UDLA - SharePoint 2010 EventData

Microsoft SharePoint is a software platform for collaboration and web publishing that combines a number of capabilities under a single server. These capabilities include portal, content management system, business intelligence, search, wikis, blogs and application development. It allows users to perform a number of common tasks, such as publishing a web site or intranet, searching for content, managing content, or creating applications, but without having to install one separate server for each function.

Collected event data will indicate object accesses, modifies, and deletes of SharePoint documents, folders, files, etc. SharePoint does not log object views in this event log.

This guide provides step-by-step instructions to connect a LogRhythm Agent to Microsoft SharePoint 2010 for collection of its event logs.

Prerequisites

Identify the following prior to configuration:

• The IP address or hostname of the SharePoint database server from which you want to collect.

• The database name that contains the EventCache table. This name is usually determined by the DBA and typically starts with “WSS_Content.”

  Examples:

  • WSS_Content_SGG8_Admin
  • WSS_Content_1111a22bbb33333db4c567d890123e45
• The SharePoint database login credentials of the user account the LogRhythm Agent should use to connect to the database. Otherwise a trusted connection can be made using the credentials under which the Agent is running.
• The LogRhythm Agent that will be used to collect the event data from the SharePoint Database.

Configure Microsoft SharePoint 2010 EventData

To specify which SharePoint events you want to audit, do the following:

1. On the Start menu, click Program Files, click Microsoft Office Server, and then click SharePoint Central Administration.

2. Log in to the site for which you want to enable auditing.

3. On the right side of the page, click Site Actions, and then click Site Settings.

4. On the Site Settings page, click Site Collection Audit Settings under Site Collection Administration.

5. Select the events you want to audit, and then click OK.

Configure the ODBC Driver for Microsoft SharePoint 2010 EventData

Microsoft SharePoint logs are accessed by LogRhythm via an ODBC driver. The recommended driver must already be installed on the System Monitor host and configured according to the information in Configure UDLA Log Collection.

• Name. SQL Server
• Company Name. Microsoft Corporation
• Version. 2000.85.1132.00
• Date. 4/13/2008
• Download Location. Pre-installed

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. You must use a LogRhythm System Monitor to collect the logs. The agent does not need to reside on the SharePoint server, but does need to be able to establish a network ODBC connection. 

Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

Before you begin, download the SharePoint 2010 EventData XML configuration file. You will import this file later to populate the UDLA configuration fields for the Log Source.

The name of the log message source is UDLA – SharePoint 2010 EventData. In addition, when configuring this log source:

• For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
• On the UDLA Settings tab, enter the following:

  • Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.

    In the Connection String box, replace <DSN>, <UID>, and <PWD> with the SharePoint data source name, user ID, and password that you want to use to connect.

  • If you want to validate the current settings, click Test.
    If the test fails, verify the connection settings and that all values were entered correctly.
  • When the test passes, close the Test dialog box.