Microsoft has taken to increasing the complexity of some of their product auditing functions, starting with Exchange and SharePoint's auditing implementations in the 2010 versions. Gone are the days of simple configurations to log to the event log; here are the days of audit tables, databases, and API calls. This makes it difficult if you're someone who is moving content to SharePoint, already has content in SharePoint, or is looking to move toward SharePoint, and has audit or regulatory requirements. We've had a LOT of requests for SharePoint auditing and, rather than build something, we've chosen to leave it to the experts.

In case you missed our Unveil SharePoint’s Audit Logs webinar (links to the slides in this post), we've partnered with the fine folks over at the Monterey Technology Group to become one of their SIEM partners with LOGbinder SP, a super useful SharePoint auditing utility. These are the same experts who are also responsible for bringing you Ultimate Windows Security, a site you should surely check out if you're interested in Windows event logs, auditing, and security.

Use LOGbinder SP for:

  • Pulling SharePoint audit activity out of the cryptic database and into the Event Log
  • Providing object & user names in SharePoint audit events
  • Managing SharePoint audit policies

Use LEM with LOGbinder for:

  • Alerting on SharePoint change activity (new administrators, permissions changes)
  • Auditing SharePoint item & object access, deletion, import, and export
  • Reporting on SharePoint activity for compliance
  • Viewing SharePoint audit activity in context with operating system, network device, and other application logs

I just uploaded some rules, filters, and reports for LOGbinder over on the Content Exchange that provide everything you need to get going on the LEM side. There's an integration guide in the Zip file that will explain how to install the files, which are all tailored to the LOGbinder SP event log data. You will need an agent installed on your SharePoint+LOGbinder system, and you'll need to make sure you have either LEM version 5.4 or the latest product connectors installed; then it's just a matter of following the guide to get set up and start monitoring.