Setup the Product
Prerequisites

What is in this guide
Introduction
- Overview
- Release Notes
Setup the Product
- What's in this section
- System Requirements
- Prerequisites
- Install and Uninstall
- Start and Shutdown
- Connect to Server
- Backing up database
- Increasing Product Memory
- License Details
- Get Started
- Service Account Permission
Add Log Sources
- What's in this section
- Adding Windows Devices
- Adding Syslog Devices
- Adding CEF devices
- Adding Other Devices
- Adding IBM iseries(AS400) devices
- Adding VMware(Exsi) devices
- Adding vCenter
- Adding Application Sources
- Adding AWS EC2 Windows instance
- Configuring Syslog Service
User Interface
- Tabs
- Dashboard Views
- Customize Dashboard Views
- Log Receiver
- Global Search
EventLog Analyzer Reports
- Reports - Overview
- Configuring out-of-the-box reports
- Managing Predefined Reports
- Managing Report Views
- Create Custom Reports
- Schedule Reports
- Mark report as favourite
- Available Reports
Threat Intelligence Data Analytics
- Overview
- FireEye Threat Solutions
- Symantec Endpoint Solutions
- Symantec DLP Applications
- Malwarebytes Solutions
- CEF format
- Configuring McAfee solutions for analysis
Vulnerability Data Analytics
- Overview
- Vulnerability reports
Real-time Event Correlation
- Understanding Correlation
- Correlation Reports
- Last Ten Incidents Overview
- Activity Reports
- Creating Custom Correlation Rules
- Managing Correlation Rules
Compliance
- Compliance Reports
- Risk Posture
  - Overview
  - SQL Server
Search Logs
- Overview
- How to Search Logs
- How to Extract New Fields
- How to Tag Fields
Threat investigation
- Incident workbench
- Device Summary
Alerts
- Overview
- Create Alert Profile
- View Log Alerts
- Alert Notification & Remediation
- Ticketing Tools Integration
- Manage alert Profiles
- Bulk Deleting/Updating Alerts
Incident Management
- Create and assign workflow profiles
- Incident Workflow Management
Framework Integration
- MITRE ATT&CK TTP(S) Framework Integration
Configurations
- What's in this section
- Device Management
- Applications
- Database Audit
- File Integrity Monitoring
- Manage security applications
- Adding custom threat sources
- Advanced Threat Analytics
- Threat Whitelisting
- Threat Import
- Switching threat stores
- Manage Vulnerability Data
- Device Group Management
- VM Management
- Log Forwarder
- Manage Cloud Sources
Admin Settings
- Admin Settings
- Privacy Settings
- Agent Administration
  - Agent Administration
  - Agent Settings
- Archive
- Technicians and Roles
- Logon Settings
- Security hardening
- Reset Account Settings
- Domains and Workgroups
- Working Hour Settings
- Product Settings
- API Settings
  - API Settings
  - Get log sources
  - Get log fields
  - Get log types
  - Synchronous search
  - Asynchronous search
  - Jobs endpoint
  - Jobs Result endpoint
  - Get alert profiles
  - Synchronous alerts
  - Asynchronous alerts
- Retention Settings
- Log Collection Filter
- Log Collection Alerts
- Report Profiles
- Custom Log Parser
- Tags
- Profiles
- Database settings
  - Database auto backup
  - Database migration
System Settings
- System Settings
- Notification Settings
- Manage Account TFA
- Install EventLog Analyzer as a service
- Connection Settings
- Re-branding
- System Diagnostics
- Port Management
Help, Questions, and Tips
- Troubleshooting Tips
- Frequently Asked Questions
- EventLog Analyzer Help
Additional Utilities
- Additional Utilities
- Data Migration
- Working with HTTPS
- Configure MS SQL Database
- Migrate data from PostgreSQL to MS SQL database
- Migrate data from MySQL to MS SQL database
- Move Database to Different Directory in the Same Server
- Move Installation to Another Machine
- Configurations after changing the EventLog Analyzer server Hostname/IP address
- Move Installation to Different Directory in the Same Server
- Configuring NAT Settings
- Disk monitoring for search nodes
- SSL/TLS Settings for Elasticsearch
- Configuring DNS servers
Distributed Edition
- Introduction to Distributed Edition
- Prerequisites for converting EventLog Analyzer standalone to distributed edition
- Converting standalone installation to Admin Server
- Converting standalone installation to Managed Server
- Manage Server Settings
- Setting up auto upgrade
- Auto-upgrade guidelines
- Frequently Asked Questions
- Centralized log archival
Search Engine - Elasticsearch
- Data Upgrade
Technical Support
- Technical Support
- Create SIF offline
- Contact Support

Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Download PDF lhs-panel

Click here to expand

Prerequisites

Before starting EventLog Analyzer in your environment, ensure that the following are taken care of.

