Host details

Overview

Here you get an overview of the most important key data and analysis results of your host. Among other things, you will find concrete recommendations for action and the ratings (A++, A+, A, B, C, F) for security vulnerabilities, updates, network activities and configurations.

Use the sidebar on the left to access the detailed views of the respective analyses.

Issues

A list of alarms triggered by the individual host is available here. The issue overview across all assets is available at Issues.

Device Information

Here you get the system information that the mainboard provides. It helps you identify the host, for example by the model designation or the serial number of the mainboard.

Metrics

Here you will find the classic monitoring curves about CPU, RAM, SWAP, network, hard disk usage and performance. For each host, the number of hard disks is automatically determined and then a separate diagram for utilization and performance is created for each hard disk.

You can manually set the start and end time of the metrics. You can also switch to live mode.

Each metric has a Quick Alarm button. This allows you to create an alarm for that metric with just a few clicks.

Custom Metrics

In this overview you can see all user-defined metrics you have created.

With Custom Metrics you can monitor any data from your host that can be plotted over time. This can be data from a SQL database, backups, software license metrics, the number of currently logged-in users, the duration of individual requests, sensor data, etc. Alerts can of course be created for all user-defined metrics, also via the Quick Alarm button if desired. You can also set the start and end time of the metrics manually.

To create a custom metric, all you have to do is create a plugin that reads the data on the corresponding host. Just go to the Plugins item under Hosts. When you create the plugin, you can already select a template for a custom metric.

Afterwards you can define a cronjob for the plugin on the host to collect the data regularly. You can read more about plugins here.
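The following is an added example of such a plugin, not code from Enginsight: it reports one of the data sources named above, the number of distinct users currently logged in, by parsing the output of `who`. The `name value` output line and the path in the cron entry are assumptions made for this example; the actual output format is given by the custom-metric template you select when creating the plugin.

```python
"""
Added example of a custom-metric plugin (not Enginsight's own code).

Reports the number of distinct users currently logged in. The output line
format ("name value") is an ASSUMPTION for this example; adapt it to the
custom-metric template chosen when the plugin is created.

Assumed crontab entry that collects the value every 5 minutes:
    */5 * * * * /usr/local/bin/logged_in_users.py
"""
import subprocess

# Constructed sample of `who` output, used to illustrate the parsing below.
SAMPLE_WHO_OUTPUT = (
    "alice    pts/0   2024-01-01 09:00 (10.0.0.5)\n"
    "bob      pts/1   2024-01-01 09:05 (10.0.0.6)\n"
    "alice    pts/2   2024-01-01 09:10 (10.0.0.5)\n"
    "\n"
)


def count_logged_in_users(who_output: str) -> int:
    """Count distinct user names in the output of `who`.

    `who` prints one line per session, so a user with several terminals open
    must be counted once; blank lines are ignored.
    """
    users = set()
    for line in who_output.splitlines():
        fields = line.split()
        if fields:
            users.add(fields[0])
    return len(users)


def format_metric(name: str, value: float) -> str:
    """Render one metric sample as a `name value` line (assumed format)."""
    return f"{name} {value}"


def collect() -> str:
    """Run `who` on this host and return the metric line to print."""
    result = subprocess.run(["who"], capture_output=True, text=True, check=False)
    return format_metric("logged_in_users", count_logged_in_users(result.stdout))


if __name__ == "__main__":
    print(collect())
```

Run from cron, the script prints a single sample per invocation; the metric name stays constant so that the platform can build the time series from the successive values.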

Software

Here you will find an inventory of your software with the software name, version and source of the software. Such an inventory can be helpful, e.g. for software license management or for maintaining a record of processing activities under the DSGVO (GDPR).

You also want to inventory software that has not been installed with a regular installer? Enable Advanced Software Monitoring in the settings of the individual host or via the Policy Manager.

Normally Enginsight checks the installed software every 60 minutes. If you want to manually update your software inventory, simply click the "Manual refresh" button.

You can set the following alarms for software:

  • Installed/uninstalled software: Receive a notification when software is installed or uninstalled.

  • Software is installed: Receive a notification when a specific software is installed.

  • Software is not installed: Receive a notification when a specific software is not installed.

Autostarts

Autostarts provides you with an overview of software that is started automatically when your host reboots.

An autostart affects performance, but it can also be critical from a security perspective. Every piece of software running on a server or client increases the attack surface. From a security point of view, the number of autostarts should therefore be limited to the necessary software. Servers usually have almost no autostarts. Malicious software, e.g. a Trojan, also wants to be restarted on every reboot and can therefore appear in this list.

You can delete autostarts directly from our platform. Just click on the trash can icon next to the entry.

New autostarts, especially on servers, should always be checked for their necessity and legitimacy. The "New Autostart" alert can be used to notify you when an autostart is added. It is best to assign the alert via tag to all your monitored servers.

Services

Services provides you with an overview of all running and stopped services of your server or client and their start type. You can start, restart and stop the services directly from the platform.

A service is a program that is automatically started when the computer is started and runs in the background without the user interacting with it. It waits to do its job and usually has no graphical user interface. Many services are provided by the operating system to ensure the basic functions of the computer. Services can also be installed later, e.g. with the installation of new software.

Not every service that is stopped can be classified as problematic. Therefore, you can manually define which services are system relevant. By default, all services are assumed to be system relevant and a corresponding warning is displayed in the sidebar and the host overview when they are stopped. However, if you deselect the system relevant option, no warning is displayed if the service is stopped.

Alerts

Alerts can also be set for services. You can be notified if a service is running or not running. With the alarm "System relevant service is not executed" you can set a single alert for all system relevant services.

If a service produces false alerts, you can put it on the exception list so that it will be ignored by monitoring in the future.

Extended service monitoring

By default, the Enginsight Pulsar Agent only monitors automatically started services on the hosts, as this is sufficient for most cases. If you want to monitor all services with Enginsight, enable the "Extended service monitoring" option in the host's advanced settings.

Connections

Connections provides you with an overview of the open ports of your servers and clients that have the status LISTEN. You should check these regularly to detect potential entry points for attackers or unwanted open connections. You will get information about the status, the local address (LADDR), the remote address (RADDR) and the process name behind each open port.

In general, the more ports are open, the larger the attack surface, since the software behind each port can potentially have vulnerabilities. Therefore (especially on servers) the number of open ports should be limited to the necessary minimum.

By marking a connection as system relevant, you document that the open port is legitimate. You will then no longer receive a warning in the menu.

Enginsight automatically detects which service is involved. The information is used to scan for cyberattacks with the Intrusion Detection System in a focused and resource-efficient way.

If automatic detection of a service is not possible, you can add the service manually. In this way, the performance of the IDS can be optimized.

Alerts

With the alert "New open port" you can be notified when a new port is opened. We recommend assigning the alarm via tag to all your monitored servers.

If a service produces false alarms, you can put it on the exception list so that it will be ignored by monitoring in the future.

Processes

Here you will find a list of all processes running on your system, including the process ID, the process name, any sub-processes and the user. It is also possible to create alerts that involve specific processes, for example an email alert when a certain process is no longer running on your host. You can also use the Quick-Alarm button for this. Processes can also be terminated directly from the platform (KILL).

Configuration

Here you get a checklist of the configurations of your host. Incorrectly set configurations can be an entry point for attackers. Checking and correcting them should therefore be a central part of any IT security strategy.

Enginsight already provides configuration guidelines for the following operating systems:

  • Microsoft Windows Server 2008, 2012, 2016, 2019

  • Microsoft Windows 10

  • Canonical Ubuntu 16

  • Red Hat Enterprise Linux 6, 7

  • SUSE Linux Enterprise Server 12

For each configuration you will receive a description as well as a check text and a fix text. Click on "Configuration details". For some configurations, Enginsight supports an automatic fix directly from the platform; just click on "AUTOFIX". To fix the configuration manually, click on "MANUALLY REMOVE", add a comment and confirm your fix. An overview of the fixed configurations can be found under the tab "Fixed configurations".

You can also create your own policies and assign them to your hosts using lists. You can find all information about this here.

Vulnerabilities

Vulnerabilities shows you the results of our CVE scanner (vulnerability scanner).

For each vulnerability you get the CVE score and the ID of the vulnerability. Each CVE has a link to a source where you can get in-depth information about the vulnerability, for example the National Vulnerability Database of the National Institute of Standards and Technology (NIST).

We also provide information on access and impact.

See Actions for help on how to get to the latest version of the software affected by the CVE. For Windows systems, the corresponding update is linked here for Windows-specific security updates. If there is a cumulative update, you can install it directly from the platform. For third-party software, you will find a link to download the current version on the manufacturer's website. For Linux systems, both the native updates and third-party software can be patched directly from the platform. For more information about the update function within the Enginsight platform, please click here.

It can happen that security vulnerabilities are permanently displayed although they are not relevant. This is the case when a CVE exists for the upstream software, but the affected code is not present in the specific build installed on the host, so the vendor does not ship a fix for it. Linux systems (Ubuntu, Debian) are particularly affected by this.

System events

Here you get an overview of all detected system events of the individual host. These are for example failed or successful login attempts.

For more information about the System Events feature and the overview of events on all monitored hosts please click here.

Network Anomalies

In Network Anomalies, you can find the analysis results of the individual host's network traffic. Use the search bar to filter the results by category, continent and risk level. You can also limit the selection to a specific time period.

Click on an attack to get to the detailed view.

An overview of the analysis results of all monitored hosts is also available. All information about this and further explanations of the network anomalies feature can be found here.

Updates

A list of the updates that can be installed with Enginsight can be found in the Updates section. Select the desired updates and patch your software by clicking on "Update Packages".

You can be informed about new available updates with the alarm "New updates available". Just use the Quick-Alarm-Button.

More information about updates with Enginsight can be found here.

Note that Enginsight can also apply updates automatically via AutoUpdates.

Machine Learning

Here you will find the profiles of the metrics you monitor with the Machine Learning module.

Here you will learn how to set up monitoring.

Settings

Make your personal configurations under Settings.

To effectively edit the settings of multiple hosts, you can use the Policy Manager.

General Settings

Assign an alias and description to make it easier to associate the host.

Use tags to group your hosts. For example, you can use tags for alerts and the Policy Manager.

Responsibilities

Assign responsibilities. The technically responsible person receives a notification when an alert is triggered for the corresponding host, provided the "Notify Responsible Persons" option is active. You can also set responsibilities for the entire organization.

Location

For documentation purposes, you can define the host location (country, city, street, building, floor, room, abbreviation, hoster).

Advanced settings

In the advanced settings you will find the following settings:

  • Customize API URL: Define the API URL to which the agent should send its results. An adjustment may be necessary if the API URL changes. This may be the case, for example, when configuration changes are made to on-premises instances.

  • Extended service monitoring: Activate this option to monitor all services and not only those that are started automatically, contrary to the default setting.

  • Advanced software monitoring: Scans files to detect more software. This allows you to inventory software that was not installed with a regular installer, for example programs embedded in other applications or portable apps.

  • Shield: Specify whether the Shield module is allowed to restrict network traffic and block connections.

  • Run custom plug-ins: Specify whether custom plugins are allowed to run on the host.

  • Recording of security relevant events: Specify whether the Pulsar Agent is allowed to access logs. Enable the option to use system events.

Use Policy Manager to manage multiple host settings more easily.

Exception lists

Specific software used on a host may trigger unwanted effects or require different configurations due to its behavior on the system. Exception lists help you to eliminate the side effects, especially to reduce false alarms.

Wildcards help you to define the items to exclude more easily. Just abbreviate your entries with a *, for example systemd*.

  • AutoUpdate: Specify software that should not be updated automatically, i.e. ignored by AutoUpdates.

  • Services: Define services that should not be included in alerts and actions. This is useful if a service triggers false alerts on the "System relevant service is not running" alert.

  • Connections: Certain software permanently opens and closes new ports. This behavior causes false alerts if you have enabled the New Open Port alert on the host. Enter the process name in the exception list to exclude the corresponding software. You can obtain the process name under Connections.

  • Disks: To exclude disks from monitoring (i.e. suppress all alerts for this disk), enter the disks to be ignored here.
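The following added example (not Enginsight's code) shows the logic behind the "New open port" check described under Connections and the process-name exception list with wildcards described above: it compares a baseline list of LISTEN sockets with the current one and reports only the new listeners whose process name does not match an exception pattern such as `systemd*`. The `ss -tlnp` lines are constructed sample data.

```python
"""
Added example (not Enginsight's code): detect newly opened listening ports
against a baseline, honouring a wildcard exception list of process names.
"""
from __future__ import annotations

import re
from fnmatch import fnmatchcase
from typing import NamedTuple


class Listener(NamedTuple):
    laddr: str
    port: int
    process: str


# Constructed sample: `ss -tlnp` output recorded earlier (the baseline) ...
BASELINE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=600,fd=7))
"""

# ... and the current state, with two new listeners, one of them from systemd.
CURRENT_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=600,fd=7))
LISTEN  0       4096    0.0.0.0:5355         0.0.0.0:*          users:(("systemd-resolve",pid=500,fd=12))
LISTEN  0       511     0.0.0.0:3000         0.0.0.0:*          users:(("node",pid=9999,fd=18))
"""

# The process name is the first quoted string in the users:(...) column.
PROCESS_RE = re.compile(r'\("([^"]+)"')


def parse_ss(text: str) -> set[Listener]:
    """Extract LISTEN sockets from `ss -tlnp` output (header line skipped)."""
    listeners: set[Listener] = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 forms such as "[::]:22" intact.
        laddr, _, port = fields[3].rpartition(":")
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.add(Listener(laddr, int(port), process))
    return listeners


def is_excepted(listener: Listener, exceptions) -> bool:
    """True if the process name matches any wildcard pattern, e.g. 'systemd*'."""
    return any(fnmatchcase(listener.process, pattern) for pattern in exceptions)


def new_listeners(baseline_text: str, current_text: str, exceptions=()) -> list[Listener]:
    """Listeners present now but not in the baseline, minus excepted processes."""
    added = parse_ss(current_text) - parse_ss(baseline_text)
    return sorted(l for l in added if not is_excepted(l, exceptions))


if __name__ == "__main__":
    for l in new_listeners(BASELINE_SS, CURRENT_SS, exceptions=["systemd*"]):
        print(f"new open port: {l.laddr}:{l.port} ({l.process})")
```

With the exception pattern `systemd*`, only the `node` process on port 3000 is reported; without the exception list, the `systemd-resolve` listener on port 5355 would raise a second warning, which is exactly the kind of recurring false alarm the exception list is meant to suppress.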

Autoupdate

Enable automatic system updates to have Enginsight automatically apply current software versions to the host.

You can limit the automated updates to security-related updates. Feature updates will then not be applied automatically.

You can use an exception list to exclude updates from automatic updating.

Some updates require a reboot to complete the installation. Select the "Restart the system after the update" option to trigger an automatic restart by Enginsight after applying updates that require a restart.

Be careful and check thoroughly whether an automatic restart is possible without negative consequences on the system before enabling the "Restart the system after the update" option.

You use a cron expression to specify when and how often the automated system updates should be performed.

Use Policy Manager to manage multiple host settings more easily.

Network recording

To use Enginsight's Intrusion Detection System (IDS), you must enable network recording and specify which attacks to detect.

Learn more about network monitoring and network anomaly detection here.

If you wish, or if compliance regulations require it, you can anonymize the attackers' IP addresses that are determined during detection.

Use Policy Manager to manage multiple host settings more easily.

Reports

Enginsight's analysis results can also be output as a PDF report. Simply click on 'Create Report' to get an up-to-date overview of your host.

A host report includes:

  • Metrics and custom metrics

  • Configurations

  • CVEs / Vulnerabilities

  • Network activities

  • Updates

Jobs

Here you will find a history of all scripts executed on your host. For example, if the Enginsight Pulsar Agent on your system has been updated or if you have executed a script on some hosts yourself, you will find a corresponding entry here. The entry also contains a log with the standard output (stdout) and, if any, the error output (stderr).
