LOGbinder Blog

Updates, Tips and News   RSS Feed  

LOGbinder releases updates to Exchange & SharePoint solutions

Fri, 22 Aug 2014 15:30:43 GMT

Summary: New updates offer substantial performance improvements. Customers with Maintenance contracts received notice of availability at no additional cost.

LOGbinder™ announces significant upgrades for two of its application security intelligence solutions for SIEM, LOGbinder SP 5.0 and LOGbinder EX 2.5. The updates bring performance improvements most beneficial to large enterprise environments.

Both versions benefitted from an extensive Enterprise Preview program LOGbinder instituted earlier this year. “Our enterprise customers who’ve installed the pre-release versions have been very pleased with the new performance improvements,” said Randy Franklin Smith, CEO of Monterey Tech Group, Inc., the parent company of LOGbinder Software. “In enterprise scale scenarios it is very challenging to keep Exchange and SharePoint audit data moving so that it reaches your SIEM as close to real-time as possible.  Our development team has crafted enterprise-class software that, with proprietary caching, multi-threading and asynchronous scheduling, does the right thing at the right time, which we have found to be of critical importance in large monitored environments.”

Both new versions of LOGbinder EX and LOGbinder SP have built-in protection against bogging down production environments when installing for the first time and trying to process a potentially massive backlog of events.  In addition:

  • LOGbinder EX™ 2.5, the solution for getting Exchange Server security intelligence to SIEM, adds greatly enhanced technology to improve audit log query intelligence. It also improves mail handling if Exchange’s audit result comes back with errors.

  • LOGbinder SP™ 5.0, the solution for getting SharePoint security intelligence to SIEM, introduces new technology to better handle large numbers of site collections, both in application start-up and in managing the automatic audit policy configurations. In addition, customers are now able to make their own ad-hoc application performance tweaks by adjusting query levels.

With these updates LOGbinder continues its practice of releasing major updates for its technology at least once a year. The last round of major updates released September 2013 included full compatibility with Microsoft’s most recent versions of Exchange, SharePoint and SQL Server. Minor updates have been released throughout the year.

How customers can get the updates

Customers with current maintenance & support agreements receive their upgrade at no cost. Emails were sent to the technical contact on file. Information is also available via the Summer 2014 Updates page.

LOGbinder and SolarWinds LEM featured in Randy's blog

Mon, 07 Jul 2014 08:52:41 GMT
There's a new blog post featuring LOGbinder SP and SolarWinds LEM.  Click here to read Randy's new post.

New Syslog Features in LOGbinder SP 4.0.5

Mon, 17 Mar 2014 11:06:43 GMT

We have a quick update to LOGbinder SP for all of you who are using Syslog to forward your SharePoint audit log to your favorite SIEM.

LOGbinder SP version 4.0.5 adds the following new features:

  • Alternate Output Data Folder: It is now possible to change the default data folder, which is also used for the output data. This is the folder where LOGbinder stores its outputs that are written in files, as well as the diagnostic files. Now you can store these in a different folder, or on a different hard drive, or even in shared folder on a different server. You will find this useful, if you need to separate software and data, or you have the requirement of using minimal disk space on the hard drive where your programs are installed.
  • Network locations for Syslog output: As a result of the above change, it is now possible to use network location for Syslog outputs, such as Syslog-Generic (File) and Syslog-CEF (File). These files, in turn, can be easily accessed by your SIEM.
  • Test button for Syslog output: A "Test" button is now available for Syslog outputs that sends a test Syslog message using the specified address/port. When setting up LOGbinder to output to a Syslog server for your SIEM to collect the logs, the most difficult part can be to ensure that firewalls and other settings don't block the traffic from LOGbinder to the Syslog server. The "Test" button will assist you in setting up and testing this connection.
  • Output file name clarification: The sample file name for the Syslog (File) outputs now correctly indicates that the date is included in the file name.

If you would like to take advantage of the above feature, please go ahead and download LOGbinder SP.

