Auditing in SharePoint 2013/2016
Post date: Sep 21, 2016 10:40:36 AM
Site Collection Auditing
I’ve heard that Auditing shouldn’t be used, because it fills your Content database with a lot of data you don’t need. And I’ve participated in project switching off auditing to free up disk space. But that’s often related to database auditing which typically logs every action by every user. And on an active site – that’s a lot.
But a scenario I’ve come across recently is what happens when a user deletes a document? In some organizations you need to track that there actually was a document and that it was rightfully deleted. You can’t do that with normal versioning technique, since versioning only works if the file is present (obviously).
Now every Site Collection in SharePoint 2013/2016 have auditing settings which is very granular. You don’t want edited or added documents (or list items), you just need deleted document – and that’s where site collection auditing comes into play. Turn your head to Site Settings and in Site Collection Administration you have Site collection auditing setting and Audit log reports.
Using auditing setting you determine what to track and how often you need this logs to be saved. Monthly is a good choice in most cases. What’s important to remember is that you want your audit report logs in your site collection and not on the system drive. You can quickly run into trouble if you save logs on the system drive and eating disk space or if you for whatever reason need to switch servers, your audits will be gone. That’s why we should use a Document Library which we name something like AuditLogs. But we don’t want our members or owners of the site to access the audit logs, just the farm admin or IT-personnel. We solve this by breaking permission inheritance, remove everyone and only add the farm account and the group of IT-professionals I’m sure you have in your organization.
In the audit log settings, we hit the browse button to point to our newly created AuditLog library. When we have our AuditLog document library present, we need to set what we want to track. As a test, we can track items being deleted (and restored).
That’s it! We’ve set a location, and what type of action we want to track – and how often we want the report to be created. At this stage we need to test our Auditing. So head over to a document library, and delete some documents. Preferably documents you’ve uploaded that doesn’t contain much. We don’t want to lose data just to prove Auditing.
And with the documents deleted, we turn back to site settings and hit Audit Log Reports. When we’re there we the Deletion link and press OK. If everything works as expected, the Audit Log is now present in our Audit Log document library.
Opening the spreadsheet, we’ll see both an overview and the details on different sheets.
And that concludes the powerful auditing of SharePoint 2013/2016. Enjoy!