Accessing the portal:

Open a browser on any machine with network access to the EventLogCentral server and navigate to one of the following URLs:

Replace <server-address> with the hostname or IP address of your EventLogCentral server.

Logging in:

1. Enter your Username
2. Enter your Password
3. Click Sign In

Default administrator credentials (first login only):

Change the default password immediately after first login. See the Admin article for instructions.

Password requirements:

Account lockout and session management:

If your account is locked after failed login attempts, wait 15 minutes before trying again or contact your administrator to unlock the account.

Sessions expire after 60 minutes of inactivity and use sliding expiration — any activity within the session extends the timeout. You will be automatically redirected to the login page when your session expires.

Main navigation:

The portal uses a left-side navigation menu with the following sections:

Troubleshooting login issues:

Accessing the Clients page:

In the left navigation menu, click Clients.

Client list overview:

The client list displays the following information for each registered agent:

Client status indicators:

If a client shows as Offline, check the following:

• Confirm the EventLogAgent service is running on that machine
• Confirm the agent appsettings.json points to the correct EventLogCentral server address
• Check for network connectivity issues between the agent and the server

Review the agent logs for errors:
C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\logs

Searching and sorting clients:

Use the search bar to filter clients by machine name, IP address, or group name:

Example: Type “SQL” to find all SQL servers

Click any column header to sort the client list by that field. Click again to reverse the sort order — ascending and descending indicators show the current sort direction.

Pagination:

Control how many clients are displayed per page by selecting 10, 25, 50, or 100 items per page. Use the page navigation at the bottom of the list to browse multiple pages.

Viewing client details:

Click on any client name to view its full details:

• Registration information — when the agent registered with EventLogCentral
• Current configuration version — the version of the configuration the agent is running
• Applied audit policies — the audit policies currently active on this client
• Event log collection settings — which Windows Event Logs are being collected
• File audit rules — any file system monitoring rules applied to this client

Client actions:

From the client list, the following actions are available via the actions menu next to each client:

Configuration sync timing:

After making configuration changes in EventLogCentral, agents receive updates on their next heartbeat cycle. The default heartbeat interval is 5 minutes. If changes need to be applied immediately, use the Force Configuration Sync action on the relevant client.

Best practices:

• Monitor the Last Heartbeat column regularly to identify agents that have stopped checking in
• Use the search function to quickly locate specific machines or groups of machines by name or role
• Investigate any client showing as Offline promptly — an offline agent represents a monitoring gap on that machine
• Use Force Configuration Sync when deploying urgent policy changes rather than waiting for the next heartbeat cycle
• Use descriptive machine naming conventions so the client list is easy to navigate in large environments

[Your administrator should establish a routine check of the Clients page — at minimum weekly — to confirm all expected agents are online and reporting correctly.]

Accessing the Targets page:

In the left navigation menu, click Targets.

The Targets page displays all configured syslog destinations with their name, server address, port, and protocol.

Adding a new target:

1. Click Add Target
2. Fill in the target details:
   • Name — a descriptive name for the target (e.g., Production LT Auditor ^MP, Splunk Cluster)
   • Syslog Server — the hostname or IP address of the destination server
   • Port — the syslog port on the destination server (default: 514)
   • Protocol — select the transport protocol:

3. Click Save Target

TLS configuration:

For TLS targets, additional configuration is required. TLS settings are managed via SenderConfig.json files or through the web interface if configured.

Required TLS configuration on the EventLogCentral server:

[Your administrator should coordinate with your PKI or security team to obtain the appropriate certificates before configuring TLS targets.]

Common target configurations:

LT Auditor ^MP (recommended):

Splunk:

QRadar:

Testing a target:

Before assigning a target to a group, test connectivity to confirm the destination is reachable:

1. Click the ⋮ menu next to the target
2. Select Test Connection
3. Review the test results

If the test fails:

• Confirm the server address and port are correct
• Confirm no firewall is blocking outbound traffic from the EventLogCentral server to the target on the configured port
• Confirm the target syslog server is running and accepting connections

Editing a target:

1. Click the ⋮ menu next to the target
2. Select Edit
3. Modify the target settings as needed
4. Click Update

Changes to a target take effect immediately for all groups assigned to that target.

Deleting a target:

Ensure no groups are currently using a target before deleting it. Deleting a target that is assigned to a group will stop event forwarding for all clients in that group.

1. Click the ⋮ menu next to the target
2. Select Delete
3. Confirm the deletion

Best practices:

• Create a dedicated target for LT Auditor ^MP and name it clearly so it is easy to identify when assigning to groups
• Use TCP or TLS rather than UDP in production environments for reliable event delivery
• Test connectivity to every new target before assigning it to a group
• Review configured targets periodically to remove any that are no longer in use
• Use TLS for all targets in environments with strict data security requirements
• Document each target’s purpose, server address, port, and protocol so the configuration is auditable

[Your administrator should confirm the LT Auditor ^MP syslog listener port and protocol before creating the LT Auditor ^MP target, and ensure the EventLogCentral transformation rule in LT Auditor ^MP is configured to match.]

Accessing the Admin section:

In the left navigation menu, click Admin, then select Users.

User roles:

EventLogCentral uses role-based access control with three roles:

Role permissions reference:

Viewing users:

The user list displays the following for each account:

Adding a new user:

1. Click Add User
2. Fill in the user details:
   • Username — unique username (required)
   • Email — the user’s email address
   • Password — must meet complexity requirements
   • Confirm Password — re-enter the password
   • Role — select Administrator, Operator, or Viewer
3. Click Create User

Editing a user:

1. Click the ⋮ menu next to the user
2. Select Edit
3. Modify any of the following:
   • Email address
   • Role assignment
   • Password reset (if needed — check Reset Password and enter a new password)
4. Click Update

Disabling a user:

To prevent a user from logging in without permanently deleting their account:

1. Click the ⋮ menu next to the user
2. Select Edit
3. Uncheck Active
4. Click Update

The user will no longer be able to log in but their account and configuration history are preserved.

Deleting a user:

User deletion is permanent and cannot be undone.

1. Click the ⋮ menu next to the user
2. Select Delete
3. Confirm the deletion

Resetting a user password:

1. Click the ⋮ menu next to the user
2. Select Edit
3. Check Reset Password
4. Enter the new password
5. Click Update

Password requirements:

Best practices:

• Change the default administrator password immediately after first login if not already done
• Use strong passwords that meet or exceed the complexity requirements
• Assign the least privileged role necessary for each user — use Viewer for team members who only need to monitor, Operator for those who need to make configuration changes, and Administrator only for those who need full system access
• Disable user accounts promptly when team members leave or change roles rather than deleting them — this preserves the audit history associated with their account
• Review user accounts and role assignments periodically to ensure access remains appropriate
• Use unique accounts for each administrator rather than sharing a single admin account — this ensures the audit log accurately reflects who made each configuration change

[Your administrator should establish a process for onboarding and offboarding EventLogCentral users as part of your organization’s standard user lifecycle management procedures.]