Below is the list of blog post categories

If you are capturing Windows Event Logs on a large scale, you know that the more logs you collect, the more resources you need. Thus, the more expensive your SIEM becomes. The main issue is a large amount of the log data you are sending to your SIEM contains no valuable information. This means you waste a sizable portion of your cost on what the industry calls “log noise”.

There are several reasons you might want to start a particular NXLog module with a delay. You can think of it like delaying the start of a Windows service. In most cases, you need to do this for performance reasons. But there might be other scenarios where you would want to do this, such as collecting logs during a specific time frame. If you have, for example, a less critical module block, you can prioritize the more important one by delaying the less important one.

This post is the first in a series of answers to questions that our customers asked. Clarifying EPS EPS stands for Events Per Second and is considered a standard for measuring the speed of event processing. More precisely, it tells how many events can flow through a particular system in a second. In our case, the number relates to how many events NXLog receives, handles, and outputs in one second.

NXLog supports filtering, enriching, and forwarding logs directly to Splunk Enterprise for further analysis. If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the necessary information to take the next step toward a better log collection strategy. NXLog and Splunk Universal Forwarder feature comparison Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them.

How does NXLog Enterprise Edition compare to the IBM QRadar WinCollect event forwarder? IBM QRadar SIEM collects, processes, and aggregates log data to provide real-time monitoring and automated response to network threats. With its powerful correlation engine and specialized modules for risk and vulnerability management, it is no surprise that it is among the highest-rated tools on Gartner Peer Insights. To get the best out of a platform like IBM QRadar, you need to ensure that you send the proper amount of data in a format that it can process efficiently.

If you are reading this, then it is safe to say that you are now part of the NXLog community. In other words, you are ready to dive into the world of log collection. Excellent. You have made a great choice. However, before you start collecting logs you should know just how your NXLog log collection tool works. The NXLog log collection tool uses loadable modules that are invoked within the input, data modification, and output stages.

How does NXLog CE and EE compare to the Snare Enterprise Agent? If you are reading this article, you may either be looking for a new log collection agent solution or seeking to replace and improve an existing deployment. This article provides information based on some fairly common questions from those who have migrated from Snare to NXLog. Feature Comparison There are multiple choices of log collection agents available on the market, some are free and have paid versions that come with official support.

One of the harder decisions revolve around implementing agent-based vs agentless log collection. This post covers the two methods - their advantages and disadvantages - and provides some quick and actionable implementation notes. Why does log collection agent choice matter? When deploying a log collection strategy, administrators usually tend to zone in on already selected solutions that answers fundamental questions, such as "Will this solution collect and ship these types of log sources?

Raijin has announced the release of version 2.0 of its powerful, schemaless SQL-like database engine. This version introduces several performance improvements. Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements. Enhanced table partitioning Table partitioning is a key factor in database management, improving query performance by only searching through relevant information and optimizing storage by efficiently pruning irrelevant content.

Raijin has announced the release of version 1.5 of its powerful, schemaless SQL-like database engine. This version introduces several performance improvements. Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements. Centralized storage for simpler management Until now, Raijin stored various stateful files in different locations across the system, requiring additional effort to keep track of that content. Raijin has now been refactored to use /data as the base directory.

It’s finally the holiday season, and we’re down to a skeleton staff here at NXLog. It’s nearly time for us to shut down our laptops, pick up a cup of hot chocolate (or mulled wine if we’re lucky), and get ready for a week or so of reading, relaxing, opening presents, perhaps coping with distant relatives, and all-around merry-making over the holiday period. So we hope you’ll forgive us if we keep this recap of 2023 succinct.

We are excited to announce the release of NXLog Enterprise Edition 5.10. This latest version addresses over twenty important issues - the two most significant are mentioned in this announcement - and introduces two features backported from NXLog Enterprise Edition 6. Key enhancements in NXLog Enterprise Edition 5.10 ElasticSearch integration NXLog Enterprise Edition 5.10 now allows ElasticSearch users to send data as a stream. This feature enables the storage of events in an append-only, single-named manner, enhancing data management and retrieval efficiency.

Raijin has announced the release of version 1.4 of its powerful, schemaless SQL-like database engine. This version introduces new functionality for managing users and views, among several fixes and performance improvements. Read on for the highlights and check out the Raijin release notes for a complete list of the features and improvements. Improved user management This release builds on the previous one to provide better user management and auditing. With the SHOW USERS command, you can now retrieve a list of your Raijin users and their authentication type.

We proudly announce the latest release of NXLog Enterprise Edition, version 6.2. This release adds some new features and includes bug fixes and stability enhancements. File and folder symlink support In this release, the primary focus was on adding uniform support for file and folder symlinks. The new development affects the im_file and im_fim modules when collecting logs from files, and when using File Integrity Monitoring. The new feature is available to use with the newly introduced directive FollowSymlink.

We are pleased to announce the latest release of NXLog Manager, version 5.7. This release addresses several CVE issues, adds support for NXLog’s Microsoft Azure modules, and provides an updated Docker image. Read on to find out more about these new features. A more secure NXLog Manager This version addresses multiple known Common Vulnerabilities and Exposures (CVE), reducing the attack surface in our customers' systems. See the release notes for a complete list of corrected CVEs.

We proudly announce the latest release of NXLog Enterprise Edition, version 6.1. This release adds new features to our Google Chronicle and Kafka output modules to provide more flexible configuration, introduces support for certificates with TPM-attested keys, and implements enhancements to our HTTP input module. Read on to find out more about these new features. More flexibility for your Google Chronicle integration We continue to build up our Google Chronicle output module with new functionality to give you more flexibility and control over your data.

Raijin has announced the release of version 1.3 of its powerful, schemaless SQL-like database engine. This version implements user authentication and permissions and focuses on enhancing performance and robustness. New user authentication and permissions This release introduces certificate and password-based user authentication and granular user permissions. You can grant permissions at the database or table level with support for the following privileges: ALL PRIVILEGE (superuser) CREATE SELECT INSERT DROP

We proudly announce the latest release of NXLog Enterprise Edition, version 6.0. This major release includes new NXLog language data types, additional TCP and HTTP configuration options, and enhancements to our Elasticsearch and remote administration modules. It will help you improve data integration and handling, enhance manageability, and increase cost efficiency. Empower your data integration with new "Array" and "Hash" data types As the NXLog configuration language now supports compound values with Array and Hash data types, you can enhance data integrity and coherence.

Raijin has announced the release of version 1.2 of its powerful, schemaless SQL-like database engine. This version introduces significant performance improvements and usability enhancements. Faster data ingestion and query performance This release optimizes data ingestion by introducing partial parallelization. Raijin Database now parses and inserts batches of data simultaneously, resulting in up to 15% faster ingestion. The team also addressed bottlenecks in the SELECT and COPY statements and implemented several optimizations to improve overall query performance.

We are proud to announce the latest release of NXLog Enterprise Edition, version 5.9. This release focuses on bringing you new supported platforms and configuration options. Read on to find out more about some of these new features. Added protocols to network packet capture information Our administrative module (xm_admin) now returns a list of protocols configured in a packet capture (im_pcap) instance when you request server or module information. This allows you to track, count, and report on the network protocols you are monitoring.

