SharePoint Server provides the ability to audit the usage of your SharePoint environment. The SharePoint Server auditing capabilities allow you to track all activities that occur within the environment. The site collection administrator has the ability to set auditing requirements within the environment that determine the types of actions that should be tracked. Reports are then available that can be used to review the logged events. These reports could also be used to create any needed audit reporting or statistics. You also have the ability to set audit logging settings to control the volume of audit information kept over time.
To manage audit settings for a site collection, follow these steps:
1. Navigate to the Site Settings page for the top-level site in the site collection.
2. On the Site Settings page, in the Site Collection Administration section, click
the Site Collection Audit Settings link.
3. On the Configure Audit Settings page, identify any audit log trimming settings,
and select the items to audit:
a. In the Audit Log Trimming section, identify if automatic audit log trimming
should be enabled, identify the number of days of audit log data to retain,
and specify a location to store audit reporting before trimming the audit log.
b. In the Documents and Items section, check the boxes in front of the events
to audit which can include the following:
• Opening or downloading documents, viewing items in lists, or viewing
item properties
• Editing items
• Checking out or checking in items
• Moving or copying items to another location in the site
• Deleting or restoring items
c. In the Lists, Libraries, and Sites section, check the boxes in front of the items
to audit which can include the following:
• Editing content types and columns
• Searching site content
• Editing users and permissions
d. Once all of the appropriate audit options have been set, click the OK button.
The auditing options are set, and you are returned to the Site Settings page.
The information about audited actions will be tracked as the associated actions occur in the environment. You can then run the audit reports to view the audit history for captured events.
To view the auditing reports, follow these steps:
1. Navigate to the Site Settings page for the top-level site in the site collection.
2. On the Site Settings page, in the Site Collection Administration section, click
the Audit Log Reports link.
3. On the View Auditing Reports page, click the name of the report you want to
execute.
4. For the Run a Custom Report option, the Run a Custom Report Page is
presented.
On this page, follow these steps:
a. In the File Location section, select where the report should be saved once it
is generated.
b. In the Location section, check if the report should be restricted to a specific
list, and if so, select the web site where the list is located and select the list.
c. In the Date Range section, specify the optional Start Date and/or End Date to
which the report should be restricted.
d. In the Users section, specify which users the report should be restricted to.
e. In the Events section, specify the events the report should be restricted to.
This list can include the following events:
• Opening or downloading documents, viewing items in lists, or viewing
item properties
• Editing items
• Checking out or checking in items
• Moving or copying items to another location in the site
• Deleting or restoring items
• Editing content types and columns
• Searching site content
• Editing users and permissions
• Editing auditing settings and deleting audit log events
• Workflow events
• Custom events
f. Once all of the appropriate report settings have been entered, click the OK
5. The report is generated, and the file is saved to the library specified.The generated XML file is saved to the location you specify, and you are returned to the View Auditing Reports page.
You can select to download any of the listed auditing reports. The following are
the reports included:
• Content Activity Reports
• Content modifications: Lists logged events for changes to site content
including documents, list items, and pages
• Content type and list modifications: Lists logged events for modifications to
content types, lists, and libraries
• Content viewing: Lists logged events for viewing content within the site
• Deletion: Lists logged events for content deletions and restorations
• Custom Reports
• Run a custom report: Enables you to create a custom report to retrieve logged
events for specific actions
• Information Management Policy Reports
• Expiration and Disposition: Lists logged events related to the expiration and
disposition of content
• Policy modifications: Lists logged events related to the creation and use of
content information management policies
• Security and Site Settings Reports
• Auditing settings: Lists logged events related to changes made to the auditing
settings
• Security settings: Lists logged events related to SharePoint security
configuration settings
If you have any queries or doubts regarding the above mentioned information then please let me know,Thanks...
great post...thanks
ReplyDeleteAre auditing events fired when opening a document in Office Web Apps?
ReplyDeleteWhat if I click "Edit Document" from inside Office Web App?
Regards,
Luca
Yes-Auditing events are fired within Office Web App.
ReplyDeleteAs OWA is part of server and not the client so all the events are gets captured inside auditing..
Please let me know in case of any queries/doubts, Thanks..
Hi Amol,
DeleteCan i capture audit data based on who published the item?
Thanks,
Mahesh
Can we retrieve data from the generated audit log files?
