Event Analyst Features
Event Analyst is a tool for reporting on event log data, filtering log entries, and examining log files. Its special event log "windowing" technology enables administrators to examine different cross sections of event log records from multiple sources simultaneously without sacrificing speed. Event Analyst's highly intuitive interface allows the administrator to seek quickly through the logs, jumping to specific dates or rapidly scrolling through the logs chronologically.
Even with hundreds of thousands of entries, administrators can now pinpoint the specific network events of concern. Event Analyst provides room for local storage of frequently sought-after events and event filters, allowing administrators to file away definitions for commonly examined events. Once stored, network administrators can summon the same filters as needed to quickly zero in on events of interest. In fact, Event Analyst ships with many predefined filters that are of immediate use to almost every network administrator.
Event Analyst works with a wide variety of event log data formats. It can view, filter, convert between, and report on saved EVT log files, comma-delimited text files, and EVT log information from active computers.
Dorian's exclusive LogRefiner technology can help you in the migration from the log formats of earlier operating system versions to the newer EVTX format included in Windows Vista and Windows Server 2008. Be sure to read more about this groundbreaking technology.
Providing even more flexibility for log data management strategies, event logs stored by Event Archiver or Event Alarm in Microsoft Access, Microsoft SQL Server, or Oracle database tables can be analyzed by Event Analyst.
Once filtered, network professionals can generate reports based on pre-designed modules or user-customized ones. Event Analyst's clear and printer-friendly HTML and CSV reports prove invaluable for explaining network phenomena to managers and compliance officers, as well as providing security information to law enforcement agencies.
To save the administrator even more time, Event Analyst's prepackaged report modules can be scheduled using the Event Analyst Service. Scheduling a report is as easy as choosing a scheduled time and day, the source of the log records, a filter, and output folder. Reports may even be emailed automatically to a list of specified recipients.
Imagine coming into the office each morning and having the reports you need waiting for you and anyone else who has requested them. Why drop everything again to deal with another report request from an auditor or supervisor? Why not let this Monday morning be the first on which Event Analyst prepares those reports automatically for you?
A List of Just Some of the Powerful Features
When used in conjunction with Dorian Software's Event Archiver or Event Alarm software, Event Analyst is one component of the patented Total Event Log Management Solution™ for monitoring, collecting, consolidating, and auditing event logs and syslogs. And, just as our other SEM (security event management) solutions work independently, Event Analyst alone can prove to be a powerful tool for your organization.
Event Analyst 8 and later includes:
- Windows Vista and Windows Server 2008 Reporting Ability
Many are still unaware that the Event IDs in the Windows Vista and Windows Server 2008 security logs have been completely renumbered, breaking automation and significantly changing the way events are logged when compared to prior Microsoft operating systems.
Using Dorian's exclusive LogRefiner technology, many reports now work with the equivalent Vista and Server 2008 versions of these events. Moreover, these reports can correlate similar activities across all operating systems - from Windows NT 4.0 to Windows Server 2008 - when used in conjunction with Event Archiver and its database collection features.
Visit our sample reports page for a listing of these and other reports.
- Active Directory Reporting with Windows Server 2008
Six reports focused on Active Directory activity have been retrofitted to work with the equivalent Windows Server 2008 versions of these events. Moreover, these reports can correlate similar activities across all operating systems - from Windows NT 4.0 to Windows Server 2008 - when used in conjunction with Event Archiver and its database collection features.
Those commonly sought reports include:
- Computer Account Management
- Group Management
- Group Membership Activity
- Logon Failures - Active Directory (Kerberos) (Condensed)
- Logon Failures - Active Directory (Kerberos) (Detailed)
- User Account Management
- Dramatically Expanded Correlation Ability
PrecisionParser capability - a component of Dorian's LogRefiner technology - now ships with Event Analyst and enables correlation across related, but different security events.
Virtually any type of security event can now have its key subfields parsed out, grouped, and sorted inside Event Analyst's custom reporting engine. Want to group your 529 logon failures by Source IP Address and Authentication Package? No problem. Need to sort file access events by Handle ID? We've got that covered as well.
There are many benefits to PrecisionParser capability. Read more about it and its parent technology, LogRefiner.
- Easy-to-Use Custom Report Designer
More easily visualize the grouping and sort order of your layouts with a grid-style editor. You can immediately test your layout against sample data after you create it.
And, with PrecisionParser capability, important details from the description field of Windows security events can be extracted for custom reports. Design compelling custom reports for management, and like never before, correlate events with ease.
Now, you can even have Event Analyst automatically aggregate similar event fields on the final row of your custom reports. For instance, management may want to see the number of events each user generates in the security log, grouped by User, then Event ID. Event Analyst's new aggregation feature makes that very easy to design.
- New Advanced Filter Features
Additional Relative Date Ranges
In the past, administrators could create advanced filters that returned log data a given number of days from the time the filter or report was actually executed. Now, administrators can create advanced filters that return log data a given number of days from the day prior to when the filter or report is run (e.g. from 12:00:00AM to 11:59:59PM), providing them with a clearer data boundary for scheduled report generation.
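The grouping described under PrecisionParser (529 logon failures by Source IP Address and Authentication Package), the per-User/Event ID aggregation row, and the prior-calendar-day window above, worked through on constructed data. This is an added example, not Event Analyst's own code; the CSV column names, the flattened description layout and the run time are assumptions.

```python
# Added example (not part of Event Analyst or Dorian's code): on constructed data it
# applies a "prior calendar day" window (00:00:00 to 23:59:59 of the day before the
# run time), groups Event ID 529 logon failures by Source Network Address and
# Authentication Package, and aggregates events per (User, Event ID).
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed CSV export; column names and the flattened description layout are assumed.
SAMPLE_CSV = """Time,EventID,User,Description
2008-05-12 23:59:59,529,bob,Logon Failure: Authentication Package: NTLM Source Network Address: 10.0.0.5
2008-05-13 08:15:02,529,alice,Logon Failure: Authentication Package: Kerberos Source Network Address: 10.0.0.7
2008-05-13 08:15:09,529,alice,Logon Failure: Authentication Package: Kerberos Source Network Address: 10.0.0.7
2008-05-13 09:01:44,529,guest,Logon Failure: Authentication Package: NTLM Source Network Address: 10.0.0.5
2008-05-13 10:30:00,528,alice,Successful Logon: Authentication Package: Kerberos
2008-05-14 00:00:01,529,bob,Logon Failure: Authentication Package: NTLM Source Network Address: 10.0.0.9
"""
RUN_TIME = datetime(2008, 5, 14, 6, 0, 0)  # constructed time at which the report runs

def prior_day_window(run_time):
    """Return (start, end) covering the full calendar day before run_time."""
    start = datetime.combine((run_time - timedelta(days=1)).date(), datetime.min.time())
    return start, start + timedelta(days=1) - timedelta(seconds=1)

def subfield(description, name):
    """Pull one 'Name: value' subfield out of the description text."""
    match = re.search(re.escape(name) + r":\s*(\S+)", description)
    return match.group(1) if match else "(none)"

def records_in_window(text, run_time):
    """Yield (event_id, user, description) for rows inside the prior-day window."""
    start, end = prior_day_window(run_time)
    for row in csv.DictReader(io.StringIO(text)):
        stamp = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
        if start <= stamp <= end:
            yield int(row["EventID"]), row["User"], row["Description"]

def logon_failures_by_source(text, run_time):
    """Count 529 events grouped by (Source Network Address, Authentication Package)."""
    counts = Counter()
    for event_id, _user, desc in records_in_window(text, run_time):
        if event_id == 529:
            counts[(subfield(desc, "Source Network Address"),
                    subfield(desc, "Authentication Package"))] += 1
    return dict(counts)

def events_by_user_and_id(text, run_time):
    """Aggregate row: number of events per (User, Event ID) in the window."""
    return dict(Counter((user, eid) for eid, user, _ in records_in_window(text, run_time)))
```

Records stamped 23:59:59 on the 12th and 00:00:01 on the 14th fall outside the window and are excluded, which is the "clearer data boundary" the relative date range provides.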
Quick Event ID Lookup
When building Advanced Filters that target one or more Event IDs, administrators can now multi-select them from the Friendly Event ID Manager, making it much easier to find the exact Event IDs that should be targeted.
Quick Computer Lookup
When building Advanced Filters that target one or more computers, administrators can now select them directly from a domain controller, browse list, OU, or custom domain listing.
- Report History Viewer
The recent history of Event Analyst's scheduled report operations is now simply a menu click away. In addition, administrators can filter the entries by type - information, warning, or error messages, for example - and then export them to HTML if necessary.
- Custom Domain Creation
As networks grow and merge, domain and workgroup structures expand in size and complexity. Event Analyst tackles this problem by allowing network administrators to create "custom domains" - logical groups of related computers.
For example, delegation of administration may require that an administrator manage specific servers in three different organizational units of a larger domain. Using Event Analyst, she can now map these individual computer names to a custom domain. Then, she can easily reference that custom domain whenever she needs to summon one of the computers' logs for analysis or reporting.
- Scheduled Report "Test" Feature
Now, after administrators create scheduled reports, they can immediately test them with the click of a button to see whether they produce the desired results. Additionally, if reports must be run again, this feature reduces the administrator's workload.
- Pre-Built Report Summary Exporter
Event Analyst supports the export of all pre-built report titles and what those reports target, making it easy for administrators to share this information with compliance or security officers.
. . . all this in addition to existing features that have made Event Analyst an industry standard for event log and security log reporting:
- Ships With Many Commonly Requested Reports - We've focused on providing the most commonly requested reports for you already. Find out more on our sample reports page.
- Comma-Delimited (CSV) Reporting - Generate reports in both HTML and CSV formats. For administrators or compliance officers who need to document examples of audited activity, the CSV format is especially useful, as it can be manipulated directly in spreadsheet software.
- Direct Reporting - Users can still open up a log source in one of Event Analyst's log viewing windows before generating a report. Or, users can select a log source and immediately generate a report against it, bypassing the need to examine the data directly first. For those desiring immediate report generation, this feature saves significant time.
- Friendly Event ID Definitions for Custom Reports - The Friendly Event ID Manager allows the creation of special definitions for specific event identifiers (Event IDs) that correspond to event sources in certain log types. The Friendly Event ID Manager ships with over 100 definitions already in place, with almost the entire range of security log events predefined for user convenience. When custom reports are prepared, if a friendly definition exists for a specific Event ID, Event Analyst automatically places the definition alongside the number for better report readability.
- Condensed Versions of Selected Reports - In direct response to the requests of our clients, Dorian Software has created condensed versions of certain reports. Find out more on our sample reports page.
- Optimized Report Generation - Although, of course, results vary based on a number of network-specific variables, Event Analyst's reports and custom reports are engineered for the fastest possible generation. For scheduled reports that must process large volumes of data, this optimization is a critical time-saver.
- Report Link Emailing - To minimize potential issues with reports as attachments, Event Analyst can send links to reports via a UNC share path. When enabled, the default scheduled reports folder in Event Analyst is shared, and emails contain a reference to the report files in that share. However, users can select other UNC paths for report creation and linking as desired.
- Filter Name Inclusion in Report Filenames - To better distinguish between scheduled reports of the same type, Event Analyst can be configured to automatically append the filter name used when generating the report to the filename.
- True Organizational Unit Support - Larger domains with administrative control distributed among different OUs in Active Directory can configure Event Analyst to work within an OU and its children. The Event Analyst Service account can be configured to run as an OU Admin (with local administrative control over computers in the OU), and administrators can limit the computer accounts retrieved by Event Analyst in various operations to a specific OU, as opposed to the entire domain.
- Faster Analysis and Reporting With Local Backups of Active Event Logs - In many cases, working with a local backup copy of an event log can speed analysis and reporting. Therefore, when opening an active event log on a network computer for analysis, Event Analyst now provides the option to make a backup copy of the event log or transfer it to the machine running Event Analyst for analysis.
- Automatic Opening of Zipped EVT Files - Automatically uncompress and open archived EVT files that were compressed by Event Archiver - Dorian Software's companion log collection tool.
- Advanced Filter Cloning - A cloning feature for rapid duplication of filters is included to help in defining multiple advanced filters with similar characteristics.
- Single-Click Report Scheduling - With a single menu click or button press, an administrator can schedule a report against the log source he or she is viewing inside Event Analyst. All characteristics of the log source, including computer names, database links, filters, etc., are transferred into the report scheduling dialog automatically. All the administrator must do is choose the desired report and the schedule on which it is generated, greatly reducing the potential for error.
- Compression for Emailed Reports - Report files can now automatically be compressed before being sent by email. This is good for minimizing network traffic demands or for accommodating strict email policies.
- Advanced Emailing Options - Scheduled reports set for automated email have additional customizable settings. Administrators can specify the sender address Event Analyst uses when relaying mail through an SMTP server, in order to meet internal SMTP security standards. Additionally, administrators can craft a custom email subject line to help them differentiate between similar reports that come from different log sources.
- Charts Included in Many Reports - Easy to read charts allow for quick review of problem areas and issues before digesting the more detailed, tabular information that follows. And, charting can be enabled/disabled globally when desired.
- Cloning Scheduled Reports - Event Analyst supports convenient cloning of scheduled reports. Users can quickly use a previously scheduled report as a template for a new report if only a few minor details need to be changed.
- Faster Reporting Through Auto-Configuration of Event Archiver Database Tables - For faster reporting, Event Analyst can automatically index and configure tables when connected to an Event Archiver database in Microsoft Access or Microsoft SQL.
- Simple Viewing of Log Sources - Through an easy-to-use inventory of database and table links, finding and managing log database sources is simple.
- Oracle Database Support - Tables that you create for Oracle 9i with Event Archiver can be managed with native support in Event Analyst.
- Customization Capability and Ready-to-Use Filters - Mine for data using custom sorting to focus only on the data you need.
- Event Log Entry Research Capability - Utilizing the Event Research Window and by way of www.eventlogs.com, users can research and decipher event log files and get recommendations for related Event Analyst Summary Reports.