Eventlog Analyzer Latest Features

Release notes

2022
- May
- Apr
- Mar
- Mar
- Mar
- Feb
- Jan
2021
- Dec
- Dec
- Dec
- Nov
- Nov
- Oct
- Oct
- Sep
- Sep
- Aug
- Aug
- Jul
- Jul
- Jun
- Mar
- Jan
- Jan
2020
- Nov
- Oct
- Aug
- Jul
- Jun
- May
- May
- Apr
- Apr
- Mar
- Mar
- Feb
- Jan
2019
- Dec
- Nov
- Oct
- Aug
- Jul
- Jun
- May
- Mar
- Feb
- Jan
2018
- Nov
- Nov
- Oct
- Sep
- Sep
- Jul
- Jun
- May
- May
- May
- Apr
- Mar
- Mar
- Mar
- Feb
- Jan
- Jan
2017
- Dec
- Nov
- Oct
- Sep
- Sep
- Aug
- Aug
- Aug
- Jul
- May
- May
- Apr
- Mar
- Feb
- Feb
- Jan
2016
- Dec
- Nov
- Aug
- Jul
- Jun
- Apr
- Mar
- Jan
2015
- Nov
- Oct
- May
- Jan
2014
- Apr

Build 12226

Released on 19 May 2022

Standalone Edition

Distributed Edition

Enhancements

The version of Spring Framework jar bundled with the product has been upgraded to 5.3.18.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12225

Released on 20 Apr 2022

Standalone Edition

Distributed Edition

Enhancements

The GUI of EventLog Analyzer's log collection module has been updated to enhance user experience.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12220 (Service Pack Build)

Released on 29 Mar 2022

Standalone Edition

Distributed Edition

Fixes

Minor issues in archiving have been fixed.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12219

Released on 24 Mar 2022

Standalone Edition

Distributed Edition

Fixes

Issues due to security hardening during agent upgrade are fixed.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12218

Released on 4 Mar 2022

Standalone Edition

Distributed Edition

New features

EventLog Analyzer now allows you to configure Log Collection Filters for internal applications.

Enhancements

DCOM Security Hardening feature has been updated. The WMI authentication level has been increased as suggested by Microsoft.

Issue fixes

Parsing issues in SonicWall, Unix FTP and Palo Alto have been fixed.
The issue with column integrity monitoring reports not being generated has been fixed.
Schema name has been added to MSSQL tables.
The issue with MSSQL logs being displayed as Windows logs has been fixed.
False positives on monitoring /bin folders in Linux FIM have been controlled and useradd/userdel commands not being audited on /etc/passwd has been fixed.
Device details export status was shown wrongly in pdf. This has been fixed.
Issues occurring in Windows agents startup and log collection after a long interval in communication between agent and server have been fixed.
A device configured to collect Windows events and syslog, failed to collect Windows events. This issue has been fixed.
Mail server synchronization from Log360 to EventLog Analyzer took place only after a restart operation. This issue has been fixed.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12216

Released on 9 Feb 2022

Standalone Edition

Distributed Edition

New features

EventLog Analyzer now includes a Security Hardening tab to manage and configure all security settings from one place.
Mandatory default password change for built-in admin account.

Enhancements

The Settings UI in EventLog Analyzer has been revamped to enhance user experience.
For WAF adoption and to enhance security, internal code refactoring has been done.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12215

Released on 7 Jan 2022

Standalone Edition

Distributed Edition

Fix

This release includes a fix for the Apache Log4j vulnerability (CVE-2021-44832).

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12214

Released on 24 Dec 2021

Standalone Edition

Distributed Edition

Issue fix

This release includes a fix for the Apache Log4j vulnerability (CVE-2021-45105).

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12213

Released on 17 Dec 2021

Standalone Edition

Distributed Edition

Issue fix

This release includes a fix for the Apache Log4j vulnerability (CVE-2021-45046).
JAR-hell issue post 12212 service pack is fixed.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12212

Released on 14 Dec 2021

Standalone Edition

Distributed Edition

Fix

This release includes a fix for the Apache Log4j vulnerability (CVE-2021-44228).

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12211

Released on 26 Nov 2021

Standalone Edition

Distributed Edition

Features

EventLog Analyzer now has out-of-the-box compliance reports for the Cybersecurity Maturity Model Certification (CMMC).

Fixes

Minor bugs have been fixed to resolve performance issues in the log processing, indexing and alert processing modules.
Issues in parsing Oracle logs for Linux based File Integrity Monitoring (FIM) have been fixed.
Issues in Windows agents startup and log collection, created after longer gap in communication between agent and server have been fixed.
Issues in Check Point attack report have been fixed.
Issues in parsing SonicWall and Unix devices have been fixed.
Issues in auditing file/folder deletions from a share location, with Windows FIM have been fixed.
ZVE-2021-3375 - Unauthorized command injection vulnerability in EventLog Analyzer service installation has been fixed.
Issue with update in IP geolocation has been fixed.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12206

Released on 8 Nov 2021

Standalone Edition

Distributed Edition

Enhancements

The version of PostGreSQL bundled with the product has been upgraded to 10.18.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12204

Released on 12 Oct 2021

Standalone Edition

Distributed Edition

Fix

Internal code refactoring has been done.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12203

Released on 4 Oct 2021

Standalone Edition

Distributed Edition

Fix

Internal code refactoring has been done.
Issue in the Reports tab in EventLog Analyzer instances with 500 or more devices, has now been fixed.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12201

Released on 9 Sep 2021

Standalone Edition

Distributed Edition

Security Issue fix

An authentication bypass vulnerability affecting REST API URLs, rated critical, has now been fixed.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12200

Released on 1 Sep 2021

Standalone Edition

Distributed Edition

Features

EventLog Analyzer now supports historical log collection for AS/400 and customized historic log collection for Windows.
An intuitive Apache overview dashboard to provide real-time insights on Apache web server activities.
Support for logs from Dell and Forcepoint devices.
EventLog Analyzer now supports logs from Qualys-Vulnerablity Management.

Enhancements

The performance of XML file import has been enhanced and the size restriction in Manage Vulnerability Details has been removed.
Parsing and support for new Huawei devices has been enhanced.
Option to stop sending emails with Empty Reports.
A Correlation Diagnostics pop-up has been added to provide information on the memory consumed by the Correlation module.
The Alerts and the Manage Profile columns can now be resized.

Fixes

Issues in parsing logs from PaloAlto and Stormshield devices have been fixed.
Issues in parsing logs from Oracle WMI and Syslog have been fixed.
Search filtering in IIS Logs is fixed.
Search to custom report redirection issue is fixed.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12166

Released on 11 Aug 2021

Standalone Edition

Distributed Edition

Fix

EventLog Analyzer was not loading properly when accessed from Log360's apps pane. This issue was observed in builds released post 12160 and 5220 of EventLog Analyzer and Log360 respectively. It has now been fixed.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12165

Released on 5 Aug 2021

Standalone Edition

Distributed Edition

Fix

This release includes a fix for the pre-authenticated remote code execution (RCE) vulnerability (CVE-2021-37539) in SmartCard, reported by bmtd from ECQ.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12164

Released on 30 Jul 2021

Standalone Edition

Distributed Edition

Fixes

This release also includes a fix for the arbitrary file upload issue in Smart Authentication (ZVE-2021-2428) that led to remote code execution vulnerability, reported by Duc from ECQ.

The updates for the Distributed Edition - Managed Server the same as the Standalone Edition.

Build 12163

Released on 6 Jul 2021

Standalone Edition

Distributed Edition

Fixes

Issues related to categorization of Windows Workstation reports if a device is identified as a workstation with some delay are fixed.
Issues related with reports of network devices including Juniper, Fortinet, Barracuda, Paloalto, pfSense and Syslog Applications due to complications in parsing are fixed.
Issues related to device selections on configuring custom reports for AS400 are fixed.
Distributed editions are now allowed to have different databases among Admin and Managed servers.
Issues related to installing agents in Linux machines, if the audit version is 3.0, are now resolved.
Issues while integrating JIRA desk ticketing tool with ELA are now fixed.
Issues with TLS log collection, when PFX is configured, have been resolved.
Issues related to Windows system reports, alerts, and correlation from Chinese OS are fixed.
Issue in file or folder modified reports from Linux devices for Linux kernel version greater than 3.10 is now fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12160

Released on 3 Jun 2021

Standalone Edition

Distributed Edition

New features

EventLog Analyzer provides reports for Sysmon application.
EventLog Analyzer will now assign a dedicated access key from Log360 feeds and provide sign up instructions for threats.
A new ATA Whois Info tab has been added to provide exhaustive information on URL and Domain sources.

Enhancements

Custom Pattern enhancements

The Custom log parsing UI has been enhanced for better user experience.
You can now use delimiters to extract additional fields while parsing logs.
An Auto-Identify option has been included to detect standard fields and key-value pair logs.

Application & Windows Reports Enhancements

The Application and File Monitoring device drill down can now be viewed under Reports.
Reports for Windows File Monitoring have been added.
You can now get All Events and Important Reports for Applications.
Windows Reports have now been regrouped to provide significant information.

The packet capture tool for troubleshooting in Syslog Viewer has been enhanced for better filtering.
The performance of the log collector has been enhanced to ensure optimum utilization of resources.
The service pack installation has been made secure by checking the PPM file for any tampering.
EventLog Analyzer now supports vCenter version 7.
EventLog Analyzer now supports SMB version 3.

Fixes

Issue with incorrect or null field values being sent via SMS notification has been fixed.
It was observed that Archives were being wrongly flagged as tampered during unanticipated shutdowns of EventLog Analyzer. This has been fixed.
A memory issue while loading archived logs with parsed fields has been fixed.
The incorrect log count issue in device drill down of Application and File Integrity Monitoring in log sources has been fixed.
The issue of excessive storage consumption of databases has been fixed.
Issue in HSTS and XSS has been fixed.
SQL injection and RCE vulnerabilities have been fixed.
Parsing issues in Unix, Firepower, Oracle and PaloAlto have been fixed.
The issue with importing eventlog archives in import page has been resolved.
Duplicate windows agent was created automatically due to multiple IP addresses. This issue has been resolved.
It was observed that verification was successful even with spurious credentials. This issue has been fixed.
The issue with Removable disk auditing reports has been resolved.
It was observed that the Admin Server did not get timed out even after the session timeout. This issue has been resolved.
While loading archive files, the 'To' field value changed into loading time value. This issue has been fixed.
Issues with parsing 'date' and 'time' fields in Cisco logs while loading archive files have been resolved.
IIS Log collection issues have been fixed.
The Stored XSS vulnerability (ZVE-2021-1220) has been fixed.
Issue with parsing AD object access logs (Event ID 4662) has been fixed.
Issues with data authorization for File Integrity Monitoring (FIM) Configurations have been fixed.
Sensitive Data Exposure issue (ZVE-2021-0879) reported by Kevin Dawe has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12157

Released on 16 Mar 2021

Standalone Edition

Distributed Edition

Enhancements

The version of JSON jar bundled with the product has been upgraded to 20190722.0.0.
The version of PostGreSQL bundled with the product has been upgraded to 10.15.
The EventLog Analyzer build image has been upgraded.
Predefined VPN reports have now been added for CheckPoint and Barracuda Firewall.
The threat detection in Correlation tab has been enhanced for improved performance.
Logon reports for Firepower have now been added.
The Windows and Linux agent versions have been upgraded to 4.5 and 1.3 respectively.
You can now use either the Auto detect option or use the server time to revert the timezone.
The performance of STIX/TAXII threat feeds operations and Advanced Threat Analytics has been enhanced.
EventLog Analyzer now supports in-memory threat look-ups. This can be availed by getting in touch with support@eventloganalyzer.com.

