Release Notes for WhatsUp Log Management Suite 10.x

In this File

Release Notes for WhatsUp Log Management Suite v10.2 Release

Release Information

Product name	WhatsUp Log Management Suite v10.x includes four modular log management titles: WhatsUp Event Archiver WhatsUp Event Analyst WhatsUp Event Alarm WhatsUp Event Rover
Version	v10.x
Release dates	v10.2 June 25, 2015 v10.1 Service Pack 8 (v10.1.8) June 3, 2014 v10.1 Service Pack 7 (v10.1.7) April 15, 2014 v10.1 Service Pack 6 (v10.1.6) January 9, 2014 v10.1 Service Pack 5 (v10.1.5) October, 2013 v10.1 Service Pack 4 (v10.1.4) March, 2013 v10.1 Service Pack 3 (v10.1.3) October, 2012 v10.1 Service Pack 2 (v10.1.2) July, 2012 v10.1 Service Pack 1 (v10.1.1) March, 2012

Introducing the WhatsUp Log Management Suite

The WhatsUp Log Management Suite is a modular set of applications that can automatically collect, store, analyze and report on Windows Event and Syslog files for near real-time security event detection and response, as well as help satisfy compliance regulations and forensic needs. Additional support for the collection and review of W3C/IIS log files is also provided. Depending on your environment and the specific challenges you are facing, you can select individual products that independently provide pinpoint solutions or opt for the comprehensive suite that gives you everything you need.

With the WhatsUp Log Management Suite you can:

• Collect Windows event log data(from Windows systems and hosted applications), Syslog messages (from routers, switches, firewalls, IDS, IPS and Unix and Linux servers), and W3C/IIS log file data for comprehensive analysis and audit purposes
• Create and schedule both pre-built and custom reports for review by IT personnel, compliance officers and even law enforcement agencies
• Monitor network security threats in real-time and facilitate appropriate incident response
• Provide on-the-fly access to event log data for routine viewing or operational triage
• Analyze, filter and report on network security and regulatory compliance goals
• Automate the warehousing and cleansing of log data over time as per regulatory requirements
• Manage end-to-end IT operations in conjunction with WhatsUp Gold and related plug-ins:
  • WhatsUp Event Archiver automatically collects Windows event logs, Syslog messages, and W3C/IIS log files and archives them in flat file and/or database formats.
  • WhatsUp Event Analyst prepares ad hoc and scheduled reports using your log data for security and/or compliance purposes.
  • WhatsUp Event Alarm sends alerts when security, compliance, or other critical events are logged on your Windows computers or syslog devices.
  • WhatsUp Event Rover can search individual Windows event logs to find incidents or perform forensic analysis on Windows log files after an event occurs.

New in WhatsUp Log Management Suite v10.2

For more information about the WhatsUp Log Management Suite 10.2 release, see the Release Notes.

New in WhatsUp Log Management Suite v10.1.8

For more information about the WhatsUp Log Management Suite 10.1 Service Pack 8 (v10.1.8) release, see Service Pack 8 Release Notes.

New in WhatsUp Log Management Suite v10.1.7

For more information about the WhatsUp Log Management Suite 10.1 Service Pack 7 (v10.1.7) release, see Service Pack 7 Release Notes.

New in WhatsUp Log Management Suite v10.1.6

For more information about the WhatsUp Log Management Suite 10.1 Service Pack 6 (v10.1.6) release, see Service Pack 6 Release Notes.

New in WhatsUp Log Management Suite v10.1.5

WhatsUp Log Management v10.1.5 provides support for Microsoft Windows Server 2012 and Microsoft SQL Server 2012. Microsoft Vista is no longer a supported operating system.

If you want to use WhatsUp Log Management on Microsoft Windows Server 2012 or with Microsoft SQL Server 2012, you must first upgrade to 2012 and then install WhatsUp Log Management v10.1.5. Previous version of WhatsUp Log Management are not compatible with Windows Server 2012 or SQL Server 2012.

