Event Manager 7 Report pack not showing events
Event Manager 7 Report pack not showing events - 26.Oct.2006 3:46:14 PM
srsb
Some events are not showing in the Event Manager Report Pack. I have account lockouts but they do not show in the event browser on the Event Manager Console or in the default reports of the Report Pack. I have checked the server event log and they are being logged. I am running the current build for both applications. Any ideas?
RE: Event Manager 7 Report pack not showing events - 27.Oct.2006 3:18:39 AM
Arielle
Hi,

This is a known issue which has been fixed and will be available in the next build. For a temporary workaround, please follow these steps:

1. Go to Configuration > Event Processing Rules
2. Create a new folder and name it something like 'Workaround'
3. Increase the priority of this folder (ctrl+up) to the top of the list, above the 'Noise Reduction' rule set
4. In the folder 'Workaround' create a new rule set 'Workaround Rules'
5. Create a new rule for log security and triggering event 644 (account lockout), classified as 'Critical importance event' and use the default classification actions.
6. In Configuration > Event Sources add the folder 'Workaround' to the computer groups you are scanning. This is done from the properties of a computer group in the 'Windows Event Log' tab under 'Process using these rule sets'
7. Restart the GFI EventsManager service and reset scanning for the target workstation in issue

You should now be able to start viewing the events with ID 644 (or what event you created the workaround for) in the Events Browser.
< Message edited by Arielle -- 27.Oct.2006 3:21:37 AM >
_____________________________
Arielle Bonnici - Quality Metrics Analyst GFI Software - www.gfi.com
RE: Event Manager 7 Report pack not showing events - 1.Nov.2006 8:13:02 AM
rishishah
I cannot see Failed Logons or the Logoff Events. How would I write the workaround for this?
RE: Event Manager 7 Report pack not showing events - 1.Nov.2006 8:44:48 AM
Arielle
Hi, A newer build that solves this issue is located at http://ctp.gfi.com/2006_10_27_EventsManager7.exe Please update to this build and let us know if it fixes your problem. Note: this build is a CTP build at the moment and not given out as a release build yet.
_____________________________
Arielle Bonnici - Quality Metrics Analyst GFI Software - www.gfi.com
RE: Event Manager 7 Report pack not showing events - 1.Nov.2006 9:46:59 AM
rishishah
Why does this upgrade not retain all existing settings after the upgrade?
RE: Event Manager 7 Report pack not showing events - 1.Nov.2006 9:53:46 AM
rishishah
Although Account Lockouts are displayed, Failed Logons are still not displayed. Is there a workaround for this by any chance?
RE: Event Manager 7 Report pack not showing events - 1.Nov.2006 10:00:45 AM
Arielle
When updating to the new build, the ..\GFI\EventsManager 7\Data folder that holds the configuration settings is renamed to Data_Olds. You can import the settings of the previous installation of EventManager by:

1. Open GFI EventsManager and go to File > Import and Export Configurations > Import from another instance.
2. Choose 'Import from another instance' and click Next
3. Select the folder ..\GFI\EventsManager 7\Data_Old and click Next
4. The license key needs to be entered manually after the settings are imported
5. After the settings are imported, it is recommended that the UI is restarted
_____________________________
Arielle Bonnici - Quality Metrics Analyst GFI Software - www.gfi.com
RE: Event Manager 7 Report pack not showing events - 1.Nov.2006 10:22:26 AM
rishishah
Thanks for this. If you can now give me a workaround on how to get the Failed Logons to show then it should all be sorted! Thanks.
RE: Event Manager 7 Report pack not showing events - 1.Nov.2006 10:42:52 AM
Arielle
1. Go to Configuration > Event Processing Rules
2. Create a new folder and name it something like 'Workaround'
3. Increase the priority of this folder (ctrl+up) to the top of the list, above the 'Noise Reduction' rule set
4. In the folder 'Workaround' create a new rule set 'Workaround Rules'
5. Create a new rule for log security and triggering event 529 (failed logon), classified as 'Critical importance event' and use the default classification actions.
6. In Configuration > Event Sources add the folder 'Workaround' to the computer groups you are scanning. This is done from the properties of a computer group in the 'Windows Event Log' tab under 'Process using these rule sets'
7. Restart the GFI EventsManager service and reset scanning for the target workstation in issue

This procedure can be applied to other events that you might have a problem with at the moment, just create the rule in step 5 to trigger the event you want.

Thanks
_____________________________
Arielle Bonnici - Quality Metrics Analyst GFI Software - www.gfi.com
RE: Event Manager 7 Report pack not showing events - 2.Nov.2006 2:07:17 PM
srsb
I have installed the Build 20061027 and I am still having the same problem with event IDs not showing in the reports. If I use the browser option in Event Manager 7 I can see the failure audits for ID # 675, but none of them show up in the Default Reports for the Failed Logons. It makes me wonder what other event IDs are missing from the reports, there are quite a few of them that show nothing at all.
RE: Event Manager 7 Report pack not showing events - 3.Nov.2006 1:33:44 AM
rishishah
I agree with SRSB. Although I now have parts of it working there are still plenty of events that are totally blank within the EventManager. What can we do?
RE: Event Manager 7 Report pack not showing events - 3.Nov.2006 2:32:20 PM
dsj
I'm having the exact same issue and I just posted a new topic before I saw this one. The "workarounds" don't seem practical because it seems it would have to be done for every missing event. It doesn't seem like this product is quite ready for primetime yet.
RE: Event Manager 7 Report pack not showing events - 6.Nov.2006 2:53:12 AM
Calin Ghibu
Hi guys,

Regarding the reportpack:

At the moment, the reports in issue list the events in the Logon/Logoff category. The Kerberos events you mention are part of the Account Logon category. We will add those events either in a separate report, or modify the current one to cover Account Logon category too.

For the moment, you can use the following workaround: The report pack contains a default set of reports called "All critical messages". In it, there is a report called "All critical Windows events". If the event(s) you need to see in reports (be it 675 or any other) are categorized as critical events, you should see them in that report. If they are not classified as critical, you can create a custom report based on that report, which shows events in other categories than critical. Although you cannot filter by event id in the report, in both situations, you can refine the results by selecting only the Windows log type where the required event is logged, and further filter by type, for example, or User Name.

Regarding both the ReportPack and the EventsManager:

Important note: usually the 675 event is logged by user System. In order to have it archived/classified, you need to disable the rule in the Noise reduction -> User based noise group which ignores events generated by the system, OR, modify it not to ignore the events you are interested in. In order to do this, you can specify ranges of events to be ignored, or enumeration, or both. For example, say you do not want events 644 and 675 ignored by this rule (both are logged by the System user). In this case you modify the rule mentioned above as follows:

- add a restriction in the Event id field of the rule as follows: 0-643,645-674,676-1000 (security event id is not larger than 1000).

Let me know if I can help you any further.

When the addition of Account Logon events will be made to the EventsManager ReportPack, I will post a message to this thread containing details about what has been implemented and where to get the build.

Best regards, Calin
< Message edited by Calin Ghibu -- 6.Nov.2006 2:56:19 AM >
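
The Event id restriction described in the post above (ignore everything except the IDs you need) can be generated and checked instead of typed by hand. This is an added example, not part of the original thread and not GFI tooling; the function names are hypothetical, and the 0-1000 bound and the IDs 529, 644 and 675 are the ones quoted in the thread.

```python
MAX_SECURITY_EVENT_ID = 1000  # upper bound stated in the post above


def parse_restriction(spec):
    """Parse '0-643,645-674,700' into sorted inclusive (lo, hi) ranges."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if sep else lo  # a bare number is a one-ID range
        if lo > hi:
            raise ValueError(f"descending range: {part!r}")
        ranges.append((lo, hi))
    return sorted(ranges)


def build_restriction(keep_ids, max_id=MAX_SECURITY_EVENT_ID):
    """Return the ranges covering 0..max_id except the IDs in keep_ids."""
    parts, start = [], 0
    for event_id in sorted(set(keep_ids)):
        if not 0 <= event_id <= max_id:
            raise ValueError(f"event id {event_id} outside 0-{max_id}")
        if event_id > start:
            parts.append((start, event_id - 1))
        start = event_id + 1  # skip the ID that must not be ignored
    if start <= max_id:
        parts.append((start, max_id))
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in parts)


def is_ignored(event_id, spec):
    """True if a rule restricted to spec still matches event_id."""
    return any(lo <= event_id <= hi for lo, hi in parse_restriction(spec))


def audit(spec, must_see):
    """Return the IDs from must_see that the restriction still covers."""
    return [e for e in sorted(must_see) if is_ignored(e, spec)]


if __name__ == "__main__":
    spec = build_restriction([644, 675])
    print(spec)
    print(audit(spec, [529, 644, 675]))
```

Run `audit` with every event ID your reports depend on; any ID it returns is still matched by the restricted noise rule.
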
RE: Event Manager 7 Report pack not showing events - 6.Nov.2006 8:15:04 PM
PCPlumber
I was having the same problem. All the lock out and failed logon events are not being reported or alerting. I followed the instructions and upgraded to the newer version. For a while (4 hours), I was getting the event in the viewer, reports, alerts. Now, there is no activity. I restarted the service, and rebooted the server, but still no activity. There are new events on my DCs, but the GFI is just not going over there to read the events anymore. Any ideas?
RE: Event Manager 7 Report pack not showing events - 7.Nov.2006 2:45:52 AM
Calin Ghibu
Hi, Do you get any scanning errors in the EventsManager Monitor? Can you check the Log Browsers to see if there are any new events? Best regards, Calin