EventTracker 7.6 – Release Notes

The EventTracker engineering team continues to monitor changes in operations management, enterprise applications, and regulatory compliance standards. Version upgrades are made based on customer feedback and experience in the field, to provide you with the best solution possible.

EventTracker 7.6 (Build 26)

  • Change Audit now provides an option to merge or overwrite configuration sections. This option is available when the “Apply system configuration to selective systems” option is selected.
  • The description of the EventTracker Agent system monitoring event (Event id 3207) and network monitoring events (Event id 3223, 3224, 3225, 3226 and 3227) indicates the services running under hosting processes (svchost.exe, lsass.exe etc.) if the event is generated for a hosting process.
  • Enhanced synchronization of Change Audit agent configuration.
  • Change Audit configuration can be applied by selecting a system group.
  • Support for multiline logs in Agent LFM.
  • Ability to provide the UNC path manually for EventVault storage.
  • Source event details are appended to the new activity event. (Update ET76U14-008)
  • A new event id 3506 is generated by EventTracker agent to indicate the status of applying configuration.
  • Added process Id and user name in the description of “High memory utilization” events (Event id 3217 and 3219) and “High CPU utilization” events (Event id 3218 and 3220).
  • Performance enhancements in Direct Log Archiver.
  • Description of EventTracker Agent performance monitoring events indicates the services running under hosting processes (svchost.exe, lsass.exe etc.) if the event is generated for a hosting process.
  • Support for mapping system name in Direct Log Archiver. (Update ET75U14-055)
  • Bulk acknowledgement of incident search results.
  • Additional search options in the Incident advanced search.
  • Admin users can view all generated reports of other users in “My EventTracker->Reports Dashboard”.
  • Storage path of the SparseMatrix index data is configurable.
  • Usability changes/enhancements in Preinstaller.
  • Option to change the drive letter in install and archive path.
  • Option to install SQL Express on a custom path using Preinstaller.
  • Added new option in Preinstaller to search a group in Active Directory.
  • Built-in Administrator is provided with sysadmin permission when SQL is installed via pre-install check.
  • Dashboards can be configured based on Event Vault Explorer data.
  • Users can import/export the index-based dashboard configuration.
  • Excel export of the summary data based on generated scheduled reports. It can be accessed in the Reports Dashboard.
  • Added Port Configuration utility. It can be accessed from “EventTracker Control Panel”.
  • Import-Export of Token template.
  • Reports Wizard: Configurable Disk Cost Analysis information in Report and Analysis wizard.
  • The complete domain name is extracted, instead of only the portion up to the first ‘.’ (dot character), when extracting the username for default activities (User, Admin, Process activity).
  • All filter comparisons (Event Filters, Filter Exceptions, NCM include list etc.) in EventTracker Agent are now case insensitive.
  • The first snapshot is NOT taken immediately after a fresh installation of the Change Audit Agent. The first snapshot is taken at the default scheduled local time, i.e. 2 AM.
  • Log volume and disk space status reports configured during installation will include offline systems.
  • For custom behavior rules configured in learning mode, new activity and out of ordinary activity events are generated even if learning is not complete.
  • Handle leak during archive purging if the value for purge frequency is not set.
  • Reset behavior data fails to reset the data for out of ordinary activity and new activity. (Update ET76U14-009)
  • Fix for issue where archiver backlog happens whenever cache mdb gets corrupted.
  • Fix for high memory usage in Agent LFM when processing IIS advanced logs. (Update ET75U14-059)
  • On migrating/renaming the Collection Master system, an incorrect SQL Server instance name is retrieved for storing Collection Point data.
  • Amazon JSON logs processed via Direct Log Archiver do not contain the original log time from the configured log.
  • EventTracker Agent configuration UI: Advanced filters added without Event Id criteria are not evaluated correctly.
  • Fix for error thrown while importing a large number of systems/groups.
  • Fix for wrong import/export data when advanced search filter is provided for a flex report.
  • EventTracker Agent stops reporting when configuration changes are fetched from manager.
  • The hard disk summary is shown incorrectly in the Preinstaller installation summary window.
  • Fix for Remote Agent Installer issues. (ET76U14-011)
  • A non-admin user is not able to view the 1st dashlet in the incidents dashboard.
  • New Activity of Collection Point is not shown in Collection Master.
  • Clicking the out of ordinary activity graph of a Collection Point on the Collection Master shows the message “No data found” for out of ordinary and new observed activities.
  • Usability issues in StatusTracker.
  • If the scheduled flex report doesn’t contain data (no records), exporting the report from the Extended summary and clicking “Click to see report” shows the message “Failed while opening this File”.
  • (UK) Adding notes and flags in change policy shows the date in mm/dd format.
  • Flex reports are not shown under flex history after deleting a specific site.
  • An incorrect license usage error is displayed if the license contains an unlimited number of CheckPoint or VMware licenses.
  • A non-admin user who doesn’t have the Collection Master permission is not able to see Collection Point data in the keyword dashboard.
  • An incorrect pop-up message is displayed while saving a token template from a parsing rule.
  • Hide options “Deploy SCAP” & “Deploy WinSCP” for Upgrade agent -> Change Audit.
  • The Preinstaller fails to detect the drive with more free space for the Archive disk.
  • Direct Log Archiver fails to read a multiline record enclosed within square brackets.
  • The Activation time is updated incorrectly for the Windows Interactive Logon Activity behavior rule.
  • Direct Log Archiver includes the enclosing double quotes in a field value instead of omitting them.
  • Standard token values are not shown when user refines the search result.
  • Adding a group in status tracker shows a blank group name in Incidents tabular. (Non US regional settings)
  • Data is not shown correctly for all the groups present in Incidents tabular. (Non US regional settings)
  • Hiding Host Name/IP type in new activity of behavior details page.
  • Change Audit – Results Summary Console does not run in elevated mode when launched directly.
  • Disabling the IIS Express option on Windows Server 2003 64-bit machines.

