automatically restart them.
- Monitors system resources (memory, CPU, disk space) and reports usage
exceeding specified threshold limits.
- Automatically backs up and clears an event log that reaches maximum
capacity.
- Can forward events seamlessly to multiple managers such as HP OpenView,
Tivoli NetView and Unicenter.
The EventTracker™ Agent is available as part of the 21 day trial version.
|
| Q5. How is the EventTracker™ agent used? |
The EventTracker™ agent can be installed remotely or manually on systems. The
EventTracker™ agent can be remotely installed on systems in the same domain or
in trusted domains. If a system is outside the domain, the EventTracker™ agent
is installed manually using the EventTracker™ Installation Kit.
For EventTracker™ Agent related information, please refer to .
|
| Q6. Why do I need an agent to monitor events? |
Earlier agentless architectures did not fulfill the increasing monitoring and
security needs of our customers. Without the agent, this software cannot achieve
the reliability, scalability, security and performance required to manage an
enterprise. Some casual event management tools use an agentless architecture to
poll for events and do a few useful things, but they cannot provide your
organization the total event management solution an enterprise needs. Besides,
the agentless solution's requirement of polling for events not only consumes
much more network bandwidth but also places a significant performance load on
the systems being monitored if you want to monitor events in real time.
|
| Q7. What are the custom events generated by EventTracker™? |
to
view the custom events generated by EventTracker™.
|
| Q8. How do I optimize EventTracker™? Can I use filters and the
Traffic Analyser? |
After EventTracker™ is deployed on numerous systems in a large network it is
very likely that you will notice EventTracker™ receiving millions of events. A
majority of these events will be of little use to you. Using appropriate
priorities you can filter out unnecessary events to improve utility. Filtering
unnecessary events is a powerful feature based on the priorities you configure.
The Traffic Analyser is a tool that is part of the EventTracker™ Console. It
helps you find the details of the most common events and set your order of
priority. Accordingly, create filters for non-essential events that only
increase traffic but have little value.
Filtering is a continuous process. Priorities may vary from one system to
another. Over a period of time, with experience, priority events can be
separated from non-priority events on a specific system. Repeating this process
every week enables you to receive only events of value in optimizing your
operations. When non-priority events are filtered out EventTracker™ functions
optimally.
|
| Q9. Can I have EventTracker™ Agents sitting on remote systems (outside my
LAN/Domain) and capable of forwarding events to a single EventTracker™ Manager
located in our HQ? |
Yes. EventTracker™ Agents can forward events to any system over the Internet or
intranet. The following deployment diagram will give you a better picture of a
possible deployment.
|
|
| Q10. Is it possible to import existing event log files (evt format) into
EventTracker™? |
Yes, events can be imported into the EventTracker™ database.
To import existing event log information into the EventTracker™ database,
do the following:
1. Download the following Import Utility from -
2. Unzip the contents of this (zip) file into a temp directory (say c:\import)
3. Open a command prompt and go to c:\import
4. Execute the following command - allevt <System name>
i.e. allevt followed by the system name or IP address of the system hosting
the EventTracker™ Manager.
For example: if the EventTracker™ Manager is installed on system JOHN_01, which
has the IP address 167.134.32.43, then the command should be "allevt JOHN_01"
or "allevt 167.134.32.43".
Note: This process has to be repeated from all systems from which you would
like to import the log files. For example, if the EventTracker™ Manager is
installed on the system JOHN_01 and there are EventTracker™ Agents installed on
OLIVER_01 and THOMAS_01, then first run this from OLIVER_01 giving JOHN_01 as
the manager and then repeat the process for OLIVER_01. |
|
| Q11. Can we collect event logs in
a secure manner? |
Yes, you can. Please refer
to our white paper on .
|
|
| Q12. Does EventTracker provide a method to include multiple match strings in
Filters, Alerts and Categories? |
A multiple string match feature has been added to Alerts, Filters and Categories.
In all of the above features the Description field can take multiple strings
separated with && or ||.
&& stands for the AND condition
|| stands for the OR condition
For example, if you want to be alerted for all events that have the words
"Logon" and "password", then you have to provide the Description field of the
Alert as follows:
Logon && password
Similarly, if you want to be alerted if either Logon or password is present,
then enter the Description field as follows:
Logon || password
These conditions can also be used together in the same alert/filter/category
description.
Another example of this feature is:
UPS || Visual Studio Analyzer && service
This will match any string that contains either (UPS and service) or
(Visual Studio Analyzer and service).
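An added example, not from this FAQ or from the product: a Python matcher that evaluates such Description expressions strictly left to right, the reading that reproduces the FAQ's last example, run over constructed sample descriptions. Case-insensitive matching and the function names are assumptions of this example.

```python
import re

# Constructed sample event descriptions (not taken from the FAQ).
SAMPLE_EVENTS = [
    "Logon failure: unknown user name or bad password",
    "The UPS service entered the stopped state",
    "Visual Studio Analyzer service started",
    "UPS battery is low",
    "Password change requested for user alice",
]

_OPERATOR = re.compile(r"\s*(&&|\|\|)\s*")

def matches_description(expression: str, description: str) -> bool:
    """Evaluate an Alert/Filter/Category Description expression.

    Terms are substrings joined by && (AND) and || (OR). Evaluation is
    strictly left to right with no operator precedence, which is the
    reading that reproduces the FAQ's example: the expression
    'UPS || Visual Studio Analyzer && service' becomes
    (UPS present OR Visual Studio Analyzer present) AND service present.
    Matching is case-insensitive here; that is an assumption of this
    example, the FAQ does not say.
    """
    parts = _OPERATOR.split(expression.strip())
    terms, operators = parts[0::2], parts[1::2]
    if any(not t for t in terms):
        raise ValueError(f"empty term in expression {expression!r}")
    haystack = description.lower()
    result = terms[0].lower() in haystack
    for op, term in zip(operators, terms[1:]):
        hit = term.lower() in haystack
        result = (result and hit) if op == "&&" else (result or hit)
    return result

def matching_events(expression: str, events: list) -> list:
    """Return the descriptions in `events` that satisfy `expression`."""
    return [e for e in events if matches_description(expression, e)]
```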
|
|
| Q13. How does the Agentless feature work? |
The Agentless event monitoring feature has been added to the EventTracker
framework, in addition to Agent based monitoring.
Agentless monitoring of a system can be set up from the Client Manager utility
that is used for Agent deployment. In the wizard that assists with installation,
one of the steps is to choose between Agent Based and Agentless monitoring.
For Agentless monitoring the user has to provide login credentials that have
administrative privileges on all the systems selected for Agentless monitoring.
Agentless monitoring uses a periodic polling method and hence is NOT real-time.
If real-time monitoring is important, please opt for Agent based monitoring.
Agentless monitoring provides only basic functionality, hence you will only
receive events that have been logged in the respective system's event log by
the OS or the applications running on it. None of the custom EventTracker events
will be available from such systems.
|
|
| Q14. How do I configure EventTracker to play a sound file when I receive a
certain critical event? |
EventTracker provides various forms of alerts; using the "Custom action" alert
option you can achieve this.
To configure EventTracker to execute a WAV file when an ERROR event occurs,
perform the following steps:
- Click the Alerts button or choose Options -> Alerts
- Click the Add button
- Click the "Custom" check box in the Actions section at the bottom
- Browse and select mplayer2.exe (the default media player for Windows 2000) or
any other player capable of playing wave files, followed by the path to the wave
file that you would like to play. You could also use a batch file that executes
the media player passing the desired WAV file path.
Example: "C:\Program Files\Windows Media Player\mplayer2.exe" "C:\Program
Files\GetRight\sounds\all_done.wav"
- Click the OK button.
- Click the OK button to complete the creation of the Custom Alert.
|
|
| Q15. Can we receive events from a Cisco PIX firewall into EventTracker? |
Yes. EventTracker is designed to receive SYSLOG events as well as SNMP traps
from the Cisco PIX firewall. The PIX Firewall can send syslog messages to the
EventTracker console. You can also further customize events, send an alert or
generate an appropriate report using the extended framework provided by
EventTracker. EventTracker also contains special categories (knowledge pack) to
manage PIX events.
Three steps to send syslog messages to an EventTracker Console:
1. Configure syslogd to send syslog messages to EventTracker (the Configuration
Guide for the Cisco Secure PIX Firewall Version describes the procedure for
configuring syslogd):
logging host EventTracker 192.168.1.1
2. Set the logging level with the logging trap command; for example:
logging trap errors
3. Start sending messages with the logging on command. To disable sending
messages, use the no logging on command. |
|
| Q16. What does "Duplicate Alert Suppression" mean? |
EventTracker provides the facility of generating user configurable alerts for
events received by EventTracker. This feature is very useful in case the user is
not always available at the Manager Console.
If multiple instances of an event with a configured alert are received in a
short period of time, a large number of alerts will be generated, which could
confuse the user. The Duplicate Alert Suppression feature handles such a deluge
of alerts by suppressing any alert that is a duplicate of an alert received
earlier within a particular time-frame. |
| Q17. How do I use the feature "Duplicate Alarm Suppression"? |
The "Duplicate Alarm Suppression" feature is not GUI driven, but has to be
configured manually. The configuration settings are present in evtrxer.ini.
This configuration file is located in the directory where EventTracker is
installed; a typical example would be "C:\Program Files\Prism Microsystems\EventTracker".
The evtrxer.ini file has the following settings by default:
dup_suppr_interval = 0
max_alerts_allowed = 0
dup_suppr_interval: This is the interval, in seconds, during which duplicate
alerts will be suppressed.
- The value 0 DISABLES the suppression feature.
max_alerts_allowed: This is the maximum number of duplicate alerts that will
be allowed during the interval set in dup_suppr_interval.
- The value 0 causes all duplicate alerts to be suppressed, which means that
only one alert will be allowed during the suppression interval.
NOTE: The ETReceiver service has to be restarted after any change is made to
the evtrxer.ini file. If the service is not restarted, the changes will not be
picked up by the service.
Sample Alert Suppression setting:
dup_suppr_interval = 300
max_alerts_allowed = 5
The above settings tell EventTracker to allow a MAXIMUM of 5 DUPLICATE alerts
to be triggered within a timeframe of 300 seconds. An alert is considered a
duplicate only if it is triggered by the same event. |
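An added example, not EventTracker's own code: a Python model of how these two settings act on a stream of alerts, run over a constructed alert sequence. It assumes the window slides over the alerts already let through and that max_alerts_allowed counts duplicates after the first alert (so 0 lets one alert through per interval, as stated above); the class and function names are this example's.

```python
from collections import defaultdict, deque

class DuplicateAlertSuppressor:
    """Models the evtrxer.ini settings described in the FAQ.

    dup_suppr_interval: window length in seconds; 0 disables suppression.
    max_alerts_allowed: duplicates allowed inside the window after the
        first alert; 0 means only that first alert gets through, matching
        the FAQ's statement that 0 allows one alert per interval.
    Assumptions of this example (the FAQ does not specify them): the window
    slides over the timestamps of alerts already let through, and an
    "event" is identified by a caller-supplied key such as (host, event id).
    """

    def __init__(self, dup_suppr_interval: int, max_alerts_allowed: int):
        self.interval = dup_suppr_interval
        self.max_allowed = max_alerts_allowed
        self._passed = defaultdict(deque)  # key -> timestamps let through

    def should_alert(self, key, now: float) -> bool:
        if self.interval <= 0:
            return True  # suppression disabled
        window = self._passed[key]
        while window and now - window[0] >= self.interval:
            window.popleft()  # forget alerts older than the interval
        # window holds the first alert plus the duplicates already allowed
        if len(window) > self.max_allowed:
            return False
        window.append(now)
        return True

def replay(interval: int, max_allowed: int, alerts: list) -> list:
    """Run (timestamp, event_key) pairs through the suppressor in order."""
    suppressor = DuplicateAlertSuppressor(interval, max_allowed)
    return [suppressor.should_alert(key, ts) for ts, key in alerts]

# Constructed sample: the same logon-failure event on HOST1 every 10 s for
# 80 s, with one unrelated event from HOST2 in between.
SAMPLE_ALERTS = sorted(
    [(t, "HOST1/529") for t in range(0, 80, 10)] + [(45, "HOST2/6008")]
)
```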
|
| Q18. Can I set different "Duplicate Alarm Suppression" settings per Alert? |
Alarm suppression can be customized per alert through the "Alert based on Count" option available under the Custom tab in the Alert Group Configuration console (Management Console -> Configure menu -> Configure Alerts -> Alert Groups -> Alert Group Configuration -> Custom tab), but the global settings made in the Receiver config file (evtrxer.ini) take priority over the custom settings. |
|
| Q19. Can I set Alerts for specific timings? |
Yes, through the "Time Interval" option available under Custom tab in the Alert Group Configuration console (Management Console -> Configure menu -> Configure Alerts -> Alert Groups -> Alert Group Configuration -> Custom tab). |
|