On 10 February 2016 Microsoft posted a notice to remind customers that Exchange is not compatible with the .NET Framework 4.6.1 that was recommended as an update on 9 Feb 2016. In fact, there are known issues if the new version is installed.

The Exchange Team blog post told Exchange customers to delay upgrading to .NET Framework 4.6.1, and updated their post 12 Feb 2016 to provide the steps to roll back to .NET Framework 4.5.2 if the update took place. You can read the post here: http://blogs.technet.com/b/exchange/archive/2016/02/10/on-net-framework-4-6-1-and-exchange-compatibility.aspx.

LOGbinder is targeted to .NET Framework 3.5 for compatibility reasons. Many customers reported issues when we targeted 4.x.

Back in December we offered a tech tip to turn diagnostic logging on when troubleshooting. Like many things, diagnostics reach a point at which the diagnostic is complete. When this happens, turn off the diagnostic log function within LOGbinder! For one thing diagnostic logs can place a huge amount of data in the C:\Programdata\LOGbinderXX folder. More important, diagnostic logging slows down the processing speed of the LOGbinder service.

Unless our support team is working with you on an issue, you will want to turn diagnostic logging off to conserve system resources.

Many attackers would trade domain authority for the real honey pot: read-access to your SQL Server databases. So how should you monitor authentication and/or logon failures to these sensitive information stores?

LOGbinder is sponsoring a free webinar to show you how to track these events, even if the attacker successfully authenticates via a stolen domain account but lacks access to the database.

This type of hands-on instruction is too important to miss. Registration is free and, as with all of the webinars from Ultimate Windows Security, registration will give you access to the recorded version so you can watch the presentation at a more convenient time.

To see attacks happening to your databases, you cannot rely simply on your domain controllers’ and Windows server security logs to monitor your SQL Server database(s). You must monitor events produced only by SQL Server itself.

In this webinar you will learn how to effectively do that – quickly and simply. Click here to read the webinar abstract and registration link.

Occasionally we get feedback from customers that boils down to questions about truncated audit log output. It is important that security analysts and compliance officers understand some basic technology aspects of audit log processing because it helps them to grasp how audit integrity is preserved within the limits of audit log reporting.

Audit truncation: Just the facts

Some event logs from Exchange and SharePoint contain very large chunks of data. Which is fine, except for a simple and incontrovertible fact: there is a limit to the amount of data that can be written to common audit log outputs such as the Windows Event and Security log and Syslog.

• Windows Event and Security log limit events from about 27,000 to 32,000 bytes.
• Some implementations of Syslog limit the size to 65,000 bytes, while other Syslog variants have different limits.

An example of an excessive event in SharePoint would be when someone changes the layout of a list or document library, or adds a rule to sort the list: event 23 will include tons of information about all the schema changes which quickly adds up to tens of thousands of bytes. Another example: Exchange includes a field on some events called “Additional information” that can contain thousands of bytes only marginally-important from a security perspective.

There is no byte limit to file outputs.

What you need to know about audit integrity and LOGbinder’s audit log truncation

LOGbinder puts audit integrity ahead of other considerations in the course of its work. This does not mean that we don’t truncate logs when the required output demands it. For customers whose SIEM requires an output that imposes a limit to the size of recorded event, a decision must be made on how to deliver the event. (It would be unacceptable to just skip it and fail to deliver the audit event.)

In the case of an excessive byte-sized event, LOGbinder makes the decision to truncate what we view to be extraneous: information that can be retrieved via other means (such as the schema change we mentioned earlier) or that is less important to SIEM security analysts than the particulars about the event such as the “who did it, what did they do, and where did it happen”. Those field data elements are never too big.

When we truncate the event, we take extra care to deliver all that is possible. Our very cool technology truncates events only to the size insisted on by the SIEM-specific Syslog implementation for example, starting with the full amount and reducing until it is accepted.

Of course, no such truncation takes place if the LOGbinder output is directed to a plain text file.

It should be stated that, by a wide margin, most use-cases never encounter this issue. Security officers and SysAdmins have good reasons to narrow their monitoring focus to the most relevant audit events. They exclude the noise events which are typically those that would require truncation.

Audit integrity has always been a LOGbinder core value. Our architects and developers have gone to great length to ensure security analysts have what they need from audit logs, both for real-time security event information and forensic investigations– despite hard-coded technological limitations in common event logging formats. The ability to simultaneously direct output to a file that has no byte limitation is an expression of our core value.

LOGbinder for SharePoint even has a feature to configure “lookup levels” to allow organizations to configure their own suitable balance between system performance and the collected audit log detail. We will take a closer look at this feature in a subsequent post.