WhatsUp Event Rover - Advanced Log Review Capability for all Networks and IT Budgets

WhatsUp Event Rover® provides a revolutionary new way to view and mine event logs for routine review or for emergency incident response. It is an easy-to-use tool that enables "hands-free" sorting and minimizes potential harm to original event log stores while doing forensics or just routine log review. In versions 2.5 and later, the EVTX log file format is supported, enabling a hassle-free transition from EVT format logs (Windows NT, XP® and Windows Server 2003®) to the EVTX format (Windows Vista®, Windows Server 2008®, Windows 7® and later). And with WhatsUp Event Rover's attractive pricing, log review capability is available for networks and IT budgets of all sizes. With WhatsUp Event Rover you can:
Key Capabilities of WhatsUp Event Rover include:

Simplified Mining of Log Data Using Tree-Views

At the heart of WhatsUp Event Rover's revolutionary approach to log file review is its tree-view structure. With WhatsUp Event Rover, accuracy is improved and the opportunities for error are minimized. WhatsUp Event Rover takes the guesswork out of spot-checking log files for security events too: all common security event identifiers are paired with friendly descriptions throughout the application.
Export of Event Log Data

Basic ad-hoc reporting and data exporting are available in WhatsUp Event Rover right out of the box, with no additional configuration needed. HTML reports can be generated rapidly from any branch of the currently viewed tree, with on-screen values reproduced faithfully in the report. Related groups of events can be exported to comma-delimited text for further review or for import into spreadsheets, databases, or the WhatsUp Event Analyst® application. Network administrators and forensic examiners can add comments to any reports they create in order to further explain what the data represents.
Maintains Log File Integrity During Review

WhatsUp Event Rover provides the additional assurance that routine review or spot audits will not affect the integrity of log file stores. All review is done on a backup copy of the log file copied to the local computer. WhatsUp Event Rover never clears the active log file. If the event log yields important findings, administrators can easily add the backup copy, with any modifications, to WhatsUp Event Rover's library of saved logs for further review or forensic analysis.
Cutting Edge EVTX Log Handling Capabilities

With version 2.5 and later, WhatsUp Event Rover features WhatsUp Gold's exclusive LogRefiner™ and LogHealer™ technologies. This means WhatsUp Event Rover can now work with EVTX log files when installed on a Windows Vista® or later operating system. Through WhatsUp Gold's LogHealer™ technology, it can even alert the administrator to a potentially corrupt EVTX file at load. It also repairs a copy of the file automatically for viewing in WhatsUp Event Rover, leaving the master unchanged.
Critical Security Incident Discovery

Often, network administrators need to determine whether a log file contains a pattern of events. For example, multiple logon failures in a very short period of time might constitute a brute-force password attack, and a flood of error messages from the same source within a few minutes could indicate a potential hardware or software problem. WhatsUp Event Rover allows the administrator to define and save "incidents" and look for these event patterns. Once a log is loaded into memory, a WhatsUp Event Rover user can elect to scan the log for any incident occurrences that match these criteria and then review the individual events that make up each occurrence. From there, an administrator only needs to press one additional button to export those events to a CSV file or to build an HTML report of the findings.
LogRefiner™ Technology and EVTX Compatibility
Incident Discovery

Often, it is useful to determine whether a log file contains a pattern of events. For example, multiple logon failures in a very short period of time might constitute a brute-force password attack, and a flood of error messages from the same source within a few minutes could indicate a potential hardware or software problem.
WhatsUp Event Rover now allows the administrator to define and save "incidents" and look for these event patterns. Once a log is loaded into memory, a WhatsUp Event Rover user can elect to scan the log for any incident occurrences that match these criteria and then review the individual events that make up each occurrence. From there, an administrator only needs to press one additional button to export those events to a CSV file or to build an HTML report of the findings.
Quick Filtering At Load

WhatsUp Event Rover 2.5 supports quick filtering of logs at load by Event ID ranges. Administrators can define and save quick filters that target inclusive and exclusive lists of Event IDs, simply by checking them off a predefined list complete with friendly descriptions. While quick filtering at load is fastest with the new EVTX format, quick filters also work with legacy EVT files and greatly speed load time. Administrators can now work with auditors to build lists of events that must be reviewed and save those lists as a quick filter. Time and effort are greatly reduced by loading only the events you need.
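The two mechanisms described above, an Event ID quick filter applied at load and an "incident" defined as a burst of matching events from one source inside a time window, can be reproduced in a few lines over a CSV export. The following is an added example written for this page, not WhatsUp Event Rover's own code: the CSV layout (time, event_id, source, message) and the sample rows are constructed, and Event ID 4625 is the standard Windows Security-log "An account failed to log on" record.

```python
"""
Added example (not WhatsUp Event Rover's code): an Event ID quick filter and
a sliding-window incident scanner over a CSV export of Windows event records.

Assumptions (constructed for this example):
  - CSV columns: time (ISO 8601), event_id, source, message
  - Event ID 4625 is the Security-log "An account failed to log on" record
  - An "incident" is N matching events from the same source inside T seconds
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: three rapid logon failures from one host,
# one failure from another host, and some unrelated events.
SAMPLE_CSV = """time,event_id,source,message
2024-01-10T08:00:01,4624,HOST-A,An account was successfully logged on
2024-01-10T08:00:05,4625,HOST-B,An account failed to log on
2024-01-10T08:00:09,4625,HOST-B,An account failed to log on
2024-01-10T08:00:14,4625,HOST-B,An account failed to log on
2024-01-10T08:00:20,4625,HOST-C,An account failed to log on
2024-01-10T08:05:00,4625,HOST-B,An account failed to log on
2024-01-10T08:05:02,6008,HOST-A,The previous system shutdown was unexpected
"""


def load_events(text):
    """Parse the CSV export into dicts with a real datetime and int event_id."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def quick_filter(events, include=None, exclude=()):
    """Apply an inclusive and/or exclusive Event ID list at load, the way the
    page's quick filters do. include=None means 'keep every Event ID'."""
    return [e for e in events
            if (include is None or e["event_id"] in include)
            and e["event_id"] not in exclude]


def find_incidents(events, event_id, threshold, window):
    """Sliding-window scan: report every (source, events) group in which at
    least `threshold` events with `event_id` from one source fall inside
    `window`. Each incident carries the events that made the window fire."""
    incidents = []
    recent = defaultdict(deque)          # source -> events still inside window
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["event_id"] != event_id:
            continue
        q = recent[e["source"]]
        q.append(e)
        while q and e["time"] - q[0]["time"] > window:
            q.popleft()                  # drop events that aged out
        if len(q) >= threshold:
            incidents.append((e["source"], list(q)))
            q.clear()                    # start a fresh window after a hit
    return incidents


def scan_for_brute_force(text, threshold=3, window_seconds=60):
    """Quick-filter to logon failures, then look for bursts per source."""
    events = quick_filter(load_events(text), include={4625})
    return find_incidents(events, 4625, threshold,
                          timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for source, evs in scan_for_brute_force(SAMPLE_CSV):
        print(f"incident: {len(evs)} logon failures from {source} "
              f"between {evs[0]['time']} and {evs[-1]['time']}")
```

On the sample data the scanner reports one incident, three failures from HOST-B within nine seconds; the later HOST-B failure at 08:05 is outside the window and is not counted. Raising the threshold or shrinking the window is how the same "incident" definition is tuned to a site's normal failure rate.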
LogHealer™ Technology and Surrogate Message File Loading Aid Forensic Analysis

In some situations, EVTX log files can experience corruption that makes them unreadable in the native event viewer. A common example is an EVTX log file recovered from a machine that was shut down "dirty," as can happen during "pull the plug" investigations. Even if the traditional event viewer can read the log file, it may automatically change data structures in the recovered file at load without prompting for confirmation, leading to an unintended change in the original evidentiary log file. Dorian Software's exclusive LogHealer™ Technology alerts the administrator to a potentially corrupt EVTX file at load and allows them to make repairs to a copy of the file, leaving the master unchanged. The repaired copy is then loaded into WhatsUp Event Rover for review and analysis.
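The working pattern the page describes here and under "Maintains Log File Integrity During Review" (hash the master, copy it, inspect and repair only the copy, prove the master is untouched) is shown below as an added example written for this page, not LogHealer's code. The EVTX file-header layout and dirty flag come from the publicly documented format; the sample file, the name Security.evtx and the flag-clearing "repair" are constructed assumptions, and the repair step is only a header-level illustration, not the vendor's recovery logic.

```python
"""
Added example (not LogHealer's code): forensic-safe triage of a recovered
EVTX file. The master is hashed and never opened for writing; inspection and
any repair happen on a copy, and the master hash is re-checked afterwards.

EVTX file-header layout used here (publicly documented format):
  0x00  8 bytes  signature "ElfFile\\0"
  0x08  8 bytes  first chunk number       0x10  8 bytes  last chunk number
  0x18  8 bytes  next record identifier   0x20  4 bytes  header size (128)
  0x24  2 bytes  minor version            0x26  2 bytes  major version
  0x28  2 bytes  header block size (4096) 0x2A  2 bytes  number of chunks
  0x2C  76 bytes unused
  0x78  4 bytes  file flags (bit 0 = dirty, bit 1 = full)
  0x7C  4 bytes  CRC32 of the first 120 bytes
Only the header is checked; chunk-level validation is out of scope here.
"""
import hashlib
import shutil
import struct
import tempfile
import zlib
from pathlib import Path

DIRTY = 0x0001
FULL = 0x0002


def build_sample_evtx_header(flags, corrupt_checksum=False):
    """Constructed 4096-byte header block standing in for a recovered log."""
    body = struct.pack("<8sQQQIHHHH", b"ElfFile\x00", 0, 0, 1, 128, 1, 3, 4096, 1)
    body += b"\x00" * 76                          # unused region, 120 bytes so far
    crc = zlib.crc32(body) & 0xFFFFFFFF           # checksum covers bytes 0..119
    if corrupt_checksum:
        crc ^= 0xDEADBEEF                         # simulate damage to the header
    body += struct.pack("<II", flags, crc)
    return body + b"\x00" * (4096 - len(body))


def inspect_header(path):
    """Read-only triage of the first 128 bytes; never modifies the file."""
    with open(path, "rb") as f:
        hdr = f.read(128)
    if len(hdr) < 128 or hdr[:8] != b"ElfFile\x00":
        return {"valid_signature": False}
    flags, stored_crc = struct.unpack_from("<II", hdr, 120)
    calc_crc = zlib.crc32(hdr[:120]) & 0xFFFFFFFF
    return {
        "valid_signature": True,
        "dirty": bool(flags & DIRTY),             # set on a "dirty" shutdown
        "full": bool(flags & FULL),
        "checksum_ok": stored_crc == calc_crc,
    }


def sha256_of(path):
    """Streamed SHA-256 so the master can be verified before and after."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_copy(master, workdir):
    """Hash the master, copy it, inspect the copy, fix the copy if needed,
    and report whether the master is still byte-identical."""
    before = sha256_of(master)
    work = Path(workdir) / (Path(master).name + ".work")
    shutil.copyfile(master, work)
    findings = inspect_header(work)
    if findings.get("dirty"):
        # Illustrative header-level fix on the COPY only: clear the dirty flag.
        # This is an assumption for the example, not the vendor's repair
        # logic, and it does not recover damaged chunks.
        with open(work, "r+b") as f:
            f.seek(120)
            flags = struct.unpack("<I", f.read(4))[0] & ~DIRTY
            f.seek(120)
            f.write(struct.pack("<I", flags))
        findings["repaired_copy"] = str(work)
    return findings, sha256_of(master) == before


def demo(flags=DIRTY, corrupt_checksum=False):
    """Write a constructed master into a temp dir, triage it, and return
    (findings on the copy, master unchanged?, copy still dirty afterwards?)."""
    with tempfile.TemporaryDirectory() as d:
        master = Path(d) / "Security.evtx"            # constructed sample name
        master.write_bytes(build_sample_evtx_header(flags, corrupt_checksum))
        findings, unchanged = triage_copy(master, d)
        after = inspect_header(findings.get("repaired_copy", master))
        return findings, unchanged, after.get("dirty")


if __name__ == "__main__":
    findings, unchanged, copy_dirty = demo()
    print("findings on copy:", findings)
    print("master unchanged:", unchanged, "| copy still dirty:", copy_dirty)
```

The hash comparison is the evidentiary control: whatever the viewer or repair step does to the working copy, the examiner can show the recovered master was never written to. Because the header checksum does not cover the flags field, a dirty flag alone does not make the checksum fail; a checksum mismatch points at damage to the header itself and is reported separately.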
Specify Alternate Computer Lookups

Another new feature that is helpful to forensic examiners is the ability to specify an alternate computer for message file and metadata lookups. Both the EVT and EVTX log file formats contain references to message file data that must be resolved and loaded in order to present completely parsed information. For a log file that came from a foreign network, the original computer will be inaccessible for these lookups, so as an alternative a forensic examiner can specify a different computer on the local network that matches the OS version of the machine the recovered log file came from. Doing so allows message file lookups to function properly.