Below is the list of blog posts with the “log collection” tag.
September 30, 2022
Assertive compliance - using frameworks to extend your coverage
So, it happened again. You got an internal audit finding or a regulatory notice. Or you just had a nagging feeling and found customer data somewhere it shouldn’t have been. Morale sinks. Are you forced to choose between serving your customers and addressing compliance weaknesses? Nobody said IT Compliance was easy. But don’t sign up to do any more work than is necessary. Use Frameworks to identify the activities, like logging, that demonstrate compliance for multiple domains and get the absolute best coverage without extra work.
August 18, 2022
The disappearing Windows DNS debug log
The Windows DNS debug log contains valuable information on DNS queries and activity that is especially useful for monitoring and analyzing malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging.
Here is a short description on how to enable debug logging for the DNS service on windows, this also applies to Windows Server 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.
June 28, 2022
Security logging on Windows - beyond 4625
As a security administrator, you may be inclined to focus on the Windows Security log within Windows Event Log. You might even go as far as filtering for specific event IDs, such as EventID 4625 (failed logon request), while forgetting there is much more to security logging on Windows than this single log source.
The consequence of this narrow field of view is that you are not benefitting from the valuable information that other Event IDs used for security audit policies can offer.
October 11, 2021
Collecting DHCP server logs on Windows
DHCP server log collection made simple DHCP (Dynamic Host Configuration Protocol) is a network management protocol that dynamically assigns IP addresses to each client machine on your network. However, its importance does not stop there. DHCP can even generate numerous critical events that indicate your network’s security has been compromised.
You might then wonder how you can use these events to safeguard your organization from intrusion. Well, these event logs store valuable information that contain the ID and IP address associated with each client.
September 6, 2021
Collecting Kubernetes logs with NXLog
Kubernetes is nowadays the de facto standard for the deployment and management of containerized applications. A Kubernetes deployment may contain hundreds, if not thousands, of nodes and pods. As with any other system, collecting logs from your Kubernetes environment is imperative to monitor the health of your cluster and to troubleshoot issues when they arise. In this post we will explore the logging challenges that Kubernetes poses, and how NXLog can be a key player in your logging solution.
August 25, 2021
File-based logs? Yes, they’re still being used!
File-based logs are where it all began. These logs can yield information of great value to security analysts and administrators alike. Armed with this information, IT professionals are better equipped to troubleshoot issues, evaluate system performance, identify bugs, and even detect security breaches.
In today’s world, we tend to focus on the modern, integrated logging facilities like Microsoft’s Windows Event Log or Apple’s Unified Logging System (ULS). However, all the major operating systems still generate log files that may or may not be integrated into these logging facilities.
July 15, 2021
Top 5 Windows Security logs everyone should collect
It goes without saying that across your business infrastructure, there should be a commitment to protect not only the hardware and software assets, but the plethora of data that is transmitted through and stored in it. However, to successfully safeguard such data, it is imperative to have an effective audit policy in place that includes the collection of security events as its essential component.
Windows provides a wealth of security logs that are visible in the built-in Security channel of Event Viewer.
June 14, 2021
Windows Event Log collection in a nutshell
Unquestionably, Microsoft Windows is the number one desktop operating system in the world, as well as having a significant share of the server operating system market. Multi-million-dollar organizations rely heavily on Windows Server and Active Directory to provide a safe, secure networked environment for their business operations. Such an enterprise infrastructure alone can generate thousands of events per second that range anywhere from benign user authentication events to logs indicating a severe software failure, or even more serious events such as DoS attacks or intrusion attempts.
June 5, 2021
Flexible, cloud-backed Modbus/TCP log collection with NXLog and Python
Modbus is a simple and flexible protocol used by a wide variety of industrial and automation equipment. Its simplicity has made it attractive for many manufacturers, but it also poses a number of challenges in terms of security and traffic analysis. In this post, we’ll show you how to use NXLog to capture, process, and extract useful security information from Modbus traffic.
What makes Modbus traffic analysis challenging? Modbus is a low-level protocol that effectively uses only two data types: bits (in the form of coils), and 16-bit words (in the form of registers), which are also the only form of data that can be natively addressed with most devices.
February 22, 2021
Setting up a Windows Event Collector (WEC) on Linux
Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms which enables the forwarding of events from Windows Event Log to a central Windows Event Collector. Since the technology is built into the operating system, this means you can centralize log collection without having to install third party software on each Windows node. You can also use Group Policy for configuring clients to forward their events. This approach not only standardizes client management but also streamlines it.
May 31, 2020
DNS Log Collection - Part 1
DNS Log Collection and Parsing DNS log collection and parsing should be part of the log collection strategy of every modern IT infrastructure. There are numerous reasons why you should be concerned enough to collect as well as parse the DNS logs collected, some of which include:
Operations and Support Parsing DNS server logs can be used to track active DNS clients, while parsing complex and noisy logs can be helpful in troubleshooting support issues.
May 28, 2020
DNS Log Collection - Part 2
Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them.
DNS Log Collection on Windows If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform. While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection.
May 14, 2020
DNS Log Collection - Part 3
Be sure to read Part 1 and Part 2 of our series in case you missed them.
DNS Log Collection on Linux In the third, closing part of our series on DNS log collection, we discuss DNS logging on Linux using open source software. From the numerous open source DNS server implementations available, we tried to include the more popular ones and summarized what is involved in collecting logs from them.
January 24, 2020
What is File Integrity Monitoring (FIM)? Why do you need it?
About File Integrity Monitoring (FIM) File integrity monitoring is implemented as a detection mechanism to monitor changes to important files and folders. File integrity monitoring is largely used as a security measure for detection and for meeting obligations such as compliance. By using file integrity monitoring, better control measures can be taken due to being able to track and provide data for alerts of activities on assets that are being monitored, such as potential unauthorized changes.
October 22, 2019