EventTracker 6.x – Release Notes

The EventTracker engineering team continues to monitor changes in operations management, enterprise applications, and regulatory compliance standards. Version upgrades are made based on customer feedback and experience in the field, providing you with the best solution possible.

Enhancements:

  • Added event log backup option in EventTracker Agent running on Windows Vista or above.
  • Purging Collection Point CAB files on Collection Master. (ET64P11-037)
  • Customization of the ELC Site link shown in report notification email. (ET64P12-050)

Bug Fixes:

  • TCP syslog receiver is combining multiple syslog messages in one event.
  • Security setting issues in Agent configuration. (ET64P10-017)
  • Export/Import issues with scheduled reports configuration. (ET64P10-018)
  • License exhaust issues during Remote Agent deployment. (ET64P10-020)
  • Date/time format issues while reading Solaris audit logs via DLA. (ET64P10-021)
  • In System Manager, editing groups removes systems from the managed list. (ET64P10-022)
  • EC file processing issue due to lengthy system names. (ET64P10-023)
  • EventTracker Agent exceptions while sending Events. (ET64P10-024)
  • Enterprise Activity crash while parsing large event descriptions, and an issue where event ID 2043 is generated even if the system is reporting. (ET64P10-025)
  • EventVault issues (failed and oversized cache MDB files). (ET64P10-026)
  • Import/Export missing notifications in exported alert configuration. (ET64P10-027)
  • Enterprise Activity crash. (ET64P10-028)
  • Checkpoint report processing issues (ET64P10-029)
  • EventTracker Receiver crash when service gets restarted (ET64P10-030)
  • Missing CAB files when commit failed on EventVault. (ET64P10-031)
  • Message translation issues with EventTracker Agent in 64 bit systems. (ET64P10-032)
  • Error when generating a report on reports for a Collection Master. (ET64P10-033)
  • EventTracker Agent identifies total disk space, available disk space and huge memory sizes improperly. (ET64P10-034)
  • Exceptions while reading VMware events from EventTracker Agent. (ET64P11-035)
  • EventTracker agent message translation issue in 64-bit version of Windows 2003 (ET64P11-038)
  • EventTracker Diagnostics locking cache files and causing EC file backlog. (ET64P11-039)
  • Invalid IP addresses parsed by Enterprise Activity Monitoring. (ET64P11-040)
  • EventTracker Receiver high CPU usage while processing TCP connections. (ET64P11-041)
  • E-Mails are quarantined by email gateway due to the wrong MIME format. (ET64P11-042)
  • Alerts issue where duplicate notifications are sent when a system belongs to multiple groups and filters are not getting applied to system groups. (ET64P11-043)
  • System type for Solaris BSM agent is not assigned properly. (ET64P11-044)
  • Some EC2 files are not getting processed. (ET64P11-045)
  • EventTracker Receiver issue where IP address is incorrectly resolved for some Syslog sources. (ET64P11-046)
  • Launching the application UI displays “User Access Control” message with publisher as unknown. (ET64P12-047)
  • Launching TrapTracker UI displays “User Access Control” message with publisher as unknown. (ET64P12-048)
  • Launching EventTracker Correlation Configuration UI displays “User Access Control” message with publisher as unknown. (ET64P12-049)
  • Memory leak in Vista agent if LFM processing fails for a file. (ET64P12-051)
  • Incorrect system files issue during Remote Agent deployment on 64-bit systems. (ET64P12-052)

Bug Fixes

  • Fix for Management console crash.
  • Fix for duplicate alerts when configured with multiple systems.
  • Restarting Rxer service after adding alert using “Add as alert” menu from Management console.
  • Showing exact alert rule using “Show Alert” menu option.
  • Alert “EventTracker: Out of ordinary activity found” modified with Event id 2037 instead of 2038.
  • Fix for time duration display issues in Enterprise Activity console.

Enhancements

  • Added new event “2043” to identify systems not reported for 24 hrs.
  • Added exception to prevent excessive “New IP Address” alerts.

Bug Fixes

  • Fix for inconsistent date/time formats in reports/analysis/search.
  • Fix for Receiver performance issues in processing alerts.
  • Fix for Active-X error in event viewer of management console.
  • Fix for scheduled report failures during export.

