Knowledge Base

A packet sniffer like Microsoft Network Monitor, IPMon or Wireshark sees network packets before they are analyzed by Windows and the Windows Firewall. As such, it's possible that packets are blocked by the Windows Firewall even when they show up in a packet sniffer. In most cases adding exceptions to the Windows Firewall will cause the incomi...

KB-ID 261
Category: Network Services
Applies to: All Versions

In order to monitor a different subnet with the ARP component of the network services, first install the network services on a host in the subnet which needs to be monitored (see KB275). Once completed, install the WinPcap drivers, which are required by the ARP daemon. The WinPcap drivers can either be downloaded from the web https://www.wi...

KB-ID 265
Category: Network Services
Applies to: 3.0.1 or newer

EventSentry 3.2 and newer use a different installation method for the network services; please see knowledge base article 306. To install the network services on a remote host, first add the host in the other subnet to the EventSentry management console machine and deploy the agent. Once you have deployed the agent, open the EventSentry insta...

KB-ID 275
Category: Network Services
Applies to: 3.0 and 3.1

On the EventSentry server, use the command prompt to run: nslookup 192.168.1.1 (replace 192.168.1.1 with the IP address of a Syslog-sending device or server). This will tell you which DNS server is being utilized by your EventSentry server. You can then manually create an A record in that DNS server to specify the Syslog-sending device's...

KB-ID 292
Category: Network Services
Applies to: All versions

EventSentry 3.5 and newer use different installation files for the network services; please see knowledge base article 384. To install the network services on a remote host in another subnet, first add the host in the other subnet to a group in the EventSentry management console and deploy the agent. Once you have deployed the agent, open the...

KB-ID 306
Category: Network Services
Applies to: 3.2 through 3.4

Starting with version 3.2 of EventSentry, the network services component service is available as both a 32-bit and a 64-bit executable. New installations will automatically install the 64-bit binary on 64-bit operating systems, but existing 32-bit services will not be automatically upgraded at this time. If you wish to update an existing 32-bi...

KB-ID 327
Category: Network Services
Applies to: 3.2 and higher

Not all Cisco network devices are capable of producing NetFlow or sFlow data. Please refer to your particular device's product documentation to see if your device is capable of producing either NetFlow or sFlow data. If your device does produce NetFlow or sFlow data using a standardized format, you can capture this data in EventSentry. Cis...

KB-ID 334
Category: Network Services
Applies to: 3.3.1.70 and newer

Yes, by using the regular expression and subject override feature in event log filters, the email subject can show select properties from Snort alerts. A typical Snort alert will look similar to the one shown below: syslogfirewall.yourcompany.localauth/security.warning: May 24 19:20:05 snort47626: 119:31:1 httpinspect DOUBLE DECOD...

KB-ID 349
Category: Network Services
Applies to: 3.3 and later

Starting with version 3.3.1.84, the maximum size of the debug log file located in SYSTEMROOT\system32\eventsentry\logs can be adjusted with the debuglevelnsmaxsize registry value. This DWORD value specifies the maximum size of each debug log file in megabytes; consequently, the total disk space used will be twice the size of the registry val...

KB-ID 353
Category: Network Services
Applies to: 3.3.1.84 and higher

EventSentry 3.4 and older use different installation files for the network services; please see knowledge base article 306. To install the network services on a remote host in another subnet, first add the host in the other subnet to a group in the EventSentry management console machine and deploy the agent. Once you have deployed the agent ...

KB-ID 384
Category: Network Services
Applies to: 3.5 and newer

Requires: EventSentry NetFlow license, pfSense 2.4 or later, psexec, kittyportable.
Starting with EventSentry v4.0.3, EventSentry can log events when a potentially malicious IP address has been detected via NetFlow. This event can subsequently be used to trigger a process that remotely logs into the pfSense firewall to block the IP addr...

KB-ID 402
Category: Network Services
Applies to: 4.0.3

In a production environment it can be important to know if and when a VM is reverted to a snapshot. If the VMWare ESXi host is configured to send Syslog messages to a log host (https://docs.vmware.com/en/VMwarevSphere/6.7/com.vmware.esxi.upgrade.doc/GUID9F67DB52F469451FB6C8DAE8D95976E7.html) like EventSentry, then it will send a message s...