In addition, if you want to migrate an existing WhatsUp Log Management database to Windows Server 2012, you must follow these steps in order:

1. First, back-up your existing database.
2. Second, install SQL Server 2012.
3. Third, install WhatsUp Log Management v10.1.5.
4. Finally, copy your backed-up database into SQL Server 2012.

For complete information about installing and / or migrating to WhatsUp Log Management v10.1.5, view the WhatsUp Log Management Installation and Migration Guide.

New in WhatsUp Log Management Suite v10.1.4

There are no new features for 10.1.4. The WhatsUp Log Management 10.1.4 release is a defect-fix driven release. For information on defects fixed in v10.1.4, see the Previously Known Issues in v10.1.3 fixed in v10.1.4.

New in WhatsUp Log Management Suite v10.1.3

• The WhatsUp Log Management v10.1.3 release introduces the newly developed Getting Started Archiving WhatsWizard. This wizard is designed to greatly simplify the process of archiving new logs to a SQL Server database. The wizard runs with minimal user interaction, and it does not require in-depth knowledge of the archiving process. It automatically chooses the settings most appropriate for your system.
• WhatsUp Log Management v10.1.3 corrects a v10.1.2 Active Directory defect. For more information, view the KB article that addresses the defect.
• WhatsUp Log Management v10.1.3 allows for an update from any v10.x release.

New in WhatsUp Log Management Suite v10.1.2

The WhatsUp Log Management Suite v10.1.2 patch release address three issues:

• Custom domains not displaying in the Setup Archiving for Multiple Computers at Once wizard
• Processing performance of UDP Syslog message in environments generating a high number of Syslog messages
• Addresses an issue where WhatsUp Event Alarm notifications would stop being generated.

Note: The WhatsUp Log Management v10.1.2 patch release applies only to issues found in WhatsUp Log Management v10.1.1.

New in WhatsUp Log Management Suite v10.1.1

The WhatsUp Log Management Suite v10.1.1 adds five new reporting categories for compliance and data protection legislation found in the European Union. Specifically, these reporting categories include:

• The United Kingdom Data Protection Act of 1998
• The United Kingdom Corporate Governance Code of 2010
• The German Federal Data Protection Act of 2009
• The French Data Protection Act of 2004
• The French Financial Security Law of 2003

After installing WhatsUp Log Management v10.1.1, the above mentioned categories are listed in the WhatsUp Event Analyst application, as well as the suggested reports for each category.

New in WhatsUp Log Management Suite v10.1

The WhatsUp Log Management version 10.1 release has four main purposes: the addition of a key Syslog Device Wizard and companion service that allows for the rapid inclusion of Syslog events from multiple devices on your network (more details below), to add additional pre-defined Cisco IOS related filters and alarms, to add additional compliance categories for Event Analyst’s reports (more details below), and to fix defects discovered after the v10.0 release. Below is a more detailed list of what's new in WhatsUp Log Management release 10.1.

• Syslog Device Wizard

  This is a new wizard and companion service that can scan one or more IPv4 or IPv6 networks for potential Syslog-generating devices, while performing reverse address lookup against those IP addresses, in order to add them to the Approved Syslog Sender device lists in both WhatsUp Event Archiver and WhatsUp Event Alarm.WhatsUp

  In addition, this utility comes with the companion WhatsUp Syslog Hostname Resolver Service. The WhatsUp Syslog Hostname Resolver Service periodically scans the Syslog Devices added to WhatsUp Event Alarm and WhatsUp Event Archiver to see if their hostname has changed in DNS, and updates the Approved Syslog Sender device lists in both WhatsUp Event Archiver and WhatsUp Event Alarm accordingly.

