How GFI EventsManager works

The operational functionality of GFI EventsManager is divided into the following stages:

Stage 1: Event Collection

During the Event Collection stage, GFI EventsManager collects logs from specific event sources. This is achieved through the use of two event collection engines: the Event Retrieval Engine and the Event Receiving Engine.

Engines and their description:

The Event Retrieval Engine

Used to collect Windows® Event Logs and Text Logs from networked event sources. During the Event Collection process this engine will:

1. Log on to the event source(s)

2. Collect events from the source(s)

3. Send collected events to the GFI EventsManager server

4. Log off from the event source(s).

The Event Retrieval Engine collects events at specific time intervals. The event collection interval is configurable from the GFI EventsManager management console.

The SQL Server® Listener

The listener receives trace messages from the scanned Microsoft® SQL Server® in real time. On receipt, GFI EventsManager processes the message immediately.

The Oracle Retrieval Engine

The Oracle Retrieval Engine connects periodically to Oracle servers and collects audit records from a specific auditing table. As with the Microsoft® Windows® Event Retrieval Engine, GFI EventsManager then processes the events generated by the Oracle server.

The Event Receiving Engine

The Event Receiving Engine acts as a Syslog and SNMP Trap server; it listens for and collects Syslog and SNMP Trap events/messages sent by various sources on the network. SNMP Traps are notifications/alerts generated and transmitted by active network components (for example hubs, routers and bridges) to SNMP server(s) whenever important events such as faults or security violations occur; the data contained in SNMP Traps may include configuration and status information as well as statistics such as the number of device failures to date. As opposed to the Event Retrieval Engine, the Event Receiving Engine receives messages directly from the event source; therefore it does not need to log on remotely to the event sources for event collection. In addition, Syslog and SNMP Trap events/messages are collected in real time, so no collection time intervals need to be configured.

By default, the Event Receiving Engine listens for Syslog messages on port 514 and for SNMP Trap messages on port 162. Syslog messages are notifications/alerts most commonly generated and transmitted to a Syslog server by UNIX and Linux-based systems whenever important events occur; they can be generated by workstations and servers as well as by active network devices and appliances such as Cisco routers and Cisco PIX firewalls, to record failures and security violations amongst other activities. Both port settings are customizable via the GFI EventsManager management console.

Stage 2: Event Processing

During this stage, GFI EventsManager runs a set of Event Processing Rules against collected events. Event Processing rules are instructions that:

  • Analyze collected logs and classify processed events as Critical, High, Medium, Low or Noise (unwanted or repeated log entries which report the same event)
  • Filter events that match specific conditions
  • Trigger email, SMS and network alerts on key events
  • Trigger remediation actions such as the execution of executable files or scripts on key events
  • Optionally archive collected events in the database backend.

GFI EventsManager can be configured to archive events without running event processing rules. In such cases, even though no rules are applied against collected logs, archiving is still handled at the Event Processing stage. For more information refer to Events Processing Rules.
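As an added illustration of the two stages described above (not code from GFI EventsManager or its documentation), the Python below parses constructed BSD syslog lines of the kind the Event Receiving Engine accepts on port 514, classifies each as Critical/High/Medium/Low, treats repeated identical entries as Noise, triggers alert actions from a small rule list and archives the rest. The rules, the noise threshold, the severity mapping and all sample messages are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample input in BSD syslog (RFC 3164) line format, the kind of message
# the Event Receiving Engine would accept on UDP port 514; none of it is from a real host.
SAMPLE_SYSLOG = [
    "<36>Oct 11 22:14:15 fw01 sshd[1042]: Failed password for admin from 203.0.113.5 port 4422",
    "<36>Oct 11 22:14:17 fw01 sshd[1042]: Failed password for admin from 203.0.113.5 port 4423",
    "<77>Oct 11 22:14:20 ws07 cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    "<77>Oct 11 22:14:21 ws07 cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    "<77>Oct 11 22:14:22 ws07 cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    "<26>Oct 11 22:15:00 rtr1 snmpd[77]: link down on interface Gi0/1",
]

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
# Assumed mapping from the syslog severity code (PRI % 8) to the page's classification names.
SEVERITY_CLASS = {0: "Critical", 1: "Critical", 2: "Critical", 3: "High",
                  4: "Medium", 5: "Low", 6: "Low", 7: "Low"}
# Hypothetical processing rules: (name, condition, classification, alert actions).
# The first rule whose condition matches sets the classification and fires its actions.
RULES = [
    ("Failed logon", lambda e: "Failed password" in e["msg"], "High", ["email"]),
    ("Interface down", lambda e: "link down" in e["msg"], "Critical", ["email", "sms"]),
]
NOISE_THRESHOLD = 3  # the same (host, message) seen this often in one batch is Noise

def parse_syslog(line):
    """Split a BSD syslog line into facility, severity, host and message; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group(3), "msg": m.group(4)}

def process_events(lines):
    """Classify, de-noise, alert on and archive a batch; returns (archive, alerts, noise_count)."""
    events = [e for e in map(parse_syslog, lines) if e]
    # Repeated entries reporting the same event are Noise: filtered out, never archived.
    seen = Counter((e["host"], e["msg"]) for e in events)
    archive, alerts, noise = [], [], 0
    for e in events:
        if seen[(e["host"], e["msg"])] >= NOISE_THRESHOLD:
            noise += 1
            continue
        e["class"] = SEVERITY_CLASS[e["severity"]]  # baseline from the syslog PRI field
        for name, cond, cls, actions in RULES:
            if cond(e):
                e["class"] = cls
                alerts.append((name, e["host"], cls, actions))
                break
        archive.append(e)  # everything that is not Noise goes to the archive backend
    return archive, alerts, noise
```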

Important

Some of the key modules in GFI EventsManager must run under administrative privileges. For more information on these modules refer to the following article: http://go.gfi.com/?pageid=esm_process_rights