What are the ports required for EventLog Analyzer?

1. Primary Ports

Web Server Port

PORT

INBOUND

OUTBOUND

Additional Rights and Permissions

HTTP/8400 (configurable)

EventLog Analyzer Server

EventLog Analyzer Technician Machine.
EventLog Analyzer Agent Machine.

Ports Usage:

The ports will by default be used for communication between the admin server and managed server, as well as between the agent and server.
The port can be customized by the user. The acceptable range for the value is between 1024–65535.

Elasticsearch

PORT

INBOUND

OUTBOUND

Additional Rights and Permissions

TCP/9300-9400 (configurable)

EventLog Analyzer Search Engine Management Node [ SEM Node ]

EventLog Analyzer Server

Ports Usage:

The Elasticsearch server in EventLog Analyzer uses this port. EventLog Analyzer Server and SEM can coexist on the same server.
The port can be customized by the user. The acceptable range for the value is between 1024–65535.

Internal Communication

PORT

INBOUND And OUTBOUND

Additional Rights and Permissions

UDP/5000 (configurable)

EventLog Analyzer Server

Ports Usage:

These UDP ports are used internally by EventLog Analyzer for agent-to-server communication.
The port can be customized by the user. The acceptable range for the value is between 1024–65535.
Internal port bound to localhost, firewall port need not be opened.

Database

PORT

Additional Rights and Permissions

TCP/33335

Ports Usage:

Utilization of PostgreSQL/MySQL database port in order to connect to the PostgreSQL/MySQL database in EventLog Analyzer.
Firewall port need not be opened since the internal port is bound to localhost.

2. Log Collection

Windows Log Collection

PORTS	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
TCP/135	Windows Device	EventLog Analyzer Server	RPC	UserGroups: Event Log Readers Distributed COM Users User Permissions: For root\cimv2 in WMI Properties: Enable Account Remote Enable Read Security. Firewall Permissions: Predefined Rule: Windows Management Instrumentation (WMI)
TCP/139	Windows Device	EventLog Analyzer Server	NetBIOS session RPC/NP
TCP/445	Windows Device	EventLog Analyzer Server	SMB RPC/NP
Dynamic ranges of RPC ports - TCP/49152 to 65,535	Windows Device	EventLog Analyzer Server	RPC randomly allocates high TCP ports for Windows Server 2008 and later versions, as well as for Windows Vista and subsequent versions

Note:

It is not necessary to open outbound ports on the EventLog Analyzer agent machine and inbound ports on the EventLog Analyzer server.
For Windows 2000, Windows XP, and Windows Server 2003, dynamic RPC ports range from 1025 to 5000.
To enhance security across a broad spectrum of open ports, it is advisable to include the Server IP address within the firewall's scope. This ensures that only authorized traffic from the designated server is permitted through the firewall. Moreover, predefined rules with process and service filters, such as WMI,RPC,HTTP/HTTPS,Remote Event Log Management can further bolster security by allowing only specific processes or services to communicate through the designated ports. If the Server IP undergoes any changes, it is imperative to promptly update the corresponding firewall rule accordingly.

Syslog Collection

PORTS	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
UDP/514 (configurable)	EventLog Analyzer Server	Target Device	Syslog	User Permissions: The port is customizable by the user.
UDP/513 (configurable)	EventLog Analyzer Server	Target Device	Syslog
TLS/513 (configurable)	EventLog Analyzer Server	Target Device	Syslog
TCP/514 (configurable)	EventLog Analyzer Server	Target Device	Syslog

SSH Communication

PERMISSION

USAGES

Ensure that the algorithm mentioned below is present in the sshd_config file.

File Location: /etc/ssh/sshd_config

Key exchange (KEX): diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256 , diffie-hellman-group15-sha512, diffie-hellman-group16-sha512, diffie-hellman-group17-sha512, diffie-hellman-group18-sha512 , ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp52

Ciphers: aes128cbc, aes128ctr, aes192cbc, aes192ctr, aes256cbc, aes256ctr, arcfour128, arcfour256, blowfishcbc, tripledescbc

MAC: hmacmd5, hmacmd596, hmacsha1, hmacsha196, hmacsha256, hmacsha512

*This will be Required for all Linux Communications.

