SIEM solutions need to aggregate and correlate logs, alert engineers in real time about security issues, provide insight into data through dashboards and easy-to-use reports, and help with a variety of compliance requirements.
EventSentry is a SIEM
EventSentry covers all these requirements and more, making it one of the most comprehensive, reliable and affordable SIEM solutions on the market today. Ranking consistently among the top three winners at the annual WindowSecurity.com Readers' Choice awards, EventSentry is trusted by companies across the globe and monitors tens of thousands of critical hosts around the clock.
White Paper: Security Information & Event Management - A Best Practices Approach.
EventSentry offers the following SIEM-related functionality:
- Real-Time Windows Event Log Monitoring (with local rule processing)
- Real-Time Log File Monitoring (with local rule processing)
- Powerful and fast rules engine
- Complete Log Consolidation (Event Log, Log Files, Syslog, SNMP)
- Correlation of various Windows security events
- Presentation of Windows events in easy to read reports
- Built-In Compliance package for real-time alerts on critical events
- Forensic analysis of collected data through powerful search queries
- Secure data transmission to central repository
- Role-Based Access Control (RBAC) for web-based reporting
Real-Time Log & Event Log Monitoring
The EventSentry agents monitor Windows events and log files in real time, and transmit the captured log data to the central repository. Since all filtering rules are processed by the agents, only relevant data is transmitted over the network.
Windows event logs can also be backed up in their native .evt or .evtx format; hashes of the backup files are automatically generated to protect against tampering. Logs from non-Windows devices such as *nix hosts, firewalls, routers and switches can be collected via Syslog (UDP and TCP) and SNMP traps.
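The tamper-evidence idea above (hash each archived log file, re-check the hashes later) is easy to reproduce. The following is an added example, not EventSentry's own code: it streams SHA-256 over constructed placeholder .evtx files, stores the digests in a JSON manifest, and re-verifies them after one file has been altered. File names, contents and the manifest layout are assumptions for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 16  # read in 64 KiB chunks so large .evtx backups never sit fully in memory


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, streamed chunk by chunk."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path) -> dict:
    """Hash every .evt/.evtx backup in backup_dir and store name -> digest as JSON."""
    files = sorted(p for p in backup_dir.iterdir() if p.suffix in (".evt", ".evtx"))
    manifest = {p.name: sha256_file(p) for p in files}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(backup_dir: Path, manifest_path: Path) -> dict:
    """Compare each archived file against its stored digest: 'ok', 'modified' or 'missing'."""
    expected = json.loads(manifest_path.read_text())
    results = {}
    for name, digest in expected.items():
        path = backup_dir / name
        if not path.exists():
            results[name] = "missing"
        elif sha256_file(path) != digest:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo() -> tuple:
    """Create constructed backup files, hash them, alter one, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp) / "backups"
        backup_dir.mkdir()
        # Constructed placeholder contents (assumption); real backups are binary event log files.
        (backup_dir / "Security.evtx").write_bytes(b"ElfFile\x00" + b"\x00" * 64)
        (backup_dir / "System.evtx").write_bytes(b"ElfFile\x00" + b"\x01" * 64)
        manifest = Path(tmp) / "manifest.json"  # kept outside the backup directory

        write_manifest(backup_dir, manifest)
        clean = verify_manifest(backup_dir, manifest)

        # Simulate tampering with the archived Security log after the hashes were taken.
        with open(backup_dir / "Security.evtx", "ab") as fh:
            fh.write(b"\xff")
        tampered = verify_manifest(backup_dir, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

A manifest that lives next to the backups only detects accidental corruption; anyone who can rewrite an archived log can usually rewrite an adjacent hash file as well. Store the manifest on a separate system (or sign it) so the comparison is meaningful after a compromise of the backup host.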
Powerful Filtering and Reporting Syntax
EventSentry features a powerful filtering engine on the agent side, which includes support for regular expressions, date & time-based filtering, thresholds, recurring events, filter times, custom event log support and more. The rules engine is optimized and extremely fast, and a single EventSentry agent can process hundreds of events per second.
On the reporting side, EventSentry offers the powerful Lucene query language to create & schedule reports.
Compliance & Log Correlation
Many Windows events can be complicated, and looking at individual events often does not tell the whole story. EventSentry includes a parsing engine for many security events, which automatically normalizes and correlates many Windows security events and displays them in an easy-to-understand format.
Out of the box, EventSentry includes rules for real-time alerts (e.g. when a member is added to the Administrators group) as well as numerous customizable compliance reports which show logon statistics, user account changes, policy changes and more. These customizable compliance reports can be executed on demand or scheduled.
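To make the normalize-correlate-alert pipeline concrete, here is an added example that is not EventSentry's code and does not use its rule syntax. It takes constructed Windows Security records (real event IDs 4624, 4625, 4728 and 4732 with their documented EventData field names; the hosts, users and timestamps are made up), maps them onto a small common schema, raises the "member added to Administrators" alert from the paragraph above, applies a threshold rule of the kind described under filtering, and builds a per-user logon statistics report. The privileged-group list and the threshold values are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs understood by this example.
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
GLOBAL_GROUP_MEMBER_ADDED = 4728
LOCAL_GROUP_MEMBER_ADDED = 4732

# Groups whose membership changes warrant a real-time alert (assumed policy).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample records, shaped as a collector would deliver them after splitting
# each event into id, timestamp, host and EventData key/value pairs.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2024-05-01T08:00:00", "host": "WS01",
     "data": {"TargetUserName": "alice", "LogonType": "2"}},
    *[{"id": 4625, "time": f"2024-05-01T08:01:{s:02d}", "host": "WS02",
       "data": {"TargetUserName": "bob", "Status": "0xC000006D"}} for s in (0, 5, 10, 15, 20)],
    {"id": 4732, "time": "2024-05-01T08:02:00", "host": "DC01",
     "data": {"SubjectUserName": "alice", "TargetUserName": "Administrators",
              "MemberName": "CN=bob,CN=Users,DC=example,DC=local"}},
    {"id": 4624, "time": "2024-05-01T08:03:00", "host": "WS02",
     "data": {"TargetUserName": "bob", "LogonType": "10"}},
]


def normalize(raw: dict):
    """Map a raw Windows event onto a small common schema; None if the ID is not handled."""
    base = {"time": datetime.fromisoformat(raw["time"]), "host": raw["host"]}
    data = raw["data"]
    if raw["id"] in (LOGON_SUCCESS, LOGON_FAILURE):
        return {**base, "kind": "logon", "user": data["TargetUserName"],
                "outcome": "success" if raw["id"] == LOGON_SUCCESS else "failure"}
    if raw["id"] in (LOCAL_GROUP_MEMBER_ADDED, GLOBAL_GROUP_MEMBER_ADDED):
        # MemberName is a distinguished name; the CN is what an analyst wants to read.
        match = re.match(r"CN=([^,]+)", data["MemberName"])
        return {**base, "kind": "group_member_added", "group": data["TargetUserName"],
                "member": match.group(1) if match else data["MemberName"],
                "actor": data["SubjectUserName"]}
    return None


def privileged_group_alerts(events: list) -> list:
    """Real-time rule: any addition to a privileged group becomes an alert string."""
    return [f"{e['host']}: {e['actor']} added {e['member']} to {e['group']}"
            for e in events if e["kind"] == "group_member_added" and e["group"] in PRIVILEGED_GROUPS]


def failed_logon_bursts(events: list, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Threshold rule: N failed logons for one user inside a sliding window, one alert per burst."""
    recent = defaultdict(list)  # user -> timestamps of failures still inside the window
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["kind"] != "logon" or e["outcome"] != "failure":
            continue
        times = recent[e["user"]]
        times.append(e["time"])
        while times and e["time"] - times[0] > window:
            times.pop(0)  # drop failures that have aged out of the window
        if len(times) >= threshold:
            alerts.append({"user": e["user"], "host": e["host"], "first": times[0],
                           "last": e["time"], "count": len(times)})
            times.clear()  # start a fresh burst so one attack does not alert on every further failure
    return alerts


def logon_report(events: list) -> dict:
    """Compliance-style report: success/failure counts per user."""
    stats = defaultdict(Counter)
    for e in events:
        if e["kind"] == "logon":
            stats[e["user"]][e["outcome"]] += 1
    return {user: dict(counts) for user, counts in stats.items()}


def analyze(raw_events: list = SAMPLE_EVENTS) -> dict:
    """Run normalization, both rules and the report over a batch of raw events."""
    events = [e for e in map(normalize, raw_events) if e]
    return {"privileged_group_alerts": privileged_group_alerts(events),
            "failed_logon_bursts": failed_logon_bursts(events),
            "logon_report": logon_report(events)}


if __name__ == "__main__":
    for name, value in analyze().items():
        print(name, value)
```

The burst rule keys on the user only, so failures spread across several hosts still count towards one threshold; keying on user and host instead would hide a password-guessing pattern that rotates targets. Clearing the window after an alert is a design choice that trades a possible second alert for far less noise during a long burst.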
The web-based reporting supports a variety of dashboards to visualize log data and identify trends and patterns. EventSentry supports network-centric and computer-centric dashboards.
Role-Based Access Control
EventSentry includes granular access control for the web reports, allowing you to give individuals access only to the reports they need. Individuals can be allowed to access only certain features (e.g. account management history) or specific reports you create. Alternatively, you can give users access to all features/reports, but restrict access so that they can only see data from certain hosts.