Home → LOGbinder for SQL KB → Getting Started Guide → Configuring LOGbinder for SQL Server
2.2. Configuring LOGbinder for SQL Server
Configuring LOGbinder for SQL Server
Open the "LOGbinder for SQL Server" link in the Windows start menu, which appears by default in the “LOGbinder” folder.
To use LOGbinder for SQL Server, adjust the settings in the three views: Input, Output, and Service. Settings can be changed while the service is running, but changes will be applied only when the service is restarted. If the LOGbinder for SQL Server control panel is closed before restarting the service, the changes will be discarded. On the other hand, if the service is already stopped, the changes are saved automatically.
Configure Input
Adding a new input
Use the menu Action\New Input to add at least one Audit File Location. Either type the path, or use the Browse button to find the path. The path can be in UNC or drive/path format.
Audit File LocationLOGbinder for SQL Server retrieves audit logs from files you create using Microsoft SQL Server 2008 or later. When creating an audit in SQL Server, use “File” as the selection for “Audit destination,” as shown below. Figure 1: SQL Server Audit Properties window Choose this file path when specifying LOGbinder for SQL Server’s Audit File Location folder. (If auditing multiple SQL Server instances, specify a unique folder for each.) |
You can use one installation of LOGbinder for SQL Server to monitor audits from multiple Microsoft SQL servers. Create an input for each server you wish to monitor. However, each input has to be located in its own unique folder. It is not possible to read audit log files generated by multiple SQL Server instances within the same folder.
To adjust the properties of an input, use the menu Action\Properties or double-click on it. Check the box “Specify last processed file” if you are reinstalling LOGbinder for SQL Server and must resume at a specific location. Generally, though, this box will be unchecked—as you will experience errors if an invalid selection is made.
In the section “SQL Server for Processing Events,” choose—or enter the name of—an existing SQL server. All eligible servers can be listed by pressing the Refresh button. (Note that only those SQL servers can be discovered and listed here that have the SQL Server Browser service running.) You do not need to choose the server that generates the events—any of these servers can be chosen. The version of the server processing the audit events has to be equal or higher than the server that is generating the events. (For example, is the server generating the events is SQL Server 2014, you can process those with SQL Server 2014, SQL Server 2014 Express, SQL Server 2016, SQL Server 2016 Express, but not with SQL Server 2012.)
Figure 2: Input properties window
The LOGbinder service account must have the following permission:
- “Control Server” permission on this SQL server [NOTE: The service account does not need such permissions to the server(s) generating audit events.]
The SQL Server service account that is running the SQL Server for Processing Events must have the following permission:
- Read access to the Audit File Location folder
Why do I need to specify a SQL server?Above it is noted that LOGbinder for SQL Server does not access the audit logs directly from your Microsoft SQL Server (a.k.a. your production server). So, why does a SQL server need to be chosen? And for what purpose? When SQL outputs audit logs to a file, it does so in an encrypted format that can be read only by Microsoft SQL Server itself. This is essential to prevent tampering with the integrity of the audit log trail. Thus, LOGbinder for SQL Server cannot read these log files itself, but it must use SQL Server to read the logs. LOGbinder must be able to use an installation of SQL Server 2008 or later, including Express edition. In most cases you will not want to choose your production server for LOGbinder’s use to process events. |
Adding new inputs in bulk
If you have many inputs to add, these can be entered through a comma separated values (CSV) file. Each line of the CSV file should have the folder name and the processing SQL Server separated by a comma. the first line being the header. For example:
folder,sql_server
C:\Audit Logs,MYSERVER1\SQLSERVER1
\\MYSERVER3\SQL Audit Logs,MYSERVER2\SQLSERVER2
C:\Other Audit Logs,MYSERVER2\SQLSERVER4
Use the menu Action\Add Inputs from File. Browse for the CSV file and open it. Click on the "Test inputs" button to verify that the inputs can be set up properly. When satisfied, the "Add" button will add all correct inputs.
Deleting inputs
To delete inputs, select one or more inputs (use Shift and/or Ctrl to select more than one), and use the Action\Delete Input menu item.
Configure Output
LOGbinder supports multiple output formats. LOGbinder for SQL Server allows output to go to:
- LOGbinder SP Event Log: a custom event log under Applications and Services Logs.
- Security Log: the Windows Security log. (Please remember to set the additional privileges as described in section Step 2 – Check User Accounts and Authority when using this feature.)
- Syslog-CEF: a Syslog server using ArcSight’s Common Event Format.
- Syslog-LEEF: a Syslog server using IBM Security QRadar’s Log Event Extended Format.
- Syslog-Generic: a Syslog server using the generic Syslog format.
- Syslog-CEF (File): a Syslog file using ArcSight’s Common Event Format.
