
3.1. How does LOGbinder for SharePoint detect log tampering?

While LOGbinder for SharePoint is processing events, it will perform actions that generate SharePoint events. What happens, though, if these same actions are performed maliciously by a SharePoint user? Will this compromise the integrity of the audit trail? No. LOGbinder for SharePoint can detect log tampering. How?

In order to distinguish between authorized and unauthorized changes, LOGbinder for SharePoint (version 3 and later), when processing these events, will indicate whether it performed the action itself, or the action might be unauthorized. A tamper warning will be generated in the following cases:

· Audit policy change: When processing event #11 “Site collection audit policy changed” or #12 “Audit policy changed,” LOGbinder will determine if the change overrides the settings in LOGbinder. If so, LOGbinder will reset the audit policy and generate a tamper warning (#60 “Possible tampering warning”).

· Audit logs deleted: When processing event #20 “SharePoint audit logs deleted,” LOGbinder will determine whether LOGbinder deleted the logs, and indicate it in an additional line added to this event. The line “Purge performed by LOGbinder” will show value “Yes” if LOGbinder performed the purge, and “No” otherwise. In the latter case, a tamper warning event (#60 “Possible tampering warning”) will be generated.
Note: If it cannot be determined whether the logs were deleted by LOGbinder for SharePoint, the “Purge performed by LOGbinder” value will be set to “Indeterminate”. This typically occurs when processing backlog events, i.e. those produced before LOGbinder started processing the site collection.

By alerting on event #60 “Possible tampering warning”, malicious audit tampering attempts can be detected, so the audit trail is not compromised.
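The decision logic described above, written out as an added example (not LOGbinder's own code or data formats). It models the minimum state LOGbinder would need to distinguish its own actions from someone else's: the audit policy it is configured to enforce, the time it began processing each site collection, and the set of purges it initiated itself. The event fields (`purge_id`, `policy`), the site names and the timestamps are all constructed for the example; the event numbers (#11, #12, #20, #60) and the "Yes/No/Indeterminate" values are the ones this page documents.

```python
"""Model of LOGbinder for SharePoint tamper detection (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

TAMPER_WARNING = 60  # event #60 "Possible tampering warning"


@dataclass
class SharePointEvent:
    event_id: int                      # 11/12 = audit policy changed, 20 = audit logs deleted
    site: str                          # site collection the event belongs to
    occurred: datetime                 # when SharePoint recorded the event
    purge_id: Optional[str] = None     # constructed: identifier of the purge behind an event #20
    policy: Dict[str, bool] = field(default_factory=dict)  # audit flags carried by #11/#12


@dataclass
class Processor:
    """State LOGbinder needs to tell its own actions from unauthorized ones."""
    expected_policy: Dict[str, bool]        # the audit policy LOGbinder enforces
    started: Dict[str, datetime]            # site -> time LOGbinder began processing it
    own_purges: Set[str] = field(default_factory=set)  # purges LOGbinder performed itself

    def purge(self, purge_id: str) -> None:
        """Record a purge that LOGbinder itself carried out."""
        self.own_purges.add(purge_id)

    def process(self, ev: SharePointEvent) -> Tuple[List[str], List[Tuple[int, str]]]:
        """Return (extra lines appended to the event, tamper warnings generated)."""
        lines: List[str] = []
        warnings: List[Tuple[int, str]] = []

        if ev.event_id in (11, 12):
            # Audit policy change: does the new policy override what LOGbinder configured?
            overridden = sorted(
                name for name, wanted in self.expected_policy.items()
                if ev.policy.get(name) != wanted
            )
            if overridden:
                lines.append("Audit policy reset by LOGbinder")  # LOGbinder restores its settings
                warnings.append((TAMPER_WARNING,
                                 f"Possible tampering warning: audit policy on {ev.site} "
                                 f"overrode {overridden}"))

        elif ev.event_id == 20:
            # Audit logs deleted: was it LOGbinder's own purge?
            if ev.purge_id in self.own_purges:
                verdict = "Yes"
            elif ev.site in self.started and ev.occurred >= self.started[ev.site]:
                verdict = "No"            # happened on our watch and we did not do it
            else:
                verdict = "Indeterminate"  # backlog event from before processing began
            lines.append(f"Purge performed by LOGbinder: {verdict}")
            if verdict == "No":
                warnings.append((TAMPER_WARNING,
                                 f"Possible tampering warning: audit logs on {ev.site} "
                                 f"deleted by someone other than LOGbinder"))

        return lines, warnings


def demo() -> List[Tuple[int, List[str], List[Tuple[int, str]]]]:
    """Run a constructed sequence of events through the processor."""
    proc = Processor(expected_policy={"View": True, "Delete": True},
                     started={"/sites/hr": datetime(2024, 1, 1)})
    proc.purge("purge-0001")  # LOGbinder's own scheduled purge
    events = [
        SharePointEvent(20, "/sites/hr", datetime(2024, 1, 2), purge_id="purge-0001"),   # ours
        SharePointEvent(20, "/sites/hr", datetime(2024, 1, 2), purge_id="purge-0002"),   # not ours
        SharePointEvent(20, "/sites/hr", datetime(2023, 12, 1), purge_id="purge-0000"),  # backlog
        SharePointEvent(12, "/sites/hr", datetime(2024, 1, 3), policy={"View": True, "Delete": False}),
        SharePointEvent(12, "/sites/hr", datetime(2024, 1, 3), policy={"View": True, "Delete": True}),
    ]
    return [(ev.event_id, *proc.process(ev)) for ev in events]


if __name__ == "__main__":
    for event_id, lines, warnings in demo():
        print(event_id, lines, warnings)
```

Only the "No" verdict and an overriding policy change raise #60; an "Indeterminate" purge is annotated but not alerted on, which is why backlog purges need a human look rather than an automatic alert.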
