Observations on SharePoint 2007's irritating Audit

Auditing with SharePoint 2007 is something that I’ve managed to avoid playing with until our current project. Frankly, this has mainly been because the user interface for audit details is inadequate out of the box. In most other systems, you just go to a page and see what happened to that item.

Anyway now that I’ve started to take a look at it in more detail, I notice a few other minor problems with it…

No audit on SPWeb…

… or rather, there is an SPWeb.Audit.GetEntries() function, but it returns all the entries for the SPSite. Genius. So I can get audit info for an SPSite, SPList, or SPListItem – but not a web. Instead, try filtering it:

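SPAuditEntry entry = ....
SPWeb web = ...
// Needs "using System;" - DocLocation is compared without a leading slash
string filterpath = web.ServerRelativeUrl.TrimStart('/');
string location = entry.DocLocation ?? string.Empty;
// Match the web itself or anything below it; the "/" stops "sites/hr" matching "sites/hr2"
if (filterpath.Length == 0
    || location.Equals(filterpath, StringComparison.OrdinalIgnoreCase)
    || location.StartsWith(filterpath + "/", StringComparison.OrdinalIgnoreCase))
{
    // Do whatever - this entry is for our SPWeb
}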

Yes, with a lot of items, that’s pretty slow.
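
One way to cut down the rows before filtering, as an added example (not code from the original post): SPAuditQuery narrows the site collection's log by date range and event type, then a boundary-safe path check keeps the entries at or below the web. The class and method names are hypothetical, the range values are assumed to be UTC, and entries for sub-webs are included.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

public static class WebAuditReader
{
    // Hypothetical helper: audit entries at or below one SPWeb for a time window.
    // fromUtc/toUtc are assumed to be UTC, matching SPAuditEntry.Occurred.
    public static List<SPAuditEntry> GetEntriesForWeb(
        SPWeb web, DateTime fromUtc, DateTime toUtc, params SPAuditEventType[] eventTypes)
    {
        // Let the query do the coarse filtering so fewer rows come back
        // from the site collection's audit log.
        SPAuditQuery query = new SPAuditQuery(web.Site);
        query.SetRangeStart(fromUtc);
        query.SetRangeEnd(toUtc);
        foreach (SPAuditEventType eventType in eventTypes)
        {
            query.AddEventRestriction(eventType);
        }

        // Same convention as the snippet above: compare without the leading slash.
        string webPath = web.ServerRelativeUrl.Trim('/');
        List<SPAuditEntry> matches = new List<SPAuditEntry>();
        foreach (SPAuditEntry entry in web.Site.Audit.GetEntries(query))
        {
            if (IsUnderWeb(entry.DocLocation, webPath))
            {
                matches.Add(entry);
            }
        }
        return matches;
    }

    // True when docLocation is the web itself or a path below it.
    // Requiring the "/" boundary keeps "sites/hr" from matching "sites/hr2".
    private static bool IsUnderWeb(string docLocation, string webPath)
    {
        if (webPath.Length == 0) return true;   // root web: everything is below it
        if (string.IsNullOrEmpty(docLocation)) return false;
        string location = docLocation.TrimStart('/');
        return location.Equals(webPath, StringComparison.OrdinalIgnoreCase)
            || location.StartsWith(webPath + "/", StringComparison.OrdinalIgnoreCase);
    }
}
```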

What Version was viewed?

You can audit Views of documents, pages, home pages, lists and list views, which is excellent. But with documents, there seems to be a problem. The ‘Version’ details in the audit log do not match the versions in the ‘Version History’ page. If you upload a new document version to SharePoint and then go and view it, you can end up with the audit showing that you’ve updated to Version 3.0, but just viewed version 0.4.

Audit - Inconsistent Version Numbers

Doesn’t seem to match:

Version History Page

Viewing previous versions is not Audited.

There’s not really a lot more to say. It makes it a bit hard to see who has seen what. At least with this you could write an HTTPModule and write your own entries into the audit log.

Weird viewing ‘version 0.-1’ entries

I’ve no idea what these really mean, or are about. If you know, please comment below – it’d be a help.

Audit - Minus Point 1 logs

Some changes not obvious on Audit

  • Restoring a version just appears as an update in the Audit log.
  • Creating a new document just appears as an update in the Audit log.

Audit - Create and Restore records

Size

The audit logs populate a database table called AuditData. Apparently this can get a bit … huge. Like massive. Even with a moderate number of sites. I guess that there is little way around that issue – if you’re logging all views in a site, it’s kind of inevitable – but it is worth noting.

Really, all this makes the standard SharePoint audit unusable for us – which is a shame ‘cos it’s so nearly very, very good, but ends up being unreadable for users. The only alternative options I can come up with are:

An EventReceiver on all lists – this would capture lots of useful info, but not some things, such as views of an item.

An HTTPModule – Powerful, but complex to build. Would capture and process all HTTP Requests to our web app, which would add a lot of overhead. We could pick up views, and viewing old versions, and so on – but we’d need to check the structure of the HTTP requests from things like Word, etc. Not sure how we’d log WebDAV actions, either.


4 thoughts on “Observations on SharePoint 2007's irritating Audit”

  1. I was very excited when I first learned about the SharePoint audit log but I quickly determined that in its unimproved state the SharePoint audit log is essentially unusable. I’m still a software developer at heart and the problems with the SharePoint audit log finally pushed me over the edge. Shameless plug: The result is LOGbinder SP. LOGbinder SP is a small, efficient Windows service that monitors the internal SharePoint audit log without making any changes to your SharePoint installation. It then translates cryptic SharePoint audit events into readable messages and logs them to the Windows security where you can leverage any log management or SIEM solution. More information at http://www.logbinder.com.

  2. Hello,

    I am facing some issues related to SharePoint Auditing.

    Problem Description:
    ———————
    Not able to get the auditing reports. When we clicked on “content Viewing” report then it asked for credentials and after entering the username and password then it keeps the popup window as it is and when we click for the third time then it gives 403 unauthorized error message.

    Problematic Reports:
    ———————
    1. Content Viewing
    2. Content Modification

    Troubleshooting Done:
    ———————–
    1. Backup-Restore completed but no RESULTS
    2. Tried opening in Mozilla as well as in Firefox but no RESULTS
    3. Export-Import complete but no RESULTS
    4. Deactivated the reporting feature by means of site collection and turned on again but no RESULTS

    Could you please guide me as to how I will get the mentioned reports? Thanks
