Configuring LOGbinder for SharePoint
Open the "LOGbinder for SharePoint" link in the Windows start menu,
which appears by default in the “LOGbinder” folder.
To use LOGbinder for SharePoint, adjust the settings in the three
views: Input, Output, and Service. Settings can be changed while the service is
running, but changes will be applied only when the service is restarted. If the
LOGbinder for SharePoint control panel is closed before restarting the service,
the changes will be discarded. On the other hand, if the service is already
stopped, the changes are saved automatically.
Configure Input
LOGbinder for SharePoint examines the local SharePoint server farm;
the site collections that exist on the farm are shown in the view. Only the
sites with a check mark in the Monitored column will be processed by LOGbinder.
What do I do if the site collection list is empty?
If the site collection list is empty (that is, apart from the <Default Audit Policy> entry), you
are not properly connected to a SharePoint farm. It may be that (1) LOGbinder
for SharePoint is not installed on a valid SharePoint server, (2) your account
is not a SharePoint Farm Administrator, or (3) your account needs to run with
elevated privileges (i.e. run as administrator) in order to access the farm.
The first item listed is <Default Audit Policy>. LOGbinder for SharePoint allows you to set a default
audit policy, which can then be applied to site collections you specify. If you
later change the default audit policy, the site collections to which you have
applied it will automatically have their policy changed.
To adjust the default audit policy, select that item in the list,
and use the menu Action\Properties (or double-click on it). Select one or more
event types to be monitored. If you wish to apply the default policy to newly
created site collections, check the box “Apply default audit policy to new site
collections.”

Figure 1: A typical Input list
To adjust the properties of a site collection, use the menu
Action\Properties or double-click on it. To adjust the audit policy of multiple
site collections at once, select them using Shift+Click, CTRL-A, or mouse scrolling.
For site collections you wish to
monitor, you have three ways to specify the audit policy:
- “Allow Site Collection Administrator to
configure audit policy using SharePoint’s administration page”: This allows
you to set the audit policy in SharePoint. To see what the current audit policy
is for the site collection, click the “View” link, and a list of the current
policy will be shown. (See Appendix D: Configuring auditing on a SharePoint
list or document library)
- “Use LOGbinder’s default audit policy”: To view the default audit policy, you
may click the “View” link. If this option is disabled, it means that you have
not yet set the default audit policy.
- “Custom audit policy”: If this option is selected, then select one or more event
types to be audited in the box. At least one audit type must be selected in order for the site collection to be processed by LOGbinder.

Figure 2: Input properties window
The "Last Processed"
box shows the date and time audit events were last retrieved from SharePoint. After
installing LOGbinder the first time, it starts processing audit logs from the
time of the installation onward.[1]
If some of the backlog events are also to be processed, the start date can be
set here. It is recommended that once LOGbinder is in operation, this date not
be changed manually, as it could result in skipping some audit events in SharePoint,
or double-handling, resulting in events appearing twice in the event log. If
the date needs to be adjusted, check the box next to the date, and then the
date can be adjusted.
This window also has a link to SharePoint Farm Properties, which
displays basic information about the SharePoint farm.
Configure Output
LOGbinder supports multiple output formats. LOGbinder for SharePoint
allows output to go to:
- LOGbinder SP Event Log: a custom event log under Applications
and Services Logs.
- Security Log: the Windows Security log. (Please remember to set the additional
privileges as described in section Step 2 – Check User Accounts and Authority
when using this feature.)
- Syslog-CEF: a Syslog server using ArcSight’s Common Event Format.
- Syslog-LEEF: a Syslog server using IBM Security QRadar’s Log Event Extended Format.
- Syslog-Generic: a Syslog server using the generic Syslog format.
- Syslog-CEF (File): a Syslog file using ArcSight’s Common Event Format.
- Syslog-LEEF (File): a Syslog file using IBM Security QRadar’s Log Event Extended Format.
- Syslog-Generic (File): a Syslog file using the generic Syslog format.
At least one of these must be enabled in order for the LOGbinder service to start.
To enable an output and adjust the settings, select it and use the
menu Action\Properties, or double-click on the item. To enable it, check the
box "Send output to [name of output format]."
Select "Include noise events" if you want to include these in the event log. A “noise event”
is a log entry generated from the input (SharePoint) that contains only misleading information. This option is included in case it is essential to
preserve a complete audit trail; by default this option is not selected.

Figure 3: Output properties window
For some output formats, LOGbinder for SharePoint can preserve the
original data extracted from SharePoint, along with details as to how the entry
was translated by LOGbinder. Check the option “Include XML data” in order to include these details in the event
log. Including this data will make the size of the log grow more quickly. If
the option does not appear, then it is not supported for that output format.
For the output format "LOGbinder
SP Event Log," the entries are placed in a custom log named “LOGbinder SP.” When the log is created
by LOGbinder, by default the maximum log size is set to 16MB, and it will
overwrite events as needed. If changing these settings, balance the log size
settings with the needs of your log management software as well as the setting
for “Include XML Data.” In this way you will ensure that your audit trail is
complete.
For file-based outputs, such as Syslog (File), the output file is stored, by default, in the "C:\ProgramData\LOGbinder SP" folder, or in the folder specified by the “Alternate Output Data Folder” option
under File\Options. (See the section below on Configure Options.)
Configure Service
To start, stop, and restart the LOGbinder for SharePoint (LOGbinder
SP) service, use the buttons on this panel. You may also use the items in the
Action menu, or the toolbar.

Figure 4: Message indicating outputs not configured
Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder will confirm that (a) at least one site collection has been selected for monitoring and (b) at least one output (e.g. LOGbinder SP Event Log, Windows Security Log) has been selected.
While attempting to start the LOGbinder for SharePoint (LOGbinder
SP) service, a problem may be encountered—perhaps that the service account does
not have sufficient authority. The details of the problem are written to the
Application Event Log. These events can also be viewed inside of the LOGbinder
control panel, by selecting the “LOGbinder Diagnostic Events” view.
See the section “Monitoring LOGbinder for SharePoint”
for more information on how to handle issues that may arise when starting the LOGbinder
for SharePoint (LOGbinder SP) service.
Configure Options
Use buttons on the panel, or the menu File\Options, to change
LOGbinder's options.
LOGbinder for SharePoint lets you control how many lookups it
performs to obtain additional information while translating raw
audit events into easy-to-understand audit entries. Examples include
resolving a user ID to a user name or an object GUID to the actual name of the
object. The available levels of lookups are as follows:
- Exclude none: All lookups will be done. This may result in slower processing for
larger farms.
- Exclude highest-cost lookups: All lookups will be done except lookups that use
the highest amount of resources. This can affect all events: details for
any main item that is an item in a list will not be looked up. Details
such as ‘Title’ and ‘Description’ will not have values.
- Exclude high-cost lookups: Do not do lookups that use a high amount of resources.
(Recommended setting for large farms.) This can affect all events: details
for any main item will not be looked up. Details such as ‘Title’ and ‘Description’
will not have values.
- Exclude high/medium-cost lookups: Do not do lookups that use a high or medium amount of resources. This
will affect events 16, 29, 31, 32: details of related items will not be
looked up. The event will be included in the audit trail, but much of the
detail will be missing for these events.
- Restrict all: Do not do any lookups. Only IDs that do not require querying SharePoint will be resolved. (Not
recommended.) This will affect all events: user, group, and role IDs are
not resolved.

Figure 5: Options windows
The levels are inclusive, that is, if you choose ‘high’, it includes
‘highest’. If you choose ‘medium’ it includes ‘highest’, and ‘high’.
Please note that when lowering the lookup level, some details in
certain events will be omitted. Therefore, we recommend selecting the highest
possible level that still gives acceptable performance. Recommendations:
- If site collections are not being processed in a
timely manner, choosing ‘highest’ or ‘high’ is a good option. The details that are
excluded do not significantly affect the integrity of the audit trail.
- If site collections are still not being
processed in a timely way, and there are a significant number of the events
that are listed above, then dropping to ‘medium’ is suggested.
- For very large sites, and where close to
real-time processing is needed, choose ‘restrict all’. The events will appear
closer to the “raw” format they appear in SharePoint.
If the box “Purge entries from
SharePoint after processing” is checked, then audit entries will be purged
automatically from SharePoint on a daily basis at 1:00 AM. A buffer is
maintained, in that only entries older than 24 hours are purged. (For example,
when entries are purged on 11/16/2009 1:00 AM, it purges entries older than
11/15/2009 1:00 AM.) If this option is checked, then SharePoint’s audit log
trimming feature will be disabled automatically.
If the box "Trim claims encoding from user name" is checked, LOGbinder will trim the claims encoding characters from the username before sending the log data to the output. For example, instead of "i:0#.w|test\jsmith", it will display "test\jsmith".
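When this option is switched on after events have already been collected, a SIEM holds the same account in both encoded and trimmed form. The following added example (not LOGbinder code) normalizes both to one correlation key; it assumes the standard SharePoint claims prefix layout, and the provider names `ldapmember` and `adfs` and all sample values are constructed.

```python
import re
from collections import defaultdict

# Issuer character (last character before the first '|') in SharePoint claims encoding.
ISSUERS = {"w": "windows", "f": "forms", "t": "trusted-provider", "s": "local-sts",
           "m": "membership", "r": "role-provider", "c": "claim-provider"}

# Layout: <i|c> ":0" <claim type> <value type> <issuer> "|" <rest>
CLAIM_RE = re.compile(
    r"^(?P<kind>[ic]):0(?P<ctype>.)(?P<vtype>.)(?P<issuer>[a-z])\|(?P<rest>.+)$")


def parse_claim(name):
    """Split a claims-encoded name into its parts; None if the name is not encoded."""
    m = CLAIM_RE.match(name.strip())
    if m is None:
        return None
    issuer, rest = m.group("issuer"), m.group("rest")
    provider, value = None, rest
    # Non-Windows issuers put the provider name before the value: prefix|provider|value
    if issuer not in ("w", "s") and "|" in rest:
        provider, value = rest.split("|", 1)
    return {"is_identity": m.group("kind") == "i",
            "issuer": ISSUERS.get(issuer, "unknown"),
            "provider": provider, "value": value}


def normalize_user(name):
    """Correlation key that is the same whether or not the output was trimmed."""
    parsed = parse_claim(name)
    value = parsed["value"] if parsed else name.strip()
    return value.lower()  # assumption: account names are compared case-insensitively


def group_by_user(names):
    """Map each normalized key to the raw spellings seen for it."""
    seen = defaultdict(set)
    for raw in names:
        seen[normalize_user(raw)].add(raw)
    return dict(seen)


# Constructed sample values, as they might appear before and after enabling the option.
SAMPLES = [r"i:0#.w|test\jsmith", r"test\jsmith", r"TEST\JSmith",
           "i:0#.f|ldapmember|alice", "i:05.t|adfs|bob@example.com"]

if __name__ == "__main__":
    for key, raws in group_by_user(SAMPLES).items():
        print(key, sorted(raws))
```

Keeping the parsed issuer alongside the key lets a detection rule still distinguish a Windows account from a forms or trusted-provider account with the same name.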
The “Service Account” lists
the user account that runs the LOGbinder for SharePoint (LOGbinder SP) service.
This is the account you specified when installing LOGbinder for SharePoint. If
it is necessary to change the account, use the Services management tool (in
Windows Administrative Tools).
If the box “Do not write
informational messages to the Application log” is checked, then event “551 – LOGbinder agent
successful”
(see Appendix C: Diagnostic Events)
will not be written to the Application log.
The “Logging” options can
be utilized for diagnostic purposes if experiencing problems with LOGbinder. By
default, the “Logging Level” is set
to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1
generates a standard level of logging detail. Level 2 will generate more detailed logging. Level 2 should be selected only if
specifically requested by LOGbinder support; otherwise performance will be
adversely affected. Both Level 1
and Level 2 logging options will
generate log files named Control Panel.log,
Service.log, Service Controller.log and Service Processor.log in the Log location
folder.
“Alternate Output Data Folder”
specifies the data folder used for the output data. This is the folder where
LOGbinder stores output that is written to files, such as the Syslog-Generic (File), as well as the above
mentioned diagnostic files. The folder path can be set using a drive letter or,
if it is a network location, a UNC path. The default folder is {Common Application Data}\LOGbinder SP (i.e. C:\ProgramData\LOGbinder SP). Please
note that the Alternate Output Data Folder needs the same permissions as the
Common Application Data folder as specified above in section Step 2 – Check User Accounts and Authority.
"Memory Threshold" specifies how much memory LOGbinder can use before restarting the service. This can be useful due to memory leaks in the .NET Framework.
Status Bar
The status bar will show information about the operation of LOGbinder.
License
Use the menu File\License to view information about your license for
LOGbinder. If you have purchased LOGbinder for SharePoint and need to obtain a
license, follow these steps:
- For Unit/Server Count, in case you are planning expansion of your farm in the near future, you can enter more than the number of servers in the farm that need to be licensed. (The minimum number of servers requiring licensing
will be filled out automatically by LOGbinder. See box below for further
details.)
- Press the Copy button, and paste the contents
into a support ticket opened at https://support.logbinder.com.
- When the license key is received, copy it to the
clipboard and press the Paste button.

Figure 6: License window
If you are properly licensed, the license window will redisplay and
show that you are properly licensed. If there is a problem, respond to your license request ticket immediately at https://support.logbinder.com.
When purchasing LOGbinder
for SharePoint, confirm that you obtain a license sufficient for the
SharePoint farm. The window “SharePoint Farm Properties” lists the
information you need. You can find a link to this window in Options, or in
any of the Input windows.
Particularly, you will need (a) the edition of SharePoint on your server farm, and (b)
the number of servers requiring a LOGbinder license.

Figure 7: SharePoint Farm Properties window
The license key you receive is valid for any server in your
SharePoint farm. Thus, if you need to install LOGbinder for SharePoint on a
different server in the same farm, you do not need to request a new license
key.