The EventSentry agent is installed on every Windows-based computer and monitors event logs, log files, system health and other subsystems of Windows based on the settings configured in the Management Console.
EventSentry ships with a limited, free database ("GeoLite2") which provides the approximate geolocation of an IP address. The GeoIP database is located in the %SYSTEMROOT%\system32\eventsentry directory and is utilized by the NetFlow component of the network services and by the collector.
The installed GeoLite2 database can be replaced with a more accurate database which can be purchased from MaxMind.
GUI (Graphical User Interface / Front-end / Administration)
EventSentry consists of two major components:
• the GUI (EventSentry Management Console)
• the service (agent)
The GUI is used to configure EventSentry. It writes configuration information to the registry of the local and remote computers and allows you to control and update the service. The GUI does not have to be installed on a computer for EventSentry to work. If EventSentry was installed with the Remote Update feature, then the GUI will not be present.
Most events logged by Windows and third-party software utilize so-called message DLLs which store the templates of their respective events. Message DLLs enable language support as well as the separation of log messages from the application. Event templates with their corresponding insertion strings can be viewed with the "Event Message Browser" which is included in the management console (Tools -> Options -> Event Message Browser) and is also available as a stand-alone application as part of the EventSentry SysAdmin Tools. Insertion strings are also explained in this blog post.
Event Template | Dynamic Content | Complete Event
The computer attempted to validate the credentials for an account. Authentication Package: %1 Logon Account: %2 Source Workstation: %3 Error Code: %4 | %1 = MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, %2 = Administrator, %3 = WORKSTATION4733, %4 = 0xc0000064 | The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WORKSTATION4733 Error Code: 0xc0000064
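The substitution shown in the table is mechanical: the template is stored in the message DLL, the insertion strings travel with the event record, and a consumer that has both can render the complete text (or, more usefully for detection work, pull each labelled value into a named field). The following is an added example, not EventSentry code; it implements the %1..%n substitution rules of Windows message templates (%% for a literal percent sign, %n and %t for newline and tab, %0 to end the message) and assumes the common "Label: %n" layout when extracting fields. The template and insertion strings are those from the table above.

```python
"""Expand a Windows event message template with its insertion strings.

Added example (not EventSentry's own code). The placeholder syntax follows
the FormatMessage rules used by message DLLs; the "Label: %n" field layout
is an assumption about how most event templates are written.
"""
import re
from typing import Dict, List, Sequence

# Placeholders recognised in message-DLL templates:
#   %1..%99 -> insertion string n (1-based), %% -> literal '%',
#   %n -> newline, %t -> tab, %0 -> end of message.
_PLACEHOLDER = re.compile(r"%(%|\d{1,2}|n|t)")

# A "Label: %n" pair such as "Logon Account: %2" (assumed common layout).
_LABELLED = re.compile(r"([A-Za-z][A-Za-z0-9 /()-]*?):\s*%(\d{1,2})")

# Sample taken from the glossary table above.
SAMPLE_TEMPLATE = (
    "The computer attempted to validate the credentials for an account. "
    "Authentication Package: %1 Logon Account: %2 "
    "Source Workstation: %3 Error Code: %4"
)
SAMPLE_INSERTIONS: List[str] = [
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
    "Administrator",
    "WORKSTATION4733",
    "0xc0000064",
]


def expand_template(template: str, insertions: Sequence[str],
                    missing: str = "") -> str:
    """Return the complete event text for `template` and its insertion strings.

    A reference to an insertion string the record does not carry resolves to
    `missing` instead of raising, so a truncated event still renders.
    """
    out = []
    pos = 0
    for m in _PLACEHOLDER.finditer(template):
        out.append(template[pos:m.start()])
        pos = m.end()
        tok = m.group(1)
        if tok == "%":
            out.append("%")
        elif tok == "n":
            out.append("\n")
        elif tok == "t":
            out.append("\t")
        else:
            idx = int(tok)
            if idx == 0:  # %0 terminates the message
                return "".join(out)
            # insertion strings are 1-based; out-of-range -> `missing`
            out.append(insertions[idx - 1] if idx <= len(insertions) else missing)
    out.append(template[pos:])
    return "".join(out)


def structured_fields(template: str, insertions: Sequence[str]) -> Dict[str, str]:
    """Map each 'Label: %n' pair in the template to its insertion string.

    This is the form a detection rule wants (e.g. match on 'Error Code'),
    rather than the flattened complete-event text.
    """
    fields: Dict[str, str] = {}
    for label, num in _LABELLED.findall(template):
        idx = int(num)
        fields[label.strip()] = insertions[idx - 1] if 0 < idx <= len(insertions) else ""
    return fields


if __name__ == "__main__":
    print(expand_template(SAMPLE_TEMPLATE, SAMPLE_INSERTIONS))
    for name, value in structured_fields(SAMPLE_TEMPLATE, SAMPLE_INSERTIONS).items():
        print(f"{name:22s} = {value}")
```

Without the message DLL a collector only sees the insertion strings, which is why the Event Message Browser and a template store matter: the labels that make the values meaningful live in the DLL, not in the event record.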
The computer from which an EventSentry installation is rolled out using the Remote Update feature.
Because the installation files (eventsentry_svc_x64.exe) that are copied to the remote server(s) are taken from the local installation, EventSentry needs to be properly installed before any type of remote installation can be started.
OS (Operating System)
Operating System, such as Windows Server 2012 or Windows 8.1.
A service name, contrary to the display name, is the "internal" name of the service. For example, the service name for the Server service is lanmanserver. You can find the service name by double-clicking a service display name in the Services application, found in the Administrative Tools. The service name is shown in the first line of the dialog.