Case Study

My name is Knut Weber. My colleague, Manuel Kaltschmidt, and I work in the IT Infrastructure Solutions at BurdaSolutions (https://www.burdasolutions.com) in Germany.

BurdaSolutions is the internal IT service provider of the international media group Hubert Burda Media (https://www.burda.com/en) with more than 10,000 employees. With our services, we support our customers in the business areas of national and international media brands, printing and in the digital brands of Hubert Burda Media.

Being in this position 15 years, my duties are mainly our Active Directory, Exchange on premises and hybrid, NetApp Filers, Patch Management, Server Monitoring, Security Auditing, Ransomware detection and prevention, accompanied with the supporting technologies like load balancers, SAN storage, clustering, fault tolerance, SQL, firewalling, access control, etc. serving a mixed environment of thousands of fifty – fifty Windows and Macs and hundreds of mobile devices.

Our data center hosts several hundred servers, Linux, Windows and specialties. While we have and had the usual monitoring tools like check_mk, Icinga, Nagios, PRTG, Splunk, Graylog, Solarwinds, ..., we always had a special monitoring system for real-time monitoring of Windows Event logs, what for us means we get an E-Mail in 1-5 minutes after the event occurrence. In former times this was Monitor IT from Goliath Technologies. Because we had the requirement for non-English operating systems and reporting languages and also monitoring of Azure Events from our hybrid environment, we made a deep market investigation of products in this area. Our main focus was archiving, reporting and particularly real-time monitoring and alerting capabilities of Windows Event Logs of much more than 100 million events occurring per day.

Only of minor interest at this early stage was the price of Corner Bowl, which is only a tiny fraction of all relevant competitors. But it has to be mentioned, of course. With our amount of monitored data, some solutions have a price tag more than 100-fold.

We implemented a test installation quite fast, it took an hour or so to start evaluation in our test labs. Together with Corner Bowl development, we got missing features programmed completely new for our demand and existing features tailored specific for our purposes. This was always fast and hit the nail perfectly. As with our old solution, it was mandatory, that intelligence is offloaded to the monitored systems, so that only a fraction of all occurring events are transferred to the central system and database. We have specific experience from the past, but keep open for new and unexpected events, through combinations of white and blacklisting of events and failure categories. As said, we have 15 years of expertise, which kind of events are relevant in our ecosystem in real-time, which we will need at once via E-Mail and everything else can be kept in daily scheduled reports. We know that there are pre-built reports in Corner Bowl, servicing the needs for specific use cases and demands. That is great for non-tech people, who do not know in depth what they have to look for. They are just ready to use. But if you, like we, know exactly what to look for, today and in the future, it is easy to map this demand into a Corner Bowl rule.

Here are a few examples of our many dozens of real-time notifications:

1. On premise systems general: Active Directory Service errors, specific LDAP and Kerberos errors, errors of self-written applications, modification of scheduled tasks, installation of services, reboots, admin logon problems, audit setting changes, lockout of specific accounts, modification of groups, process creation in specific directory locations, ...
2. Specific Exchange events: back pressure detection, throttling, CAS redirects, failover, EDB corruption, cluster errors, database size, ...
3. Azure AD: break glass account events, user restored, add/remove member to role, device registration for administrators, high level audit risk events, ...

Additionally we monitor and start services on demand, like DHCP, print or certificate services and monitor some file system directory events for expected and unexpected changes. Automated cleanup tasks for temp directories helps to keep the systems clean.

Corner Bowl was capable of the replacement of all our previous monitors we had in place - and provide a lot of new possibilities. The logic possible of combining different events and use of threshold levels allows a very specific handling of nearly everything you can think of. It is getting as complex and capable as you need it. A great challenge in the past were staged Windows design changes like RPC sealing. Corner Bowl helped us to set up an alarm in less than 10 minutes, to send E-Mails with affected clients in our varied environment.

I expect most people to use Corner Bowls daily reporting features. It has noumerous additional features like resource monitoring (disk, RAM, CPU), Website monitoring, … we also know, and competitors also have here and there - but we emphasize the specific capabilities of real-time and scheduled monitoring of Windows Eventlogs, with offloaded intelligence to the servers and secured communication with certificates through a single firewall port. This capabilitiy is nonexistent in all other products, especially in regard of the possibility of filtering and in defining very specific things with regular expresions for content buried deep inside the events. When it comes to the handling of much more than 100 million events per day, we see no other solution providing this with such an ease.

We enjoy using this product, we enjoy the communication with the manufacturer and can recommend Corner Bowl to 100%. It is worth every single cent.

Update: April 19th 2024

Now, after two years of running corner bowl highly satisfied, we made huge improvements in our always getting more and more important Microsoft 365 environment.

Everything runs smoothly as it did before and were are at a very high conficence level about knowing what is going on in our data centers on premises. But Microsoft Entra ID, formerly Azure AD, is getting more and more important – and is of high interest as a possible way of getting hacked or attacked, of course. So we are very glad to be able to observe in near real-time the Azure AD / Entra ID logs: “Audit”, “Identity Risk Events” and “ “SignIns” in our Tenants.

What we are monitoring are events like: admin logon failures, locked accounts, admin consent to applications, users restored, app role assingments, add/remove member to/from roles, device registration for administrative accounts, admin password changes, multi factor authentication setting changes for administrative accounts, etc. Especially the monitoring of changes in administrative accounts and multi factor settings is critical and very valuable for us. We are a small team with full access rights and we all get immediately E-Mails from Corner Bowl when something happens here with our administrative accounts, like getting a new or additional mobile phone in place or changes in multi factor authentication settings like adding a method (Authenticator, telephone number, …) so that we immediately inform our collegues, yes, that´s OK, it´s me.