- Related Products
- ADManager Plus
- ADAudit Plus
- ADSelfService Plus
- Exchange Reporter Plus
- AD360
- Log360
Click here to expand
Before starting EventLog Analyzer in your environment, ensure that the following are taken care of.
EventLog Analyzer requires the following ports to be free for web server, syslog, and PostgreSQL/MySQL:
| Port Numbers | Ports Usage | Description |
| 8400 (TCP) | Web server port | This is the default web server port used by EventLog Analyzer. This port is used for connecting to EventLog Analyzer using a web browser. |
| 513, 514 (UDP) | Syslog listener port | These are the default Syslog listener ports for UDP. Ensure that devices are configured to send Syslogs to any one of these ports. |
| 514 (TCP) | Syslog listener port | This is the default Syslog listener port for TCP. Ensure that devices are configured to send Syslogs to this port. |
| 33335 (TCP) | PostgreSQL/MySQL database port | This is the port used for connecting to the PostgreSQL/MySQL database in EventLog Analyzer. |
EventLog Analyzer uses the following ports for WMI, RPC, and DCOM:
| Port Numbers | Ports Usage | Description |
|
135,445,139(TCP) |
WMI,DCOM,RPC |
Outgoing traffic ports in EventLog Analyzer server. The same ports will be used as incoming traffic ports in the devices and must be opened. Windows services DCOM, WMI, RPC uses these ports and EventLog Analyzer in turn uses these services to collect logs from Windows machines in default mode (Event Log mode). |
| 49152-65534 (TCP) | WMI,DCOM,RPC | Incoming traffic ports in EventLog Analyzer server. The same ports will be used as outgoing traffic ports in the devices and must be opened. DCOM uses callback mechanism on random ports between 49152-65534 for Windows Server 2008 and 1024-65534 for previous versions. |
EventLog Analyzer uses the following ports for local agent to server UDP communication:
| Port Numbers | Ports Usage | Description |
| 5000,5001,5002(UDP) | UDP ports for EventLog Analyzer local agent-server communication | EventLog Analyzer uses these UDP ports internally for agent to server communication. Ensure that the ports are free and not occupied by other local applications running in the machine. Some additional higher range ports (1024-65534) will be opened to connect with these ports for internal communication. |
EventLog Analyzer uses the following ports for remote agent to server TCP communication:
| Port Numbers | Ports Usage | Description |
| 8400(TCP) | TCP port for EventLog Analyzer remote agent-server communication | EventLog Analyzer uses this TCP port for remote agent to server communication. Ensure that the port is free and not occupied by other local applications running in the machine. The port must be opened both ways for the remote agent to send the collected logs in a zip file to the server and for the server to push agent updates.
This port should be opened in the firewall. |
Note: During automatic agent installation, the WMI, RPC, and DCOM ports are used once.
