How to Control SharePoint Auditing

Auditing is primarily controlled at the site collection (you can also customize auditing for specific libraries and lists).

In native SharePoint, there is no way to define a farm-wide audit policy and you must remember to configure audit policy each time new site collection is created which can especially be an issue in self- service site creations scenarios. (LOGbinder for SharePoint allows you to define a default audit policy for the entire site which applies to all site collections, including new ones, until and if you configure a site specific audit policy.)

To enable auditing you must be a site collection administrator. From the Site Settings page, look under Site Collection Administration, as pictured here, for “Site collection audit settings”.

That link displays the page you see to the right where you can configure audit log trimming, and more to the point, the audit policy for the site collection. Once you enable auditing, SharePoint will begin logging events to the internal SharePoint audit log.

The audit policies defined here apply to all objects in the entire site collection so be careful what you enable. In particular, auditing view access at the site collection level will generate a large amount of audit events including 1 to 2 events for every page view. Learn how to enable auditing on specific libraries or lists.

The check boxes shown above do not correspond directly to the more granular audit flags exposed programmatically through the SharePoint object model. LOGbinder for SharePoint allows you to configure auditing at this more granular level. The table below maps the check boxes provided by SharePoint site collection administration to the actual audit flags inside SharePoint and exposed by LOGbinder for SharePoint.

Audit Flags	As exposed on the "Site collection audit settings" page
CheckOut CheckIn	Checking out or checking in items
View	Opening or downloading documents, viewing items in lists, or viewing item properties
Delete Undelete	Deleting or restoring items
Update	Editing items
SchemaChange ProfileChange	Editing content types and columns
SecurityChange	Editing users and permissions
Copy Move	Moving or copying items to another location in the site
Search	Searching site content
Workflow ChildDelete	These audit flags are not enabled by any of the check boxes on the "Site collection audit settings" page and therefore unavailable via the SharePoint user interface. But can of course be enabled with LOGbinder for SharePoint.
Unknown or not applicable	There are several events that are always logged and are not connected with the checkboxes or audit flags. 52 - Information management policy created 53 - Information management policy changed 54 - Site collection information management policy created 55 - Site collection information management policy changed 56 - Export of objects started 57 - Export of objects completed 58 - Import of objects started 59 - Import of objects completed 60 - Possible tampering warning 61 - Retention policy processed 62 - Document fragment updated 63 - Content type imported 64 - Information management policy deleted 65 - Item declared as a record 66 - Item undeclared as a record

Upcoming Webinars

Additional Resources

Audit Policy

•	Check In/Out
•	Custom
•	View
•	Delete
•	Update
•	Security Change
•	Copy/Move
•	Search
•	Workflow
•	Profile/Schema Change

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.