lhs-panel Click here to expand

Activity Monitoring


EventLog Analyzer processes log data across your network and provides reports on session activity of your network devices and users. You can access these reports by clicking on Activity Monitoring under the Correlation tab.

Activity Monitoring Rules

You can either use the predefined rules in EventLog analyzer to generate reports on session activity or you can build your own rules with individual actions.

Predefined activity rules

  • Navigate to Correlation > Manage Rules > Activity Rules.
  • Select the predefined rules which you wish to use, click the enable icon, and confirm the same.
session-activity-predefined-rules

Custom activity rules

To open the activity rule builder, navigate to Correlation > Manage Rules > Activity Rules > Create Activity Rule.

  1. Select the individual actions that make up the rule, from the categorized list of actions on the left of the screen.
    • You can also search for actions using the search bar on top of the list.
    • You can drag and drop the actions to rearrange their order, or delete the action by clicking on the delete icon on its right.
    • To detect repetition of the same action within a particular time interval, tick the Threshold limit check box and enter the number of occurrences and time interval.
  2. For each action, specify the time interval within which it is to be followed by the next action, under the Followed by within label. You can specify the time interval in seconds or minutes by using the provided dropdown.
  3. To configure advanced options for any of the selected actions, click Filters on the top right corner of the action.
  4. The first rule starts the session and the last rule ends the session. The duration of the session is the time-interval between the first and the last rule.

Advanced options

Each action in a activity rule corresponds to a log. Logs contain various fields, and each field has a specific value. With advanced options (found under Filters on the right of the action), you can provide filter criteria for each field of the log/action and specify a threshold limit on the minimum number of repetitions of the action.

  1. You can select a filter field from the dropdown list provided. The fields provided in the dropdown may vary based on the action selected. 
  2. You can select the comparison type as equals, not equals, contains, starts with, ends with, link to, or is constant, from the dropdown provided. 
Note: When you provide more than one value for an equals comparison, the set of values provided are treated as a list of possible values and the action is accepted if any one value from the list is true. The same holds true for the contains, starts with, and ends with comparisons.

When you provide more than one not equals comparison, the set of values provided need to hold true for the action to be accepted.

Link to

The link to comparison type is used to check the value of the selected field against the value of a field in another action (belonging to the same rule or the primary action of the other rule). For instance, if the field Device type of Action 1 is linked to Action 2's Device type value, then Action 1 would get triggered only if the value of both the linked fields are the same.

When you choose link to, the icon appears at the end of the filter. Clicking on the icon will present a new tab.

Note: At least one field of the starting rule should be linked to a field in the ending rule.

Click the check box corresponding to the field of the second action against which you want to compare the value of the previous action. Click OK to complete linking the two actions.

Is constant

The is constant option is used to treat the specific field as constant. By selecting this option, a set of repeated actions are accepted by the rule only if this field's value remains constant throughout all the iterations. For instance, if the Target User field is kept as constant, then the action gets triggered only when the value of this field remains constant in all the iterations. The action doesn't get triggered if the event is generated with different values.

Activity Monitoring Reports

EventLog Analyzer's Activity Monitoring Reports provide information on Windows, Unix and VPN Sessions. The reports provide details such as Device name, Username, Start Time, End Time, Status, and Duration.

EventLog Analyzer provides the following reports for activity monitoring:

  • Interactive Sessions, Remote Interactive Sessions, and PMP Sessions for Windows machines.
  • Unix Session Reports to provide you all details about all the Unix sessions.
  • VPN Session reports such as Cisco VPN Sessions, Fortinet VPN Sessions, Sonicwall VPN Sessions, Huawei VPN Sessions, H3C VPN Sessions, Meraki VPN Sessions, PaloAlto VPN sessions, and WatchGuard VPN sessions for the respective VPN devices.
  • Custom reports are also displayed under the activity monitoring section, if any.

The calendar widget allows you to select the time period for which you want to review the session activity for the selected devices/users. You can also schedule an activity monitoring report. The activity monitoring report can be exported in the PDF and CSV formats, by clicking Export as.

To know more details of a particular session, you can click on View History. This tab displays all the details as given below:

This page contains the Configure Fields and Advanced View tabs. The Configure Fields tab allows you to view similar logs generated in a session by extracting logs that have the same field value (Domain, Device Name, Logon ID, and Username). You can choose the field by which you want to retrieve logs by clicking on the desired options from the drop-down box. By clicking on the Advanced View tab, you can drill down and view the raw logs of that session.

Viewing Activity Monitoring Reports

EventLog Analyzer allows you to view the Activity Monitoring Reports for Windows, Unix, and VPN Sessions based on users and devices in the form of User-Based View and Device-Based View, in addition to the default view.

In the User-based view, you can analyze the weekly login and logout activities of a particular user. You can hover your mouse pointer over a generated user-based report in the table to find the Weekly Login View tab. Clicking on this tab displays a timeline graph for every day of the week in which you can view a particular user's active session duration, login time, and logout time for any given day. This view also provides the number of hours the user was active per day and for the entire week. The Weekly Login View report is available only for all system-generated reports.

Copyright © 2020, ZOHO Corp. All Rights Reserved.

Get download link