OnDemand Log Management gets exciting new features that help you comply with IT regulations, stay on top of changes to critical IT resources and detect and react to security issues. Continue here.
Posts Tagged ‘ondemand log management’
Stay on top of security issues with OnDemand Log Management
January 27, 2011You tell me how important it is to keep a close eye on the Holy Grail of most IT environments today – Microsoft Active Directory. No one else can solve this pain for you in a more elegant way than OnDemand Log Management with its extended auditing capability which covers Active Directory and other IT infrastructure components.
In this short video watch how subscription bases OnDemand Log Management lets you:
- Easily set up comprehensive tracking of all changes made to Active Directory irregardless of the native auditing configuration
- Perform investigation of security issues by giving you tools to effectively search and analyze audit trails
- Take proactive measures to prevent security incidents from happening in the future
- Prepare evidence reports suitable for presenting to CSOs and external auditors
Want to conduct your own investigation now?
Sign up for a full functional trial and let us know how it goes.
Alexey
A better way to do custom reporting
December 23, 2010As the year wraps up and the Christmas Eve rapidly approaches we’re making some exciting updates to the OnDemand Log Management we want you to hear about.
We’re pleased to offer a brand new custom reporting functionality that not only allows you to run any of the pre-defined reports but also build your own with the same ease.
The new export to PDF feature came to replace the old way of reporting that is now gone as is the Reports tab where you’d previously find it. Check out this short video that shows the new and straightforward process of building custom reports based on favorite searches. Now it literally takes the same amount of time as the video runs.
Wait, we’ve got some more news for you.
If you take a closer look to the home page of the product you’ll notice that it now contains another chart which lets you quickly assess the state of alerts you configured for your environment. Here is the sample screenshot of the Top Alerts chart:
Lucky owners of the commercial service subscription get another handy tool. With a help of Events by Time chart you can do basic trend analysis and watch for unusual event peaks. Here is a sample of this chart as well.
Both new charts have interactive features and drill down capability which instantly sets you up for further investigation.
We look forward to continuing expanding the product feature set throughout the next year.
Happy holidays!
Extended Auditing for Active Directory and File Servers now available in OnDemand Log Management
December 3, 2010I’m sure many of IT admins happened to have this poor feeling when they couldn’t get from the logs a piece of information they were looking for. Partly because they didn’t have an appropriate log management tool in place. Partly because the logs themselves didn’t provide the level of details admins expected them to provide. It becomes especially frustrating in the change management world. If logs you rely on can’t give a full picture of the change that was made in the past how can you conduct a thorough change review to make sure that every change is made for a reason and according to your security policies?
Quite a few of the early adopters of OnDemand Log Management echoed this concern. As you know we’ve been listening to your feedback very carefully so we addressed this concern with the recent introduction of the so called Extended Auditing for Active Directory and File Servers. It’s Extended Auditing because it provides additional level of details compared to what you can extract from the native operating system or application logs.
Extended Auditing is instantly available to all of existing and yet to come customers of OnDemand Log Management. It is activated in the agent installation wizard by selecting Extended Auditing option as shown below. Just keep in mind that these options will only show up when you’re installing the agent to the server OS holding the corresponding server role: Active Directory server or file server.
Once you’ve let the agent capture first changes to your Active Directory objects or files and directories you can instantly view them by using one of the predefined searches that end with (Extended Auditing)
In this post I’m going to go through top 5 reasons why Extended Auditing gives you additional piece of mind from the change management standpoint. So, here they go
1. Capturing originator’s IP address
Unlike with Object Access events from the native Security log with Extended Auditing you can trace all changes down to a workstation from which the change originated. So, if multiple people in your organization use the same administrative account to perform their duty you could possibly distinguish between them by looking up the IP address they used.
2. Full Active Directory change auditing down to the attribute level with before and after values
As the screenshot above shows for each change being made to Active Directory Extended Auditing scrupulously seizes all the details including the object attribute and more importantly the before and after values. Not only you can replay a sequence of changes made to Active Directory within a specified time period but also roll them back if they deem inappropriate. Unlike with the native Windows auditing subsystem there is no need to go through a time consuming process of setting up the auditing configuration. Once Extended Auditing for Active Directory is enabled it immediately starts intercepting changes and change attempts to all objects in Active Directory.
