LOGbinder Blog

Updates, Tips and News

Randy releases two new "How-To" Videos

Wed, 21 Jun 2017 13:55:45 GMT
Randy Franklin Smith, guru at UltimateWindowsSecurity.com, just released two new "How-To" videos on monitoring two important areas with Windows Event Collection.

Video 1 - In this 4-minute video, Randy shows you step by step how to use Supercharger to create a WEC subscription that pulls PowerShell security events from all of your endpoints to a central collector.

Video 2 - In this 8-minute video, Randy shows you how to monitor security event ID 4688 (process creation) from all of your endpoints. This would normally produce a plethora of data, but using Supercharger's Common System Process noise filter you will see how you can leave 60% of the noise at the source.

You can watch the videos at the links above or by visiting the Supercharger resources page.

Supercharger Free Edition is Now Available

Wed, 14 Jun 2017 08:58:44 GMT

It’s been an exciting 3 months or so since we released Supercharger for Windows Event Collection, and we have even more exciting news to share: we just released a new and free edition of Supercharger for Windows Event Collection, which you can download from logbinder.com.

There are no time-outs and no limits on the number of computers you can manage with Supercharger Free.

We wanted to include more than enough functionality so that anyone who uses WEC would want to install Supercharger Free right away.  For non-WEC users, Free Edition helps you get off the ground with step-by-step guidance. 

With Supercharger Free you can stop remoting into each collector and messing around with Event Viewer just to see the status of your subscriptions.  You can see all your collectors, subscriptions and source computers on a single pane of glass – even from your phone.  And you can create/edit/delete subscriptions as necessary.

We also wanted to help you get more from WEC’s ability to filter out noise events at the source by leveraging my research on the Windows Security Log. 

Supercharger Free Edition:

  • Provides a single pane of glass view of your entire Windows Event Collection (WEC) environment across all collectors and domains
  • Virtually eliminates the need to remote into collectors and wrestle with Event Viewer.  You can manage subscriptions right from the dashboard
  • Includes a growing list of my personally-built Security Log noise filters that help you get the events you need while leaving the noise behind

The manager only takes a few minutes to install and can even co-exist on a moderately loaded collector.  Then it’s just seconds to install the agent on your other collectors.  You can uninstall Supercharger without affecting your WEC environment.

We hope Supercharger Free is something that saves you time and helps you accomplish more with WEC.

This is just the beginning.  We’ve got more exciting and free stuff coming.  But you’ll need at least Supercharger Free to make use of what’s next, so install it today if you can.

How to Monitor Active Directory Changes for Free: Using Splunk Free, Supercharger Free and the New Splunk App for LOGbinder

Fri, 02 Jun 2017 13:35:28 GMT
No matter how big or small you are, whether you have budget or not – you need to be monitoring changes in Active Directory.  There are awesome Active Directory audit solutions out there.  And ideally you are using one of them.  But if for whatever reason you can’t, you still have AD and it still needs to be monitored.  This solution helps you do just that.  

Yesterday, during Randy Franklin Smith’s webinar "How to Monitor Active Directory Changes for Free: Using Splunk Free, Supercharger Free and My New Splunk App", we released a version of our Splunk App for LOGbinder.  Not only is this application free, but with the help of our just-announced free edition of Supercharger for Windows Event Collection, we demonstrate the power of WEC’s XPath filtering to deliver just the relevant events to Splunk Free and stay within the 500 MB daily limit of Splunk Light’s free license.  It’s a trifecta of free tools that produces this:

Among other abilities, our new Splunk App puts our deep knowledge of the Windows Security Log to work by analyzing events to provide an easy-to-use but powerful dashboard of changes in Active Directory.  You can see what’s been changing in AD sliced up:

  • by object type (users, groups, GPOs, etc.)
  • by domain
  • by time
  • by administrator

Too often we see dashboards that showcase the biggest and highest-frequency actors and subjects, but let’s be real: most of the time what you are looking for is the needle, not the haystack.  So we show the smallest, least-frequent actors and objects too.

Just because it’s free doesn’t mean it’s low value.  We put some real work into this.  We always learn something new about our own little AD lab environment when we bring this app up.  To make this app work we had to improve how Splunk parses Windows Security events.  The problem with tooling built by non-specialists is that it suffices for filling in a bullet point like “native parsing of Windows Security Logs” but doesn’t hold up when you get serious about analysis.  Case in point: Splunk treats these two very different fields in the event below as one:

As you can see, rsmith created the new user cmartin.  But check out what Splunk does with that event:

Whoa! So there’s no difference between the actor and the target of a critical event like a new account being created?  One Splunker tells me they have dealt with this issue by ordinal position, but we are worried that actor and target could switch positions.  Anyway, it’s ugly.  Here’s what the same event looks like once you install our Splunk App:

That’s what we’re talking about! Executives may say that’s just the weeds, but we know that with security the devil is in the details.

Now, you knowledgeable Splunkers out there are probably wondering whether we get these fields by defining them at index time.  The answer is “no”.  Randy provided the Windows Security Log brains, but we had a real Splunker build the app, and you’ll be happy to know that Imre defined these new fields as search-time fields.  So this works on old events already indexed and, more importantly, doesn’t impact indexing.  We tried to do this right.
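To make the actor/target point concrete, here is an added PowerShell example; it is not the LOGbinder Splunk App and not its field extractions. The event is a constructed 4720 ("A user account was created") record using the rsmith/cmartin values from the post, with an assumed computer name and SIDs. It shows why ordinal position is fragile: the rendered message carries the label "Account Name:" twice, under "Subject:" and under "New Account:", while the event's EventData XML names the two fields SubjectUserName and TargetUserName. A parser keyed on the section header, or on the XML names, cannot confuse the two.

```powershell
# Added example (not the LOGbinder Splunk App). Both the XML and the message text
# below are constructed samples of a 4720 event with the post's rsmith -> cmartin values.

$eventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2017-06-01T14:02:11.000Z" />
    <Computer>dc01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">cmartin</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
    <Data Name="SubjectUserName">rsmith</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7f2</Data>
  </EventData>
</Event>
'@

# The same event as Event Viewer renders it: "Account Name:" appears twice.
$message = @'
A user account was created.

Subject:
    Security ID:    CORP\rsmith
    Account Name:   rsmith
    Account Domain: CORP
    Logon ID:       0x3E7F2

New Account:
    Security ID:    CORP\cmartin
    Account Name:   cmartin
    Account Domain: CORP
'@

# Structured route: read each EventData element by its Name attribute.
# Works unchanged on live records via (Get-WinEvent ...).ToXml().
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $fields = [ordered]@{
        EventID  = [int]$doc.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
        Computer = $doc.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
    }
    foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$fields
}

# Text route: qualify every "key: value" line with the section header above it,
# so "Account Name" under Subject and under New Account become distinct fields.
function ConvertFrom-RenderedMessage {
    param([Parameter(Mandatory)][string]$Message)
    $fields  = [ordered]@{}
    $section = 'Message'
    foreach ($raw in ($Message -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^(?<name>[^:]+):$') {               # "Subject:" / "New Account:"
            $section = $Matches.name -replace '\s', '_'
            continue
        }
        if ($line -match '^(?<key>[^:]+):\s*(?<value>.*)$') {  # "Account Name:   rsmith"
            $key = $Matches.key.Trim() -replace '\s', '_'
            $fields["${section}.${key}"] = $Matches.value.Trim()
        }
    }
    [pscustomobject]$fields
}

$structured = ConvertFrom-SecurityEventXml -Xml $eventXml
$fromText   = ConvertFrom-RenderedMessage  -Message $message

"XML : actor=$($structured.SubjectUserName)  target=$($structured.TargetUserName)"
"Text: actor=$($fromText.'Subject.Account_Name')  target=$($fromText.'New_Account.Account_Name')"
```

On a collector, `Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[EventID=4720]]" | ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() }` applies the structured route to live records; the EventData names survive forwarding because WEC keeps the original event XML alongside the rendered text. In Splunk terms, the text route is the same idea as a search-time extraction anchored on the section header rather than on field order, which is what protects the actor/target distinction if the two blocks ever change places.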

Plus, we made sure this app works whether you consume events directly from the Security log of each computer or via Windows Event Collection (which is what we recommend, with the help of Supercharger).

To learn more about the overall solution, please watch the webinar, which is available on demand at https://www.ultimatewindowssecurity.com/webinars/watch.aspx?ID=1439

For those of you new to Splunk, we’ll quickly show you how to install Splunk Free and our Splunk App.  Then we’ll show you how, in 5 minutes or so, our free edition of Supercharger for Windows Event Collection can have your domain controllers efficiently forwarding just the relatively small trickle of relevant change events to Splunk.  Then we’ll start rendering some beautiful dashboards and drilling down into those events.  We will briefly show you how this same Splunk app can also analyze SharePoint, SQL Server and Exchange security activity produced by our LOGbinder product, mix all of that activity with AD changes and plot it on a single pane of glass.

Or check out the solution page at https://www.logbinder.com/Solutions/ActiveDirectory where there are links to the step-by-step directions.

And if you are already proficient with Splunk and collecting domain controller logs, you can get the Splunk app at https://www.logbinder.com/Resources/ under SIEM Integration.

For technical support, please use the appropriate forum at forum.logbinder.com.

Supercharger for Windows Event Collection Now Available – Save 50% on Enterprise Edition

Mon, 27 Feb 2017 15:34:10 GMT

No matter what SIEM you use, this is big news, because collecting logs from hundreds or thousands of Windows endpoints is a constant pain point. But it doesn’t have to be if you use the technology already built into Windows to eliminate agents AND polling.

We are thrilled to announce the availability of Supercharger – a brand-new and one-of-a-kind solution for quickly implementing and managing the native Windows Event Collection already built into your servers and workstations.

Already using WEC? Supercharger will instantly give you time back and help you improve security and operational efficiency.

New to WEC? Supercharger will accelerate your implementation and help make it a roaring success.

Supercharger for Windows Event Collection manages all your collectors from a single pane of glass providing instant visibility into the health of your environment from the domain level down to each individual forwarder.


  • Every collector, subscription and forwarder computer in your environment on a single pane of glass
  • Alerts when any subscription's healthy forwarder percentage falls below your threshold, by email or by informing your systems management solution
  • Load balance hundreds of thousands of forwarder computers across multiple collectors
  • Deep analysis of forwarder computers correlating Active Directory computer and group information with WEC source data
    • Deterministic - Enumerate each AD group assigned to a subscription and compare against the source computers reported by WEC, taking into account each computer's status in AD
    • Empirical - Compare current active forwarders to past activity
    • Arbitrary - Strict tracking for smaller, high-value forwarder sets
  • Purge old WEC sources from collectors
  • Build safe Security Log filters that leave the noise at the source
  • Leverage expert knowledge on the Security Log from Randy Franklin Smith's UltimateWindowsSecurity.com
  • Enforce consistent WEC configuration policies across collectors and subscriptions
  • Track collector and event logging performance for tuning and capacity planning

Save 50% on Enterprise Edition

Install a trial of Supercharger in the next week and get the promo code for Enterprise Edition at Standard pricing! https://www.logbinder.com/Form/SCDownload

Instant pricing is available here: https://www.logbinder.com/Products/Supercharger/Pricing

Let us know how you like Supercharger and what you’d like to see us add. We’ve got some very cool enhancements in store, but we also want to hear from you. Install Supercharger today; it only takes a few minutes to get complete visibility over your entire WEC environment.

A new tool for unleashing the power of native Windows Event Collection arrives February 23

Thu, 02 Feb 2017 11:40:23 GMT

With today's endpoint-focused attack methods, it's never been more important to get security logs from every single computer on your network.

Windows Event Collection is baked into the OS itself and it's just waiting to be used. (Already a big believer in WEC? Read on, we've got a very big announcement for you.)

Very, very few organizations currently monitor the Windows Security Log on every server, desktop and laptop on the network and it's easy to understand why when you consider these facts:

  • Security logs are huge. Multiply huge by the number of endpoints and you get “extremely huge”
  • Many SIEM (e.g. ArcSight) and log management solutions (e.g. Splunk) charge based on volume of logs consumed
  • Remote log collection is prohibitively inefficient and, ironically, opens up security issues
  • Agents = Resistance. Admins don't want agents on their systems. Agents use resources. Agents have to be monitored and cared for. Agents have to be updated.

Windows Event Collection to the rescue

WEC provides the power of an agent with zero footprint and completely hands-off control. Leveraging Active Directory, we can have any number of endpoints forward their most important security events to the Windows event collector of our choice – or, in very large organizations, distribute that load across multiple collectors as necessary.

At that point, whether you use agents to push events or WMI/RPC to pull events, the burden of getting these events into your SIEM or log management solution now drops from thousands of systems down to a handful.

WEC also gives you options to deal with the size issue of event logs. Even with WEC's ability to bring event logs to your SIEM's doorstep, maybe you can't afford to upgrade the hardware and licenses necessary to handle that influx of log data. Or maybe your SIEM's scalability tops out at a certain point. One of these is the situation for most enterprises.

Then it's time to acknowledge that the majority of security log data is noise and leave that noise behind. With the power of advanced XPath queries you can filter out the noise at the source and forward only the much smaller number of important events. That requires specialized knowledge of XPath and the Windows security log, but read on.
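Here is what source-side XPath filtering of the kind described above looks like in practice, covering both this passage and the 4688 "Common System Process" noise filter from the video post further up the page. It is an added PowerShell example, not Supercharger's filter or any code from this page: the subscription id, description and the list of suppressed process paths are assumptions. Event 4688 is process creation in the Security log; 4103 and 4104 are PowerShell module logging and script block logging in Microsoft-Windows-PowerShell/Operational.

```powershell
# Added example, not Supercharger code. Assumes it runs on a collector where
# 'wecutil qc' has already been executed, and that the forwarders audit process
# creation (4688) and have PowerShell script block logging (4104) enabled.

# Assumed noise list. Suppress by full image path only, never by bare file name,
# so a binary with a familiar name in another directory is still forwarded.
$noiseProcesses = @(
    'C:\Windows\System32\conhost.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\wbem\WmiPrvSE.exe',
    'C:\Windows\System32\SearchFilterHost.exe'
)

# One "or"-joined predicate over the NewProcessName field of the 4688 EventData.
$suppress = ($noiseProcesses | ForEach-Object { "Data[@Name='NewProcessName']='$_'" }) -join ' or '

# Select = what to forward; Suppress = what the forwarder drops before sending.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688)]]</Select>
    <Suppress Path="Security">*[EventData[$suppress]]</Suppress>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-PowerShell/Operational">
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4103 or EventID=4104)]]</Select>
  </Query>
</QueryList>
"@

# Check the query locally before deploying it: Get-WinEvent accepts the same QueryList,
# Suppress element included, so a malformed XPath fails here instead of on every
# forwarder. A "No events were found" error simply means nothing matched yet.
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 5 | Select-Object TimeCreated, Id, ProviderName

# Source-initiated subscription: forwarders find the collector through Group Policy,
# and the SDDL below admits any computer in Domain Computers as a source.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecutil">
  <SubscriptionId>ProcessAndPowerShell</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>4688 without common system processes, plus PowerShell 4103/4104</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
$query
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

$path = Join-Path $env:TEMP 'ProcessAndPowerShell.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil cs $path                    # create the subscription on this collector
wecutil gs ProcessAndPowerShell     # read back what the collector stored
```

The event log's XPath subset is deliberately small: comparison operators, `and`/`or`, `position()`, `Band()` and `timediff()`, with no `contains()` or wildcards, and a query is limited to 32 expressions. Keep a Suppress list short and exact, and split a long one across subscriptions rather than approximating it. Because a Suppress is evaluated on the forwarder, every path in it is a decision that the event will never reach the collector, which is why the list should be reviewed the way an allow-list is and why suppressing by full path rather than file name matters.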

In this deeply technical, real training for free ™ webinar at UltimateWindowsSecurity.com, Randy Franklin Smith will implement Windows Event Collection live and demonstrate how to:

  1. Target endpoints at your Windows Event Collectors
  2. Set up a Windows Event collector
  3. Create a subscription on the collector
    1. Scoped to a certain group of computers as forwarders
    2. Includes advanced filtering of noise events
  4. Monitor the subscription as source computers begin to forward events
  5. Troubleshoot problem forwarders
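One way to carry out the collector-side part of steps 2, 4 and 5, together with the "healthy forwarder percentage" alert from the Supercharger feature list above, as an added PowerShell example that is not Supercharger's code or any code from the page. The collector name, subscription name and threshold are assumptions, and the status text it parses is a constructed sample in the shape of `wecutil gr` output rather than a capture from a real collector.

```powershell
# Added example, not Supercharger code. Collector name, subscription name,
# threshold and the status text below are assumptions / constructed samples.

# --- Step 2: one-time collector setup (run as administrator on the collector) ---
function Initialize-WecCollector {
    wecutil qc /q            # enable and start the Windows Event Collector service
    winrm quickconfig -q     # WinRM listener the forwarders connect to
    # Step 1 happens on the forwarders via Group Policy, not here. The policy sets
    #   HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
    #   value "1" = Server=http://collector01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60
    # (assumed collector name) and the forwarding service needs read access to the
    # Security log, e.g. NETWORK SERVICE in the local "Event Log Readers" group.
}

# --- Step 4: parse 'wecutil gr <subscription>' into one object per source computer ---
function ConvertFrom-WecutilStatus {
    param([Parameter(Mandatory)][string]$Text)
    $sources   = [System.Collections.Generic.List[object]]::new()
    $current   = $null
    $inSources = $false
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -eq 'EventSources:') { $inSources = $true; continue }
        if (-not $inSources) { continue }                     # subscription-level lines
        if ($line -match '^(?<key>[A-Za-z]+):\s*(?<value>.*)$') {
            if ($current) { $current[$Matches.key] = $Matches.value.Trim() }
        } else {                                              # a bare host name starts a source
            $current = [ordered]@{ Source = $line; RunTimeStatus = ''; LastError = ''; ErrorMessage = '' }
            $sources.Add($current)
        }
    }
    foreach ($s in $sources) { [pscustomobject]$s }
}

# --- Step 5: health percentage against a threshold, plus the sources to troubleshoot ---
function Get-SubscriptionHealth {
    param([Parameter(Mandatory)][object[]]$Sources, [int]$ThresholdPercent = 90)
    $active = @($Sources | Where-Object { $_.RunTimeStatus -eq 'Active' }).Count
    $pct    = if ($Sources.Count) { [math]::Round(100 * $active / $Sources.Count, 1) } else { 0 }
    [pscustomobject]@{
        Total          = $Sources.Count
        Active         = $active
        HealthyPercent = $pct
        Alert          = $pct -lt $ThresholdPercent
        Problems       = @($Sources | Where-Object { $_.LastError -ne '0' } |
                           ForEach-Object { "$($_.Source): error $($_.LastError) $($_.ErrorMessage)" })
    }
}

# Constructed sample in the shape of 'wecutil gr' output.
# Live use: $status = wecutil gr Security-4688 | Out-String
$sampleStatus = @'
Subscription: Security-4688
        RunTimeStatus: Active
        LastError: 0
        EventSources:
                ws01.corp.example
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2017-06-14T08:55:02.000
                ws02.corp.example
                        RunTimeStatus: Inactive
                        LastError: 5
                        ErrorMessage: Access is denied.
                        ErrorTime: 2017-06-14T08:40:10.000
                ws03.corp.example
                        RunTimeStatus: Active
                        LastError: 0
                        LastHeartbeatTime: 2017-06-14T08:54:30.000
'@

$health = Get-SubscriptionHealth -Sources (ConvertFrom-WecutilStatus -Text $sampleStatus) -ThresholdPercent 90
$health | Format-List
```

With the sample above, two of three sources are active, so HealthyPercent is 66.7 and Alert is true, and Problems names ws02 with error 5 (access denied), which on a forwarder usually means the Security log read permission from step 1 is missing. After fixing a source, `wecutil rs Security-4688` asks the collector to retry it. Scheduling the two functions and emailing the result when Alert is true is the manual equivalent of the threshold alert in the feature list.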

As great as WEC is, it's still just a foundation technology that lacks enterprise management, monitoring and reporting, or scalability features like load balancing. It's time to change that. After this detailed tour of Windows Event Collection, we will introduce a new and unique solution for managing this foundation technology in Windows. The product is Supercharger for Windows Event Collection. Supercharger automates every aspect of Windows Event Collection, from:

  • configuring collectors
  • the creation of subscriptions
  • advanced filtering that safely ignores the noise without also suppressing important events

To advanced enterprise features like

  • load balancing large environments across multiple collectors
  • 24/7 health analysis and monitoring of every event source computer
  • performance monitoring and capacity planning – all from one pane of glass

We will demonstrate Supercharger and make it available for immediate trial download.

We are very excited about the release of Supercharger, and we can't wait to help you improve security and increase endpoint vigilance while lowering costs. Please join us; registration is at UltimateWindowsSecurity.com.
