The Event Viewer is a very useful tool however, like any log management solution, the biggest hurdle can be filtering out the noise and returning only the meaningful log data that you care about.
This is a follow-up on a previous article which can be viewed here: Finding Human Logins in the Windows Event Viewer – Suppressing Everything Else
One of the most common requests is seeing who has been in and out of a box. To that end, I want to expand a bit more and talk about how to filter on the following three things… Username, Event ID, and Logon Type.
One of the things I wanted to get from my OpenVPN Access Server was a usage report that would be emailed to me regularly. OpenVPN Access Server writes such logs to a file in /var/log on Ubuntu and Debian based systems. However it also writes a lot of other things. So I first started by examining the log. The key information I wanted was:
Date and Time of Successful Connections
In my setup, OpenVPN connected users are put into a unique IP subnet and assigned an address by a DHCP server that is part of Access Server. All very easy to setup. In digging through the logs I found entries that are made whenever an IP address is assigned to a newly connected user.
An entry looked something like this: (more…)
If you aren’t familiar with Owncloud, it is a very cool open-source software package that runs on Linux Apache (or Nginx) that provides “dropbox like” functionality that you can host yourself.
This is a big deal for the tech-savvy average-Joe that is worried about keeping private data private (i.e. he doesn’t want all of his personal documents stored by Microsoft, or Dropbox, or Google, etc.) but still wants the “cloud-like” functionality of being able to securely access and sync files across multiple devices.
It is also a big deal for any enterprise that wants to use “cloud storage” but has to worry about all of the above due to data security requirements. It is self-hosted, so you know exactly where all of the data is and you have control over the security components protecting it. Citrix, Dropbox, and others have realized a growing need for this and have “enterprise” products that are in the same vein. They just cost a good bit of money, don’t always meet all of the stringent security requirements imposed on some types of data, and tend to be complex/cumbersome systems.
Owncloud also has an enterprise version of their software offering which runs upwards of $10k/year. When I did a comparison of the “enterprise” vs. “open-source” the only value I could see in going enterprise was support, and one additional module that does granular file-activity-logging (i.e. user jdoe, shared this file, on this date). Obviously support is support, you aren’t going to get enterprise support without paying an enterprise price. Writing that off, that just leaves the enhanced logging.
I don’t have the requisite skill-set to build my own logging module. But Owncloud is ultimately just a web application running on Apache, so why not track it like we would any other web application? Namely, using a site analytics tool and the Apache access log. (more…)
“Enterprise Log Search and Archive” (AKA ELSA) is an open-source project started by an individual who needed the ability to not just collect logs from a bunch of devices but to also quickly search and parse them. And by a “bunch” I mean on the scale of millions and millions of logs. A lot of traditional open-source systems use REGEX to parse logs, which is fine on a small scale but quickly falls apart under volume. ELSA takes a different approach and in the words of it’s creator allows “Google-fast searching on a massively large set of logs” and it does so by using a combination of MySQL and: