What is EventSentry?
EventSentry is a Security Information and Event Management (SIEM) platform that monitors Windows event logs, log files, system health, Active Directory, and NetFlow data. It lets admins and SecOps teams collect, correlate, and visualize operating system, database, application, and other logs in real time.
Beyond its Windows monitoring, EventSentry can also monitor non-Windows devices via Syslog, SNMP, or SSH. It provides not just log aggregation but log correlation, which is what matters from a security standpoint: an event that looks harmless on one host (a single failed logon, say) only reveals its significance when it is lined up against related events from other systems on the network.
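To make the correlation point concrete, here is an added PowerShell example (not EventSentry code) that runs over a handful of constructed Windows logon events from several hosts. Each host on its own sees only one or two failed logons, which is below any sensible alert threshold; grouping the same events by source address across hosts exposes a password spray that ends in a successful logon. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows Security log IDs; the host names, accounts, addresses and timestamps are invented sample data shaped like what `Get-WinEvent` would return.

```powershell
# Added example, not part of EventSentry. Correlate logon events from several
# hosts to find a password spray that no single host reveals on its own.
# $events is constructed sample data; in production you would build the same
# objects from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}.
$events = @(
    [pscustomobject]@{ Time=[datetime]'2023-09-01T08:00:05'; Host='DC01';  Id=4625; Account='alice'; Source='10.0.5.77' },
    [pscustomobject]@{ Time=[datetime]'2023-09-01T08:00:09'; Host='DC01';  Id=4625; Account='bob';   Source='10.0.5.77' },
    [pscustomobject]@{ Time=[datetime]'2023-09-01T08:00:15'; Host='FS01';  Id=4625; Account='carol'; Source='10.0.5.77' },
    [pscustomobject]@{ Time=[datetime]'2023-09-01T08:00:21'; Host='FS01';  Id=4625; Account='dave';  Source='10.0.5.77' },
    [pscustomobject]@{ Time=[datetime]'2023-09-01T08:00:30'; Host='APP01'; Id=4625; Account='erin';  Source='10.0.5.77' },
    [pscustomobject]@{ Time=[datetime]'2023-09-01T08:00:44'; Host='APP01'; Id=4624; Account='erin';  Source='10.0.5.77' },
    # A benign typo from a different workstation: one failure, then success.
    [pscustomobject]@{ Time=[datetime]'2023-09-01T08:05:00'; Host='DC01';  Id=4625; Account='frank'; Source='10.0.2.15' },
    [pscustomobject]@{ Time=[datetime]'2023-09-01T08:05:10'; Host='DC01';  Id=4624; Account='frank'; Source='10.0.2.15' }
)

# The per-host view: what each server's own log shows. Every host stays under
# a threshold of 3 failures, so host-local alerting never fires.
function Get-FailuresPerHost {
    param([object[]]$Events)
    $Events | Where-Object { $_.Id -eq 4625 } | Group-Object Host |
        Select-Object @{n='Host';e={$_.Name}}, @{n='Failures';e={$_.Count}}
}

# The correlated view: group by source address across all hosts. A sprayer
# tries many accounts against many hosts from one address, then succeeds.
function Find-SprayCandidates {
    param(
        [object[]]$Events,
        [int]$FailureThreshold = 3,
        [timespan]$Window = [timespan]::FromMinutes(10)
    )
    foreach ($group in ($Events | Group-Object Source)) {
        $sorted   = @($group.Group | Sort-Object Time)
        $failures = @($sorted | Where-Object { $_.Id -eq 4625 })
        if ($failures.Count -lt $FailureThreshold) { continue }

        $firstFail = $failures[0].Time
        # Successful logons from the same source within the window after the
        # first failure: the spray found a working password.
        $successes = @($sorted | Where-Object {
            $_.Id -eq 4624 -and $_.Time -gt $firstFail -and ($_.Time - $firstFail) -le $Window
        })

        [pscustomobject]@{
            Source               = $group.Name
            Failures             = $failures.Count
            AccountsTried        = @($failures.Account | Sort-Object -Unique).Count
            HostsTouched         = @($failures.Host    | Sort-Object -Unique).Count
            SuccessAfterFailures = ($successes | ForEach-Object { "$($_.Account)@$($_.Host)" }) -join ', '
        }
    }
}

"Per-host view (nothing crosses the threshold of 3):"
Get-FailuresPerHost -Events $events | Format-Table -AutoSize

"Correlated view (10.0.5.77: 5 failures, 5 accounts, 3 hosts, then erin@APP01 succeeds):"
Find-SprayCandidates -Events $events | Format-Table -AutoSize
```

The 10.0.2.15 source is dropped by the threshold check, so an ordinary mistyped password does not produce an alert; 10.0.5.77 is reported with the account and host where the spray succeeded, which is the first thing an incident responder needs.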
EventSentry offers organizations the following features and capabilities:
- Monitor Windows logs in real-time with local rule processing
- Monitor files in real-time (with local rule processing)
- A rules engine that provides powerful capabilities in a performant way
- Ability to consolidate logs (event log, log files, syslog, SNMP)
- Correlate Windows security events to capture an overall security picture
- Complete system health & inventory functionality
- Detailed reporting that allows IT and SecOps to present reports that are meaningful and easy to understand
- Built-in compliance package for real-time alerts on critical events
- Ability to perform forensic analysis on collected data with search queries
- Securely store data in a central repository
- Role-based access control for web-based reporting
Below is a look at the example “Overview” dashboard, which shows the health and security of your infrastructure estate.
New features in EventSentry 5
The EventSentry 5.0.1 update brings many new features and upgrades to the platform. Note the following full feature list for EventSentry 5.0.1:
- The EventSentry installer and program components have been migrated to 64-bit
- The built-in database has been upgraded to PostgreSQL v14.2
- New ADMonitor: Group and computer inventory
- New ADMonitor: User Info page
- Management Console: LAPS integration
- Enhanced process monitoring with VirusTotal integration
- Disk space monitoring now supports host-based overrides
- Console logon tracking can now utilize RDP gateways
- Service (daemon) monitoring of non-Windows hosts through SSH
- Enhanced system inventory for non-Windows hosts through SSH
- Web Reports: RADIUS integration
- Web Reports: New menu
- Web Reports: Additional dashboard visualizations
- Web reports: Improved performance and reduced resource utilization
Let's look at a few of the major new features in EventSentry 5.0.1.
Fully 64-Bit with the latest PostgreSQL database
With the 5.0.1 release, Netikus has moved EventSentry to a fully 64-bit platform. Most components had already been ported to 64-bit before 5.0.1; version 5 completes the migration for the remaining components, including the installer. This does not affect what you can monitor: 32-bit hosts can still be added to an EventSentry 5.0.1 installation, and even Windows XP is still supported.
Alongside the 64-bit migration, version 5.0.1 ships with PostgreSQL 14 (14.2) as the built-in database. Together, the 64-bit components and the current PostgreSQL release make this the most performant and robust EventSentry release to date.
Web Reports updates
EventSentry's web reports have received new upgrades, including:
- Additional dashboard visualizations
- Improved performance—Part of the improvements "underneath the hood" include a faster database connection pool, updated backend libraries with enhanced throughput, improved memory usage, and reduced page response time
- RADIUS integration
- Enhanced security—With the updated backend libraries, there have been many security enhancements
Integrations have been improved across the platform, including web report authentication. Web report logins can now be authenticated against any RADIUS server, so organizations can authenticate enterprise users with either LDAP or RADIUS.
Another useful addition is integration of the management console with the Microsoft Local Administrator Password Solution (LAPS). When you manage remote Windows hosts from the console, the remote update functionality can now retrieve the local administrator password from LAPS instead of relying on a shared credential.
Improved inventory and connectivity
New in EventSentry 5.0.1 is the ability to monitor services (daemons) on non-Windows hosts over SSH, which extends service monitoring to the non-Windows estate.
Inventory capabilities are also much improved in 5.0.1. You can now see a complete inventory of all your Active Directory Domain Services users, computers, and groups, and a new Account Details page on the user inventory dashboard shows each user's details in a single view. This includes information that is cumbersome to collect from Active Directory Users and Computers, where it is spread across several tabs.
Account Details screen in the new EventSentry 5.0.1 release
In the overview dashboard, you can quickly see the security-relevant account states: admin accounts, accounts with "password never expires" set, disabled accounts, accounts that must change their password at next logon, locked-out accounts, and many other details.
EventSentry provides great inventory dashboards, giving a clear picture of your users, groups, and computers
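When a dashboard like this shows "password never expires" or "locked out" counts, the first thing a practitioner wants is an independent way to check the numbers. The following is an added PowerShell example (not EventSentry code) that produces the same account-hygiene counts directly from Active Directory using the RSAT ActiveDirectory module. It assumes you run it as a domain user with read access to the directory and that the privileged group is named "Domain Admins" (the name is localized in some domains). The closing query is the one worth acting on: privileged accounts that are exempt from password expiry.

```powershell
# Added example, not part of EventSentry: reproduce the account-state counts
# from an AD inventory dashboard with the RSAT ActiveDirectory module.
# Assumptions: domain read access, default group name 'Domain Admins'.
Import-Module ActiveDirectory

$props = 'Enabled', 'PasswordNeverExpires', 'pwdLastSet', 'LockedOut', 'AdminCount', 'LastLogonDate'
$users = @(Get-ADUser -Filter * -Properties $props)

# pwdLastSet = 0 is how AD records "user must change password at next logon".
# AdminCount = 1 marks accounts that are (or once were) in protected groups;
# it is sticky, so treat it as an upper bound on privileged accounts.
$report = [ordered]@{
    'Total users'               = $users.Count
    'Disabled'                  = @($users | Where-Object { -not $_.Enabled }).Count
    'Password never expires'    = @($users | Where-Object { $_.Enabled -and $_.PasswordNeverExpires }).Count
    'Must change password'      = @($users | Where-Object { $_.Enabled -and $_.pwdLastSet -eq 0 }).Count
    'Locked out'                = @(Search-ADAccount -LockedOut -UsersOnly).Count
    'Protected (AdminCount=1)'  = @($users | Where-Object { $_.AdminCount -eq 1 }).Count
    'Domain Admins (recursive)' = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive).Count
}
[pscustomobject]$report | Format-List

# The finding that matters most: enabled privileged accounts whose password
# never expires. Each one is a standing credential worth a dedicated review.
"Privileged accounts with non-expiring passwords:"
$users |
    Where-Object { $_.Enabled -and $_.PasswordNeverExpires -and $_.AdminCount -eq 1 } |
    Select-Object SamAccountName, LastLogonDate |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize
```

`Search-ADAccount -LockedOut` is used for the lockout count because it evaluates the lockout against the domain's lockout duration rather than reading the raw lockoutTime attribute, which is what makes the figure comparable to what a console shows. Disabled accounts are excluded from the "never expires" and "must change" counts so the numbers reflect accounts that can actually be used.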
Impressions of EventSentry and new features
One pain point I have seen time after time when securing environments is getting visibility into what is happening across accounts, events, servers, and network traffic. SIEM solutions are also generally complex to configure and tune, and the time to value is usually long.
EventSentry provides excellent visibility without the steep learning curve, tweaking, and configuration. It is highly intuitive and covers many areas that businesses will be looking to gain visibility into - if they do not already have a SIEM solution in place. The new platform upgrades in EventSentry 5 help modernize the solution's underlying infrastructure and provide new features and capabilities, including new inventory features, improved integrations, new connectivity, and more detailed Active Directory reporting.