ReplyDeleteTo view the audit reports:
ReplyDelete1. Navigate to the Site Settings page for the top-level site in the site collection.
2. On the Site Settings page, in the Site Collection Administration section, click the Audit Log Reports link.
3. On the View Auditing Reports page, click the name of the report you want to execute.
4. For the Run a Custom Report option, the Run a Custom Report Page is presented. On this page, follow these steps:
a. In the File Location section, select where the report should be saved once it is generated.
b. In the Location section, check if the report should be restricted to a specific list, and if so, select the web site where the list is located and select the list.
c. In the Date Range section, specify the optional Start Date and/or End Date to which the report should be restricted.
d. In the Users section, specify which users the report should be restricted to.
e. In the Events section, specify the events the report should be restricted to.In your case include the following events:
• Opening or downloading documents, viewing items in lists, or viewing item properties
• Editing items
Once all of the appropriate report settings have been entered, click the OK button.
5. The report is generated, and the file is saved to the library specified.
In case of any queries/questions then please let me know,Thanks for your patience...
Wonderfull information.
ReplyDeleteGood way to summarize and brief if someone wants to easily understand the capabilities of Sharepoint Auditing actions and reports
Thank you very much for your comments..Please let me know in case of any queries/questions,Thanks..
ReplyDeleteDo you know how to do the above in PowerShell? I'm creating a site collection creation script and would like to include that as well. Thank you.
ReplyDeleteI have never done this before but you can refer the following links regarding the same: Thanks for your patience
ReplyDeletehttp://www.sharemuch.com/2011/03/20/managing-sharepoint-2010-auditing-settings-with-powershell/
http://www.sharemuch.com/?s
http://resolutionsnet.wordpress.com/2010/01/03/enable-auditing/
Can i clarify a couple of things in SP2010
ReplyDelete1) Is Auditing on by default in team sites when you create them
2) Is there a way in the GUI interface to turn off / on auditing
3) If you do not specify any trimming in Site collection audit settings, will SP2010 remove any data over 1 month old from the current date? So whilst you may think everything is being logged if you get a query relating to an issue that happened 6 weeks ago you wont be able to assist unless you trim and store? As SP2010 will have removed this.
4) If a user was to discard a checkout is this audited?
thanks
Brad
Hello Brad,
ReplyDeletePlease refer the requested info as mentioned below. Please let me know in case of any questions/queries,Thanks for your patience..
1) Is Auditing on by default in team sites when you create them: NO
2) Is there a way in the GUI interface to turn off / on auditing: YES (please refer the following steps)
-Navigate to the Site Settings page for the top-level site in the site collection.
-On the Site Settings page, in the Site Collection Administration section, click the Site Collection Audit Settings link.
-On the Configure Audit Settings page, identify any audit log trimming settings and select the items to audit
3) If you do not specify any trimming in Site collection audit settings, will SP2010 remove any data over 1 month old from the current date? So whilst you may think everything is being logged if you get a query relating to an issue that happened 6 weeks ago you wont be able to assist unless you trim and store? As SP2010 will have removed this.
-By default period is 30 days but you can customized it by using SPD/might be achived by using customized coding
4) If a user was to discard a checkout is this audited?-YES
The Auditing policy feature logs events and operations that are performed on documents and list items.
Essentially its this
-Opening or downloading documents, viewing items in lists, or viewing item properties
-Editing items
-Checking out or checking in items
-Moving or copying items to another location in the site
-Deleting or restoring items
-and on Lists, Libraries, and Sites you have
-Editing content types and columns
-Searching site content
-Editing users and permissions
Is it possible to generate a report for a single item (item-level auditing)? It seems like this should be a simple click from the drop down on the item but the Audit Report in Compliance Details just takes me to the aggregate reports.
ReplyDeleteOut-of-box, You will get a report of every event which is happened/executed on your site collection but a report will not be generated specific to single Item.
