EventSentry Cookbook II

Part 2: User Information

Note: This applies to EventSentry version 3.5.1.32

HOW TO:

Find a stale RDP session on a server that is locking out an account:

  • Open the EventSentry Web reports and log in
  • Navigate to Reports -> Compliance
  • Click on the Terminal Services Logons report in the HIPAA section (or click Run, on the right side)
  • The Search filter will already have type:”Terminal Services” in it. Add the following after a space: AND user:<domain>\<username> to filter for a specific user
  • Any session still logged in will show “still logged on…” in the Logout column

Produce a report that shows all logon events for a specified user ID:

  • Open the EventSentry Web reports and log in
  • Navigate to Reports -> Compliance
  • Click on Account Authentication Analysis (bottom of the HIPAA section)
  • Click the Detailed button in upper left
  • The Search filter will already have computertype:”Terminal Services” in it. Add the following after a space: AND account:<username> to filter for a specific user

See a top 20 list of both successful and failed logons:

  • Open the EventSentry Web reports and log in
  • Navigate to Dashboard -> Overview -> User Activity
  • Click on a server’s tile to view its statistics on the left side

See all user lockouts over a given time period:

  • Open the EventSentry Web reports and log in
  • Navigate to Reports -> Compliance
  • Click on User Account Lockouts (middle of the NIST 800-171 section)
  • Adjust the time range in the upper right

See more at: https://www.eventsentry.com/

EventSentry Cookbook I

Part 1: Computer Information

Note: This applies to EventSentry version 3.5.1.32

HOW TO:

Produce a list of all servers in EventSentry:

  • Open the EvenSentry Management Console on your EventSentry server
  • Click the Groups tab
  • Click the Export button; this creates a comma-delimited text file in the format: server group,name,IP

Remove a server that no longer exists from the Heartbeat Monitor dashboard:

  • Open the EvenSentry Management Console on your EventSentry server
  • Find the computer name in the list; right-click and choose delete
  • Since the computer is no longer up and uninstalling the agent isn’t possible, choosing “Delete Computer(s) Only” is appropriate
  • In the ribbon or on the Home tab, click Save
  • Open services.msc and restart the EventSentry Heartbeat Monitor service

View the dashboard info for a specific server (gives basic hardware/OS stats, recent errors, disk space, logged on users, etc.):

  • Open the EventSentry Web reports and log in
  • Navigate to Dashboard -> Overview -> Computer Dashboard
  • Click [Change] next to the computer name to choose a target server

Get a quick overview of all servers, showing current OS, CPU and disk usage:

  • Open the EventSentry Web reports and log in
  • Navigate to Dashboard -> Overview -> Network Status

Show a heatmap of all servers to quickly spot hosts with warning/error conditions:

  • Open the EventSentry Web reports and log in
  • Navigate to Dashboard -> Overview -> Health Matrix
  • Click on a server’s tile to view its statistics on the left side

Produce a report showing point-in-time network status of a server, with availability metrics:

  • Open the EventSentry Web reports and log in
  • Navigate to Network -> Heartbeat -> Status

Produce a report showing when the EventSentry Heartbeat monitor detected packet loss:

  • Open the EventSentry Web reports and log in
  • Navigate to Network -> Heartbeat -> History
  • Click Detailed button in upper left
  • Default view is of any status changes within the past 24 hours
  • Use the drop-down in the upper right to change the time range
  • To view heartbeat history for a specific server, in the Search box along the top type:
    • Computer:<servername> (entering the appropriate server’s NetBIOS name)
    • Click the Search button in the upper right

Produce a graph showing a history of a server’s response time on the network:

  • Open the EventSentry Web reports and log in
  • Navigate to Network -> Heartbeat -> Response Times
  • Choose a server in the drop-down box in the upper left

See if any servers have rebooted recently:

  • Open the EventSentry Web reports and log in
  • Navigate to Reports -> Built-in
  • Click on the “Recent Reboots” report
  • Choose the appropriate time frame from the drop-down in the upper right

Produce a report showing a history of server restarts, including uptime and who/what initiated the restart:

  • Open the EventSentry Web reports and log in
  • Navigate to Network -> Heartbeat -> Uptime
  • Click Detailed button in upper left
    • Default view is of any status changes within the past 24 hours
    • Use the drop-down in the upper right to change the time range
  • To view heartbeat history for a specific server, in the Search box along the top type:
    • Computer:<servername> (entering the appropriate server’s NetBIOS name)
    • Click the Search button in the upper right

Produce a report showing all IPs and MAC address associations on the monitored network:

  • Open the EventSentry Web reports and log in
  • Navigate to Network -> ARP -> Status

Produce a report showing a history of a server’s statistics over time (CPU & memory usage, network utilization, disk queue, CPU or memory by application, etc.):

