Event Rover - Dorian Software Creations' Tool for Log File Analysis and Forensics

WhatsUp Event Rover - Advanced Log Review Capability for all Networks and IT Budgets

WhatsUp Event Rover® provides a new way to view and mine event logs for routine review or for emergency incident response. It is an easy-to-use tool that sorts log data into grouped tree views without manual effort and works on a copy of each log, so forensic work and routine review leave the original event log stores untouched. In versions 2.5 and later, the EVTX log file format is supported, easing the transition from EVT format logs (Windows NT, 2000, XP® and Windows Server 2003®) to the EVTX format (Windows Vista®, Windows Server 2008®, Windows 7® and later). And with WhatsUp Event Rover's attractive pricing, log review capability is available for networks and IT budgets of all sizes.

With WhatsUp Event Rover you can:

  • Effortlessly sort and filter Windows log files using grouped tree views
  • Perform routine review and spot audits without affecting the integrity of master log files
  • Export and run basic HTML format reports right out of the box
  • Discover potential security incidents that match previously defined event patterns
  • Define, save and run filters during initial load to speed up log viewing
  • Recover and view damaged log files without changing the original copy
  • Use it standalone or as part of the complete WhatsUp family of Event Log Management Solutions

WhatsUp Event Rover Features

Log Mining and Viewing

  • Review data from active and previously saved event log (.EVT and .EVTX) files
  • Review log data from the WhatsUp Event Archiver stored database
  • Sort event log data effortlessly into user-customizable trees of grouped fields
  • Dynamically regroup event log data on the fly based on field groupings
  • Export related data to comma-delimited text
  • Export grouped event log data to an HTML report, with the ability to add comments explaining the data contained within the report
  • Filter log data at load using an absolute or relative date range
  • Filter log data by other event log fields
  • Create friendly descriptions for common event identifier numbers

Management and Administration

  • Present summary information (log size, number of events, number of events of a specific type, user accounts found) to the administrator upon log opening
  • Save frequently used filters to a local database for easy access
  • Perform NTFS compression of the local event logs database to maximize storage
  • Locally cache saved event log information to speed future review and allow for offsite review of saved event logs
  • Enable quick access for researching event identifiers at www.eventlogs.com, the WhatsUp Event Log Management event logs resource site, as well as other online resources

New Features in Event Rover 3.0

LogRefiner technology has been extended so that Event Rover can read EVTX log files while installed on legacy operating systems. Administrators running Windows 2000, XP or Server 2003 can review log files from Windows® 7, Vista® and Server 2008 without difficulty.

Report output format has been overhauled and improved

Key Capabilities of WhatsUp Event Rover include:

Simplified Mining of Log Data Using Tree-Views

At the heart of WhatsUp Event Rover's approach to log file review is its tree-view structure: events are grouped by the fields you choose, so the reviewer walks a tree of sources, event identifiers or user accounts instead of scrolling through a flat list. This improves accuracy and reduces the opportunity for error. WhatsUp Event Rover also takes the guess work out of spot checking log files for security events: all common security event identifiers are paired with friendly descriptions throughout the application.

Export of Event Log Data

Basic ad-hoc reporting and data exporting are available in WhatsUp Event Rover right out of the box, with no additional configuration needed. HTML reports can rapidly be generated from any branch of the currently viewed tree, with on-screen values reproduced faithfully in the report. Related groups of events can be exported to comma-delimited text for further review or import into spreadsheets, databases, or the WhatsUp Event Analyst® application. Network administrators and forensic examiners can add comments to any reports they create, in order to further explain what the data represents.

Maintains Log File Integrity During Review

WhatsUp Event Rover provides the additional assurance that routine review or spot audits will not affect the integrity of log file stores. All review is done on a backup copy of the log file copied to the local computer; WhatsUp Event Rover never clears the active log file. If the event log yields important findings, administrators can add the backup copy, with any modifications made during review, to WhatsUp Event Rover's library of saved logs for further review or forensic analysis.

Cutting Edge EVTX Log Handling Capabilities

With version 2.5 and later, WhatsUp Event Rover includes WhatsUp Gold's exclusive LogRefiner™ and LogHealer™ technologies. WhatsUp Event Rover can therefore work with EVTX log files when installed on a Windows Vista® or later operating system. Through LogHealer™, it also alerts the administrator to a potentially corrupt EVTX file at load, repairs a copy of the file automatically for viewing in WhatsUp Event Rover, and leaves the master unchanged.

Critical Security Incident Discovery

Often, network administrators need to determine whether a log file contains a pattern of events. For example, multiple logon failures in a very short period of time might constitute a brute force password attack, and a flood of error messages from the same source within a few minutes could indicate a hardware or software problem. WhatsUp Event Rover allows the administrator to define and save "incidents" describing such patterns. Once a log is loaded into memory, a WhatsUp Event Rover user can scan the log for any incident occurrences that match these criteria and then review the individual events that make up each occurrence. From there, one additional button exports those events to a CSV file or builds an HTML report of the findings.
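The brute-force and error-flood patterns described above, implemented as an added example (Python, not WhatsUp Event Rover's own code) over a handful of constructed event records. A rule names the event identifiers that count, the field that ties events together, and how many must fall inside a time window; the scan reports each occurrence with the events that formed it, and an export helper produces the comma-delimited text a reviewer would hand on. The field names, timestamps, addresses and thresholds are assumptions made for the example.

```python
"""Incident discovery over parsed event records: N matching events within a
sliding time window, grouped by a chosen field. Added example, not Event
Rover code; SAMPLE_EVENTS is constructed data, not a real log."""
import csv
import io
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

SEC = "Microsoft-Windows-Security-Auditing"
SCM = "Service Control Manager"

# Constructed records in the shape a parsed EVT/EVTX event takes after load:
# ISO timestamp, event ID, source (provider) and fields pulled from the description.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:00:00", "id": 4625, "source": SEC, "user": "jdoe", "ip": "10.0.0.7"},
    {"time": "2024-03-01T08:00:05", "id": 4625, "source": SEC, "user": "jdoe", "ip": "10.0.0.7"},
    {"time": "2024-03-01T08:00:09", "id": 4625, "source": SEC, "user": "jdoe", "ip": "10.0.0.7"},
    {"time": "2024-03-01T08:00:12", "id": 4624, "source": SEC, "user": "alice", "ip": "10.0.0.9"},
    {"time": "2024-03-01T08:00:14", "id": 4625, "source": SEC, "user": "jdoe", "ip": "10.0.0.7"},
    {"time": "2024-03-01T08:00:20", "id": 4625, "source": SEC, "user": "jdoe", "ip": "10.0.0.7"},
    {"time": "2024-03-01T08:45:00", "id": 4625, "source": SEC, "user": "alice", "ip": "10.0.0.9"},
    {"time": "2024-03-01T09:10:00", "id": 7031, "source": SCM, "user": "", "ip": ""},
    {"time": "2024-03-01T09:10:30", "id": 7034, "source": SCM, "user": "", "ip": ""},
    {"time": "2024-03-01T09:11:10", "id": 7031, "source": SCM, "user": "", "ip": ""},
]


@dataclass(frozen=True)
class IncidentRule:
    """A saved "incident" definition (field names are this example's assumption)."""
    name: str
    event_ids: frozenset      # identifiers that count toward the pattern
    group_by: str             # field shared by all events of one occurrence
    threshold: int            # how many matching events make an occurrence
    window: timedelta         # ...within this much time


BRUTE_FORCE = IncidentRule("Possible brute force", frozenset({4625}), "ip", 5, timedelta(seconds=60))
ERROR_FLOOD = IncidentRule("Service error flood", frozenset({7031, 7034}), "source", 3, timedelta(minutes=2))


def find_incidents(events, rule):
    """Return one entry per occurrence: the grouping key plus the events that formed it."""
    occurrences = []
    recent = defaultdict(deque)   # group key -> matching events still inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] not in rule.event_ids:
            continue
        key = ev[rule.group_by]
        now = datetime.fromisoformat(ev["time"])
        q = recent[key]
        q.append(ev)
        # Drop events that have aged out of the window relative to this one.
        while now - datetime.fromisoformat(q[0]["time"]) > rule.window:
            q.popleft()
        if len(q) >= rule.threshold:
            occurrences.append({"rule": rule.name, "key": key, "events": list(q)})
            q.clear()   # report one burst once; start counting afresh
    return occurrences


def export_csv(occurrence):
    """Comma-delimited text for one occurrence, as the reviewer would export it."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["time", "id", "source", "user", "ip"])
    writer.writeheader()
    writer.writerows(occurrence["events"])
    return buf.getvalue()


if __name__ == "__main__":
    for rule in (BRUTE_FORCE, ERROR_FLOOD):
        for occ in find_incidents(SAMPLE_EVENTS, rule):
            print(f"{occ['rule']}: {occ['key']} ({len(occ['events'])} events)")
            print(export_csv(occ))
```

On the sample data the brute-force rule fires once (five 4625 events from 10.0.0.7 inside 20 seconds; the single failure for alice 45 minutes later does not reach the threshold) and the error-flood rule fires once for the Service Control Manager burst.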

 


LogRefiner™ Technology and EVTX Compatibility

  • EVTX Log Format Support for Windows Vista, Windows Server 2008, Windows 7 and Beyond with LogRefiner™ Technology

    Dorian's exclusive LogRefiner™ Technology enables WhatsUp Event Rover to work with EVTX log files when installed on a Microsoft Windows Vista® or later operating system. Copies are made of live EVTX log files from Windows Vista, Server® 2008 and Windows 7 systems and transferred to the machine running WhatsUp Event Rover for fastest processing. Previously saved EVTX log files from a local or foreign network can also be read and processed.
  • Downlevel EVT File Processing in Windows Vista, Server 2008 and Windows 7

    Dorian's exclusive LogRefiner™ technology can read, filter and report on EVT files from downlevel systems directly alongside the EVTX files from Windows Vista and newer operating systems. This stands in contrast to the native Event Viewer, which must convert a downlevel EVT file to EVTX before it can seek through it.

    With WhatsUp Event Rover's exclusive technology, no information goes missing when reading and displaying EVT log data: all event log fields are processed properly the first time.
  • Field Consistency Across Logs

    In the Windows Vista, Server 2008 or Windows 7 Security Log, the User field of an event is not populated when the event is logged; the record carries no user SID, and all information about the user performing the action (or affected by it) is placed in the 'Description' field of the event instead.

    WhatsUp Event Rover, however, places the most relevant user information back into the User field as it reads and processes EVTX files. By keeping log data and its formatting consistent across EVT and EVTX logs, this feature greatly aids the administrator or compliance officer in charge of periodically reviewing logs for critical forensic information.
  • Success Audits Versus Failure Audits Defined

    Another major change in the Windows security event log (in Vista and later) is that all security events are recorded at the same level and displayed as "Information." To discern whether an event represents a failed or successful action, the administrator must refer to the Keywords field of the event, which carries "Audit Success" or "Audit Failure."

    But WhatsUp Event Rover, when working with security EVTX files, records whether each event was a Success Audit or Failure Audit, greatly aiding the reviewer of log data generated from both EVT and EVTX log files.
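Both points above, the empty User field and the Keywords-based audit type, can be seen in the XML form of an EVTX security event. The following is an added example in Python, not Event Rover's LogRefiner code: it parses constructed event XML in the layout that `wevtutil qe <log> /f:xml` (or Get-WinEvent's ToXml()) emits, rebuilds a User column from the TargetUserName/SubjectUserName description fields when the record carries no SID, decodes the Audit Success/Audit Failure keyword bits, and produces the per-type counts and account list a reviewer sees at load. The field-name precedence and the sample records are assumptions of the example; the keyword bit values and level numbers are the standard Windows ones.

```python
"""Reading Vista-and-later (EVTX) security events: fill the User column from
the description fields and derive Success/Failure Audit from Keywords.
Added example, not Event Rover code; SAMPLE_EVENTS_XML is constructed."""
from collections import Counter
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Standard audit keyword bits in <Keywords> (bit 63 is set on every keyword
# value Windows writes, so 0x8010... is failure and 0x8020... is success).
AUDIT_SUCCESS_BIT = 1 << 53
AUDIT_FAILURE_BIT = 1 << 52
LEVEL_NAMES = {"1": "Critical", "2": "Error", "3": "Warning", "4": "Information", "5": "Verbose"}

# Description fields tried, in order, to rebuild the User column. Assumption of
# this example: logon/account audit events use these names; other providers differ.
USER_FIELDS = (("TargetUserName", "TargetDomainName"), ("SubjectUserName", "SubjectDomainName"))

SAMPLE_EVENTS_XML = [
    # Constructed: a failed logon (4625) in the Security log; note the empty <Security/>.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
  <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
  <Level>0</Level><Task>12544</Task><Keywords>0x8010000000000000</Keywords>
  <TimeCreated SystemTime="2024-03-01T08:00:05.000000000Z"/><EventRecordID>10001</EventRecordID>
  <Channel>Security</Channel><Computer>WS01.corp.example</Computer><Security/></System>
  <EventData><Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="SubjectUserName">-</Data>
  <Data Name="SubjectDomainName">-</Data><Data Name="TargetUserName">jdoe</Data>
  <Data Name="TargetDomainName">CORP</Data><Data Name="IpAddress">10.0.0.7</Data></EventData></Event>""",
    # Constructed: a successful logon (4624).
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
  <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <Level>0</Level><Task>12544</Task><Keywords>0x8020000000000000</Keywords>
  <TimeCreated SystemTime="2024-03-01T08:00:12.000000000Z"/><EventRecordID>10002</EventRecordID>
  <Channel>Security</Channel><Computer>WS01.corp.example</Computer><Security/></System>
  <EventData><Data Name="SubjectUserName">WS01$</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP</Data></EventData></Event>""",
    # Constructed: a System-log error whose record does carry a SID.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
  <Provider Name="Service Control Manager"/><EventID>7031</EventID><Level>2</Level>
  <Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime="2024-03-01T09:10:00.000000000Z"/>
  <EventRecordID>20001</EventRecordID><Channel>System</Channel><Computer>WS01.corp.example</Computer>
  <Security UserID="S-1-5-18"/></System>
  <EventData><Data Name="param1">Print Spooler</Data></EventData></Event>""",
]


def audit_type(keywords, level):
    """Map the Keywords bitmask (Level as fallback) to the pre-Vista event type name."""
    if keywords & AUDIT_FAILURE_BIT:
        return "Failure Audit"
    if keywords & AUDIT_SUCCESS_BIT:
        return "Success Audit"
    return LEVEL_NAMES.get(level, "Information")   # Level 0 ("Log Always") shows as Information


def parse_event(xml_text):
    root = ET.fromstring(xml_text.strip())
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    keywords = int(system.findtext("e:Keywords", "0x0", NS), 16)
    # Pre-Vista viewers filled User from the record's SID. EVTX security events
    # carry no UserID in <Security/>, so fall back to the description fields.
    security = system.find("e:Security", NS)
    user = security.get("UserID") if security is not None else None
    if not user:
        for name_field, domain_field in USER_FIELDS:
            name = data.get(name_field, "")
            if name and name != "-":            # "-" is the auditor's "not applicable"
                domain = data.get(domain_field, "")
                user = f"{domain}\\{name}" if domain and domain != "-" else name
                break
    return {
        "record_id": int(system.findtext("e:EventRecordID", "0", NS)),
        "event_id": int(system.findtext("e:EventID", "0", NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", "", NS),
        "type": audit_type(keywords, system.findtext("e:Level", "0", NS)),
        "user": user or "N/A",
        "data": data,
    }


def summarize(events):
    """The summary shown at load: event count, count per type, accounts found."""
    return {
        "events": len(events),
        "by_type": Counter(e["type"] for e in events),
        "users": sorted({e["user"] for e in events if e["user"] != "N/A"}),
    }


if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS_XML]
    for e in parsed:
        print(e["record_id"], e["event_id"], e["type"], e["user"])
    print(summarize(parsed))
```

Running it against the three constructed records yields a Failure Audit for CORP\jdoe, a Success Audit for CORP\alice, and an Error attributed to S-1-5-18, which is the consistent "User" and "Type" view that the EVT-era Event Viewer would have shown.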

 


Quick Filtering At Load

WhatsUp Event Rover 2.5 supports quick filtering of logs at load by Event ID. Administrators can define and save quick filters that include or exclude lists of Event IDs, simply by checking them off a predefined list complete with friendly descriptions. Quick filtering at load is fastest with the EVTX format, but quick filters also work with legacy EVT files and greatly reduce load time.

Administrators can work with auditors to build lists of events that must be reviewed and save those lists as a quick filter; loading only the events you need saves time and effort.

LogHealer ™ Technology and Surrogate Message File Loading Aid Forensic Analysis

In some situations, EVTX log files can become corrupt and unreadable by the native Event Viewer. A common example is an EVTX log file recovered from a machine that was shut down "dirty," as can happen during "pull the plug" investigations. Even when the traditional Event Viewer can read such a file, it may change data structures in the recovered file at load without prompting for confirmation, leading to an unintended change in the original evidentiary log file. For that reason a recovered log should be copied, and its hash recorded, before any viewer opens it.

Dorian Software's exclusive LogHealer™ Technology alerts the administrator to a potentially corrupt EVTX file at load and makes the repairs to a copy of the file, leaving the master unchanged. The repaired copy is then loaded into WhatsUp Event Rover for review and analysis.

Specify Alternate Computer Lookups

Another feature that helps forensic examiners is the ability to specify an alternate computer for message file and metadata lookups. Both EVT and EVTX records store only the event source (provider), the event identifier and the insertion strings; the description text itself is a template held in the source's message file on the originating system, which must be resolved and loaded to present completely parsed information. For a log file that came from a foreign network, the original computer is inaccessible for these lookups, so a forensic examiner can instead specify a different computer on the local network that matches the OS version of the machine the recovered log file came from. Doing so allows message file lookups to function properly; because templates differ between OS versions, a mismatched surrogate may resolve the wrong text or none at all.
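What a message file lookup actually does, as an added example in Python (not Event Rover's surrogate loading code): a record stores the source, event identifier and a list of insertion strings, and the readable description is a template from the source's message file with `%1`, `%2`, ... replaced by those strings under FormatMessage's substitution rules (`%n` line break, `%t` tab, `%%` a literal percent, `%0` end of message). The message table below is a constructed stand-in for what a surrogate computer of the right OS version would supply; when no template can be found the example falls back to showing the raw insertion strings, which is what a reviewer sees when the lookup fails. The source name, event numbers and template text are assumptions of the example, not real Windows message strings.

```python
"""Resolve an event description from a message-file template and the record's
insertion strings, following FormatMessage substitution rules. Added example,
not Event Rover code; MESSAGE_TABLE and RECORDS are constructed stand-ins."""
import re

# Tokens: %<n> with an optional printf-style "!spec!" qualifier (accepted but
# not interpreted here), or a one-character escape. Assumption: these are the
# conventions FormatMessage applies to Windows message-table resources.
_TOKEN = re.compile(r"%(\d+)(?:!([^!]*)!)?|%([ntr%!.])")
_ESCAPES = {"n": "\r\n", "t": "\t", "r": "\r", "%": "%", "!": "!", ".": "."}


def format_message(template, inserts):
    """Substitute %1..%n with inserts; an insert the record lacks stays visible as-is."""
    out, pos = [], 0
    for m in _TOKEN.finditer(template):
        out.append(template[pos:m.start()])
        pos = m.end()
        if m.group(1) is not None:
            idx = int(m.group(1))
            if idx == 0:
                return "".join(out)        # %0 ends the message with no trailing newline
            out.append(inserts[idx - 1] if idx <= len(inserts) else m.group(0))
        else:
            out.append(_ESCAPES[m.group(3)])
    out.append(template[pos:])
    return "".join(out)


# Constructed stand-in for the message tables a surrogate computer would
# provide, keyed by (source, event id). On a real system the DLL for an EVT
# source is named by EventMessageFile under
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Log>\<Source>; EVTX
# providers carry the equivalent in their manifest/resources.
MESSAGE_TABLE = {
    ("ExampleSvc", 1001): "Service %1 failed to start.%nReason: %2%nAttempt %3 of %4.",
    ("ExampleSvc", 1002): "Service %1 started in %2!d! ms.",
}

# Constructed records: what the log file itself holds for each event.
RECORDS = [
    {"source": "ExampleSvc", "id": 1001, "inserts": ["Spooler", "access denied", "2", "3"]},
    {"source": "ExampleSvc", "id": 1002, "inserts": ["Spooler", "42"]},
    {"source": "ForeignApp", "id": 42, "inserts": ["x", "y"]},   # no message file available
]


def render_description(source, event_id, inserts, table=MESSAGE_TABLE):
    template = table.get((source, event_id))
    if template is None:
        # No message file reachable (foreign network, no matching surrogate):
        # all a viewer can show is the raw insertion strings.
        return "No message file for source '%s' event %d; insertion strings: %s" % (
            source, event_id, ", ".join(inserts))
    return format_message(template, inserts)


if __name__ == "__main__":
    for r in RECORDS:
        print(render_description(r["source"], r["id"], r["inserts"]))
        print("---")
```

The fallback branch is the situation the alternate-computer feature exists to avoid: without a reachable message file the reviewer gets the insertion strings but not the sentence that gives them meaning.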