«
New Whitepaper by Randy F... |
Whitepaper: Comparing Ex... »
LOGbinder SP can automatically purge audit entries from SharePoint after they have been processed by LOGbinder SP and forwarded to an event log or your SIEM/Log Management solution. This purging occurs on a daily basis, but a buffer is maintained, so only entries older than 24 hours are purged.
This is usually sufficient to satisfy security and compliance requirements through the audit logs stored in the organization’s SIEM or log management solution. However, in some rare instances, it might be necessary to leave the audit logs in SharePoint in order to be able to run audit reports from within the SharePoint environment. The problem is that these logs are no longer available in SharePoint, since LOGbinder SP purged them.
In this case, the LOGbinder SP automatic purging feature needs to be disabled through the Options dialog on the LOGbinder interface. Since it will not process events it has already processed, not purging the logs from SharePoint will not create duplicate events in your log management. |
|
Figure 1: Disable purging under LOGbinder SP Options
|
To avoid the logs to accumulate in SharePoint, taking up valuable resources and potentially degrading the performance of the site collection, SharePoint can be set to trim the audit log. Under Site Settings / Site Collection Administration group / Site collection audit settings options are available to trim audit logs when they reach a certain age (specified in number of days) and optionally be stored in a document library.
|
 |
Figure 2: Enable trimming in SharePoint audit settings |
| Applying these changes you can benefit from the managing your logs with your preferred SIEM/Log management solution through LOGbinder, while still taking advantage of having access to the audit logs from SharePoint.
|
Comments disabled
powered by Bloget™