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Performance -> Trends
  • Choose a server in the drop-down box in the upper left
  • Choose a performance counter to view in the list along the left side
    • If more than one counter is desired at a time, click the multi-select switch on the bottom left; part of the switch icon will turn blue when it is toggled on
  • By default, “last 12 hours,” “last 2 days,” and “last week” are shown. A specific time range can be chosen from the drop-down in the upper right

Compare a particular performance statistic between two or more servers:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Performance -> Trends
  • Click the Counter button on the lower left (it toggles off Computer when you do)
  • Choose a performance counter to view in drop-down on the top left
  • Select which servers to view in the list along the left side
  • By default, “last 12 hours,” “last 2 days,” and “last week” are shown. A specific time range can be chosen from the drop-down in the upper right

Collect historical performance statistics to include in a custom spreadsheet:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Performance -> History
  • WARNING: for all counters in one server over a week’s time, this will produce thousands of results, so filtering is highly advised
  • In the Search box, filter your results by Computer:<servername> AND <insert counter here>; you can choose from the prompts that appear as you start to type
  • Choose the time range in the upper right
  • Click on the CSV link in the upper left to export result to a comma separated values file

Show current drive usage and a prediction on when each drive would fill up:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Diskspace -> Usage
  • Click the Detailed button in upper left
  • By default, this gives all drives on all servers
  • Filtering by server name in the Search box (computer:<servername>) will refine the results to all drives on that server

Get a visual representation of drive usage trends over several days:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Diskspace -> Trends
  • Choose the server from the drop-down in the upper left
  • A specific time range can be chosen from the drop-down in the upper right

Find the largest individual files on any given server:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Diskspace -> Large Files
  • Click the Detailed button in upper left
  • If you wish to filter by a specific file, note that you have to “escape” the backslash character when using it in the Search box, e.g.
    • file:C:?\pagefile.sys

Get a comprehensive list of every driver or service that is either running or stopped:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Services -> Status
  • Click the Detailed button in upper left
  • To get a list of, for example, all stopped drivers, in the Search box enter: driver:Yes AND status:Stopped

Produce an inventory report of every server with an EventSentry agent installed on it, including name, OS, make, model, serial number, and BIOS version:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Inventory -> Hardware / OS
  • Click the Detailed button in upper left

View detailed inventory info for a specific server (shows hardware info including specific expansion cards and drives installed, as well as a software inventory):

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Inventory -> Host
  • Click [Change] next to the computer name in the upper left to choose a target server

See all scheduled tasks on a given server as well as their states and most recent results:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Scheduled Tasks -> Status
  • WARNING: this shows ALL scheduled tasks, including those created and used by the system. Even a stock server could have well over 200.
  • In the Search box, filter your results by Computer:<servername>; you can choose from the prompts that appear as you start to type

Check to see if any Task Scheduler tasks have been altered within a given period:

  • Open the EventSentry Web reports and log in
  • Navigate to Health Scheduled Tasks History
  • Click the Detailed button in upper left
  • Adjust the time range in the upper right and/or filter by server in the Search box

See a list of all installed software:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Software -> Installed Software
  • Click the Detailed button in upper left
  • If desired, filter your results by typing Computer:<servername> in the Search box, or Application: and choosing from the drop-down prompt

Check to see if any applications have been altered in a given time period:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Software -> Software History
  • Click the Detailed button in upper left
  • Adjust the time range in the upper right and/or filter by computer in the Search box

See a list of all Microsoft patches installed:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Software -> Installed Patches
  • Click the Detailed button in upper left
  • If desired, filter your results by typing Computer:<servername>; results can be ordered by Install Date

Check to see if any Microsoft Patches have been installed during a given period:

  • Open the EventSentry Web reports and log in
  • Navigate to Health -> Software -> Patch History
  • Click the Detailed button in upper left
  • Adjust the time range in the upper right and/or filter by server in the Search box

See if any system files have been changed:

  • Open the EventSentry Web reports and log in
  • Navigate to Search -> File Activity -> Checksum History (FIM)
  • Click on the Change Detection (FIM) report in the PCI-DSS section (or click Run, on the right side)
  • Click the Detailed button in upper left
  • Adjust the time range in the upper right and/or filter by server in the search box

See more at: https://www.eventsentry.com/

Hello world!

For an IT blog, this is actually an appropriate first title. Thanks WordPress!

In an industry built on precision, I have found over the years that we sometimes forget how to boil down what we’re saying to what really needs to be said.

It’s not always easy for me, either; I have a tendency to want to be complete rather than sparing with my writing. This is a growth process for me, and maybe you’ll find something worthwhile among my ramblings.

Like nearly everyone else in IT, I’m making this up as I go along. Let’s see what happens…