HomeLOGbinder for SP KBGetting Started GuideConfiguring LOGbinder for SharePoint

2.2. Configuring LOGbinder for SharePoint

Configuring LOGbinder for SharePoint

Open the "LOGbinder for SharePoint" link in the Windows start menu, which appears by default in the “LOGbinder” folder.

To use LOGbinder for SharePoint, adjust the settings in the three views: Input, Output, and Service. Settings can be changed while the service is running, but changes will be applied only when the service is restarted. If the LOGbinder for SharePoint control panel is closed before restarting the service, the changes will be discarded. On the other hand, if the service is already stopped, the changes are saved automatically.

Configure Input

LOGbinder for SharePoint examines the local SharePoint server farm; the site collections that exist on the farm are shown in the view. Only the sites with a check mark in the Monitored column will be processed by LOGbinder.

What do I do if the site collection list is empty?
If the site collection list is empty (that is, apart from the <Default Audit Policy> entry), you are not properly connected to a SharePoint farm. It may be that (1) LOGbinder for SharePoint is not installed on a valid SharePoint server, (2) your account is not a SharePoint Farm Administrator, or (3) your account needs to run with elevated privileges (i.e. run as administrator) in order to access the farm.

 

The first item listed is <Default Audit Policy>. LOGbinder for SharePoint allows you to set a default audit policy, which can then be applied to site collections you specify. If you later change the default audit policy, the site collections to which you have applied it will automatically have their policy changed.

To adjust the default audit policy, select that item in the list, and use the menu Action\Properties (or double-click on it). Select one or more event types to be monitored. If you wish to apply the default policy to newly created site collections, check the box “Apply default audit policy to new site collections.”


Figure 1: A typical Input list

To adjust the properties of a site collection, use the menu Action\Properties or double-click on it. To adjust the audit policy of multiple site collections at once, use the Shift+Click, CTRL-A, or mouse scrolling while selecting.

For site collections you wish to monitor, you have three ways to specify the audit policy:


Figure 2: Input properties window​

The "Last Processed" box shows the date and time audit events were last retrieved from SharePoint. After installing LOGbinder the first time, it starts processing audit logs from the time of the installation onward.* If some of the backlog events are also to be processed, the start date can be set here. It is recommended that once LOGbinder is in operation, this date not be changed manually, as it could result in skipping some audit events in SharePoint, or double-handling, resulting in events appearing twice in the event log. If the date needs to be adjusted, check the box next to the date, and then the date can be adjusted.

This window also has a link to SharePoint Farm Properties, which displays basic information about the SharePoint farm.

* If this is not the first installation of LOGbinder on the same server, it will continue audit log processing from the date and time it finished its last run with the previous installation. If LOGbinder was installed on another server in the same environment before, you might want to refer to the section here about Transferring settings to a new server.

Configure Output

LOGbinder supports multiple output formats. LOGbinder for SharePoint allows output to go to

At least one of these must be enabled in order for the LOGbinder service to start.

To enable an output and adjust the settings, select it and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."

Select the "Include noise events" if you want to include these in the event log. A “noise event” is a log entry generated from the input (SharePoint) that contains only misleading information. This option is included in case it is essential to preserve a complete audit trail; by default this option is not selected.


Figure 3: Output properties window

For some output formats, LOGbinder for SharePoint can preserve the original data extracted from SharePoint, along with details as to how the entry was translated by LOGbinder. Check the option “Include XML data” in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.

For the output format "LOGbinder SP Event Log," the entries are placed in a custom log named “LOGbinder SP.” When the log is created by LOGbinder, by default the maximum log size is set to 16MB, and it will overwrite events as needed. If changing these settings, balance the log size settings with the needs of your log management software as well as the setting for “Include XML Data.” In this way you will ensure that your audit trail is complete.

For file based outputs, such as Syslog (File), the output file is stored, by default, in the "C:\ProgramData\LOGbinder SP" folder, or in the folder specified by the “Alternate Output Data Folder” option under File\Options. (See section below on Configure Options.)

Configure Service

To start, stop, and restart the LOGbinder for SharePoint (LOGbinder SP) service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar.


Figure 4: Message indicating outputs not configured

Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder will confirm that (a) at least one site collection has been selected for monitoring and (b) at least one output (i.e. LOGbinder SP Event Log, Windows Security Log) has been selected.

