LOGbinder Blog

Updates, Tips and News   RSS Feed  

All LOGbinder products updated

Tue, 10 Dec 2019 17:18:50 GMT

Almost 12 years ago, my first LOGbinder product (LOGbinder for SharePoint) was created.  Since then we've developed software to help you audit SQL Server and Exchange admin and mailbox audit logs.  With the advent of our latest product, Supercharger for Windows Event Collection, we are now one of the biggest resources for the deployment, implementation and troubleshooting of Windows Event Collection (WEC).  Recently we released updates to all four of our products.  What's new?  At the bottom of this email are just a few of many new features and enhancements to our product line.  

I realize that a bulleted list of "features" may not seem that impressive, so I invite you to download any or all of our products and test them for yourself to see how they can help you audit the security actions in your environment.  For example, do you want to set a custom audit policy for every single one of your SharePoint sites including new sites that get create and then also get alerted if a malicious actor changes that audit policy?  Then try LOGbinder for SharePoint.  Do you want to audit SQL Server audits without touching the SQL Server or DB's once the audit is created?  Your SQL admins would love for you to try out LOGbinder for SQL Server.  Do you want to collect any log in event viewer from every workstation and server in your domain?  If your SIEM's cost is based on EPS or data storage, then Supercharger may pay for itself by allowing you to leave the noise at the source.

You can click the product to see all the latest changes:

  • Supercharger for WEC 19.10
    • Reports added
      • Comprehensive forwarder analysis - see every possible detail about every forwarder in your domain.  Excellent resource for troubleshooting problem forwarders
      • Collector performance history - see trends and patterns about collectors EPS and CPU.  Helpful for monitoring collector performance and resource planning
    • Maintenance button added to subscriptions of load balanced distributed subscriptions so you can maintain them on demand
    • Enhanced custom event log creation
  • LOGbinder for SharePoint 7.0.1
    • Filter events based on site
    • Error handling improved to make the service more resilient
    • Performance enhancements to speed up processing
    • Noise filtering 
    • Support for the latest versions of SharePoint
  • LOGbinder for SQL Server 5.0.1
    • Enhanced error handling
  • LOGbinder for Exchange 4.0.1
    • Redesign of mailbox audit configuration wizard
    • Coded workarounds for the "Too many audit requests" Exchange issue
    • Performance enhancements to speed up processing
    • "Apply Now" option for instantly applying the audit wizard configuration​

If you're already familiar with WEC or just learning, you'll want to view Randy Franklin Smith's recent webinar on WECBuilding a Resilient Logging Pipeline: Windows Event Collection Tips and Tricks for When You Are Serious About Log Collection.

Get instant pricing for Supercharger and our LOGbinder for SharePoint/SQL/Exchange products here:  Instant Quotes  

Over the past few months we've been listening to you.  Most of the enhancements and bug fixes in our latest releases are because of you.  The feedback and suggestions on our forum and support portal have helped us continue to improve our products.

If you are already a licensed user of our products and have a current support contract, then upgrading is easy.  Just find the product you need to upgrade on our download page.  Download the installer you need and just install on top of your current installation.  You will most likely need to request an updated product key at support.logbinder.com.  If you are upgrading Supercharger you just need to upgrade the manager.  All the collectors will upgrade themselves.

Thanks again for your support and I look forward to your feedback.

Randy Franklin Smith

How to analyze where events are coming from and how many

Thu, 31 Oct 2019 15:41:08 GMT

Recently we had an issue with a Supercharger customer/  They had 40+ distributed subscriptions and two of their many collectors were having latency issues. After hours and hours of investigation, research and troubleshooting we identified the issue. Of their tens of thousands of forwarders, just a few (yes not few thousand or few hundred but a handful) were generating a huge amount of events in comparison to the rest. This resulted in an unbalanced load balanced subscription. As a result of this troubleshooting, our Event Count By Source utility was born. Just download the utility and run it on a collector against some of the logs. You will see how it totals events by source and sorts them in descending order.

