I would like to control the naming of the pdf attachments of Events Manager scheduled reports. Previous versions of Events Manager and SELM were consistent with their attachment names (i.e. always named sched0_xxxxx.pdf, sched1_xxxxxx.pdf, etc.). This allowed us to run a script to rename them to something descriptive i.e. AAA - Account Lockout Report.pdf. We have several customers who we perform network monitoring for and the automated renaming script, although not ideal, was efficient.

With Events Manager 2012 there is no consistency in the names of the report attachments. Since they are completely random we are unable to know which report is which. This is becoming terribly inefficient for our network monitoring staff.

Ideally we would like to control the name of the pdf attachment from the scheduled reports. At the very least we would like to have the reports named like they were in all previous versions so we can key on the names to perform a scripted rename.

We don't look at system every day because we don't have a policy (or staff) yet that requires auditing daily. So we usually only look at it when there is a problem or something needs researched.

In the old version we had this happen a couple times and already had it happen once in 2012 version, where events would just stop being collected and we wouldn't know about it until we needed something and it wasn't there. This is a big problem for devices that don't have local storage for syslogging and only send to GFI. It is also a big problem for very busy Windows systems that overwrite security logs within a few hours, like domain controllers.

I would like a way for EventsManager to notify an admin if there are no events recorded within a certain time frame. Preferably, both the number of events and the time frame should be configurable. I suppose this could be a "null" report, but I can't find a way to create one that will "only" send if empty. But it should be an option in the application anyway.

In active directory we have a separate Organizational Unit for our Servers and client machines. An option I would like to have an option to have events manager automatically update it's collection sources based on these OU's.

For example:
I have a WebServers OU under a main OU called Servers under the default domain. All of our web servers are naturally under this OU and are all configured the same.

In EventsManager I would like to have an event source that can be named something like WebServers and this group is configured to sync from Active Directory from the WebServers OU. That way when I deploy a new server I don't have to go in to the EventsManager console and automatically add this server to the event source.

In our environment, it would be very beneficial to create "Event Sources Groups" inside other "Event Sources Groups" all while keeping "Inherit from Parent" as an available option across ALL configuration items in that sub-group.

This is the reason behind this request. I manage multiple domains. The default groups you have in place are nice, but I end up tweaking credentials for servers in our different domains to use the correct login information.

What I wanted to do was something like:

domain1 - Set the default properties for the group here, i.e. Login Information, Active Monitoring Alerts, etc.
- domain1\Domain Controllers - A group within the domain1 group. Settings here would add to or override the defaults for the domain1.lan group for my domain controllers, i.e., DNS events log capture
- domain1\Web Servers
- etc.

Then I could have a similar tree of groups for domain2, domain3, etc.

Also hugely beneficial would be the ability to create a new group based off the of settings of an existing group. So in this case, I could simply copy domain1 for the domain2 group and all I would really need to update is the logon credentials. I then would copy the domain1\Domain Controllers subgroup to create my domain2\Domain Controllers sub-group.

I'm sure I'm not alone in thinking most if not all the capture setting I want configured would be that same for all of my domain controllers in all of my domains.

Heck, copying the entire settings group tree from domain1 to a new group tree for domain2 would be even better to minimize the copying and creating all accross the board.

When preparing custom reports or adjusting the available ones, GFI EM2k13 should have the ability for users to have it much easier to prepare effective custom reports much quicker.

As described here http://manuals.gfi.com/en/esm2013administrator/content/ACM/Topics/Reporting/Creating_custom_reports.htm if one criteria in General tab is e.g. Event ID = 4624, then when we want to check for IP (or other columns), under the Layout tab the selection criteria should be narrowed down only to columns which event ID 4624 provides.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624#examples

Right now, selecting from existing columns is an ugly mess because event IDs have various names for same columns.
E.g. EID 4624 has: source network address as a column for IP, but when searching for address, you have all sorts of similar columns: ip address, source address, network address etc... which do not correspond to the event ID that you selected in the General tab.

I hope this makes sense and gets started to be implemented in GFI EM2k13.

Thanks,
Val.

A more robust command-line tool.

We have been using EventsManager for several years and the management console is very slow to load, change tabs and limited in what you are allowed to see and manipulate.

This is a problem in itself, but my suggestion is to offer sys admins a more robust alternative to the GUI interface. I recognize GFI does offer some command-line tools (such as ESMCmdConfig.exe, EsmDlibM.exe, etc.), but these only allow control of general management settings and are mostly used to manipulate the event database.

Specifically, it would be helpful to have the following cmd-line features (in order to script management):
- Move event sources from one group to another based on parameters (e.g. "Name includes *DC*")
- Start/Stop scan of both individual event source or group
- Display in terminal running and queued jobs
- Start/stop jobs based on parameters
- Automatically delete event sources based on parameters (e.g. computers that are offline or not responding)
- Create custom reports in a terminal window and redirect/append them to a specified file.

All of the above would be much faster to do in a terminal window than in the graphical interface.