Enhancements

  • Added Alerts Dashboard feature.
  • Adding XML contents in event description from Vista Event logs.
  • Reading custom event logs from non-vista systems.
  • Offline agent configuration updates.
  • New Event ID 3278 for multiple agent config change requests.
  • New Event ID 2042 for offline agent config update status.

Bug Fixes

  • Fix for CP/CM cab transfer slowness issues.
  • Fix for Agent failures due to exceptions & LFM failures.
  • Fix for Excel Report Export failures due to limitations.
  • Fix for Printer usage reports failure in Windows Vista/2008.

Categories & Alerts

  • New category groups “Motorola Wireless Switch”, “Juniper JUNOS” added
  • New Alerts “Cisco Catalyst”, “Cisco IOS” added
  • Added new WhatChanged categories

Enhancements

  • Added Enterprise Activity Dashboard.
  • Agent health status check enhancements.
  • Updated VMware categories and added VMware alerts.
  • Added “Cisco ASA”, “Windows Backup”, “Cisco Aironet”, “Cisco Director”, “F-Secure”, “MSSQL Server”, “WatchGuard” knowledge packs.
  • Event Filters to permanently filter from storing them in archives.
  • Archive Indexer for Local and Collection Points.
  • Changes in Log Volume Analysis to have one line event descriptions.
  • New audit event 3276 for system type change notification.
  • New audit event 3277 for remote agent install/upgrade.
  • Extended license availability.

Critical Fixes

  • Receiver high memory usage issues & dropping events.
  • EventVault service stuck issues while creating/purging CAB files.
  • Remote deployment issues with Agent Installer.
  • Scheduled Report execution, status, e-mailing and timing overlap issues.
  • Append Archives utility crash.
  • Blank report on Agent Management Tool when group name contains “-”.
  • Fix for Syslog Receiver crashes.
  • Receiver drops events when a large number of agents are connected.
  • User Activity Monitoring events are being sent to Syslog Receivers causing port conflicts.
  • Invalid 2007 events from correlator receiver.

New Features

Major

  • WHOIS DNS added for custom column resolution.
  • Logs from syslog sources are stamped with “-syslog” in the system name to accept multiple sources (e.g. SYSLOG/BSM) from the same system.
  • Alert action “Forward events as SYSLOG messages”.
  • New EC2 format of event cache files, fix for EventVault issues.
  • Syslog Raw Forward option in syslog VCP configuration.
  • Manual Collection Point option.
  • Tag Cloud feature in Log Search.
  • VMWARE log monitoring feature in Agent in LFM section. [This requires .NET framework v2.0 or above]

Minor

  • Option to enable/disable overwriting domain/user fields from description.
  • Query optimization in log search to enhance performance.
  • Option to exclude default report copy in mail for no matching records.
  • Configurable option to Encrypt/Decrypt data transfer in CP-CM.
  • Option to ignore systems during scheduled report import/export.
  • Optimization to User activity logs, memory utilization.
  • Enhanced Vista agent to include only active channels.
  • Added distinct, total counts for refine data entities in log search.
  • Limited error log file sizes.
  • Option to specify the syslog forward message length; it can be set through “fwd_syslog_packet_size” in evtrxer.ini.
  • Option to Store/Show only active alerts.
  • Support for Agentless deployment in VISTA/2K8.
  • Refine/Filter expressions to Report contents.
  • Added stisvc (Windows Image Acquisition) in service exception.
  • Config for duplicate alert suppression in Manager config (dialog restructured).
  • Option to store individual alerts in Alerts Archive (Alerts wizard custom tab).
  • Removed “Platform Specific” in reports and moved all the categories under Operations.
  • Removed purging option from CollectionPoint console (will be taken care only by EventVault).
  • Changed default config for System & Process monitoring in Agent.
  • Added optional category import facility during upgrade.
  • Removed Export to Legacy option in Import/Export Utility.
  • Changes in syslog port configuration to define single port for UDP/TCP pair.
  • Changes to include vista events in legacy traffic analyzer.
  • Registry settings added by default to restart Rxer instances on high memory usage.
  • Option to enable/disable event forwarding to Correlator, User Activity from Rxer (send_to_viewers = 0 in evtrxer.ini).
  • Option to enable/disable ROI Updates (RoiUpdates=1 in registry under Manager key).
  • Removed the system information updates that ran once every 10 minutes.
  • Added enhanced logging when an Rxer instance is terminated on high memory usage.
  • Configurable registry value for Rxer high memory usage (RxerPeakMemValue = 250 on Manager key).

