As more and more information and processes move to SharePoint, it becomes
critical for compliance and security requirements to monitor and audit
SharePoint activity.
SharePoint does have an internal audit log, but it is essentially unusable
due to 4 key issues:
- SharePoint's audit log does not provide the names of users or objects.
The SharePoint audit log fails to translate record IDs, meaning you have no
idea which object or user a given event refers to!
- SharePoint's audit log is buried in SharePoint's SQL server content database.
To ensure the integrity of audit trails, logs must be moved from the system
where they are generated to a separate and secure archive. However, in
SharePoint, the audit log isn't really a log - it's a table in the SharePoint
database. This makes it inaccessible for most log management solutions.
Without the ability to collect the SharePoint audit log into a separate, secure
log archive, its value as a high integrity audit trail is compromised.
- SharePoint's audit log has no reporting. In Windows SharePoint
Services the log is totally inaccessible, and in Office SharePoint Services it's
exposed through a few rudimentary, impractical reports in Excel.
- Windows SharePoint Services provides no interface for enabling auditing
at all. The audit log is there, but without custom programming there's no
way to turn it on, much less access the logs.
No, the LOGbinder SP service is a tiny executable that efficiently checks the
SharePoint audit log for entries and uses limited resources while processing
events.
LOGbinder SP runs at a lower priority than SharePoint, so it will never compete with SharePoint for resources.
Your SharePoint audit policy has the biggest impact on what resources
LOGbinder needs; for each site collection, consider whether you really need to
audit read/view access.
LOGbinder is fully integrated with Windows security and complies with widely
accepted secure design and coding techniques.
At installation, LOGbinder secures the folder permissions where the software
files reside. To protect LOGbinder's configuration from tampering, LOGbinder encrypts its configuration data.
LOGbinder security requirements are greatly simplified since LOGbinder does not
store your audit log data. LOGbinder is designed to quickly get audit
events out of the SharePoint audit log and to the destination of your choice, at
which point your log management solution takes over. If you configure
LOGbinder SP to direct events to the Windows security log, you leverage the
significant effort Microsoft has invested in protecting the security log.
And if you are already collecting Windows security logs with your log management
application, SharePoint events will automatically be included when you install
LOGbinder SP.
LOGbinder SP's design helps you fulfill separation of duty and audit trail
integrity requirements by quickly getting audit events off the system where they
are produced (and thus vulnerable to intruders or malicious administrators) and
into your separate and secure log management system.
LOGbinder SP installs in about 2 minutes and only requires a few settings:
- Select the site collections whose audit logs LOGbinder should translate
- Specify the user account LOGbinder should run as
How do you monitor LOGbinder SP’s health?
Check the Application log for warnings or errors from source LOGbndSE.
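One way to automate that check on a schedule, as an added example that is not part of LOGbinder or of the original page. The source name LOGbndSE comes from this page; the function name, the 24-hour lookback and the exit codes are assumptions, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: summarize LOGbinder SP warnings/errors in the Application log.
# 'LOGbndSE' is the event source named on this page; Get-LogbinderHealth,
# the lookback window and the exit codes are hypothetical choices.
function Get-LogbinderHealth {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'LOGbndSE'
        Level        = 2, 3                       # 2 = Error, 3 = Warning
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }

    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent raises an error, not an empty result, when nothing matches.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
        else { throw }    # e.g. source not registered or access denied
    }

    $errorCount   = @($events | Where-Object { $_.Level -eq 2 }).Count
    $warningCount = @($events | Where-Object { $_.Level -eq 3 }).Count
    $status = if ($errorCount) { 'Error' } elseif ($warningCount) { 'Warning' } else { 'OK' }

    # Most frequent event IDs first, each with its latest message for triage.
    $byId = $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{ Id = $_.Name; Count = $_.Count; LastSeen = $latest.TimeCreated; Latest = $latest.Message }
    }

    [pscustomobject]@{
        Since    = $filter.StartTime
        Errors   = $errorCount
        Warnings = $warningCount
        Status   = $status
        ById     = $byId
    }
}

$health = Get-LogbinderHealth -LookbackHours 24
$health | Format-List Since, Errors, Warnings, Status
$health.ById | Format-Table -AutoSize -Wrap

# Exit code for a scheduled task or monitoring agent: 0 OK, 1 warnings, 2 errors.
$exitCodes = @{ OK = 0; Warning = 1; Error = 2 }
exit $exitCodes[$health.Status]
```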
Why doesn’t LOGbinder SP include alerting or long term archival capability?
These are functions of a log management solution. LOGbinder complements
and enhances the value of your log management solution.
How does LOGbinder SP integrate with my current log management solution?
With LOGbinder, any log management solution that supports Windows event logs can
now collect, monitor, archive, and report on SharePoint audit log activity.
Also, see next Q&A.
Which output formats does LOGbinder SP currently support?
In the current beta, LOGbinder can output to either the Windows Security Log or a custom Windows event log called LOGbinder SP.
Based on customer feedback we may add additional output formats such as syslog,
text files or XML.
How is LOGbinder SP licensed?
Why does LOGbinder SP need to be installed on the SharePoint server?
The SharePoint object model classes that provide access to the SharePoint audit
log require code to run locally. If SharePoint is installed in a server farm environment,
LOGbinder SP must be installed on each of the front-end web servers.
LOGbinder SP is not required on the SharePoint application (indexing, Excel services, etc.) or database servers.
What user credentials must be assigned to LOGbinder SP? Why?
The account you choose for the LOGbinder service must be a member of the
server's local Administrators group. The account must also
be an administrator on each site collection being monitored.
SharePoint imposes these requirements for access to the SharePoint audit log.
The account needs to be authorized to run as a service, and if using the security log,
must be authorized to write to the security log.
Does LOGbinder SP support multiple SharePoint site collections?
Yes. With LOGbinder SP you can configure the SharePoint audit policy
and enable/disable translation of the audit log for each site collection on the SharePoint server.