How to send logs from servers in the cloud to NetEye?

Posted by on Jun 6, 2017 in Log Auditing, NetEye, Syslog | 0 comments


Keeping an offline copy of your logs not only gives you better visibility from a system management point of view, but also turns out to be extremely valuable in the event of a security incident in which your local copies have been affected.

As many of you might know, the Log Management module of NetEye offers a complete solution for managing logs, in line with the obligations set by the data protection authority. Moreover, it provides a handy way to centrally manage logs from various sources (see also on our blog: “What to do with all those logs?” and “NetEye Log Management on the official Elastic blog”).


Architecture of the Log Management module:

  • Log auditing and data collection system, based on rsyslog
  • Agent (Safed) for sending logs over the syslog protocol (RFC 3164; configured by default to send over TCP on port 514 so that delivery of the sent logs is reliable)

It is crucial that communication between the Safed agents and NetEye on TCP port 514 is always guaranteed.

During one of my latest customer projects, I was asked to implement a possibility for collecting logs from remote systems in the cloud. The main challenge was that accessing the systems was possible just via SSH.

Now I will show you how I resolved this problem by using a reverse SSH tunnel and a Safed agent on a Linux/Unix machine.


NetEye 3.6 and RUE 1.9 Have Been Released!

Posted by on Dec 15, 2015 in Asset Management, Development, Log Auditing, NetEye, Real User Experience Monitoring, Syslog | 0 comments


Effective log auditing, meaningful reports and better integration of the single modules

The new version NetEye 3.6 provides some substantial improvements, both to respond to specific customer needs and to satisfy the continuously growing requirements of the complex world of IT monitoring.

Major investments were made in the fields of reporting and SLA measurement. Thanks to a unified data structure, data collected at decentralized sites can now be merged into a single reporting database.

Get an overview of the latest developments:


Trace Windows Administrators Login Activities with Safed

Posted by on Dec 3, 2015 in Log Auditing, NetEye, Syslog | 0 comments

Sometimes it is necessary to trace the login/logoff activities of administrators, either to comply with legal guidelines or simply for security reasons (see also our article “What to do with all those logs”). The Safed agent for Windows can easily be configured to collect administrator login/logoff events. The agent is deployed with a set of administrator discovery commands, which it can execute to obtain the list of domain administrators and then create a filtering objective from it. All events concerning administrator login/logoff are captured, formatted and then sent to the log server.


Rsyslog open FileHandler control with SyslogView 2.1.8

Posted by on Jan 8, 2015 in NetEye, NetEye Updates, Syslog | 0 comments

To keep the number of open TCP connections of the Log Auditing server under control, SyslogView version 2.1.8 adds a check to the daily archiving script that verifies the number of currently open connections.

This issue can occur in particular situations, where SAFED or other audit agents send their logs across a routing device from another network. If those connections are not closed properly, the number of pending connections keeps growing until it reaches a limit of the server. The issue should therefore be considered in such setups, and it appears only in these very specific situations.

This new version now contains a check on the number of open file handles (FH). If the suggested threshold of 1024 unclosed connections is exceeded, a HUP operation on the Rsyslog service makes sure that pending connections which are no longer needed are closed. An additional parameter ( -F ) of check_neteye_logManager.sh verifies this condition. This parameter is activated automatically in the SyslogView cron job and raises alerts automatically in your NetEye monitoring environment.

An additional template of the rsyslog.conf configuration file is stored in the includes folder of the SyslogView installation folder (/var/lib/neteye/syslogview/).


NetEye: New MySQL Audit Plugin for SyslogView

Posted by on Oct 9, 2014 in Log Auditing, NetEye, Syslog, Uncategorized | 0 comments

In a standard MySQL setup, user logins/logouts are logged by enabling the “general_log” logfile, which forces the MySQL process to log EVERYTHING. This clearly degrades performance under heavy load. To avoid such performance penalties we added a new MySQL Audit Plugin to the SyslogView of NetEye.

Figure: Performance impact of each log output. Using the FILE log destination has the least impact on MySQL performance (throughput decrease is roughly 13.5%; response time increase is roughly 17.5%)*