Raijin has announced the release of version 1.1 of its powerful, schemaless SQL-like database engine. Many new features have been added to version 1.1. Let’s take a look at the highlights. Prometheus exporter improvements Introduced disk usage statistics - Disk usage statistics about free space availability and file system size were introduced. Introduced query statistics - Event and query statistics were introduced in the Prometheus exporter. The following statistics can be queried:

We are proud to announce the latest release of NXLog Enterprise Edition, version 5.8. Our newest release includes new modules, better integrations, and additional metrics to collect across your organization. Read on to find out more about some of these new features. Native Salesforce module We’ve built a new native module (im_salesforce) for ingesting logs from Salesforce. With this, you no longer have to run an external Python-based Add-On script.

We’re glad to announce the latest release of NXLog Community Edition. This release mainly fixes an issue where the file_name() function returns an unknown error. We’ve also stopped officially supporting the Android mobile operating system. Get in touch with our team if you have any questions, or request a free trial of our flagship log collection solution, NXLog Enterprise Edition, below. GET STARTED TODAY: CONTACT US Our experts are happy to help REQUEST A FREE TRIAL Give NXLog Enterprise Edition a try GET PRICING Request a quote NXLog Ltd.

Raijin has announced the release of version 1.0 of its powerful schemaless SQL database engine, furthering its goal of "solving schema rigidity" in modern databases. Many new features have been added to this version 1.0 milestone release. Let’s take a look at some of the headline features. The power of SQL without the drawbacks SQL has been the titan of database query languages for decades, and it is still ubiquitous the world over.

A round-up of some of our favorite social media chatter about NXLog this month. Tecmint: Most notable open source log collection tools - NXLog features on the list of top centralized log collection tools Blumira: Windows Firewall with GPOs - NXLog is recommended to be used in managing the Windows Firewall with GPOs NSTEC: Exploring the benefits of SCEP - NXLog is recommended for collecting logs for System Center Endpoint Protection

New year, new NXLog Enterprise Edition. Our developers have been hard at work throughout the holiday season to release the latest version of our flagship log collection solution. We are proud to announce NXLog Enterprise Edition 5.7, which includes bug fixes, security updates, and, of course, many new features. Read on to find out more about some of these new features. Native support for Google Cloud Logging, Amazon S3, and Microsoft 365 Google Cloud Logging, Amazon S3, and Microsoft 365 integrations were already available as Add-Ons to NXLog Enterprise Edition.

We’ve come to the end of 2022, and what a year it’s been. It was a year marked by war, economic toil, and addressing the aftermath of the Covid-19 pandemic. Europe was immediately thrust into crisis in February when the Russia-Ukraine War began. Unfortunately, as an Eastern European-based company, many of our colleagues were directly affected by it. Then, more recently and in the United States especially, many tech companies began restructuring their organizations to deal with the looming economic problems that are forecast.

We are delighted to announce that with the release of NXLog Enterprise Edition 5.5, NXLog provides native support for sending log data to the Google Chronicle threat intelligence platform. About Google Chronicle Google Chronicle is a cloud-native SIEM service provided on the Google Cloud Platform. It allows organizations to normalize, correlate, and analyze their logging data. Chronicle makes threat hunting easy by empowering security experts to investigate logs allowing them to take a holistic approach to threat detection.

Last month saw the release of NXLog Community Edition version 3.0. One of the major new features in this release is the added support for sending log data to Raijin Database. This feature opens up exciting possibilities for implementing a custom centralized log collection and storage solution. What is Raijin Database? Raijin Database is a free-of-charge schemaless database engine explicitly designed to store data for analytics efficiently. The fact that it does not require you to define a schema up-front makes it well suited for storing event logs from diverse sources containing different types of information in a structured format.

On the 18th of March, we noticed some unusual activity on one of our servers we use for build automation. Further investigation revealed that an outside party had deployed a Monero miner. The server was immediately taken offline. There was no customer data stored on the server and we have since replaced all our private keys and secrets that might have been potentially compromised. After careful and thorough investigation of the incident, we decided to publish this announcement and share this news with our customers and users, hoping that it might serve as a lesson for others.

The European Union’s General Data Protection Regulation (EU GDPR) came into force on 25 May 2018. Many of us remember the influx of marketing emails around this time, with companies updating their privacy policies and asking for the consent of around 450 million Europeans to continue using their personal data. An often misunderstood participant of this compliance quest is log data—​a source potentially rich in protected personal data. So, how does the GDPR apply to an organization’s log data?

NXLog supports filtering, enriching, and forwarding logs directly to Splunk Enterprise for further analysis. If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the necessary information to take the next step toward a better log collection strategy. NXLog and Splunk Universal Forwarder feature comparison Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them.

syslog-ng and NXLog are both powerful log collectors providing flexible log processing. However, you might be in a position where you need to switch from syslog-ng to NXLog. Whether it’s because syslog-ng doesn’t support an operating system or you want to upgrade your log collection solution to one that can be centrally managed, converting your syslog-ng configuration to NXLog is a simple task. How do syslog-ng and NXLog differ? syslog-ng and NXLog are alike in many ways.

Log collection is most closely linked to enterprise security practices—​for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention. Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.

One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems. WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:

How does NXLog Enterprise Edition compare to the IBM QRadar WinCollect event forwarder? IBM QRadar SIEM collects, processes, and aggregates log data to provide real-time monitoring and automated response to network threats. With its powerful correlation engine and specialized modules for risk and vulnerability management, it is no surprise that it is among the highest-rated tools on Gartner Peer Insights. To get the best out of a platform like IBM QRadar, you need to ensure that you send the proper amount of data in a format that it can process efficiently.

How does NXLog CE and EE compare to the Snare Enterprise Agent? If you are reading this article, you may either be looking for a new log collection agent solution or seeking to replace and improve an existing deployment. This article provides information based on some fairly common questions from those who have migrated from Snare to NXLog. Feature Comparison There are multiple choices of log collection agents available on the market, some are free and have paid versions that come with official support.

On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) officially released Cybersecurity Framework (CSF) 2.0. This release has had the most significant changes since its inception in 2014. Let’s quickly walk through the updates it brought and how log collection supports the functions of the renewed framework. What is NIST CSF The U.S. NIST Cybersecurity Framework is one of the most widely used security frameworks (with ISO27001, CIS, and others), helping organizations estimate, manage, and reduce their cybersecurity risks.

The U.S. Federal Trade Commission (FTC) approved amendments to its Safeguards Rule that require FTC-regulated non-banking financial institutions to report data breaches and other security events directly to the FTC. It was originally proposed to add a breach notification requirement back in late 2021. The rule requires financial institutions to report “notification events” to the FTC within 30 days of discovery of the notification event where the private information of 500+ consumers is involved.

