ManageEngine EventLog Analyzer

Last updated: April 4, 2024 at 10:44 am PDT

Note on Licensing: Cost Centers should be aware, DOI is currently investigating an Enterprise Security Information and Event Management (SIEM) Solution. It is not known what product the solution will use, or if it will entirely replace the need for other SIEMs in the USGS.  However, since Zoho ManageEngine is now offering a perpetual licensing model, Cost Centers are advised to continue to use the Annual Renewal Licensing Model rather than perpetual licensing until the scope and costs of any Enterprise SIEM is understood.

EventLog Analyzer is a Security Information and Event Management (SIEM) application. With EventLog Analyzer, you can automate the entire process of managing terabytes of machine-generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one centralized console. This software helps monitor file integrity, conduct log forensics analysis, monitor privileged users, and comply with different compliance regulatory bodies. It does so by analyzing logs to instantly generate a number of reports such as user activity reports, historical trend reports, and more.

EventLog Analyzer TST pages are offered as general guidelines. Since it is not an Enterprise Application, sites should purchase maintenance and support through ManageEngine to be able to get application updates, patches, and expert-level support. The screenshots and information below are based on Build Version 12.2.1. To see the most updated information, please refer to the official EventLog Analyzer User Guides.

Assessment and Authorization (A&A)

EventLog Analyzer helps with meeting a number of A&A controls in the Auditing and Accountability Policy and Procedures (AU) family of controls. More information on the Control Family Digests and the AU – Auditing and Accountability control set can be found on the Assessment & Authorization (A&A) website. Verify EventLog Analyzer is configured based on the instructions within this page. EventLog Analyzer helps meet the following A&A Controls:

Basic Configuration for A&A Requirements

AU-04 Audit Storage Capacity

1) To meet this security control in Eventlog Analyzer, click on Settings > Admin Settings > Retention Settings and set Current Storage Size to 180 Days.

AU-05 Response To Audit Processing Failures

1) To meet this security control in Eventlog Analyzer, apply the configurations shown here: Log Collection Alerts

AU-06 Audit Monitoring, Analysis, and Reporting

Using a combination of gathering, reporting, and real-time alerting, EventLog Analyzer is able to analyze events across all systems and generate reports or alerts based on the results of those analyses.

1) To meet this security control in Eventlog Analyzer, click on Alerts > Add Alert Profile.

2) Click Select Alert > Compliance Alerts > Compliance Type FISMA, select all and Save.

3) Set Send Notification to Once a week, select Email Notification, enter To and Subject fields then Save Profile.

4) Complete the same steps above to add a compliance alert for NIST by selecting Compliance Type NIST for step 3.

AU-07 Audit Reduction and Report Generation/AU-07(01) Automatic Processing

1) To meet this security control in Eventlog Analyzer, click the Compliance tab to display the FISMA Comprehensive Audit Reports.

2) To search the logs, click on the Search tab and enter the desired search parameters for your on-demand query. In this example, Windows devices were chosen and the Advanced search was performed to look for Event Type “Application”. The results show up in the Graph, and Event Messages/Details are listed below that.


AU-11 – Audit Record Retention

The log files processed by the EventLog Analyzer are archived periodically for internal, forensic, and compliance audits. The archival interval and retention period are configurable. The archive file can be encrypted and time-stamped to make it secure and tamper-proof. The logs are written to flat files at the specified time period and are compressed and zipped (20:1 ratio).

  1. To meet this security control, verify settings are configured as described under the AU-04 Audit Storage Capacity section and the Post Installation section for archives.
  2. To view 180 days of logs, select Settings > Data Storage > Archives, select the Calendar icon and enter 180 days.

SI-07(02)(a) Software, Firmware, And Information Integrity

To meet this security control in Eventlog Analyzer, click on the Compliance tab.

  • Many built-in reports are available.
  • SI-07(02)(a) asks you to “Provide output showing tool for monitoring information system software in use, such as screen capture of report or event log showing change.”
  • The FISMA Configuration Management (CM)/Other Softwares/Software Installed report can be used.
  • Select a Date Range.
  • Select a Device.
  • The report will show all the Software Installed for this device within the date range you specified.

System Requirements

Licensing

EventLog Analyzer comes in two editions: Premium (aka Standalone) and Distributed. This page is focused on the Premium Edition, which is an annual subscription. You will need to purchase licenses for as many Windows Workstations, Windows Servers and Syslog Devices as you need to cover at your site. A workstation would be your client, and a Syslog device could be a server (e.g., Oracle server, MS SQL server), a network device (e.g., router, switch) or an application (e.g., Active Directory, IIS, Apache).

Request federal government pricing for a possible discount. 

Licensing Information (manageengine.com)

Installation

Reference How to Install and Uninstall EventLog Analyzer (manageengine.com)

1) Start the ManageEngine_EventLogAnalyzer_64bit.exe program. The program will begin extracting and installing. Agree to the terms and conditions of the license agreement. Select the folder to install the product.

2) Select OK for the Antivirus scanner pop up.

3) (Optional) Register the application.

4) Select the following options and click Finish.

5) ManageEngine EventLog Analyzer will begin to initialize.

6) The icon will show up in the taskbar.

7) The application can also be launched by navigating to the <EventLog Analyzer Home>\bin folder and invoking the run.bat file from an administrative cmd prompt.

Post-Installation

Note – EventLog Analyzer will use an available and active NIC for its IP address. If there are multiple NICs then the IP address can change when the ManageEngine service is restarted or the system is restarted. Contact ManageEngine support to configure a static IP address.

1) From your local workstation, connect to the EventLog Analyzer instance over HTTP using its IP address and port 8400.

2) Sign in for the first time using admin/admin:

3) Follow your emailed instructions to install the license.

4) Follow pop up prompts to change the administrator password.

5) Update the administrator email address and disable the guest account following Technicians and Roles (manageengine.com)

6) ManageEngine Support recommends running the product as a service because there might be parsing and log collection restrictions when running the product as an application.

Open the command prompt with admin privileges.

Navigate to the Eventloganalyzer\bin folder and execute the following batch file:

Service.bat -i

Start the service called “ManageEngine EventLog Analyzer…”

7) Adjust the Archive Retention Period based on storage space requirements (minimum requirement is 90 days). Click Settings > Admin Settings > Archives > Settings > Archive Retention Period.

8) Follow the guide to secure the installation Guide to secure your EventLog Analyzer installation (manageengine.com)

9) Click the Settings tab, then search for “ssl” in the search bar. Click on Manage HTTP ports, SSL connections, Proxy settings….

Check the box to enable SSL. Make sure the port is 8445.

Click the Advanced drop down and deselect versions TLSv1/TLSv1.1. Click Save Settings when finished.
Complete the SSL configuration by following the SSL Certificate Installation section.

Adding Log Sources

EventLog Analyzer can collect logs from the following devices: Windows, Linux/Unix, IBM AS400, Cisco devices, and any Syslog device.

Domains and Workgroups

Reference Domains and Workgroups (manageengine.com)

To collect logs, an Active Directory administrative account is needed for authentication; using a service account is recommended.

1) Click Settings > Admin Settings > Domains and Workgroups. Under Actions, click Update (pencil icon) for gs.doi.net. Select Authentication and Enter your service account credentials.

2) Under Actions, click Reload domain objects for gs.doi.net, select all objects and Reload. It may take some time for the domain objects to populate.

Add Devices

Add Windows Devices


Reference Adding Windows devices (manageengine.com)

Once domain credentials are entered and domain objects have finished populating then Windows Devices can be added.

1) To add devices (log sources), click Settings, Log Source Configuration, Devices, Add Device(s).

2) Select the gs.doi.net domain from the drop-down and click OU Filter.

3) Select the OU with the devices you want to add. Then click Filter.

4) Select the devices you want to add and click Add.

5) To change the monitoring interval, select Devices and Change Monitor Interval (clock icon), change the time and click Update.

Add Syslog Devices

Reference Adding Syslog Devices (manageengine.com)
Reference Configuring the Syslog Service on a UNIX devices (manageengine.com)

Manage Syslog Listener Ports on Eventlog Analyzer Server

  1. On the Eventlog Analyzer Server navigate to Settings > System Settings > Listener Ports.
  2. Ensure port 514 is listening on UDP and/or TCP.
  3. Note: **Ensure firewall rules on the EventLog Analyzer Server allow port 514 on UDP and/or TCP.**

Installation of rsyslog on Linux Server

  1. On the Linux Server verify rsyslog is running.
    Example: systemctl status rsyslog
  2. Next open the rsyslog configuration file as sudo/root:
    sudo vim /etc/rsyslog.conf
  3. At the end of the config file append one of the following lines.
    *.* @ipaddress:514           # Use @ for UDP protocol
    *.* @@ipaddress:514          # Use @@ for TCP protocol
    **Note: you only need to use either UDP or TCP.**
  4. Restart the rsyslog service:
    sudo systemctl restart rsyslog
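The rsyslog steps above, as an added example script that is not from the page or from ManageEngine. It assumes the distribution's rsyslog.conf includes /etc/rsyslog.d/*.conf (so the rule goes in a drop-in file rather than being appended to rsyslog.conf), and the EventLog Analyzer address and protocol are supplied as arguments.

```bash
#!/bin/sh
# Added example (not from the page): install and verify an rsyslog forwarding
# rule for EventLog Analyzer. Assumes /etc/rsyslog.d/*.conf is included by
# /etc/rsyslog.conf. Run as root, e.g.: ela_install_rule tcp 10.0.0.5

# Build the forwarding line. Syntax from the page: @ = UDP, @@ = TCP.
# Default port 514 matches the ELA listener port; a third argument overrides it.
ela_forward_rule() {
  proto="$1"; ip="$2"; port="${3:-514}"
  case "$proto" in
    udp) printf '*.* @%s:%s\n'  "$ip" "$port" ;;
    tcp) printf '*.* @@%s:%s\n' "$ip" "$port" ;;
    *)   echo "unsupported protocol: $proto (use udp or tcp)" >&2; return 1 ;;
  esac
}

# Write the rule to a drop-in file, check the configuration parses, restart
# rsyslog, and send a tagged test message that should appear in ELA shortly.
ela_install_rule() {
  proto="$1"; ip="$2"; conf="${3:-/etc/rsyslog.d/90-ela.conf}"   # path is an assumption
  systemctl is-active --quiet rsyslog || { echo "rsyslog is not running" >&2; return 1; }
  ela_forward_rule "$proto" "$ip" > "$conf" || return 1
  # -N1 parses the full configuration (including drop-ins) without starting the daemon,
  # so a typo in the rule is caught before the running service is disturbed.
  rsyslogd -N1 >/dev/null 2>&1 || { echo "rsyslog config check failed; remove $conf" >&2; return 1; }
  systemctl restart rsyslog
  logger -t ela-test "forwarding test from $(hostname)"
}
```

After running it, look for the ela-test message under Settings > Log Source Configuration > Devices once the host appears; if it never arrives, the firewall rule for 514 on the ELA server is the first thing to check.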

Installation on Network Device

  1. Follow the network device guidelines to set up log forwarding to EventLog Analyzer.
    Example ArubaOS-Switch command: logging <IP ADDRESS>

Verify EventLog is receiving logs

  1. Navigate to Settings > Log Source Configuration > Devices.

If everything is configured correctly, including DNS resolution, you should start to see the hostname populate and log collection start.

Security Control Compliance Reports

ManageEngine EventLog Analyzer includes canned reports for Security Control Compliance. This feature makes it quick and easy to see compliance reports for Security Controls. These canned reports can be used to define custom reports as shown in the Report Configuration section on this page.

Report Configuration

Configuring Email Settings

Follow the steps on the EUS SMTP Over SSL (sharepoint.com) page to configure email settings.

Creating Custom Reports

https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/EventLogAnalyzerReports/create-custom-reports.html

SSL Certificate Installation

Some of the options below are not available in earlier versions of EventLog Analyzer. It is recommended to update to the latest version before proceeding.

If you haven’t already, request a signed SSL certificate following the instructions on the AD Certificate Services page. Make sure to also export the certificate in .PFX format (explained in the last chapter of the SSLCert-Script.mp4 video) so you can import it into EventLog Analyzer (ELA).

Logon to the ELA console, navigate to settings and search “SSL” in the search box, then click Manage HTTP ports, SSL connections, Proxy settings…

Click the SSL Certification Tool

Select the Apply Certificate option, and the Individual Certificate upload option. Browse to the location of the certificate you exported in PFX format in Step 1 and upload it. Add the certificate password you created when you exported the PFX. Click Apply when finished.

You should see a notification similar to the one below if the certificate successfully installed. You may see a message that the host name does not match the certificate, but as long as you included the appropriate aliases when you requested the certificate, this message can generally be ignored. The ELA services will need to be restarted to complete the installation.

It is recommended to clear your browser cache, then access the ELA URL. The connection should show as secure with the new valid SSL certificate installed.

Smart Card Authentication

Follow these instructions to configure smart card authentication in EventLog Analyzer.

