
3. Monitoring LOGbinder for SharePoint



When installing, configuring, and running LOGbinder for SharePoint, the software writes diagnostic events to the Windows Application Event Log. Most of these will be from the source "LOGbndSE" and the category "LOGbinder." You may use the Windows Event Viewer to examine these events.

During Installation and Configuration

During installation and configuration, you will find these entries:

  • After installation, there may be an entry from the source MsiInstaller: "Product: LOGbinder SP -- Installation completed successfully."
  • When the configuration of LOGbinder for SharePoint changes, you will see one or more entries entitled "LOGbinder settings changed." See Appendix C: Diagnostic Events: “553 – LOGbinder settings changed” for information about these events.
  • When the service starts, there may be an entry from the source LOGbinder SP: "Service started successfully." (Entries are also written when the service is stopped.)

You can monitor these events to ensure that LOGbinder for SharePoint continues to be configured properly, and that unauthorized changes do not occur.

After configuring LOGbinder for SharePoint and starting the service, it automatically performs a check to ensure that LOGbinder's settings are valid and that the account running the Windows service has sufficient authority. If there is a problem, the LOGbinder for SharePoint (LOGbinder SP) service will not start and a message will be presented to the user. In most cases, the details of the problem are written to the Application log. Common problems include:

  • Input/output not configured properly. See the previous section “Configuring LOGbinder for SharePoint” for more information.
  • Insufficient authority. If the service account does not have adequate authority, then the service will not run. An entry is written to the Application log. See Appendix C: Diagnostic Events “556 – LOGbinder insufficient authority” for more details. Some of the common missing permissions include:
    • Account does not have authority to log on as a Windows service.
    • Account does not have necessary permissions in SharePoint.
    • The account does not have authority to write to the Security event log. (If this output destination has not been selected, then it is not necessary to grant this permission.)
  • License invalid. If the license is not valid or has expired, then the LOGbinder for SharePoint (LOGbinder SP) service will not run. An entry may be written to the Application log. See Appendix C: Diagnostic Events: “557 – License for LOGbinder invalid” for details.
  • Other errors will be found in entries entitled "LOGbinder error." See Appendix C: Diagnostic Events: “555 – LOGbinder error” for more information.

If any of these errors are encountered, the LOGbinder for SharePoint (LOGbinder SP) service will not run.

While LOGbinder for SharePoint is Running

While LOGbinder for SharePoint is running, you will see information entries in the Application log as follows:

  • Entries 'exported' from SharePoint. For each site collection being monitored, this message indicates the number of audit entries that LOGbinder for SharePoint has processed.
  • Entries 'imported' into the Windows event log. This indicates that the audit entries have been placed in the enabled output formats. There will be one message even if multiple output formats have been selected (i.e. you have selected both Windows Security Log and Windows Event Log as output formats). The 'export'/'import' entries are complementary: there should be a corresponding 'import' entry for each 'export.'
  • If the Default Audit Policy is used for newly created site collections, a number of “553 – LOGbinder settings changed” events (see Appendix C: Diagnostic Events) will be generated when configuring a new site collection.

These log entries are informational in nature. Generally no action is required. If more entries are being processed than appear in the event logs or in your log management solution, it could be that the log size is too small and entries are being overwritten. See Appendix C: Diagnostic Events “551 – LOGbinder agent successful” for more information on these events.

There may also be some warning event entries:

  • Could not find information. This event is generated when LOGbinder for SharePoint translates audit entries in SharePoint and cannot find information it needs. See Appendix C: Diagnostic Events “552 – LOGbinder warning” for more information. (Note: When LOGbinder for SharePoint is first installed, or if a site collection is being monitored for the first time, there is a greater likelihood of these messages. Once LOGbinder for SharePoint translates the backlog of SharePoint audit entries, the number of these warnings should decrease.)
  • LOGbinder agent produced unexpected results. When LOGbinder for SharePoint cannot translate an event properly, in addition to outputting the event to the selected output streams, it also creates an entry in the Application log. See Appendix C: Diagnostic Events “554 – LOGbinder agent produced unexpected results” for further details.

If LOGbinder for SharePoint has an error, an entry will be created in the Application log. If permissions are removed, or if the license expires, you may receive "556 – LOGbinder insufficient authority" or "557 – License for LOGbinder invalid" errors, which are explained above. Other errors will be entitled "555 – LOGbinder error." If you cannot resolve the problem, please submit the issue to the LOGbinder support team.
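One way to run the checks described on this page from PowerShell instead of the Event Viewer, as an added example that is not LOGbinder's own tooling. It assumes the numbers 551-557 listed in Appendix C are the Windows event IDs of the "LOGbndSE" source; the 24-hour window and the triage labels are choices made for this example.

```powershell
# Added example: triage LOGbinder for SharePoint diagnostic events.
# Assumption: the numbers 551-557 in Appendix C are the Windows event IDs.
param([int]$Hours = 24)   # look-back window; 24 is an arbitrary default

# Event names as given on this page; Level is this example's own triage label.
$Meaning = @{
    551 = @{ Level = 'Info';     Text = 'LOGbinder agent successful' }
    552 = @{ Level = 'Warning';  Text = 'LOGbinder warning' }
    553 = @{ Level = 'Review';   Text = 'LOGbinder settings changed' }
    554 = @{ Level = 'Warning';  Text = 'LOGbinder agent produced unexpected results' }
    555 = @{ Level = 'Critical'; Text = 'LOGbinder error' }
    556 = @{ Level = 'Critical'; Text = 'LOGbinder insufficient authority' }
    557 = @{ Level = 'Critical'; Text = 'License for LOGbinder invalid' }
}

$filter = @{
    LogName      = 'Application'
    ProviderName = 'LOGbndSE'
    Id           = 551..557
    StartTime    = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches. Treat only that case as
# "no events"; access-denied and similar failures must still surface.
try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    $events = @()
}

# Summarise per event ID so a burst of 551/552 entries does not bury the rest.
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    $m = $Meaning[[int]$_.Name]
    [pscustomobject]@{
        Id     = [int]$_.Name
        Level  = $m.Level
        Event  = $m.Text
        Count  = $_.Count
        Latest = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    }
} | Format-Table -AutoSize

# 553 is the change-control signal (compare against approved changes);
# 555-557 are the error events described above.
$events | Where-Object { $_.Id -in 553, 555, 556, 557 } | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, MachineName, Message | Format-List

# Non-zero exit lets a scheduled task or monitoring wrapper alert on errors.
if ($events | Where-Object { $_.Id -in 555, 556, 557 }) { exit 1 }
```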