EventTracker 7.6 (Build 21)

  • Knowledge Objects: Enables display of interesting information in log search.
  • Log Watch for watching specific logs of interest in real time.
  • Centralized view of Behavior data for all sites on the collection master.
  • Support for parsing multiline log files.
  • Centralized Event-o-Meter for all sites on the collection master.
  • Support for parsing JSON log files.
  • Centralized dashboard of all sites on the collection master.
  • Versioning of Categories and alerts.
  • Direct Log Archiver enhancements: starting line offset, custom separator.
  • Windows event generation configuration from various modules.
  • Custom duration selection in behavior.
  • Log Search: Capability to search category along with standard tokens.
  • Parameterized Dashlets for added system criteria for dashboard parameters.
  • Log search option to search for “Event Id does not contain”.
  • Different archive purge settings can be specified for each VCP.
  • Different incident and archive purge settings can be specified for each site.
  • Search option added in Parsing Rules screen.
  • Option for self rotation of Event-o-Meter, incidents and behavior screens.
  • Option in Log search to search with regular expression.
  • While using the Run Now option for a report, an option is provided to generate a single report instead of multiple reports.
  • Option in the Behavior engine to allow the user to suppress the correlation check for custom rules.
  • Ability to specify different VCP ports for real-time and file-transfer events from the same agent.
  • Support for multiple CheckPoint/VMware sources in Agent LFM.
  • Ability to run multiple instances of CM to collect CP data.
  • Option to specify GED Cache Space (Manager tab) in either MB or % in EventTracker Agent Configuration.
  • Feature update for configurable EventTracker copyright and help links. (Update ET75U14-045)
  • Feature update for generating system report of collection point systems on collection master (Update ET75U14-046)
  • Implemented Agent to Console “Apply Configuration” requests. Agent connects to ET Console and fetches pending “Apply Configuration” requests.
  • Tag cloud option removed from EventVault Explorer and Log Search.
  • Event-O-Meter is the default home page after logging in to the application.
  • Crystal reports upgraded to version VS 2013 (13.0.2000.0).
  • Prerequisite .NET framework version changed from 2.0 to 4.0.
  • Change in Printer usage Report to consider an additional event (id: 307, source: Microsoft-Windows-PrintSpooler).
  • Added support for Windows 8.1 and Windows Server 2012 R2.
  • The services are restarted after saving alerts if the user clicked the ‘Tune Alerts’ option in Incident Tabular View.
  • Disabled the generation of event id 3279 for successful file transfer in default EventTracker Agent configuration.
  • Changed the disk space threshold from 90% to 1 GB in default EventTracker Agent configuration.
  • Added event id 3223, 3229 and 3240 to filter exception list in default EventTracker Agent configuration.
  • EventVault warehouse manager throws error on changing the Archive path of the CM.
  • Reports are not generated when 20 users are given for filtering.
  • Report generation fails when tag name is given as “Domain”.
  • The Data size shown in Event-O-Meter is blank when the size is less than 1KB.
  • Duplicate template tokens are added in Define Template when a token is edited from the Define Template list.
  • Editing and saving an existing policy name in the Change Audit VB console throws a runtime error (UK regional settings).
  • Application Resources report available on StatusTracker Resource Summary report lists the IP range discovered as an application on the generated report.
  • The System Resources report fails to list the website status which is monitored via status tracker.
  • Log search from custom behavior not showing results. (Update ET75U14-044)
  • Archives of Collection Point are not getting purged on Collection Master. (Update ET75U14-047)
  • Receiver process stops with unhandled exception while receiving certain events in TCP mode. (Update ET75U14-048)
  • Diagnostics package is not getting saved correctly on Windows Server Core. (Update ET75U14-049)
  • Wrong data issue when a flex report is configured using tagged tokens and has a PCRE-based category as criteria. (Update ET75U14-051)