ReplyDeleteThese events will be as follows:
-Opening or downloading documents, viewing items in lists, or viewing item properties
-Editing items
-Checking out or checking in items
-Moving or copying items to another location in the site
-Deleting or restoring items
-and on Lists, Libraries, and Sites you have
-Editing content types and columns
-Searching site content
-Editing users and permissions
If you do customization then it might be possible by using the following links:
http://msdn.microsoft.com/en-us/library/bb397403(v=office.12).aspx
http://msdn.microsoft.com/en-us/library/bb397403(v=office.12).aspx#MOSS2007ItemLevelAudit_ItemLevelAuditingACustomAuditingSolution
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0e4dd1e7-4b1d-4cb1-b906-6d5d272c8e9d&displaylang=en
Please check and let me know in case of any further queries/questions,Thanks
good article
ReplyDeleteHi Amol
ReplyDeleteThis is a good clear guide. However, I do not have an "Audit Log reports" link. I am on page
"/sites/nnnn/_layouts/settings.aspx", which is recognised as the Site settings page. Under "Site Collection Administration", the link Site collection Audit settings" takes me off to "AuditSettings.aspx" & where all events are checked. I am getting high level Web Analytics reports from the WSS_logging database. But the detailed Audit stuff is missing.
Many thanks Richard
Please run this command:
ReplyDeleteSTSADM.EXE -o activatefeature -name Reporting -url http://sitecollectionurl -force
PLease let me know in case of any issues/queries/questions, Thanks for your patience..
Many Thanks for this. We now have some nice detailed reports. Thanks again
ReplyDeleteRichard
How can I schedule a SPTimer job to 'Run a Custom Report' on a regular basis ? Thanks.
ReplyDeleteI have not implemented this as of now but conveying some referrences that might be helpful:
ReplyDeleteCreating Custom SharePoint Timer Jobs
http://www.andrewconnell.com/blog/articles/CreatingCustomSharePointTimerJobs.aspx
Timer job reference (SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/cc678870.aspx#ManageJobs
http://www.alexbruett.net/?p=69
http://www.petestilgoe.com/category/sharepoint-timer-jobs/
Please let me know in case of any further queries, Thank you
Hi,
ReplyDeleteArtice is really nice but as per the requirement can we customize audit reports in readable form as this OOB report is quite complicated to read for end user or admin.
Please advice in this case,
The above requirement is for sharepoint 2010.
ReplyDeleteThanks
These reports are generated automatically when we activates the reporting feature. Out of box there is no way but what i can suggest you is when we download the reports(to excel) then you can customize it by your own requirements so that you can present them to your admins group.
ReplyDeletePlease let me know in case of any further queries/questions, thank you
Hi, Nice post.
ReplyDeleteI've got couple of questions.
1. How to give power users to access the custom audit log report run on a particular document library?
2. How to refresh the data on the report. do we need to create a new one every time?
Appreciate any help!
audit settings and custom audit log reports are a part of site collection administration section. if the users are belongs to site collection admin section then only those users can see the audit reports.
Deleteout of box there is no way by which we can manage the permissions for that specific reports.
regarding second section, behind this data refresh, auditing timer job is already running in the background. whenever you clicked on that report then it will refresh automatically.
if you need to check the specific timing behind this timer job then you can check by means of this: Central Administration-Operations-Timer Job Status.
if you have any queries/questions regarding the above mentioned information then please let me know. I would be more than happy to help you as well as resolves your issues, thank you
The logical question that some people are asking is whether there is a way to automate the creation of Custom Audit Log reports, so that the user does not have to go in each time and choose all of the options all over again - and so that the user is not required to be a Site Collection administrator.
ReplyDeleteThe only substantive reply that anyone has given is to use the SPAuditQuery object, usually in a Timer Job. Having had just a quick look at the help for this object, it seems that one would need to write a fair bit of custom code to extract the data - there is not a particular Method that will output a Custom Audit Log Report, with the appropriate parameters.
This seems to be a glaring error.
Even if one requiores a Site Collection Administrator to run custom Audit Log Reports, say weekly, then it is not viable to get that person to manually enter all of the settings each time this is done.
Surely there is some PowerShell command for getting this done...
I have not done this as of now but i have one saved ref which might help you to get that done: http://www.sharemuch.com/2011/03/20/managing-sharepoint-2010-auditing-settings-with-powershell/
ReplyDeletePlease check and let me know in case of any further queries. Thank you
Hi,
ReplyDeleteI have a requirement wherein i need to get data which is modified/updated/deleted. That is, I need to get old value as well as new value of any modifications done in any part of the site collection. So is there any way to achive this??