• Event Analyst
  • The following reporting taxonomies have been added for reporting ease:
    • FERPA
    • NERC CIP
    • NISPOM
  • Filters/Alarms that match the predefined Cisco IOS reports for Syslogs found in WhatsUp Event Analysr have been added.
• WhatsUp Log Management Installer
  • The WULM common installer now installs the above mentioned Syslog Device Wizard.
  • The WULM common installer has been updated to test for the presence of other applications listening on common Syslog ports (514), and if not port conflicts are detected, to set the Syslog Listener Service to start automatically.
• WhatsUp Event Alarm

  The WhatsUp Event Alarm Service has been updated to start the Syslog Listener Service on demand as opposed to creating a service dependency.

• Database Update Tool

  The Database Update Tool, located under the Programs Group of both WhatsUp Event Analyst and WhatsUp Event Alarm, is a utility which updates the internal database schemas of each product, from older versions to the most recent versions. This tool executes automatically during in-place upgrades, but if you performed a manual upgrade from a prior version to the current version, you may wish to run this tool manually, after the installation of the current version.

New in WhatsUp Log Management Suite v10

• The WhatsUp Log Management Suite now ships with a consolidated Syslog Listener Service. The Syslog Listener Service has two handlers that the user can enable/disable for use with WhatsUp Event Alarm and WhatsUp Event Archiver. The WhatsUp Event Alarm Syslog handler allows Syslog messages to flow directly to the WhatsUp Event Alarm Service for evaluation, monitoring, and notifications based on the criteria you set. The WhatsUp Event Archiver Syslog handler allows Syslog messages to flow directly to the WhatsUp Event Archiver Service for recording in the Archived Syslog Messages custom Windows event log, as well as storage in flat file and database table formats. WhatsUp Event Archiver provides the ability to easily collect and consolidate Syslog messages.

  Note: If WhatsUp Event Alarm and WhatsUp Event Archiver are installed on the same computer, the Syslog Listener Service is dependent on the WhatsUp Event Alarm Service running for proper operation. Therefore, stopping the WhatsUp Event Alarm service also stops the Syslog Listener Service, which can affect the receipt and storage of syslog messages by WhatsUp Event Archiver. Ipswitch recommends leaving the WhatsUp Event Alarm Service running at all times when syslog collection or monitoring is required.

• The WhatsUp Log Management Suite also ships with the WhatsUp Log Management Suite Service Manager. This tool provides one interface for the administrator to stop/start key WhatsUp Log Management Services, as well as disable/enable Syslog handlers and configure ports and protocols used by the Syslog Listener Service.
• WhatsUp Event Archiver, via the Syslog Listener Service, can now collect and consolidate Syslog messages directly into a custom Windows event log, text file, or ODBC database source.
• The WhatsUp Log Management Suite now offers support for receiving Syslog messages over TCP, UDP, and over custom ports.
• The WhatsUp Log Management Suite now provides IPv6 support when receiving Syslog messages over TCP and UDP.
• WhatsUp Event Alarm provides a more direct way of monitoring Syslog messages, along with a new class of alarm definitions custom tailored for Syslog message data.
• WhatsUp Event Analyst provides seven new Cisco IOS device reports, including:
  • Cisco User Lockouts/Unlocks
  • Cisco Remote Configuration Changes
  • Cisco Failed Logon Attempts
  • Cisco Successful Logon Attempts
  • Cisco USB/USB Flashing Connection Methods
  • Cisco Reboots/Restarts
  • Cisco IOS Messages.
• WhatsUp Event Analyst now supports much more robust filtering and custom reporting for Syslog device messages received by WhatsUp Event Archiver and WhatsUp Event Analyst. A special class of filters for Syslog data is available, including the ability to filter on Priority, Facility, Level, Sender Hostname, Sender IP Address, and message data. Likewise, custom reports can include fields representing the Sender Hostname, Sender IP Address, Sender RFC Header, and Syslog Priority Code.
• WhatsUp Event Analyst now has a more intuitive display of pre-built reports, allowing users to easily view reports most relevant to their compliance regulations. Pre-built reports now display in a tree structure with top nodes named according to compliance categories. Compliance categories include:
  • HIPAA
  • Sarbanes-Oxley
  • PCI DSS
  • FISMA
  • MiFID
  • Gramm-Leach Bliley
  • Syslog (Cisco)
  • All Reports
  • Custom Reports
• WhatsUp Event Archiver is updated to support the collection, compression, and storage of WC3/IIS log files into database tables. WhatsUp Event Archiver supports collection of WC3/IIS log files produced by versions of IIS corresponding to WhatsUp Event Archiver supported operating systems.
• WhatsUp Event Archiver now provides the option for using either an MD5 checksum hash or SHA-256 checksum hash. Customers requiring FIPS 140-2 validated encryption techniques can use SHA-256 checksum hash generated against FIPS 140-2 validated libraries. When a Windows operating system is placed in FIPS mode, SHA-256 checksum hashing can be enabled and performed against all archived log files.
• Previous releases of the WhatsUp Log Management Suite have provided the ability to import and export filters from Event Alarm. Now, this same functionality is available in WhatsUp Event Analyst. Event Analyst now provides the ability to import/export filters. In addition, the exported INI file structure is now standardized, allowing either program to import from the other.
• The WhatsUp Auditing Volume Analyzer tool now supports profiling of log growth rates on Microsoft Vista and later operating systems, providing an intuitive way to determine the amount of Windows event log data being generated on a daily and monthly basis.