While attempting to start the LOGbinder for SharePoint (LOGbinder SP) service, a problem may be encountered—perhaps that the service account does not have sufficient authority. The details of the problem are written to the Application Event Log. These events can also be viewed inside of the LOGbinder control panel, by selecting the “LOGbinder Diagnostic Events” view.

See the section “Monitoring LOGbinder for SharePoint” for more information on how to handle issues that may arise when starting the LOGbinder for SharePoint (LOGbinder SP) service.

Configure Options

Use buttons on the panel, or the menu File\Options, to change LOGbinder's options.

LOGbinder for SharePoint allows the control of how much lookups it should perform in order to obtain additional information while translating raw audit event to easy-to-understand audit entries. Examples of this could be resolving a user ID to user name or an object GUID to the actual name of the object. The available levels of lookups are as follows:

Figure 5: Options windows​

The levels are inclusive, that is, if you choose ‘high’, it includes ‘highest’. If you choose ‘medium’ it includes ‘highest’, and ‘high’.

Please note that when lowering the lookup level, some details in certain events will be omitted. Therefore, we recommend that depending on the acceptable performance, the highest possible level is selected. Recommendations:

If the box “Purge entries from SharePoint after processing” is checked, then audit entries will be purged automatically from SharePoint on a daily basis at 1:00 AM. A buffer is maintained, in that only entries older than 24 hours are purged. (For example, when entries are purged on 11/16/2009 1:00 AM, it purges entries older than 11/15/2009 1:00 AM.) If this option is checked, then SharePoint’s audit log trimming feature will be disabled automatically.

If the box "Trim claims encoding from user name" is checked, LOGbinder will trim the claims encoding characters from the username before sending the log data to the output. For example, instead of "i:0#.w"|test\jsmith" displayed it will display "test\jsmith".

The “Service Account” lists the user account that runs the LOGbinder for SharePoint (LOGbinder SP) service. This is the account you specified when installing LOGbinder for SharePoint. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).

If the box “Do not write informational messages to the Application log” is checked, then event “551 – LOGbinder agent successful” (see Appendix C: Diagnostic Events) will not be written to the Application log.

The “Logging” options can be utilized for diagnostic purposes if experiencing problems with LOGbinder. By default, the “Logging Level” is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2Level 1 generates standard level of detail of logging. Level 2 will generate more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support; otherwise performance will be adversely affected. Both Level 1 and Level 2 logging options will generate log files named Control Panel.logService.logService Controller.log and Service Processor.log in the Log location folder.

Alternate Output Data Folder” specifies the data folder used for the output data. This is the folder where LOGbinder stores output that are written in files, such as the Syslog-Generic (File), as well as the above mentioned diagnostic files. The folder path can be set using drive letter or UNC, if it is a network location. The default folder is {Common Application Data}\LOGbinder SP (i.e. C:\ProgramData\LOGbinder SP). Please note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder as specified above in section Step 2 – Check User Accounts and Authority.

"Memory Threshold" specifies how much memory LOGbinder can use before restarting the service. This can be useful due to memory leaks in the .NET Framework.

Status Bar

The status bar will show information about the operation of LOGbinder.

Displays the status of the service. The image shown indicates the service is stopped (). The service may also be running (), or in an 'unknown' state ().
Shows the status of the license for LOGbinder. If LOGbinder is not fully licensed, a message will appear in the status bar.
Indicates that settings have been changed. In order to apply the changes, the LOGbinder for SharePoint (LOGbinder SP) service must be restarted. If the LOGbinder for SharePoint (LOGbinder SP) service is running and the LOGbinder for SharePoint control panel is closed, the changes will be discarded.

License

Use the menu File\License to view information about your license for LOGbinder. If you have purchased LOGbinder for SharePoint and need to obtain a license, follow these steps:


Figure 6: License window​

If you are properly licensed, the license window will re-display and show that you are properly licensed. If there is problem, respond to your license request ticket immediately.

When purchasing LOGbinder for SharePoint, confirm that you obtain a license sufficient for the SharePoint farm. The window “SharePoint Farm Properties” lists the information you need. You can find a link to this window in Options, or in any of the Input windows.

Particularly, you will need (a) the edition of SharePoint on your server farm, and (b) the number of servers requiring a LOGbinder license.

Figure 7: SharePoint Farm Properties window

The license key you receive is valid for any server in your SharePoint farm. Thus, if you need to install LOGbinder for SharePoint on a different server in the same farm, you do not need to request a new license key.

This page was: Helpful | Not Helpful