Linux Agent Installation
Linux Agent Management & Communication
Configuring Automatic SysLog Forwarding
Linux MYSQL Server Discovery

Configure Automatic SysLog Forwarding

PORTS

INBOUND

OUTBOUND

SERVICE

Additional Rights and Permissions

TCP/22

Linux Device

EventLog Analyzer Server

SSH

User Rights:

Service restart rights for 'rsyslog' or 'syslog' service.

User Permissions:

"rw" permission should be enabled to files (/etc/ rsyslog.conf or /etc/syslog.conf).
Permissions for SSH Communication

AS400 Log Collection

PORTS	INBOUND	OUTBOUND
TCP/446-449	AS400 Server	EventLog Analyzer Server
TCP/8470-8476	AS400 Serve	EventLog Analyzer Server
TCP/9470-9476	AS400 Serve	EventLog Analyzer Server

SNMP Trap Collection

PORTS

INBOUND

OUTBOUND

SERVICES

Additional Rights and Permissions

UDP/162 (configurable)

EventLog Analyzer Server

Network Device / Application

SNMP

User Permissions:

User can customize the port.

IIS Log Collection

PORTS	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
TCP/135	IIS Server	EventLog Analyzer Server	RPC	User Permissions: Read access to the IIS log folder should be enabled. Permissions for the system 32/inetsrv should be enabled Administrator share privileges are required eg : Admin$,c$
TCP/139	IIS Server	EventLog Analyzer Server	NetBIOS session RPC/NP
TCP/445	IIS Server	EventLog Analyzer Server	SMB RPC/NP

3. Agent orchestration

Windows Agent Log Collection and Communication

PORTS

INBOUND

OUTBOUND

Additional Rights and Permissions

HTTP/8400 (configurable)

EventLog Analyzer Server

EventLog Analyzer Agent Machine

Environment Permission:

8400 port should be open in both Agent machine and in Server machine.

Note:

Communication includes tasks such as agent synchronization and checking agent status.

Windows Agent Installation & Management

PORTS	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
TCP/135	EventLog Analyzer Agent Machine	EventLog Analyzer Server	RPC	User Permissions: Read, write and modify permissions to files in \\<ipaddress>\Admin$\TEMP\EventLogAgent should be enabled. Access "Remote Registry" service At least read control should be granted for winreg registry key. (Computer \HKEY_LOCAL _MACHINE\ SYSTEM\ CurrentContro lSet\Control\ SecurePipe Servers\winreg). Read/Write registry keys - SOFTWARE\\ Wow6432Node \\ZOHO Corp\\EventLog Analyzer\\ (or) SOFTWARE \\ZOHO Corp \\EventLog Analyzer\\. There should be access to remote services.msc
TCP/139	EventLog Analyzer Agent Machine	EventLog Analyzer Server	NetBIOS session RPC/NP
TCP/445	EventLog Analyzer Agent Machine	EventLog Analyzer Server	SMB RPC/NP
Dynamic ranges of RPC ports - TCP/49152 to 65,535	EventLog Analyzer Agent Machine	EventLog Analyzer Server	RPC randomly allocates high TCP ports for Windows Server 2008 and later versions, as well as for Windows Vista and subsequent versions

Note:

Management involves actions like starting, stopping, or uninstalling the agent software.

Linux Agent Installation

PORTS

INBOUND

OUTBOUND

SERVICE

Additional Rights and Permissions

TCP/22

EventLog Analyzer Agent Machine

EventLog Analyzer Server

SSH

Sudo User Permissions:

"rwx" permission is required for /opt/ManageEngine/ for transferring files.
Permissions for SSH Communication

Linux Agent Management & Communication

PORTS

INBOUND

OUTBOUND

Additional Rights and Permissions

TCP/22

EventLog Analyzer Server

User Permissions:

SFTP permissions to transfer files to /opt/Manage Engine/EventL ogAnalyzer_ Agent and /etc /audisp/plugins.d
Service start/stop/restart permission for auditd.
Permissions for SSH Communication

HTTP/8400 (configurable)

EventLog Analyzer Server

EventLog Analyzer Agent Machine

4. Importing logs

Importing Logs using SMB

PORTS	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
TCP/137	Target Device	EventLog Analyzer Server	NetBIOS name resolution RPC/named pipes (NP)	User Permissions: Network access: Do not allow anonymous not allow anonymous enumeration of SAM accounts and shares. Sometimes, connecting to different workgroup needs credentials even to view the shared resources.
TCP/138	Target Device	EventLog Analyzer Server	NetBIOS datagram
TCP/139	Target Device	EventLog Analyzer Server	NetBIOS session RPC/NP
TCP/445	Target Device	EventLog Analyzer Server	SMB RPC/NP

Importing logs using FTP

PORTS

INBOUND

OUTBOUND

SERVICE

Additional Rights and Permissions

TCP/20

Target Device

EventLog Analyzer Server

FTP/SFTP

User Permissions:

SAuthentication for the FTP server should be enabled.

