Security, et al

Randy's Blog on Infosec and Other Stuff

Making the SharePoint Audit Log Usable

Tue, 09 Feb 2010 10:53:22 GMT

As more and more information and processes move to SharePoint, it becomes critical for compliance and security requirements to monitor and audit SharePoint activity.

I was very excited when I first learned about the SharePoint audit log but I quickly determined that in its unimproved state the SharePoint audit log is essentially unusable due to 4 key issues:

  1. SharePoint's audit log does not provide the names of users or objects.
    The SharePoint audit log fails to translate record IDs, meaning you have no idea what object or user to which a given event refers! Click here for an example of an audit event from SharePoint and then what LOGbinder does with it.
  2. SharePoint's audit log is buried in SharePoint's SQL server content database.
    To ensure the integrity of audit trails, logs must be moved from the system where they are generated to separate and security log archive. However in SharePoint, the audit log isn't really a log - it's a table in the SharePoint database. This makes it inaccessible for most log management solutions. Without the ability to collect the SharePoint audit log into a separate, secure log archive its value as a high integrity audit trail is compromised.
  3. SharePoint's audit log has no reporting.
    In Windows Sharepoint Services the log is totally inaccessible and in Office Sharepoint Services it's exposed through through a few rudimentary, impractical reports in Excel.
  4. Windows SharePoint Services provides no interface for enabling auditing at all.
    The audit log is there but without custom programming there's no way to turn it on; much less access the logs.

I'm still a software developer at heart and the problems with the SharePoint audit log finally pushed me over the edge. The result is LOGbinder SP.

LOGbinder SP is a small, efficient Windows service that monitors the internal SharePoint audit log without making any changes to your SharePoint installation.

For each event LOGbinder SP resolves the user and object IDs and other cryptic codes, producing an easy to understand, plain-English translation of the SharePoint audit event. LOGbinder SP then sends these events to the Windows event log (either the Security log or a custom log) which in turn allows you to leverage any log management solution to collect, monitor, alert, analyze, report and archive SharePoint audit logs.

Here's an example event from the SharePoint audit log pictured as delivered via Excel compared to what the event looks like after LOGbinder SP translates it.

LOGbinder SP turns this: 

SharePoint Audit Log Example

LOGbinder SP is now out of beta and ready for prime-time. You can download an evaluation copy, watch a webinar on the SharePoint audit log, get your questions answered and more at: www.logbinder.com

Please try it out and tell me what you think!

email this digg reddit dzone
comments (0)references (0)

Related:
Auditing Privileged Operations and Mailbox Access in Office 365 Exchange Online
Understanding the Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log
5 Indicators of Endpoint Evil
Audit Myth Busters: SharePoint, SQL Server, Exchange

previous | next

powered by Bloget™

Search


Categories
Recent Blogs
Archive


 

Additional Resources