  Note: If you wish to profile Microsoft Vista or later operating systems with this tool, you must install the tool on a Microsoft Vista or later operating system.

• The WhatsUp Event Archiver Importer tool now supports processing custom (in addition to Core 6) Windows event logs, including archived Syslogs, and WC3/IIS logs.
• WhatsUp Event Analyst now includes a series of prebuilt reports targeting commonly sought after Syslog data particularly relevant to *Nix administrators. New reports include:
  • Critical Syslog Level Events. Displays high-level or critical syslog events logged from various daemons. Filters can be applied prior to running the report to limit the hosts or daemons in the report.
  • Application-Defined Syslog Messages. Displays application-defined syslog messages reported via the Local0 to Local7 facilities. Filters can be applied to the report to limit the hosts or applications in the report.

Known Issues

Known Issues in WhatsUp Log Management v10.1.5

When upgrading to WhatsUp Log Management v10.1.5, the installer does not overwrite the existing Alarm and Analyst config.mdb files, but instead saves the existing ones from the previous installation and uses them for the upgrade.

A utility and an associated readme file have been created to address this issue.

Known Issues in WhatsUp Log Management v10.1.4

If you install WhatsUp Log Management v10.1.4 using an existing version of Microsoft SQL Server and later decide to uninstall WhatsUp Log Management, you may have to manually remove the WhatsUp Log Management instance from your existing version of Microsoft SQL Server.

An error may occur after WhatsUp Event Archiver attempts to process zipped logs. If processing fails, WhatsUp Event Archiver continues its attempt to process the zipped log multiple times. If processing fails after multiple attempts, the following error message displays: "ZIP file compression encountered a severe failure; please attempt an 'Archive Now' instead." As the error message indicates, using the Archive Now! function should properly process the zipped log.

