SharePoint 2010 Auditing

Posted on by

Why using auditing?

There could be different reasons, and they often depend on which vertical (e.g. Public/Government) you are located in.

  • Meet Regulatory and Legal requirements.
  • Track how documents (and items) are used.

By enabling Auditing we can track activities like:

–          List Access

–          Library Access

–          Opening of Documents

–          Editing Items

–          Check In / Check Out

–          Copying / Moving / Deleting items

–          Searching

–          Editing Permissions

 We strongly suggest that, based on your business needs or requirements, you try to define what information should be audited. Indeed, the audit functionality can be enabled on different levels in SharePoint’s containment hierarchy.

Specifically, you can enable auditing on these levels:

–          Site collection

–          Library/list

–          Folder

–          Content type

Audit activation will have an impact on overall performance and capacity aspects of your platform depending on the configuration. We suggest not to log everything but well to focus on the essential portion of your content.

This way we can minimize impact but it will also provide lighter and accurate reports to analyze.

How to activate?

1.      Site collection

Site Actions > Site Settings > Site Collection Administration > Site Collection audit settings.

[Needed access ] Site Collection Administrator

 Documents and items

Under the Documents and Items section you can enable the events you would like to audit. Logging will be enable to the whole site collection.

 Lists, libraries and sites

On the same page you also have the option to enable audit logging for Lists, Libraries and Sites. 

2.      Content Type

Site Actions > Site Settings > Galleries > Site Content Type

Needed access: Site Administrator  (Full control) or Designer 

Scroll down to Document Content Types and click on Document. Under Settings, click on Information management policy settings and select desired settings

 In this example we activated loggin for Task content type.

 

As a result, custom report on a task list library will return following log

3.      Library/List

Selected Library Settings –> Information management policy settings.

Needed access: Site Administrator  (Full control) or Design to change settings on the list.

ð  only Site collection administrator are able to generate reports.

If you select document, you can define the auditing policy for it. This will be applied for this specific list only.

Under the Content Types Policies section you can define a new policy or choose an existing policy created at the site collection level.

To create a new site collection level policy:

Site settings > Site Collection Administration > Policies > Add a policy

Needed access: Site collection administrator

Once a policy is created at the site collection level, you will be able to select this policy in libraries and lists.

How to view audit entries

Site Actions > Site Settings > Site Collection Administration > Audit log reports

Needed access: Site collection administrator

4.      General reports

In the appearing page View Auditing Reports you can see there are various categories of reports like:

–          Content Modification

–          Content Viewing

–          Deletion        

–          Policy Modification etc. 

Generating a type of report based on these options should conduct you to the following screen. You can now follow the link to see your report as an XLSX file with summary and detailed information. 

5.      Custom Report

This option is useful when we need to get a report based on a combination of:

–          Custom List

–          Particular user

–          Date Range

To generate the custom report, as site collection administrator, go to

Site Settings > Audit log reports > Run a custom report.

You should get the following page with filtering options:

 

You can choose Save Location, List, Dates, Users, and Events and click the OK button to generate the report as an XLSX file.

Understanding impact on capacity

Auditing activation impact performances but how, and what can we do to minimize impact on performance while taking advantage of this feature.

After some tests we remarked that auditing activation doesn’t have a massive impact on http requests but well on backend systems. The impact on performances will depend on:

  • How many site collection require auditing
    • # items to audit
      •  # events per items to audit

This will impact:

  1. Storage of database server in a first instance.
  2. Performance as soon as logging table will grow in size.

To illustrate our assumptions we used Fiddler to analyze traffic (Updates and views) between the client and the server.

Action: Upload 14Mb File

Number of HTTP requests issued without auditing: 9

Number of HTTP requests issued with auditing: 9

 

The audit entries are stored inside the SharePoint database. You can view this database inside the SharePoint SQL Server instance. The table storing the Audit records is AuditData.

This table will grow depending on the amount of object under auditing. Each audit activation will trigger one or multiple INSERT in the AuditData table

Here is an example of the storage needed to log a document setting change in a document library.

SQL line description and storage per field:

SiteId : 16 bytes

Item Id: 16 bytes

ItemType : 2 bytes

UserId: 4 bytes

Doclocation : 106 bytes

locationtype : 1 bytes

Occured : 8 bytes

event: 4 bytes

Eventsource : 1 bytes

Event Data : 102 bytes

Otherfields = NULL

 Meaning 260 Bytes

With all logging enabled a simple page display or refresh can trigger up to 5 lines in the database, thus, a minimum of ~1,3 KB on disk without taking indexes and I/O into account.

Guidelines ands considerations

Hopefully SharePoint 2010 comes with solution that should help keeping acceptable database size.

6.      Audit log trimming

Site Actions > Site Settings > Site Collection Administration > Site Collection audit settings.

Audit log trimming will help to maintain your SQL Audit table by deleting unnecessary items. It will then free up related storage in the database server and preserve storage capacity and performances.

As an option you can select a document library to store full report before truncating them. It will be accessible by users having read access to that particulal library.

By default, trimming will be done each last day of the month.

 

7.      Occasionally check Audit table size

You can use SQL Server Management studio, Right click the database >  Reports > Standard Reports > Disk Usage by Table  to get a clear viewed of the storage consumed by the auditing feature.

This can be used as a reference to configure the SharePoint trimming option.

 

8.      Server Object Models

We can also use programmatically the Server Object Model to interact with Audit. Following are some of the important audit classes inside the Microsoft.SharePoint namespace.

–          SPAudit

–          SPAuditEntry

–          SPAuditEventType

–          SPAuditQuery

Please refer to the documentation to get more information over this topic.

9.      Limit the size of the audit log

We strongly suggest that you focus your auditing on essentials objects to make the correct balance between performance/capacity impact and relevancy of your data.

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s