Defect Resolution

  • Option to restart Rxer process when memory usage exceeds 250 MB.
  • EC files processing failures (PDU extraction failed).
  • Management console crashes when installed in other than default path.
  • Error in Log Search when the refine criteria doesn’t have any result to display.
  • Highlighting errors while refining systems in log search.
  • No matching records in Alerts category, when alerts category is too long.
  • Empty window displayed in quick view when the event count is in the multiples of 1000.
  • Redundant values displayed in Syslog fwd action configuration.
  • Installation issues due to syslog config changes.
  • RTE in Manager configuration while opening syslog VCP configuration.
  • Agentless offset errors/log clearing issues.
  • Event truncation issues in VISTA/2K8.
  • Event description contains log type desc in VISTA/2K8.
  • Delay in alert processing, writing into cache in Rxer.
  • Searching paths that end with “\” in log search.
  • Invalid duration in scheduled run-now option.
  • Correlator service high CPU usage.
  • Archives purging issues, which causes EventVault service failures.
  • Updated Log Volume Analysis with VISTA/2008 events.
  • Event IDs are not displayed in the Report generation wizard of Log Volume Analysis after upgrade.
  • Error message is thrown when the Refresh Systems option is clicked while events are being flooded in the Correlated Events and Alerts category in the Management console.
  • “File not found” message box is thrown when sending the published HTML report through mail.
  • Report audit trail event (3283) issues.
  • Syslog systems report processing issues.
  • RTE in alerts while configuring multiple actions.
  • TrapTracker licensing expiry issue.
  • Changes to consider syslog TCP ports after upgrade.
  • Refine option is missing in the quick view window of Alerts detail/Summary.
  • Repeated events in LFM.
  • CAG reports missing Alphabetical list of reports.
  • Duplicate event counts in log analysis when multiple (having similar rule sets) categories selected.
  • Logs Summary for Event User (Vista event id: 4768) backslash missing.
  • Duplicate event counts on Rxer load file (etw) for syslogs.

New Features

  • Added BEA Weblogic logs support in DLA
  • Added service monitoring exception for Windows Modules Installer, Windows Update, BITS

Defect Resolution

  • Fix for Agent Upgrade issues on retaining configurations
  • Fix for Log backup when Eventlog is full.
  • Fix for Agent crash while applying remote agent configurations
  • Fix for retaining DLA configuration on upgrade.
  • Fix for ‘Built-in’ user name in USB tracking events.

New Features

  • Added top N records view in Smart Viewer
  • Added event 3249 in Agent configuration changes category

Defect Resolution

  • Fix for agent configuration issues with remote systems due to access rights.
  • Fix for alert import not updating alerts category
  • Fix for Edit Analysis not retaining categories on the tree.
  • Fix for System Manager remote agent installation issues
  • Fix for report/analysis upgrade issues
  • Fix for evtProcessEcFile.exe crash
  • Fix for UK timezone report issues
  • Fix for smart viewer issue (unknown column, no matching records)
  • Fix for report/analysis issue with upgrade
  • Fix for Rxer crash in TCP mode
  • Fix for Agent Management tool crash in VISTA/2k8
  • Fix for custom column report issues
  • Fix for log search context menu issues
  • Fix for issue where CP is not transferring the log type details table to CM
  • Fix for CAB purging issues with CP due to empty folders (ET62P09-030)
  • Fix for DLA data truncation (ET62P08-029)
  • Fix for Agent deployment & user credential issues with System Manager
  • Fix for WhatChanged report listing issues after upgrade (which also affected ELC tab listings)
  • Fix for overwriting DLA configuration after upgrade.
  • Fix for missing Uninstall warning msg about the deployed agents.

