Rapid7 Blog

Logentries  

R7-2017-18: Logentries Windows Agent uses vulnerable OpenSSL (FIXED)

Summary

The Logentries Windows Agent before version 2.6.0.1 shipped with a version of OpenSSL that is susceptible to several public vulnerabilities described below. While we have no indication that any Logentries customers have been compromised due to these older versions of OpenSSL, we strongly encourage Logentries customers to update Agents deployed to Windows systems using the steps outlined under “Remediation” below. Since the previously shipped version of OpenSSL was susceptible to several categories of vulnerabilities, this issue is classified as CWE-937 (Using Components with Known Vulnerabilities). If you have any questions about this issue, please reach out to support@logentries.com.

UPDATE - 2017/08/04: Scan coverage to detect vulnerable versions of the Logentries Windows Agent was added to InsightVM in the 6.4.48 update on July 26, 2017. InsightVM customers can use this to verify that all their Logentries Agents are patched.

Credit

Rapid7 warmly thanks Dustin Heart for reporting this vulnerability to us, as well as providing information throughout the investigation to help us resolve the issue quickly.

Am I affected?

All versions prior to 2.6.0.1 of the Logentries Windows Agent are vulnerable. Logentries Agents on Linux and OS X are not vulnerable, as they use the version of OpenSSL present on the assets on which they are installed.

Vulnerability Details

The Logentries Windows Agent uses the OpenSSL library as part of its communication with the Logentries servers. Before v2.6.0.1, the Logentries Windows Agent used OpenSSL v1.0.1e, which is vulnerable to a number of issues. The vast majority are Denial of Service type vulnerabilities, but a small number have the potential to allow remote code execution and information disclosure by an attacker in a privileged position on the network. One notable information disclosure issue that this version is vulnerable to is CVE-2014-0160 (AKA “Heartbleed”).

While Heartbleed can be a big issue in some attack scenarios, in this case the risk is relatively low, as any information that could be accessed would be log data limited to the affected asset. By default, the Logentries Windows Agent will follow the Application, Security, and System Windows logs, and a hardware statistics log. Users can additionally follow logs related to Internet Explorer, Key Management, Media Center, PowerShell, and Hardware Events. These should not include critically sensitive information such as credentials, personally identifiable information (PII), or intellectual property, but may include sensitive environment and user information. If your Logentries Windows Agent is configured to follow application logs, there is a possibility of more sensitive information being exposed.

In addition, triggering an information leak from memory is reasonably complicated, as it requires the Agent to connect to a malicious server. This could be accomplished by, for example, a man-in-the-middle (MITM) scenario, privileged access to the asset running the Agent (in order to set alternate host entries for the Logentries servers), or DNS cache poisoning attacks.

The Logentries Windows Agent also failed to correctly validate TLS certificates and would fall back to plaintext HTTP if errors were encountered during HTTPS connections. This is especially problematic during the Agent update process and when setting the username and password (only asked when setting up new installations).

The latest version of the Logentries Windows Agent uses the most current version of the OpenSSL 1.0.2 series, v1.0.2l, which fixes all of the vulnerabilities described above. Rapid7 has also ensured that the Insight Agent is shipping with the latest OpenSSL libraries.

Remediation

Administrators should update all deployed Logentries Windows Agents to v2.6.0.1 through the following steps:

1. Download the latest zip of the Logentries Windows Agent here.
2. Verify you have the latest patched Windows-Agent.zip via the following checksums:
   MD5: 1c76f076d08c70ac43467e31c1125bda
   SHA256: b2ade2356a52e8dde136a2bb451c56df1cfbd6b5639e1b1b58686d861e6b4887
3. Unzip the zip file.
4. Run the extracted .exe file as an Administrator.
5. Follow the GUI prompts.

Once finished, you can verify the Agent version by clicking the Help tab in the GUI. Additional documentation for the Logentries Windows Agent is available here.

Disclosure Timeline

Thu, Jun 15, 2017: Vulnerability reported to Rapid7
Fri, Jun 16, 2017: Vulnerability confirmed by Rapid7
Wed, Jun 21, 2017: Rapid7 assigned CVE-2017-5245 for this issue
Thu, Jul 13, 2017: Patch for Logentries Windows Agents made available
Thu, Jul 13, 2017: Public disclosure
Thu, Jul 13, 2017: Disclosed to MITRE
Tue, Jul 18, 2017: MITRE rejected the CVE-2017-5245 assignment for this issue. A new CVE was not necessary, as we can instead reference the CVEs that impact the outdated dependency, i.e. those affecting OpenSSL v1.0.1e used by the Logentries Windows Agent before v2.6.0.1.
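An added Python helper for step 2 of the remediation (example code, not part of the advisory or of the Agent): it streams a downloaded Windows-Agent.zip once, computes both digests, and compares them with the two checksums published above, treating a mismatch on either digest as a failed verification. The file path is passed on the command line.

```python
import hashlib
import sys

# Checksums published in the advisory for the patched Windows-Agent.zip.
PUBLISHED_MD5 = "1c76f076d08c70ac43467e31c1125bda"
PUBLISHED_SHA256 = "b2ade2356a52e8dde136a2bb451c56df1cfbd6b5639e1b1b58686d861e6b4887"


def digests(chunks):
    """Compute the MD5 and SHA-256 hex digests of an iterable of byte chunks
    in a single pass, so a large download is read only once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_digests(chunks, expected_md5=PUBLISHED_MD5, expected_sha256=PUBLISHED_SHA256):
    """Return (ok, details). ok is True only when BOTH digests match the
    published values; a mismatch on either means the file is not the
    artifact the advisory describes and must not be installed."""
    got_md5, got_sha256 = digests(chunks)
    details = {
        "md5": {"expected": expected_md5.lower(), "actual": got_md5},
        "sha256": {"expected": expected_sha256.lower(), "actual": got_sha256},
    }
    for entry in details.values():
        entry["match"] = entry["actual"] == entry["expected"]
    ok = details["md5"]["match"] and details["sha256"]["match"]
    return ok, details


def file_chunks(path, size=1 << 20):
    """Yield the file contents in 1 MiB chunks."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(size)
            if not chunk:
                return
            yield chunk


def verify_file(path):
    """Verify a downloaded Windows-Agent.zip on disk against the published checksums."""
    return verify_digests(file_chunks(path))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_agent_zip.py <path to Windows-Agent.zip>")
    ok, details = verify_file(sys.argv[1])
    for algo, entry in details.items():
        status = "OK" if entry["match"] else "MISMATCH"
        print(f"{algo.upper():6} {status:8} {entry['actual']}")
    sys.exit(0 if ok else 1)
```

MD5 is no longer collision-resistant, so the SHA256 match is what establishes integrity; the MD5 line is only a cross-check against the published value.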

Finalists in FIVE categories at the Network Computing Awards!

Ring Ring! You're in the Final!

It's always nice to get a phone call letting us know that we've been shortlisted for awards – but when it's five awards, we like those calls even more! Two of our products, and our company have reached the final stages for the Network Computing Awards, and of course we'd love it if you took a moment to vote for us please.

La La Land may have racked up the Oscar noms, but at the Network Computing Awards it's looking good for LE LE Land! OK, so we might not quite have the fourteen nominations that La La Land has, but our Logentries (lovingly shortened to LE) product is a finalist in three categories: Best Picture, Best Soundtrack, Best Original Screenplay (or rather: IT Optimisation Product of the Year, Software Product of the Year, and The Return on Investment Award). To reach this stage in these categories is huge, and we're very happy to be triple listed.

If you've not yet experienced Logentries, I would highly recommend you take a look – it's a pretty amazing product: Imagine trying to put together a jigsaw puzzle, without an image of the completed puzzle, no idea of how many pieces are required, and to add to your woes the pieces are hidden all over the building. If you've ever had to trawl through multiple logs to try and work out what's causing a problem, and you only have symptoms to work from – say a production server is running slowly – you'll recognise the analogy. Logentries puts the answers hidden within your myriad of logs right at your fingertips. It's simple to use, lightning fast, and you can create some very cool visualisations from your data too. Click here to learn more about how Logentries can revolutionise how you see your ecosystem.

Look out! Here comes the AppSpider, Man!

Whilst my tenuously linked movie reference here is no stranger to Oscar nominations either, I'm obviously referring to our AppSpider product, which is listed as a finalist in the Network Computing Awards, in the Testing and Monitoring Product of the Year category. Web apps, and the plethora of technologies that power them, are growing at a crazy rate, presenting complicated security challenges for organisations. AppSpider crawls to the deepest, darkest corners of even the most modern and complex apps to effectively test for risk and get you the insight you need to remediate faster. It plays a key part in the SDLC, and allows DevOps to fix issues earlier in the cycle - resulting in a huge reduction in last minute delays caused by vulnerabilities being found late in the day. You can read more about how DevOps teams using AppSpider can reduce stress and possibly live longer happier lives* here.

*Life lengthening not guaranteed, but your web app SDLC will be in a happier place for sure. Always read the label.

So many great movies, so little time….but which One should I Watch?

The Rapid7 movie, of course! Well, OK, we don't have a movie length extravaganza of Rapid7 for you yet (cough, cough: Kyle Flaherty,), but we do have some pretty cool YouTube videos you can watch, plus a highly acclaimed podcast you should listen to. We've also been listed as a finalist for the One to Watch Company - hooray!

We're pleased (read: overjoyed), humbled, and indeed chuffed (I had to get a Britishism in somewhere) to have received our finalist nominations, and very much looking forward to attending the event in London later this year. If you could please take a minute to cast your votes for Logentries, AppSpider and Rapid7 that would be most wonderful of you – voting is open until March 22nd. Click here to vote!

12 Days of HaXmas: The Gift of Endpoint Visibility and Log Analytics

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.

Machine generated log data is probably the simplest and one of the most used data sources for everyday use cases such as troubleshooting, monitoring, security investigations … the list goes on. Since log data records exactly what happens in your software over time, it is extremely useful for understanding what caused an outage or security vulnerability. With technologies like InsightOps, it can also be used to monitor systems in real time by looking at live log data, which can contain anything from resource usage information, to error rates, to user activity etc. So in short, when used for the right job, log data is extremely powerful... until it's NOT!

When is it not useful to look at logs? When your logs don't contain the data you need. How many times during an investigation have your logs contained enough information to point you in the right direction, but then fell short of giving you the complete picture? Unfortunately, it is quite common to run out of road when looking at log data; if only you had recorded 'user logins', or some other piece of data that was important with hindsight, you could figure out what user installed some malware and your investigation would be complete. Log data, by its very nature, provides an incomplete view of your system, and while log and machine data is invaluable for troubleshooting, investigations and monitoring, it is generally at its most powerful when used in conjunction with other data sources. If you think about it, knowing exactly what to log up front to give you 100% code or system coverage is like trying to predict the future. Thus when problems arise or investigations are underway, you may not have the complete picture you need to identify the true root cause.

So our gift to you this HaXmas is the ability to generate log data on the fly through our new endpoint technology, InsightOps, which enables you to fill in any missing information during troubleshooting or investigations. InsightOps is pioneering the ability to generate log data on the fly by allowing end users to ask questions of their environment and returning answers in the form of logs. Essentially, it will allow you to create synthetic logs which can be combined with your traditional log data - giving you the complete picture! It also gives you all this information in one place (so no need to combine a bunch of different IT monitoring tools to get all the information you need). You will be able to ask anything from 'what processes are running on every endpoint in my environment' to ‘what is the memory consumption' of a given process or machine. In fact, our vision is to allow users to ask any question that might be relevant for their environment such that you will never be left in the dark and never again have to say ‘if only I had logged that.'

Interested in trying InsightOps for yourself? Sign up here: https://www.rapid7.com/products/insightops/

Happy HaXmas!

Announcing InsightOps - Pioneering Endpoint Visibility and Log Analytics

Our mission at Rapid7 is to solve complex security and IT challenges with simple, innovative solutions. Late last year Logentries joined the Rapid7 family to help to drive this mission. The Logentries technology itself had been designed to reveal the power of log data to the world and had built a community of 50,000 users on the foundations of our real time, easy to use yet powerful log management and analytics engine.

Today we are excited to announce InsightOps, the next generation of Logentries. InsightOps builds on the fundamental premise that in a world where systems are increasingly distributed, cloud-based and made up of connected/smart devices, log and machine data is inherently valuable to understand what is going on, be that from a performance perspective, troubleshooting customer issues or when investigating security threats. However, InsightOps also builds on a second fundamental premise, which is that log data is very often an incomplete view of your system, and while log and machine data is invaluable for troubleshooting, investigations and monitoring, it is generally at its most powerful when used in conjunction with other data sources. If you think about it, knowing exactly what to log up front to give you 100% code or system coverage is like trying to predict the future. Thus when problems arise or investigations are underway, you may not have the complete picture you need to identify the true root cause.

To solve this problem InsightOps allows users to ask questions of specific endpoints in your environment. The endpoints return answers to these questions, in seconds, in the form of log events such that they can be correlated with your existing log data. I think of it as being able to generate 'synthetic logs' on the fly - logs designed to answer your questions as you investigate or need vital missing information. How often have you said during troubleshooting or an investigation "I wish I had logged that…”? Now you can ask questions in real time to fill in the missing details, e.g. “who was the last person to have logged into this machine?”

InsightOps combines both log data and endpoint information such that users can get a more complete understanding of their infrastructure and applications through a single solution. InsightOps will now deliver this IT data in one place and thus avoids the need for IT professionals to jump between several, disparate tools in order to get a more complete picture of their systems. By the way - this is the top pain point IT professionals have reported across lots and lots of conversations that we have had, and that we continue to have, with our large community of users.

To say I am excited about this is an understatement - I've been building and researching log analytics solutions for more than 10 years and I truly believe the power provided by combining logs and endpoints will be a serious game changer for anybody who utilizes log data as part of their day to day responsibilities -- be that for asset management, infrastructure monitoring, maintaining compliance or simply achieving greater visibility, awareness and control over your IT environment.

InsightOps will also be providing some awesome new capabilities beyond our new endpoint technology, including:

Visual Search: Visual search is an exciting new way of searching and analyzing trends in your log data by interacting with auto-generated graphs. InsightOps will automatically identify key trends in your logs and will visualize these when in visual search mode. You can interact with these to filter your logs, allowing you to search and look for trends in your log data without having to write a single search query.

New Dashboards and Reporting: We have enhanced our dashboard technology, making it easier to configure dashboards as well as providing a new, slicker look and feel. Dashboards can also be exported to our report manager where you can store and schedule reports, which can be used to provide a view of important trends, e.g. reporting to management or for compliance reporting purposes.

Data Enrichment: Providing additional context and structuring log data can be invaluable for easier analysis and ultimately to drive more value from your log and machine data. InsightOps enhances your logs by enriching them in 2 ways: (1) by combining endpoint data with your traditional logs to provide additional context, and (2) by normalizing your logs into a common JSON structure such that it is easier for users to work with, run queries against, build dashboards etc.

As always check it out and let us know what you think - we are super excited to lead the way into the next generation of log analytics technologies. You can apply for access to the InsightOps beta program here: https://www.rapid7.com/products/insightops/beta-request

UNITED 2016: Want to share your experience?

Key trends. Expert advice. The latest techniques and technology. UNITED 2016 is created from the ground up to provide the insight you need to drive your security program forward, faster. This year, we're also hoping you can provide us with the insight we need to make our products and services even better. That's why we're running two UX focus groups on November 1, 2016. We'd love to see you there—after all, your feedback is what keeps our solutions ever-evolving.

UX Focus Group: Help us make Nexpose Now even better

Stale results. False alerts. Windows of wait. We heard your issues with traditional scanning and released Nexpose Now to help you resolve them. Now that you've been using it for several months, we'd love to know: how's it going? Actually, we have way more questions than that, but they're all in the service of making sure Nexpose Now is meeting – or exceeding – your needs. And the only person who can tell us that is you! So please join us for this 1.5-hour focus group, where you – along with other Nexpose Now users – can share your list of loves and loathes. It's the perfect opportunity to speak with Rapid7, as well as your peers, about your Nexpose Now experience, so we can help make it even more exceptional.

UX Focus Group: Creating personalized and exceptional experiences

Here at Rapid7, we think we've done some pretty great stuff, but we also know we can do some things even better. Though, frankly, what we think doesn't really matter—as a Rapid7 customer, the only opinion we care about is yours. And we want it! Why? Well, as our favorite customer experience author John A. Goodman put it, “We can solve only the problems we know about.” So join this 1.5-hour focus group and let us know: from the first time you heard about our solutions to the last time you used them, what's worked well and what could work better? Your participation will really help us to understand the experience from your perspective, and how we can further personalize and improve that experience moving forward.

Want in?

Saving a seat in our focus groups is easy. If you haven't yet registered for UNITED, you can register for a UX session while registering for the conference. If you have already registered for UNITED, just head back to the conference registration page, enter the email address you used to register – along with your confirmation number – and tack on the session that makes sense for you. Space is limited, so act soon! We are looking forward to seeing you!

Ger Joyce
Senior UX Researcher, Rapid7

Log Search Simplified

Hi, I'm Laura, UX Designer at Logentries, and today I'm going to discuss how just about anyone can use Logentries to search and analyze their log data, no matter what their job title or technical skill level.

What is Logentries?

At Logentries, the team works tirelessly to provide an easy to use log management service that allows users to stream their logs from just about anything. Logentries can accept data from almost any device that generates log data, including servers, applications, firewalls and routers. Really, any data, from any device and in any kind of format. These log events are automatically collected and sent to one secure location where users can quickly search and visualize their data to find out all they need to know.

Typically, Logentries is used by DevOps and Developers while they are busy debugging, monitoring and troubleshooting. More recently, as Logentries has become part of Rapid7 information security and analytics solutions, the power of log search has grown to include a new variety of users within information security teams and IT. These professionals use Logentries search to help solve security problems, investigate incidents and help maintain compliance.

So IT guys get to have all the fun? Not quite. We have a growing number of users from non-technical backgrounds who are hot on their heels. Businesses and marketing teams have recognized the potential of using Logentries to monitor behaviors, identify patterns and gather all types of interesting information to help focus their business goals or marketing campaigns.

The basics of performing a search

So you're not a DevOps master or some kind of IT guru? No problem. I'm going to take you through the basics of performing a search in Logentries using our very own search language, LEQL (Logentries Query Language). Using this simple SQL-like language you can extract data hiding deep in your logs. Now that you know the basic query format, we will take a look at putting it into practice.

For example, let's take myself, a UX Designer who wants to design solutions for an improved user experience within Logentries. But where do I start? Where do I focus my energies? First I want to discover the most popular or core features in Logentries. Easy. I can do this by using an application library such as the node.js, .Net or Java libraries, which allow you to log straight from the front end of your application. You can find this in the "Add a log" page and it is a quick and easy set up process. You can find a more detailed set up process and tips in the blog post "A different way to log your website usage". Your developer will help you embed the necessary code into your site and create listeners on elements you would like to track, like buttons, links, pages and features. Once set up, it can track metrics such as usage trends, activity, behaviors and engagement times across your application.

Tracking most clicked features

Now that I have the information that is important to me logging to my Logentries account, I can write some LEQL to query this data. First, navigate to the Logentries Log view. This is where logs feed into, where we can select logs and where we can search. The query search bar has two modes. "Advanced" is the mode an experienced user would use to write full LEQL queries. "Simple" mode is for users who are newbies or just need a helping hand in building their query. We are going to use simple mode to get you started. We are interested in learning how often a user visits a feature. We can find this out by tracking how often the button or link to this feature is clicked.

First comes the "where" field, followed by the "groupby" and "calculate" fields. Next is an icon to allow you to save your query, and a time picker to allow you to select a particular time range to search. The mode can be toggled between simple and advanced via the switch mode link.

Step 1

We want to search for click events, so we search the keyword "clicked." Keyword search will work on all log entries regardless of their format and is case sensitive by default. This will give you a result of all the log entries containing click events. You can see the keyword highlighted in yellow.

Step 2

That's great, but we want to do a more granular search. We need to break this up into exactly what features were clicked. Let's group by "features." Once this key is added to your query the calculate function automatically selects calculate(count). This returns a count of the matched search. Your results are returned as a table with all of your search criteria listed and a visualization of your data. Now you can see all the features that have been clicked and how often they were clicked, giving an indication of which features users spend most of their time using. This can help me prioritize where I should focus my efforts to work towards making these features better for our users.

Endless possibilities

This is just one example of how you can use Logentries search to gain insight into your application usage. You could potentially find out lots of other interesting data, like what screen resolution your users use most or what the most popular browsers are. You could find out how often or at what point a user drops off or cancels from a workflow such as a sign up process or a create wizard. Or even how long a user hovers on a button or how long they spend on a particular page. The possibilities are endless. To learn more about search check out our docs or start a 30 day free trial. Thanks for reading!

Laura Ellis
UX Designer, Rapid7
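The two-step search above, worked in Python as an added example (not Logentries code and not a real LEQL implementation): a small evaluator for the simple-mode query shape where(<keyword>) groupby(<key>) calculate(count), run over constructed JSON click events, with the case-sensitive-by-default keyword match the post describes. The exact LEQL grammar and the treatment of matching entries that cannot be grouped are assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample log (not real Logentries data): JSON events of the kind a
# front-end logging library sends when users interact with features. The last
# line is deliberately not JSON, and one event uses "Clicked" with a capital C.
SAMPLE_LOG = """\
{"event":"clicked","feature":"dashboard","user":"u1"}
{"event":"clicked","feature":"search","user":"u2"}
{"event":"clicked","feature":"dashboard","user":"u3"}
{"event":"page_view","feature":"search","user":"u2"}
{"event":"Clicked","feature":"alerts","user":"u4"}
{"event":"clicked","feature":"alerts","user":"u1"}
plain text line: the user clicked something we did not structure
"""

# Clause shape assumed for simple-mode queries; only where(...), groupby(...)
# and calculate(count) are modelled here.
_CLAUSE_RE = re.compile(r"(where|groupby|calculate)\(([^)]*)\)")


def parse_query(query):
    """Return (keyword, group_key_or_None) for a simple-mode query."""
    clauses = dict(_CLAUSE_RE.findall(query))
    if "where" not in clauses:
        raise ValueError("query needs a where(<keyword>) clause")
    if clauses.get("calculate", "count").strip() != "count":
        raise ValueError("only calculate(count) is modelled here")
    group_key = (clauses.get("groupby") or "").strip() or None
    return clauses["where"].strip(), group_key


def keyword_matches(line, keyword, case_sensitive=True):
    """Keyword search runs over the raw text of every entry regardless of
    its format and is case-sensitive by default, as the post states."""
    if case_sensitive:
        return keyword in line
    return keyword.casefold() in line.casefold()


def run_query(query, log_text, case_sensitive=True):
    """Evaluate the query over newline-separated log entries.

    Returns {"matched": n} or, with a groupby clause,
    {"matched": n, "groups": [(value, count), ...]} sorted by count
    descending then value, like the results table in the post. Matching
    entries that are not JSON or lack the groupby key still count toward
    "matched" but cannot be grouped (an assumption of this model)."""
    keyword, group_key = parse_query(query)
    hits = [ln for ln in log_text.splitlines()
            if keyword_matches(ln, keyword, case_sensitive)]
    result = {"matched": len(hits)}
    if group_key is None:
        return result
    counts = Counter()
    for ln in hits:
        try:
            event = json.loads(ln)
        except ValueError:
            continue  # keyword hit, but no structure to group on
        if isinstance(event, dict) and group_key in event:
            counts[str(event[group_key])] += 1
    result["groups"] = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return result


if __name__ == "__main__":
    for q in ("where(clicked) calculate(count)",
              "where(clicked) groupby(feature) calculate(count)"):
        print(q, "->", run_query(q, SAMPLE_LOG))
```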

Using Log Data as Forensic Evidence

This is a guest post by Ed Tittel. Ed, a regular contributor to blog.logentries.com, has been writing about information security topics since the mid-1990s. He contributed to the first five editions of the CISSP Study Guide (Sybex, 6e, 2012, ISBN: 978-1-119-31427-3) and to two editions of Computer Forensics JumpStart (Sybex, 2e, 2011, ISBN: 978-0-470-93166-0), and still writes and blogs regularly on security topics for websites including Tom's IT Pro, GoCertify.com, CIO.com, and various TechTarget outlets including SearchSecurity.com. Learn more about or contact Ed through his website.

Working with computer logs is something of an ongoing adventure in discovery. The data from such logs is amenable to many uses and applications, particularly when it comes to monitoring and maintaining security. But even after a security breach or incident has occurred, log data can also provide information about how an attack was carried out, the IP address (or addresses) from which it originated, and other packet data from network communications that could be used to identify the source of the attack and possibly also the identity of the attacker. That can mean presenting log data in a court of law as evidence to support specific allegations or accusations. How does that work?

Documentary or Digital Evidence and the Hearsay Rule

In legal matters, a special consideration called the hearsay rule normally applies to evidence that may be admitted in court for a judge or a jury to consider in assessing or disproving the truth of various assertions, or in deciding guilt or innocence for an accused party. The hearsay rule states that “testimony or documents which quote persons not in court are not admissible.” This provision in the law is intended to prevent information provided by third parties who cannot be questioned about their testimony or documents, or whose credibility or veracity can be neither proven nor impeached, from affecting the outcome of a decision of guilt or innocence. For the layperson, it's clearly tied to the notion that the accused has the right to face and question those who accuse him or her in the courtroom as the legal process works to its final conclusion.

But what about digital evidence, then? Computer logs capture all kinds of information routinely, either at regular intervals or in response to specific events. Because an accused party cannot face or question software in the courtroom, does this mean that logs and other similar computer-generated data are not admissible as evidence? Absolutely not, but there are a few “catches” involved.

The Business Records Exception…

As it happens, there are some kinds of information and documents that are NOT excluded by the hearsay rule, as explained in the Federal Rule of Evidence 803(6). Most specifically, “Records of regularly conducted activity” are among these exceptions. These are defined in the afore-cited publication as “A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation, as shown by the testimony of the custodian or other qualified witness, …, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness. The term ‘business' as used in this paragraph indicates business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit.”

Whew! That's a lot to digest, but here is what it means: As long as the party that wishes to use log data as evidence can show that it routinely collected log records before (and during) the events or activities captured in those logs, they should be admissible as evidence in court. A responsible person would have to be able to truthfully testify that logging was already in use by that time, and that the log data presented as evidence is a true and faithful (that is, unaltered) copy of the original data logged at the time the alleged events or activities occurred, for that evidence to stand. But because logs are designed to provide a record of events and activities, it will be close to impossible for the other side of the case to argue that such evidence is inadmissible per se. As long as you can produce one or more credible witnesses, with supporting documentation (memos, file dates, and so forth) to show that logging started some time before the alleged events or activities occurred, and can provide records to show that the log data presented in court is identical to what was originally captured and has not been altered since, your logs can indeed tell their story in the courtroom.

Note: my thanks to Neil Broom, President of the Technical Resource Center, a regular forensics examiner and expert witness on digital forensics, and an author of Computer Forensics JumpStart, for his clear and helpful guidance in explaining log data as legal evidence in the courtroom.

Logentries by Rapid7 makes it simple to collect, analyze and ensure the security of your log data. Start centralizing your log data today with a free 30-day Logentries trial. Click here to get started.

Nexpose Logging Analytics using LogEntries

This blog shows how to use the power of LogEntries Search and Analytics to monitor your Nexpose installation. LogEntries has joined the Rapid7 family and offers several powerful capabilities to search, analyze, monitor and alert on your Nexpose installation. LogEntries is also super easy to set up and maintain. I spent about five minutes getting it running. The Nexpose engineering team made it very easy by enabling the log4j appender in every installation of Nexpose. All you have to do is follow these steps to get up and running.

Set up your free trial

Set up a free trial on LogEntries (https://logentries.com/) by clicking on the "Start a Free Trial" button.

Generate tokens for system logging

You can create logging tokens by clicking on "Add a Log", choosing the "Java" icon in the "Libraries" section, and then clicking on "Create Log Token" at the bottom of the screen. Create as many tokens as you want appenders (see next step). You can have an appender for every Nexpose log if you want.

Configure Nexpose Logging

In your Nexpose installation, copy the logentries appenders from the console's logging configuration located in /opt/rapid7/nexpose/nsc/conf/logging.xml (near the bottom of the file) and paste them into the user-log-settings.xml file in the same directory. Make sure to replace each ${logentries-*-token} placeholder with the actual token from your logentries account that you created above. Each appender can have its own token so they can be tracked using different logs in logentries. Here is an example:

<appender name="le-nsc" class="com.logentries.logback.LogentriesAppender">
    <Token>123725d5-10df-4aa7-b683-3e8c71251b2c</Token>
    <Debug>False</Debug>
    <Ssl>False</Ssl>
    <facility>USER</facility>
    <encoder>
        <pattern>${logFormat}</pattern>
    </encoder>
</appender>

Unlock the power of LogEntries

Restart Nexpose and you will see logs flowing into your LogEntries account.
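The copy-and-replace step above is easy to get slightly wrong: a placeholder left in place means the appender silently ships nothing, and the example appender has Ssl set to False, so the token and every log line would leave the console in cleartext. The script below is an added example (not Nexpose's or Logentries' own tooling) that fills the token placeholders from a mapping and checks the result before you paste it into user-log-settings.xml. The placeholder name ${logentries-nsc-token} and the assumption that the appender accepts <Ssl>True</Ssl> are mine; the token value is the one shown in the post.

```python
"""Added example (not Nexpose's or Logentries' own tooling): fill the
${logentries-*-token} placeholders copied from logging.xml and sanity-check
the result before pasting it into user-log-settings.xml."""
import re
import xml.etree.ElementTree as ET

# Constructed template modelled on the appender shown in the post. The
# placeholder name ${logentries-nsc-token} is an assumption about how the
# placeholders in logging.xml are named; adjust it to match your file.
APPENDER_TEMPLATE = """<configuration>
  <appender name="le-nsc" class="com.logentries.logback.LogentriesAppender">
    <Token>${logentries-nsc-token}</Token>
    <Debug>False</Debug>
    <Ssl>False</Ssl>
    <facility>USER</facility>
    <encoder>
      <pattern>${logFormat}</pattern>
    </encoder>
  </appender>
</configuration>
"""

# Logentries tokens in the post look like UUIDs; treat anything else as suspect.
TOKEN_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
PLACEHOLDER_RE = re.compile(r"\$\{(logentries-[A-Za-z0-9-]+-token)\}")


def render_appenders(template, tokens, force_ssl=True):
    """Substitute each ${logentries-*-token} from `tokens` (name -> token).

    Other ${...} references such as ${logFormat} are left alone for logback
    to resolve. With force_ssl, <Ssl>False</Ssl> is rewritten to True so the
    token and every log line leave the host over TLS (that the appender
    accepts Ssl=True is an assumption; the post only shows it set to False).
    """
    def replace(match):
        name = match.group(1)
        if name not in tokens:
            raise KeyError("no token supplied for placeholder " + name)
        return tokens[name]

    rendered = PLACEHOLDER_RE.sub(replace, template)
    if force_ssl:
        rendered = re.sub(r"<Ssl>\s*False\s*</Ssl>", "<Ssl>True</Ssl>",
                          rendered, flags=re.I)
    return rendered


def check_appenders(xml_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for appender in root.iter("appender"):
        name = appender.get("name", "?")
        token = (appender.findtext("Token") or "").strip()
        if token.startswith("${"):
            findings.append(f"{name}: token placeholder was not replaced")
        elif not TOKEN_RE.match(token):
            findings.append(f"{name}: token does not look like a Logentries token")
        if (appender.findtext("Ssl") or "").strip().lower() != "true":
            findings.append(f"{name}: Ssl is not True; log lines would leave the host in cleartext")
        if (appender.findtext("Debug") or "").strip().lower() == "true":
            findings.append(f"{name}: Debug is True; leave it off outside troubleshooting")
    return findings


if __name__ == "__main__":
    # The token value below is the one shown in the post's example.
    filled = render_appenders(APPENDER_TEMPLATE,
                              {"logentries-nsc-token": "123725d5-10df-4aa7-b683-3e8c71251b2c"})
    print(filled)
    print(check_appenders(filled) or "no findings")
```

Run check_appenders() against the block you are about to paste; if it reports a leftover placeholder or a cleartext appender, fix that before restarting Nexpose, because a misconfigured appender fails quietly rather than loudly.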
Now you can start using all the great features of LogEntries including Live Tail, Saved Queries, Alerts, and Tagging to manage your Nexpose console. Here are some examples:

Initial Log View

This view will appear as soon as you click on the Log Set that you want to view. In my case, "Demo Set" is the log set that I used when creating my account and hooking up Nexpose. From here you can search and filter to find log entries of interest.

Live Tailing

Live Tailing is a great feature that allows you to debug or monitor issues as they are happening.

Creating Tags and Alerts

Tags and alerts allow you to label specific log lines based on regular expressions and also alert if anomalies occur.

Wrap Up

Also check out how to do the same thing with Metasploit Pro in Securing Your Metasploit Logs. I hope you have found this helpful, and please share any feedback such as alerts, dashboards, or other useful tips and tricks that you have found when using Nexpose with LogEntries.

Securing Your Metasploit Logs

Original post from Logentries found here: Securing your Metasploit Logs by Justin Buchanan

Metasploit, backed by a community of 200,000 users and contributors, is the most impactful penetration testing solution on the planet. With it, uncover weaknesses in your defenses, focus on the highest risks, and improve your security outcomes. Your Metasploit Pro console produces a lot of important logs. It is essential to be able to review these logs, alert on them, and keep them secure.

Why should I monitor these logs?

The logs produced by your Metasploit Pro console are helpful when troubleshooting, and also for monitoring the usage of the Metasploit product. Metasploit Pro is impressively powerful, which also makes it crucial to closely monitor its usage. Unfortunately, you must always plan for the worst possible scenario, including the potential for a Metasploit user to alter the logs created by the console to hide their actions. Sending these logs to a secure central location in real time can ensure that they remain unaltered and easy to review.

What and where are the Metasploit Pro Logs?

The list below details all of the logs created by your Metasploit Pro console and where they are saved.
Your installation root directory may vary; by default the installation root for Linux is /opt/metasploit and for Windows C:\metasploit.

$INSTALL_ROOT/apps/pro/nginx/logs/error.log – Console web server error log
$INSTALL_ROOT/apps/pro/nginx/logs/access.log – Console web server access log
$INSTALL_ROOT/apps/pro/ui/log/production.log – Rails (ruby) log
$INSTALL_ROOT/apps/pro/engine/config/logs/framework.log – Metasploit Framework log
$INSTALL_ROOT/apps/pro/engine/prosvc_stdout.log – Metasploit RPC output log
$INSTALL_ROOT/apps/pro/engine/prosvc_stderr.log – Metasploit RPC error log
$INSTALL_ROOT/apps/pro/tasks – Task logs
$INSTALL_ROOT/apps/pro/engine/license.log – License log

As a best practice, all of the above logs should be sent to a secure, off-site location for storage and analysis. For the purposes of this post we will focus on the three most imperative logs:

tasks
framework.log
access.log

The tasks directory

The tasks directory provides text files detailing all of the actions taken by all Metasploit users. It will record any exploit that is run, the creation of a listener, establishment of a pivot, and any other action taken through the console.

Configure the Logentries Agent

To capture the log data saved to the tasks directory, first ensure that you have installed the appropriate Logentries Agent on the Metasploit Console machine. The Logentries Agent can automatically identify and forward the newest log file written to a directory by using a wildcard configuration. For the Linux Agent, issue the following command to follow the tasks directory:

sudo le follow '/opt/metasploit/apps/pro/tasks/*.txt'

and with the Windows Agent:

AgentService.exe follow c:\metasploit\apps\pro\tasks\*.txt

Always remember to restart the Logentries service after making changes to its configuration.
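Shipping the tasks directory off-host protects the copy Logentries holds, but an investigator will also want to show that a copy matches what the console originally wrote, which is the point the earlier post on log data as evidence makes about proving logs unaltered. The script below is an added example, not part of the Logentries agent or Metasploit Pro: it records SHA-256 hashes of the task logs and seals the record with an HMAC key that should be held off the console, so a later comparison reports modified, missing and added files, and an edited manifest fails the seal check. The directory contents and the key are constructed for the demo.

```python
"""Added example, not part of the Logentries agent or Metasploit Pro: record
SHA-256 hashes of the task logs and seal the record with a key held off the
console, so a later copy can be shown to be identical to what was written."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(log_dir, suffix=".txt"):
    """Map each matching file (path relative to log_dir) to its hash and size."""
    files = {}
    for root, _dirs, names in os.walk(log_dir):
        for name in sorted(names):
            if name.endswith(suffix):
                full = os.path.join(root, name)
                files[os.path.relpath(full, log_dir)] = {
                    "sha256": sha256_file(full),
                    "size": os.path.getsize(full),
                }
    return {"files": files}


def seal_manifest(manifest, key):
    """HMAC-SHA256 over canonical JSON. The key must not live on the console;
    otherwise whoever edits the logs can re-seal the manifest as well."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def seal_is_valid(manifest, key, seal):
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_manifest(log_dir, manifest, suffix=".txt"):
    """Compare the directory as it is now against a manifest taken earlier."""
    now = build_manifest(log_dir, suffix)["files"]
    then = manifest["files"]
    return {
        "modified": sorted(p for p in then if p in now and now[p]["sha256"] != then[p]["sha256"]),
        "missing": sorted(p for p in then if p not in now),
        "added": sorted(p for p in now if p not in then),
    }


def demo():
    """Constructed tasks directory: snapshot, tamper, verify.
    Returns (report, original_seal_ok, edited_manifest_seal_ok)."""
    key = b"constructed-demo-key-keep-the-real-one-off-host"
    with tempfile.TemporaryDirectory() as tasks:
        with open(os.path.join(tasks, "task_1.txt"), "w") as f:
            f.write("[*] task started: discovery scan of 192.0.2.0/24 (constructed line)\n")
        with open(os.path.join(tasks, "task_2.txt"), "w") as f:
            f.write("[*] task started: listener on port 4444 (constructed line)\n")
        manifest = build_manifest(tasks)
        seal = seal_manifest(manifest, key)

        # Tamper: rewrite one task log and drop in another file.
        with open(os.path.join(tasks, "task_2.txt"), "w") as f:
            f.write("[*] nothing to see here\n")
        with open(os.path.join(tasks, "task_3.txt"), "w") as f:
            f.write("[*] task started: later task (constructed line)\n")
        report = verify_manifest(tasks, manifest)

        # A manifest rebuilt after the edit does not carry a valid seal.
        edited = build_manifest(tasks)
        return report, seal_is_valid(manifest, key, seal), seal_is_valid(edited, key, seal)


if __name__ == "__main__":
    print(demo())
```

Take the manifest and seal at a fixed interval (or after each task completes) and send them along the same Logentries path as the logs themselves; the hashes are small, and the comparison later is what turns "we shipped the logs" into "this copy is the one the console wrote".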
View in Logentries

Now as new tasks are written to the directory on your console server you can see them stream into Logentries in real time, creating an immutable offsite backup of these important audit trails.

framework.log

framework.log is your best friend when you are trying to troubleshoot an issue you are encountering with Metasploit. All the logged errors are saved here. When you dig into this log you will gain insight into which exploits failed, and for what reasons, as well as general stack traces.

Configure the Logentries Agent

In this case, because framework.log is just a single file, there is no need for special configuration. The command to follow this file with the Linux Agent would simply be:

sudo le follow /opt/metasploit/apps/pro/engine/config/logs/framework.log

access.log

The final log discussed here is the NGINX access.log produced by the Metasploit console. The information available in this log is imperative to maintain complete audit trails of all actions taken in the console. This log will contain every request made to the web interface, including the IP address of the requester, making it invaluable in an investigation. Metasploit's NGINX server is configured to log in combined log format, and as a result Logentries will be able to perform in-depth analysis on these logs with ease. The video below provides a tutorial on using the advanced search functionalities of Logentries to query an Apache access.log; all the same features and functionality will be available with this NGINX access.log.

Ready to secure your Metasploit logs? Give it a try by creating a free Logentries account today!
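Because the console's access.log is in combined log format, each line carries the client address, the request, the status code and the user agent in a fixed layout, which is what makes it easy to query once it is shipped. The parser below is an added example, not code from the post or from Metasploit Pro: it splits combined-format lines into fields, summarises requests and 4xx/5xx responses per client, counts lines that do not parse rather than dropping them, and lists clients whose error count reaches a threshold as a starting point for an alert. The sample lines, addresses and paths are constructed and are not Metasploit Pro's actual routes.

```python
"""Added example, not code from the post: parse NGINX combined-format
access.log lines and summarise them per client, the kind of triage Logentries
performs once the file is shipped."""
import re
from collections import defaultdict
from datetime import datetime

# One combined-format line:
# remote_addr ident user [time] "request" status bytes "referer" "user_agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample; addresses and paths are illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2015:14:03:11 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2015:14:03:15 +0000] "POST /login HTTP/1.1" 302 0 "https://console.example/" "Mozilla/5.0"
10.0.0.9 - - [12/Oct/2015:14:05:01 +0000] "POST /login HTTP/1.1" 401 87 "-" "curl/7.43.0"
10.0.0.9 - - [12/Oct/2015:14:05:02 +0000] "POST /login HTTP/1.1" 401 87 "-" "curl/7.43.0"
10.0.0.9 - - [12/Oct/2015:14:05:03 +0000] "POST /login HTTP/1.1" 401 87 "-" "curl/7.43.0"
this line is deliberately malformed and must be counted, not silently dropped
"""


def parse_combined(line):
    """Return a dict of fields, or None if the line is not combined format."""
    match = COMBINED_RE.match(line.rstrip("\n"))
    if not match:
        return None
    fields = match.groupdict()
    fields["status"] = int(fields["status"])
    fields["bytes"] = 0 if fields["bytes"] == "-" else int(fields["bytes"])
    fields["time"] = datetime.strptime(fields["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = fields["request"].split(" ")
    fields["method"] = parts[0] if parts else ""
    fields["path"] = parts[1] if len(parts) > 1 else ""
    return fields


def summarize(lines):
    """Per-client request count, 4xx/5xx count, user agents and time span."""
    clients = defaultdict(lambda: {"requests": 0, "errors": 0, "agents": set(),
                                   "first": None, "last": None})
    unparsed = 0
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            unparsed += 1
            continue
        c = clients[entry["ip"]]
        c["requests"] += 1
        if entry["status"] >= 400:
            c["errors"] += 1
        c["agents"].add(entry["agent"])
        c["first"] = entry["time"] if c["first"] is None else min(c["first"], entry["time"])
        c["last"] = entry["time"] if c["last"] is None else max(c["last"], entry["time"])
    return {"clients": dict(clients), "unparsed": unparsed}


def clients_with_repeated_errors(summary, threshold=3):
    """Addresses whose 4xx/5xx count reached the threshold: a starting point
    for an alert, not a verdict."""
    return sorted(ip for ip, c in summary["clients"].items() if c["errors"] >= threshold)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip, c in summary["clients"].items():
        print(ip, c["requests"], "requests,", c["errors"], "errors,", sorted(c["agents"]))
    print("unparsed lines:", summary["unparsed"])
    print("repeated errors from:", clients_with_repeated_errors(summary))
```

The unparsed counter matters more than it looks: a run of lines that stop matching the format is itself a signal (a changed log_format, truncation, or someone writing to the file by hand), so surface it alongside the per-client view rather than discarding those lines.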

Logentries Joins the Rapid7 Family

I'm very excited today to join the Rapid7 family. The acquisition is good news for Logentries customers, Rapid7 customers and all of our employees. It means that great minds and innovative technology have come together to solve some of our thorniest IT and security challenges.

The Logentries team has been on a mission over the last few years -- Revealing the Power of Log Data to the World. While pursuing our mission, I am often asked why log data has become so valuable. The answer is simple: look at the world around us. Cloud computing has emerged as a disruptive force, mobile and internet connected devices are increasing exponentially, and IT systems are widely distributed and increasingly siloed.

These trends have changed the nature of what it means to build, deploy, manage and secure the systems we all rely on for our daily lives. And when systems are breached, or closer investigation into potential issues is warranted, it's the log data that is often the source of truth.

Rapid7 is dedicated to solving the security data and analytics challenge; Logentries is dedicated to solving the machine data search and analytics challenge. Uniting to form one team—uniquely positioned to offer the broadest and deepest solutions for searching and analyzing IT and security data—is the next logical iteration.

It is in this spirit that I look forward to working as a member of the Rapid7 team. Together we will embrace the data challenge, and help our customers and partners better understand, manage and protect their IT infrastructure.

Rapid7 is committed to continuing the development of our products. The company has a strong reputation for effectively partnering with its customers, delivering continuous innovation and creating solutions with impact. Sounds a lot like Logentries!

You can learn more about the acquisition from the press release, this blog from Rapid7's CEO, Corey Thomas, or by joining our conference call today at 5:00 p.m. Eastern Time. The call will be accessible by telephone at 888-223-4580 (domestic) or 303-223-2683 (international). A webcast replay will be available at http://investors.rapid7.com until October 16, 2015.

Andrew Burton
CEO, Logentries

Why we're welcoming Logentries to the Rapid7 family - a story of data and analytics

Those that follow Rapid7 will know that we talk a great deal about our vision of delivering security data and analytics to our customers to enable an active, analytics-driven approach to cyber security. I'm excited to let you know that today we're making an important addition to the Rapid7 family that will help us advance this vision even further… we are acquiring the world-class, cloud-based log management and search technology company, Logentries.

Organizations need real mastery of the information in their IT environment so they can better understand and respond to risk. Being able to easily search machine data and logs is a key means of doing this, enabling security pros to dig deeper for a better view of their security posture and to perform detailed investigations and forensics on security incidents.

It's a great complement to our current capabilities for incident investigation, including our ability to tie events back to the specific users and assets involved, in a matter of minutes, and to seamlessly build an incident timeline. Today, our customers tell us that with our UserInsight solution, they can complete an investigation which previously required two days in only minutes. We plan to bring that kind of power to our customers with our new search capabilities as well. We are committed to helping you solve problems quickly so you can focus on what matters – making your organization more secure.

Logentries' technology enhances our data collection by providing our customers with really fast, scalable search, so you can find the answers you need more quickly and efficiently.

Of course, when acquiring a company, great technology is only part of the picture -- even more important are all the people who make the company great. Corporate culture is very important to Rapid7; we strongly believe one of the measures for success in a move like this is making sure the cultures mesh, and mesh well. At the core of our corporate culture is a strong commitment to putting customers first, and a dedication to driving innovation. We were impressed and excited to find that Logentries shares these core values.

Another significant area of alignment in our approach is our mutual commitment to supporting a community of free users, and enabling customers to try the technology before they buy. This has been a core tenet for Rapid7 for years, and underpins our support of the Metasploit Framework, as well as free versions and trials of Nexpose and AppSpider. Similarly, Logentries has a vast community of 50,000 for its free version, which you can try here. We believe that through these many areas of alignment we will continue to build something truly great. I am so excited to welcome the Logentries team to our family, and I am looking forward to tackling new customer challenges together in the future.

Please join me in extending a very warm welcome to our new team members in Boston, MA and Dublin, Ireland!

You can learn more about the acquisition from our press release, this blog from Logentries CEO, Andrew Burton, or by joining our conference call today at 5:00 p.m. Eastern Time. The call will be accessible by telephone at 888-223-4580 (domestic) or 303-223-2683 (international). A webcast replay will be available at http://investors.rapid7.com until October 16, 2015.

Corey Thomas
President & CEO, Rapid7