Q1. When Windows Event Log is full, how does EventTracker™ function?
When any Windows Event Log file is full, EventTracker™ backs up that specific event log file and then clears it. Logging of events continues and event log monitoring never stops.
E.g.: assume that the application log file (AppEvent.Evt) is full. First, a backup file is created as AppEvent
Q2. What are the ports used by EventTracker™? Since I am using a personal firewall, do I have to exempt these ports for EventTracker™ to work on my system?
14506 – TCP, bi-directional. Port used by the Manager component.
14505 – UDP, uni-directional from Client to Manager. Port used to receive the events.
514 – UDP, uni-directional from Client to Manager. Port used to receive SYSLOG messages.
14507/TCP – Collection Master (optional; can be configured to use any TCP port)
14509/TCP – Correlation Receiver
14502 (TCP bi-directional) – EventTracker Change Audit Agent; used to transfer snapshots between client and server.
14508 (TCP bi-directional) – used for real-time comparison of any system with the golden snapshot stored on the server.
14503/TCP – License Server
Q3. How do I configure program exceptions in Windows Firewall Group Policy for EventTracker?
The settings required to configure EventTracker as an exception are:
%Program Files%\Prism Microsystems\EventTracker\ETconsole2.exe:*:Enabled:EventTracker Manager
%Program Files%\Prism Microsystems\EventTracker\Agent\etagent.exe:*:Enabled:EventTracker Agent
%Program Files%\Prism Microsystems\EventTracker\Agent\etaconfig.exe:*:Enabled:EventTracker AgentConfig
%Program Files%\Prism Microsystems\EventTracker\ETArchive.exe:*:Enabled:EventTracker Archiver
The syntax for defining port exceptions in Windows Firewall Group Policy settings is Port#:TCP|UDP:Scope:Enabled|Disabled:PortName
The settings required to configure EventTracker ports are:
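As an added example (not code from the FAQ or from Prism Microsystems), the following Python builds port-exception entries in the Port#:TCP|UDP:Scope:Enabled|Disabled:PortName syntax above for the ports listed in Q2, and validates entries before they are pasted into the Group Policy setting. The descriptive exception names and the "*" (any address) scope are assumptions; narrowing the scope to the agent and Manager subnets is the better choice where the network layout allows it.

```python
# Added example; not code from the EventTracker FAQ or from Prism Microsystems.
# Builds and validates Windows Firewall Group Policy port-exception entries in
# the Port#:TCP|UDP:Scope:Enabled|Disabled:PortName syntax from Q3, for the
# EventTracker ports listed in Q2. The exception names and the "*" (any
# address) scope are assumptions.
from dataclasses import dataclass

# Port table copied from Q2; the descriptive names are constructed.
EVENTTRACKER_PORTS = [
    (14506, "TCP", "EventTracker Manager"),
    (14505, "UDP", "EventTracker Event Receiver"),
    (514,   "UDP", "EventTracker Syslog Receiver"),
    (14507, "TCP", "EventTracker Collection Master"),
    (14509, "TCP", "EventTracker Correlation Receiver"),
    (14502, "TCP", "EventTracker Change Audit Agent"),
    (14508, "TCP", "EventTracker Change Audit Compare"),
    (14503, "TCP", "EventTracker License Server"),
]


@dataclass(frozen=True)
class PortException:
    port: int
    protocol: str   # "TCP" or "UDP"
    scope: str      # "*" or an address/subnet list, as the GPO accepts
    enabled: bool
    name: str

    def render(self) -> str:
        """Serialise in the Port#:Proto:Scope:State:Name form the GPO expects."""
        state = "Enabled" if self.enabled else "Disabled"
        return f"{self.port}:{self.protocol}:{self.scope}:{state}:{self.name}"


def parse_port_exception(entry: str) -> PortException:
    """Parse one port-exception string, rejecting anything malformed."""
    parts = entry.split(":", 4)  # maxsplit=4 keeps any ':' inside PortName
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}")
    port_s, proto, scope, state, name = parts
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"invalid port number: {port_s!r}")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP: {proto!r}")
    if state not in ("Enabled", "Disabled"):
        raise ValueError(f"state must be Enabled or Disabled: {state!r}")
    if not scope or not name:
        raise ValueError("scope and PortName must not be empty")
    return PortException(int(port_s), proto.upper(), scope, state == "Enabled", name)


def build_eventtracker_exceptions(scope: str = "*") -> list[str]:
    """Render one enabled exception per EventTracker port."""
    return [PortException(port, proto, scope, True, name).render()
            for port, proto, name in EVENTTRACKER_PORTS]


def validate_entries(entries: list[str]) -> list[str]:
    """Return the problems found (an empty list means every entry parsed)."""
    problems = []
    for entry in entries:
        try:
            parse_port_exception(entry)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    for line in build_eventtracker_exceptions():
        print(line)
```

Running the script prints one entry per port; feeding a pasted list back through validate_entries catches the usual slips (a port outside 1-65535, a protocol other than TCP/UDP, a state other than Enabled/Disabled, or a missing field) before the policy is applied.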
Q4. What is the EventTracker™ agent? What is its function? Can I use EventTracker Installation kit?
- Immediately after an event occurs on the system, only the event details are forwarded to the central console. No other network traffic is generated.
- Monitors intrusion detection, incoming network connections, chatting and web surfing
- Monitors all events from the Windows Event log while providing an option to filter out non-critical events
- It does not perform the expensive “poll” of the Windows Event log. Instead, whenever an event is written to the event log, it is forwarded to the central EventTracker™ console.
- Monitors and reports about processes. Helps you monitor runaway processes that are consuming critical system resources.
- Monitors and reports software install/uninstall.
- Monitors and can automatically restart the Windows services.
- Monitors system resources (Memory, CPU, Disk space) and reports usage exceeding specified threshold limits.
- Automatically backs up and clears the event log that reaches maximum capacity.
- Can forward events seamlessly to multiple managers, such as HP OpenView, Tivoli Netview and Unicenter
Q5. How is EventTracker agent used?
Q6. Why do I need an agent to monitor events?
Q7. What are the custom events generated by EventTracker?
Q8. How do I optimize EventTracker? Can I use filter and Traffic Analyzer?
Traffic Analyzer is a tool that is part of the EventTracker™ Console. It helps you find the details of the most common events and set your order of priority, so that you can create filters for non-essential events that only increase traffic but have little value.
Filtering is a continuous process, and priorities may vary from one system to another. Over time, with experience, priority events can be separated from non-priority events on a specific system. Repeating this process every week ensures that you receive only events of value in optimizing your operations. When non-priority events are filtered out, EventTracker™ functions optimally.
Q9. Can I have EventTracker™ Agents sitting on remote systems (outside my LAN/Domain) & capable of forwarding events to a single EventTracker™ Manager located in our HQ?
Q10. Is it possible to import existing event log files (evt format) into EventTracker™?
- Download the Import Utility from http://www.prismmicrosys.com/exes/Import.zip
- Unzip the contents of this (zip) file into a temp directory (say c:\import)
- Open a command prompt and go to c:\import
- Execute the following command: allevt followed by the system name or IP address of the system hosting the EventTracker™ Manager.
For example: if the EventTracker™ Manager is installed on system JOHN_01, which has the IP address 220.127.116.11, then the command should be “allevt JOHN_01” or “allevt 18.104.22.168”.
Note: this process has to be repeated on every system from which you would like to import log files. For example, if the EventTracker™ Manager is installed on JOHN_01 and EventTracker™ Agents are installed on OLIVER_01 and THOMAS_01, first run this from OLIVER_01 giving JOHN_01 as the manager and then repeat the process from THOMAS_01.
Q11. Can we collect event logs in a secure manner?
Q12. Does EventTracker provide a method to include multiple match strings in Filters, Alerts & Categories?
In all of the above features, the Description field can take multiple strings separated by && or ||.
&& stands for AND condition
|| stands for OR condition
For example, to be alerted for all events that contain both the words “Logon” and “password”, set the Description field of the Alert as follows:
Logon && password
Similarly, to be alerted if either Logon or password is present, enter the Description field as follows:
Logon || password
These conditions can also be used together in the same alert/filter/category description.
Another example of this feature is:
UPS || Visual Studio Analyzer && service
This will match any string that contains either (UPS and service) or (Visual Studio Analyzer and service).
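The last example shows that EventTracker splits a description on && first and then on ||, so "UPS || Visual Studio Analyzer && service" means (UPS or Visual Studio Analyzer) and service. The following added example (not code from the FAQ or from Prism Microsystems) evaluates descriptions with exactly that precedence against a batch of constructed event texts, which is a convenient way to check a filter or alert expression before deploying it. Case-insensitive substring matching and trimming of whitespace around terms are assumptions about the product's behaviour.

```python
# Added example; not code from the EventTracker FAQ or from Prism Microsystems.
# Evaluates the && / || Description syntax from Q12 with the precedence the
# FAQ's own example implies: the expression is split on && first, then each
# part on ||, so "UPS || Visual Studio Analyzer && service" reads as
# (UPS or Visual Studio Analyzer) and service. Case-insensitive substring
# matching and whitespace trimming around terms are assumptions.


def parse_description(expr: str) -> list[list[str]]:
    """Return AND-groups, each a list of OR alternatives, e.g.
    "UPS || Visual Studio Analyzer && service"
    -> [["UPS", "Visual Studio Analyzer"], ["service"]]."""
    groups = []
    for conjunct in expr.split("&&"):
        alternatives = [alt.strip() for alt in conjunct.split("||")]
        alternatives = [alt for alt in alternatives if alt]
        if not alternatives:
            raise ValueError(f"empty term in description: {expr!r}")
        groups.append(alternatives)
    return groups


def matches(expr: str, description: str) -> bool:
    """True when every AND-group has at least one alternative present in the text."""
    haystack = description.lower()
    return all(any(alt.lower() in haystack for alt in group)
               for group in parse_description(expr))


def select_events(expr: str, descriptions: list[str]) -> list[str]:
    """Apply one alert/filter/category description to a batch of event texts."""
    return [d for d in descriptions if matches(expr, d)]


# Constructed sample event descriptions (not real EventTracker events).
SAMPLE_DESCRIPTIONS = [
    "Logon failure: unknown user name or bad password",
    "Logon failure: account currently disabled",
    "Password change succeeded for user jdoe",
    "The UPS service entered the running state",
    "Visual Studio Analyzer service was installed",
    "UPS battery is low",
    "The Print Spooler service terminated unexpectedly",
]

if __name__ == "__main__":
    for expr in ("Logon && password", "Logon || password",
                 "UPS || Visual Studio Analyzer && service"):
        print(expr, "->", select_events(expr, SAMPLE_DESCRIPTIONS))
```

Note that "UPS battery is low" does not match the third expression because the && group "service" is missing, while "The Print Spooler service terminated unexpectedly" does not match because neither || alternative is present; a term like "UPS" is a plain substring, so a word that merely contains those letters would also match.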
Q13. How does Agentless feature work?
Agentless monitoring of a system can be set up from the Client Manager utility that is used for Agent deployment. In the wizard that assists with installation, one of the steps is to choose between Agent-based and Agentless monitoring. For Agentless monitoring, the user has to provide login information for an account that has administrative privileges on all the systems selected for Agentless monitoring.
Agentless monitoring uses periodic polling and is therefore NOT real-time. If real-time monitoring is important, please opt for Agent-based monitoring.
Agentless monitoring provides only basic functionality: you will receive only the events that the OS or the applications running on it have logged in the respective system's event log. None of the custom EventTracker events will be available from such systems.
Q14. How do I configure to play a sound file when I receive a certain
Configure EventTracker to play a WAV file when an ERROR event occurs. To create this configuration, perform the following steps:
- Click the Alerts button or choose Options -> Alerts
- Click the Add button
- Click the “Custom” check box in the Actions section at the bottom
- Browse and select mplayer2.exe (the default media player for Windows 2000) or any other player capable of playing wave files, followed by the path to the wave file that you would like to play. You could also use a batch file that executes the media player, passing the desired WAV file path.
Example: “C:\Program Files\Windows Media Player\mplayer2.exe” “C:\Program Files\GetRight\sounds\all_done.wav”
- Click the OK button.
- Click the OK button to complete creation of the Custom Alert.
Q15. Can we receive events from CISCO PIX firewall into EventTracker?
Yes. EventTracker is designed to receive SYSLOG events as well as SNMP traps from the Cisco PIX firewall. The PIX Firewall can send syslog messages to the EventTracker console. You can also further customize events, send an alert or generate an appropriate report using the extended framework provided by EventTracker. EventTracker also contains special categories (knowledge pack) to manage PIX events.
Three steps to send syslog messages to an EventTracker Console:
- Configure syslogd to send syslog messages to EventTracker (the Configuration Guide for the Cisco Secure PIX Firewall describes the procedure for configuring syslogd): Logging host EventTracker 192.168.1.1
- Set the logging level with the logging trap command; for example: Logging trap errors
- Start sending messages with the logging on command. To disable sending messages, use the no logging on command.
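To make the three steps concrete from the receiving side, here is an added example (not code from the FAQ, Prism Microsystems or Cisco) that decodes syslog datagrams of the kind the Manager's UDP/514 listener from Q2 receives from a PIX, and applies the same severity threshold that "logging trap errors" sets on the firewall. The `<PRI>` header (facility × 8 + severity) follows RFC 3164 and the "%PIX-level-id: text" body is the PIX message format; the message ids and texts in the samples are constructed placeholders, not real PIX message numbers.

```python
# Added example; not code from the EventTracker FAQ, Prism Microsystems or
# Cisco. Decodes syslog datagrams as a collector on UDP/514 (Q2) receives
# them from a PIX configured as in Q15, and applies the severity threshold
# that "logging trap errors" sets on the firewall. The <PRI> header is
# RFC 3164; the "%PIX-<level>-<id>: text" body is the PIX message format.
# Message ids and texts below are constructed placeholders.
import re

# Cisco logging levels, as used by "logging trap <level>".
LEVEL_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
TRAP_LEVELS = {name: level for level, name in LEVEL_NAMES.items()}

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.DOTALL)
PIX_RE = re.compile(r"^%PIX-(?P<level>[0-7])-(?P<msgid>\d+):\s*(?P<text>.*)$", re.DOTALL)


def parse_syslog(datagram: str) -> dict:
    """Split a raw datagram into facility, severity and (for PIX) level, id, text."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        raise ValueError("datagram lacks a <PRI> header")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    record = {"facility": facility, "severity": severity,
              "severity_name": LEVEL_NAMES[severity], "body": m.group("body")}
    pm = PIX_RE.match(m.group("body"))
    if pm:
        record["pix_level"] = int(pm.group("level"))
        record["msgid"] = pm.group("msgid")
        record["text"] = pm.group("text")
        # A PIX level that disagrees with the PRI severity is worth flagging:
        # it points to a relay or device that rewrote the header.
        record["level_consistent"] = record["pix_level"] == severity
    return record


def passes_trap_level(record: dict, trap_level: str = "errors") -> bool:
    """Mirror the firewall-side filter: only messages at or above the level are sent."""
    return record["severity"] <= TRAP_LEVELS[trap_level]


# Constructed datagrams. PRI 163 = facility 20 (local4, the PIX default) * 8 + 3.
SAMPLE_DATAGRAMS = [
    "<163>%PIX-3-000001: Constructed sample: inbound connection denied",
    "<166>%PIX-6-000002: Constructed sample: built outbound connection",
    "<161>%PIX-1-000003: Constructed sample: failover interface down",
    "<165>%PIX-3-000004: Constructed sample: level mismatch in header",
]


def forwarded_messages(datagrams: list[str], trap_level: str = "errors") -> list[str]:
    """Return the bodies that would reach the Manager under the given trap level."""
    return [r["body"] for r in map(parse_syslog, datagrams)
            if passes_trap_level(r, trap_level)]


if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        print(parse_syslog(d))
    print(forwarded_messages(SAMPLE_DATAGRAMS))
```

With "logging trap errors" only levels 0 to 3 leave the firewall, so the informational (level 6) connection-built message is never seen by the Manager; raising the trap level to "informational" or "debugging" brings those in at the cost of the extra traffic that Q8's Traffic Analyzer and filters exist to manage.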
Q16. What does “Duplicate Alert Suppression” mean?
If multiple instances of an event that has a configured alert are received within a short period, a large number of alerts is generated, which can confuse the user. The Duplicate Alert Suppression feature handles such a deluge of alerts by suppressing any alert that is a duplicate of an alert received earlier within a particular time frame.
Q17. How do I use the feature Duplicate Alarm Suppression?
The evtrxer.ini file has the following settings by default:
dup_suppr_interval = 0
max_alerts_allowed = 0
dup_suppr_interval: the interval, in seconds, during which duplicate alerts are suppressed. A value of 0 DISABLES the suppression feature.
max_alerts_allowed: the maximum number of duplicate alerts that will be allowed during the interval set in dup_suppr_interval. A value of 0 causes all duplicate alerts to be suppressed, which means that only one alert will be allowed during the suppression interval.
NOTE: The ETReceiver service has to be restarted after any change is made to the evtrxer.ini file. If the service is not restarted, the changes will not be picked up by the service.
Sample Alert Suppression setting
dup_suppr_interval = 300
max_alerts_allowed = 5
The above settings tell EventTracker to allow a MAXIMUM of 5 DUPLICATE alerts to be triggered within a time frame of 300 seconds. An alert is considered a duplicate only if it is triggered by the same event.
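Because the two settings interact, it helps to simulate a burst of alerts before editing evtrxer.ini. The following added example (not code from the FAQ or from Prism Microsystems) does that. It interprets the settings as a window of dup_suppr_interval seconds that opens at the first alert for an event, in which that alert and up to max_alerts_allowed duplicates fire and later duplicates are suppressed; this reading is an assumption, chosen so that max_alerts_allowed = 0 leaves exactly one alert per interval as the FAQ states. The event key that decides what counts as "the same event" is supplied by the caller and is also an assumption.

```python
# Added example; not code from the EventTracker FAQ or from Prism Microsystems.
# Simulates the dup_suppr_interval / max_alerts_allowed settings from Q17.
# Interpretation (an assumption matching the FAQ's statement that
# max_alerts_allowed = 0 leaves one alert per interval): a window of
# dup_suppr_interval seconds opens at the first alert for an event; that alert
# fires, up to max_alerts_allowed duplicates also fire, and later duplicates in
# the same window are suppressed. An interval of 0 disables suppression.
# Events are identified by a caller-supplied key (assumption).


class DuplicateAlertSuppressor:
    def __init__(self, dup_suppr_interval: int = 0, max_alerts_allowed: int = 0):
        if dup_suppr_interval < 0 or max_alerts_allowed < 0:
            raise ValueError("settings must be non-negative")
        self.interval = dup_suppr_interval
        self.max_duplicates = max_alerts_allowed
        self._windows: dict = {}  # event key -> (window start, alerts fired so far)

    def should_alert(self, event_key, now: float) -> bool:
        """Return True if an alert for event_key at time `now` should be raised."""
        if self.interval == 0:
            return True  # feature disabled: every alert fires
        start, fired = self._windows.get(event_key, (None, 0))
        if start is None or now - start >= self.interval:
            self._windows[event_key] = (now, 1)  # open a fresh window
            return True
        if fired <= self.max_duplicates:  # original + max_duplicates copies
            self._windows[event_key] = (start, fired + 1)
            return True
        return False  # a duplicate beyond the allowance: suppressed


def simulate(dup_suppr_interval: int, max_alerts_allowed: int, events) -> list:
    """events is an iterable of (timestamp_seconds, event_key); returns fired flags."""
    s = DuplicateAlertSuppressor(dup_suppr_interval, max_alerts_allowed)
    return [s.should_alert(key, ts) for ts, key in events]


# Constructed burst: twelve copies of one event in the first minute, one
# unrelated event in between, and the same event again after the window.
BURST = [(t, "svc-stopped") for t in range(0, 60, 5)]  # t = 0, 5, ..., 55
BURST.insert(4, (17, "disk-threshold"))
BURST.append((400, "svc-stopped"))


if __name__ == "__main__":
    for interval, maximum in ((300, 5), (300, 0), (0, 0)):
        fired = simulate(interval, maximum, BURST)
        print(f"interval={interval} max={maximum}: {sum(fired)} of {len(fired)} alerts raised")
```

With the FAQ's sample values (300, 5) the burst raises 8 of 14 alerts: the original plus five duplicates, the unrelated event, and the copy that arrives after the 300-second window has expired. With (300, 0) only 3 are raised, and with the interval at 0 all 14 come through.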
Q18. Can I set different 'Duplicate Alarm Suppression' per Alert?
Q19. Can I set Alerts for specific timings?
Q20. I get 'Server Error' as below when I launch EventTracker Enterprise.
- Open EventTrackerweb Folder available in EventTracker install path (..\Prism Microsystems\EventTrackerweb).
- Open web.config in text editor.
- Find the compilation debug="True" setting and change it to compilation debug="False".
Q21. I get 'Server Error' after I login to EventTracker Enterprise and trying to access various pages (Analysis/Reports etc).
Parser Error Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.
Parser Error Message: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
- Stop IIS service.
- Delete the folders under "C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\".
- Start IIS service.
Q22. How do I disable AutoComplete in the Internet browser?
- Open Microsoft Internet Explorer.
- Click Tools and then Internet Options.
- In the Internet Options window click the Content tab.
- Click the AutoComplete button.
- Check or uncheck the options for which you want AutoComplete on or off.
Below is a brief explanation of what each of the options is for:
Turn Off Auto Complete feature in Firefox:
- At the top of the Firefox window, click on the Firefox button (Tools menu in Windows XP) and then click Options.
- Select the Privacy panel.
- Set Firefox will: to Use custom settings for history.
- Remove the check mark from the box that says Remember search and form history.
- Click OK to close the Options window.
Q23. I get 'Error: Access denied' when I launch EventTracker Enterprise.
- BUILTIN\Guests should not be in the list for the “Deny access to this computer from the network” policy, since IUSR_ is a member of the Guests group and IIS uses this account by default. If you deny access to the Guests group, IUSR_ is denied access as well and will not be able to reach the application.
- Grant the “Log on as a batch job” and “Log on as a service” rights to the user account used for the EventTracker configuration.