SharePoint 2010: Site Collection Auditing



SharePoint Server provides the ability to audit the usage of your SharePoint environment. The SharePoint Server auditing capabilities allow you to track all activities that occur within the environment. The site collection administrator has the ability to set auditing requirements within the environment that determine the types of actions that should be tracked. Reports are then available that can be used to review the logged events. These reports could also be used to create any needed audit reporting or statistics. You also have the ability to set audit logging settings to control the volume of audit information kept over time.

To manage audit settings for a site collection, follow these steps:

1. Navigate to the Site Settings page for the top-level site in the site collection.

2. On the Site Settings page, in the Site Collection Administration section, click the Site Collection Audit Settings link.

3. On the Configure Audit Settings page, identify any audit log trimming settings, and select the items to audit:

a. In the Audit Log Trimming section, identify whether automatic audit log trimming should be enabled, identify the number of days of audit log data to retain, and specify a location to store audit reports before trimming the audit log.

b. In the Documents and Items section, check the boxes in front of the events to audit, which can include the following:
• Opening or downloading documents, viewing items in lists, or viewing item properties
• Editing items
• Checking out or checking in items
• Moving or copying items to another location in the site
• Deleting or restoring items

c. In the Lists, Libraries, and Sites section, check the boxes in front of the items to audit, which can include the following:
• Editing content types and columns
• Searching site content
• Editing users and permissions

d. Once all of the appropriate audit options have been set, click the OK button.

The auditing options are set, and you are returned to the Site Settings page.
The information about audited actions will be tracked as the associated actions occur in the environment. You can then run the audit reports to view the audit history for captured events.
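
The same settings can be applied and verified from the SharePoint 2010 Management Shell. The script below is an added example, not part of the original post; the site URL and retention value are placeholders, and the mapping from the check boxes to `SPAuditMaskType` flags is an assumption based on the flag names.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell on a farm server.
param(
    [string]$SiteUrl = "http://sitecollectionurl",  # placeholder URL
    [int]$RetentionDays = 90                         # illustrative retention period
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed mapping: check boxes on the Configure Audit Settings page -> SPAuditMaskType flags.
$checkboxFlags = @{
    "Opening or downloading documents, viewing items" = "View"
    "Editing items"                                   = "Update"
    "Checking out or checking in items"               = "CheckOut, CheckIn"
    "Moving or copying items"                         = "Copy, Move"
    "Deleting or restoring items"                     = "Delete, Undelete"
    "Editing content types and columns"               = "ProfileChange, SchemaChange"
    "Searching site content"                          = "Search"
    "Editing users and permissions"                   = "SecurityChange"
}

# PowerShell converts a comma-separated list of names into a flags enum value.
$wanted = [Microsoft.SharePoint.SPAuditMaskType](@($checkboxFlags.Values) -join ", ")

$site = Get-SPSite $SiteUrl
try {
    Write-Host "Audit flags before: $($site.Audit.AuditFlags)"

    # Audit Log Trimming section: enable trimming and set the retention period.
    $site.TrimAuditLog = $true
    $site.AuditLogTrimmingRetention = $RetentionDays

    # Documents and Items / Lists, Libraries, and Sites sections.
    $site.Audit.AuditFlags = $wanted
    $site.Audit.Update()
}
finally {
    $site.Dispose()
}

# Re-open the site collection and confirm that the settings were persisted.
$site = Get-SPSite $SiteUrl
try {
    $actual  = $site.Audit.AuditFlags
    $missing = [Microsoft.SharePoint.SPAuditMaskType]([int]$wanted -band (-bnot [int]$actual))

    Write-Host "Audit flags after:  $actual"
    Write-Host "Trimming enabled:   $($site.TrimAuditLog), retention $($site.AuditLogTrimmingRetention) days"
    if ([int]$missing -ne 0) {
        Write-Warning "Requested but not enabled: $missing"
    }
}
finally {
    $site.Dispose()
}
```

The location used to store reports before trimming is not set by this script and is still chosen on the Configure Audit Settings page.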

To view the auditing reports, follow these steps:

1. Navigate to the Site Settings page for the top-level site in the site collection.
2. On the Site Settings page, in the Site Collection Administration section, click the Audit Log Reports link.
3. On the View Auditing Reports page, click the name of the report you want to execute.
4. For the Run a Custom Report option, the Run a Custom Report page is presented. On this page, follow these steps:

a. In the File Location section, select where the report should be saved once it is generated.

b. In the Location section, check if the report should be restricted to a specific list, and if so, select the web site where the list is located and select the list.

c. In the Date Range section, specify the optional Start Date and/or End Date to which the report should be restricted.

d. In the Users section, specify which users the report should be restricted to.

e. In the Events section, specify the events the report should be restricted to. This list can include the following events:
• Opening or downloading documents, viewing items in lists, or viewing item properties
• Editing items
• Checking out or checking in items
• Moving or copying items to another location in the site
• Deleting or restoring items
• Editing content types and columns
• Searching site content
• Editing users and permissions
• Editing auditing settings and deleting audit log events
• Workflow events
• Custom events

f. Once all of the appropriate report settings have been entered, click the OK button.

5. The report is generated, and the XML file is saved to the library you specified. You are then returned to the View Auditing Reports page.
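
A custom report can also be approximated from the SharePoint 2010 Management Shell with `SPAuditQuery`. This added example (not from the original post) restricts the query to the events that matter most for audit integrity and permission review; the URL, look-back window and output file name are placeholders.

```powershell
# Added example. Run in the SharePoint 2010 Management Shell on a farm server.
param(
    [string]$SiteUrl = "http://sitecollectionurl",  # placeholder URL
    [int]$Days = 7,                                 # illustrative look-back window
    [string]$OutFile = ".\audit-review.csv"         # hypothetical output path
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# SPAuditEventType names: changes to the audit trail itself, then permission changes.
$tamperEvents = "AuditMaskChange", "EventsDeleted"
$accessEvents = "SecGroupMemberAdd", "SecGroupMemberDel",
                "SecRoleBindUpdate", "SecRoleBindBreakInherit"

$site = Get-SPSite $SiteUrl
try {
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)

    # SPAuditEntry.Occurred is UTC; the range is passed in UTC on that assumption.
    $query.SetRangeStart([DateTime]::UtcNow.AddDays(-$Days))
    $query.SetRangeEnd([DateTime]::UtcNow)

    foreach ($name in ($tamperEvents + $accessEvents)) {
        $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]$name)
    }

    # Resolve each user id once; deleted accounts can no longer be looked up.
    $userCache = @{}
    $rows = @(foreach ($entry in $site.Audit.GetEntries($query)) {
        if (-not $userCache.ContainsKey($entry.UserId)) {
            try   { $userCache[$entry.UserId] = $site.RootWeb.SiteUsers.GetByID($entry.UserId).LoginName }
            catch { $userCache[$entry.UserId] = "unresolved id $($entry.UserId)" }
        }
        New-Object PSObject -Property @{
            OccurredUtc = $entry.Occurred
            Event       = $entry.Event
            User        = $userCache[$entry.UserId]
            Location    = $entry.DocLocation
            EventData   = $entry.EventData   # XML fragment, as in the Event Data report column
            AuditTamper = ($tamperEvents -contains $entry.Event.ToString())
        }
    })

    $rows | Sort-Object OccurredUtc |
        Select-Object OccurredUtc, Event, User, Location, EventData, AuditTamper |
        Export-Csv -Path $OutFile -NoTypeInformation

    $tamper = @($rows | Where-Object { $_.AuditTamper })
    Write-Host ("{0} entries exported, {1} touch the audit log or its settings" -f $rows.Count, $tamper.Count)
}
finally {
    $site.Dispose()
}
```

Rows with `AuditTamper` set correspond to the "Editing auditing settings and deleting audit log events" option in the list above and are worth reviewing first.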

You can select to download any of the listed auditing reports. The following are the reports included:

• Content Activity Reports
  • Content modifications: Lists logged events for changes to site content including documents, list items, and pages
  • Content type and list modifications: Lists logged events for modifications to content types, lists, and libraries
  • Content viewing: Lists logged events for viewing content within the site
  • Deletion: Lists logged events for content deletions and restorations
• Custom Reports
  • Run a custom report: Enables you to create a custom report to retrieve logged events for specific actions
• Information Management Policy Reports
  • Expiration and Disposition: Lists logged events related to the expiration and disposition of content
  • Policy modifications: Lists logged events related to the creation and use of content information management policies
• Security and Site Settings Reports
  • Auditing settings: Lists logged events related to changes made to the auditing settings
  • Security settings: Lists logged events related to SharePoint security configuration settings


If you have any queries or doubts regarding the above-mentioned information, then please let me know. Thanks...

48 comments:

  1. Are auditing events fired when opening a document in Office Web Apps?
    What if I click "Edit Document" from inside Office Web App?

    Regards,
    Luca

  2. Yes, auditing events are fired within Office Web App.

    As OWA is part of the server and not the client, all the events get captured inside auditing.

    Please let me know in case of any queries/doubts. Thanks.

    Replies
    1. Hi Amol,

      Can I capture audit data based on who published the item?

      Thanks,
      Mahesh

  3. Can we retrieve data from the generated audit log files?

  4. To view the audit reports:

    1. Navigate to the Site Settings page for the top-level site in the site collection.

    2. On the Site Settings page, in the Site Collection Administration section, click the Audit Log Reports link.

    3. On the View Auditing Reports page, click the name of the report you want to execute.

    4. For the Run a Custom Report option, the Run a Custom Report Page is presented. On this page, follow these steps:
    a. In the File Location section, select where the report should be saved once it is generated.
    b. In the Location section, check if the report should be restricted to a specific list, and if so, select the web site where the list is located and select the list.
    c. In the Date Range section, specify the optional Start Date and/or End Date to which the report should be restricted.
    d. In the Users section, specify which users the report should be restricted to.
    e. In the Events section, specify the events the report should be restricted to. In your case include the following events:
    • Opening or downloading documents, viewing items in lists, or viewing item properties
    • Editing items
    Once all of the appropriate report settings have been entered, click the OK button.

    5. The report is generated, and the file is saved to the library specified.

    In case of any queries/questions then please let me know. Thanks for your patience...

  5. Wonderful information.

    Good way to summarize and brief if someone wants to easily understand the capabilities of SharePoint Auditing actions and reports

  6. Thank you very much for your comments. Please let me know in case of any queries/questions. Thanks.

  7. Do you know how to do the above in PowerShell? I'm creating a site collection creation script and would like to include that as well. Thank you.

  8. I have never done this before, but you can refer to the following links regarding the same. Thanks for your patience.

    http://www.sharemuch.com/2011/03/20/managing-sharepoint-2010-auditing-settings-with-powershell/

    http://www.sharemuch.com/?s

    http://resolutionsnet.wordpress.com/2010/01/03/enable-auditing/

  9. Can I clarify a couple of things in SP2010

    1) Is Auditing on by default in team sites when you create them
    2) Is there a way in the GUI interface to turn off / on auditing
    3) If you do not specify any trimming in Site collection audit settings, will SP2010 remove any data over 1 month old from the current date? So whilst you may think everything is being logged if you get a query relating to an issue that happened 6 weeks ago you won't be able to assist unless you trim and store? As SP2010 will have removed this.
    4) If a user was to discard a checkout is this audited?

    thanks
    Brad

  10. Hello Brad,

    Please refer to the requested info as mentioned below. Please let me know in case of any questions/queries. Thanks for your patience.

    1) Is Auditing on by default in team sites when you create them: NO

    2) Is there a way in the GUI interface to turn off / on auditing: YES (please refer the following steps)

    -Navigate to the Site Settings page for the top-level site in the site collection.

    -On the Site Settings page, in the Site Collection Administration section, click the Site Collection Audit Settings link.

    -On the Configure Audit Settings page, identify any audit log trimming settings and select the items to audit

    3) If you do not specify any trimming in Site collection audit settings, will SP2010 remove any data over 1 month old from the current date? So whilst you may think everything is being logged if you get a query relating to an issue that happened 6 weeks ago you won't be able to assist unless you trim and store? As SP2010 will have removed this.

    -By default the period is 30 days, but you can customize it by using SPD/might be achieved by using customized coding

    4) If a user was to discard a checkout is this audited?-YES

    The Auditing policy feature logs events and operations that are performed on documents and list items.

    Essentially it's this
    -Opening or downloading documents, viewing items in lists, or viewing item properties
    -Editing items
    -Checking out or checking in items
    -Moving or copying items to another location in the site
    -Deleting or restoring items
    -and on Lists, Libraries, and Sites you have
    -Editing content types and columns
    -Searching site content
    -Editing users and permissions

  11. Is it possible to generate a report for a single item (item-level auditing)? It seems like this should be a simple click from the drop down on the item but the Audit Report in Compliance Details just takes me to the aggregate reports.

  12. Out of the box, you will get a report of every event which has happened/executed on your site collection, but a report will not be generated specific to a single item.

    These events will be as follows:
    -Opening or downloading documents, viewing items in lists, or viewing item properties
    -Editing items
    -Checking out or checking in items
    -Moving or copying items to another location in the site
    -Deleting or restoring items
    -and on Lists, Libraries, and Sites you have
    -Editing content types and columns
    -Searching site content
    -Editing users and permissions

    If you do customization then it might be possible by using the following links:

    http://msdn.microsoft.com/en-us/library/bb397403(v=office.12).aspx

    http://msdn.microsoft.com/en-us/library/bb397403(v=office.12).aspx#MOSS2007ItemLevelAudit_ItemLevelAuditingACustomAuditingSolution

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0e4dd1e7-4b1d-4cb1-b906-6d5d272c8e9d&displaylang=en

    Please check and let me know in case of any further queries/questions. Thanks.

  13. Hi Amol

    This is a good clear guide. However, I do not have an "Audit Log reports" link. I am on page
    "/sites/nnnn/_layouts/settings.aspx", which is recognised as the Site settings page. Under "Site Collection Administration", the link "Site collection Audit settings" takes me off to "AuditSettings.aspx", where all events are checked. I am getting high level Web Analytics reports from the WSS_logging database. But the detailed Audit stuff is missing.

    Many thanks Richard

  14. Please run this command:

    STSADM.EXE -o activatefeature -name Reporting -url http://sitecollectionurl -force

    Please let me know in case of any issues/queries/questions. Thanks for your patience.

  15. Many Thanks for this. We now have some nice detailed reports. Thanks again

    Richard

  16. How can I schedule a SPTimer job to 'Run a Custom Report' on a regular basis ? Thanks.

  17. I have not implemented this as of now but conveying some references that might be helpful:

    Creating Custom SharePoint Timer Jobs
    http://www.andrewconnell.com/blog/articles/CreatingCustomSharePointTimerJobs.aspx

    Timer job reference (SharePoint Server 2010)
    http://technet.microsoft.com/en-us/library/cc678870.aspx#ManageJobs

    http://www.alexbruett.net/?p=69

    http://www.petestilgoe.com/category/sharepoint-timer-jobs/

    Please let me know in case of any further queries, Thank you

  18. Hi,
    The article is really nice, but as per the requirement, can we customize audit reports in readable form, as this OOB report is quite complicated to read for an end user or admin?

    Please advise in this case.

  19. The above requirement is for sharepoint 2010.

    Thanks

  20. These reports are generated automatically when we activate the reporting feature. Out of the box there is no way, but what I can suggest is that when we download the reports (to Excel), you can customize them to your own requirements so that you can present them to your admins group.

    Please let me know in case of any further queries/questions. Thank you.

  21. Hi, Nice post.
    I've got a couple of questions.
    1. How to give power users access to the custom audit log report run on a particular document library?
    2. How to refresh the data on the report. Do we need to create a new one every time?

    Appreciate any help!

    Replies
    1. Audit settings and custom audit log reports are a part of the site collection administration section. If the users belong to the site collection admin section, then only those users can see the audit reports.

      Out of the box there is no way by which we can manage the permissions for those specific reports.

      Regarding the second section, behind this data refresh, the auditing timer job is already running in the background. Whenever you click on that report, it will refresh automatically.

      If you need to check the specific timing behind this timer job, then you can check by means of this: Central Administration-Operations-Timer Job Status.

      If you have any queries/questions regarding the above-mentioned information then please let me know. I would be more than happy to help you as well as resolve your issues. Thank you.

  22. The logical question that some people are asking is whether there is a way to automate the creation of Custom Audit Log reports, so that the user does not have to go in each time and choose all of the options all over again - and so that the user is not required to be a Site Collection administrator.

    The only substantive reply that anyone has given is to use the SPAuditQuery object, usually in a Timer Job. Having had just a quick look at the help for this object, it seems that one would need to write a fair bit of custom code to extract the data - there is not a particular Method that will output a Custom Audit Log Report, with the appropriate parameters.

    This seems to be a glaring error.

    Even if one requires a Site Collection Administrator to run custom Audit Log Reports, say weekly, then it is not viable to get that person to manually enter all of the settings each time this is done.

    Surely there is some PowerShell command for getting this done...

  23. I have not done this as of now, but I have one saved ref which might help you to get that done: http://www.sharemuch.com/2011/03/20/managing-sharepoint-2010-auditing-settings-with-powershell/

    Please check and let me know in case of any further queries. Thank you.

  24. Hi,
    I have a requirement wherein I need to get data which is modified/updated/deleted. That is, I need to get the old value as well as the new value of any modifications done in any part of the site collection. So is there any way to achieve this?

  25. Magnificent items from you, man. I've bear in mind your stuff previous to and you are simply too wonderful. I really like what you've acquired right here, certainly like what you're stating and the best way through which you are saying it. You make it entertaining and you continue to care for to keep it wise. I can not wait to learn far more from you. That is really a great site.
    My webpage: proxy list

  26. Hi Amol,

    Great post, but when I choose "Run Custom Report", I'm not offered to specify the location to save the report. Where are custom audit reports created if there's no option to specify the save location?

    Thanks!

  27. Thanks for your patience.

    Here are the complete details:

    1. On the Records Center site, on the Site Actions menu, click Site Settings.

    2. On the Site Settings page, in the Site Collection Administration section, click Audit log reports.

    3. On the View Auditing Reports page, in the Custom Reports section, click Run a custom report.

    4. On the Run a custom report – Customize page, in the Location section, click Restrict this report to in order to specify that this report should be restricted to a particular list in the site collection. Select the site and list to which you want to restrict the report from the Web and Lists options.

  28. Hi Amol, thanks... but I've done that and I still don't get an output file. I just get
    "Your report is being generated. Click OK to return to the home page". Could this be a known issue in 2007? Or perhaps there's a standard output folder and I just don't know where it is?

    Thanks!

  29. OK, never mind... running the report from my own profile, but logged into SharePoint as an admin seems to have done the trick! Thanks anyhow...

  30. Excellent!! It's great that the issue has been resolved. Please let me know in case of any further queries/questions. Thank you.

  31. Hi Amol

    Is it possible to check the hyperlinks which a user has visited or clicked on a particular site or web?

  32. If those hyperlinks are present on the SharePoint site then it should be visible inside the auditing logs.

    Make sure the proper check boxes are checked inside audit settings before analyzing the logs.

    Let me know in case of any further queries. Thanks for your patience.

  33. Hi Amol,

    I'm very new to SharePoint development and currently working on Audit log reports in SharePoint 2010. Is it possible to add custom fields to the Excel report that gets generated in SharePoint 2010?
    For example, for the event 'Security Group Member Add', the Event Data column in my audit log Excel report has the following XML fields: groupid, userid, username.
    The groupid as such is not helpful for auditing, so I would like to add the group name as well. Can you please let me know if this is possible in SharePoint 2010? If yes, how to go about doing it?
    I've searched a lot but couldn't find a solution. All the articles just talk about filtering based on events and so on.

    Replies
    1. While setting up the audit settings and fetching the audit reports, you have a link on the same page named "custom reports". Did you try that? Please let me know if that fulfills the requirements. Thanks for your patience.

  34. Can I have the audit entries of all site collections go to a dedicated database for this purpose? I don't want my content database to grow because of these logs.

  35. I have a question that maybe you have not heard yet? I want to be able to grant site owners site collection admin access to manage their sites. The problem is I don't want them to be able to turn off the audit settings for the site collection. Is there a way to modify the site collection to accomplish this functionality? I am asking if the site collection administrator so they cannot change audit settings.

    Thanks

    Replies
    1. Sorry to convey this to you, but this is not possible. Once you have given site collection admin, they can see all the sections on the site settings page.

  36. Hi Amol, can I capture the error which came just after I activate a feature?
    Although ULS captures that, I am unable to resolve it.
    The error is like " Could not load type 'a.DocumentLibraryEvents' from assembly 'a, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ed1cd851a8f341d0."

    Replies
    1. The ULS log is created in a code path where all control templates are loaded into the web application. This is a one time process which happens just before showing any UI to the user after an IISReset.
      The source of the problem looks like a stale control template in the control templates folder while the control itself has been removed from the code base.

  37. I'm impressed, I must say. Seldom do I encounter a blog that's equally educative and entertaining, and without a doubt, you've hit the nail on the head. The issue is something that not enough men and women are speaking intelligently about. Now I'm very happy I stumbled across this during my hunt for something relating to this.

    my blog post: voyance gratuite

    Replies
    1. Thank you. Do let me know in case of any queries/questions, I would be more than happy to help as well as share my expertise.

    2. Hi Amol,
      I have a question. While fetching the audit log programmatically, the last downloaded document is not fetched from the auditing log. To update the events it is taking 5 to 10 mins. After that I can fetch the data. Is there any way to refresh the log so it is reflected immediately? Below is my code:

      SPAuditQuery wssQuery = new SPAuditQuery(SPContext.Current.Web.Site);
      wssQuery.RestrictToUser(SPContext.Current.Web.CurrentUser.ID);
      wssQuery.AddEventRestriction(SPAuditEventType.View);
      wssQuery.RestrictToList(list);
      // Set the query date range
      wssQuery.SetRangeEnd(DateTime.Now);
      wssQuery.SetRangeStart(DateTime.Now.AddMinutes(-30)); // To get the last 30 minutes of data

      SPContext.Current.Web.Site.Audit.Update();
      SPContext.Current.Web.Update();

      SPAuditEntryCollection auditCol = SPContext.Current.Web.Site.Audit.GetEntries(wssQuery);

      Can you please suggest on this?

  38. Hi Amol,

    I believe you can help on the below issue.

    Code : To fetch the Audit log details for last 30 mins

    SPAuditQuery wssQuery = new SPAuditQuery(SPContext.Current.Web.Site);
    wssQuery.RestrictToUser(SPContext.Current.Web.CurrentUser.ID);
    wssQuery.AddEventRestriction(SPAuditEventType.View);
    wssQuery.RestrictToList(list);
    //set the query date range
    wssQuery.SetRangeEnd(DateTime.Now);
    wssQuery.SetRangeStart(DateTime.Now.AddMinutes(-30));// To get the last 30 Mins of data

    SPContext.Current.Web.Site.Audit.Update();
    SPContext.Current.Web.Update();

    SPAuditEntryCollection auditCol = SPContext.Current.Web.Site.Audit.GetEntries(wssQuery);



    Steps followed :

    1. Downloaded 3 documents sequentially

    2. Gave pause for 15 seconds

    3. Downloaded next 2 documents sequentially

    4. Executed my above mentioned program

    Result : Fetched only the first 3 documents; documents which are downloaded after the pause are not retrieved

    5. Generated the custom report (or ) Do new Download

    Result : I can See 5 Documents (In case of 5th step is new download, I can See 5 Documents instead of 6 documents)

    6: Executed my above mentioned program

    Result : I can See 5 Documents (In case of 5th step is new download, I can See 5 Documents instead of 6 documents)

    Conclusion: Most recent download event is pushed by other relevant(Custom Report Generation or Download) event

    Am I missing anything to obtain the proper result?

    Your help is highly appreciated !!


Your feedback is always appreciated. I will try to reply to your queries as soon as possible- Amol Ghuge