This utility is intended to help you determine where forwarded events are coming from and in what quantity. It analyzes the specified log and counts events by source computer and source log. 3 tab delimited files are produced in the current directory named after the type of data, log name, and computer name allowing you to co-mingle output from multiple executions of the program.

The 3 files summarize event counts by source machine only, source log only and by log and machine. A 4th file simply documents the number of events in the log.

There is only one parameter - log name. For a list of logs run "get-winevent -listlog *".
Omit log name and it will default to ForwardedEvents.

Download Event Count By Source utility.

This is a free utility from LOGbinder (www.logbinder.com) which is a division of Monterey Technology Group, Inc.
(c) 2019 Monterey Technology Group, Inc (MTG). You are free to use and copy this program for lawful uses. Use at your own risk. By your use of this program you hold MTG harmless of any untoward results.

Kerbpurge - Group memebership without a reboot

Sat, 01 Jun 2019 11:30:18 GMT

KerbPurge - What is it?

When you add a computer to a group in Active Directory, the computer does not know that it has been added to the group until a reboot happens. There are many obvious reasons why this is a problem. For example, you can't just reboot production servers at any time. Most organizations have some sort process in place for scheduling server reboots which in itself can be a time consuming process. When it comes to Windows Event Collection there are many reasons for adding endpoint forwarders to groups, especially if you are using Supercharger. For example, Superchargers builtin load balanced or distributed subscription feature rely's on group changes to keep forwarders balanced across the number of specified collectors. This is why Randy Franklin Smith of UltimateITSecurity.com designed and wrote KerbPurge.

Benefits and Features

  • Safely and efficiently make Windows computers see group membership changes
  • Tiny Windows service
  • Installable via Group Policy's Software Installation feature
  • Only purges tickets for the Network Service logon session and only when group membership has been changed for a computer
  • No measurable resource usage

Installation and Configuration

To install and configure Kerbpurge visit our knowledgebase for the step-by-step guide.

    Least Privilege Workaround for SQL DB Access

    Sat, 08 Dec 2018 10:21:56 GMT
    In the past we have explained how LOGbinder for SharePoint uses SQL privileges. We also informed you about the unfortunate workaround of giving dbo access to certain DB's in SQL in the sporadic cases when the SharePoint API interferes with access to the databases. 

    This was never a "workaround" that we were really happy with.  Giving dbo access is not only like giving the bank the title to your home as collateral for the mortgage but also giving them a letter that says "Stop by anytime you want and while you're here feel free to repaint the walls and help yourself to the scotch in the pantry."

    Thankfully, we have found a proper workaround that does not require dbo access.  There is a role on the SharePoint SQL DB's named "SPDataAccess".  We have found that giving the service account this role grants enough access for LOGbinder for SharePoint to function properly.  Again we would like to specify that this is not the standard configuration needed with LOGbinder for SharePoint.  This is only used in the rare situations when the SharePoint API is giving issues with DB access.  For most of our customers the permissions set within SharePoint itself for the service account is all that is needed. 

    There are two ways to give the service account this role.  One is using the SharePoint Management Shell and the other is directly in SQL (in our example below using SSMS). 

    Our preferred method is making the changes directly in SQL.  We noticed that when using the SP Management Shell an extra role is given.  We also noticed that this is not always the case as well.  Sometimes the extra role is given and sometimes it is not.  Why?  We don't know.  Maybe it's a hidden Microsoft feature.

    Here is how to make the changes using SSMS.

    1. In SSMS add your service account as a login.

    2. Open the logins properties and locate the three databases that your SharePoint farm is using for the Admin Content, Configuartion and WSS Content databases..  In this instance we have SharePoint_AdminContent(GUID), SharePoint_Config2019 and WSS_Content(GUID). 

