EventLog Analyzer is a log management and IT compliance solution for your enterprise. It's web-based, and it employs both agentless and agent-based mechanisms to collect logs from log sources across your network while also providing you with in-depth reports, alerts, and security analyses.
The main modules EventLog Analyzer has to offer:
- Parsing engine: Filters logs which aren't needed—as configured by the administrator—and normalizes raw logs into a standard format.
- Central database: Stores raw and normalized logs from all devices and applications across your network as well as report data and global threat data. The default database that comes installed with the product is PostgreSQL. Alternatively, users have the option of migrating to Microsoft SQL Server or MySQL databases.
- Report builder: Processes the raw and normalized logs to build over a thousand predefined reports—including compliance reports—and custom reports as well. EventLog Analyzer generates and sends out scheduled reports, and it exports reports when needed.
- Alerts and incident management: Sends out email and SMS notifications based on configured alert profiles; assigns incidents to designated technicians, and stores the statuses and related information for every incident.
- Log search engine: Searches through millions of logs in seconds. The search engine is based on Elasticsearch.
- File integrity monitoring: Uses file server logs to monitor all activity occurring in critical files and folders and generates detailed file integrity reports.
- Correlation engine: Correlates logs from heterogeneous sources to identify potential attacks, and generates in-depth aggregated incident reports and security alerts.
- Threat intelligence: Regularly retrieves and stores threat data from popular STIX/TAXII-based threat feeds as well as other open source feeds. The module compares this data with network events and then generates threat alerts when malicious entities are discovered interacting with your network.
EventLog Analyzer's distributed edition is useful when your network consists of over a thousand log sources, or if it's spread across multiple geographic regions. It's also the perfect model for managed security service providers (MSSPs) to deploy. It follows a distributed architecture with multiple managed servers being controlled by a single, central admin server.
- Admin server: A central server that provides the administrator with control over the entire network.
- Managed server: Each managed server oversees a smaller portion of the network, and it works exactly like the standalone edition described above.