LOGbinder Support

2. Configuring LOGbinder for SharePoint

Getting Started

Part 1: Installing LOGbinder For SharePoint
Part 3: Monitoring LOGbinder for SharePoint
Part 4: Appendix

Configuring LOGbinder for SharePoint

Open the "LOGbinder for SharePoint" link in the Windows start menu, which appears by default in the “LOGbinder” folder.

To use LOGbinder for SharePoint, adjust the settings in the three views: Input, Output, and Service. Settings can be changed while the service is running, but changes will be applied only when the service is restarted. If the LOGbinder for SharePoint control panel is closed before restarting the service, the changes will be discarded. On the other hand, if the service is already stopped, the changes are saved automatically.

Configure Input

LOGbinder for SharePoint examines the local SharePoint server farm; the site collections that exist on the farm are shown in the view. Only the sites with a check mark in the Monitored column will be processed by LOGbinder.

What do I do if the site collection list is empty?
If the site collection list is empty (that is, apart from the <Default Audit Policy> entry), you are not properly connected to a SharePoint farm. It may be that (1) LOGbinder for SharePoint is not installed on a valid SharePoint server, (2) your account is not a SharePoint Farm Administrator, or (3) your account needs to run with elevated privileges (i.e. run as administrator) in order to access the farm.

The first item listed is <Default Audit Policy>. LOGbinder for SharePoint allows you to set a default audit policy, which can then be applied to site collections you specify. If you later change the default audit policy, the site collections to which you have applied it will automatically have their policy changed.

To adjust the default audit policy, select that item in the list, and use the menu Action\Properties (or double-click on it). Select one or more event types to be monitored. If you wish to apply the default policy to newly created site collections, check the box “Apply default audit policy to new site collections.”

Figure 1: A typical Input list

To adjust the properties of a site collection, use the menu Action\Properties or double-click on it. To adjust the audit policy of multiple site collections at once, use the Shift+Click, CTRL-A, or mouse scrolling while selecting.

For site collections you wish to monitor, you have three ways to specify the audit policy:

  • Allow Site Collection Administrator to configure audit policy using SharePoint’s administration page”: This allows you to set the audit policy in SharePoint. To see what the current audit policy is for the site collection, click the “View” link, and a list of the current policy will be shown. (See Appendix D: Configuring auditing on a SharePoint list or document library)
  • Use LOGbinder’s default audit policy”: To view the default audit policy, you may click the “View” link. If this option is disabled, it means that you have not yet set the default audit policy.
  • “Custom audit policy”: If this option is selected, then select one or more event types to be audited in the box. At least one audit type must be selected in order for the site collection to be processed by LOGbinder.

Figure 2: Input properties window​

The "Last Processed" box shows the date and time audit events were last retrieved from SharePoint. After installing LOGbinder the first time, it starts processing audit logs from the time of the installation onward.[1] If some of the backlog events are also to be processed, the start date can be set here. It is recommended that once LOGbinder is in operation, this date not be changed manually, as it could result in skipping some audit events in SharePoint, or double-handling, resulting in events appearing twice in the event log. If the date needs to be adjusted, check the box next to the date, and then the date can be adjusted.

This window also has a link to SharePoint Farm Properties, which displays basic information about the SharePoint farm.

Configure Output

LOGbinder supports multiple output formats. LOGbinder for SharePoint allows output to go to

  • LOGbinder SP Event Log: a custom event log under Applications and Services Logs.
  • Security Log: the Windows Security log. (Please remember to set the additional privileges as described in section Step 2 – Check User Accounts and Authority when using this feature.)
  • Syslog-CEF: a Syslog server using ArcSight’s Common Event Format.
  • Syslog-LEEF: a Syslog server using IBM Security QRadar’s Log Event Extended Format.
  • Syslog-Generic: a Syslog server using the generic Syslog format.
  • Syslog-CEF (File): a Syslog file using ArcSight’s Common Event Format.
  • Syslog-LEEF (File): a Syslog file using IBM Security QRadar’s Log Event Extended Format.
  • Syslog-Generic (File): a Syslog file using the generic Syslog format.

