SharePoint audit logs: A key to better SharePoint management

April 20, 2018
By: Matija Hanzic
Last updated: May 18, 2023

SharePoint audit logs offer a comprehensive insight into what’s happening with your content on SharePoint. Learn how to properly set up your audit logs!

SharePoint is a complex, live infrastructure containing various kinds of content. As with every system, you need to keep track of user activity in your SharePoint environment and control malicious behavior.

Why? Let’s say you need to comply with various regulations, like HIPAA or GDPR, so you need to be able to detect activity connected to sensitive content. Or perhaps you need to get a bigger picture of how content is being used in order to optimize business processes. Or you just need to find a document that has been deleted or moved, something that may be tricky if nobody knows who deleted it or where it’s been moved to.

SharePoint audit logs can give you those answers. They offer a comprehensive insight into what’s happening with your content and permissions on SharePoint. You can easily answer questions like: “Who edited this document?” or “Who shared this document with other people?” Without this tool, you would soon be lost in your own environment, and eventually the whole system would fall apart.

How to configure SharePoint Farm audit settings

SharePoint farm audit logs are configured per site collection, through Site Settings. Under Site Collection Administration, you will find the Site Collection Audit Settings option.

SharePoint allows you to track the following events:

- Opened and downloaded documents, viewed items in lists, and viewed item properties (tracking of this latter event is not available for SharePoint Online sites)
- Edited items
- Checked-out and checked-in items
- Items that have been moved and copied to other locations in the site collection
- Deleted and restored items
- Changes to content type and column
- Search queries
- Changes to user accounts and permissions
- Changed audit settings and deleted audit log events
- Workflow events
- Custom events

Unfortunately, there is no way to add to this list, so this is the best you can do.

It is worth noting that unlike SharePoint usage logs, which go into a separate logging database, SharePoint audit logs are stored in the AuditData table inside the content database of the site collection. You need to be careful which events you track and how you configure the audit log trimming to avoid using excessive disk space for audit logs. This is especially important if you track “opened and downloaded documents,” “viewed items in lists,” or “viewed item properties” events, all of which can degrade the performance of your site collection.

Since you need to configure audit logs for each of your site collections independently, using a browser to accomplish this can be time-consuming and inefficient. Using PowerShell, you can target multiple site collections at once and automate the entire process. Here is a sample of code showing how this can be done:

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    # Enable "Editing users and permissions" audit logs
    $site = Get-SPSite http://contoso.com
    # -bor adds SecurityChange to the flags that are already set instead of replacing them
    $site.Audit.AuditFlags = $site.Audit.AuditFlags -bor [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
    $site.Audit.Update()
    $site.Dispose()

How to view and generate SharePoint audit logs reports

Once you configure the audit logs, you can view them in Site Settings. Under Site Collection Administration, you will find the Audit Logs Reports option.

It is straightforward: you choose the events you want to view and generate an Excel report. Then you can use Excel features like filtering and sorting to find the specific changes you are looking for.

The downside of this approach is that you have to do this one site collection at a time, which is very time-consuming. You can save some time by using PowerShell scripts to accumulate data from multiple site collections, but that data format is very hard to read. Most of this event data will be in an XML format unique to each event type. See the example below:

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    $site = Get-SPSite http://contoso.com
    $auditQuery = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $auditLogs = $site.Audit.GetEntries($auditQuery)
    foreach ($logEntry in $auditLogs) {
        # GetByID throws when the account no longer exists in the site collection
        try { $user = $site.RootWeb.SiteUsers.GetByID($logEntry.UserId).Name }
        catch { $user = "Unknown user (ID $($logEntry.UserId))" }
        Write-Host "Document: " $logEntry.DocLocation " Event: " $logEntry.Event " User: " $user " Details: " $logEntry.EventData
    }
    $site.Dispose()

SharePoint permissions and security audit across the Farm

Our tool, SPDockit, can help you configure and view SharePoint audit logs in one centralized location. You can create rules to automatically configure audit logs across your entire farm in just 30 seconds.

SPDockit Audit Log Reports allow you to easily detect changes across your entire farm and audit SharePoint permissions. The advantage of this tool over PowerShell scripts is that you can quickly drill down to specific site collections to view the logs in a readable, user-friendly format. Try it out with a 30-day free trial.

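Added example, not code from the original article: the single-site configuration snippet from the audit settings section, extended to every site collection in the farm and setting audit log trimming at the same time. The baseline event set, the 90-day retention and the `$apply` report-only switch are assumptions, and the script assumes PowerShell 3.0 or later in the SharePoint Management Shell.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$type = [Microsoft.SharePoint.SPAuditMaskType]
# Events to enable everywhere (assumed baseline; adjust to your policy).
# View is left out on purpose: it is the event class that inflates AuditData.
$baseline = $type::SecurityChange -bor $type::Delete -bor $type::Undelete -bor
            $type::Move -bor $type::Copy
$retentionDays = 90    # assumed retention period for audit log trimming
$apply = $false        # $false = report only, $true = write the settings

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        $before = $site.Audit.AuditFlags
        # Add the baseline to whatever is already enabled on this site collection
        $after = [Microsoft.SharePoint.SPAuditMaskType]($before -bor $baseline)
        if ($apply) {
            $site.Audit.AuditFlags = $after
            $site.Audit.Update()
            $site.TrimAuditLog = $true
            $site.AuditLogTrimmingRetention = $retentionDays
        }
        [pscustomobject]@{
            Url           = $site.Url
            Before        = $before
            After         = $after
            # Flags site collections where the expensive view events are audited
            ViewAudited   = (([int]$after) -band [int]($type::View)) -ne 0
            Trimming      = $site.TrimAuditLog
            RetentionDays = $site.AuditLogTrimmingRetention
        }
    } catch {
        Write-Warning "$($site.Url): $($_.Exception.Message)"
    } finally {
        $site.Dispose()
    }
}
$report | Sort-Object Url | Format-Table -AutoSize
```

Run it once with `$apply = $false` to see which site collections would change and which already audit view events, then set it to `$true`.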
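Added example, not code from the original article: the reporting loop from the audit log reports section, run across all site collections, keeping only permission and audit-setting events and flattening EventData into readable text before exporting to CSV. The 7-day window, the output path and the function name `ConvertFrom-AuditEventData` are assumptions, as is the choice to pass the range start as UTC; PowerShell 3.0 or later is assumed.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Flatten an EventData value into "name=value; ..." text (hypothetical helper).
# The value is wrapped in a dummy root because it can hold several top-level elements.
function ConvertFrom-AuditEventData([string]$EventData) {
    if ([string]::IsNullOrEmpty($EventData)) { return '' }
    try {
        $nodes = @(([xml]"<root>$EventData</root>").DocumentElement.ChildNodes |
                   Where-Object { $_.NodeType -eq 'Element' })
        if ($nodes.Count -eq 0) { return $EventData }
        ($nodes | ForEach-Object { "$($_.Name)=$($_.InnerText)" }) -join '; '
    } catch {
        $EventData    # not well-formed XML (for example a custom event): keep raw text
    }
}

# Assumed 7-day window, passed as UTC to match the Occurred timestamps
$since = (Get-Date).AddDays(-7).ToUniversalTime()

$rows = foreach ($site in Get-SPSite -Limit All) {
    try {
        # Cache user names once per site collection; deleted accounts have no entry
        $users = @{}
        foreach ($u in $site.RootWeb.SiteUsers) { $users[$u.ID] = $u.LoginName }

        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        $query.SetRangeStart($since)
        foreach ($entry in $site.Audit.GetEntries($query)) {
            # Keep permission changes plus changes to the audit trail itself
            if ("$($entry.Event)" -notmatch '^(Sec|AuditMaskChange|EventsDeleted)') { continue }
            $name = $users[$entry.UserId]
            if (-not $name) { $name = "id:$($entry.UserId)" }
            [pscustomobject]@{
                Site     = $site.Url
                Occurred = $entry.Occurred
                Event    = $entry.Event
                User     = $name
                Location = $entry.DocLocation
                Details  = ConvertFrom-AuditEventData $entry.EventData
            }
        }
    } catch {
        Write-Warning "$($site.Url): $($_.Exception.Message)"
    } finally {
        $site.Dispose()
    }
}
$rows | Sort-Object Occurred | Export-Csv -Path .\audit-security-changes.csv -NoTypeInformation
```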