This is what the competitors does (for example Arcsight, EMC...). I know that this is very complex but it would be a nice Feature and selling point. An expample: You log in via VPN (Syslog/SNMP), connect via RDP (Windows event) and send an email message (W3C).

If this is possible you can better track user activities and do a better forensic analysis.

We run SBS 2008 (and previously 2003). It'd be really nice if there was a default Event Source group with pre-defined filtering rules for SBS servers. Trying to decide if SBS is an infrastructure server, database server, print server, wweb server, or file server is always a tough call, since it's really all of the above, and trying to copy the default settings from each of these groups to make one for SBS is a pain. I left a bit too much enabled the last time I reinstalled and crippled our network because EM was collecting so much data.

The GFI EventsManager need a default PCI compliance ruleset for unix/linux/syslog in EventsManager

include the ability/option to prevent reports with "No events were found matching the filtering criteria." from being generated or being sent

An evaluating customer suggested that we add the NERC CIP standards to the choices of pre-defined reports. Here is a link:http://www.nerc.com/page.php?cid=2|20 and the requirements crossmap over to PCI, HIPAA, etc. Our competitors have this type of report available (just google NERC CIP)...

I've discussed with some distributors in emea, that it would be a good idea to implement or to open a location (e.g. in the User Forum) to share customer created rulesets. I think that will be a big improvement, because if someone has spend some time and work to create a ruleset for a special product or vendor, it will make it easy to share this work with other customers.

I have a client that uses EventManager to audit administrative file access from users w/ admin rights. They would like a way to be notified if GFI services are stopped, or even trap such an occurrence, to ensure that those people with adminstrative rights aren't circumnavigating GFI's file access logging.

I suggest you to allow defining more than one SID on a Oracle events source. At the moment we can define only one SID on a host, and we can't add the same host specifying another SID, because the host is already defined. We can partially bypass the problem inserting two entries for the same host, one with the host name and the other one with the ip address, anyway using this solution there is no way to collect events for more then two SID's on the same host.

Since the main purpose of this tool is for reviewing logs, is there a facility to add comments to the logs (for e.g. what action we have taken for that particular event etc & then generate a report to show as evidence for log reviewing to Auditors).

I suggest you...provide a detailed upgrade installation document which includes screen shots of the installation wizard so we know what to expect and can gather the necessary information to answer the prompts.

Will we lose our existing db? Do we need to create a new db?
will our config settings be retained, or if not can we import a backup copy from the previous version?
Will all our custom rules be retained?

Those of us who have gone through past upgrades and lost data bases, and config settings now need reassurance each time.

EventsManager should have an offline mode, so that consultants could import saved logs and analyze them just as if they were collected online.

We have a group of long list of users that need to be monitored login/logout.
Instead of define manually a filter by user/account in wich write a row for each user that belongs to thist group, with need a filter where define one or more groups.
GFI EvManager will ask to ActiveDir in order to get the users that belong to that specific group and will produce a report sorted by user.

II would like the ability to perform a silent installation to be re-instated in EventsManager 2012, ideally just like it used to be with previous versions, i.e.:
EventsManagern /s /f1C:path.iss

As servers move towards being headless - having a GUI will merely be an option in Windows Server 8 - it seems a backwards step to disallow silent installation.

Add the ability to export or import a single Event Processing rule or Event Processing Rule folder. This would allow customers to share custom rules with each other such as on the support forum, or allow GFI support to provide rules for special situations.

Database operation schedule now can configure only one schedule. Why not each operation job has its own schedule?
If it is not possible, please consider to provide command line tool and we can use Windows schedule to run it!

Currently we cant know which alert send and when/who it sends from GUI. Please add it.

provide the ability to apply custom "actions profile" actions to mulitple rules instead of having to change one rule at a time.

Provide a dialog box to allow the user to specify which database to import events into. This would allow a user to import and review old data in a way that ensures the data set does not get mixed with live data.

Provide a function for a user to select a monitored windows log and to "save" in EVT format, but have GFI do an event collect just before the log is saved/cleared. Our admins need to save EVT in binary format. This causes a concern about event collection timing and the possibility of missing uncollected events if the log is manually cleared.