Saturday, July 16, 2011

How to enable Audit functionality in SharePoint 2010

“Microsoft SharePoint Server 2010 includes four information management policy features to help you manage your content: expiration, auditing, document labels, and document bar codes.” (msdn.microsoft.com)

In this post I will focus on the audit capabilities in SharePoint 2010, more specifically how to enable the audit functionality.

When the audit functionality is enabled, it automatically logs events and activities performed on your content. The content could be documents, records and other items, such as task lists and calendars.

Why

Why would you enable auditing in SharePoint? There could be different reasons, and they often depend on which vertical (e.g. Public/Government) you are located in.

  • Meet Regulatory and Legal requirements.
  • Track how documents (and items) are used.
  • Keep track of document history if documents are sent to the Content Organizer. When using the Content Organizer, the document’s version history is deleted. The audit log will be your source for the document history.

How

An administrator has access to configure auditing, but a developer can also create custom code that reads from and writes to the audit log. More details here: http://msdn.microsoft.com/en-us/library/ms441917.aspx.

What’s available for the administrator? The audit functionality can be enabled on different levels in SharePoint’s containment hierarchy. Specifically, you can enable auditing on these levels: site collection, library/list, folder, and content type.

Site Collection

  • Go to Site Actions –> Site Settings –> Site Collection Administration –> Site Collection audit settings.
  • Under the Document and Items section you can enable the events you would like to audit.

On the same page you also have the option to enable audit logging for Lists, Libraries and Sites.

Library/list

  • Go to [yourlibrary] –> Library Tools/Library –> Library Settings –> Permissions and Management –> Information management policy settings.
  • Under the Content Types Policies section you can define a new policy or choose an existing policy (created in the site collection).

  • More about how to create site collection policies later… In this example I choose “Define a policy…”
  • Scroll down to Auditing where you will be able to choose the events you want to add to the audit log.

Hey, wait a minute! This is not enabling auditing of all documents in this library.

True. It is more about being able to apply different events to audit, to different libraries, even when those libraries are using the same content types. Which leads us to how to apply auditing on the content type.

Content Type

  • Go to Site Actions –> Site Settings –> Galleries –> Site Content Type.
  • Scroll down to Document Content Types and click on Document.
  • Under Settings click on Information management policy settings.
  • Click on Enable Auditing and then select the events you would like to be written to the audit log.

Hmmm… what happens if I have applied auditing on a content type, and am now trying to apply different rules at the library level?

Following the example above, I have enabled the “Edit items” events on the Content Type level. Going back to my library and into my library settings, I find that I can’t apply specific policy settings because the library inherits the settings from the Content Type.

So, if you need to differentiate audit settings between libraries you cannot configure audit settings on the Content Type level.

Folder

A folder (in a library) is just another content type. See details above on how to configure auditing on content types.

Site Collection policies

You can predefine information management policies and make them available for use within your site collection.

  • Go to Site Actions –> Site Settings –> Site Collection Administration –> Site Collection policies.
  • Click Create.
  • A new page will let you predefine policies that include more than auditing. For example, you can create a policy for your Contracts that includes both audit and retention settings. Having the policy predefined may make it easier for administrators to apply the correct policy to their content types.

Other things to consider…

Audit log trimming

By enabling auditing in a SharePoint environment with a large number of events, you will potentially end up with a large audit log, which can affect overall performance. It is recommended to enable audit log trimming for site collections with extensive auditing.

  • Go to Site Actions –> Site Settings –> Site Collection Administration –> Site Collection audit settings.

The number of days of audit log data to retain is an optional field. If you don’t set this value, the trimming will follow the settings on the Farm level. Those are set by the Farm Administrator using Central Admin.
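The site collection audit events and trimming settings described above can also be set from the SharePoint 2010 Management Shell through the SPAudit object model linked earlier. This is an added example, not part of the original post; the function name, the URL, the chosen flags and the 90-day retention are assumptions for illustration.

```powershell
# Added example: run in the SharePoint 2010 Management Shell with
# site collection administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-SiteCollectionAudit {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        # Comma-separated SPAuditMaskType names. Keep the list as short
        # as your requirements allow to limit audit log growth.
        [string]$Flags = "Update, Delete, Undelete, SecurityChange",
        # Days of audit data to retain. When 0, the retention value is
        # left untouched.
        [int]$RetentionDays = 90
    )

    $site = Get-SPSite -Identity $Url
    try {
        $before = $site.Audit.AuditFlags

        # SPAuditMaskType is a flags enum, so it can be cast from a
        # comma-separated string of member names.
        $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]$Flags
        $site.Audit.Update()

        # Enable trimming so the audit log does not grow without bound.
        $site.TrimAuditLog = $true
        if ($RetentionDays -gt 0) {
            $site.AuditLogTrimmingRetention = $RetentionDays
        }

        # Return a before/after record for change documentation.
        New-Object PSObject -Property @{
            Url           = $site.Url
            FlagsBefore   = $before
            FlagsAfter    = $site.Audit.AuditFlags
            TrimAuditLog  = $site.TrimAuditLog
            RetentionDays = $site.AuditLogTrimmingRetention
        }
    }
    finally {
        $site.Dispose()
    }
}

# Hypothetical site collection URL.
Set-SiteCollectionAudit -Url "http://sharepoint.example.local/sites/contracts"
```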

Limit the size of the audit log

Only audit the events required to meet your needs. Which one of these events do you really need to log?


Audit log reports

OK, I have enabled auditing... How do I access my audit log?

I recommend checking out this page for details: http://office.microsoft.com/en-us/sharepoint-server-help/view-audit-log-reports-HA102039795.aspx
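Besides the built-in reports, the audit log can be queried with the SPAuditQuery class, which also helps answer the earlier question of which events you really need to log. The following is an added example, not code from the original post; the function name, URL and 7-day window are assumptions.

```powershell
# Added example: summarize recent audit log entries per event type so you
# can see which audited events dominate the log.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-AuditEventSummary {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        # Keep the window short on busy site collections; the query
        # loads every matching entry into memory.
        [int]$Days = 7
    )

    $site = Get-SPSite -Identity $Url
    try {
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        $query.SetRangeStart((Get-Date).AddDays(-$Days))

        $entries = $site.Audit.GetEntries($query)

        # Count entries per event type, most frequent first.
        $summary = $entries |
            Group-Object -Property Event |
            Sort-Object -Property Count -Descending |
            Select-Object @{ Name = "Event"; Expression = { $_.Name } }, Count

        $summary
    }
    finally {
        $site.Dispose()
    }
}

# Hypothetical site collection URL.
Get-AuditEventSummary -Url "http://sharepoint.example.local/sites/contracts" -Days 7
```

An event type that dominates the counts without serving a stated requirement is a candidate for removal from the audit settings.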

 

Resources

Configure audit settings for site collection http://office.microsoft.com/en-us/sharepoint-server-help/configure-audit-settings-for-a-site-collection-HA010099726.aspx
Version history erased when using Content Organizer http://technet.microsoft.com/en-us/library/ff453933.aspx#Auditing
SPAudit Class http://msdn.microsoft.com/en-us/library/ms441917.aspx
View audit log reports http://office.microsoft.com/en-us/sharepoint-server-help/view-audit-log-reports-HA102039795.aspx

7 comments:

  1. This is Sreelatha. Thank you for sharing this.

  2. Thanks for the article. It is worth noting that the Reporting site collection feature must be activated in order to see any audit reports. The article that you link to does not make mention of this, and SCAs will not see the 'Audit log reports' option on their Site Settings page until they activate the Reporting feature.

  3. Very useful article. Thanks! :-)

  4. EXCELLENT information. Your directions are clear and concise, and easy to follow. Thanks for your hard work in posting this info.
