In this blog post I will describe my experience with ingesting logs from a Fortinet firewall at a customer site. During this process I exploited the brand new Filebeat 7.8.0 Fortinet module. In particular, I will describe how I went from 3K events per second (eps) to 32K eps, more than a 10x improvement.
Read MoreStarting from NetEye 4.12, NetEye SIEM is secured with X-Pack Security. NetEye comes pre-configured with some users and roles (see NetEye User Guide > Log Manager > Elasticsearch Access Control) to grant the Elastic Stack the ability to ingest, manage, and view the logs that you want to collect. For example, NetEye provides: A Kibana…
Read MoreBeats is the new method for log acquisition introduced in the latest releases of NetEye 4. It’s a system fully integrated with the Elastic Stack. The Beats agents send logs directly to Logstash, which then forwards them to Elastic. Logstash also writes each log received into files on the file system (at the same location…
Read MoreTalking about IT security is now clearly synonymous with resilience! We are continuously and inevitably under attack… every organization must implement defensive principles and practices that avoid the worst damage and the least impact on its survival and development. From the data selection, to its collection and normalization, for its representation and analysis with techniques…
Read MoreWith SIEM we ensure maximum security in the management of sensitive data Even the safest bulwarks require permeable zones. The same applies to the security systems we use to protect our data from unauthorized access. But every system, no matter how meticulously monitored, contains security gaps. When these become known, it is the task of…
Read MoreA bug has been discovered on NetEye modules logmanagement and SIEM. If affected, rsyslog directories on system might be created with wrong permissions causing Logstash to be unable to load log lines of some hosts inside Elasticsearch. Users might also receive an error message trying to check signatures for some hosts inside Logmanager Log Check….
Read MoreBefore I tell you about one of my latest customer requirements, I would like to briefly explain what our NetEye Tornado module is. In our user guide you will see it written that Tornado is the successor to NetEye’s Event Handler. It is a plugin-based, stateless, scalable rule matching engine written in Rust, based on…
Read MoreIn a previous blog post I presented how the Log Management architecture fits in a NetEye cluster, and now I want to summarize my recent experiences to help you diagnose Elasticsearch health issues. Elasticsearch provides a set of APIs which help to identify and debug a number of potential causes. But NetEye Log Management is…
Read MoreThe new challenge for monitoring solutions is to monitor infrastructure, software, and platforms that run in the cloud, or that are outsourced. The various contract models with cloud providers/outsourcers no longer focus on infrastructure monitoring, such as monitoring the fans or power supply in a physical server, but rather the availability and performance of applications,…
Read MoreNetEye 4 Log Manager, as already presented in this blog post, allows you to easily manage the collection, navigation, visualization and analysis of large numbers of logs. For many reasons, I as a user may want to limit log access to a subset of users. For example a network administrator should only see the logs…
Read MoreCreating hosts in NetEye’s Director module can sometimes be time-consuming and a repetitious, tiring and boring job. Especially if you have to populate Director with a large number of hosts for setting up a test environment, for example. One solution is to create a script consisting of nothing but icingacli commands. Each command line instruction…
Read MoreThe Safed agent keeps track of the events it receives from the Eventlog by keeping the LastEventID in registry. At start time the agent tries to retrieve all events from Windows Eventlog since starting from the LastEventID. When the amount of events since LastEventID is too large or the LastEventID has been removed from the…
Read More– Retrieved events from eventlog (win 2008 +) starts from bookmark but should not be older than defined cache days
Read MoreWith the release of NetEye 4, we have also redesigned the Log Management module. In this blog post I would like to briefly discuss the main innovations and improvements in NetEye 4 Log Management. First, the management and configuration interface of NetEye 4 Log Manager appears in the unified NetEye 4 layout. Basically, it has…
Read MoreThis blog post describes the basic architecture of an Elasticsearch cluster. The deployment of a cluster is needed to provide high-availability and, whenever possible, to increase performance. NetEye 4’s clustering service is based on RedHat 7’s High Availability Clustering technologies: Corosync: Provides group communication between a set of nodes, application restart upon failure, and a quorum…
Read More