DEV Community: XpoLog

A New Open Log Collector, Parser and Forwarder That Cuts 90% of Manual Work.

XpoLog — Mon, 20 Jul 2020 08:18:47 +0000

XPLG releases PortX, a new solution to collect, parse and ship log data, pain-free and solves one of the biggest pain points and time-consuming tasks in log analysis.

PortX’s engine identifies data patterns from a wide variety of applications/ systems/ cloud/ servers and represents them eﬃciently in any logging system. It collects, parses, indexes, and enriches any data, agent-less, Windows, Linux, Syslog, HTTPS.

PortX optimizes data management costs by filtering events and data. With its built-in log data filters you can forward (ELK/logging services/SIEM) only data that matters and reduce costs substantially.

Key features:
• Persistency and data forwarding to log data services.
• Load balancing.
• Visual parsing.
• Cloud connectors.
• Built-in plugins.
• Elastic (ELK) integration.
• Templates.
• Pattern detection and more.

Simplifying the work with ELK stack
The ELK Stack is one of the world’s most popular log management platform since it is open source. But with any advantages, there are also pitfalls. The implementation and deployment are tedious, requires a high level of proficiency and time-consuming.

Setting up a processing pipeline in PortX is 90% faster than it is in Logstash because there are no complex pipeline configurations to write. With this approach, customers can keep their existing investment in the ELK stack and add real-time log viewer, monitors, problem detection, predictive insights, security, data management policies, data manipulation and more.

Try PortX on your data > https://www.xplg.com/download/
Learn more: https://www.xplg.com/port-x-log-parser/

How to identify and prevent most common S3 security problems?

XpoLog — Tue, 06 Aug 2019 11:40:45 +0000

Amazon S3 is an object storage service widely used for storing many different types of data in the cloud.

While it’s inexpensive and easy to set up and maintain S3 buckets, it’s also very easy to overlook S3 security aspects and expose them to malicious attacks.

A typical example is accidentally allowing public access to S3 files.

Several recent high-profile data breaches were caused by lax S3 security.

Other attacks used AWS credentials from less protected services to download files, whereas those services shouldn’t have access to S3 in the first place.

In this AWS security guide, we will talk about some best practices to help you identify and prevent most common S3 security problems.

Have no time to read? You can easily secure your AWS S3 buckets and get immediate S3 insights, monitors, problem detection > download XpoLog free here - https://www.xplg.com/download/

Article sections:

How you can audit AWS S3 buckets in minutes?
Use policies.
prevent public access.
Disable file ACLs.
least privilege principle.
Encrypt S3 files.
Use versioning.
Enable Logging.
Secure All Your S3 Buckets With Automation.
Free checklist – 10 essential S3 audit.

Please refer to our blog as the design limitations and lack of image makes the read here very difficult and not so friendly > https://www.xplg.com/s3-security-buckets/

Hope you'll enjoy, keep us posted :)

How to Look for Suspicious Activities in Windows Servers

XpoLog — Sun, 30 Jun 2019 08:53:54 +0000

You are running a large production environment with many Windows servers.
There are multiple forests in the network and some forests have multiple domain controllers.

Your Windows server security is paramount – you want to track and audit suspicious activities and view detailed Windows reports extracted from the Windows servers event logs.

Read the article, with images and design here > https://www.xplg.com/windows-servers-security-suspicious-activities/

Looking for suspicious activities in Windows is important for many reasons:

There are more virus and malware for Windows than Linux.
People often leave their remote desktop sessions running when they disconnect, making those sessions prime targets for unauthorized takeover.
Service accounts are often made domain administrators circumvent access issues.
Known passwords of service accounts become open backdoors for hackers.
Antivirus and local firewalls are sometimes disabled to get acceptable application performance.
Patching cycles are missed or sometimes altogether ignored, making Windows systems vulnerable to potential attacks.

Bottom line: Prevention is better than cure, that’s why all possible security measures should be taken.