It was late March 2021 when a phishing email was sent to a network administrator of TTEC Healthcare Solutions, Inc. (TTEC HS) - an integrated healthcare CX solutions provider - and a threat actor gained highly privileged access to the network. On September 12, 2021, a common ransomware scenario was triggered, with approximately 1,800 devices compromised via the access channel obtained almost 5 months earlier. Prior to executing the ransomware attack, the threat actor successfully exfiltrated data from the TTEC HS network, containing non-public information (NPI) of current and former employees of TTEC HS, and for individuals who were insured by one of TTEC HS’s clients, including, importantly, some New York residents.

Historically, seaports have played a crucial role in a state’s development, and interruption in their services has a significant impact on economics. So, it’s no surprise commercial ports are regarded as a critical transport infrastructure. One of the most significant challenges ports face today is ongoing digital transformation. The majority of tasks carried out across a port utilize autonomous and partially automated systems, including those for managing port access, vessel berthing (bridges, locks, gates, etc.

SOX - an overview Serious financial fraud was never considered a real risk while investing in U.S.-listed stocks until 2001, when energy giant Enron Corporation, which held $63.4 billion in assets, collapsed. It was revealed that the company had been misleading investors for years and the company’s stock price quickly plummeted from $90 to less than $1 per share. It was the largest bankruptcy in US history, followed by a $40 billion lawsuit and imprisonment for the corporation’s executives.

What is PCI DSS? PCI DSS, or Payment Card Industry Data Security Standard, is a collection of security requirements developed by major credit card companies to safeguard merchants who accept credit card payments by ensuring they provide a secure environment. The standard includes provisions for data protection, network security, and security management, among other things. Organizations that process credit card transactions are required to comply with these standards. Who needs to be PCI DSS compliant?

So, it happened again. You got an internal audit finding or a regulatory notice. Or you just had a nagging feeling and found customer data somewhere it shouldn’t have been. Morale sinks. Are you forced to choose between serving your customers and addressing compliance weaknesses? Nobody said IT Compliance was easy. But don’t sign up to do any more work than is necessary. Use Frameworks to identify the activities, like logging, that demonstrate compliance for multiple domains and get the absolute best coverage without extra work.

Compliance mandates are frameworks that organizations must implement to meet industry regulations. Some of these mandates provide guidelines and best practices, while others may be tied to legislation. With the constant and rapid changes in technology, ensuring that your organization adheres to the relevant regulations is an ongoing process. So why should you comply? Simply put, not complying might cost you more than implementing processes to meet regulatory requirements. By not complying, you might be violating the law, and in case of a data breach, you may face litigation from affected parties.

If you are reading this, then it is safe to say that you are now part of the NXLog community. In other words, you are ready to dive into the world of log collection. Excellent. You have made a great choice. However, before you start collecting logs you should know just how your NXLog log collection tool works. The NXLog log collection tool uses loadable modules that are invoked within the input, data modification, and output stages.

Kubernetes is nowadays the de facto standard for the deployment and management of containerized applications. A Kubernetes deployment may contain hundreds, if not thousands, of nodes and pods. As with any other system, collecting logs from your Kubernetes environment is imperative to monitor the health of your cluster and to troubleshoot issues when they arise. In this post we will explore the logging challenges that Kubernetes poses, and how NXLog can be a key player in your logging solution.

Applications are getting more and more complex. The demand to develop them faster is ever-increasing. This puts stress on organizations’ processes, infrastructure, and the IT teams that support them. Modern Container technology helps to alleviate issues faster across multiple environments. Linux containers are another evolutionary leap in how applications are developed, deployed, and managed. These containers are based on stable Red Hat Enterprise Linux images that have no adverse effects on your current IT infrastructure.

Log collection is most closely linked to enterprise security practices—​for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention. Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.

The NXLog team is constantly improving the quality of NXLog Enterprise Edition and will soon introduce a new major release - NXLog Enterprise Edition 6.0. This release will bring a large number of changes and it is important to correctly adapt your current configuration when upgrading your system. Warning We strongly recommend testing NXLog Enterprise Edition 6.0 operation on a smaller set of devices before commiting to a full-scale upgrade of your complete system.

Windows DNS Server log collection is essential yet complex, primarily because Windows DNS Server provides logs in various places in different forms containing a vast amount of information. Nevertheless, we all know that DNS Server log collection is paramount in IT security. Getting it right can be challenging. The Windows DNS Server section in the NXLog user guide offers a comprehensive guide on collecting log records from a Windows DNS Server.

syslog-ng and NXLog are both powerful log collectors providing flexible log processing. However, you might be in a position where you need to switch from syslog-ng to NXLog. Whether it’s because syslog-ng doesn’t support an operating system or you want to upgrade your log collection solution to one that can be centrally managed, converting your syslog-ng configuration to NXLog is a simple task. How do syslog-ng and NXLog differ? syslog-ng and NXLog are alike in many ways.

Log collection is most closely linked to enterprise security practices—​for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention. Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.

Puppet Bolt is an open-source orchestration tool that automates the manual configuration and management of your infrastructure. In this post, we will look at how you can create your Puppet Bolt project directory, your inventory YAML file, and finally, your Puppet Bolt Plan to deploy NXLog on a variety of Operating Systems. Why use Puppet Bolt to deploy NXLog? Apart from the usual tasks of updating software packages, configuring web servers and databases, the need for constant logging has become extremely important, and a de facto necessity nowadays.

Ansible has become an industry standard when it comes to configuring and managing servers. As a configuration management tool, it carries the burden of simplifying system administration tasks, such as installing and updating software packages, and infrastructure provisioning. In this post, we will create an Ansible playbook that will enable us to automate the installation and configuration of NXLog across multiple endpoints. Whether you need only a single endpoint today or thousands of endpoints next week, Ansible will do the heavy lifting for you.

If you are reading this, then it is safe to say that you are now part of the NXLog community. In other words, you are ready to dive into the world of log collection. Excellent. You have made a great choice. However, before you start collecting logs you should know just how your NXLog log collection tool works. The NXLog log collection tool uses loadable modules that are invoked within the input, data modification, and output stages.

One of the harder decisions revolve around implementing agent-based vs agentless log collection. This post covers the two methods - their advantages and disadvantages - and provides some quick and actionable implementation notes. Why does log collection agent choice matter? When deploying a log collection strategy, administrators usually tend to zone in on already selected solutions that answers fundamental questions, such as "Will this solution collect and ship these types of log sources?

The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging. Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.

DNS Log Collection and Parsing DNS log collection and parsing should be part of the log collection strategy of every modern IT infrastructure. There are numerous reasons why you should be concerned enough to collect as well as parse the DNS logs collected, some of which include: Operations and Support Parsing DNS server logs can be used to track active DNS clients, while parsing complex and noisy logs can be helpful in troubleshooting support issues.

Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them. DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform. While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.

Be sure to read Part 1 and Part 2 of our series in case you missed them. DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.

Features of NXLog Enterprise Edition you must have So, it turns out that your organization needs a reliable solution that can collect, parse, forward, and aggregate your log data. This need might be based on any number of reasons. Perhaps it is due to regulatory compliance mandates. Maybe your security analysts have realized that collecting security logs is the best way to detect potential cyber attacks. These are all valid reasons.