Changes

  • Fixes in Receiver and Agent to avoid event loss in GED mode
  • Installation Changes to skip correlator receiver/config when correlator not installed.
  • Reserved port (configurable) for receiving Correlator events.
  • Option to view logs processed today in log search
  • Install option to add diagnostics to startup programs
  • Moved “CISCO IOS” category/report to operation tab in reports
  • Log Search enhancements

New Categories Added

  • Agent configuration changes category

Removed

  • Removed View Filter option from console (feature no longer relevant)
  • Removed readme link in remote agent deployment.

Defect Resolution

  • Fix for TCP mode event losses
  • Report processing optimization for smart viewer
  • Fix for overwriting agent configurations on upgrade.
  • Fix for Management console event display issues
  • Changes in Management Console Alerts display: loading up to the view limit, updating only new alert events
  • Fix for report migration error “input string was not in a correct format” during upgrade.
  • Fix for checksum verification issues with log search.
  • Fix for Management console flickers while adding events in display
  • Fix for Log Search failures over RDP
  • Fix for checksum failures of CAB files transferred from CP to CM
  • Fix for issue, service monitoring config not retained after upgrade from 6.1 to 6.3
  • Fix for Collection Point info database upgrade issues

New Features

  • Log Search
  • SHA1 support
  • Console Enhancement
  • Smart Viewer for Summary Reports
  • Support for VISTA Log Types
  • Agent configuration change audit event logged
  • All categories installed by default
  • Archiver Purge option
  • GUI for Direct Log Archiving
  • Log Analysis Custom Column Resolution (kb port, kb site)
  • Logs Analysis User Configurable Summary Block
  • Option to configure scheduled/defined reports from published reports
  • Option to enable/disable User Activity Monitoring and filter Users
  • Option to view All Alerts or only Active Alerts in Console
  • Order of Analysis Reports changed
  • Reformatting Report Header Details (Refine/Filter/Description/Checksum/Cab file missing)
  • Regex Refine/Filter
  • Reports in Excel – Export Formatting (Header/Footer/Title/Description)
  • Show Alert right click option in Console for easy location of alert causing rule
  • Software Usage Detail Report Presentation Changes (Sorted By Comp, User, Apps)

New Reports

  • “Idle Time Report” added under Operations
  • USB Device Disabled Report
  • USB Device Report (Summary / Detail)
  • User Activity
  • User Activity Summary Report (with following chapters Successful interactive logins, Failed interactive logins, Successful non-interactive logins, Applications used, Websites visited, Correlated events, Printer activity, Software installed, Software uninstalled, Files Deleted, USB activity, Group policy activity, Idle Time)

New Alerts

  • Direct Log Archiver
  • EventTracker: Agent configuration changed, DLA File processing failed

New Knowledge Packs

  • Certificate Services (Group with 16 categories)
  • CISCO IOS (Group with 27 categories)
  • EventLogCentral: Login failure, Role config changes, User Logoff, User logon, Agent configuration changes, Custom column config changes
  • EventTracker: Direct Log Archiver, Report/Analysis config changes, Windows log backup and clear

Updated Knowledge Packs

  • ELC Logon Category
  • Windows Group Policy
  • Windows System: patches and hotfixes
  • WhatChanged

New event IDs

3241 : Windows log backup and clear
3244 : DLA started processing.
3245 : DLA successfully processed the files
3246 : DLA stopped processing
3247 : DLA failed to process the following files
3248 : Windows patches and Hotfix
3249 : EventTracker Agent Configuration changes
3280 : ELC User logon
3281 : ELC Login failure
3282 : ELC User logoff
3283 : Addition of new Report/Analysis
3284 : Modification of Report/Analysis
3285 : Deletion of Report/Analysis
3286 : Addition of new custom column
3287 : Modification of custom column
3288 : Deletion of custom column
3289 : Modification of Report Configuration
3290 : Addition of new Role
3291 : Modification of Role
3292 : Deletion of Role

