EventLog Analyzer

Knowledge Base

General
  1. Where do I find the log files to send to EventLog Analyzer Support?
  2. I find that EventLog Analyzer keeps crashing or all of a sudden stops collecting logs. What could be the reason?
  3. How to create a SIF (Support Information File) and send it to ManageEngine, if you are not able to do so from the web client?
  4. How to register dll when message files for event sources are unavailable?
Installation
  1. What are the recommended minimum system requirements for EventLog Analyzer?
  2. Can I install EventLog Analyzer as a root user?

    EventLog Analyzer can be started as a root user, but all file permissions will be changed, and later you cannot start the server as another user.

  3. When I try to access the web client, another web server comes up. How is this possible?

    The web server port you have selected during installation is possibly being used by another application. Configure that application to use another port, or change the EventLog Analyzer web server port.

  4. How to configure EventLog Analyzer as a service in Windows, after installation?
  5. How to configure EventLog Analyzer as a service in Linux, after installation?
  6. Is a database backup necessary, or does EventLog Analyzer take care of this?

    The archiving feature in EventLog Analyzer automatically stores all logs received in zipped flat files. You can configure the archiving settings to suit the needs of your enterprise. Apart from that, if you need to back up the database, which contains the processed data from the event logs, you can run the database backup utility, BackupDB.bat/.sh, present in the /troubleshooting directory.

  7. How to take database backup?
    MySQL database

    To take a backup of the existing EventLog Analyzer MySQL database, ensure that the EventLog Analyzer server or service is stopped, then create a ZIP file of the contents of the /mysql directory and save it.

    MSSQL database

    Steps to back up the MSSQL database:

    Find the current location of the data file and log file for the eventlog database by running the following commands:

    use eventlog
    go
    sp_helpfile
    go

    Detach the database by running the following commands:

    use master
    go
    sp_detach_db 'eventlog'
    go

    Back up the data file and log file from the location reported by sp_helpfile ( \data\eventlog.mdf and the corresponding log file) by zipping and saving the files.

  8. EventLog Analyzer displays "Enter a proper ManageEngine license file" during installation

    This message could be shown in two cases:

    Case 1: Your system date is set to a future or past date. In this case, uninstall EventLog Analyzer, reset the system date to the current date and time, and re-install EventLog Analyzer.

    Case 2: You may have provided an incorrect or corrupted license file. Verify that you have applied the license file obtained from ZOHO Corp.

    If neither is the reason, or you are still getting this error, contact licensing@manageengine.com

  9. Unable to bind EventLog Analyzer server to a specific interface.

    To bind the EventLog Analyzer server to a specific interface, follow the procedure given below.

    For EventLog Analyzer running as an application:

    • Open the runSEC.exe/sh file.
    • In the line that starts the syslog collector, add the -bindip parameter anywhere before %* (Windows) or $* (Linux). The original line is:

    bin\SysEvtCol.exe -loglevel 3 -port 513 514 %*

    The parameter to add is:

    -bindip <IP address of the interface to which EventLog Analyzer needs to be bound>

    An example entry is given below:

    bin\SysEvtCol.exe -loglevel 3 -bindip 192.168.111.153 -port 513 514 %*

    For EventLog Analyzer running as a service:

    • Stop the EventLog Analyzer service.
    • Open the startDB.bat file under the <EventLog Analyzer Home>\bin directory, add the option '--bind-address=<ip-address>' to the mysqld start command (the line that starts with @start) and save the file.
    • Open the stopDB.bat file under the <EventLog Analyzer Home>\bin directory, add '-h <ip-address>' to the command arguments and save the file. After the change the line should look like the one given below:

    set commandArgs=-P %PORT% -u %USER_NAME% -h <ip-address>

    • Open the wrapper.conf file under <EventLog Analyzer Home>\server\default\conf and make the following changes. Uncomment the second application parameter:

    wrapper.app.parameter.2=-L../lib/AdventNetDeploymentSystem.jar

    Add the following new application parameters:

    wrapper.app.parameter.3=-c default
    wrapper.app.parameter.4=-b <ip-address>
    wrapper.app.parameter.5=-Dspecific.bind.address=<ip-address>

    Then save the file.

    • Note: To uncomment a line in the .conf file, remove the '#' symbol at the start of the line.
    • Open the mysql-ds.xml file under the <EventLog Analyzer Home>\server\default\deploy directory, replace 'localhost' in the connection-url tag with the <ip-address> to which you want to bind the application, and save the file.
    • Start the EventLog Analyzer service.
    • Verify the setting by executing the 'netstat -ano' command in the command prompt.
Start up and Shut down
  1. MySQL-related errors on Windows machines

    Probable cause: An instance of MySQL is already running on this machine.
    Solution: Shut down all instances of MySQL and then start the EventLog Analyzer server.
    Probable cause: Port 33335 is not free.
    Solution: Kill the other application running on port 33335. If you cannot free this port, then change the MySQL port used in EventLog Analyzer.

  2. EventLog Analyzer displays "Port 8400 needed by EventLog Analyzer is being used by another application. Please free the port and restart EventLog Analyzer" when trying to start the server

    Probable cause: The default web server port used by EventLog Analyzer is not free.
    Solution: Kill the other application running on port 8400. If you cannot free this port, then change the web server port used in EventLog Analyzer.

  3. EventLog Analyzer displays "Can't Bind to Port <Port Number>" when logging into the UI.

    Probable cause: The syslog listener port of EventLog Analyzer is not free.

    Solution:

    • Check for the process that is occupying the syslog listener port, using netstat -anp -pudp, and if possible free up this port.
    • If you are starting the server on a UNIX machine, ensure that you start it as the root user (the default syslog ports 513 and 514 are below 1024 and need root to bind).
    • Alternatively, configure EventLog Analyzer to listen on a different syslog listener port and ensure that all your configured hosts send their syslog to the newly configured port.
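    Both the bind-to-interface procedure in the Installation section and the port-conflict items above end with inspecting netstat output by hand. As an added example (not part of this knowledge base or of the product), the Python below parses `netstat -ano` (Windows) or `netstat -anp` (Linux) output and reports, for each default EventLog Analyzer port named on this page (8400 web server, 33335 MySQL, 513/514 syslog), the owning PID and whether the socket is bound to the intended interface rather than to every interface; the netstat sample is constructed, and a listener on 0.0.0.0 after the bindip change means the change did not take effect.

```python
"""Report the owning PID and bind address of each EventLog Analyzer listener port,
parsed from `netstat -ano` (Windows) or `netstat -anp` (Linux) output."""
# Default ports named on this page: web server 8400, MySQL 33335, syslog 513/514 (UDP).
ELA_PORTS = {8400: ("web server", "TCP"), 33335: ("MySQL", "TCP"),
             513: ("syslog", "UDP"), 514: ("syslog", "UDP")}
ALL_INTERFACES = ("0.0.0.0", "*", "::", "")   # wildcard binds = every interface


def parse_listeners(netstat_output):
    """Map (proto, port) -> (local ip, pid) for listening TCP and all UDP sockets."""
    listeners = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        proto = parts[0].upper().rstrip("6") if len(parts) >= 3 else ""  # tcp6/udp6 on Linux
        if proto not in ("TCP", "UDP"):
            continue
        # First token containing ':' is the local address (Linux Recv-Q/Send-Q are bare numbers).
        local = next((p for p in parts[1:] if ":" in p), None)
        if local is None or (proto == "TCP" and not {"LISTENING", "LISTEN"} & set(parts)):
            continue
        ip, _, port = local.rpartition(":")
        pid = parts[-1].split("/")[0]  # Windows: bare PID; Linux: PID/program or '-'
        listeners[(proto, int(port))] = (ip.strip("[]"), pid)
    return listeners


def check_ela_ports(netstat_output, bind_ip=None):
    """Per port: 'free' (nothing listening), 'wrong-interface' (bound to something other
    than bind_ip, e.g. 0.0.0.0) or 'listening'; the PID is what to look up with tasklist/ps."""
    report = {}
    listeners = parse_listeners(netstat_output)
    for port, (role, proto) in ELA_PORTS.items():
        entry = listeners.get((proto, port))
        if entry is None:
            report[port] = {"role": role, "status": "free"}
            continue
        ip, pid = entry
        status = "wrong-interface" if bind_ip is not None and ip != bind_ip else "listening"
        report[port] = {"role": role, "status": status, "ip": ip, "pid": pid,
                        "all_interfaces": ip in ALL_INTERFACES}
    return report


# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_WINDOWS = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8400           0.0.0.0:0              LISTENING       4120
  TCP    192.168.111.153:33335  0.0.0.0:0              LISTENING       4188
  TCP    192.168.111.153:8400   10.0.0.5:50212         ESTABLISHED     4120
  UDP    192.168.111.153:514    *:*                                    4096
  UDP    0.0.0.0:513            *:*                                    1580
"""
```

    Run it on a live host by passing the captured netstat output and the bindip address to check_ela_ports; a 'free' result for a port the server complains about means the conflict is elsewhere (for example a stale EventLog Analyzer process that has since exited).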
  4. When the application is started, configureODBC.vbs throws a script error or opens with another application. How to overcome this?

    Probable cause (file opens with another program): The configureODBC.vbs file may be set to open with a program other than wscript.exe from the WINDOWS\system32 folder (for example, Notepad.exe), so the file could not be executed during application start.

    Solution:

    • Stop the EventLog Analyzer server/service.
    • Go to the EventLog Analyzer installation folder <EventLog Analyzer Home>\bin (default path), right-click the configureODBC.vbs file, choose Open (or Open With) and select the Windows program wscript.exe from your Windows\System32 folder.
    • Start the EventLog Analyzer server/service.

    Probable cause (file does not have execute permission): The configureODBC.vbs file may not have execute permission.

    Solution:

    • Stop the EventLog Analyzer server/service.
    • Go to the EventLog Analyzer installation folder <EventLog Analyzer Home>\bin (default path), right-click the configureODBC.vbs file and change its permissions to allow execution.
    • Start the EventLog Analyzer server/service.
Configuration
  1. How do I add hosts to EventLog Analyzer so that it can start collecting event logs?

    For Windows hosts, enter the host name and the authentication details, and then add the host. For Unix hosts, enter the host name and the port number of the syslog service, and then add the host. (Ensure that the syslog service is running, and that it is using the same port number specified here.)

  2. How do I see session information of all users registered to log in to EventLog Analyzer?

    The session information for each user can be accessed from the User Management link. Click the View link under Login Details against each user to view the active session information and session history for that user.

  3. How to move EventLog Analyzer to a different machine/server?

    Follow the steps below to move an existing EventLog Analyzer server to a new machine/server.

    MySQL database
    1. Stop the existing EventLog Analyzer server/service.
    2. Ensure that the processes 'java.exe', 'mysqld-nt.exe' and 'SysEvtCol.exe' are not running/present in the Task Manager; kill these processes manually if any of them are still running.
    3. As a precautionary measure, copy the following complete folders (including the files and sub-folders) to another drive or to a mapped network drive. This allows the settings and data to be restored in case of any issue with the new machine installation.
      • The MySQL folder located under the <EventLog Analyzer Home>\ directory
      • The Archive folder located under the <EventLog Analyzer Home>\archive directory
      • The Indexes folder located under the <EventLog Analyzer Home>\server\default directory
      If a MySQL password is set in the old server, also copy:
      • startDB.bat and configureODBC.vbs located under the <EventLog Analyzer Home>\bin directory.
      • myodbc3.dll and myodbc3s.dll located under the <EventLog Analyzer Home>\lib directory.
      • mysql-ds.xml located under the <EventLog Analyzer Home>\server\default\deploy directory
    4. Download and install the latest build of EventLog Analyzer on the new machine/server from the following link: http://www.manageengine.com/products/eventlog/download.html
    5. Do not start the newly installed EventLog Analyzer server/service.
    6. On the newly installed EventLog Analyzer machine/server, rename the MySQL folder located under <EventLog Analyzer Home>\ to OldMySQL.
    7. Copy the MySQL folder (including the files and sub-folders) located under <EventLog Analyzer Home>\ from the old machine/server to the newly installed EventLog Analyzer machine/server. Note: Take extra care that EventLog Analyzer is not running on either system while performing this operation.
    8. Start EventLog Analyzer on the new machine and check whether the data and configurations are intact.
    MSSQL database
    1. Stop the EventLog Analyzer server/service.
    2. Download and install the latest build of EventLog Analyzer on the new server using the following link: http://www.manageengine.com/download.html
    3. Once you have installed the application on the new machine, make sure that you do not start it (or shut EventLog Analyzer down if it has already started).
    4. Configure the MSSQL server credentials of the earlier EventLog Analyzer server installation as explained in the Configuring MSSQL Database topic.
    5. Start the EventLog Analyzer server/service on the new machine and check whether the data and configurations are intact.

    In case of any issues while performing the above steps, do not continue any further; contact eventlog-support@manageengine.com for assistance.

  4. How can I assign password to 'root' user in the EventLog Analyzer database?
    The following procedure sets a password for the EventLog Analyzer MySQL database. It applies to EventLog Analyzer version 6.0 onwards.
    1. Stop the EventLog Analyzer server/service.
    2. Click Start > Control Panel > Administrative Tools > Data Sources (ODBC) > User DSN, select the name CherrySADSN and click 'Remove'.
    3. Rename the file <EventLog Analyzer Home>\bin\configureODBC.vbs to configureODBC_old.vbs and <EventLog Analyzer Home>\lib\myodbc3.dll to myodbc3_old.dll.
    4. Download the *.zip file from the link below and place the files in the following locations:
      http://bonitas.zohocorp.com/patches/cherry/15Sep2009/Mysql_Password_Set_ELA_6.zip
      1. configureODBC.vbs > \bin folder
        Note: Use the appropriate configureODBC.vbs (either 32-bit or 64-bit) file based on the platform on which you are running EventLog Analyzer.
      2. myodbc3.dll and myodbc3s.dll > \lib folder
      3. MysqlPwdSet.bat > \mysql\bin folder
    5. Open a command prompt window, go to the folder <EventLog Analyzer Home>\bin and run the command 'startDB.bat' to start the database.
    6. In the command prompt window, go to the folder <EventLog Analyzer Home>\mysql\bin and execute 'MysqlPwdSet.bat' as given below:
      <EventLog Analyzer Home>\mysql\bin> MysqlPwdSet.bat <mysql password>
    7. In the command prompt window, go to the <EventLog Analyzer Home>\tools folder, execute 'changeDBServer.bat', provide the <mysql password> in the Password field and click 'Test'. If the connection is established, click 'Save'. Ignore the error message 'database already exists'.
    8. Edit (in WordPad) 'stopDB.bat', located in the <EventLog Analyzer Home>\bin folder, as given below. This entry is used only for stopping the current instance of the MySQL database.
      Old Entry:
      set PASSWORD=%4
      New Entry:
      set PASSWORD=<mysql password>
    9. In the command prompt window, go to the folder <EventLog Analyzer Home>\bin and execute the command 'stopDB.bat' to stop the database.
    10. Edit (in Notepad) 'stopDB.bat' again and revert the above change as given below:
      Old Entry:
      set PASSWORD=<mysql password>
      New Entry:
      set PASSWORD=%4
    11. Restart the EventLog Analyzer server/service.

    This procedure is applicable only for EventLog Analyzer versions earlier than 6.0.

    To assign/change the MySQL database password, follow the steps given below:

    • Connect to EventLog Analyzer's MySQL. Go to the /mysql directory and execute the following command:
      ./bin/mysql -u root -h localhost --port=33335 -D EVENTLOG
    • Execute the following queries in the database:
      USE mysql;
      update user set password=password('New Password') where user='root';
      FLUSH PRIVILEGES;
    • Stop EventLog Analyzer.
    • Go to the /data directory, edit the dbparam.conf file and change the password to the new password.
    • Restart EventLog Analyzer.
  5. While adding a host for monitoring, the 'Verify Login' action throws an 'RPC server unavailable' error.
  6. While adding a host for monitoring, the 'Verify Login' action throws an 'Access Denied' error.
  7. When a WBEM test is carried out, it fails and shows an error message with code 80041010 on Windows Server 2003.
  8. How to enable Object Access logging in Linux OS?
  9. What are the commands to start and stop the syslog daemon in Solaris 10?
Log collection and Reporting
  1. Why am I seeing empty graphs?

    Graphs are empty if no data is available. If you have started the server for the first time, wait for at least one minute for graphs to be populated.

  2. What are the types of report formats that I can generate?

    Reports can be generated in HTML, CSV, and PDF formats. All reports are generally viewed as HTML in the web browser, and then exported to CSV or PDF format. However, reports that are scheduled to run automatically, or be emailed automatically, are generated only as PDF files.

  3. I've added a host, but EventLog Analyzer is not collecting event logs from it
  4. I get an Access Denied error for a host when I click on "Verify Login" but I have given the correct login credentials
  5. I have added a custom alert profile and enabled it, but the alert is not generated in EventLog Analyzer even though the event has occurred on the host machine
  6. When I create a Custom Report, I am not getting the report with the configured message in the Message Filter
  7. MS SQL server for EventLog Analyzer stopped
  8. I successfully configured Oracle host(s), but still cannot view the data