About File Integrity Monitoring (FIM) File integrity monitoring is implemented as a detection mechanism to monitor changes to important files and folders. File integrity monitoring is largely used as a security measure for detection and for meeting obligations such as compliance. By using file integrity monitoring, better control measures can be taken due to being able to track and provide data for alerts of activities on assets that are being monitored, such as potential unauthorized changes.

Industrial Control Systems (ICS) have evolved over the years and now have a lot in common with traditional IT systems. Low-cost Ethernet and IP devices are replacing older, proprietary technology, which opens up new possibilities to improve connectivity and remote access. However, it also increases vulnerability to cyberattacks and incidents since the system is no longer segregated. Due to the nature of ICS, they differ from other IT systems. A compromised system can cause severe damage to the environment, incur substantial financial and production losses, and negatively impact an entire nation.

Modbus is a simple and flexible protocol used by a wide variety of industrial and automation equipment. Its simplicity has made it attractive for many manufacturers, but it also poses a number of challenges in terms of security and traffic analysis. In this post, we’ll show you how to use NXLog to capture, process, and extract useful security information from Modbus traffic. What makes Modbus traffic analysis challenging? Modbus is a low-level protocol that effectively uses only two data types: bits (in the form of coils), and 16-bit words (in the form of registers), which are also the only form of data that can be natively addressed with most devices.

It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results. The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.

Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.

Applications are getting more and more complex. The demand to develop them faster is ever-increasing. This puts stress on organizations’ processes, infrastructure, and the IT teams that support them. Modern Container technology helps to alleviate issues faster across multiple environments. Linux containers are another evolutionary leap in how applications are developed, deployed, and managed. These containers are based on stable Red Hat Enterprise Linux images that have no adverse effects on your current IT infrastructure.

Be sure to read Part 1 and Part 2 of our series in case you missed them. DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.

DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised. You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.

File-based logs are where it all began. These logs can yield information of great value to security analysts and administrators alike. Armed with this information, IT professionals are better equipped to troubleshoot issues, evaluate system performance, identify bugs, and even detect security breaches. In today’s world, we tend to focus on the modern, integrated logging facilities like Microsoft’s Windows Event Log or Apple’s Unified Logging System (ULS). However, all the major operating systems still generate log files that may or may not be integrated into these logging facilities.

File-based logs are where it all began. These logs can yield information of great value to security analysts and administrators alike. Armed with this information, IT professionals are better equipped to troubleshoot issues, evaluate system performance, identify bugs, and even detect security breaches. In today’s world, we tend to focus on the modern, integrated logging facilities like Microsoft’s Windows Event Log or Apple’s Unified Logging System (ULS). However, all the major operating systems still generate log files that may or may not be integrated into these logging facilities.

Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.

Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.

The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging. Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.

It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results. The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.

Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.

DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised. You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.

Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.

Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them. DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform. While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.

Be sure to read Part 1 and Part 2 of our series in case you missed them. DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.

Last month saw the release of NXLog Community Edition version 3.0. One of the major new features in this release is the added support for sending log data to Raijin Database. This feature opens up exciting possibilities for implementing a custom centralized log collection and storage solution. What is Raijin Database? Raijin Database is a free-of-charge schemaless database engine explicitly designed to store data for analytics efficiently. The fact that it does not require you to define a schema up-front makes it well suited for storing event logs from diverse sources containing different types of information in a structured format.

In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools. A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.

I always wondered what happens to our software when a company purchases it. Okay, I know they will install it and use it. But where do they install it? On what kind of machines? In what kind of environment? And why is it important for them to collect and handle logs? The possibilities are endless. We have customers worldwide; from shoemakers to telecom companies, NXLog is everywhere. But where are the most remarkable places NXLog Enterprise Edition is employed?

European electric power system operators supply around 2800 TWh of electricity per year and manage around 10 million kilometers of power lines - more than ten round trips to the Moon. Such electric travel is impossible without electric substations, an essential component of a power grid. Its automation becomes ultimately digitalized, so requires proper monitoring both for operational and security purposes. Let’s take a look at how a unified log collection pipeline embeds into power automation systems and helps make sure the lights stay on.

Since the Wright brothers' first flight, the aviation industry has been advancing at an unprecedented rate. But it has always been a step behind other sectors in some areas, for safety and security reasons. Engineers are only allowed to apply well-matured technologies thoroughly trialed in different industries. Civil aviation, especially from the IT and IT security perspective, is a bit like Debian among the Linux operating systems. It does not always include all the latest inventions, but it aims to be safe and very stable in return.

The U.S. Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 to protect the privacy and security of health information. It was one of the first sectoral security and privacy legislations in the United States. According to the Act, compliance guidelines had to be developed and regulated by the Secretary of the U.S. Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR) with voluntary compliance activities and civil money penalties.

The analysis of events produced by various systems and applications can offer insights into the infrastructure health and the operational resilience of an enterprise. From an Infosec perspective, the end-goals are: threat detection, forensics and remediation. However, we can’t query or analyse data that we haven’t collected in the first place! Before threat hunting and incident response are even possible, security events need to be collected from various sources, parsed, transformed, and then forwarded to data sinks such as security information and event managements (SIEM), security analytics platforms, cloud ecosystems and long term storage.

Anyone not living under a rock in the last 25 years knows that the US healthcare and health insurance industries are required to safeguard patient data under the Health Insurance Portability and Accountability Act (HIPAA). This includes anyone who deals with protected health information (PHI), such as healthcare providers, health plans, healthcare clearinghouses, and business associates like vendors, contractors, and subcontractors. It’s crucial to remain compliant, or else you could face some hefty fines and penalties allowable by the law.

In Feb 2021, a major cybersecurity incident was declared when a hacker gained malicious access to the water treatment system of Oldsmar, Florida. Officials said the hacker tried to increase the level of sodium hydroxide in the city’s water supply, putting thousands at risk of being poisoned. Fortunately, it was quickly confirmed that this potential terroristic act did not come to fruition. Two years later, we still have no details on the malicious actor.

Have you ever locked yourself out of your car? After calling for roadside service, your tow truck driver forces the internal locking mechanism open with a slim-jim. Car thieves quickly discovered this technique and began using it to steal cars. Digital thieves have devised a similar attack called a Blind Return-Oriented Programming (Blind ROP, or just BROP) attack. It’s as quiet as a jackhammer on cement, but an attacker can open a remote shell and gain remote code execution on your server if the conditions are right.

The three characteristics your data must possess at all times, as dictated by your IT Security Policy, are: It must be confidential It must be available and It must not have any unauthorized modifications Your log policy will only be as good as the IT Security policy infrastructure behind it. And as much as we love talking about logs, that’s part of a more considerable general discussion about security policies.

Log collection is essential to managing an IT department because it allows administrators to research historical events throughout a network. Therefore, it’s critical to understand a few key points about collecting logs; the why, and what. We’ll look at a few specific examples of collecting log events efficiently, like incorporating threat modeling to enhance our collection. Implementing log collection policies and procedures is as fun as watching anti-phishing videos. But at the end of the day, the effort put in at the beginning will be worth it.