Dealing with large amount of audit backlog when first starting LOGbinder EX

Wed, 12 Feb 2014 17:38:19 GMT

If you have had auditing enabled on your Exchange server for a while when you install LOGbinder EX (and administrator audit logging is enabled by default), you might have large amount of audit data accumulated, depending on your audit retention period. (See AuditLogAgeLimit for mailboxes, and AdminAuditLogAgeLimit for the administrator audit log.)

When starting LOGbinder EX for the first time, LOGbinder will collect and process all audits existing in your Exchange system. If there is a large amount of audit logs, this can take up a considerable time and computational resources on your Exchange server. How can you find out how much audit data you have in your Exchange environment, and what can you do if you do not want to process large amount of backlogs?

Assessing size of audit data

The following Exchange PowerShell command displays the mailboxes with the 20 largest audit data size. It only queries the mailboxes that have auditing enabled.

Get-Mailbox -Filter {AuditEnabled -eq $true} | Get-MailboxFolderStatistics | where {$_.Name -eq "Audits"} | Sort-Object FolderSize -Descending | Select-Object Identity, ItemsInFolder, FolderSize -First 20

The following Exchange PowerShell command displays the size of the administrator audit log.

Get-Mailbox -Arbitration | Get-MailboxFolderStatistics | where {$_.Name -eq "AdminAuditLogs"} | Select-Object Name, ItemsInFolder, FolderSize

If you find that any of the above seems too large (for example, you have hundreds of megabytes of mailbox audit data in some mailboxes), then you might want to consider bypassing those past events, and start the audit log collection with LOGbinder EX from this point forward.

Omitting past audit logs

If you decide that you would like to omit the past audit logs and let LOGbinder EX start processing only new logs, please contact us at support@logbinder.com, so we can set up LOGbinder for you to start processing from a given time and date.

In the near future, a new feature will be included in a LOGbinder EX release that enables specifying the start time, just like it is already done in our other products: LOGbinder SP and LOGbinder SQL.

SQL Server Audit Support in Different Editions and Versions

Sat, 23 Nov 2013 14:02:05 GMT
SQL Server 2012 made SQL Server Audit partially available to all editions. Until SQL Server 2012, this true, native auditing feature (introduced in SQL Server 2008) was only available in Enterprise and Datacenter editions. Starting with SQL Server 2012,the server-level auditing portion of SQL Server Audit was made available to all editions, leaving only the more granular database-level auditing still exclusive to the Enterprise edition.

SQL Server Audit is based on actions and action groups. The audit can contain server-level audit specification and database-level audit specifications:
  • Server-level auditing consists of server-level audit action groups, which include server operations, such as security operations involving logins, roles and permissions, logon and logoff operations, database backup and restore,manipulation of certain database-, server-, and schema objects.
  • Database-level auditing is auditing at the database scope, and it is set on each database individually. This feature is not available in all editions of SQL Server, only in Enterprise editions. Database-level auditing utilizes database-level audit action groups, and database-level audit actions.
    • The database-level audit action groups cover some similar areas as the server-level audit groups, if applicable, but at the database level.
    • Additionally to auditing action groups,database-level auditing also enables auditing certain individual actions, such as SELECT, INSERT, UPDATE, DELETE, EXECUTE, RECEIVE, and REFERENCES. These database-level audit actions can be restricted to a specific database, an object (such as table, view, stored procedure), or a schema.
Here is a summary of the SQL Server Audit support in the different editions:

 Edition  SQL Server 2008 and 2008 R2  SQL Server 2012
Server- and database-level Server- and database-level
 Evaluation Server- and database-level Server- and database-level
 Developer Server- and database-level Server- and database-level
 Datacenter Server- and database-level N/A
 Business Intelligence  None  Server-level
 Standard  None  Server-level
 Web  None  Server-level
 Express  None  Server-level

So where does LOGbinder SQL fit into the SQL audit equation? LOGbinder SQL can be installed on any Windows server running SQL Server 2008 or later regardless of the edition, including Express. It does not need to be installed on Enterprise edition. The requirement is that the SQL Server that is being audited is:

  1. Set to produce audit events.
  2. Set to output these audit events to a location accessible to LOGbinder SQL.
The audit file can then be accessed and processed by LOGbinder SQL and made available for your SIEM / log management solution.

To summarize, audit logs could move the following way:

previous | next

powered by Bloget™