Taming SharePoint Audit Logs with LOGbinder SP and EventTracker


As more and more information and processes move to SharePoint, monitoring and auditing SharePoint activity becomes critical for meeting compliance and security requirements.

SharePoint does have an internal audit log, but it is essentially unusable due to 4 key issues:
  1. SharePoint's audit log does not provide the names of users or objects. The SharePoint audit log fails to translate record IDs, meaning you have no idea which object or user a given event refers to!
  2. SharePoint's audit log is buried in SharePoint's SQL Server content database. To ensure the integrity of audit trails, logs must be moved from the system where they are generated to a separate and secure archive. However, in SharePoint the audit log isn't really a log; it's a table in the SharePoint database. This makes it inaccessible to most log management solutions. Without the ability to collect the SharePoint audit log into a separate, secure log archive, its value as a high-integrity audit trail is compromised.
  3. SharePoint's audit log has no reporting.  In Windows SharePoint Services the log is totally inaccessible and in Office SharePoint Services it's exposed through a few rudimentary, impractical reports in Excel.
  4. Windows SharePoint Services provides no interface for enabling auditing at all. The audit log is there, but without custom programming there's no way to turn it on, much less access the logs.
To solve these problems I built LOGbinder SP. LOGbinder SP is a small, efficient Windows service that monitors the internal SharePoint audit log without making any changes to your SharePoint installation. For each event, LOGbinder SP resolves the user and object IDs and other cryptic codes, producing an easy-to-understand, plain-English translation of the SharePoint audit event that is written to the Windows event log. From there you can use a log management/SIEM solution to process SharePoint audit events like any other event log.
In this webinar co-sponsored by Prism’s EventTracker I will:
- show you how SharePoint auditing works
- establish the 4 gaps listed above
- demonstrate how LOGbinder SP and EventTracker work together to bring SharePoint audit logs “into the fold”
By bringing SharePoint audit logs into the fold, I mean bringing your full enterprise log management and SIEM efforts to bear on the increasingly critical SharePoint environment by allowing you to treat SharePoint audit trails as just another event log. You probably already apply centralized log management to Windows, UNIX, Linux, firewall and other application logs – why should SharePoint be any different?
You will see how LOGbinder SP solves the problems with SharePoint audit logging without re-inventing the wheel in terms of log management, alerting, reporting, correlation and secure archival – all things that a mature log management/SIEM solution like EventTracker is so good at.


Additional Resources