SharePoint Audit Log Event ID 11

SourceSharePoint (LOGbinder SP)
Audit FlagSecurityChange
Windows Security Log
Category
 • Subcategory
Object Access
 • Application Generated
Type Success

11: Site collection audit policy changed

This is an event from SharePoint audit event from LOGbinder SP generated by Audit Flag  SecurityChange.

On this page

This is an important event for SharePoint audit trail integrity.  Changing the audit policy maliciously or by accidentally could result in audit events not being logged.  Check the user who performed the operation.  Normally this should only be the LOGbinder SP service account.

Free Security Log Resources by Randy

Description Fields in 11

  • Occurred: this is the date and time when SharePoint recorded the event to the internal SharePoint audit log and may be earlier than the date/time in the header of this event which reflects when LOGbinder SP wrote the event to Windows event log
  • Site: This is the URL of the site generating this event
  • User: name of the user who performed the action
  • New audit policy: list of Audit Flags that have been enabled

 

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Where Does This Event Come From?

This Event Is Produced By

Which Integrates with Your SIEM

Examples of 11

Audit policy changed
Occurred: 11/22/2011 8:08:37 PM
Site: http://sp2010-sp
User: logbindersp
New audit policy: Check Out; Check In; Delete; Update; Profile Change; Child Delete; Schema Change; Security Change; Undelete; Workflow; Copy; Move; Search

In this example a user account named logbindersp enabled auditing on site collection http://sp2010-sp for multiple Audit Flags as specified in "New audit policy". The name of the account would indicate that LOGbinder SP changed the audit policy to reflect that defined within the LOGbinder SP GUI.

 

 

 

 

 

 

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources