Collecting GFI LanGuard event logs

GFI EventsManager enables you to monitor events generated by GFI LanGuard. GFI LanGuard is a network vulnerability scanner that audits your network for weaknesses that could be exploited for malicious purposes. During network audits, GFI LanGuard creates events in the ‘Application Log’ of the machine where it is installed.

For each machine scanned by GFI LanGuard, an ‘Application log’ entry is generated with ‘Event ID: 0’ and ‘Source’ set to GFI LanGuard. These events carry the network vulnerability information extracted from the scanned computers, including the following gathered information:

  • Threat level: the overall network threat level. This rating is generated by an extensive algorithm after GFI LanGuard audits the network.
  • Missing patches and service packs: which machines have missing updates and which updates need to be installed to strengthen the security level.
  • Open ports: any unwanted open TCP and/or UDP ports.
  • Antivirus operational and malware definition status: GFI LanGuard checks whether your virus definition database is up to date. If it is not, you are alerted and GFI LanGuard attempts to update it.
  • Applications detected on scanned targets: GFI LanGuard enumerates the applications installed on scan targets. You can create an inventory of wanted and/or unwanted applications and configure GFI LanGuard to automatically uninstall applications categorized as unwanted.

Note

For more information about GFI LanGuard, refer to https://www.gfi.com/network-security-vulnerability-scanner.

Note

GFI EventsManager can process events generated by GFI LanGuard version 9.5 or later.

How to enable GFI LanGuard event logging

There are two key steps needed to enable event log integration between GFI LanGuard and GFI EventsManager:

Step 1: Enable GFI LanGuard logging

To enable GFI LanGuard to output event logs on completion of system audits:

1. Add the machine where GFI LanGuard is installed as an event source.

2. Click Start > Run and key in regedit. Press Enter.

Screenshot: Enabling GFI LanGuard logging through the registry

3. Go to the registry key for your platform and set the value that enables event logging:

  • Windows® x86 platforms:
      HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSS[n]\Config
      Set the REG_DWORD value EventLog to 1
  • Windows® x64 platforms:
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GFI\LNSS[n]\Config
      Set the REG_DWORD value EventLog to 1

Important

[n] is the major version number of GFI LanGuard.

Example: HKEY_LOCAL_MACHINE\SOFTWARE\GFI\LNSS9\Config\EventLog = 1 (dword)

Note

To stop GFI LanGuard from generating ‘Application Log’ entries, remove the registry value described above or change the registry value to 0.
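The registry change in Step 1 can also be applied from an elevated PowerShell session on the GFI LanGuard machine. The script below is an added example, not code shipped by GFI: it chooses the x86 or Wow6432Node path based on the platform, discovers the LNSS[n] key instead of hard-coding the major version, creates or updates the REG_DWORD EventLog value with data 1, and reads it back to confirm the change. The key and value names are the ones documented above; run it from a native (64-bit on x64) PowerShell session so that registry redirection does not alter the path.

```powershell
# Added example (not GFI's own code): enable GFI LanGuard event logging by
# setting the REG_DWORD 'EventLog' value documented in Step 1.
# Run in an elevated, native PowerShell session on the GFI LanGuard machine.

# Pick the registry path for this platform: native on x86, Wow6432Node on x64.
$base = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\GFI'
} else {
    'HKLM:\SOFTWARE\GFI'
}

# [n] is the GFI LanGuard major version; discover the LNSS[n] key(s) rather than assuming one.
$lnssKeys = Get-ChildItem -Path $base -ErrorAction Stop |
    Where-Object { $_.PSChildName -match '^LNSS\d+$' }

if (-not $lnssKeys) {
    throw "No LNSS[n] key found under $base; is GFI LanGuard installed on this machine?"
}

foreach ($key in $lnssKeys) {
    $config = "$base\$($key.PSChildName)\Config"
    if (-not (Test-Path -Path $config)) {
        Write-Warning "Config subkey missing under $($key.PSChildName); skipping."
        continue
    }

    # Create or update the REG_DWORD 'EventLog' value with data 1.
    # (Setting it to 0, or removing it, stops the Application Log entries, as the Note above says.)
    New-ItemProperty -Path $config -Name 'EventLog' -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back so the change is confirmed rather than assumed.
    $current = (Get-ItemProperty -Path $config -Name 'EventLog').EventLog
    Write-Host "$config\EventLog = $current (dword)"
}
```

Scans that were already running when the value was changed do not produce events, so start a new audit after running the script.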

Step 2: Configure GFI EventsManager to collect Application logs

GFI LanGuard writes its Windows event logs to the ‘Application Log’ category. Ensure that collection of Application logs is enabled on the GFI LanGuard event source.

To enable processing of GFI LanGuard events:

1. Open GFI EventsManager Management Console.

2. Click Configuration tab > Event Sources.

3. Right-click on the GFI LanGuard event source and select Properties.

Screenshot: Add Windows® Application logs

4. From Windows® Event Log tab, click Add and select Windows® Logs. Click OK.

Screenshot: Add GFI LanGuard rules

5. Select Process using these rule sets. Expand Windows Events > GFI Rules node and select GFI LanGuard rules.

6. Click OK.

Note

GFI EventsManager has built-in processing rules for GFI LanGuard events that are enabled by default. To monitor events generated by GFI LanGuard, select Status tab > General and locate the Critical and High Importance Events section.

Note

To configure GFI LanGuard event processing rules, click Configuration tab > Event Processing Rules. From the left pane, select GFI Rules > GFI LanGuard rules. For more information, refer to Events Processing Rules.

Testing and troubleshooting

To check if GFI LanGuard events are being generated:

1. Open GFI LanGuard and run a security audit scan on the localhost.

2. When the scan finishes, open Event Viewer from Start > Run and key in eventvwr. Press Enter.

3. Go to Event Viewer (Local) > Windows Logs > Application.

4. Once the stored events are loaded, search for an entry with:

  • Source: GFI LanGuard
  • Event ID: 0

If no event log entry is created, the most common cause is that the GFI LanGuard scan had already been started before the registry value that enables event logging was modified. Re-run the scan. Alternatively, ensure that the registry value was created in the right location, since the location for x86 platforms differs from that for x64 platforms.
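The manual Event Viewer check and the two troubleshooting causes above can be run as a single script. This is an added example, not GFI's own tooling: it queries the Application log for entries with Source GFI LanGuard and Event ID 0 from the last day; if none are found, it inspects the EventLog value under every LNSS[n]\Config key in both the x86 and x64 registry locations and reports which one is the expected location for the current platform. The one-day window is an assumption chosen for the example.

```powershell
# Added example (not GFI's own code): confirm that GFI LanGuard audit events reached
# the Application log, and if not, check the EventLog registry value in both
# platform locations described in Step 1. Run on the GFI LanGuard machine.

# Event Viewer check: Source 'GFI LanGuard', Event ID 0, written in the last day (assumed window).
$filter = @{
    LogName      = 'Application'
    ProviderName = 'GFI LanGuard'
    Id           = 0
    StartTime    = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "Found $($events.Count) GFI LanGuard event(s); most recent:"
    $events | Select-Object -First 1 TimeCreated, Id, ProviderName, Message | Format-List
    return
}

Write-Warning "No GFI LanGuard events found in the Application log."

# Troubleshooting: the value must be 1 under the LNSS[n]\Config key for THIS platform.
# Check both locations so a value set under the wrong path is spotted immediately.
$candidates = @(
    @{ Platform = 'x86'; Path = 'HKLM:\SOFTWARE\GFI' },
    @{ Platform = 'x64'; Path = 'HKLM:\SOFTWARE\Wow6432Node\GFI' }
)
$expected = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }

foreach ($c in $candidates) {
    Get-ChildItem -Path $c.Path -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^LNSS\d+$' } |
        ForEach-Object {
            $config = "$($c.Path)\$($_.PSChildName)\Config"
            $value  = (Get-ItemProperty -Path $config -Name 'EventLog' -ErrorAction SilentlyContinue).EventLog
            $state  = if ($null -eq $value) { 'missing' } else { "= $value" }
            $hint   = if ($c.Platform -eq $expected) { 'expected location for this platform' } else { 'wrong location for this platform' }
            Write-Host "$config\EventLog $state ($hint)"
        }
}

Write-Host "If EventLog = 1 in the expected location, re-run the scan: a scan started before the value was set does not log."
```

If the script reports the value as missing in the expected location but present in the other one, recreate it under the expected path and run a new audit.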