Updated Configuration – Correlator for VISTA/2008 events

Updated Report – Added a new chapter “Idle Time” to User Activity Report

Defect Resolution

  • Collection Point merging issue
  • EtaManage crash in VISTA/2008
  • GetAllEvt crash in VISTA/2008
  • Handle leakage in GED mode Agent
  • Log Rollover
  • Made Architectural changes to resolve issue of creation of corrupt .EC files and the archiver getting stuck on some corrupt file
  • Printer usage reports
  • Reports Date/Time issue for Non-US time zones

New Features

  • Added facility to read .evt files in Direct Log Archiver.
  • Added new report “USB Device Disabled Report”
  • Added DoubleTake backup application categories

Defect Resolution

  • Fix for USB Tracking event user issues
  • Fix for issue in importing alerts with remedial actions

USBTracker

  • Removed Active Users per transaction.
  • Fix for duplicates in Active Users

Etaconfig

  • Increased the width of the combo box for displaying the local port and remote port in the Network Connection Detail window.

Agent/Vista Agent

  • Disabled Logging from thread.
  • Agent Crash Fix.
  • Added Exception Handling for the Disable USB Thread.

Category Corrections

  • Case changes in CISCO-VPN category
  • Made Firewall categories Not Installed and as the base node

New Features

  • Added USB exception list for the Disable USB feature
  • New report for USB Activities.
  • Feature to generate default reports when no matching records are found
  • Support for wild card in SNAM exception list

Defect Resolution

  • Fix for Append archives, Archiver re-indexer utilities to support CAB files generated by multiple ports.
  • Fix for email failures in alerts in case default reports not installed.
  • Fix for “invalid use of null” issue in system manager during agent deployment.
  • Fix for upgrade issue where Checkpoint configurations are not retained.
  • Fix for issue, Archiver not updating bin file when deleting CAB files in EventVault.
  • Fix for issue, RSS feed configuration not getting retained.

New Features

  • VCP capability (Multiple receivers and archivers)
  • Custom column separator and terminators in custom column analysis.
  • Time Range facility provided for all reports
  • Support for Vista and W2K8
  • Trend Analysis added.
  • Index.bin replaced with Index.mdb with more information to enhance speed
  • TrapTracker and Correlator included into EventTracker
  • Added Default Alerts & Reports during install.
  • Added Remedial action feature in Agent and configurations in Alert
  • Added Alphabetical Reports tab in Reports Console
  • Added new LFM facility for XML files
  • Changes in Log Search console to provide “All event” search (exists in build 42 too)
  • SMTP Port validations at default reports screen
  • Receiver service enhanced to take care of Alerts notification database updates
  • Added Event-o-Meter
  • VCP (multiport) GUI added in Manager configuration
  • Added new default alert for user added/removed from admin group
  • Event count display in About Box and Management Console splash screen.
  • EventTracker Console modified to support Multiple Rxers including syslog.
  • Made different Rxer load files (.etw files) per Rxer and changed the data format to CSV.
  • Change in Archiving method, storing archives in respective port folders
  • Considering custom SMTP port configured during installation
  • Change in Eventvault GUI to display more information about Archives.
  • Enhanced Support & Diagnostic Tool
  • Added VISTA events in default alerts.
  • Adding default alert events in ***Alerts category
  • Test email facility in default alerts & reports configuration
  • Added new LFM facility for reading CSV files.
  • Remedial action configuration GUI changes
  • Added activity detail dialog in User Activity Viewer to view individual events.
  • Added Next, Prev buttons in activity detail dialog of User Activity Console.
  • Collection Master changes for VCP architecture
  • Collection Point/Master changes for automated cab file transfer
  • Auto focus on Alerts category while opening Management Console.
  • Changing default position to all categories when no alert events to display
  • Added tool button for Event-o-Meter in Management Console
  • Added sorting facility in EventVault Manager
  • Added ETW file data purging facility (data older than 7 days)
  • Added Dbl Click facility to bring up on demand screen in reports.
  • Extended trap buffer size in Receiver and Correlator.
  • Removed Excess UDP/TCP connection rule from correlator.
  • Reports removed Published and Dashboard from right click menu
  • Reports change “If Scheduled is selected, start wizard for this report to become a Scheduled Report”
  • Reports change “If Defined is selected, start wizard for this report to become a Defined Report”
  • EventTracker Receiver, Correlator and TrapTracker service exe changed (does not use srvshell any more)
  • Added GetAllEvt utility for VISTA/W2K8
  • Vista agent changes to include new features (XML, CSV facilities in LFM and Remedial actions)
  • Included changes to forward traps to EventTracker in TrapTracker
  • Changes in Correlator configuration file for spell mistakes & invalid references
  • Changed correlator service maintenance restart by daily basis (earlier it was once in 2 hrs)

