Skip to main content
Skip table of contents

UDLA - SharePoint 2007 AuditData

Microsoft SharePoint 2007 is a software platform for collaboration and web publishing that combines several capabilities under a single server. It allows users to perform common tasks such as publish a web site, search for and manage content, or create applications without installing a separate server for each function.

This document instructs you how to configure collection of SharePoint 2007 audit logs via a LogRhythm agent.


Identify and note the following prior to configuration:

  • The IP Address and/or host name of the SharePoint database server to be collected from.
  • The Database name that contains the auditdata and userinfo tables.The name is usually determined by the DBA and typically starts with WSS_Content. 

    • WSS_Content_SGG8_Admin
    • WSS_Content_1111a22bbb33333db4c567d890123e45
  • The SharePoint database login credentials of the user account the LogRhythm Agent should use to connect to the database. Otherwise, a trusted connection can be made using the credentials under which the Agent runs.
  • The LogRhythm Agent used to collect the audit data from the SharePoint Database.

Configure Microsoft SharePoint 2007 Audit

To specify which SharePoint events you want to audit, do the following:

  1. On the Start menu, click Program Files, click Microsoft Office Server, and then click SharePoint Central Administration.

  2. Log in to the site for which you want to enable auditing.

  3. On the right side of the page, click Site Actions, and then click Site Settings.

  4. On the Site Settings page, click Site Collection Audit Settings under Site Collection Administration.

  5. Select the events you want to audit, and then click OK.

Configure the ODBC Driver for Microsoft SharePoint 2007 Audit

Microsoft SharePoint logs are accessed by LogRhythm via an ODBC driver. The recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.

  • Name. SQL Server
  • Company Name. Microsoft Corporation
  • Version. 2000.85.1132.00
  • Date. 4/13/2008
  • Download Location. Pre-installed

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. TYou must use a LogRhythm System Monitor to collect the logs. The agent does not need to reside on the SharePoint server, but does need to be able to establish a network ODBC connection. 

Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

Before you begin, download the SharePoint 2007 Audit Data XML Configuration File. You will import this file later to populate the UDLA configuration fields for the Log Source.

The name of the log message source is UDLA – SharePoint 2007 AuditData. In addition, when configuring this log source:

  • For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
  • On the UDLA Settings tab, enter the following:
    • Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.

      The default connection string specifies a trusted connection. If your connection requires a user name and password, change the connection string to the following: Driver={SQL Server};Server=<server>\<instance>,<port>;Database=<database>;Uid=<username>;Pwd=<password>;

      For either connection string, ensure that you change the placeholder values to those matching your deployment..

    • If you want to validate the current settings, click Test.
      If the test fails, verify the connection settings and that all values were entered correctly.
    • When the test passes, close the Test dialog box.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.