Fixes

Application sources from which the agent collects logs, have been added to local log collection poll where it can be used for syslog collection.
SysEvtCol wasn't starting after the version upgrade. This issue has been fixed.
It was noticed that the Syslog devices when pinged, continued to ping until the device is restarted. This issue has been fixed.
Issues in the IPSec VPN reports have been fixed.
Issue in parsing of Source IP field for Cisco Failed VPN Logon events has been fixed.
Issues in Archive Integrity Cycle have been fixed.
Issue in parsing PaloAlto VPN logs has been fixed.
Log collector down alert was wrongly generated when a syslog device was added as a LinuxFIM. This issue has been fixed.
The timezone issue while fetching data for Dashboard has been fixed.
Issues in Apache web server attack reports have been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12155

Released on 13 Jan 2021

Standalone Edition

Distributed Edition

New features

EventLog Analyzer now provides reports and alert profiles based on the MITRE ATT&CK framework.

Streamlining security incident management

Investigate and track security incidents
- You can create incidents and assign technicians to investigate them.
- Track the status, severity, and the progress made in the investigation of incidents.

Automate incident creation using incident rules

Configure incident rules to automatically create incidents when specific alerts get triggered within a given time frame.

Map alerts as incidents

You can also map triggered alerts, reports, and log search results as incidents and assign a technician to investigate them.

Enhancements

To mitigate the cross-site scripting vulnerability, jQuery has been upgraded to version 3.5.1

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12150

Released on 4 Jan 2021

Standalone Edition

Distributed Edition

New features

Attack detection and mitigation

New out-of-the-box correlation rule:
- Prebuilt correlation rule to detect Ragnar Locker ransomware attack has been added.

Workflow actions:
- The workflow profiles now support Cisco ASA firewalls. You can now take remedial action of adding inbound or outbound firewall rules on Cisco ASA firewall with pre-built workflow profile.

Remote employee monitoring

VPN usage monitoring dashboard:
- Exclusive VPN activity dashboard that provides insights into VPN usage trends and VPN user activity.

Session activity view and reports:
- Session activities can now be viewed using the Weekly View timeline graph.
- Session activity reports on Palo Alto Networks and WatchGuard devices have been added.

Enhanced user experience

Custom user roles:
- You can create multiple user roles in EventLog Analyzer in addition to the existing Admin, Operator, and Guest roles and define permissions to them.

Log collection filters:
- Create log collection filters with multiple field criteria and logical operators to collect or exclude logs from select devices.

Enhancements

The Calendar feature has been enhanced to display the day's records when you click on the Today option.
Get contextual threat data for specific IP addresses or URLs from the search result.
Cookie based Active Directory (AD) sync has been enabled to resolve license restriction issues.

Fixes

Pre-defined alert criteria migration issue that arose in the 12000 PPM release has been fixed.
The auto-resetting of the member server while changing tabs has been fixed.
The latest build release notifier for local Linux builds has been fixed.
The Zip Slip vulnerability reported by zhighest has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12147

Released on 13 Nov 2020

Standalone Edition

Distributed Edition

Fixes

This release includes a fix for the unrestricted file upload issue that led to remote code execution vulnerability, which allowed unauthorized access to the server, as reported by Zhighest.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12146

Released on 20 Oct 2020

Standalone Edition

Distributed Edition

New features

Prepackaged Stormshield device reports:

EventLog Analyzer now provides out-of-the box reports for Stromshield device events such as Logon, Firewall Rule Management, System Event, Severity, and more.

Enhancements

Correlation metadata will now be stored in ElasticSearch instead of the product database for better performance.
The version of Tomcat bundled with the product has been upgraded to 8.5.57
The version of PostgreSQL bundled with the product has been upgraded to 10.12

Fixes

Issue in Geo location performance has been fixed.
Issues in Unix parser have been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12145

Released on 27 Aug 2020

Standalone Edition

Distributed Edition

Enhancements

New report groups for monitoring logons, failed logons, processes, and scheduled tasks in Windows workstation devices have been added.
Quick links to MSSQL Server Events, IIS Webserver Events, Terminal Server Events, and Printer Events have been added.

Fixes

Issue in collecting Applocker eventlogs has been fixed.
Issue with parsing usernames in eventlogs is now fixed.
Port update issue in the agent during connection changes in the EventLog Analyzer server is fixed.
Issue with populating usernames in Linux File Integrity Monitoring reports is fixed.
A logon failure on clicking "Verify Credential" during device updates is resolved.
False positives while generating alerts for missing archive files have been fixed.
Issue in importing a compressed CSV file is fixed
Issue related to delay in start up of EventLog Analyzer server due to collection of OS related information is fixed.
The "URL Site" field has now been added to the SonicWall Denied connections report.
Issue with CEF Destination IP parsing has been fixed.
Issue with generating the Anyconnect VPN report has been fixed.
Issue with parsing Firepower traffic logs is now fixed.
The destination IP address will now be shown in Trend Micro reports.
Issue with loading the server diagnostics page has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12141

Released on 31st Jul 2020

Standalone Edition

Distributed Edition

Enhancements

Agent Enhancement

Filters for Agent Status, Domains, etc. have been added to Agent Administration.

Device Group Enhancement

Device Group pages now offer filters for Device Type, Device Groups, and Sub Type.
Option to export and import correlation rules.

Enhancements to IIS Configuration Report

Out-of-the-box report to view IIS Configuration changes such as Logging Changes, Modules Changes, SSL Changes, and more.

Enhanced FIM module

The File Integrity Module user interface has been enhanced for improved user experience.

Reports enhancement

Top and Trend, User Based, and Device Schedule Reports' UI have been enhanced for better user experience.
Option to not notify the customers over email when the report has no data.

Dashboard enhancements

Dashboard tile customization: Flexibility to customize the dashboard tiles to view multiple reports.
The graphs will be updated in real-time when new data is available.

Enhanced archive process

The archive process has now been enhanced. It also includes notification to intimate details on the storage space while unarchiving.

Import Log(s) performance enhancement

The performance of Import Log(s), IIS, and MySQL modules' has been enhanced to reduce the file read time thereby lessening the time taken for importing the logs.

Usability Enhancements

Upgrade notification

You will receive in-product notification as soon as a new update is available for upgrade.

Fixes

This release includes fixes for issues related to:

VPN

Issue in session logs not getting recorded when a user disconnects VPN, has been fixed.
Fortinet session reports were not available under New Report. This issue has been fixed.
Issue in username field value in predefined Fortinet VPN Session reports has been fixed.
Issue in populating Fortinet VPN logoff report has been fixed.

Agent

Due to delay in synchronization, agent status was displayed wrongly in the UI. This has been fixed.
In Linux agents, issues related to high CPU usage have been fixed.

Syslog

Issue in Syslog getting disabled in log collector even when enabled in the UI has been fixed.
Issue in Syslog devices being unreachable has been fixed.

Log parsing

Parsing support has been included for Fortimail logs.
For Unix logs, milliseconds will be considered while sorting the logs.
Support provided now for the latest versions of Symantec log structures.
Out-of-the box support has been provided for F5 Application Security Manager.

Vulnerability fixes

PostgreSQL has been upgraded to version 10.12 for Linux.
The older versions (1.x and 2.x) of JQuery have been removed.

Other fixes

You can now specify the number of days, weeks, or months in the 'log retention period' option for the archives loaded by the user. EventLog Analyzer will unload these logs after the specified period.
Issue in TLS log collection when the password is encrypted. This has been fixed.
Issue in username missing from the logs has been fixed.
Issue in filter when eventlog ID and message are requested has been fixed.
Issues in newly added devices taking old hostnames have been fixed.
Issue in auto updating of IP in host table has been fixed.
Event log collection failures were observed when the number of cores exceeded a certain limit. This issue has been fixed.
The Repo (repository) folder was not getting cleared when product logs off while unarchiving data. This has been fixed.
Issue in device count displayed on the dashboard for Managed Servers has been fixed.
Issues in indexing were observed when ES connection is reset. This has been fixed.
In Linux, the service auto startup issue has been fixed.
When all the associated devices are disabled, Agent Down notification will be skipped.
The archive data loaded in the centralized archive can now be viewed flawlessly.
Issue in configuring multiple SQL Server instances that are listening on the same port of a machine has been fixed.

Appropriate notifications will be displayed for different connectivity issues between the admin server and the managed server.

Build 12137

Released on 9th Jun 2020

Standalone Edition

Distributed Edition

New features

NIST compliance

EventLog Analyzer now has out-of-the-box compliance reports for meeting NIST standards.

PDPA compliance

EventLog Analyzer now has out-of-the-box reports to comply with the Philippines Data Privacy Act.

Correlation rules to detect ransomware

EventLog Analyzer now has correlation rules to detect the MailTo and Coronavirus ransomware execution.

Enhancements

SQL Performance

SQL Server Advanced Auditing performance has been enhanced to optimize CPU usage.

WMI Log Collection Performance

There will be a higher throughput of logs collected via WMI from windows devices.

Fixes

VPN logon reports have been fixed and new VPN logoff reports have been added.
The issue with configuration of devices with device names in Japanese has been fixed.
Removing the auto-log forward entry for the devices deleted from EventLog Analyzer is fixed.
Disabling radius authentication for disabled users has been fixed.
Issue with detecting domain names in the login page has been fixed.
Issue with updating the status of files in the central archive following integrity checks has been fixed.
Exporting applications reports for the current date irrespective of time range is possible now.
Suspicious URLs that were not flagged in Advanced Threat Analytics will be detected now.
Hostname handling issues while adding a threat source has been fixed.
Blocks in the incident management workflow with regard to SNMP localhost forwarding, URL validation, and port validation are now refined.
A mismatch with the log count and the issue with the popup in the application log sources page has been fixed.
Issue with the parsing of logs for Linux File Integrity Monitoring in RedHat has been fixed.
Issue with configuring event sources has been fixed.

Appropriate notifications will be displayed for different connectivity issues between the admin server and the managed server.

Build 12136

Released on 15th May 2020

Standalone Edition

Distributed Edition

Fixes

This release includes fix for the CVE-2020-24786 vulnerability, which allowed unauthenticated changes to integration system configuration, reported by Florian Hauser.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12135

Released on 6th May 2020

Standalone Edition

Distributed Edition

New features

Custom VPN sessions alert

You can now create custom alert profile for VPN sessions in EventLog Analyzer to trigger an alert when:

The number of active VPN sessions exceeds a custom threshold value.
A VPN connection is established from a blacklisted VPN source location.

Correlation alerts

You can now create alert profiles to trigger correlated alerts when:

Multiple VPN logon failures occur from a user account within a specific period.
Multiple successful connections have been established by the same user from different locations within a specific period.

