• Application security intelligence for SharePoint delivered to your SIEM
  • Fill the audit gap in your compliance efforts
  • Catch APTs that have penetrated upstream defenses
  • Detect data grabs by malicious insiders
  • Know what’s happening inside SharePoint, including:
    • Access to confidential information
    • Changes to documents and lists
    • Security policy changes
    • Privileged user activity
  • Correlate SharePoint security activity with related events from the rest of your environment
  • No agent or communication required with SharePoint server
    • No performance impact on SharePoint servers
    • Less pushback from SharePoint admins
  • Ensure consistent and centralized audit policy for all site collections in the farm
  • Fits neatly into your existing infrastructure between SharePoint and your SIEM/BDSA
  • No data silos or additional consoles to monitor
  • Address the 5 critical issues with native SharePoint auditing

LOGbinder SP translates cryptic SharePoint audit data into easy-to-understand messages and sends them to your SIEM – where they belong. LOGbinder SP does not require an agent to be installed on your SharePoint servers, nor does it make intrusive changes to your SharePoint environment. We simply bridge the gap by bringing application security intelligence on SharePoint to your security operations center.

  • Translates cryptic SharePoint audit data into easy-to-understand events
  • Sends SharePoint audit events to your SIEM using the best method
  • Centrally manages audit policy for the entire farm
  • Safely purges internal audit log
  • Safeguards audit log integrity

LOGbinder SP is a small, efficient Windows service that runs on any Windows server that is a member of your SharePoint farm. This can be an existing SharePoint server or a dedicated server – even a VM. It just needs to be a member of the farm so that LOGbinder can interface with the SharePoint API. Regardless of how many servers are in the farm, you usually only need to install one instance of LOGbinder SP per farm. LOGbinder SP can coexist with other LOGbinder products like LOGbinder EX for Exchange and LOGbinder SQL for SQL Server.

Once started, and running with the minimum necessary privileges, the LOGbinder SP service frequently searches the internal SharePoint audit log for new events, translates them into easy-to-read events and forwards them to your SIEM solution. If LOGbinder SP sees activity that indicates potential privileged user tampering with audit policy configuration or unauthorized log purging, it inserts additional warning events into the audit stream.

Periodically, LOGbinder SP checks for new site collections and configures them with your specified default audit policy. Every 24 hours LOGbinder purges events already sent to your SIEM from the SharePoint content database so that resources are conserved.

LOGbinder SP has special technology to compensate for SharePoint memory leaks, preserve stability, control its memory and CPU footprint, reduce queries associated with name resolution, ensure audit integrity is maintained, and make troubleshooting easy.

Only one instance of LOGbinder SP is required per SharePoint farm. LOGbinder SP can run on an existing SharePoint server or you can stand up an additional server for that purpose. Customers frequently run LOGbinder SP on a virtual machine along with other LOGbinder products like LOGbinder EX for Exchange and LOGbinder SQL for SQL Server.

  • Windows Server 2012, 2008 or 2003, 64 or 32 bit. Server must be a member of the SharePoint farm.
  • SharePoint 2013, 2010 or 2007 (including SharePoint Services/Foundation)
  • Microsoft .NET Framework 3.5 SP1 or later
  • Disk space: LOGbinder itself is tiny - not even 1 MB. But with associated DLLs the total installation size is about 12 MB. Storage for logs and/or reporting databases is dependent on settings defined by the customer.
  • Memory: LOGbinder averages 150 MB memory usage. In some environments memory usage can grow beyond that, but special functionality detects and recovers memory when a maximum threshold is reached.
  • LOGbinder does not support custom Forms Based Authentication (FBA). Check the following links to see if you have FBA configured:

Where can I learn more about the SharePoint Audit Log?

Visit Randy's SharePoint section at UltimateWindowsSecurity.com.

What can I monitor with the SharePoint Audit Log and LOGbinder SP?

What does LOGbinder SP do to my SharePoint installation? Does it modify SharePoint? Will it conflict with any other SharePoint extensions or modifications?

"Nothing" and "no" are the short answers. LOGbinder SP is a Windows service that runs independently of SharePoint. There are NO changes to SharePoint whatsoever other than configuring SharePoint's audit feature and purging the SharePoint audit log of old events if you configure LOGbinder SP to do so.

Will LOGbinder SP slow down my server or cause other resource issues?

No, the LOGbinder SP service is a tiny executable program that efficiently checks the SharePoint audit log for entries and uses limited resources while processing events. 

LOGbinder SP runs at a lower priority than SharePoint, so it will never compete with SharePoint for resources.

Your SharePoint audit policy has the biggest impact on what resources LOGbinder needs; for each site collection, consider whether you really need to audit read/view access. 

How secure is LOGbinder SP?

LOGbinder is fully integrated with Windows security and complies with widely accepted secure design and coding techniques.

At installation, LOGbinder secures the folder permissions where the software files reside. To protect LOGbinder's configuration from tampering, LOGbinder encrypts its configuration data.

LOGbinder security requirements are greatly simplified since LOGbinder does not store your audit log data. LOGbinder is designed to quickly get audit events out of the SharePoint audit log and to the destination of your choice, at which point your log management solution takes over. If you configure LOGbinder SP to direct events to the Windows security log, you leverage the significant effort Microsoft has invested in protecting the security log. And if you are already collecting Windows security logs with your log management application, SharePoint events will automatically be included when you install LOGbinder SP.

LOGbinder SP's design helps you fulfill separation of duty and audit trail integrity requirements by quickly getting audit events off the system where they are produced (and thus vulnerable to intruders or malicious administrators) and into your separate and secure log management system.

Does LOGbinder SP require much configuration?

LOGbinder SP installs in about 2 minutes and only requires a few settings:

  1. Select the site collections whose audit log LOGbinder should translate
  2. Specify the user account LOGbinder should run as
  3. Choose whether to output events to the custom LOGbinder SP event log, the actual Windows Security Log, syslog or a text file.

How do you monitor LOGbinder SP’s health?

Check the Application log for warnings or errors from source LOGbndSE.
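One way to script that health check so it can run as a scheduled task or monitoring probe (an added example, not code from the vendor). Only the `LOGbndSE` source name comes from this page; the 24-hour window, the hypothetical `Get-LogbinderHealthEvents` helper and the exit codes are assumptions.

```powershell
# Added example: summarize LOGbinder SP warnings/errors in the Application log.
$source = 'LOGbndSE'                  # event source named on this page
$since  = (Get-Date).AddHours(-24)    # assumed look-back window

function Get-LogbinderHealthEvents {
    param([string]$Source, [datetime]$Since)
    $filter = @{
        LogName      = 'Application'
        ProviderName = $Source
        Level        = 2, 3           # 2 = Error, 3 = Warning
        StartTime    = $Since
    }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # "No events found" is the healthy case; anything else (access denied,
        # unknown provider) is a real problem and must not be swallowed.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    }
}

$events = @(Get-LogbinderHealthEvents -Source $source -Since $since)

if ($events.Count -eq 0) {
    Write-Output "OK: no warnings or errors from $source since $since"
    exit 0
}

# Group by severity and event ID so a recurring problem shows up as one row.
$events |
    Group-Object LevelDisplayName, Id |
    Sort-Object Count -Descending |
    ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Count   = $_.Count
            Level   = $latest.LevelDisplayName
            EventId = $latest.Id
            Latest  = $latest.TimeCreated
            Message = ($latest.Message -split "`r?`n")[0]   # first line only
        }
    } | Format-Table -AutoSize -Wrap

# Assumed convention: exit 2 if any errors, 1 if warnings only.
if ($events | Where-Object Level -eq 2) { exit 2 } else { exit 1 }
```

A quiet Application log only shows the service is not reporting problems; confirming that SharePoint events are still arriving in the SIEM is a separate check made on the SIEM side.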

Why doesn’t LOGbinder SP include alerting or long term archival capability?

These are functions of a log management solution. LOGbinder complements and enhances the value of your log management solution. If you do not already have a log management solution, we can provide a simple, inexpensive, but dependable solution from our partner and we will help you install and configure it.

How does LOGbinder SP integrate with my current log management solution?

With LOGbinder, any log management solution that supports Windows event logs, text file or syslog can now collect, monitor, archive, and report on SharePoint audit log activity.  Also, see next Q&A.

Which output formats does LOGbinder SP currently support?

LOGbinder can output to either the Windows Security Log, syslog, text file, or a custom Windows event log called LOGbinder SP. 

How is LOGbinder SP licensed?

Does LOGbinder SP need to be installed on the SharePoint server?   

You do not need to install LOGbinder SP on a production SharePoint server.

The SharePoint object model classes that provide access to the SharePoint audit log require code to run locally. To audit a given SharePoint farm, LOGbinder SP needs to be installed on just one of the servers to fully audit the farm. This can be an existing SharePoint production server or a new server you deploy for LOGbinder SP (usually a virtual machine).

What user credentials must be assigned to LOGbinder SP? Why?

The account you choose for the LOGbinder service must be a member of the server's local Administrators group.  The account must also be an administrator on each site collection being monitored. These requirements come from SharePoint in order to access the SharePoint audit log. The account needs to be authorized to run as a service, and if using the security log, must be authorized to write to the security log.

Does LOGbinder SP support multiple SharePoint site collections?

Yes.  With LOGbinder SP you can configure the SharePoint audit policy and enable/disable translation of the audit log for each site collection on the SharePoint server.

Your SIEM or log management solution already does a great job at collecting, archiving, correlating and reporting on security logs. We just extend that capability to SharePoint. LOGbinder SP works with any SIEM, log management or Big Data platform that can consume:

  • Windows event logs
  • Text files
  • Syslog UDP
  • Common Event Format (ArcSight)
  • LEEF for QRadar (Future release)

In addition, we provide Recommended Report and Alert specifications so that you can intelligently respond to and analyze SharePoint security activity once it’s in your SIEM. If your SIEM vendor is one of our Synergy Partners, your SIEM already understands SharePoint events from LOGbinder. If not, introduce us to your SIEM vendor; we’d love to work with them!
