Support
 
Support Get Quote
 
 
 
 

Other Resources

    Manage Correlation Rules


    Out-of-the-box correlation rules

    EventLog Analyzer provides more than 50+ pre-defined rules on various categories such as File Management, Group Management, User Management, Machine Management, Authentication, Windows Firewall rules, Authorization, Audit Policy and Software Management.

    The Rules Overview window provides you with

    • Intuitive drill-downable graphical dashboard on correlation rules.
    • Rules Table provides the list of predefined correlation rules, event count and last occurrence time of the event.
    • The users can also configure, set notifications, enable/disable the rules from this window.
    • You can drill down to the raw logs of any particular rule, by clicking on the event count of the corresponding rule

    Category/Rule View

    To view the rules based on the above specified categories, click on the 'Category View' link at the top

    To view the entire rule list without the category based classification, click on the 'Rule View' link

    Enabling/Disabling rules

    By default, all the predefined rules are enabled for all log data source added to EventLog Analyzer server. If the you want to disable a rule/set rules, then

    1. Select the rule/group rules that you need to disable
    2. Rule Settings option will appear at the top of the Rules Table

    Click on the Disable link. Similary to enable the disabled rule, the user can select the rule/set of rules and click on the Enable link to activate the rule(s)

    Rules Report

    To get the report of any correlation rule, click on that rule.

    The Rules Report page provides you with the intuitive graphical dashboard on Event Count Vs Destination host

    The detailed Rules report table lists you the Host type, Destination/Source host, Source user, Time of occurrence of the event, Message, Logon Type, Logon ID, and more depending on the correlation rule

    Note: The users can toggle between the List and the Grid report views

     

    EventLog Analyzer enables the users to perform search on the correlation rule raw log with its interactive Search window

     

    1. Select the search criteria (Host type, Destination host, Source user Logon type and more) from the existing list
    2. Choose the relational operator
    3. Provide the search value for the specified criteria
    4. Search using multiple criteria and relate them with boolean operators
    Note: You can save the search results as reports and schedule them

    Saving and Scheduling rules reports

     

    1. At any time you can also directly export the report in PDF and CSV format by clicking on the appropriate icons

    2. Click on the Save Report link to save and schedule the rules report/search results

    Scheduling rules report

     

    1. Provide the name for the report
    2. You can refine your Rules Report by specifying Include/Exclude criteria
      1. Select the search criteria (Host type, Destination host, Source user Logon type and more) from the existing list
      2. Choose the relational operator
      3. Provide the search value for the specified criteria
      4. Search using multiple criteria and relate them with boolean operators
    3. Schedule the report generation on an hourly/daily/weekly/monthly basis. Choose the 'Only once' option if you want to generate reports once at a specified time.
    4. Specify the date and time at which the report is to be generated
    5. Select the time period for which the report is to be generated
    6. Choose the report format (PDF/CSV)
    7. You can also redistribute the report through email. Provide the email to which the report is to be sent. Specify multiple email ids separated by a comma
    Note: If you have not configured the Email Server or if you want to reconfigure it, click on the Configure or Reconfigure link

    Configuring Rule Filters

    With EventLog Analyzer, the users can apply filters and customize the existing correlation rules to meet their internal security policy. To configure the rule filter,click on the Configure icon Rule Filter corresponding to the rule for which you need to apply the filters

    The Configure Rule Filter Window has the Rule Description and provides option to user to exclude user, source and destination hosts.

    1. Specify the Source User(s), who are to be excluded from the correlation rule processing.
    2. Specify the Source Host(s), which are to be excluded from correlation rule processing.
    3. Specify the Destination Host(s), which are to be excluded from correlation rule processing

    Note:

    • Specify the host which are already added to EventLog Analyzer server
    • Click on Pick Host link to select the host from EventLog Analyzer server.
    • Specify multiple user/host name separated by a comma

    Source Host means the machine from which the event is originating

    Destination Host means the machine at which the originated event is supposed to happen

    Rule Notification

    EventLog Analyzer helps you to mitigate security threats proactively with its real-time alert notifications. EventLog Analyzer's Real-time Correlation Engine provides you with two alert notification mechanisms

    • Notification via Email
    • Notification via SMS

    Apart from these alert mechanisms, EventLog Analyzer also provides you with Automatic Alert Remediation method which triggers a script/program (which is specified by the user) that remediates alert condition

    Note: 

    Each rule can have separate alert notification mechanism. You can also configure the alert mechanism for a specific rule or set of rules by,

    • Selecting the rule(s) for which you need to configure the alert mechanism
    • Select the appropriate Notification Mechanism (Email,SMS, Automatic Alert Remediation) from the Notification Settings link at the top of the Rules Table

    Configuring Email Notification

    To configure Email Notification settings, click on the Email icon Email Settings icon  corresponding to the rule for which you need to configure Email Alert. You can also configure Email Settings by selecting the rule/group of rules from the Rules Overview window and selecting the Email Option from the Notification Settings link.

