This time it’s the add-in that let’s you collect debug logs generated by Microsoft DNS servers.

Continue here.

In this short video watch how subscription bases OnDemand Log Management lets you:

1. Easily set up comprehensive tracking of all changes made to Active Directory irregardless of the native auditing configuration
2. Perform investigation of security issues by giving you tools to effectively search and analyze audit trails
3. Take proactive measures to prevent security incidents from happening in the future
4. Prepare evidence reports suitable for presenting to CSOs and external auditors

Want to conduct your own investigation now?

Sign up for a full functional trial and let us know how it goes.

Alexey

We’re pleased to offer a brand new custom reporting functionality that not only allows you to run any of the pre-defined reports but also build your own with the same ease.

The new export to PDF feature came to replace the old way of reporting that is now gone as is the Reports tab where you’d previously find it. Check out this short video that shows the new and straightforward process of building custom reports based on favorite searches. Now it literally takes the same amount of time as the video runs.

Wait, we’ve got some more news for you.

If you take a closer look to the home page of the product you’ll notice that it now contains another chart which lets you quickly assess the state of alerts you configured for your environment. Here is the sample screenshot of the Top Alerts chart:

Lucky owners of the commercial service subscription get another handy tool. With a help of Events by Time chart you can do basic trend analysis and watch for unusual event peaks. Here is a sample of this chart as well.

Both new charts have interactive features and drill down capability which instantly sets you up for further investigation.

We look forward to continuing expanding the product feature set throughout the next year.

Happy holidays!

Quite a few of the early adopters of OnDemand Log Management echoed this concern. As you know we’ve been listening to your feedback very carefully so we addressed this concern with the recent introduction of the so called Extended Auditing for Active Directory and File Servers. It’s Extended Auditing because it provides additional level of details compared to what you can extract from the native operating system or application logs.

Extended Auditing is instantly available to all of existing and yet to come customers of OnDemand Log Management. It is activated in the agent installation wizard by selecting Extended Auditing option as shown below. Just keep in mind that these options will only show up when you’re installing the agent to the server OS holding the corresponding server role: Active Directory server or file server.

Once you’ve let the agent capture first changes to your Active Directory objects or files and directories you can instantly view them by using one of the predefined searches that end with (Extended Auditing)

In this post I’m going to go through top 5 reasons why Extended Auditing gives you additional piece of mind from the change management standpoint. So, here they go

1. Capturing originator’s IP address

Unlike with Object Access events from the native Security log with Extended Auditing you can trace all changes down to a workstation from which the change originated. So, if multiple people in your organization use the same administrative account to perform their duty you could possibly distinguish between them by looking up the IP address they used.

2. Full Active Directory change auditing down to the attribute level with before and after values

As the screenshot above shows for each change being made to Active Directory Extended Auditing scrupulously seizes all the details including the object attribute and more importantly the before and after values.  Not only you can replay a sequence of changes made to Active Directory within a specified time period but also roll them back if they deem inappropriate. Unlike with the native Windows auditing subsystem there is no need to go through a time consuming process of setting up the auditing configuration. Once Extended Auditing for Active Directory is enabled it immediately starts intercepting changes and change attempts to all objects in Active Directory.

3. Group Policy settings change auditing

The only indication of changes ever made to Group Policy configuration that can be found in the native Security log is an event like this below. Unfortunately, no way it’d tell you whether this change concerned one of the security policies like Account Lockout Policy or it just targeted one of the application configuration settings.

Compare this to the event you’d get with a help of Extended Auditing in OnDemand Log Management. In addition to the name of the Group Policy object you would easily see both the name of the affected setting and its before and values!

4. Detailed permission change tracking

Those of you that can’t read with naked eye a lengthy sequence of hexadecimal numbers will have no clue who actually was granted or revoked what permissions to a file or Active Directory object. Simply because this is how Windows stores permissions in the object’s security descriptor and native event logs don’t bother decrypting this format.

Extended Auditing makes things a way easier by breaking each permission change down into a series of events in which you can clearly see what user or group was granted or revoked which permission to the file or Active Directory object in question.

5. Accurate file and share access auditing

As you know due to the implementation details of the Windows auditing subsystem the accuracy of file access audit events really depends on how well behaved the application that works with those files is. It can turn into a real mess when a lot of file activity happens behind the scenes which is the case with Microsoft Word.

Extended Auditing for File Servers brings that mess in order. However complex the underlying file manipulations are it will always capture the real operations performed on a file, directory or share. So instead of having to guess whether this file open event actually resulted in a subsequent file write or not you’ll know for sure when the file was changed, deleted or moved.

And for every file access event you’ll get the entire picture including the file operation, the name and IP of the user who made the change and the application executable that carried out the request on the user’s behalf.

As you might guess there are many other cases where Extended Auditing does a much better job capturing every single aspect of a change being made to files, folders, shares and Active Directory objects. And the best way to feel it is to give it a free try by yourself.

With the help of Extended Auditing you can bring change management processes to an absolutely new level where tight and all encompassing control of changes becomes a reality.

CloudCamp is a half day conference related to trends in cloud technologies. It’s held throughout the world and supported by well known experts and companies in the cloud industry.
It was a 4 hour event packed with a lot of interesting content and discussions. I liked the idea that attendees could submit topics for discussions and a self nominated panel of cloud experts could pick up any questions they felt comfortable answering over the beer .
The event started with vendor sponsored enlightening talks. Speakers were teaching the audience what’s unique about the cloud restraining from pitching their own tools.
Scalr and RighScale shared VM pattern based approaches they use to efficiently scale cloud applications up and out. Jeremiah Peschka from Quest Software raised the importance of NoSQL databases and explained how Toad for Cloud Databases can help developers interact with cloud databases in the way they’ve been doing with traditional RDBMs.
Adrian Cockroft from Netflix talked about the company’s experience with the recent infrastructure migration to Amazon EC2 (which turned out being a complete rewrite) and what they would like to see provided by yet to mature NoSQL databases. Other presentations were delivered by guys from IBM, Tropo and Twilio.