- Syslog-LEEF (File): a Syslog file using IBM Security QRadar’s Log Event Extended Format.
- Syslog-Generic (File): a Syslog file using the generic Syslog format.
At least one of these must be enabled in order for the LOGbinder service to start.
To adjust the settings, select an item and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."
Figure 3: Output properties window
Select the "Include Noise Events" if you want to include these in the event log. A “noise event” is a log entry generated from the input (SQL Server) that contains only misleading information. This option is included in case it is essential to preserve a complete audit trail; by default this option is not selected.
For some output formats, LOGbinder for SQL Server can preserve the original data extracted from SQL, along with details as to how the entry was translated by LOGbinder. Check the option "Include XML Data" in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.
For the output format "LOGbinder SQL Event Log", the entries are placed in a custom log named "LOGbinder SQL." When the log is created, by default the maximum log size is set to 16MB, and it will overwrite events as needed. If changing these settings, balance the log size settings with the needs of your log management software as well as the setting for "Include XML Data." In this way you will ensure that your audit trail is complete.
For file based outputs, such as Syslog (File), the output file is stored, by default, in the "C:\ProgramData\LOGbinder SQL" folder, or in the folder specified by the “Alternate Output Data Folder” option under File\Options. (See section below on Configure Options.)
Configure Service
To start, stop, and restart the LOGbinder for SQL Server (LOGbinder SQL) service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar.
Figure 4: Message indicating outputs not configured
Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder will confirm that the settings are accurate and that the necessary permissions have been granted. If the service fails to start, a message will be shown as to what settings need to be corrected. The reasons why the service will not start include:
- If no inputs have been properly configured.
- If no outputs (i.e. Windows Event Log, Windows Security Log) are enabled.
If either of these conditions is found, the service will not start. A message will be presented to the user with the details of the problem.
If the service cannot start because the account does not have sufficient authority, or if there is another problem preventing it from running, the details of the problem are written to the Application Event Log. These events can also be viewed inside of the LOGbinder control panel, by selecting the “LOGbinder Diagnostic Events” view.
See the section “Monitoring LOGbinder for SQL Server” for more information on how to handle issues that may arise when starting the LOGbinder for SQL Server (LOGbinder SQL) service.
Configure Options
Use the menu File\Options to change LOGbinder's options.
The Service Account lists the user account that runs the LOGbinder for SQL Server (LOGbinder SQL) service. This is the account you specified when installing LOGbinder for SQL Server. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).
If the box “Do not write informational messages to the Application log” box is checked, then event 551 – LOGbinder agent successful (see Appendix C: Diagnostic Events) will not be written to the Application log.
Figure 5: Options window
The Purge audit files after processing option will move or delete audit files that are no longer in use by SQL Server and have already been processed by LOGbinder and forwarded to the selected output(s).
- The Move option will move the processed sqlaudit files to a sub-folder named "processed". From there you can either archive or delete the processed files.
- The Delete option will delete the processed sqlaudit files.
The Logging options can be utilized for diagnostic purposes if experiencing problems with LOGbinder. By default, the Logging Level is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1 generates standard level of detail of logging. Level 2 will generate more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support; otherwise performance will be adversely affected. Both Level 1 and Level 2 logging options will generate log files named Control Panel.log, Service.log, Service Controller.log and Service Processor.log in the Log location folder.
“Alternate Output Data Folder” specifies the data folder used for the output data. This is the folder where LOGbinder stores output that are written in files, such as the Syslog-Generic (File), as well as the above mentioned diagnostic files. The folder path can be set using drive letter or UNC, if it is a network location. The default folder is {Common Application Data}\LOGbinder SP (i.e. C:\ProgramData\LOGbinder SP). Please note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder as specified above in section Step 2 – Check User Accounts and Authority.
Status Bar
The status bar will show information about the operation of LOGbinder.
| Displays the status of the service. The image shown indicates the service is stopped ( |
|
| Shows the status of the license for LOGbinder. If LOGbinder is not fully licensed, a message will appear in the status bar. | |
| Indicates that settings have been changed. In order to apply the changes, the LOGbinder for SQL Server (LOGbinder SQL) service must be restarted. If the LOGbinder for SQL Server (LOGbinder SQL) service is running and the LOGbinder for SQL Server control panel is closed, the changes will be discarded. |
License
Use the menu File\License to view information about your license for LOGbinder. If you have purchased LOGbinder for SQL Server and need to obtain a license key, follow these steps:
- For Unit/Server Count, enter the number of audit inputs being monitored.
- Press the Copy button, and paste the contents into a support ticket.
- When the license key is received, copy it to the clipboard and press the Paste button.
Figure 6: License window
If you are properly licensed, the license window will redisplay and show that you are properly licensed. If there is a problem, respond to your license request ticket immediately.