  • Incorrect warning message for Agent less license usage. (Update ET75U14-053)
  • Agent less issue where events are not collected if target system is rebooted. (Update ET75U14-054)
  • List import utility fails when called through a script. (Update ET75U14-056)
  • StatusTracker Resource Summary report detects MS Exchange application incorrectly.
  • The cabs raw data (KB) shows as 0 in EventVault warehouse manager as well as database after upgrade.
  • Log search returns ‘No record found’ when it is performed through the ‘Activities from’ column for logon failure events.
  • The CP cab index files are not getting deleted when the archives are deleted from collection master console.
  • The user is not allowed to add/monitor FTP websites in StatusTracker.
  • Windows Server 2012 R2 is detected as XP in system manager.
  • Port Number is not considered when the user performs a log search via behavior Windows Network activity.
  • The user is allowed to add system(s) for StatusTracker monitoring even if the ST license is exhausted.
  • The user is not able to change the status of a website added on StatusTracker.
  • Remote EventTracker agent upgrade over IP option fails to upgrade the agent.
  • Reset behavior data fails to reset the data for out of ordinary activity.
  • When the user tries to save EventTracker Diagnostics with Obfuscate Output enabled, a message stating “Could not find a part of the path” is shown.
  • Reports are not getting displayed in Compliance Dashboard for non-admin user.
  • Log search issue: data cannot be filtered if the text contains the “[” symbol.
  • New KP for Cisco IronPort ESA (New Category, Alerts, Flex Reports, Smart Tokens)
  • New KP for Cisco IronPort WSA (New Category, Alerts, Flex Reports, Smart Tokens)
  • New KP for Clavister Security Gateway (New Category, Alerts, Flex Reports, Smart Tokens)
  • New KP for SonicWALL UTM (New Category, Alerts, Flex Reports, Smart Tokens)
  • New KP for Symantec Endpoint Protection Manager (New Category, Alerts, Flex Reports, Smart Tokens)
  • New KP for Centrify Server Suite (New Category, Alerts, Flex Reports, Smart Tokens)
  • New KP for LOG Binder SQL (New Category, Alerts, Flex Reports, Smart Tokens)
  • New KP for Trend Micro Office Scan (New Category, Alerts, Flex Reports, Smart Tokens)
  • New KP for Fortigate Firewall, support for Forti OS 5 added (New Category, Alerts, Flex Reports, Smart Tokens)
  • New KP for Cisco ISE (New Category, Alerts, Flex Reports, Smart Tokens)
  • New KP for WebSense WSG (New Category, Alerts, Flex Reports, Smart Tokens)
  • Apache access log
  • ArrayOS SPX
  • Centrify AD client
  • Check Point
  • Cisco ACE
  • Cisco ACS
  • Cisco Firewall
  • Cisco IOS
  • Cisco ISE
  • Clavister
  • Clearing Event Logs
  • EventTracker
  • FortiAnalyzer
  • Fortigate
  • Imperva DAM
  • Juniper OS
  • LOGbinder SP
  • Logbinder SQL
  • McAfee EPO
  • McAfee Intrushield IPS
  • Palo Alto
  • Sharepoint Server
  • Snort
  • Sonicwall
  • SQL Server
  • Symantec EndPoint Protection
  • Teradata
  • Vmware
  • VOIP
  • Websense WSG
  • Cisco PIX: User login failed
  • Cisco PIX: User account locked out
  • Syslog: Object access failed
  • Syslog: Object creation failed
  • Syslog: Object deletion failure
  • Syslog: Object modification failure
  • *Security: User account unlocked
  • Cisco ASA: System password changed
  • Cisco ASA: User account locked out
  • Cisco ASA: User login failed
  • Cisco PIX: User account locked out
  • Cisco PIX: User login failed
  • Cisco Switch: User login failed
  • Syslog: Object access failed
  • Syslog: Object creation failed
  • Syslog: Object deletion failure
  • Syslog: Object modification failure
  • *Security: User account unlocked
  • Windows-AD object access detail report
  • EventTracker-New enterprise activity report
  • EventTracker-Out of ordinary activity report
  • Change Audit: Windows startup change
  • ArubaOS: DHCPD Died
  • ArubaOS: Protocol Independent Multicast
  • Cisco Switch: VLAN Messages
  • Digital Persona Pro: Connection to Server Failed
  • Forefront UAG: User Login Successful*
  • Hyper V: Network Adaptor Failed
  • Hyper V: Network Adaptor Started
  • IIS: Protocol Adaptor Configuration Error
  • WatchGuard: Tunneld and GRE Messages
  • Cisco NAC: Rogue AP report Error
  • DELL OMSA: Chassis Intrusion Alert
  • RSA SecurID: Successful PIN resets