Event Log Reports
Learn how to use Syskit Monitor to track all user activities performed on the file system.
The Event Log Reports are used to track security-related information and events on a computer system. These include:
- Auditing successful and failed logon attempts.
- Tracking when and why users restart or shut down their computers, as well as how long a Microsoft Windows system has been powered on without a restart.
- Monitoring of operations performed on the file system.
- Preventing attackers from guessing users’ passwords, and decreasing the likelihood of successful attacks on your network.
Syskit Monitor allows you to monitor all user activities performed on the file system. The Event Log reports show all read, write, append and delete operations performed on the selected files and folders. Administrators can choose the paths to monitor as well as the file types to include in these reports. This group of reports also includes the Blocked IP Addresses report.
Currently available reports are:
- Logon Audit – This report will show you a complete logon history overview on all computers – track successful and failed logon events.
- Restart Log – This history report shows a complete list of every time the Windows Servers have restarted or shut down and the reason why, including the user account that initiated the restart or shutdown.
- System Uptime – This report will show you how long a Microsoft Windows system has been powered on without a restart or if a reboot has been applied to the system recently.
- File Access Audit Log – Shows file access history and the actions performed on files, as well as the exact time.
- File Access Audit – Summarizes the number of Read, Write, and Update actions per file and user.
Syskit Monitor detects potentially malicious IP addresses; the Blocked IP Addresses report shows the list of IP addresses that have been blocked via Windows Firewall rules.
To see this report, you must have the Extract Event Log system job enabled and running.
1. Navigate to File > Manage > System Jobs.
2. In the System Jobs dialog, double-click Extract Event Log. Check the Collect Event log data and Block malicious IP addresses options. Set after how many failed attempts the malicious IP address is blocked and after how many hours the same address is unblocked.
The next option that must be enabled for this feature to work properly is Public IP Fetching.
1. Navigate to File > Configuration > Options > General.
2. Check the Enable public IP fetching option and click Save to confirm the changes.
After every Event Log system job run, each IP address with X or more failed attempts is blocked for Y hours. The malicious IP addresses appear in the Blocked IP Addresses report. (In this case, after 5 failed logon attempts the malicious IP address is blocked for the next 24 hours.)
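As an added illustration of the blocking rule described above (example code written for this page, not Syskit's own implementation), the following Python simulates one Extract Event Log job run over constructed failed-logon records: source IPs with at least X (5) failed attempts are blocked for Y (24) hours and released once the block expires. The one-line log format is an assumption; event ID 4625 is the Windows Security log's "An account failed to log on" and 4624 a successful logon.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of collected Security log records (assumed format):
# "<timestamp> <event-id> <account> <source-ip>". 4625 = failed logon, 4624 = success.
SAMPLE_LOG = """\
2024-05-01T08:00:01 4625 admin 203.0.113.7
2024-05-01T08:00:03 4625 admin 203.0.113.7
2024-05-01T08:00:05 4625 administrator 203.0.113.7
2024-05-01T08:00:06 4625 root 203.0.113.7
2024-05-01T08:00:09 4625 admin 203.0.113.7
2024-05-01T08:01:10 4625 jdoe 198.51.100.4
2024-05-01T08:01:40 4624 jdoe 198.51.100.4
2024-05-01T08:02:00 4625 guest 192.0.2.9
2024-05-01T08:02:01 4625 guest 192.0.2.9
"""

FAILED_LOGON_EVENT_ID = "4625"
FAILED_ATTEMPT_THRESHOLD = 5   # X in the text above
BLOCK_HOURS = 24               # Y in the text above


def failed_logons_per_ip(log_text):
    """Count failed-logon (4625) records per source IP; other event IDs are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, event_id, _account, source_ip = line.split()
        if event_id == FAILED_LOGON_EVENT_ID:
            counts[source_ip] += 1
    return counts


def run_block_job(log_text, now, blocked, threshold=FAILED_ATTEMPT_THRESHOLD,
                  block_hours=BLOCK_HOURS):
    """One job run. `blocked` maps IP -> unblock time and is updated in place.
    Expired blocks are released first; IPs reaching the threshold get a new block.
    Returns (newly_blocked, released) lists of IPs."""
    released = [ip for ip, until in blocked.items() if until <= now]
    for ip in released:
        del blocked[ip]
    newly_blocked = []
    for ip, failures in failed_logons_per_ip(log_text).items():
        if failures >= threshold and ip not in blocked:
            blocked[ip] = now + timedelta(hours=block_hours)
            newly_blocked.append(ip)
    return newly_blocked, released


def demo():
    """Two consecutive runs 24 hours apart: block on the first, release on the second."""
    blocked = {}
    first_run = datetime(2024, 5, 1, 9, 0)
    blocked_1, released_1 = run_block_job(SAMPLE_LOG, first_run, blocked)
    blocked_2, released_2 = run_block_job("", first_run + timedelta(hours=BLOCK_HOURS), blocked)
    return {"run1_blocked": blocked_1, "run1_released": released_1,
            "run2_blocked": blocked_2, "run2_released": released_2,
            "still_blocked": sorted(blocked)}


if __name__ == "__main__":
    print(demo())
```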