With open war in Europe for the first time since 1945, nations across the continent have been busy shoring up their information security defenses. The European Union is stepping up to the plate, releasing a Cyber Defence Policy to, in its words, "boost EU cyber defence capabilities and strengthen coordination and cooperation between the military and civilian cyber communities." However, bolstering cyber defenses across a collection of countries, home to 450 million people and spanning four million square kilometers, is no easy feat.

Cybersecurity Awareness Month has come and gone again. October marks that festive time of year when companies circulate their mandatory think pieces, remind their employees of the dangers of clicking questionable links, and pat themselves on the back and call it a day. Here’s your friendly November reminder to keep your wits about you year-round. A (brief) history of Cybersecurity Awareness Month The Cybersecurity Awareness Month story began as a partnership between an American governmental agency—​the Cybersecurity and Infrastructure Agency (CISA)--and the National Cyber Security Alliance non-profit.

Industrial Control Systems (ICS) have evolved over the years and now have a lot in common with traditional IT systems. Low-cost Ethernet and IP devices are replacing older, proprietary technology, which opens up new possibilities to improve connectivity and remote access. However, it also increases vulnerability to cyberattacks and incidents since the system is no longer segregated. Due to the nature of ICS, they differ from other IT systems. A compromised system can cause severe damage to the environment, incur substantial financial and production losses, and negatively impact an entire nation.

NXLog is a versatile log collector that easily integrates with other software, platforms, and programming languages. Out-of-the-box it supports integration with many third-party solutions through its input, output, and extension modules. Moreover, extending NXLog with custom functionality is as easy as writing an application or script in your favorite programming language and loading it from the configuration. Email notifications of events indicating potential security breaches or severe application errors are a standard procedure for IT admins and DevOps engineers.

As a security administrator, you may be inclined to focus on the Windows Security log within Windows Event Log. You might even go as far as filtering for specific event IDs, such as EventID 4625 (failed logon request), while forgetting there is much more to security logging on Windows than this single log source. The consequence of this narrow field of view is that you are not benefitting from the valuable information that other Event IDs used for security audit policies can offer.

In light of recent news stories about possible cyberattacks on the U.S. power grid, we are inclined to ponder over precautions we can take to prepare for such a scenario. If you are in the public utilities industry, this blog post is for you. But, if you’re not, don’t worry. We will cover some basic principles you can follow to get your organization ready before such a cyberattack occurs.

The Apache Log4j vulnerability has attracted a lot of media attention as a result of recent security incidents that were reported by some organizations using versions 2.0-beta9 through 2.14.1. This security flaw has the potential to affect thousands of applications since some of the world’s largest databases rely on Log4j. Because so many organizations are affected, cybercriminals are actively exploiting this well-known vulnerability. Why is this so dangerous? In addition to the threat of malware and ransomware, hackers can also perform remote code execution due to the Log4j vulnerability.

DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised. You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.

Kubernetes is nowadays the de facto standard for the deployment and management of containerized applications. A Kubernetes deployment may contain hundreds, if not thousands, of nodes and pods. As with any other system, collecting logs from your Kubernetes environment is imperative to monitor the health of your cluster and to troubleshoot issues when they arise. In this post we will explore the logging challenges that Kubernetes poses, and how NXLog can be a key player in your logging solution.

File-based logs are where it all began. These logs can yield information of great value to security analysts and administrators alike. Armed with this information, IT professionals are better equipped to troubleshoot issues, evaluate system performance, identify bugs, and even detect security breaches. In today’s world, we tend to focus on the modern, integrated logging facilities like Microsoft’s Windows Event Log or Apple’s Unified Logging System (ULS). However, all the major operating systems still generate log files that may or may not be integrated into these logging facilities.

It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component. Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer.

The Domain Name System (DNS) facilitates communication between all devices connected to the Internet. It consists of hierarchical servers that can translate any given hostname, along with its corresponding domain name, to its internet protocol (IP) address(es). One of the most common is the windows DNS server that ensures that data requests are sent to their correct endpoints while providing human-readable addresses for websites connected to the Internet. With the ever-growing number of cloud-based devices and technologies, for instance, the Internet of things (IoT), portals, web applications, as well as online transaction processing, it is more important than ever to identify the actual physical addresses of remote devices when relying on DNS-dependent connectivity.

Applications are getting more and more complex. The demand to develop them faster is ever-increasing. This puts stress on organizations’ processes, infrastructure, and the IT teams that support them. Modern Container technology helps to alleviate issues faster across multiple environments. Linux containers are another evolutionary leap in how applications are developed, deployed, and managed. These containers are based on stable Red Hat Enterprise Linux images that have no adverse effects on your current IT infrastructure.

DNS Log Collection and Parsing DNS log collection and parsing should be part of the log collection strategy of every modern IT infrastructure. There are numerous reasons why you should be concerned enough to collect as well as parse the DNS logs collected, some of which include: Operations and Support Parsing DNS server logs can be used to track active DNS clients, while parsing complex and noisy logs can be helpful in troubleshooting support issues.

Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them. DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform. While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.

Be sure to read Part 1 and Part 2 of our series in case you missed them. DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.

"The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications." In this article these top security risks discussed in the context of log collection. OWASP API security top 10 most critical API security risks APIs are a critical part of modern technologies - from SaaS and web consumer applications to enterprise deployments.

About File Integrity Monitoring (FIM) File integrity monitoring is implemented as a detection mechanism to monitor changes to important files and folders. File integrity monitoring is largely used as a security measure for detection and for meeting obligations such as compliance. By using file integrity monitoring, better control measures can be taken due to being able to track and provide data for alerts of activities on assets that are being monitored, such as potential unauthorized changes.

The analysis of events produced by various systems and applications can offer insights into the infrastructure health and the operational resilience of an enterprise. From an Infosec perspective, the end-goals are: threat detection, forensics and remediation. However, we can’t query or analyse data that we haven’t collected in the first place! Before threat hunting and incident response are even possible, security events need to be collected from various sources, parsed, transformed, and then forwarded to data sinks such as security information and event managements (SIEM), security analytics platforms, cloud ecosystems and long term storage.

Windows DNS Server log collection is essential yet complex, primarily because Windows DNS Server provides logs in various places in different forms containing a vast amount of information. Nevertheless, we all know that DNS Server log collection is paramount in IT security. Getting it right can be challenging. The Windows DNS Server section in the NXLog user guide offers a comprehensive guide on collecting log records from a Windows DNS Server.

The global Security Information and Event Management (SIEM) market is big business. In 2022, it was valued at $5.2 billion, with analysts projecting that it will reach $8.5 billion dollars within five years. It’s a highly consolidated market dominated by a few major players in the information security field. They want your business, and they don’t want to lose it. As companies ship more and more data to their respective solutions and make use of more and more features, they become specialized and dependent on a vendor.