TCP/21

Target Device

EventLog Analyzer Server

FTP/SFTP

5. Discovery

Windows Domain Discovery

PORTS

INBOUND

OUTBOUND

SERVICE

Additional Rights and Permissions

TCP/389

Domain Controller

EventLog Analyzer Server

LDAP

User Permissions:

User should have read permission to Active Directory Domain Objects.
Permission to run LDAP query in ADS_ SECURE_AUTHENTICATION mode should be present.

Windows Workgroup Discovery

PORTS	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
TCP/135	Workgroup Server	EventLog Analyzer Server	RPC	User Permissions: User should have read permission to Active Directory Domain Objects. Permission to run WinNT query in ADS_ SECURE_ AUTHENTI CATION mode should be given.
TCP/139	Workgroup Server	EventLog Analyzer Server	NetBIOS session RPC/NP
TCP/445	Workgroup Server	EventLog Analyzer Server	SMB RPC/NP
TCP/1024-65535	Workgroup Server	EventLog Analyzer Server	RPC randomly allocated high TCP ports

Event Source Discovery

PORTS	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
TCP/135	Target Windows Device	EventLog Analyzer Server	RPC	User Permissions: The winreg registry key should at the very least be given read control.
TCP/137	Target Windows Device	EventLog Analyzer Server	NetBIOS name resolution RPC/named pipes (NP)
TCP/138	Target Windows Device	EventLog Analyzer Server	NetBIOS datagram
TCP/139	Workgroup Server	EventLog Analyzer Server	NetBIOS session RPC/NP
TCP/445	Workgroup Server	EventLog Analyzer Server	SMB RPC/NP

MSSQL Server Discovery-Windows

PORTS

INBOUND

OUTBOUND

Additional Rights and Permissions

UDP/1434

MSSql Server

EventLog Analyzer Server

User Permissions:

Can be configured to use dynamic TCP ports for communication.

TCP/1433

MSSql Server

EventLog Analyzer Server

Network Device Discovery

PORTS

INBOUND

OUTBOUND

Additional Rights and Permissions

UDP/162

Network Devices

EventLog Analyzer Server

Ports Usage::

Fetches a list of live SNMP-enabled IP devices that responds to the SNMP ping.

IIS Discovery

PORTS

INBOUND

OUTBOUND

SERVICE

Additional Rights and Permissions

TCP/445

IIS Server

EventLog Analyzer Server

SMB RPC/NP

Ports Usage:

The Server Message Block (SMB) protocol uses this port to read the log files.

MYSQL Server Discovery-Windows

PORTS

INBOUND

OUTBOUND

SERVICE

Additional Rights and Permissions

TCP/135

MySql Server

EventLog Analyzer Server

RPC

User Permissions:

WMI permission is needed to find the MySQL server configuration file using SFTP.

TCP/445

MySql Server

EventLog Analyzer Server

SMB RPC/NP

MYSQL Server Discovery-Linux

PORTS

INBOUND

OUTBOUND

SERVICE

Additional Rights and Permissions

TCP/22

MySql Server

EventLog Analyzer Server

SMB RPC/NP

User Permissions:

Read permission to the MySQL server configuration file using SFTP.
Permissions for SSH Communication

6. Incident Workflow Management

NETWORK ACTIONS

BLOCK	PORT	INBOUND	OUTBOUND
PING DEVICE	ICMP/No ports	Audited Windows / Linux Device	EventLog Analyzer Server
TRACE ROUTE WINDOWS	ICMP/No ports	Audited Windows Device	EventLog Analyzer Server
TRACE ROUTE LINUX	UDP/33434 -33534	Audited Linux Device	EventLog Analyzer Server