Previously Known Issues in v10.1.3 fixed in v10.1.4

Category	Issues	Defect ID
Suite	The new database setup wizard implemented in v10.1.3 had an issue in that the ability to multi-select groupings of computers to remove from the inclusion list did not work, making it cumbersome to remove each computer individually. The ability to select multiple computers for removal now works correctly.	21043 Item 1
Analyst	The new database setup wizard schedules computers in WhatsUp Event Archiver, but neglects to add corresponding database table links in WhatsUp Event Analyst, forcing the user to add the links manually before any analysis or reporting functions worked properly in WhatsUp Event Analyst. This issue is resolved. Now, when scheduling computers in WhatsUp Event Archiver, the corresponding database table links are added to WhatsUp Event Archiver	21043 Item 2
Analyst	The new database setup wizard created a defect in WhatsUp Event Analyst in that the auto-recognition of Event Archiver database wizard causing WhatsUp Event Archiver to no longer auto-index and add the appropriate tables.	21043 Item 3
Analyst	A Run Time error would display in WhatsUp Event Analyst when running the Top Ten report from an EVTX file on a Microsoft Windows 7 machine. This issue is resolved.	20908
Analyst	When generating custom reports using custom fields, an error displayed indicating the report is unparsable. The error displayed when working with EVTX files because the WhatsUp Log Management parsing algorithm was designed for an older format of the Security Log entries. Now, both the old and new format parse properly.	20887

Previously Known Issues in v10.1 Fixed in v10.1.1

The following few minor defects and errata found in version 10.1 were fixed in version 10.1.1:

• Run-time error when attempting to enumerate UNC shares during the Setup Archiving for Multiple Computers at Once wizard. This error only affected clients running WhatsUp Event Archiver in a non-domain environment, who attempted to use the Share Browsing dialog in the wizard. Manually entering the UNC share path name did not generate the error.
• After completing the Adjust Settings for Multiple Computers at Once wizard in WhatsUp Event Archiver, sometimes clients would receive an erroneous error message stating "An Error Occurred while attempting to modify this entry in the WhatsUp Event Archiver Database."
• In some cases, username data present in EVTX security logs would not properly get relocated from the Description field to the Username field during conversion by WhatsUp Event Archiver, even if the appropriate transformation option was enabled in the WhatsUp Event Archiver Preferences dialog.
• In some cases, the Number of Dedicated Scanning Processes setting could not be adjusted in the WhatsUp Event Alarm Preferences dialog. However, scanning processes could still be adjusted manually in the registry as desired.

Known Issues in WhatsUp Log Management v10.1.1

Microsoft SQL tables beginning with a number

In WhatsUp Event Archiver, Microsoft SQL tables used to store collection log data cannot begin with a number. If you create SQL tables beginning with a number, WhatsUp Event Archiver generates an error. To avoid this error, only create SQL tables beginning with letters.

Error when upgrading from v10.1 to v10.1.1

An error may display when upgrading from v10.1 to v10.1.1 that references the WEvtRedr.dll component. This error does not impact the upgrade process; even if this error is received, the upgrade completes successfully. This error can occur when InstallShield attempts to deregister the WEvtRedr.dll component on non-Windows Vista (e.g. XP/2003) or later machines where the component was never installed.

System requirements

Software requirements

The WhatsUp Log Management Suite runs on several 32-bit and 64-bit Windows operating systems. The following is a list of the Windows operating system and release requirements for the WhatsUp Log Management Suite.

• Microsoft Windows 7 Professional / Ultimate
• Microsoft Windows XP Professional SP2
• Microsoft Windows Server 2003 SP2
• Microsoft Windows Server 2003 R2 SP2
• Microsoft Windows Server 2008 SP2
• Microsoft Windows Server 2008 R2 SP1
• Microsoft Windows Server 2012
• Microsoft Windows Server 2012 R2 (support added in 10.1.8)

Database requirements

The WhatsUp Log Management Suite v10 has been tested against and supports:

• Microsoft SQL Server Express 2005 (local installation only)
• Microsoft SQL Server 2005 Workgroup or greater installation (local or remote installation)
• Microsoft SQL Server Express 2008 R2 (local or remote installation)
• Microsoft SQL Server 2008 Workgroup or later edition (local or remote installation)
• Microsoft SQL Server 2008/R2 Standard or Enterprise Editions (local or remote installation)
• Microsoft SQL Server 2012 Express, Standard, or Enterprise Editions (local or remote installation) (support added in 10.1.5)
• Microsoft Access MDB files for small implementations

For small organizations with 5 or fewer servers who do not own a license of Microsoft SQL Server, Microsoft SQL Server Express 2008 R2 is the recommended platform, as it provides the greatest maximum database size (e.g. 10GB) in a free version. However, networks who wish to collect and analyze logs from over 5 servers should acquire license(s) for the Workgroup or later edition of Microsoft SQL Server 2005 or 2008, as there is no maximum database size limit in those versions.

