Getting Started Guide




LOGbinder for SharePoint
www.logbinder.com
Getting Started Guide
Document version 3
LOGbinder for SharePoint Version 5

Contents

Installing LOGbinder for SharePoint
  Step 1 Select Server and Check Software Requirements
    Select Server
    Software Requirements
  Step 2 Check User Accounts and Authority
    If outputting to Windows Security log
  Step 3 Run the Installer
  Transferring settings to a new server
Configuring LOGbinder for SharePoint
  Configure Input
  Configure Output
  Configure Service
  Configure Options
  Status Bar
  License
Monitoring LOGbinder for SharePoint
  During Installation and Configuration
  While LOGbinder for SharePoint is Running
  Reports
Appendix A: Assigning Permissions
  SharePoint Farm Administrator
  Site Collection Administrator
  WSS_ADMIN_WPG group
  Local Security Policy Changes
  Log On as a Service
  Generate Security Audits (SeAuditPrivilege)
  Audit Policy
Appendix B: LOGbinder Event List
  LOGbinder for SharePoint Events
  Diagnostic Events
Appendix C: Diagnostic Events
  550 LOGbinder process report
  551 LOGbinder agent successful
  552 LOGbinder warning
  553 LOGbinder settings changed
  554 LOGbinder agent produced unexpected results
  555 LOGbinder error
  556 LOGbinder insufficient authority
  557 License for LOGbinder invalid
  558 LOGbinder processing warning
Appendix D: Configuring auditing on a SharePoint list or document library

Installing LOGbinder for SharePoint

LOGbinder for SharePoint runs as a Windows service on a SharePoint server. It translates audit log entries in SharePoint, and outputs them to the LOGbinder SP event log, the Windows Security Log, Syslog, Syslog in CEF, or Syslog in LEEF.

For more information, please visit our web site https://www.logbinder.com/products/logbindersp/#tabs-resources. There you will find a rich set of resources to guide you in setting audit policy, setting up audit log reporting and archiving, and so forth. To open a case with our support staff, please email support@logbinder.com.

Installing LOGbinder for SharePoint involves 3 simple steps: *

- Step 1 Select Server and Check Software Requirements
- Step 2 Check User Accounts and Authority
- Step 3 Run the Installer

Subsequent sections cover:

- Configuring LOGbinder for SharePoint
- Monitoring LOGbinder for SharePoint

* If LOGbinder has been used on another server in the same environment where it is now installed, refer to the Transferring settings to a new server section below, in order to preserve a complete audit trail.

Step 1 Select Server and Check Software Requirements

Select Server

If SharePoint is installed in a server farm environment, then LOGbinder for SharePoint would be installed on a single application, web front end or central admin server. Do not install LOGbinder for SharePoint on dedicated SharePoint database servers because the necessary SharePoint components are not present.

Software Requirements

- Microsoft Windows server 2003 or later
- Microsoft .NET Framework
  - For SharePoint 2007 and 2010, Microsoft .NET Framework 3.5 SP1 or 4.0
  - For SharePoint 2013, Microsoft .NET Framework 4.0 or later
- Microsoft SharePoint (one of the following):
  - Windows SharePoint Services 3.0
  - Microsoft Office SharePoint Server 2007
  - Microsoft SharePoint Foundation 2010
  - Microsoft SharePoint Server 2010
  - Microsoft SharePoint Server 2013

Step 2 Check User Accounts and Authority

Two user accounts are involved with LOGbinder for SharePoint.

Your account

Description: The account you are logged on as when you install and configure LOGbinder for SharePoint.

Authority required:
- Member of the local Administrators group
- SharePoint farm administrator

Windows UAC sometimes interferes with this setting. It is recommended that you use the Run as Administrator option when running LOGbinder. You may also need to give your account as well as the service account modify permissions to the C:\ProgramData folder as described in the fourth bullet point below.

Service account

Description: The account that the LOGbinder for SharePoint (LOGbinder SP) service will run as. This domain account must be created before installing LOGbinder for SharePoint. This account does not need to be a local or domain administrator; the LOGbinder for SharePoint (LOGbinder SP) service can run in a least-privilege environment. See Appendix A: Assigning Permissions for details on granting these permissions.

Authority required:
- SharePoint farm administrator
- Site collection administrator on each SharePoint site collection being monitored
- Privilege log on as a service
- Permission to create, read, modify files in {Common Application Data}\LOGbinder SP (i.e. C:\Documents and Settings\All Users\Application Data\LOGbinder SP or C:\ProgramData\LOGbinder SP). Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder. This LOGbinder SP folder will be created after LOGbinder is installed and the LOGbinder control panel is first started.
- Member of the WSS_ADMIN_WPG group (required for SharePoint 2013 installation only)
- If outputting to Windows Security log:
  - Privilege "Generate Security Audit" (SeAuditPrivilege)
  - Setting audit policy
    - Windows 2003: Enable Audit object access
    - Windows 2008 or later:
      - Enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security option
      - Enable the Audit Application Generated audit subcategory

Note: LOGbinder for SharePoint uses the standard SharePoint API to access audit information. (See blog LOGbinder SP use of SQL Privileges.) However, on some rare occasions, SharePoint requires more authority than is normally necessary. In these unusual cases, the user account as well as the service account needs additional privileges to the SharePoint databases. For further details on why, what, and how, see blog Workaround if LOGbinder SP is having SQL database issues.

Step 3 Run the Installer

Run the appropriate installer from the installation package: for SharePoint 2007, use the 32bit or the 64bit installer, depending on your system; for SharePoint 2010, use the 64bit installer; for SharePoint 2013, use the 2013 installer.

On the page "Specify User Account," enter the user account name, including both domain name and user name (i.e. domain\username) of the service account (the user account that will run the LOGbinder for SharePoint (LOGbinder SP) service). The rights outlined above must be granted to the account before running the installer, or else LOGbinder for SharePoint will not install properly.

On the page "Select Installation Folder," it is recommended that you use the default setting, C:\Program Files\LOGbndSP.

If a dialog box "Set Service Login" appears, then the user account information entered previously was not valid. Confirm the account name and password, and re-enter the information.

Transferring settings to a new server

If LOGbinder was running in your environment before, but it now has to be installed on a different server, the following steps can be followed to transfer the settings to the new server. * This not only saves setup time and reduces setup problems, but also ensures that audit log collection continues where LOGbinder left off, so as to preserve a complete audit trail:

1. Make sure that on both the source (where LOGbinder was run before) and target (the new LOGbinder server) servers, the LOGbinder service is not running and the LOGbinder control panel is not open.
2. Go to the {Common Application Data}\LOGbinder SP folder on the source server, i.e. C:\Documents and Settings\All Users\Application Data\LOGbinder SP or C:\ProgramData\LOGbinder SP. Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.
3. Copy all *.stg and *.xml files to the same folder on the target server.

* LOGbinder is not recommended to be run on two servers at the same time in the same environment.

Configuring LOGbinder for SharePoint

Open the "LOGbinder SP" link in the Windows start menu, which appears by default in the LOGbinder folder. To use LOGbinder for SharePoint, adjust the settings in the three views: Input, Output, and Service.

Settings can be changed while the service is running, but changes will be applied only when the service is restarted. If the LOGbinder for SharePoint control panel is closed before restarting the service, the changes will be discarded. On the other hand, if the service is already stopped, the changes are saved automatically.

Configure Input

LOGbinder for SharePoint examines the local SharePoint server farm; the site collections that exist on the farm are shown in the view. Only the sites with a check mark in the Monitored column will be processed by LOGbinder.

What do I do if the site collection list is empty? If the site collection list is empty (that is, apart from the <Default Audit Policy> entry), you are not properly connected to a SharePoint farm. It may be that (1) LOGbinder for SharePoint is not installed on a valid SharePoint server, (2) your account is not a SharePoint Farm Administrator, or (3) your account needs to run with elevated privileges (i.e. run as administrator) in order to access the farm.

The first item listed is <Default Audit Policy>. LOGbinder for SharePoint allows you to set a default audit policy, which can then be applied to site collections you specify. If you later change the default audit policy, the site collections to which you have applied it will automatically have their policy changed. To adjust the default audit policy, select that item in the list, and use the menu Action\Properties (or double-click on it). Select one or more event types to be monitored. If you wish to apply the default policy to newly created site collections, check the box Apply default audit policy to new site collections.

Figure 1: A typical Input list

To adjust the properties of a site collection, use the menu Action\Properties or double-click on it. To adjust the audit policy of multiple site collections at once, use the Shift and/or Ctrl buttons while selecting.

For site collections you wish to monitor, you have three ways to specify the audit policy:

- Allow Site Collection Administrator to configure audit policy using SharePoint's administration page: This allows you to set the audit policy in SharePoint. To see what the current audit policy is for the site collection, click the View link, and a list of the current policy will be shown. (See Appendix D: Configuring auditing on a SharePoint list or document library)
- Use LOGbinder's default audit policy: To view the default audit policy, you may click the View link. If this option is disabled, it means that you have not yet set the default audit policy.
- Custom audit policy: If this option is selected, then select one or more event types to be audited in the box.

At least one audit type must be selected in order for the site collection to be processed by LOGbinder.

Figure 2: Input properties window

The "Last Processed" box shows the date and time audit events were last retrieved from SharePoint. After installing LOGbinder the first time, it starts processing audit logs from the time of the installation onward. * If some of the backlog events are also to be processed, the start date can be set here. It is recommended that once LOGbinder is in operation, this date not be changed manually, as it could result in skipping some audit events in SharePoint, or double-handling, resulting in events appearing twice in the event log. If the date needs to be adjusted, check the box next to the date, and then the date can be adjusted.

* If this is not the first installation of LOGbinder on the same server, it will continue audit log processing from the date and time it finished its last run with the previous installation. If LOGbinder was installed on another server in the same environment before, you might want to refer to the section above about Transferring settings to a new server.

This window also has a link to SharePoint Farm Properties, which displays basic information about the SharePoint farm.

Configure Output

LOGbinder supports multiple output formats. LOGbinder for SharePoint allows output to go to:

- LOGbinder SP Event Log: a custom event log under Applications and Services Logs.
- Security Log: the Windows Security log. (Please remember to set the additional privileges as described in section Step 2 Check User Accounts and Authority when using this feature.)
- Syslog-CEF: a Syslog server using ArcSight's Common Event Format.
- Syslog-LEEF: a Syslog server using IBM Security QRadar's Log Event Extended Format.
- Syslog-Generic: a Syslog server using the generic Syslog format.
- Syslog-CEF (File): a Syslog file using ArcSight's Common Event Format.
- Syslog-LEEF (File): a Syslog file using IBM Security QRadar's Log Event Extended Format.
- Syslog-Generic (File): a Syslog file using the generic Syslog format.

At least one of these must be enabled in order for the LOGbinder service to start.

To enable an output and adjust the settings, select it and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."

Select "Include noise events" if you want to include these in the event log. A noise event is a log entry generated from the input (SharePoint) that contains only misleading information. This option is included in case it is essential to preserve a complete audit trail; by default this option is not selected.

Figure 3: Output properties window

For some output formats, LOGbinder for SharePoint can preserve the original data extracted from SharePoint, along with details as to how the entry was translated by LOGbinder. Check the option Include XML data in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.

For the output format "LOGbinder SP Event Log," the entries are placed in a custom log named LOGbinder SP. When the log is created by LOGbinder, by default the maximum log size is set to 16MB, and it will overwrite events as needed. If changing these settings, balance the log size settings with the needs of your log management software as well as the setting for Include XML Data. In this way you will ensure that your audit trail is complete.

For file based outputs, such as Syslog (File), the output file is stored in the folder specified by the Alternate Output Data Folder option under File\Options. (See section below on Configure Options.)

Configure Service

To start, stop, and restart the LOGbinder for SharePoint (LOGbinder SP) service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar. Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service.

Before starting the service, LOGbinder will confirm that (a) at least one site collection has been selected for monitoring and (b) at least one output (i.e. LOGbinder SP Event Log, Windows Security Log) has been selected.

Figure 4: Message indicating outputs not configured

While attempting to start the LOGbinder for SharePoint (LOGbinder SP) service, a problem may be encountered, perhaps that the service account does not have sufficient authority. The details of the problem are written to the Application Event Log. These events can also be viewed inside of the LOGbinder control panel, by selecting the LOGbinder Diagnostic Events view. See the section Monitoring LOGbinder for SharePoint for more information on how to handle issues that may arise when starting the LOGbinder for SharePoint (LOGbinder SP) service.

Configure Options

Use buttons on the panel, or the menu File\Options, to change LOGbinder's options.

Figure 5: Options window

LOGbinder for SharePoint allows the control of how many lookups it should perform in order to obtain additional information while translating raw audit events to easy-to-understand audit entries. Examples of this could be resolving a user ID to user name or an object GUID to the actual name of the object. The available levels of lookups are as follows:

- Exclude none: All lookups will be done. This may result in slower processing for larger farms.
- Exclude highest-cost lookups: All lookups will be done except lookups that use the highest amount of resources. It can affect all events, where details for any main item, where it is an item in a list, will not be looked up. Details such as Title and Description will not have values.
- Exclude high-cost lookups: Do not do lookups that use a high amount of resources. (Recommended setting for large farms.) It can affect all events, where details for any main item will not be looked up. Details such as Title and Description will not have values.
- Exclude high/medium-cost lookups: Do not do lookups that use high or medium amount of resources. It will affect events 16, 29, 31, 32, where details of related items will not be looked up. The event will be included in the audit trail, but much of the detail will be missing for these events.
- Restrict all: Do not do any lookups. IDs will be resolved that do not require querying SharePoint. (Not recommended.) It will affect all events, where user, group, and role IDs are not resolved.

The levels are inclusive, that is, if you choose high, it includes highest. If you choose medium it includes highest, and high. Please note that when lowering the lookup level, some details in certain events will be omitted. Therefore, we recommend that depending on the acceptable performance, the highest possible level is selected.

Recommendations:

- If site collections are not being processed in a timely manner, choosing highest or high is a good option. The details that are excluded do not significantly affect the integrity of the audit trail.
- If site collections are still not being processed in a timely way, and there are a significant number of the events that are listed above, then dropping to medium is suggested.
- For very large sites, and where close to real-time processing is needed, choose restrict all. The events will appear closer to the raw format they appear in SharePoint.

If the box Purge entries from SharePoint after processing is checked, then audit entries will be purged automatically from SharePoint on a daily basis at 1:00 AM. A buffer is maintained, in that only entries older than 24 hours are purged. (For example, when entries are purged on 11/16/2009 1:00 AM, it purges entries older than 11/15/2009 1:00 AM.) If this option is checked, then SharePoint's audit log trimming feature will be disabled automatically.

The Service Account lists the user account that runs the LOGbinder for SharePoint (LOGbinder SP) service. This is the account you specified when installing LOGbinder for SharePoint. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).

If the box Do not write informational messages to the Application log is checked, then event 551 LOGbinder agent successful (see Appendix C: Diagnostic Events) will not be written to the Application log.

The Logging options can be utilized for diagnostic purposes if experiencing problems with LOGbinder. By default, the Logging Level is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1 generates a standard level of logging detail. Level 2 will generate more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support; otherwise performance will be adversely affected. Both Level 1 and Level 2 logging options will generate log files named Control Panel.log, Service.log, Service Controller.log and Service Processor.log in the Log location folder.

Alternate Output Data Folder specifies the data folder used for the output data. This is the folder where LOGbinder stores output that is written to files, such as the Syslog-Generic (File), as well as the above mentioned diagnostic files. The folder path can be set using drive letter or UNC, if it is a network location. The default folder is {Common Application Data}\LOGbinder SP (i.e. C:\ProgramData\LOGbinder SP). Please note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder as specified above in section Step 2 Check User Accounts and Authority.

Status Bar

The status bar will show information about the operation of LOGbinder.

- Displays the status of the service. The image shown indicates the service is stopped. The service may also be running, or in an 'unknown' state.
- Shows the status of the license for LOGbinder. If LOGbinder is not fully licensed, a message will appear in the status bar.
- Indicates that settings have been changed. In order to apply the changes, the LOGbinder for SharePoint (LOGbinder SP) service must be restarted. If the LOGbinder for SharePoint (LOGbinder SP) service is running and the LOGbinder for SharePoint control panel is closed, the changes will be discarded.

License

Use the menu File\License to view information about your license for LOGbinder.

Figure 6: License window

If you have purchased LOGbinder for SharePoint and need to obtain a license, follow these steps:

- For Unit/Server Count, enter the number of SharePoint servers in the farm that need to be licensed. (The minimum number of servers requiring licensing will be filled out automatically by LOGbinder. See box below for further details.)
- Press the Copy button, and paste the contents into an email addressed to licensing@logbinder.com
- When the license key is received, copy it to the clipboard and press the Paste button.
- If you are properly licensed, the license window will redisplay and show that you are properly licensed. If there is a problem, respond immediately to licensing@logbinder.com.

Figure 7: SharePoint Farm Properties window

When purchasing LOGbinder for SharePoint, confirm that you obtain a license sufficient for the SharePoint farm. The window SharePoint Farm Properties lists the information you need. You can find a link to this window in Options, or in any of the Input windows. Particularly, you will need (a) the edition of SharePoint on your server farm, and (b) the number of servers requiring a LOGbinder license.

The license key you receive is valid for any server in your SharePoint farm. Thus, if you need to install LOGbinder for SharePoint on a different server in the same farm, you do not need to request a new license key.

Monitoring LOGbinder for SharePoint

When installing, configuring, and running LOGbinder for SharePoint, the software writes diagnostic events to the Windows Application Event Log. Most of these will be from the source "LOGbndSE" and the category "LOGbinder." You may use the Windows Event Viewer to examine these events. Also, the LOGbinder control panel includes a set of views that lists these events; choose LOGbinder Diagnostic Events, or drill down to one of the nested views.

Figure 8: LOGbinder Diagnostic Events view

During Installation and Configuration

During installation and configuration, you will find these entries:

- After installation, there may be an entry from the source MsiInstaller: "Product: LOGbinder SP -- Installation completed successfully."
- When the configuration of LOGbinder for SharePoint changes, you will see one or more entries entitled "LOGbinder settings changed." See Appendix C: Diagnostic Events: 553 LOGbinder settings changed for information about these events.
- When the service starts, there may be an entry from the source LOGbinder SP: "Service started successfully." (Entries are also written when the service is stopped.)

You can monitor these events to ensure that LOGbinder for SharePoint continues to be configured properly, and that unauthorized changes do not occur.

After configuring LOGbinder for SharePoint and starting the service, it automatically performs a check to ensure that LOGbinder's settings are valid and that the account running the Windows service has sufficient authority. If there is a problem, the LOGbinder for SharePoint (LOGbinder SP) service will not start and a message will be presented to the user. In most cases, the details of the problem are written to the Application log. Common problems include:

- Input/output not configured properly. See the previous section Configuring LOGbinder for SharePoint for more information.
- Insufficient authority. If the service account does not have adequate authority, then the service will not run. An entry is written to the Application log. See Appendix C: Diagnostic Events 556 LOGbinder insufficient authority for more details. Some of the common missing permissions include:
  - Account does not have authority to log on as a Windows service
  - Account does not have necessary permissions in SharePoint.
  - The account does not have authority to write to the Security event log. (If this output destination has not been selected, then it is not necessary to grant this permission.)
- License invalid. If the license is not valid or has expired, then the LOGbinder for SharePoint (LOGbinder SP) service will not run. An entry may be written to the Application log. See Appendix C: Diagnostic Events: 557 License for LOGbinder invalid for details.
- Other errors will be found in entries entitled "LOGbinder error." See Appendix C: Diagnostic Events: 555 LOGbinder error for more information.

If any of these errors are encountered, the LOGbinder for SharePoint (LOGbinder SP) service will not run.

While LOGbinder for SharePoint is Running

While LOGbinder for SharePoint is running, you will see information entries in the Application log as follows:

- Entries 'exported' from SharePoint. For each site collection being monitored, this message indicates the number of audit entries that LOGbinder for SharePoint has processed.
- Entries 'imported' into the Windows event log. This indicates that the audit entries have been placed in the enabled output formats. There will be one message even if multiple output formats have been selected (i.e. you have selected both Windows Security Log and Windows Event Log as output formats).

The 'export'/'import' entries are complementary: there should be a corresponding 'import' entry for each 'export.'

If the Default Audit Policy is used for newly created site collections, a number of 553 LOGbinder settings changed events (see Appendix C: Diagnostic Events) will be generated when configuring a new site collection.

These log entries are informational in nature. Generally no action is required. If more entries are being processed than what appear in the event logs or in your log management solution, it could be that the log size is too small and entries are being overwritten. See Appendix C: Diagnostic Events 551 LOGbinder agent successful for more information on these events.

There may also be some warning event entries:

- Could not find information. When LOGbinder for SharePoint translates audit entries in SharePoint and cannot find information, this event will be generated. See Appendix C: Diagnostic Events 552 LOGbinder warning for more information. (Note: When LOGbinder for SharePoint is first installed, or if a site collection is being monitored for the first time, there is a greater likelihood of these messages. Once LOGbinder for SharePoint translates the backlog of SharePoint audit entries, the number of these warnings should decrease.)
- LOGbinder agent produced unexpected results. When LOGbinder for SharePoint cannot translate an event properly, in addition to outputting the event to the selected output streams, it also creates an entry in the Application log. See Appendix C: Diagnostic Events 554 LOGbinder agent produced unexpected results for further details.

If LOGbinder for SharePoint has an error, an entry will be created in the Application log. If permissions are removed, or if the license expires, you may receive a "556 LOGbinder insufficient authority" or "557 License for LOGbinder invalid" error, which are explained above. Other errors will be entitled "555 LOGbinder error." If you cannot resolve the problem, please submit the issue to the LOGbinder support team.
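
The monitoring described in this section can be scripted. The following PowerShell is an added example, not part of the original guide or of LOGbinder itself: it reads the Application log for the diagnostic event IDs listed in Appendix C from the source "LOGbndSE" and separates the conditions that stop the service from settings changes and warnings. The grouping of event 558 as a warning and the -ExpectHeartbeat switch are assumptions of this example.

```powershell
# Added example, not vendor code: triage LOGbinder diagnostic events.
# Requires PowerShell 3.0 or later.
param(
    [int]$Hours = 24,
    [switch]$ExpectHeartbeat   # set unless event 551 is suppressed in Options
)

# IDs and titles from Appendix C. Grouping follows the Monitoring section:
# 555-557 mean the service will not run, 552 and 554 are warnings, and 553
# records a settings change. 558 is grouped by its title only (assumption).
$catalog = @{
    550 = @('Info',    'LOGbinder process report')
    551 = @('Info',    'LOGbinder agent successful')
    552 = @('Warning', 'LOGbinder warning')
    553 = @('Change',  'LOGbinder settings changed')
    554 = @('Warning', 'LOGbinder agent produced unexpected results')
    555 = @('Stop',    'LOGbinder error')
    556 = @('Stop',    'LOGbinder insufficient authority')
    557 = @('Stop',    'License for LOGbinder invalid')
    558 = @('Warning', 'LOGbinder processing warning')
}

function Get-LogbinderDiagnostics {
    param([int]$Hours, [hashtable]$Catalog)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'LOGbndSE'                  # source named in this guide
        Id           = [int[]]@($Catalog.Keys)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # Raised when nothing matches or the source is not registered here.
        Write-Warning $_.Exception.Message
        $events = @()
    }
    foreach ($e in $events) {
        $meta = $Catalog[[int]$e.Id]
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Class   = $meta[0]
            Title   = $meta[1]
            Summary = ($e.Message -split "`r?`n")[0]   # first line of the message
        }
    }
}

$found = @(Get-LogbinderDiagnostics -Hours $Hours -Catalog $catalog)

# 1. Errors after which the LOGbinder SP service does not run.
$found | Where-Object { $_.Class -eq 'Stop' } | Sort-Object Time |
    Format-Table Time, Id, Title, Summary -Wrap

# 2. Settings changes to review against planned work. A burst of 553 events is
#    expected when the default audit policy is applied to a new site collection.
$found | Where-Object { $_.Id -eq 553 } | Sort-Object Time |
    Format-Table Time, Summary -Wrap

# 3. Warning volume per event ID; it should fall once the backlog is translated.
$found | Where-Object { $_.Class -eq 'Warning' } | Group-Object Id, Title |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. No 551 in the window suggests that processing has stopped.
if ($ExpectHeartbeat -and -not ($found | Where-Object { $_.Id -eq 551 })) {
    Write-Warning "No event 551 (LOGbinder agent successful) in the last $Hours hours."
}
```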

Reports

If you do not yet have a SIEM solution, you may use Reports to view the results from LOGbinder for SharePoint. The reports are based on the recommended designs that you can download from https://www.logbinder.com.

Figure 9: LOGbinder window showing Reports folder

Appendix A: Assigning Permissions

SharePoint Farm Administrator

Open SharePoint Central Administration, and select the Security tab
Select Manage the farm administrators group under Users
Add user or ensure that user is a member of a group in the list of administrators

Site Collection Administrator

For WSS 3.0, see http://technet.microsoft.com/en-us/library/cc288148.aspx
For SharePoint 2007, see http://technet.microsoft.com/en-us/library/cc262265.aspx
For SharePoint 2010 and 2013, see http://technet.microsoft.com/en-us/library/ff631156.aspx

WSS_ADMIN_WPG group

On SharePoint 2013, the service account has to be a member of the WSS_ADMIN_WPG Windows security group.

Open the Computer Management administrative tool.
Under System Tools, expand Local Users and Groups, and select Groups.
In the properties of WSS_ADMIN_WPG, add the service account.

Local Security Policy Changes

The following chart summarizes the changes to be made in the Local Security Policy. More detailed explanations are found after the chart.

Local Security Policy (secpol.msc) settings summary

| Location under Security Settings | Setting | Windows Server 2003 | Windows Server 2008/2012 |
|---|---|---|---|
| Local Policies\User Rights Assignment | Log on as a service | add service account | add service account |
| Local Policies\User Rights Assignment | Generate security audits | add service account | add service account |
| Local Policies\Audit Policy | Audit object access | set Success | N/A |
| Local Policies\Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | N/A | set Enabled |
| Advanced Audit Policy Configuration\Object Access | Audit Application Generated | N/A | set Success |

This always needs to be set
These need to be set if outputting to Windows Security log

Log On as a Service

Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
Select Security Settings\Local Policies\User Rights Assignment
Open "Log on as a service" and add user

NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Generate Security Audits (SeAuditPrivilege)

Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
Select Security Settings\Local Policies\User Rights Assignment
Open "Generate security audits" and add user

NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Audit Policy

Windows Server 2003

Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
Select Security Settings\Local Policies\Audit Policy
Edit "Audit object access," ensuring that "Success" is enabled. (LOGbinder for SharePoint does not require that the "Failure" option be enabled.)

NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Windows Server 2008/2012

Audit policy can be configured with the original top level categories as described above for Windows 2003 but most environments have migrated to the new more granular audit sub-categories available in Windows 2008 aka (Advanced Audit Policy). Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)

You must ensure that basic and advanced audit policy settings are not used at the same time. Microsoft gives this warning:

"Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored." (http://technet.microsoft.com/en-us/library/dd692792(ws.10).aspx)

Select Security Settings\Local Policies\Security Options
Open and enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

To enable LOGbinder for SharePoint events to be sent to the security log:

Select Security Settings\Advanced Audit Policy Configuration\Object Access
Edit Audit Application Generated, ensuring that Success is enabled. (LOGbinder for SharePoint does not require that the Failure option be enabled.)

NOTE: You can also configure this via a group policy object in Active Directory.
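The Appendix A policy settings can be read back from an elevated PowerShell prompt before the service is started. The script below is an added example, not part of the LOGbinder documentation; the account name CONTOSO\svc-logbinder is a placeholder, and the script assumes an English-language Windows Server 2008/2012 where auditpol reports subcategories.

```powershell
# Added example: read-only check of the Local Security Policy settings from Appendix A.
# Run elevated on the server where the LOGbinder service runs.
$ServiceAccount = 'CONTOSO\svc-logbinder'   # placeholder (assumption): use your service account

# secedit lists the holders of a user right mostly as *SID, so resolve the account to its SID.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the User Rights Assignment area of the local policy to a temporary file.
$cfg = Join-Path $env:TEMP 'logbinder-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content -Path $cfg
Remove-Item -Path $cfg

function Test-UserRight {
    param([string]$Privilege)
    # Lines look like: SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    $line = $rights | Where-Object { $_ -match "^$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return $false }
    $holders = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    return ($holders -contains $sid) -or ($holders -contains $ServiceAccount)
}

# "Audit: Force audit policy subcategory settings ..." is stored as this LSA registry value.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
$forceSubcategories = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

# auditpol /r prints CSV; 'Inclusion Setting' is Success, Failure, both, or No Auditing.
$appGen = auditpol /get /subcategory:"Application Generated" /r |
    Where-Object { $_ } | ConvertFrom-Csv
$successAudited = [bool]($appGen.'Inclusion Setting' -match 'Success')

[pscustomobject]@{
    Account                     = "$ServiceAccount ($sid)"
    LogOnAsAService             = Test-UserRight 'SeServiceLogonRight'
    GenerateSecurityAudits      = Test-UserRight 'SeAuditPrivilege'
    ForceSubcategorySettings    = $forceSubcategories
    ApplicationGeneratedSuccess = $successAudited
} | Format-List
```

A False for either user right only means the account is not listed directly; the right may still be granted through a group the account belongs to, so check group membership before changing policy.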

Appendix B: LOGbinder Event List

LOGbinder for SharePoint Events
http://www.logbinder.com/products/logbindersp/eventsgenerated

Diagnostic Events
550 LOGbinder process report
551 LOGbinder agent successful
552 LOGbinder warning
553 LOGbinder settings changed
554 LOGbinder agent produced unexpected results
555 LOGbinder error
556 LOGbinder insufficient authority
557 License for LOGbinder invalid

Appendix C: Diagnostic Events

550 LOGbinder process report

Each time all the site collections have been processed, LOGbinder for SharePoint will write this event to the Application event log. It lists the number of site collections processed, the start and end time, and the time elapsed.

Example

    LOGbinder process report
    The LOGbinder agent has completed a round of processing.
    Agent: LOGbinder SP
    Processed: 24 SharePoint Site Collections
    Start time: 8/13/2013 4:02:03 PM
    End time: 8/13/2013 4:05:07 PM
    Duration (minutes): 3

551 LOGbinder agent successful

Occurs when LOGbinder for SharePoint successfully translates log entries. These events usually appear in pairs: one indicates that log entries have been 'exported' from their source (for example, SharePoint), and the other that entries have been 'imported' to their destination (for example, the Windows event log). This event is informational in nature. This event is written to the Windows Application log.

Example A

    LOGbinder SP exported 3 entries from SharePoint site http://mysite

Example B

    LOGbinder SP imported 3 entries to Security event log

Example C

    LOGbinder SP imported 3 entries to LOGbinder SP event log

552 LOGbinder warning

Occurs when LOGbinder for SharePoint does not find information as expected. In most cases, it does not indicate a serious problem, but is provided so as to complete the audit trail. This event is written to the Windows Application log.

For example, as LOGbinder for SharePoint translates entries, it performs various lookups to provide complete information. If the related item was deleted, a "LOGbinder warning" is generated.

Example A

    LOGbinder warning
    Lookup failed. Could not find Scope Item with ID of 89de71fe-1442-48ff-9a6e-052bddda3440.

Example B

    LOGbinder warning
    Lookup failed. Could not find User with ID of 19.

553 LOGbinder settings changed

Occurs when the LOGbinder settings are changed. This event is written to the Windows Application log.

For LOGbinder for SharePoint, this includes which SharePoint site collections are monitored, which audit event types are handled, and the date and time LOGbinder last translated log entries. In addition, the settings for output formats are included.

Example A

    LOGbinder settings changed
    Output to Security log enabled. Noise events included.

Example B

    LOGbinder settings changed
    Site collection http://spsite/administrator now being monitored. Settings: Check Out, Check In, Delete, Update, Profile Change, Child Delete, Schema Change, Security Change, Undelete, Workflow, Copy, Move, Search.

Example C

    LOGbinder settings changed
    Purge of entries from SharePoint Site Collections has been enabled.

554 LOGbinder agent produced unexpected results

Occurs when LOGbinder for SharePoint encounters something unexpected when translating a log entry. At times it may be from a custom log entry. Microsoft has not documented all the audit log entries SharePoint produces. In addition, SharePoint allows developers to write their own custom log entries. This event is written to the Windows Application log.

You can help us improve LOGbinder by reporting these events to the LOGbinder support team so that the LOGbinder product may be improved. Private data will not be shared.

Example A

In this example, the developer created an audit entry with the type "MakeItSo."

    LOGbinder agent produced unexpected results
    As the LOGbinder agent translated this entry, it encountered data is could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team
    <LogEntry sitename="http://shpnt" itemtype="site" username="robert Solomon" locationtype="url" occurred="2009-06-26t14:13:02" eventtype="makeitso">
      <RawData siteid="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemid="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemtype="site" userid="1" locationtype="url" occurred="633816223820000000" event="custom" eventname="makeitso" eventsource="objectmodel">
        <EventData><Version><Major>1</Major><Minor>2</Minor></Version></EventData>
      </RawData>
      <Details />
    </LogEntry>

Example B

In this example, the developer used an existing event type, "Workflow," but included non-standard event data.

    LOGbinder agent produced unexpected results
    As the LOGbinder agent translated this entry, it encountered data is could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.
    <LogEntry sitename="http://shpnt" itemtype="list Item" username="robert Solomon" locationtype="url" occurred="2009-06-29t21:49:11" eventtype="workflow">
      <RawData siteid="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemid="c04f5388-bf24-4007-b463-1dd1b3c19a02" itemtype="listitem" userid="1" documentlocation="cache Profiles/1_.000" locationtype="url" occurred="633819089510000000" event="workflow" eventsource="objectmodel">
        <EventData>http://shpnt/doclib/copiedfile.ext</EventData>
      </RawData>
      <Details />
    </LogEntry>

555 LOGbinder error

Occurs when LOGbinder encounters a problem that needs attention. This event is written to the Windows Application log. In most cases this gives enough information for you to address the problem successfully. Otherwise, please contact LOGbinder support for assistance.

Example A

In this example, the error indicates that LOGbinder for SharePoint has not been configured properly, in that no SharePoint site collections were set to be monitored by LOGbinder.

    LOGbinder error
    Cannot start LOGbinder SP service, SharePoint Site Collections not configured.

Example B

In this example, a program assembly used by SharePoint SP does not exist, indicating that the LOGbinder software is no longer installed properly.

    LOGbinder error
    Exporter assembly does not exist: C:\Program Files\LOGbndSP\MTG.LOGbinder.Sharepoint.dll

556 LOGbinder insufficient authority

Occurs when the LOGbinder for SharePoint service cannot run because of invalid or inadequate permissions. The event will include the module lacking the permission, the name or description of the permission, as well as relevant details. Each example below also includes the action needed in order to correct it.

Example A: No permission to write to security log

    LOGbinder insufficient authority
    The LOGbinder agent cannot operate normally because it lacks sufficient authority.
    Source: Security Log
    Privilege: SeAuditPrivilege
    Details: The LOGbinder agent does not have the necessary rights to configure the security log

Action: The service account needs the "Generate security audits" privilege (https://www.ultimatewindowssecurity.com/wiki/windowssecuritysettings/generate-security-audits), or do not enable LOGbinder to output to the Windows Security log.

Example B: Attempt to write to security log from invalid location

One measure to protect the security log is to write security events only from authorized locations. When LOGbinder is configured, it registers its program location with the security log. If this error occurs, then LOGbinder had been reinstalled to a different location, and the previous location was not removed properly.

    LOGbinder insufficient authority
    The LOGbinder agent cannot operate normally because it lacks sufficient authority.
    Source: Security Log
    Privilege: Invalid Location
    Details: Cannot write to because the program location does not match what has been previously configured

Action: Recommended to delete the registry key manually. First ensure that LOGbinder is not open. Then delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LOGbndSC. Be careful not to delete other parts of the registry, as it can cause the server to be unstable. When you reopen LOGbinder, it will reconfigure its ability to write to the security log.

Example C: Internal error

    LOGbinder insufficient authority
    The LOGbinder agent cannot operate normally because it lacks sufficient authority.
    Source: Security Log
    Privilege: Internal Error
    Details: The security account database contains an internal inconsistency

Action: One factor that can cause an internal error is if the LOGbinder program path is too long. By default, LOGbinder is installed to C:\Program Files\LOGbndSP. It is recommended that the default be used. If the software has been installed to a different location with a longer program path, to correct this error it will be necessary to reinstall LOGbinder.

Example D: Log on as service

    LOGbinder insufficient authority
    The LOGbinder agent cannot operate normally because it lacks sufficient authority.
    Source: LOGbinder service
    Privilege: Log on as service
    Details: Account running LOGbinder agent does not have user right "Logon as a service"

Action: The service account needs to be assigned the "Logon as a service" user right. (https://www.ultimatewindowssecurity.com/wiki/windowssecuritysettings/log-on-as-a-service)

Example E: Cannot start LOGbinder control panel

    LOGbinder insufficient authority
    The LOGbinder agent cannot operate normally because it lacks sufficient authority.
    Source: LOGbinder Manager
    Privilege: File Permissions
    Details: Account running LOGbinder Control Panel needs to be a member of the local Administrators group

Action: Ensure that the user account used to run the LOGbinder for SharePoint control panel has local administrator access.

557 License for LOGbinder invalid

Occurs when the license for LOGbinder is not valid and an attempt is made to start the service. This event is written to the Application log.

If the license is not valid, the LOGbinder for SharePoint control panel continues to operate as normal. However, the LOGbinder service will not start if the license is invalid. Follow the instructions in the control panel, in the menu File\License, in order to obtain a license to the software.

Example

    License for LOGbinder invalid
    The license for LOGbinder has expired or is invalid.
    Details: Trial period has expired.

558 LOGbinder processing warning

This warning message will be written to the Application log if any site collections have been behind in their processing for more than 24 consecutive hours.

Appendix D: Configuring auditing on a SharePoint list or document library

When configuring the inputs for LOGbinder, LOGbinder will adjust the audit settings for the SharePoint site collection. At times, though, it is necessary to have more granular control on the settings. For example, a SharePoint document library may have confidential information, and it is desired to audit who is viewing these documents. Auditing view access for the entire site collection would result in a flood of audit entries that are not needed. The solution is to adjust the auditing of SharePoint lists and document libraries. To do this:

In the LOGbinder control panel, set the audit policy you want enabled across the entire site collection.
To change the audit policy for a certain document library or list, go to its settings page and click the link Information management policy settings under Permissions and Management.
Select a content type (if applicable), and go to the Auditing section and configure the audit policy.
Save your changes, and SharePoint will begin auditing that list/library according to the settings you specify.

LOGbinder for SharePoint will include these audit events when it processes the site collection.

NOTE: For servers running WSS 3.0 or SharePoint Foundation, SharePoint does not provide user interface to allow you to configure auditing at the list/library level. For more information, visit https://www.logbinder.com.