    1. Specify the Email id to which the alert has to be sent. If you want to enter multiple email ids, separate the email ids with a comma
    2. Specify the subject of the email
    3. Click on the drop down arrow to select the Message that has to be sent as an email alert, from the predefined list of messages
    4. Click on Apply to set the email alert notification for the selected rule

    Configuring SMS Notification

    To configure SMS Notification settings, click on the  SMS Settings icon corresponding to the rule for which you need to configure the SMS Alert. You can also configure SMS Settings by selecting the rule/group of rules from the Rules Overview window and selecting the SMS Option from the Notification Settings link.

    1. Specify the number, to which the SMS has to be triggered
    2. Click on the drop down arrow to select the Message that has to be sent as an email alert, from the predefined list of messages
    3. Click on Apply to set the SMS alert notification for the selected rule

    Configuring Automatic Alert Remediation

    To configure automatic Alert Remediation with a script, click on the Automatic Alert Remediation  icon  corresponding to the rule for which you need to remediate the alert automatically. You can also configure Automatic Alert Remediation Settings by selecting the rule/group of rules from the Rules Overview window and selecting the Run Program Option from the Notification Settings link.

    1. Use the Choose File button to browse and load the program/script that can remediate the alert condition
    2. Click on the drop down arrow to select the Arguments that has to be passed
    3. Click on Apply to set automatic alert remediation mechanism for the selected rule

    Note:

    Alert notification can be enabled/disabled for a specific rules or a set of rules. To do this,

    • Select the rule(s) for which alert notification has to be enabled/disabled
    • Notification Settings link will appear at the top of the Rule Table
    • Click on Enable/Disable link as per your requirement

    Deleting Rule Notification

    To delete notification for a specific rule or a set of rules,

     

    1. Select the rule or rules that are to be deleted
    2. Notifications Settings link will appear at the top of the Rule Table. In that, select Delete link to delete the notification for the corresponding rule(s)
    Customer Speaks
    • Credit Union of Denver has been using EventLog Analyzer for more than four years for our internal user activity monitoring. EventLog Analyzer provides great value as a network forensic tool and for regulatory due diligence. This product can rapidly be scaled to meet our dynamic business needs.
       
      Benjamin Shumaker
      Vice President of IT / ISO
      Credit Union of Denver
    • The best thing, I like about the application, is the well structured GUI and the automated reports. This is a great help for network engineers to monitor all the devices in a single dashboard. The canned reports are a clever piece of work.
       
      Joseph Graziano, MCSE CCA VCP
      Senior Network Engineer
      Citadel
    • EventLog Analyzer has been a good event log reporting and alerting solution for our information technology needs. It minimizes the amount of time we spent on filtering through event logs and provides almost near real-time notification of administratively defined alerts.
       
      Joseph E. Veretto
      Operations Review Specialist
      Office of Information System
      Florida Department of Transportation
    • I love the alerts feature of the product. We are able to send immediate alerts based on pretty much anything we can think of. We send alerts when certain accounts login, or when groups are changed, etc. That has been very helpful. Also the automatic archive of the log files has been very helpful and has taken the worry out of keeping old logs. The “Ask Me” function is very nice as well. It is great to have some natural language queries built in where you can just click a button and get an answer.
       
      Jim Earnshaw
      Senior Computer Specialist
      Department of Chemistry
      University of Washington
    • Windows Event logs and device Syslogs are a real time synopsis of what is happening on a computer or network. EventLog Analyzer is an economical, functional and easy-to-utilize tool that allows me to know what is going on in the network by pushing alerts and reports, both in real time and scheduled. It is a premium software Intrusion Detection System application.
       
      Jim Lloyd
      Information Systems Manager
      First Mountain Bank

    EventLog Analyzer Trusted By

    A Single Pane of Glass for Comprehensive Log Management