Overview
This article provides detailed information about the operational functionality of the GFI EventsManager.
Environment
- EventsManager 8
- EventsManager 2010
- EventsManager 2011
- EventsManager 2012
Information
The operational functionality of GFI EventsManager is divided into 2 stages:
- Stage 1: Log Collection
- Stage 2: Event Processing
Stage 1: Log Collection
During the Log Collection stage, GFI EventsManager collects logs from specific event sources. This is achieved through the use of 2 log collection engines:
- The Event Retrieval Engine
- The Event Receiving Engine
The Event Retrieval Engine
The Event Retrieval Engine is used to collect Windows event logs and W3C logs from networked event sources. During the Event Collection process this engine will:
- Log on to the event source(s).
- Collect events from the source(s).
- Send collected events to the GFI EventsManager Server.
- Log off from the event source(s).
The Event Retrieval Engine collects events at specific time intervals. The event collection interval is configurable from the GFI EventsManager management console.
The Event Receiving Engine
The Event Receiving Engine acts as a Syslog and an SNMP Traps server. It listens for and collects Syslog and SNMP Trap events/messages sent by various sources on the network. As opposed to the Event Retrieval Engine, the Event Receiving Engine receives messages directly from the event source. Therefore, it does not need to log on remotely to the event sources to collect events. Further to this, Syslog and SNMP Trap events/messages are collected in real time, and therefore no collection time intervals need to be configured.
By default, the Event Receiving Engine listens to Syslog messages on port 514 and to SNMP Trap messages on port 162. Both port settings are however customizable via the GFI EventsManager management console.
Stage 2: Event Processing
During this stage, GFI EventsManager will run a set of Event Processing Rules against collected events. Event Processing Rules are instructions that:
- Analyze the collected logs and classify processed events as Critical, High, Medium, Low or Noise (unwanted or repeated events).
- Filter events that match specific conditions.
- Trigger email, SMS and network alerts on key events.
- Trigger actions such as the execution of executable files or scripts on key events.
- Optionally archive collected events in the database backend.
Note: GFI EventsManager can be configured to archive events without running Event Processing Rules. In such cases, even though no rules will be applied against collected logs, archiving will still be handled by the Event Processing stage.
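The following is an added Python model of the two stages described above (it is not GFI code and does not reproduce the product's rule engine): Stage 1 parses constructed Syslog messages of the kind the Event Receiving Engine accepts on port 514, and Stage 2 classifies them as Critical, High, Medium, Low or Noise. The severity-to-class mapping and the "third identical message is Noise" threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample messages in BSD syslog form (<PRI>timestamp host tag: text),
# as an Event Receiving Engine would see them arriving on UDP port 514.
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 fw01 kernel: link down on eth1",
    "<13>Oct 11 22:14:16 web01 sshd[1432]: Accepted publickey for ops",
    "<13>Oct 11 22:14:16 web01 sshd[1432]: Accepted publickey for ops",
    "<13>Oct 11 22:14:16 web01 sshd[1432]: Accepted publickey for ops",
    "<28>Oct 11 22:14:17 db01 postgres[99]: checkpoints are occurring too frequently",
    "<6>Oct 11 22:14:18 web01 cron[77]: job finished",
    "garbage without a PRI header",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Assumed mapping from syslog severity (0-7) to the article's classes. In the
# product this is decided by Event Processing Rules, which the article does not list.
SEVERITY_TO_CLASS = {0: "Critical", 1: "Critical", 2: "Critical",
                     3: "High", 4: "Medium", 5: "Low", 6: "Low", 7: "Low"}


def parse_syslog(line):
    """Stage 1: split the PRI into facility/severity. Returns None for a malformed line."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # PRI = facility * 8 + severity, so 191 is the largest valid value
        return None
    return {"facility": pri // 8, "severity": pri % 8, "body": m.group(2)}


def classify(events, repeat_threshold=3):
    """Stage 2: assign a class per event; repeats at or past the threshold become Noise."""
    seen = Counter()
    results = []
    for ev in events:
        seen[ev["body"]] += 1
        if seen[ev["body"]] >= repeat_threshold:
            results.append(("Noise", ev["body"]))
        else:
            results.append((SEVERITY_TO_CLASS[ev["severity"]], ev["body"]))
    return results


def process(lines):
    """Run both stages; malformed lines are dropped in Stage 1 and never reach the rules."""
    events = [e for e in map(parse_syslog, lines) if e is not None]
    return classify(events)
```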