
www.logbinder.com

Getting Started Guide

Document version 1

Contents

Installing LOGbinder for SQL Server ... 3

Step 1 – Select Server and Check Requirements ... 3

Select Server ... 3

Software Requirements ... 3

SQL Server Auditing Requirements ... 3

Step 2 – Check User Accounts and Authority ... 4

If outputting to Windows Security log ... 4

Step 3 – Run the Installer ... 5

Configuring LOGbinder for SQL Server ... 6

Configure Input ... 6

Configure Output ... 7

Configure Service ... 8

Configure Options ... 8

Status Bar ... 9

License ... 10

Monitoring LOGbinder for SQL Server ... 11

During Installation and Configuration ... 11

While LOGbinder for SQL Server is Running ... 12

Appendix A: Assigning Permissions ... 13

SQL Control Server permission ... 13

Local Security Policy Changes... 13

Log On as a Service ... 14

Generate Security Audits (SeAuditPrivilege) ... 14

Audit Policy ... 14

Appendix B: LOGbinder Event List ... 16

LOGbinder for SQL Server Events ... 16

Diagnostic Events ... 16

Appendix C: Diagnostic Events ... 17


551 – LOGbinder agent successful ... 17

552 – LOGbinder warning ... 17

553 – LOGbinder settings changed ... 17

554 – LOGbinder agent produced unexpected results ... 18

555 – LOGbinder error ... 19

556 – LOGbinder insufficient authority ... 19


Installing LOGbinder for SQL Server

LOGbinder for SQL Server runs as a Windows service on a Windows server. It translates audit log entries from Microsoft SQL Server, and outputs them to the LOGbinder SQL event log, the Windows Security Log, Syslog, Syslog in CEF, or Syslog in LEEF.

For more information, please visit our web site https://www.logbinder.com. There you will find a rich set of resources to guide you in setting audit policy, setting up audit log reporting and archiving, and so forth.

To open a case with our support staff, please email support@logbinder.com.

Installing LOGbinder for SQL Server involves 3 simple steps:

• Step 1 – Select Server and Check Requirements
• Step 2 – Check User Accounts and Authority
• Step 3 – Run the Installer

Subsequent sections cover:

• Configuring LOGbinder for SQL Server
• Monitoring LOGbinder for SQL Server

Step 1 – Select Server and Check Requirements

Select Server

LOGbinder for SQL Server can be installed on any Windows workstation that is capable of running Microsoft SQL 2008 or 2012 Express Edition, but a Windows server is recommended. It does not have to be installed on your Microsoft SQL Enterprise Edition server. LOGbinder for SQL Server can consume logs from multiple SQL servers remotely.

Software Requirements

• Microsoft Windows Server 2003 or later
• Microsoft .NET Framework 4.0
• Microsoft SQL Server Express 2008 or later for processing events

SQL Server Auditing Requirements

For LOGbinder for SQL Server to be able to process audit events, SQL Server Audit has to be configured, together with a Server Audit Specification and/or Database Audit Specifications. The audit destination should be a file.

For an easy, few-step configuration of both SQL Server Audit and Server Audit Specification, you can use our completely free tool, the SQL Audit Policy Wizard.
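The T-SQL side of this requirement, scripted from PowerShell as an added example (not code from the LOGbinder guide or the SQL Audit Policy Wizard): it creates a server audit whose destination is a file folder, attaches a server audit specification, and checks that the audit is running. The instance name, audit and specification names, and folder path are assumed placeholders; the SqlServer PowerShell module (Invoke-Sqlcmd) must be installed.

```powershell
# Added example, not from the LOGbinder guide: create a SQL Server Audit whose destination
# is a file folder, attach a Server Audit Specification, and confirm the audit is running.
# Requires the SqlServer PowerShell module (Invoke-Sqlcmd) and a login with ALTER ANY
# SERVER AUDIT on the production instance. Instance, audit names and folder are assumed.
$Instance  = 'PRODSQL01'             # assumed: the SQL Server that generates the audit events
$AuditName = 'LOGbinder_Audit'       # assumed
$SpecName  = 'LOGbinder_ServerSpec'  # assumed
$AuditPath = 'C:\SQLAudit\'          # assumed: becomes LOGbinder's Audit File Location

$createAudit = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'$AuditName')
BEGIN
    -- TO FILE is the destination LOGbinder reads. ON_FAILURE = CONTINUE keeps the instance
    -- available if the folder becomes unwritable; use SHUTDOWN only if policy requires
    -- fail-closed auditing. Rollover keeps 50 files of 100 MB before the oldest is reused.
    CREATE SERVER AUDIT [$AuditName]
    TO FILE ( FILEPATH = N'$AuditPath', MAXSIZE = 100 MB,
              MAX_ROLLOVER_FILES = 50, RESERVE_DISK_SPACE = OFF )
    WITH ( QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE );
END;

IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = N'$SpecName')
BEGIN
    -- Server-level action groups worth capturing on every instance: logins, changes to
    -- roles and permissions, and any change to the audit configuration itself.
    CREATE SERVER AUDIT SPECIFICATION [$SpecName]
    FOR SERVER AUDIT [$AuditName]
        ADD (FAILED_LOGIN_GROUP),
        ADD (SUCCESSFUL_LOGIN_GROUP),
        ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
        ADD (SERVER_PERMISSION_CHANGE_GROUP),
        ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
END;

ALTER SERVER AUDIT [$AuditName] WITH (STATE = ON);
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $createAudit -ErrorAction Stop

# Read back the runtime state: STARTED, plus the file the audit is currently writing to.
# That file's folder is what you enter as the Audit File Location in Configure Input.
$status = Invoke-Sqlcmd -ServerInstance $Instance -Database master -ErrorAction Stop -Query @"
SELECT name, status_desc, audit_file_path, audit_file_size
FROM sys.dm_server_audit_status
WHERE name = N'$AuditName';
"@
$status | Format-Table -AutoSize
if ($status.status_desc -ne 'STARTED') {
    throw "Audit '$AuditName' is not running (status: $($status.status_desc))"
}
```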


Step 2 – Check User Accounts and Authority

Three user accounts are involved with LOGbinder for SQL Server. For each account, the description and the authority required are listed below.

User account: Your account

Description: The account you are logged on as when you install and configure LOGbinder for SQL Server.

Authority required:

• Read-only access to Audit File Location
• Member of the local Administrators group (recommended)
    - Windows UAC sometimes interferes with this setting. It is recommended that you use the “Run as Administrator” option when running LOGbinder. You may also need to grant both your account and the service account Modify permissions to the C:\ProgramData folder, as described in the third bullet point under Service account below.

User account: Service account

Description: The account that the LOGbinder for SQL Server (LOGbinder SQL) service will run as. This domain account must be created before installing LOGbinder for SQL Server. See Appendix A: Assigning Permissions for details on granting these permissions.

Authority required:

• Control Server permission on the SQL Server being used to process events
• Privilege “log on as a service”
• Permission to create, read, modify files in {Common Application Data}\LOGbinder SQL (i.e. C:\Documents and Settings\All Users\Application Data\LOGbinder SQL or C:\ProgramData\LOGbinder SQL)
    - Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.
    - This LOGbinder SQL folder will be created after LOGbinder is installed and the LOGbinder control panel is first started.

If outputting to Windows Security log

• Privilege "Generate Security Audit" (SeAuditPrivilege)
• Setting audit policy
    - Windows Server 2003: Enable “Audit object access” for at least success
    - Windows Server 2008 or later: Enable the “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” security option, and enable the “Audit Application Generated” audit subcategory for at least success

User account: SQL Server account

Description: The account running the SQL Server that is set in the LOGbinder input to process the events.

Authority required:

• Read access to Audit File Location (see section Configure Input below for more details on this)
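A read-only check of the authority listed above, as an added example that is not part of the LOGbinder guide: it tests the folder ACLs, the two user rights, and CONTROL SERVER on the processing instance, and reports each as OK, MISSING, or SKIP. Account names, the instance name, and the audit folder path are assumed placeholders; the SqlServer module (Invoke-Sqlcmd) is needed for the SQL check, and the script must run elevated on the LOGbinder host.

```powershell
# Added example, not from the LOGbinder guide: read-only checks that the three accounts in
# the table above hold the authority it lists. Run from an elevated PowerShell on the
# LOGbinder host; needs the SqlServer module (Invoke-Sqlcmd) for the CONTROL SERVER check.
# All account, instance and path values below are assumed placeholders.
$ServiceAccount      = 'CONTOSO\svc-logbinder'        # assumed: LOGbinder SQL service account
$SqlServiceAccount   = 'NT SERVICE\MSSQL$SQLEXPRESS'   # assumed: account running the processing SQL Server
$ProcessingInstance  = 'LOGBINDER01\SQLEXPRESS'        # assumed: "SQL Server for Processing Events"
$AuditFileLocation   = '\\PRODSQL01\SQLAudit'          # assumed: an Audit File Location input
$OutputToSecurityLog = $true                           # assumed: Security Log output will be enabled
$DataFolder  = Join-Path $env:ProgramData 'LOGbinder SQL'   # {Common Application Data}\LOGbinder SQL
$YourAccount = "$env:USERDOMAIN\$env:USERNAME"

# Does $Identity hold an explicit Allow ACE on $Path covering at least $Rights?
# Direct ACEs only: rights inherited through group membership are not resolved here.
function Test-FolderRights([string]$Path, [string]$Identity,
                           [System.Security.AccessControl.FileSystemRights]$Rights) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # folder not created yet
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -ieq $Identity -and
            (([int]$ace.FileSystemRights) -band [int]$Rights) -eq [int]$Rights) { return $true }
    }
    return $false
}

# Is $Account listed for a user right? secedit exports each right as a comma list of *SID
# (or name) entries, so both the SID and the name are accepted.
function Test-UserRight([string]$Privilege, [string]$Account) {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$Privilege\s*=" }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    return ($holders -contains $sid) -or ($holders -contains $Account)
}

# CONTROL SERVER on the processing instance, evaluated as the service account would see it.
function Test-ControlServer([string]$Instance, [string]$Account) {
    $q = "EXECUTE AS LOGIN = N'$Account'; SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER') AS ok; REVERT;"
    try { return ([int](Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $q -ErrorAction Stop).ok -eq 1) }
    catch { return $false }   # no such login, or the caller may not impersonate it
}

$checks = [ordered]@{
    'Your account: read-only access to Audit File Location'     = Test-FolderRights $AuditFileLocation $YourAccount 'Read'
    'Service account: log on as a service (SeServiceLogonRight)' = Test-UserRight 'SeServiceLogonRight' $ServiceAccount
    'Service account: modify ProgramData\LOGbinder SQL'           = Test-FolderRights $DataFolder $ServiceAccount 'Modify'
    'Service account: CONTROL SERVER on processing instance'      = Test-ControlServer $ProcessingInstance $ServiceAccount
    'SQL Server account: read access to Audit File Location'      = Test-FolderRights $AuditFileLocation $SqlServiceAccount 'Read'
}
if ($OutputToSecurityLog) {
    $checks['Service account: generate security audits (SeAuditPrivilege)'] = Test-UserRight 'SeAuditPrivilege' $ServiceAccount
}

foreach ($name in $checks.Keys) {
    $v = $checks[$name]
    $state = if ($null -eq $v) { 'SKIP (folder missing)' } elseif ($v) { 'OK' } else { 'MISSING' }
    '{0,-22} {1}' -f $state, $name
}
```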

Step 3 – Run the Installer

Run the installer. On the page "Specify Service Account," enter the user account name, including both domain name and user name (i.e. domain\username) of the service account (the user account that will run the LOGbinder for SQL Server (LOGbinder SQL) service). The rights outlined above must be granted to the account before running the installer, or else LOGbinder for SQL Server will not install properly. On the page "Select Installation Folder," it is recommended that you use the default setting, C:\Program Files\LOGbndSQ.

If a dialog box "Set Service Login" appears, then the user account information entered previously was not valid. Confirm the account name and password, and re-enter the information.


Configuring LOGbinder for SQL Server

Open the "LOGbinder SQL" link in the Windows start menu, which appears by default in the “LOGbinder” folder.

To use LOGbinder for SQL Server, adjust the settings in the three views: Input, Output, and Service. Settings can be changed while the service is running, but changes will be applied only when the service is restarted. If the LOGbinder for SQL Server control panel is closed before restarting the service, the changes will be discarded. On the other hand, if the service is already stopped, the changes are saved automatically.

Configure Input

Use the menu Action\New Input to add at least one Audit File Location. Either type the path, or use the Browse button to find the path. The path can be in UNC or drive/path format.

Audit File Location

LOGbinder for SQL Server retrieves audit logs from files you create using Microsoft SQL Server 2008 or 2012 Enterprise edition. When creating an audit in SQL Server, use “File” as the selection for “Audit destination,” as shown below.

Figure 1: SQL Server Audit Properties window

Choose this file path when specifying LOGbinder for SQL Server’s Audit File Location folder.

You can use one installation of LOGbinder for SQL Server to monitor audits from multiple Microsoft SQL servers. Create an input for each server you wish to monitor.

To adjust the properties of an input, use the menu Action\Properties or double-click on it. Check the box “Specify last processed file” if you are reinstalling LOGbinder for SQL Server and must resume at a specific location. Generally, though, this box will be unchecked—as you will experience errors if an invalid selection is made.


In the section “SQL Server for Processing Events,” choose—or enter the name of—an existing SQL server. All eligible servers can be listed by pressing the Refresh button. (Note that only those SQL servers can be discovered and listed here that have the SQL Server Browser service running.) You do not need to choose the server that generates the events—any of these servers can be chosen.

The service account must have the following permission:

• “Control Server” permission on this SQL server [NOTE: The service account does not need such permissions to the server(s) generating audit events.]

The account that is running the SQL Server for Processing Events must have the following permission:

• Read access to the Audit File Location folder

See Appendix A: Assigning Permissions for details on granting permissions.

Why do I need to specify a SQL server?

Above it is noted that LOGbinder for SQL Server does not access the audit logs directly from your Microsoft SQL Server (a.k.a. your production server). So, why does a SQL server need to be chosen? And for what purpose?

When SQL outputs audit logs to a file, it does so in an encrypted format that can be read only by Microsoft SQL Server itself. This is essential to prevent tampering with the integrity of the audit log trail. Thus, LOGbinder for SQL Server cannot read these log files itself, but it must use SQL Server to read the logs.

LOGbinder must be able to use an installation of SQL Server 2008 or 2012, including Express edition. In most cases you will not want to choose your production server for LOGbinder’s use to process events.
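What that SQL Server does on LOGbinder's behalf, as an added example that is not the product's own code: it reads the audit files through sys.fn_get_audit_file on the processing instance and keeps a file/offset checkpoint, the same pair of values the "Specify last processed file" option and the 553 settings-changed event refer to. The processing instance name, audit folder, and checkpoint path are assumed placeholders; the SqlServer module (Invoke-Sqlcmd) is required.

```powershell
# Added example, not from the LOGbinder guide: read the audit files the way the "SQL Server
# for Processing Events" must, through sys.fn_get_audit_file, resuming from a saved
# file/offset checkpoint like LOGbinder's "Specify last processed file" option. Requires
# the SqlServer module (Invoke-Sqlcmd); instance, folder and checkpoint path are assumed.
$ProcessingInstance = 'LOGBINDER01\SQLEXPRESS'   # assumed: any SQL Server 2008+/Express instance
$AuditFileLocation  = '\\PRODSQL01\SQLAudit\'    # assumed: the folder the production audit writes to
$CheckpointFile     = Join-Path $env:ProgramData 'sqlaudit-checkpoint.json'   # assumed

# sys.fn_get_audit_file(file_pattern, initial_file_name, audit_record_offset) decodes the
# .sqlaudit files. The read happens under the SQL Server's own service account, which is
# why that account (not the caller) needs read access to the folder. Given a file name and
# offset it returns only the records written after that offset.
function Read-AuditRecords([string]$Instance, [string]$Folder, [string]$InitialFile, [long]$Offset) {
    $pattern = Join-Path $Folder '*.sqlaudit'
    $source  = if ($InitialFile) { "N'$pattern', N'$InitialFile', $Offset" } else { "N'$pattern', DEFAULT, DEFAULT" }
    $q = @"
SELECT event_time, action_id, succeeded, server_principal_name, database_name,
       object_name, statement, file_name, audit_file_offset
FROM sys.fn_get_audit_file($source)
ORDER BY file_name, audit_file_offset;
"@
    try { return @(Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $q -ErrorAction Stop) }
    catch { throw "Instance '$Instance' could not read '$pattern' (caller needs CONTROL SERVER; the SQL Server service account needs read access to the folder): $_" }
}

# Load the checkpoint (absent on the first run), fetch new records, then advance it.
$cp   = if (Test-Path $CheckpointFile) { Get-Content $CheckpointFile -Raw | ConvertFrom-Json } else { $null }
$rows = Read-AuditRecords $ProcessingInstance $AuditFileLocation $cp.file_name ([long]$cp.offset)

"Read $($rows.Count) new audit record(s) since checkpoint '$($cp.file_name)' / offset $($cp.offset)"
$rows | Select-Object event_time, action_id, succeeded, server_principal_name, database_name, object_name |
    Format-Table -AutoSize

if ($rows.Count -gt 0) {
    $last = $rows[-1]
    @{ file_name = [string]$last.file_name; offset = [long]$last.audit_file_offset } |
        ConvertTo-Json | Set-Content -Path $CheckpointFile
}
```

Run it repeatedly; each run returns only records written since the previous checkpoint, and a checkpoint that names a file which has since been rolled over and deleted is the situation the guide warns about when an invalid "last processed file" is selected.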

Configure Output

LOGbinder supports multiple output formats. LOGbinder for SQL Server allows output to go to:

• LOGbinder SP Event Log: a custom event log under Applications and Services Logs.
• Security Log: the Windows Security log. (Please remember to set the additional privileges as described in section Step 2 – Check User Accounts and Authority when using this feature.)
• Syslog-CEF: a Syslog server using ArcSight’s Common Event Format.
• Syslog-LEEF: a Syslog server using IBM Security QRadar’s Log Event Extended Format.
• Syslog-Generic: a Syslog server using the generic Syslog format.
• Syslog-CEF (File): a Syslog file using ArcSight’s Common Event Format.
• Syslog-LEEF (File): a Syslog file using IBM Security QRadar’s Log Event Extended Format.
• Syslog-Generic (File): a Syslog file using the generic Syslog format.

At least one of these must be enabled in order for the LOGbinder service to start.

To adjust the settings, select an item and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."


Select the "Include Noise Events" option if you want to include these in the event log. A “noise event” is a log entry generated from the input (SQL Server) that contains only misleading information. This option is included in case it is essential to preserve a complete audit trail; by default this option is not selected.

For some output formats, LOGbinder for SQL Server can preserve the original data extracted from SQL, along with details as to how the entry was translated by LOGbinder. Check the option "Include XML Data" in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.

For the output format "LOGbinder SQL Event Log", the entries are placed in a custom log named "LOGbinder SQL." When the log is created, by default the maximum log size is set to 16MB, and it will overwrite events as needed. If changing these settings, balance the log size settings with the needs of your log management software as well as the setting for "Include XML Data." In this way you will ensure that your audit trail is complete.

For file based outputs, such as Syslog (File), the output file is stored in the folder specified by the “Alternate Output Data Folder” option under File\Options. (See section below on Configure Options.)

Configure Service

To start, stop, and restart the LOGbinder for SQL Server (LOGbinder SQL) service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar.

Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder will confirm that the settings are accurate and that the necessary permissions have been granted. If the service fails to start, a message will be shown as to what settings need to be corrected. The reasons why the service will not start include:

• If no inputs have been properly configured.
• If no outputs (i.e. Windows Event Log, Windows Security Log) are enabled.

If either of these conditions is found, the service will not start. A message will be presented to the user with the details of the problem.

If the service cannot start because the account does not have sufficient authority, or if there is another problem preventing it from running, the details of the problem are written to the Application Event Log. These events can also be viewed inside of the LOGbinder control panel, by selecting the “LOGbinder Diagnostic Events” view.

See the section “Monitoring LOGbinder for SQL Server” for more information on how to handle issues that may arise when starting the LOGbinder for SQL Server (LOGbinder SQL) service.

Configure Options

Use the menu File\Options to change LOGbinder's options.

The Service Account lists the user account that runs the LOGbinder for SQL Server (LOGbinder SQL) service. This is the account you specified when installing LOGbinder for SQL Server. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).

Figure 3: Output properties window

Figure 4: Message indicating outputs not configured


If the box “Do not write informational messages to the Application log” box is checked, then event 551 – LOGbinder agent successful (see Appendix C: Diagnostic Events) will not be written to the Application log.

The Logging options can be utilized for diagnostic purposes if experiencing problems with LOGbinder. By default, the Logging Level is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1 generates a standard level of detail of logging. Level 2 will generate more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support; otherwise performance will be adversely affected. Both Level 1 and Level 2 logging options will generate log files named Control Panel.log, Service.log, Service Controller.log and Service Processor.log in the Log location folder.

“Alternate Output Data Folder” specifies the data folder used for the output data. This is the folder where LOGbinder stores output that is written to files, such as the Syslog-Generic (File) output, as well as the above mentioned diagnostic files. The folder path can be set using a drive letter or UNC, if it is a network location. The default folder is {Common Application Data}\LOGbinder SP (i.e. C:\ProgramData\LOGbinder SP). Please note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder as specified above in section Step 2 – Check User Accounts and Authority.

Status Bar

The status bar will show information about the operation of LOGbinder.

• Service status: displays the status of the service. The image shown indicates the service is stopped. The service may also be running, or in an 'unknown' state.
• License status: shows the status of the license for LOGbinder. If LOGbinder is not fully licensed, a message will appear in the status bar.
• Settings changed: indicates that settings have been changed. In order to apply the changes, the LOGbinder for SQL Server (LOGbinder SQL) service must be restarted. If the LOGbinder for SQL Server (LOGbinder SQL) service is running and the LOGbinder for SQL Server control panel is closed, the changes will be discarded.


License

Use the menu File\License to view information about your license for LOGbinder. If you have purchased LOGbinder for SQL Server and need to obtain a license key, follow these steps:

• For Unit/Server Count, enter the number of audit inputs being monitored.
• Press the Copy button, and paste the contents into an email addressed to licensing@logbinder.com
• When the license key is received, copy it to the clipboard and press the Paste button. If you are properly licensed, the license window will redisplay and show that you are properly licensed. If there is a problem, respond immediately to licensing@logbinder.com.


Monitoring LOGbinder for SQL Server

When installing, configuring, and running LOGbinder for SQL Server, the software writes diagnostic events to the Windows Application Event Log. Most of these will be from the source "LOGbndSE" and the category "LOGbinder." You may use the Windows Event Viewer to examine these events. The LOGbinder control panel also includes a set of views that list these events: choose “LOGbinder Diagnostic Events,” or drill down to one of the nested views.

Figure 7: LOGbinder Diagnostic Events view

During Installation and Configuration

During installation and configuration, you will find these entries:

• After installation, there may be an entry from the source MsiInstaller: "Product: LOGbinder SQL -- Installation completed successfully."
• When the configuration of LOGbinder for SQL Server changes, you will see one or more entries entitled "LOGbinder settings changed." See Appendix C: Diagnostic Events: “553 – LOGbinder settings changed” for information about these events.
• When the service starts, there may be an entry from the source LOGbinder SQL: "Service started successfully." (Entries are also written when the service is stopped.)

You can monitor these events to ensure that LOGbinder for SQL Server continues to be configured properly, and that unauthorized changes do not occur.

After configuring LOGbinder for SQL Server and starting the service, it automatically performs a check to ensure that LOGbinder's settings are valid and that the account running the Windows service has sufficient authority. If there is a problem, the LOGbinder for SQL Server (LOGbinder SQL) service will not start and a message will be presented to the user. In most cases, the details of the problem are written to the Application log. Common problems include:

• Input/output not configured properly. See the previous section Configuring LOGbinder for SQL Server for more information.
• Insufficient authority. If the service account does not have adequate authority, then the service will not run. An entry is written to the Application log. See Appendix C: Diagnostic Events “556 – LOGbinder insufficient authority” for more details. Some of the common missing permissions include:
    - Account does not have authority to log on as a Windows service
    - Account does not have necessary permissions to the Audit File Location.
    - The account does not have authority to write to the Security event log. (If this output destination has not been selected, then it is not necessary to grant this permission.)


• License invalid. If the license is not valid or has expired, then the LOGbinder for SQL Server (LOGbinder SQL) service will not run. An entry may be written to the Application log. See Appendix C: Diagnostic Events “557 – License for LOGbinder invalid” for details.
• Other errors will be found in entries entitled "LOGbinder error." See Appendix C: Diagnostic Events “555 – LOGbinder error” for more information.

If any of these errors are encountered, the LOGbinder for SQL Server (LOGbinder SQL) service will not run.

While LOGbinder for SQL Server is Running

While LOGbinder for SQL Server is running, you will see information entries in the Application log as follows:

• Entries 'exported' from SQL. This message indicates the number of audit entries that LOGbinder for SQL Server has processed.
• Entries 'imported' into the Windows event log. This indicates that the audit entries have been placed in the enabled output formats. There will be one message event if multiple output formats have been selected (i.e. you have selected both Windows Security Log and Windows Event Log as output formats). The 'export'/'import' entries are complementary: there should be a corresponding 'import' entry for each 'export.'

These log entries are informational in nature. Generally no action is required. If more entries are being processed than what appear in the event logs or in your log management solution, it could be that the log size is too small and entries are being overwritten. See Appendix C: Diagnostic Events “551 – LOGbinder agent successful” for more information on these events.

There may also be some warning event entries:

• LOGbinder agent produced unexpected results. When LOGbinder for SQL Server cannot translate an event properly, in addition to outputting the event to the selected output streams, it also creates an entry in the Application log. See Appendix C: Diagnostic Events “554 – LOGbinder agent produced unexpected results” for further details.

If LOGbinder for SQL Server has an error, an entry will be created in the Application log. If permissions are removed, or if the license expires, you may receive a "556 – LOGbinder insufficient authority" or "557 – License for LOGbinder invalid" error, which are explained above. Other errors will be entitled "LOGbinder error." If you cannot resolve the problem, please submit the issue to the LOGbinder support
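The export/import reconciliation and the warning/error handling described in this section, as an added example that is not part of the LOGbinder guide: Get-LogbinderHealth sums the 551 'exported' and 'imported' counts per destination, flags a shortfall, and turns events 552 to 557 into alerts. The sample events are constructed from the message formats in Appendix C; the provider name "LOGbndSE" (the source named above) and one 'imported' entry per enabled output are assumptions.

```powershell
# Added example, not from the LOGbinder guide: reconcile the 551 'exported'/'imported'
# pairs and surface the warning and error events described above. Get-LogbinderHealth
# works on any objects with Id and Message properties. The sample events are constructed
# from the message formats in Appendix C; the Get-WinEvent call reads the live Application
# log. Assumed: the provider name is "LOGbndSE" (the source the guide names) and each
# enabled output writes its own 'imported' entry.
function Get-LogbinderHealth($Events) {
    $exported = 0
    $imported = @{}      # destination -> entries imported there
    $alerts   = @()
    foreach ($e in $Events) {
        switch ($e.Id) {
            551 {
                if ($e.Message -match '(?m)exported (\d+) entries from SQL logs from (.+)$') {
                    $exported += [int]$Matches[1]
                } elseif ($e.Message -match '(?m)imported (\d+) entries to (.+)$') {
                    $imported[$Matches[2].Trim()] += [int]$Matches[1]
                }
            }
            552 { $alerts += "WARNING: $($e.Message)" }
            553 { $alerts += "SETTINGS CHANGED (confirm it was authorized): $($e.Message)" }
            554 { $alerts += "UNEXPECTED RESULT (send entry to support): $($e.Message)" }
            555 { $alerts += "ERROR: $($e.Message)" }
            556 { $alerts += "INSUFFICIENT AUTHORITY, service will not run: $($e.Message)" }
            557 { $alerts += "LICENSE INVALID, service will not run: $($e.Message)" }
        }
    }
    # Each export should be matched by an import into every enabled output. A shortfall
    # usually means the target log is too small and entries are being overwritten.
    if ($exported -gt 0 -and $imported.Count -eq 0) {
        $alerts += "GAP: $exported entries exported but no import entry found"
    }
    foreach ($dest in $imported.Keys) {
        if ($imported[$dest] -lt $exported) {
            $alerts += "GAP: exported $exported entries but only $($imported[$dest]) imported to $dest"
        }
    }
    [pscustomobject]@{ Exported = $exported; Imported = $imported; Alerts = $alerts }
}

# Constructed sample (not real log data): 3 exported, 3 to the Security log, only 2 to the
# LOGbinder SQL log, plus a settings change and an authority failure.
$sample = @(
    [pscustomobject]@{ Id = 551; Message = "LOGbinder agent successful`r`nLOGbinder SQL exported 3 entries from SQL logs from c:\sqlaudit\" }
    [pscustomobject]@{ Id = 551; Message = "LOGbinder agent successful`r`nLOGbinder SQL imported 3 entries to Security event log" }
    [pscustomobject]@{ Id = 551; Message = "LOGbinder agent successful`r`nLOGbinder SQL imported 2 entries to LOGbinder SQL event log" }
    [pscustomobject]@{ Id = 553; Message = "LOGbinder settings changed`r`nOutput to Security log enabled. Noise events included." }
    [pscustomobject]@{ Id = 556; Message = "LOGbinder insufficient authority`r`nPrivilege: SeAuditPrivilege" }
)
(Get-LogbinderHealth $sample).Alerts

# Live run over the last 24 hours (needs read access to the Application log):
$live = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'LOGbndSE'; StartTime = (Get-Date).AddDays(-1)
}
if ($live) { (Get-LogbinderHealth $live).Alerts }
```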


Appendix A: Assigning Permissions

SQL Control Server permission

• Use the following Transact-SQL script to assign the “Control Server” permission to the service account:

    USE master
    GRANT CONTROL SERVER TO [domain\user]
    GO

• The “Control Server” permission does not appear on the Login Properties window in SQL Server Management Studio. The “SysAdmin” server role is basically the equivalent of the “Control Server” permission, and this could be assigned instead of “Control Server”:
    - In SQL Server Management Studio, navigate to Security\Logins
    - Select the login for the service account and open its properties
    - Select the Server Roles page
    - Check “sysadmin” and close

• NOTE: Whereas the “SysAdmin” server role supersedes all other permissions, having the “Control Server” privilege is affected by other statements—‘DENY’ statements can reduce the amount of privileges. While it is beyond the scope of this document to outline specific scenarios, “Control Server” could be used in situations where it is necessary to reduce the privileges of the service account.
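The point of the NOTE in practice, as an added example that is not the guide's own script: grant CONTROL SERVER to the service account, observe that it implies every other server-level permission, then DENY the ones a log-reading service never needs and observe that the DENY wins. The instance and login names are assumed placeholders; the SqlServer module (Invoke-Sqlcmd) is required and the caller must hold sysadmin or CONTROL SERVER plus IMPERSONATE on the login.

```powershell
# Added example, not from the LOGbinder guide: grant the service account CONTROL SERVER
# instead of sysadmin, then show how a DENY narrows that grant, which is the property the
# NOTE above relies on for reducing the service account's privileges. Requires the
# SqlServer module (Invoke-Sqlcmd) and a caller holding sysadmin or CONTROL SERVER plus
# IMPERSONATE on the login. Instance and login names are assumed placeholders.
$ProcessingInstance = 'LOGBINDER01\SQLEXPRESS'   # assumed
$ServiceAccount     = 'CONTOSO\svc-logbinder'    # assumed: Windows login of the LOGbinder SQL service

function Invoke-Master([string]$Query) {
    Invoke-Sqlcmd -ServerInstance $ProcessingInstance -Database master -Query $Query -ErrorAction Stop
}

# Evaluates one server-level permission as the service account itself would see it.
function Test-ServicePermission([string]$Permission) {
    $r = Invoke-Master "EXECUTE AS LOGIN = N'$ServiceAccount'; SELECT HAS_PERMS_BY_NAME(NULL, NULL, N'$Permission') AS granted; REVERT;"
    return ([int]$r.granted -eq 1)
}

# 1. Create the Windows login if needed and grant CONTROL SERVER (the guide's own script).
Invoke-Master @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceAccount')
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
GRANT CONTROL SERVER TO [$ServiceAccount];
"@

# 2. CONTROL SERVER implies every other server-level permission, so all three are granted.
'Before DENY:'
'  CONTROL SERVER  = {0}' -f (Test-ServicePermission 'CONTROL SERVER')
'  ALTER ANY LOGIN = {0}' -f (Test-ServicePermission 'ALTER ANY LOGIN')
'  SHUTDOWN        = {0}' -f (Test-ServicePermission 'SHUTDOWN')

# 3. For a login that is not sysadmin, DENY takes precedence over GRANT, including the
#    permissions implied by CONTROL SERVER. Deny what a log-reading service never needs.
Invoke-Master "DENY ALTER ANY LOGIN TO [$ServiceAccount]; DENY SHUTDOWN TO [$ServiceAccount];"
'After DENY:'
'  CONTROL SERVER  = {0}' -f (Test-ServicePermission 'CONTROL SERVER')
'  ALTER ANY LOGIN = {0}' -f (Test-ServicePermission 'ALTER ANY LOGIN')
'  SHUTDOWN        = {0}' -f (Test-ServicePermission 'SHUTDOWN')

# 4. The effective server-level permission list as the service account, for the record.
Invoke-Master "EXECUTE AS LOGIN = N'$ServiceAccount'; SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER') ORDER BY permission_name; REVERT;" |
    Select-Object -ExpandProperty permission_name
```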

Local Security Policy Changes

The following chart summarizes the changes to be made in the Local Security Policy. More detailed explanations are found after the chart.

Local Security Policy (secpol.msc) settings summary

| Security Settings path | Setting | Windows Server 2003 | Windows Server 2008/2012 | When needed |
|---|---|---|---|---|
| Local Policies\User Rights Assignment | Log on as a service | add service account | add service account | Always |
| Local Policies\User Rights Assignment | Generate security audits | add service account | add service account | If outputting to Windows Security log |
| Local Policies\Audit Policy | Audit object access | set Success | N/A | If outputting to Windows Security log |
| Local Policies\Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | N/A | set Enabled | If outputting to Windows Security log |
| Advanced Audit Policy Configuration\Object Access | Audit Application Generated | N/A | set Success | If outputting to Windows Security log |

Log On as a Service

• Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
• Select Security Settings\Local Policies\User Rights Assignment
• Open "Log on as a service" and add user
• NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Generate Security Audits (SeAuditPrivilege)

• Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
• Select Security Settings\Local Policies\User Rights Assignment
• Open "Generate security audits" and add user
• NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Audit Policy

Windows Server 2003

• Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
• Select Security Settings\Local Policies\Audit Policy
• Edit "Audit object access," ensuring that "Success" is enabled. (LOGbinder for SQL Server does not require that the "Failure" option be enabled.)
• NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Windows Server 2008 and 2012

Audit policy can be configured with the original top-level categories as described above for Windows Server 2003, but most environments have migrated to the more granular audit subcategories available in Windows Server 2008 (a.k.a. Advanced Audit Policy).

Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)

• First, you must ensure that ‘basic’ and ‘advanced’ audit policy settings are not used at the same time.
    - Microsoft gives this warning: “Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.” (http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx)
    - Select Security Settings\Local Policies\Security Options
    - Open and enable “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”


• To enable LOGbinder for SQL Server events to be sent to the security log:
    - Select Security Settings\Advanced Audit Policy Configuration\Object Access
    - Edit “Audit Application Generated,” ensuring that “Success” is enabled. (LOGbinder for SQL Server does not require that the “Failure” option be enabled.)
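The same Local Security Policy changes applied from the command line on Windows Server 2008 or later, as an added example that is not part of the LOGbinder guide: the two user rights via secedit (merging the service account into the existing holder list rather than replacing it), the "Force audit policy subcategory settings" option via its registry value, and the "Application Generated" subcategory via auditpol, followed by a read-back. The service account name and whether Security Log output is used are assumed; a setting controlled by Group Policy will be overwritten at the next refresh, so set it in the GPO instead.

```powershell
# Added example, not from the LOGbinder guide: apply the Local Security Policy changes from
# the chart above on Windows Server 2008 or later, then read them back. Run elevated on the
# LOGbinder host. Settings managed by Group Policy are reapplied at the next refresh, so
# make those changes in the GPO instead. Service account and output choice are assumed.
$ServiceAccount      = 'CONTOSO\svc-logbinder'   # assumed
$OutputToSecurityLog = $true                     # assumed

$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# --- User Rights Assignment: Log on as a service (and Generate security audits) ---
# secedit /configure REPLACES the holder list of every right it sets, so export the current
# holders first and append the service account instead of overwriting them.
$rights = @('SeServiceLogonRight')
if ($OutputToSecurityLog) { $rights += 'SeAuditPrivilege' }

$exportInf = Join-Path $env:TEMP 'rights-export.inf'
$applyInf  = Join-Path $env:TEMP 'rights-apply.inf'
secedit /export /cfg $exportInf /areas USER_RIGHTS /quiet | Out-Null
$current = Get-Content $exportInf

$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($right in $rights) {
    $line    = $current | Where-Object { $_ -match "^$right\s*=" }
    $holders = if ($line) { (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } } else { @() }
    if ($holders -notcontains "*$sid") { $holders += "*$sid" }   # secedit wants SIDs prefixed with *
    $lines += "$right = " + ($holders -join ',')
}
$lines | Set-Content -Path $applyInf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'rights-apply.sdb') /cfg $applyInf /areas USER_RIGHTS /quiet | Out-Null
Remove-Item $exportInf, $applyInf -ErrorAction SilentlyContinue

# --- Security Options: "Audit: Force audit policy subcategory settings (Windows Vista or
# later) to override audit policy category settings" = Enabled. This option is stored as the
# SCENoApplyLegacyAuditPolicy value under the Lsa key.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# --- Advanced Audit Policy Configuration\Object Access: Audit Application Generated = Success ---
if ($OutputToSecurityLog) {
    auditpol /set /subcategory:"Application Generated" /success:enable | Out-Null
}

# --- Read back what is now in effect ---
auditpol /get /subcategory:"Application Generated"
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SCENoApplyLegacyAuditPolicy'
secedit /export /cfg $exportInf /areas USER_RIGHTS /quiet | Out-Null
Get-Content $exportInf | Where-Object { $_ -match '^(SeServiceLogonRight|SeAuditPrivilege)\s*=' }
Remove-Item $exportInf -ErrorAction SilentlyContinue
```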


Appendix B: LOGbinder Event List

LOGbinder for SQL Server Events

https://www.logbinder.com/products/logbindersql/resources/eventlist.aspx

Diagnostic Events

551 – LOGbinder agent successful
552 – LOGbinder warning
553 – LOGbinder settings changed
554 – LOGbinder agent produced unexpected results
555 – LOGbinder error
556 – LOGbinder insufficient authority
557 – License for LOGbinder invalid

Appendix C: Diagnostic Events

551 – LOGbinder agent successful

Occurs when LOGbinder for SQL Server successfully translates log entries. These events usually appear in pairs: one indicates that log entries have been 'exported' from their source (for example, SQL Server), and the other that entries have been 'imported' to their destination (for example, the Windows event log). This event is informational in nature.

This event is written to the Windows Application log.

Example A

LOGbinder agent successful
LOGbinder SQL exported 3 entries from SQL logs from c:\sqlaudit\

Example B

LOGbinder agent successful
LOGbinder SQL imported 3 entries to Security event log

Example C

LOGbinder agent successful
LOGbinder SQL imported 3 entries to LOGbinder SQL event log

552 – LOGbinder warning

Occurs when LOGbinder for SQL Server does not find information as expected. In most cases, it does not indicate a serious problem, but is provided so as to complete the audit trail. This event is written to the Windows Application log.

For example, as LOGbinder for SQL Server translates entries, it performs various lookups to provide complete information. If the related item was deleted, a "LOGbinder warning" is generated.

Example A

LOGbinder warning

Lookup failed. Could not find Scope Item with ID of 89de71fe-1442-48ff-9a6e-052bddda3440.

Example B

LOGbinder warning

Lookup failed. Could not find User with ID of 19.

553 – LOGbinder settings changed

Occurs when the LOGbinder settings are changed. This event is written to Windows Application log. For LOGbinder for SQL Server, this includes changes to the Audit File Location.

Example A

LOGbinder settings changed
Output to Security log enabled. Noise events included.

Example B

LOGbinder settings changed
Settings for c:\sqlaudit\ adjusted: Last export value is c:\sqlaudit\Audit-LocalFile_3B48C4ED-9DA8-462E-BFD9-4935A28148B8_0_129590759441100000.sqlaudit; offset 0

Example C

LOGbinder settings changed
Settings for C:\SQLAudit2 adjusted: folder changed from C:\SQLAudit2 to C:\SQLAudit

554 – LOGbinder agent produced unexpected results

Occurs when LOGbinder for SQL Server encounters something unexpected when translating a log entry. At times it may be from a custom log entry.

This event is written to Windows Application log.

You can help us improve LOGbinder by reporting these events to the LOGbinder support team so that the LOGbinder product may be improved. Private data will not be shared.

Example A

In this example, the developer created an audit entry with the type "MakeItSo."

LOGbinder agent produced unexpected results
As the LOGbinder agent translated this entry, it encountered data it could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.

<LogEntry siteName="http://shpnt" itemType="Site" userName="Robert Solomon" locationType="Url" occurred="2009-06-26T14:13:02" eventType="MakeItSo">
  <RawData siteId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemType="Site" userId="1" locationType="Url" occurred="633816223820000000" event="Custom" eventName="MakeItSo" eventSource="ObjectModel">
    <EventData><Version><Major>1</Major><Minor>2</Minor></Version></EventData>
  </RawData>
  <Details />
</LogEntry>

Example B

In this example, the developer used an existing event type, "Workflow," but included non-standard event data.


LOGbinder agent produced unexpected results
As the LOGbinder agent translated this entry, it encountered data it could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.

<LogEntry siteName="http://shpnt" itemType="List Item" userName="Robert Solomon" locationType="Url" occurred="2009-06-29T21:49:11" eventType="Workflow">
  <RawData siteId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemId="c04f5388-bf24-4007-b463-1dd1b3c19a02" itemType="ListItem" userId="1" documentLocation="Cache Profiles/1_.000" locationType="Url" occurred="633819089510000000" event="Workflow" eventSource="ObjectModel">
    <EventData>http://shpnt/docLib/CopiedFile.ext</EventData>
  </RawData>
  <Details />
</LogEntry>

555 – LOGbinder error

Occurs when LOGbinder encounters a problem that needs attention. This event is written to Windows Application log. In most cases this gives enough information for you to address the problem successfully. Otherwise, please contact LOGbinder support for assistance.

Example A

In this example, the error indicates that LOGbinder for SQL Server has not been configured properly: no SQL Audit Location has been set for LOGbinder to monitor, so the service refuses to start.

LOGbinder error

Cannot start LOGbinder SQL service, SQL Audit Locations not configured.
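The quickest way to see whether a 555 (or any other diagnostic event) has been written is to query the Application log directly rather than scrolling Event Viewer. The following PowerShell is an added example and is not part of LOGbinder or this guide. It assumes the events land in the local Application log with the IDs listed in Appendix B; the guide does not name the event provider (source), so the filter is on event ID only and the provider is shown in the output so you can confirm the hits are LOGbinder's.

```powershell
# Added example, not from the LOGbinder documentation. Lists the LOGbinder
# diagnostic events (551-557) written to the Application log and shows the
# newest occurrence of each ID. Assumption: the guide does not give the
# provider (source) name, so we filter on event ID only and report the
# provider with each hit.
function Get-LOGbinderDiagnosticEvent {
    param(
        [int[]]    $Id           = 551..557,
        [datetime] $Since        = (Get-Date).AddDays(-7),
        [int]      $MaxEvents    = 500,
        [string]   $ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Application'; Id = $Id; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "nothing matched" as an error; treat it as an empty result
        if ($_.Exception.Message -like 'No events were found*') { return }
        throw
    }
    $events | Group-Object Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Id       = [int]$_.Name
            Count    = $_.Count
            Latest   = $latest.TimeCreated
            Provider = $latest.ProviderName
            # the first line of the message is the event title used in this appendix
            Title    = ($latest.Message -split "`r?`n")[0]
            Message  = $latest.Message
        }
    } | Sort-Object Id
}

# One row per event ID; 555, 556 and 557 mean the service is not running normally
$summary = Get-LOGbinderDiagnosticEvent
$summary | Select-Object Id, Count, Latest, Provider, Title | Format-Table -AutoSize

# Full text of the newest error-class events: the Details/Action lines are what to act on
$summary | Where-Object Id -ge 555 | ForEach-Object { "`n--- Event $($_.Id) ---`n$($_.Message)" }
```

Run it on the LOGbinder server (or pass -ComputerName for a remote server you have event log read rights on). A 555 with the "SQL Audit Locations not configured" text, for example, is fixed in the control panel under Configure Input, not in the log.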

556 – LOGbinder insufficient authority

Occurs when the LOGbinder for SQL Server (LOGbinder SQL) service cannot run because of invalid or inadequate permissions. The event names the module lacking the permission and the name or description of the permission, and gives relevant details. Each example below also includes the action needed to correct it.

Example A: No permission to write to security log

LOGbinder insufficient authority

The LOGbinder agent cannot operate normally because it lacks sufficient authority.

Source: Security Log

Privilege: SeAuditPrivilege

Details: The LOGbinder agent does not have the permissions to configure the security log

Action: Assign the service account the "Generate security audits" user right (https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Generate-security-audits), or do not enable LOGbinder output to the Windows Security log.

Example B: Attempt to write to security log from invalid location

One measure that protects the Security log is that security events may be written only from registered locations. When LOGbinder is configured, it registers its program location with the Security log. If this error occurs, LOGbinder has most likely been reinstalled to a different location and the registration for the previous location was not removed properly.


LOGbinder insufficient authority

The LOGbinder agent cannot operate normally because it lacks sufficient authority.

Source: Security Log

Privilege: Invalid Location

Details: Cannot write to the Security log because the program location does not match what was previously configured

Action: Delete the registry key manually. First ensure that LOGbinder is not open. Then delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LOGbndSC. Be careful not to delete other parts of the registry, as doing so can make the server unstable. When you reopen LOGbinder, it will re-register its ability to write to the Security log.

Example C: Internal error

LOGbinder insufficient authority

The LOGbinder agent cannot operate normally because it lacks sufficient authority.

Source: Security Log

Privilege: Internal Error

Details: The security account database contains an internal inconsistency

Action: One known cause of this internal error is a LOGbinder program path that is too long. By default, LOGbinder is installed to C:\Program Files\LOGbndSQ, and it is recommended that the default be used. If the software has been installed to a different location with a longer program path, correcting this error requires reinstalling LOGbinder.

Example D: Log on as service

LOGbinder insufficient authority

The LOGbinder agent cannot operate normally because it lacks sufficient authority.

Source: LOGbinder service

Privilege: Log on as service

Details: Account running LOGbinder agent does not have user right "Logon as a service"

Action: The service account needs to be assigned the "Log on as a service" user right (https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Log-on-as-a-service).

Example E: Cannot start LOGbinder control panel

LOGbinder insufficient authority

The LOGbinder agent cannot operate normally because it lacks sufficient authority.

Source: LOGbinder Manager

Privilege: File Permissions

Details: Account running LOGbinder Control Panel needs to be a member of the local Administrators group

Action: Ensure that the user account used to run the LOGbinder for SQL Server control panel has local administrator access.
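The five conditions above can all be checked before (or after) a 556 appears. The following PowerShell is an added example and is not LOGbinder's own tooling; run it from an elevated prompt on the LOGbinder server. Two things it relies on are not stated in this guide and are assumptions: the name of the Windows service (the 'LOGbndSQ' default is a placeholder, so pass the real name from services.msc with -ServiceName) and that the LOGbndSC event-source key carries the usual EventMessageFile value pointing at the installed binaries. Rights granted to the service account through group membership are not detected by the secedit export, so an unexpected FIX on Examples A or D should be confirmed in Local Security Policy.

```powershell
# Added example, not part of LOGbinder or its documentation. Checks the five
# conditions behind event 556 (Examples A-E) and reports OK/FIX per check with
# the remediation given in the guide. Assumptions: service name (placeholder
# default) and the EventMessageFile value under the LOGbndSC source key.
function Test-LOGbinderAuthority {
    param(
        [string] $ServiceName       = 'LOGbndSQ',   # assumption: pass the real service name
        [string] $DefaultInstallDir = 'C:\Program Files\LOGbndSQ',
        [string] $SourceKey         = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security\LOGbndSC'
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string] $Check, [bool] $Ok, [string] $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'FIX' }); Detail = $Detail })
    }

    # Service account and install folder come from the service registration
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found; pass the LOGbinder SQL service name with -ServiceName." }
    $exe        = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $installDir = (Split-Path $exe -Parent).TrimEnd('\')
    $account    = $svc.StartName
    $wellKnown  = @{ 'LocalSystem' = 'S-1-5-18'; 'NT AUTHORITY\LocalService' = 'S-1-5-19'; 'NT AUTHORITY\NetworkService' = 'S-1-5-20' }
    $sid = if ($wellKnown.ContainsKey($account)) { $wellKnown[$account] } else {
        $name = $account -replace '^\.\\', "$env:COMPUTERNAME\"
        ([System.Security.Principal.NTAccount] $name).Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    # Examples A and D: user rights. secedit exports [Privilege Rights] lines such as
    # "SeAuditPrivilege = *S-1-5-19,*S-1-5-20" (SIDs prefixed with '*', sometimes names)
    $cfg = Join-Path $env:TEMP 'logbinder-userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $wanted = [ordered]@{ SeAuditPrivilege    = 'Generate security audits (Example A)'
                          SeServiceLogonRight = 'Log on as a service (Example D)' }
    foreach ($r in $wanted.GetEnumerator()) {
        $holders = $rights[$r.Key]
        $ok = ($holders -contains $sid) -or ($holders -contains $account)
        Add-Result $r.Value $ok "$account ($sid) $(if ($ok) { 'holds' } else { 'lacks' }) $($r.Key); group-granted rights are not detected"
    }

    # Example B: the registered Security log source must match where the service runs from
    if (Test-Path $SourceKey) {
        $msgFile = (Get-ItemProperty -Path $SourceKey).EventMessageFile   # assumed value name
        $regDir  = if ($msgFile) { (Split-Path ([Environment]::ExpandEnvironmentVariables(($msgFile -split ';')[0])) -Parent).TrimEnd('\') }
        $ok = (-not $regDir) -or ($regDir -ieq $installDir)
        $detail = "registered: $regDir; service runs from: $installDir"
        if (-not $ok) { $detail += ". Close LOGbinder, run Remove-Item -Path '$SourceKey' -Recurse, then reopen LOGbinder" }
        Add-Result 'Security log source location (Example B)' $ok $detail
    } else {
        Add-Result 'Security log source location (Example B)' $true "$SourceKey not present; LOGbinder registers it when Security log output is configured"
    }

    # Example C: a program path longer than the default has been seen to cause the internal error
    $ok = $installDir.Length -le $DefaultInstallDir.Length
    Add-Result 'Install path length (Example C)' $ok "$installDir is $($installDir.Length) chars; default $DefaultInstallDir is $($DefaultInstallDir.Length)"

    # Example E: the control panel needs a local administrator; an elevated token is what counts
    $id      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object System.Security.Principal.WindowsPrincipal($id)).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Result 'Control Panel user is local Administrator (Example E)' $isAdmin "$($id.Name); elevated administrator: $isAdmin"

    return $results
}

Test-LOGbinderAuthority | Format-Table -AutoSize -Wrap
```

The script only reports; the one destructive step from Example B (removing the stale LOGbndSC key) is printed as the command to run after LOGbinder is closed, so that nothing else under Eventlog\Security is touched by accident.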


557 – License for LOGbinder invalid

Occurs when the license for LOGbinder is not valid and an attempt is made to start the service. This event is written to the Windows Application log.

If the license is not valid, the LOGbinder for SQL Server control panel continues to operate as normal; however, the LOGbinder service will not start. Follow the instructions in the control panel, under the menu File\License, to obtain a license for the software.

Example

License for LOGbinder invalid

Details: License is invalid. Open LOGbinder SQL Control Panel to remedy.