At least one of these must be enabled in order for the LOGbinder service to start.

To enable an output and adjust the settings, select it and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."

Select the "Include noise events" if you want to include these in the event log. A “noise event” is a log entry generated from the input (SharePoint) that contains only misleading information. This option is included in case it is essential to preserve a complete audit trail; by default this option is not selected.

Figure 3: Output properties window

For some output formats, LOGbinder for SharePoint can preserve the original data extracted from SharePoint, along with details as to how the entry was translated by LOGbinder. Check the option “Include XML data” in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.

For the output format "LOGbinder SP Event Log," the entries are placed in a custom log named “LOGbinder SP.” When the log is created by LOGbinder, by default the maximum log size is set to 16MB, and it will overwrite events as needed. If changing these settings, balance the log size settings with the needs of your log management software as well as the setting for “Include XML Data.” In this way you will ensure that your audit trail is complete.

For file based outputs, such as Syslog (File), the output file is stored, by default, in the "C:\ProgramData\LOGbinder SP" folder, or in the folder specified by the “Alternate Output Data Folder” option under File\Options. (See section below on Configure Options.)

Configure Service

To start, stop, and restart the LOGbinder for SharePoint (LOGbinder SP) service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar.

Figure 4: Message indicating outputs not configured

Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder will confirm that (a) at least one site collection has been selected for monitoring and (b) at least one output (i.e. LOGbinder SP Event Log, Windows Security Log) has been selected.

While attempting to start the LOGbinder for SharePoint (LOGbinder SP) service, a problem may be encountered—perhaps that the service account does not have sufficient authority. The details of the problem are written to the Application Event Log. These events can also be viewed inside of the LOGbinder control panel, by selecting the “LOGbinder Diagnostic Events” view.

See the section “Monitoring LOGbinder for SharePoint” for more information on how to handle issues that may arise when starting the LOGbinder for SharePoint (LOGbinder SP) service.

Configure Options

Use buttons on the panel, or the menu File\Options, to change LOGbinder's options.

LOGbinder for SharePoint allows the control of how much lookups it should perform in order to obtain additional information while translating raw audit event to easy-to-understand audit entries. Examples of this could be resolving a user ID to user name or an object GUID to the actual name of the object. The available levels of lookups are as follows:

  • Exclude none: All lookups will be done. This may result in slower processing for larger farms.
  • Exclude highest-cost lookups: All lookups will be done except lookups that use the highest amount of resources. It can affect all events, where details for any main item, where it is an item in a list, will not be looked up. Details such as ‘Title’ and ‘Description’ will not have values.
  • Exclude high-cost lookups: Do not do lookups that use a high amount of resources. (Recommended setting for large farms.) It can affect all events, where details for any main item will not be looked up. Details such as ‘Title’ and ‘Description’ will not have values.
  • Exclude high/medium-cost lookups: Do not do lookups that use high or medium amount of resources. It will affect events 16, 29, 31, 32, where details of related items will not be looked up. The event will be included in the audit trail, but much of the detail will be missing for these events
  • Restrict all: Do not do any lookups. IDs will be resolved that do not require querying SharePoint. (Not recommended.) It will affect all events, where user, group, and role IDs are not resolved.

  • Figure 5: Options windows​

The levels are inclusive, that is, if you choose ‘high’, it includes ‘highest’. If you choose ‘medium’ it includes ‘highest’, and ‘high’.

Please note that when lowering the lookup level, some details in certain events will be omitted. Therefore, we recommend that depending on the acceptable performance, the highest possible level is selected. Recommendations:

  • If site collections are not being processed in a timely manner, choosing ‘highest’ or ‘high’ is a good option. The details that are excluded do not significantly affect the integrity of the audit trail.
  • If site collections are still not being processed in a timely way, and there are a significant number of the events that are listed above, then dropping to ‘medium’ is suggested.
  • For very large sites, and where close to real-time processing is needed, choose ‘restrict all’. The events will appear closer to the “raw” format they appear in SharePoint.