Log collection is most closely linked to enterprise security practices—​for example, aggregation and analysis in a SIEM. However, collecting certain logs for reasons other than security is often valuable. It may even be a requirement of your organization for the purposes of auditing, legal compliance, or data retention. Storing all these logs in a database is the most efficient way to manage the data. Finding and managing logs stored as flat files or structured data can be challenging without a database.

It is known that measuring performance is one of the most challenging tasks in system administration. It requires proper configuration and a good understanding of the results. Fortunately, Linux systems offer a wide variety of tools for obtaining performance metrics. In this blog post, we will focus on the instrumentation capabilities of the Linux kernel and some interesting methods of analyzing the results. The importance of the kernel lies in the fact that usage information related to CPU, memory, disk space, or network interfaces is always passing through it, and it cannot be bypassed.

We are delighted to announce that with the release of NXLog Enterprise Edition 5.5, NXLog provides native support for sending log data to the Google Chronicle threat intelligence platform. About Google Chronicle Google Chronicle is a cloud-native SIEM service provided on the Google Cloud Platform. It allows organizations to normalize, correlate, and analyze their logging data. Chronicle makes threat hunting easy by empowering security experts to investigate logs allowing them to take a holistic approach to threat detection.

Apple has made great strides in recent years, not only with its innovative hardware, but also with incremental improvements to its operating systems. For a number of reasons, Macs have become viable alternatives to PCs in many large corporations. Apple also continues to maintain a strong presence in institutions of higher education, as it has for decades in the US. Whether your Mac users are working on spreadsheets in accounting or they belong to creative teams developing software or marketing content, your digital assets are valuable and need to be monitored to detect any potential security threats.

So, you managed to read through all the compliance mandates that are required for the industry you are in. And, during the mandatory consultation you had with your company’s IT security expert and network manager you came to an agreement on which logs to collect and carefully selected their final destination. Which — in most cases — is usually some kind of analytics system or SIEM technology where log data can be analyzed and stored based on your business requirements.

What if you could selectively ingest only the high-quality events needed for metrics and reporting that come not only from Azure, but also from other cloud- based resources and on-site assets directly into Microsoft Sentinel? In this post, the technology we will be examining is the Azure Monitor HTTP Data Collector API, which enables clients, such as the NXLog Enterprise Edition agent, to send events to a Log Analytics workspace, making them directly accessible using Microsoft Sentinel queries.

IT security should be one of the main focus points of all enterprises. In today’s world, when digital transformation is taking place at an unprecedented pace, securing online data is vital for all kinds of businesses. This is why most companies are utilizing SIEM (Security Information and Event Management) solutions that help them identify threats before they can do any harm. Even though SIEM tools are perfect for event correlation and analytics, it is not part of their core functionality to manage log collection, filtering, distribution, and formatting.

NXLog supports direct collection of Event Tracing for Windows (ETW) data. DNS Analytical logs, for example, can be forwarded to Splunk or another SIEM for monitoring and analysis. Collecting ETW Logs Event Tracing for Windows (ETW) is a kernel-level tracing facility that provides high-performance logging of kernel and application events. ETW events can be written to a log file or collected directly from the system in realtime via the Consumers API.

On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) officially released Cybersecurity Framework (CSF) 2.0. This release has had the most significant changes since its inception in 2014. Let’s quickly walk through the updates it brought and how log collection supports the functions of the renewed framework. What is NIST CSF The U.S. NIST Cybersecurity Framework is one of the most widely used security frameworks (with ISO27001, CIS, and others), helping organizations estimate, manage, and reduce their cybersecurity risks.

I always wondered what happens to our software when a company purchases it. Okay, I know they will install it and use it. But where do they install it? On what kind of machines? In what kind of environment? And why is it important for them to collect and handle logs? The possibilities are endless. We have customers worldwide; from shoemakers to telecom companies, NXLog is everywhere. But where are the most remarkable places NXLog Enterprise Edition is employed?

European electric power system operators supply around 2800 TWh of electricity per year and manage around 10 million kilometers of power lines - more than ten round trips to the Moon. Such electric travel is impossible without electric substations, an essential component of a power grid. Its automation becomes ultimately digitalized, so requires proper monitoring both for operational and security purposes. Let’s take a look at how a unified log collection pipeline embeds into power automation systems and helps make sure the lights stay on.

Event logs are our breakfast, lunch, and dinner at NXLog. Before NXLog, I worked on an API that collected software usage logs. And before that, on a centralized log management application. Today, after a career of dealing with logs, I wondered, "How did our world come to rely so much on event logging?" I mean, in the vast landscape of technological progress, the history of event logging is only a minor subplot.

NXLog Enterprise Edition 5 has been with us for nearly four years. That’s four years of being an industry-leading log collection tool adored by engineering teams and Fortune 100 customers around the globe. And while the NXLog Enterprise Edition 5 story isn’t yet over, it needs to move forward to keep pace with modern technologies and new demands. Like any good muscle car, NXLog EE 5 has its limits, and so back in 2022 we came face-to-face with a problem - it required too much to change under the hood to stay modern and effective.

The U.S. Federal Trade Commission (FTC) approved amendments to its Safeguards Rule that require FTC-regulated non-banking financial institutions to report data breaches and other security events directly to the FTC. It was originally proposed to add a breach notification requirement back in late 2021. The rule requires financial institutions to report “notification events” to the FTC within 30 days of discovery of the notification event where the private information of 500+ consumers is involved.

It was late March 2021 when a phishing email was sent to a network administrator of TTEC Healthcare Solutions, Inc. (TTEC HS) - an integrated healthcare CX solutions provider - and a threat actor gained highly privileged access to the network. On September 12, 2021, a common ransomware scenario was triggered, with approximately 1,800 devices compromised via the access channel obtained almost 5 months earlier. Prior to executing the ransomware attack, the threat actor successfully exfiltrated data from the TTEC HS network, containing non-public information (NPI) of current and former employees of TTEC HS, and for individuals who were insured by one of TTEC HS’s clients, including, importantly, some New York residents.

If you are capturing Windows Event Logs on a large scale, you know that the more logs you collect, the more resources you need. Thus, the more expensive your SIEM becomes. The main issue is a large amount of the log data you are sending to your SIEM contains no valuable information. This means you waste a sizable portion of your cost on what the industry calls “log noise”.

Since the Wright brothers' first flight, the aviation industry has been advancing at an unprecedented rate. But it has always been a step behind other sectors in some areas, for safety and security reasons. Engineers are only allowed to apply well-matured technologies thoroughly trialed in different industries. Civil aviation, especially from the IT and IT security perspective, is a bit like Debian among the Linux operating systems. It does not always include all the latest inventions, but it aims to be safe and very stable in return.

The U.S. Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 to protect the privacy and security of health information. It was one of the first sectoral security and privacy legislations in the United States. According to the Act, compliance guidelines had to be developed and regulated by the Secretary of the U.S. Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR) with voluntary compliance activities and civil money penalties.