Everyone agreed that security, reliability and NoSQL will continue being the cloud buzz words throughout 2011.

The break out session on PaaS held by Sebastian Stadil was of particular interest to me. Today most of the cloud derived value comes from IaaS while PaaS still has to go a long way to become an attractive alternative to traditional development platforms.
The group was debating when leveraging PaaS can make sense today. The agreement was the PaaS might be a good start for a “two guys in the garage” startup to quickly spin up their startup project. It becomes more difficult to stick with the PaaS of choice when the service grows and you have to keep up with the increasing demand at the same time staying profitable and not locking yourself into a single platform vendor.

This is when open source projects can play very important role to bridge the gap. Announced at the event the project typhoonae is an open source implementation of Google AppEngine API that can run in any virtual environment. Its flexible architecture let’s you plug in any NoSQL database as a storage backend while making transparent the migration from Google AppEngine PaaS to your choice of IaaS. So, if down the road you’ve learned that for your type of application immediate data consistency can be traded off in favor of constant data availability you could easily switch from say Google Big Table to Cassandra or MongoDB running in Amazon EC2.

Apparently, over the course of the next couple of years we’ll continue seeing the convergence of IaaS and PaaS . For cloud providers this is the only viable way to provide a rapid development platform for highly available, massive data processing applications and cut the cost of on premise applications migration. What an interesting age we’re living in!

Have you ever questioned yourself why you have to check for critical events by yourself instead of having the product do that for your and only interfere with your other business when your attention is really required?

I did and so did quite a few of you according to the feedback you’ve been generously sharing with this. So I’m pleased to tell you that you’ve been heard!

During last couple of weeks we made a couple of exiting feature updates for you.

Now every time you log into the event log management service you can start with any of the pre-defined searches which we put for all service users or you happened to craft by yourself some time ago and found helpful enough for ongoing use.  You can customize any of the pre-defined searches down the road by adding column filters, adjusting the search criteria and changing the set of fields being displayed in the results view. Finally found a needle in the haystack and want to save the time you spent on building the resulting query? Just add your search to the favorites and start with it next time.

Check out a set of the canned searches we provide for you today and tell us what’s missing!

Favorite searches is not just a shortcut to start an investigation. Any saved search can now be run in real time against every new event that is collected from your entire network. All events matching the search criteria that you defined in your alert-enabled searches will be immediately sent to the specified email address. Don’t want to be spammed by notifications? Subscribe do hourly or daily digests with a full list of critical events.

See the nice and concise video on the Dmitry’s blog that  clearly shows how easy setting up alerts really is

So, now OnDemand Log Management can be used in entirely unattended mode. If you don’t have much time to do daily analysis right in the service UI then just set up alerts and get back to your business – the service will take care of all the important things happening in your network.

It’s nice to see how the cloud based event log management service is becoming a neat operation tool. Indeed alert enabled searches set you up for monitoring of security incidents and operational issues.  And the same searches can be later used to find the root cause of the issue by looking up events that preceded it.

See another video that shows how OnDemand Log Management can help you track and investigate one of the most distracting operational issues these days – service account lockouts.

Stay tuned.

Provide thorough and fair feedback about any of the OnDemand products and you’ll participate in a draw to win one of the 2 iPads!

I think that I’ll share one hint with you here – your chances will double if you provide feedback about both of the OnDemand services: OnDemand Recovery for AD and OnDemand Log Management.

Feel free to provide any likes and dislikes about OnDemand and we won’t make you wait for too long until your feedback find its way into the product.

There are many ways people search data today. The main factor that influence our search behavior is the nature of the actual data being searched. If data is unstructured (e.g. web pages, text documents) then full text search becomes your savior. For structured data (Windows events, database records, spreadsheets) it makes much more sense to search by specific parts of the composite record.

In OnDemand Log Management we decided to combine the best of the both worlds. You have the power of Google like search language coupled with familiar Excel like column based filtering.

One search tool nicely complements the other – start off by putting any word or phrase you’re looking for in the query box, get the initial results and narrow them down by putting additional criteria in the column filters. For example start your search with “logons”, then pick up the EventID field into the events grid and put in only the eventids of logon events you’re really interested in. Don’t know what eventids to look for?  Find it out in our online event encyclopedia. Shrink the results further down by putting in the logon name of the user the logon events should be attributed to.

The syntax of the query language we came up with highly resembles that of Google or Windows 7 desktop search. We don’t want you to climb a huge learning curve of mastering yet another query language. Instead we want you to leverage your existing search skills you arguably apply every day. Today the language syntax can accommodate both plain words and phrases that can be found anywhere in the event and queries tied to particular fields that can be distinguished in the event. You can construct complex search criteria by stitching the simple parts together with the logical operators like AND and OR. You can also use wildcards to search by a substring that you can only remember (e.g. first N characters of the user name). The full language description along with the sample queries can be found in our online Help.

Of course, this is not where we’re going to stop. We hope that the first version of our query language will help you jump started with constructing basic event queries not requiring you to spend a lot of learning time beforehand. Meanwhile we’ll be sophisticating the language to let you do more with your event data both already collected and yet to come.

Tell us what you can and can not do with the search tools we put in your hands today! Spend two minutes of your time to vote for existing or submit new product improvement ideas by using this feedback widget that you can find on the left hand side of the product UI