
LOGbinder for SQL KB

1. Most Used

1.1. Download LOGbinder for SQL Server

Click here to download LOGbinder for SQL Server.

1.2. LOGbinder Newsletter

Subscribe here to receive news, alerts and security bulletins for Supercharger.

2. Getting Started Guide

2.1. Installing LOGbinder for SQL Server


LOGbinder for SQL Server runs as a Windows service on a Windows server. It translates audit log entries from Microsoft SQL Server, and outputs them to the LOGbinder SQL event log, the Windows Security Log, a Syslog server or Syslog files.

For more information, please visit our web site https://www.logbinder.com. There you will find a rich set of resources to guide you in setting audit policy, setting up audit log reporting and archiving, and so forth.

To open a case with our support staff, please submit a ticket.

Step 1 – Select Server and Check Requirements

Select Server

LOGbinder for SQL Server can be installed on any Windows workstation that is capable of running Microsoft SQL 2008 or later Express Edition, but a Windows server is recommended. It does not have to be installed on your Microsoft SQL Enterprise Edition server. LOGbinder for SQL Server can consume logs from multiple SQL servers remotely. The version of the server processing the audit events has to be equal to or higher than the version of the server that is generating the events. (For example, if the server generating the events is SQL Server 2014, you can process those with SQL Server 2014, SQL Server 2014 Express, SQL Server 2016, SQL Server 2016 Express, but not with SQL Server 2012.)

Software Requirements

  • Microsoft Windows Server 2012 or later
  • Microsoft .NET Framework 4.8
  • Microsoft SQL Server Express 2008 or later for processing events

SQL Server Auditing Requirements

For LOGbinder for SQL Server to be able to process audit events, SQL Server Audit has to be configured, together with a Server Audit Specification and/or Database Audit Specifications. The audit destination should be a file.

For an easy, few-step configuration of both SQL Server Audit and Server Audit Specification, you can use our completely free tool, the SQL Audit Policy Wizard.

Step 2 – Check User Accounts and Authority

Three user accounts are involved with LOGbinder for SQL Server. The authority each account requires is listed below:

  1. Your account: The account you are logged on as when you install and configure LOGbinder for SQL Server.
    • Read-only access to Audit File Location
    • Member of the local Administrators group (recommended)
      • Windows UAC sometimes interferes with this setting. It is recommended that you use the “Run as Administrator” option when running LOGbinder. You may also need to grant your account, as well as the service account, modify permissions to the C:\ProgramData folder as described in the third bullet point below.
  2. Service account: The account that the LOGbinder for SQL Server (LOGbinder SQL) service will run as. This domain account must be created before installing LOGbinder for SQL Server. (See Appendix A: Assigning Permissions for details on granting these permissions)
    • Control Server permission on the SQL Server being used to process events
    • Privilege “log on as a service” (The installer will set this prerequisite.)
    • Permission to create, read, modify files in C:\ProgramData\LOGbinder SQL (The installer will set this prerequisite.)
      • Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.
      • This LOGbinder SQL folder will be created while LOGbinder is installed.
    • If outputting to Windows Security log:
      • Privilege "Generate Security Audit" (SeAuditPrivilege)
      • Setting audit policy
        • Windows Server 2003:
          • Enable “Audit object access” for Success and Failure
        • Windows Server 2008 or later:
          • Enable “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” security option
          • Enable “Audit Application Generated” audit subcategory for Success and Failure
  3. SQL Server service account: The account running the SQL Server that is set in the LOGbinder input to process the events.
    • Read access to Audit File Location (see section Configure Input for more details on this)

Step 3 – Run the Installer

Download and run the installer. On the page "Logon Information", enter the user account name, domain and password of the service account (the user account that will run the LOGbinder for SQL Server (LOGbinder SQL) service). The rights outlined above must be granted to the account before running the installer, or else LOGbinder for SQL Server will not install properly.


On the page "Select Installation Folder," it is recommended that you use the default setting, C:\Program Files\LOGbndSQ.

If a dialog box "Set Service Login" appears, then the user account information entered previously was not valid. Confirm the account name and password, and re-enter the information.

Transferring settings to a new server

If LOGbinder was running in your environment before, but it now has to be installed on a different server, the following steps can be followed to transfer the settings to the new server. (Please note that running LOGbinder on two servers at the same time in the same environment is not recommended.) This not only saves setup time and reduces setup problems, but also ensures that audit log collection continues where LOGbinder left off, so as to preserve a complete audit trail:

  1. Make sure that on both the source (where LOGbinder was run before) and target (the new LOGbinder server) servers, the LOGbinder service is not running and the LOGbinder control panel is not open.
  2. Go to the C:\ProgramData\LOGbinder SQL folder on the source server.
    • Please note that the ProgramData folder is a hidden folder, and it is not the same as the Program Files folder.
  3. Copy all *.stg and *.xml files to the same folder on the target server.

2.2. Configuring LOGbinder for SQL Server


Open the "LOGbinder for SQL Server" link in the Windows start menu, which appears by default in the “LOGbinder” folder.

To use LOGbinder for SQL Server, adjust the settings in the three views: Input, Output, and Service. Settings can be changed while the service is running, but changes will be applied only when the service is restarted. If the LOGbinder for SQL Server control panel is closed before restarting the service, the changes will be discarded. On the other hand, if the service is already stopped, the changes are saved automatically.

Configure Input

Adding a new input 

Use the menu Action\New Input to add at least one Audit File Location. Either type the path, or use the Browse button to find the path. The path can be in UNC or drive/path format.

Audit File Location

LOGbinder for SQL Server retrieves audit logs from files you create using Microsoft SQL Server 2008 or later. When creating an audit in SQL Server, use “File” as the selection for “Audit destination,” as shown below.

Figure 1: SQL Server Audit Properties window

Choose this file path when specifying LOGbinder for SQL Server’s Audit File Location folder. (If auditing multiple SQL Server instances, specify a unique folder for each.)

You can use one installation of LOGbinder for SQL Server to monitor audits from multiple Microsoft SQL servers. Create an input for each server you wish to monitor. However, each input has to be located in its own unique folder. It is not possible to read audit log files generated by multiple SQL Server instances within the same folder.

To adjust the properties of an input, use the menu Action\Properties or double-click on it. Check the box “Specify last processed file” if you are reinstalling LOGbinder for SQL Server and must resume at a specific location. Generally, though, this box will be unchecked—as you will experience errors if an invalid selection is made.

In the section “SQL Server for Processing Events,” choose (or enter the name of) an existing SQL server. All eligible servers can be listed by pressing the Refresh button. (Note that only SQL servers that have the SQL Server Browser service running can be discovered and listed here.) You do not need to choose the server that generates the events; any of these servers can be chosen. The version of the server processing the audit events has to be equal to or higher than the version of the server that is generating the events. (For example, if the server generating the events is SQL Server 2014, you can process those with SQL Server 2014, SQL Server 2014 Express, SQL Server 2016, SQL Server 2016 Express, but not with SQL Server 2012.)


Figure 2: Input properties window

The LOGbinder service account must have the following permission:

  • “Control Server” permission on this SQL server [NOTE: The service account does not need such permissions to the server(s) generating audit events.]

The SQL Server service account that is running the SQL Server for Processing Events must have the following permission:

  • Read access to the Audit File Location folder

Why do I need to specify a SQL server?

Above it is noted that LOGbinder for SQL Server does not access the audit logs directly from your Microsoft SQL Server (a.k.a. your production server). So, why does a SQL server need to be chosen? And for what purpose?

When SQL outputs audit logs to a file, it does so in an encrypted format that can be read only by Microsoft SQL Server itself. This is essential to prevent tampering with the integrity of the audit log trail. Thus, LOGbinder for SQL Server cannot read these log files itself, but it must use SQL Server to read the logs.

LOGbinder must be able to use an installation of SQL Server 2008 or later, including Express edition. In most cases you will not want to choose your production server for LOGbinder’s use to process events.

Adding new inputs in bulk

If you have many inputs to add, these can be entered through a comma-separated values (CSV) file. Each line of the CSV file should have the folder name and the processing SQL Server separated by a comma, with the first line being the header. For example:

folder,sql_server
C:\Audit Logs,MYSERVER1\SQLSERVER1
\\MYSERVER3\SQL Audit Logs,MYSERVER2\SQLSERVER2
C:\Other Audit Logs,MYSERVER2\SQLSERVER4

Use the menu Action\Add Inputs from File. Browse for the CSV file and open it. Click on the "Test inputs" button to verify that the inputs can be set up properly. When satisfied, the "Add" button will add all correct inputs.
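A pre-flight check for the bulk-input CSV, added here as an example (it is not part of LOGbinder or its documentation). It checks the header, the two-column shape, the drive or UNC path form, and that no two rows share a folder, as the Audit File Location section requires. The function names, the way folders are compared (case-insensitive, trailing backslashes ignored) and the server-name check are assumptions.

```python
import csv
import io
import re

EXPECTED_HEADER = ["folder", "sql_server"]
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")        # drive form, e.g. C:\Audit Logs
UNC_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+")   # UNC form, e.g. \\SERVER\share


def folder_key(path):
    # Assumption: two folders are the same input location if they differ
    # only by letter case or by trailing backslashes.
    return path.rstrip("\\").lower()


def validate_inputs_csv(text):
    """Return (rows, problems).

    rows: list of (folder, sql_server) tuples that passed every check.
    problems: list of messages, each prefixed with the CSV line number.
    """
    rows, problems, first_seen = [], [], {}
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != EXPECTED_HEADER:
        problems.append("line 1: header must be 'folder,sql_server'")
    for fields in reader:
        line = reader.line_num
        if not any(f.strip() for f in fields):
            continue  # ignore blank lines
        if len(fields) != 2:
            problems.append("line %d: expected 2 columns, found %d" % (line, len(fields)))
            continue
        folder, server = fields[0].strip(), fields[1].strip()
        ok = True
        if not (DRIVE_RE.match(folder) or UNC_RE.match(folder)):
            problems.append("line %d: folder is not a drive or UNC path: %r" % (line, folder))
            ok = False
        # Assumption: a server is HOST or HOST\INSTANCE, so at most one backslash.
        if not server or server.count("\\") > 1:
            problems.append("line %d: unexpected SQL server name: %r" % (line, server))
            ok = False
        key = folder_key(folder)
        if key in first_seen:
            problems.append("line %d: folder already used on line %d; each input needs "
                            "its own folder" % (line, first_seen[key]))
            ok = False
        else:
            first_seen[key] = line
        if ok:
            rows.append((folder, server))
    return rows, problems


# The example file from this page.
PAGE_EXAMPLE = r"""folder,sql_server
C:\Audit Logs,MYSERVER1\SQLSERVER1
\\MYSERVER3\SQL Audit Logs,MYSERVER2\SQLSERVER2
C:\Other Audit Logs,MYSERVER2\SQLSERVER4
"""

# Constructed sample with a shared folder, a relative path and an extra column.
CONSTRUCTED_BAD = r"""folder,sql_server
C:\Audit Logs,MYSERVER1\SQLSERVER1
c:\audit logs\,MYSERVER2\SQLSERVER2
Audit Logs,MYSERVER1\SQLSERVER1
D:\Audit,MYSERVER1,extra
"""

if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE), ("constructed bad", CONSTRUCTED_BAD)):
        rows, problems = validate_inputs_csv(text)
        print("%s: %d usable rows" % (name, len(rows)))
        for p in problems:
            print("  " + p)
```

The "Test inputs" button remains the authoritative check, since only LOGbinder can confirm that the folder and processing server are reachable.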

Deleting inputs

To delete inputs, select one or more inputs (use Shift and/or Ctrl to select more than one), and use the Action\Delete Input menu item.

Configure Output

LOGbinder supports multiple output formats. LOGbinder for SQL Server allows output to go to:

  • LOGbinder SP Event Log: a custom event log under Applications and Services Logs.
  • Security Log: the Windows Security log. (Please remember to set the additional privileges as described in section Step 2 – Check User Accounts and Authority when using this feature.)
  • Syslog-CEF: a Syslog server using ArcSight’s Common Event Format.
  • Syslog-LEEF: a Syslog server using IBM Security QRadar’s Log Event Extended Format.
  • Syslog-Generic: a Syslog server using the generic Syslog format.
  • Syslog-CEF (File): a Syslog file using ArcSight’s Common Event Format.
  • Syslog-LEEF (File): a Syslog file using IBM Security QRadar’s Log Event Extended Format.
  • Syslog-Generic (File): a Syslog file using the generic Syslog format.

At least one of these must be enabled in order for the LOGbinder service to start.

To adjust the settings, select an item and use the menu Action\Properties, or double-click on the item. To enable it, check the box "Send output to [name of output format]."


Figure 3: Output properties window

Select the "Include Noise Events" option if you want to include these in the event log. A “noise event” is a log entry generated from the input (SQL Server) that contains only misleading information. This option is included in case it is essential to preserve a complete audit trail; by default this option is not selected.

For some output formats, LOGbinder for SQL Server can preserve the original data extracted from SQL, along with details as to how the entry was translated by LOGbinder. Check the option "Include XML Data" in order to include these details in the event log. Including this data will make the size of the log grow more quickly. If the option does not appear, then it is not supported for that output format.

For the output format "LOGbinder SQL Event Log", the entries are placed in a custom log named "LOGbinder SQL." When the log is created, by default the maximum log size is set to 16MB, and it will overwrite events as needed. If changing these settings, balance the log size settings with the needs of your log management software as well as the setting for "Include XML Data." In this way you will ensure that your audit trail is complete.

For file based outputs, such as Syslog (File), the output file is stored, by default, in the "C:\ProgramData\LOGbinder SQL" folder, or in the folder specified by the “Alternate Output Data Folder” option under File\Options. (See section below on Configure Options.)

Configure Service

To start, stop, and restart the LOGbinder for SQL Server (LOGbinder SQL) service, use the buttons on this panel. You may also use the items in the Action menu, or the toolbar.


Figure 4: Message indicating outputs not configured

Although you can use the Services window in the Windows Control Panel to start and stop the service, it is recommended that you use LOGbinder's user interface to control the service. Before starting the service, LOGbinder will confirm that the settings are accurate and that the necessary permissions have been granted. If the service fails to start, a message will be shown as to what settings need to be corrected. The reasons why the service will not start include:

  • If no inputs have been properly configured.
  • If no outputs (i.e. Windows Event Log, Windows Security Log) are enabled.

If either of these conditions is found, the service will not start. A message will be presented to the user with the details of the problem.

If the service cannot start because the account does not have sufficient authority, or if there is another problem preventing it from running, the details of the problem are written to the Application Event Log. These events can also be viewed inside of the LOGbinder control panel, by selecting the “LOGbinder Diagnostic Events” view.

See the section Monitoring LOGbinder for SQL Server for more information on how to handle issues that may arise when starting the LOGbinder for SQL Server (LOGbinder SQL) service.

Configure Options

Use the menu File\Options to change LOGbinder's options.

The Service Account lists the user account that runs the LOGbinder for SQL Server (LOGbinder SQL) service. This is the account you specified when installing LOGbinder for SQL Server. If it is necessary to change the account, use the Services management tool (in Windows Administrative Tools).

If the “Do not write informational messages to the Application log” box is checked, then event 551 – LOGbinder agent successful (see Appendix C: Diagnostic Events) will not be written to the Application log.


Figure 5: Options window

The Purge audit files after processing option will move or delete audit files that are no longer in use by SQL Server and have already been processed by LOGbinder and forwarded to the selected output(s).

  • The Move option will move the processed sqlaudit files to a sub-folder named "processed". From there you can either archive or delete the processed files.
  • The Delete option will delete the processed sqlaudit files.

The Logging options can be utilized for diagnostic purposes if experiencing problems with LOGbinder. By default, the Logging Level is set to None. If necessary, the Logging Level can be set to Level 1 or Level 2. Level 1 generates a standard level of logging detail. Level 2 generates more detailed logging. Level 2 should be selected only if specifically requested by LOGbinder support; otherwise performance will be adversely affected. Both Level 1 and Level 2 logging options will generate log files named Control Panel.log, Service.log, Service Controller.log and Service Processor.log in the Log location folder.

“Alternate Output Data Folder” specifies the data folder used for the output data. This is the folder where LOGbinder stores outputs that are written to files, such as Syslog-Generic (File), as well as the above-mentioned diagnostic files. The folder path can be given with a drive letter or, if it is a network location, as a UNC path. The default folder is {Common Application Data}\LOGbinder SP (i.e. C:\ProgramData\LOGbinder SP). Please note that the Alternate Output Data Folder needs the same permissions as the Common Application Data folder as specified above in section Step 2 – Check User Accounts and Authority.

Status Bar

The status bar will show information about the operation of LOGbinder.

  • Displays the status of the service: stopped, running, or in an 'unknown' state.
  • Shows the status of the license for LOGbinder. If LOGbinder is not fully licensed, a message will appear in the status bar.
  • Indicates that settings have been changed. In order to apply the changes, the LOGbinder for SQL Server (LOGbinder SQL) service must be restarted. If the LOGbinder for SQL Server (LOGbinder SQL) service is running and the LOGbinder for SQL Server control panel is closed, the changes will be discarded.

License

Use the menu File\License to view information about your license for LOGbinder. If you have purchased LOGbinder for SQL Server and need to obtain a license key, follow these steps:

  1. For Unit/Server Count, enter the number of audit inputs being monitored.
  2. Press the Copy button, and paste the contents into a support ticket.
  3. When the license key is received, copy it to the clipboard and press the Paste button.


Figure 6: License window

If you are properly licensed, the license window will redisplay and show that you are properly licensed. If there is a problem, respond to your license request ticket immediately.

2.3. Monitoring LOGbinder for SQL Server


When installing, configuring, and running LOGbinder for SQL Server, the software writes diagnostic events to the Windows Application Event Log. Most of these will be from the source "LOGbndSE" and the category "LOGbinder." You may use the Windows Event Viewer to examine these events.

During Installation and Configuration

During installation and configuration, you will find these entries:

  • After installation, there may be an entry from the source MsiInstaller: "Product: LOGbinder SQL -- Installation completed successfully."
  • When the configuration of LOGbinder for SQL Server changes, you will see one or more entries entitled "LOGbinder settings changed." See Appendix C: Diagnostic Events, “553 – LOGbinder settings changed,” for information about these events.
  • When the service starts, there may be an entry from the source LOGbinder SQL: "Service started successfully." (Entries are also written when the service is stopped.)

You can monitor these events to ensure that LOGbinder for SQL Server continues to be configured properly, and that unauthorized changes do not occur.

After configuring LOGbinder for SQL Server and starting the service, it automatically performs a check to ensure that LOGbinder's settings are valid and that the account running the Windows service has sufficient authority. If there is a problem, the LOGbinder for SQL Server (LOGbinder SQL) service will not start and a message will be presented to the user. In most cases, the details of the problem are written to the Application log. Common problems include:

  • Input/output not configured properly. See the previous section Configuring LOGbinder for SQL Server for more information.
  • Insufficient authority. If the service account does not have adequate authority, then the service will not run. An entry is written to the Application log. See Appendix C: Diagnostic Events, “556 – LOGbinder insufficient authority,” for more details. Some of the common missing permissions include:
    • Account does not have authority to log on as a Windows service
    • Account does not have necessary permissions to the Audit File Location.
    • The account does not have authority to write to the Security event log. (If this output destination has not been selected, then it is not necessary to grant this permission.)
  • License invalid. If the license is not valid or has expired, then the LOGbinder for SQL Server (LOGbinder SQL) service will not run. An entry may be written to the Application log. See Appendix C: Diagnostic Events, “557 – License for LOGbinder invalid,” for details.
  • Other errors will be found in entries entitled "LOGbinder error." See Appendix C: Diagnostic Events, “555 – LOGbinder error,” for more information.

If any of these errors are encountered, the LOGbinder for SQL Server (LOGbinder SQL) service will not run.

While LOGbinder for SQL Server is Running

While LOGbinder for SQL Server is running, you will see information entries in the Application log as follows:

  • Entries 'exported' from SQL. This message indicates the number of audit entries that LOGbinder for SQL Server has processed.
  • Entries 'imported' into the Windows event log. This indicates that the audit entries have been placed in the enabled output formats. There will be one message event if multiple output formats have been selected (i.e. you have selected both Windows Security Log and Windows Event Log as output formats). The 'export'/'import' entries are complementary: there should be a corresponding 'import' entry for each 'export.'

These log entries are informational in nature. Generally no action is required. If more entries are being processed than appear in the event logs or in your log management solution, it could be that the log size is too small and entries are being overwritten. See Appendix C: Diagnostic Events, “551 – LOGbinder agent successful,” for more information on these events.

There may also be some warning event entries:

  • LOGbinder agent produced unexpected results. When LOGbinder for SQL Server cannot translate an event properly, in addition to outputting the event to the selected output streams, it also creates an entry in the Application log. See Appendix C: Diagnostic Events, “554 – LOGbinder agent produced unexpected results,” for further details.

If LOGbinder for SQL Server has an error, an entry will be created in the Application log. If permissions are removed, or if the license expires, you may receive a "556 – LOGbinder insufficient authority" or "557 – License for LOGbinder invalid" error, which are explained above. Other errors will be entitled "LOGbinder error." If you cannot resolve the problem, please submit the issue to the LOGbinder support team.
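The monitoring guidance above, turned into a small triage routine as an added example (not LOGbinder code). It takes diagnostic events already exported from the Application log as (event ID, message) pairs, checks that every 551 'export' has a matching 'import', and surfaces 552 to 557 events. The message shapes follow Appendix C: Diagnostic Events; the severity labels, the function names and the assumption that events arrive in chronological order with each import following its export are this example's own.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity event_id detail")

# Message shapes taken from the 551 examples in Appendix C.
EXPORT_RE = re.compile(r"exported (\d+) entries from SQL logs from (.+)$")
IMPORT_RE = re.compile(r"imported (\d+) entries to (.+)$")

# Assumption: severity labels chosen for this example, not defined by LOGbinder.
SEVERITY = {552: "low", 553: "review", 554: "medium",
            555: "high", 556: "high", 557: "high"}


def detail_of(message):
    """Drop the title line (e.g. 'LOGbinder error') and keep the rest, truncated."""
    lines = [ln.strip() for ln in message.strip().splitlines() if ln.strip()]
    text = " ".join(lines[1:]) if len(lines) > 1 else (lines[0] if lines else "")
    return text[:200]


def unmatched(pending):
    return Finding("high", 551, "export of %d entries from %s has no matching import"
                   % (pending[0], pending[1]))


def triage(events):
    """events: iterable of (event_id, message) in chronological order."""
    findings = []
    pending = None  # [count, folder, matched] for the most recent export
    for event_id, message in events:
        detail = detail_of(message)
        if event_id == 551:
            exp, imp = EXPORT_RE.search(detail), IMPORT_RE.search(detail)
            if exp:
                if pending and not pending[2]:
                    findings.append(unmatched(pending))
                pending = [int(exp.group(1)), exp.group(2), False]
            elif imp:
                # Several outputs may each report an import for the same export.
                if pending and pending[0] == int(imp.group(1)):
                    pending[2] = True
                else:
                    findings.append(Finding(
                        "high", 551,
                        "import of %s entries to %s does not match the preceding export"
                        % imp.groups()))
        elif event_id in SEVERITY:
            findings.append(Finding(SEVERITY[event_id], event_id, detail))
    if pending and not pending[2]:
        findings.append(unmatched(pending))
    return findings


# Constructed sample, modelled on the message examples in Appendix C.
SAMPLE_EVENTS = [
    (551, "LOGbinder agent successful\n"
          "LOGbinder SQL exported 3 entries from SQL logs from c:\\sqlaudit\\"),
    (551, "LOGbinder agent successful\n"
          "LOGbinder SQL imported 3 entries to Security event log"),
    (553, "LOGbinder settings changed\n"
          "Settings for C:\\SQLAudit2 adjusted: folder changed from C:\\SQLAudit2 to C:\\SQLAudit"),
    (551, "LOGbinder agent successful\n"
          "LOGbinder SQL exported 5 entries from SQL logs from c:\\sqlaudit\\"),
    (555, "LOGbinder error\n"
          "Cannot start LOGbinder SQL service, SQL Audit Locations not configured."),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("%-6s %d  %s" % (f.severity, f.event_id, f.detail))
```

If “Do not write informational messages to the Application log” is checked, no 551 events are written, so the export/import check has nothing to work on and only the 552 to 557 findings remain.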

2.4. Appendix A: Assigning Permissions

SQL Control Server permission

  • Use the following Transact-SQL script to assign the “Control Server” permission to the service account:

USE master
GRANT CONTROL SERVER TO [domain\user]
GO

  • The “Control Server” permission does not appear on the Login Properties window in SQL Server Management Studio. The “SysAdmin” server role is basically the equivalent of the “Control Server” permission, and this could be assigned instead of “Control Server”:
    • In SQL Server Management Studio, navigate to Security\Logins
    • Select the login for the service account and open its properties
    • Select the Server Roles page
    • Check “sysadmin” and close
  • NOTE: Whereas the “SysAdmin” server role supersedes all other permissions, the “Control Server” privilege is affected by other statements: ‘DENY’ statements can reduce the privileges it confers. While it is beyond the scope of this document to outline specific scenarios, “Control Server” could be used in situations where it is necessary to reduce the privileges of the service account.

Local Security Policy Changes

The following chart summarizes the changes to be made in the Local Security Policy. More detailed explanations are found after the chart.

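Local Security Policy (secpol.msc) settings summary

| Setting | Windows Server 2003 | Windows Server 2008/2012 | When required |
| --- | --- | --- | --- |
| Security Settings\Local Policies\User Rights Assignment\Log on as a service | add service account | add service account | This always needs to be set |
| Security Settings\Local Policies\User Rights Assignment\Generate security audits | add service account | add service account | Needs to be set if outputting to Windows Security log |
| Security Settings\Local Policies\Audit Policy\Audit object access | set Success and Failure | N/A | Needs to be set if outputting to Windows Security log |
| Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | N/A | set Enabled | Needs to be set if outputting to Windows Security log |
| Security Settings\Advanced Audit Policy Configuration\Object Access\Audit Application Generated | N/A | set Success and Failure | Needs to be set if outputting to Windows Security log |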

Log On as a Service

  • Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
  • Select Security Settings\Local Policies\User Rights Assignment
  • Open "Log on as a service" and add user
  • NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Generate Security Audits (SeAuditPrivilege)

  • Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
  • Select Security Settings\Local Policies\User Rights Assignment
  • Open "Generate security audits" and add user
  • NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Audit Policy

Windows Server 2003

  • Open the "Local Security Policy" (secpol.msc) Microsoft Management Console (MMC) snap-in.
  • Select Security Settings\Local Policies\Audit Policy
  • Edit "Audit object access," ensuring that "Success" is enabled. (LOGbinder for SQL Server does not require that the "Failure" option be enabled.)
  • NOTE: You can also configure this via a group policy object in Active Directory. If you try to modify this setting in Local Security Policy and the dialog is read-only, it means it is already being configured via Group Policy and you'll need to configure it from there.

Windows Server 2008 and 2012

Audit policy can be configured with the original top-level categories as described above for Windows Server 2003, but most environments have migrated to the new, more granular audit subcategories available in Windows Server 2008 (aka Advanced Audit Policy).

Using Advanced Audit Policy Configuration allows for more granular control of the number and types of events that are audited on the server. (NOTE: The steps described here are for Windows Server 2008 R2; see TechNet for information on earlier releases.)

  • First, you must ensure that ‘basic’ and ‘advanced’ audit policy settings are not used at the same time.
    • Microsoft gives this warning: “Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.” (http://technet.microsoft.com/en-us/library/dd692792(WS.10).aspx)
    • Select Security Settings\Local Policies\Security Options
    • Open and enable “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
  • To enable LOGbinder for SQL Server events to be sent to the security log:
    • Select Security Settings\Advanced Audit Policy Configuration\Object Access
    • Edit “Audit Application Generated,” ensuring that “Success” is enabled. (LOGbinder for SQL Server does not require that the “Failure” option be enabled.)
    • NOTE: You can also configure this via a group policy object in Active Directory.

2.5. Appendix B: LOGbinder Event List

LOGbinder for SQL Server Events

See a list of all of the LOGbinder for SQL events at this link - https://www.logbinder.com/Products/LOGbinderSQL/EventsGenerated

Diagnostic Events

551 – LOGbinder agent successful
552 – LOGbinder warning
553 – LOGbinder settings changed
554 – LOGbinder agent produced unexpected results
555 – LOGbinder error
556 – LOGbinder insufficient authority
557 – License for LOGbinder invalid

2.6. Appendix C: Diagnostic Events

551 – LOGbinder agent successful

Occurs when LOGbinder for SQL Server successfully translates log entries. These events usually appear in pairs: one indicates that log entries have been 'exported' from their source (for example, SQL Server), and the other that entries have been 'imported' to their destination (for example, the Windows event log). This event is informational in nature.

This event is written to the Windows Application log.

Example A

LOGbinder agent successful
LOGbinder SQL exported 3 entries from SQL logs from c:\sqlaudit\

Example B

LOGbinder agent successful
LOGbinder SQL imported 3 entries to Security event log

Example C

LOGbinder agent successful
LOGbinder SQL imported 3 entries to LOGbinder SQL event log

552 – LOGbinder warning

Occurs when LOGbinder for SQL Server does not find information as expected. In most cases, it does not indicate a serious problem, but is provided so as to complete the audit trail. This event is written to Windows application log.

For example, as LOGbinder for SQL Server translates entries, it performs various lookups to provide complete information. If the related item was deleted, a "LOGbinder warning" is generated.

Example A

LOGbinder warning
Lookup failed. Could not find Scope Item with ID of 89de71fe-1442-48ff-9a6e-052bddda3440.

Example B

LOGbinder warning
Lookup failed. Could not find User with ID of 19.

553 – LOGbinder settings changed

Occurs when the LOGbinder settings are changed. This event is written to Windows Application log.

For LOGbinder for SQL Server, this includes changes to the Audit File Location.

Example A

LOGbinder settings changed
Output to Security log enabled. Noise events included.

Example B

LOGbinder settings changed
Settings for c:\sqlaudit\ adjusted: Last export value is c:\sqlaudit\Audit-LocalFile_3B48C4ED-9DA8-462E-BFD9-4935A28148B8_0_129590759441100000.sqlaudit; offset 0

Example C

LOGbinder settings changed
Settings for C:\SQLAudit2 adjusted: folder changed from C:\SQLAudit2 to C:\SQLAudit

554 – LOGbinder agent produced unexpected results

Occurs when LOGbinder for SQL Server encounters something unexpected when translating a log entry. At times it may be from a custom log entry.

This event is written to Windows Application log.

You can help us improve LOGbinder by reporting these events to the LOGbinder support team so that the LOGbinder product may be improved. Private data will not be shared.

Example A

In this example, the developer created an audit entry with the type "MakeItSo."

LOGbinder agent produced unexpected results
As the LOGbinder agent translated this entry, it encountered data is could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.
<LogEntry siteName="http://shpnt" itemType="Site" userName="Robert Solomon" locationType="Url" occurred="2009-06-26T14:13:02" eventType="MakeItSo"><RawData siteId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemType="Site" userId="1" locationType="Url" occurred="633816223820000000" event="Custom" eventName="MakeItSo" eventSource="ObjectModel"><EventData><Version><Major>1</Major><Minor>2</Minor></Version></EventData></RawData><Details /></LogEntry>

Example B

In this example, the developer used an existing event type, "Workflow," but included non-standard event data.

LOGbinder agent produced unexpected results
As the LOGbinder agent translated this entry, it encountered data is could not handle properly. It could have been caused by a custom or undocumented feature. So that LOGbinder can handle these entries in the future, it is suggested that you submit the entry to the LOGbinder support team.
<LogEntry siteName="http://shpnt" itemType="List Item" userName="Robert Solomon" locationType="Url" occurred="2009-06-29T21:49:11" eventType="Workflow"><RawData siteId="3b7fb82c-f30d-4604-99c0-df8325e9cff4" itemId="c04f5388-bf24-4007-b463-1dd1b3c19a02" itemType="ListItem" userId="1" documentLocation="Cache Profiles/1_.000" locationType="Url" occurred="633819089510000000" event="Workflow" eventSource="ObjectModel"><EventData>http://shpnt/docLib/CopiedFile.ext</EventData></RawData><Details /></LogEntry>

555 – LOGbinder error

Occurs when LOGbinder encounters a problem that needs attention. This event is written to Windows Application log. In most cases this gives enough information for you to address the problem successfully. Otherwise, please contact LOGbinder support for assistance.

Example A

In this example, the error indicates that LOGbinder for SQL Server has not been configured properly: no SQL audit location was set to be monitored by LOGbinder.

LOGbinder error
Cannot start LOGbinder SQL service, SQL Audit Locations not configured.

556 – LOGbinder insufficient authority

Occurs when LOGbinder for SQL Server (LOGbinder SQL) service cannot run because of invalid or inadequate permissions. The event will include the module lacking the permission, the name or description of the permission, as well as relevant details. Each example below also includes the action needed in order to correct it.

Example A: No permission to write to security log

LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: SeAuditPrivilege
Details: The LOGbinder agent does not have the permissions to configure the security log

Action: The service account needs the "Generate security audits" privilege (https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Generate-security-audits), or do not enable LOGbinder to output to the Windows Security log.

Example B: Attempt to write to security log from invalid location

One measure to protect the security log is to write security events only from authorized locations. When LOGbinder is configured, it registers its program location with the security log. If this error occurs, LOGbinder has been reinstalled to a different location, and the previous location was not removed properly.

LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: Invalid Location
Details: Cannot write to because the program location does not match what has been previously configured

Action: Recommended to delete the registry key manually. First ensure that LOGbinder is not open. Then delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LOGbndSC. Be careful not to delete other parts of the registry, as it can cause the server to be unstable. When you reopen LOGbinder, it will reconfigure its ability to write to the security log.

Example C: Internal error

LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: Security Log
Privilege: Internal Error
Details: The security account database contains an internal inconsistency

Action: One factor that can cause an internal error is if the LOGbinder program path is too long. By default, LOGbinder is installed to C:\Program Files\LOGbndSQ. It is recommended that the default be used. If the software has been installed to a different location with a longer program path, to correct this error it will be necessary to reinstall LOGbinder.

Example D: Log on as service

LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: LOGbinder service
Privilege: Log on as service
Details: Account running LOGbinder agent does not have user right "Logon as a service"

Action: The service account needs to be assigned the "Logon as a service" user right. (https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Log-on-as-a-service)

Example E: Cannot start LOGbinder control panel

LOGbinder insufficient authority
The LOGbinder agent cannot operate normally because it lacks sufficient authority.
Source: LOGbinder Manager
Privilege: File Permissions
Details: Account running LOGbinder Control Panel needs to be a member of the local Administrators group

Action: Ensure that the user account used to run the LOGbinder for SQL Server control panel has local administrator access.

557 – License for LOGbinder invalid

Occurs when the license for LOGbinder is not valid and an attempt is made to start the service. This event is written to the Application log.

If the license is not valid, the LOGbinder for SQL Server control panel continues to operate as normal. However, the LOGbinder service will not start if the license is invalid. Follow the instructions in the control panel, in the menu File\License, in order to obtain a license to the software.

Example

License for LOGbinder invalid
Details: License is invalid. Open LOGbinder SQL Control Panel to remedy.

3. How To

3.1. Need help configuring SQL Server 2008+ Audit Policy?

Introducing: LOGbinder for SQL Server - SQL Audit Policy Wizard

Our totally free SQL Audit Policy Wizard steps you through the process of implementing SQL Server 2008+ auditing. You can use our recommended baseline audit policy or customize it to fit your requirements.

After you select your SQL Server and fine-tune your desired audit policy, SQL Audit Policy Wizard automatically creates the necessary Server Audit and Server Audit Specification objects on your SQL server and optionally enables them so that auditing begins automatically.

You can also see the actual Transact-SQL generated by the wizard for learning purposes or for further customization. SQL Server 2008+ Audit Policy Wizard even allows you to modify existing audit objects.

3.2. SQL Server Audit Support in Different Editions and Versions

SQL Server Audit has gradually been brought to more editions of SQL Server over the years. When this true, native auditing feature was introduced in SQL Server 2008, it was only available in the Enterprise and Datacenter editions. SQL Server 2012 made server-level auditing partially available to all editions, leaving only the more granular database-level auditing still exclusive to the Enterprise edition. Starting with SQL Server 2016 SP1, all auditing features, that is, both server-level and database-level auditing, are available to all editions.

SQL Server Audit is based on actions and action groups. The audit can contain server-level audit specification and database-level audit specifications:

  • Server-level auditing consists of server-level audit action groups, which include server operations, such as security operations involving logins, roles and permissions, logon and logoff operations, database backup and restore, and manipulation of certain database, server, and schema objects.
  • Database-level auditing is auditing at the database scope, and it is set on each database individually. Microsoft calls it "fine grained auditing". Database-level auditing utilizes database-level audit action groups, and database-level audit actions.
    • The database-level audit action groups cover some similar areas as the server-level audit groups, if applicable, but at the database level.
    • In addition to auditing action groups, database-level auditing also enables auditing certain individual actions, such as SELECT, INSERT, UPDATE, DELETE, EXECUTE, RECEIVE, and REFERENCES. These database-level audit actions can be restricted to a specific database, an object (such as table, view, stored procedure), or a schema.

Here is a summary of the SQL Server Audit support in the different editions:

| Edition \ Version | SQL Server 2008 and 2008 R2 | SQL Server 2012 and 2014 | SQL Server 2016* and 2017 |
|---|---|---|---|
| Enterprise | Server- and database-level | Server- and database-level | Server- and database-level |
| Developer | Server- and database-level | Server- and database-level | Server- and database-level |
| Datacenter | Server- and database-level | N/A | N/A |
| Business Intelligence | None | Server-level | N/A |
| Standard | None | Server-level | Server- and database-level* |
| Web | None | Server-level | Server- and database-level* |
| Express | None | Server-level | Server- and database-level* |

* Database-level auditing for Standard, Web and Express editions is available starting with SQL Server 2016 SP1.

So where does LOGbinder for SQL Server fit into the SQL audit equation? LOGbinder for SQL Server can be installed on any Windows server that has access to a SQL Server 2008 or later regardless of the edition, including Express edition. It does not need to be installed on the production server. The requirement is that the SQL Server that is being audited is:

  1. Set to produce audit events.
  2. Set to output these audit events to a location accessible to LOGbinder for SQL Server and the SQL Server that is set to process the audit logs.

The audit file can then be accessed and processed by LOGbinder for SQL Server and made available for your SIEM / log management solution.
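
An added example, not taken from LOGbinder's documentation or from the SQL Audit Policy Wizard's output: T-SQL that sets up the server-level and database-level layers described above and sends the records to a file target that LOGbinder for SQL Server can read. The audit, specification, database, table and schema names and the UNC path are assumptions; the action groups are standard SQL Server ones.

```sql
-- Added example. All object names and the share path are hypothetical.
USE master;
GO

-- 1. The audit object defines WHERE records go. A file target on a share
--    lets LOGbinder (and the SQL Server instance it uses to process the
--    files) read them without touching the production server.
CREATE SERVER AUDIT [Audit_ToFile]
TO FILE (
    FILEPATH = N'\\logcollector\sqlaudit\',  -- hypothetical share; the SQL Server
                                             -- service account needs write access
    MAXSIZE = 100 MB,                        -- roll over to a new file at this size
    MAX_ROLLOVER_FILES = 50,
    RESERVE_DISK_SPACE = OFF
)
WITH (
    QUEUE_DELAY = 1000,      -- milliseconds; asynchronous write keeps overhead low
    ON_FAILURE = CONTINUE    -- keep serving queries if the target is unreachable
);
GO

-- 2. Server-level specification: action groups only (available in every
--    edition from SQL Server 2012 onward, per the table above).
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_Server]
FOR SERVER AUDIT [Audit_ToFile]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (LOGOUT_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (BACKUP_RESTORE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)         -- records changes to the audit itself
WITH (STATE = ON);
GO

-- 3. Database-level specification: set per database. Mixes action groups
--    with individual actions scoped to one object and one schema.
--    Needs an edition that supports database-level auditing (see table).
USE [SalesDb];                        -- hypothetical database
GO
CREATE DATABASE AUDIT SPECIFICATION [AuditSpec_SalesDb]
FOR SERVER AUDIT [Audit_ToFile]
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
    -- Individual actions on a single sensitive table, for every principal.
    ADD (SELECT, UPDATE, DELETE ON OBJECT::[dbo].[CustomerCard] BY [public]),
    -- Individual action on everything inside one schema.
    ADD (EXECUTE ON SCHEMA::[payroll] BY [public])
WITH (STATE = ON);
GO

-- 4. Nothing is written until the audit object itself is enabled.
USE master;
GO
ALTER SERVER AUDIT [Audit_ToFile] WITH (STATE = ON);
GO

-- 5. Confirm the audit is started and see which file it is writing to.
SELECT name, status_desc, audit_file_path
FROM sys.dm_server_audit_status;
GO
```

Keeping the object-level SELECT/UPDATE/DELETE entries limited to the few tables that need them keeps the audit file volume manageable.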

To summarize, audit logs could move the following way:

3.3. Comparison: SQL Server Audit vs. SQL Trace Audit for security analysts

Security analysts must have meaningful, relevant audit data from mission-critical applications such as SQL Server. Database admins must have no disruption or degradation of the performance of mission-critical instances of SQL Server. Beginning with SQL Server 2008, versions of Microsoft SQL Server offer a new, superior SQL audit capability custom-built to meet demands from both parties.

Many, if not most, organizations have gotten comfortable with SQL Trace. They have satisfied themselves with its inefficiencies, and cobbled together custom routines to reduce its voluminous output. Outweighing whatever problems may exist with SQL Trace is one simple fact: it doesn’t hurt the database(s) to keep it going. Nobody wants to run the risk of disrupting the current process. It may not be great, but it’s what is comfortable.

Here’s the problem: SQL Trace leaves big gaps that compromise organizations’ InfoSec and compliance policies.

So, many organizations are taking a hard look at the risks vs. rewards of moving away from SQL Trace and implementing SQL Server Audit as part of the application security intelligence SIEM deployment. To help inform the professionals charged with this decision, our founder Randy Franklin Smith, and Tamas Lengyel, one of our software engineers, have collaborated in writing a white paper, Comparison: SQL Server Audit and SQL Trace Audit. This detailed resource will help both security analysts and database admins to get a better understanding of the superior SQL Server Audit function. The white paper presents the options available to both audit logs and then provides specific benefits that come with SQL Server Audit:

  • Easy administration and predefined activities
  • Granularity, Specificity
  • Performance improvements
  • Better (and more) output options, centralized storage of audit logs
  • Audit trail integrity

The short story is that SQL Server Audit hits the sweet spot for both database admins and security analysts: it’s a low impact process that yields better results.

Get the full story, download the whitepaper. It may also be helpful to read why LOGbinder solves a critical problem in SQL Server security intelligence at logbinder.com.

3.4. LOGbinder troubleshooting tip: Use the Diagnostic Logs

By a wide margin, the support issues we hear about are resolved by revisiting the steps provided in the Troubleshooting section of the LOGbinder application’s Getting Started Guide. Our support desk reports that most customers “self-serve” by checking that section or even the Windows Event Viewer for details, but only after first submitting a trouble ticket. We are happy to have such feedback by the way; it helps us to make sure our installation guides are comprehensive.

But here’s a tip for all the other support issues where such “Tier 1” steps don’t fix the problem: review the LOGbinder diagnostic log file(s). Here’s how to generate the troubleshooting file(s):

  1. Choose “File | Options” from LOGbinder control panel.

  2. Set “Logging level” to Level 1 and start or restart the service.

  3. Wait for the issue to happen again, then find all log files in the C:\ProgramData\LOGbinderXX folder (where XX=SP, SQL or EX for the SharePoint, SQL Server or Exchange audit solution). The log files will have a “.log” suffix to the file name. The number of log files in the folder will depend on the LOGbinder application.

Very often the bit of information needed to resolve a problem is contained in the LOGbinder-generated diagnostic log files. Customers often successfully troubleshoot their issues by perusing these files.

If you need our technicians to help you with a particular problem connected to LOGbinder, open a support ticket and attach these level 1 diagnostic files (compressed into a zip file). Doing so will greatly decrease the time it takes for our technicians to help you solve the problem. Many of the initial questions the support desk will have are answered in one or more of these diagnostic log files.

After the problem is resolved, remember to turn off diagnostic logging to conserve disk space and CPU time.

3.5. Where to find information about LOGbinder events

Every month we answer about 150,000 questions about events. But where do you go if you have a specific question about an event reported by LOGbinder? Some of our SIEM Synergy partners have collaborated with us to provide a hyperlink within their application to take you directly to the relevant event ID page. So when you see an event you wish to research, clicking on the hyperlinked Event ID will take you directly to the details page on Ultimate Windows Security’s Online Encyclopedia.


But what if your SIEM doesn’t have a hyperlink to the right page? You can still get the information by browsing to UltimateItSecurity.com and clicking on Security, then Encyclopedia. (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx) Once there, select the source of the event (All Sources, Windows Audit, SharePoint Audit, SQL Server Audit or Exchange Audit). If you want to narrow the list use the drop-down box on the right, else browse the list of events and click on the appropriate one to get the full details. We list the events in numerical order, so they’re easy to find. (By the way, when you get a chance, send a note to your SIEM’s product manager to ask them to finish their integration so you can save yourself the trouble next time when you need the event information.)


If you still can’t find your answer there then click on the blue “Ask a question about this event” button and post your question in the Ultimate IT Security forum. LOGbinder is now sponsoring an Exchange, SQL and SharePoint forum there and you can expect a quick response from one of our technical engineers.

3.6. What Microsoft Means by “Legacy audit”

Some of you may be seeing a new word crop up in recent Microsoft communications about its applications’ audit: “legacy”. This word is now distributed liberally in TechNet articles. What does it mean? In Microsoft terminology, and in the context of their just-released public and beta versions of their applications’ security audit, it means “current” or “existing”.


A new audit, called “Unified Audit Logging” or UAL, is expected to be introduced by Microsoft later in 2016. UAL will replace the current audit function (or at least be released in tandem), which is why the word “legacy” has started to show up in recent communications from the people in Redmond.

3.7. How to change the LOGbinder service account password

If the password for the LOGbinder service account changes, it also has to be changed on the LOGbinder service.

  1. Open Services.msc
  2. Find the LOGbinder service and open its properties
  3. On the Log On tab, set the new password for the LOGbinder service account

3.8. New technical updates posted and available for customers with current maintenance and support contracts - July 2015

Within the last few weeks (July 2015) we posted new versions of our software containing features and improvements to all 3 of our applications. Two major features will bring immediate performance benefits:

  1. Split Syslog output if over 100mb. Prior to this update, LOGbinder started a new Syslog output every day (with the file named appropriately), but some organizations’ audit activities would generate more than 1GB of data in a day. This large output file size caused problems. So, we updated all 3 of our applications to create a new file after every 100mb of output, with a file name suited to this new scheme.

  2. Streamlined internal audit request and delivery process. To protect the monitored application’s performance and stability, LOGbinder carefully manages the process by which it requests audit log data. Persistent audit log demands can cause harm to the application. We have released an update to all 3 of our products that adds further refinement to the audit request technology by improving the calculated times for audit request and processing. The net effect is reduced resource demand on the monitored application while maintaining delivery speed and audit integrity.

The new updates are available via the website’s download resource page. Customers with current support and maintenance contracts may download and apply these new updates at no additional charge.

4. Resources

4.1. LOGbinder for SQL Server Version History

LOGbinder for SQL Server 6.0.1 (11/14/2023)

  • Add support for SQL Server 2022
  • Add command line interface to add/delete/list inputs
  • Trim long events before writing to event log
  • Redesign pruning of processed files 
  • Better error reporting for FIPS related issues
  • Change minimum requirement to .NET Framework 4.8
  • User interface accessibility improvements 

LOGbinder for SQL Server 5.1.1 (11/22/2020)

  • Add support for SQL Server 2019

LOGbinder for SQL Server 5.0.1 (11/13/2019)

  • Add error handling for corrupted settings file

LOGbinder for SQL Server 4.0.8 (5/5/2019)

  • Add option to delete (instead of move) processed audit files
  • Speed up outputting to Syslog and Syslog files

LOGbinder for SQL Server 4.0.7 (5/4/2019)

  • Retry creating/opening Syslog files on error
  • Add noise event statistics (number of noise events suppressed)
  • Fix noise event filtering for all outputs
  • Fix a regression bug (from 3.0.11) that slowed down outputting

LOGbinder for SQL Server 4.0.6 (1/1/2019)

  • Renewed certificate

LOGbinder for SQL Server 4.0.5 (6/15/2018)

  • Don't stop if folder doesn't exist while creating auditors

LOGbinder for SQL Server 4.0.4 (6/3/2018)

  • Added support for SQL Server 2017
  • Added feature to add/delete inputs in bulk

LOGbinder for SQL Server 3.0.17 (4/7/2018)

  • Avoid stopping the service if input folder is unavailable

LOGbinder for SQL Server 3.0.16 (3/9/2018)

  • Handle multiple NICs correctly for Syslog outputs

LOGbinder for SQL Server 3.0.12 (12/22/2017)

  • Fixed a small regression bug

LOGbinder for SQL Server 3.0.11 (12/12/2017)

  • Increased allowed memory threshold
  • Added feature to select inputs by searching for text included in their names
  • Added date range to event 551
  • Fixed an issue relating inspection
  • Fixed Syslog date to use US format of month names instead of internationalized versions

LOGbinder for SQL Server 3.0.9 (8/20/2017)

  • Better handling the SQL Server error of not being able to process file name and offset pair
  • Fixed a date issue due to regional settings
  • Increased LOGbinder service startup timeout

LOGbinder for SQL Server 3.0.3 (2/16/2017)

  • Fix not moving some purged audit files bug

LOGbinder for SQL Server 3.0.2 (12/31/2016)

  • Added visual feedback on the user interface for actions that take long

LOGbinder for SQL Server 3.0.1 (12/23/2016)

  • Added support for SQL Server 2016
  • Added option to purge processed audit files
    • When this option is enabled, audit files that are no longer in use by SQL Server and have been processed by LOGbinder are moved to the "processed" sub-folder, from where it can be archived. This not only helps in preserving disk space, but also speeds up processing speed.
  • Added statistics to informational events
    • Information includes processed file names, elapsed time, EPS (events per second)
  • New and improved installer
  • Fixed handling PWCS:SL, PWC:SL, PWR:SL, PWRS:SL events
  • Added time zone classifier to Syslog, CEF and LEEF outputs
  • Refined service start/stop process
  • Removed reporting and event nodes from the Control Panel
  • Changed some LOGbinder message terminology
  • Added option to specify installation folder other than the default
  • Several other updates and improvements

LOGbinder for SQL Server 2.5.13 (1/26/2016)

  • Bug Fix for outputting LEEF in UDP

LOGbinder for SQL Server 2.5 (4/24/2015)

  • Add new events to support Microsoft SQL Server 2014
  • Add LEEF format
  • Add server name to events 25001 and 25002
  • A number of other fixes and improvements

LOGbinder SQL 2.1.1 (11/13/2014)

  • Increase timeout to 1 hour

LOGbinder SQL 2.1.0 (10/24/2014)

  • Add support for LEEF output

LOGbinder SQL 2.0.3 (9/17/2014)

  • Increase timeout to 10 minutes
  • Adjust width of Input window to allow for lengthy file names
  • Avoid error while typing in UNC path in Input window

LOGbinder SQL 2.0.2 (3/10/2014)

  • Process only 20,000 events at a time to avoid memory error

LOGbinder SQL 2.0.0 (9/2/2013)

  • Support SQL 2012, including new events
  • Handle better if bad credentials entered at installation
  • Handle error when loading list of SQL servers if name or version of server is missing
  • Truncate large events written via Syslog
  • Handle some events that were written as generic
  • Fix bug with event list

LOGbinder SQL 1.5.12 (5/30/2013)

  • New event #550 “LOGbinder process report”
  • New event #558 “LOGbinder process warning”
  • Fix problem if system data on SQL servers does not contain name or version

LOGbinder SQL 1.5.11 (9/10/2012)

  • Add Syslog and CEF outputs
  • Diagnostic log splits after reaches 10MB in size

LOGbinder SQL 1.0.4

  • Fix bug if no SQL servers found

LOGbinder SQL 1.0.0

  • First release

4.2. LOGbinder for SQL Server FAQ

Where can I learn more about SQL Server's new Auditing capability?

Visit our SQL Audit Background page for lots of help.

Why do I need LOGbinder for SQL Server - can't SQL Server send audit events to the Windows event log itself?

SQL Server can definitely output its raw audit events to the Windows event log. In fact, we encourage you to configure it and try it out. We think you will agree that LOGbinder for SQL Server is needed for 2 reasons:

  1. Performance: Writing events to the SQL server's local security log can consume added CPU, memory and disk resources which may be unavailable on heavily loaded database servers.
  2. Raw, Cryptic Audit Data: The audit records generated by SQL Server audit are cryptic and difficult to understand. SQL Server uses log record format for documenting everything from an insertion on a table to a modification of a stored procedure. And while SQL Server can write events to the security log, it uses the same event ID for all events, and the IDs and keywords are not resolved. Thus, it requires in-depth knowledge of the SQL audit model to decipher events. LOGbinder for SQL Server enriches SQL Server’s cryptic and generic audit messages to produce more than 300 different and easy-to-understand audit log events in Windows event log, where any log management or SIEM solution can collect, alert, report, and analyze.
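
To see the raw records this answer refers to, the following added example (not LOGbinder code) reads an audit file directly with SQL Server's own function and resolves the action and class codes by hand. The folder C:\SQLAudit is the sample location from the event 553 example; point the pattern at your own audit file location.

```sql
-- Added example. Reading audit files requires CONTROL SERVER on the
-- instance that runs the query. C:\SQLAudit\ is a sample location.

-- 1. Latest records, with the raw codes next to their resolved names.
--    action_id and class_type are stored as short codes (for example
--    'SL' or 'LGIF'); the two DMVs below are the lookup tables for them.
WITH actions AS (
    SELECT action_id, MIN(name) AS action_name    -- one row per code
    FROM sys.dm_audit_actions
    GROUP BY action_id
),
classes AS (
    SELECT class_type, MIN(class_type_desc) AS class_type_desc
    FROM sys.dm_audit_class_type_map
    GROUP BY class_type
)
SELECT TOP (100)
    f.event_time,                 -- stored in UTC
    f.action_id,                  -- raw code as written by SQL Server
    a.action_name,                -- resolved name
    f.class_type,                 -- raw code
    c.class_type_desc,            -- resolved securable class
    f.succeeded,
    f.server_principal_name,
    f.database_name,
    f.schema_name,
    f.object_name,
    f.statement,
    f.file_name,                  -- file and offset identify the record's
    f.audit_file_offset           -- position in the audit trail
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
LEFT JOIN actions AS a ON a.action_id  = f.action_id
LEFT JOIN classes AS c ON c.class_type = f.class_type
ORDER BY f.event_time DESC;

-- 2. Volume per action code: shows which audited actions dominate the
--    trail, which is the first thing to check when tuning audit policy.
SELECT
    f.action_id,
    COUNT(*)          AS events,
    MIN(f.event_time) AS first_seen_utc,
    MAX(f.event_time) AS last_seen_utc
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
GROUP BY f.action_id
ORDER BY events DESC;
```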

What can I monitor with the SQL Server's audit log and LOGbinder for SQL Server?

See a list of event IDs generated by LOGbinder for SQL Server.

Will LOGbinder for SQL Server slow down my SQL server?

You can run LOGbinder for SQL Server on the same server where SQL Server auditing is enabled, and LOGbinder for SQL Server's modest resource usage will not be felt in most environments. You can also ensure LOGbinder for SQL Server has absolutely no impact on heavily loaded SQL Servers by installing it on a different server. The latter option does not incur the expense of another SQL Server license because LOGbinder for SQL Server can use any edition of SQL Server 2008 (and later), even the free Express Edition, to read audit logs generated by other SQL Servers via shared folders.

Will enabling the new auditing available in SQL Server slow down my database server?

Thankfully SQL Server has a very granular audit policy that allows you to audit just the desired actions on just the desired objects. So it is unlikely auditing will have a material impact on your database server performance unless you try to audit frequently executed operations like (select, update, insert, delete) on heavily accessed tables. Even with that said, most SQL Servers can output a great deal of audit events without feeling it. This is especially true if you configure the Audit to target a file instead of the local event log; appending to a file is much faster than calling Windows event APIs. And the good news is LOGbinder for SQL Server is designed to process SQL audit log files and can do so from a different system than your busy database server. So, to ensure audit trail generation without performance degradation, enable auditing of table and view operations only as needed and target the Audit to create files in a shared folder on a different server, where LOGbinder for SQL Server is installed.

How secure is LOGbinder for SQL Server?

LOGbinder is fully integrated with Windows and SQL Server security and complies with widely accepted secure design and coding techniques.

At installation, LOGbinder secures the folder permissions where the software files reside. To protect LOGbinder's configuration from tampering, LOGbinder encrypts its configuration data.

LOGbinder security requirements are greatly simplified since LOGbinder does not store your audit log data. LOGbinder is designed to quickly get audit events out of the SQL Server audit log files and to the destination of your choice, at which point your log management solution takes over. If you configure LOGbinder for SQL Server to direct events to the Windows security log, you leverage the significant effort Microsoft has invested in protecting the security log. And if you are already collecting Windows security logs with your log management application, SQL audit events will automatically be included when you install LOGbinder for SQL Server.

LOGbinder for SQL Server's design helps you fulfill separation of duty and audit trail integrity requirements by quickly getting audit events off the system where they are produced (and thus vulnerable to intruders or malicious administrators) and into your separate and secure log management system.

Does LOGbinder for SQL Server require much configuration?

LOGbinder for SQL Server installs in about 2 minutes and only requires a few settings:

  1. Select which folders for LOGbinder to monitor for SQL audit log files
  2. Specify the user account LOGbinder should run as
  3. Choose whether to output events to the custom LOGbinder SQL event log, to the actual Windows Security Log, syslog or to a text file.

How do you monitor LOGbinder for SQL Server’s health?

Check the Application log for warnings or errors from source LOGbndSQ

Why doesn’t LOGbinder for SQL Server include alerting or long term archival capability?

These are functions of a log management solution. LOGbinder complements and enhances the value of your log management solution.

How does LOGbinder for SQL Server integrate with my current log management solution?

With LOGbinder, any log management solution that supports Windows event logs, text files or syslog can now collect, monitor, archive, and report on SQL Server audit log activity. Also, see next Q&A.

Which output formats does LOGbinder for SQL Server currently support?

LOGbinder can output to either the Windows Security Log, syslog, text file, or a custom Windows event log called LOGbinder for SQL Server.

Based on customer feedback we may add additional output formats such as syslog, text files, or XML.

How is LOGbinder for SQL Server licensed?

See pricing and licensing information.

Does LOGbinder for SQL Server need to be installed on my SQL Server?

No. See above questions on performance.

What user credentials must be assigned to LOGbinder for SQL Server? Why?

The account needs to be authorized to run as a service, and if using the security log, must be authorized to write to the security log.

Can one installation of LOGbinder for SQL Server process audit logs from multiple SQL Servers?

Yes, LOGbinder for SQL Server can monitor multiple shared folders for SQL audit logs produced by different SQL servers.

4.3. End User License Agreement

END-USER LICENSE AGREEMENT

IMPORTANT. PLEASE READ THIS LICENSE AGREEMENT BEFORE LOADING THE SOFTWARE ONTO YOUR COMPUTER/SERVER.

This End-User License Agreement (“EULA”) is a legal agreement between you (a single entity) and Monterey Technology Group, Inc. (“Licensor”) for the license of the Software from Licensor accompanying this EULA. If you have entered into an agreement with Licensor, this EULA supplements and is a part of your agreement and is incorporated into your agreement. If you have not yet entered into any other agreement or contract with Licensor, this EULA is a binding, independent legal agreement between you and Licensor. By clicking “I agree,” or by installing, copying, modifying, registering, or otherwise using the Software, you agree to be bound by the terms of this EULA.

If you do not agree to accept all of the terms of this EULA, without any changes, additions or subtractions, please promptly click “I do not agree,” uninstall and remove the Software from your system, all of your computer(s), server(s), and/or your network, and return the Software to Licensor.

DEFINITIONS:

The following definitions apply to terms as they appear in this EULA:

(a) “EULA” means this End-User License Agreement.

(b) “Software” means the LOGbinder SQL software accompanied by this EULA.

(c) “Licensor” means Monterey Technology Group, Inc.

(d) “You” means you, a single entity.

(e) “computer” and “server” each mean a single computer server.

THE SOFTWARE:

The Software is owned by and the property of Licensor. The Software is protected by the copyright laws of the United States of America, as well as international treaties protecting copyrights, as well as other intellectual property laws and treaties. While Licensor continues to own the Software, you will be granted, under this EULA, certain limited rights only to use the Software after your acceptance of this EULA.

LICENSE GRANT:

This EULA grants you the following rights:

(a) This software must be licensed for the total number of SQL instances processed by this software. For the avoidance of doubt and regardless of how many servers you install the software on, you must purchase multiple licenses equal to the number of instances processed by this software.

(b) Notwithstanding the foregoing, You may make one copy of the Software for archival purposes, or copy the Software onto the hard disk of your server as a single copy and retain the original for archival purposes. In the event that you make such a copy, you must ensure that the proprietary, copyright, trademark or other such notices contained in or placed on the Software are affixed to any such copy in the same location and manner as it appears in or on the Software.

(c) You may, after prior written notice to Licensor and Licensor’s consent, which shall not be unreasonably withheld, transfer the Software on a permanent basis to another person or entity, provided that you retain no copies of the Software and that the transferee agrees to all of the terms of this agreement and provides written notice of its agreement to Licensor.

(d) You may only use the Software for commercial purposes, and not for personal or household use.

DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS:

(a) You may not copy any documentation which accompanies the Software.

(b) You may not sublicense, rent, or lease the Software, in part or in whole, or host the Software on your server for others to use. You may not allow the use of the Software as a service bureau.

(c) You may not reverse engineer, decompile, disassemble, modify, adapt, alter, integrate, translate, convert into human readable form, or make any attempt to discover, view or read the source code of the Software. You may not create derivative works, modifications or improvements to, of, from or on the Software.

(d) The Software is a single product. It may not be separated into its individual parts for use on any other server or computer.

(e) You may not transfer the Software to any third party without the prior written consent of Licensor.

(f) You may not use a previous version or copy of the Software after you have received a replacement or an upgraded version as a replacement of the Software. All copies of any prior version must be destroyed.


(g) Software installation, setup and maintenance is your sole responsibility. Licensor shall have no obligation or responsibility for software installation, setup or maintenance.

(h) You agree and grant Licensor the right to enter your premises and to access electronically at any time your server/computer as installed in order to verify your compliance with this EULA.

(i) All rights not expressly granted are reserved by Licensor. This EULA does not grant you any rights in connection with any copyrights, trademarks or service marks of Licensor.

(j) The Software may include copy protection or sunset technology to prevent the unauthorized copying or use of the Software. You agree that you will not circumvent any copy protection technology in the Software.

(k) This EULA does not require Licensor to provide to you any maintenance, updates, new versions, or support services related to the Software. The Licensor may or may not support the Software or any particular versions of the Software. Any services provided by Licensor, if any, may be described in the governing services agreement. Any supplemental software code, updates, modifications, or upgrades provided to you, whether as part of any support services or otherwise, are considered part of the Software and subject to the terms and conditions of this EULA. You acknowledge and agree that Licensor may use for its business purposes, including product support and development, any information you provide to Licensor whether the provision occurs during any support services, warranty claim or otherwise.

(l) Without prejudice to any other rights, Licensor may immediately terminate without notice this EULA if you fail to comply with any terms or conditions of this EULA.

(m) Returns and refunds are not accepted.

(n) You agree that you will not use the Software for any non-commercial purposes. You agree that you will not use the Software for personal or household purposes.

(o) You represent that you are authorized on behalf of your business or enterprise to enter into this EULA.

(p) You agree that you will not, during or after the termination of this EULA, contest or challenge Licensor’s ownership of, or interest in, the Software.

(q) You may not remove any copyright or other proprietary rights notices on any label of disks or other storage media containing the Software or in any documentation for the Software. You shall ensure that Licensor’s copyright and proprietary rights notices are not disabled and remain conspicuously displayed as provided in the Software.

UPGRADES:

Any are subject to all terms and conditions of this EULA.

INTELLECTUAL PROPERTY RIGHTS:

The Software, including but not limited to any and all source code, object code, software product, images, audio files, photographs, animations, macros, applets, video, music, text, the accompanying printed materials, related instructional material (whether in the Software, provided with the Software, or available concerning the Software), and documentation, is copyrighted with all rights reserved. You agree that Licensor, or third parties where appropriate, own(s) all rights to and in the Software, including without limitation all copyrights, proprietary rights, trademarks, service marks, patents, patent rights and trade secrets, as well as any and all such things for any modifications, derivatives, or improvements of the Software, or any part thereof, which you, Licensor, or others may make (in whole or in part), whether authorized or not.

NO WARRANTY:

The Software is provided as is and without any warranty.

DISCLAIMER OF WARRANTIES:

Licensor does not warrant any specific level of system functionality, availability or uptime.

LICENSOR HEREBY DISCLAIMS, AND DOES NOT MAKE, ANY AND ALL EXPRESS, IMPLIED, AND STATUTORY WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES, DUTIES OR CONDITIONS OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF ACCURACY OR COMPLETENESS OF RESPONSES, OF RESULTS, OF WORKMANLIKE EFFORT, OF LACK OF VIRUSES, OF LACK OF NEGLIGENCE AND OF NON-INFRINGEMENT. WITH RESPECT TO THE SOFTWARE, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT. On occasion, all software has glitches or unforeseen errors, and consequently, Licensor makes no warranties and disclaims any and all warranties that the Software will function without interruption.

EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES:

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL LICENSOR BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, FOR LOSS OF DATA, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF LICENSOR, AND EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

LIMITATION OF LIABILITY AND REMEDIES:

NOTWITHSTANDING ANY DAMAGES THAT YOU MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED ABOVE AND ALL DIRECT OR GENERAL DAMAGES), THE ENTIRE LIABILITY OF LICENSOR WHETHER UNDER ANY PROVISION OF THIS EULA, OR FROM ANY OTHER SOURCE OF LIABILITY, WHETHER IN CONTRACT OR IN TORT, INCLUDING NEGLIGENCE, AND YOUR EXCLUSIVE REMEDY FOR ALL OF THE FOREGOING (EXCEPT FOR ANY REMEDY OF REPAIR OR REPLACEMENT ELECTED BY LICENSOR WITH RESPECT TO ANY BREACH OF THE LIMITED WARRANTY), SHALL BE LIMITED TO THE AMOUNT ACTUALLY PAID, WITHIN THE ONE (1) CALENDAR YEAR PRECEDING THE TIME YOU MAKE A CLAIM TO LICENSOR OF SUCH DAMAGES, BY YOU TO LICENSOR FOR THE SOFTWARE THAT CAUSED THE DAMAGES OR THAT IS THE SUBJECT MATTER OF OR DIRECTLY RELATED TO THE CAUSE OF ACTION. IN NO EVENT WILL LICENSOR BE LIABLE FOR ANY DAMAGES CAUSED, IN PART OR IN WHOLE, BY YOUR FAILURE TO PERFORM YOUR OBLIGATIONS, OR FOR ANY LOSS OF DATA, PROFITS, SAVINGS, OR ANY OTHER CONSEQUENTIAL OR INCIDENTAL DAMAGES, OR FOR ANY CLAIMS BY YOU BASED UPON A THIRD-PARTY CLAIM.

SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR CERTAIN TYPES OF DAMAGES, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY OR MAY NOT APPLY TO YOU. THE PROVISIONS IN THIS PARAGRAPH WILL APPLY REGARDLESS OF WHETHER YOU ACCEPT THE SOFTWARE.

YOUR EXCLUSIVE REMEDY:

Licensor’s sole obligation and entire liability, if any, shall be, at Licensor’s option from time to time exercised subject to applicable law, to repair or replace the Software, so long as you return the original Software. If such a remedy is elected by Licensor, you are responsible for any expenses you may incur (e.g. cost of shipping Software to Licensor). Any replaced parts shall become the property of Licensor. Any replaced Software will be warranted with the same limited warranty set forth above for the longer of the amount of time left in the original warranty period or thirty (30) days. To exercise your remedy, contact Licensor at the address listed below.

CONFIDENTIALITY:

You acknowledge the Software, including its source code and know-how relating to such things, constitute confidential information of Licensor (collectively, “Confidential Information”). You (“Disclosee”) will therefore: (a) take reasonable steps (including those steps that the Disclosee takes to protect its own information that it regards as confidential) to keep the Confidential Information confidential; and (b) not disclose or otherwise make available, except as otherwise provided by law, the Confidential Information of the other party to any third party except to such directors, officers, employees and agents of the Disclosee who have a need to have access to the Confidential Information of the other party to perform their obligations to the other party under this EULA. The confidentiality provisions of this paragraph will not apply to Confidential Information that: (a) is in the public domain other than as a consequence of a breach of the obligations contained in this EULA to maintain the confidentiality of such Confidential Information; (b) is established by Disclosee’s documents as being known by the Disclosee prior to its disclosure to the Disclosee hereunder or is independently developed by the Disclosee without breach of the obligations contained in this EULA; or (c) has been received by the Disclosee from a third party who is not subject to obligations similar to the obligations contained in this EULA. In the event that the Disclosee receives notice indicating that it may or will be legally compelled to disclose any of the Confidential Information, it will provide Licensor with prompt notice so that the Licensor may at its sole discretion seek a protective order or other appropriate remedy and/or waive compliance with the provisions of this EULA.
In the event that such protective order or other remedy is not obtained for whatever reason, or that such other party waives compliance with the provisions of this EULA, the Disclosee may furnish only that portion of the Confidential Information that he or she is legally required to disclose. The foregoing agreements and covenants set forth in this paragraph will be construed as being an agreement independent of the provisions in this EULA. The existence of any claim or cause of action of either party against the other party, whether predicated on this EULA or otherwise, shall not constitute a defense to the enforcement by such other party of any of the covenants and agreements of this paragraph. Each of the parties acknowledges that its failure to comply with the provisions of this paragraph will cause irreparable harm to the other party which cannot be adequately compensated for in damages, and accordingly acknowledges that the other party will be entitled, in addition to any other remedies available to it, to interlocutory and permanent injunction relief to restrain any anticipated, present or continuing breach of this paragraph.

In the event you breach this EULA, Licensor shall have the right, at its sole option, to terminate this EULA or any portion of this EULA, in addition to any other available remedies.

Upon Termination of this EULA. Upon the termination of this EULA: (a) Your confidentiality obligations, as well as any accrued payment obligations to Licensor, shall survive such termination; (b) your license right to the Software shall immediately cease, and (c) you shall: (i) return to Licensor all copies of and media bearing the Software within 10 business days; (ii) delete and erase any copy of the Software copied onto any computer/server pursuant to this EULA; (iii) erase all backup and archival copies of the Software; and (iv) certify in writing to Licensor within ten (10) business days of the termination of this EULA that all copies of the Software have been returned to Licensor or have been erased. You further authorize Licensor, in the event of termination of this EULA, to remotely and/or electronically disable, delete and/or remove the Software from your computer(s), server(s), and system(s). Termination of this EULA shall not limit either party from pursuing other remedies available to it, including injunctive relief, nor shall such termination relieve you from your obligation to pay fees accrued prior to the termination.

MISCELLANEOUS:

If applicable and unless overridden by a separate agreement, this EULA is incorporated into the agreement you have reached with Licensor for the Software, and in the event of any conflict between the terms of such agreement and this EULA, the terms of this EULA shall prevail and govern.

You acknowledge that the Software is of U.S. origin. You agree to comply with all applicable international and national laws that apply to the Software, including the U.S. Export Administration Regulations, as well as end-user, end-use and destination restrictions issued by the U.S. and other governments.

This EULA is governed by the laws of the State of North Carolina. This EULA may only be modified by a writing signed by both you and Licensor.

Disputes concerning or arising out of this EULA shall be submitted to confidential binding arbitration in Greensboro, North Carolina before the Judicial Arbitration and Mediation Service (“JAMS”) pursuant to the Streamlined JAMS Arbitration Rules and Procedures. Each party hereto submits to the jurisdiction of JAMS at the location so indicated above. Any process served in connection with any proceeding arising out of or relating to this EULA may be served upon the party to be served by registered or certified mail at the address listed above. Any such service will have the same effect as personal service within the states so indicated above. The foregoing shall not preclude any party hereto from seeking enforcement outside the relevant state of the arbitration of any order or judgment rendered by any court upon the JAMS award.

Except as expressly provided in this EULA, no amendment or waiver of this EULA shall be binding unless executed in writing by the Customer and Licensor. No waiver of any provision of this EULA shall constitute a waiver of any other provision nor shall any waiver of any provision of this EULA constitute a continuing waiver unless otherwise expressly provided.

If any provisions of this EULA shall for any reason be held illegal or unenforceable, such provision shall be deemed separable from the remaining provisions of this EULA and shall in no way affect or impair the validity or the enforceability of the remaining provisions of this EULA.

This EULA constitutes the entire agreement between the parties pertaining to the subject matter hereof. There are no warranties, conditions, or representations (including any that may be implied by statute) and there are no agreements in connection with such subject matter except as specifically set forth or referred to in this EULA.

Should you have any questions concerning this EULA, or if you desire to contact Licensor for any reason, please send a written communication to: rsmith@montereytechgroup.com.

4.4. Annual Support and Maintenance Terms and Conditions

Coverage

Purchase of an Annual Support and Maintenance Agreement (Agreement) covers:

  • Updates. Availability announcements of updates are sent to the email address on the Certificate.
  • Technical support (excluding consulting). Support is initiated by creating a ticket at https://logbinder.helpspot.com. Subsequent phone or web conferences will be arranged as deemed necessary by our support. Licensee may be asked for certificate number before being provided support.
  • Support is available 9am-5pm Eastern US time Monday – Friday.
  • 24 hour response time during normal business hours. Failure: 1 month of PSM refunded for each day missed. If not solved within 48 hours, customer can request to escalate the issue to LOGbinder's Development Triage Team who will classify the issue as:
    • LOGbinder product defect
    • Environment specific issue
    • Microsoft product defect

      Regardless of the classification, we will make our best effort to solve the issue or create a workaround, at which time a case-specific patch or product update will be provided. (To date we've only classified one issue as environment specific and we solved it in the next release of the software.)
  • Credit towards the purchase of a higher-level license and Support and Maintenance Agreement (e.g. when you upgrade from WSS to Enterprise, etc.). This includes the original software cost and the unused portion of this Support and Maintenance Agreement (pro-rated and applied to the maintenance fee for the higher-level license).

Pricing

Annual Support and Maintenance Agreements can be purchased in 1, 2 or 3 year increments.

Years | Amount
1 | 20% of software list price
2 | 38% of software list price
3 | 54% of software list price

Terms and Conditions

Renewal: We will email the technical contact and business contact we have on record at least 30 days prior to expiration to arrange renewal. (We will likely begin reminding you 90 days before expiration as well as send a fax to your main office.) Unless you renew, this Agreement automatically expires at midnight on the expiration date.

The cost of the Support and Maintenance Agreement will be based on the list price of the software at the time of the purchase. After that period, the cost to renew the Support and Maintenance Agreement will be based on the list price of the software at the time of each renewal.

Please note that lapses in Support and Maintenance Agreements are not allowed. In the case where a Support and Maintenance Agreement has expired, any future renewals of said agreement will begin on the day following the original expiration date.

Cancellation: The Agreement can be canceled at any time in writing by e-mail, fax or letter. In case of cancellation, Monterey Technology Group, Inc. will not pro-rate or issue any refunds for any unused time on this agreement.

4.5. Whitepapers, Webinars and SIEM Integration Resources

Click here to see a list of SIEM integration resources.

4.6. Events Generated

Click here for a list of events generated by LOGbinder for SQL Server.