LOGbinder

LOGbinder 3.6 released!

info@logbinder.com — Thu, 14 Mar 2013 21:35:49 GMT

An exciting new version of LOGbinder SP has been released. Here is what’s new in LOGbinder SP 3.6:

First of all, there are now more output options. Besides the LOGbinder SP event log and the Security log, LOGbinder SP (and all other LOGbinder products, such as LOGbinder EX and LOGbinder SQL) can now send outputs to your Syslog server and also has the ability to output in to a Syslog text file. These Syslog outputs can also be formatted in ArcSight CEF (Common Event Format). Yes, LOGbinder SP is now ArcSight CEF certified.

· Added output options:

o Syslog-Generic and Syslog-Generic (File)

o Syslog-CEF and Syslog-CEF (File)

Additional improvements:

· Added new features:

o Option for adjusting properties of multiple inputs – If multiple inputs are selected, and then Properties is opened, the audit policy can be adjusted for all of the selected site collections at the same time.

o Option to exclude personal sites from default audit policy – With this option set, the default audit policy can exclude personal site collections, such as those with “/sites”, “/my”, and “/my/personal” prefixes.

o Central Administration site collection monitoring – Site collection(s) contained in Central Administration can now be monitored by LOGbinder SP.

o Option to “Conserve resources with lookups”– If enabled, certain high-cost lookups are skipped—which speeds up processing and reduces memory consumption. (Please note that since some details in certain events will be omitted with this option, this should be chosen only in cases when performance problems become completely unacceptable.)

· Added new events:

o Event #63 “Content type imported” – This event was added based on our customers’ requests.

o Event #550 “LOGbinder process report” – Each time all the site collections have been processed, LOGbinder SP will write this event to the Application event log. It lists the number of site collections processed, the start and end time, and the time elapsed.

o Event #558 “LOGbinder process warning” – This warning message will be written to the Application log if any site collections have been behind in its processing for more than 24 consecutive hours.

· Fixed several small issues

If you are a LOGbinder SP 3.x user already, upgrading is easy:

1. Stop the LOGbinder service

2. Close the LOGbinder control panel

3. Install LOGbinder 3.6 on top of your current version.

If you are not a LOGbinder SP user yet, why not give it a try for 30 days?

Please download LOGbinder today or contact us for a demo.

ArcSight Connector for Exchange PowerShell and LOGbinder EX

info@logbinder.com — Tue, 05 Mar 2013 22:34:04 GMT

ArcSight is an excellent tool, and together with ArcSight Connector, you can collect and process data from a variety of sources. But in some cases, you can do better.

The following paper looks at how you can significantly improve your experience with ArcSight when processing logs from Exchange Servers. In this brief comparison, we examine how you will benefit by replacing ArcSight Connector for Exchange Powershell with LOGbinder EX, our CEF certified product. It also highlights the potential impacts you will avoid by doing so.

Download Comparison: ArcSight Connector for Exchange PowerShell and LOGbinder EX.

ArcSight Connector for SQL Server Audit and LOGbinder SQL

info@logbinder.com — Tue, 05 Mar 2013 22:31:46 GMT

ArcSight is an excellent tool, and together with ArcSight Connector, you can collect and process data from a variety of sources.

The following paper looks at how you can significantly improve your experience with ArcSight when processing logs from SQL Server Audit. In this brief comparison, we examine how you will benefit by replacing ArcSight Connector for SQL Servel Audit with LOGbinder SQL, our CEF certified product. It also highlights the potential impacts you will avoid by doing so.

Download Comparison: ArcSight Connector for SQL Server Audit and LOGbinder SQL.

New Whitepaper: Top 6 Security Events to Audit in SharePoint

info@logbinder.com — Tue, 05 Mar 2013 22:00:49 GMT

Click here to get a copy of Randy Franklin Smith's new whitepaper: Top 6 Security Events to Audit in SharePoint.

You can find other SharePoint whitepapers at on our Resources page at LOGbinder.com.

LOGbinder EX for Exchange Released: Bridge the Gap between Exchange and Your SIEM

info@logbinder.com — Mon, 18 Feb 2013 19:54:19 GMT

I’m excited to announce the release of LOGbinder EX for Exchange Server which bridges the gap between Exchange and your SIEM.

With today’s ever-growing compliance burden and threat-scape, obtaining visibility into the dominant messaging platform is crucial to security and business risk management for most organizations.

