Monday, July 23, 2018

Configure audit settings for a site collection

Configure audit settings for a site collection

The audit feature of SharePoint Server or SharePoint Online lets you track user actions on a site's content types, lists, libraries, list items, and library files within your site collections. Knowing who has done what with which information is critical for many business requirements, such as regulatory compliance and records management.

Note: Pages, such as .aspx, aren't considered documents so they can't be audited in SharePoint Server 2016.

SharePoint Online

Site collection audit settings screen

SharePoint Server

Configure Audit settings in the Site Settings dialog

You can manage the size of the audit log in the Audit Log Trimming section and specify which events to audit in the Documents and Items and Lists, Libraries, and Sites sections. You can also specify the maximum number of days that items will be retained. By default all items are removed at the end of the month.

Note: When multiple users are co-editing a document, auditing events from multiple authors or editors can be difficult to interpret. If this is a concern, consider limiting editing permission to a minimum number of users.

As a site collection administrator, you can retrieve the history of actions taken by a particular user and can also retrieve the history of actions taken during a particular date range. For example, you can determine which users edited a specific document and when they did this.

  1. Click settings Office 365 Settings button , and then click Site settings.

  2. If you are not at the root of your site collection, under Site Collection Administration, select Go to top level site settings.

    Note: The Site Collection Administration section will not be available if you do not have the necessary permissions.

  3. On the Site Settings page, under Site Collection Administration, select Site collection audit settings.

    Site collection audit settings selected in Site Settings dialog.
  4. On the Configure Audit Settings page, in the Audit Log Trimming section, set Automatically trim the audit log for this site? to Yes.

    Note: For SharePoint Online, Automatically trim the audit log for this site? is set to Yes by default. This can't be changed by Administrator.

  5. Optionally, specify the number of days of audit log data to retain. SharePoint Online has a range of 1 to 90 days, SharePoint Server does not have a limit.

    Note: The default setting for retaining audit log data is zero days. That means if you don't specify a different retention period, all audit log entries are deleted at the end of the month. You can change this setting to retain audit log entries for a longer period of time. For example if you specify 30 days, then audit log data that was created in the month of September wouldn't be deleted until the end of October. To retain audit log data, you can also save it to an audit log report before the audit log is trimmed.

  6. You can also specify the document library to save audit log reports to before the audit log is trimmed. Set this option if you need access to audit log data, using audit log reports, after the audit log has been trimmed.

  7. Select OK.

  1. Select Settings > Site settings.

  2. If you are not at the root of your site collection, under Site Collection Administration, select Go to top level site settings.

    Note: The Site Collection Administration section will not be available if you do not have the necessary permissions.

  3. On the Site Settings page, under Site Collection Administration, select Site collection audit settings.

    Site collection audit settings selected in Site Settings dialog.
  4. On the Configure Audit Settings page, in the Documents and Items and List, Libraries, and Site sections, select the events you want to audit, and then select OK.

Which events you audit depends on your auditing needs. For example, regulatory compliance usually has specific requirements that will dictate which events you need to audit. We recommend that you only audit the events required to meet your needs. Additional unnecessary auditing can affect the performance and other aspects of your site collection(s).

Notes: 

  • For SharePoint Online, the Opening or downloading documents, viewing items in lists, or viewing item properties event is not available.

  • For SharePoint Server 2013, we recommend that you only select the Opening or downloading documents, viewing items in lists, or viewing item properties event when absolutely necessary. This option is likely to generate a large number of events that will potentially degrade the performance and other aspects of your site collection(s).

The events that you select to audit are captured in audit reports that are based on Microsoft Excel 2013 and are available from the Auditing Reports page. You can also create a custom report that includes a number of these events over a specified date range, within a specific area of the site collection, or filtered to an individual user. You cannot modify events once they are logged, but site collection administrators can delete items from the audit log and configure automatic trimming of the audit log data.

The audit log captures the following information for the events that are selected to be audited.

  • Site from which an event originated

  • Item ID, type, name, and location

  • User ID associated with the event

  • Event type, date, time, and source

  • Action taken on the item

Following is an example of the data in a Deletion audit log report. With this report, you can determine who deleted and restored data across the site collection. You can use the features of Excel to filter, sort, and analyze the data.

Delete Audit Report Report Data

When you select an event to be audited for a site collection, such as delete and restore, it will be audited for every item in the site collection each time the event occurs. Auditing can potentially generate a large number of audit events, creating a large audit log. This could fill the hard drive, affecting performance and other aspects of a site collection.

Important: To prevent the audit log from filling the hard drive and potentially degrading the performance of the site collection, we recommended that you enable audit log trimming for site collections with extensive auditing.

To manage the size of the audit log report you can configure it to automatically trim and optionally archive the current audit log data in a document library before the data is trimmed. The schedule for audit log trimming is configured by your server administrator in Central Administration. The default is the end of the month.

To view an audit log report:

  1. Click Settings Settings: update your profile, install software and connect it to the cloud , and then click Site settings.

    Note: The Site Collection Administration section will not be available if you do not have the necessary permissions, such as by being a member of the default Site Collections Administrators group.

  2. Click Audit log reports in the Site Collection Administration section.

  3. Select the report that you want, such as Deletion on the View Auditing Reports page, .

  4. Type a URL or Browse to the library where you want to save the report and then click OK.

  5. On the Operation Completed Successfully page, click click here to view this report. If you get an error, it may be because audit logs weren't enabled or there was no data to show.

    Notes: 

    • At least Excel version 2013 must be installed to view audit log reports by clicking click here to view this report.

    • Alternatively, if opening documents in the browser is enabled for the library, go to the library where you saved the audit log report, point to the audit log report, click the down arrow, and then click View in Browser.

You can use standard Excel features to narrow the reports to the information you want. Some ways in which you can analyze and view the log data include:

  • Filtering the audit log report for a specific site.

  • Filtering the audit log report for a particular date range.

  • Sorting the audit log report.

  • Determining who has updated content.

  • Determining which content has been deleted but not restored.

  • Viewing the changes to permissions on an item.

We're listening

Updated July 19, 2017

Was this article helpful? Was it missing content? If so, please let us know what's confusing or missing at the bottom of this page. Please include your version of SharePoint, OS, and browser. We'll use your feedback to double-check the facts, add info, and update this article.

Related Topics

View audit log reports

No comments:

Post a Comment