SharePoint Auditing - Bridging the Gap with LOGbinder for SharePoint
I created LOGbinder for SharePoint to make the native SharePoint auditing capability practical for
compliance, security monitoring and SIEM integration. If you are new to it, read more on
SharePoint Audit Logging.
To use the native SharePoint audit log for compliance and enterprise security, 5
issues needed to be addressed:
- SharePoint's audit log does not provide the
names of users or objects. The SharePoint audit log fails to translate
record IDs, meaning you have no idea which object or user a given event
refers to!
See
an example of an audit event
from SharePoint before being processed by LOGbinder for SharePoint.
- SharePoint's audit log is buried in SharePoint's
SQL server content database. To ensure the integrity of audit trails, logs must
be moved from the system where they are generated to a separate and secure archive.
However, in SharePoint, the audit log isn't really a log - it's a table in
the SharePoint database. This makes it inaccessible for most log management
solutions. Without the ability to collect the SharePoint audit log into a
separate, secure log archive, its value as a high integrity audit trail is compromised.
- SharePoint's audit log has no reporting.
In Windows SharePoint Services the log is totally inaccessible, and in Office SharePoint
Services it's exposed through a few rudimentary, impractical reports in Excel.
- Windows SharePoint Services provides no interface
for enabling auditing at all. The audit log is there, but without custom
programming there's no way to turn it on, much less access the logs.
- SharePoint's built-in audit log trimming feature
can delete audit events before they are exported. Some editions of SharePoint
provide automatic log trimming of old events, but there is no way to ensure events
have been archived first.
These issues caused me, Randy Franklin Smith, to design
LOGbinder for SharePoint.
LOGbinder for SharePoint translates the cryptic data in raw SharePoint audit entries and outputs
the audit trail to the Windows security log where your SIEM/log management solution
can take over with archival, alerting and reporting.
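
To make the first, second and fifth issues concrete, here is an added PowerShell example (not LOGbinder's code, and not from the original page) that reads raw audit entries through the SharePoint object model, resolves each user ID to a login name, writes the result to a separate archive, and trims only after the archive has been verified. It writes CSV files rather than Windows security log events. It assumes PowerShell 2.0 or later on a SharePoint server and site collection administrator rights; `$SiteUrl`, `$ArchiveDir` and `$KeepDays` are hypothetical values.

```powershell
# Added example: export-then-trim for one site collection's audit log.
# $SiteUrl, $ArchiveDir and $KeepDays are hypothetical; adjust to your farm.
param(
    [string]$SiteUrl    = 'http://sharepoint.example.local',
    [string]$ArchiveDir = '\\logarchive.example.local\sharepoint-audit',
    [int]$KeepDays      = 7
)
$ErrorActionPreference = 'Stop'   # any failure aborts before the trim step
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $exportEnd = [DateTime]::UtcNow
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)  # no range: all entries
    $users = $site.RootWeb.SiteUsers
    $names = @{}                  # cache: numeric UserId -> login name

    $rows = @(foreach ($e in $site.Audit.GetEntries($query)) {
        if (-not $names.ContainsKey($e.UserId)) {
            # Accounts removed from the site collection no longer resolve;
            # keep the raw ID so the event is still archived.
            try   { $names[$e.UserId] = $users.GetByID($e.UserId).LoginName }
            catch { $names[$e.UserId] = "unresolved:$($e.UserId)" }
        }
        New-Object PSObject -Property @{
            Occurred    = $e.Occurred.ToString('o')
            Event       = $e.Event.ToString()      # SPAuditEventType name
            User        = $names[$e.UserId]
            ItemType    = $e.ItemType.ToString()
            ItemId      = $e.ItemId
            DocLocation = $e.DocLocation           # site-relative URL of the object
            MachineIP   = $e.MachineIP
        }
    })
    if ($rows.Count -eq 0) { return }              # nothing to archive or trim

    $file = Join-Path $ArchiveDir ('audit-{0:yyyyMMddTHHmmssZ}.csv' -f $exportEnd)
    $rows | Export-Csv -Path $file -NoTypeInformation

    # Re-read the archive and compare counts before anything is deleted.
    if (@(Import-Csv -Path $file).Count -ne $rows.Count) {
        throw "Archive $file is incomplete; audit log left untrimmed."
    }
    # Every entry older than the cutoff is in the file just verified.
    $deleted = $site.Audit.DeleteEntries($exportEnd.AddDays(-$KeepDays))
    "Archived $($rows.Count) entries to $file; trimmed $deleted"
}
finally { $site.Dispose() }
```

Each run re-exports the entries still inside the `$KeepDays` window, so consecutive archive files overlap. For this ordering to hold, SharePoint's own automatic trimming should be left off.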