Thankfully, Exchange Server provides an audit trail of non-owner access to mailboxes as well as privileged activity by Exchange administrators.

With mailbox auditing, you can detect

· Users viewing an executive’s confidential email

· Impersonated, fraudulent emails

· Administrators exporting copies of entire mailboxes

· Deletion of emails to cover up evidence

With administrator auditing, you can detect

· Exports of mailboxes

· Copies of entire mailbox databases

· Security configuration changes to Exchange

· Access control changes to groups, roles, and permissions

· Modifications to Exchange policies involving retention, mobile device policy, information rights management, federation, and more

But, like many application audit logs today, the information is trapped within the application and specific to Exchange, audit logs are actually maintained in mailboxes. Applications benefit from internal audit capability but ultimately audit logs should be copied as frequently as possible to a separate, isolated log management system.

LOGbinder EX efficiently process native Exchange audit data and translates cryptic codes, yielding an easy-to-understand Exchange audit log to the Windows event log or syslog where any log management/SIEM solution can take over with collection, alerting, reporting, and secure archival. LOGbinder EX performs these functions on both the administrator audit log and the mailbox audit log.

LOGbinder EX can be installed on most any server in your domain; there's no need to install it on any of your Exchange servers thus preventing impact on production mail flow.

Exchange audit logs need to be monitored and they belong in your SIEM. Use LOGbinder EX to bridge the gap.

Please download LOGbinder today or contact us for a demo. I’ve also got a whitepaper that explains Exchange Server’s 3 Audit Logs and how LOGbinder and your SIEM fit in. Click here to read the whitepaper.

Work around if LOGbinder SP is having SQL database issues

info@logbinder.com — Fri, 14 Dec 2012 23:45:22 GMT

A problem that might occur when using LOGbinder SP stems from the fact that SharePoint does not behave the same way through its web interface and through its API.

As a result, even though the account has been added correctly via Central Administration or the SharePoint site collection settings page, and has no problem when using the account in the SharePoint web interfaces, the privileges granted are not sufficient when third-party software uses the public SharePoint APIs, resulting in an ‘access denied’ error.

In this blog, we will provide a workaround for the problem.

SYMPTOMS:

Even though the LOGbinder user is definitely a farm administrator, you get an event from LOGbinder like this:

Unable to configure SharePoint export. Details: Cannot open database "WSS_Content" requested by the login. The login failed. Login failed for user 'SHAREPOINTSERVER\logbinderaccount'. SQL Database 'WSS_Content' on SQL Server instance 'SHAREPOINTSERVER\OfficeServers' not found. Additional error information from SQL Server is included below. Cannot open database "WSS_Content" requested by the login. The login failed. Login failed for user 'SHAREPOINTSERVER\logbinderaccount'.

CAUSE:

SharePoint behaves differently when accessing it via its web interface versus accessing it via standard Microsoft SharePoint API’s in third-party software. As a result, it might happen that you are able to perform certain operations through the SharePoint web interface, but when doing the same from a third-party application (such as LOGbinder SP) that is using only standard, published SharePoint API’s, the same operations performed by the same user do not work.

If this occurs, you will likely want to perform the following workaround, so please follow these steps:

1. Go to Central Administration and under “System Settings” click on “Manage servers in this farm”.

2. Make a note of the “Farm Information” at the top of the page, for example:

3. Using the server/instance specified above in the Farm Information, open SQL Server Management Studio.

4. Under the SharePoint_Config database (exact database may vary by installation), go to Security, then Users. Make sure that both the service account that LOGbinder SP is using, as well as the account to run LOGbinder SP Configuration (if not the same) have db_owner role set.

5. Repeat the previous step for the SharePoint_AdminContent database (exact database may vary by installation).

6. Note: If there are any other config databases for SharePoint and the problem still occurs, make sure you do this steps for those databases as well.

(Also see the additional note below.)

This should implement the workaround.

Additional note:

A similar issue may occur with administrator privileges to SharePoint site collections: even though the service account is listed as a site collection administrator in SharePoint’s user interface, you receive an error that the user is not a site collection administrator.

If this occurs, perform similar steps as described above, but to the WSS_Content database. In this case, you would need to add only the LOGbinder SP service account, since the account you use to run the LOGbinder GUI does not need site collection administrator privilege.