Fixes

The Remote Code Execution vulnerability in the product pages has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12130

Released on 13th April 2020

Standalone Edition

Distributed Edition

New features

Trend Micro-deep security support

Out-of-the-box reports on Trend Micro-deep security devices.

Smart card- based authentication

If you have a smart card authentication system enabled in your environment, you can configure EventLog Analyzer to authenticate users through it, bypassing other first-factor authentication methods.

New logon security options

CAPTCHA support - Flexibility to display a CAPTCHA always, or after a certain number of invalid login attempts. Besides image, you can also enable Audio CAPTCHA.
Account lockout: Option to lock user accounts for a specific duration after a certain number of invalid or failed login attempts. The locked out user account cannot be used to access EventLog Analyzer until the specified duration is completed.

IP geo location for IIS logs

EventLog Analyzer now enables you to know the location of your visitors from their IP addresses.

Enhancements

Revamped alerts

The Alert tab now features a revamped GUI to facilitate improved management and faster response to alerts created.

Juniper structured log format

Support for structured logs from Juniper firewall .

Fixes

HTTP vulnerabilities in ES have been fixed.
Issue in listing IBM AS400 in report scheduler has been fixed.
Issue in parsing Oracle logs has been fixed.Issue in parsing NPS (Network Policy Server) logs have also been fixed.
The problem with file auditing when the 'username' field is enabled has been fixed.
Issue in generating USB report in Chinese machines have been fixed.
Issue in generating FIM report in German machines have been fixed.
Issue in deleting import logs, and importing logs has been fixed.
Issue in removing custom pattern has been fixed.
Agent startup issue has been fixed.
In the Oracle Predefined reports, issue in presenting all the search fields in 'Add/Remove columns' has been fixed.
In agent auditing, incorrect device-down alerts sent via mail has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12126

Released on 3rd April 2020

Standalone Edition

Distributed Edition

New features

VPN sessions monitoring report

When employees work from home, it's mandatory to accurately monitor their VPN sessions. EventLog Analyzer has added an exclusive "VPN Session Monitoring" analytical report that gives information on:

Number of active VPN sessions
Duration of each VPN session
Status of individual user's VPN connection

These information help not only in monitoring and auditing VPN user activities but also in VPN capacity planning.

EventLog Analyzer supports Cisco, Fortinet, SonicWall, Huawei, Meraki, and H3C VPNs right out of the box.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12125

Released on 19th March 2020

Standalone Edition

Distributed Edition

Enhancements

The Log receiver option is now enabled only for administrators.
Read access is now provided for the current archive file, so that other applications can access it.
OpenSSL has been upgraded from openssl_1_1_0c to openssl_1_1_0l.
Option to disable the population of trend tables (tables containing hourly log count) has been added.
Parser rules for Windows Event ID 800 has been added.

Fixes

Issue with switching the managed server in the Compliance page has been fixed.
Issues with parsing of severity information from old Windows archive files have been fixed.
The dashboard now renders perfectly for all date formats.
Sophos, pfSense, and Juniper devices' logs can now be parsed without errors.
The Syslog Viewer no longer stops displaying incoming logs when the language is changed from English.
Issue which caused log collection to be stopped when an existing ELA installation was migrated to a different device has been fixed.
Issue in deletion of custom fields created from preview of import log has been fixed.
Issue which caused the alert dumps to accumulate when a correlation rule is built with "is variable" condition has been fixed.
Updates and improvements to ensure ELA works in the "High Availability" mode when started as a service.
Fixes to ensure archive logs don't get corrupted when Java virtual machine hangs or shuts down abruptly.
Problems concerning crashes in native logger have been fixed.
Problem of disconnection of SSH during agent sync has been fixed.
Problem with Linux File Integrity Monitoring filters has been fixed.
Problems with permissions being escalated for non-privileged users while importing logs have been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12123

Released on 6th March 2020

Standalone Edition

Distributed Edition

Fixes

The issue with processing of cached records created before 12120 build has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12121

Released on 19th February 2020

Standalone Edition

Distributed Edition

Enhancements

Enhanced performance with redundant log prints detection, centralized log entry point, and more.

Fixes

Reduced Elasticsearch recovery time, and product startup time.

Fixes

Issues with changing a managed server in the reports tab has been fixed.
Issues with viewing the last 10 events of a managed server in the admin server has been fixed.

Build 12120

Released on 16th January 2020

Standalone Edition

Distributed Edition

New features

FERPA compliance

EventLog Analyzer now has out-of-the-box compliance reports for the Family Educational Rights and Privacy Act (FERPA).

Enhancements

Agent administration

EventLog Analyzer's agent has been upgraded to make it more versatile and achieve the following:

You can deploy Windows agents from EventLog Analyzer running on a Linux server.
The agent administration UI has been enhanced to facilitate easier agent installation, uninstallation, restart, and upgrade.
You can now collect syslogs from applications running on Windows machines.
You can upgrade the EventLog Analyzer agent deployed in demilitarized zones (DMZs).
Communication between the agent and EventLog Analyzer is now more secure.
You can collect logs of Oracle applications running in Windows devices.

New blocks in workflow including Send SNMP Trap, HTTP Request, CSV Lookup, and Forward Logs have been added.
You now have the option of collecting only the application logs from Windows devices.
The log collector's dependency on databases has been eliminated.
The product settings UI has been revamped for easier configuration.

Fixes

Traces of clickjacking vulnerability have been removed.
Issue in 'Save to folder' option for scheduled reports has been fixed.
Issue in the SonicWall web traffic dashboard widget has been fixed.
Issues in parsing HTML tags and logs from recent Windows versions have been fixed.
Issue in log correlation for imported logs has been fixed.
Issue which caused Linux agent to crash has been fixed.
Issue in notification for AMS license expiry has been fixed.
Issue in importing vulnerability logs from the Windows agent has been fixed.

Fixes

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12115

Released on 14th December 2019

Standalone Edition

Distributed Edition

New features

Support for IBM Db2 logs

EventLog Analyzer now supports IBM Db2 logs and provides out-of-the-box reports.

Threat whitelisting

You can configure EventLog Analyzer with an index of approved IPs, URLs, and domain names to minimize false positives.

Enhancements

The alerts section now has a set of default alert profiles.
The dashboard has predefined profiles for Cisco devices and SQL and IIS servers.
The dashboard gets a new dark theme for better visual experience.

Fixes

Issue with zipping AS/400 archive logs has been fixed.
Issue with categorizing IIS FTP server logs has been fixed.

Fixes

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12110

Released on 6th November 2019

Standalone Edition

Distributed Edition

New features

Support for F5 devices

Out-of-the-box reports are now available for F5 devices.

CCPA compliance reports

Predefined reports for CCPA compliance are now available.

Enhancements

Receive email notifications to monitor user actions in EventLog Analyzer.
Option to customize the existing correlation rules to detect sophisticated threats.
All the generated alerts are now stored in Elasticsearch instead of database, for faster search and retrieval of data.
Custom reports can now be shared with other users.
Alert retention is now configurable.

Fixes

Issues with multiple admin-managed server synchronization has been fixed.
An option has been added to enable or disable periodic email alerts when a device is down.
Issue with taking backups of the built-in pgSQL database in EventLog Analyzer while upgrading to versions 12000 and above has been fixed.
Issue with displaying executed commands for older library versions of Linux File Integrity Monitoring has been fixed.
Issue with viewing the last 10 events in machines with Turkish operating systems has been fixed.
Issue wit sending emails from EventLog Analyzer using TLS 1.2 has been fixed.
Issue with displaying agent log counts has been fixed.
Issue with displaying Configuration Changes Reports in Checkpoint devices has been fixed.
Issue with updating the values in alert profiles has been fixed.
Issue with displaying event log counts for PCI DSS compliance has been fixed.
Issue with processing alert profiles created with Regex pattern criteria has been fixed.

Enhancements

The process of converting a standalone server to a managed server has been enhanced for improved user experience.

Fixes

Issue in updating the managed server with compatible service packs from the admin server has been fixed.
Connection failure issue after updating managed server credentials in admin server has been fixed.
Issue with automatically updating managed server devices to the admin server has been fixed.

Build 12100

Released on 8 October 2019

Standalone Edition

Distributed Edition

New features

Customizable dashboard

EventLog Analyzer's dashboard now has a range of customization options.

Dashboard data will be updated in real time.
New tabs can be created with predefined widgets or with a blank template where any report can be pinned to the tab.
The color of the charts can be customized for more visual impact.

Advanced Threat Analytics

Crucial information on the severity of threats can be obtained when potentially malicious URLs, domains, and IP addresses intrude into the network.

Enhancements

Enhanced archival process

The log archival process has been enhanced for better usability, reporting, and for ensuring the integrity of log data. With the enhanced archive:

Multiple archives can be loaded and unloaded simultaneously.
The data in the loaded archive files is now searchable and reports can be generated.
An alert will be raised if the archived logs are tampered with.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12060

Released on 23 August 2019

Standalone Edition

Distributed Edition

New features

Automatic discovery of MySQL servers.
SAP ERP logs and McAfee ePolicy Orchestrator syslogs support.

Enhancements

Support for seamlessly processing syslogs that have different encodings and are from different time zones.
REST API support for ServiceDesk Plus, an Incident Management tool.
Performance of searching through compressed log data has improved.

Fixes

Issue of creating alert profiles using custom fields has been fixed.
SQL server audit reports not being populated with data has been resolved.
Issue of parsing username with sudo commands has been fixed.
Issue of identifying false positives when the log collector is manually stopped has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12050

Released on 26 July 2019

Standalone Edition

Distributed Edition

New features

Incident workflow management

Create and manage incident workflows in EventLog Analyzer. These workflows are automatically executed when the associated incident alerts are triggered. You can even track the execution of each workflow and view its status.

CoCo and NERC compliance reports

Predefined compliance reports have been added for CoCo and NERC regulations.

Enhancements

Technician audit logs are now maintained separately in the database, to facilitate future forensic investigations if needed.
Alert severity can now be passed as an argument to scripts in the run program option, or to be displayed in email and SMS notifications.

Fixes

Issue with displaying the Next 10 archives in the Archive Settings page has been fixed.
Issue with loading the Malware Detected report under Windows Defender has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12041

Released on 20 June 2019

Standalone Edition

Distributed Edition

Enhancements

The Search tab has a new UI with enhanced Advanced Search Criteria, Save Search, and Tag settings, for better user experience.

Fixes

Issue in the terminal server agent has been fixed.
Issue in migrating from PostgreSQL to Microsoft SQL Server has been fixed.
Issue in Microsoft SQL Server Auditing Configuration when SSL is enabled in a SQL Server instance has been fixed.
Issue in changing EventLog Analyzer's back-end database to SQL Server when SSL is enabled has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the Standalone Edition.

Build 12040

Released on 31 May 2019

Standalone Edition

Distributed Edition

New features

Support for Arista switches

EventLog Analyzer now offers predefined event-based reports on Arista switches.

Enhancements

The settings tab has been refurbished for enhanced user experience.
The reporting module has been tweaked to process queries faster.

Fixes

Issue in archiving correlated data has been fixed.
Issue in sending a test email without authentication has been fixed.
Timestamp issue in forwarded Windows logs has been fixed.
Issue in scheduled reports exported with empty PDF attachments has been fixed.

Enhancements

Synchronized data will be auto-recovered in the admin server if synchronization fails.

