Event Log Summary Report

An Event Log Summary Report is defined as a report that displays a count of the top entries with a short description next to each entry. This report is typically used by network administrators and compliance and audit professionals to view a summary of the top logged events on Windows Servers.

Event Log Summary Reports are an implementation of the standard Event Log Consolidation Report with options set to generate the summary of unique events. The combination of each Source and Event ID defines an Event as unique. In other words, within each Event Log, each Source must be unique, then, within each Source, each Event ID must be unique. The result is a composite key comprised of the Source and Event ID.

Account Lockout Report Tutorial on YouTube

How to create an Event Log Report

The Sample Reports include an implementation of an Event Log Summary Report. To view the sample report:

The Logs Tab

  • Selecting the Logs Tab reveals that the Application, Security and System logs are selected. For more information on the Logs Tab see Assign Event Logs.

The Columns Tab

  • Selecting the Columns Tab reveals the column definitions, sort rules and group by rules.
  • Notice that the first column in the list of columns is Count. This column displays the count of distinct entries.
  • To extract and display a summary of each Event, a custom column keyed DESCRIPTION has been added that is a string type, has a maximum length of 64 characters and is populated using a regular expression result. The expression simply returns the first line of the log entry, then the maximum length is used to truncate the result to the first 64 characters. If you would like to display more characters, increase this value.
Event Log Summary Report, Column Definitions View
  • Next, the Sort by Controls define the sort order of the results. Since this is a summary report of unique Events, defined as the combination of each Source and Event ID, the following three columns are defined:
      Count: Displays the count of unique entries and is sorted descending so the most common Event log entry is displayed at the top and the least common entry at the bottom of the report.
      Event: Displays the Event ID and is sorted ascending so distinct counts that have the same number (e.g. 1 entry) are displayed in order of Event ID.
      Source: Displays the Event Source, which is sorted ascending so entries with the same count and Event ID are then sorted by the Event Source.
Event Log Summary Report, Sort by View
  • Next, the Group by Controls define how we would like to group each result set of data. This report is designed to be run against multiple servers so it groups results by host, enabling you to view the top entries for each host in one report.
Event Log Summary Report, Group by View
  • Lastly, at the very bottom we can see the Regular expression Controls. In certain scenarios, a regular expression may be detached from a column. This view displays all configured regular expressions. In this report's case, there is just the one DESCRIPTION regular expression defined.
Event Log Summary Report, Regular expressions View

The Options Tab

  • Selecting the Options Tab reveals the filters, select distinct count and query by rules.
  • Two filters have been automatically assigned:
      Audit Entries: Targets Success Audit and Failure Audit entries, found mostly in Security Logs; however, these Event types can be seen in any log.
      Event Log Warning +: Targets Warning and Error Event types.
Event Log Summary Report, Filters View
  • Next, the filter option is set to pass all entries that pass Any of the filters.
Note
Other options include creating a single filter that targets Warning, Error, Success Audit and Failure Audit Events, or creating a filter that targets Informational Events and setting the filter option to None.
  • Next, the Select distinct count Controls define the composite database key. In this case we are defining a unique entry as the combination of the Event ID and Event Source, listed as EVENT and SOURCE.
Event Log Summary Report, Select distinct count View
  • Just below we have the option of displaying the latest or the oldest entry in the report. The report defaults to the latest so we see the most recent unique entry in the report.
  • Finally, we see the Query by Controls which for this report are left blank since the report is summarizing all Events.
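To make the filter option, the Select distinct count composite key, the DESCRIPTION regular expression, the Sort by rules and the Group by host behaviour concrete, here is an added Python example that builds the same kind of summary from constructed in-memory log records. It is not part of this page or the product's own code: the LogEntry class, the dict layout of the filters, the summarize function and the sample records are this example's own assumptions; the filter names, the 64-character limit and the column rules follow the text above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

DESCRIPTION_MAX_LEN = 64                  # maximum length of the DESCRIPTION column
FIRST_LINE_RE = re.compile(r"[^\r\n]*")   # the column's regular expression: first line only

# The two filters assigned in the sample report (names from the page); each
# lists the Event types it targets. The dict shape is this example's own.
SAMPLE_FILTERS = {
    "Audit Entries": {"Success Audit", "Failure Audit"},
    "Event Log Warning +": {"Warning", "Error"},
}


@dataclass(frozen=True)
class LogEntry:
    """One Windows event log record; a hypothetical in-memory shape."""
    host: str
    log: str          # Application, Security or System
    event_type: str   # Information, Warning, Error, Success Audit or Failure Audit
    source: str
    event_id: int
    timestamp: str    # ISO-8601 text, so plain string comparison orders it
    message: str


def passes_filters(entry, filters, mode="Any"):
    """Filter option: 'Any' keeps entries matching at least one filter,
    'None' keeps only entries matching no filter (the Informational variant)."""
    matched = any(entry.event_type in types for types in filters.values())
    if mode == "Any":
        return matched
    if mode == "None":
        return not matched
    raise ValueError(f"unsupported filter option: {mode}")


def description(entry):
    """DESCRIPTION column: regex result (first line) truncated to the maximum length."""
    return FIRST_LINE_RE.match(entry.message).group(0)[:DESCRIPTION_MAX_LEN]


def summarize(entries, filters=SAMPLE_FILTERS, mode="Any", latest=True):
    """Group by host, select distinct on (SOURCE, EVENT), count each key, keep the
    latest (or oldest) entry per key, and sort Count desc, Event asc, Source asc."""
    buckets = defaultdict(dict)  # host -> (source, event_id) -> [count, representative]
    for entry in entries:
        if not passes_filters(entry, filters, mode):
            continue
        slot = buckets[entry.host].setdefault((entry.source, entry.event_id), [0, entry])
        slot[0] += 1
        newer = entry.timestamp > slot[1].timestamp
        if newer == latest:   # newer wins when latest=True, older wins when latest=False
            slot[1] = entry
    report = {}
    for host, rows in buckets.items():
        ordered = sorted(rows.values(), key=lambda r: (-r[0], r[1].event_id, r[1].source))
        report[host] = [
            {"count": n, "event_id": e.event_id, "source": e.source,
             "timestamp": e.timestamp, "description": description(e)}
            for n, e in ordered
        ]
    return report


# Constructed sample records (not taken from any real server).
_SA = "Microsoft-Windows-Security-Auditing"
_FAILED = "An account failed to log on.\nSubject:\n\tSecurity ID:\tS-1-0-0"
SAMPLE_ENTRIES = [
    LogEntry("DC01", "Security", "Failure Audit", _SA, 4625, "2024-01-05T08:01:00", _FAILED),
    LogEntry("DC01", "Security", "Failure Audit", _SA, 4625, "2024-01-05T08:02:00", _FAILED),
    LogEntry("DC01", "Security", "Failure Audit", _SA, 4625, "2024-01-05T08:03:00", _FAILED),
    LogEntry("DC01", "Security", "Success Audit", _SA, 4624, "2024-01-05T08:04:00",
             "An account was successfully logged on."),
    LogEntry("DC01", "Application", "Error", "Application Error", 1000, "2024-01-05T09:00:00",
             "Faulting application name: example.exe, version: 1.0.0.0, time stamp: 0x00000000\n"
             "Faulting module name: ntdll.dll"),
    LogEntry("DC01", "Application", "Error", "Application Hang", 1000, "2024-01-05T09:05:00",
             "The program example.exe stopped interacting with Windows."),
    LogEntry("DC01", "System", "Information", "Service Control Manager", 7036, "2024-01-05T09:10:00",
             "The Example service entered the running state."),   # dropped by the filters
    LogEntry("FS01", "System", "Warning", "Disk", 51, "2024-01-05T10:00:00",
             "An error was detected on device \\Device\\Harddisk0 during a paging operation."),
]

if __name__ == "__main__":
    for host, rows in summarize(SAMPLE_ENTRIES).items():
        print(host)
        for r in rows:
            print(f"  {r['count']:>5}  {r['event_id']:>6}  {r['source']:<36}  {r['description']}")
```

Running the block prints one group per host with the Count, Event and Source columns in the report's sort order; the three 4625 entries collapse into a single row whose timestamp is the latest one, the two Event ID 1000 rows tie on count and fall back to Source order, and the long first line of the Application Error message is cut at 64 characters. Passing `latest=False` selects the oldest entry per key, and passing an Informational filter with `mode="None"` reproduces the alternative described in the Note.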

Host Assignment

Use the Assignments View to assign individual hosts or host groups to the report. For more information see: Host Assignments.

Important
This report requires that each assigned host be assigned an Event Log Consolidation Template.

Sample Report

  • Once saved, you can view the report directly within the Management Console by clicking the View Report button.
Event Log Summary Report View
  • Once displayed, notice that the report is actually showing the current day rather than the period configured in the report. When generic Event Log Consolidation Reports, such as this report, are displayed within the Management Console, they display in pages of days and always begin with today. This is done on purpose so large reports are viewed in pages, vastly reducing memory and CPU requirements. If you want to view the last seven days in one page, click the Date toolbar button, set the date you would like to start looking inclusively backward from, then set the Days per page to 7.
Log Viewer Days per page Paging Control

Related Topics

Event Log Consolidation Template

Event Log Report

Host Assignments

Reports