GFI EventsManager collects, centralizes, normalizes, consolidates and analyzes a wide range of log types, such as World Wide Web Consortium (W3C) and any text-based formats, Windows events, SQL Server and Oracle audits, and syslog and Simple Network Management Protocol (SNMP) traps generated by devices, such as firewalls, servers, routers, switches, sensors, SQL Server systems, PCs and custom devices. GFI EventsManager includes an active network and server monitoring feature providing administrators with real-time, active monitoring of assets, network infrastructure, applications and services. This new functionality enables IT administrators to understand why a problem is occurring, and it also provides information to help remediate it.
EventsManager (like most SIEMs) provides real-time discovery and alerting of security incidents. However, it also provides critical information for risk assessment and mitigation. Administrators have the ability to assign specific computers to each EventsManager user, enabling administrators to limit users' access to only the configuration, reporting and log-browsing data coming from computers they manage. EventsManager can be deployed in highly distributed environments - even where there is no persistent connection between sites - due to its ability to export data to encrypted files that can be forwarded by secure file transfer applications during times when the network is available. EventsManager includes some fairly unique features, including process debug information generated during process failure dumps, as well as built-in Visual Basic scripting. Other strong features include the use of two-factor access into log data and the use of international information blocking for privacy.
Documentation provided for this evaluation included administrator, evaluation, installation and smart guides. Each was excellent, making the installation and operation tasks easy. GFI EventsManager can be deployed on machines running any Microsoft Windows OS version - from Windows XP SP3 onwards. The install is performed in two stages: install the database, then install EventsManager. GFI recommended installation into the customer's domain if possible. After firewall settings were enabled, computers were selected (alternative credentials were set for systems not in the domain). GFI did a good job of maintaining the familiar look and feel of other GFI products. During the setup, GFI recommended running scans to generate log events. After creating users and groups, the next task was to open the event processing rules dropdown.
It should be noted that creating or modifying rules is possible but difficult, and GFI recommended working with the prepared rules if possible. The dashboard was intuitive and rich in features. Once the events were imported and normalized, the system was ready for use. Another great asset was the "Anonymization" feature. This assists in complying with privacy laws that require that personal data be accessible to named individuals. The Anonymizer is used to encrypt the personal data found in Windows Security logs and in SQL Server and Oracle audit logs. Further, the EventsManager Audit for Windows tracks inactive users, inactive systems within the domain, IPsec policies that are not active, and inactive Microsoft firewalls.