Microsoft SharePoint

 

The Microsoft SharePoint DSM for JSA collects audit events from the SharePoint database by using JDBC to poll an SQL database for audit events.

Audit events can track changes that are made to sites, files, and content that is managed by Microsoft SharePoint.

Microsoft SharePoint audit events include the following elements:

  • Site name and the source from which the event originated

  • Item ID, item name, and event location

  • User ID associated with the event

  • Event type, time stamp, and event action

Two log source configurations can be used to collect Microsoft SharePoint database events.

  1. Create a database view in your SharePoint database to poll for events with the JDBC protocol. See Configuring a Database View to Collect Audit Events.

  2. Create a JDBC log source and use predefined database queries to collect SharePoint events. This option does not require an administrator to create a database view. See Configuring a SharePoint Log Source for Predefined Database Queries.

Note

The collection of Microsoft SharePoint events now uses a predefined query, instead of requiring an administrator to create a database view. If you are an administrator, you might want to update existing Microsoft SharePoint log sources so that they use the Microsoft SharePoint predefined query.

Configuring a Database View to Collect Audit Events

Before you can integrate Microsoft SharePoint events with JSA, you must complete three tasks.

Use the following procedure:

  1. Configure the audit events you want to collect for Microsoft SharePoint.
  2. Create an SQL database view for JSA in Microsoft SharePoint.
  3. Configure a log source to collect audit events from Microsoft SharePoint.

    Note

    Ensure that firewall rules are not blocking the communication between JSA and the database associated with Microsoft SharePoint.

Configuring Microsoft SharePoint Audit Events

The audit settings for Microsoft SharePoint give you the option to define what events are tracked for each site that is managed by Microsoft SharePoint.

  1. Log in to your Microsoft SharePoint site.
  2. From the Site Actions list, select Site Settings.
  3. From the Site Collection Administration list, click Site collection audit settings.
  4. From the Documents and Items section, select a check box for each document and item audit event you want to audit.
  5. From the Lists, Libraries, and Sites section, select a check box for each content audit event you want to enable.
  6. Click OK.

    You are now ready to create a database view for JSA to poll Microsoft SharePoint events.

Creating a Database View for Microsoft SharePoint

Microsoft SharePoint uses SQL Server Management Studio (SSMS) to manage the SharePoint SQL databases. To collect audit event data, you must create a database view on your Microsoft SharePoint server that is accessible to JSA.

Do not use a period (.) in the name of your view, or in any of the table names. If you use a period in your view or table name, JDBC cannot access the data within the view and access is denied. Anything after a period (.) is treated as a child object.

  1. Log in to the system that hosts your Microsoft SharePoint SQL database.
  2. From the Start menu, select Run.
  3. Type the following command:

    ssms

  4. Click OK.

    Microsoft SQL Server 2008 displays the Connect to Server window.

  5. Log in to your Microsoft SharePoint database.
  6. Click Connect.
  7. From the Object Explorer for your SharePoint database, click Databases > WSS_Logging > Views.
  8. From the navigation menu, click New Query.
  9. In the Query pane, type the following Transact-SQL statement to create the AuditEvent database view:
  10. From the Query pane, right-click and select Execute.

    If the view is created, the following message is displayed in the results pane:

    Command(s) completed successfully.

    The dbo.AuditEvent view is created. You are now ready to configure the log source in JSA to poll the view for audit events.

Creating Read-only Permissions for Microsoft SharePoint Database Users

Restrict user access on the SharePoint database by granting read-only permissions on objects.

  1. From the Object Explorer in your SharePoint database, click Security. Expand the Security folder tree.
  2. Right-click Logins and select New Login.
  3. For Windows authentication, complete the following steps:
    1. On the General page, click Search.

    2. Click Locations. From the Locations page, select a location that the user belongs to and click OK.

    3. Enter the object name in the text box, and click Check Names to validate the user.

      Note

      Set the Default database to WSS_Logging.

    4. On the Server Roles page, select public.

    5. On the User Mapping page, select the WSS_Content and WSS_Logging databases. In the Default Schema column, click ... > Browse... and select db_datareader as the default schema.

    6. On the Status page, select Grant permission to connect to the database engine and select Enabled login.

  4. From the Object Explorer in your SharePoint database, click Databases > WSS_Logging > Security > Users.
    1. Double-click the Windows user that was created in step 3.

    2. On the Securables page, click Search.

    3. On the Add Objects page, select Specific objects... and click OK.

    4. Click Object Types... and select Views.

    5. For object names, click Browse and select the database view that you created. For example, [dbo].[AuditEvent].

    6. For the permissions of the database view you select, grant Select.

    7. Click OK.

  5. From the Object Explorer in your SharePoint database, click Databases > WSS_Content > Security > Users.
    1. Double-click the Windows user that was created in step 3.

    2. On the Securables page, click Search.

    3. On the Add Objects page, select Specific objects... and click OK.

    4. Click Object Types... and select Tables.

    5. For object names, click Browse. Select [dbo].[AuditData] and [dbo].[UserInfo].

    6. For the permissions of the AuditData table, grant Select.

    7. For the permissions of the UserInfo table, grant Select.

    8. Click OK.
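
The procedure above, scripted as T-SQL so that the grants can be reviewed and re-applied consistently. This is an added example, not part of the vendor documentation; the account name CONTOSO\svc_jsa is a placeholder, and the database and object names are the ones used on this page.

```sql
-- Added example: scripted equivalent of the SSMS steps above.
-- [CONTOSO\svc_jsa] is a placeholder Windows account for the JSA log source.

USE [master];
GO
-- Step 3: Windows login with WSS_Logging as its default database.
-- A new login is a member of the public server role only; add no other server roles.
CREATE LOGIN [CONTOSO\svc_jsa] FROM WINDOWS
    WITH DEFAULT_DATABASE = [WSS_Logging];
GO

USE [WSS_Logging];
GO
-- Step 3.5 maps the login and sets db_datareader as the DEFAULT SCHEMA.
-- A default schema only affects name resolution; it does not add the user
-- to the db_datareader role, so nothing is readable until SELECT is granted.
CREATE USER [CONTOSO\svc_jsa] FOR LOGIN [CONTOSO\svc_jsa]
    WITH DEFAULT_SCHEMA = [db_datareader];
-- Step 4: SELECT on the view that JSA polls, and nothing else in this database.
GRANT SELECT ON OBJECT::[dbo].[AuditEvent] TO [CONTOSO\svc_jsa];
GO

USE [WSS_Content];
GO
CREATE USER [CONTOSO\svc_jsa] FOR LOGIN [CONTOSO\svc_jsa]
    WITH DEFAULT_SCHEMA = [db_datareader];
-- Step 5: SELECT on the two tables named in the procedure.
GRANT SELECT ON OBJECT::[dbo].[AuditData] TO [CONTOSO\svc_jsa];
GRANT SELECT ON OBJECT::[dbo].[UserInfo]  TO [CONTOSO\svc_jsa];
GO

-- Review: list the object-level permissions held by the account.
-- Run in WSS_Logging and again in WSS_Content; any row other than the
-- SELECT grants above is privilege the log source does not need.
USE [WSS_Logging];
GO
SELECT pr.name                         AS principal_name,
       pe.state_desc,
       pe.permission_name,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'CONTOSO\svc_jsa'
  AND pe.class = 1;                    -- 1 = object or column

-- Review: database roles the account belongs to (explicit memberships).
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'CONTOSO\svc_jsa';
GO
```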

Configuring a SharePoint Log Source for a Database View

JSA requires a user account with the proper credentials to access the view you created in the Microsoft SharePoint database.

To successfully poll for audit data from the Microsoft SharePoint database, you must create a new user or provide the log source with existing user credentials to read from the AuditEvent view. For more information on creating a user account, see your vendor documentation.

To configure JSA to receive SharePoint events:

  1. Click the Admin tab.
  2. On the navigation menu, click Data Sources.
  3. Click the Log Sources icon.
  4. In the Log Source Name field, type a name for the log source.
  5. In the Log Source Description field, type a description for the log source.
  6. From the Log Source Type list, select Microsoft SharePoint.
  7. From the Protocol Configuration list, select JDBC.
  8. Configure the following values:

    Table 1: Microsoft SharePoint JDBC Parameters

    Parameter

    Description

    Log Source Identifier

    Type the identifier for the log source. Type the log source identifier in the following format:

    <SharePoint Database>@<SharePoint Database Server IP or Host Name>

    Where:

    • <SharePoint Database> is the database name, as entered in the Database Name parameter.

    • <SharePoint Database Server IP or Host Name> is the host name or IP address for this log source, as entered in the IP or Hostname parameter.

    Database Type

    From the list, select MSDE.

    Database Name

    Type WSS_Logging as the name of the Microsoft SharePoint database.

    IP or Hostname

    Type the IP address or host name of the Microsoft SharePoint SQL Server.

    Port

    Type the port number that is used by the database server. The default port for MSDE is 1433.

    The JDBC configuration port must match the listener port of the Microsoft SharePoint database. The Microsoft SharePoint database must have incoming TCP connections that are enabled to communicate with JSA.

    If you define a Database Instance when you use MSDE as the database type, you must leave the Port parameter blank in your configuration.

    Username

    Type the user name the log source can use to access the Microsoft SharePoint database.

    Password

    Type the password the log source can use to access the Microsoft SharePoint database.

    The password can be up to 255 characters in length.

    Confirm Password

    Confirm the password that is required to access the database. The confirmation password must be identical to the password entered in the Password field.

    Authentication Domain

    If you select MSDE as the Database Type and the database is configured for Windows Authentication, you must define the Windows Authentication Domain. Otherwise, leave this field blank.

    Database Instance

    Optional. Type the database instance, if you have multiple SQL server instances on your database server.

    If you use a non-standard port in your database configuration, or you block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

    Table Name

    Type AuditEvent as the name of the table or view that includes the event records.

    Select List

    Type * for all fields from the table or view.

    You can use a comma-separated list to define specific fields from tables or views, if it is needed for your configuration. The list must contain the field that is defined in the Compare Field parameter. The comma-separated list can be up to 255 alphanumeric characters in length. The list can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).

    Compare Field

    Type EventTime as the compare field. The compare field is used to identify new events added between queries to the table.

    Start Date and Time

    Optional. Type the start date and time for database polling.

    The Start Date and Time parameter must be formatted as yyyy-MM-dd HH:mm with HH specified by using a 24-hour clock. If the start date or time is cleared, polling begins immediately and repeats at the specified polling interval.

    Use Prepared Statements

    Select the Use Prepared Statements check box.

    Prepared statements allow the JDBC protocol source to set up the SQL statement one time, then run the SQL statement many times with different parameters. For security and performance reasons, it is suggested that you use prepared statements.

    Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.

    Polling Interval

    Type the polling interval, which is the amount of time between queries to the AuditEvent view you created. The default polling interval is 10 seconds.

    You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

    Use Named Pipe Communication

    Clear the Use Named Pipe Communication check box.

    When you use a Named Pipe connection, the user name and password must be the appropriate Windows authentication user name and password and not the database user name and password. Also, you must use the default Named Pipe.

    Use NTLMv2

    Select the Use NTLMv2 check box.

    This option forces MSDE connections to use the NTLMv2 protocol when it communicates with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.

    If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.

    Use SSL

    Select this check box if your connection supports SSL communication. This option requires extra configuration on your SharePoint database and also requires administrators to configure certificates on both appliances.

    Database Cluster Name

    If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.

    Note

    Selecting a value greater than 5 for the Credibility parameter weights your Microsoft SharePoint log source with a higher importance compared to other log sources in JSA.

  9. Click Save.
  10. On the Admin tab, click Deploy Changes.

Configuring a SharePoint Log Source for Predefined Database Queries

Administrators who do not have permission to create a database view because of policy restrictions can collect Microsoft SharePoint events with a log source that uses predefined queries.

Predefined queries are customized statements that can join data from separate tables when the database is polled by the JDBC protocol. To successfully poll for audit data from the Microsoft SharePoint database, you must create a new user or provide the log source with existing user credentials. For more information on creating a user account, see your vendor documentation.

  1. Click the Admin tab.
  2. On the navigation menu, click Data Sources.
  3. Click the Log Sources icon.
  4. In the Log Source Name field, type a name for the log source.
  5. In the Log Source Description field, type a description for the log source.
  6. From the Log Source Type list, select Microsoft SharePoint.
  7. From the Protocol Configuration list, select JDBC.
  8. Configure the following values:

    Table 2: Microsoft SharePoint JDBC Parameters

    Parameter

    Description

    Log Source Identifier

    Type the identifier for the log source. Type the log source identifier in the following format:

    <SharePoint Database>@<SharePoint Database Server IP or Host Name>

    Where:

    • <SharePoint Database> is the database name, as entered in the Database Name parameter.

    • <SharePoint Database Server IP or Host Name> is the host name or IP address for this log source, as entered in the IP or Hostname parameter.

    Database Type

    From the list, select MSDE.

    Database Name

    Type WSS_Logging as the name of the Microsoft SharePoint database.

    IP or Hostname

    Type the IP address or host name of the Microsoft SharePoint SQL Server.

    Port

    Type the port number that is used by the database server. The default port for MSDE is 1433.

    The JDBC configuration port must match the listener port of the Microsoft SharePoint database. The Microsoft SharePoint database must have incoming TCP connections that are enabled to communicate with JSA.

    If you define a Database Instance when you use MSDE as the database type, you must leave the Port parameter blank in your configuration.

    Username

    Type the user name the log source can use to access the Microsoft SharePoint database.

    Password

    Type the password the log source can use to access the Microsoft SharePoint database.

    The password can be up to 255 characters in length.

    Confirm Password

    Confirm the password that is required to access the database. The confirmation password must be identical to the password entered in the Password field.

    Authentication Domain

    If you select MSDE as the Database Type and the database is configured for Windows Authentication, you must define the Windows Authentication Domain. Otherwise, leave this field blank.

    Database Instance

    Optional. Type the database instance, if you have multiple SQL server instances on your database server.

    If you use a non-standard port in your database configuration, or block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

    Predefined Query

    From the list, select Microsoft SharePoint.

    Use Prepared Statements

    Select the Use Prepared Statements check box.

    Prepared statements allow the JDBC protocol source to set up the SQL statement one time, then run the SQL statement many times with different parameters. For security and performance reasons, it is suggested that you use prepared statements.

    Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.

    Start Date and Time

    Optional. Type the start date and time for database polling.

    If a start date or time is not selected, polling begins immediately and repeats at the specified polling interval.

    Polling Interval

    Type the polling interval, which is the amount of time between queries to the AuditEvent view you created. The default polling interval is 10 seconds.

    You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

    Use Named Pipe Communication

    Clear the Use Named Pipe Communication check box.

    When you use a Named Pipe connection, the user name and password must be the appropriate Windows authentication user name and password and not the database user name and password. Also, you must use the default Named Pipe.

    Use NTLMv2

    Select the Use NTLMv2 check box.

    This option forces MSDE connections to use the NTLMv2 protocol when they communicate with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.

    If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.

    Use SSL

    Select this check box if your connection supports SSL communication. This option requires extra configuration on your SharePoint database and also requires administrators to configure certificates on both appliances.

    Database Cluster Name

    If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.

    Note

    Selecting a value greater than 5 for the Credibility parameter weights your Microsoft SharePoint log source with a higher importance compared to other log sources in JSA.

  9. Click Save.
  10. On the Admin tab, click Deploy Changes.