SECURITY 7 MIN READ

Stay on Top of Your Environment with SharePoint Audit Logs

Miguel Bernard
WRITTEN BY MIGUEL BERNARD
Stay on Top of Your Environment with SharePoint Audit Logs

Imagine you ran a department store. To keep stock fluid and make sure you weren’t under or over-stocking goods, you’d need to maintain regularly updated audits of existing stock. Without carrying out audits often, you’d quickly arrive at a situation where certain shelves were empty for extended periods of time; while you had a backlog of other, less desirable, products crowding your shelves and your warehouse.

Auditing is key to efficiently managing any kind of infrastructure, and the same rules apply to SharePoint.

SharePoint is, in many ways, just like a department store. Different sections of the platform can be managed autonomously by different teams, just as the perfume, clothes, and jewelry sections are separated in a department store.

Nevertheless, it’s wise to maintain a high-level overview of how documents are stored, accessed, and changed across all your SharePoint sites in order to avoid bottlenecks and inefficiency. SharePoint audit logs let you do this.

SharePoint’s audit logs let you carry out a whole range of audits on your SharePoint farms and, depending on your needs, let you measure how often different sites are edited, what different users and administrators are doing and see what kinds of changes they are making across the farm.

Being able to collect and analyze this information is key to helping you better manage the platform.

What Can You Do with SharePoint Audit Logs?

Stay on Top of Your Environment with SharePoint Audit Logs

SharePoint audit logs basically let you do two key things:

  1. End User Tracking

    It might seem like overkill, but being able to track how individual end users make use of your SharePoint environment is very helpful. Not only is it handy for security, it also lets you understand what pain points and bottlenecks there might be in your current site set-up.

    You can see who views which documents, libraries, lists, and list items, as well as updates regarding checking in and out. It'll then be possible to decide whether or not you need to refresh or update one site or another.

  2. Administrator Tracking

    Again, being able to see what changes your administrators make is key to understanding how SharePoint is being used. The audit log can see what permission changes have been made, see how group membership has changed, and what role updates have been implemented.

SharePoint audit logs also let you set up audit flags that allow you to track specific changes – meaning you don’t have to constantly review reports to notice them. You can set flags for:

  • Check in/check out

  • View

  • Delete/undo

  • Update

  • Schema and profile changes

  • Security change

  • Copy/move

  • Search

  • Workflow child delete

  • Other flags for a whole range of other events

Free Bonus: To enhance your SharePoint management skills, download these Must-Have SharePoint & Office 365 Reports for Administrators.

OK, so How Do I Do All That?

Stay on Top of Your Environment with SharePoint Audit Logs

The key thing to understand about audit logs is that they can only be applied per SharePoint site. Each time you set up a new site, you’ll also need to configure the audit log for it – this won’t be applied automatically.

Learn exactly how to configure audit settings for a site collection here. The configuration of a new or existing site should be done by your site collection administrator. Configuration settings can be found in the Site Actions section, within site settings. From here, you’ll be able to view Audit log reports and select the specific type of report you need.

Once the right report has been selected, you can download this to Excel and filter the report by date range, viewing the permission history of an item among other factors. The audit log will include the following information:

  1. The site from which an event originated.

  2. Item ID, type, name, and location.

  3. User ID associated with the event.

  4. Event type, date, time, and source.

  5. Action taken on the item.

That Sounds Easy, What's the Catch?

The main problem with the SharePoint audit log reports is that they are...how might you say? Baffling! Your typical report is pretty hard for a regular human to read and understand – the reports come across as a huge series of numbers, dates, and codes which mean almost nothing to the uninitiated.

If you’ve got technical experience, it’s definitely worth learning about how to read the audit log and employ tricks to make your job easier, and to learn how to use PowerShell to manage them.

The general rule with audit logs is to set them to delete logs within a reasonable amount of time. Audit logs can quickly duplicate, and expand so fast they fill up your SQL Server. Fortunately, you can set SharePoint to delete these outdated logs when you need to.

Looking forward, the audit logs in SharePoint 2016 look to offer much the same approach and methodology as audit logs in existing versions of the platform. So, learn how to use them well and you’ll enjoy the benefits of a well-managed environment.

Hey, got another minute?

Learn how to keep your environment protected by using our checklist of essential security tasks.

ShareGate Logo White

Benefit from the full potential of the cloud.

Businesses have to move to the cloud and adapt to it. That’s a fact. ShareGate helps with that.

See how