If the box “Purge entries from SharePoint after processing” is checked, then audit entries will be purged automatically from SharePoint on a daily basis at 1:00 AM. A buffer is maintained, in that only entries older than 24 hours are purged. (For example, when entries are purged on 11/16/2009 1:00 AM, it purges entries older than 11/15/2009 1:00 AM.) If this option is checked, then SharePoint’s audit log trimming feature will be disabled automatically.

If the box "Trim claims encoding from user name" is checked, LOGbinder will trim the claims encoding characters from the username before sending the log data to the output. For example, instead of "i:0#.w"|test\jsmith" displayed it will display "test\jsmith".

The “Service Account” lists the user account that runs the LOGbinder for SharePoint (LOGbinder SP) service. This is the account you specified when installing LOGbinder for SharePoint. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).

If the box “Do not write informational messages to the Application log” is checked, then event “551 – LOGbinder agent successful” (see Appendix C: Diagnostic Events) will not be written to the Application log.

The “Logging” options can be utilized for diagnostic purposes if experiencing problems with LOGbinder. By default, the “Logging Level” is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1 generates standard level of detail of logging. Level 2 will generate more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support; otherwise performance will be adversely affected. Both Level 1 and Level 2 logging options will generate log files named Control Panel.log, Service.log, Service Controller.log and Service Processor.log in the Log location folder.

Alternate Output Data Folder” specifies the data folder used for the output data. This is the folder where LOGbinder stores output that are written in files, such as the Syslog-Generic (File), as well as the above mentioned diagnostic files. The folder path can be set using drive letter or UNC, if it is a network location. The default folder is {Common Application Data}\LOGbinder SP (i.e. C:\ProgramData\LOGbinder SP). Please note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder as specified above in section Step 2 – Check User Accounts and Authority.

"Memory Threshold" specifies how much memory LOGbinder can use before restarting the service. This can be useful due to memory leaks in the .NET Framework.

Status Bar

The status bar will show information about the operation of LOGbinder.

Displays the status of the service. The image shown indicates the service is stopped (). The service may also be running (), or in an 'unknown' state ().

Shows the status of the license for LOGbinder. If LOGbinder is not fully licensed, a message will appear in the status bar.

Indicates that settings have been changed. In order to apply the changes, the LOGbinder for SharePoint (LOGbinder SP) service must be restarted. If the LOGbinder for SharePoint (LOGbinder SP) service is running and the LOGbinder for SharePoint control panel is closed, the changes will be discarded.


Use the menu File\License to view information about your license for LOGbinder. If you have purchased LOGbinder for SharePoint and need to obtain a license, follow these steps:

  • For Unit/Server Count, in case you are planning expansion of your farm in the near future, you can enter more than the number of servers in the farm that need licensed. (The minimum number of servers requiring licensing will be filled out automatically by LOGbinder. See box below for further details.)
  • Press the Copy button, and paste the contents into a support ticket opened at
  • When the license key is received, copy it to the clipboard and press the Paste button.

Figure 6: License window​

If you are properly licensed, the license window will redisplay and show that you are properly licensed. If there is problem, respond to your license request ticket immediately at

When purchasing LOGbinder for SharePoint, confirm that you obtain a license sufficient for the SharePoint farm. The window “SharePoint Farm Properties” lists the information you need. You can find a link to this window in Options, or in any of the Input windows.

Particularly, you will need (a) the edition of SharePoint on your server farm, and (b) the number of servers requiring a LOGbinder license.

Figure 7: SharePoint Farm Properties window

The license key you receive is valid for any server in your SharePoint farm. Thus, if you need to install LOGbinder for SharePoint on a different server in the same farm, you do not need to request a new license key.

[1] If this is not the first installation of LOGbinder on the same server, it will continue audit log processing from the date and time it finished its last run with the previous installation. If LOGbinder was installed on another server in the same environment before, you might want to refer to the section above about Transferring settings to a new server.

On a scale of 1-5, please rate the helpfulness of this article

Not Helpful
Very Helpful
Optionally provide private feedback to help us improve this article...

Thank you for your feedback!

Still have questions - Submit a new ticket