WINDOWS ACTIONS

BLOCK	PORT	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
LogOff	TCP/135	Audited Windows Device	EventLog Analyzer Server	RPC	UserGroups: Distributed COM Users User Permissions: For root\cim v2 In WMI Properties: Execute Methods Enable Account Remote Enable Read Security Environment Permission: The computer should not include EventLog Analyzer Installed server.
	TCP/139	Audited Windows Device	EventLog Analyzer Server	NetBIOS session RPC/NP
	TCP/445	Audited Windows Device	EventLog Analyzer Server	SMB RPC/NP
	RPC ports - TCP/1024 to 65,535	Audited Windows Device	EventLog Analyzer Server	RPC randomly allocated high TCP ports
Shutdown and Restart	TCP/135	Audited Windows Device	EventLog Analyzer Server	RPC	UserGroups: Distributed COM Users User Permissions: For root\cim v2 In WMI Properties: Execute Methods Enable Account Remote Enable Read Security Environment Permission: The computer should not include EventLog Analyzer Installed server
	TCP/139	Audited Windows Device	EventLog Analyzer Server	NetBIOS session RPC/NP
	TCP/445	Audited Windows Device	EventLog Analyzer Server	SMB RPC/NP
	RPC ports - TCP/1024 to 65,535	Audited Windows Device	EventLog Analyzer Server	RPC randomly allocated high TCP ports
Execute Windows Script	TCP/135	Audited Windows Device	EventLog Analyzer Server	RPC	UserGroups: Distributed COM Users User Permissions: For root\cim v2 In WMI Properties: Execute Methods Enable Account Remote Enable Read Security Environment Permission: The user should have read,write and modify access to the shared path in the script.
	TCP/139	Audited Windows Device	EventLog Analyzer Server	NetBIOS session RPC/NP
	TCP/445	Audited Windows Device	EventLog Analyzer Server	SMB RPC/NP
	RPC ports - TCP/1024 to 65,535	Audited Windows Device	EventLog Analyzer Server	RPC randomly allocated high TCP ports
Disable USB	TCP/135	Audited Windows Device	EventLog Analyzer Server	RPC	UserGroups: Distributed COM Users User Permissions: For root\cim v2 In WMI Properties: Execute Methods Enable Account Remote Enable Read Security Environment Permission: Remote Registry Service should be running. Full Control permission to HKEY_LOCAL_ MACHINE\SYSTEM\ CurrentControlSet\ Services\USBSTOR
	TCP/139	Audited Windows Device	EventLog Analyzer Server	NetBIOS session RPC/NP
	TCP/445	Audited Windows Device	EventLog Analyzer Server	SMB RPC/NP
	RPC ports - TCP/1024 to 65,535	Audited Windows Device	EventLog Analyzer Server	RPC randomly allocated high TCP ports
ALL SERVICE BLOCK	TCP/135	Audited Windows Device	EventLog Analyzer Server	RPC	UserGroups: Distributed COM Users Administrators User Permissions: For root\cim v2 In WMI Properties: Execute Methods Enable Account Remote Enable Read Security
	TCP/139	Audited Windows Device	EventLog Analyzer Server	NetBIOS session RPC/NP
	TCP/445	Audited Windows Device	EventLog Analyzer Server	SMB RPC/NP
	RPC ports - TCP/1024 to 65,535	Audited Windows Device	EventLog Analyzer Server	RPC randomly allocated high TCP ports
START PROCESS	TCP/135	Audited Windows Device	EventLog Analyzer Server	RPC	UserGroups: Distributed COM Users User Permissions: For root\cim v2 In WMI Properties: Execute Methods Enable Account Remote Enable Read Security
	TCP/139	Audited Windows Device	EventLog Analyzer Server	NetBIOS session RPC/NP
	TCP/445	Audited Windows Device	EventLog Analyzer Server	SMB RPC/NP
	RPC ports - TCP/1024 to 65,535	Audited Windows Device	EventLog Analyzer Server	RPC randomly allocated high TCP ports
STOP PROCESS	TCP/135	Audited Windows Device	EventLog Analyzer Server	RPC	UserGroups: Distributed COM Users User Permissions: For root\cim v2 In WMI Properties: Execute Methods Enable Account Remote Enable Read Security
	TCP/139	Audited Windows Device	EventLog Analyzer Server	NetBIOS session RPC/NP
	TCP/445	Audited Windows Device	EventLog Analyzer Server	SMB RPC/NP
	RPC ports - TCP/1024 to 65,535	Audited Windows Device	EventLog Analyzer Server	RPC randomly allocated high TCP ports
TEST PROCESS	TCP/135	Audited Windows Device	EventLog Analyzer Server	RPC	UserGroups: Distributed COM Users User Permissions: For root\cim v2 In WMI Properties: Execute Methods Enable Account Remote Enable Read Security
	TCP/139	Audited Windows Device	EventLog Analyzer Server	NetBIOS session RPC/NP
	TCP/445	Audited Windows Device	EventLog Analyzer Server	SMB RPC/NP
	RPC ports - TCP/1024 to 65,535	Audited Windows Device	EventLog Analyzer Server	RPC randomly allocated high TCP ports

LINUX ACTIONS

BLOCK	PORT	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
Shutdown and Restart	TCP/Specified port.	Audited Linux Device	EventLog Analyzer Server	-	Environment Permission: The user should be the root user.
Execute Windows Script	TCP/Specified port.	Audited Linux Device	EventLog Analyzer Server	-	Environment Permission: Sudo permission for user.
ALL SERVICE BLOCK	TCP/Specified port.	Audited Linux Device	EventLog Analyzer Server	-	Environment Permission: Sudo permission.
START PROCESS	TCP/Specified port.	Audited Linux Device	EventLog Analyzer Server	-	Environment Permission: The permission to execute the command should be available for the user whose credentials are provided.
STOP PROCESS	Specified port.	Audited Linux Device	EventLog Analyzer Server	-	Environment Permission: The permission to execute the command should be available for the user whose credentials are provided.
TEST PROCESS	TCP/Specified port.	Audited Linux Device	EventLog Analyzer Server	-	-

NOTIFICATIONS

BLOCK	PORT	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
Pop Up WINODWS	TCP/135	Audited Linux Device	EventLog Analyzer Server	RPC	UserGroups: Distributed COM Users User Permissions For root\cim v2 In WMI Properties: Execute Methods Enable Account Remote Enable Read Security Environment Permission: "AllowRemoteRPC" should be 1 for HKEY_ LOCAL_MACHINE\ SYSTEM\Current ControlSet\Control\Terminal Server.
Pop Up WINODWS	RPC ports - TCP/1024 to 65,535	Audited Windows Device	EventLog Analyzer Server	RPC randomly allocated high TCP ports
Pop Up LINUX	TCP/Specified port.	Audited Linux Device	EventLog Analyzer Server	-	Environment Permission: Sudo permission for user.
Send Email WINDOWS & LINUX	TCP/Port mentioned while config using SMTP server	Audited Linux Device	EventLog Analyzer Server	-	Environment Permission: SMTP server should be configured on Event log analyzer server
Send SMS WINDOWS & LINUX	-	-	-	-	Environment Permission: SMS Server should be configured in the product.
Send SNMP Trap WINDOWS & LINUX	UDP/Port specified in workflow block	Audited Windows / Linux Device	EventLog Analyzer Server	-	Environment Permission: The port mentioned in workflow configuration should be open.

AD ACTIONS

BLOCK	PORT	INBOUND	OUTBOUND	SERVICE	Additional Rights and Permissions
DELETE AD USER WINDOWS	TCP/389	Audited Domain Controller	EventLog Analyzer Server	LDAP	User Permissions: The user should have "Delete" Right in the AD to delete other Accounts. The user to delete should not have "Protect Object from accidental deletion" checked.
DISABLE AD USER WINDOWS	TCP/389	Audited Domain Controller	EventLog Analyzer Server	LDAP	User Permissions: The User account provided should have "Read","Write ","modify owners" and "modify permissions" permissions enabled.
DISABLE USER COMPUTER WINDOWS & LINUX	TCP/389	Audited Domain Controller	EventLog Analyzer Server	LDAP	User Permission: The User account provided should have "Read", "Write" , "modify owners" and "modify permissions" permissions enabled.

MISCELLANEOUS ACTIONS

BLOCK	PORT	INBOUND	OUTBOUND	Additional Rights and Permissions
WRITE TO FILE WINDOWS	TCP/135	Audited Windows Device	EventLog Analyzer Server	UserGroups: Distributed COM Users User Rights: Act as part of the operating system Log on as a batch job Log on as a service Replace a process level token. User Permissions: For root\cim v2 In Properties: Execute Methods Enable Account Remote Enable Read Security Environment Permission: The user should have read,write and modify access to the shared path.
WRITE TO FILE WINDOWS	RPC ports - TCP/1024 to 65,535	Audited Windows Device	EventLog Analyzer Server
WRITE TO FILE LINUX	TCP/Specified port.	Audited Linux Device	EventLog Analyzer Server	Environment Permission: Sudo permission for user
HTTP WebHook	-	-	-	Environment Permission: A "connect" Socket Permission to the host/port combination of the destination URL or a "URL Permission" that permits this request.
FORWARD LOGS	TCP/Specified Port	Audited Windows / Linux Device	EventLog Analyzer Server	-
CSV LOOKUP	TCP/Specified Port	Audited Windows / Linux Device	EventLog Analyzer Server	User Permissions: Read permission to the specified CSV file.

