SharePoint Audit Log Event ID 11
11: Site collection audit policy changed
This is an event from
SharePoint
audit event from
LOGbinder SP
generated by
.
On this page
This is an important event for SharePoint audit trail integrity. Changing the audit policy maliciously or by accidentally could result in audit events not being logged. Check the user who performed the operation. Normally this should only be the LOGbinder SP service account.
Free Security Log Resources by Randy
- Occurred: this is the date and time when SharePoint recorded the event to the internal SharePoint audit log and may be earlier than the date/time in the header of this event which reflects when LOGbinder SP wrote the event to Windows event log
- Site: This is the URL of the site generating this event
- User: name of the user who performed the action
- New audit policy: list of Audit Flags that have been enabled
Setup PowerShell Audit Log Forwarding in 4 Minutes
This Event Is Produced By
Which Integrates with Your SIEM
Audit policy changed
Occurred: 11/22/2011 8:08:37 PM
Site: http://sp2010-sp
User: logbindersp
New audit policy: Check Out; Check In; Delete; Update; Profile Change; Child Delete; Schema Change; Security Change; Undelete; Workflow; Copy; Move; Search
In this example a user account named logbindersp enabled auditing on site collection http://sp2010-sp for multiple Audit Flags as specified in "New audit policy". The name of the account would indicate that LOGbinder SP changed the audit policy to reflect that defined within the LOGbinder SP GUI.
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection