LOGbinder Blog

Updates, Tips and News   RSS Feed  

Supercharger 22.8.2 Adds Cross Domain Forwarding

Fri, 26 Aug 2022 19:00:48 GMT
One of the things we value the most at LOGbinder is customer feedback.  We are fortunate to have some very large customers that are willing to work very closely with us.  In our many conversations with our customers there has been a much requested feature; cross domain forwarding.  We are happy to announce today that as of version 22.8.2, Supercharger now includes cross domain forwarding. Let's answer a few questions:

What is it?  How does it work in Supercharger? What to expect when you upgrade a current installation?

What is cross domain forwarding?

When we talk about cross domain forwarding we are referring to using a WEC subscription to collect events from endpoints that reside in multiple domains.  

How does it work in Supercharger?

In Supercharger, after clicking on a domain, you will now see a tab named "Trust".  This tab lists the trust relationships that are discovered in Active Directory.  To enable cross domain forwarding between domains click on the "Enable" button next to the trust you want to work with.  There may be multiple domains listed but you only need to enable trusts for the domains you want to forward events between.

By enabling a trust you are ensuring that Supercharger properly synchronizes computers in the trusted domain so that forwarder analysis and load balancing can find forwarders in the trusted domain.  This allows the health features of Supercharger to work properly across domains.

Once enabled you will be able to select these domains when creating cohort elements on Load Balancers.  As you can see in the screenshot below we can create cohorts from both domains we have trusts enabled in. 

Just to be clear, cross domain forwarding means we can have endpoints from multiple domains.  It does not mean that we can have forwarders from domains sending events to WEC collectors from various domains.  The collectors on the Load Balancer will be from one domain.

What to expect when you upgrade a current installation?

You can download the latest version from here. Run the installer on your current Supercharger Manager.  All existing Supercharger collectors will upgrade themselves automatically.  If you have any existing trusts in any domains that exist in Supercharger these will be listed on the "Trusts" tab.

Latest version of Supercharger brings 50+ updates

Thu, 15 Apr 2021 10:54:34 GMT

Towards the end of 2020 and in to 2021 something big has been happening with Windows Security.  Over the past few months, the interest in Windows Event Collection (WEC) has exploded exponentially.  Our sales team has reported that the number of inquires, quotes and sales has gone through the roof.  The feedback we have been receiving about Supercharger for WEC is proof that so many organizations out there are focusing on getting event logs from all endpoints (servers/workstations) into the SIEM.  Over the years we have taken pride in our Supercharger software but today we have reason to really stand tall and puff out our chest.

Our latest version of Supercharger, 21.3.16, is being released.  It contains over 50 different enhancements and bug fixes.  Here are just a few:

  • Supercharged performance enhancements - some customers have previously expressed concerns about the load times in Supercharger, especially those with 100,000's of endpoints and 100's of subscriptions.  The improvements in our latest version speed up operations in Supercharger from smaller 1,000+ machine environments to enterprise size implementations.  From modifying the way Supercharger retrieves data from its database to tweaking things as small as license keys being applied you will see drastic improvements in load times across the board.
  • Improvements to multi domain implementations
  • Improvements to the look and feel of Superchargers application logging
  • Our Security Log Wizard is back by popular demand
  • Event log performance monitoring

Rather than bore you with a long list of everything we've done we invite you to download (or upgrade if you are an existing user) the latest version and test it out.  If you're new to Supercharger, here are some answers to a few common questions:

  • What special permissions are needed to run Supercharger?  None.  As a security focused company, we take pride in creating least privilege security applications.
  • How do I setup a POC or test Supercharger?  Download and install it fully functional for 30 days.  After installation follow the step-by-step Getting Started Guide in Superchargers dashboard to setup WEC properly.  As always, if you need more than 30 days just let our sales team know.
  • How much does Supercharger cost?  As quantities increase, price per forwarder decreases.  To get exact pricing just input your total amount of forwarders on our quote page.
  • What if I need help?  For presales tech support you can reach out to our highly technical sales team.  If you have an existing support contract you can open a support request in our Support Portal.

Download Supercharger today and see just how easy a huge implementation of WEC can be.  Just imagine having all of your Windows endpoints send event logs to a collector in under 15 minutes.  With Supercharger we've made the impossible possible. 

Over the past few months, we've been listening to you.  Most of the enhancements and bug fixes in our latest releases are because of you.  The feedback and suggestions on our forum and support portal have helped us continue to improve our products.  So thank you very much!

If you are already a licensed user of our products and have a current support contract, then upgrading is easy.  Just find the product you need to upgrade on our download page.  Download the installer you need and just install on top of your current installation.  You will most likely need to request an updated product key at support.logbinder.com.  If you are upgrading Supercharger you just need to upgrade the manager.  All the collectors will upgrade themselves.

Thanks again for your support and I look forward to your feedback.

All LOGbinder products updated

Tue, 10 Dec 2019 17:18:50 GMT

Almost 12 years ago, my first LOGbinder product (LOGbinder for SharePoint) was created.  Since then we've developed software to help you audit SQL Server and Exchange admin and mailbox audit logs.  With the advent of our latest product, Supercharger for Windows Event Collection, we are now one of the biggest resources for the deployment, implementation and troubleshooting of Windows Event Collection (WEC).  Recently we released updates to all four of our products.  What's new?  At the bottom of this email are just a few of many new features and enhancements to our product line.  

I realize that a bulleted list of "features" may not seem that impressive, so I invite you to download any or all of our products and test them for yourself to see how they can help you audit the security actions in your environment.  For example, do you want to set a custom audit policy for every single one of your SharePoint sites including new sites that get create and then also get alerted if a malicious actor changes that audit policy?  Then try LOGbinder for SharePoint.  Do you want to audit SQL Server audits without touching the SQL Server or DB's once the audit is created?  Your SQL admins would love for you to try out LOGbinder for SQL Server.  Do you want to collect any log in event viewer from every workstation and server in your domain?  If your SIEM's cost is based on EPS or data storage, then Supercharger may pay for itself by allowing you to leave the noise at the source.

You can click the product to see all the latest changes:

  • Supercharger for WEC 19.10
    • Reports added
      • Comprehensive forwarder analysis - see every possible detail about every forwarder in your domain.  Excellent resource for troubleshooting problem forwarders
      • Collector performance history - see trends and patterns about collectors EPS and CPU.  Helpful for monitoring collector performance and resource planning
    • Maintenance button added to subscriptions of load balanced distributed subscriptions so you can maintain them on demand
    • Enhanced custom event log creation
  • LOGbinder for SharePoint 7.0.1
    • Filter events based on site
    • Error handling improved to make the service more resilient
    • Performance enhancements to speed up processing
    • Noise filtering 
    • Support for the latest versions of SharePoint
  • LOGbinder for SQL Server 5.0.1
    • Enhanced error handling
  • LOGbinder for Exchange 4.0.1
    • Redesign of mailbox audit configuration wizard
    • Coded workarounds for the "Too many audit requests" Exchange issue
    • Performance enhancements to speed up processing
    • "Apply Now" option for instantly applying the audit wizard configuration​

If you're already familiar with WEC or just learning, you'll want to view Randy Franklin Smith's recent webinar on WECBuilding a Resilient Logging Pipeline: Windows Event Collection Tips and Tricks for When You Are Serious About Log Collection.

Get instant pricing for Supercharger and our LOGbinder for SharePoint/SQL/Exchange products here:  Instant Quotes  

Over the past few months we've been listening to you.  Most of the enhancements and bug fixes in our latest releases are because of you.  The feedback and suggestions on our forum and support portal have helped us continue to improve our products.

If you are already a licensed user of our products and have a current support contract, then upgrading is easy.  Just find the product you need to upgrade on our download page.  Download the installer you need and just install on top of your current installation.  You will most likely need to request an updated product key at support.logbinder.com.  If you are upgrading Supercharger you just need to upgrade the manager.  All the collectors will upgrade themselves.

Thanks again for your support and I look forward to your feedback.

Randy Franklin Smith

Support for Exchange 2016 Auditing; New Features in LOGbinder for SQL Server

Wed, 15 Aug 2018 11:38:50 GMT

Exchange 2016 support

We are happy to announce support for Exchange 2016. Now you may be thinking 2016; wasn't that years ago?  It's true, Exchange 2016 was released in 2015 but because of a bug that seemed to have been introduced with the 2016 version, LOGbinder was not able to support it.  At the time we discovered it almost two years ago, we worked with Microsoft to confirm this behavior. This is what Microsoft said at that time:

  • The issue is caused due to limit of 100 search folders in particular mailbox. Before any new search can start, the old search folder has to age out and needs to be cleared. If this does not happen then it would fail.
  • We cannot modify these search folder limits, as it is by design.
  • We also found that it would take approx. 12hrs to reset the search folders count. So that we can run new query.

The above limitations posed such restrictions on the auditing capabilities of Exchange, that LOGbinder was not able to support Exchange 2016 at that time.

Our latest tests reveal that this has since been resolved and the above limitations have been removed in the latest cumulative updates. We have confirmed this to be true starting with CU6.

Therefore, LOGbinder now fully supports Exchange 2016 CU6+.

You can download LOGbinder for Exchange from our website and start auditing your Exchange environment.

SQL Server 2017

Microsoft released SQL Server 2017 and along with it they introduced new audit events. We have included these events in the latest LOGbinder for SQL Server version, adding events 24338-24348 and 24350-24375. These events are related to permissions on database scoped credentials and external libraries, and creating and dropping external libraries and database scoped resource governors, among some other events.

