A packet sniffer like Microsoft Network Monitor IPMon or Wireshark see network packets before they are analyzed by Windows and the Windows Firewall. As such it39s possible that packets are blocked by the Windows Firewall even when they show up in a packet sniffer. In most cases adding exceptions to the Windows Firewall will cause the incomi...
In order to monitor a different subnet with the ARP component of the network services first install the network services on a host in the subnet which needs to be monitored: KB275 Once completed install the WinPcap drivers which are required by the ARP daemon. The WinPcap drivers can either be downloaded from the web https://www.wi...
EventSentry 3.2 and newer use a different installation method for the network services please see knowledge base article 306. To install the network services on a remote host first add the host in the other subnet to the EventSentry management console machine and deploy the agent. Once you have deployed the agent open the EventSentry insta...
On the EventSentry server use the command prompt to run: nslookup 192.168.1.1 replace 192.168.1.1 with the IP address of a Syslogsending device or server This will tell you which DNS server is being utilized by your EventSentry server. You can then manually create an A record in that DNS server to specify the Syslogsending device39...
EventSentry 3.5 to 4.2 use different installation files for the network services please see knowledge base article 384https://www.eventsentry.com/kb/384. EventSentry 5.0 and newer use different installation files for the network services please see knowledge base article 470https://www.eventsentry.com/kb/470. To install the network...
Starting with version 3.2 of EventSentry the network services component service is available as both a 32bit and 64bit executable. New installations will automatically install the 64bit binary on 64bit operating systems but existing 32bit services will not automatically upgraded at this time. If you wish to update an existing 32bi...
Not all Cisco network devices are capable of producing NetFlow or sFlow data. Please refer to your particular device39s product documentation to see if your device is capable of producing either NetFlow or sFlow data. If your device does produce NetFlow or sFlow data using a standardized format you can capture this data in EventSentry. Cis...
Yes by using the regular expression and subject override feature in event log filters the email subject can show select properties from Snort alerts. A typical Snort alert will look similar to the one shown below: syslogfirewall.yourcompany.localauth/security.warning: May 24 19:20:05 snort47626: 119:31:1 httpinspect DOUBLE DECOD...
Starting with version 3.3.1.84 the maximum size of the debug log file located in SYSTEMROOT\system32\eventsentry\logs can be adjusted with the debuglevelnsmaxsize registry value. This DWORD value specifies the maximum size of each debug log file in megabytes consequently the total disk space used will be twice the size of the registry val...
EventSentry 3.4 and older use different installation files for the network services please see knowledge base article 306https://www.eventsentry.com/kb/306 EventSentry 5.0 and newer use different installation files for the network services please see knowledge base article 470https://www.eventsentry.com/kb/470. To install the netwo...
Requires: EventSentry NetFlow license pfSense 2.4 or later psexec kittyportable Starting with EventSentry v4.0.3 EventSentry can log events when a potentially malicious IP address has been detected via NetFlow. This event can subsequently be used to trigger a process that remotely logs into the pfSense firewall to block the IP addr...
In a production environment it can be important to know if and when a VM is reverted to a snapshot. If the VMWare ESXi host is configured to send Syslog messages to a log hosthttps://docs.vmware.com/en/VMwarevSphere/6.7/com.vmware.esxi.upgrade.doc/GUID9F67DB52F469451FB6C8DAE8D95976E7.html like EventSentry then it will send a message s...
In a production environment it can be important to know if and when a snapshots of a VM are added to deleted. If the VMWare ESXi host is configured to send Syslog messages to a log host like EventSentry then it will send a message that will include the text shown below when a snapshot is added or removed: Snapshot Added State Transit...
Failed login attempts on VMWare ESXi hosts can be monitored via Syslog and the EventSentry Network Services Syslog daemon. First the VMWare ESXi Host must be configured to send SYSLOG messages to the EventSentry Network Services SYSLOG daemon hostname or IP address of the management console machine. If the VMWare ESXi hosts are not alrea...
EventSentry 3.4 and older use different installation files for the network services please see knowledge base article 306https://www.eventsentry.com/kb/306. EventSentry 3.5 to 4.2 use different installation files for the network services please see knowledge base article 384https://www.eventsentry.com/kb/384. To install the network...
In a production environment it can be important to know when a VIB package is installed on an ESXI host. If the VMWare ESXi host is configured to send Syslog messages to a log hosthttps://docs.vmware.com/en/VMwarevSphere/6.7/com.vmware.esxi.upgrade.doc/GUID9F67DB52F469451FB6C8DAE8D95976E7.html like EventSentry then it will send a mes...
Yes a selfsigned certificate can be substituted for the certificate that is automatically generated by the Network Services when you enable Syslog TLS. You will need to provide a passwordprotected PKCS12 archive file with a .PFX extension. Download the Microsoft PSEXEC utility and copy the utility to the machine where the EventSentry N...
Yes please navigate to https://www.eventsentry.com/support/documentation to download the help file and/or quickstart guide. Both documents are available in the following formats: Microsoft Help.chm Adobe PDF.pdf HTML.htm Multimedia Help.exe
Yes it is recommended that you uninstall EventSentry Light with the setup application prior to installing the trial or full version of EventSentry. You will not need to uninstall the agents service from remote machines simply use Remote Update to update the agents on the remote machines once you have installed the trial version.
If you use the builtin Postgres database you may need to optimize it: https://www.eventsentry.com/kb/232 If you use Microsoft SQL as your database you may need to optimize it: https://www.eventsentry.com/kb/35 If the recommended optimizations do not help please contact our support department for more indepth assistance. If you have a...
This error reported by Windows usually appears when Client for Microsoft Networks and/or NetBIOS are not installed on the management workstation and target machines for example when using Novell software. You will need to make sure that the Client for Microsoft Networks is installed when using remote update to install agents on remote...
The EVENTSENTRYSVC.LOG file located in the SYSTEMROOT directory usually c:\winnt or c:\windows is the debug log file of the EventSentry agent. To reduce the size of this file set the Debug Level option in Service Control to None or Low and restart the EventSentry service. The contents of this file are always cleared when the ...
It is important that filters using summary notifications are NOT configured to notify All Targets. When using summary notifications make sure that one and only one target is present in the filters Targets list of the General tab.
After making configuration changes on your management workstation you will need to use the Update Configuration feature of remote update to push the updated configuration to your remote machines. Rightclick the Computers container of the group you want to update and select Update Configuration. In the next dialog make sure that the co...
When using ODBC targets you will need to make sure that: The System DSN referenced in the ODBC target is present on all computers writing to the database. This requirement does not apply to version 2.50 and higher which also supports connection strings. Otherwise you can use AutoAdministrator to push out DSN names to remote machines. ...