Fixes

Issue in synchronizing data and service pack if the admin server is down during managed server startup has been fixed.
Issue in device reports in the admin server dashboard has been fixed.
Issue in removing managed servers configured with applications from the admin server has been fixed.
Synchronization issues between the admin server and managed servers have been fixed.

Build 12030

Released on 27 Mar 2019

Standalone Edition

Distributed Edition

New features

Compliance reports for NRC and Cyber Essentials

EventLog Analyzer offers out-of-the-box reports for complying with the mandates prescribed in the Nuclear Regulatory Commission RG 5.71 and Cyber Essentials.

Enhancements

You can now import logs stored in Amazon Simple Storage Service (Amazon S3) buckets.
EventLog Analyzer now supports server message block (SMB) 2.0 for importing logs, discovering IIS Servers, and file integrity monitoring.

Fixes

Issue in log collector caused by packet size being bigger than the buffer size has been fixed.
Issue in sending test emails from the product has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.

Build 12020

Released on 8 Feb 2019

Standalone Edition

Distributed Edition

New features

Support for SNMP traps and MySQL logs

EventLog Analyzer now has the ability to process SNMP traps, and also supports import and analysis of MySQL general and error logs.

H3C device support

EventLog Analyzer now provides out-of-the-box support for H3C devices.

Enhancements

The different views of a report, such as table, summary, matrix, and multi-report, can now be exported as PDFs.
Option to enable or disable headers in CSV files has been added.
Option to select log file name patterns while periodically importing log data has been added.

Fixes

Issue in deleting log import schedules has been fixed.
Issue in adding multiple email addresses in the recipient field of the Log Collection Failure alert has been fixed.
Issue in alert processing has been fixed.
Issues in report schedules and severity-based pivot reports have been fixed.
Issue in log collection schedules when collecting Syslog from Windows devices has been fixed.
Issue in parsing Firepower and Check Point logs has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.

Build 12012

Released on 23 Jan 2019

Standalone Edition

Distributed Edition

New features

Two-factor Authentication

EventLog Analyzer's login security has been bolstered with two-factor authentication via email, SMS, Duo Security, RSA SecurID, and Google Authenticator.

Enhancements

Mail notification settings have been completely revamped for enhanced user experience.
Option to configure proxy server has been added.
SMS notification settings now supports additional protocols such as HTTP, SMTP, and SMPP.
jQuery version has been upgraded to 3.3.1 for greater security.

Fixes

Issue in connecting to a Microsoft SQL database when the password size exceeds 15 characters has been fixed.
Issue in sending alerts to Windows Event Viewer has been fixed.
Issue in MySQL backup has been fixed.
Issue in forwarding logs from AS/400 devices has been fixed.
Issues in parsing logs for file integrity monitoring and SQL column integrity monitoring have been fixed.
Issue in resolving IP addresses which caused the log collector to quit has been fixed.
Issue in scheduling predefined reports has been fixed.
Issue in loading archived logs has been fixed.
Issue in sorting report profiles has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.

Build 12010

Released on 30 Nov 2018

Standalone Edition

Distributed Edition

New features

Linux File Integrity Monitoring

Predefined reports to track creation, modification, deletion, renaming, and permissions changes in files and folders on Linux devices.

Enhancements

The File Integrity Monitoring module configuration has been enhanced for better user experience.
The capability to audit all activities of users with Technician roles in the File Integrity Monitoring module.
ICMP traffic logs are now parsed.

Fixes

Issue in the scheduler when multiple criteria are selected for File Integrity Monitoring has been fixed.
Issue which caused a mismatch in the number of events displayed in the File Integrity Monitoring dashboard and the underlying data has been fixed.
Issues in graph and data in exported reports in the CSV format has been fixed.
Issue in exporting reports with more than eight columns has been fixed.
Issue in parsing Palo Alto logs without serial numbers has been fixed.
Issue in displaying Symantec system events in the appropriate report has been fixed.
Issue in parsing Unix device logs to track file uploads has been fixed.
Issue in displaying the content in alerts mails has been fixed.
Issue in updating the time at which logs were last received from Windows devices with third-party agents has been fixed.
Issue in displaying the status of log collection of the syslog receiver has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.

Fixes

Issue in configuring centralized log archival from the Admin server using some browsers has been fixed.

Build 12000

Released on 13 Nov 2018

Standalone Edition

Distributed Edition

New features

Brand-new UI for reports

A completely revamped reports tab with a fresh UI and the ability to:

Create custom reports more swiftly and also view them in four different formats— Table, Summary, Matrix, and Multi-report.
Generate new views for the prebuilt reports.

ISLP compliance reports

EventLog Analyzer now has out-of-the-box reports to help you comply with Information Security Level Protection's (ISLP) requirements.

Support for Cisco Firepower & pfSense

Ability to process logs from Cisco Firepower and pfSense, along with exclusive reports and alert profiles to easily audit events from these devices.

Enhancements

Correlation rules have been enhanced with the option to add these new conditions: less than, greater than, between, not contains, not starts with, not ends with, not between, and is variable.
Advanced auditing of Microsoft SQL supports all collations.
The Favorite reports category has been enhanced to become user-specific.
All the report categories have been enhanced for better usability and searching.
The GPG compliance reports under the Windows reports category have now been moved to the dedicated group under the Compliance tab.

Fixes

Issue in user-specific language settings has been fixed.
Issue causing the unavailability of EVTX log files' description has been resolved.
Issue in parsing DHCP and Huawei logs has been fixed.
Issue in updating report summary in database has been resolved.
Issue causing log collector to shut down while processing logs collected using TLS 1.0 has been fixed.
Issue in editing the log collection filters page has been resolved.
Issue causing inconsistency in Application page's severity log reports has been resolved.
Issues in selecting fields for search and changing work-hour configurations in Internet Explorer browser have been fixed.
Issue in fetching data for previous day's non-working hours reports has been fixed.
Issue in searching while having space in field names has been resolved.
Issue in Save to Folder option in scheduled reports has been fixed.
Issue in time format when exporting user-based reports has been fixed.
Issue in rearranging actions in correlation rules has been fixed.
Issue in deleting correlation rules in the off-heap mode has been fixed.
Issue in saving search criteria that contain regex expressions as an alert has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.

Fixes

Issue in View Old Data option in the managed server correlation tab has been fixed.

Build 11212

Released on 5 Oct 2018

Standalone Edition

Distributed Edition

Enhancements

Log processing has now been made faster for enhanced performance and user experience.

Fixes

Issue with scheduled imports of multi line logs has been fixed.
Issues in building custom alerts have been fixed.
Issue with parsing SonicWall logs has been fixed.
Issue with emailing scheduled reports has been fixed.
Issue with populating data in reports pertaining to ManageEngine Password Manager Pro has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.

Build 11211

Released on 28 Sep 2018

Standalone Edition

Distributed Edition

Fixes

Issue in viewing events of the correlation history in Build 11210 has been fixed.
Issue in applying the service pack in Build 11210 has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.

Build 11210

Released on 10 Sep 2018

Standalone Edition

Distributed Edition

New features

HP switch monitoring

EventLog Analyzer offers predefined reports and alert profiles to monitor the security events of HP switches exclusively. It also comes with the capability to analyze log data of HP switches.

Enhancements

The import log module now supports multiple file encodings.
An option to specify the imported log data's timezone.
Date format can now be set in the product.

Fixes

Issue with importing EVTX format files from a shared path has been fixed.
Issue with importing files from a shared path when the device credentials have already been configured has been fixed.
Issue in displaying data for compliance reports in the free version of the product has been fixed.
Issue in timestamp when scheduled compliance reports are saved has been fixed.
Issue in not parsing the username field in Windows application logs has been fixed.
Issue in reports not populating data from IBM AIX systems has been fixed.
Issue in fields of the Windows Services reports in the compliance report section has been fixed.
Issue in not being able to import CRT files into the ssl.keystore has been fixed.
Issue in product not starting when HTTPS is enabled and the password contains a special character has been fixed.
Issue in parsing Barracuda device logs has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.

Build 11204

Released on 30 Jul 2018

Standalone Edition

Distributed Edition

New features

Threat Management

EventLog Analyzer's threat intelligence module has been further enhanced by extending support for real-time updates from custom STIX/TAXII servers.

Fixes

Issue in saving scheduled reports and also changes to favorite reports has been fixed.
Sparsely-occurring issue while loading archive logs has been fixed.
Issue causing malfunction of TLS log collection server when PFX certificate has certificate chain has been fixed.
Issue in parsing H3C logs has been fixed.
Issue encountered while resetting passwords has been fixed.
Issue in alert mail rebranding has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.

Build 11200

Released on 18 Jun 2018

Standalone Edition

Distributed Edition

New features

Selective activity monitoring

Monitor Windows and Unix sessions of users with predefined or custom session activity rules.

Meraki security appliances auditing

Predefined reports and alert profiles to audit security events of Meraki security appliances easily.

Support for CEF format logs.

Enhancements

The scope of Microsoft SQL Server auditing has been widened with the ability to audit and track more activities such as logins, integrity of data on the server, and more.
Reports on session activity have been enhanced for better usability.
The correlation scheduler has been given a facelift.

Fixes

Issue in establishing an ODBC Connection when TLS 1.0 is disabled has been fixed.
Issue which identified other application logs as Microsoft SQL Server logs has been fixed.
Issue in data not being displayed in reports if the table header and database name exceeds fifty characters has been fixed.
Issue in monitoring interval scheduler for AS400 devices has been fixed.
Issue in AIX reports not showing accurate data has been fixed.
Issue in VPN user reports not populating data for network devices has been fixed.
Issue in the format of the Palo Alto logon report has been fixed.
Vulnerability issues in the product settings have been fixed.
Cross-Site Scripting vulnerability (CVE-2018-10075) that allowed remote attackers to inject arbitrary web script or HTML via the import logs function has been fixed.
Cross Site Scripting vulnerability (CVE-2018-10076) that allowed remote attackers to inject arbitrary web scripts or HTML via the search function has been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.
Issue in copying the service pack and license from the Admin server to Managed servers has been fixed.

Build 11140

Released on 25 May 2018

Standalone Edition

Distributed Edition

New features

Password protection can be enabled for reports that are exported in PDF and CSV formats.
Users with administrator privileges can now audit the report export activities.
Guest users will not be able to export reports.

Enhancements

When you enable the GDPR configuration settings, you will be prompted for consent during third party tool integrations.

The new features and enhancements for the Distributed Edition - Managed Server are the same as the above.

Build 11134

Released on 21 May 2018

Standalone Edition

Distributed Edition

New features

A rich text editor has been provided in the alert profile configuration page to compose the alert email.

Enhancements

The correlation rule builder has been revamped for better usability.
The correlation engine can now detect malicious IP addresses from threat feeds.
The alert mail content has been enhanced.

Fixes

The issue in the correlation alert mail has been fixed.
Several other minor issues have been fixed.

The updates for the Distributed Edition - Managed Server are the same as the above.

Build 11133

Released on 11 May 2018

Standalone Edition

Distributed Edition

New features

Support for more ticketing tools

EventLog Analyzer's incident management module now supports Jira Service Desk, Zendesk, Kayako, and BMC Remedy Service Desk.