The analysis of events produced by various systems and applications can offer insights into the infrastructure health and the operational resilience of an enterprise. From an Infosec perspective, the end-goals are: threat detection, forensics and remediation. However, we can’t query or analyse data that we haven’t collected in the first place! Before threat hunting and incident response are even possible, security events need to be collected from various sources, parsed, transformed, and then forwarded to data sinks such as security information and event managements (SIEM), security analytics platforms, cloud ecosystems and long term storage.

Anyone not living under a rock in the last 25 years knows that the US healthcare and health insurance industries are required to safeguard patient data under the Health Insurance Portability and Accountability Act (HIPAA). This includes anyone who deals with protected health information (PHI), such as healthcare providers, health plans, healthcare clearinghouses, and business associates like vendors, contractors, and subcontractors. It’s crucial to remain compliant, or else you could face some hefty fines and penalties allowable by the law.

Understanding how NXLog allocates memory is essential to optimize your configuration for performance and utilize system resources efficiently. NXLog is designed for high-performance log collection and processing and is optimized to use system resources efficiently. However, various external factors affect how NXLog uses system resources, including memory, which can impact NXLog’s and its host’s performance. Misconfiguration is the leading factor we see when troubleshooting excessive memory consumption. Therefore, in this blog post, we will dive deeper into how NXLog allocates memory to help you create the optimal configuration for your system or determine whether high memory usage results from a misconfiguration.

In Feb 2021, a major cybersecurity incident was declared when a hacker gained malicious access to the water treatment system of Oldsmar, Florida. Officials said the hacker tried to increase the level of sodium hydroxide in the city’s water supply, putting thousands at risk of being poisoned. Fortunately, it was quickly confirmed that this potential terroristic act did not come to fruition. Two years later, we still have no details on the malicious actor.

Why do you want to monitor who accessed a particular file? Files are one of the primary forms of storing information. It is common practice for companies to store data in files that hold valuable, sometimes sensitive, information. What could this "important" data be? Of course, I am not talking about the company’s last team-building pictures. I’m afraid that’s not what the bad guys are interested in. They will likely be more interested in business plans, financial or personal data.

The three characteristics your data must possess at all times, as dictated by your IT Security Policy, are: It must be confidential It must be available and It must not have any unauthorized modifications Your log policy will only be as good as the IT Security policy infrastructure behind it. And as much as we love talking about logs, that’s part of a more considerable general discussion about security policies.

PowerShell scripts can be used with NXLog for generating, processing, and forwarding logs, as well as for generating configuration content. In this article, we will take a look at how to execute PowerShell directly from NXLog. You can run a PowerShell script in multiple NXLog instances without using any PowerShell script file, and is achievable through having the script code directly in NXLog’s exec modules. This is ideal because if you need to make any change to the script, it’s easier to modify just the NXLog module rather than change the script on every computer used.

A multi-factor authentication (MFA) fatigue attack is a form of a social engineering cyberattack strategy where attackers repeatedly try to make second-factor authentication requests to the target’s email, phone, or other registered devices to gain access to the system. You may also hear about MFA Fatigue attack as MFA Bombing, 2FA fatigue, MFA push spam, MFA Spamming, or prompt bombing. Technology administrators are always playing a never-ending battle of cat and mouse when it comes to threat actors.

Log collection is essential to managing an IT department because it allows administrators to research historical events throughout a network. Therefore, it’s critical to understand a few key points about collecting logs; the why, and what. We’ll look at a few specific examples of collecting log events efficiently, like incorporating threat modeling to enhance our collection. Implementing log collection policies and procedures is as fun as watching anti-phishing videos. But at the end of the day, the effort put in at the beginning will be worth it.

The global Security Information and Event Management (SIEM) market is big business. In 2022, it was valued at $5.2 billion, with analysts projecting that it will reach $8.5 billion dollars within five years. It’s a highly consolidated market dominated by a few major players in the information security field. They want your business, and they don’t want to lose it. As companies ship more and more data to their respective solutions and make use of more and more features, they become specialized and dependent on a vendor.

There are several reasons you might want to start a particular NXLog module with a delay. You can think of it like delaying the start of a Windows service. In most cases, you need to do this for performance reasons. But there might be other scenarios where you would want to do this, such as collecting logs during a specific time frame. If you have, for example, a less critical module block, you can prioritize the more important one by delaying the less important one.

This post is the first in a series of answers to questions that our customers asked. Clarifying EPS EPS stands for Events Per Second and is considered a standard for measuring the speed of event processing. More precisely, it tells how many events can flow through a particular system in a second. In our case, the number relates to how many events NXLog receives, handles, and outputs in one second.

NXLog supports filtering, enriching, and forwarding logs directly to Splunk Enterprise for further analysis. If you landed on this blog post, you are likely looking for a new log collection solution or seeking to improve an existing Splunk deployment. If so, we hope this article provides you with the necessary information to take the next step toward a better log collection strategy. NXLog and Splunk Universal Forwarder feature comparison Several log collection agents are available on the market, and Splunk Universal Forwarder is one of them.

With open war in Europe for the first time since 1945, nations across the continent have been busy shoring up their information security defenses. The European Union is stepping up to the plate, releasing a Cyber Defence Policy to, in its words, "boost EU cyber defence capabilities and strengthen coordination and cooperation between the military and civilian cyber communities." However, bolstering cyber defenses across a collection of countries, home to 450 million people and spanning four million square kilometers, is no easy feat.

So, it happened again. You got an internal audit finding or a regulatory notice. Or you just had a nagging feeling and found customer data somewhere it shouldn’t have been. Morale sinks. Are you forced to choose between serving your customers and addressing compliance weaknesses? Nobody said IT Compliance was easy. But don’t sign up to do any more work than is necessary. Use Frameworks to identify the activities, like logging, that demonstrate compliance for multiple domains and get the absolute best coverage without extra work.

The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging. Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.

Logs are a record of the internal workings of a system. Nowadays, organizations can have hundreds and, more regularly, thousands of managed computers, servers, mobile devices, and applications; even refrigerators are generating logs in this Internet of Things era. The result is the production of terabytes of log data—​event logs, network flow logs, and application logs, to name a few—​that must be carefully sorted, analyzed, and stored. Without a log management tool, you would need to manually search through many directories of log files on each system to access and extract meaning from these millions of event logs.

Compliance mandates are frameworks that organizations must implement to meet industry regulations. Some of these mandates provide guidelines and best practices, while others may be tied to legislation. With the constant and rapid changes in technology, ensuring that your organization adheres to the relevant regulations is an ongoing process. So why should you comply? Simply put, not complying might cost you more than implementing processes to meet regulatory requirements. By not complying, you might be violating the law, and in case of a data breach, you may face litigation from affected parties.

One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems. WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:

When considering your log collection strategy, a decision you have to make is which transport protocol to use to transfer logs from source to destination. The choice is often between the two most commonly used protocols, UDP (User Datagram Protocol) and TCP (Transfer Control Protocol). Which one to use depends on the type of logs you need to transfer, and whether performance or reliability is more important. This blog post will compare these protocols, discuss why TCP is usually the preferred choice, and provide some options to further increase log delivery reliability with NXLog Enterprise Edition.