3. Group Policy settings change auditing
The only indication of changes ever made to Group Policy configuration that can be found in the native Security log is an event like this below. Unfortunately, no way it’d tell you whether this change concerned one of the security policies like Account Lockout Policy or it just targeted one of the application configuration settings.
Compare this to the event you’d get with a help of Extended Auditing in OnDemand Log Management. In addition to the name of the Group Policy object you would easily see both the name of the affected setting and its before and values!
4. Detailed permission change tracking
Those of you that can’t read with naked eye a lengthy sequence of hexadecimal numbers will have no clue who actually was granted or revoked what permissions to a file or Active Directory object. Simply because this is how Windows stores permissions in the object’s security descriptor and native event logs don’t bother decrypting this format.
Extended Auditing makes things a way easier by breaking each permission change down into a series of events in which you can clearly see what user or group was granted or revoked which permission to the file or Active Directory object in question.
5. Accurate file and share access auditing
As you know due to the implementation details of the Windows auditing subsystem the accuracy of file access audit events really depends on how well behaved the application that works with those files is. It can turn into a real mess when a lot of file activity happens behind the scenes which is the case with Microsoft Word.
Extended Auditing for File Servers brings that mess in order. However complex the underlying file manipulations are it will always capture the real operations performed on a file, directory or share. So instead of having to guess whether this file open event actually resulted in a subsequent file write or not you’ll know for sure when the file was changed, deleted or moved.
And for every file access event you’ll get the entire picture including the file operation, the name and IP of the user who made the change and the application executable that carried out the request on the user’s behalf.
As you might guess there are many other cases where Extended Auditing does a much better job capturing every single aspect of a change being made to files, folders, shares and Active Directory objects. And the best way to feel it is to give it a free try by yourself.
With the help of Extended Auditing you can bring change management processes to an absolutely new level where tight and all encompassing control of changes becomes a reality.
Get critical events in real time to your inbox
October 21, 2010Have you ever caught yourself thinking that you don’t actually know what you should be searching for when you are on the Search tab of the nice and slick OnDemand Log Management UI?
Have you ever questioned yourself why you have to check for critical events by yourself instead of having the product do that for your and only interfere with your other business when your attention is really required?
I did and so did quite a few of you according to the feedback you’ve been generously sharing with this. So I’m pleased to tell you that you’ve been heard!
During last couple of weeks we made a couple of exiting feature updates for you.
Now every time you log into the event log management service you can start with any of the pre-defined searches which we put for all service users or you happened to craft by yourself some time ago and found helpful enough for ongoing use. You can customize any of the pre-defined searches down the road by adding column filters, adjusting the search criteria and changing the set of fields being displayed in the results view. Finally found a needle in the haystack and want to save the time you spent on building the resulting query? Just add your search to the favorites and start with it next time.
Check out a set of the canned searches we provide for you today and tell us what’s missing!
Favorite searches is not just a shortcut to start an investigation. Any saved search can now be run in real time against every new event that is collected from your entire network. All events matching the search criteria that you defined in your alert-enabled searches will be immediately sent to the specified email address. Don’t want to be spammed by notifications? Subscribe do hourly or daily digests with a full list of critical events.
See the nice and concise video on the Dmitry’s blog that clearly shows how easy setting up alerts really is
So, now OnDemand Log Management can be used in entirely unattended mode. If you don’t have much time to do daily analysis right in the service UI then just set up alerts and get back to your business – the service will take care of all the important things happening in your network.
It’s nice to see how the cloud based event log management service is becoming a neat operation tool. Indeed alert enabled searches set you up for monitoring of security incidents and operational issues. And the same searches can be later used to find the root cause of the issue by looking up events that preceded it.
See another video that shows how OnDemand Log Management can help you track and investigate one of the most distracting operational issues these days – service account lockouts.
Stay tuned.