Hardware requirements

• Dual-core 2GHz or faster processor
• 2 GB RAM or greater
• 4 GB available hard disk space minimum for data and/or database storage. The hard disk space required is completely dependent on the volume of log data stored, how long the data is stored, and how the data is stored (e.g. in compressed EVT/EVTX files and/or in database tables)

Installing and upgrading the WhatsUp Log Management Suite

Installing and upgrading the WhatsUp Log Management Suite

Refer to the WhatsUp Log Management Installation and Migration guide for details about installation, upgrade, and product activation.

Activating the WhatsUp Log Management Suite

Activation of the WhatsUp Log Management Suite is done manually on a product by product basis. To start this process, please enter your information, including the service number provided by Ipswitch customer service after your purchase, in the Licensing Dialog. Here's how to access the licensing dialog in each product:

WhatsUp Event Archiver - From the Help menu, select Register WhatsUp Event Archiver...

WhatsUp Event Analyst - From the Help menu, select Register WhatsUp Event Analyst...

WhatsUp Event Alarm - From the Help menu, select Register WhatsUp Event Alarm...

WhatsUp Event Rover - From the Help menu, select Register WhatsUp Event Rover...

To later add licenses to any installed instance of one or more of the above products, visit the Help menu, and this time, select Upgrade WhatsUp [Product Name] Licenses...

For complete help on how to use the Licensing Dialog, press F1 when this dialog is actively displayed.

Uninstalling the WhatsUp Log Management Suite

To uninstall any of the individual log management titles:

1. Start the un-install program:
   Navigate to the Windows system Control Panel, select Add/Remove Programs (on Windows 2003 or earlier operating systems) or Programs and Features (on Windows Vista or later operating systems). Select WhatsUp Event Archiver, WhatsUp Event Analyst, WhatsUp Event Alarm, WhatsUp Event Rover, WhatsUp Resource Tools, or WhatsUp Log Management Suite Installer, and click Uninstall. The setup dialog prompts you with the following question, Do you want to completely remove the selected application and all its features?
2. Click Yes. The un-install program runs and the Uninstall Complete dialog appears.
3. Click Finish. The setup program closes.

Note: You can also uninstall the individual setup packages associated with each log management title from disk. To do this, repeat the steps above, this time selecting the WhatsUp Log Management Suite from the list. This does not uninstall the individual log management titles, only the setup packages.

For more information and updates

The following are information resources for the WhatsUp Log Management Suite.

• Context-sensitive Help. From within each log management title. Pressing F1 from within WhatsUp Event Archiver, WhatsUp Event Analyst, WhatsUp Event Alarm, or WhatsUp Event Rover displays that product's help system.
• User Guide. Each log management title ships with its own comprehensive User Guide. These can be found under the Program group for each log management title in the Start Menu.
• Quick Setup Guide. Each log management title also ships with a Quick Setup Guide that helps users quickly configure each program and other network/security settings for optimal performance. These can be found under the Program group for each log management title in the Start Menu.
• Creating a Microsoft SQL Server Database. For log management titles that can utilize a database server, this guide explains how to create, configure, and initially size a Microsoft SQL Server database for use with WhatsUp Event Archiver, WhatsUp Event Analyst, or WhatsUp Event Alarm. These can be found under the Program group for each log management title in the Start Menu.
• Technical Support. Use the WhatsUp Gold Support Site for a variety of WhatsUp Gold product help resources. From here you can view product documentation, search Knowledge Base articles, access the community site for help from other users, and get other Technical Support information. The Support Site is available on the WhatsUp Gold web site