Windows event auditing
For the many organizations that use Windows devices, most activity within the company happens on Windows networks. With so many Windows devices in use, several proprietary applications—such as the native Windows firewall, backup, and hypervisor applications—are also popular across organizations. Auditing log information from Windows devices can prove valuable in several ways, for instance by:
- Providing an overview of all network activities, across Windows event log severity levels.
- Securing networks with information on potential breaches, vulnerabilities, and anomalies.
- Summarizing user activity and data captured by various native applications.
- Protecting organizations from data theft and monitoring removable device usage.
- Pinpointing events of concern, such as multiple failed logons or application crashes.
- Tracking all system events and registry changes.
With its vast collection of predefined reports and alerts, EventLog Analyzer automates the otherwise laborious task of auditing Windows device information.
Auditing Windows devices with EventLog Analyzer
EventLog Analyzer provides:
- Support for both the older EVT and newer EVTX event log formats. This includes audit logs from server and client versions of Windows NT, XP, Vista, 2000, 2003, 2008, 2012, 7, 8, and 10.
- Activity analysis for various native applications including Windows Firewall, Windows Backup and Restore, and Microsoft Hyper-V.
- Agentless technology to collect event logs, with the option to install agents if necessary.
- Central log storage and data normalization.
- Hundreds of predefined reports, including reports for regulatory compliance.
- Log archiving that is secure and encrypted, yet flexible.
- Real-time alerts sent via email or SMS for notable events such as failed logons, object accesses, network anomalies, and more.
- Simple and advanced log search options for in-depth log forensics.
Windows device auditing features
- Windows event logs are collected using an agentless mechanism.
- View a summary of all collected logs on the product dashboard.
- Monitor the number and type of logs (such as warnings or failures) collected from each Windows device on the dashboard.
- EventLog Analyzer offers more than 120 predefined reports for Windows device auditing, covering a wide range of events.
- Reports are easy to understand, with both graphical and tabular representations.
- Customize, schedule, and distribute reports via email. Export reports in both PDF and CSV formats.
- Receive alerts about notable events in real time, including high profile threats like potential security breaches, sent as email or SMS.
- Customize alert profiles by setting alert priority levels, choosing which conditions generate alerts, and more.
- Designate automated program responses, such as generating an SNMP trap, or triggering a sound alarm.
Real-time event correlation
- EventLog Analyzer features real-time event log correlation, which correlates events on multiple devices and raises an alert if a potential attack pattern is detected.
- With over 70 predefined correlation rules, use a simple drag-and-drop interface to create complex rules that recognize possible attack patterns.
- Use predefined reports to meet several compliance regulations, including PCI DSS, HIPAA, SOX, GLBA, FISMA, ISO 27001:2013, and GPG.
- Generate alerts for all compliance policy-related events, such as changes to user accounts or clearing of audit logs.
- Create custom compliance reports to keep up with future compliance requirements.
- EventLog Analyzer features a powerful search engine with several flexible search options, facilitating root cause analysis. Easily discover the time, location, and person that caused a security event.
- Search both raw and formatted logs.
- Save search results as one-time reports or set a schedule to generate recurring reports. Create alert profiles based on searches.
- Logs are securely compressed and archived so they are tamper-free.
- Customize log archive files, including when they are created and later deleted, and where they are stored.
- Load, search, and report on archive files at any time to learn more about the scope of events.
Windows device reports
More than 120 predefined reports for Windows devices are categorized into logical report groups for easy access. Reports are available in the following categories:
- Windows severity reports: View all Windows event logs, including the severity level (success, failure, information, critical, etc.) for each event.
- Windows system events: Track several important system events, such as startups and shutdowns, service and software installations, Windows updates, and many more.
- Threat reports: Identify network attacks—like denial of service (DDoS) or downgrade attacks—and other events that impact network security, such as the event logging service being shut down or user accounts being locked out.
- Removable disk auditing: Thoroughly monitor the usage of removable disks on a network, including all data operations performed on removable disks, such as creation, modification, removal, and more.
- Network policy: Monitor events that occur as a result of network policies, such as granted or denied network access and account lockouts due to repeated logon failures.
- Registry changes: Track Windows registry usage and view all changes to registry values.
- Windows Backup and Restore: Audit all activity on the native Windows backup software, Windows Backup and Restore.
- Application crashes: Track the reasons behind various application crashes, such as the Blue Screen of Death (BSOD) error, an application hang, system errors, and other application errors.
- Application whitelisting: View detailed information about applications that ran successfully or failed.
- Program inventory: Keep track of application installs, updates, and removals.
- Windows Firewall: Audit Windows Firewall and track changes to rules and policies. Identify various attacks prevented by the firewall, such as spoof attacks, flood attacks, ping of death attacks, and more.
- Antivirus reports: Find detailed information about threats detected by various popular antivirus software, including ESET, Kaspersky, Sophos, Norton, and the native Windows antivirus and anti-malware applications.
- Data theft: Reveal data theft from various points of access, such as printers, removable media, database backups, and more.
- Hyper-V auditing: Audit the activity on Microsoft Hyper-V servers and virtual machines, such as partition creation, Hyper-V switch creation, VM creations, imports, and more.