KB-ID 408
Category: Network Services

Yes, please navigate to https://www.eventsentry.com/support/documentation to download the help file and/or quickstart guide. Both documents are available in the following formats: Microsoft Help (.chm), Adobe PDF (.pdf), HTML (.htm), Multimedia Help (.exe).

KB-ID 4
Category: General
Applies to: All Versions

Yes, it is recommended that you uninstall EventSentry Light with the setup application prior to installing the trial or full version of EventSentry. You will not need to uninstall the agent service from remote machines; simply use Remote Update to update the agents on the remote machines once you have installed the trial version.

KB-ID 5
Category: Installation

If you use the built-in Postgres database, you may need to optimize it: https://www.eventsentry.com/kb/232 If you use Microsoft SQL as your database, you may need to optimize it: https://www.eventsentry.com/kb/35 If the recommended optimizations do not help, please contact our support department for more in-depth assistance. If you have a...

KB-ID 6
Category: Web Reports
Applies to: All

This error reported by Windows usually appears when Client for Microsoft Networks and/or NetBIOS are not installed on the management workstation and target machines, for example when using Novell software. You will need to make sure that the Client for Microsoft Networks is installed when using remote update to install agents on remote...

KB-ID 8
Category: Installation

The EVENTSENTRYSVC.LOG file located in the SYSTEMROOT directory (usually c:\winnt or c:\windows) is the debug log file of the EventSentry agent. To reduce the size of this file, set the Debug Level option in Service Control to None or Low and restart the EventSentry service. The contents of this file are always cleared when the ...

KB-ID 7
Category: General
Applies to: up to v2.43

It is important that filters using summary notifications are NOT configured to notify All Targets. When using summary notifications, make sure that one and only one target is present in the filter's Targets list on the General tab.

KB-ID 9
Category: Configuration

After making configuration changes on your management workstation, you will need to use the Update Configuration feature of remote update to push the updated configuration to your remote machines. Right-click the Computers container of the group you want to update and select Update Configuration. In the next dialog, make sure that the co...

KB-ID 10
Category: Configuration
Applies to: All Versions

When using ODBC targets, you will need to make sure that: The System DSN referenced in the ODBC target is present on all computers writing to the database. This requirement does not apply to version 2.50 and higher, which also supports connection strings. Otherwise, you can use AutoAdministrator to push out DSN names to remote machines. ...

KB-ID 11
Category: Notifications

Starting with EventSentry version 2.70, you can view the native event log files (usually with a .evt extension) with the built-in event log viewer of EventSentry. Simply right-click the Event Log Viewer container and select Open Log File. If you are running EventSentry v2.60 or earlier, then you will need to open the event log files with th...

KB-ID 12
Category: Usage

You can export, and thus back up, the EventSentry configuration by selecting Export from the Home menu of the EventSentry management application. This will save the entire configuration from the registry in a .reg file. Once EventSentry is installed using the wizard on the alternate server, you can select Home Import from within th...

KB-ID 13
Category: Configuration
Applies to: All Versions

You can be notified when a remote web site certificate is about to expire using checkurl.exe from the EventSentry SysAdmin Tools. For that we are going to: 1. Install the EventSentry SysAdmin Tools to use the checkurl.exe feature. 2. Create a User Embedded Script. 3. Create an application schedule to run the script on a certain schedule. 4. Creating ...

KB-ID 431
Category: Network Monitoring
Applies to: 4.1 and later

Yes, any user with administrative privileges can view and change the EventSentry configuration. The entire EventSentry configuration is stored on a per-machine basis, so it doesn't matter which user logs on to the computer where the EventSentry management application is installed. The only settings that are stored on a per-user basis are th...

KB-ID 14
Category: Configuration

No, restarting the EventSentry service on any machine will have no effect on other machines, since the agent only works with the local event logs. The EventSentry agent does write a few events to the local machine's Application event log upon a service restart, however.

KB-ID 15
Category: Usage