How It Works

Knowledge Architecture

While collection, storage and access to event log data is critical, it is equally important for a SIEM solution to enable a user to easily make sense of the collected information. Log data is varied and each device or application vendor's log content is unique and often cryptic.

The knowledge that a SIEM vendor supplies, combined with the ability of both vendor and user to extend that knowledge, is critical to success. EventTracker combines an extensive body of knowledge with a simple yet powerful capability that enables the knowledge to be expanded.

Fundamental to EventTracker Knowledge are two concepts: the Category and the Knowledge Pack.

A Category is the most basic knowledge type and is simply a description of the structure of a log. Categories are defined as simple regular expressions that describe the keywords within the log. EventTracker applies these log descriptions when examining incoming logs and assigns each log to the correct category for display within the EventTracker UI. Categories within EventTracker are flexible and can consist of a single log, a collection of logs, or even a collection of categories. EventTracker provides categories for over 20,000 event types, with more being added continuously.

A Knowledge Pack builds on these Categories and combines them with prebuilt EventTracker alerts, rules and reports. There is a wide variety of Knowledge Packs, from device types such as Cisco PIX, IT infrastructure like Active Directory or Oracle, compliance standards like FISMA, resource usage or applications and many others.

All Categories and Knowledge Packs are included with the EventTracker base product and are expanded with each new release. All EventTracker users are also able to construct their own Knowledge Packs.
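To make the Category and Knowledge Pack concepts concrete, the following is an added illustration written for this page; it is not EventTracker's own code, and the category names, regexes, sample log lines and the "failed logon" alert rule are all constructed for the example. It shows leaf categories defined by regular expressions over log keywords, composite categories built from other categories, and a small Knowledge Pack style alert rule and report layered on top of them:

```python
import re
from collections import Counter

# Constructed sample log lines (not real captured data), written in a
# loosely Windows-Security and Cisco-syslog style so both families appear.
SAMPLE_LOGS = [
    "2024-01-05T10:00:01 host=DC1 EventID=4625 user=alice src=10.0.0.5 An account failed to log on",
    "2024-01-05T10:00:02 host=DC1 EventID=4625 user=alice src=10.0.0.5 An account failed to log on",
    "2024-01-05T10:00:03 host=DC1 EventID=4625 user=alice src=10.0.0.5 An account failed to log on",
    "2024-01-05T10:00:09 host=DC1 EventID=4624 user=alice src=10.0.0.5 An account was successfully logged on",
    "2024-01-05T10:01:00 host=fw1 %PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.7/443",
    "2024-01-05T10:01:05 host=fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.8/445",
    "2024-01-05T10:02:00 host=app1 something we have no category for yet",
]

# Leaf categories (hypothetical names): a name plus a regular expression
# describing the keywords that identify the log type.
LEAF_CATEGORIES = {
    "Windows: Logon Failure": re.compile(r"EventID=4625\b"),
    "Windows: Logon Success": re.compile(r"EventID=4624\b"),
    "Cisco PIX: Connection Built": re.compile(r"%PIX-\d-302013\b"),
    "Cisco PIX: Connection Denied": re.compile(r"%PIX-\d-106023\b"),
}

# Composite categories: a category that is a collection of other categories.
COMPOSITE_CATEGORIES = {
    "Windows: Authentication": ["Windows: Logon Failure", "Windows: Logon Success"],
    "Cisco PIX: Firewall Activity": ["Cisco PIX: Connection Built", "Cisco PIX: Connection Denied"],
}


def categorize(line):
    """Return the set of category names a log line belongs to: every leaf
    whose regex matches, plus every composite containing a matched leaf."""
    matched = {name for name, rx in LEAF_CATEGORIES.items() if rx.search(line)}
    for parent, children in COMPOSITE_CATEGORIES.items():
        if matched.intersection(children):
            matched.add(parent)
    return matched


# Field extraction used by the alert rule below (constructed field layout).
FIELD_RX = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+)")


def failed_logon_alert(lines, threshold=3):
    """Alert rule from a hypothetical 'Windows Logon' Knowledge Pack: fire
    when one user/source pair produces at least `threshold` logon failures.
    Returns a list of (user, src, count) tuples for each pair that fired."""
    counts = Counter()
    for line in lines:
        if "Windows: Logon Failure" in categorize(line):
            m = FIELD_RX.search(line)
            if m:
                counts[(m["user"], m["src"])] += 1
    return [(user, src, n) for (user, src), n in counts.items() if n >= threshold]


def category_report(lines):
    """Report: number of log lines per category. Lines matching no category
    are counted as 'Uncategorized' so gaps in the knowledge base are visible."""
    report = Counter()
    for line in lines:
        for name in categorize(line) or {"Uncategorized"}:
            report[name] += 1
    return dict(report)


if __name__ == "__main__":
    for name, count in sorted(category_report(SAMPLE_LOGS).items()):
        print(f"{count:3d}  {name}")
    for user, src, n in failed_logon_alert(SAMPLE_LOGS):
        print(f"ALERT: {n} logon failures for {user} from {src}")
```

The "Uncategorized" bucket is the part a practitioner cares about most: it is the list of log types the current categories do not yet describe, and therefore the queue of new Categories (or Knowledge Pack extensions) to write.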

EventTracker Knowledgebase

Integrated into EventTracker is the EventTracker Knowledgebase. The Knowledgebase (KB) contains descriptions of over 20,000 events and is the largest repository of event knowledge on the internet, with over 50,000 registered users. The Knowledgebase, hosted and maintained by Prism Microsystems, is available free of charge to the general public. Access to the Knowledgebase is fully integrated into EventTracker: with a single click, users are able to look up log descriptions and get pointers to additional specialized knowledge. These definitions can be used to configure additional rules or as a convenient look-up for unknown event types.
