LOGbinder SQL is a small, efficient Windows service that runs on any Windows server
on your network. One instance of LOGbinder SQL can process logs from many SQL Servers.
LOGbinder SQL can coexist with other LOGbinder products like LOGbinder EX for Exchange
and LOGbinder SP for SharePoint.
Simply configure each SQL Server (optionally with our free
SQL Server Audit Wizard) to write its audit events to a specified folder and then provide those folders to
LOGbinder SQL. LOGbinder SQL processes events as they appear in SQL Server binary
audit log files, and then translates them into easy-to-read events which it then
forwards to your SIEM solution.
Where can I learn more about SQL Server's new Auditing capability?
Why do I need LOGbinder SQL - can't SQL Server send audit events to the Windows
event log itself?
SQL Server can definitely output its raw audit events to the Windows event log. In
fact, we encourage you to
and try it out. We think you will agree that LOGbinder
SQL is needed for 2 reasons:
- Performance: Writing events to the SQL server's local security log can consume added
CPU, memory and disk resources which may be unavailable on heavily loaded database
- Raw, Cryptic Audit Data: The audit records generated by SQL Server audit are cryptic
and difficult to understand. SQL Server uses log record format for documenting everything
from an insertion on a table to a modification of a stored procedure. And while
SQL Server can write events to the security log, it uses the same event ID for all
events, and the IDs and keywords are not resolved. Thus, it requires in-depth knowledge
of the SQL audit model to decipher events. LOGbinder SQL enriches SQL Server’s
cryptic and generic audit messages to produce
more than 300 different and easy-to-understand audit log events
in Windows event log, where any log management or SIEM solution can collect, alert,
report, and analyze.
What can I monitor with the SQL Server's audit log and LOGbinder SQL?
Will LOGbinder SQL slow down my SQL server?
You can run LOGbinder SQL on the same server where SQL Server auditing is enabled
and LOGbinder SQL's modest resource usage will not be felt in most environments,
but you can ensure LOGbinder SQL has absolutely no impact on heavily loaded SQL
Servers by installing LOGbinder SQL on a different server. This latter does not
incur the expense of another SQL Server license because LOGbinder SQL can use any
edition of SQL Server 2008 (and later) - even the free Express Edition -
to read audit logs generated by other SQL Servers via shared folders.
Will enabling the new auditing available in SQL Server slow down my database server?
Thankfully SQL Server has a very granular audit policy that allows you to audit
just the desired actions on just the desired objects. So it is unlikely auditing
will have a material impact on your database server performance unless you try to
audit frequently executed operations like (select, update, insert, delete) on heavily
accessed tables. Even with that said, most SQL Servers can output a great deal of
audit events without feeling it. This is especially true if you configure the Audit
to target a file instead of the local event log; appending to a file is much faster
than calling Windows event APIs. And the good news is LOGbinder SQL is designed
to process SQL audit log files and can do so from a different system than your busy
database server. So, to ensure audit trail generation without performance degradation,
enable auditing of table and view operations only as needed and target the Audit
to create files in a shared folder on a different server, where LOGbinder SQL is
How secure is LOGbinder SQL?
LOGbinder is fully integrated with Windows and SQL Server security and complies
with widely accepted secure design and coding techniques.
At installation, LOGbinder secures the folder permissions where the software files
reside. To protect LOGbinder's configuration from tampering, LOGbinder encrypts
its configuration data.
LOGbinder security requirements are greatly simplified since LOGbinder does not
store your audit log data. LOGbinder is designed to quickly get audit events out
of the SQL Server audit log files and to the destination of your choice, at which
point your log management solution takes over. If you configure LOGbinder SQL to
direct events to the Windows security log, you leverage the significant effort Microsoft
has invested in protecting the security log. And if you are already collecting Windows
security logs with your log management application, SQL audit events will automatically
be included when you install LOGbinder SQL.
LOGbinder SQL's design helps you fulfill separation of duty and audit trail
integrity requirements by quickly getting audit events off the system where they
are produced (and thus vulnerable to intruders or malicious administrators) and
into your separate and secure log management system.
Does LOGbinder SQL require much configuration?
LOGbinder SQL installs in about 2 minutes and only requires a few settings:
- Select which folders for LOGbinder to monitor for SQL audit log files
- Specify the user account LOGbinder should run as
- Choose whether to output events to custom LOGbinder SQL event log, to the actual
Windows Security Log, syslog or to a text file.
How do you monitor LOGbinder SQL’s health?
Check the Application log for warnings or errors from source LOGbndSQ
Why doesn’t LOGbinder SQL include alerting or long term archival capability?
These are functions of a log management solution. LOGbinder complements and enhances
the value of your log management solution. If you do not already have a log management
solution, we can provide a simple, inexpensive, but dependable solution from our
partner and we will help you install and configure it.
How does LOGbinder SQL integrate with my current log management solution?
With LOGbinder, any log management solution that supports Windows event logs, text
files or syslog can now collect, monitor, archive, and report on SQL Server audit
log activity. Also, see next Q&A.
Which output formats does LOGbinder SQL currently support?
LOGbinder can output to either the Windows Security Log, syslog, text file, or a
custom Windows event log called LOGbinder SQL.
Based on customer feedback we may add additional output formats such as syslog,
text files, or XML.
How is LOGbinder SQL licensed?
Does LOGbinder SQL need to be installed on my SQL Server?
No. See above questions on performance.
What user credentials must be assigned to LOGbinder SQL? Why?
The account needs to be authorized to run as a service, and if using the security
log, must be authorized to write to the security log.
Can one installation of LOGbinder SQL process audit logs from multiple SQL Servers?
Yes, LOGbinder SQL can monitor multiple shared folders for SQL audit logs produced
by different SQL servers.
Your SIEM, log management or BDSA solution already does a great job at collecting,
archiving, correlating and reporting on security logs. We just extend that capability
to SQL Server. LOGbinder SQL works with any SIEM, log management or Big Data platform
that can consume:
- Windows event logs
- Text files
- Syslog UDP
- Common Event Format (ArcSight)
- LEEF for Qradar (Future release)
In addition, we provide Recommended Report and Alert specifications so that you
can intelligently respond to and analyze SQL Server security activity once it’s
in your SIEM. If your SIEM/BDSA vendor is one of our Synergy Partners, your
SIEM already understands SQL Server events from LOGbinder. If not, introduce us
to your SIEM or BDSA vendor; we’d love to work with them!