Archive for the ‘OLM Feature Update’ Category

OnDemand Log Management: Now supporting syslog, agent less collection and more

August 25, 2011

OnDemand Log Management gets exciting new features that help you comply with IT regulations, stay on top of changes to critical IT resources and detect and react to security issues. Continue here.

A better way to do custom reporting

December 23, 2010

As the year wraps up and the Christmas Eve rapidly approaches we’re making some exciting updates to the OnDemand Log Management we want you to hear about.

We’re pleased to offer a brand new custom reporting functionality that not only allows you to run any of the pre-defined reports but also build your own with the same ease.

The new export to PDF feature came to replace the old way of reporting that is now gone as is the Reports tab where you’d previously find it. Check out this short video that shows the new and straightforward process of building custom reports based on favorite searches. Now it literally takes the same amount of time as the video runs.

Wait, we’ve got some more news for you.

If you take a closer look to the home page of the product you’ll notice that it now contains another chart which lets you quickly assess the state of alerts you configured for your environment. Here is the sample screenshot of the Top Alerts chart:

Lucky owners of the commercial service subscription get another handy tool. With a help of Events by Time chart you can do basic trend analysis and watch for unusual event peaks. Here is a sample of this chart as well.

Both new charts have interactive features and drill down capability which instantly sets you up for further investigation.

We look forward to continuing expanding the product feature set throughout the next year.

Happy holidays!

Extended Auditing for Active Directory and File Servers now available in OnDemand Log Management

December 3, 2010

I’m sure many of IT admins happened to have this poor feeling when they couldn’t get from the logs a piece of information they were looking for. Partly because they didn’t have an appropriate log management tool in place. Partly because the logs themselves didn’t provide the level of details admins expected them to provide. It becomes especially frustrating in the change management world. If logs you rely on can’t give a full picture of the change that was made in the past how can you conduct a thorough change review to make sure that every change is made for a reason and according to your security policies?

Quite a few of the early adopters of OnDemand Log Management echoed this concern. As you know we’ve been listening to your feedback very carefully so we addressed this concern with the recent introduction of the so called Extended Auditing for Active Directory and File Servers. It’s Extended Auditing because it provides additional level of details compared to what you can extract from the native operating system or application logs.

Extended Auditing is instantly available to all of existing and yet to come customers of OnDemand Log Management. It is activated in the agent installation wizard by selecting Extended Auditing option as shown below. Just keep in mind that these options will only show up when you’re installing the agent to the server OS holding the corresponding server role: Active Directory server or file server.

Once you’ve let the agent capture first changes to your Active Directory objects or files and directories you can instantly view them by using one of the predefined searches that end with (Extended Auditing)

In this post I’m going to go through top 5 reasons why Extended Auditing gives you additional piece of mind from the change management standpoint. So, here they go

1. Capturing originator’s IP address

Unlike with Object Access events from the native Security log with Extended Auditing you can trace all changes down to a workstation from which the change originated. So, if multiple people in your organization use the same administrative account to perform their duty you could possibly distinguish between them by looking up the IP address they used.

2. Full Active Directory change auditing down to the attribute level with before and after values

As the screenshot above shows for each change being made to Active Directory Extended Auditing scrupulously seizes all the details including the object attribute and more importantly the before and after values.  Not only you can replay a sequence of changes made to Active Directory within a specified time period but also roll them back if they deem inappropriate. Unlike with the native Windows auditing subsystem there is no need to go through a time consuming process of setting up the auditing configuration. Once Extended Auditing for Active Directory is enabled it immediately starts intercepting changes and change attempts to all objects in Active Directory.

3. Group Policy settings change auditing

The only indication of changes ever made to Group Policy configuration that can be found in the native Security log is an event like this below. Unfortunately, no way it’d tell you whether this change concerned one of the security policies like Account Lockout Policy or it just targeted one of the application configuration settings.

Compare this to the event you’d get with a help of Extended Auditing in OnDemand Log Management. In addition to the name of the Group Policy object you would easily see both the name of the affected setting and its before and values!

4. Detailed permission change tracking

Those of you that can’t read with naked eye a lengthy sequence of hexadecimal numbers will have no clue who actually was granted or revoked what permissions to a file or Active Directory object. Simply because this is how Windows stores permissions in the object’s security descriptor and native event logs don’t bother decrypting this format.

Extended Auditing makes things a way easier by breaking each permission change down into a series of events in which you can clearly see what user or group was granted or revoked which permission to the file or Active Directory object in question.

5. Accurate file and share access auditing

As you know due to the implementation details of the Windows auditing subsystem the accuracy of file access audit events really depends on how well behaved the application that works with those files is. It can turn into a real mess when a lot of file activity happens behind the scenes which is the case with Microsoft Word.

