• Application security intelligence for SQL Server
  • Fill the audit gap in your compliance efforts
  • Catch APTs that have penetrated upstream defenses
  • Less push back from database admins
  • Zero Impact
    • Use SQL Server’s fastest, most efficient audit log output method and thereby offload all subsequent log processing from busy database servers to a server of your choice.
    • No agent required. LOGbinder for SQL Server does not require an agent to be installed on your SQL Servers. In fact, LOGbinder for SQL Server doesn’t even need to send a single packet to your database servers.
  • Know what’s happening inside of SQL Server including
    • Security operations involving logins, roles and permissions
    • Maintenance of tables, stored procedures and any other object
    • Database operations like backup and restore
    • Transact SQL table commands like insert, delete, update and select
  • Correlate SQL Server security activity with related events from the rest of your environment
  • No data silos or additional consoles to monitor
  • Translate cryptic data into easy to understand audit messages

    The audit records generated by SQL Server audit are cryptic and difficult to understand. Basically, one log record format is used for documenting everything from an insertion on a table to a modification of a stored procedure. And while SQL Server can write events to the security log, it uses the same event ID for all events, and the IDs and keywords are not resolved. Thus, it requires in-depth knowledge of the SQL audit model in order to decipher events. LOGbinder for SQL Server translates the one, generic SQL audit event into almost 300 different event IDs, each with its own specific wording and format.
  • Free SQL audit logs from their proprietary format

    Using the preferred and highest performance option for audit log output results in a proprietary file format that cannot be parsed by log management/SIEM solutions using typical text log file-based parsing engines. LOGbinder for SQL Server processes the proprietary formatted SQL Server audit log, enriches SQL Server’s cryptic and generic audit messages to produce an easy-to-understand audit log event, and then outputs that message to your SIEM solution for analysis and archival.
  • Leverage the centralized alerting, reporting and secure archival of your log management/SIEM

    LOGbinder for SQL Server fills a critical gap between enterprise database servers and audit log management solutions, allowing you to obtain a clearly written and easy-to-understand audit log that is accessible to your existing log management solution. Through our Synergy Partner Program we actively work with log management and SIEM solution providers to build our recommended alerts and reports into their systems for SQL Server audit logs processed by LOGbinder for SQL Server.

LOGbinder for SQL Server is a small, efficient Windows service that runs on any Windows server on your network. One instance of LOGbinder for SQL Server can process logs from many SQL Servers. LOGbinder for SQL Server can coexist with other LOGbinder products like LOGbinder for Exchange and LOGbinder for SharePoint.

Simply configure each SQL Server (optionally with our free SQL Server Audit Wizard) to write its audit events to a specified folder and then provide those folders to LOGbinder for SQL Server. LOGbinder for SQL Server processes events as they appear in SQL Server binary audit log files, and then translates them into easy-to-read events which it then forwards to your SIEM solution.

  • Windows Server 2012, 2008 or 2003, 64 or 32 bit.
  • Microsoft SQL Server Express (Free) 2008 or later for processing events. LOGbinder for SQL Server needs at least the free SQL Server Express edition for processing SQL Server audit logs generated by other SQL Server instances. Generation of audit events is only available in certain editions of SQL Server.
  • Microsoft .NET Framework 4.0
  • Disk space: LOGbinder itself is tiny - not even 1 MB. But with associated DLLs the total installation size is about 12 MB. Storage for logs and/or reporting databases is dependent on settings defined by the customer.
  • Memory: LOGbinder averages 150 MB memory usage.

Where can I learn more about SQL Server's new Auditing capability?

Visit our SQL Audit Background page for lots of help.

Why do I need LOGbinder for SQL Server - can't SQL Server send audit events to the Windows event log itself?

SQL Server can definitely output its raw audit events to the Windows event log. In fact, we encourage you to configure it and try it out. We think you will agree that LOGbinder for SQL Server is needed for 2 reasons:

  1. Performance: Writing events to the SQL Server's local security log can consume added CPU, memory and disk resources which may be unavailable on heavily loaded database servers.
  2. Raw, Cryptic Audit Data: The audit records generated by SQL Server audit are cryptic and difficult to understand. SQL Server uses one log record format for documenting everything from an insertion on a table to a modification of a stored procedure. And while SQL Server can write events to the security log, it uses the same event ID for all events, and the IDs and keywords are not resolved. Thus, it requires in-depth knowledge of the SQL audit model to decipher events. LOGbinder for SQL Server enriches SQL Server’s cryptic and generic audit messages to produce more than 300 different and easy-to-understand audit log events in the Windows event log, where any log management or SIEM solution can collect, alert on, report on, and analyze them.

What can I monitor with the SQL Server's audit log and LOGbinder for SQL Server?

Will LOGbinder for SQL Server slow down my SQL server?

You can run LOGbinder for SQL Server on the same server where SQL Server auditing is enabled, and its modest resource usage will not be felt in most environments. However, you can ensure LOGbinder for SQL Server has absolutely no impact on heavily loaded SQL Servers by installing it on a different server. The latter option does not incur the expense of another SQL Server license because LOGbinder for SQL Server can use any edition of SQL Server 2008 (and later) - even the free Express Edition - to read audit logs generated by other SQL Servers via shared folders.

Will enabling the new auditing available in SQL Server slow down my database server?

Thankfully, SQL Server has a very granular audit policy that allows you to audit just the desired actions on just the desired objects. So it is unlikely auditing will have a material impact on your database server performance unless you try to audit frequently executed operations (such as select, update, insert and delete) on heavily accessed tables. Even so, most SQL Servers can output a great deal of audit events without feeling it. This is especially true if you configure the Audit to target a file instead of the local event log; appending to a file is much faster than calling Windows event APIs. And the good news is LOGbinder for SQL Server is designed to process SQL audit log files and can do so from a different system than your busy database server. So, to ensure audit trail generation without performance degradation, enable auditing of table and view operations only as needed and target the Audit to create files in a shared folder on a different server, where LOGbinder for SQL Server is installed.
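
The file-target setup recommended above, followed by a query that shows the unresolved action codes the raw audit records carry, as an added T-SQL example that is not LOGbinder's own code. The share `\\LOGSRV01\SqlAudit`, the database `HRDB`, the table `dbo.Payroll` and the audit names are hypothetical.

```sql
-- Added example. Hypothetical names: \\LOGSRV01\SqlAudit, HRDB, dbo.Payroll, Audit_ToShare.
USE master;
GO
-- File target on a share hosted by the log-processing server, so the database
-- server only appends to a file. Its service account needs write access to the share.
CREATE SERVER AUDIT [Audit_ToShare]
TO FILE (
    FILEPATH = N'\\LOGSRV01\SqlAudit\',
    MAXSIZE = 100 MB,
    MAX_ROLLOVER_FILES = 50,
    RESERVE_DISK_SPACE = OFF
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT [Audit_ToShare] WITH (STATE = ON);
GO
-- Server scope: logins, role membership, permission changes, backup and restore.
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_Server]
FOR SERVER AUDIT [Audit_ToShare]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (BACKUP_RESTORE_GROUP)
WITH (STATE = ON);
GO
USE HRDB;
GO
-- Database scope: DML auditing limited to one sensitive table, plus object changes.
CREATE DATABASE AUDIT SPECIFICATION [AuditSpec_Payroll]
FOR SERVER AUDIT [Audit_ToShare]
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Payroll BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- Read the binary .sqlaudit files. action_id is a short code (for example 'SL');
-- the join resolves it to a readable name from the audit action catalog.
SELECT f.event_time, f.action_id, a.action_name, f.succeeded,
       f.server_principal_name, f.database_name, f.object_name, f.statement
FROM sys.fn_get_audit_file(N'\\LOGSRV01\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
LEFT JOIN (SELECT action_id, MIN(name) AS action_name
           FROM sys.dm_audit_actions
           GROUP BY action_id) AS a
       ON a.action_id = f.action_id
ORDER BY f.event_time;
```

The final query can be run from any SQL Server instance that can reach the share, including an Express edition on the log-processing server.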

How secure is LOGbinder for SQL Server?

LOGbinder is fully integrated with Windows and SQL Server security and complies with widely accepted secure design and coding techniques.

At installation, LOGbinder secures the folder permissions where the software files reside. To protect LOGbinder's configuration from tampering, LOGbinder encrypts its configuration data.

LOGbinder security requirements are greatly simplified since LOGbinder does not store your audit log data. LOGbinder is designed to quickly get audit events out of the SQL Server audit log files and to the destination of your choice, at which point your log management solution takes over. If you configure LOGbinder for SQL Server to direct events to the Windows security log, you leverage the significant effort Microsoft has invested in protecting the security log. And if you are already collecting Windows security logs with your log management application, SQL audit events will automatically be included when you install LOGbinder for SQL Server.

LOGbinder for SQL Server's design helps you fulfill separation of duty and audit trail integrity requirements by quickly getting audit events off the system where they are produced (and thus vulnerable to intruders or malicious administrators) and into your separate and secure log management system.

Does LOGbinder for SQL Server require much configuration?

LOGbinder for SQL Server installs in about 2 minutes and only requires a few settings:

  1. Select which folders for LOGbinder to monitor for SQL audit log files
  2. Specify the user account LOGbinder should run as
  3. Choose whether to output events to the custom LOGbinder SQL event log, to the actual Windows Security Log, syslog or to a text file.

How do you monitor LOGbinder for SQL Server’s health?

Check the Application log for warnings or errors from source LOGbndSQ.

Why doesn’t LOGbinder for SQL Server include alerting or long term archival capability?

These are functions of a log management solution. LOGbinder complements and enhances the value of your log management solution. If you do not already have a log management solution, we can provide a simple, inexpensive, but dependable solution from our partner and we will help you install and configure it.

How does LOGbinder for SQL Server integrate with my current log management solution?

With LOGbinder, any log management solution that supports Windows event logs, text files or syslog can now collect, monitor, archive, and report on SQL Server audit log activity. Also, see next Q&A.

Which output formats does LOGbinder for SQL Server currently support?

LOGbinder can output to either the Windows Security Log, syslog, text file, or a custom Windows event log called LOGbinder for SQL Server.

Based on customer feedback we may add additional output formats such as syslog, text files, or XML.

How is LOGbinder for SQL Server licensed?

Does LOGbinder for SQL Server need to be installed on my SQL Server?

No. See above questions on performance.

What user credentials must be assigned to LOGbinder for SQL Server? Why?

The account needs to be authorized to run as a service, and if using the security log, must be authorized to write to the security log.

Can one installation of LOGbinder for SQL Server process audit logs from multiple SQL Servers?

Yes, LOGbinder for SQL Server can monitor multiple shared folders for SQL audit logs produced by different SQL Servers.

Your SIEM, log management or BDSA solution already does a great job at collecting, archiving, correlating and reporting on security logs. We just extend that capability to SQL Server. LOGbinder for SQL Server works with any SIEM, log management or Big Data platform that can consume:

  • Windows event logs
  • Text files
  • Syslog UDP
  • Common Event Format (ArcSight)
  • LEEF for QRadar (Future release)

In addition, we provide Recommended Report and Alert specifications so that you can intelligently respond to and analyze SQL Server security activity once it’s in your SIEM. If your SIEM/BDSA vendor is one of our Synergy Partners, your SIEM already understands SQL Server events from LOGbinder. If not, introduce us to your SIEM or BDSA vendor; we’d love to work with them!