WhatsUp Gold Technology: Log Management
Comprehensive log management for network security event response, compliance audit, investigation and reporting
With the acquisition of Dorian Software Creations Inc., WhatsUp Gold now offers a complete set of modular, flexible and scalable event and log monitoring, collection, storage and reporting tools that can help you start and grow your chosen log management strategy. Like other WhatsUp Gold software, these tools are cost-effective, intuitive and easy to use, and they are available for a 30-day free trial so you can be sure of what you are getting for your money. With more than a decade of customer-focused development behind it across thousands of real networks, WhatsUp Event Log Management may be the solution you have been waiting for.
The WhatsUp Event Log Management suite offers the following key capabilities:
A Wide Selection of Tools to Suit your Need and Your Budget
Event logs are useful in multiple ways – they can help detect and stop malware and other security threats from penetrating your network; provide visibility into event patterns that shape the security policies for your organization; or collect and store log data for critical compliance audit and reporting. Whatever the need, WhatsUp Event Log Management offers the right tools that can work independently or as part of a total event log management solution. These include Event Archiver, Event Alarm, Event Analyst and Event Rover.
Ability to Manage Both Windows Event Logs and Syslog
Many security and event log management solutions handle one type of log format well and the other poorly. WhatsUp Event Log Management covers both Windows event logs (generated by Windows hosts and applications) and Syslog messages (generated by Unix and Linux hosts and by network devices such as routers, switches and firewalls). For example, WhatsUp Event Alarm can monitor both Windows events and Syslog messages in real time and notify operators when it detects a network security event of interest.
Dual Agentless and Hosted Agent Architecture Support
Hosted agent architectures are costlier to acquire, deploy and manage. Yet sometimes an agent is the only option available, especially when network policy blocks the remote access (RPC and administrative file shares on the monitored Windows host) that agentless collection relies on across subnets or the WAN. Unlike log management solutions that require hosted agents everywhere, WhatsUp Event Log Management supports both agentless and agent-based collection in the same deployment for maximum flexibility and cost-effectiveness.
Standard Database Support
Using a proprietary database is one of the chief causes of vendor ‘lock-in’. Having historical compliance data sitting in a proprietary database can make it impossible to transition to a new software solution without the costs of parallel licenses, monitoring and storage. WhatsUp Event Log Management solutions support standard databases like MS Access, MS SQL and Oracle to meet the requirements of small to large organizations. This also ensures that the organization has easy access to requisite skills for database maintenance. In fact, WhatsUp Event Log Management applications inherently support some routine maintenance tasks like database purging and clearing – giving a head start to network personnel in charge of managing large event log archives.
Coverage across Multiple Types of Event Logs
As any network administrator knows, threats come in many forms. Yet many log management tools rely, or have relied, on the Microsoft definition of a "security" event: one that lands in the Security log of a Windows host. Compliance with many of today's regulations and best security practices requires a comprehensive view of network health and security, and the data of interest is not found in the Security log alone. WhatsUp Event Log Management solutions monitor and collect from comprehensive log sources, including security, administrative, operational and application logs as needed, across both the EVT (Windows NT 4.0, 2000, XP, Server 2003) and EVTX (Windows Vista, Server 2008 and later) log formats.
Windows Event Log Management:
Microsoft Windows operating systems generate a variety of event log messages that aid in maintaining security operations, document application and system access, and more. If your environment includes Windows servers and workstations, it is critical that your log management solution support Windows events across its multiple versions in one solution.
Windows EVT Event Log Format
Windows NT 4.0, 2000, XP and Server 2003 server and workstation versions use the EVT log format. These logs can be viewed with the Windows Event Viewer on local or remote machines, but without intelligent filtering, multi-log viewing and comparison, and similar capabilities, that process is cumbersome at best and unusable at worst. Typical log sources are the System, Security and Application logs. Each kind of event, for example a failed user authentication or a system component that fails to start, is identified by its Event ID. Note that an Event ID is only unique within its event source; the same number can mean something different when logged by another source, so filters should match on source and ID together.
Windows EVTX Event Log Format
With the launch of Windows Vista and Server 2008, Microsoft changed the event log format to EVTX, and the system is now commonly called the Windows Event Log. While the new format has a well-defined structure and offers expanded fields, so that applications can log events more precisely and administrators can interpret them more easily, it breaks away from the earlier EVT format in a number of respects. EVTX uses different event IDs (security events were renumbered: a failed logon is 529 in the EVT-era Security log and 4625 in EVTX, for instance), carries a larger number of fields and supports different sources for event data. Working with both EVT and EVTX formats in the same environment therefore requires normalization to a common data structure. This need is met by WhatsUp Event Log Management's patented and exclusive Log Refiner™ Technology.
With WhatsUp Event Log Management solutions for Windows you can:
- Monitor, collect, analyze, report and store Windows event log files across both the EVT and EVTX versions
- Enable the identification and detection of network security events like repeated logon failures or unexpected change in role privileges for a group or an individual user
- Make comprehensive Windows event log data and reports available for internal and regulatory compliance audit to internal management and auditors
- Provide user friendly capabilities for routine event log review, analysis and scheduled reporting
- Manage Windows event logs remotely from a central location or locally on a host machine as required
- Assign segmented log administration and viewing rights to team members based on organizational needs and management structure
Log Refiner™ Technology:
A number of complications arise when existing log strategies, usually designed only for the soon-to-be "legacy" EVT format, meet the log data generated by Windows Vista, Server 2008 and later versions in the new EVTX format. WhatsUp Event Log Management's exclusive LogRefiner™ technology lets you move to the EVTX format at your own pace and on your own terms. Many compliance standards require that log data be retained for several years, so in most cases EVTX and EVT data will have to be maintained side by side for some time to come.
WhatsUp Event Log Management’s exclusive and patented LogRefiner™ technology offers the following key capabilities:
Down-level EVT File Processing in Windows Vista and Later Versions
LogRefiner technology can read, filter and report on EVT files from down-level systems directly alongside the EVTX files from Windows Vista and newer operating systems in the WhatsUp Event Analyst application. No information is lost when down-level EVT files are converted to the new format, and all event log fields are processed correctly the first time.
Streamlined Fields between EVT and EVTX Logs
The EVTX log format carries more fields than the EVT format. LogRefiner™ technology automatically consolidates the new Keyword and Opcode fields into the Task (Category) field, so that EVT and EVTX records share a common data structure when worked with together.
Field Consistency across Logs
In the Windows Vista Security log, the 'User' field of a record carries no information about the user who performed the action or was affected by it. Instead, all user information is placed in the 'Description' field of the event. LogRefiner™ technology places the most relevant user information back into the 'User' field as it reads and processes EVTX files. By keeping log data and its formatting consistent, this capability greatly aids the network security administrator or compliance officer in reviewing the consolidated data.
Success Audits versus Failure Audits
Another major change in the Windows Vista Security log is that all events are recorded with the level "Information". To discern whether the event represents a failed or a successful action, the administrator must refer to the 'Keywords' field of the event, which carries Audit Success or Audit Failure. LogRefiner™ records whether the event was a Success Audit or a Failure Audit even for EVTX files, greatly aiding the reviewer of log data gathered from different Windows host systems.
PrecisionParser Capability Expands Correlation of both EVT and EVTX Logs
PrecisionParser, a component of LogRefiner Technology, was introduced primarily to expand its correlation capability. Though an offshoot of LogRefiner, users do not have to wait until they work with the EVTX format to benefit from it. With PrecisionParser, virtually any type of security event can have its key subfields parsed out, grouped and sorted inside WhatsUp Event Analyst's custom reporting engine.
WhatsUp PrecisionParser™ capability offers numerous benefits including:
True Log Format Independence
Parsable security log data formats include native EVT and EVTX files, comma-delimited text files produced by Event Archiver and Event Analyst, and Microsoft Access, SQL Server or Oracle database tables produced by Event Archiver and Event Analyst. This multiple-format support (inherited from Dorian) stands in contrast to other vendor packages, which depend on multiple database table schemas in an attempt to normalize log data at collection time rather than at analysis time.
True Operating System and Service Pack Level Independence
PrecisionParser technology can handle virtually all security log data collected from different Microsoft operating systems - from Windows NT 4.0 to Windows Server 2012. This is important as Microsoft frequently expands reported data in security log events over time, often after service packs are applied. If a custom-defined subfield is not present in a legacy operating system event, the custom reporting engine adapts gracefully, simply indicating that the field was not found.
Correlation across Related, Yet Different Security Events
Correlation is possible among different security events that share common subfields in their descriptions. For example, many security events carry the same kinds of subfields, such as account names, logon IDs and IP addresses. Custom reports paired with advanced filters can be built on PrecisionParser technology to show a variety of event activity that is in fact related through these fields.
Support for Multiple Occurrences of the Same Subfield
While less common in legacy security events, Windows Vista, Server 2008 and later versions now often include the same subfield name twice in the 'Description' field. For instance, Event ID 4724 records the resetting of a user's password by an administrator. The order of the accounts in the 'Description' field determines who reset the password (the Subject, listed first) and whose password was reset (the Target Account, listed second). When defining custom fields for reports based on PrecisionParser™ technology, WhatsUp Event Analyst lets you make this distinction by indicating whether you want the second, third or 'nth' occurrence of that field.
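The three normalization steps described above (recovering Success/Failure Audit from the EVTX Keywords bits, putting an account back into the empty 'User' field, and picking the nth occurrence of a repeated subfield such as 'Account Name' so that 4724's Subject and Target can be told apart) and the Logon ID correlation from the previous section, as one added example. This is illustrative code written for this page, not the vendor's LogRefiner or PrecisionParser implementation; the event descriptions are constructed in the layout Windows uses and the SIDs, account names and Logon IDs in them are invented. The Audit Success/Audit Failure keyword bits are Microsoft's documented values.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Keyword bits Microsoft sets on EVTX Security-log events. The raw Keywords
# value also carries a reserved high bit (0x8000000000000000), so test bits,
# never compare the whole value for equality.
AUDIT_SUCCESS_BIT = 0x0020000000000000
AUDIT_FAILURE_BIT = 0x0010000000000000

# "Label:<whitespace>value" lines in a security event description. Section
# headers such as "Subject:" have no value and are dropped by parse_description().
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?):\s*(.*?)\s*$")


@dataclass
class EvtxRecord:
    """Fields a Vista+ Security-log record exposes (samples below are constructed)."""
    event_id: int
    keywords: int
    user: str          # "N/A" on Security-log events; the actor is only in the description
    description: str


@dataclass
class NormalizedEvent:
    """EVT-style view of a record: an illustration of the idea, not vendor code."""
    event_id: int
    audit_type: str    # "Success Audit" / "Failure Audit", as EVT recorded it
    user: str
    logon_id: Optional[str]


def audit_type(keywords: int) -> str:
    """Recover the EVT audit type from the EVTX Keywords bitmask."""
    if keywords & AUDIT_FAILURE_BIT:
        return "Failure Audit"
    if keywords & AUDIT_SUCCESS_BIT:
        return "Success Audit"
    return "Information"


def parse_description(description: str) -> list[tuple[str, str]]:
    """Return (label, value) pairs in description order, keeping duplicate labels."""
    pairs = []
    for line in description.splitlines():
        m = _FIELD_RE.match(line)
        if m and m.group(2):
            pairs.append((m.group(1), m.group(2)))
    return pairs


def subfield(pairs, label: str, occurrence: int = 1) -> Optional[str]:
    """The n-th (1-based) value of `label`, or None if it occurs fewer times."""
    values = [v for lbl, v in pairs if lbl == label]
    return values[occurrence - 1] if len(values) >= occurrence else None


def most_relevant_user(pairs) -> str:
    """First Account Name that names a real account. "-" marks an absent Subject
    (e.g. a 4625 with an anonymous subject), where the target account matters."""
    for lbl, value in pairs:
        if lbl == "Account Name" and value not in ("-", ""):
            return value
    return "N/A"


def normalize(rec: EvtxRecord) -> NormalizedEvent:
    pairs = parse_description(rec.description)
    user = rec.user if rec.user != "N/A" else most_relevant_user(pairs)
    return NormalizedEvent(rec.event_id, audit_type(rec.keywords), user,
                           subfield(pairs, "Logon ID", 1))


def correlate_by_logon_id(records) -> dict[str, list[int]]:
    """Group different event IDs performed under the same Subject Logon ID."""
    groups: dict[str, list[int]] = defaultdict(list)
    for rec in records:
        ev = normalize(rec)
        if ev.logon_id and ev.logon_id != "0x0":   # 0x0 = no logon session
            groups[ev.logon_id].append(ev.event_id)
    return dict(groups)


# Constructed sample records (layout as Windows writes it; identifiers invented).
CREATE_4720 = EvtxRecord(4720, 0x8020000000000000, "N/A", """\
A user account was created.

Subject:
    Security ID:        S-1-5-21-1111-2222-3333-500
    Account Name:       helpdesk01
    Account Domain:     CORP
    Logon ID:           0x3E7A1

New Account:
    Security ID:        S-1-5-21-1111-2222-3333-1106
    Account Name:       svc_backup
    Account Domain:     CORP
""")

RESET_4724 = EvtxRecord(4724, 0x8020000000000000, "N/A", """\
An attempt was made to reset an account's password.

Subject:
    Security ID:        S-1-5-21-1111-2222-3333-500
    Account Name:       helpdesk01
    Account Domain:     CORP
    Logon ID:           0x3E7A1

Target Account:
    Security ID:        S-1-5-21-1111-2222-3333-1105
    Account Name:       jsmith
    Account Domain:     CORP
""")

FAIL_4625 = EvtxRecord(4625, 0x8010000000000000, "N/A", """\
An account failed to log on.

Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       jsmith
    Account Domain:     CORP

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xC000006D
""")

SAMPLE_RECORDS = [CREATE_4720, RESET_4724, FAIL_4625]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(normalize(rec))
    pairs = parse_description(RESET_4724.description)
    print("4724 reset by", subfield(pairs, "Account Name", 1),
          "for", subfield(pairs, "Account Name", 2))
    print(correlate_by_logon_id(SAMPLE_RECORDS))
```

Two design points matter in practice. Occurrence order is the only thing that distinguishes Subject from Target in a 4724 description, so the parser must preserve duplicates rather than collapse them into a dictionary. And the "most relevant" user is event-specific: for a failed logon the Subject is usually "-" and the account that matters is the second Account Name, which is why the fallback skips placeholder values instead of blindly taking the first occurrence.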
If your security policies require you to collect, monitor and analyze event logs from network equipment such as routers and switches, your chosen log management solution has to support Syslog monitoring. If your environment also hosts Unix and Linux systems, Syslog monitoring becomes even more critical. Syslog is a standard for forwarding log messages across an Internet Protocol (IP) network. It is a client-server protocol: a logging application transmits a small text message to a Syslog receiver or server. These messages may be sent over the User Datagram Protocol (UDP, traditionally port 514) or the Transmission Control Protocol (TCP). UDP delivery is unacknowledged, so messages can be lost silently under load, and neither transport authenticates the sender unless TLS is used, so a receiver should be placed where only trusted hosts can reach it.
Just like Windows event logs, Syslog is typically used for system management and security auditing. While it has a number of shortcomings, Syslog is supported by a wide variety of devices and receivers across multiple platforms, so it can be used to bring log data from many different kinds of systems into a central repository. The protocol has since been standardized by the IETF (RFC 5424, which supersedes the informational RFC 3164 description of the original BSD format). With the WhatsUp Event Log Management suite you can:
- Monitor, analyze and alert on both Windows event logs and Syslog events from a single console with the WhatsUp Event Alarm application.
- Review and support spot-check audits with the WhatsUp Event Rover application on Syslog data stored in the Event Alarm database.
- Filter, analyze and report on stored Syslog data within the Event Alarm database using the WhatsUp Event Analyst application
- Together, the WhatsUp Total Event Log Management solution provides you the capability to manage Windows event logs and Syslogs from a single log management application
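The Syslog message structure described above, as an added example that is not part of the original page or of the WhatsUp products: a small receiver-side parser that decodes the PRI header into facility and severity, handles both the traditional BSD layout (RFC 3164) and the RFC 5424 layout, and then applies the kind of "security event of interest" filter an alerting tool runs. The sample lines, host names and addresses are constructed for the example; the facility and severity tables are the values the RFCs define.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Facility codes 0-23 and severity codes 0-7 as defined in RFC 5424 (same as RFC 3164).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[.*?\])+)(?: (.*))?$")
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
_RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?:\s?(.*)$")


@dataclass
class SyslogEvent:
    layout: str          # "5424" or "3164"
    facility: str
    severity: str
    severity_code: int   # 0 (emerg) .. 7 (debug); lower is more urgent
    host: str
    app: str
    message: str


def decode_pri(pri: int) -> tuple[str, str, int]:
    """PRI = facility * 8 + severity; anything above 191 is not a valid PRI."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], pri % 8


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Parse one received line; None means it matched neither layout."""
    m = _RFC5424.match(line)
    if m:
        pri, _ts, host, app, _procid, _msgid, _sd, msg = m.groups()
        layout = "5424"
    else:
        m = _RFC3164.match(line)
        if not m:
            return None
        pri, _ts, host, app, _pid, msg = m.groups()
        layout = "3164"
    try:
        facility, severity, code = decode_pri(int(pri))
    except ValueError:
        return None
    return SyslogEvent(layout, facility, severity, code, host, app, msg or "")


# Message patterns an operator would typically alert on (illustrative, not exhaustive).
DEFAULT_PATTERNS = (r"Failed password", r"authentication failure", r"Configured from console")


def security_events(lines, max_severity: int = 4, patterns=DEFAULT_PATTERNS):
    """Return (events of interest, count of unparseable lines).

    A line is of interest when its severity is `max_severity` (warning) or more
    urgent, or its message matches one of `patterns`. Unparseable lines are
    counted rather than dropped silently: a sudden rise in them is itself a signal
    (new device, changed format, or someone sending junk to the collector).
    """
    matcher = re.compile("|".join(patterns), re.IGNORECASE)
    hits, unparsed = [], 0
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            unparsed += 1
        elif ev.severity_code <= max_severity or matcher.search(ev.message):
            hits.append(ev)
    return hits, unparsed


# Constructed sample input: one SSH failure, one switch config change (RFC 5424),
# one RFC 5424 line with structured data, one kernel message, one junk line.
SAMPLE_LINES = [
    "<86>Mar  3 14:02:11 bastion01 sshd[2419]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "<189>1 2024-03-03T14:02:12Z core-sw1 SYS - CONFIG_I - Configured from console by admin on vty0 (203.0.113.7)",
    '<165>1 2024-03-03T14:02:13.003Z app01.example.com evntslog - ID47 [auth@32473 user="jsmith" result="ok"] user logged in',
    "<2>Mar  3 14:02:14 bastion01 kernel: Out of memory: Killed process 2419 (sshd)",
    "not a syslog line",
]

if __name__ == "__main__":
    hits, unparsed = security_events(SAMPLE_LINES)
    for ev in hits:
        print(f"{ev.host:<10} {ev.facility}.{ev.severity:<8} {ev.app}: {ev.message}")
    print("unparseable lines:", unparsed)
```

The parser tries the RFC 5424 layout first because its `<PRI>1 ` prefix is unambiguous, then falls back to the BSD layout. Real collectors also have to cope with devices that omit the PRI, emit non-standard timestamps or truncate at 1024 bytes; those cases return None here, which is why the unparseable count is surfaced rather than discarded.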