Extended Auditing for File Servers brings that mess in order. However complex the underlying file manipulations are it will always capture the real operations performed on a file, directory or share. So instead of having to guess whether this file open event actually resulted in a subsequent file write or not you’ll know for sure when the file was changed, deleted or moved.

And for every file access event you’ll get the entire picture including the file operation, the name and IP of the user who made the change and the application executable that carried out the request on the user’s behalf.

As you might guess there are many other cases where Extended Auditing does a much better job capturing every single aspect of a change being made to files, folders, shares and Active Directory objects. And the best way to feel it is to give it a free try by yourself.

With the help of Extended Auditing you can bring change management processes to an absolutely new level where tight and all encompassing control of changes becomes a reality.

OnDemand Log Management feature update in September

September 30, 2010

In this edition of the OnDemand Log Management new features review I’m going to familiarize yourself with the exciting changes we made to the core function of the product recently – events search.

There are many ways people search data today. The main factor that influence our search behavior is the nature of the actual data being searched. If data is unstructured (e.g. web pages, text documents) then full text search becomes your savior. For structured data (Windows events, database records, spreadsheets) it makes much more sense to search by specific parts of the composite record.

In OnDemand Log Management we decided to combine the best of the both worlds. You have the power of Google like search language coupled with familiar Excel like column based filtering.

One search tool nicely complements the other – start off by putting any word or phrase you’re looking for in the query box, get the initial results and narrow them down by putting additional criteria in the column filters. For example start your search with “logons”, then pick up the EventID field into the events grid and put in only the eventids of logon events you’re really interested in. Don’t know what eventids to look for?  Find it out in our online event encyclopedia. Shrink the results further down by putting in the logon name of the user the logon events should be attributed to.

The syntax of the query language we came up with highly resembles that of Google or Windows 7 desktop search. We don’t want you to climb a huge learning curve of mastering yet another query language. Instead we want you to leverage your existing search skills you arguably apply every day. Today the language syntax can accommodate both plain words and phrases that can be found anywhere in the event and queries tied to particular fields that can be distinguished in the event. You can construct complex search criteria by stitching the simple parts together with the logical operators like AND and OR. You can also use wildcards to search by a substring that you can only remember (e.g. first N characters of the user name). The full language description along with the sample queries can be found in our online Help.

Of course, this is not where we’re going to stop. We hope that the first version of our query language will help you jump started with constructing basic event queries not requiring you to spend a lot of learning time beforehand. Meanwhile we’ll be sophisticating the language to let you do more with your event data both already collected and yet to come.

Tell us what you can and can not do with the search tools we put in your hands today! Spend two minutes of your time to vote for existing or submit new product improvement ideas by using this feedback widget that you can find on the left hand side of the product UI

OnDemand Log Management feature update in July

July 26, 2010

It’s been over a month since we’ve been exploring a new cloud venue with our SaaS products.  One of the exiting changes that we couldn’t help noticing is how frequently we get to update our products with new features. I’m sure this is one of the sweetest things our customers continue enjoying in the cloud thanks to absolutely zero effort product upgrade. Indeed, all new features appear instantly  next time you launch your favorite browser. No annoying compatibility issues, no lengthy software assurance testing before rolling out to production, no manual reconfiguration – it’s all been taken care of for you!

With this post I decided to start broadcasting updates to features of the SaaS product I’ve been working on – Quest OnDemand Log Management. During the last couple of weeks the event log management service received the following improvements:

  1. Face lift. The service got the whole new design that is consistent across entire line of OnDemand products. I personally find the new design more polished and ergonomic than the previous one. You just go ahead and log into the product to check it out and let us know what you think about it. If you haven’t yet signed up for the service you can do that here
  2. Field picker. Now you’re free to choose a set of event fields being displayed in your search results.
    If you haven’t dealt with the event logs much and all you need to know is “who did what” in your environment then just stick with the default selection of W5 fields (Who, What, Where, When, Where From).
    If you mastered Windows Security log and feel a need to see events as they originally appear in the event log then just pull native event fields into the view: EventId, Source, Category, User, Computer, etc.
    Whatever event fields you choose they all participate in any searches you run.
  3. New reports. You can find a wider selection of pre-defined reports on Security Log events.  Moreover, happy customers of Quest Change Auditor can take full advantage of the event log management in the cloud which now includes support for Change Auditor product logs and reports.
  4. Faster event processing. Some tweaks were made to the event queue processing components living in the cloud.  Optimizations made to event metadata processing algorithm resulted in significant performance gain and warranted better service scalability in the long run.

These are just the most notable changes recently made to the product. The list goes on with numerous fixes and optimizations of the service being constantly made. And all this is provided for free with your existing service subscription.

There is more to come soon.