Magnificent items from you, man. I've bear in mind your stuff previous to and you are simply too wonderful. I really like what you've acquired right here, certainly like what you're stating and the best way through which you are saying it. You make it entertaining and you continue to care for to keep it wise. I can not wait to learn far more from you. That is really a great site.
ReplyDeleteMy webpage: proxy list
Hi Amol,
ReplyDeleteGreat post, but when I choose "Run Custom Report", I'm not offered to specify the location to save the report. Where are custom aufit reports created if there's no option to specify the save location?
Thanks!
Thanks for your patience.
ReplyDeletehere are the complete details:
1.On the Records Center site, on the Site Actions menu, click Site Settings.
2.On the Site Settings page, in the Site Collection Administration section, click Audit log reports.
3.On the View Auditing Reports page, in the Custom Reports section, click Run a custom report.
4.On the Run a custom report – Customize page, in the Location section, click Restrict this report to in order to specify that this report should be restricted to a particular list in the site collection. Select the site and list to which you want to restrict the report from the Web and Lists options.
Hi Amol, thanks... but I've done that and I still don't get an output file. I just get
ReplyDelete"Your report is being generated. Click OK to return to the home page". Could this be a known issue in 2007? Or perhaps there's a standard output folder and I just don't know where it is?
Thanks!
OK, never mind... running the report from my own profile, but logged into SharePoint as an admin seems to have done the trick! Thanks anyhow...
ReplyDeleteExcellent!! Its great that the issue has been resolved. Please let me know in case of any further queries/questions, Thank you.
ReplyDeleteHi Amol
ReplyDeleteIs it possible to check the visited Hyper Links which user has visited or clicked. on a perticular site or web.
If those hyperlinks are present on the SharePoint site then it should be visible inside the auditing logs
ReplyDeletemake sure the proper check boxes should be checked inside audit settings before analyzing the logs.
let me know in case of any further queries, thanks for your patience
Hi Amol,
ReplyDeleteI'm very new to Sharepoint development and currently working on Audit log reports in Sharepoint 2010. Is it possible to add custom fields to the excel report that gets generated in Sharepoint 2010.
For eg. for the event 'Security Group Member Add', the Event Data column in my audit log excel report has the following XML fields groupid,userid,username.
The groupid as such is not helpful for auditing, so I would like to add the group name as well.Can you please let me know if this is possible in Sharepoint 2010?If yes,how to go about doing it?
I've searched a lot but couldn't find a solution.All the artices just talk about filtering based on events and so on.
while setting up the audit settings and fetching the audit reports, you have a link on the same page named as "custom reports"- did you tried that? Please let me know if that fulfills the requirements, thanks for your patience....
Deletecan i have audit entries of all site collection to dedicated database for this propose because i don't need to grow up my content database due to these logs
ReplyDeleteI have a question that maybe you have not heard yet? I want to be able to grant site owners site collection admin access to manage their sites. The problem is I don't want them to be able to turn off the audit settings for the site collection. I s there a way to modify the site collection to accomplish this functionality. I am asking if the site collection administrator so they cannot change audit settings.
ReplyDeleteThanks
sorry to convey you but this is not possible. once you have given site collection admin then they can see all the sections on the site settings page.....
DeleteHi Amol, Can I capture the error which just came after I activates a feature?
ReplyDeleteAlthough ULS capyures that, but I am unable to resolve.
The error is like " Could not load type 'a.DocumentLibraryEvents' from assembly 'a, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ed1cd851a8f341d0."
The ULS log is created in a code path where all control templates are loaded into the web application. This is a one time process which happens just before showing any UI to the user after an IISReset.
DeleteThe source of the problem looks like a stale control template in the control templates folder while the control itself has been removed from the code base.
I'm impressed, I muѕt ѕay. Ѕeldom do
ReplyDeleteI encounter a blog that's еqually educatiѵe and entertаining, аnd without
a ԁoubt, you've hit the nаil on the head. Τhe issuе is something that not enough men аnԁ ωomеn агe speaking іntelligently about.
Nοw i'm very happy I stumblеԁ acгoss thіs during my hunt for
something relatіng tо this.
my bog post: voyance gratuite
Thank you. Do let me know in case of any queries/questions, I would be more than happy to help as well as share my expertise.