Enhancements

The user interface of the Incident Management tab has been enhanced for better user experience.

The updates and fixes for the Distributed Edition - Managed Server are the same as the above.

Build 11130

Released on 13 April 2018

Standalone Edition

Distributed Edition

New features

IIS web site auto discovery which makes it easier to configure IIS web sites for monitoring.

Enhancements

Multiple files can now be imported simultaneously.
Server Message Block (SMB) protocol has been added as one of the protocols to access files.
Customization options have been added for scheduling of log imports.
Dynamic patterns and numerical increments for file rollovers have been added.
Option to import and store logs for short durations has been added.

Fixes

Issue in the device name and display name fields in custom reports has been fixed.
Issue in adding syslog hosts has been fixed.
Parsing issue in Cisco device logs has been fixed.

The updates and fixes for the Distributed Edition - Managed Server are the same as the above.

Build 11123

Released on 27 March 2018

Standalone Edition

Distributed Edition

New features

Secure archival of log files

Checksums are now used to maintain the integrity of archived log files, thus helping meet compliance requirements.

Supports Huawei firewall

Predefined reports and alert profiles help easily audit security events of Huawei firewalls.

Supports Malwarebytes

Predefined reports and alert profiles help in auditing logs from Malwarebytes, thereby improving the threat detection mechanism.

Enhancements

Kerberos has been added as an authentication method for log collection.
Removable Disk Auditing now supports more device types.
The object access policies enabled by default in an agent have been optimized to reduce log dropping.
The IP address of the remote device has been added as a field in file integrity monitoring logs.
Permission changes for files are now audited.
All logs generated during agent downtime will be collected from the Event Viewer, once the agent recovers.

Fixes

Issue with restarting of the log collector has been fixed.
Issue in specifying multiple entries in the fields of database filters has been fixed.
Issue in log collection filter for Windows logs forwarded as syslog has been fixed.
Consistency issue in deletion events of folders with child objects has been fixed.

Sync issue between the admin server and managed servers has been fixed.
The new features, enhancements, and bug fixes for the Distributed Edition - Managed Server are the same as that of the Standalone Edition.

Build 11122

Released on 19 March 2018

Standalone Edition

Distributed Edition

New features

The correlation module now supports logs from ManageEngine OpManager and Password Manager Pro.
Forensic analysis can be performed on the actions of the user(s) and device(s) involved in a successfully correlated event.

Enhancements

Reports of network devices can now also be viewed in the Compliance tab.
An option to enable or disable the out of memory alert notification.
The mail subject of low disk space and out of memory alerts can be customized.
Automatic assignment of alerts to technicians based on alert profiles.
An option to delete generated alerts, when deleting the alert profile that they are associated to.
Exporting compliance reports has been made faster.
The compliance report scheduler has been enhanced.

Fixes

Issue in parsing of File Integrity Message in the alert mail has been fixed.
Issue in automatically adding agent has been fixed.
Issue which generated alerts with wrong criteria for AS400 has been fixed.
Issue in Compliance report scheduler has been fixed.

The new features, enhancements, and bug fixes for the Distributed Edition - Managed Server are the same as that of the Standalone Edition.

Build 11120

Released on 7 March 2018

Standalone Edition

Distributed Edition

New features

SQL Server auto discovery

which makes it easier to configure SQL servers for monitoring.

Column Integrity Monitoring in SQL Server

Track changes in a monitored column including who changed the value, at what time the value was changed, and the database table in which the value was changed.

SQL Server Advanced Audit reports

SQL Server Advanced Audit reports provide information on the history of schema and object changes, most used tables, and more.

Enhancements

Auditing can now be enabled only for the selected SQL Server instances.
Audit policies can now be created or deleted from EventLog Analyzer.
The user interface of the Manage Applications tab has been enhanced for better user experience.

Fixes

Issue in password with special characters entered during the configuration of mail server has been fixed.
Issue which added duplicate entries to reports exported in CSV format has been fixed.
Issues in parsing and indexing of SolarWinds and Snare logs have been fixed.
Cross Site Scripting (XSS) in the search and reports page (CVE-2018-7405) raised by Suresh Khutale has been fixed.
Vulnerability issue of remote code execution when uploaded by an agent has been fixed.

The new features, enhancements, and bug fixes for the Distributed Edition - Managed Server are the same as that of the Standalone Edition.

Build 11110

Released on 9 February 2018

Standalone Edition

Distributed Edition

New features

Supports Barracuda devices: Predefined reports and alert profiles help easily audit security events of Barracuda Firewalls, Web Application Firewalls, and Email Security Gateway.
Implementation of slow query graphs for the dashboard.

Enhancements

Provision to customize the subject, content of email, and SMS alerts.
Add alerts and manage alerts pages have been enhanced for improved user experience.

Fixes

Issue in handling special characters in Microsoft SQL migration has been fixed.
Issue in wildcard search has been fixed.
Issue in triggering alerts when the buffer size is reached has been fixed.
Issues in parsing Sonicwall signature ID, Cisco Firepower custom fields, and denied traffic in Fortinet have been fixed.
Issue in SQL Login Altered report has been fixed.
Issue in updating aggregated data in MySQL database has been fixed.
Issue which caused multiple UDP ports to listen has been fixed.

The new features, enhancements, and bug fixes for the Distributed Edition - Managed Server are the same as that of the Standalone Edition.

Build 11102

Released on 24 January 2018

Standalone Edition

Distributed Edition

New features

Integration with Log360 Cloud
- The logs collected by EventLog Analyzer can now be stored and managed on a secure cloud platform - Log360 Cloud.

New features

The new features for the Distributed Edition - Managed Server is the same as the Standalone edition (Build 11102).

Build 11101

Released on 12 January 2018

Standalone Edition

Distributed Edition

New features

Three new predefined correlation rules that detect suspicious SQL backup, installation of services and software.
Logs from syslog and other devices can be forwarded to any server including file servers and Windows servers.

Enhancements

Parsing of new fields in Juniper and Fortinet firewall logs.
Support for Snare in the RFC 5424 format.

The new features for the Distributed Edition - Managed Server is the same as the above.

Build 11100

Released on 9 December 2017

Standalone Edition

Distributed Edition

New features

GDPR compliance reports

Offers predefined report templates to help you easily comply with the GDPR's requirements.

Enhancements

A new report for Juniper application tracking has been added.
Mail subject can now be added in the custom report scheduler.

Fixes

The alignment issue in reports exported as CSV files from the search tab has been fixed.
The issue in parsing SonicWall botnet logs has been fixed.
WatchGuard firewall logs are now parsed.
The issue with not being able to view devices in the admin server when the user logs in via AD has been fixed.
The issue in displaying the report fields for Oracle devices has been fixed.
The issues in parsing the timestamp of imported logs have been fixed.

Fixes

The new feature for the Distributed Edition - Managed Server is the same as the above.

Build 11090

Released on 29 November 2017

Standalone Edition

Distributed Edition

New features

Supports Sophos-UTM, Sophos-XG, and Cyberoam devices

Predefined reports and alert profiles help easily audit security events of Sophos-UTM, Sophos-XG, and Cyberoam devices.

Provides an option to discover and configure event sources for individual devices.

Enhancements

The mechanism of recording the log flow rate has been optimized.
An extra field "Display name" has been added to the pre-defined reports and search section.

Fixes

The issue with parsing of fields for NPS events occurring on Windows Server 2016 has been fixed.
Addition of VMware reports for created and deleted VMs (Event IDs: 13002 and 13003).
The issue with the Solaris user account management report and SUDO command execution report has been fixed.
Issue with populating web traffic reports for WatchGuard has been fixed.
The issue with the policy changes report for Symantec devices has been fixed.
The issue with exporting reports from the "My Reports" category has been fixed.

New features

The new features are same as in the Standalone Edition.

Fixes

All fixes to the Standalone Edition are applicable to the Distributed Edition as well.

Build 11080

Released on 17 October 2017

Standalone Edition

Distributed Edition

New features

The Correlation Engine has been completely upgraded to bring you complex attack detection across all devices on your network, enhanced field-level correlation, improved incident reports with timeline view, and much more:

Multiple log format support

Correlation is now carried out across multiple log formats, enabling you to correlate logs from Windows and Unix systems, network devices, and more.

Enhanced field-level correlation

Correlation can be done based on multiple log field values to provide fine-grained attack detection.

Predefined rules

The module is packaged with 25 predefined complex attack patterns.

Custom rule builder

The custom correlation rule builder has been upgraded to include over 250 predefined network actions and advanced filters.

Check for unique, constant, or shared field values among the actions that make up a rule.
Use multiple comparison conditions for fields, namely 'equals', 'not equal to', 'starts with', or 'ends with'.
Create rules for individual log types using specific network actions, or rules common to all log types with generic network actions.

Incident management integration

All correlation alerts can be viewed and managed with the in-built incident management console.

Enhancements

The correlation user interface has been upgraded with an all new look and feel, incorporating all the above new features.
The time between each individual pair of actions can now be specified when creating a rule.

New features

The new features are same as in the Standalone Edition.

Fixes

All fixes to the Standalone Edition are applicable to the Distributed Edition as well.

Build 11073

Released on 4 October 2017

Standalone Edition

Distributed Edition

New features

EventLog Analyzer now supports WatchGuard firewall devices. Exhaustive reports and predefined alert profiles makes it easier to audit WatchGuard firewall.

Fixes

White space characters that caused issue in mail server configuration has been fixed.
Predefined Symantec reports now display graphs.
"Windows unexpected shut down" report was not updated. This issue has been fixed now.
I18N issue in the device and status tab of admin server fixed.
Issue with exporting loaded archives in admin server fixed.
Issue with parsed product names in Checkpoint logs fixed.
Receiving alerts that logs are not being collected from various servers while they are actually being collected. This issue has been fixed.
Display issue with EventLog Analyzer's centralized archive page in Linux has been fixed.
Issue with "root" being not accepted as a username in centralized admin server is fixed.
Changes made in centralized archives setting page was not saved. This bug has been fixed.
Operator access to Syslog Listener Port Settings restricted.

New features

The new features are same as in the Standalone Edition.

Fixes

All fixes to the Standalone Edition are applicable to the Distributed Edition as well.

Build 11072

Released on 22 September 2017

Standalone Edition

Distributed Edition

Enhancements

EventLog Analyzer's security is further strengthened by using unique key to encrypt database for every installation.
The solution now correlates the logs from Cisco firewalls with that of the threat feeds and global IP threat database data to instantly detect traffic from malicious URLs and domains.
Custom log patterns (or regex patterns) can be created for specific devices and can be saved for future log imports.
Symantec Endpoint Protection support is now enhanced with the set of prebuilt reports on successful logons, failed logons, admins added, admins modified, admin deleted and policy changes.

Fixes

Multiple vulnerability issues including XSS, XML injection, authorization issues, and path traversal has been fixed.
New entries in registry were not added when databases was changed. This issue has been fixed.
All fields in 'Manage Agents' under 'Admin Settings' tab now supports non-ASCII characters as well.
IP address of configured devices were not updated properly. This issue has been fixed.
Parsing errors occurred when importing multi-line logs. This issue has been fixed.

Enhancements

The enhancements are same as in the Standalone Edition.

Fixes

All fixes to the Standalone Edition are applicable to the Distributed Edition as well.

