Kris Watts

Founder and CTO

Recent Posts

Announcing the Gravwell Sysmon Kit

Mar 10, 2021 8:22:53 AM / by Kris Watts posted in EventLog, Windows, Security, kits, Sysmon, DNS

We are pleased to announce the immediate availability of the Gravwell Sysmon kit.  This kit is designed to get you started quickly with Sysmon data and demonstrate the art of the possible.  This post will cover the basic contents of the kit and then we will perform a quick investigation of a process that probably shouldn't be running on a corporate machine.

Brewing With Gravwell

Nov 4, 2020 1:12:52 PM / by Kris Watts posted in Case study, Home Operations Center, HOWTO

Today we are going to talk about something very important - beer.  Homebrewing has a long tradition and many master brewers started by making swill in their basement.  So today, I am going to go over my homebrew setup, how it is instrumented, how I use low-cost sensors to monitor every stage; and how a little bit of automation saved a kegerator and a few carboys.

Gravwell Version 3.3.9

Apr 13, 2020 1:31:16 PM / by Kris Watts posted in Software Updates

This week sees the release of Gravwell 3.3.9, our last planned release prior to the 3.4.0 "Big Bang" release.  The Big Bang release will introduce Gravwell kits (our way of providing pre-packaged dashboards, resources, SOAR scripts, and more) plus lots of new user interface features.  But first, let's talk about 3.3.0.  This relatively boring release is mostly comprised of bug fixes, a new timegrinder timestamp, and one UI tweak.  Full change log available here.

Gravwell 3.3.0 - Overwatch Release

Nov 22, 2019 12:56:34 PM / by Kris Watts posted in Software Updates, DevOps Analytics

We are excited to announce the immediate availability of Gravwell version 3.3.0. Although this is a minor release, it includes a few fairly significant features and a whole heap of bug fixes and performance improvements. Over the next couple of days we will be doing a series of blog posts for this release detailing each of the new things in Gravwell, but first we need to show off the centerpiece of this release, Overwatch.

Version 3.2.3 - Performance Improvements

Sep 25, 2019 11:18:26 AM / by Kris Watts posted in DevOps Analytics, ingester, Events, Logging

We are proud to announce the immediate availability of Gravwell version 3.2.3. This release is all about performance and bug fixes, but we did manage to slip in a new Kafka ingester.

Version 3.2.2! Do you grok it?

Sep 10, 2019 4:29:33 PM / by Kris Watts posted in DevOps Analytics, Logging, Analytics Economics

We are pleased to announce the immediate availability of Gravwell version 3.2.2!

This one got away from us a bit and probably should be a major release; there is just too much good stuff in here. I tried to convince the team that we should just jump to version 10, but as our GUI lead started choking and muttering something about C'est absurde, we decided to stick with a point release.

Benchmarking Gravwell's Hybrid Indexing

May 22, 2019 10:06:25 AM / by Kris Watts posted in ingester

We've had some benchmarking requests from multiple organizations struggling with ingest performance from Elasticsearch, so we're publishing them here. The latest Gravwell release marks a significant improvement in ingest and indexing performance and this post covers the nitty gritty details. Better ingest performance means reduced infrastructure cost, less dropped data, and faster time-to-value. See how Gravwell stacks up.

New Gravwell Feature: Introducing Autoextractors

Feb 27, 2019 10:51:08 AM / by Kris Watts posted in Software Updates

We are excited to introduce autoextractors with Gravwell version 3.0.2.  Autoextractors make it easy for regex gurus and binary ninjas to generate extractions and share them in a portable format.  Autoextractors can dramatically simplify the process of performing field extractions from unstructured data without complicated time-of-ingest data definitions; they can be built and shared by ninjas and used by us mere mortals.

Gravwell And Bro

Aug 10, 2018 2:26:18 PM / by Kris Watts posted in Events, Security, Bro

In this detailed technical guide we’ll cover analyzing Bro security analytics with Gravwell. Bro is a passive network security sensor designed to provide a plugin friendly detection framework. There are a myriad of commercial Bro vendors and almost as many ways to format and store the output. Gravwell provides an efficient and simple interface for acquiring, storing, and querying Bro data.

Security Auditing DNS With CoreDNS and Gravwell

Jul 26, 2018 11:16:19 AM / by Kris Watts posted in Network Analytics, Case study, Logging, Security, automation, Integrations, Home Operations Center, Orchestration, DNS

DNS auditing is an integral part of any I.T. security program. Name resolutions can act as a great tip for discovering malware, command and control streams, or misbehaving employees. Acquiring DNS audit data can be difficult with some DNS servers (*cough* Windows *cough*); for this post we are going to show an extremely easy method of getting DNS audit data directly into Gravwell.