FIREWALL ACTIONS

BLOCK	PORT	INBOUND	OUTBOUND	Additional Rights and Permissions
Cisco ASA deny inbound/Outbound rules	https/443	Firewall Device	EventLog Analyzer Server	Ports User Customizable Additional Rights: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/IncidentManagement/incident-workflow.html#ciscoCredentials
Fortigate deny Access rules	https/443	Firewall Device	EventLog Analyzer Server	Ports User Customizable Additional Rights: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/IncidentManagement/incident-workflow.html#fortigateCredentials
Palo Alto deny Access rules	https/443	Firewall Device	EventLog Analyzer Server	Ports User Customizable Additional Rights: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/IncidentManagement/incident-workflow.html#paloAltoCredentials
Sophos XG deny Access rules	https/443	Firewall Device	EventLog Analyzer Server	Ports User Customizable Additional Rights: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/IncidentManagement/incident-workflow.html#sophosXGCredentials
Barracuda deny Access rules	https/8443	Firewall Device	EventLog Analyzer Server	Ports User Customizable Additional Rights: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/IncidentManagement/incident-workflow.html#fortigateCredentials

7. Distributed communication Setup

Distributed

PORT

INBOUND

OUTBOUND

Additional Rights and Permissions

HTTP/8400 (configurable)

EventLog Analyzer Managed Server Machine

EventLog Analyzer Admin Server Machine

User Permissions:

Managed server to Admin server communication via default webserver port.
The default port number is 8400.
The port can be customized by the user.

HTTP/8400 (configurable)

EventLog Analyzer Admin Server Machine

EventLog Analyzer Managed Server Machine

User Permissions:

Admin server to Managed server communication via default webserver port
User can customize the port. The value should be between 1024 and 65535.

Centralized Archiving Port

PORT

INBOUND

OUTBOUND

Additional Rights and Permissions

SSH/8080 (configurable)

EventLog Analyzer Admin Server Machine

EventLog Analyzer Managed Server Machine

User Permissions:

Managed server transfers the archive files to Admin Server via SSH 8080.
User can customize the port. The value should be between 1024 and 65535.

Using EventLog Analyzer with Antivirus Applications

To ensure unhindered functioning of EventLog Analyzer, you need to add the following files to the exception list of your Antivirus application:

Path	Need for whitelisting	Impact if not whitelisted
<ELA_HOME>/ES/data	Elasticsearch indexed data is stored.	All the collected logs will not be available if the data is deleted.
<ELA_HOME>/ES/repo	Elasticsearch index snapshot is taken at this location.	Snapshots and Elasticsearch archival feature will fail if the files at this location are deleted.
<ELA_HOME>/ES/archive	Elasticsearch archives are stored here.	Archived log data will not be available if the files located here are deleted.
<ME>/elasticsearch/ES/data	Elasticsearch indexed data is stored.	Reports would be affected if the data is deleted.
<ME>/elasticsearch/ES/repo	Elasticsearch index snapshot is taken at this location.	Snapshots and Elasticsearch archival feature will fail if the files at this location are deleted.
<ME>/elasticsearch/ES/archive	Elasticsearch archives are stored here.	Data will not be available if the files located here are deleted.
<ELA_HOME>/data/za/threatfeeds	Bundled files containing a list of malicious IPs, domains and URLs that will be used in case there is no internet connectivity will be stored here. These files will be deleted on the first default threat feed synchronization. Whitelisting is required only till first synchronization.	If the files are removed and if there is no internet connectivity, then the list of malicious threat sources will be missed from the dataset.
<ELA_HOME>/data/AlertDump	Formatted logs are stored before processing for alerts. Might be detected as false positive by Antivirus applications.	If the file is quarantined or deleted, related alerts would be missed.
<ELA_HOME>/data/NotificationDump	Formatted logs are stored before processing for notification. Might be detected as false positive by Antivirus applications.	If the file is quarantined or deleted, notification for triggered alerts would be missed.
<ELA_HOME>/bin	All binaries are included here. Some Antivirus applications might block them as false positive.	Product might not function.
<ELA_HOME>/data/imworkflow	Binaries uploaded by users for workflow execution are stored here.	Script Alert workflow might not work as intended.
<ELA_HOME>/pgsql/bin	Postgres binaries are included here. Might be detected as false positive by Antivirus applications.	Product might not start.
<ELA_HOME>/lib/native	All binaries are included here. Some Antivirus applications might block them as false positive.	Product might not function.
<ELA_HOME>/archive (If the archive folder is moved to a new location, add the new location)	Antivirus applications might slow down frequent write operations.	Performance issues might occur in the product if the Antivirus applications slow down write operations.
<ELA_HOME>/troubleshooting	All troubleshooting binaries are included here. Some Antivirus applications might block them as false positive.	Some troubleshooting batch files might not work.
<ELA_HOME>/tools	All tools binaries are included here. Some Antivirus applications might block them as false positive.	Some tools might not work if the files are removed by Antivirus applications.
<ELA_HOME>/ES/CachedRecord	Antivirus applications might slow down frequent write operations.	Performance issues might occur in the product if the Antivirus applications slow down write operations.

