LOGbinder SP
SharePoint Audit Log Processing
Why do I need LOGbinder SP?
As more and more information and processes move to SharePoint, it becomes critical
for compliance and security requirements to monitor and audit SharePoint activity.
Doesn't SharePoint already have an audit log?
SharePoint does have an internal audit log but it is essentially unusable due
to 5 key issues:
- SharePoint's audit log does not provide the
names of users or objects. The SharePoint audit log fails to translate
record IDs, meaning you have no idea which object or user a given event
refers to!
- SharePoint's audit log is buried in SharePoint's
SQL Server content database. To ensure the integrity of audit trails, logs must
be moved from the system where they are generated to a separate and secure archive.
However, in SharePoint, the audit log isn't really a log - it's a table in
the SharePoint database. This makes it inaccessible for most log management
solutions. Without the ability to collect the SharePoint audit log into a
separate, secure log archive, its value as a high integrity audit trail is compromised.
- SharePoint's audit log has no reporting.
In Windows SharePoint Services the log is totally inaccessible, and in Office SharePoint
Services it's exposed through a few rudimentary, impractical reports in Excel.
- Windows SharePoint Services provides no interface
for enabling auditing at all. The audit log is there, but without custom
programming there's no way to turn it on, much less access the logs.
- SharePoint's built-in audit log trimming feature
can delete audit events before they are exported. Some editions of SharePoint
provide automatic log trimming of old events but there is no way to ensure events
have been archived first.
LOGbinder SP solves all 5 of these problems and writes SharePoint audit events to
the Windows event log. For alerting, reporting, and archiving you can use your existing
log management/SIEM solution or use LOGbinder SP SIEM Edition.
LOGbinder SP is available in 2 editions:
LOGbinder SP Agent Edition
LOGbinder SP Agent Edition
is a small, efficient Windows service that monitors the internal SharePoint audit
log without making any changes to your SharePoint installation.
For each event, LOGbinder SP resolves the user and object IDs and other cryptic
codes, producing an easy-to-understand, plain-English translation of the SharePoint
audit event.
Output formats:
• local Windows Security event log
• custom Windows event log
• syslog server (future)
This variety of output formats allows you to extend any log management solution
to now support SharePoint audit trails and security events.
LOGbinder SP SIEM Edition
Don't already have a log management or SIEM solution to manage events generated
by the LOGbinder SP agent? No problem.
LOGbinder SP SIEM Edition
provides alerting, reporting, and archiving of SharePoint audit logs as well as the
Windows security logs of all the servers in your SharePoint farm.
LOGbinder SP SIEM Edition
is a complete security monitoring and log management solution for your SharePoint
environment.
LOGbinder SP SIEM Edition
comprises:
- LOGbinder SP Agent - translates the unreadable native SharePoint Audit logs and writes
them to the Windows event log
- GFI EventsManager - collects SharePoint audit logs produced by the LOGbinder SP
agent as well as the native Windows security log. EventsManager analyzes both SharePoint
and Windows security events against pre-defined rules and alerts you to suspicious
activity and high impact changes. Also included are pre-built reports with recommended
guidance for usage and follow up as well as deep mapping to common compliance frameworks
like PCI, HIPAA, SOX, ISO, COBIT, etc.