25. 03. 2019 Oreste Attanasio Information Security Operations Center, Log Auditing, Microsoft Management, NetEye

Safed improvements since 1.10.1

The Safed agent keeps track of the events it receives from the Windows Event Log by storing the LastEventID in the registry. At start time the agent tries to retrieve all events from the Event Log starting from that LastEventID. When the number of events since the LastEventID is too large, or the record with the LastEventID has already been removed from the Event Log (because the log was cleared or has overwritten its oldest records), the Safed agent may hang and apparently do nothing.

The new Safed version (1.10.1) introduces an important bug fix that keeps the agent from hanging. This has been accomplished by changing the agent's behavior at start time: the LastEventID is still taken into account, but the agent no longer reaches back further than the maximum cache days defined in the agent configuration.

Hence, to maximize performance when using Safed for real-time event monitoring, we advise setting the cache (expressed in days, as Number of Cache files under Network Configuration) to 0.
This way the agent won't try to retrieve old events at start.

On the other hand, if Safed is used to collect data for auditing purposes, we advise keeping the above value higher, so that the agent tries to retrieve all events written to the Event Log during the agent's downtime. Keep in mind that the agent replays at most that many days: if the downtime was longer than the configured cache days, the older events are not recovered and leave a gap in the audit trail.
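The start-up decision described above, as an added example that is not code from the Safed agent or from Würth Phoenix: given the LastEventID the agent persisted, it checks whether that record is still in the log, how large the backlog is, and how much of it a cache-days cap lets through. The page does not name the registry value Safed uses, so the ID is passed by hand; the log name 'Security', the function name and the placeholder ID 123456 are assumptions for illustration. Run it elevated, since the Security log is not readable by standard users.

```powershell
# Added example, not part of the Safed product. Reproduces the agent's
# start-up logic for one Windows log so the two failure modes from the
# post (saved record gone, backlog too large) become visible.
function Get-SafedStartupBacklog {
    param(
        [Parameter(Mandatory)] [long] $LastEventId,    # ID persisted by the agent (read from its registry key)
        [string] $LogName   = 'Security',              # assumption: the log being forwarded
        [int]    $CacheDays = 2                        # "Number of Cache files" setting, in days
    )

    # Oldest and newest records still present in the log (-Oldest flips the order).
    $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction Stop
    $newest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction Stop

    # Failure mode 1: the saved record is gone (log cleared or oldest records
    # overwritten). A pre-1.10.1 agent went looking for a record that no longer exists.
    $rolledOver = $LastEventId -lt $oldest.RecordId

    # Failure mode 2: the record exists, but everything after it has to be replayed.
    if ($rolledOver) {
        $backlogTotal = $newest.RecordId - $oldest.RecordId + 1
    } else {
        $backlogTotal = $newest.RecordId - $LastEventId
    }

    # 1.10.1 behaviour: the ID is honoured, but never further back than CacheDays.
    # CacheDays = 0 (realtime monitoring) means nothing is replayed at all.
    if ($CacheDays -le 0) {
        $toReplay = 0
    } else {
        # timediff() is the Windows Event Log XPath extension; its argument is milliseconds.
        $windowMs = [int64]$CacheDays * 86400000
        $xpath = "*[System[EventRecordID > $LastEventId and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"
        # This enumeration is the same expensive scan the agent performs at start;
        # on a busy Security log with a wide window it can take minutes.
        $toReplay = @(Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction SilentlyContinue).Count
    }

    [pscustomobject]@{
        LogName          = $LogName
        LastEventId      = $LastEventId
        OldestRecordId   = $oldest.RecordId
        NewestRecordId   = $newest.RecordId
        LastIdRolledOver = $rolledOver
        BacklogTotal     = $backlogTotal
        ReplayedByAgent  = $toReplay
        SkippedByCap     = $backlogTotal - $toReplay
    }
}

# Example call: 123456 is a placeholder, substitute the value stored by the agent.
Get-SafedStartupBacklog -LastEventId 123456 -LogName 'Security' -CacheDays 2 | Format-List
```

A large SkippedByCap with CacheDays greater than 0 is exactly the audit gap mentioned above: those events existed during the agent's downtime but will not be forwarded. LastIdRolledOver being true on a host is the situation that made pre-1.10.1 agents hang.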

Please keep in mind that, because of the Event Log design, Safed may still slow down if the number of events it has to receive or recover at start is too large. We recommend keeping the agent monitored by NetEye itself and adding a restart policy to the service, in order to avoid these situations.
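The two recommendations above on the agent host, as an added example that is not part of the page or of the Safed product: a Service Control Manager recovery policy that restarts Safed when the process dies, and a check a NetEye-scheduled job can run to bring the service back when it is not Running. The service name 'Safed' and the function names are assumptions; confirm the name with Get-Service before use, and run elevated.

```powershell
# Added example, not Safed's own code. Assumption: the agent is registered
# as the Windows service 'Safed' (check with Get-Service).
$ServiceName = 'Safed'

function Set-ServiceRecoveryPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [int] $DelaySeconds = 60,      # wait before each restart attempt
        [int] $ResetSeconds = 86400    # failure counter resets after a day without failures
    )
    $delayMs = $DelaySeconds * 1000
    # Three restart attempts, then the SCM gives up until the counter resets.
    # sc.exe requires the space after each '=' exactly as written.
    & sc.exe failure $Name reset= $ResetSeconds actions= "restart/$delayMs/restart/$delayMs/restart/$delayMs" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned exit code $LASTEXITCODE" }
    # Also count a stop with a non-zero exit code as a failure, not only a crash.
    & sc.exe failureflag $Name 1 | Out-Null
    # Read the policy back so the change is verified rather than assumed.
    & sc.exe qfailure $Name
}

function Restart-ServiceIfNotRunning {
    param([Parameter(Mandatory)] [string] $Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    switch ($svc.Status) {
        'Running' { return 'running' }
        'Stopped' { Start-Service -Name $Name -ErrorAction Stop; return 'started (was Stopped)' }
        default   {
            # StartPending / StopPending that never completes: force it through.
            Restart-Service -Name $Name -Force -ErrorAction Stop
            return "restarted (was $($svc.Status))"
        }
    }
}

Set-ServiceRecoveryPolicy -Name $ServiceName
Restart-ServiceIfNotRunning -Name $ServiceName
```

One caveat a practitioner should not miss: the SCM recovery policy only fires when the process exits. The hang described in this post leaves the process alive and reported as Running, so it is only caught by the NetEye side (for example a check that no events have arrived from the host for a set number of minutes) triggering the restart explicitly.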

Please find the new version under Downloads

Oreste Attanasio

Team Leader Service & Support at Würth Phoenix
I graduated in Applied Computer Science at the University of Bolzano in 2006. After 3 years of experience as a consultant in a small IT business, I decided to move on, and found Würth Phoenix a good starting point for a career. After serving several years as a developer, consultant and support engineer, I now lead the Service & Support Team and aim to deliver best quality services to our customers, by helping them use our products together with the strength of Open Source, in which I strongly believe.