| Port Numbers | Ports Usage |
| 446-449, 8470-8476, 9470-9476 (TCP) | Keep the mentioned ports opened for access to IBM AS/400 machines. |
| Port Numbers | Ports Usage |
| 445 (TCP) | The Server Message Block (SMB) protocol uses this port to read the log files. |
To ensure unhindered functioning of EventLog Analyzer, you need to add the following files to the exception list of your Antivirus application:
| Path | Need for whitelisting | Impact if not whitelisted |
| <ELA_HOME>/ES/data | Elasticsearch indexed data is stored. | All the collected logs will not be available if the data is deleted. |
| <ELA_HOME>/ES/repo | Elasticsearch index snapshot is taken at this location. | Snapshots and Elasticsearch archival feature will fail if the files at this location are deleted. |
| <ELA_HOME>/ES/archive | Elasticsearch archives are stored here. | Archived log data will not be available if the files located here are deleted. |
| <ME>/elasticsearch/ES/data | Elasticsearch indexed data is stored. | Reports would be affected if the data is deleted. |
| <ME>/elasticsearch/ES/repo | Elasticsearch index snapshot is taken at this location. | Snapshots and Elasticsearch archival feature will fail if the files at this location are deleted. |
| <ME>/elasticsearch/ES/archive | Elasticsearch archives are stored here. | Data will not be available if the files located here are deleted. |
| <ELA_HOME>/data/za/threatfeeds | Bundled files containing a list of malicious IPs, domains and URLs that will be used in case there is no internet connectivity will be stored here. These files will be deleted on the first default threat feed synchronization. Whitelisting is required only till first synchronization. | If the files are removed and if there is no internet connectivity, then the list of malicious threat sources will be missed from the dataset. |
| <ELA_HOME>/data/AlertDump | Formatted logs are stored before processing for alerts. Might be detected as false positive by Antivirus applications. | If the file is quarantined or deleted, related alerts would be missed. |
| <ELA_HOME>/data/NotificationDump | Formatted logs are stored before processing for notification. Might be detected as false positive by Antivirus applications. | If the file is quarantined or deleted, notification for triggered alerts would be missed. |
| <ELA_HOME>/bin | All binaries are included here. Some Antivirus applications might block them as false positive. | Product might not function. |
| <ELA_HOME>/data/imworkflow | Binaries uploaded by users for workflow execution are stored here. | Script Alert workflow might not work as intended. |
| <ELA_HOME>/pgsql/bin | Postgres binaries are included here. Might be detected as false positive by Antivirus applications. | Product might not start. |
| <ELA_HOME>/lib/native | All binaries are included here. Some Antivirus applications might block them as false positive. | Product might not function. |
| <ELA_HOME>/archive (If the archive folder is moved to a new location, add the new location) | Antivirus applications might slow down frequent write operations. | Performance issues might occur in the product if the Antivirus applications slow down write operations. |
| <ELA_HOME>/troubleshooting | All troubleshooting binaries are included here. Some Antivirus applications might block them as false positive. | Some troubleshooting batch files might not work. |
| <ELA_HOME>/tools | All tools binaries are included here. Some Antivirus applications might block them as false positive. | Some tools might not work if the files are removed by Antivirus applications. |
| <ELA_HOME>/ES/CachedRecord | Antivirus applications might slow down frequent write operations. | Performance issues might occur in the product if the Antivirus applications slow down write operations. |
| Path | Need for whitelisting | Impact if not whitelisted |
| C:\Program Files (x86)\EventLogAnalyzer_Agent\bin | Agent binaries are stored here. | The Agent might not work if the files are quarantined. |
| C:\Program Files (x86)\EventLogAnalyzer_Agent\bin\data | Antivirus applications might slow down frequent write operations. | Performance issues might occur in the product if the Antivirus applications slow down write operations. |
| C:\TEMP\\EventLogAgent | Agent installation files are moved for installation and upgrade. | Agent might not upgrade/not install if the files are quarantined. |
| Path | Need for whitelisting | Impact if not whitelisted |
| C:\Program Files\EventLogAnalyzer_Agent\bin | Agent binaries are stored here. | The Agent might not work if the files are quarantined. |
| C:\Program Files (x86)\EventLogAnalyzer_Agent\bin\data | Antivirus applications might slow down frequent write operations. | Performance issues might occur in the product if the Antivirus applications slow down write operations. |
| C:\TEMP\\EventLogAgent | Agent installation files are moved for installation and upgrade. | Agent might not upgrade/not install if the files are quarantined. |
| Path | Need for whitelisting | Impact if not whitelisted |
| /opt/ManageEngine/EventLogAnalyzer_Agent/bin | Agent binaries are stored here. | The Agent might not work if the files are quarantined. |
| /opt/ManageEngine/EventLogAnalyzer_Agent/bin/data | Antivirus applications might slow down frequent write operations. | Performance issues might occur in the product if the Antivirus applications slow down write operations. |