SharePoint audit logs: A key to better SharePoint management

SharePoint is a complex and live infrastructure containing various kinds of content. As with every system, you need to keep track of user activity in your SharePoint environment and control malicious behavior.

Why? Let’s say you need to comply with various regulations, like HIPAA or GDPR, so you need to be able to detect activity connected to sensitive content. Or perhaps you need to get a bigger picture of how content is being used in order to optimize business processes. Or you just need to find a document that has been deleted or moved, something that may be tricky if nobody knows who deleted it or where it’s been moved to.

SharePoint audit logs can give you those answers. They offer a comprehensive insight into what’s happening with your content and permissions on SharePoint. You can easily answer questions like: “Who edited this document?” or “Who shared this document with other people?” Without this tool, you would soon be lost in your own environment, and eventually the whole system would fall apart.

How to configure SharePoint Farm audit settings

SharePoint farm audit logs are configured according to site collection using the Site Settings button. Under Site Collection Administration, you will find the Site Collection Audit Settings option.

SharePoint allows you to track the following events:

• Opened and downloaded documents, viewed items in lists, and viewed item properties (tracking of this latter event is not available for SharePoint Online sites)
• Edited items
• Checked-out and checked-in items
• Items that have been moved and copied to other locations in the site collection
• Deleted and restored items
• Changes to content type and column
• Search queries
• Changes to user accounts and permissions
• Changed audit settings and deleted audit log events
• Workflow events
• Custom events

Unfortunately, there is no way to add to this list, so this is the best you can do. It is worth noting that unlike SharePoint usage logs, which go into a separate logging database, SharePoint audit logs are stored on the AuditData table inside the content database of the site collection. You need to be careful which events you track and how you configure the audit log trimming to avoid using excessive disk space for audit logs. This is especially important if you track “opened and downloaded documents,” “viewed items in lists,” or “viewed item properties” events, all of which can degrade the performance of your site collection.

Since you need to configure audit logs for each of your site collections independently, using a browser to accomplish this can be time-consuming and inefficient. Using PowerShell, you can target multiple site collections at once and automate the entire process. Here is a sample of code showing how this can be done:

#enable "Editing users and permissions" audit logs
$site = Get-SPSite http://contoso.com
$site.Audit.AuditFlags = $site.Audit.AuditFlags -bor [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
$site.Audit.Update()
$site.Dispose()

How to view and generate SharePoint audit logs reports

Once you configure the audit logs you can view them in Site Settings. Under Site Collection Administration you will find the Audit Logs Reports option. It is straightforward: you choose the events you want view and generate an Excel report. Then you can use Excel features like filtering and sorting to find specific changes you are looking for.

The downside of this approach is that you have to do this one site collection at a time, which is very time-consuming. You can save some time by using PowerShell scripts to accumulate data from multiple site collections, but that data format is very hard to read. Most of this event data will be in an xml format unique to each event type. See the example below:

$site = Get-SPSite http://contoso.com
$auditQuery = New-Object Microsoft.SharePoint.SPAuditQuery($site)
$auditLogs = $site.Audit.GetEntries($auditQuery)
foreach($logEntry in $auditLogs)
{
$user = $site.RootWeb.SiteUsers.GetByID($logEntry.UserId).Name
Write-Host "Dococument: " $logEntry.DocLocation " Event: " $logEntry.Event " User: " $user " Details: " $logEntry.EventData
}
$site.Dispose()

SharePoint permissions and security audit across the Farm 

Our tool, SPDockit, can help you configure and view SharePoint audit logs in one centralized location. You can create rules to automatically configure audit logs across your entire farm in just 30 seconds.

SPDockit Audit Log Reports allow you to easily detect changes across your entire farm and audit SharePoint permissions.

The advantage of this tool over PowerShell scripts is that you can quickly drill down to specific site collections to view the logs in a readable, user-friendly format. Try it out with a 30-day free trial.