Using Splunk and LOGbinder to Monitor SQL Server, SharePoint and Exchange Audit Events
It's all about your data and for many, a good bit of your data is in SQL Server, SharePoint and Exchange. Each of those apps has audit capability, but getting those events into Splunk is a bigger challenge than most people realize. The pre-built scripts and other utilities offered by Splunk allow their users to list SQL Server, SharePoint and Exchange as supported data sources, but they don't hold up to serious enterprise level security monitoring.

That problem isn't unique to Splunk. For instance, ArcSight connectors have similar limitations, and the reason is simple: getting audit events out of these 3 apps is hard!

In this webinar I'll explain the technical hurdles to a reliable, stable and informative audit feed from SharePoint/SQL/Exchange to Splunk.

  1. You will learn how Exchange and SharePoint don't even provide an external audit log feed consumable by log management/SIEM solutions. And, while SQL Server does provide a useful audit log feed, I'll explain the 5 reasons why you and your DB admins won’t want to use it.
  2. I'll also show you how cryptic the raw audit events are – assuming they are extracted in the first place.

Then I'll show you how LOGbinder solves those major problems with a reliable, high performance and informative audit feed that can be consumed by any log management or SIEM solution – often in their preferred form such as CEF, LEEF, syslog or the Windows Security Log.

But as with other log management solutions, we go beyond the middleware to deliver even greater intelligence into the SIEM or log management solution so that it can understand these events.

I'm very happy to announce that LOGbinder has now done that for Splunk. The new product is called Splunk App for LOGbinder. I'll show you how easy it is to install “Splunk Free” and the new Splunk App for LOGbinder and start consuming SharePoint, SQL and Exchange audit events. These events automatically feed into 4 different dashboards in the Splunk App for LOGbinder, which provide you with a high-level view of security activity across these 3 important applications. There are also plenty of reports to drill down into for supporting compliance and investigations. Better yet, you can even correlate other security logs from Windows and Active Directory with the SharePoint/SQL/Exchange events you're getting from LOGbinder!

Special valuable offer for “live” attendees!

LOGbinder wants everyone to be able to monitor these 3 important apps, so in celebration of its release of the new Splunk App for LOGbinder, all live attendees can receive a free perpetual and full-featured starter-kit license that allows even the smallest organizations to use Splunk Free and LOGbinder to monitor these 3 Microsoft applications. Are you a very small organization but don't use Splunk? No problem. You can use this starter-kit license* with any log management/SIEM solution. This starter kit is only available to those who attend this webinar live. (See the terms of the offer below.)

Please join me for this fast-moving, technical webinar. Register now to attend the free, live event and get your perpetual LOGbinder starter-kit license!

* Terms of the LOGbinder Starter Kit offer: The LOGbinder starter kit license is available for a limited time and only to registered and live attendees of the Ultimate Windows Security July 16, 2015 webinar. The offer ends August 31, 2015. The offer is for new LOGbinder customers and provides LOGbinder software license(s). Support and maintenance contracts are not included in the starter kit and must be purchased separately. A perpetual LOGbinder for SharePoint, LOGbinder for SQL Server and/or LOGbinder for Exchange software license is included for one or more of the following monitored scenarios:

  • SharePoint: 1 SharePoint server in 1 farm (1 license unit)
  • SQL Server: 1 monitored instance of SQL Server (1 license unit)
  • Exchange Server: Less than 500 total active mailboxes in the Exchange organization (1 license unit)
