LOGbinder Blog


How does LOGbinder SP detect log tampering?

Fri, 14 Dec 2012 16:35:06 GMT

While LOGbinder SP is processing events, it will perform actions that generate SharePoint events. What happens, though, if these same actions are performed maliciously by a SharePoint user? Will this compromise the integrity of the audit trail? No. LOGbinder SP can detect log tampering. How?

To distinguish authorized from unauthorized changes, LOGbinder SP (version 3 and later) indicates, when processing these events, whether it performed the action itself or whether the action might be unauthorized. A tamper warning is generated in the following cases:

- Audit policy change: When processing event #11 “Site collection audit policy changed” or #12 “Audit policy changed,” LOGbinder determines whether the change overrides the settings configured in LOGbinder. If so, LOGbinder resets the audit policy and generates a tamper warning (#60 “Possible tampering warning”).

- Audit logs deleted: When processing event #20 “SharePoint audit logs deleted,” LOGbinder determines whether it deleted the logs itself and records the result in an additional line added to this event. The line “Purge performed by LOGbinder” shows the value “Yes” if LOGbinder performed the purge and “No” otherwise. In the latter case, a tamper warning event (#60 “Possible tampering warning”) is generated.
  Note: If it cannot be determined whether the logs were deleted by LOGbinder SP, the “Purge performed by LOGbinder” value is set to “Indeterminate”. This typically occurs when processing backlog events, i.e. those produced before LOGbinder started processing the site collection.

By alerting on event #60 “Possible tampering warning”, malicious audit tampering attempts can be detected, so the audit trail is not compromised.
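The logic described above, as an added simulation in Python. This is not LOGbinder's code; only the event numbers (#11, #12, #20, #60), their names, and the “Purge performed by LOGbinder” line with its Yes/No/Indeterminate values come from the post. The event field names (`id`, `time`, `user`, `policy`, `purge_id`), the audit flag names, and the sample event stream are constructed for the example. The detector keeps two pieces of state a real implementation would also need: the audit policy it expects to stay in force, and a record of the purges it issued itself, so that a #20 event can be attributed.

```python
"""Simulation of the tamper-detection rules described in the LOGbinder SP post.

Added example; not LOGbinder's own code. Field names, flag names and the sample
events are constructed here. Only the event numbers and the "Purge performed by
LOGbinder" values (Yes / No / Indeterminate) come from the post.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

POLICY_CHANGED = {11, 12}  # #11 "Site collection audit policy changed", #12 "Audit policy changed"
LOGS_DELETED = 20          # #20 "SharePoint audit logs deleted"
TAMPER_WARNING = 60        # #60 "Possible tampering warning"


@dataclass
class TamperDetector:
    required_policy: frozenset                      # audit flags LOGbinder expects to stay enabled (assumption)
    started_at: datetime                            # when LOGbinder began processing this site collection
    own_purges: set = field(default_factory=set)    # purge ids LOGbinder issued itself
    warnings: list = field(default_factory=list)    # generated #60 events

    def record_own_purge(self, purge_id):
        """Called when LOGbinder itself purges the SharePoint audit log."""
        self.own_purges.add(purge_id)

    def process(self, event):
        """Return the event, annotated where the rules require, and raise #60 when tampering is suspected."""
        out = dict(event)
        if event["id"] in POLICY_CHANGED:
            # A change that drops any required flag overrides LOGbinder's settings.
            missing = self.required_policy - set(event["policy"])
            if missing:
                out["policy"] = sorted(self.required_policy | set(event["policy"]))  # policy reset
                out["reset"] = True
                self._warn(event, "audit policy change removed " + ", ".join(sorted(missing)))
        elif event["id"] == LOGS_DELETED:
            if event["time"] < self.started_at:
                verdict = "Indeterminate"          # backlog event: predates LOGbinder's processing
            elif event["purge_id"] in self.own_purges:
                verdict = "Yes"                    # LOGbinder performed the purge
            else:
                verdict = "No"                     # someone else deleted the logs
                self._warn(event, "audit logs deleted by a user other than LOGbinder")
            out["Purge performed by LOGbinder"] = verdict
        return out

    def _warn(self, event, reason):
        self.warnings.append({"id": TAMPER_WARNING, "time": event["time"],
                              "user": event["user"], "reason": reason})


def run_sample():
    """Process a constructed event stream; returns (processed events, #60 warnings)."""
    t0 = datetime(2012, 12, 14, 9, 0)
    det = TamperDetector(required_policy=frozenset({"View", "Update", "Delete"}), started_at=t0)
    det.record_own_purge("p1")  # LOGbinder's own scheduled purge
    events = [  # constructed sample events
        {"id": 20, "time": t0 - timedelta(days=1), "user": "SPADMIN", "purge_id": "p0"},
        {"id": 11, "time": t0 + timedelta(hours=1), "user": "LOGbinder", "policy": ["View", "Update", "Delete"]},
        {"id": 20, "time": t0 + timedelta(hours=2), "user": "LOGbinder", "purge_id": "p1"},
        {"id": 12, "time": t0 + timedelta(hours=3), "user": "jdoe", "policy": ["View"]},
        {"id": 20, "time": t0 + timedelta(hours=4), "user": "jdoe", "purge_id": "p2"},
    ]
    processed = [det.process(e) for e in events]
    return processed, det.warnings


if __name__ == "__main__":
    processed, warnings = run_sample()
    for e in processed:
        print(e)
    for w in warnings:  # alert on event #60 here
        print("ALERT #60:", w)
```

Alerting then reduces to watching for event #60: in the sample, the backlog purge is marked Indeterminate without a warning, LOGbinder's own purge is marked Yes, and both the policy change by `jdoe` and the purge by `jdoe` produce a #60 warning.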
