SharePoint Audit Log Storage

The SharePoint audit log is completely internal to SharePoint; in fact it is stored in the SharePoint content database.

The fact that the audit log resides in the content database raises resource and security issues. Audit logs can be extremely voluminous which, left unchecked, can artificially inflate the SharePoint content database consuming costly amounts of SQL Server storage and slowing down SharePoint response time and operations.

Moreover, wide accepted security best practice dictates that we remove audit logs as quickly as possible (if not in a near real-time stream) to a separate and secure log repository for the purpose of protecting the integrity of the audit logs from intruders and/or malicious administrators.

As with all audit logs, it is critical for security and compliance requirements to get the audit log out of SharePoint and into the organization’s SIEM/log management solution. To solve this and other needs with SharePoint I started LOGbinder and designed LOGbinder for SharePoint.



Additional Resources