Defect Resolution

  • User Activity issues with purging, console display
  • Import Export issue with Rss Feeds
  • Made IIS a prerequisite
  • Dot Net download link changes.
  • Vista/2k8 Agent (event translation issues)
  • ELC role info issue on database
  • Fix for Feature selection issue in installation.
  • Fix for Mgmt Console Error msg, “bad file or number”
  • Fix for VISTA agent SID translation issue.
  • Removed Agent filters with $ in description part.
  • Fix for Archiver Re-Indexer to consider new cab files & to update DB.
  • Fix for bin file import issue into archiver index database.
  • Removed License Activation in Trial builds.
  • Removed Activation from collection point console.
  • Fix for DB Compaction Utility issues.
  • Fix for Collection Point cab file transfer issues.
  • Removed Direct Archiving Utility from maintenance tools.
  • Included fix for ec files failure
  • Included FQDN fix in Rxer (Mismatch in event detail & system name)
  • Removed database size config, AYS, STS, Enterprise Explorer, Security Policy editor from management console & from installations.
  • Fix for User Authentication for email delivery in case of schedule reports.
  • Fix for trap buffer overflow issue in Rxer.
  • Fix for 100% CPU utilization issues in VISTA/2k8
  • www.eventlogmanager.com changed to www.prismmicrosys.com in splash screens.
  • Added Version info & signed EventTracker components
  • Fix for VISTA agent filter issue
  • Version info & code sign changes for TrapTracker Components (for VISTA Certification)
  • Fix for service monitoring issue after upgrade.
  • Fix for Correlator Memory utilization issues

New Features

  • Performance enhancements and purging options in User activity console

Defect Resolution

  • Fix for syslog events display in management console
  • Fix for Import/Export issue with Rss feed configurations

Defect Resolution

  • Fix for ODBC error while scheduling reports in Reports Console
  • Fix for issue with importing schedule reports

New Features

  • Purging user activity data files based on configured frequency
  • Console supports events from multiple Rxers, except syslog
  • User Activity console changes to display only selected days records

Defect Resolution

  • Defect resolution for My Favorites and Easy Reports

New Features

  • Multi port receiver capability added (changes in Receiver, Correlator, Event Generator and User Activity)
  • GED cache file limitations

Defect Resolution

  • Fixed time accuracy issue in Agent GED events
  • Reports Console Defect resolution for MyFavs issues
  • User Activity Monitoring Defect resolution to handle large number of users.
  • Weblinks corrected (help, FAQ)

Defect Resolution

  • New “My Favorites” link in the Reports Console
  • Receiver INI file corruption recovery capability added
  • User Activity now installs by default
  • Correlation module is available as an optional install
  • For a fresh install, all categories will be installed by default.
  • Resolved 64 bit Windows problem with Reports Console
  • Auto population of Title in Reports
  • System Manager now prompts for credentials (support for cross domain agent installs)
  • New reports for WhatChanged data

Defect Resolution

  • Resolved issues for 64 bit operating system installation

New Features

  • Cross-site reporting feature added
  • “All Systems” option added in the analysis system selection

New Features

  • Checkpoint agent
  • Reports Console enhancements:
    • Enhanced presentation.
    • New Power Viewer.
    • Integrated analysis
    • Informative dashboard
  • Integrated User Activity Monitoring
  • Option to customize category selection based on user requirement during installation.
  • RSS feature included from EventTracker

Other changes

  • Category changes
  • EventTracker Console menu rearranged
  • Control panel changes
  • Alternate console removed from Control Panel
  • Import Export utility enhanced
  • Historical Report removed
  • The following features have been made configurable from the EventTracker Console:
    • Alert notification status
    • Alert events cache purge frequency for alert analysis
  • KB website change for events.