Additional new features in version 4:

  • Adding inputs in bulk from a CSV file. 
    • This is useful for users who have dozens or more inputs.  These inputs can now be added all at once instead of one by one.
  • As a counterpart to adding inputs in bulk, selecting and deleting multiple inputs is now also enabled.
  • Improve resilience by not stopping the service if one of the inputs is temporarily unavailable
    • This means that if there are many inputs monitored by LOGbinder for SQL Server and one or more of them is temporarily down or inaccessible, auditing will continue uninterrupted for the rest of the inputs.  For the unavailable inputs a warning will be generated and sent to the output.

Please download LOGbinder for SQL Server version 4.0 from our website to start auditing your SQL Server 2017.

After downloading LOGbinder for SQL Server version 4, if you have a current active support and maintenance license, you will have to request a new license key by opening a ticket at the https://support.logbinder.com site. If you do not currently own a license, please contact sales at LOGbinder for a quote.

How to Monitor Active Directory Changes for Free: Using Splunk Free, Supercharger Free and the New Splunk App for LOGbinder

Fri, 02 Jun 2017 13:35:28 GMT
No matter how big or small you are, whether you have budget or not – you need to be monitoring changes in Active Directory.  There are awesome Active Directory audit solutions out there.  And ideally you are using one of them.  But if for whatever reason you can’t, you still have AD and it still needs to be monitored.  This solution helps you do just that.  

Yesterday during Randy Franklin Smith’s webinar: How to Monitor Active Directory Changes for Free: Using Splunk Free, Supercharger Free and My New Splunk App we released a version of our Splunk App for LOGbinder.  Not only is this application free, but with the help of our just announced free edition of Supercharger for Windows Event Collection, we demonstrate the power of WEC’s Xpath filtering to deliver just the relevant events to Splunk Free and stay within the 500MB daily limit of Splunk Light’s free limitations.  It’s a trifecta free tools that produces this:

Among other abilities, our new Splunk App puts our deep knowledge of the Windows Security Log to work by analyzing events to provide an easy to use but powerful dashboard of changes in Active Directory.  You can see what’s been changing in AD sliced up

by object type (users, groups, GPOs, etc)
by domain
by time
by administrator

Too many times we see dashboards that showcase the biggest and highest frequency actors and subjects but get real – most of the time what you are looking for is the needle – not the haystack.  So we show the smallest, least frequent actors and objects too.  

Just because it’s free doesn’t mean it’s low value.  We put some real work into this.  We always learn something new about or own little AD lab environment when we bring this app up.  To make this app work we had to make some improvements to how Splunk parses Windows Security Events.  The problem with stuff built by non-specialists is that it suffices for filling in a bullet point like “native parsing of Windows Security Logs” but doesn’t come through when you get serious about analysis.  Case-in-point: Splunk treats these 2 very different fields in the below event as one:

As you can see rsmith created the new user cmartin.  But checkout what Splunk does with that event:

Whoah! So there’s no different between the actor and the target of a critical event like a new account being created?  One Splunker tells me they have dealt with this issue by ordinal position but we are frightened that actor and target could switch positions.  Anyway, it’s ugly.  Here’s what the same vent looks like once you install our Splunk App:

That’s what we’re talking about! Hey, executives may say that’s just the weeds but we know that with security the devil is in the details.  

Now, you knowledgeable Splunkers out there are probably wondering if we get these events by defining them at index time.  And the answer is “no”.  Randy provided the Windows Security Log brains but we got a real Splunker to build the app and you’ll be happy to know that Imre defined these new fields as search time fields.  So this works on old events already indexed and more importantly doesn’t impact indexing.  We tried to do this right.

Plus, we made sure this app works whether you consume events directly from the Security log each computer or via Windows Event Collection (which is what we recommend with the help of Supercharger). 
To learn more about the over all solution please watch the webinar which is available on demand at https://www.ultimatewindowssecurity.com/webinars/watch.aspx?ID=1439

For those of you new to Splunk, we’ll quickly show you how to install Splunk Free and our Splunk App.  Then we’ll show you how in 5 minutes or our free edition of Supercharger for Windows Event Collection can have your domain controllers efficiently forwarding just the relative trickle of relevant change events to Splunk.  Then we’ll start rendering some beautiful dashboards and drilling down into those events.  We will briefly show you how this same Splunk app can also analyze SharePoint, SQL Server and Exchange security activity produced by our LOGbinder product and mix all of that activity with AD changes and plot it on a single pane of glass.

Or checkout the solution page at https://www.logbinder.com/Solutions/ActiveDirectory where there are links to the step-by-step directions.

And if you are already proficient with Splunk and collecting domain controller logs you can get the Splunk app at https://www.logbinder.com/Resources/ and look under SIEM Integration.  

For technical support please use the appropriate forum at forum.logbinder.com 

previous | next

powered by Bloget™