Build 11070

Released on 29 August 2017

Standalone Edition

Distributed Edition

New features

Transport layer security (TLS) based log collection is now supported.
Port management options have been enhanced for better usability.
Out-of-the-box support for NetScreen and Checkpoint firewall devices log data. The new version comes with exclusive predefined reports and alert profiles that makes NetScreen and Checkpoint device auditing and monitoring easier.
The new version supports Nexpose vulnerability scanner log imports.
Exclusive reports for monitoring SonicWall VPN activities comes bundled with the new version.
The new version includes predefined reports that provide information on web traffic for Cisco firewall and routers.

Enhancements

External agent support is now being provided for Windows server core machines.
TLS 1.2 is used for enhanced agent-server communication.
File integration monitoring support has been extended for Windows file servers.
It is now possible to get the details of the users who renamed the file or folder in the predefined file integrity monitoring reports.
You can now directly apply the self-signed certificate directly from within EventLog Analyzer web-console.
EventLog Analyzer now extends the log querying capability to Nessus, OpenVas, Nmap and Qualys vulnerability scanner log data.
Reports for "Host migration in vCenters" and "VM Relocated Events" is now provided.
Option to search for a specific managed server from admin server console is now being provided.
Device display name enhancements has been done.

Fixes

The following bug fixes are done in addition to a range of minor bug fixes.

The issue in displaying host count in the "Home" tab of "Device details" page in distributed edition is fixed.
Occasional sync error between managed server and admin server in distributed edition is fixed.
Log count aggregation in trend table has been revamped.
File integrity monitoring report profile now accepts file extension with spaces.
Bugs in Apache report's status code has been fixed.
The issue with log format icon in log collection filter profile is rectified.
Multiple bugs fixed for Fortinet and Juniper firewalls reports.
Bug fix for the summary count in the scheduled file integrity monitoring reports.
The Username is now parsed for event IDs 4658 and 4952 in event logs.
False alerts for "log collection failure" fixed for syslog.
Encoding issue for non-English languages in CSV export reports is fixed.
Multiple log parsing issues fixed.

Enhancements

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 11.7 Build 11056.
No changes specific to Distributed Edition Admin Server in this release.

Build 11066

Released on 15 August 2017

Standalone Edition

Distributed Edition

Enhancements

Enhanced threat intelligence platform

The solution now supports STIX/TAXII threat feeds. The global threat feed database will be updated automatically.

Malicious IP and URL alerts

Upon analysing the threat feeds and log data from the network, the solution sends out real-time alerts if suspicious traffic or out going traffic to malicious domain is detected.

Enhancements

Enhanced threat intelligence platform

The solution now supports STIX/TAXII threat feeds. The global threat feed database will be updated automatically.

Malicious IP and URL alerts

Upon analysing the threat feeds and log data from the network, the solution sends out real-time alerts if suspicious traffic or out going traffic to malicious domain is detected.

Build 11065

Released on 04 August 2017

Standalone Edition

Distributed Edition

Enhancements

Elastic Search is enhanced to handle unprocessed files.
In the search option, custom fields are pre-populated with values that are previously configured by users.
In a current session, if you navigate to other tabs while viewing a specific report, the 'Reports' tab saves the view and shows it to you when you're back.

Fixes

Issues with Cisco parsing have been fixed.
Issues in parsing VNC logs from Mac OS have been fixed.
The values used in the compliance reports are directly taken from the indices to avoid value mismatch.

Enhancements

The enhancements are same as in the Standalone Edition.

Fixes

All fixes to the Standalone Edition are applicable to the Distributed Edition as well.

Build 11060

Released on 19 July 2017

Standalone Edition

Distributed Edition

New features

EventLog Analyzer now offers exclusive reports and alert profiles for Fortinet device to help to detect anomalous activities, monitor user activities, changes in configuration, and ,more.

Enhancements

EventLog Analyzer supports all SonicWall device log format. Previously, we had been supporting only SonicWall firewall logs.
Active Directory user import feature has been revamped for better user experience.
Configuring domains and workgroups is made easy with a dedicated log configuration page for the same.
The solution can now import AD users at regular intervals using schedules along with provisions to view the schedule history.

Fixes

The following issues have been fixed:

The alert profiles that are being created as tickets in ServiceDesk Plus have been provided with the l18n option.
The values for graphical representation in the dashboard is directly taken from the indices to avoid value mismatch.
Issue with loading archives in MSSQL Windows authentication has been fixed.
The issue with importing users with same username from multiple domains has been fixed.
Issue with adding users has been fixed now.
When users were moved to different host groups, the change wasn't reflected in the 'All host group' list. This issue has been fixed.
Issues with the single-sign-on feature have been fixed now.
Importing users from some organizational unit had some issues . This has been fixed now.
Authentication of users imported from AD groups didn't happen. This has been fixed now.
Technician roles can be assigned to multiple users at one go.
Vulnerabilities in 'Keep me signed in' option in the login page has been fixed using dynamic key based encryption.
Issues with log collector have been fixed.
False positives for Windows device down alerts has been fixed.
You can now collect event logs through a fully qualified domain name (FQDN).
Issues with index archiving have been fixed now.
Issue with searching a renamed device in 'Device' page, has been fixed.
Synchronization issues with Admin and Managed server in MSSQL database have been fixed.
In File Monitoring Summary page, the device names were not listed, if it's included in the DHCP device list. This issue has been fixed.

Enhancements

Admin servers can now be assigned groups from multiple managed servers.
Exact host count was not reflected in the licence page of admin server. This has been fixed now.
Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 11.6 Build 11060.

Build 11056

Released on 30 May 2017

Standalone Edition

Distributed Edition

Enhancements

Reports to track user VPN connections and disconnections on Cisco ASA devices have been added.
The 5424 log format is now supported for Juniper devices.
Juniper traffic reports have been enhanced.

Fixes

The log collector quit occasionally while parsing Oracle logs. This has been fixed.
SSL versions 2 and 3 have been removed.
SSL weak cipher suites have been changed.
The following vulnerabilities have been removed from several pages of the product:
- Stored and reflective cross site scripting
- Cross site request forgery
- Clickjacking
- Username harvesting

Enhancements

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 11.5 Build 11056.
No changes specific to Distributed Edition Admin Server in this release.

Build 11055

Released on 3 May 2017

Standalone Edition

Distributed Edition

New features

EventLog Analyzer now comes with an in-built ticket-based incident management system.

A separate ticket can be created for each incident, and assigned to any specific administrator for resolution.
Includes a provision to add notes, in the ticket, once it is resolved. This makes it easier to resolve similar issues that might arise in the future.
Integrates with popular help desk tools – ServiceNow and ManageEngine’s ServiceDesk Plus to allow creation of tickets using them.

Enhancements

The GUI of alerts reporting page has been enhanced for better usability.
Users can now configure the alert profiles based on time frames viz., working hours, non-working hour, and even custom time range.

Enhancements

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 11.5 Build 11055.
No changes specific to Distributed Edition Admin Server in this release.

Fixes

Users with roles other than the default admin and guest were not able to view the dashboard. This has been fixed.

Build 11050

Released on 17 Apr 2017

Standalone Edition

Distributed Edition

New features

EventLog Analyzer supports:

Juniper and Palo Alto device logs; offers predefined reports and alert profiles exclusively for Juniper and Palo Alto devices to audit them easily.
TCP based log collection for Syslog devices.

Enhancements

New SonicWall device reports have been added for IDS/IPS and under the user account management category.
View the top and least values of the log data fields in all the predefined reports.
Full support for SolarWinds Windows Log Forwarder.

Fixes

The issue with IBM AS/400 date format has been fixed.
AS400 alerts were getting sent for devices not specified in the alert profile. This has been fixed.
Shared files and folders deleted via right clicks were not showing in the reports. This has been fixed.
The elastic search engine now resets the date in the log message and shows the results for the last 30 days if the start or end time in the log message time stamp exceeds the elastic search engine time range limit.
The issue with working of FTP scheduled import option when the file is specified as the root path has been fixed.
The issue with the working of Windows Snare agent has been fixed.
The issue with the working of log filter for Windows log collection via Snare agent has been fixed.
The issues with the update of 'Last Message Time' for devices in the Device Management page have been fixed.
The issue with generation of removable disk auditing reports has been fixed.

Enhancements

Managed server contains all the features of EventLog Analyzer Standalone Edition Version 11.5 Build 11050.

Fixes

Users with roles other than the default admin and guest were not able to view the dashboard. This has been fixed.

Build 11045

Released on 30 March 2017

Standalone Edition

Distributed Edition

New features

The 'Settings' tab now has a search option with which you can search for options available in configuration, system, and product settings sections.

Enhancements

The GUI of 'Settings' page has been enhanced for easy accessibility.
I18N is now supported for "Log Me" tab.

Fixes

Issues in archiving log data from Elasticsearch index has been fixed.
Minor i18n issues have been fixed.

Enhancements

There are no changes specific to Distributed Edition Admin Server in this release
Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 11.4 Build 11045

Build 11043

Released on 28 Feb 2017

Standalone Edition

Distributed Edition

Fixes

The logs processed using SolarWinds logs forwarder was only partially compatible. This has been fixed now.
Issue in receiving Cisco logs that represented severity with numbers instead of letters has been fixed.
While scheduling reports, filter option wasn't working consistently in non-English user interfaces. This has been fixed.
While searching for logs using event numbers, the search bar malfunctioned in non-English user interfaces. This has been fixed.

Enhancements

No changes specific to Distributed Edition Admin Server in this release
Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 11.4 Build 11043

Build 11042

Released on 9 Feb 2017

Standalone Edition

Distributed Edition

New features

EventLog Analyzer simplifies the log collection and device configuration by automatically discovering Syslog devices on your network based on the IP and CIDR range values. SNMP (Version 1) credentials is used for automatic device discovery.
The solution also enables automatic log forwarding for UNIX devices with the root credentials.

Enhancements

Email notification option has been provided for the default threat alert profile.

Fixes

The issue with EventLog Analyzer's log collector when the database password is encrypted has been fixed.
The issue in updating IBM AS400 password has been fixed.

Enhancements

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 11.4 Build 11042
No changes specific to Distributed Edition Admin Server in this release

Build 11040

Released on 6 Jan 2017

Standalone Edition

Distributed Edition

New features

EventLog Analyzer now offers out-of-the-box support for:

SonicWall firewall. You can now use exhaustive reports and predefined alert profiles that make SonicWall firewall auditing easier.
RFC 5424 log format for Unix and Linux machines.

Enhancements

Syslog data processing performance has been enhanced.
‘Pick device' option has a new filter, 'username', for enhanced usability.
CSV files with just two columns can also be imported.
For devices that use agent for log collection, "Device down" alerts are enabled.
'Network Logon' event has been included under one of the rules in 'Correlation'.
Error message for logon authentication failure events is displayed for firewall devices.

Fixes

Issues with event source based database filter have been fixed.
Issue when exporting alert profile into XML format have been fixed.
Issues with Run Program Notification Setting in correlation have been fixed.
Issue with the SysEvtCol process in Linux-64 bit machine has been fixed now.
When alert profile is set up for certain devices in a group, all the devices in that group are included in the 'Devices' criteria. This issue has been fixed.
The issue with the 'Archive>Settings' option in Chrome browser has been fixed now.
Issues with the administrator and operator privileges for managing alert profiles have been fixed.
The issue with 'contains' filter option in log search has been fixed now.
Issues with generating File Integrity Monitoring reports for DHCP agents have been fixed now.
File or folder rename events were not reflected in File Integrity Monitoring reports. This has been fixed now.

