Q. What is the procedure to upgrade from EvLog version 2.0?
A. You can run EvLog 2.0 and EvLog 3.0 in parallel as the installation of version 3 will not overwrite the one for EvLog 2. To use an existing configuration, from the EvLog 3 GUI open the desired configuration, and adjust it as necessary. EvLog will automatically create a copy of the configuration in its folder.
Q. What type of event logs are supported?
A. EvLog supports the Application, System, Security, DNS Server, File Replication Service and Directory Services event logs.
Q. How many systems can I monitor with EvLog 3?
A. Theoretically, there is no limit (at least there is not limit imposed by us in EvLog) - it all depends on how many your network can support.
Q. I think that the program can be improved. Can I send a suggestion?
A. Yes, please send any suggestions to [email protected]. We are very flexible on adding new features.
Q. I need to monitor events on computer located behind a firewall. What ports do I have to open on the firewall?
A. EvLog requires the same ports as Microsoft Event Viewer. These are TCP/135, TCP/137 and UDP/137.
Q. I have some technical problems with EvLog. What information do I need to send you?
A. Here are few things that we may need in order to troubleshoot the problem:
- Does Microsoft Event Viewer work fine in the same conditions? (if applicable)
- What error message do you get?
- Did it work before but recently stopped working?
- What operating system do you use on the computer creating the problem?
Send this information to [email protected].
Q. How can I obtain the full access to the links displayed in EvLog reports?
A. A subscription to www.eventid.net is required.
Q. I would like to schedule the reports to run at regular intervals. Is it possible?
A. Yes, you can use the Microsoft Task Scheduler to schedule the reports to run as desired. The schedule has to use an account that has the right to access the Windows event logs. For more information, see how to create a task in Microsoft Task Scheduler for Windows 7.
Q. How do I send the reports to multiple emails?
A. You can specify multiple email addressess separated by a comma (,). Do not use semicolon (;).
Q. What are the most common issues with EvLog 3?
A. The most common problems with EvLog are:
The Microsoft .Net Frameworks is not up-to-date (EvLog requires version 3.5 or higher - as of June 1, 2013, the latest version is 4.5). See Microsoft .Net Framework for details.
The command line prompt used to run EvLog is opened without administrative rights (these are required in order to access the Windows event logs).
The user modifies the XML configuration file but it does not closes the XML tags properly. Every <> tag has to be closed accordingly. This will cause errors when EvLog 2 is attempting to read the configuration. For example:
Incorrect (the closing tag is not right, the right bracket is missing): <ReportWarning>true</ReportWarning
When the XML file contains an error, EvLog 3 will display an error message similar to:
Error opening the configuration file: There is an error in XML document (35, 38).
"35" indicates the line in the config file where the error is present.
The EvLog3 path configured in .cmd does not match the actual location
The account configured to run the task does not have the required permissions to access the logs (if a remote computer is specified in the configuration file, the account has to be able to reach the logs over the network and for example, the local admin account does not have that type of permission)
The email server does not accept relaying (authentication details have to be configured). Emails problems are not always that obvious but from our experience the common problem when the reports are created but not emailed is the SMTP server not accepting the emails from the specified account.
Q. What is the meaning of the various variables used in the EvLog report names and email subject configuration, such as %year%, %month%, etc?
A. These variables are placeholders for various data compiled during the report. These placeholders will be replaced with the actual data obtained during the report. Here is the list of supported placeholders:
%year% - The current year
%mm% - The current date (numerical format, ie: 01, 02,....12)
%dd% - The current day
%computer% - The name of the computer being analyzed
%number_events% - The number of events included in the report
For example, if the current date is Jan 29, 2015, the computer name is WIN08TOR1 and there were 5 reported events, if the email subject is set as EvLog3 Report - %computer% - %yyyy%-%mm%-%dd% - %number_events%, the actual received email will have the subject: EvLog3 Report - WIN08TOR1 - 2015-01-29 - 5 events
Q. How to update the license key for all the system where EvLog is deployed?
A. To update the license information, copy the EvLog3.license file from a computer where the EvLog license has been updated, to all the computers where EvLog is installed, overwriting the existing one (if present).
Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.
Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.