LOGbinder for SQL Server
www.logbinder.com
Getting Started Guide
Document version 1
LOGbinder for SQL Server Version 2

Contents

Installing LOGbinder for SQL Server
  Step 1 Select Server and Check Requirements
    Select Server
    Software Requirements
    SQL Server Auditing Requirements
  Step 2 Check User Accounts and Authority
    If outputting to Windows Security log
  Step 3 Run the Installer
Configuring LOGbinder for SQL Server
  Configure Input
  Configure Output
  Configure Service
  Configure Options
  Status Bar
  License
Monitoring LOGbinder for SQL Server
  During Installation and Configuration
  While LOGbinder for SQL Server is Running
Appendix A: Assigning Permissions
  SQL Control Server permission
  Local Security Policy Changes
    Log On as a Service
    Generate Security Audits (SeAuditPrivilege)
    Audit Policy
Appendix B: LOGbinder Event List
  LOGbinder for SQL Server Events
  Diagnostic Events
Appendix C: Diagnostic Events
  551 LOGbinder agent successful
  552 LOGbinder warning
  553 LOGbinder settings changed
  554 LOGbinder agent produced unexpected results
  555 LOGbinder error
  556 LOGbinder insufficient authority
  557 License for LOGbinder invalid
Installing LOGbinder for SQL Server

LOGbinder for SQL Server runs as a Windows service on a Windows server. It translates audit log entries from Microsoft SQL Server, and outputs them to the LOGbinder SQL event log, the Windows Security Log, Syslog, Syslog in CEF, or Syslog in LEEF.

For more information, please visit our web site https://www.logbinder.com. There you will find a rich set of resources to guide you in setting audit policy, setting up audit log reporting and archiving, and so forth. To open a case with our support staff, please email support@logbinder.com.

Installing LOGbinder for SQL Server involves 3 simple steps:
- Step 1 Select Server and Check Requirements
- Step 2 Check User Accounts and Authority
- Step 3 Run the Installer

Subsequent sections cover:
- Configuring LOGbinder for SQL Server
- Monitoring LOGbinder for SQL Server

Step 1 Select Server and Check Requirements

Select Server

LOGbinder for SQL Server can be installed on any Windows workstation that is capable of running Microsoft SQL 2008 or 2012 Express Edition, but a Windows server is recommended. It does not have to be installed on your Microsoft SQL Enterprise Edition server. LOGbinder for SQL Server can consume logs from multiple SQL servers remotely.

Software Requirements

- Microsoft Windows Server 2003 or later
- Microsoft .NET Framework 4.0
- Microsoft SQL Server Express 2008 or later for processing events

SQL Server Auditing Requirements

For LOGbinder for SQL Server to be able to process audit events, SQL Server Audit has to be configured, together with a Server Audit Specification and/or Database Audit Specifications. The audit destination should be a file. For an easy, few-step configuration of both SQL Server Audit and Server Audit Specification, you can use our completely free tool, the SQL Audit Policy Wizard.
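The auditing requirement above, written out in Transact-SQL as an added example (it is not part of the original guide and is not the output of the SQL Audit Policy Wizard). The audit and specification names, the size limits and the selected audit action groups are assumptions; the folder C:\SQLAudit\ must already exist and be writable by the SQL Server service account.

```sql
-- Added example: a file-based SQL Server Audit that LOGbinder for SQL Server can read.
-- Assumed values (not from the guide): object names, MAXSIZE, MAX_ROLLOVER_FILES
-- and the list of audit action groups. Adjust them to your own audit policy.
USE master;
GO

-- 1. The audit object. The guide requires the destination to be a file.
CREATE SERVER AUDIT [LOGbinder_Example_Audit]
TO FILE (
    FILEPATH = N'C:\SQLAudit\',      -- later used as the LOGbinder Audit File Location
    MAXSIZE = 100 MB,                -- size of each .sqlaudit file before rollover
    MAX_ROLLOVER_FILES = 20,         -- oldest files are deleted beyond this count
    RESERVE_DISK_SPACE = OFF
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. The Server Audit Specification: which server-level events go into the audit.
CREATE SERVER AUDIT SPECIFICATION [LOGbinder_Example_ServerSpec]
FOR SERVER AUDIT [LOGbinder_Example_Audit]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)         -- records changes to the audit configuration itself
WITH (STATE = ON);
GO

-- 3. Audits are created disabled; nothing is written until the audit is switched on.
ALTER SERVER AUDIT [LOGbinder_Example_Audit] WITH (STATE = ON);
GO

-- 4. Verify: the audit is enabled, targets a file, and reports a running status.
SELECT a.name, a.is_state_enabled, a.log_file_path,
       a.max_file_size, a.max_rollover_files
FROM sys.server_file_audits AS a
WHERE a.name = N'LOGbinder_Example_Audit';

SELECT s.name, s.status_desc, s.audit_file_path
FROM sys.dm_server_audit_status AS s
WHERE s.name = N'LOGbinder_Example_Audit';

-- 5. Verify: the specification is enabled and lists the expected action groups.
SELECT sp.name AS specification_name, sp.is_state_enabled, d.audit_action_name
FROM sys.server_audit_specifications AS sp
JOIN sys.server_audit_specification_details AS d
    ON d.server_specification_id = sp.specification_id
WHERE sp.name = N'LOGbinder_Example_ServerSpec'
ORDER BY d.audit_action_name;
```

Including AUDIT_CHANGE_GROUP means that stopping or altering the audit is itself recorded in the audit trail.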
Step 2 Check User Accounts and Authority

Three user accounts are involved with LOGbinder for SQL Server.

Your account
  Description: The account you are logged on as when you install and configure LOGbinder for SQL Server.
  Authority required:
  - Read-only access to Audit File Location
  - Member of the local Administrators group (recommended)
  Windows UAC sometimes interferes with this setting. It is recommended that you use the Run as Administrator option when running LOGbinder. You may also need to give your account, as well as the service account, modify permissions to the C:\ProgramData folder as described in the third bullet point below.

Service account
  Description: The account that the LOGbinder for SQL Server (LOGbinder SQL) service will run as. This domain account must be created before installing LOGbinder for SQL Server. See Appendix A: Assigning Permissions for details on granting these permissions.
  Authority required:
  - Control Server permission on the SQL Server being used to process events
  - Privilege "log on as a service"
  - Permission to create, read, modify files in {Common Application Data}\LOGbinder SQL (i.e. C:\Documents and Settings\All Users\Application Data\LOGbinder SQL or C:\ProgramData\LOGbinder SQL). Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder. This LOGbinder SQL folder will be created after LOGbinder is installed and the LOGbinder control panel is first started.
  If outputting to Windows Security log:
  - Privilege "Generate Security Audit" (SeAuditPrivilege)
  - Setting audit policy
    - Windows Server 2003: Enable "Audit object access" for at least success
    - Windows Server 2008 or later: Enable the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option, and enable the "Audit Application Generated" audit subcategory for at least success

SQL Server account
  Description: The account running the SQL Server that is set in the LOGbinder input to process the events.
  Authority required:
  - Read access to Audit File Location (see section Configure Input below for more details on this)

Step 3 Run the Installer

Run the installer.

On the page "Specify Service Account," enter the user account name, including both domain name and user name (i.e. domain\username) of the service account (the user account that will run the LOGbinder for SQL Server (LOGbinder SQL) service). The rights outlined above must be granted to the account before running the installer, or else LOGbinder for SQL Server will not install properly.

On the page "Select Installation Folder," it is recommended that you use the default setting, C:\Program Files\LOGbndSQ.

If a dialog box "Set Service Login" appears, then the user account information entered previously was not valid. Confirm the account name and password, and re-enter the information.
Configuring LOGbinder for SQL Server

Open the "LOGbinder SQL" link in the Windows start menu, which appears by default in the LOGbinder folder.

To use LOGbinder for SQL Server, adjust the settings in the three views: Input, Output, and Service.

Settings can be changed while the service is running, but changes will be applied only when the service is restarted. If the LOGbinder for SQL Server control panel is closed before restarting the service, the changes will be discarded. On the other hand, if the service is already stopped, the changes are saved automatically.

Configure Input

Use the menu Action\New Input to add at least one Audit File Location. Either type the path, or use the Browse button to find the path. The path can be in UNC or drive/path format.

Audit File Location

LOGbinder for SQL Server retrieves audit logs from files you create using Microsoft SQL Server 2008 or 2012 Enterprise edition. When creating an audit in SQL Server, use File as the selection for Audit destination, as shown below.

[Figure 1: SQL Server Audit Properties window]

Choose this file path when specifying LOGbinder for SQL Server's Audit File Location folder.

You can use one installation of LOGbinder for SQL Server to monitor audits from multiple Microsoft SQL servers. Create an input for each server you wish to monitor.

To adjust the properties of an input, use the menu Action\Properties or double-click on it.

Check the box "Specify last processed file" if you are reinstalling LOGbinder for SQL Server and must resume at a specific location. Generally, though, this box will be unchecked, as you will experience errors if an invalid selection is made.
In the section SQL Server for Processing Events, choose or enter the name of an existing SQL server. All eligible servers can be listed by pressing the Refresh button. (Note that only those SQL servers that have the SQL Server Browser service running can be discovered and listed here.) You do not need to choose the server that generates the events; any of these servers can be chosen.

The service account must have the following permission:
- Control Server permission on this SQL server
[NOTE: The service account does not need such permissions to the server(s) generating audit events.]

The account that is running the SQL Server for Processing Events must have the following permission:
- Read access to the Audit File Location folder

See Appendix A: Assigning Permissions for details on granting permissions.

[Figure 2: Input properties window]

Why do I need to specify a SQL server?

Above it is noted that LOGbinder for SQL Server does not access the audit logs directly from your Microsoft SQL Server (a.k.a. your production server). So, why does a SQL server need to be chosen? And for what purpose?

When SQL outputs audit logs to a file, it does so in an encrypted format that can be read only by Microsoft SQL Server itself. This is essential to prevent tampering with the integrity of the audit log trail. Thus, LOGbinder for SQL Server cannot read these log files itself, but it must use SQL Server to read the logs. LOGbinder must be able to use an installation of SQL Server 2008 or 2012, including Express edition. In most cases you will not want to choose your production server for LOGbinder's use to process events.

Configure Output

LOGbinder supports multiple output formats. LOGbinder for SQL Server allows output to go to:
- LOGbinder SP Event Log: a custom event log under Applications and Services Logs.
- Security Log: the Windows Security log. (Please remember to set the additional privileges as described in section Step 2 Check User Accounts and Authority when using this feature.)
- Syslog-CEF: a Syslog server using ArcSight's Common Event Format.
- Syslog-LEEF: a Syslog server using IBM Security QRadar's Log Event Extended Format.
- Syslog-Generic: a Syslog server using the generic Syslog format.
- Syslog-CEF (File): a Syslog file using ArcSight's Common Event Format.
- Syslog-LEEF (File): a Syslog file using IBM Security QRadar's Log Event Extended Format.
- Syslog-Generic (File): a Syslog file using the generic Syslog format.

At least one of these must be enabled in order for the LOGbinder service to start.

To adjust the settings, select an item and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."
Select "Include Noise Events" if you want to include these in the event log. A noise event is a log entry generated from the input (SQL Server) that contains only misleading information. This option is included in case it is essential to preserve a complete audit trail; by default this option is not selected.

For some output formats, LOGbinder for SQL Server can preserve the original data extracted from SQL, along with details as to how the entry was translated by LOGbinder. Check the option "Include XML Data" in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.

[Figure 3: Output properties window]

For the output format "LOGbinder SQL Event Log", the entries are placed in a custom log named "LOGbinder SQL." When the log is created, by default the maximum log size is set to 16MB, and it will overwrite events as needed. If changing these settings, balance the log size settings with the needs of your log management software as well as the setting for "Include XML Data." In this way you will ensure that your audit trail is complete.

For file based outputs, such as Syslog (File), the output file is stored in the folder specified by the Alternate Output Data Folder option under File\Options. (See section below on Configure Options.)

Configure Service

To start, stop, and restart the LOGbinder for SQL Server (LOGbinder SQL) service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar.

Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder will confirm that the settings are accurate and that the necessary permissions have been granted. If the service fails to start, a message will be shown as to what settings need to be corrected.

The reasons why the service will not start include:
- If no inputs have been properly configured.
- If no outputs (i.e. Windows Event Log, Windows Security Log) are enabled.

If either of these conditions is found, the service will not start. A message will be presented to the user with the details of the problem.

[Figure 4: Message indicating outputs not configured]

If the service cannot start because the account does not have sufficient authority, or if there is another problem preventing it from running, the details of the problem are written to the Application Event Log. These events can also be viewed inside of the LOGbinder control panel, by selecting the LOGbinder Diagnostic Events view.

See the section Monitoring LOGbinder for SQL Server for more information on how to handle issues that may arise when starting the LOGbinder for SQL Server (LOGbinder SQL) service.

Configure Options

Use the menu File\Options to change LOGbinder's options.

The Service Account lists the user account that runs the LOGbinder for SQL Server (LOGbinder SQL) service. This is the account you specified when installing LOGbinder for SQL Server. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).
If the box "Do not write informational messages to the Application log" is checked, then event 551 LOGbinder agent successful (see Appendix C: Diagnostic Events) will not be written to the Application log.

[Figure 5: Options window]

The Logging options can be utilized for diagnostic purposes if experiencing problems with LOGbinder. By default, the Logging Level is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1 generates a standard level of detail of logging. Level 2 will generate more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support; otherwise performance will be adversely affected. Both Level 1 and Level 2 logging options will generate log files named Control Panel.log, Service.log, Service Controller.log and Service Processor.log in the Log location folder.

Alternate Output Data Folder specifies the data folder used for the output data. This is the folder where LOGbinder stores outputs that are written to files, such as the Syslog-Generic (File), as well as the above mentioned diagnostic files. The folder path can be set using a drive letter, or UNC if it is a network location. The default folder is {Common Application Data}\LOGbinder SP (i.e. C:\ProgramData\LOGbinder SP). Please note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder as specified above in section Step 2 Check User Accounts and Authority.

Status Bar

The status bar will show information about the operation of LOGbinder.
- Displays the status of the service. The image shown indicates the service is stopped. The service may also be running, or in an 'unknown' state.
- Shows the status of the license for LOGbinder. If LOGbinder is not fully licensed, a message will appear in the status bar.
- Indicates that settings have been changed. In order to apply the changes, the LOGbinder for SQL Server (LOGbinder SQL) service must be restarted. If the LOGbinder for SQL Server (LOGbinder SQL) service is running and the LOGbinder for SQL Server control panel is closed, the changes will be discarded.
License

Use the menu File\License to view information about your license for LOGbinder.

If you have purchased LOGbinder for SQL Server and need to obtain a license key, follow these steps:
1. For Unit/Server Count, enter the number of audit inputs being monitored.
2. Press the Copy button, and paste the contents into an email addressed to licensing@logbinder.com.
3. When the license key is received, copy it to the clipboard and press the Paste button.

If you are properly licensed, the license window will redisplay and show that you are properly licensed. If there is a problem, respond immediately to licensing@logbinder.com.

[Figure 6: License window]
Monitoring LOGbinder for SQL Server

When installing, configuring, and running LOGbinder for SQL Server, the software writes diagnostic events to the Windows Application Event Log. Most of these will be from the source "LOGbndSE" and the category "LOGbinder." You may use the Windows Event Viewer to examine these events. Also, the LOGbinder control panel includes a set of views that lists these events: choose LOGbinder Diagnostic Events, or drill down to one of the nested views.

[Figure 7: LOGbinder Diagnostic Events view]

During Installation and Configuration

During installation and configuration, you will find these entries:
- After installation, there may be an entry from the source MsiInstaller: "Product: LOGbinder SQL -- Installation completed successfully."
- When the configuration of LOGbinder for SQL Server changes, you will see one or more entries entitled "LOGbinder settings changed." See Appendix C: Diagnostic Events: 553 LOGbinder settings changed for information about these events.
- When the service starts, there may be an entry from the source LOGbinder SQL: "Service started successfully." (Entries are also written when the service is stopped.)

You can monitor these events to ensure that LOGbinder for SQL Server continues to be configured properly, and that unauthorized changes do not occur.

After configuring LOGbinder for SQL Server and starting the service, it automatically performs a check to ensure that LOGbinder's settings are valid and that the account running the Windows service has sufficient authority. If there is a problem, the LOGbinder for SQL Server (LOGbinder SQL) service will not start and a message will be presented to the user. In most cases, the details of the problem are written to the Application log. Common problems include:
- Input/output not configured properly. See the previous section Configuring LOGbinder for SQL Server for more information.
- Insufficient authority. If the service account does not have adequate authority, then the service will not run. An entry is written to the Application log. See Appendix C: Diagnostic Events 556 LOGbinder insufficient authority for more details. Some of the common missing permissions include:
  - Account does not have authority to log on as a Windows service
  - Account does not have necessary permissions to the Audit File Location.
  - The account does not have authority to write to the Security event log. (If this output destination has not been selected, then it is not necessary to grant this permission.)
- License invalid. If the license is not valid or has expired, then the LOGbinder for SQL Server (LOGbinder SQL) service will not run. An entry may be written to the Application log. See Appendix C: Diagnostic Events 557 License for LOGbinder invalid for details.
- Other errors will be found in entries entitled "LOGbinder error." See Appendix C: Diagnostic Events 555 LOGbinder error for more information.

If any of these errors are encountered, the LOGbinder for SQL Server (LOGbinder SQL) service will not run.

While LOGbinder for SQL Server is Running

While LOGbinder for SQL Server is running, you will see information entries in the Application log as follows:
- Entries 'exported' from SQL. This message indicates the number of audit entries that LOGbinder for SQL Server has processed.
- Entries 'imported' into the Windows event log. This indicates that the audit entries have been placed in the enabled output formats. There will be one message even if multiple output formats have been selected (i.e. you have selected both Windows Security Log and Windows Event Log as output formats).

The 'export'/'import' entries are complementary: there should be a corresponding 'import' entry for each 'export.' These log entries are informational in nature. Generally no action is required. If more entries are being processed than what appear in the event logs or in your log management solution, it could be that the log size is too small and entries are being overwritten. See Appendix C: Diagnostic Events 551 LOGbinder agent successful for more information on these events.

There may also be some warning event entries:
- LOGbinder agent produced unexpected results. When LOGbinder for SQL Server cannot translate an event properly, in addition to outputting the event to the selected output streams, it also creates an entry in the Application log. See Appendix C: Diagnostic Events 554 LOGbinder agent produced unexpected results for further details.

If LOGbinder for SQL Server has an error, an entry will be created in the Application log. If permissions are removed, or if the license expires, you may receive a "556 LOGbinder insufficient authority" or "557 License for LOGbinder invalid" error, which are explained above. Other errors will be entitled "LOGbinder error." If you cannot resolve the problem, please submit the issue to the LOGbinder support team.
Appendix A: Assigning Permissions

SQL Control Server permission

Use the following Transact-SQL script to assign the Control Server permission to the service account:

    USE master
    GRANT CONTROL SERVER TO [domain\user]
    GO

The Control Server permission does not appear on the Login Properties window in SQL Server Management Studio.

The SysAdmin server role is basically the equivalent of the Control Server permission, and this could be assigned instead of Control Server:
1. In SQL Server Management Studio, navigate to Security\Logins
2. Select the login for the service account and open its properties
3. Select the Server Roles page
4. Check sysadmin and close

NOTE: Whereas the SysAdmin server role supersedes all other permissions, the Control Server privilege is affected by other statements: DENY statements can reduce the amount of privileges. While it is beyond the scope of this document to outline specific scenarios, Control Server could be used in situations where it is necessary to reduce the privileges of the service account.

Local Security Policy Changes

The following chart summarizes the changes to be made in the Local Security Policy. More detailed explanations are found after the chart.

Local Security Policy (secpol.msc) settings summary

This always needs to be set:
- Security Settings\Local Policies\User Rights Assignment\Log on as a service
  - Windows Server 2003: add service account
  - Windows Server 2008/2012: add service account

These need to be set if outputting to Windows Security log:
- Security Settings\Local Policies\User Rights Assignment\Generate security audits
  - Windows Server 2003: add service account
  - Windows Server 2008/2012: add service account
- Security Settings\Local Policies\Audit Policy\Audit object access
  - Windows Server 2003: set Success
  - Windows Server 2008/2012: N/A
- Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
  - Windows Server 2003: N/A
  - Windows Server 2008/2012: set Enabled
- Security Settings\Advanced Audit Policy Configuration\Object Access\Audit Application Generated
  - Windows Server 2003: N/A
  - Windows Server 2008/2012: set Success
Log On as a Service

1. Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
2. Select Security Settings\Local Policies\User Rights Assignment
3. Open "Log on as a service" and add user

NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Generate Security Audits (SeAuditPrivilege)

1. Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
2. Select Security Settings\Local Policies\User Rights Assignment
3. Open "Generate security audits" and add user

NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Audit Policy

Windows Server 2003

1. Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
2. Select Security Settings\Local Policies\Audit Policy
3. Edit "Audit object access," ensuring that "Success" is enabled. (LOGbinder for SQL Server does not require that the "Failure" option be enabled.)

NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Windows Server 2008 and 2012

Audit policy can be configured with the original top level categories as described above for Windows Server 2003, but most environments have migrated to the new, more granular audit sub-categories available in Windows Server 2008 (aka Advanced Audit Policy).

Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)
First, you must ensure that basic and advanced audit policy settings are not used at the same time. Microsoft gives this warning:

    Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
    (http://technet.microsoft.com/en-us/library/dd692792(ws.10).aspx)

1. Select Security Settings\Local Policies\Security Options
2. Open and enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
To enable LOGbinder for SQL Server events to be sent to the security log:

1. Select Security Settings\Advanced Audit Policy Configuration\Object Access
2. Edit "Audit Application Generated," ensuring that "Success" is enabled. (LOGbinder for SQL Server does not require that the "Failure" option be enabled.)

NOTE: You can also configure this via a group policy object in Active Directory.
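A check of the SQL Control Server permission from this appendix, together with the read path explained under "Why do I need to specify a SQL server?", as an added example (not LOGbinder's own script, and not part of the original guide). The login DOMAIN\svc-logbinder and the folder C:\SQLAudit\ are placeholders; run it as a sysadmin on the SQL Server chosen for processing events.

```sql
-- Added example: confirm that the service account can read audit files through SQL Server.
-- Placeholders (assumptions): DOMAIN\svc-logbinder is the LOGbinder service account,
-- C:\SQLAudit\ is the Audit File Location. Keep both EXECUTE AS literals in sync
-- with @svc. The caller needs sysadmin (or IMPERSONATE on the login).
USE master;
GO

DECLARE @svc sysname = N'DOMAIN\svc-logbinder';

-- 1. Explicit server-level permissions held by the login.
--    Expect a GRANT row for CONTROL SERVER. Any DENY row listed here narrows
--    what CONTROL SERVER allows, which is the caveat in the NOTE above.
SELECT pr.name AS login_name, pe.permission_name, pe.state_desc, pe.class_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = @svc
ORDER BY pe.state_desc, pe.permission_name;

-- 2. Was sysadmin assigned instead of CONTROL SERVER?
--    1 = member, 0 = not a member, NULL = login or role not valid.
SELECT IS_SRVROLEMEMBER(N'sysadmin', @svc) AS is_sysadmin;

-- 3. Effective result, evaluated in the security context of the service account.
EXECUTE AS LOGIN = N'DOMAIN\svc-logbinder';

-- 1 = the login effectively holds CONTROL SERVER after all GRANTs and DENYs.
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER') AS has_control_server;

-- Reading .sqlaudit files goes through sys.fn_get_audit_file, which on the
-- SQL Server 2008/2012 releases this guide covers requires CONTROL SERVER.
-- The file itself is opened by the SQL Server service account, so this query
-- also proves that account has read access to the Audit File Location.
SELECT TOP (5)
       event_time,
       action_id,
       succeeded,
       server_principal_name,
       statement,
       file_name,
       audit_file_offset
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;

REVERT;
GO
```

A permission error on the last query points at the service account's SQL permission; an operating system file error points at the SQL Server service account's access to the folder.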
Appendix B: LOGbinder Event List

LOGbinder for SQL Server Events

https://www.logbinder.com/products/logbindersql/resources/eventlist.aspx

Diagnostic Events

- 551 LOGbinder agent successful
- 552 LOGbinder warning
- 553 LOGbinder settings changed
- 554 LOGbinder agent produced unexpected results
- 555 LOGbinder error
- 556 LOGbinder insufficient authority
- 557 License for LOGbinder invalid
Appendix C: Diagnostic Events

551 LOGbinder agent successful

Occurs when LOGbinder for SQL Server successfully translates log entries. These events usually appear in pairs: one indicates that log entries have been 'exported' from their source (for example, SQL Server), and the other that entries have been 'imported' to their destination (for example, the Windows event log). This event is informational in nature. This event is written to the Windows Application log.

Example A
  LOGbinder agent successful
  LOGbinder SQL exported 3 entries from SQL logs from c:\sqlaudit\

Example B
  LOGbinder agent successful
  LOGbinder SQL imported 3 entries to Security event log

Example C
  LOGbinder agent successful
  LOGbinder SQL imported 3 entries to LOGbinder SQL event log

552 LOGbinder warning

Occurs when LOGbinder for SQL Server does not find information as expected. In most cases, it does not indicate a serious problem, but is provided so as to complete the audit trail. This event is written to Windows application log.

For example, as LOGbinder for SQL Server translates entries, it performs various lookups to provide complete information. If the related item was deleted, a "LOGbinder warning" is generated.

Example A
  LOGbinder warning
  Lookup failed. Could not find Scope Item with ID of 89de71fe-1442-48ff-9a6e-052bddda3440.

Example B
  LOGbinder warning
  Lookup failed. Could not find User with ID of 19.

553 LOGbinder settings changed

Occurs when the LOGbinder settings are changed. This event is written to Windows Application log. For LOGbinder for SQL Server, this includes changes to the Audit File Location.
Example A
  LOGbinder settings changed
  Output to Security log enabled. Noise events included.

Example B
  LOGbinder settings changed
  Settings for c:\sqlaudit\ adjusted: Last export value is c:\sqlaudit\audit-localfile_3b48c4ed-9da8-462e-bfd9-4935a28148b8_0_129590759441100000.sqlaudit; offset 0

Example C
  LOGbinder settings changed
  Settings for C:\SQLAudit2 adjusted: folder changed from C:\SQLAudit2 to C:\SQLAudit

554 LOGbinder agent produced unexpected results

Occurs when LOGbinder for SQL Server encounters something unexpected when translating a log entry. At times it may be from a custom log entry. This event is written to Windows Application log.

You can help us improve LOGbinder by reporting these events to the LOGbinder support team so that the LOGbinder product may be improved. Private data will not be shared.

Example A
In this example, the developer created an audit entry with the type "MakeItSo."

  LOGbinder agent produced unexpected results
  As the LOGbinder agent translated this entry, it encountered data is could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.
  <LogEntry sitename="http://shpnt" itemtype="site" username="robert Solomon" locationtype="url" occurred="2009-06-26t14:13:02" eventtype="makeitso"><rawdata siteid="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemid="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemtype="site" userid="1" locationtype="url" occurred="633816223820000000" event="custom" eventname="makeitso" eventsource="objectmodel"><eventdata><version><major>1</major><minor>2</Minor></Version></EventData></RawData><Details /></LogEntry>

Example B
In this example, the developer used an existing event type, "Workflow," but included non-standard event data.
  LOGbinder agent produced unexpected results
  As the LOGbinder agent translated this entry, it encountered data is could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.
  <LogEntry sitename="http://shpnt" itemtype="list Item" username="robert Solomon" locationtype="url" occurred="2009-06-29t21:49:11" eventtype="workflow"><rawdata siteid="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemid="c04f5388-bf24-4007-b463-1dd1b3c19a02" itemtype="listitem" userid="1" documentlocation="cache Profiles/1_.000" locationtype="url" occurred="633819089510000000" event="workflow" eventsource="objectmodel"><eventdata>http://shpnt/doclib/copiedfile.ext</eventdata></rawdata><details /></LogEntry>

555 LOGbinder error

Occurs when LOGbinder encounters a problem that needs attention. This event is written to Windows Application log. In most cases this gives enough information for you to address the problem successfully. Otherwise, please contact LOGbinder support for assistance.

Example A
In this example, the error indicates that LOGbinder for SQL Server has not been configured properly, in that no SQL audit location was set to be monitored by LOGbinder.

  LOGbinder error
  Cannot start LOGbinder SQL service, SQL Audit Locations not configured.

556 LOGbinder insufficient authority

Occurs when LOGbinder for SQL Server (LOGbinder SQL) service cannot run because of invalid or inadequate permissions. The event will include the module lacking the permission, the name or description of the permission, as well as relevant details. Each example below also includes the action needed in order to correct it.

Example A: No permission to write to security log

  LOGbinder insufficient authority
  The LOGbinder agent cannot operate normally because it lacks sufficient authority.
  Source: Security Log
  Privilege: SeAuditPrivilege
  Details: The LOGbinder agent does not have the permissions to configure the security log

Action: The service account needs the "Generate security audits" privilege (https://www.ultimatewindowssecurity.com/wiki/windowssecuritysettings/generate-security-audits), or do not enable LOGbinder to output to the Windows Security log.

Example B: Attempt to write to security log from invalid location

One measure to protect the security log is to write security events only from authorized locations. When LOGbinder is configured, it registers its program location with the security log. If this error occurs, then LOGbinder had been reinstalled to a different location, and the previous location was not removed properly.
  LOGbinder insufficient authority
  The LOGbinder agent cannot operate normally because it lacks sufficient authority.
  Source: Security Log
  Privilege: Invalid Location
  Details: Cannot write to because the program location does not match what has been previously configured

Action: Recommended to delete the registry key manually. First ensure that LOGbinder is not open. Then delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LOGbndSC. Be careful not to delete other parts of the registry, as it can cause the server to be unstable. When you reopen LOGbinder, it will reconfigure its ability to write to the security log.

Example C: Internal error

  LOGbinder insufficient authority
  The LOGbinder agent cannot operate normally because it lacks sufficient authority.
  Source: Security Log
  Privilege: Internal Error
  Details: The security account database contains an internal inconsistency

Action: One factor that can cause an internal error is if the LOGbinder program path is too long. By default, LOGbinder is installed to C:\Program Files\LOGbndSQ. It is recommended that the default be used. If the software has been installed to a different location with a longer program path, to correct this error it will be necessary to reinstall LOGbinder.

Example D: Log on as service

  LOGbinder insufficient authority
  The LOGbinder agent cannot operate normally because it lacks sufficient authority.
  Source: LOGbinder service
  Privilege: Log on as service
  Details: Account running LOGbinder agent does not have user right "Logon as a service"

Action: The service account needs to be assigned the "Logon as a service" user right. (https://www.ultimatewindowssecurity.com/wiki/windowssecuritysettings/log-on-as-a-service)

Example E: Cannot start LOGbinder control panel

  LOGbinder insufficient authority
  The LOGbinder agent cannot operate normally because it lacks sufficient authority.
  Source: LOGbinder Manager
  Privilege: File Permissions
  Details: Account running LOGbinder Control Panel needs to be a member of the local Administrators group

Action: Ensure that the user account used to run the LOGbinder for SQL Server control panel has local administrator access.
557 License for LOGbinder invalid

Occurs when the license for LOGbinder is not valid and an attempt is made to start the service. This event is written to the Application log.

If the license is not valid, the LOGbinder for SQL Server control panel continues to operate as normal. However, the LOGbinder service will not start if the license is invalid. Follow the instructions in the control panel, in the menu File\License, in order to obtain a license to the software.

Example
  License for LOGbinder invalid
  Details: License is invalid. Open LOGbinder SQL Control Panel to remedy.