Getting Started
- System Requirements
- Installation
- Registration
- Version Support Policy
- Assign Service Logon As Credentials
Agent-Based Management
Data Providers
- Data Provider Properties
- SQLite Properties
- MySQL Properties
- Microsoft SQL Server Properties
- File System Properties
Directory Services
Event Log Archiving for JSIG and CMMC Compliance
Auditing
- Audit Work Items
- Self-Auditing
- Group Policy Auditing
Hosts
- Adding Hosts
- Host Properties
- Batch Update Hosts
- Agent Properties
- Logon As Properties
- SFTP Properties
- FTP/S Properties
- SNMP Device Connection Properties
- WMI
- Contact
- Exclusions
- Inventory
- Docker
- Host Assignments
Templates
- Template Properties
- Batch Update Templates
- Assign Templates
- Log Management Templates
- SCAP Compliance Monitor
- File and Directory Monitor Templates
- Windows Monitor Templates
- Windows Management Instrumentation (WMI) Templates
- SSL Certificate Monitor Templates
- Email Monitor Templates
- SNMP Monitor Templates
- Windows Accounts Templates
Monitors
- Monitor Hierarchy
- Temporarily Suppress Monitors Actions
Reports
- Report Properties
- Artificial Intelligence Reports
  - AI Anomaly Detection Report
    - AI Anomaly Detection Report (Template Triggers)
- Security Reports
- Generic Log Reports
- SIEM Report
- SIEM Chart Report
- Azure Active Directory Audit Log Report
- Event Log Report
- SNMP Trap Report
- Syslog Report
- Databse Log Report
- Event Log Summary Report
File and Permission Reports
- File and Directory Access Permissions Report
- Duplicate Files Report
- File Activity Report
- Largest Files Report
- Sorted Files Report
Summary Reports
- Host Inventory Report
- Summary Report
- Collection Report
- Hash Check Reports
Auto-Configurators
Filters
- Simple Filters
- Complex Filters
Actions
- Database Actions
- Desktop Actions
- Email Actions
- Event Log Actions
- Executable Actions
- File Actions
- IIS IP Address Restriction Actions
- Microsoft Teams Actions
- PowerShell Actions
- Report Actions
- Service Actions
- SMS Actions
- SNMP Trap Actions
- Syslog Actions
- Template Actions
- IIS IP Address Restriction Actions
- Action Variables
Schedules
- Fixed Schedules
- Range Schedules
- Real-Time Schedules
Environment Variables
Options
- Email Settings
- Security Settings
- Syslog Server Settings
- SNMP Trap Server Settings
- Log Viewer Settings
- Web Proxy Settings
- Miscellaneous Settings
Account Lockout Monitoring and Reporting
Merging Logs
SNMP
- SNMP Browser
SSH Shell
Syslog
Exporting and Importing Configuration Objects
Shared Views
- Active Directory User and Group Filters
- Assign Actions
- Assign Azure Audit Logs
- Assign Consolidated Logs
- Assign Directories
- Assign Disks
- Assign Event Logs
- Assign Files
- Assign Services
- Assign Shares
- Auto-Config Host Assignment Properties
- Define CSV and W3C Log Entry Columns
- Define Log Entry Columns
- Define Log Entry Columns with Regular Expressions
- Executable Status
- Executable Timeline
- Explicitly Assigned Logs
- File Explorer
- General Executable Properties
- Report Columns
- Report Date/Time Ranges
- Report Security Event Log Filters
- Select Folder or File
- Target Files and Sub-Directories
Command Line Interface
Server Configuration
Agent Configuration
Troubleshooting
- Arithmetic Overflow
- Access Denied
- MySQL: Fatal error encountered during command execution
- Invalid Class
- No Such Interface Supported
- Quota Violation
- The File Exists Errors
- The Interface is Unknown
- The RPC Server is Unavailable
- NetBIOS Errors
Terminology

Event Log Monitor Template

Event Log Monitoring is the process of subscribing too or polling Windows Event Log Entries, filtering entries, then, executing notification and remediation actions. The Event Log Monitor Template is used by network administrators and security compliance auditors that want to pro-actively monitor their network infrastructure and Security Event Logs for un-authorized activity.

In this Topic

Event Log Monitoring Methods
How to create an Event Log Monitor
How to enable Real-Time Event Log Monitoring
How to use the Corner Bowl Server Manager Agent instead of WMI

Event Log Monitoring Methods

Server Manager offers several different methods to monitor Windows Event Logs.

Method	Agent-Based	Is Security Threat	Description
Remote WMI Event Subscriptions	No	Yes Source	Supported out-of-the-box on all versions of Windows.
Remote WMI Queries	No	Yes Source	Supported out-of-the-box on all versions of Windows.
Local WMI Event Subscriptions	Yes	No	Using our Agent Service, the Agent opens a persistent connection to the Management Server, locally subscribes to Event Logs through local WMI, then when an entry is received, applies filters then sends each entry that passes to the Management Server to execute notifications and remediation actions.
Local WMI Queries	Yes	No	Using our Agent Service, the Agent connects to the Management Server at a configured frequency, connects to the Event Log through local WMI, filters entries, then passes all filtered entries to the Management Server in a batch to execute notifications and remediation actions.

How to create an Event Log Monitor

From the Menu Bar, select File | New. The Create New Object View displays.
From the Create New Object View, expand Templates | Log Management and finally select Log Monitor. The New Template View displays.
The Template Properties View contains 7 tabs.

How to enable Real-Time Event Log Monitoring

Select the General Tab
From the Schedule Drop-Down, expand the Real-Time Group then select Real-Time.

General Tab showing a Real-Time Schedule assignment.

Select the Options Tab
When configuring a Microsoft Application Log, check the Enable WMI API checkbox.

Important

When this option is set, several required Windows Registry entries are added to the managed host prior to downloading.

Use the Assignments View to assign the target hosts or groups of hosts.
Click the Save button, then, if you want to use the Agent instead of remote WMI, from the Object Explorer, find the target server or group of servers, right click, then select Host Properties. The Host Properties Viewdisplays.
From the Host Properties View, select the General Tab, scroll down until you see the Agent Settings group. First, verify the Agent version is listed. If not, RDP into the remote server, verify the Corner Bowl Server Manager Agent is installed then locate the agent.log file. Take a look at the end of the log file for detailed information on the connection status. Often the issue is related to:
- A mis-configured hostname in the tcpserver.json
- A DNS name resolution issue
- A rolling IP on the Management Server
- A firewall blocking port 21843, or, on the server-side, the configured Host Identification Method.
For more information see Agent-Based Monitoring.
Once the installed version is verified, check the Keep agent connected Checkbox then click the Save Button to save your changes.

Note

Once saved, each assigned Agent will automatically start the Real-Time Event Log Monitor the next time it connects to the Management Server.

Host Properties View showing the Agent Settings

How to use the Corner Bowl Server Manager Agent instead of Remote WMI (DCOM)

Select the Agent Template Tab
Check the Enabled Checkbox

Agent Template Tab in an Enabled state