LOGbinder Blog


Comparison: SQL Server Audit vs. SQL Trace Audit for security analysts

Thu, 25 Sep 2014 12:50:05 GMT

Security analysts must have meaningful, relevant audit data from mission-critical applications such as SQL Server. Database admins must have no disruption to, or degradation of, the performance of their mission-critical SQL Server instances. Beginning with SQL Server 2008, Microsoft SQL Server offers a new, superior SQL audit capability, custom-built to meet the demands of both parties.

Many, if not most, organizations have gotten comfortable with SQL Trace. They have put up with its inefficiencies and cobbled together custom routines to reduce its voluminous output. Whatever problems may exist with SQL Trace are outweighed by one simple fact: it doesn’t hurt the database(s) to keep it running. Nobody wants to run the risk of disrupting the current process. It may not be great, but it’s what is comfortable.

Here’s the problem: SQL Trace leaves big gaps that compromise organizations’ InfoSec and compliance policies.

So, many organizations are taking a hard look at the risks vs. rewards of moving away from SQL Trace and implementing SQL Server Audit as part of their application security intelligence deployment for SIEM. To help inform the professionals charged with this decision, our founder Randy Franklin Smith, and Tamas Lengyel, one of our software engineers, have collaborated in writing a white paper, Comparison: SQL Server Audit and SQL Trace Audit. This detailed resource will help both security analysts and database admins get a better understanding of the superior SQL Server Audit function. The white paper presents the options available with each audit mechanism and then lays out the specific benefits that come with SQL Server Audit:

  • Easy administration and predefined activities
  • Granularity, Specificity
  • Performance improvements
  • Better (and more) output options, centralized storage of audit logs
  • Audit trail integrity

The short story is that SQL Server Audit hits the sweet spot for both database admins and security analysts: it’s a low impact process that yields better results.

Get the full story, download the whitepaper. It may also be helpful to read why LOGbinder solves a critical problem in SQL Server security intelligence at logbinder.com.

LOGbinder releases updates to Exchange & SharePoint solutions

Fri, 22 Aug 2014 15:30:43 GMT

Summary: New updates offer substantial performance improvements. Customers with Maintenance contracts received notice of availability at no additional cost.

LOGbinder™ announces significant upgrades for two of its application security intelligence solutions for SIEM, LOGbinder SP 5.0 and LOGbinder EX 2.5. The updates bring performance improvements most beneficial to large enterprise environments.

Both versions benefitted from an extensive Enterprise Preview program LOGbinder instituted earlier this year. “Our enterprise customers who’ve installed the pre-release versions have been very pleased with the new performance improvements,” said Randy Franklin Smith, CEO of Monterey Tech Group, Inc., the parent company of LOGbinder Software. “In enterprise scale scenarios it is very challenging to keep Exchange and SharePoint audit data moving so that it reaches your SIEM as close to real-time as possible.  Our development team has crafted enterprise-class software that, with proprietary caching, multi-threading and asynchronous scheduling, does the right thing at the right time, which we have found to be of critical importance in large monitored environments.”

Both new versions of LOGbinder EX and LOGbinder SP have built-in protection against bogging down production environments when installing for the first time and trying to process a potentially massive backlog of events.  In addition:

  • LOGbinder EX™ 2.5, the solution for getting Exchange Server security intelligence to SIEM, adds greatly enhanced technology to improve audit log query intelligence. It also improves mail handling if Exchange’s audit result comes back with errors.

  • LOGbinder SP™ 5.0, the solution for getting SharePoint security intelligence to SIEM, introduces new technology to better handle large numbers of site collections, both in application start-up and in managing the automatic audit policy configurations. In addition, customers are now able to make their own ad-hoc application performance tweaks by adjusting query levels.

With these updates LOGbinder continues its practice of releasing major updates for its technology at least once a year. The last round of major updates released September 2013 included full compatibility with Microsoft’s most recent versions of Exchange, SharePoint and SQL Server. Minor updates have been released throughout the year.

How customers can get the updates

Customers with current maintenance & support agreements receive their upgrade at no cost. Emails were sent to the technical contact on file. Information is also available via the Summer 2014 Updates page.

LOGbinder and SolarWinds LEM featured in Randy's blog

Mon, 07 Jul 2014 08:52:41 GMT

There's a new blog post featuring LOGbinder SP and SolarWinds LEM. Click here to read Randy's new post.

New Syslog Features in LOGbinder SP 4.0.5

Mon, 17 Mar 2014 11:06:43 GMT

We have a quick update to LOGbinder SP for all of you who are using Syslog to forward your SharePoint audit log to your favorite SIEM.

LOGbinder SP version 4.0.5 adds the following new features:

  • Alternate Output Data Folder: It is now possible to change the default data folder, which is also used for the output data. This is the folder where LOGbinder stores the outputs that are written to files, as well as the diagnostic files. Now you can store these in a different folder, on a different hard drive, or even in a shared folder on a different server. You will find this useful if you need to separate software from data, or if you are required to use minimal disk space on the drive where your programs are installed.
  • Network locations for Syslog output: As a result of the above change, it is now possible to use a network location for Syslog outputs, such as Syslog-Generic (File) and Syslog-CEF (File). These files, in turn, can be easily accessed by your SIEM.
  • Test button for Syslog output: A "Test" button is now available for Syslog outputs that sends a test Syslog message using the specified address/port. When setting up LOGbinder to output to a Syslog server for your SIEM to collect the logs, the most difficult part can be to ensure that firewalls and other settings don't block the traffic from LOGbinder to the Syslog server. The "Test" button will assist you in setting up and testing this connection.
  • Output file name clarification: The sample file name for the Syslog (File) outputs now correctly indicates that the date is included in the file name.

If you would like to take advantage of the above features, please go ahead and download LOGbinder SP.

Dealing with a large audit backlog when first starting LOGbinder EX

Wed, 12 Feb 2014 17:38:19 GMT

If you have had auditing enabled on your Exchange server for a while when you install LOGbinder EX (and administrator audit logging is enabled by default), you might have a large amount of audit data accumulated, depending on your audit retention period. (See AuditLogAgeLimit for mailboxes, and AdminAuditLogAgeLimit for the administrator audit log.)

When starting LOGbinder EX for the first time, LOGbinder will collect and process all audits existing in your Exchange system. If there is a large amount of audit data, this can take considerable time and computational resources on your Exchange server. How can you find out how much audit data you have in your Exchange environment, and what can you do if you do not want to process a large backlog?

Assessing size of audit data

The following Exchange PowerShell command displays the 20 mailboxes with the largest audit data size. It only queries the mailboxes that have auditing enabled.

Get-Mailbox -Filter {AuditEnabled -eq $true} | Get-MailboxFolderStatistics | where {$_.Name -eq "Audits"} | Sort-Object FolderSize -Descending | Select-Object Identity, ItemsInFolder, FolderSize -First 20

The following Exchange PowerShell command displays the size of the administrator audit log.

Get-Mailbox -Arbitration | Get-MailboxFolderStatistics | where {$_.Name -eq "AdminAuditLogs"} | Select-Object Name, ItemsInFolder, FolderSize

If you find that any of the above seems too large (for example, you have hundreds of megabytes of mailbox audit data in some mailboxes), then you might want to consider bypassing those past events and starting the audit log collection with LOGbinder EX from this point forward.
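The two one-liners above answer the question per mailbox; the script below is an added example (not part of the original post and not LOGbinder's own code) that builds on them to give a single backlog picture: total mailbox audit data, the administrator audit log, each mailbox's retention setting, and a list of mailboxes over a size threshold. It uses the same Get-Mailbox and Get-MailboxFolderStatistics cmdlets as the post, plus Get-AdminAuditLogConfig for the retention limit. The 100 MB threshold is an assumption chosen to match the "hundreds of megabytes" guidance above; adjust it to your environment. It also handles the fact that FolderSize is a ByteQuantifiedSize object in a local Exchange Management Shell but a plain string over a remote session.

```powershell
# Added example: estimate the Exchange audit backlog LOGbinder EX would process on first start.
# Run in the Exchange Management Shell (or a remote session to Exchange).
# Assumption: 100 MB per mailbox is the point at which a backlog is "large".
$ThresholdMB = 100

# FolderSize is a ByteQuantifiedSize locally (has ToBytes()), but a string such as
# "12.5 MB (13,107,200 bytes)" when the object has been serialized over remoting.
function ConvertTo-Bytes {
    param($Size)
    if ($null -eq $Size) { return [int64]0 }
    if ($Size.PSObject.Methods['ToBytes']) { return [int64]$Size.ToBytes() }
    if ("$Size" -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    return [int64]0
}

# Size of the "Audits" folder for every mailbox with auditing enabled,
# together with that mailbox's own retention setting (AuditLogAgeLimit).
$mailboxAudits = Get-Mailbox -ResultSize Unlimited -Filter { AuditEnabled -eq $true } |
    ForEach-Object {
        $mbx   = $_
        $stats = Get-MailboxFolderStatistics -Identity $mbx.Identity |
                 Where-Object { $_.Name -eq 'Audits' }
        [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Items    = [int]($stats.ItemsInFolder)     # $null becomes 0 if no Audits folder yet
            SizeMB   = [math]::Round((ConvertTo-Bytes $stats.FolderSize) / 1MB, 1)
            AgeLimit = $mbx.AuditLogAgeLimit
        }
    }

# The administrator audit log lives in the AdminAuditLogs folder of the arbitration mailbox.
$adminStats = Get-Mailbox -Arbitration | Get-MailboxFolderStatistics |
    Where-Object { $_.Name -eq 'AdminAuditLogs' }
$adminBytes = [int64]0
$adminItems = [int64]0
foreach ($s in @($adminStats)) {
    $adminBytes += ConvertTo-Bytes $s.FolderSize
    $adminItems += [int64]$s.ItemsInFolder
}

# Totals.
$totalMailboxMB = 0.0
foreach ($m in @($mailboxAudits)) { $totalMailboxMB += $m.SizeMB }

# Report: top 20 mailboxes, overall totals, and retention for the admin log.
$mailboxAudits | Sort-Object SizeMB -Descending | Select-Object -First 20 | Format-Table -AutoSize
"Mailbox audit data total : {0} MB across {1} audited mailboxes" -f [math]::Round($totalMailboxMB, 1), @($mailboxAudits).Count
"Admin audit log          : {0} MB ({1} items)" -f [math]::Round($adminBytes / 1MB, 1), $adminItems
"Admin audit retention    : {0}" -f (Get-AdminAuditLogConfig).AdminAuditLogAgeLimit

# Mailboxes whose backlog exceeds the threshold: candidates for starting collection
# from a later date instead of replaying everything on first start.
$over = @($mailboxAudits | Where-Object { $_.SizeMB -ge $ThresholdMB })
if ($over.Count -gt 0) {
    "{0} mailbox(es) hold {1} MB or more of audit data; consider starting collection from a later date." -f $over.Count, $ThresholdMB
    $over | Format-Table Mailbox, Items, SizeMB, AgeLimit -AutoSize
}
```

Because it walks every audited mailbox, the script takes a while on a large organization; run it once during a quiet period rather than repeatedly. The per-mailbox AgeLimit column is worth reading alongside the size: a mailbox with a long AuditLogAgeLimit keeps accumulating backlog that LOGbinder EX will otherwise have to replay.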

Omitting past audit logs

If you decide that you would like to omit the past audit logs and let LOGbinder EX start processing only new logs, please contact us at support@logbinder.com, so we can set up LOGbinder for you to start processing from a given time and date.

In the near future, a new feature will be included in a LOGbinder EX release that enables specifying the start time, just like it is already done in our other products: LOGbinder SP and LOGbinder SQL.

