LOGbinder Blog


A new tool for unleashing the power of native Windows Event Collection arrives February 23

Thu, 02 Feb 2017 11:40:23 GMT

With today's endpoint-focused attack methods, it's never been more important to get security logs from every single computer on your network.

Windows Event Collection is baked into the OS itself and it's just waiting to be used. (Already a big believer in WEC? Read on, we've got a very big announcement for you.)

Very, very few organizations currently monitor the Windows Security Log on every server, desktop and laptop on the network and it's easy to understand why when you consider these facts:

  • Security logs are huge. Multiply huge by the number of endpoints and you get “extremely huge”
  • Many SIEM (e.g. ArcSight) and log management solutions (e.g. Splunk) charge based on volume of logs consumed
  • Remote log collection is prohibitively inefficient and, ironically, opens up security issues
  • Agents = Resistance. Admins don't want agents on their systems. Agents use resources. Agents have to be monitored and cared for. Agents have to be updated.

Windows Event Collection to the rescue

WEC provides the power of an agent with a zero-footprint and completely hands-off control. Leveraging Active Directory, we can cause any number of endpoints to forward their most important security events to the Windows event collector of our choice – or in very large organizations we can distribute that load across multiple collectors as necessary.

At that point, whether you use agents to push events or WMI/RPC to pull events, the burden of getting these events into your SIEM or log management solution now drops from thousands of systems down to a handful.

WEC also gives you options to deal with the size of event logs. Even with WEC's ability to bring event logs to your SIEM's doorstep, maybe you can't afford to upgrade the hardware and licenses needed to handle that influx of log data. Or maybe your SIEM's scalability tops out at a certain point. One of these two constraints applies at most enterprises.

Then it's time to acknowledge that the majority of security log data is noise and leave that noise behind. With advanced XPath queries you can filter out the noise and forward only the much smaller number of important events. That requires specialized knowledge of XPath and the Windows Security Log, but read on.

In this deeply technical, real training for free ™ webinar at UltimateWindowsSecurity.com, Randy Franklin Smith will implement Windows Event Collection live and demonstrate how to:

  1. Target endpoints at your Windows Event Collectors
  2. Set up a Windows Event collector
  3. Create a subscription on the collector
    1. Scoped to a certain group of computers as forwarders
    2. Includes advanced filtering of noise events
  4. Monitor the subscription as source computers begin to forward events
  5. Troubleshoot problem forwarders
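As an added example that is not part of the original post or of Supercharger, here is how steps 2 through 5 above look when done by hand on a collector with the built-in wecutil tool, together with the kind of XPath noise filtering described in the previous section. The collector name wec01.example.local, the forwarder group SID, the subscription name and the chosen event IDs are constructed placeholders; the subscription schema, the wecutil/wevtutil switches and the Group Policy setting are Windows' own.

```powershell
# Added example (not from the LOGbinder post): a minimal source-initiated WEC
# subscription that scopes forwarders to one AD group and filters noise with XPath.
# Run on the collector in an elevated PowerShell session. Hostnames, the group SID
# and the event IDs are constructed placeholders; adjust them for your environment.

# 1. Forwarders are "targeted" through Group Policy, not on the collector. The GPO
#    setting is Computer Configuration > Policies > Administrative Templates >
#    Windows Components > Event Forwarding > Configure target Subscription Manager,
#    with a value such as the one below (the collector FQDN is a placeholder):
$subscriptionManager = 'Server=http://wec01.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60'
Write-Host "GPO SubscriptionManager value: $subscriptionManager"

# 2. Set up the collector (WinRM listener + Windows Event Collector service).
wecutil qc /q

# 3. Create the subscription. The query forwards only the logon, account-management
#    and audit-policy events we care about, and suppresses the two largest noise
#    sources inside 4624 on a workstation: network (type 3) logons and SYSTEM logons.
#    AllowedSourceDomainComputers is an SDDL string; the SID below stands in for the
#    AD group that holds the forwarders (constructed placeholder).
$forwarderGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-Critical</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Critical Security Log events from workstation forwarders</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>100</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <!-- Keep: logon success/failure, explicit-credential use, user created, group membership changes, audit policy changed -->
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4719)]]</Select>
        <!-- Drop: network logons and SYSTEM logons, the bulk of 4624 volume on a workstation -->
        <Suppress Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType']='3']]</Suppress>
        <Suppress Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName']='SYSTEM']]</Suppress>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;$forwarderGroupSid)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$path = Join-Path $env:TEMP 'Security-Critical.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding UTF8
wecutil cs $path

# 4. Monitor: per-source state (Active / Inactive / Trying) and last heartbeat ...
wecutil gr Security-Critical
# ... and confirm events are landing in the ForwardedEvents log on the collector.
wevtutil qe ForwardedEvents /c:5 /rd:true /f:text

# 5. Troubleshoot a forwarder that never goes Active: on the source computer, the
#    Microsoft-Windows-Eventlog-ForwardingPlugin/Operational log records why the
#    subscription manager or the collector could not be reached. The forwarder also
#    needs read access to its own Security log, which by default only members of
#    Event Log Readers have; NETWORK SERVICE (the identity the forwarding plug-in
#    runs under) must be added to that group, e.g. via Restricted Groups in the GPO.
```

Two design points worth noting: the Suppress clauses sit in the same Query element as the Select, so the filtering happens on the forwarder before anything crosses the wire, which is where the volume savings come from; and scoping AllowedSourceDomainComputers to a dedicated group rather than Domain Computers means membership in that group, not the GPO alone, decides which machines the collector will accept.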

As great as WEC is, it's still just a foundation technology that lacks enterprise management, monitoring and reporting, and scalability features such as load balancing. It's time to change that. After this detailed tour of Windows Event Collection, we will introduce a new and unique solution for managing this foundation technology in Windows. The product is Supercharger for Windows Event Collection. Supercharger automates every aspect of Windows Event Collection, from:

  • configuring collectors
  • the creation of subscriptions
  • advanced filtering that safely ignores the noise without also suppressing important events

to advanced enterprise features like:

  • load balancing large environments across multiple collectors
  • 24/7 health analysis and monitoring of every event source computer
  • performance monitoring and capacity planning – all from one pane of glass

We will demonstrate Supercharger and make it available for immediate trial download.

We are very excited about the release of Supercharger and we can't wait to help you improve security and increase endpoint vigilance while lowering costs. Please join us! Click here to register.


Exchange Cumulative Update breaks auditing

Wed, 01 Feb 2017 14:15:31 GMT
Earlier today we discovered that the latest Exchange cumulative updates, released in December 2016, may be breaking Exchange auditing. We are currently testing the issue internally along with a few of our customers who have reported the same issue. As of this time, installing the latest cumulative updates may break Exchange auditing, which in turn will break LOGbinder for Exchange. Please visit our Knowledge Base for further details and steps to check whether you are affected.

December 2016 LOGbinder Newsletter: New version of LOGbinder for SQL Server

Fri, 23 Dec 2016 10:48:01 GMT
In June 2016 Microsoft released SQL Server 2016. Because of a bug in their Exchange 2016 release, we wanted to perform very extensive testing of this latest version of SQL Server and its new auditing features to make sure we didn't discover any bugs there too. We also performed very stringent testing of LOGbinder for SQL Server to make sure that our software continues to meet and exceed our internal standards.

With the release of SQL Server 2016 came not only many new features but also some new audit events. These include audit events related to committing and rolling back transactions, handling master keys, column encryption keys and database scoped credentials, as well as events related to external data sources (think, for example, Hadoop), external file formats and external resource pools.

LOGbinder for SQL Server 3.0 includes the ability to handle these new events as well as many other improvements. Here are some of the highlights:

  1. Support for SQL Server 2016
  2. New installer – Our new installer automates some of the prerequisites required during the installation process. Installation time is now just a couple of minutes.
  3. Improved service resilience – We have reduced the delay that some customers reported when restarting, starting or stopping the service.
  4. Purge processed files – We have added a new option to purge SQL audit files that are no longer being used by SQL Server and have already been processed by LOGbinder.
  5. Enhanced application activity events – Information events written to the Windows Application log now include statistics such as entries exported, elapsed processing time and events per second (EPS).

These are just a few of the improvements in this release of LOGbinder for SQL Server. For full details, check the release notes below.

Customers with current support and maintenance contracts can access the latest version at the link below. To upgrade to the latest version, just run the installer on top of the previous version. No data or settings will be lost. Please note that you will need to request a new license key for this version. You can do so by clicking File in the LOGbinder Control Panel, then License, and sending the license information to licensing@logbinder.com.

Related information

Thank you for your hard work in protecting sensitive information, and thank you for your support!


October 2016 LOGbinder Newsletter: New version of LOGbinder for SharePoint

Mon, 31 Oct 2016 14:05:41 GMT

One of our team members was recently reminiscing about a past IT career and how, at their organization, SharePoint was a document storage facility hosting timesheets, resumes and the week's cafeteria menu. Years later, SharePoint has become a widely used workflow platform for critical business processes and a clearing house for sensitive unstructured data.

Over the years, as we have had more interactions with our customers and audience, we have become convinced that SharePoint security auditing is a requirement for the millions of SharePoint customers around the world. It seems that week after week we hear reports of more information leaks and data thefts. You need the ability to open up closed applications like SharePoint and Exchange and see who's doing what.

In May 2016 Microsoft released SharePoint 2016. Because of a bug in their Exchange 2016 release, we wanted to perform very extensive testing of SharePoint auditing to make sure we didn't discover any bugs there too. We also performed very stringent testing of LOGbinder for SharePoint to make sure that our software continues to meet and exceed our internal standards.

What is new in LOGbinder for SharePoint 2016?

  1. Support for SharePoint 2016 On-Premises
  2. New installer – Our new installer automates some of the prerequisites required during the installation process. Installation time is now just a couple of minutes.
  3. Improved service resilience – A few customers reported to us that from time to time the LOGbinder service stopped. The detailed service logs showed that delays between SharePoint and the farm's SQL Server were causing timeouts. These timeouts were reported by SharePoint and were long enough to negatively impact the LOGbinder service. The LOGbinder service now handles these interruptions with less impact.
  4. Weird username prefix removal – Some customers wondered why they were seeing odd characters prefixing usernames in the logs (these are SharePoint claim type identifiers). You can find more info about it here. We have included an option to remove the claim type characters from the data.
  5. Site collection selection – Managing a handful of site collections is easy. Some customers, though, have thousands and thousands of site collections being monitored. Now you can use CTRL-A to select all site collections in the LOGbinder input.

These are just a few of the improvements in this release of LOGbinder for SharePoint.

Customers with current support and maintenance contracts can access the latest version at the link below. To upgrade to the latest version, just run the installer on top of the previous version. No data or settings will be lost. Please note that you will need to request a new license key for this version. You can do so by clicking File in the LOGbinder Control Panel, then License, and sending the license information to licensing@logbinder.com.

Related information

  • Release notes
  • Download
  • Getting Started Guide
  • Support



LOGbinder for Exchange 3.3.5 Released

Wed, 13 Jul 2016 18:15:30 GMT
We are happy to announce the release of the latest update to LOGbinder for Exchange. The latest update, Version 3.3.5, introduces some improvements as well as a few bug fixes. We know that some of our customers who use the LEEF Syslog output have had issues with the format of the LEEF output; this release fixes that issue. We have also created a more robust installer for LOGbinder that automatically configures many of the prerequisites that previously had to be configured manually. Click here to see a list of all of the latest enhancements and bug fixes.

In conjunction with this release, we have also added a new support section at LOGbinder.com that we will be keeping up-to-date with the latest news, bulletins and features of the entire suite of LOGbinder products.