Download XpoLog 7 free and discover suspicious events automatically!Boom > http://bit.ly/2XGJOJV,

Windows Server Reports
There should be a robust security monitoring process in place.

This type of monitoring keeps an eye on who or what’s logging into a Windows server and when, and if those log in events look suspicious or out of normal.

This not only helps catch potential threats early, but it also provides a trail to follow when a breach happens.

Windows Reports – What to look for?
As a security conscious administrator, you want to keep an eye on a number of events such as:

Successful or failed login attempts to the Windows network, domain controller or member servers.
Successful or failed attempts of remote desktop sessions.
Password lockouts after repeated login attempts.
Successful or failed login attempts outside business hours.
Adding, deleting or modifying local or domain user accounts or groups.
Adding users to privileged local or active directory groups.
Clearing event logs in domain controllers or member servers.
Changing local audit policies and group policies.
Changing or disabling Windows firewall or firewall rules.
Adding new services, stopping or deleting existing services.
Changing registry settings.
Changing critical files or directories.

In this tutorial, we will talk about enabling some important security audits in Windows servers to help catch possible threats.

After reading this tutorial: you will have enough information to boost your Windows servers security level and workstation fleet and protecting them against malicious activities!

Read the full article here > https://www.xplg.com/windows-servers-security-suspicious-activities/

42 Critical Security Events To Follow
There are some critical security-related events you should include in your audit views and regular searches.

We have compiled a list of these event IDs and their descriptions in this helpful “cheat sheet". You can access the list from the article on our blog as well.

A Sports Analytics Phenomenon Reveals His Secrets Using The Champions League's 2019 Data & a Log Analysis Tool

XpoLog — Thu, 30 May 2019 11:33:49 +0000

One of our developers (Eran) is an analytics phenomenon, with a nearly infallible record predicting the outcome of matches (top 0.05% of sport analytics predictions).

Working up to this year’s Champions League tournament on Saturday, (in the context of our office pool) we wanted to understand his secret.

Eran showed us his method. Essentially, he gathered all the data around the matches (players, teams, fouls, etc.) and visualized it into past and predictive stats using our own tool.

Will this data make you a better predictor? Give it a try!

Access platform here > https://www.xplg.com/champions-league-results-predictions/

Log Management - all in one - no hidden fees!

XpoLog — Tue, 30 Apr 2019 15:27:13 +0000

A log management tool that doesn't require hard work > https://xpolog.com/.

Quick setup
Analysis apps to bring you all the insights you need automatically,
Customize your own apps,
Discover hidden problems and possible risks with AI/ML analysis engine,
Use filters, apptags and much more to make your searches easy and simple.
Great visualization gadgets

Troubleshoot fast, make your life super simple!
https://xpolog.com/

Guide: How to Troubleshoot Windows Task Scheduler in 5 Minutes?

XpoLog — Mon, 18 Mar 2019 09:14:33 +0000

Abstract

If you are responsible for managing your organization’s Windows Servers, simply monitoring and managing your machines is a full-time job.

Tools such as Windows Task scheduler helps you to keep your servers up and running by automating tasks. As much as you rely on the Scheduler, it can sometimes let you down, and often at the worst possible time.

Follow the next steps or download XpoLog 7 free and troubleshoot your scheduled tasks automatically - https://www.xplg.com/download.

When a single task, running on a local machine, fails, you can fix it without breaking a sweat.In large organizations, tasks are far more complex and run across hundreds or thousands of remote hosts.

Windows server gives you comprehensive logging tools to locate and fix issues> https://www.loggly.com/ultimate-guide/troubleshooting-with-windows-logs/.

Even with these tools – do you know which logs are available, and what are they telling you?

After reading this article, you will be able to proactively identify Windows Task Scheduler issues, as well as, use Windows events logs, and related data to resolve real-world issues.