For Windows agent machine - 64 bit,

Path	Need for whitelisting	Impact if not whitelisted
C:\Program Files (x86)\EventLogAnalyzer_Agent\bin	Agent binaries are stored here.	The Agent might not work if the files are quarantined.
C:\Program Files (x86)\EventLogAnalyzer_Agent\bin\data	Antivirus applications might slow down frequent write operations.	Performance issues might occur in the product if the Antivirus applications slow down write operations.
C:\TEMP\\EventLogAgent	Agent installation files are moved for installation and upgrade.	Agent might not upgrade/not install if the files are quarantined.

For Windows agent machine - 32 bit,

Path	Need for whitelisting	Impact if not whitelisted
C:\Program Files\EventLogAnalyzer_Agent\bin	Agent binaries are stored here.	The Agent might not work if the files are quarantined.
C:\Program Files (x86)\EventLogAnalyzer_Agent\bin\data	Antivirus applications might slow down frequent write operations.	Performance issues might occur in the product if the Antivirus applications slow down write operations.
C:\TEMP\\EventLogAgent	Agent installation files are moved for installation and upgrade.	Agent might not upgrade/not install if the files are quarantined.

For Linux agent,

Path	Need for whitelisting	Impact if not whitelisted
/opt/ManageEngine/EventLogAnalyzer_Agent/bin	Agent binaries are stored here.	The Agent might not work if the files are quarantined.
/opt/ManageEngine/EventLogAnalyzer_Agent/bin/data	Antivirus applications might slow down frequent write operations.	Performance issues might occur in the product if the Antivirus applications slow down write operations.

8. Advanced threat analytics

PORT

Additional Rights and Permissions

HTTPS/443

To fetch the "Log360 Cloud Threat Analytics" feeds, the below URLs will be used

Prerequisites

What are the ports required for EventLog Analyzer?

1. Primary Ports

Web Server Port

Elasticsearch

Internal Communication

Database

2. Log Collection

Windows Log Collection

Syslog Collection

SSH Communication

Configure Automatic SysLog Forwarding

AS400 Log Collection

SNMP Trap Collection

IIS Log Collection

3. Agent orchestration

Windows Agent Log Collection and Communication

Windows Agent Installation & Management

Linux Agent Installation

Linux Agent Management & Communication

4. Importing logs

Importing Logs using SMB

Importing logs using FTP

5. Discovery

Windows Domain Discovery

Windows Workgroup Discovery

Event Source Discovery

MSSQL Server Discovery-Windows

Network Device Discovery

IIS Discovery

MYSQL Server Discovery-Windows

MYSQL Server Discovery-Linux

6. Incident Workflow Management

NETWORK ACTIONS

WINDOWS ACTIONS

LINUX ACTIONS

NOTIFICATIONS

AD ACTIONS

MISCELLANEOUS ACTIONS

FIREWALL ACTIONS

7. Distributed communication Setup

Distributed

Centralized Archiving Port

Using EventLog Analyzer with Antivirus Applications

For Windows agent machine - 64 bit,

For Windows agent machine - 32 bit,

For Linux agent,

8. Advanced threat analytics

On this page

Don't see what you're looking for?

Visit our community

Request additional resources

Need implementation assistance?