We have a few new partners that have joined our SIEM Synergy Partner Program.  We would like to welcome SolarWinds and Prism Microsystems as certified partners along with our existing partner GFI. 

How does this program benefit you as the end user?

Here at LOGbinder we have worked closely with these vendors to not only integrate LOGbinder into their SIEM solutions but also package together some prebuilt rules, alerts, and reports.  This allows you to install LOGbinder in your environment and then have our recommended reports and alerts at your fingertips in no time.

Don't see your SIEM solution listed as a partner?

Not a problem.  We currently have a long list of prospective partners who we are working with to get certified as a SIEM Synergy Partner.  Send us an email and let us know who your SIEM solution provider is and we'll let you know if we're already working with them or if we need to reach out to them to get started.  Are you a SIEM provider and want to work along with us to get SP, SQL, or EX logs in to your SIEM; simply email us and we'll get the process started.

You will happy to know that we have released a new version of LOGbinder SP, version 3.1.  Here's what we've updated:

• During the trial period, output to the Security Log is now permitted 
• New event #62 “Document fragment updated”: This event handles the SharePoint event type “FileFragmentWrite”
• LOGbinder will now reset its connection automatically to the site collection(s) every 23 hours, which will help eliminate authentication timeouts and reduce resource consumption
• Also, a number of bug fixes and performance improvements

You can download the latest version at http://www.logbinder.com/form.aspx?action=download 

We've just updated the Recommended Alerts and Reports for SharePoint (LOGbinder SP) which you can find at http://www.logbinder.com/Form/SPReportSpecs.

Updates include

• coverage of new events and features in LOGbinder SP 3.0. 
• new recommended alert rules
• important notes and explanations regarding "insertion strings", how date/time works in LOGbinder SP and information about the 2 possible "event log sources" that LOGbinder SP events can bear.

This free resource is valuable for anyone looking for tips and recommendations on creating reports or alert rules for SharePoint audit events.

We recently discovered in our labs that Microsoft made an undocumented change to the event structure of two events in SharePoint 2010, which causes the user name not to be included in the event. This affects these LOGbinder SP events:

                27 - SharePoint group member added

                28 - SharePoint group member removed

A maintenance release of LOGbinder SP, version 2.1.10, is available for download.

In addition to fixing this issue, it addresses the "SharePoint server out of memory" error that some customers have experienced. In some cases, LOGbinder encounters a "server out of memory" error while looking up additional details of events. Instead of crashing, LOGbinder will continue running.

If you have additional questions on this or other technical issues regarding LOGbinder, and you cannot find the answer on our site logbinder.com, please feel free to write to support@logbinder.com. We will be happy to assist you.

You may have noticed that there is no event from SharePoint auditing (and therefore LOGbinder SP) for "List item viewed".  All you get are events telling the the overall List was viewed (event ID 49). 

On the other hand, for document libraries and documents you get events for when the library is viewed (event ID 48) and when documents are viewed that identity the individual document (47). 

This seems like a hole in the SharePoint audit trail at first but when you think about it, it makes sense. 

It's easy to audit when a document is viewed but not for list items.  You see, the document's contents cannot be displayed as a column in a View, so the viewing or downloading of a document is a very discreet event.  On the other hand you can display any and all properties of a list item in a view.

You can potentially view any list item in full detail anytime you view a list.  To provide an audit trail of list item views, it would be necessary to output an "item view" event for every item included by the filter criteria of the view each time the view is viewed or refreshed.