Microsoft SharePoint
The Microsoft SharePoint DSM for JSA collects audit events from the SharePoint database by using JDBC to poll an SQL database for audit events.
Audit events can track changes that are made to sites, files, and content that is managed by Microsoft SharePoint.
Microsoft SharePoint audit events include the following elements:
Site name and the source from which the event originated
Item ID, item name, and event location
User ID associated with the event
Event type, time stamp, and event action
Two log source configurations can be used to collect Microsoft SharePoint database events.
Create a database view in your SharePoint database to poll for events with the JDBC protocol. See Configuring a Database View to Collect Audit Events.
Create a JDBC log source and use predefined database queries to collect SharePoint events. This option does not require an administrator to create database view. See JDBC Log Source Parameters for Microsoft Share Point.
The collection of Microsoft Sharepoint events now uses a predefined query, instead of requiring an administrator to create a database view. If you are an administrator, you might want to update existing Microsoft Sharepoint log sources so that they use the Microsoft Sharepoint predefined query.
Configuring a Database View to Collect Audit Events
Before you can integrate Microsoft SharePoint events with JSA, you must complete three tasks.
Use the following procedure:
Configure the audit events you want to collect for Microsoft SharePoint.
Create an SQL database view for JSA in Microsoft SharePoint.
Configure a log source to collect audit events from Microsoft SharePoint.
Note:Ensure that firewall rules are not blocking the communication between JSA and the database associated with Microsoft SharePoint.
Configuring Microsoft SharePoint Audit Events
The audit settings for Microsoft SharePoint give you the option to define what events are tracked for each site that is managed by Microsoft SharePoint.
Log in to your Microsoft SharePoint site.
From the Site Actions list, select Site Settings.
From the Site Collection Administration list, click Site collection audit settings.
From the Documents and Items section, select a check box for each document and item audit event you want to audit.
From the Lists, Libraries, and Sites section, select a check box for each content audit event you want to enable.
Click OK.
You are now ready to create a database view for JSA to poll Microsoft SharePoint events.
Creating a Database View for Microsoft SharePoint
Microsoft SharePoint uses SQL Server Management Studio (SSMS) to manage the SharePoint SQL databases. To collect audit event data, you must create a database view on your Microsoft SharePoint server that is accessible to JSA.
Do not use a period (.) in the name of your view, or in any of the table names. If you use a period in your view or table name, JDBC cannot access the data within the view and access is denied. Anything after a (.) is treated as a child object.
Log in to the system that hosts your Microsoft SharePoint SQL database.
From the Start menu, select Run.
Type the following command:
ssms
Click OK.
The Microsoft SQL Server 2008 displays the Connect to Server window.
Log in to your Microsoft SharePoint database.
Click Connect.
From the Object Explorer for your SharePoint database, click Databases >WSS_Logging >Views.
From the navigation menu, click New Query.
In the Query pane, type the following Transact-SQL statement to create the AuditEvent database view:
create view dbo.AuditEvent as select a.siteID
,a.ItemId ,a.ItemType ,u.tp_Title as "User" ,a.MachineName ,a.MachineIp ,a.DocLocation ,a.LocationType ,a.Occurred as "EventTime" ,a.Event as "EventID" ,a.EventName ,a.EventSource ,a.SourceName ,a.EventData
from WSS_Content.dbo.AuditData a, WSS_Content.dbo.UserInfo u where a.UserId = u.tp_ID and a.SiteId = u.tp_SiteID;
-
From the Query pane, right-click and select Execute.
If the view is created, the following message is displayed in the results pane:
Command(s) completed successfully.
The dbo.AuditEvent view is created. You are now ready to configure the log source in JSA to poll the view for audit events.
Creating Read-only Permissions for Microsoft SharePoint Database Users
Restrict user access on the SharePoint database by granting read-only permissions on objects
From the Object Explorer in your SharePoint database, click Security. Expand the Security folder tree.
Right-click Logins and select New Login.
For Windows authentication, complete the following steps:
On the General page, click Search.
Click Locations. From the Locations page, select a location that the user belongs to and click OK.
Enter the object name in the text-box, and click Check Names to validate the user.
Note:Set the Default database to WSS_Logging.