Skip between sections:

Understanding Scheduled Tasks - https://www.xplg.com/windows-server-windows-task-scheduler/#understanding
Troubleshooting Scheduled Events- https://www.xplg.com/windows-server-windows-task-scheduler/#troubleshooting
How You Can Troubleshoot Tasks in 5 Minutes https://www.xplg.com/windows-server-windows-task-scheduler/#bonus

Windows Tasks scheduler: Understanding Scheduled Tasks
A Windows Task is a group of actions, which automate system management and maintenance procedures; such as installing patches, auditing, backing up storage media, or dealing with security issues.

You create and schedule tasks using the Task Scheduler user interface or programmatically using PowerShell or the.Net framework.

Once you have created a task, you use the Task Scheduler Service to schedule the task’s execution.

The Task Scheduler Service is a Windows service that lets you manage, schedule, and monitor tasks.

Each task includes the following components:

General Information: Metadata that describes the task, such as the task’s name, description, and location.
Triggers: Conditions that schedule task execution at a specific time, or in response to specific criteria.
Actions: List of one or more actions to achieve the tasks desired outcome.
Security Principals: Defines security credentials, permitted access levels, and system privileges required for task execution.
Conditions: Determines when a task can run, i.e only running when the targeted host is idle, or connected to power.
Settings: Configures how the tasks run, including when to restart a failed action, and how long the task is permitted to run.
History: Logs task execution data.
Windows Task Scheduler – Troubleshooting Scheduled Events
Let’s look at what happens when a scheduled task fails to run and see how we can use event logs to locate and fix the problem.

Step 1: Understanding the Big Picture
To find the immediate reason why a task failed open the Event Viewer and locate the event.

Double-clicking the event opens a dialog box that tells us the immediate cause of the problem. It provides the event’s source, ID, level, and category.
The dialog also tells us when the event was recorded and on which machine it occurred.
Task Scheduler did not launch task -“\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents” because instance “{92e4bd81-96af-4a12-987f-3e83d80dd116}” of the same task is already running.
Log Name: Microsoft-Windows-TaskScheduler/Operational
Source: Microsoft-Windows-TaskScheduler
Date: 10/28/2018 1:21:28 PM
Event ID: 322
Task Category: Launch request ignored, instance already running
Level: Warning
Keywords:

User: SYSTEM
Computer: BILBO.mordor.local

Step 2: Diving Deeper
For detailed contextual information to help understand why an event occurred, you can use the related events logged by Windows, across multiple Windows Event Log (evtx) files.

The log’s System section presents a summary of this additional environmental data that helps you resolve the problem, such as the task’s Process ID, the thread on which it ran, and its Security ID.

Guid=”{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}” />
322
0
3
322
0
0x8000000000000000

200241

Microsoft-Windows-TaskScheduler/Operational
BILBO.mordor.local

Step 3: Comprehending Event Context
To understand the actual nature of the event and to get contextual clues, you need to look at the log file’s EventData section.

Here, we can see that part of the reason that the task failed to run is related to a memory issue.

\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents
{92E4BD81-96AF-4A12-987F-3E83D80DD116}

Step 4: Get the Full Picture by Investigating Related Logs
In most cases, investigating a single log file by itself, is not enough to find and fix a specific problem.

Since many scheduling issues are security related, a good place to start is to examine security-related audit logs, such as the Windows Security Event log.

Privileges: SeTcbPrivilege
Audit Failure 10/28/2018 13:21:28 BILBO MORDOR Microsoft-Windows-Security-Auditing 13056 4673 A privileged service was called Privilege
Use Sensitive Privilege Use / Non-Sensitive Privilege Use 0x00000000000D10EB
BILBO.mordor.local A privileged service was called.

In this case, the Windows Security Event shows us that the reason the task failed was related to a broader security issue, the log tells us that the event tried to perform an action which required SeTcbPrivilege level privileges.

The action performed by the task was assigned a lower privilege level, therefore, the host on which the task was scheduled to run, prevented it from running.

In addition to showing that the task failed due to the tasks assigned privileges, it also shows information that indicates the root cause of the problem.

