EventLog Analyzer comes packaged with over 1,000 predefined reports that help organizations view consolidated security events, conduct security audits, and meet various compliance requirements.
In this help document, you will learn how to set up Windows report generation.
In EventLog Analyzer, most Windows reports get generated automatically when the device is added for monitoring and the event source is configured. To learn how to add a device, check out this page. To learn how to configure an event source, check out the How to configure event source files in a device? section in this page.
There are certain reports, mentioned in the table below, that will require manual creation of keys in your Windows Registry. To set up the generation of these reports, follow the steps given below.
Reports | New keys | Audit policies | Other prerequisites |
Application Whitelisting Reports |
|
Enable AppLocker under Application Control Policies |
|
Windows Firewall Auditing Reports |
|
Enable Audit MPSSVC Rule-Level Policy Change, under Advanced Audit Policy Configuration > Policy Change. | To enable Windows Firewall logs, run the following commands on the target device from which the logs are to be collected.
auditpol.exe /set /subcategory:"MPSSVC rule-level policy change,Filtering Platform policy change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"IPsec Main Mode,IPsec Quick Mode,IPsec Extended Mode" /success:enable /failure:enable
auditpol.exe /set /subcategory:"IPsec Driver,Other system events" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Filtering Platform packet drop,Filtering Platform packet drop" /success:enable /failure:enable |
Removable Disk Auditing |
|
Enable Audit Handle Manipulation, Audit Removable Storage and Audit File System (required for auditing delete operations in NT Version 6.2), under Advanced Audit Policy Configuration > Object Access. | To start logging removable storage events, navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage, add a new DWORD value named HotPlugSecureOpen, and set its value to 1. |
Registry changes | Enable Audit Registry, under Advanced Audit Policy Configuration > Object Access. | Set a SACL on the registry key by right-clicking the required key and navigating to Permissions > Advanced > Auditing in Registry Editor. | |
Windows Backup & Restore Reports |
|
No modification required. | |
Windows System Events |
|
No modification required. | |
Hyper-V Server Events, Hyper-V VM Management Reports |
|
No modification required. | |
Program Inventory Reports |
|
No modification required. | |
IIS |
|
No modification required. | To access IIS reports, open EventLog Analyzer and navigate to Reports > IIS W3C web server > IIS Admin Configuration Reports. |
Print service |
|
No modification required. | |
Terminal |
|
No modification required. |
EventLog Analyzer will now start generating the reports mentioned in the table.
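If a report stays empty, a read-only check like the following confirms whether the audit subcategories and the registry value from the table are actually in effect on the target device. This is an added example, not part of the product documentation; the function name Get-AuditSetting is hypothetical, and the script assumes an elevated session and English-language auditpol output.

```powershell
# Added example: read-only check of the prerequisites in the table above.
# Run from an elevated PowerShell session on the monitored Windows device.
# Assumption: English-language auditpol output (setting names are localized).

# Subcategories set by the auditpol commands on this page (success + failure).
$firewall = 'MPSSVC rule-level policy change', 'Filtering Platform policy change',
            'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode',
            'IPsec Driver', 'Other system events', 'Filtering Platform packet drop'
# Object Access subcategories the table asks to enable (any auditing counts).
$objectAccess = 'Handle Manipulation', 'Removable Storage', 'File System', 'Registry'

function Get-AuditSetting {
    param([string]$Subcategory)
    # /r emits CSV; drop blank lines before parsing.
    $csv = auditpol.exe /get /subcategory:"$Subcategory" /r | Where-Object { $_ }
    if ($LASTEXITCODE -ne 0 -or -not $csv) { return 'Query failed' }
    ($csv | ConvertFrom-Csv | Select-Object -First 1).'Inclusion Setting'
}

$results = @(foreach ($name in ($firewall + $objectAccess)) {
    $setting = Get-AuditSetting -Subcategory $name
    if ($name -in $firewall) {
        $ok = $setting -eq 'Success and Failure'
    } else {
        $ok = $setting -in 'Success', 'Failure', 'Success and Failure'
    }
    [pscustomobject]@{ Check = "Audit: $name"; Actual = $setting; Ok = $ok }
})

# Removable Disk Auditing also needs the HotPlugSecureOpen DWORD set to 1.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Storage'
$hot = (Get-ItemProperty -Path $key -Name HotPlugSecureOpen -ErrorAction SilentlyContinue).HotPlugSecureOpen
$results += [pscustomobject]@{
    Check  = 'Registry: HotPlugSecureOpen'
    Actual = if ($null -eq $hot) { 'Not set' } else { $hot }
    Ok     = ($hot -eq 1)
}

$results | Format-Table -AutoSize
$missing = @($results | Where-Object { -not $_.Ok })
if ($missing.Count) { Write-Warning "$($missing.Count) prerequisite(s) not met." }
```

On domain-joined devices, a Group Policy refresh can overwrite settings applied locally with auditpol.exe, so rerun the check after policy has been applied.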
Copyright © 2020, ZOHO Corp. All Rights Reserved.