SpectorSoft Log Manager Help


Table of Contents

Getting Started ... 1

About ... 1

How it Works ... 3

Upgrading from Network Event Viewer ... 4

System Requirements ... 6

Registration ... 6

Update Service ... 7

Best Practices ... 7

Tutorials ... 9

Tutorials ... 9

Event Log Management Tutorial... 10

Encrypting and Password Protecting Event Log Backups ... 20

Printing Logs for Auditors ... 22

Monitoring a File for Inactivity ... 31

Receiving a Monthly Event Log Error Count Report (Grouped by Event ID/Source) ... 34

Receiving a Monthly Event Log Error Count Report... 35

Starting a Process when a Particular Entry is Logged ... 36

Consolidating Logs to SQL Server ... 37

Consolidating Logs to MySQL ... 42

Using Gmail as a Backup Email Server ... 47

How To ... 48

User Interface Components ... 48

Actions, Alerts and Notifications ... 49

Active Directory ... 51

Active Directory Filters ... 52

Auto Configurator ... 53

Backing Up and Restoring the Configuration ... 54

Browsing Computers ... 54

Browsing Text Logs ... 55

Configuration Templates ... 55

Displaying Logs... 56

Emailing Logs ... 57

Encrypting Communications ... 57

EVT and EVTX Files ... 59

Exporting Logs ... 61

Filters ... 61

Frequency Reports ... 64

Frequency Rules ... 65

Groups ... 66

Importing a Computer List ... 66

Log Entry Retention Policy ... 67

Log Properties... 67

Managing Event Logs ... 69

Managing Syslogs ... 70

Managing Text Logs ... 71

Manually Downloading Event Logs... 74

Mapping Computers ... 75

Monitoring and Consolidating Logs ... 76

Monitoring CSV Files ... 77


Printing Logs ... 78

Regular Expressions ... 78

Replacement Tags ... 79

Reports ... 85

Schedule Distributor ... 86

Schedules ... 87

Searching Logs ... 87

Selecting Specific Computers ... 88

Selecting Specific Logs ... 89

SNMP Traps ... 90

Standard Reports ... 90

Tray Icon ... 91

Views ... 92

Security Event Log Reports ... 93

Success Logon Reports ... 93

Failed Logon Reports ... 94

Account Lockout Reports ... 95

New User Account Reports ... 95

Logon/Logoff Reports ... 96

Account Management Reports ... 97

Options ... 98

Options ... 98

Web Proxy Server Configuration ... 102

Windows Service ... 103

Windows Service ... 103

Change Service Logon ... 103

Windows Service Log File ... 103

Starting and Stopping the Windows Service ... 104

Troubleshooting ... 105

Troubleshooting ... 105

Common Event Log Management Errors ... 105

The RPC Server is Unavailable ... 106

Access Denied ... 107

Quota Violation ... 109

Common Filter Issues ... 110

Common Action Issues ... 110

Security ... 111

Configuring the Windows Firewall ... 112

Technical Support ... 112

SpectorSoft Information ... 113

Contact Us ... 113

Copyrights and Trademarks ... 114


Getting Started

About

SpectorSoft Log Manager is a network-wide log monitoring, consolidation, auditing and reporting tool enabling System Administrators to proactively monitor their networks while satisfying regulatory agency auditing requirements.

Features at a Glance

§ Monitor logs in real-time or per user defined schedule

§ Create and assign simple or complex regular expression filters

§ Fire multiple types of alerts or actions including SNMP traps

§ Consolidate Event Logs, Syslogs, text logs and CSV files

§ Automatically truncate and archive consolidated logs

§ Schedule detailed reports

§ Includes Security Event Log reports

§ Merge multiple log files into a single view

§ View Windows Event Log files (EVT and EVTX)

§ View large log files quickly with minimal system resources

§ Monitor Active Directory and automatically configure new computers

§ Single installation monitors entire network

§ No installation required on managed computers

Event Log Management

The Windows operating system and many 3rd party Windows Services and applications use the Windows Event Log system to log informational, warning, and error information used by Systems Administrators to help identify application errors. SpectorSoft Log Manager monitors (real-time or scheduled), consolidates and archives Event Logs to SQL Server, MySQL, Oracle or the proprietary file system.

Syslog Management

SpectorSoft Log Manager includes a self-contained syslog server that can be used to collect, monitor and consolidate syslog messages from both computers and devices such as network routers and firewalls.

Text Log Management

SpectorSoft Log Manager supports both delimited and non-delimited text log files. Delimited files follow a specific format enabling programmatic parsing over multiple lines.

Many applications create log files using a date driven naming mechanism. SpectorSoft Log Manager enables you to monitor files within a directory that match user defined file name masks such as <yyMMdd>.txt and *.log. When a new file is detected, the service automatically starts monitoring the file contents.


Advanced Filtering

Powerful filtering searches through consolidated logs allowing you to pinpoint log entries of interest or remove noise. Both simple and complex regular expression filters are offered. Selectively flag and add notes to log entries of interest.

Compliance

Many regulatory agencies require organizations to archive critical logs for future reference. SpectorSoft Log Manager archives your logs, in their entirety or as a filtered subset, to a central SQL Server, MySQL or Oracle database, as well as to CSV, EVT, EVTX, HTML, TXT, or XML files.

Alerts, Notifications and Actions

SpectorSoft Log Manager supports several different alerts and actions when key log entries are detected. Trigger actions such as sending a fully customizable email, exporting to a file, displaying a message box, playing a sound, writing key log entries to a user defined database table, forwarding key log entries to log consolidation hardware via syslog, displaying a system tray popup message, sending an SMS notification through an email-to-SMS gateway or firing an SNMP trap.

Report Generation

Generate reports that contain filtered log entries from a set of computers. For example, receive a daily report that contains a list of all failed login attempts to your domain controllers for the last 24 hours. Customize the report content using HTML email templates. Run reports on demand or on a schedule.

For more information, see: How it Works


How it Works

Components

SpectorSoft Log Manager consists of three (3) major components:

§ The User Interface is used to configure log management, generate reports and watch logs in real-time.

§ The Windows Service monitors and parses log entries, fires actions, generates scheduled reports, and automatically starts to monitor newly discovered computers.

§ The Tray Icon fires user interface alerts such as message box, sound, and system tray popups.

Implementation

Log Manager uses Microsoft’s Windows Management Instrumentation (WMI) to monitor in real time, download and manage remote Event Logs.

Syslog messages are received by pointing the hardware generating the messages to the server on which Log Manager is installed. The Log Manager Service opens UDP port 514 and listens for syslog messages.
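The service described above is a UDP listener on port 514 that has to make sense of whatever the routers and firewalls send it. As an added example (not code from the SpectorSoft product), the Python below decodes one BSD-style syslog datagram, splits the PRI value into facility and severity, rejects malformed input instead of storing it, and includes a minimal UDP receiver. The hostnames, addresses and message texts in the sample datagrams are constructed, and `parse_syslog`, `is_alertable` and `serve` are names chosen for this example, not the product's.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

SYSLOG_PORT = 514  # UDP port the page says the Log Manager service listens on

# Facility and severity names from RFC 3164 / RFC 5424, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style line: "<PRI>Mmm dd hh:mm:ss hostname message"
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    message: str


def parse_syslog(raw: bytes) -> Optional[SyslogMessage]:
    """Decode one UDP datagram; return None for anything that is not well-formed."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = _LINE.match(text)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities * 8 severities - 1 is the largest legal PRI
        return None
    return SyslogMessage(
        facility=FACILITIES[pri // 8],
        severity=SEVERITIES[pri % 8],
        timestamp=m.group("ts"),
        host=m.group("host"),
        message=m.group("msg"),
    )


def is_alertable(msg: SyslogMessage, min_severity: str = "err") -> bool:
    """True when the message is at least as severe as min_severity (lower index = more severe)."""
    return SEVERITIES.index(msg.severity) <= SEVERITIES.index(min_severity)


def serve(port: int = SYSLOG_PORT, bind_addr: str = "0.0.0.0", max_messages: Optional[int] = None):
    """Receive datagrams and yield parsed messages; binding to 514 needs administrative rights."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    received = 0
    try:
        while max_messages is None or received < max_messages:
            data, (src_ip, _) = sock.recvfrom(65535)
            received += 1
            parsed = parse_syslog(data)
            if parsed is None:
                print(f"dropped malformed datagram from {src_ip}")
                continue
            yield parsed
    finally:
        sock.close()


# Constructed sample datagrams in the shape a firewall and a router might emit (not real captures).
SAMPLE_DATAGRAMS = [
    b"<34>Oct 11 22:14:15 fw01 kernel: Dropped inbound packet from 203.0.113.9",
    b"<190>Oct 11 22:14:16 rtr01 config: Running configuration saved by operator",
    b"this is not syslog",
]

if __name__ == "__main__":
    for raw in SAMPLE_DATAGRAMS:
        msg = parse_syslog(raw)
        print(msg, "-> alert" if msg and is_alertable(msg) else "")
```

Because the transport is plain UDP, nothing in the datagram proves which device sent it; the source address is the only sender information available, which is one reason the page's later section on encrypting communications matters for anything beyond a trusted management network.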

Text logs are monitored in real time or by polling the file as frequently as every second or as infrequently as once a month. Text log change subscriptions and reads are done using either Microsoft Networking on Windows or Samba on Linux/Unix.

Once messages are received the Log Manager Service applies filters and fires any appropriate actions. Next, consolidation filters are applied. All entries that pass the consolidation filter are stored in the log repository.

Reports are generated on demand or automatically against the consolidated logs contained within the log repository.

For more information, see:

Monitoring and Consolidating Logs

Reports

User Interface Components

System Requirements


Upgrading from Network Event Viewer

To reduce the amount of effort for users to upgrade to SpectorSoft Log Manager we have included a function to import your Network Event Viewer configurations and log repository data. Please review the list below to see what is and what is not converted.

Converted:

§ Email settings

§ Web proxy server settings

§ Computer mappings

§ Database connection settings

§ Log repository

§ Auxiliary data source connection settings

§ Actions

§ Filters

§ Download configurations

§ Real-Time configurations

§ Reports

§ Directory Service connection settings

Not Converted:

§ Configuration templates

§ Auto Configurator configurations

Conversion Notes

Email and HTML Output

All reports and actions that point to custom email and HTML templates are set to the SpectorSoft Log Manager defaults.

The default email subject is applied to all converted email alerts.

Filters

When converting filters, date based criteria are dropped.

All filters that are applied to syslog configurations or reports are broken out into 2 filters, one for Event Logs the other for Syslogs.

Reports

When converting reports, the first date based criterion found within the legacy filter is applied to the report.

All reports that contain both Event Logs and Syslogs are broken out into 2 reports, one for Event Logs the other for Syslogs.


Log Repository (File System)

When storing Event Logs to the file system, the conversion program can point to NEV’s log repository. NEV offered an option to back up previously downloaded log files rather than append. This format of the log repository is not supported within SpectorSoft Log Manager and cannot be read. The conversion function offers the capability to convert the file system to either SQL Server, MySQL or Oracle. If you are interested in using a database rather than the file system, this is a good time to convert. Stored syslog files are not converted but will show up in the repository as Event Logs. New files will be automatically created when syslog messages are received and will be displayed in the repository under Syslogs.

Log Repository (Database)

Prior to running any import functions below BACK UP YOUR DATA. This includes your NEV configurations and your log repository database(s) or file system.

File System

If you are using our file system format, there is no need to convert the data.

Database

If you use SQL Server or MySQL, the NEV tables must be imported into new tables that SpectorSoft Log Manager can read. You can continue to use the same database without interfering with NEV. One major change between the software versions is that NEV stored archived entries in the same database, whereas SpectorSoft Log Manager stores archived entries in an alternate database. If you were archiving old log entries with NEV you must create a new database to write these entries to. If you do not, by default the archived entries will be loaded into our file system format in the default archive location. If you choose to delete the NEV data once imported, the database should decrease in size by approximately 50%; otherwise it will increase by 50%. If you want to leave the NEV database unchanged, point the target to another database.

To upgrade

From SpectorSoft Log Manager select Import from Network Event Viewer.

The Network Event Viewer service will be stopped prior to running the import functions. We highly recommend you either uninstall NEV or disable the NEV service once complete.

There are 3 optional steps. Answer the following questions to decide which steps to run:

Do you want to continue to use the same repository? If so run Step 1. If storing logs to a database be sure to set the Target archive data provider otherwise archived data will be stored to our file system format.

Do you want to import the data that was consolidated by NEV? If so run Step 2. If storing logs to a database be sure to set the Target archive data provider otherwise data previously archived by NEV will be copied to our file system format.

Do you want to import all the configurations you created with NEV? If so run Step 3. Once you have completed step 3 either disable the NEV service or uninstall NEV.


System Requirements

Supported Operating Systems

Windows Server 2008 R2, Server 2008, 7, Vista, Server 2003 or XP.

Supported CPUs (64-Bit and 32-Bit)

Our software is compiled with the latest version of the .Net Framework which allows us to compile the program once for any CPU meaning SpectorSoft Log Manager runs natively on both 64-bit and 32-bit hardware.

Memory

2 GB of available memory, 4 GB suggested for large networks.

Microsoft .NET Framework 3.5 Service Pack 1

The installation detects if the .Net Framework 3.5 Service Pack 1 is already installed. If not, the framework is automatically downloaded from Microsoft and then installed. Please note the framework takes a significant amount of time to install. Please be patient while the installation completes.

Domain Administrator Account

To access remote logs both the logged in user and the Windows Service must have domain administrator rights. The first time the application is run, you will be prompted to assign domain administrator credentials to the service.

Windows Management Instrumentation (client and server)

Event Logs are consolidated and managed using Microsoft's Windows Management Instrumentation (WMI) API. WMI is preinstalled on all supported operating systems. For more information, see: How it Works

Registration

To register your software, visit www.spectorsoft.com and purchase a license. You will receive your license key by email. After you receive your license key, select Register from the Help menu. When prompted, specify the email address the license key was mailed to and the license key. Click Submit.

If you are running on an isolated or secure network, please contact SpectorSoft Technical Support and have your order information and target system’s MAC address ready.

If you are moving your license from one computer to another, please contact SpectorSoft Technical Support.

For more information, see: Update Service

Update Service

All of our software supports automatic updates. At startup, each of our user interfaces downloads an XML file from our web server. Using version information, our software determines if an update is necessary. License information may be transmitted to our registration web service, also running on our web server, to determine upgrade eligibility. If eligible, our software will download the latest version from our web server.

Each license comes with access to updates and major releases for 1 year. After that, you can purchase a maintenance contract that provides you access to updates and major releases for 1 more year.

For more information, see: Registration

Best Practices

Log management is typically very CPU and memory intensive. Please consider some of the following suggestions when managing logs:

Consolidation

Consolidate often. The more often you consolidate Event Logs and text logs, the easier it is on the target server, the network, the database server and the management console.

Event Log entries are received from the target computer in a random order. When using the file system to store logs or when applying post consolidation filters, the entries must be sorted in memory. For this reason we suggest using SQL Server, MySQL or Oracle to store your logs and configuring reports in place of post consolidation filters. If a database is not a viable option, if you are forwarding entries to a log management device, or if you must use post consolidation filters for some other reason, schedule the Event Log downloads or text log polling as frequently as once an hour in large networks or once a day in smaller networks.

Filters

Creating vague filters allows many entries to pass. Keep your filters tight so that only the entries you are really interested in pass, or only those of no interest are removed.


Reports

One of the most common issues we see is reports run with vague filters over large date ranges. This scenario typically causes the system to run out of memory as the email is generated. Keep the filter tight and the date range short. This will limit the amount of data sent in your email reports.

Archiving

Many of our users store their logs for at least a year. When storing logs more than 90 days, we suggest entries be archived frequently. Use the built in archive functionality to move entries from your primary database or file system to an archive database or network location. Schedule the archive function to run once a week during off hours. Every 90 or 180 days backup the database or network location and prune all the archive data. Doing so will increase both the user interface and the archive process performance.

Displaying Logs

When displaying logs within the viewer, limit the number of days per page; 1 day per page is best. When very little data appears, increase the number of days per page to suit your needs.


Tutorials


Event Log Management Tutorial

Encrypting and Password Protecting Event Log Backups

Printing Logs for Auditors

Monitoring a Rolling Text Log File (IIS)

Monitoring a File for Inactivity

Monitoring a File for Maximum Size

Receiving a Monthly Event Log Error Count Report (Grouped by Event ID/Source)

Receiving a Monthly Event Log Error Count Report

Starting a Process when a Particular Entry is Logged

Consolidating Logs to SQL Server

Consolidating Logs to MySQL


Event Log Management Tutorial

This tutorial shows you how to configure real-time monitoring, save log entries to a central database, and configure log entry retention policy.

When you have completed this tutorial you will have an understanding of how to monitor Security Event Logs for multiple failed logon attempts, save all audit failure and error events to a central database, receive notification when warning and error System Event Log entries are downloaded, and lastly, configure a log entry retention policy.

Start the Log Management Wizard…

Select New Log Monitor from the File menu item.

From the Log Management Wizard select Windows Event Logs. Click Next.

Choose the method to select the computers. Once selected, the computers will display in the list.

Click Next.

If any of the selected remote computers are off domain, use the Computer combo-box to select each off-domain computer. Once selected, specify the appropriate credentials to access the logs. When complete, select (All) in the Computer combo-box.


Click Next.

Specify a group to add the computers to and check the logs you want to consolidate to your database. For this tutorial check the Security and System Event Logs.

Click Next.

To consolidate the Event Logs, check the Save entries to the log repository option. If you only want to save specific Event Log entries, for example audit failure and error events, select Save all entries that pass the consolidation filter. In the Consolidation filter combo-box select the filter to apply. If you have not yet created the filter, click the configure filters button and create your consolidation filter.

For this tutorial we only want to save audit failure and error entries so let’s create the filter now. Once created your filter should look like the following screen shot:


Click Close and save your changes.

Next schedule the frequency to download the Event Logs. If configuring many downloads, click the Distribute Schedules button to evenly distribute the schedules over a time period. For example:

Next limit the initial download (or first download) to the previous X number of days. When downloading domain controller Security Event Logs you may need to reduce this number of days, as domain controller Security Logs tend to be quite large, causing potentially significant CPU load, memory load, and processing time. Lastly, choose to clear the remote Event Log upon download completion. When you have finished configuring this page your wizard should look something like the following:


Click Next.

For performance reasons, reports should be used to notify users on a daily or hourly basis of events of interest; however, there are many cases when you may want to be notified immediately upon download completion of specific events. In these rare cases, assign post consolidation filters and actions.

For this tutorial we want to be notified of all warning and error events downloaded from the System Event Logs. Create the filter now. Once created your filter should look like the following screen shot:

Click Close and save your changes.


Click OK.

The wizard should now look like the following screen shot:

Click Next.

Many regulatory agencies require companies to store Event Log entries for up to a year or even more. Use the Entry Retention Policies tab to configure how many days of entries are saved. Once configured, the service will truncate the saved log tables or files according to the interval or schedule you define. Incorporated in the retention policy is the concept of archiving. Archiving allows you to move entries from the tables or files you regularly review to archive tables or files. This format enables you to query the system for recent entries very quickly and, when necessary, query the system for older entries from what are typically much larger tables and files requiring more memory and processing time. Choose to either Remove or Archive entries within the tables or files. Choose the maximum number of days to store. If you choose Remove, the entries are removed from the tables or files when executed. If you choose Archive, the entries are moved from the primary tables or files and appended to the archive tables or files. Use the Options dialog to configure the location where the archive database or file system resides. Schedule the frequency to apply the data retention rules. If configuring many downloads, click the Distribute Schedules button to evenly distribute each entry retention policy execution over a time period, for example:
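To make the Remove versus Archive distinction concrete, here is an added example in Python using SQLite. It is not the product's code (the page says the product targets SQL Server, MySQL, Oracle or its own file format); the table layout, the `open_store`, `apply_retention` and `run_sample` functions and the sample entries are all assumptions of this example. The archive lives in a second connection to mirror the page's separate archive database.

```python
import sqlite3
from datetime import datetime, timedelta
from typing import Optional, Tuple

# One primary table and one archive table with the same shape (assumed layout for this example).
SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    id      INTEGER PRIMARY KEY,
    logged  TEXT NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS', so string comparison is chronological
    source  TEXT NOT NULL,
    message TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS events_logged ON events (logged);
"""


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con


def apply_retention(primary: sqlite3.Connection, max_days: int, now: datetime,
                    mode: str = "Archive", archive: Optional[sqlite3.Connection] = None) -> int:
    """Apply one retention rule and return the number of rows dropped from the primary table.

    mode="Remove"  deletes entries older than max_days.
    mode="Archive" copies them to the archive store first, then deletes them.
    """
    if mode not in ("Remove", "Archive"):
        raise ValueError(f"unknown retention mode {mode!r}")
    cutoff = (now - timedelta(days=max_days)).strftime("%Y-%m-%d %H:%M:%S")
    if mode == "Archive":
        if archive is None:
            raise ValueError("Archive mode needs an archive connection")
        rows = primary.execute(
            "SELECT logged, source, message FROM events WHERE logged < ? ORDER BY logged",
            (cutoff,)).fetchall()
        with archive:  # commit the copy before anything is deleted from the primary store
            archive.executemany(
                "INSERT INTO events (logged, source, message) VALUES (?, ?, ?)", rows)
    with primary:
        cur = primary.execute("DELETE FROM events WHERE logged < ?", (cutoff,))
    return cur.rowcount


def run_sample() -> Tuple[int, int, int, int]:
    """Load constructed entries, archive at 90 days, then remove at 30 days."""
    now = datetime(2011, 6, 30, 12, 0, 0)
    primary, archive = open_store(), open_store()
    ages_in_days = [1, 50, 100, 400]   # constructed sample entries, not real log data
    primary.executemany(
        "INSERT INTO events (logged, source, message) VALUES (?, ?, ?)",
        [((now - timedelta(days=d)).strftime("%Y-%m-%d %H:%M:%S"), "Security",
          f"sample entry {d} days old") for d in ages_in_days])
    archived = apply_retention(primary, 90, now, "Archive", archive)
    left = primary.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    in_archive = archive.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    removed = apply_retention(primary, 30, now, "Remove")
    return archived, left, in_archive, removed


if __name__ == "__main__":
    print("archived, remaining, in archive, removed:", run_sample())
```

The archive copy is committed before any row is deleted from the primary table, so an interruption between the two steps leaves a duplicate in the archive rather than a lost entry, which is the safer failure mode for data kept to satisfy auditors. The index on `logged` is what keeps a weekly run cheap once the primary table holds months of entries.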


When you have finished configuring this page your wizard should look something like the following:

Click Next.

The Remote EVT and EVTX File Back Up page should now be displayed. This page enables you to schedule native backups of EVT and EVTX files. For a detailed tutorial on this functionality please see the Encrypting and Password Protecting Event Log Backups tutorial.


Click Next.

If you want to monitor specific logs in real time, select each computer and log from the appropriate combo-boxes and check Real-Time monitor the Event Log for new entries. Please note that a thread is consumed for each log being real-time monitored, and if the network fails, entries will be lost. Once checked, configure any times or days you want to exclude the real-time monitor from running, for example during weekly maintenance windows. If you are applying frequency rules, for example when you want to be notified when a specific entry is received 10 times within an hour, choose to either shut down the monitor or suppress actions during the exclusion period. Shutting down the monitor will reset the frequency rule, and all entries that match the real-time monitor filters are then ignored. If, however, you want the frequency rules to continue executing but simply do not want to receive any alerts, choose Suppress actions during exclusion period.

For this tutorial select the Security Event Log from the Event Log combo box and check Real-Time monitor the Event Log for new entries.

You will notice there is also an option to poll the Event Log entries. If you have no plans to consolidate log entries, you can use the poll option to scan logs for entries. This method guarantees results: unlike the real-time monitor, when there is a network outage, entries will be downloaded the next time the schedule runs.


Click Next.

If you elect to real-time monitor an Event Log, use the Computer and Event Log combo-boxes to apply the appropriate filter and action to each log. If you want to apply the same filter to the same log on multiple computers, in the Computer box select (All) and in the Event Log combo-box select the specific log. Assign the filters and actions. For more information on assigning filters and actions see Monitoring and Consolidating Logs.

For this tutorial click the Add button. Once the Assign Filter and Action dialog loads, click the Configure Filters button. Use the Filters Manager dialog to create a new Failed Logon Event Log filter as seen below. Make sure you set the Group by option to User. This enables the real-time monitor to group failed logon attempts by each unique user name, so that you receive notification when the same user attempts to log on multiple times without success.

(22)

Assign your newly created filter and apply the frequency rule as seen below. The frequency rule will enable you to receive notification when any user attempts to log on with their username unsuccessfully 3 or more times. Next assign an action.
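As an added example, not the product's own implementation, the following Python shows the sliding-window logic such a frequency rule needs: entries that pass a failed-logon filter are grouped by user, and an alert fires when three of them fall within one hour. The event IDs 4625 and 529 are the standard Windows failed-logon IDs, not values taken from the page; the sample entries, the `FrequencyRule` class and the way its `suppress_actions` flag and `reset` method map to the exclusion-period options described earlier are this example's assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Windows failed-logon event IDs: 4625 on Vista/2008 and later, 529 on XP/2003. Well-known
# values, not from the page; this filter stands in for the "Failed Logon" filter the page
# builds in the Filters Manager.
FAILED_LOGON_IDS = {4625, 529}


def failed_logon_filter(entry: dict) -> bool:
    return entry["type"] == "Audit Failure" and entry["event_id"] in FAILED_LOGON_IDS


class FrequencyRule:
    """Fire when `threshold` filtered entries with the same group key arrive within `window`."""

    def __init__(self, threshold: int = 3, window: timedelta = timedelta(hours=1),
                 group_by: str = "user", entry_filter=failed_logon_filter):
        self.threshold = threshold
        self.window = window
        self.group_by = group_by
        self.entry_filter = entry_filter
        self.suppress_actions = False   # the page's "Suppress actions during exclusion period"
        self._hits: Dict[str, Deque[datetime]] = defaultdict(deque)

    def reset(self) -> None:
        """Shutting the monitor down discards all counts, as the page says it does."""
        self._hits.clear()

    def observe(self, entry: dict) -> Optional[Tuple[str, int]]:
        """Return (group key, count) when the rule fires for this entry, else None."""
        if not self.entry_filter(entry):
            return None
        key = entry[self.group_by]
        ts = entry["time"]
        hits = self._hits[key]
        hits.append(ts)
        while ts - hits[0] > self.window:   # drop hits that fell out of the sliding window
            hits.popleft()
        if len(hits) < self.threshold:
            return None
        count = len(hits)
        hits.clear()   # one alert per burst; counting starts again afterwards
        return None if self.suppress_actions else (key, count)


def _entry(hhmm: str, user: str, event_id: int, outcome: str) -> dict:
    hour, minute = map(int, hhmm.split(":"))
    return {"time": datetime(2011, 6, 30, hour, minute), "user": user,
            "event_id": event_id, "type": outcome}


# Constructed Security log entries, already sorted by time (not real log data).
SAMPLE_ENTRIES = [
    _entry("08:00", "carol", 4625, "Audit Failure"),
    _entry("09:00", "alice", 4625, "Audit Failure"),
    _entry("09:02", "bob",   4625, "Audit Failure"),
    _entry("09:05", "alice", 4625, "Audit Failure"),
    _entry("09:06", "alice", 4624, "Audit Success"),   # a success does not count
    _entry("09:07", "bob",   4625, "Audit Failure"),
    _entry("09:10", "alice", 4625, "Audit Failure"),   # third failure within 10 minutes
    _entry("10:30", "carol", 4625, "Audit Failure"),
    _entry("13:00", "carol", 4625, "Audit Failure"),   # three failures, but spread over 5 hours
]


def run_sample(suppress: bool = False) -> List[Tuple[str, int]]:
    """Feed the sample entries through a 3-in-1-hour rule and collect the alerts it fires."""
    rule = FrequencyRule(threshold=3, window=timedelta(hours=1))
    rule.suppress_actions = suppress
    alerts = []
    for entry in SAMPLE_ENTRIES:
        fired = rule.observe(entry)
        if fired:
            alerts.append(fired)
    return alerts


if __name__ == "__main__":
    print(run_sample())            # alice trips the rule; bob and carol do not
    print(run_sample(suppress=True))  # same counting, no actions fired
```

Grouping by user is what separates one account being guessed at from normal background noise spread across many accounts; grouping by source computer instead would catch the opposite pattern, and the same class supports that by changing `group_by`.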

Click OK.

The wizard should now look like the following screen shot:

Click Next.

Lastly, choose to send error notification emails upon download or entry retention policy execution failure.


Encrypting and Password Protecting Event Log Backups

Overview

Many regulatory compliance agencies require companies to back up and archive Event Log files from mission critical systems. Some of these agencies require backup data to be encrypted and password protected. With these requirements in mind, we added scheduled Event Log backup support to SpectorSoft Log Manager.

In this tutorial we will show you how to schedule SpectorSoft Log Manager to automatically back up Event Log files from the remote computers on which they reside, compress the backups, encrypt and password protect the output file, and lastly decrypt and view the backed up Event Log files.

Assumptions

This tutorial assumes you have already configured Event Log consolidation for the target computers.

The Tutorial

From the Navigation view select the Configuration Explorer tab. If applicable, expand the group.

Expand the Event Logs tree node and check each computer to configure. Right-click and select Log Management Properties.

Once the Event Log Management Wizard opens, click through the wizard until you reach the Remote EVT and EVTX File Back Up page.

From this page check the Backup option.

To compress the output to ZIP format, check the compress option.

To encrypt the output, check the encrypt option and specify a strong password. When encrypted, each Event Log file is output to a proprietary file format. You must use the viewer to decrypt the Event Log, however once decrypted, you can use either Windows Event Viewer or SpectorSoft Log Manager to view the decrypted Event Log.

Specify the output filename. You can save the files to the local disk or a remote disk. If saving to a remote location do not use mapped drive letters but instead specify the UNC path. For example: \\servername\c$\EVTBackups

The directory or filename can contain any combination of the following replacement strings:

{HOST} The host name on which the log resides

{LOG} The name of the log file, for example, Security

{DATE} The current date in yyyyMMdd format

{TIME} The current time in hhmmss format


To automatically clear the remote Event Log after it has been backed up, select the Clear option.

Next schedule the backups. If scheduling many backups use the Schedule Distributor to distribute the backup schedules evenly over a period of time.

Please see the sample screen shot for reference:

Finally, click the Next button and resume through the wizard.

Verifying the Event Logs are Backing Up

To verify the backups are executing properly, review the service log file for entries that contain ‘Event Log Backup Manager’ or open Windows Explorer and verify the existence of the backups. Depending on the options you selected, the files will be in one of the following formats:

.evt Windows Server 2003, Windows XP, Windows 2000 and Windows NT Event Log file format

.evtx Windows Server 2008 and Windows Vista Event Log format

.zip Compressed ZIP file that contains a single .evt or .evtx file

.cbx Encrypted, password protected Event Log file that may or may not be compressed

Viewing Event Log Back Up Files

Select Tools | Event Log Backups | View Backed Up Event Log.

Select the ‘.evt’ file to view. To view an encrypted ‘.evt’ file select the ‘.cbx’ that contains the encrypted Event Log file and when prompted specify the decryption password.

NOTE: When viewing ‘.evt’ files that were generated from a remote computer the Event Log entries may not display correctly. For more information see http://support.microsoft.com/kb/165959


Printing Logs for Auditors

Overview

In this tutorial we will show you how to print log entries for auditors. When you are finished with this tutorial you will know how to query a log for a specific time range, print log content, and customize print output.

Assumptions

This tutorial assumes you have already consolidated log entries.

How does Printing Work?

The print function works by taking the entries you have displayed in the viewer, exporting them to a temporary HTML file and then opening the file in your Internet browser. You then use your Internet browser to print the log entries.

Displaying Event Log Entries

From the Navigation view select Log Repository.

Check each log you want to print. Please note you can only merge logs of the same type. If printing a single log right click and select View Consolidated Log. If printing multiple logs, right click and select Merge and View Consolidated Logs.

If printing Event Logs or Syslogs, when prompted select all levels or priorities. Lastly, select the filter you want to apply to the view.

Once the viewer displays the log entries, navigate to the page of interest or use the Days per page text box in the upper right corner of the viewer to increase or decrease the number of days displayed.

Printing the Current Page

From within the view, right click and select Print.

The view will be exported to HTML and displayed in your Internet browser.

Customizing the Output

If you want to customize the output you will need to change the HTML template. An example of a typical modification is to remove the message from the output.

Select Options from the Tools menu item. Select the HTML Template tab.

Expand and navigate to the appropriate HTML Template under the Save View heading. Highlight the filename and press Ctrl-C as seen in this screen shot:


Using Notepad, select Open from the File menu item. Paste the previously copied filename into the Open dialog and click OK.

Select Save As from the File menu item. Specify your own filename, for example my-event-log-view.html.

Select Replace from the Edit menu item. Search for {MESSAGE} and replace with an empty string. Select Save from the File menu item and close Notepad.

From within the Options dialog within SpectorSoft Log Manager update the appropriate HTML template value. For example:

From this point forward your template will be used when printing the current page, exporting the current page to HTML and emailing the current page.


Monitoring a Rolling Text Log File (IIS)

Many applications such as IIS log to a daily log file. Each day the application creates a new file that contains the date within the name, for example ex100625.log for 25 June 2010. This format is simple to implement and enables system administrators to easily archive log files. This tutorial will show you how to monitor rolling text log files by configuring Log Manager to monitor IIS logs.
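The file name masks described in the Text Log Management section (such as <yyMMdd>.txt and *.log) and the IIS scheme ex100625.log are both date-driven rolling logs. As an added example, not the product's own code, the Python below turns such a mask into an anchored regular expression, extracts the date encoded in a matching name, and reports files that were not present on a previous scan, which is the event the page says triggers monitoring of a new file. `mask_to_regex`, `file_date`, `detect_new_files` and the sample directory listing are assumptions of this example.

```python
import re
from datetime import date
from typing import Iterable, List, Optional, Set

# .NET-style date tokens accepted inside <...>; longer tokens come first so that
# "yyyy" is not read as two "yy" tokens.
_DATE_TOKENS = (("yyyy", r"\d{4}"), ("yy", r"\d{2}"), ("MM", r"\d{2}"), ("dd", r"\d{2}"))


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Compile a mask such as 'ex<yyMMdd>.log', '<yyMMdd>.txt' or '*.log' into an anchored regex."""
    parts: List[str] = []
    named: Set[str] = set()   # a token used twice is matched again but not captured again
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "<":
            end = mask.find(">", i)
            if end < 0:
                raise ValueError(f"unterminated date token in mask {mask!r}")
            fmt = mask[i + 1:end]
            j = 0
            while j < len(fmt):
                for token, pattern in _DATE_TOKENS:
                    if fmt.startswith(token, j):
                        if token in named:
                            parts.append(pattern)
                        else:
                            parts.append(f"(?P<{token}>{pattern})")
                            named.add(token)
                        j += len(token)
                        break
                else:
                    parts.append(re.escape(fmt[j]))   # literal character inside the date token
                    j += 1
            i = end + 1
        elif ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    # Windows file names are case-insensitive, so the match is too.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def file_date(regex: "re.Pattern[str]", name: str) -> Optional[date]:
    """Date encoded in a matching file name, or None if the name does not match or is not a date."""
    m = regex.match(name)
    if m is None:
        return None
    g = m.groupdict()
    if "MM" not in g or "dd" not in g or not ("yyyy" in g or "yy" in g):
        return None
    year = int(g["yyyy"]) if "yyyy" in g else 2000 + int(g["yy"])
    try:
        return date(year, int(g["MM"]), int(g["dd"]))
    except ValueError:      # e.g. 'ex101399.log' has the right shape but is not a real date
        return None


def detect_new_files(listing: Iterable[str], mask: str, seen: Set[str]) -> List[str]:
    """Return files matching the mask that were not seen on an earlier scan, and remember them."""
    regex = mask_to_regex(mask)
    fresh = sorted((n for n in listing if regex.match(n) and n not in seen), key=str.lower)
    seen.update(fresh)
    return fresh


# Constructed directory listing in the shape of an IIS W3SVC1 folder (not a real listing).
SAMPLE_LISTING = ["ex100624.log", "ex100625.log", "ex100625.log.bak", "EX100626.LOG", "notes.txt"]

if __name__ == "__main__":
    seen: Set[str] = set()
    print(detect_new_files(SAMPLE_LISTING, "ex<yyMMdd>.log", seen))   # first scan: three files
    print(detect_new_files(SAMPLE_LISTING, "ex<yyMMdd>.log", seen))   # second scan: nothing new
    print(file_date(mask_to_regex("ex<yyMMdd>.log"), "ex100625.log"))
```

Anchoring the pattern is the detail worth noticing: an unanchored `*.log` would also pick up `ex100625.log.bak`, and a monitor that quietly tails a stray backup copy reports entries that were never written to the live log.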

Requirements

Server 2008 with IIS7 installed

The Tutorial

The first step is to find the directory in which the log files reside. To do this you must log on to the target server and check the log location within IIS7.

To check the location, log on to the target server.

From the Start menu select Administrative Tools | Internet Information Services (IIS) Manager. From the left pane select the target web site.

From the right pane double-click Logging.

The log file path is listed within the Directory text box. By default the path is: %SystemDrive%\inetpub\logs\LogFiles

Which expands to:

c:\inetpub\logs\LogFiles

IIS writes the log files to a sub-directory called W3SVC1, which is the directory you want to monitor. Now that you have the location, you need to configure Log Manager to monitor the directory. To configure the monitor:

From the File menu item select New Log Monitor.

From the Log Management Wizard select Text Log Files followed by Directory. Click the Next button.

The Select Computers page should now be displayed. This page enables you to select the computers to monitor. Select the method to find your computers:

§ Browse Network
§ Browse Active Directory
§ Browse Mapped Computers
§ Map Computer
§ Select Localhost

Select the computer on which IIS7 is installed. If Log Manager is installed on the same computer as IIS7, select Select Localhost.


Click the Next button.

The Specify Logon As Credentials page should now be displayed. This page enables you to specify alternate logon as credentials when necessary. Please note you only need to specify alternate credentials if the target computer is off-domain as the service should already have domain administrator credentials assigned.

Click the Next button.

The Select Directories page should now be displayed. This page enables you to select the directory the log files are located. Navigate to the target directory, check it and then click the Add button. The directory should now be listed at the bottom of the page.


Click the Next button.

The Specify Friendly Name… page should now be displayed. This page enables you to specify a user friendly name to apply to the directory monitor, select a group to assign the computer to, and most importantly add the filename masks. Specify the following values:

Friendly name: IIS7 Logs
Mask: u_ex<yyMMdd>.log

Please note the replacement tags within the mask value. If today were 2010 June 25th, the following file would be found when clicking the Test button:

u_ex100625.log


The Specify Entry Delimiters… page should now be displayed. This page enables you to configure the method to delineate each entry. By default Log Manager treats each line as a single log entry. Since IIS log entries are limited to a single line leave the entry pattern recognition disabled. Change the read method to Beginning of File.

Click the Next button.

The Schedule Parameters page should now be displayed. This page enables you to configure the frequency to poll the file. Please note if you poll the file faster than once a minute, for example once every second, a thread is dedicated to monitoring the file. Configure the monitor to poll the file every 5 minutes.


Click the Next button.

The Assign Filters and Actions page should now be displayed. This page enables you to apply filters and assign actions to fire when specific entries are read. For this tutorial we will send an email notification every time a client requests the ‘hello.aspx’ page. To create the filter, click the Add button. From the Assign Filter and Action dialog click the Filters Manager button. From the Filters Manager dialog click the New button. Specify the following parameters:

Name: GetHello.aspx
Type: Text Log
Criteria: Message Contains GET /hello.aspx

Apply the new filter and assign an email action. Please note if you have not created an email action create one now.


Click the OK button. The Assign Filters and Actions page should now list your filter and action assignment.

Click through to the Log Consolidation and Retention Policies page.

The Log Consolidation and Retention Policies page should now be displayed. This page enables you to configure Log Manager to automatically consolidate entries to the log repository. Check Save entries to the log repository and check Remove entries older than 30 days.

Click the Next button.

The Logical Filename page should now be displayed. This page enables you to specify a logical name to save the dated filenames to. If you do not specify a logical name the log repository will contain a log for each day. Both scheduled reports and auto-archiving require a fixed log name within the log repository. When configuring directory monitors we highly suggest you specify a logical name.

For this tutorial enable the logical filename and set the value to: u_ex.log

Click the Close button. When prompted save your changes.

The configuration is now complete. Next verify the monitor starts correctly. From the View menu select Service Output. The Service Output status view should now be displayed. You should see the following message within 1 minute:

Info 6/25/2010 4:31:01 PM [Text Log Monitor] -

\\KAMAS\C$\inetpub\logs\LogFiles\W3SVC1\u_ex<yyMMdd>.log -

\\kamas\c$\inetpub\logs\logfiles\w3svc1\u_ex100625.log - Polling... Every 5 minutes

The monitor should also display the current log file within the Configuration Explorer as seen below:


Now test the monitor, filter and action. Open a browser and type the following in the address bar then press enter. You should receive a 404 error in your browser.

http://localhost/hello.aspx

The next time the monitor scans the file you should receive an email that includes the corresponding IIS log entry. If you don’t receive the email, review the Service Output view for errors. Please note if the email server connection settings have not been set causing the monitor to error when sending the email alert, you must request the page again before the monitor will attempt to fire another alert.
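The monitor configured in this tutorial does three things: it resolves the date tags in the mask to today's filename, it reads the file from the beginning and then only the lines added since the previous poll, and it applies the Message Contains filter to each entry. The following Python is an added example of that logic, not Log Manager's code. It assumes .NET-style date tokens inside the angle-bracket tags (the page shows only <yyMMdd>), treats lines starting with # as W3C directive lines, and writes a constructed IIS-style log into a temporary directory so it runs offline.

```python
import os
import re
import tempfile
from datetime import date

# .NET-style date tokens this example understands inside <...> mask tags.
# The page only shows <yyMMdd>; the other tokens are an assumption here.
_DATE_TOKENS = {"yyyy": "%Y", "yy": "%y", "MM": "%m", "dd": "%d", "HH": "%H"}
_TAG = re.compile(r"<([A-Za-z]+)>")


def expand_mask(mask, day):
    """Resolve a filename mask such as u_ex<yyMMdd>.log for the given date."""
    def sub(match):
        fmt = match.group(1)
        for token in sorted(_DATE_TOKENS, key=len, reverse=True):
            fmt = fmt.replace(token, _DATE_TOKENS[token])
        return day.strftime(fmt)
    return _TAG.sub(sub, mask)


class RollingLogMonitor:
    """Polls the current day's file for new complete lines.

    The byte offset already processed is remembered per file, so the first poll
    reads from the beginning of the file (the tutorial's read method) and later
    polls only see appended lines. Lines passing `predicate` are returned.
    """

    def __init__(self, directory, mask, predicate):
        self.directory = directory
        self.mask = mask
        self.predicate = predicate
        self.offsets = {}  # path -> bytes already processed

    def current_path(self, day):
        return os.path.join(self.directory, expand_mask(self.mask, day))

    def poll(self, day):
        path = self.current_path(day)
        if not os.path.exists(path):
            return []  # the file for this day has not been created yet
        hits = []
        with open(path, "rb") as fh:
            fh.seek(self.offsets.get(path, 0))
            while True:
                raw = fh.readline()
                if not raw.endswith(b"\n"):
                    break  # EOF or a partially written line: re-read it next poll
                self.offsets[path] = fh.tell()
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line.startswith("#"):
                    continue  # W3C directive lines (#Software, #Fields, ...)
                if self.predicate(line):
                    hits.append(line)
        return hits


# Constructed IIS W3C log content; none of these requests are real.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 7.0\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken\n"
    "2010-06-25 16:30:01 127.0.0.1 GET /index.htm - 80 - 127.0.0.1 Mozilla/5.0 200 0 0 15\n"
    "2010-06-25 16:31:05 127.0.0.1 GET /hello.aspx - 80 - 127.0.0.1 Mozilla/5.0 404 0 2 3\n"
)


def demo(day=date(2010, 6, 25)):
    """Write the sample log to a temp directory, poll, append a request, poll again."""
    with tempfile.TemporaryDirectory() as tmp:
        monitor = RollingLogMonitor(tmp, "u_ex<yyMMdd>.log",
                                    lambda line: "GET /hello.aspx" in line)
        path = monitor.current_path(day)
        with open(path, "w", newline="") as fh:
            fh.write(SAMPLE_LOG)
        first = monitor.poll(day)   # one matching entry in the initial file
        with open(path, "a", newline="") as fh:
            fh.write("2010-06-25 16:36:00 127.0.0.1 GET /hello.aspx - 80 - "
                     "127.0.0.1 Mozilla/5.0 404 0 2 1\n")
        second = monitor.poll(day)  # only the appended entry
        third = monitor.poll(day)   # nothing new
        return len(first), len(second), len(third)


if __name__ == "__main__":
    print(expand_mask("u_ex<yyMMdd>.log", date(2010, 6, 25)))
    print(demo())
```

Stopping at a line without a trailing newline is what keeps a half-written entry from being matched twice or truncated; the offset is only advanced past complete lines.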

Monitoring a File for Inactivity

This tutorial will show you how to configure this software to monitor a file for inactivity. When you have completed this tutorial, you will receive a notification every 20 minutes that a file remains idle or dormant.

Select New Log Monitor from the File menu item.

From the Log Management Wizard select Text Logs. Click the Next button.

The Select Computers page should now be displayed. Select the computer that contains the file of interest. Click the Next button.

The Specify Logon As Credentials page should now be displayed. If the remote computer is off domain, use this page to specify or update the logon as credentials. Click the Next button. The Select Files page should now be displayed. Navigate to the file of interest, check the file then click the Add button. Click the Next button.

The Specify Friendly Name… page should now be displayed. If the computer on which the file resides has other file monitors they will all be listed in the Logs combo-box. Select the log of interest from the Logs combo-box. Click the Next button.

The Schedule Parameters page should now be displayed. Specify the schedule to poll the file, for example, once a minute. Do not subscribe to updates. Click the Next button.

The Optionally Assign Filters and Actions page should now be displayed. Click the Add button. From the Assign Filter and Action dialog, click the Filters Manager button. From the Filters Manager dialog, create a new Text Log filter. Set the name to Empty. Set the type to Text Log.


Click the Close button. When prompted, save your changes.

Back in the Assign Filter and Action dialog select your newly created filter. Select Fire the action after an entry passes the filter < 1 times every 20 minutes. This rule configures the service to fire an alert every 20 minutes the file receives no new entries. Lastly, assign an action.

Click the OK button.

Back in the Optionally Assign Filters and Actions page, click the Close button and save your changes when prompted.

You have successfully completed this tutorial. Your action should now be fired every 20 minutes the file remains inactive.

Monitoring a File for Maximum Size

This tutorial will show you how to configure this software to monitor a file for maximum size. When you have completed this tutorial, you will receive a notification every 20 minutes that a file exceeds 10 MB.

Select New Log Monitor from the File menu item.

From the Log Management Wizard select Text Logs. Click the Next button.

The Select Computers page should now be displayed. Select the computer that contains the file of interest. Click the Next button.

The Specify Logon As Credentials page should now be displayed. If the remote computer is off domain, use this page to specify or update the logon as credentials. Click the Next button. The Select Files page should now be displayed. Navigate to the file of interest, check the file then click the Add button. Click the Next button.

The Specify Friendly Name… page should now be displayed. If the computer the file resides has other file monitors they will all be listed in the Logs combo-box. Select the log of interest from the

Logs combo-box. Click the Next button.

The Schedule Parameters page should now be displayed. Specify the schedule to poll the file, for example, once a minute. Do not subscribe to updates. Click the Next button.

The Optionally Assign Filters and Actions page should now be displayed. Click the Next button. The Configure File Size Monitor page should now be displayed. Set the following options:

§ Fire the alert when the file size exceeds 10 MB
§ Automatically clear alerts after 20 minutes
§ Assign an action

Click the Close button and save your changes when prompted.

You have successfully completed this tutorial. Your action should now be fired every 20 minutes that the file exceeds 10 MB.
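The two tutorials above configure the same kind of check from different directions: fire while a file has received no new entries for 20 minutes, and fire while its size stays above a limit, repeating at most every 20 minutes. The following Python is an added example of that polling logic, written for this page rather than taken from Log Manager. It assumes that growth in size means new entries, that a shrinking file was truncated or rotated (treated as fresh activity), and uses a small size limit and an injected clock so the whole sequence can be exercised offline on a constructed file.

```python
import os
import tempfile
import time


class FileActivityMonitor:
    """Raise 'idle' when a file has not grown for idle_seconds and 'size' while it
    exceeds max_bytes. Each condition repeats at most once per repeat_seconds and
    clears as soon as the condition goes away (new entries arrive, or the file
    shrinks back under the limit)."""

    def __init__(self, path, idle_seconds=20 * 60, max_bytes=10 * 1024 * 1024,
                 repeat_seconds=20 * 60):
        self.path = path
        self.idle_seconds = idle_seconds
        self.max_bytes = max_bytes
        self.repeat_seconds = repeat_seconds
        self.last_size = None
        self.last_growth = None
        self.last_alert = {"idle": None, "size": None}

    def _due(self, kind, now):
        """True if `kind` may fire now; records the firing time when it does."""
        last = self.last_alert[kind]
        if last is None or now - last >= self.repeat_seconds:
            self.last_alert[kind] = now
            return True
        return False

    def poll(self, now=None):
        now = time.time() if now is None else now
        size = os.path.getsize(self.path)
        if self.last_size is None or size != self.last_size:
            # Growth means new entries; shrinkage means truncation or rotation.
            # Both count as activity here, and an open idle alert is cleared.
            self.last_size = size
            self.last_growth = now
            self.last_alert["idle"] = None
        alerts = []
        if now - self.last_growth >= self.idle_seconds and self._due("idle", now):
            alerts.append("idle")
        if size > self.max_bytes:
            if self._due("size", now):
                alerts.append("size")
        else:
            self.last_alert["size"] = None  # condition cleared
        return alerts


def demo():
    """Drive the monitor with a simulated clock (minutes) on a constructed file."""
    minute = 60
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.log")
        with open(path, "wb") as fh:
            fh.write(b"x" * 100)
        # 1 KB limit instead of 10 MB so the demo stays small.
        monitor = FileActivityMonitor(path, idle_seconds=20 * minute,
                                      max_bytes=1024, repeat_seconds=20 * minute)
        results = []

        def step(at_minute, append=0):
            if append:
                with open(path, "ab") as fh:
                    fh.write(b"y" * append)
            results.append(monitor.poll(now=at_minute * minute))

        step(0)              # baseline
        step(21)             # idle for 21 minutes -> idle
        step(30)             # still idle, but repeat interval not elapsed
        step(41)             # 20 minutes after the last idle alert -> idle again
        step(42, append=50)  # new entries: idle alert clears
        step(50, append=2000)  # now over the 1 KB limit -> size
        step(55)             # size still exceeded, repeat not due
        step(70)             # 20 minutes with no growth and size still due -> both
        return results


if __name__ == "__main__":
    for alerts in demo():
        print(alerts)
```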

Receiving a Monthly Event Log Error Count Report (Grouped by Event ID/Source)

This tutorial will show you how to create a monthly Event Log report that shows a total count of Event Log errors grouped by the unique combination of Event IDs and Sources for the previous month.

From the File menu item select New Report.

Once the Report Wizard opens, select Event Log then click Next. Specify a report name such as Monthly Event Log Errors.

Click the Schedule button. From the Report Schedule dialog select Monthly. By default the report will run on the first day of the month at 12:00 AM. Click OK.

Next configure the date range to include. To configure the date range to include in the report select Last month from within the Date/Time combo box at the bottom of the page then click Next.

Next add the computers to include in the report then click Next. Next check the logs to include in the report then click Next.

From the Select Filter and Output page click the Filters Manager button. From the Filters Manager dialog specify a name then from the Type combo box select Event Log (Simple). Click Add Criteria. From the Add Simple Filter Criteria dialog de-select Information, Warning, Audit Success, and Audit Failure. Click OK then click Select Filter and save your changes. Back in the Report Wizard check Hide entries with the same Source and Event ID then assign an email or file output action. When you are finished click Close and save your changes.

The report is now complete. To test the report, from the Reports and Views pane within the Navigation view right click on the new report and select Report Properties Wizard, click past the Welcome page then check the option to run the report within the next minute.

To view the report progress select View -> Service Output. Once complete download your email and review the report. When reviewing the report note that the last error entry for each Event ID and Source combination is displayed along with a count of all Errors on the left side of the report.


Receiving a Monthly Event Log Error Count Report

This tutorial will show you how to create a monthly Event Log report that shows a total count of Event Log errors for the previous month.

From the File menu item select New Report.

Once the Report Wizard opens select Event Log (Frequency) then click Next. Specify a report name such as Monthly Event Log Errors.

Click the Schedule button. From the Report Schedule dialog select Monthly. By default the report will run on the first day of the month at 12:00 AM. Click OK.

Next configure the date range to include. To configure the date range to include in the report select Last month from within the Date/Time combo box at the bottom of the page then click Next.

Next add the computers to include in the report then click Next. Next check the logs to include in the report then click Next.

From the Select Filters page click the Filters Manager button. From the Filters Manager dialog specify a name then from the Type combo box select Event Log (Simple). Click Add Criteria. From the Add Simple Filter Criteria dialog de-select Information, Warning, Audit Success, and Audit Failure. Click OK then click Select Filter and save your changes. Back in the Report Wizard configure the report to Pass the entry when it occurs more than 0 times in 31 days. When you are finished, click Next.

Click Next past the Day and Time Exclusions page.

From the Select Output page add an email or file output action then click Close and save your changes.

The report is now complete. To test the report, from the Reports and Views pane within the Navigation view right click on the new report and select Report Properties Wizard, click past the Welcome page then check the option to run the report within the next minute.

To view the report progress select View -> Service Output. Once complete download your email and review the report. When reviewing the report note that the last error entry is displayed along with a count of all error entries on the right side of the report.
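Both monthly report tutorials reduce to the same computation: take the previous calendar month, drop everything except Error entries, and then either group by the (Source, Event ID) pair keeping the last entry and a count per group, or keep a single total with the last entry. The following Python is an added example of that computation on constructed Event Log records; it is not the report engine of Log Manager, and the entries, sources and IDs are sample data made up for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# The levels the tutorials de-select in the simple filter; only Error remains.
EXCLUDED_LEVELS = {"Information", "Warning", "Audit Success", "Audit Failure"}


@dataclass
class EventEntry:
    time: datetime
    level: str
    source: str
    event_id: int
    message: str


def previous_month(today):
    """Return [start, end) datetime bounds of the calendar month before `today`."""
    first_of_this = datetime(today.year, today.month, 1)
    last_of_prev = first_of_this - timedelta(days=1)
    return datetime(last_of_prev.year, last_of_prev.month, 1), first_of_this


def select_errors(entries, today):
    """Entries from last month whose level survives the tutorial's filter."""
    start, end = previous_month(today)
    chosen = [e for e in entries
              if start <= e.time < end and e.level not in EXCLUDED_LEVELS]
    return sorted(chosen, key=lambda e: e.time)


def grouped_report(entries, today):
    """'Hide entries with the same Source and Event ID': one row per pair,
    carrying the last entry seen and how many there were."""
    groups = {}
    for entry in select_errors(entries, today):
        group = groups.setdefault((entry.source, entry.event_id),
                                  {"count": 0, "last": None})
        group["count"] += 1
        group["last"] = entry  # entries are time-ordered, so this is the latest
    return groups


def total_report(entries, today):
    """The frequency-report variant: one count and the last error entry."""
    errors = select_errors(entries, today)
    return {"count": len(errors), "last": errors[-1] if errors else None}


# Constructed sample data; run "today" = 1 July 2010, so last month is June.
SAMPLE_ENTRIES = [
    EventEntry(datetime(2010, 6, 2, 8, 5), "Error", "Service Control Manager", 7031,
               "The Print Spooler service terminated unexpectedly"),
    EventEntry(datetime(2010, 6, 10, 3, 40), "Error", "Disk", 51,
               "An error was detected on device Harddisk0 during a paging operation"),
    EventEntry(datetime(2010, 6, 15, 12, 0), "Warning", "W32Time", 36,
               "Time synchronization not reached"),
    EventEntry(datetime(2010, 6, 18, 9, 15), "Error", "Service Control Manager", 7031,
               "The Print Spooler service terminated unexpectedly"),
    EventEntry(datetime(2010, 6, 20, 22, 1), "Audit Failure",
               "Microsoft-Windows-Security-Auditing", 4625, "An account failed to log on"),
    EventEntry(datetime(2010, 6, 29, 17, 30), "Error", "Service Control Manager", 7031,
               "The Print Spooler service terminated unexpectedly"),
    EventEntry(datetime(2010, 5, 30, 1, 0), "Error", "Disk", 51,
               "An error was detected on device Harddisk0 during a paging operation"),
    EventEntry(datetime(2010, 7, 1, 0, 30), "Error", "Disk", 51,
               "An error was detected on device Harddisk0 during a paging operation"),
]

if __name__ == "__main__":
    today = date(2010, 7, 1)
    for (source, event_id), group in grouped_report(SAMPLE_ENTRIES, today).items():
        print(f"{group['count']:>4}  {source} / {event_id}  last: {group['last'].time}")
    print("total errors:", total_report(SAMPLE_ENTRIES, today)["count"])
```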


Starting a Process when a Particular Entry is Logged

This tutorial will show you how to start a process when a particular entry is logged to an Event Log.

Select New Log Monitor from the File menu item.

From the Log Management Wizard select Event Logs. Click the Next button.

The Select Computers page should now be displayed. Select the computer that contains the log of interest. Click the Next button.

The Specify Logon As Credentials page should now be displayed. If the remote computer is off domain, use this page to specify or update the logon as credentials. Click the Next button.

The Select Event Logs page should now be displayed. Check the log of interest and click the Next button.

The Event Log Monitoring Schedule page should now be displayed. Check the Real-Time monitor the Event Log for new entries option and then click the Next button.

The Assign Event Log Monitor Filters and Actions page should now be displayed. Click the Add button. From the Assign Filter and Action dialog click the Filters Manager button. From the Filters Manager dialog create a Simple Event Log Filter that only displays errors and select it.

Next click the Actions Manager button. From the Actions Manager, click New, specify a name and select the Start Process type. In the Filename text box enter the full UNC path to the executable or batch file for example, \\myserver\c$\temp\startmyprocess.bat. Next, if the target computer is off domain check Run As and specify admin credentials for the remote machine, otherwise do not specify credentials as the service should already have domain administrator credentials assigned. Check Run on remote computer and specify the target host name or IP address.


From the Assign Filter and Action dialog select the new action and click the OK button. Close the Log Management Wizard and save your changes when prompted.

You have successfully completed this tutorial. Your process should now be fired every time an entry passes your filter.

Consolidating Logs to SQL Server

In this tutorial, we walk you through the process of configuring SQL Server. Once completed, we will configure SpectorSoft Log Manager to use SQL Server as its Event Log repository. Lastly, we will download logs to the SQL Server database and verify entries were written to the database.

Step 1: Create a new primary and archive database

From the Start menu, navigate to the Microsoft SQL Server shortcut folder, select Microsoft SQL Server Management Studio and log in to your database server.

From the left pane, called the Object Explorer, right click on Databases and select New Database. Specify CBLM in the Database name text box. When you are finished you should see the following:

Create another database called CBLM_ARCHIVE with the same options.

Step 2: Create the database user


Specify the cblmuser in the Login name text box. Select SQL Server authentication.

Specify a password.

De-select Enforce password policy.

In the Default database combo box select CBLM. When you are finished you should see the following:

Step 3: Assign the user to the CBLM and CBLM_ARCHIVE databases

From the Object Explorer expand Databases\CBLM. Right-click on Security and select New User. Specify the cblmuser in the User name text box.

Specify the cblmuser in the Login name text box.

From within the Database Role Membership list check db_owner. When you are finished you should see the following:


Repeat the above steps for the CBLM_ARCHIVE database.

Step 4: Initialize SQL Server to work with SpectorSoft Log Manager

Open SpectorSoft Log Manager, select Options from the Tools menu item and then select the Data Providers tab. Use this page to add the primary and archive log repositories (CBLM and CBLM_ARCHIVE).

Create the primary log repository

Click the new data provider button.

Use the Name text box to specify a user friendly name that uniquely identifies the data provider, for example, SQL Server.

Under the Provider combo-box select SQL Server. Under the Type combo-box select Log Repository.

Use the Host text box to specify the host name on which the database resides. If you are using SQL Express use the following format: [HOSTNAME]\SQLExpress. For example, servername\sqlexpress.

Type cblm in the Database text box. Type cblmuser in the Username text box.

Type the password you assigned the user when created within SQL Server Management Studio. Once complete click the Test Connection button. If you were unable to connect, verify you created and assigned the user to the database as well as typed the connection information correctly.


Once you have successfully tested the connection, click the Initialize button. When you are finished you should see the following:

When you clicked the Initialize button SpectorSoft Log Manager should have created 6 tables. They are:

Table        Description
level        Contains a list of the Event Log levels (Information, Warning, Error, Audit Success, and Audit Failure).
facility     Contains a list of the Syslog facilities.
priority     Contains a list of the Syslog priorities.
event_logs   Contains an index of consolidated Event Logs.
syslogs      Contains an index of consolidated Syslogs.
text_logs    Contains an index of consolidated Text Logs.

Each log file is consolidated to its own table. Event Log and Syslog tables use the following naming conventions:

Event Log: [host]_evt_[log]
Syslog: [host]_syslog

Since the only thing that uniquely identifies a text log is the filename a GUID is used in place of the filename. The Text_Logs table maps the consolidated Text Log’s filename to the GUID.


Follow the steps above again but this time under the Type combo-box select Archive. After you have configured and initialized the database you should see the following:

Step 5: Test and verify the configuration

From the Navigation view within Log Manager, select the Configuration Explorer tab. Navigate to a server and highlight the Application log. From the File menu item select Download Event Logs. Once the download is complete you will be prompted to display the log. Click Yes. When prompted to apply a filter, select all Levels and clear the filter option. You should now see all the newly downloaded Event Log entries.

Go back to your Microsoft SQL Server Management Studio, from the Object Explorer view expand Databases\cblm\Tables, right click on the Tables node, select Refresh then expand the Tables node. You should now see a new table called [servername]_evt_application where [servername] is the name of the server you downloaded the logs from. If you see this table, you have successfully downloaded the Event Log and saved it to your SQL Server database.


Consolidating Logs to MySQL

In this tutorial, we walk you through the process of downloading, installing and configuring MySQL. Once completed, we will configure SpectorSoft Log Manager to use MySQL as its Event Log repository. Lastly, we will download logs to the MySQL database and verify entries were written to the database.

Step 1: Download and install MySQL Community Server

Download and install MySQL Community Server from:

http://mysql.com/downloads/mysql/

Step 2: Download and install MySQL Workbench

The MySQL Workbench enables you to configure and manage MySQL. Download and install from: http://mysql.com/downloads/workbench/

Step 3: Create new server instance

The first time you open the workbench you must add the connection to your database. From the Home page select New Server Instance. Follow the wizard adding in your connection information.

Step 4: Create a new primary and archive database

From the Home page, under the SQL Development column, double-click on the connection to your database. The SQL Editor should now be displayed. From the Object Browser, right click and select Create Schema. Specify the name CBLM. Select utf8 - default collation. Click Apply, Apply SQL, Finish and finally Close. Create another database called CBLM_ARCHIVE with the same


Step 5: Create the database user and assign privileges

From the Home page, under the Server Administration column, double-click on the server instance. The Server Status page should now be displayed. Click on the Accounts tab. From the Server Access Management tab select Add Account. Specify the username cblmuser, enter a password, and lastly click Apply. Select the Schema Privileges tab then select the cblmuser user. Click Add Entry, select Selected schema, select CBLM, then OK. Highlight the new entry then click Select All followed by Save Changes. Repeat this step for the CBLM_ARCHIVE database. When you are finished you should have 1 new user and 2 schema privileges assigned as seen below.


You have now completed configuring MySQL.

Step 6: Initialize MySQL to work with SpectorSoft Log Manager

Open SpectorSoft Log Manager, select Options from the Tools menu item and then select the Data Providers tab. Use this page to add the primary and archive log repositories (CBLM and CBLM_ARCHIVE).

Create the primary log repository

Click the new data provider button.

Use the Name text box to specify a user friendly name that uniquely identifies the data provider, for example, MySQL Log Repository.

Under the Provider combo-box select MySQL. Under the Type combo-box select Log Repository.

Use the Host text box to specify the host name the database resides. Type cblm in the Database text box.

Type cblmuser in the Username text box.

Type the password you assigned the user when created within MySQL Workbench.

Once complete click the Test Connection button. If you were unable to connect, verify you created and assigned the user to the database as well as typed the connection information correctly.


Once you have successfully tested the connection, click the Initialize button. When you are finished you should see the following:

When you clicked the Initialize button Log Manager should have created 6 tables. They are:

Table        Description
level        Contains a list of the Event Log levels (Information, Warning, Error, Audit Success, and Audit Failure).
facility     Contains a list of the Syslog facilities.
priority     Contains a list of the Syslog priorities.
event_logs   Contains an index of consolidated Event Logs.
syslogs      Contains an index of consolidated Syslogs.
text_logs    Contains an index of consolidated Text Logs.

Each log file is consolidated to its own table. Event Log and Syslog tables use the following naming conventions:

Event Log: [host]_evt_[log]
Syslog: [host]_syslog

Since the only thing that uniquely identifies a text log is the filename a GUID is used in place of the filename. The Text_Logs table maps the consolidated Text Log’s filename to the GUID.

Create the archive log repository

Follow the steps above again but this time under the Type combo-box select Archive. After you have configured and initialized the database you should see the following:


Step 7: Test and verify the configuration

From the Navigation view within Log Manager, select the Configuration Explorer tab. Navigate to a server and highlight the Application log. From the File menu item select Download Event Logs. Once the download is complete you will be prompted to display the log. Click Yes. When prompted to apply a filter, select all Levels and clear the filter option. You should now see all the newly downloaded Event Log entries.

Go back to your MySQL Workbench, within the SQL Editor, expand the CBLM database, right click on the Tables node, select Refresh All then expand the Tables node. You should now see a new table called [servername]_evt_application where [servername] is the name of the server you downloaded the logs from. If you see this table, you have successfully downloaded the Event Log and saved it to your MySQL database.
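Both the SQL Server and the MySQL tutorial describe the same repository layout: fixed index tables (level, event_logs, text_logs, ...), one table per consolidated log named [host]_evt_[log], and a GUID standing in for a text log's filename. The following Python is an added example of that layout and of the verification query the tutorials perform by hand, not Log Manager's own schema code. It uses the sqlite3 module from the standard library as a stand-in for SQL Server or MySQL so it runs offline; the column definitions, the lowercasing of identifiers and the txt_ prefix for text-log tables are assumptions of this example. One point worth noticing is the identifier check: table names built from host and log names cannot be passed as bound parameters, so they are validated against a strict character set before being interpolated into DDL.

```python
import re
import sqlite3
import uuid

# Table names are built from host and log names and cannot be bound as query
# parameters, so they are checked against a strict allow-list before use in SQL.
_IDENT = re.compile(r"^[A-Za-z0-9_]{1,64}$")

LEVELS = ("Information", "Warning", "Error", "Audit Success", "Audit Failure")


def _ident(value):
    """Normalise a host or log name into a safe SQL identifier fragment."""
    value = value.lower().replace("-", "_").replace(" ", "_")
    if not _IDENT.match(value):
        raise ValueError("unsafe identifier: %r" % value)
    return value


def event_log_table(host, log):
    return "%s_evt_%s" % (_ident(host), _ident(log))      # [host]_evt_[log]


def syslog_table(host):
    return "%s_syslog" % _ident(host)                     # [host]_syslog


def text_log_table(guid):
    # Assumption: the page only says a GUID replaces the filename; the prefix is ours.
    return "txt_%s" % guid.replace("-", "_")


def init_repository(conn):
    """Create the index tables the Initialize button creates (subset, sqlite form)."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS level (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE IF NOT EXISTS event_logs (host TEXT, log TEXT, table_name TEXT UNIQUE);
        CREATE TABLE IF NOT EXISTS text_logs (host TEXT, filename TEXT, guid TEXT UNIQUE);
    """)
    conn.executemany("INSERT OR IGNORE INTO level(name) VALUES (?)",
                     [(name,) for name in LEVELS])


def consolidate_events(conn, host, log, entries):
    """Write (time, level, source, event_id, message) tuples to the per-log table."""
    table = event_log_table(host, log)
    conn.execute('CREATE TABLE IF NOT EXISTS "%s" (time TEXT, level_id INTEGER '
                 'REFERENCES level(id), source TEXT, event_id INTEGER, message TEXT)'
                 % table)
    conn.execute("INSERT OR IGNORE INTO event_logs VALUES (?, ?, ?)", (host, log, table))
    level_ids = dict(conn.execute("SELECT name, id FROM level"))
    conn.executemany('INSERT INTO "%s" VALUES (?, ?, ?, ?, ?)' % table,
                     [(t, level_ids[lvl], src, eid, msg) for t, lvl, src, eid, msg in entries])
    return table


def register_text_log(conn, host, filename):
    """Map a text log's filename to a GUID (stable across calls) via text_logs."""
    row = conn.execute("SELECT guid FROM text_logs WHERE host = ? AND filename = ?",
                       (host, filename)).fetchone()
    if row:
        return row[0]
    guid = str(uuid.uuid4())
    conn.execute("INSERT INTO text_logs VALUES (?, ?, ?)", (host, filename, guid))
    return guid


def verify_table(conn, table):
    """The tutorial's manual check: does the per-log table exist, and how many rows?"""
    exists = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                          (table,)).fetchone()
    if not exists:
        return 0
    return conn.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]


# Constructed sample entries for the demo.
SAMPLE = [
    ("2010-06-25 16:31:01", "Error", "Service Control Manager", 7031, "Service terminated"),
    ("2010-06-25 16:32:10", "Warning", "W32Time", 36, "Time synchronization not reached"),
]


def demo():
    conn = sqlite3.connect(":memory:")
    init_repository(conn)
    table = consolidate_events(conn, "KAMAS", "Application", SAMPLE)
    filename = r"c:\inetpub\logs\LogFiles\W3SVC1\u_ex.log"
    guid = register_text_log(conn, "KAMAS", filename)
    stable = guid == register_text_log(conn, "KAMAS", filename)
    return table, verify_table(conn, table), stable


if __name__ == "__main__":
    print(demo())
```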


Using Gmail as a Backup Email Server

This tutorial will show you how to configure this software to use your Gmail account to send email alerts when your primary email server is unavailable or unable to send.

To configure Gmail

From the Tools menu item select Options. Select the Email tab.

At the bottom of the tab check Use a backup email server when this server is unavailable or unable to send.

Click the Configure Backup button.

You should now see the Configure Email Settings (Backup) dialog. This dialog enables you to configure your backup email server. Specify the following values:

§ Email server (SMTP): smtp.gmail.com:465
§ Check Use Secure Socket Layer (SSL)
§ Username: Enter your username excluding @gmail.com
§ Password: Enter your password
§ Once complete enter the email address you want to send the alert to. Typically this would be your Gmail account, for example, [email protected].

Click the Test button.

The packets are output to the Test Status window. Once complete a message pops up that shows success or failure.


How To

User Interface Components

The user interface consists of several views:

Event Log Explorer

This view enables you to navigate your network, discover available Event Logs, download Event Logs and save them to the log repository, and select logs to review.

Configuration Explorer

This view lists all configured computers, devices and logs. You can sort by computer or group configurations by log type. When sorted by computer use drag and drop to move computers from one display group to another. Use this view to re-configure logs, download Event Logs and select logs to review.

Log Repository

This view lists each repository followed by computer or device followed by log type. Use this view to select logs to review.

Reports and Views

This view lists all configured reports and views. Use this view to create new reports and views as well as execute reports and views on demand.

Service Output

The SpectorSoft Log Manager Windows Service writes status messages to a log file. This view tails the log file and displays each status message. The log file is located in the following directory:

§ Windows XP/Server 2003: \documents and settings\all users\application data\SpectorSoft\Log Manager\cblmsrv.log
§ Windows Server 2008/7/Vista: \programdata\SpectorSoft\Log Manager\cblmsrv.log

Manual Event Log Management Output

When manually downloading or clearing an Event Log or a set of Event Logs, this view displays all status messages. Status messages are grouped by log, enabling users to quickly review all status messages associated with each log.

For more information, see: How it Works


Actions, Alerts and Notifications

When log entries pass filter criteria an action, alert, or notification is fired. By our definition actions, alerts and notifications are one and the same. Writing an entry to a CSV file or database table is more of an action than an alert, while sending an email notification is more of an alert or notification than an action; however, the software does not see these as different, hence the term action is used stand-alone throughout the application and this help file.

The following actions are available:

Database: Writes each filtered log entry to a database table. Please note error alerts cannot be written to a database table.

Email: Sends a simple notification message or a detailed message that contains the filtered log entries or alert.

Event Log Entry: Writes the filtered log entries to a Windows Event Log. Please note you have the option to include the hostname or IP address on which each log entry was generated within the Event Log Source. To include the hostname or IP address, include one of the following tags in the source field: {HOST}, {IPv4}, {IPv6}. For example: Log Monitor on {HOST}.

File: Exports the filtered log entries to CSV, EVT, HTML, TXT, or XML.

Message Box: Displays a message box on the local machine that optionally includes the filtered log entries or alert.

Pager (SMS): Sends a text message using one of several web SMS online gateway services.

Sound: Plays a sound.

SNMP Trap: Sends an SNMP trap via Microsoft’s SNMP Service.

Start Process: Starts a background process. Please note you have the option to start a process for each entry contained within the action. In the arguments field specify any of the following fields: {HOST}, {IPv4}, {IPv6}, {MESSAGE}. These fields are replaced with the appropriate values within each entry prior to the process being started. Please note there is a maximum limit of 20 processes that will start per action execution.

Syslog Message: Forwards each filtered log entry or alert to a syslog server.

Tray Popup: Displays a balloon window above the tray icon that optionally includes the filtered log entries or alert.

To create, modify, or remove an action

Select Configure Actions from the Tools menu item. Use this dialog to create, modify, and remove actions.

To assign actions to a monitor or report

You must assign an action when configuring real-time monitoring, post consolidation filters or scheduling reports.

When prompted to assign an action click the Add button to add and assign an action or double-click on an already assigned action to modify or review the action.

If prompted, select the filter to apply. Most actions support frequency rules, for example, receive notification when a specific entry is received more than 5 times within 1 hour or an expected entry is not received within a 24 hour period (called a less than frequency rule). To set this option, select the Fire the action after an entry passes the filter option. Select the frequency rule: either greater than (>) or less than (<), the value and lastly, the time period. For more information see Monitoring and Consolidating Logs.

When assigning an action to a real-time monitor you have the option to limit the number of actions fired within a time period. For example, you can limit the number of email notifications you will receive to 5 every hour. To set this option, check the Limit action frequency to check box and use the following controls to set the action limits.

When assigning an action to a text log monitor you have the option to include a number of previous and following entries within the action. For example, you can include the previous 3 entries every time an entry passes your filter for a total of 4 entries that will be included in your alert.

For more information see:

§ Monitoring and Consolidating Logs
§ Reports
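The frequency rules and the action limit described above (and the "< 1 times every 20 minutes" rule the inactivity tutorial relies on) are small pieces of counting logic that are easy to get subtly wrong, for instance by re-firing on every entry after a threshold is crossed. The following Python is an added example of how a greater-than rule, a less-than rule and a per-period action limit can be evaluated; it is written for this page and does not claim to be Log Manager's implementation. It assumes a greater-than rule counts entries in a sliding window and restarts its count once it fires, that a less-than rule is evaluated at the end of each fixed window, and it drives everything with explicit timestamps so it runs offline.

```python
from collections import deque


class FrequencyRule:
    """'Fire the action after an entry passes the filter > N times every W' or
    '< N times every W'.

    '>' fires at the moment more than N entries fall inside the sliding window
    of W seconds, then starts counting again so one burst yields one alert.
    '<' is checked by tick(): each time a fixed window of W seconds elapses with
    fewer than N entries, it fires once (an expected entry did not arrive).
    """

    def __init__(self, op, count, window_seconds, start=None):
        if op not in (">", "<"):
            raise ValueError("op must be '>' or '<'")
        self.op = op
        self.count = count
        self.window = window_seconds
        self.window_start = start  # only meaningful for '<'; set on first event if None
        self.times = deque()

    def observe(self, now):
        """Record an entry passing the filter at `now`; True if a '>' rule fires."""
        if self.window_start is None:
            self.window_start = now
        self.times.append(now)
        if self.op == ">":
            cutoff = now - self.window
            while self.times and self.times[0] <= cutoff:
                self.times.popleft()
            if len(self.times) > self.count:
                self.times.clear()
                return True
        return False

    def tick(self, now):
        """Timer callback for '<' rules; returns how many elapsed windows fired."""
        if self.op != "<":
            return 0
        if self.window_start is None:
            self.window_start = now
            return 0
        fired = 0
        while now - self.window_start >= self.window:
            end = self.window_start + self.window
            seen = sum(1 for t in self.times if self.window_start <= t < end)
            if seen < self.count:
                fired += 1
            self.window_start = end
        while self.times and self.times[0] < self.window_start:
            self.times.popleft()
        return fired


class ActionLimiter:
    """'Limit action frequency to' N actions every P seconds (sliding window)."""

    def __init__(self, max_actions, period_seconds):
        self.max_actions = max_actions
        self.period = period_seconds
        self.sent = deque()

    def allow(self, now):
        cutoff = now - self.period
        while self.sent and self.sent[0] <= cutoff:
            self.sent.popleft()
        if len(self.sent) < self.max_actions:
            self.sent.append(now)
            return True
        return False


def demo():
    """Constructed timelines (seconds) for the three rules described on the page."""
    hour, minute = 3600, 60
    # More than 5 matching entries within 1 hour: 12 entries, 10 s apart.
    burst = FrequencyRule(">", 5, hour)
    burst_fired_at = [t for t in range(0, 120, 10) if burst.observe(t)]
    # Fewer than 1 entry every 20 minutes: two entries early on, then silence.
    heartbeat = FrequencyRule("<", 1, 20 * minute, start=0)
    heartbeat.observe(5 * minute)
    heartbeat.observe(15 * minute)
    heartbeat_fires = [heartbeat.tick(m * minute) for m in (20, 40, 60)]
    # At most 5 emails per hour: six attempts in quick succession, one an hour later.
    limiter = ActionLimiter(5, hour)
    limited = [limiter.allow(t) for t in range(6)]
    allowed_later = limiter.allow(hour + 1)
    return burst_fired_at, heartbeat_fires, limited, allowed_later


if __name__ == "__main__":
    print(demo())
```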


Active Directory

SpectorSoft Log Manager interfaces with Active Directory and other generic LDAP servers in several ways. By default our software automatically connects to the Active Directory server on your domain controller. If you are not connected to a domain or want to use another LDAP server you can configure the connection via the Options dialog. You can configure as many Active Directory and LDAP servers as you need.

Once connected you can use Active Directory to:

§ Browse the Event Log Explorer
§ Browse for computers within the configuration wizards and optionally recursively scan, apply an Active Directory Filter and automatically select a list of computers
§ Use the Auto Configurator to automatically manage new computers and optionally apply an Active Directory Filter to limit which computers to configure

For more information, see:

§ Auto Configurator
§ Active Directory Filters
§ Options
