Gravwell Blog

Gravwell And Docker Deployment

Apr 5, 2018 3:50:03 PM / by Kris Watts posted in Logging, ingester, DevOps Analytics, docker, automation, cluster

0 Comments

Overview

For this blog post we are going to go over the deployment of a distributed Docker-based Gravwell cluster. We will use Docker and a few manageability features to very quickly build and deploy a cluster of Gravwell indexers. By the end of the post we will have deployed a 6 node Gravwell cluster, a load balancing federator, and a couple ingesters. Also, the six node “cluster” is also going to absolutely SCREAM, collecting over 4 million entries per second on a single Ryzen 1700 CPU. You read that right, we are going to crush the ingest rate of every other unstructured data analytics solution available on a single $250 CPU.  Lets get started.

Read More

Gravwell Release Update: Version 2 Lands

Apr 5, 2018 3:09:18 PM / by Corey Thuen posted in Gravwell Story, Software Updates

0 Comments

This week marks the release of a Gravwell version 2. It’s been a journey with plenty of long days and nights but we’re really excited about the new capabilities. We’ll be publishing a series of blog posts which go into details of the major points, but I’d like to discuss the highlights.

Read More

Gravwell Goes to Washington

Feb 2, 2018 1:34:00 PM / by Leah Figueroa posted in Gravwell Story

0 Comments

Shmoocon, an InfoSec conference held annually by The Shmoo Group since 2005, is held early each year in Washington, D.C. ShmooCon is a purposely smaller conference, focused on bringing original research to attendees and supporting networking. ShmooCon XIV was held January 19-21 at the Washington Hilton (for those history buffs out there, you might recall that ARPANET made its debut at this hotel in 1972). It is important to us at Gravwell to be involved in the community, so I jumped at the chance to attend this year's Shmoo!

Read More

Mojitos in Miami - S4 or Bust

Jan 12, 2018 1:46:42 PM / by Corey Thuen posted in Gravwell Story

0 Comments

Read More

Gravwell and Windows Event Logging

Dec 18, 2017 9:00:00 AM / by Kris Watts posted in Windows, EventLog, Security, Case study

0 Comments

TL;DR

We are going to dive into Windows and show how to get logs flowing into Gravwell in under 5 minutes with the WinEvent ingester. Using the Windows queries we will audit login behavior, RDP usage, some Windows Defender, and identify when Bob from accounting is copying sensitive financial data to external storage devices. Also, Taylor Swift is involved; don't panic, just stay with me.

Overview

This Gravwell post is all about the wild world of Windows Event logging and analytics. Both Unix and Windows provide standardized central logging facilities; however, the structure and format of the stored logs are dramatically different. Syslog and most other logging systems with roots in Unix approach logging as an unstructured stream: a log entry is a string of text, no more, no less (we are going to ignore journald and its binary madness). Windows, however, logs all events in fully-formed XML and the logging system is integrated into the operating system itself.  We should also note that logging in Windows is... less than ideal.  If you are coming from the Unix world, throw out all your assumptions; things are different here.

Read More

Amazon Kinesis Streams and Gravwell

Dec 5, 2017 1:11:03 PM / by John Floren posted in ingester, developer, API, Amazon, AWS, Kinesis

0 Comments

Amazon’s Kinesis Streams service provides a powerful way to aggregate data (logs, etc.) from a large number of sources and feed that data into multiple data consumers. For instance, a large enterprise might use one Kinesis stream to gather log data from their cloud infrastructure and another stream to aggregate sales data from the web services running on that infrastructure. Once the data is in the stream, it remains available for up to a day (or optionally longer) for any number of applications to read it back for processing and analysis. This is particularly useful to customers that want to deploy and destroy virtual machines on a whim; data is stored in the stream, rather than the ephemeral VMs.

Read More

Gravwell releases version 1 and attracts notable investor

Dec 1, 2017 10:04:16 AM / by Corey Thuen posted in Gravwell Story, Software Updates

0 Comments

We’re extremely excited to announce a new major release of the Gravwell analytics platform to our testers. It’s been a long road full of interesting (and sometimes annoying) challenges.

Read More

We're thankful for big data analytics

Nov 24, 2017 4:04:39 PM / by Corey Thuen posted in DevOps Analytics

0 Comments

It’s Thanksgiving Weekend in America and that means most people have acknowledged the blessings in their lives and are gearing up for something America does better than anyone: consumerism. I had a bit of down time and thought I’d do something else America is good at: Freedom Fighting.

Read More

How NOT to Launch a Product Around Black Friday

Nov 22, 2017 12:00:00 PM / by Leah Figueroa

0 Comments

With Thanksgiving on Thursday, the start of the winter holidays is here in the states. In addition to seasonal celebrations spanning the weeks, shopping often increases around this time. Two such days, Black Friday and Cyber Monday, are some of the biggest shopping days of the year and people often wait to see what deals can be found. Products are launched on or around Black Friday/Cyber Monday in the hopes of garnering more sales and to drive up excitement. Often, this is a great idea. Sometimes, though, a product drops in such a way that could only be dubbed failure.

Read More

OT Security Analytics - Finding the ground truth

Nov 16, 2017 11:22:40 AM / by Corey Thuen posted in Case study, Network Analytics, OT Analytics

1 Comment

In this post, we take a look at analyzing Industrial Control System data to detect unauthorized manipulation of relays in a process.

Read More