Enhancements

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 11.4 Build 11040
No changes specific to Distributed Edition Admin Server in this release

Build 11030

Released on 19 Dec 2016

Standalone Edition

Distributed Edition

New features

Auto-discovery of domain and non-domain devices for enhanced user experience in adding Windows devices.

Enhancements

Devices management and configuration has been improved for better usability. You can now check the log collection status, change the log monitoring interval, and enable or disable the device from a single window.
FIM events for agent directory folders are excluded by default.

Fixes

The following issues have been fixed:

Archive location path containing special characters has been aligned with Windows standards.
XSS vulnerability issue in rebranding and index pages has been fixed.
Server has been optimized for FIM folders exclusion to accept several agent requests.
JVM crashes no longer occur when importing log files.
Changes in filenames are dynamically reflected while updating the schedule.
Trend Reports does not reflect event counts with zero logs.
The issue with the count in the report export list has been fixed.
IP address based device search is now possible.

Enhancements

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 11.3 Build 11030
No changes specific to Distributed Edition Admin Server in this release

Build 11025

Released on 17 Nov 2016

Standalone Edition

Fixes

The file integrity monitoring template update has been fixed.
Working of script notifier in Linux installations has been fixed.
Displaying the archive status during archive loading has been fixed.
Export report download (due to special character references in the report name) has been fixed.
Compliance report graph's drill-down functionality has been fixed.
Time criteria for archive report exports has been fixed.
Syslog collection has been fixed.
The email address field now has a limit of 250 words.
We now monitor SSH2 sessions as well for Unix/Linux SSH session reports.
If Oracle application log data contains raw commands executed in the database, then that log data will not be categorized under reports.

Build 11020

Released on 26 Aug 2016

Service Pack build 11023 released on 24 Oct 2016

Standalone Edition

Distributed Edition

New features

Threat analysis

Without any configuration, automatically get alerted whenever you receive traffic from blacklisted or suspicious IPs.

All new UI

EventLog Analyzer now comes with a flat user interface

Monitor log data of EventLog Analyzer

Offers the capability to forward EventLog Analyzer's log data (in syslog format) to any source.

Enhancements

Log search engine performance has been enhanced.
The product's log trend graph, event category graph and host count variable are now directly loaded from the 'Elastic Search' module so as to facilitate better
Now, the report, alerts for the client console uses the local (client) machine's time zone for better interpretation.
IBM AS400 BRMS log parsing is now supported.
EventLog import for non-english languages is now supported.

Fixes

Alignment issues in 'Settings', 'Hosts', 'Search' and 'Correlation' tabs had been fixed.
The log search event count mismatch when hovered over the graph has been fixed.
The issue in knowing the exact number of event types in dashboard graphs has been fixed.
The issue with triggering action upon clicking 'Calendar' icon has been fixed.
Alignment issues in displaying the content
The export as report feature was not working for archive search results when using MSSQL database. This has been fixed.
Edit report feature under My Reports section was not working when reports were sorted. This has been fixed.
When exporting reports in PDF format, username fields above 8 characters were getting truncated. This has been fixed.
Some hosts were not getting listed under the Hosts tab due to a data mismatch. This has been fixed.
Parsing timestamp from Apache logs has been tuned.
The issue in parsing timestamp from ESXi logs has been fixed.
The issue in parsing Unix FTP logs has been fixed.
When upgrading an agent, if any error is encountered, an error message is now displayed under the Agent Status.
Issues causing agent installation and upgrade failure have been fixed.
Issues with agent deletion, and agent association when its corresponding host was renamed, have been fixed.
The issue in displaying File Monitoring for Shared Deleted Events for Windows 2012 R2 has been fixed.
The issue with registering when file monitoring is in DHCP environment has been fixed.
The issue with event log skipping after applying Windows anniversary update, or when recordID is wrapped in WMI, has been fixed for both agent and agentless methods.
The issue with logon failure when logs are being collected from EventLog Analyzer has been fixed.
Script notification under alert profiles was not working in case of space constraints in the installation directory. This has been fixed.
Multiple issues with File Integrity Monitoring configuration and templates have been fixed.
The issue with syncing after editing Managed Server details in Admin server has been fixed.
Logagent quit when path length in File Integrity Monitoring was very large. This has been fixed.
The record ID mismatch between multiple hosts in an agent has been fixed.
Auditing is now enabled when adding hosts for File Integrity Monitoring, instead of when enabling the username.
SQL Injection vulnerability in Hosts tab has been fixed.
Session ID getting exposed in Access Log vulnerability has been fixed.

Enhancements

The features, enhancements and fixes are same as in Standalone Edition.

Build 11012

Released on 23 Jul 2016

Standalone Edition

Distributed Edition

Enhancements

EventLog Analyzer now provides you with an option to export the generated alert messages.
You now have the option to select all the available host groups while creating a report, alert profile, or filter.
We have now enhanced the edit, disable, and delete icons available in the alert message section.
EventLog Analyzer's calendar will be automatically updated every 10 minutes.
You can now edit the report schedules to change the report formats (PDF or CSV).
Help card is now added to assist the vulnerability import option.

Fixes

The alignment in CSV reports has been fixed
The deletion of original file while importing application logs using Internet Explorer browser has been fixed.
Scheduling the predefined reports for large number of hosts has been fixed.
The 'Pick host' option in correlation rule filter page has been fixed.
The option to disable AD authentication has been fixed.
Archive status change in Internet Explorer 11 has been fixed.
'View Per Page' option in 'Hosts' page has been fixed.
Selected hosts count in 'the Search' and 'Pick host' feature has been fixed.
Feature request link for Log360 has been fixed.

Enhancements

The enhancements are same as in the Standalone Edition.

Fixes

All fixes to the Standalone Edition are applicable to the Distributed Edition as well.

Build 11010

Released on 17 Jun 2016

Standalone Edition

Distributed Edition

Enhancements

The EventLog Analyzer web client language is automatically set based on the language setting of the browser. Also, the server side language is automatically set based on the machine in which it is installed.
Search option added within Pick Hosts option (found in add new report/alert/filter and report schedule pages).
vCenter log collection process enhanced in performance.
Support for AS400 log collection through secure ports.
CEF format support for FireEye logs.
'Message' column added to FireEye overview report.
'Username' column added to following Windows predefined reports: Software installed/uninstalled/updated, Failed software installation due to privilege mismatches.

Fixes

Username was not getting parsed from logs with event ID 104. This has been fixed.
Username is now parsed from the object string if not present in log message.
The issues in parsing time and source from syslog messages are now fixed.
Logs from add-on sources were not getting parsed upon restart of the log collector service. This has been fixed.
The issue causing failure in updating logs to the database, due to inaccessible data files, has been fixed.
Only Key_Read permission (rather than all permissions) is granted when required to read RemoteRegistry values.
Issue with agent-server communication in DHCP environment has been fixed.
Log collection status shown as 'Access Denied' if a filter was created which dropped all logs. This has been fixed.
The issues causing memory leak due to object access events are fixed.
Historic log collection was not occurring for few log types. This has been fixed.
Multiple log collector crashes fixed.
Invalid log types were queried during the log collection process. This has been fixed.
Log indexing was not occurring if device type was changed manually from Syslog to Cisco. This has been fixed.
Unnecessary escape characters were added while importing archived logs from PGSQL. This has been fixed.
Application log archive files were getting duplicated due to scheduling clash. This has been fixed.
Loading status would not be updated when attempting to access an archive file that was moved or deleted. This has been fixed.
The issue in using the 'AND' boolean operator in predefined report searches has been fixed.
Search page queries with single quotes were not working. This has been fixed.
The issue causing failure to refine data by double-clicking host names in reports has been fixed.
Application sub tab under Reports was not opening. This has been fixed.
Criteria field was missing under edit predefined reports schedule window. This has been fixed.
Uploading of log files to database was not occurring if PGSQL database was password protected. This has been fixed.
Vulnerability fixes:
- Guest user could change the admin password. This has been fixed.
- Reflected XSS and Store XSS vulnerabilities are fixed.
- Clickjacking vulnerability has been fixed.
- Username harvesting vulnerability has been fixed.

Enhancements

The enhancements are the same as in Standalone Edition.

Fixes

Centralized archive issue in Admin Server has been fixed.
All fixes to standalone edition are applicable to Distributed Edition as well.

Build 11005

Released on 28 Apr 2016

Standalone Edition

Fixes

The issue leading to LogAgent crash while decrypting the password for the added host has been fixed.
The issue leading to LogAgent crash while decoding the server response has been fixed.
The issue leading to LogAgent does when File Integrity Monitoring is set up has been fixed.
The issue causing LogAgent memory growth has been fixed.

Build 11001

Released on 7 Mar 2016

Service Pack Build 11003 released on 15 Mar 2016

Standalone Edition

Enhancements

EventLog Analyzer and ADAudit Plus have been integrated into a single log management and auditing solution viz., Log360.

Fixes

The issue with edit filter has been fixed.
The users can now provide space in the account name while logging into EventLog Analyzer.
The issue related to the import action after the field extraction operation has been fixed.
The issue with auto upgrade of LogAgent while applying the PPM over 8.0 has been fixed.
The issue during the application of SACL from LogAgent for huge folders has been fixed.
While applying PPM, the issue related to agent's auto upgrade when domain name is NULL has been fixed.
The issue with report zipping when the save type is 'Save Alone' has been fixed.
The issue related to parsing of cisco logs when the device type is manually changed, has been fixed.
The issue with the log collector stopping the remote registry service of the host from which it is collecting logs, has been fixed.
The issue related with the password update while editing the host details has been fixed.
The issue related with log parsing when Cisco meraki logs are forwarded from the relay server, has been fixed.
File Integrity Monitoring can now record the registry events as well.
The vulnerability issue of guest user changing the admin credentials has been fixed.
In LogAgent, if the users are providing any other credentials other than administrator, and if they do not have credentials to access the WMI namespace, then log collection will fail.
In SysEvtCol, if the local host is added with a user who doesn't have credentials to access WMI namespace, then log collection will fail.
The issue related to back up and restoration operation for MS SQL 2012 server has been fixed.
During log collection, if a single log is not returned within 2 seconds, then the log collection will be skipped after retrying 5 times with the same interval of 2 seconds.
The issue related with the installation of FIM agent after renaming the host, has been fixed.
The issue of considering the DB filter string's tab sequence as a space has been fixed.
The issue with advanced search criteria not getting updated in the database has been fixed.
The time delay with the log collection while applying FIM with user name option on a folder which contains many sub folders, has been fixed.
Only image file formats can now be uploaded for rebranding.
The issue with html tags injection through error messages has been fixed.
Fixed various SQL injection vulnerabilities.
Fixed the alert script arguments issue.
Fixed the bug related to 'Keep me signed in' option for AD and radius login.
Fixed directory traversal vulnerability through URL parameter.
Fixed the issue with the import file check for evt files.
Restricted non administrator users from accessing other users' data via parameter manipulation.

Build 10081

Released on 12 Jan 2016

Service Pack build 10081 released on 12 Jan 2016

Standalone Edition

Distributed Edition

Enhancements

EventLog Analyzer server can now be configured to run in the HTTPS protocol as well. Option to provide the corresponding port numbers is also available.
Option to encrypt the Keystore password is now available.
You can now set the web session expiry time limit.
The solution now provides you the flexibility to change the language of EventLog Analyzer web client, after the solution had been installed.
Get to know the status of the report export process with the help of sleek progress bar.
We've now provided an option to get administrator credentials during service mode installation.
Log collection capability is strengthened to include both log type and time in the query mechanisms.

Fixes

File Integrity Monitoring feature
- The 'Select All' option in the 'Settings' tab wasn’t working. This issue has been fixed.
- The 'Back' button issue in the drill down pages has been fixed.
The issue related to the inclusion of Japanese, Chinese characters in 'Schedule' names has been fixed.
The blank home page issue when the Managed Servers are down has been fixed.

Enhancements

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 10.8 Build - 10080
No changes specific to Distributed Edition Admin Server in this release

Build 10072

Released on 5 Nov 2015

Standalone Edition

Enhancements

Application Local User Enable / Disable option integrated.
Agent Installation error and status messages in the tool-tip.
Apache logs common log format supported.

Fixes

Test port not working in SMS configuration in Alerts (due to the page being opened in new window) - has been fixed.
Criteria for scheduling Predefined Reports - OR function not working properly - has been fixed.
Unix mail server reports - username classified as undefined - has been fixed.
Uninstallation of agent with different username (from the username used for installation) not working - has been fixed.
Loss of data during transfer from agent due to check-sum error - has been fixed.
All check box selection functions have been fine tuned.
AllLogsCurrentHourlyTrend and AllLogsHistoricalHourlyTrend are ordered by hour.
FIM - Not able to enable username for the directories with space - has been fixed.
When same agents are installed, slid is not updated during fresh install in agent side - has been fixed.

Build 10071

Released on 25 Sep 2015

Build 10070 released on 25 Sep 2015

Standalone Edition

Distributed Edition

New features

High availability feature has been integrated within the product.

Fixes

Fixed the issue in field extraction that arise while creating more than two fields or whenever a special cha racter is included in the field value
Fixed issue with alert delay in case of slow log rate
Fixed time stamping issue for syslogs.
Fixed the time range selection issue in report and correlation data generation
Guest user promotion as Admin by accessing user management page has been fixed
Vulnerabilities on session hijacking using cookie value JSESSIONID has been fixed
XSS vulnerability in EventLog Analyzer server login page has been fixed

Enhancements

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 10.6 Build 10600
No changes specific to Distributed Edition Admin Server in this release

Build 10060

Released on 29 May 2015

Standalone Edition

Distributed Edition

New features

Supports vulnerability data analytics

EventLog Analyzer 10.6 supports log collection and analysis of vulnerability scanners such as Nessus, Qualys, NMAP, and OpenVas.It provides 50+ predefined reports and alert conditions exclusively for vulnerability data analytics that help prioritizing the vulnerabilities and thus help to proactively mitigate security attacks.

Supports threat intelligent solution's log data

The latest version of EventLog Analyzer supports log data analysis of endpoint security solutions such as FireEye, Symantec Endpoint solution, and Symantec DLP application. The solution provides predefined reports and alert criteria that helps identifying and containing security threats at the earliest

vCenter log monitoring

EventLog Analyzer 10.6 supports vCenter log monitoring. It provides on-the-fly reports and alert conditions that help monitoring vCenter activities such as Datastore changes, permission changes, host changes, Resourcepool changes and more.

Supports GPG13 compliance

as EventLog Analyzer now provides out-of-the-box reports and alerts that help HMG organizations comply to GPG13 compliance.

Enhancements

Added new rule to parse the shun-attacks.

Fixes

Fixed the issue of Database folder increase due to improper cleaning of throwaway tables.
Fixed Firefox Unix icon display issue.
Fixed the issue associated with Universal Log Parsing and Indexing (ULPI) for user specified logs.
Fixed the parsing issue with IBM AS400.
Issues related to juli log growth and serverout growth had been fixed.
emoved weak cipher 'Ephemeral DH ciphers' from the secure connection.
Fixed the time order issue on trend reports.
Fixed the false disk space alert with remote desktop connection.
Issue related to RunQuery.do has been fixed.

Enhancements

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 10.7 Build 10070
No changes specific to Distributed Edition Admin Server in this release

Build 10000

Released on 23 Jan 2015

Standalone Edition

Distributed Edition

New features

Log collection and processing rate has been improved to 10x from the previous mark. EventLog Analyzer version 10 and above can handle 20,000 logs per second with the peak log handling capacity of 25,000 logs per second
1000+ out-of-the-box reports for security, compliance and operations needs
Enhanced real-time event response system with 600+ predefined alert criteria for Windows, Linux/Unix, Applications and Network Device environment.

Enhancements

File Integrity Monitoring

Ability to filter critical changes to files/folders based on the file type
Ability to display the process name and domain name in file integrity monitoring reports
Option to enable and disable File Integrity Monitoring
Addition of more default templates
Ability to save/edit alert and report enhancement with option to select User Name & Change Type
Ability to drill down the file integrity monitoring report graph
File attribute changes and ownership changes are now being captured under critical file/folder changes

Search

Ability to save the search results as alerts
Inclusion of auto suggestions for field values
Sorting of the index data for improved search performance

Correlation

Custom correlation rule builder that allows to create pattern based alerting by selecting the existing correlation rules
Ability to specify the threshold limits for each rule in the defined pattern.

Session Activity Changes

Added Duration and Log off time fields at 'Session Activity' page
Ability to search through the session activity reports
Session activity reports can now be saved

Fixes

Fix to enabling AD authentication issue while importing user from AD groups.
Fix to the search pagination issue
Vulnerability fixes - URL Injection
- Authentication problems
- Database injection
- Stored password encryption changes
- Agent zip extraction
Fix to the User based and iSeries User based Reports breaks while exporting with no user name in the database
Fix to the PDF export issue that occurred after mouse hover search from Custom Reports, while exporting all the events instead of filtered events.
Fix to Event ID based direct export breaks when severtity parameter is not appended in URL
Custom alert 'Not Equals' was not working for option 'Type'. This issue was fixed.

Enhancements

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 10.0 Build 10000
No changes specific to Distributed Edition Admin Server in this release

Build 9000

Released on 23 Apr 2014

Standalone Edition

Distributed Edition

New features

Real-time Event Correlation
- Real-time correlation for proactive threat management
- 50+ out-of-the-box correlation rules on various categories viz., File Management, Group Management, Authentication, Authorization, Audit Policy, Software Management and more
Out-of-the-box reports for ISO 27001:2013 Standards
Supports Terminal Server Log Analysis out-of-the-box
Supports EventLog Analyzer user audit trail

Enhancements

File Integrity Monitoring
- File Integrity Monitoring reports now include the name of the user who made the change
- Modified File Integrity Monitoring Report page
Field Extraction for SFTP application log import is now added
Archive encryption using AES 256 algorithm is now supported
Supports EventLog Analyzer user audit trail
Reports Enhancements
- Performance of Report Extraction in PDF and CSV format is enhanced
- Summary details for User Based Reports is now included
Adding Hosts
- Supports import of host list from a CSV file
- Existing hosts that are added will be automatically hidden from the Pick List Window
Customize Notification settings
- Supports sending notification only once and pausing the notification for a day/week/month

Fixes

The following issues have been fixed in this release:

In predefined compliance alert profile creation can now have the Windows 2008 type event IDs
EventLog Analyzer version 9.0 can now handle the string '\' in Log message fields of reports, alerts and filters
Issue with the resetpwd.bat file in troubleshooting folder is fixed
Out of memory error during log import is fixed
'Notes' field in the Custom Report Creation wizard now has the character limit of 250
Issue with the specification of multiple log messages separated by a comma, in report creation wizard is fixed
Issue with the working of Radius Authentication is fixed
Supports syslog import with 'Automatically Identify' option
Issue in log import schedule for a multiline log is now fixed
Issue in archive purging of Postgres database is fixed
'Advanced Alert' option in 'Custom Alert Profile' creation page
- Supports specification of multiple Event IDs separated by a comma
- Supports alert criteria edit even if the criteria is specified within double quotes
Issue with updation of SQL information in ChangeDBServer.bat file with $ in the password section is fixed
Specific Scheduled AD User import issue is fixed

Enhancements

GA release of EventLog Analyzer Distributed Edition.

Managed Server contains all the features of EventLog Analyzer Standalone Edition Version 9.0 Build 9000
No changes specific to Distributed Edition Admin Server in this release

Try out our latest features now!

Download the service pack

Be our voice

Tell us your story

Fill simple case studies and win exciting gifts.

Do it now!

We are all ears

Would you take a moment and write a review for us?

Yes, I'd love to

Be a part of our alpha group

You can access our beta builds exclusively before we release them.

Subscribe now

Did you know?

QWhat is the difference between the Free and Paid editions?

A
The Free Edition of EventLog Analyzer is limited to handling event logs from a maximum of five log sources, whereas the Standalone and Distributed editions can handle event logs from 10 - 1,000 log sources and 50 - unlimited number of log sources respectively.
QDoes the trial version have any restrictions?

A
The trial version is a fully functional version of EventLog Analyzer Standalone edition. When the trial period expires, EventLog Analyzer automatically regresses to the Free Edition.
QDo I have to reinstall EventLog Analyzer to upgrade from the free version to the paid version?

A
No, you do not have to reinstall or shut down the server. You just have to upload the new license file.

Events

We can't wait to meet you!

Upcoming events

Resources

Get your hands on the latest ebooks, whitepapers, and videos curated by our experts

Get resources now

Expert talks

We've demystified cybersecurity. Dwell into these easy reads and be at the top of your IT security game.

Take me there

What's new in EventLog Analyzer?

Release notes

Build 12226

Enhancements

Build 12225

Enhancements

Build 12220 (Service Pack Build)

Fixes

Build 12219

Fixes

Build 12218

New features

Enhancements

Issue fixes

Build 12216

New features

Enhancements

Build 12215

Fix

Build 12214

Issue fix

Build 12213

Issue fix

Build 12212

Fix

Build 12211

Features

Fixes

Build 12206

Enhancements

Build 12204

Fix

Build 12203

Fix

Build 12201

Security Issue fix

Build 12200

Features

Enhancements

Fixes

Build 12166

Fix

Build 12165

Fix

Build 12164

Fixes

Build 12163

Fixes

Build 12160

New features

Enhancements

Custom Pattern enhancements

Application & Windows Reports Enhancements

Fixes

Build 12157

Enhancements

Fixes

Build 12155

New features

EventLog Analyzer now provides reports and alert profiles based on the MITRE ATT&CK framework.

Streamlining security incident management

Automate incident creation using incident rules

Map alerts as incidents

Enhancements

Build 12150

New features

Attack detection and mitigation

Remote employee monitoring

Enhanced user experience

Enhancements

Fixes

Build 12147

Fixes

Build 12146

New features

Prepackaged Stormshield device reports:

Enhancements

Fixes

Build 12145

Enhancements