    3. For each database map the SPDataAccess role to the login.  You will notice that for the WSS_Content db, after saving the role change SSMS also grants the PSDataAccess and the PSReportingSchemaAdmin role.  If you have more than one content db, then you will have to perform these steps on all applicable db's with the WSS_Content prefix.  For more information on how to set SPDataAccess on a large number of content databases, click here.

    You can also perform the steps above with a simple cmdlet using the SharePoint Management Shell.  Run the following cmdlet:

    Get-SPContentDatabase | Add-SPShellAdmin -UserName domain\ServiceAccount

    So in our example below we ran "Get-SPContentDatabase | Add-SPShellAdmin -UserName lab\sp2019srvacct".  Notice that doing this grants an additional role on all three databases; the SharePoint_Shell_Access role. As security experts our recommendation is obviously whichever process results in the least privilege needed to get the job done which, in this case, is making the changes via SSMS.

    What does the SPDataAccess role allow?  According to TechNet, the SP_DATA_ACCESS role will have the following permissions:

    • Grant EXECUTE or SELECT on all SharePoint stored procedures and functions
    • Grant SELECT on all SharePoint tables
    • Grant EXECUTE on User-defined type where schema is dbo
    • Grant INSERT on AllUserDataJunctions table
    • Grant UPDATE on Sites view
    • Grant UPDATE on UserData view
    • Grant UPDATE on AllUserData table
    • Grant INSERT and DELETE on NameValuePair tables
    • Grant create table permission
    Reference:  TechNet

    Support for Exchange 2016 Auditing; New Features in LOGbinder for SQL Server

    Wed, 15 Aug 2018 11:38:50 GMT

    Exchange 2016 support

    We are happy to announce support for Exchange 2016. Now you may be thinking 2016; wasn't that years ago?  It's true, Exchange 2016 was released in 2015 but because of a bug that seemed to have been introduced with the 2016 version, LOGbinder was not able to support it.  At the time we discovered it almost two years ago, we worked with Microsoft to confirm this behavior. This is what Microsoft said at that time:

    • The issue is caused due to limit of 100 search folders in particular mailbox. Before any new search can start, the old search folder has to age out and needs to be cleared. If this does not happen then it would fail.
    • We cannot modify these search folder limits, as it is by design.
    • We also found that it would take approx. 12hrs to reset the search folders count. So that we can run new query.

    The above limitations posed such restrictions on the auditing capabilities of Exchange, that LOGbinder was not able to support Exchange 2016 at that time.

    Our latest tests reveal that this has since been resolved and the above limitations have been removed in the latest cumulative updates. We have confirmed this to be true starting with CU6.

    Therefore, LOGbinder now fully supports Exchange 2016 CU6+.

    You can download LOGbinder for Exchange from our website and start auditing your Exchange environment.

    SQL Server 2017

    Microsoft released SQL Server 2017 and along with it they introduced new audit events. We have included these events in the latest LOGbinder for SQL Server version, adding events 24338-24348 and 24350-24375. These events are related to permissions on database scoped credentials and external libraries, and creating and dropping external libraries and database scoped resource governors, among some other events.

    Additional new features in version 4:

    • Adding inputs in bulk from a CSV file. 
      • This is useful for users who have dozens or more inputs.  These inputs can now be added all at once instead of one by one.
    • As a counterpart to adding inputs in bulk, selecting and deleting multiple inputs is now also enabled.
    • Improve resilience by not stopping the service if one of the inputs is temporarily unavailable
      • This means that if there are many inputs monitored by LOGbinder for SQL Server and one or more of them is temporarily down or inaccessible, auditing will continue uninterrupted for the rest of the inputs.  For the unavailable inputs a warning will be generated and sent to the output.

    Please download LOGbinder for SQL Server version 4.0 from our website to start auditing your SQL Server 2017.

    After downloading LOGbinder for SQL Server version 4, if you have a current active support and maintenance license, you will have to request a new license key by opening a ticket at the https://support.logbinder.com site. If you do not currently own a license, please contact sales at LOGbinder for a quote.

    previous | next

    powered by Bloget™