Collecting GFI LanGuard event logs

GFI EventsManager enables you to monitor events generated by GFI LanGuard. GFI LanGuard is a network vulnerability scanner that audits your network for weaknesses that can be exploited by users for malicious purposes. During network audits, GFI LanGuard creates events in the ‘Application Log’ of the machine where it is installed.

For each machine scanned by GFI LanGuard, an ‘Application log’ entry having ‘Event ID: 0’ and ‘Source’ set as GFI LanGuard will be generated. These events denote network vulnerability information extracted from scanned computers including:

Gathered Information Description
Threat level Gather information about the overall network threat level. This rating is generated through an extensive algorithm after GFI LanGuard audits the network.
Missing patches and service packs

Find out which machines have missing updates and which updates need to be installed to strengthen the security level.

Open ports

Discover any unwanted open TCP and/or UDP ports.

Antivirus operational and malware definition status GFI LanGuard is able to check if your virus database definitions are up to date. If it is not, you will be alerted and GFI LanGuard will attempt to update it.
Applications detected on scanned targets GFI LanGuard enumerates applications installed on scan targets. You can create an inventory of wanted and/or unwanted applications and configure GFI LanGuard to automatically uninstall applications categorized as unwanted.


For more information about GFI LanGuard, refer to


GFI EventsManager can process events generated by GFI LanGuard version 9.5 or later.

How to enable GFI LanGuard event logging?

There are two key steps needed to enable event log integration between GFI LanGuard and GFI EventsManager:

Step 1: Enable GFI LanGuard logging

To enable GFI LanGuard to output event logs on completion of system audits:

1. Add the machine where GFI LanGuard is installed as an event source.

2. Click Start > Run and key in regedit. Press Enter.

Enabling GFI LanGuard logging through the registry

3. Go to the following registry key and edit the value to enable event logging:

  • Windows® x86 platforms:
  • Set value of REG_DWORD EventLog to 1
  • Windows® x64 platforms:
  • Set value of REG_DWORD EventLog to 1


[n] is the major version number of GFI LanGuard.

Example: HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSS9\Config\EventLog = 1(dword)


To stop GFI LanGuard from generating ‘Application Log’ entries, remove the registry value described above or change the registry value to 0.

Step 2: Configure GFI EventsManager to collect Application logs

GFI LanGuard outputs windows event logs to the ‘Application Log’ category. Ensure that the collection of Application logs is enabled on the GFI LanGuard event source.

To enable processing of GFI LanGuard events:

1. Open GFI EventsManager Management Console.

2. Click Configuration tab > Event Sources.

3. Right-click on the GFI LanGuard event source and select Properties.

Add Windows® Application logs

4. From Windows® Event Log tab, click Add and select Windows® Logs. Click OK.

Add GFI LanGuard rules

5. Select Process using these rule sets. Expand Windows Events > GFI Rules node and select GFI LanGuard rules.

6. Click OK.


GFI EventsManager has built-in processing rules for GFI LanGuard events that are enabled by default. To monitor events generated by GFI LanGuard, select Status tab > General and locate the Critical and High Importance Events section.


To configure GFI LanGuard event processing rules, click Configuration tab > Event Processing Rules. From the left pane select GFI Rules > GFI LanGuardrules. For more information refer to Events Processing Rules.

Testing and troubleshooting

To check if GFI LanGuard events are being generated:

1. Open GFI LanGuard and run a security audit scan on the localhost.

2. When the scan finishes, open Event Viewer from Start > Run and key in eventvwr. Press Enter.

3. Go to Event Viewer (local) Windows Logs Application.

4. Once the stored events are loaded, search for an entry with:

  • Source: GFI LanGuard
  • Event ID: 0.

In case the event log is not created, typically the GFI LanGuard scan was already initiated once the registry key to output event logs was modified. Re-run the scan. Alternatively ensure that the registry value was created in the right location as the location for x86 platforms is different from that of x64 platforms.