LOGbinder Blog

Updates, Tips and News

November 2014 LOGbinder Newsletter: Windows Event Collection and your SIEM; 2 Tech Tips for security analysts

Mon, 24 Nov 2014 19:34:00 GMT

Is Windows Event Collection a problem for you? We hear (a lot) that organizations struggle with collecting Windows Events. It’s not that their SIEM struggles, but rather there is a gap in the technology to deliver Windows Event Collection (WEC) data from hundreds or thousands of machines to SIEM at sufficient speed.

We like to solve problems yet to be solved, and therefore would love to hear from you about your experience with WEC. Would it help you to have a LOGbinder for Windows that could deliver relevant security events to your SIEM? If so, what SIEM do you use?

This issue strikes at the very heart of our core belief that important security event information should be in the SIEM. We love SIEMs and we love solving the little problems so the SIEMs and their security analysts can pay attention to the big stuff.

What your SIEM doesn’t know about endpoints can kill you. If your SIEM (or your security analysts) lacks timely security event information from all the Windows machines in the organization, whether they are remotely connected or not, and that is a big problem for you, please tell us. If it’s not a problem, please tell us that too, along with which SIEM you use. We’ll share that with our audience.

This brings us to another topic related to what SIEMs do (and don’t do).

It’s not your SIEM’s fault that it can’t consume audit logs from Exchange, SharePoint, SQL Server or even SAP via normal collection means. No SIEM can do this. Sometimes people forget that a SIEM’s job is to provide the analysis tools; it’s not the SIEM’s job to change hats and perform ad hoc coding to address all the different application audit log frameworks. For that, you need the insight and best effort from a subject matter expert focused on getting the information to a SIEM. Which is exactly where LOGbinder came from, the insight and effort of an application security subject matter expert.

Tech Tip: Manage the audit performance by tweaking the amount of excess information attached to the audit

One of the new features of LOGbinder SP 5.0 is the ability to dial back internal processing to tune audit performance. LOGbinder SP lets you control how many lookups it performs to obtain additional information while translating raw audit events into easy-to-understand audit entries, for example resolving a user ID to a user name or an object GUID to the object’s actual name. The trade-off is the obvious one: fewer lookups mean less load and faster throughput, at the price of less context in each event. We include recommendations to guide you in our LOGbinder SP Getting Started Guide; see pages 8 and 9 for details.

It’s Renewal Time

For many of you, this month is the month to renew your support and maintenance contract. There are good reasons for doing so. For one thing you fix your support costs and get help immediately. For another, you have access to software updates at no additional cost. This year has seen major updates to LOGbinder software and we’re not done yet. We expect to release automatic mailbox audit policy management for Exchange from within the LOGbinder EX application! This is a huge advance, for not just LOGbinder EX but for Exchange Auditing in general, and customers who are current with their support and maintenance contract get it for no additional money.

Where to find information about LOGbinder events

Every month we answer about 150,000 questions about events. But where do you go if you have a specific question about an event reported by LOGbinder? Some of our SIEM Synergy partners have collaborated with us to provide a hyperlink within their application to take you directly to the relevant event ID page. So when you see an event you wish to research, clicking on the hyperlinked Event ID will take you directly to the details page on Ultimate Windows Security’s Online Encyclopedia.

But what if your SIEM doesn’t have a hyperlink to the right page? You can still get the information by browsing to UltimateWindowsSecurity.com and clicking Security, then Encyclopedia (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx). Once there, select the source of the event (All Sources, Windows Audit, SharePoint Audit, SQL Server Audit or Exchange Audit). To narrow the list, use the drop-down box on the right; otherwise browse the list of events and click the appropriate one for the full details. Events are listed in numerical order, so they are easy to find. (By the way, when you get a chance, send a note to your SIEM’s product manager asking them to finish their integration, so you can save yourself the trouble next time you need event information.)

If you still can’t find your answer there, click the blue “Ask a question about this event” button and post your question in the Ultimate Windows Security forum. LOGbinder now sponsors an Exchange, SQL and SharePoint forum there, and you can expect a quick response from one of our technical engineers.

Tech Tip: How to find the status of Exchange Server 2013 audit log requests

Exchange Server’s audit log search function is asynchronous: you submit a search request, and the results arrive later by email. That makes sense for Exchange, but it gives heartburn to security analysts who have to “wait in faith”. The good news is that you can see the status of those audit log requests with a PowerShell cmdlet; the bad news is that only Exchange 2013 supports it. In Exchange 2013, the Get-AuditLogSearch cmdlet returns the administrator and mailbox audit log searches that are still pending.
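As an added example (not from the newsletter and not LOGbinder code), the following Exchange Management Shell snippet queues a mailbox audit log search on Exchange 2013 and then watches Get-AuditLogSearch until that search drops off the pending list. The mailbox, recipient address and search name are made up, and the poll interval and timeout are arbitrary choices.

```powershell
# Added example, not LOGbinder code. Run in the Exchange Management Shell on
# Exchange 2013. Mailbox, recipient and search name are placeholders.

$searchName = 'LB-delegate-access-review'   # assumed name

# 1. Queue the search. Exchange processes it asynchronously and mails the
#    results (an XML attachment) to -StatusMailRecipients when it finishes.
New-MailboxAuditLogSearch -Name $searchName `
    -Mailboxes 'capt.kirk@lb.example' `
    -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) `
    -StatusMailRecipients 'secops@lb.example' `
    -ShowDetails

# 2. Show every audit log search that is still pending. Admin and mailbox
#    audit log searches are listed together.
Get-AuditLogSearch | Format-List

# 3. Poll until our search has left the pending list, which is the only
#    signal the shell gives that the results mail has been (or is being) sent.
$deadline = (Get-Date).AddMinutes(30)   # arbitrary timeout
do {
    $pending = Get-AuditLogSearch | Where-Object { $_.Name -eq $searchName }
    if (-not $pending) {
        Write-Host "Search '$searchName' is no longer pending; check the mailbox of secops@lb.example."
        break
    }
    Write-Host "Search '$searchName' still pending; retrying in 60 s."
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)
```

Completed searches are not reported by the cmdlet; they simply disappear from the list, so the loop treats absence as completion. If the loop hits the timeout with the search still pending, the search is still queued and the results mail has not been sent yet.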

For more tips on application security intelligence, be sure to watch our blog updates at www.logbinder.com/Blog and sign up for the Real Training for Free™ webinars at Ultimate Windows Security’s web site.

October 2014 LOGbinder Newsletter: Feedback Makes Customer Happy; New SIEM integrations

Thu, 30 Oct 2014 11:04:20 GMT
Remember when we said that we loved feedback and wanted to hear from you about the pain points? Here's an example of what we try to do when you send us that feedback. We got a call from a LOGbinder SQL customer with a production environment problem that didn't show up during his evaluation in a test environment. While diagnosing the problem (it turned out to be a GPO issue at the customer's location) we saw that the input window was too narrow to display all of the long file name, which was a major pain. Our development team made the correction to the source code and we got the new bits to the customer that same day! The customer was happy, and the developers got the satisfaction of delivering a solution that made a real difference.

So please keep that feedback coming. We sweat even the small stuff if it helps you get application security intelligence where you need it – your SIEM.

People who speak our language

LOGbinder has some great value-added resellers who speak our language. They totally get that your SIEM needs to have application security intelligence. And many of them are translating LOGbinder sales material into languages other than English.

If you or a colleague prefer German, for example, click Innovative SIEM-Integration von Microsoft-Daten to get what our VAR in Germany, iT-CUBE, has put together. It's great!

IT Guard has also translated our sales materials into Russian to get the word out in that country. They have done a great job with their web site.

If you like your English with an Australian accent, you can't do better than to talk application security intelligence with the SIEM experts at Shelde. In fact, North American and European readers, when you can't sleep for thinking about a SIEM issue, chances are the Shelde guys down under are just starting their day and would love to help.

Our sales team is working to form partnerships with smart security consultants and resellers all over the globe. Do you have a firm you like to work with that we should know? Tell us.

Tech Tip: Why i:0#.w| in front of user names in LOGbinder SP?

The other day someone asked why LOGbinder SP puts the characters "i:0#.w|" in front of user names. For example, instead of "LB\capt.kirk" as the user name, it shows "i:0#.w|LB\capt.kirk".

LOGbinder does not add this; it comes from SharePoint. SharePoint 2010 and SharePoint 2013 store user identities as encoded claims, and the prefix records the claim type, the claim value type and, most usefully for an analyst, the original issuer, that is, which authentication provider (Windows, a forms-based membership provider, a trusted identity provider such as AD FS) asserted the identity. "i:0#.w|" reads as: identity claim, string value, Windows logon name, issued by Windows. A SIEM rule that matches only on the trailing name can therefore conflate two different principals that share a name but were authenticated by different providers, so keep the prefix when you correlate. Here is an article on what each character means: http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx
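As an added example (not code from LOGbinder or SharePoint), here is a PowerShell function that decodes SharePoint's claims-encoded user names into their parts, so a SIEM rule can key on both the principal and the provider that authenticated it. The lookup tables cover only the codes I am confident about; any other code is reported verbatim rather than guessed. The sample inputs at the bottom are constructed, apart from the newsletter's own "i:0#.w|LB\capt.kirk".

```powershell
# Added example, not LOGbinder or SharePoint code.
# Encoded shape: <i|c>:<valueType><claimType>.<issuer>|[<issuerName>|]<value>
#   i = identity claim, c = other claim (group, role, ...)

# Partial tables: only codes I am sure of; unknown codes are passed through.
$ClaimTypeCodes = @{
    '#' = 'userlogonname'
    '5' = 'emailaddress'
    '+' = 'groupsid'
    '-' = 'role'
    '!' = 'identityprovider'
    '(' = 'isauthenticated'
}
$IssuerCodes = @{
    'w' = 'Windows'
    's' = 'SharePoint (local STS)'
    't' = 'Trusted identity provider'
    'f' = 'Forms (membership provider)'
    'm' = 'Membership provider'
    'r' = 'Role provider'
    'c' = 'Claim provider'
}
# These issuers carry the provider name as an extra "|"-delimited field.
$IssuersWithName = 't', 'f', 'm', 'r', 'c'

function ConvertFrom-SPEncodedClaim {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EncodedClaim)

    process {
        $m = [regex]::Match($EncodedClaim,
            '^(?<kind>[ic]):(?<vtype>.)(?<ctype>.)\.(?<issuer>[a-z])\|(?<rest>.*)$')

        if (-not $m.Success) {
            # Classic-mode names such as "LB\capt.kirk" carry no claims prefix.
            return [pscustomobject]@{
                Encoded = $EncodedClaim; IsClaim = $false; IsIdentity = $null
                ValueType = $null; ClaimType = $null; Issuer = $null
                IssuerName = $null; Value = $EncodedClaim
            }
        }

        $vtype      = $m.Groups['vtype'].Value
        $ctype      = $m.Groups['ctype'].Value
        $issuerCode = $m.Groups['issuer'].Value
        $rest       = $m.Groups['rest'].Value
        $issuerName = $null

        # For provider-backed issuers the first "|" field is the provider name.
        if ($IssuersWithName -contains $issuerCode) {
            $idx = $rest.IndexOf('|')
            if ($idx -ge 0) {
                $issuerName = $rest.Substring(0, $idx)
                $rest       = $rest.Substring($idx + 1)
            }
        }

        $valueType = if ($vtype -eq '0') { 'string' } else { "code '$vtype'" }
        $claimType = if ($ClaimTypeCodes.ContainsKey($ctype)) { $ClaimTypeCodes[$ctype] } else { "unknown code '$ctype'" }
        $issuer    = if ($IssuerCodes.ContainsKey($issuerCode)) { $IssuerCodes[$issuerCode] } else { "unknown code '$issuerCode'" }

        [pscustomobject]@{
            Encoded    = $EncodedClaim
            IsClaim    = $true
            IsIdentity = ($m.Groups['kind'].Value -eq 'i')
            ValueType  = $valueType
            ClaimType  = $claimType
            Issuer     = $issuer
            IssuerName = $issuerName
            Value      = $rest
        }
    }
}

# Constructed samples: the newsletter's Windows example plus forms, AD FS,
# group-SID and classic-mode variants. Names and SIDs are made up.
$samples = @(
    'i:0#.w|LB\capt.kirk',
    'i:0#.f|lbmembers|capt.kirk',
    'i:05.t|adfs|capt.kirk@lb.example',
    'c:0+.w|s-1-5-21-1111111111-2222222222-3333333333-1105',
    'LB\capt.kirk'
)
$samples | ConvertFrom-SPEncodedClaim |
    Format-Table Encoded, IsIdentity, ClaimType, Issuer, IssuerName, Value -AutoSize
```

Note how the first, second and third samples all describe someone called capt.kirk but differ in Issuer (Windows, a forms membership provider named lbmembers, a trusted provider named adfs); a correlation rule that strips the prefix and keeps only the trailing name treats them as one account.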

New SIEM integrations are publicly available

Many SIEM product developers have recently told us about new integrations for LOGbinder solutions. We're going to be telling everybody about these developments as soon as the documentation is complete. In the meantime, here are the highlights about what's new:      
  • Logpoint has fully integrated all 3 of the LOGbinder products.
  • LogRhythm has completed their 2nd LOGbinder integration, the one for LOGbinder EX and they are working on the LOGbinder SQL integration.
  • McAfee ESM is now fully supporting all three LOGbinder products.
  • IBM's QRadar product team approved our LEEF implementation. (see note below) QRadar now has integration for LOGbinder SP and LOGbinder EX and are working on an integration for LOGbinder SQL.
  • Solarwinds has also completed their 2nd LOGbinder integration for LOGbinder EX and plan to work on LOGbinder SQL integration.
  • Our Splunk app for LOGbinder is in beta testing. Let us know if you want to kick the tires.
Note: All 3 LOGbinder products now in beta have LEEF output options. We expect to release these new versions publicly within the next 2 weeks.

Of course, LOGbinder works with any SIEM, and we have Recommended Rules and Alerts for all our products to help users when no custom integration exists for their SIEM. (Click here to get them.)

Options for SQL Server auditing

We know this is a huge topic. We sponsored an Ultimate Windows Security webinar about SQL Server auditing on October 16 that had one of the biggest registration and attendance counts of the year. Apparently more and more, people focus on getting SQL Server audit done right. If you missed the webinar, you can still get the information. If you or someone you know needs to get up to speed on SQL Server audit click here to get the recorded version. The recording captures all of the good questions and answers.

Don't forget to check out our blog post comparing SQL Trace to SQL Audit. It's great info.

Did we say that the Splunk app is ready for beta testing?

The new Splunk app for LOGbinder is available if you want to try it out. We'd love to hear some feedback from more beta testers.

LOGbinder releases updates to Exchange & SharePoint solutions

Fri, 22 Aug 2014 15:30:43 GMT

Summary: New updates offer substantial performance improvements. Customers with Maintenance contracts received notice of availability at no additional cost.

LOGbinder™ announces significant upgrades for two of its application security intelligence solutions for SIEM, LOGbinder SP 5.0 and LOGbinder EX 2.5. The updates bring performance improvements most beneficial to large enterprise environments.

Both versions benefitted from an extensive Enterprise Preview program LOGbinder instituted earlier this year. “Our enterprise customers who’ve installed the pre-release versions have been very pleased with the new performance improvements,” said Randy Franklin Smith, CEO of Monterey Tech Group, Inc., the parent company of LOGbinder Software. “In enterprise scale scenarios it is very challenging to keep Exchange and SharePoint audit data moving so that it reaches your SIEM as close to real-time as possible.  Our development team has crafted enterprise-class software that, with proprietary caching, multi-threading and asynchronous scheduling, does the right thing at the right time, which we have found to be of critical importance in large monitored environments.”

Both new versions of LOGbinder EX and LOGbinder SP have built-in protection against bogging down production environments when installing for the first time and trying to process a potentially massive backlog of events.  In addition:

  • LOGbinder EX™ 2.5, the solution for getting Exchange Server security intelligence to SIEM, adds greatly enhanced technology to improve audit log query intelligence. It also improves mail handling if Exchange’s audit result comes back with errors.

  • LOGbinder SP™ 5.0, the solution for getting SharePoint security intelligence to SIEM, introduces new technology to better handle large numbers of site collections, both in application start-up and in managing the automatic audit policy configurations. In addition, customers are now able to make their own ad-hoc application performance tweaks by adjusting query levels.

With these updates LOGbinder continues its practice of releasing major updates for its technology at least once a year. The last round of major updates released September 2013 included full compatibility with Microsoft’s most recent versions of Exchange, SharePoint and SQL Server. Minor updates have been released throughout the year.

How customers can get the updates

Customers with current maintenance & support agreements receive their upgrade at no cost. Emails were sent to the technical contact on file. Information is also available via the Summer 2014 Updates page.

LOGbinder and SolarWinds LEM featured in Randy's blog

Mon, 07 Jul 2014 08:52:41 GMT
There's a new blog post featuring LOGbinder SP and SolarWinds LEM.  Click here to read Randy's new post.

New Syslog Features in LOGbinder SP 4.0.5

Mon, 17 Mar 2014 11:06:43 GMT

We have a quick update to LOGbinder SP for all of you who are using Syslog to forward your SharePoint audit log to your favorite SIEM.

LOGbinder SP version 4.0.5 adds the following new features:

  • Alternate Output Data Folder: It is now possible to change the default data folder, which is also used for the output data. This is the folder where LOGbinder stores the outputs that are written to files, as well as the diagnostic files. You can now store these in a different folder, on a different hard drive, or even in a shared folder on a different server. This is useful if you need to separate software from data, or must keep disk usage minimal on the drive where your programs are installed.
  • Network locations for Syslog output: As a result of the above change, it is now possible to use a network location for the file-based Syslog outputs, Syslog-Generic (File) and Syslog-CEF (File). These files, in turn, can be easily accessed by your SIEM.
  • Test button for Syslog output: A "Test" button is now available for Syslog outputs that sends a test Syslog message to the specified address and port. When setting up LOGbinder to output to a Syslog server for your SIEM to collect, the most difficult part can be ensuring that firewalls and other settings don't block the traffic from LOGbinder to the Syslog server. The "Test" button helps you set up and verify this connection.
  • Output file name clarification: The sample file name for the Syslog (File) outputs now correctly indicates that the date is included in the file name.
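The same firewall check can be done by hand from the LOGbinder host. As an added example (not the product's Test button and not LOGbinder code), this PowerShell function sends one RFC 3164-style syslog datagram carrying a CEF header over UDP to the collector. The collector address, port, vendor/product strings and message text are assumptions.

```powershell
# Added example, not LOGbinder code. Sends a single test syslog message over UDP.
function Send-TestSyslog {
    param(
        [Parameter(Mandatory)][string]$Server,   # collector address (assumption)
        [int]$Port = 514,                        # standard syslog/UDP port
        [int]$Facility = 4,                      # RFC 3164: 4 = security/authorization
        [int]$Severity = 6,                      # RFC 3164: 6 = informational
        [string]$AppName = 'LOGbinder-test',     # placeholder tag
        # CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|
        # Vendor, product and version strings are placeholders, not LOGbinder's.
        [string]$Message = 'CEF:0|ExampleVendor|SyslogTest|1.0|100|connectivity test|3|'
    )

    # PRI = facility * 8 + severity, per RFC 3164.
    $pri = ($Facility * 8) + $Severity

    # RFC 3164 timestamp is "MMM dd HH:mm:ss" with a space-padded day ("Nov  3").
    $now = Get-Date
    $ts  = '{0} {1,2} {2}' -f $now.ToString('MMM', [cultureinfo]::InvariantCulture), $now.Day, $now.ToString('HH:mm:ss')

    $line  = "<$pri>$ts $env:COMPUTERNAME ${AppName}: $Message"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        [void]$udp.Send($bytes, $bytes.Length, $Server, $Port)
    } finally {
        $udp.Close()
    }

    # UDP gives no delivery confirmation; return the exact line so you can
    # search for it in the collector's raw-event view.
    return $line
}

# Usage (collector address is an assumption):
Send-TestSyslog -Server '10.0.0.5' -Port 514
```

Because UDP is fire-and-forget, the only proof of delivery is seeing the line on the collector (a packet capture on the collector, or the SIEM's raw-event view, looking for the text returned by the function). If the collector takes syslog over TCP instead, Test-NetConnection -ComputerName 10.0.0.5 -Port 514 (Windows 8.1 / Server 2012 R2 and later) at least shows whether the port is reachable through the firewall.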

If you would like to take advantage of the above features, go ahead and download LOGbinder SP.

