LOGbinder Blog


All LOGbinder products updated

Tue, 10 Dec 2019 17:18:50 GMT

Almost 12 years ago, my first LOGbinder product (LOGbinder for SharePoint) was created. Since then we've developed software to help you audit SQL Server and Exchange admin and mailbox audit logs. With the advent of our latest product, Supercharger for Windows Event Collection, we are now one of the biggest resources for the deployment, implementation and troubleshooting of Windows Event Collection (WEC). Recently we released updates to all four of our products. What's new? Below are just a few of the many new features and enhancements to our product line.

I realize that a bulleted list of "features" may not seem that impressive, so I invite you to download any or all of our products and test them for yourself to see how they can help you audit the security actions in your environment. For example, do you want to set a custom audit policy for every single one of your SharePoint sites, including new sites as they get created, and then also get alerted if a malicious actor changes that audit policy? Then try LOGbinder for SharePoint. Do you want to collect SQL Server audits without touching the SQL Server or its databases once the audit is created? Your SQL admins would love for you to try out LOGbinder for SQL Server. Do you want to collect any Event Viewer log from every workstation and server in your domain? If your SIEM's cost is based on EPS or data storage, then Supercharger may pay for itself by allowing you to leave the noise at the source.

You can click the product to see all the latest changes:

  • Supercharger for WEC 19.10
    • Reports added
      • Comprehensive forwarder analysis - see every possible detail about every forwarder in your domain. An excellent resource for troubleshooting problem forwarders
      • Collector performance history - see trends and patterns in collectors' EPS and CPU. Helpful for monitoring collector performance and resource planning
    • Maintenance button added to load-balanced distributed subscriptions so you can maintain them on demand
    • Enhanced custom event log creation
  • LOGbinder for SharePoint 7.0.1
    • Filter events based on site
    • Error handling improved to make the service more resilient
    • Performance enhancements to speed up processing
    • Noise filtering
    • Support for the latest versions of SharePoint
  • LOGbinder for SQL Server 5.0.1
    • Enhanced error handling
  • LOGbinder for Exchange 4.0.1
    • Redesign of the mailbox audit configuration wizard
    • Coded workarounds for the "Too many audit requests" Exchange issue
    • Performance enhancements to speed up processing
    • "Apply Now" option for instantly applying the audit wizard configuration

Whether you're already familiar with WEC or just learning, you'll want to view Randy Franklin Smith's recent webinar on WEC, Building a Resilient Logging Pipeline: Windows Event Collection Tips and Tricks for When You Are Serious About Log Collection.

Get instant pricing for Supercharger and our LOGbinder for SharePoint/SQL/Exchange products here: Instant Quotes

Over the past few months we've been listening to you. Most of the enhancements and bug fixes in our latest releases are there because of you. The feedback and suggestions on our forum and support portal have helped us continue to improve our products.

If you are already a licensed user of our products and have a current support contract, then upgrading is easy. Just find the product you need to upgrade on our download page, download the installer you need and install it on top of your current installation. You will most likely need to request an updated product key at support.logbinder.com. If you are upgrading Supercharger you only need to upgrade the manager; all the collectors will upgrade themselves.

Thanks again for your support and I look forward to your feedback.

Randy Franklin Smith

Support for Exchange 2016 Auditing; New Features in LOGbinder for SQL Server

Wed, 15 Aug 2018 11:38:50 GMT

Exchange 2016 support

We are happy to announce support for Exchange 2016. Now you may be thinking: 2016? Wasn't that years ago? It's true, Exchange 2016 was released in 2015, but because of a bug that seemed to have been introduced with the 2016 version, LOGbinder was not able to support it. When we discovered it almost two years ago, we worked with Microsoft to confirm this behavior. This is what Microsoft said at that time:

  • The issue is caused by the limit of 100 search folders in a particular mailbox. Before any new search can start, the old search folder has to age out and needs to be cleared. If this does not happen then it would fail.
  • We cannot modify these search folder limits, as it is by design.
  • We also found that it would take approx. 12 hrs to reset the search folder count so that we can run a new query.

The above limitations placed such restrictions on the auditing capabilities of Exchange that LOGbinder was not able to support Exchange 2016 at that time.

Our latest tests reveal that this has since been resolved and the above limitations have been removed in the latest cumulative updates. We have confirmed this to be true starting with CU6.

Therefore, LOGbinder now fully supports Exchange 2016 CU6+.

You can download LOGbinder for Exchange from our website and start auditing your Exchange environment.

SQL Server 2017

Microsoft released SQL Server 2017 and along with it introduced new audit events. We have included these events in the latest LOGbinder for SQL Server version, adding events 24338-24348 and 24350-24375. These events relate to permissions on database scoped credentials and external libraries, and to creating and dropping external libraries and database scoped resource governors, among other events.

Additional new features in version 4:

  • Adding inputs in bulk from a CSV file.
    • This is useful for users who have dozens or more inputs. These inputs can now be added all at once instead of one by one.
  • As a counterpart to adding inputs in bulk, selecting and deleting multiple inputs is now also enabled.
  • Improved resilience by not stopping the service if one of the inputs is temporarily unavailable.
    • This means that if there are many inputs monitored by LOGbinder for SQL Server and one or more of them is temporarily down or inaccessible, auditing will continue uninterrupted for the rest of the inputs. For the unavailable inputs a warning will be generated and sent to the output.

Please download LOGbinder for SQL Server version 4.0 from our website to start auditing your SQL Server 2017.

After downloading LOGbinder for SQL Server version 4, if you have a current active support and maintenance license, you will have to request a new license key by opening a ticket at the https://support.logbinder.com site. If you do not currently own a license, please contact sales at LOGbinder for a quote.

Exchange Cumulative Update breaks auditing

Wed, 01 Feb 2017 14:15:31 GMT

Earlier today we discovered that the latest Exchange cumulative updates, released in December 2016, may be breaking Exchange auditing. We are currently testing the issue internally along with a few of our customers who have reported the same issue. As of this time, installing the latest cumulative updates may break Exchange auditing, which will in turn break LOGbinder for Exchange. Please visit our Knowledge Base for further details and steps to check if you are affected.

LOGbinder for Exchange 3.3.5 Released

Wed, 13 Jul 2016 18:15:30 GMT

We are happy to announce the release of the latest update to LOGbinder for Exchange. The latest update, Version 3.3.5, introduces some improvements as well as a few bug fixes. We know that some of our customers who utilize the LEEF Syslog output may have had a few issues with the format of the LEEF output. This latest release fixes that issue. We have also created a more robust installer for LOGbinder that automatically configures many of the prerequisites that previously had to be configured manually. Click here to see a list of all of the latest enhancements and bug fixes.

In conjunction with this release, we have also added a new support section at LOGbinder.com that we will be keeping up-to-date with the latest news, bulletins and features of the entire suite of LOGbinder products.

The 24-hour Bug in Microsoft Exchange Mailbox Auditing

Mon, 14 Dec 2015 16:36:48 GMT

"This is the official LOGbinder page for tracking the Exchange 24-hour mailbox audit bug. You can keep up with everything my team knows and is doing by checking this page often." – Randy Franklin Smith

LOGbinder bulletin, December 14, 2015 -- While investigating a support case, LOGbinder discovered a non-obvious yet critical bug in Exchange audit logging that essentially delays your ability to detect non-owner mailbox access for 24 hours. The PowerShell cmdlets New-MailboxAuditLogSearch and Search-MailboxAuditLog produce audit search results that are unpredictable and inconsistent when auditing all mailboxes and the start date is less than 24 hours ago.

We have notified Microsoft about the problem and they have confirmed it as a bug but have told us that they have no timeline for a bug fix. The bug affects Exchange Server 2010, 2013 and 2016.

What is the risk?

The risk to you is that you may never know you have an Exchange Server data breach – despite performing regular audits.

This strikes to the very core of application security audit. Not only is a 24-hour audit delay 24 hours too long, audit integrity is absolutely critical to security intelligence operations.

Details about the Bug

We encourage you to watch an 8-minute clip of our recent Exchange mailbox audit webinar embedded below. In this clip we discuss specifics about the bug and how it could be affecting you.

Here are the highlights about the bug:

  • The bug returns unpredictable results when auditing all mailboxes: you may get no events at all when there are events, you may get only a few events, or you may get all matching events as you should.
  • Unless you are looking for specific events repeatedly – or you audit your audit results – you will never notice the problem.
  • The bug is not documented. We have reported this issue to Microsoft; they have confirmed it is a bug and said they have no solution timeline to share. Microsoft's suggested workaround is to use a date range greater than 24 hours.
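The two practical points above, Microsoft's workaround (keep the search window wider than 24 hours) and "audit your audit results", can be combined into one check. The script below is an added example, not LOGbinder's code and not part of the original bulletin: it wraps the real Exchange Management Shell cmdlet Search-MailboxAuditLog (parameters -Identity, -StartDate, -EndDate, -LogonTypes and -ShowDetails are the cmdlet's own), pushes any requested start date back to more than 24 hours ago, runs the all-mailbox search, and then re-runs a targeted per-mailbox search for a short list of sensitive mailboxes and reports any mailbox whose events are missing from the all-mailbox result. The function names, the 25-hour default, the $SensitiveMailboxes list and the MailboxGuid/ExchangeGuid matching are this example's own assumptions.

```powershell
# Added example (not LOGbinder's code). Assumes an Exchange Management Shell session
# (Exchange 2010/2013/2016) with rights to search mailbox audit logs.

function Get-SafeAuditStartDate {
    param(
        [Parameter(Mandatory)][datetime]$RequestedStart,
        [int]$MinimumAgeHours = 25   # assumption: "greater than 24 hours" per Microsoft's workaround
    )
    # A start date younger than 24 hours triggers the unpredictable all-mailbox results,
    # so push it back and say so, rather than silently returning a partial result.
    $oldestAllowed = (Get-Date).AddHours(-$MinimumAgeHours)
    if ($RequestedStart -gt $oldestAllowed) {
        Write-Warning ("Start date {0} is less than {1} hours old; using {2} instead (24-hour audit bug workaround)." -f $RequestedStart, $MinimumAgeHours, $oldestAllowed)
        return $oldestAllowed
    }
    return $RequestedStart
}

function Test-NonOwnerAuditCoverage {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-1),
        [datetime]$EndDate   = (Get-Date),
        # Constructed list of high-value mailboxes to cross-check (executives, service accounts, ...).
        [string[]]$SensitiveMailboxes = @('ceo@example.com', 'cfo@example.com')
    )
    $safeStart = Get-SafeAuditStartDate -RequestedStart $StartDate

    # 1. The broad search: every mailbox, non-owner (Admin/Delegate) access only.
    $allEvents = @(Search-MailboxAuditLog -StartDate $safeStart -EndDate $EndDate `
                       -LogonTypes Admin,Delegate -ShowDetails)

    # 2. "Audit your audit results": a targeted search per sensitive mailbox is a
    #    second, independent query whose count the broad search must at least match.
    foreach ($mbx in $SensitiveMailboxes) {
        $guid = (Get-Mailbox -Identity $mbx).ExchangeGuid   # assumption: match events by mailbox GUID
        $targeted = @(Search-MailboxAuditLog -Identity $mbx -StartDate $safeStart -EndDate $EndDate `
                          -LogonTypes Admin,Delegate -ShowDetails)
        $fromBroad = @($allEvents | Where-Object { $_.MailboxGuid -eq $guid })

        [pscustomobject]@{
            Mailbox          = $mbx
            TargetedEvents   = $targeted.Count
            BroadEvents      = $fromBroad.Count
            # A shortfall here is exactly the symptom the bulletin describes:
            # the all-mailbox search returned fewer events than actually exist.
            MissingFromBroad = [math]::Max(0, $targeted.Count - $fromBroad.Count)
            WindowStart      = $safeStart
            WindowEnd        = $EndDate
        }
    }
}

# Usage: run the check for the last day; any row with MissingFromBroad > 0 is a
# finding to investigate (and a reason to rely on the targeted search for that mailbox).
Test-NonOwnerAuditCoverage -StartDate (Get-Date).AddDays(-1) |
    Format-Table Mailbox, TargetedEvents, BroadEvents, MissingFromBroad -AutoSize
```

Search-MailboxAuditLog is the synchronous cmdlet (results come back to the session), which is why the targeted searches can be compared immediately; New-MailboxAuditLogSearch, by contrast, delivers its results by email later and is harder to cross-check in a script. Because the start date is clamped, the check never sees events younger than the window, which is the 24-hour detection gap the bulletin is about, not something the script can remove.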

LOGbinder’s View on this Issue

The bug has a huge business, compliance and security impact. It is simply unacceptable to be unable to detect or respond to information theft for 24 hours. Security audits need to be available in seconds, not minutes! A delay brings compliance issues and prevents organizations from handling Edward Snowden-like information grabs before the culprit is out of reach.

We believe that you need to get audit results off the system (or application) where they are generated as fast as possible, without causing harm to the application or system while using least privilege.

What LOGbinder is Doing

Our development team is solving the problem. To ensure audit integrity we have released an update to our Exchange audit solution that all customers should download and begin using immediately. LOGbinder for Exchange 3.1 allows customers to choose whether they wish to perform audits in less than 24 hours, but defaults to the delay that we know will provide all the audit results requested. Click here to download: https://www.logbinder.com/Form/LBEXDownload

But LOGbinder for Exchange 3.1 is only the first phase of the ultimate solution. We are working with Microsoft and the Exchange Server community to raise awareness of the issue to get it to the top priority within Microsoft.

Exchange Server’s audit function is quite good. Leaving the bug aside, few applications make such an effort to audit events. Microsoft deserves a lot of credit (more than they usually get) for embedding both an admin and mailbox audit function in the application.

But if and until Microsoft does fix this bug we realize you need to protect your organization and fulfill compliance requirements.

Coming soon: Targeted, Synchronous Mailbox Audit Log Collection

Our new edition of LOGbinder for Exchange due Q1 2016 will continue to maintain audit log integrity using least-privilege and minimal impact, and deliver the admin audit as well as mailbox audit logs with a new robust and stable technology to provide audit logs for high-priority mailboxes in near real-time!

As in our current version, you can specify groups or OUs of executives or other sensitive mailboxes, and LOGbinder will use synchronous mailbox audit log searches on those groups and/or OUs. (To understand why "synchronous" is so significant, watch the full edition of our webinar Detect and monitor threats to your executive mailboxes with Exchange mailbox auditing.) Non-targeted mailbox audit logs, which should also be monitored for non-owner access, will be returned within 24 hours (if and when Microsoft fixes the bug).

The benefit is that your targeted mailboxes will get to your SIEM in minutes if not seconds! Click here to get the beta of the newest edition of LOGbinder for Exchange when it becomes available.

What You Can Do

Stay up-to-date and get the latest innovations from LOGbinder.

If you are already a LOGbinder for Exchange customer, the first thing you should do is download the latest version. This will ensure you get all the audits you should be getting into the SIEM, even if they are delayed 24 hours. Some organizations have reported that they have no issues with the 24-hour delay.

Register for a beta of the coming new edition of LOGbinder for Exchange that will deliver targeted mailbox audit using synchronous search and real-time log delivery.

Open a support case with Microsoft to let them know this bug is a problem for you and send us the case ID. LOGbinder is taking a proactive approach with Microsoft and the Exchange Server community to help solve this problem and your participation will be of great value to the process.

Join the discussion at http://forum.ultimatewindowssecurity.com/Forum1608-1.aspx.

Bookmark this page and check it often to see what news and updates there have been. We will keep you up-to-date with everything we know and are doing by adding news items to the top of the page (content will be in reverse date-order top-to-bottom).