It has to be emphasized that we don’t consider the above steps to be a fix, just a workaround to this SharePoint problem, which affects not only LOGbinder, but many other applications too. See, for example this, this, or this article. Even Microsoft says that it can happen and that sometimes “you cannot open a database in the SharePoint Management console of SharePoint Foundation 2010 or SharePoint Server 2010 even though you are a farm administrator who has full administrator rights”, unless you are a member of the db_owner fixed database role for the database.

As a security company we strongly advocate the principles of least privilege, which we also apply in the design of our LOGbinder products. There is no reason why the LOGbinder service account should be granted any rights in SQL server, much less database owner. However, until Microsoft fixes this, the only way to get a third-party application work through SharePoint API is to implement the workaround outlined above.

How does LOGbinder SP detect log tampering?

info@logbinder.com — Fri, 14 Dec 2012 21:35:06 GMT

While LOGbinder SP is processing events, it will perform actions that generate SharePoint events. What happens, though, if these same actions are performed maliciously by a SharePoint user? Will this compromise the integrity of the audit trail? No. LOGbinder SP can detect log tampering. How?

In order to distinguish between authorized and unauthorized changes, LOGbinder SP (version 3 and later), when processing these events, will indicate whether it performed the action itself, or the action might be unauthorized. A tamper warning will be generated in the following cases:

· Audit policy change: When processing event #11 “Site collection audit policy changed” or #12 “Audit policy changed,” LOGbinder will determine if the change overrides the settings in LOGbinder. If so, LOGbinder will reset the audit policy and generate a tamper warning (#60 “Possible tampering warning”).

· Audit logs deleted: When processing event #20 “SharePoint audit logs deleted,” LOGbinder will determine whether LOGbinder deleted the logs, and indicate it in an additional line added to this event. The line “Purge performed by LOGbinder” will show value “Yes” if LOGbinder performed the purge, and “No” otherwise. In the latter case, a tamper warning event (#60 “Possible tampering warning”) will be generated.
Note: If it cannot determined whether the logs were deleted by LOGbinder SP, the “Purge performed by LOGbinder” value will be set to “Indeterminate”. This typically occurs when processing backlog events, i.e. those produced before LOGbinder started processing the site collection.

By alerting on event #60 “Possible tampering warning”, malicious audit tampering attempts can be detected, so the audit trail is not compromised.

New Whitepaper by Randy Franklin Smith "Comparing SharePoint's 4 Audit Logs for Security and SIEM Integration"

info@logbinder.com — Sat, 24 Nov 2012 23:21:02 GMT

This whitepaper by Randy Franklin Smith, provides an overview of the 4 different logs in SharePoint and discusses their relative merits in terms of security value and how to integrate with your SIEM.

Click here to download it now.

You want to run audit reports in SharePoint but LOGbinder SP purges the audit log

info@logbinder.com — Tue, 20 Nov 2012 18:44:19 GMT

LOGbinder SP can automatically purge audit entries from SharePoint after they have been processed by LOGbinder SP and forwarded to an event log or your SIEM/Log Management solution. This purging occurs on a daily basis, but a buffer is maintained, so only entries older than 24 hours are purged.
This is usually sufficient to satisfy security and compliance requirements through the audit logs stored in the organization’s SIEM or log management solution. However, in some rare instances, it might be necessary to leave the audit logs in SharePoint in order to be able to run audit reports from within the SharePoint environment. The problem is that these logs are no longer available in SharePoint, since LOGbinder SP purged them.
In this case, the LOGbinder SP automatic purging feature needs to be disabled through the Options dialog on the LOGbinder interface. Since it will not process events it has already processed, not purging the logs from SharePoint will not create duplicate events in your log management.

Figure 1: Disable purging under LOGbinder SP Options

To avoid the logs to accumulate in SharePoint, taking up valuable resources and potentially degrading the performance of the site collection, SharePoint can be set to trim the audit log. Under Site Settings / Site Collection Administration group / Site collection audit settings options are available to trim audit logs when they reach a certain age (specified in number of days) and optionally be stored in a document library.

Figure 2: Enable trimming in SharePoint audit settings

Applying these changes you can benefit from the managing your logs with your preferred SIEM/Log management solution through LOGbinder, while still taking advantage of having access to the audit logs from SharePoint.

Whitepaper: Comparing Exchange Server's™ 3 Audit Logs for Security and SIEM Integration

info@logbinder.com — Fri, 16 Nov 2012 21:18:46 GMT

This whitepaper by Randy Franklin Smith, provides an overview of the 3 different audit logs in Exchange and discusses their relative merits in terms of security value and how to integrate with your SIEM.

Download it now here.