Blog Entries

12. 12. 2024 Reinhold Trocker Log Management, Log-SIEM

Sample osquery Investigations for a Security Incident

Note: This description of a security analyst’s daily routine is fictitious. However, the osquery examples have been tested and can therefore be used as a template for your own research. 1. Alarm Detection Today started with a high-severity alarm from our Elastic Security system. The alert indicated suspicious activity on host HOST-1234, suggesting potential malware execution. The…

08. 11. 2024 Reinhold Trocker Log Management, Log-SIEM

Configuring EnvironmentFile for Elastic Agents on NetEye Nodes

When deploying Elastic Agents, the method of installation can affect the configuration of the systemd service file. Specifically, .tgz deployments of Elastic Agents include the line EnvironmentFile=-/etc/sysconfig/elastic-agent in their systemd configuration (elastic-agent.service). However, Elastic Agents installed on NetEye nodes via RPM packages do not include this line in the EnvironmentFile by default. Adding the EnvironmentFile on NetEye Nodes To…

24. 10. 2024 Reinhold Trocker Log Management, Log-SIEM

Categories of documents – create more namespaces within an agent’s environment

In the ever-evolving landscape of IT monitoring and management, the ability to efficiently handle multi-dimensional namespaces is crucial. Within NetEye, Log-SIEM (Elastic), provides a comprehensive solution for managing the single namespace dimension with the namespace of a data_stream. This blog post deals with multi-dimensional namespaces and how NetEye’s Log-SIEM solution simplifies their management. Understanding Multidimensional…

16. 02. 2024 Reinhold Trocker Log-SIEM, NetEye

Enabling Elastic Agents Upgrades in Restricted or Closed Networks

In this article, we’ll explore how to configure the “Agent Binary Download” setting and set up your own artifact registry for binary downloads within a NetEye cluster. Prerequisites Before we begin, ensure you have the following prerequisites in place: Configuring the “Agent Binary Download” Setting Hosting Your Own Artifact Registry If routing traffic through a proxy server…

19. 10. 2023 Reinhold Trocker Log Management, Log-SIEM

Integration of Elasticsearch Clients without Authentication and without TLS

Introduction Let’s say… you have a product that has some Elasticsearch output, which deals with parsing and indexes, and also comes with a nice dashboard, etc., and let’s suppose… you would like to use this built-in functionality. And let’s say… the product in question wants to connect to Elasticsearch in an unauthenticated manner over HTTP….

12. 10. 2023 Reinhold Trocker Log Management, Log-SIEM

stunnel TCP keepalive Settings Preventing Firewall from Blocking Log Traffic

Infrastructure Scenario An image says more than 1000 words 😉 Basically, the log source continuously sends log messages encrypted via TLS to the NetEye server. TLS is handled by stunnel and then content is internally forwarded unencrypted to an Elastic Agent Integration “Custom TCP Logs” inside the NetEye server. Cause: Logs lost due to firewall…