Process:
Process ID: 0x0000000000000EBC
Process Name: C:\Windows\System32\taskhostw.exe

Here we can see that the Security log indicates the problem was caused by an executable process called taskhostw.exe.

The log shows us the executable’s Process ID and the process’s full path.

In the final step, we will understand why this information is important, and how we can use it.

Step 5: Research the Problem
Now we know the origin of the problem, let’s use our available resources to find out more about it.

By searching the internet, we can see that logs that identify a problem with taskhostw.exe. Problems with this process are usually related to malware exploits, or a defective Windows component which controls folder access.

For more information on taskhostw.exe and related issues, see this article from Microsoft.

Conclusions: How to Get the Most from Windows Server Logging?
Windows Scheduler Tasks are a great way to get things done.

In this article, we showed you what tasks are, and how they work. We also took you through a five-step process according to the following steps:

Understanding the big picture: How to use the Event Viewer to discover problems.
Diving deeper: How to read an event log file to learn more.
Comprehending event context: Using Event Data to understand the problem’s context.
Getting the full picture: Using other log files to locate the root cause.
Researching the problem: How to use the data you gathered to find a viable solution.
Now you can deal with complex situations involving multiple servers, large amounts of logged data to ensure that:

Your system continues to fulfill your organization’s mission
The user’s you support can do their work.

You can download XpoLog and get these insights in a few clicks - https://www.xplg.com/download/

How You Can Troubleshoot Tasks in 5 Minutes

Another way you can monitor and troubleshoot your Windows Task Scheduler operations (and find errors in Windows logs) is to use an out of the box solution, such as XpoLog.

Using XpoLog’s built-in Windows logs connector, you can stream Windows event logs in minutes.

Once you stream the Windows event logs into XpoLog (all it takes is a few clicks), you start getting insights about what’s happening in your system, without lifting a finger.

Learn more about our Windows app

What Do You Get with XpoLog Fully-Automated Tool?

XpoLog provides a dashboard that displays a general overview of Windows Task Scheduler related data it collected.

Here you can quickly find how many tasks failed to run and why, how many succeeded and details about the important events.

Drill down to each section to get more information.

The dashboard displays graphs of the collected Windows logs data.

To help you find exactly the log you need, it provides powerful search functionality.

Once you have found the relevant event or events, you can review the log data –

Not only does XpoLog show you what happened in the past, it also monitors system log files for common and obscure errors.

XpoLog’s proactive analytics engine is constantly analyzing log files. When it detects a problem, it sends notifications to alert system administrators immediately.

Bottom line: XpoLog also helps you deal with problems that you hadn’t thought of looking for, or never knew exists.

This means that you, your team and your organization, can fix a problem long before users notice, and start sending helpdesk requests.

You heard it here first! Less dealing with support, more focusing on your tasks.

XpoLog also provides long-term retention by collecting all system logs from multiple servers across your organization.

XpoLog keeps all Windows related logs available, from one or more locations, for any period of time.

Moreover, XpoLog is not constrained by your organization’s storage policies and restrictions.

The added value: This means that XpoLog stores collected logging data indefinitely, and uses it to help you find and fix problems occurring over a longer time frame.

This approach allows you to initiate preventive action to avert potential problems, instead of constantly putting out fires.

XpoLog stores collected logging data indefinitely

Conclusions

XpoLog provides you an end to end solution for log data automation.

Once deployed, XpoLog enables you to monitor your system and gives you a complete solution which includes a comprehensive analytics application.

This Windows application contains dashboards and reports which include insights about:

user access (login/logouts).
the health of your Windows server.
trends.
anomalies.
errors.
problems and more.
Your gain: Windows log visibility and insights in minutes without having to write queries or build reports manually.

In addition, you will be able to easily control and monitor your Windows environment, view and compare hosts activity – without manual work at all!

How cool is that?

A Quick Way to Aggregate Log Data/Drill Down to Investigate a Single Raw Log

XpoLog — Sun, 10 Mar 2019 10:14:51 +0000

The simplest fastest way to view & search logs for insights is using a fully automated tool - one that collects and parses your logs in just a few clicks and suggest you out of the box reports and dashboards, to get insights in 3 more clicks.

XpoLog 7 log viewer and log search also contain -

Augmented log search to discover Unknown errors.
Predefined log filters and app-tags to get insights faster.
Centralized console to correlate transactions between different logs/events.
Enhanced view of several logs - from multiple remote data sources.
Multiple tools to access data - navigation, search, filters, live tail.
Complex search to build dynamic search queries - focus on time frames, servers, apps, and other log sources.

You can download free here: https://www.xplg.com/log-event-viewer-log-search

New Free App for Active Directory

XpoLog — Thu, 07 Mar 2019 13:07:29 +0000

Active Directory logs contain valuable information which must be closely monitored and analyzed.

Some examples are:

Configuration and policy events: These event logs are used to maintain the integrity of access policies, i.e. in ensuring that no one has mistakenly or maliciously changed the access policies and configuration.
Group and user audit: These audit logs provide comprehensive information regarding the creation/deletion of groups, logins/ logouts etc. This information is used to investigate security breaches and unauthorized access.
Active directory performance: These logs provide indications regarding the health and performance of the Active Directory services as well as user replication and errors throughout the system.
Security Breaches: These logs track and monitor changes to the AD schema and configuration and provide enhanced visibility for security forensics and attack detection.

The new Active Directory app allows you to stream AD events using out of the box connectors and set up the app in just a few clicks.

The result is quick visualization and insights out of your log data!

You can download free here - https://www.xplg.com/download/

Which insights you will be able to get automatically?

The App features a variety of ready-to-use reports and dashboards, specifically designed for Active Directory log data:

Security Detection – organizes the most important reports and graphs for security purposes. Using this gadget, you compare the number of failed to successful logins, view the failed login trend over time, the distribution of failed login users, and more.

User’s Management – monitors new, deleted, and changed users, user-related actions by administrators, changed account names and more.

Computer’s Management – monitors new, deleted, and changed computers, computer-related actions by administrators and more.

Group Management – monitors new deleted and changed groups, monitors changes in groups, changes in group types, new groups members, top active groups, and more.

User’s Access – monitors user access attempts, such as locked users (automatically tripped by a lockout policy or by administrators), top locked users, and more.

Logins and Logouts – monitors user log-ins / log-outs, including successful logins and logouts (+ per user), failed logins (+per user), and more.

Policies – monitors changes to the policies, including policy changes reports, top changed policies, top policy changes by admins, etc.

Passwords – monitors password resets, including password resets reports, password changes reports, password resets per admin, top reset users and more.

Directory services – monitors directory services and their operations, including created/modified objects reports, created/modified objects per admin, and more.

Trends – a centralized view of important Active Directory trends over time, such as created and deleted users/groups, locked and disabled users, failed logins, and more.

New Analytics App for Linux Logs

XpoLog — Tue, 05 Mar 2019 09:55:02 +0000

Take your Linux log data into a new age of log analysis.

While the log management industry is focused on developing advanced search abilities and simplifying log analysis, nobody has been able to resolve the persistent issues of the long, complex and tedious deployments.

Up until today!
A new Linux app is here to automate the entire log management lifecycle.

"Brought to us by" XpoLog, the app provides an easier and more efficient solution for IT, Security and Operations Administrators.

You can download it free here: https://www.xplg.com/download

What Does Full Automation Mean For Your Linux Logs Analysis?

XpoLog 7 offers an analytics app for Linux logs which uses machine-learning and NLP analysis to automatically highlight critical insights from the collected Linux logs.

Using this app for Linux, logs are collected from all Linux machines and critical insights are highlighted for your attention and are visualized by dashboards and real-time reports.
-And it takes less than 10 minutes from installation!

Bottom line:
Discover problems and errors, understand trends, cron activity/ audit/ security insights, login status visualization and more, automatically!