www.logbinder.com
Getting Started Guide
Document version 3
Contents
Installing LOGbinder for SharePoint
Step 1 – Select Server and Check Software Requirements
Select Server
Software Requirements
Step 2 – Check User Accounts and Authority
If outputting to Windows Security log
Step 3 – Run the Installer
Transferring settings to a new server
Configuring LOGbinder for SharePoint
Configure Input
Configure Output
Configure Service
Configure Options
Status Bar
License
Monitoring LOGbinder for SharePoint
During Installation and Configuration
While LOGbinder for SharePoint is Running
Reports
Appendix A: Assigning Permissions
SharePoint Farm Administrator
Site Collection Administrator
WSS_ADMIN_WPG group
Local Security Policy Changes
Log On as a Service
Generate Security Audits (SeAuditPrivilege)
Audit Policy
Appendix B: LOGbinder Event List
LOGbinder for SharePoint Events
Diagnostic Events
Appendix C: Diagnostic Events
550 – LOGbinder process report
551 – LOGbinder agent successful
552 – LOGbinder warning
553 – LOGbinder settings changed
554 – LOGbinder agent produced unexpected results
555 – LOGbinder error
556 – LOGbinder insufficient authority
557 – License for LOGbinder invalid
558 – LOGbinder processing warning
Installing LOGbinder for SharePoint
LOGbinder for SharePoint runs as a Windows service on a SharePoint server. It translates audit log entries in SharePoint, and outputs them to the LOGbinder SP event log, the Windows Security Log, Syslog, Syslog in CEF, or Syslog in LEEF.
For more information, please visit our web site https://www.logbinder.com/Products/LOGbinderSP/#tabs-Resources. There you will find a rich set of resources to guide you in setting audit policy, setting up audit log reporting and archiving, and so forth.
To open a case with our support staff, please email [email protected].
Installing LOGbinder for SharePoint involves 3 simple steps:*
Step 1 – Select Server and Check Software Requirements
Step 2 – Check User Accounts and Authority
Step 3 – Run the Installer
Subsequent sections cover:
Configuring LOGbinder for SharePoint
Monitoring LOGbinder for SharePoint
Step 1 – Select Server and Check Software Requirements
Select Server
If SharePoint is installed in a server farm environment, LOGbinder for SharePoint should be installed on a single application server, web front-end server, or central administration server. Do not install LOGbinder for SharePoint on dedicated SharePoint database servers, because the necessary SharePoint components are not present there.
Software Requirements
Microsoft Windows Server 2003 or later
Microsoft .NET Framework
o For SharePoint 2007 and 2010, Microsoft .NET Framework 3.5 SP1 or 4.0
o For SharePoint 2013, Microsoft .NET Framework 4.0 or later
Microsoft SharePoint (one of the following):
o Windows SharePoint Services 3.0
o Microsoft Office SharePoint Server 2007
o Microsoft SharePoint Foundation 2010
o Microsoft SharePoint Server 2010
o Microsoft SharePoint Server 2013
* If LOGbinder has been used on another server in the same environment where it is now installed, refer
Step 2 – Check User Accounts and Authority
Two user accounts are involved with LOGbinder for SharePoint.

Account: Your account
Description: The account you are logged on as when you install and configure LOGbinder for SharePoint.
Authority required:
Member of the local Administrators group
SharePoint farm administrator
o Windows UAC sometimes interferes with this setting. It is recommended that you use the “Run as Administrator” option when running LOGbinder. You may also need to modify permissions to the C:\ProgramData folder for your account as well as for the service account, as described in the fourth bullet point below.

Account: Service account
Description: The account that the LOGbinder for SharePoint (LOGbinder SP) service will run as. This domain account must be created before installing LOGbinder for SharePoint. This account does not need to be a local or domain administrator; the LOGbinder for SharePoint (LOGbinder SP) service can run in a least-privilege environment. See Appendix A: Assigning Permissions for details on granting these permissions.
Authority required:
SharePoint farm administrator
Site collection administrator on each SharePoint site collection being monitored
Privilege “Log on as a service”
Permission to create, read, and modify files in {Common Application Data}\LOGbinder SP (i.e. C:\Documents and Settings\All Users\Application Data\LOGbinder SP or C:\ProgramData\LOGbinder SP)
o Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.
o This LOGbinder SP folder will be created after LOGbinder is installed and the LOGbinder control panel is first started.
Member of the WSS_ADMIN_WPG group (required for SharePoint 2013 installation only)
If outputting to Windows Security log
Privilege "Generate Security Audits" (SeAuditPrivilege)
Setting audit policy:
o Windows 2003: Enable “Audit object access”
o Windows 2008 or later:
  Enable the “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” security option
  Enable the “Audit Application Generated” audit subcategory
Note: LOGbinder for SharePoint uses the standard SharePoint API to access audit information. (See blog LOGbinder SP use of SQL Privileges.) However, on some rare occasions SharePoint requires more authority than is normally necessary. In these unusual cases, the user account as well as the service account needs additional privileges to the SharePoint databases. For further details on why, what, and how, see blog Workaround if LOGbinder SP is having SQL database issues.
Step 3 – Run the Installer
Run the appropriate installer from the installation package:
for SharePoint 2007, use the …32bit or the …64bit installer, depending on your system;
for SharePoint 2010, use the …64bit installer;
for SharePoint 2013, use the …2013 installer.
On the page "Specify User Account," enter the user account name, including both domain name and user name (i.e. domain\username) of the service account (the user account that will run the LOGbinder for SharePoint (LOGbinder SP) service). The rights outlined above must be granted to the account before running the installer, or else LOGbinder for SharePoint will not install properly.
On the page "Select Installation Folder," it is recommended that you use the default setting, “C:\Program Files\LOGbndSP”.
If a dialog box "Set Service Login" appears, then the user account information entered previously was not valid. Confirm the account name and password, and re-enter the information.
Transferring settings to a new server
If LOGbinder was running in your environment before, but it now has to be installed on a different server, the following steps can be followed to transfer the settings to the new server. This not only saves setup time and reduces setup problems, but also ensures that audit log collection continues where LOGbinder left off, so as to preserve a complete audit trail:
1. Make sure that on both the source (where LOGbinder was run before) and target (the new LOGbinder server) servers, the LOGbinder service is not running and the LOGbinder control panel is not open.
2. Go to the {Common Application Data}\LOGbinder SP folder on the source server, i.e. C:\Documents and Settings\All Users\Application Data\LOGbinder SP or C:\ProgramData\LOGbinder SP.
o Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.
3. Copy all *.stg and *.xml files to the same folder on the target server.
Configuring LOGbinder for SharePoint
Open the "LOGbinder SP" link in the Windows start menu, which appears by default in the “LOGbinder” folder.
To use LOGbinder for SharePoint, adjust the settings in the three views: Input, Output, and Service. Settings can be changed while the service is running, but changes will be applied only when the service is restarted. If the LOGbinder for SharePoint control panel is closed before restarting the service, the changes will be discarded. On the other hand, if the service is already stopped, the changes are saved automatically.
Configure Input
LOGbinder for SharePoint examines the local SharePoint server farm; the site collections that exist on the farm are shown in the view. Only the sites with a check mark in the Monitored column will be processed by LOGbinder.
What do I do if the site collection list is empty?
If the site collection list is empty (that is, apart from the <Default Audit Policy> entry), you are not properly connected to a SharePoint farm. It may be that (1) LOGbinder for SharePoint is not installed on a valid SharePoint server, (2) your account is not a SharePoint Farm Administrator, or (3) your account needs to run with elevated privileges (i.e. run as administrator) in order to access the farm.
The first item listed is <Default Audit Policy>. LOGbinder for SharePoint allows you to set a default audit policy, which can then be applied to site collections you specify. If you later change the default audit policy, the site collections to which you have applied it will automatically have their policy changed. To adjust the default audit policy, select that item in the list, and use the menu Action\Properties (or double-click on it). Select one or more event types to be monitored. If you wish to apply the default policy to newly created site collections, check the box “Apply default audit policy to new site collections.”
Figure 1: A typical Input list
To adjust the properties of a site collection, use the menu Action\Properties or double-click on it. To adjust the audit policy of multiple site collections at once, use the Shift and/or Ctrl buttons while selecting.
Figure 2: Input properties window
For site collections you wish to monitor, you have three ways to specify the audit policy:
“Allow Site Collection Administrator to configure audit policy using SharePoint’s administration page”: This allows you to set the audit policy in SharePoint. To see what the current audit policy is for the site collection, click the “View” link, and a list of the current policy will be shown. (See Appendix D: Configuring auditing on a SharePoint list or document library)
“Use LOGbinder’s default audit policy”: To view the default audit policy, you may click the “View” link. If this option is disabled, it means that you have not yet set the default audit policy.
“Custom audit policy”: If this option is selected, then select one or more event types to be audited in the box. At least one audit type must be selected in order for the site collection to be processed by LOGbinder.
The "Last Processed" box shows the date and time audit events were last retrieved from SharePoint. After installing LOGbinder the first time, it starts processing audit logs from the time of the installation onward.* If some of the backlog events are also to be processed, the start date can be set here. It is recommended that once LOGbinder is in operation, this date not be changed manually, as it could result in skipping some audit events in SharePoint, or double-handling, resulting in events appearing twice in the event log. If the date needs to be adjusted, check the box next to the date, and then the date can be adjusted.
This window also has a link to SharePoint Farm Properties, which displays basic information about the SharePoint farm.
* If this is not the first installation of LOGbinder on the same server, it will continue audit log processing from the date and time it finished its last run with the previous installation. If LOGbinder was installed on another server in the same environment before, you might want to refer to the section above about
Configure Output
LOGbinder supports multiple output formats. LOGbinder for SharePoint allows output to go to:
LOGbinder SP Event Log: a custom event log under Applications and Services Logs.
Security Log: the Windows Security log. (Please remember to set the additional privileges as described in section Step 2 – Check User Accounts and Authority when using this feature.)
Syslog-CEF: a Syslog server using ArcSight’s Common Event Format.
Syslog-LEEF: a Syslog server using IBM Security QRadar’s Log Event Extended Format.
Syslog-Generic: a Syslog server using the generic Syslog format.
Syslog-CEF (File): a Syslog file using ArcSight’s Common Event Format.
Syslog-LEEF (File): a Syslog file using IBM Security QRadar’s Log Event Extended Format.
Syslog-Generic (File): a Syslog file using the generic Syslog format.
At least one of these must be enabled in order for the LOGbinder service to start.
Figure 3: Output properties window
To enable an output and adjust the settings, select it and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."
Select the "Include noise events" option if you want to include these in the event log. A “noise event” is a log entry generated from the input (SharePoint) that contains only misleading information. This option is included in case it is essential to preserve a complete audit trail; by default this option is not selected.
For some output formats, LOGbinder for SharePoint can preserve the original data extracted from SharePoint, along with details as to how the entry was translated by LOGbinder. Check the option “Include XML data” in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.
For the output format "LOGbinder SP Event Log," the entries are placed in a custom log named “LOGbinder SP.” When the log is created by LOGbinder, by default the maximum log size is set to 16MB, and it will overwrite events as needed. If changing these settings, balance the log size settings with the needs of your log management software as well as the setting for “Include XML Data.” In this way you will ensure that your audit trail is complete. For file based outputs, such as Syslog (File), the output file is stored in the folder specified by the “Alternate Output Data Folder” option under File\Options. (See section below on Configure Options.)
Configure Service
To start, stop, and restart the LOGbinder for SharePoint (LOGbinder SP) service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar.
Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder will confirm that (a) at least one site collection has been selected for monitoring and (b) at least one output (i.e. LOGbinder SP Event Log, Windows Security Log) has been selected.
While attempting to start the LOGbinder for SharePoint (LOGbinder SP) service, a problem may be encountered, perhaps that the service account does not have sufficient authority. The details of the problem are written to the Application Event Log. These events can also be viewed inside of the LOGbinder control panel, by selecting the “LOGbinder Diagnostic Events” view.
See the section “Monitoring LOGbinder for SharePoint” for more information on how to handle issues that may arise when starting the LOGbinder for SharePoint (LOGbinder SP) service.
Configure Options
Use buttons on the panel, or the menu File\Options, to change LOGbinder's options.
LOGbinder for SharePoint lets you control how many lookups it performs to obtain additional information while translating raw audit events into easy-to-understand audit entries. Examples include resolving a user ID to a user name, or an object GUID to the actual name of the object. The available levels of lookups are as follows:
Exclude none: All lookups will be done. This may result in slower processing for larger farms.
Exclude highest-cost lookups: All lookups will be done except lookups that use the highest amount of resources. It can affect all events: details for any main item that is an item in a list will not be looked up. Details such as ‘Title’ and ‘Description’ will not have values.
Exclude high-cost lookups: Do not do lookups that use a high amount of resources. (Recommended setting for large farms.) It can affect all events: details for any main item will not be looked up. Details such as ‘Title’ and ‘Description’ will not have values.
Exclude high/medium-cost lookups: Do not do lookups that use a high or medium amount of resources. It will affect events 16, 29, 31, 32, where details of related items will not be looked up. The event will be included in the audit trail, but much of the detail will be missing for these events.
Restrict all: Do not do any lookups. Only IDs that can be resolved without querying SharePoint will be resolved. (Not recommended.) It will affect all events, where user, group, and role IDs are not resolved.
Figure 4: Message indicating outputs not configured
The levels are inclusive, that is, if you choose ‘high’, it includes ‘highest’. If you choose ‘medium’ it includes ‘highest’, and ‘high’.
Please note that when lowering the lookup level, some details in certain events will be omitted. Therefore, we recommend that depending on the acceptable performance, the highest possible level is selected. Recommendations:
If site collections are not being processed in a timely manner, choosing ‘highest’ or ‘high’ is a good option. The details that are excluded do not significantly affect the integrity of the audit trail.
If site collections are still not being processed in a timely way, and there are a significant number of the events that are listed above, then dropping to ‘medium’ is suggested.
For very large sites, and where close to real-time processing is needed, choose ‘restrict all’. The events will appear closer to the “raw” format they appear in SharePoint.
If the box “Purge entries from SharePoint after processing” is checked, then audit entries will be purged automatically from SharePoint on a daily basis at 1:00 AM. A buffer is maintained, in that only entries older than 24 hours are purged. (For example, when entries are purged on 11/16/2009 1:00 AM, it purges entries older than 11/15/2009 1:00 AM.) If this option is checked, then SharePoint’s audit log trimming feature will be disabled automatically.
The “Service Account” lists the user account that runs the LOGbinder for SharePoint (LOGbinder SP) service. This is the account you specified when installing LOGbinder for SharePoint. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).
If the box “Do not write informational messages to the Application log” is checked, then event “551 – LOGbinder agent successful” (see Appendix C: Diagnostic Events) will not be written to the Application log.
The “Logging” options can be utilized for diagnostic purposes if experiencing problems with LOGbinder. By default, the “Logging Level” is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1 generates a standard level of detail of logging. Level 2 will generate more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support; otherwise performance will be adversely affected. Both Level 1 and Level 2 logging options will generate log files named Control Panel.log, Service.log, Service Controller.log and Service Processor.log in the Log location folder.
Figure 6: License window
“Alternate Output Data Folder” specifies the data folder used for the output data. This is the folder where LOGbinder stores output that is written to files, such as the Syslog-Generic (File) output, as well as the above-mentioned diagnostic files. The folder path can be set using a drive letter or a UNC path, if it is a network location. The default folder is {Common Application Data}\LOGbinder SP (i.e. C:\ProgramData\LOGbinder SP). Please note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder as specified above in section Step 2 – Check User Accounts and Authority.
Status Bar
The status bar will show information about the operation of LOGbinder.
Service status: Displays the status of the service. The image shown indicates the service is stopped. The service may also be running, or in an 'unknown' state.
License status: Shows the status of the license for LOGbinder. If LOGbinder is not fully licensed, a message will appear in the status bar.
Settings changed: Indicates that settings have been changed. In order to apply the changes, the LOGbinder for SharePoint (LOGbinder SP) service must be restarted. If the LOGbinder for SharePoint (LOGbinder SP) service is running and the LOGbinder for SharePoint control panel is closed, the changes will be discarded.
License
Use the menu File\License to view information about your license for LOGbinder. If you have purchased LOGbinder for SharePoint and need to obtain a license, follow these steps:
For Unit/Server Count, enter the number of SharePoint servers in the farm that need to be licensed. (The minimum number of servers requiring licensing will be filled out automatically by LOGbinder. See box below for further details.)
Press the Copy button, and paste the contents into an email addressed to [email protected]. When the license key is received, copy it to the clipboard and press the Paste button. If you are properly licensed, the license window will redisplay and show that you are properly licensed. If there is a problem, respond immediately to
Figure 7: SharePoint Farm Properties window
When purchasing LOGbinder for SharePoint, confirm that you obtain a license sufficient for the SharePoint farm. The window “SharePoint Farm Properties” lists the information you need. You can find a link to this window in Options, or in any of the Input windows.
Particularly, you will need (a) the edition of SharePoint on your server farm, and (b) the number of servers requiring a LOGbinder license.
The license key you receive is valid for any server in your SharePoint farm. Thus, if you need to install LOGbinder for SharePoint on a different server in the same farm, you do not need to request a new license key.
Monitoring LOGbinder for SharePoint
When installing, configuring, and running LOGbinder for SharePoint, the software writes diagnostic events to the Windows Application Event Log. Most of these will be from the source "LOGbndSE" and the category "LOGbinder." You may use the Windows Event Viewer to examine these events. The LOGbinder control panel also includes a set of views that list these events: choose “LOGbinder Diagnostic Events,” or drill down to one of the nested views.
Figure 8: LOGbinder Diagnostic Events view
During Installation and Configuration
During installation and configuration, you will find these entries:
After installation, there may be an entry from the source MsiInstaller: "Product: LOGbinder SP -- Installation completed successfully."
When the configuration of LOGbinder for SharePoint changes, you will see one or more entries entitled "LOGbinder settings changed." See Appendix C: Diagnostic Events: “553 – LOGbinder settings changed” for information about these events.
When the service starts, there may be an entry from the source LOGbinder SP: "Service started successfully." (Entries are also written when the service is stopped.)
You can monitor these events to ensure that LOGbinder for SharePoint continues to be configured properly, and that unauthorized changes do not occur.
After configuring LOGbinder for SharePoint and starting the service, it automatically performs a check to ensure that LOGbinder's settings are valid and that the account running the Windows service has sufficient authority. If there is a problem, the LOGbinder for SharePoint (LOGbinder SP) service will not start and a message will be presented to the user. In most cases, the details of the problem are written to the Application log. Common problems include:
Input/output not configured properly. See the previous section “Configuring LOGbinder for SharePoint” for more information.
Insufficient authority. If the service account does not have adequate authority, then the service will not run. An entry is written to the Application log. See Appendix C: Diagnostic Events “556 – LOGbinder insufficient authority” for more details. Some of the common missing permissions include:
o Account does not have authority to log on as a Windows service.
o Account does not have necessary permissions in SharePoint.
o The account does not have authority to write to the Security event log. (If this output destination has not been selected, then it is not necessary to grant this permission.)
License invalid. If the license is not valid or has expired, then the LOGbinder for SharePoint (LOGbinder SP) service will not run. An entry may be written to the Application log. See Appendix C: Diagnostic Events: “557 – License for LOGbinder invalid” for details.
Other errors will be found in entries entitled "LOGbinder error." See Appendix C: Diagnostic Events: “555 – LOGbinder error” for more information.
If any of these errors are encountered, the LOGbinder for SharePoint (LOGbinder SP) service will not run.
While LOGbinder for SharePoint is Running
While LOGbinder for SharePoint is running, you will see information entries in the Application log as follows:
Entries 'exported' from SharePoint. For each site collection being monitored, this message indicates the number of audit entries that LOGbinder for SharePoint has processed.
Entries 'imported' into the Windows event log. This indicates that the audit entries have been placed in the enabled output formats. There will be one message event if multiple output formats have been selected (i.e. you have selected both Windows Security Log and Windows Event Log as output formats). The 'export'/'import' entries are complementary: there should be a corresponding 'import' entry for each 'export.'
If the Default Audit Policy is used for newly created site collections, a number of “553 – LOGbinder settings changed” events (see Appendix C: Diagnostic Events) will be generated when configuring a new site collection.
These log entries are informational in nature. Generally no action is required. If more entries are being processed than what appear in the event logs or in your log management solution, it could be that the log size is too small and entries are being overwritten. See Appendix C: Diagnostic Events “551 – LOGbinder agent successful” for more information on these events.
There may also be some warning event entries:
Could not find information. As LOGbinder for SharePoint translates audit entries in SharePoint, and it cannot find information, this event will be generated. See Appendix C: Diagnostic Events “552 – LOGbinder warning” for more information. (Note: When LOGbinder for SharePoint is first installed, or if a site collection is being monitored for the first time, there is a greater likelihood of these messages. Once LOGbinder for SharePoint translates the backlog of SharePoint audit entries, the number of these warnings should decrease.)
LOGbinder agent produced unexpected results. When LOGbinder for SharePoint cannot translate an event properly, in addition to outputting the event to the selected output streams, it also creates an entry in the Application log. See Appendix C: Diagnostic Events “554 – LOGbinder agent produced unexpected results” for further details.
If LOGbinder for SharePoint has an error, an entry will be created in the Application log. If permissions are removed, or if the license expires, you may receive a "556 – LOGbinder insufficient authority" or "557 – License for LOGbinder invalid" error, which are explained above. Other errors will be entitled "555 – LOGbinder error." If you cannot resolve the problem, please submit the issue to the LOGbinder support
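The monitoring described in this section can be scripted. The following is an added example, not part of the LOGbinder guide or product: it summarises the diagnostic events from the Application log over a time window, flags the ones that stop the service or signal a configuration change, and checks whether the “LOGbinder SP” output log is close to overwriting entries. It assumes the diagnostic events carry the source "LOGbndSE" as stated above; the service display name 'LOGbinder SP' is a placeholder to confirm with Get-Service.

```powershell
# Added example (not LOGbinder's own code): review LOGbinder SP diagnostic
# events and output-log health. Run in Windows PowerShell on (or against)
# the SharePoint server that hosts LOGbinder.
param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)

# Event ID -> meaning, taken from Appendix B of the guide
$meaning = @{
    550 = 'process report';   551 = 'agent successful';  552 = 'warning'
    553 = 'settings changed'; 554 = 'agent produced unexpected results'
    555 = 'error';            556 = 'insufficient authority'
    557 = 'license invalid';  558 = 'processing warning'
}
# 555/556/557 stop the service; 553 is a configuration change to reconcile
# against your change records ("ensure that unauthorized changes do not occur").
$alertIds = 553, 555, 556, 557

$since  = (Get-Date).AddHours(-$Hours)
# Source "LOGbndSE" is the event source named in the guide for diagnostic events.
$events = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'LOGbndSE'; StartTime = $since })

function Get-DiagnosticSummary {
    # Count of each diagnostic event ID in the window
    $events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
        [pscustomobject]@{ Id = [int]$_.Name; Meaning = $meaning[[int]$_.Name]; Count = $_.Count }
    }
}

$alertProps = 'TimeCreated', 'Id',
    @{ n = 'Meaning';   e = { $meaning[$_.Id] } },
    @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } }

function Get-DiagnosticAlerts {
    # Events that need a human to look at them
    $events | Where-Object { $alertIds -contains $_.Id } | Select-Object $alertProps
}

function Get-OutputLogHealth {
    # The custom log defaults to 16 MB, overwriting as needed; if it fills faster
    # than the SIEM collects it, entries are lost (see the 551 discussion above).
    $log = Get-WinEvent -ComputerName $ComputerName -ListLog 'LOGbinder SP' -ErrorAction SilentlyContinue
    if (-not $log) { return 'LOGbinder SP log not present (output not enabled or service never started)' }
    [pscustomobject]@{
        MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        LogMode     = $log.LogMode          # Circular = overwrite events as needed
        Records     = $log.RecordCount
        PercentFull = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes)
    }
}

function Test-ProcessingStalled {
    # A 550 process report follows every full pass over the monitored site
    # collections; a running service with no 550 in the window suggests a stall.
    # Assumption: the service display name is 'LOGbinder SP' (placeholder).
    $svc = Get-Service -ComputerName $ComputerName -DisplayName 'LOGbinder SP' -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')
    $reports = @($events | Where-Object { $_.Id -eq 550 }).Count
    [pscustomobject]@{ ServiceRunning = $running; ProcessReports = $reports; Stalled = ($running -and $reports -eq 0) }
}

"=== LOGbinder diagnostic events since $since ==="
Get-DiagnosticSummary | Format-Table -AutoSize
"=== Events needing attention ==="
Get-DiagnosticAlerts | Format-Table -AutoSize
"=== Output log ==="
Get-OutputLogHealth
"=== Processing ==="
Test-ProcessingStalled
```

Run it from a scheduled task and forward the “Events needing attention” and “Stalled” results to whoever owns the audit trail; a 553 that matches no change record deserves the same follow-up as an error.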
Reports
If you do not yet have a SIEM solution, you may use Reports to view the results from LOGbinder for SharePoint. The reports are based on the recommended designs that you can download from https://www.logbinder.com.
Appendix A: Assigning Permissions
SharePoint Farm Administrator
Open SharePoint Central Administration, and select the “Security” tab
Select “Manage the farm administrators group” under “Users”
Add user or ensure that user is a member of a group in the list of administrators
Site Collection Administrator
For WSS 3.0, see http://technet.microsoft.com/en-us/library/cc288148.aspx
For SharePoint 2007, see http://technet.microsoft.com/en-us/library/cc262265.aspx
For SharePoint 2010 and 2013, see http://technet.microsoft.com/en-us/library/ff631156.aspx
WSS_ADMIN_WPG group
On SharePoint 2013, the service account has to be member of the WSS_ADMIN_WPG Windows security group.
Open the Computer Management administrative tool.
Under System Tools, expand Local Users and Groups, and select Groups.
In the properties of WSS_ADMIN_WPG, add the service account.
Local Security Policy Changes
The following chart summarizes the changes to be made in the Local Security Policy. More detailed explanations are found after the chart.
Local Security Policy (secpol.msc) settings summary

Setting | Windows Server 2003 | Windows Server 2008/2012 | Note
Security Settings\Local Policies\User Rights Assignment\Log on as a service | add service account | add service account | This always needs to be set
Security Settings\Local Policies\User Rights Assignment\Generate security audits | add service account | add service account | Set if outputting to Windows Security log
Security Settings\Local Policies\Audit Policy\Audit object access | set Success | N/A | Set if outputting to Windows Security log
Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | N/A | set Enabled | Set if outputting to Windows Security log
Security Settings\Advanced Audit Policy Configuration\Object Access\Audit Application Generated | N/A | set Success | Set if outputting to Windows Security log
Log On as a Service
Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
Select Security Settings\Local Policies\User Rights Assignment
Open "Log on as a service" and add user
NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Generate Security Audits (SeAuditPrivilege)
Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
Select Security Settings\Local Policies\User Rights Assignment
Open "Generate security audits" and add user
NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Audit Policy
Windows Server 2003
Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
Select Security Settings\Local Policies\Audit Policy
Edit "Audit object access," ensuring that "Success" is enabled. (LOGbinder for SharePoint does not require that the "Failure" option be enabled.)
NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.
Windows Server 2008/2012
Audit policy can be configured with the original top-level categories as described above for Windows 2003, but most environments have migrated to the new, more granular audit subcategories available in Windows 2008 (aka Advanced Audit Policy).
Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)
You must ensure that ‘basic’ and ‘advanced’ audit policy settings are not used at the same time. o Microsoft gives this warning: “Using both the basic audit policy settings under Local
Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.” (
http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx)
o Open and enable “Audit: Force audit policy subcategory settings (Windows Vista or
later) to override audit policy category settings”
To enable LOGbinder for SharePoint events to be sent to the security log:
o Select Security Settings\Advanced Audit Policy Configuration\Object Access
o Edit “Audit Application Generated,” ensuring that “Success” is enabled. (LOGbinder for SharePoint does not require that the “Failure” option be enabled.)
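The following script is an added example, not part of the LOGbinder guide. It checks, read-only, the three prerequisites this appendix walks through in the GUI: the "Log on as a service" right, the "Generate security audits" right, and the "Audit Application Generated" subcategory together with the "Force audit policy subcategory settings" option. It assumes a service account name (CONTOSO\svc_logbinder, a placeholder) and should be run in an elevated PowerShell session on the SharePoint server; the SCENoApplyLegacyAuditPolicy registry value is the standard storage location for that Security Options setting.

```powershell
# Added example (not from the LOGbinder guide): read-only check of the Appendix A
# prerequisites. Run elevated on the SharePoint server.
function Test-LogbinderAuditPrereqs {
    param([string]$ServiceAccount = 'CONTOSO\svc_logbinder')   # assumption: your service account

    # Resolve the account to its SID; secedit lists rights holders by SID.
    $sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

    # 1. User rights: export the effective local policy's [Privilege Rights] section.
    #    Entries are comma-separated SIDs prefixed with '*' (or bare account names).
    $cfg = Join-Path $env:TEMP 'logbinder-userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # Caveat: a right granted through group membership is listed under the group's SID,
    # so a MISSING result for a group-granted right should be confirmed by hand.
    $hasLogon = ($rights['SeServiceLogonRight'] -contains $sid) -or ($rights['SeServiceLogonRight'] -contains $ServiceAccount)
    $hasAudit = ($rights['SeAuditPrivilege']    -contains $sid) -or ($rights['SeAuditPrivilege']    -contains $ServiceAccount)

    # 2. "Force audit policy subcategory settings ... to override audit policy category settings"
    #    is stored as SCENoApplyLegacyAuditPolicy = 1 under the Lsa key.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    $forced = ($null -ne $lsa) -and ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

    # 3. Effective setting of the Object Access subcategory LOGbinder writes under.
    #    auditpol /r emits CSV; drop blank lines before parsing.
    $row = auditpol /get /subcategory:"Application Generated" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $setting = [string]$row.'Inclusion Setting'

    [pscustomobject]@{
        ServiceAccount            = $ServiceAccount
        LogOnAsService            = $hasLogon
        GenerateSecurityAudits    = $hasAudit
        SubcategoryOverrideForced = $forced
        ApplicationGeneratedAudit = $setting
        SuccessAudited            = ($setting -match 'Success')
    }
}

Test-LogbinderAuditPrereqs | Format-List
```

If the script reports a right as MISSING but the Local Security Policy dialog shows it as granted and read-only, the right is being delivered through Group Policy, as the notes above describe; check the GPO rather than the local policy.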
Appendix B: LOGbinder Event List
LOGbinder for SharePoint Events
http://www.logbinder.com/Products/LOGbinderSP/EventsGenerated
Diagnostic Events
550 – LOGbinder process report
551 – LOGbinder agent successful
552 – LOGbinder warning
553 – LOGbinder settings changed
554 – LOGbinder agent produced unexpected results
555 – LOGbinder error
556 – LOGbinder insufficient authority
557 – License for LOGbinder invalid
558 – LOGbinder processing warning
Appendix C: Diagnostic Events
550 – LOGbinder process report
Each time all the site collections have been processed, LOGbinder for SharePoint will write this event to the Application event log. It lists the number of site collections processed, the start and end time, and the time elapsed.
Example
LOGbinder process report
The LOGbinder agent has completed a round of processing.
Agent: LOGbinder SP
Processed: 24 SharePoint Site Collections
Start time: 8/13/2013 4:02:03 PM
End time: 8/13/2013 4:05:07 PM
Duration (minutes): 3
551 – LOGbinder agent successful
Occurs when LOGbinder for SharePoint successfully translates log entries. These events usually appear in pairs: one indicates that log entries have been 'exported' from their source (for example, SharePoint), and the other that entries have been 'imported' to their destination (for example, the Windows event log). This event is informational in nature.
This event is written to the Windows Application log.
Example A
LOGbinder SP exported 3 entries from SharePoint site http://MySite
Example B
LOGbinder SP imported 3 entries to Security event log
Example C
LOGbinder SP imported 3 entries to LOGbinder SP event log
552 – LOGbinder warning
Occurs when LOGbinder for SharePoint does not find information as expected. In most cases, it does not indicate a serious problem, but is provided so as to complete the audit trail. This event is written to Windows application log.
For example, as LOGbinder for SharePoint translates entries, it performs various lookups to provide complete information. If the related item was deleted, a "LOGbinder warning" is generated.
Example A
LOGbinder warning
Lookup failed. Could not find Scope Item with ID of 89de71fe-1442-48ff-9a6e-052bddda3440.
Example B
LOGbinder warning
Lookup failed. Could not find User with ID of 19.
553 – LOGbinder settings changed
Occurs when the LOGbinder settings are changed. This event is written to Windows Application log. For LOGbinder for SharePoint, this includes which SharePoint site collections are monitored, which audit event types are handled, and the date and time LOGbinder last translated log entries. In addition, the settings for output formats are included.
Example A
LOGbinder settings changed
Output to Security log enabled. Noise events included.
Example B
LOGbinder settings changed
Site collection http://spsite/administrator now being monitored. Settings: Check Out, Check In, Delete, Update, Profile Change, Child Delete, Schema Change, Security Change, Undelete, Workflow, Copy, Move, Search.
Example C
LOGbinder settings changed
Purge of entries from SharePoint Site Collections has been enabled.
554 – LOGbinder agent produced unexpected results
Occurs when LOGbinder for SharePoint encounters something unexpected when translating a log entry. At times it may be from a custom log entry.
Microsoft has not documented all the audit log entries SharePoint produces. In addition, SharePoint allows developers to write their own custom log entries.
This event is written to Windows Application log.
You can help us improve LOGbinder by reporting these events to the LOGbinder support team so that the LOGbinder product may be improved. Private data will not be shared.
Example A
In this example, the developer created an audit entry with the type "MakeItSo."
LOGbinder agent produced unexpected results
As the LOGbinder agent translated this entry, it encountered data it could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.
<LogEntry siteName="http://shpnt" itemType="Site" userName="Robert Solomon" locationType="Url" occurred="2009-06-26T14:13:02" eventType="MakeItSo"><RawData siteId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemType="Site" userId="1" locationType="Url" occurred="633816223820000000" event="Custom" eventName="MakeItSo" eventSource="ObjectModel"><EventData><Version><Major>1</Major><Minor>2</Minor></Version></EventData></RawData><Details /></LogEntry>
Example B
In this example, the developer used an existing event type, "Workflow," but included non-standard event data.
LOGbinder agent produced unexpected results
As the LOGbinder agent translated this entry, it encountered data it could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.
<LogEntry siteName="http://shpnt" itemType="List Item" userName="Robert Solomon" locationType="Url" occurred="2009-06-29T21:49:11" eventType="Workflow"><RawData siteId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemId="c04f5388-bf24-4007-b463-1dd1b3c19a02" itemType="ListItem" userId="1" documentLocation="Cache Profiles/1_.000" locationType="Url" occurred="633819089510000000" event="Workflow" eventSource="ObjectModel"><EventData>http://shpnt/docLib/CopiedFile.ext</EventData></RawData><Details /></LogEntry>
555 – LOGbinder error
Occurs when LOGbinder encounters a problem that needs attention. This event is written to Windows Application log. In most cases this gives enough information for you to address the problem successfully. Otherwise, please contact LOGbinder support for assistance.
Example A
In this example, the error indicates that LOGbinder for SharePoint has not been configured properly: in that no SharePoint site collections were set to be monitored by LOGbinder.
LOGbinder error
Cannot start LOGbinder SP service, SharePoint Site Collections not configured.
Example B
In this example, a program assembly used by LOGbinder SP does not exist, indicating that the LOGbinder software is no longer installed properly.
LOGbinder error
Exporter assembly does not exist: C:\Program Files\LOGbndSP\MTG.LOGbinder.Sharepoint.dll
556 – LOGbinder insufficient authority
Occurs when the LOGbinder for SharePoint service cannot run because of invalid or inadequate permissions. The event will include the module lacking the permission, the name or description of the permission, as well as relevant details. Each example below also includes the action needed in order to correct it.
Example A: No permission to write to security log
LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: SeAuditPrivilege
Details: The LOGbinder agent does not have the necessary rights to configure the security log
Action: The service account needs the "Generate security audits" privilege
(https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Generate-security-audits), or do not enable LOGbinder to output to the Windows Security log.
Example B: Attempt to write to security log from invalid location
One measure to protect the security log is to write security events only from authorized locations. When LOGbinder is configured, it registers its program location with the security log. If this error occurs, LOGbinder has been reinstalled to a different location and the previous location was not removed properly.
LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: Invalid Location
Details: Cannot write to because the program location does not match what has been previously configured
Action: Recommended to delete the registry key manually. First ensure that LOGbinder is not open. Then delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LOGbndSC. Be careful not to delete other parts of the registry, as it can cause the server to be unstable. When you reopen LOGbinder, it will reconfigure its ability to write to the security log.
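Before deleting the key by hand, it is worth confirming that it really points at a stale install location. The script below is an added example, not LOGbinder's own tooling: it reads the event source key named in Example B and compares the message DLL path recorded there with the current install folder. It assumes the install folder C:\Program Files\LOGbndSP (taken from the 555 example above) and that the source stores its DLL path in the standard EventMessageFile value used by Windows event log sources.

```powershell
# Added example (not from the LOGbinder guide): inspect the Security event log
# source key before removing it, so the mismatch is confirmed rather than assumed.
function Get-LogbinderSecuritySource {
    param([string]$ExpectedPath = 'C:\Program Files\LOGbndSP')   # assumption: current install folder

    # Key named in the guide's Example B (registered by LOGbinder when output to the Security log is configured).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LOGbndSC'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Key = $key; Exists = $false; MessageFile = $null; MatchesInstall = $false }
    }

    $props = Get-ItemProperty -Path $key
    # Event sources record their message DLL in EventMessageFile (assumed to hold the program location here);
    # expand any %ProgramFiles%-style variables before comparing.
    $msgFile = [Environment]::ExpandEnvironmentVariables([string]$props.EventMessageFile)
    $prefix  = $ExpectedPath.TrimEnd('\') + '\*'

    [pscustomobject]@{
        Key            = $key
        Exists         = $true
        MessageFile    = $msgFile
        MatchesInstall = ([bool]$msgFile -and ($msgFile -like $prefix))
    }
}

$source = Get-LogbinderSecuritySource
$source | Format-List

# Only this one key is removed, and only when it points somewhere other than the
# current install (the guide's warning about deleting other parts of the registry applies).
if ($source.Exists -and -not $source.MatchesInstall) {
    Remove-Item -Path $source.Key -Recurse -Confirm
}
```

The -Confirm switch keeps the deletion interactive, which matches the guide's recommendation to perform this step manually with LOGbinder closed.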
Example C: Internal error
LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: Internal Error
Details: The security account database contains an internal inconsistency
Action: One factor that can cause an internal error is if the LOGbinder program path is too long. By
used. If the software has been installed to a different location with a longer program path, to correct this error it will be necessary to reinstall LOGbinder.
Example D: Log on as service
LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: LOGbinder service
Privilege: Log on as service
Details: Account running LOGbinder agent does not have user right "Logon as a service"
Action: The service account needs to be assigned the "Logon as a service" user right.
(https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Log-on-as-a-service)
Example E: Cannot start LOGbinder control panel
LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: LOGbinder Manager
Privilege: File Permissions
Details: Account running LOGbinder Control Panel needs to be a member of the local Administrators group
Action: Ensure that the user account used to run the LOGbinder for SharePoint control panel has local administrator access.
557 – License for LOGbinder invalid
Occurs when the license for LOGbinder is not valid and an attempt is made to start the service. This event is written to the Application log.
If the license is not valid, the LOGbinder for SharePoint control panel continues to operate as normal. However, the LOGbinder service will not start if the license is invalid. Follow the instructions in the control panel, in the menu File\License, in order to obtain a license to the software.
Example
License for LOGbinder invalid
The license for LOGbinder has expired or is invalid. Details: Trial period has expired.
558 – LOGbinder processing warning
This warning message is written to the Application log if any site collection has been behind in its processing for more than 24 consecutive hours.
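Appendix C describes the diagnostic events one at a time; in operation they are easier to review as a single feed. The script below is an added example, not part of the LOGbinder product: it pulls events 550 through 558 from the Application log, classifies them by the attention each needs according to the descriptions above, and for 554 extracts the embedded `<LogEntry>` XML so the unexpected entry type can be reported. The provider name 'LOGbinder SP' is an assumption, since the guide does not state the event source; set it to the source shown in Event Viewer.

```powershell
# Added example (not from the LOGbinder guide): review the last day of LOGbinder
# diagnostic events (Appendix C) from the Windows Application log.
function Get-LogbinderDiagnostics {
    param(
        [string]$ProviderName = 'LOGbinder SP',   # assumption: event source name as shown in Event Viewer
        [int]$Hours = 24
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        Id           = 550..558
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Severity follows the guide: 555/556/557 stop the service or need fixing,
        # 552/554/558 are warnings to review, the rest are informational.
        $severity = switch ($e.Id) {
            { $_ -in 555, 556, 557 } { 'ACTION' }
            { $_ -in 552, 554, 558 } { 'REVIEW' }
            default                  { 'INFO' }
        }

        $detail = $null
        if ($e.Id -eq 554 -and $e.Message -match '(?s)(<LogEntry.*?</LogEntry>)') {
            # 554 embeds the raw SharePoint audit entry; pull the fields worth reporting to support.
            $x = [xml]$matches[1]
            $detail = '{0} on {1} ({2}) by {3}' -f $x.LogEntry.eventType, $x.LogEntry.siteName,
                                                  $x.LogEntry.itemType, $x.LogEntry.userName
        }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Severity = $severity
            Summary  = ($e.Message -split "`r?`n")[0]   # first line, e.g. "LOGbinder error"
            Detail   = $detail
        }
    }
}

Get-LogbinderDiagnostics | Sort-Object Time -Descending | Format-Table -AutoSize
```

A 558 with no 550 following it within the day is the pattern to alert on: the service is running but a site collection is not being caught up.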
Appendix D: Configuring auditing on a SharePoint list or document library
When configuring the inputs for LOGbinder, LOGbinder will adjust the audit settings for the SharePoint site collection. At times, though, it is necessary to have more granular control on the settings. For example, a SharePoint document library may have confidential information, and it is desired to audit who is viewing these documents. Auditing view access for the entire site collection would result in a flood of audit entries that are not needed. The solution is to adjust the auditing of SharePoint lists and document libraries. To do this:
In the LOGbinder control panel, set the audit policy you want enabled across the entire site collection.
To change the audit policy for a certain document library or list, go to its settings page and click the link “Information management policy settings” under “Permissions and Management.”
Select a content type (if applicable), and go to the “Auditing” section and configure the audit policy.
Save your changes, and SharePoint will begin auditing that list/library according to the settings you specify. LOGbinder for SharePoint will include these audit events when it processes the site collection.
NOTE: For servers running WSS 3.0 or SharePoint Foundation, SharePoint does not provide a user interface that allows you to configure auditing at the list/library level.
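After changing auditing on individual lists through the UI steps above, an administrator usually wants to confirm which lists now differ from the site collection setting. The script below is an added example, not part of the guide or of LOGbinder: it uses the SharePoint server object model (SPSite.Audit and SPList.Audit, with their AuditFlags and EffectiveAuditMask properties) rather than the UI, and must be run in the SharePoint Management Shell on a SharePoint server. The site URL http://spsite is taken from the 553 example and is an assumption; the script also assumes that the list-level auditing configured through information management policy is reflected in the list's audit mask.

```powershell
# Added example (not from the LOGbinder guide): report the audit mask of a site
# collection and of every visible list/library beneath it, so list-level
# overrides (e.g. View auditing on one confidential library) can be verified.
function Get-SPAuditOverview {
    param([string]$SiteUrl = 'http://spsite')   # assumption: site collection URL

    if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }

    $site = Get-SPSite $SiteUrl
    try {
        $siteFlags = $site.Audit.AuditFlags
        [pscustomobject]@{
            Scope = 'Site collection'; Url = $site.Url
            AuditFlags = $siteFlags; EffectiveMask = $siteFlags; DiffersFromSite = $false
        }

        foreach ($web in $site.AllWebs) {
            try {
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }   # skip system lists
                    $flags = $list.Audit.AuditFlags
                    [pscustomobject]@{
                        Scope           = 'List'
                        Url             = $web.Url + '/' + $list.RootFolder.Url
                        AuditFlags      = $flags
                        EffectiveMask   = $list.Audit.EffectiveAuditMask   # site mask combined with the list's own
                        DiffersFromSite = ($flags -ne $siteFlags)
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }   # SPSite/SPWeb hold unmanaged resources
}

Get-SPAuditOverview | Where-Object { $_.Scope -eq 'Site collection' -or $_.DiffersFromSite } |
    Format-Table Scope, Url, AuditFlags, EffectiveMask -AutoSize
```

Only lists whose mask differs from the site collection are shown, which keeps the output to the libraries that were deliberately configured; EffectiveMask is what SharePoint will actually audit and therefore what LOGbinder will pick up on its next pass.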