
3.17. You want to run audit reports in SharePoint but LOGbinder for SharePoint purges the audit log

LOGbinder for SharePoint can automatically purge audit entries from SharePoint after it has processed them and forwarded them to an event log or to your SIEM/log management solution. This purging runs once a day, but a buffer is maintained: only entries older than 24 hours are purged.
This is usually sufficient to satisfy security and compliance requirements, since the audit trail is retained in the organization's SIEM or log management solution. In some rare cases, however, the audit entries must also stay in SharePoint so that audit reports can be run from within the SharePoint environment. The problem is that those entries are no longer in SharePoint, because LOGbinder for SharePoint has purged them.
In this case, disable automatic purging in LOGbinder for SharePoint through the Options dialog of the LOGbinder interface. Because LOGbinder for SharePoint does not re-process events it has already forwarded, leaving the entries in SharePoint does not create duplicate events in your log management solution.

Figure 1: Disable purging under LOGbinder for SharePoint Options

To prevent the audit entries from accumulating in SharePoint, where they consume database space and can degrade the performance of the site collection, configure SharePoint to trim its own audit log. Under Site Settings / Site Collection Administration / Site collection audit settings you can enable automatic trimming of entries older than a chosen age (specified in days) and, optionally, have a report of the trimmed entries saved to a document library before they are deleted. Choose a retention period longer than any collection outage you are willing to tolerate: an entry that SharePoint trims before LOGbinder for SharePoint has read it never reaches the SIEM.

Figure 2: Enable trimming in SharePoint audit settings
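The same trimming settings can be applied from the SharePoint Management Shell. The script below is an added example for this article, not LOGbinder's or Microsoft's code; the site URL and the 90-day retention are placeholders, and the object-model members it uses (SPSite.AuditLogTrimmingRetention, SPAudit.AuditFlags, SPAudit.TrimAuditLog) should be verified against your SharePoint version. It also checks that auditing is actually enabled, since trimming (and LOGbinder collection) is pointless otherwise, and performs a one-off trim so the existing backlog does not have to wait for the Audit Log Trimming timer job.

```powershell
# Added example: enable SharePoint audit-log trimming for one site collection
# from the SharePoint Management Shell. Not LOGbinder or Microsoft code.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl       = "https://intranet.example.local/sites/finance"  # placeholder URL
$retentionDays = 90                                              # illustrative value

$site = Get-SPSite -Identity $siteUrl

# 1. Sanity check: if no events are audited there is nothing to trim and
#    nothing for LOGbinder for SharePoint to forward.
if ($site.Audit.AuditFlags -eq [Microsoft.SharePoint.SPAuditMaskType]::None) {
    Write-Warning "Auditing is disabled on $siteUrl. Enable events under Site collection audit settings first."
}

# 2. Show the current state before changing anything.
"Audited events     : {0}" -f $site.Audit.AuditFlags
"Current retention  : {0} day(s)" -f $site.AuditLogTrimmingRetention

# 3. Enable trimming with the chosen retention. This takes over from the
#    LOGbinder purge as the mechanism that bounds the size of the audit table.
#    Keep the window longer than any LOGbinder collection outage you accept.
$site.AuditLogTrimmingRetention = $retentionDays
$site.Audit.Update()

# 4. One-off trim of the existing backlog. Only entries dated before the cutoff
#    are removed; newer entries remain available to SharePoint's audit reports.
#    GetEntries() loads the whole log, so skip the counting on very large logs.
$cutoff = (Get-Date).AddDays(-$retentionDays)
$before = $site.Audit.GetEntries().Count
$site.Audit.TrimAuditLog($cutoff)
$after  = $site.Audit.GetEntries().Count
"Trimmed {0} entries older than {1:yyyy-MM-dd}" -f ($before - $after), $cutoff

$site.Dispose()
```

Run it as a farm administrator with rights on the site collection. The document library that receives the archived audit reports is still selected on the Site collection audit settings page; the script only sets the retention and performs the immediate trim.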

With these changes in place you can manage your logs in your preferred SIEM/log management solution through LOGbinder for SharePoint while still having the audit entries available for reports inside SharePoint.
