LOGbinder Blog

Updates, Tips and News   RSS Feed  

«  | All LOGbinder products up... »

Today we revolutionize using Windows Event Collection at scale

Fri, 04 Sep 2020 15:53:09 GMT

What we are announcing today with Supercharger for Windows Event Collection reminds me of how far technology has come.  I remember being so excited to sit down in front of the great Commodore 64 thinking how amazing this is.  Now almost 40 years later and my processor has as many cores as that C64 had bits.  Why am I talking about 40-year-old computers?  Back then I, like many, thought that the C64 was an amazing machine. But look at what we have today just 40 years later.

Today, Windows Event Collection/Forwarding (WEC/WEF) is becoming a well-known well-functioning technology.  It’s been around since Vista and Server 2008 and it’s a great technology.  What makes WEC an awesome technology?  To start, it’s built-in to Windows and has no agents, no polling, no noise and can be centrally managed.  In the past 12 years nothing much has changed with WEC.

Now that WEC is being implemented more in the real world it’s becoming easier to see where it is lacking.  For example, once you start to scale out with multiple collectors and thousands (or tens or hundreds of thousands) of forwarders, then your collectors can become unstable or even unusable.  The solution?  Setup more collectors.  Create the same subscription on each collector but assign different computers to each collector.  Good idea, right?  In theory, yes.  Soon it will become obvious that keeping collectors and subscriptions consistent is a full-time job.  The next thought may be to just use AD groups.  But then you run into the issue of new computers and decommissioned computers.  That issue is nothing compared to the fact that group membership changes don’t take affect until either a system reboot or purging of the Kerberos ticket.  I think it’s safe to say that for most, if not, all of us, we just can’t do a mass reboot of servers/workstations.   So that leaves the option of purging the Kerberos ticket.  Now we have to bring in technologies like System Center, PS Remoting or tasks in our GPO’s.  There has to be a better way.

So, let’s nix the idea of groups in the WEC subscriptions.  Can’t we just add individual computers to the subscription? 

Yes, you can but as it turns out WEC’s subscription memory structure is limited to about 1,800 allowed computers.  Many organizations regularly need to assign tens of thousands of forwarders to a single collector. So now that’s going to require multiple duplicate subscriptions targeting unique sets of 1,800 (1,500 to be safe) forwarders each. 

 

Tired yet???  Just thinking of the management of this setup gets me stressed.  All this makes two points very clear.  WEC is a great foundation for an enterprise logging pipeline but

  1. it needs care and feeding
  2. becomes unwieldly on its own especially once you start scaling out

So, since its release 12 years ago not much has improved WEC, that is until now!

Back in 2018 we released Supercharger for WEC.  One could say it was the Commodore 64 of its time.  It had what we called Distributed Subscriptions.  Supercharger made use of a dedicated OU in AD where it managed groups that were used to balance subscriptions across multiple collectors.  Did this fix the issue that many WEC environments were facing with large numbers of endpoints?  Yes, but again we have the issue of computers not seeing that they are added to groups until reboot.  So, Supercharger was constantly waiting for load balance maintenance to take effect.

Now, on Sept 3, 2020 we released a new version of Supercharger.  We have redesigned distributing subscriptions with our new Load Balanced 2.0 technology.  

This revolutionary enhancement means no more waiting for endpoints to see group additions.  This also means Supercharger no longer requires a dedicated OU in AD and a dedicated service account with permissions to create/modify groups in that OU.  You may be thinking, “hey what about WEC’s limit of 1,800 forwarders to subscription limit?”  We solved that by programmatically creating multiple WEC subscriptions with 1,500 computers assigned to each one.  These individual subscriptions are known as “shard sets” in Supercharger.

Now load balanced subscriptions take effect immediately.  If you need to add, remove, or replace a collector this can be completed instantaneously.  We are not exaggerating when we say that the reaction time has been reduced from weeks to seconds!

With Supercharger, not only do you get one pane of glass visibility into your WEC environment but you no longer need to “jump box” around from collector to collector to monitor subscriptions.  So, you can escape being tied down to RDP and Event Viewer when managing WEC.  Also, Microsoft has admitted that at a certain point, once you reach X number of subscriptions and forwarders, Event Viewer just gets overloaded and will stop working.  Obviously, this makes it impossible to manage subscriptions in some environments.  Add on to this the health change alerting, performance monitoring, trend analysis, policy-based control and load balancing 2.0 and it’s clear that Supercharger is a must have for any WEC implementation. 

Download Supercharger today and see just how easy a huge implementation of WEC can be.  Just imagine having all of your Windows endpoints send event logs to a collector in under 15 minutes.  With Supercharger we’ve made the impossible possible. 


Comments disabled

powered by Bloget™