On the Server Roles page, select public.
On the User Mapping page, select the WSS_Content and WSS_Logging. In the Default Schema column, click ... > Browse... and select db_datareader as the default schema.
On the Status page, select Grant permission to connect to the database engine and select Enabled login.
From the Object Explorer in your SharePoint database, click Databases > WSS_Logging > Security > Users.
Double-click the Windows user that was created in step 3.
On the Securables page, click Search.
On the Add Objects page, select Specific objects... and click OK.
Click Object Types... and select Views.
For object names, click Browse and select the database view that you created. For example, [dbo].[AuditEvent].
For the permissions of the database view you select, grant Select.
Click OK.
From the Object Explorer in your SharePoint database, click Databases > WSS_Content > Security > Users.
Double-click the Windows user that was created in step 3.
On the Securables page, click Search.
On the Add Objects page, select Specific objects... and click OK.
Click Object Types... and select Tables.
For object names, click Browse. Select [dbo].[AuditData] and [dbo].[UserInfo].
For the permissions of the AuditData table, grant Select.
For the permissions of the UserInfo table, grant Select.
Click OK.
JDBC Log Source Parameters for Microsoft Share Point
If JSA does not automatically detect the log source, add a Microsoft SharePoint log source on the JSA Console by using the JDBC protocol.
When using the JDBC protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect JDBC events from Microsoft SharePoint:
Parameter |
Description |
---|---|
Log Source type |
Microsoft SharePoint |
Protocol Configuration |
JDBC |
Log Source Identifier |
Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2. |
Database Type |
From the list, select MSDE. |
Database Name |
Type WSS_Logging as the name of the Microsoft SharePoint database. |
IP or Hostname |
Type the IP address or host name of the Microsoft SharePoint SQL Server. |
Port |
Type the port number that is used by the database server. The default port for MSDE is 1433. The JDBC configuration port must match the listener port of the Microsoft SharePoint database. The Microsoft SharePoint database must have incoming TCP connections that are enabled to communicate with JSA. If you define a Database Instance when you use MSDE as the database type, you must leave the Port parameter blank in your configuration. |
Table Name |
Type AuditEvent as the name of the table or view that includes the event records. |
Compare Field |
Type EventTime as the compare field. The compare field is used to identify new events added between queries to the table. |
JDBC Log Source Parameters for Microsoft SharePoint with Predefined Database Queries
Administrators who do not have permission to create a database view because of policy restrictions can collect Microsoft SharePoint events with a log source that uses predefined queries. If JSA does not automatically detect the log source, add a Microsoft SharePoint log source on the JSA Console by using the JDBC protocol.
Predefined queries are customized statements that can join data from separate tables when the database is polled by the JDBC protocol. When using the JDBC protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect JDBC events from Microsoft SharePoint.
Parameter |
Value |
---|---|
Log Source Type |
Microsoft SharePoint |
Protocol Configuration |
JDBC |
Log Source Identifier |
Type the identifier for the log source. Type the log source identifier in the following format: <SharePoint Database>@<SharePoint Database Server IP or Host Name> where:
|
Database Type |
From the list, select MSDE. |
Database Name |
Type WSS_Logging as the name of the Microsoft SharePoint database. |
IP or Hostname |
Type the IP address or host name of the Microsoft SharePoint SQL Server. |
Port |
Type the port number that is used by the database server. The default port for MSDE is 1433. The JDBC configuration port must match the listener port of the Microsoft SharePoint database. The Microsoft SharePoint database must have incoming TCP connections that are enabled to communicate with JSA. If you define a Database Instance when you use MSDE as the database type, you must leave the Port parameter blank in your configuration. |
Predefined Query |
From the list, select Microsoft SharePoint. |
Use Prepared Statements |
Select the Use Prepared Statements check box. Prepared statements allow the JDBC protocol source to set up the SQL statement one time, then run the SQL statement many times with different parameters. For security and performance reasons, it is suggested that you use prepared statements. Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements. |
Use NTLMv2 |
Select the Use NTLMv2 check box. This option forces MSDE connections to use the NTLMv2 protocol when it communicates with SQL servers that require NTLMv2 authentication. The default value of the check box is selected. If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication. |