This page explains how to configure and use GFI EventsManager to collect Microsoft SharePoint audit events that have been processed by LOGbinder SP, which turns the raw SharePoint audit data into events that are easier to read and manage.
The patch which is referred to in this document adds the following extra functionality to GFI EventsManager:
This procedure assumes that a functional installation of Microsoft SharePoint Server or SharePoint Services is already in place.
Further we assume that LOGbinder SP has been installed and configured on the SharePoint server. For more information on LOGbinder SP please follow these links:
Once LOGbinder SP is installed on the SharePoint server it starts writing events either to the Security event log or to a custom log called ‘LOGbinder SP’, depending on its configuration. Which of the two logs is used matters, because GFI EventsManager must be configured to collect from that log.
An installation of GFI EventsManager version 2011 (build 20110207) and the GFI EventsManager ReportPack 2011 (build 20110208) is also required.
NOTE: All further references to ‘SharePoint events’ in this document assume that these are events which have been processed by LOGbinder SP and saved in a Windows event log in the usual LOGbinder SP format.
The patch to enable data generated by LOGbinder SP to become available in GFI EventsManager contains two parts:
Both files should be downloaded and unpacked on their respective servers before proceeding.
To install the patch for the main application perform the following:
1. Close the GFI EventsManager Management Console and stop the GFI EventsManager service.
2. Navigate to the installation folder of GFI EventsManager and create a backup copy of the following files:
a. EvtLogic.dll
b. Plwineventsbrowser.dll
3. Replace the original files with the ones extracted from the patch archive.
4. Open the main interface of GFI EventsManager and import all settings contained in the patch file called configurationsForLogBinder.esmbkp (File > Import and Export Configurations > Import the desired configurations from a file).
5. Start the GFI EventsManager service.
To install the patch for the ReportPack, perform the following:
1. Close the GFI ReportCenter and stop the GFI ReportCenter service.
2. Create a backup copy of the entire GFI EventsManager ReportPack installation folder.
3. Copy all files delivered with the patch into their respective subfolders of the ReportPack installation folder and replace the originals.
4. Restart the GFI ReportCenter service.
Adding new SharePoint servers as event source
New SharePoint servers can be added as an event source to the GFI EventsManager configuration by right-clicking the ‘SharePoint servers’ group and selecting ‘Add new event source’. Events from these sources are collected for the first time as soon as they are added.
The properties of this group can be customized further to meet individual requirements.
Additional event processing rules
The default rules to process and evaluate SharePoint events can be found in the GFI EventsManager configuration under Configuration > Event Processing Rules > Windows Event Logs > SharePoint Audit. Currently there are three rule sets containing rules for the different event types, plus one additional rule called ‘Archive SharePoint Audit Events’ which captures and archives, with low priority, any event that has not matched any other rule. This prevents loss of data during initial setup. Once additional processing rules have been configured and all events of interest are captured by other rules, this ‘catch-all’ rule can be disabled.
There are multiple ways to create new custom processing rules for SharePoint events which do not match any of the default rules. The easiest way is described in the steps below:
1. Open the GFI EventsManager UI and select the Events Browser tab.
2. Make sure the Windows Events Browser is active and select ‘Other Events’ > ‘LOGbndSP’. This will display all SharePoint events currently in the database.
3. Select any event which has been captured by the generic ‘Archive SharePoint Audit Events’ rule and for which a new processing rule needs to be created.
4. Right click the event and select ‘New rule from selected event’.
5. Accept the default conditions for the newly created rule and click OK.
6. The new rule is created in the ‘Custom Rules’ folder but can be moved to any rule set in the ‘SharePoint Audit’ folder by drag-and-drop.
Additional event browser queries
Creating additional queries in the events browser is described in the GFI EventsManager user manual, section 4.2. (http://support.gfi.com/manuals/en/esm2011/esm2011manual.1.21.html)
In case of technical difficulties with any of the components involved in the process described in this document, first determine which part of the chain is failing so that the appropriate support personnel can be contacted. The three failure points are:
1. No default SharePoint logs (*.log files) are being generated or the SharePoint audit settings don’t seem to work as expected.
2. LOGbinder SP does not seem to process any events or does not generate any events in the Windows event logs.
3. Events are being generated on the SharePoint server but GFI EventsManager is unable to collect them or does not process them according to the configured processing rules.
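The following PowerShell script, run on the SharePoint server, helps separate case 2 from case 3 above: it checks whether LOGbinder SP events are present in the Security log or in the custom ‘LOGbinder SP’ log and how recent they are. It is an added example, not part of the GFI or LOGbinder documentation; the custom log name and the provider name ‘LOGbndSP’ (the source name shown in the Events Browser) are assumptions and must be adjusted to the local LOGbinder SP configuration.

```powershell
# Added example (not from the GFI document). Run in an elevated PowerShell session on
# the SharePoint server: reading the Security log requires administrative rights.
param(
    [string]$CustomLogName = 'LOGbinder SP',   # assumed custom log name
    [string]$ProviderName  = 'LOGbndSP',       # assumed provider/source name
    [int]$LookbackHours    = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

function Get-LogbinderEvents {
    # Returns LOGbinder SP events from one log since $since, or an empty array.
    param([string]$LogName)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $ProviderName; StartTime = $since } -ErrorAction Stop
    } catch {
        @()   # log missing, access denied, or no matching events
    }
}

# Does the custom log exist at all? (Tells us how LOGbinder SP was configured.)
$customLogExists = [bool](Get-WinEvent -ListLog $CustomLogName -ErrorAction SilentlyContinue)

$customEvents   = if ($customLogExists) { @(Get-LogbinderEvents $CustomLogName) } else { @() }
$securityEvents = @(Get-LogbinderEvents 'Security')
$total          = $customEvents.Count + $securityEvents.Count

if ($total -eq 0) {
    # Nothing reached the Windows event log: the problem is upstream of GFI EventsManager
    # (SharePoint auditing or LOGbinder SP itself, cases 1 and 2).
    Write-Output "No LOGbinder SP events found in the last $LookbackHours h (custom log present: $customLogExists)."
    Write-Output 'Check SharePoint audit settings and the LOGbinder SP service before looking at GFI EventsManager.'
} else {
    # Events exist locally: if GFI EventsManager shows nothing, the collector side is at fault (case 3).
    $target = if ($customEvents.Count -ge $securityEvents.Count) { $CustomLogName } else { 'Security' }
    $newest = ($customEvents + $securityEvents | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    Write-Output "LOGbinder SP is writing to the '$target' log: $total events since $since, newest at $newest."
    Write-Output "Verify that the '$target' log is selected for the 'SharePoint servers' group in GFI EventsManager."
}
```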