Before starting EventLog Analyzer in your environment, ensure that the following are taken care of.
PORT | INBOUND | OUTBOUND | Additional Rights and Permissions |
HTTP/8400 (configurable) | EventLog Analyzer Server | | Ports Usage: |
PORT | INBOUND | OUTBOUND | Additional Rights and Permissions |
TCP/9300-9400 (configurable) | EventLog Analyzer Search Engine Management Node [SEM Node] | EventLog Analyzer Server | Ports Usage: |
PORT | INBOUND And OUTBOUND | Additional Rights and Permissions |
UDP/5000 (configurable) | EventLog Analyzer Server | Ports Usage: |
PORT | Additional Rights and Permissions |
TCP/33335 | Ports Usage: |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/135 | Windows Device | EventLog Analyzer Server | RPC | UserGroups; User Permissions (root\cimv2 in WMI Properties); Firewall Permissions |
TCP/139 | Windows Device | EventLog Analyzer Server | NetBIOS session RPC/NP | |
TCP/445 | Windows Device | EventLog Analyzer Server | SMB RPC/NP | |
Dynamic range of RPC ports - TCP/49152 to 65535 | Windows Device | EventLog Analyzer Server | RPC randomly allocates high TCP ports on Windows Server 2008 and later, and on Windows Vista and later | |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
UDP/514 (configurable) | EventLog Analyzer Server | Target Device | Syslog | User Permissions |
UDP/513 (configurable) | EventLog Analyzer Server | Target Device | Syslog | |
TLS/513 (configurable) | EventLog Analyzer Server | Target Device | Syslog | |
TCP/514 (configurable) | EventLog Analyzer Server | Target Device | Syslog | |
PERMISSION | USAGES |
Ensure that the algorithms listed below are present in the sshd_config file (file location: /etc/ssh/sshd_config). Key exchange (KEX): diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, diffie-hellman-group15-sha512, diffie-hellman-group16-sha512, diffie-hellman-group17-sha512, diffie-hellman-group18-sha512, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521. Ciphers: aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr, arcfour128, arcfour256, blowfish-cbc, 3des-cbc. MAC: hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512. *This is required for all Linux communications. | |
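One way to verify this requirement on a Linux log source before adding it to the collector, as an added example (not ManageEngine's code): it reads the effective configuration from `sshd -T` (a constructed sample is embedded), reports which of the names listed above the server actually offers, and separates the ones a hardened host would rather not re-enable. Which entries count as legacy is the editor's judgement, not the page's; the server only needs one matching name per option for the session to negotiate.

```python
"""Audit a Linux host's effective sshd algorithm lists against the names
EventLog Analyzer lists for sshd_config. Added example, not ManageEngine's
code; input is `sshd -T` output (resolved config, lowercase option names)."""
from typing import Dict, List

# Names exactly as listed on the prerequisites page, grouped by sshd option.
REQUIRED: Dict[str, List[str]] = {
    "kexalgorithms": [
        "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256",
        "diffie-hellman-group15-sha512", "diffie-hellman-group16-sha512",
        "diffie-hellman-group17-sha512", "diffie-hellman-group18-sha512",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"],
    "ciphers": [
        "aes128-cbc", "aes128-ctr", "aes192-cbc", "aes192-ctr", "aes256-cbc",
        "aes256-ctr", "arcfour128", "arcfour256", "blowfish-cbc", "3des-cbc"],
    "macs": [
        "hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
        "hmac-sha2-256", "hmac-sha2-512"],
}

# Editor's judgement (not from the page): entries that current OpenSSH
# releases leave out of their defaults. Only one name per option has to
# match for the collector to connect, so prefer the others over these.
LEGACY = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour128", "arcfour256",
    "blowfish-cbc", "3des-cbc", "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
}

# Constructed `sshd -T` excerpt for a fairly modern default configuration.
SAMPLE_SSHD_T = """\
port 22
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,aes128-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha1
"""

def parse_sshd_t(text: str) -> Dict[str, List[str]]:
    """Return {option: [values]} for the three list-valued options audited here."""
    effective: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in REQUIRED:
            effective[parts[0].lower()] = [v for v in parts[1].split(",") if v]
    return effective

def audit(effective: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per option: required names the server offers (in the server's order),
    split into preferred and legacy choices."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for option, required in REQUIRED.items():
        usable = [n for n in effective.get(option, []) if n in required]
        report[option] = {
            "usable": usable,
            "preferred": [n for n in usable if n not in LEGACY],
            "legacy_enabled": [n for n in usable if n in LEGACY],
        }
    return report

def blocking_options(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Options with no usable name: SSH negotiation from the collector fails."""
    return [opt for opt, r in report.items() if not r["usable"]]
```

Run `sshd -T` on the target as root and feed its output to `parse_sshd_t`; an empty `blocking_options` result with a non-empty `preferred` list per option means the host can be onboarded without adding a legacy algorithm.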
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/22 | Linux Device | EventLog Analyzer Server | SSH | User Rights: service restart rights for the 'rsyslog' or 'syslog' service; User Permissions |
PORTS | INBOUND | OUTBOUND |
TCP/446-449 | AS400 Server | EventLog Analyzer Server |
TCP/8470-8476 | AS400 Server | EventLog Analyzer Server |
TCP/9470-9476 | AS400 Server | EventLog Analyzer Server |
PORTS | INBOUND | OUTBOUND | SERVICES | Additional Rights and Permissions |
UDP/162 (configurable) | EventLog Analyzer Server | Network Device / Application | SNMP | User Permissions |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/135 | IIS Server | EventLog Analyzer Server | RPC | User Permissions |
TCP/139 | IIS Server | EventLog Analyzer Server | NetBIOS session RPC/NP | |
TCP/445 | IIS Server | EventLog Analyzer Server | SMB RPC/NP | |
PORTS | INBOUND | OUTBOUND | Additional Rights and Permissions |
HTTP/8400 (configurable) | EventLog Analyzer Server | EventLog Analyzer Agent Machine | Environment Permission |

Communication includes tasks such as agent synchronization and checking agent status.
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/135 | EventLog Analyzer Agent Machine | EventLog Analyzer Server | RPC | User Permissions |
TCP/139 | EventLog Analyzer Agent Machine | EventLog Analyzer Server | NetBIOS session RPC/NP | |
TCP/445 | EventLog Analyzer Agent Machine | EventLog Analyzer Server | SMB RPC/NP | |
Dynamic range of RPC ports - TCP/49152 to 65535 | EventLog Analyzer Agent Machine | EventLog Analyzer Server | RPC randomly allocates high TCP ports on Windows Server 2008 and later, and on Windows Vista and later | |

Management involves actions like starting, stopping, or uninstalling the agent software.
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/22 | EventLog Analyzer Agent Machine | EventLog Analyzer Server | SSH | Sudo User Permissions |
PORTS | INBOUND | OUTBOUND | Additional Rights and Permissions |
TCP/22 | EventLog Analyzer Server | EventLog Analyzer Server | User Permissions |
HTTP/8400 (configurable) | EventLog Analyzer Server | EventLog Analyzer Agent Machine | |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/137 | Target Device | EventLog Analyzer Server | NetBIOS name resolution RPC/named pipes (NP) | User Permissions |
TCP/138 | Target Device | EventLog Analyzer Server | NetBIOS datagram | |
TCP/139 | Target Device | EventLog Analyzer Server | NetBIOS session RPC/NP | |
TCP/445 | Target Device | EventLog Analyzer Server | SMB RPC/NP | |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/20 | Target Device | EventLog Analyzer Server | FTP/SFTP | User Permissions |
TCP/21 | Target Device | EventLog Analyzer Server | FTP/SFTP | |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/389 | Domain Controller | EventLog Analyzer Server | LDAP | User Permissions |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/135 | Workgroup Server | EventLog Analyzer Server | RPC | User Permissions |
TCP/139 | Workgroup Server | EventLog Analyzer Server | NetBIOS session RPC/NP | |
TCP/445 | Workgroup Server | EventLog Analyzer Server | SMB RPC/NP | |
TCP/1024-65535 | Workgroup Server | EventLog Analyzer Server | RPC randomly allocated high TCP ports | |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/135 | Target Windows Device | EventLog Analyzer Server | RPC | User Permissions |
TCP/137 | Target Windows Device | EventLog Analyzer Server | NetBIOS name resolution RPC/named pipes (NP) | |
TCP/138 | Target Windows Device | EventLog Analyzer Server | NetBIOS datagram | |
TCP/139 | Workgroup Server | EventLog Analyzer Server | NetBIOS session RPC/NP | |
TCP/445 | Workgroup Server | EventLog Analyzer Server | SMB RPC/NP | |
PORTS | INBOUND | OUTBOUND | Additional Rights and Permissions |
UDP/1434 | MSSQL Server | EventLog Analyzer Server | User Permissions |
TCP/1433 | MSSQL Server | EventLog Analyzer Server | |
PORTS | INBOUND | OUTBOUND | Additional Rights and Permissions |
UDP/162 | Network Devices | EventLog Analyzer Server | Ports Usage: |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/445 | IIS Server | EventLog Analyzer Server | SMB RPC/NP | Ports Usage: |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/135 | MySQL Server | EventLog Analyzer Server | RPC | User Permissions |
TCP/445 | MySQL Server | EventLog Analyzer Server | SMB RPC/NP | |
PORTS | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
TCP/22 | MySQL Server | EventLog Analyzer Server | SMB RPC/NP | User Permissions |
BLOCK | PORT | INBOUND | OUTBOUND |
PING DEVICE | ICMP/No ports | Audited Windows / Linux Device | EventLog Analyzer Server |
TRACE ROUTE WINDOWS | ICMP/No ports | Audited Windows Device | EventLog Analyzer Server |
TRACE ROUTE LINUX | UDP/33434-33534 | Audited Linux Device | EventLog Analyzer Server |
BLOCK | PORT | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
LogOff | TCP/135 | Audited Windows Device | EventLog Analyzer Server | RPC | UserGroups; User Permissions (root\cimv2 in WMI Properties); Environment Permission |
LogOff | TCP/139 | Audited Windows Device | EventLog Analyzer Server | NetBIOS session RPC/NP | |
LogOff | TCP/445 | Audited Windows Device | EventLog Analyzer Server | SMB RPC/NP | |
LogOff | RPC ports - TCP/1024 to 65535 | Audited Windows Device | EventLog Analyzer Server | RPC randomly allocated high TCP ports | |
Shutdown and Restart | TCP/135 | Audited Windows Device | EventLog Analyzer Server | RPC | UserGroups; User Permissions (root\cimv2 in WMI Properties); Environment Permission |
Shutdown and Restart | TCP/139 | Audited Windows Device | EventLog Analyzer Server | NetBIOS session RPC/NP | |
Shutdown and Restart | TCP/445 | Audited Windows Device | EventLog Analyzer Server | SMB RPC/NP | |
Shutdown and Restart | RPC ports - TCP/1024 to 65535 | Audited Windows Device | EventLog Analyzer Server | RPC randomly allocated high TCP ports | |
Execute Windows Script | TCP/135 | Audited Windows Device | EventLog Analyzer Server | RPC | UserGroups; User Permissions (root\cimv2 in WMI Properties); Environment Permission |
Execute Windows Script | TCP/139 | Audited Windows Device | EventLog Analyzer Server | NetBIOS session RPC/NP | |
Execute Windows Script | TCP/445 | Audited Windows Device | EventLog Analyzer Server | SMB RPC/NP | |
Execute Windows Script | RPC ports - TCP/1024 to 65535 | Audited Windows Device | EventLog Analyzer Server | RPC randomly allocated high TCP ports | |
Disable USB | TCP/135 | Audited Windows Device | EventLog Analyzer Server | RPC | UserGroups; User Permissions (root\cimv2 in WMI Properties); Environment Permission |
Disable USB | TCP/139 | Audited Windows Device | EventLog Analyzer Server | NetBIOS session RPC/NP | |
Disable USB | TCP/445 | Audited Windows Device | EventLog Analyzer Server | SMB RPC/NP | |
Disable USB | RPC ports - TCP/1024 to 65535 | Audited Windows Device | EventLog Analyzer Server | RPC randomly allocated high TCP ports | |
ALL SERVICE BLOCK | TCP/135 | Audited Windows Device | EventLog Analyzer Server | RPC | UserGroups; User Permissions (root\cimv2 in WMI Properties) |
ALL SERVICE BLOCK | TCP/139 | Audited Windows Device | EventLog Analyzer Server | NetBIOS session RPC/NP | |
ALL SERVICE BLOCK | TCP/445 | Audited Windows Device | EventLog Analyzer Server | SMB RPC/NP | |
ALL SERVICE BLOCK | RPC ports - TCP/1024 to 65535 | Audited Windows Device | EventLog Analyzer Server | RPC randomly allocated high TCP ports | |
START PROCESS | TCP/135 | Audited Windows Device | EventLog Analyzer Server | RPC | UserGroups; User Permissions (root\cimv2 in WMI Properties) |
START PROCESS | TCP/139 | Audited Windows Device | EventLog Analyzer Server | NetBIOS session RPC/NP | |
START PROCESS | TCP/445 | Audited Windows Device | EventLog Analyzer Server | SMB RPC/NP | |
START PROCESS | RPC ports - TCP/1024 to 65535 | Audited Windows Device | EventLog Analyzer Server | RPC randomly allocated high TCP ports | |
STOP PROCESS | TCP/135 | Audited Windows Device | EventLog Analyzer Server | RPC | UserGroups; User Permissions (root\cimv2 in WMI Properties) |
STOP PROCESS | TCP/139 | Audited Windows Device | EventLog Analyzer Server | NetBIOS session RPC/NP | |
STOP PROCESS | TCP/445 | Audited Windows Device | EventLog Analyzer Server | SMB RPC/NP | |
STOP PROCESS | RPC ports - TCP/1024 to 65535 | Audited Windows Device | EventLog Analyzer Server | RPC randomly allocated high TCP ports | |
TEST PROCESS | TCP/135 | Audited Windows Device | EventLog Analyzer Server | RPC | UserGroups; User Permissions (root\cimv2 in WMI Properties) |
TEST PROCESS | TCP/139 | Audited Windows Device | EventLog Analyzer Server | NetBIOS session RPC/NP | |
TEST PROCESS | TCP/445 | Audited Windows Device | EventLog Analyzer Server | SMB RPC/NP | |
TEST PROCESS | RPC ports - TCP/1024 to 65535 | Audited Windows Device | EventLog Analyzer Server | RPC randomly allocated high TCP ports | |
BLOCK | PORT | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
Shutdown and Restart | TCP/Specified port. | Audited Linux Device | EventLog Analyzer Server | - | Environment Permission: The user should be the root user. |
Execute Windows Script | TCP/Specified port. | Audited Linux Device | EventLog Analyzer Server | - | Environment Permission: Sudo permission for user. |
ALL SERVICE BLOCK | TCP/Specified port. | Audited Linux Device | EventLog Analyzer Server | - | Environment Permission: Sudo permission. |
START PROCESS | TCP/Specified port. | Audited Linux Device | EventLog Analyzer Server | - | Environment Permission: The permission to execute the command should be available for the user whose credentials are provided. |
STOP PROCESS | Specified port. | Audited Linux Device | EventLog Analyzer Server | - | Environment Permission: The permission to execute the command should be available for the user whose credentials are provided. |
TEST PROCESS | TCP/Specified port. | Audited Linux Device | EventLog Analyzer Server | - | - |
BLOCK | PORT | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
Pop Up WINDOWS | TCP/135 | Audited Windows Device | EventLog Analyzer Server | RPC | UserGroups; User Permissions (root\cimv2 in WMI Properties); Environment Permission |
Pop Up WINDOWS | RPC ports - TCP/1024 to 65535 | Audited Windows Device | EventLog Analyzer Server | RPC randomly allocated high TCP ports | |
Pop Up LINUX | TCP/Specified port | Audited Linux Device | EventLog Analyzer Server | - | Environment Permission: Sudo permission for the user. |
Send Email WINDOWS & LINUX | TCP/Port specified when configuring the SMTP server | Audited Linux Device | EventLog Analyzer Server | - | Environment Permission: An SMTP server should be configured on the EventLog Analyzer server. |
Send SMS WINDOWS & LINUX | - | - | - | - | Environment Permission: An SMS server should be configured in the product. |
Send SNMP Trap WINDOWS & LINUX | UDP/Port specified in the workflow block | Audited Windows / Linux Device | EventLog Analyzer Server | - | Environment Permission: The port specified in the workflow configuration should be open. |
BLOCK | PORT | INBOUND | OUTBOUND | SERVICE | Additional Rights and Permissions |
DELETE AD USER WINDOWS | TCP/389 | Audited Domain Controller | EventLog Analyzer Server | LDAP | User Permissions |
DISABLE AD USER WINDOWS | TCP/389 | Audited Domain Controller | EventLog Analyzer Server | LDAP | User Permissions |
DISABLE USER COMPUTER WINDOWS & LINUX | TCP/389 | Audited Domain Controller | EventLog Analyzer Server | LDAP | User Permissions |
BLOCK | PORT | INBOUND | OUTBOUND | Additional Rights and Permissions |
WRITE TO FILE WINDOWS | TCP/135 | Audited Windows Device | EventLog Analyzer Server | UserGroups; User Rights; User Permissions (root\cimv2 in WMI Properties); Environment Permission |
WRITE TO FILE WINDOWS | RPC ports - TCP/1024 to 65535 | Audited Windows Device | EventLog Analyzer Server | |
WRITE TO FILE LINUX | TCP/Specified port | Audited Linux Device | EventLog Analyzer Server | Environment Permission |
HTTP WebHook | - | - | - | Environment Permission |
FORWARD LOGS | TCP/Specified port | Audited Windows / Linux Device | EventLog Analyzer Server | - |
CSV LOOKUP | TCP/Specified port | Audited Windows / Linux Device | EventLog Analyzer Server | User Permissions |
BLOCK | PORT | INBOUND | OUTBOUND | Additional Rights and Permissions |
Cisco ASA deny inbound/outbound rules | HTTPS/443 | Firewall Device | EventLog Analyzer Server | Ports: user customizable. Additional Rights: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/IncidentManagement/incident-workflow.html#ciscoCredentials |
Fortigate deny access rules | HTTPS/443 | Firewall Device | EventLog Analyzer Server | Ports: user customizable. Additional Rights: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/IncidentManagement/incident-workflow.html#fortigateCredentials |
Palo Alto deny access rules | HTTPS/443 | Firewall Device | EventLog Analyzer Server | Ports: user customizable. Additional Rights: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/IncidentManagement/incident-workflow.html#paloAltoCredentials |
Sophos XG deny access rules | HTTPS/443 | Firewall Device | EventLog Analyzer Server | Ports: user customizable. Additional Rights: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/IncidentManagement/incident-workflow.html#sophosXGCredentials |
Barracuda deny access rules | HTTPS/8443 | Firewall Device | EventLog Analyzer Server | Ports: user customizable. Additional Rights: https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/IncidentManagement/incident-workflow.html#fortigateCredentials |
PORT | INBOUND | OUTBOUND | Additional Rights and Permissions |
HTTP/8400 (configurable) | EventLog Analyzer Managed Server Machine | EventLog Analyzer Admin Server Machine | User Permissions |
HTTP/8400 (configurable) | EventLog Analyzer Admin Server Machine | EventLog Analyzer Managed Server Machine | User Permissions |
PORT | INBOUND | OUTBOUND | Additional Rights and Permissions |
SSH/8080 (configurable) | EventLog Analyzer Admin Server Machine | EventLog Analyzer Managed Server Machine | User Permissions |
To ensure unhindered functioning of EventLog Analyzer, you need to add the following files to the exception list of your Antivirus application:
Path | Need for whitelisting | Impact if not whitelisted |
<ELA_HOME>/ES/data | Elasticsearch indexed data is stored. | All the collected logs will not be available if the data is deleted. |
<ELA_HOME>/ES/repo | Elasticsearch index snapshot is taken at this location. | Snapshots and Elasticsearch archival feature will fail if the files at this location are deleted. |
<ELA_HOME>/ES/archive | Elasticsearch archives are stored here. | Archived log data will not be available if the files located here are deleted. |
<ME>/elasticsearch/ES/data | Elasticsearch indexed data is stored. | Reports would be affected if the data is deleted. |
<ME>/elasticsearch/ES/repo | Elasticsearch index snapshot is taken at this location. | Snapshots and Elasticsearch archival feature will fail if the files at this location are deleted. |
<ME>/elasticsearch/ES/archive | Elasticsearch archives are stored here. | Data will not be available if the files located here are deleted. |
<ELA_HOME>/data/za/threatfeeds | Bundled files containing a list of malicious IPs, domains and URLs, used when there is no internet connectivity, are stored here. These files are deleted on the first default threat feed synchronization, so whitelisting is required only until that first synchronization. | If the files are removed and there is no internet connectivity, the list of malicious threat sources will be missing from the dataset. |
<ELA_HOME>/data/AlertDump | Formatted logs are stored before processing for alerts. Might be detected as false positive by Antivirus applications. | If the file is quarantined or deleted, related alerts would be missed. |
<ELA_HOME>/data/NotificationDump | Formatted logs are stored before processing for notification. Might be detected as false positive by Antivirus applications. | If the file is quarantined or deleted, notification for triggered alerts would be missed. |
<ELA_HOME>/bin | All binaries are included here. Some Antivirus applications might block them as false positive. | Product might not function. |
<ELA_HOME>/data/imworkflow | Binaries uploaded by users for workflow execution are stored here. | Script Alert workflow might not work as intended. |
<ELA_HOME>/pgsql/bin | Postgres binaries are included here. Might be detected as false positive by Antivirus applications. | Product might not start. |
<ELA_HOME>/lib/native | All binaries are included here. Some Antivirus applications might block them as false positive. | Product might not function. |
<ELA_HOME>/archive (If the archive folder is moved to a new location, add the new location) | Antivirus applications might slow down frequent write operations. | Performance issues might occur in the product if the Antivirus applications slow down write operations. |
<ELA_HOME>/troubleshooting | All troubleshooting binaries are included here. Some Antivirus applications might block them as false positive. | Some troubleshooting batch files might not work. |
<ELA_HOME>/tools | All tools binaries are included here. Some Antivirus applications might block them as false positive. | Some tools might not work if the files are removed by Antivirus applications. |
<ELA_HOME>/ES/CachedRecord | Antivirus applications might slow down frequent write operations. | Performance issues might occur in the product if the Antivirus applications slow down write operations. |
Path | Need for whitelisting | Impact if not whitelisted |
C:\Program Files (x86)\EventLogAnalyzer_Agent\bin | Agent binaries are stored here. | The Agent might not work if the files are quarantined. |
C:\Program Files (x86)\EventLogAnalyzer_Agent\bin\data | Antivirus applications might slow down frequent write operations. | Performance issues might occur in the product if the Antivirus applications slow down write operations. |
C:\TEMP\EventLogAgent | Agent installation files are moved here for installation and upgrade. | The agent might not install or upgrade if the files are quarantined. |
Path | Need for whitelisting | Impact if not whitelisted |
C:\Program Files\EventLogAnalyzer_Agent\bin | Agent binaries are stored here. | The Agent might not work if the files are quarantined. |
C:\Program Files (x86)\EventLogAnalyzer_Agent\bin\data | Antivirus applications might slow down frequent write operations. | Performance issues might occur in the product if the Antivirus applications slow down write operations. |
C:\TEMP\EventLogAgent | Agent installation files are moved here for installation and upgrade. | The agent might not install or upgrade if the files are quarantined. |
Path | Need for whitelisting | Impact if not whitelisted |
/opt/ManageEngine/EventLogAnalyzer_Agent/bin | Agent binaries are stored here. | The Agent might not work if the files are quarantined. |
/opt/ManageEngine/EventLogAnalyzer_Agent/bin/data | Antivirus applications might slow down frequent write operations. | Performance issues might occur in the product if the Antivirus applications slow down write operations. |
PORT | Additional Rights and Permissions |
HTTPS/443 | The URLs below are used to fetch the "Log360 Cloud Threat Analytics" feeds. |
Copyright © 2020, ZOHO Corp. All Rights Reserved.