DeleteHi Amol,
DeleteI have a Question, While fetching the Audit Log Programmatically last Downloaded document is not fetched from Auditing Log. To update the events it is taking 5 to 10 mins. After that i can fetch the data. Is there any way to refresh the log to be reflected immediatly? The below is my code
SPAuditQuery wssQuery = new SPAuditQuery(SPContext.Current.Web.Site);
wssQuery.RestrictToUser(SPContext.Current.Web.CurrentUser.ID);
wssQuery.AddEventRestriction(SPAuditEventType.View);
wssQuery.RestrictToList(list)
//set the query date range
wssQuery.SetRangeEnd(DateTime.Now);
wssQuery.SetRangeStart(DateTime.Now.AddMinutes(-30));// To get the last 30 Mins of data
SPContext.Current.Web.Site.Audit.Update();
SPContext.Current.Web.Update();
SPAuditEntryCollection auditCol = SPContext.Current.Web.Site.Audit.GetEntries(wssQuery);
Can you please suggest on this ?
This comment has been removed by the author.
DeleteHi Amol,
ReplyDeleteI believe you can help on the below issue.
Code : To fetch the Audit log details for last 30 mins
SPAuditQuery wssQuery = new SPAuditQuery(SPContext.Current.Web.Site);
wssQuery.RestrictToUser(SPContext.Current.Web.CurrentUser.ID);
wssQuery.AddEventRestriction(SPAuditEventType.View);
wssQuery.RestrictToList(list)
//set the query date range
wssQuery.SetRangeEnd(DateTime.Now);
wssQuery.SetRangeStart(DateTime.Now.AddMinutes(-30));// To get the last 30 Mins of data
SPContext.Current.Web.Site.Audit.Update();
SPContext.Current.Web.Update();
SPAuditEntryCollection auditCol = SPContext.Current.Web.Site.Audit.GetEntries(wssQuery);
Steps followed :
1. Downloaded 3 documents sequentially
2. Gave pause for 15 seconds
3. Downloaded next 2 documents sequentially
4. Executed my above mentioned program
Result : Fetched only first 3 documents, documents which are downloaded after pause is not retrieved
5. Generated the custom report (or ) Do new Download
Result : I can See 5 Documents (In case of 5th step is new download, I can See 5 Documents instead of 6 documents)
6: Executed my above mentioned program
Result : I can See 5 Documents (In case of 5th step is new download, I can See 5 Documents instead of 6 documents)
Conclusion: Most recent download event is pushed by other relevant(Custom Report Generation or Download) event
Am i Missing anything to obtain proper result ?
Your help is highly appreciated !!
This comment has been removed by the author.
ReplyDeleteHI Amol,
ReplyDeleteI generated the report . When I am trying to view the report it says"An error has occured Please Try again".
Please help!
Hmm, it seems like your site ate my first comment (it was extremely long) so I guess I’ll just sum it up what I had written and say, I’m thoroughly enjoying your blog. I as well as an aspiring blog writer, but I’m still new to the whole thing. Do you have any recommendations for newbie blog writers? I’d appreciate it.
ReplyDeleteAdvanced AWS Training in Bangalore | Best Amazon Web Services Training Institute in Bangalore
Advanced AWS Training Institute in Pune | Best Amazon Web Services Training Institute in Pune
Advanced AWS Online Training Institute in india | Best Online AWS Certification Course in india
AWS training in bangalore | Best aws training in bangalore
Very nice post here and thanks for it .I always like and such a super contents of these post.Excellent and very cool idea and great content of different kinds of the valuable information's.
ReplyDeletemicrosoft azure training in bangalore
rpa training in bangalore
best rpa training in bangalore
rpa online training
This is ansuperior writing service point that doesn't always sink in within the context of the classroom. In the first superior writing service paragraph you either hook the reader's interest or lose it. Of course your teacher, who's getting paid to teach you how to write an good essay,
ReplyDeletePython Online certification training
python Training institute in Chennai
Python training institute in Bangalore
Thanks for sharing a blog.
ReplyDeletePython training in bangalore
Data science with python training in Bangalore
AWS training in Banaglore
J meter training in Bangalore
Its help me to improve my knowledge and skills also.im really satisfied in this microsoft azure session.microsoft azure training in bangalore
ReplyDeletePython training institute
ReplyDeleteNice Blog...Thanks for information...
ReplyDeletepython training in bangalore