How does NXLog Enterprise Edition compare to the IBM QRadar WinCollect event forwarder? IBM QRadar SIEM collects, processes, and aggregates log data to provide real-time monitoring and automated response to network threats. With its powerful correlation engine and specialized modules for risk and vulnerability management, it is no surprise that it is among the highest-rated tools on Gartner Peer Insights. To get the best out of a platform like IBM QRadar, you need to ensure that you send the proper amount of data in a format that it can process efficiently.

If you’re a cyber security enthusiast, you’ve probably heard a lot about Windows Management Instrumentation (WMI) lately. There’s a good reason why this topic has gained popularity, however, this technology has been integrated into Windows operating systems for over 20 years now. In this blog post, we will delve into how WMI works, the risks resulting from misuse, and how to audit it with NXLog. A standardization effort The first thing to clarify about WMI is that it’s not a Windows-only technology.

The value of log aggregation There is no denying the importance of log aggregation for multi-million-dollar enterprises worldwide. But just what is log aggregation? And how can it help your organization? Well, log aggregation is the process of standardizing and consolidating your log data from distributed systems across your network into one centralized server. By doing so, you have a unified view of what occurs across your entire IT infrastructure.

Features of NXLog Enterprise Edition you must have So, it turns out that your organization needs a reliable solution that can collect, parse, forward, and aggregate your log data. This need might be based on any number of reasons. Perhaps it is due to regulatory compliance mandates. Maybe your security analysts have realized that collecting security logs is the best way to detect potential cyber attacks. These are all valid reasons.

In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools. A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.

So, you managed to read through all the compliance mandates that are required for the industry you are in. And, during the mandatory consultation you had with your company’s IT security expert and network manager you came to an agreement on which logs to collect and carefully selected their final destination. Which — in most cases — is usually some kind of analytics system or SIEM technology where log data can be analyzed and stored based on your business requirements.

Unquestionably, Microsoft Windows is the number one desktop operating system in the world, as well as having a significant share of the server operating system market. Multi-million-dollar organizations rely heavily on Windows Server and Active Directory to provide a safe, secure networked environment for their business operations. Such an enterprise infrastructure alone can generate thousands of events per second that range anywhere from benign user authentication events to logs indicating a severe software failure, or even more serious events such as DoS attacks or intrusion attempts.

Data logging, and by extension, logging events have become essential to enterprise-level IT operations in order to provide security and performance monitoring of business operations. However, with the large volume of logs being collected, there is cause for concern that companies are not only collecting too many logs, but also that they are neglecting to collect the very logs that would be most useful for monitoring security-related events. Ironically, many adhere to the notion that the more events collected, the better.

Modbus is a simple and flexible protocol used by a wide variety of industrial and automation equipment. Its simplicity has made it attractive for many manufacturers, but it also poses a number of challenges in terms of security and traffic analysis. In this post, we’ll show you how to use NXLog to capture, process, and extract useful security information from Modbus traffic. What makes Modbus traffic analysis challenging? Modbus is a low-level protocol that effectively uses only two data types: bits (in the form of coils), and 16-bit words (in the form of registers), which are also the only form of data that can be natively addressed with most devices.

Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.

How does NXLog CE and EE compare to the Snare Enterprise Agent? If you are reading this article, you may either be looking for a new log collection agent solution or seeking to replace and improve an existing deployment. This article provides information based on some fairly common questions from those who have migrated from Snare to NXLog. Feature Comparison There are multiple choices of log collection agents available on the market, some are free and have paid versions that come with official support.

IT security should be one of the main focus points of all enterprises. In today’s world, when digital transformation is taking place at an unprecedented pace, securing online data is vital for all kinds of businesses. This is why most companies are utilizing SIEM (Security Information and Event Management) solutions that help them identify threats before they can do any harm. Even though SIEM tools are perfect for event correlation and analytics, it is not part of their core functionality to manage log collection, filtering, distribution, and formatting.

One of the harder decisions revolve around implementing agent-based vs agentless log collection. This post covers the two methods - their advantages and disadvantages - and provides some quick and actionable implementation notes. Why does log collection agent choice matter? When deploying a log collection strategy, administrators usually tend to zone in on already selected solutions that answers fundamental questions, such as "Will this solution collect and ship these types of log sources?

Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported in Windows-based systems. It is straightforward to set up since it is already built into Windows, and only a few pre-requisites are required, such as having a dedicated event server with a group policy object (GPO). Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by limitations of WEF and its subsequent solutions.

The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging. Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.

As a security administrator, you may be inclined to focus on the Windows Security log within Windows Event Log. You might even go as far as filtering for specific event IDs, such as EventID 4625 (failed logon request), while forgetting there is much more to security logging on Windows than this single log source. The consequence of this narrow field of view is that you are not benefitting from the valuable information that other Event IDs used for security audit policies can offer.

One of the challenges that security-conscious Windows administrators face is collecting and centralizing Windows event logs. One of the obvious solutions that come to mind is the native Windows Event Forwarding (WEF) feature available on all modern Windows operating systems. WEF offers the convenience of forwarding Windows events to a central event collector without installing and managing agents. To objectively portray the role this valuable technology plays in the larger scope of enterprise log collection, we have written several articles that discuss it:

If you’re a cyber security enthusiast, you’ve probably heard a lot about Windows Management Instrumentation (WMI) lately. There’s a good reason why this topic has gained popularity, however, this technology has been integrated into Windows operating systems for over 20 years now. In this blog post, we will delve into how WMI works, the risks resulting from misuse, and how to audit it with NXLog. A standardization effort The first thing to clarify about WMI is that it’s not a Windows-only technology.

DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised. You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.

In this post, we will look at how to use Raijin Database Engine as a backend in a centralized logging environment for collecting and aggregating Windows security events. We will also show you how to integrate Raijin with an open source data exploration tool. Finally, you will see how you can track suspicious network activity and identify specific types of intrusion on Windows hosts using these tools. A low-cost, lean and mean data discovery solution Although the combination of tools we present here cannot compete with a full-fledged SIEM solution, they do offer quite a few advantages for security analysts who need a responsive, highly customizable data discovery solution that accepts ad hoc SQL.

It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component. Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer.

Unquestionably, Microsoft Windows is the number one desktop operating system in the world, as well as having a significant share of the server operating system market. Multi-million-dollar organizations rely heavily on Windows Server and Active Directory to provide a safe, secure networked environment for their business operations. Such an enterprise infrastructure alone can generate thousands of events per second that range anywhere from benign user authentication events to logs indicating a severe software failure, or even more serious events such as DoS attacks or intrusion attempts.

Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.

Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them. DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform. While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.

Windows Event Forwarding (WEF) provides log centralization capabilities that are natively supported in Windows-based systems. It is straightforward to set up since it is already built into Windows, and only a few pre-requisites are required, such as having a dedicated event server with a group policy object (GPO). Despite its ease of use and native support, WEF has some limitations. This post covers the advantages of using Windows Event Forwarding for centralized log collection, followed by limitations of WEF and its subsequent solutions.