lunes, 7 de octubre de 2013

Auditing - A Built-in Feature of SharePoint

Introduction

In this article we explore the Audit feature of SharePoint 2010. This is a built-in feature and provides a great amount of flexibility for Administrators and Developers.

What is Auditing in SharePoint?

Auditing involves Activity Tracking inside the SharePoint environment. The auditing reports generated can be used by Administrators or Managers to determine the usage of SharePoint resources.
By enabling Auditing we can track activities like:
  • List Access
  • Library Access
  • Opening of Documents
  • Editing Items
  • Check In / Check Out
  • Copying / Moving / Deleting items
  • Searching
  • Editing Permissions
Following is a sample of how a detailed audit report looks like:

Under the hood, SharePoint uses events and a SQL Server table to retrieve and save the audit entries. Following are the topics we are discussing in this article:
  • Enable Audit
  • View Audit Entries
  • Custom Report
  • Server Object Models
  • Audit Event Types
  • Writing custom Audit entries

Enable Audit

We can enable audit for a site collection from the Site Settings > Audit Settings link.

From the Configure Audit Settings page opened, specify the events to be audited.

Once you have enabled Audit you can go ahead and try accessing/modifying existing list/library items. These activities should trigger the Audit entry creation.
Note: Please note that in real world scenarios you should only enable the events required. Too many event auditing queues causes more work to the server and can degrade the performance.

View Audit Entries

Now we can proceed to view the audit entries just created. You can use the Audit log reports from the Site Settings page.

In the appearing page View Auditing Reports you can see there are various categories of reports like:
  • Content Modification
  • Content Viewing
  • Deletion
  • Policy Modification etc.
Click on the Content Viewing as this time we are interested in only Viewing reports. In the appearing dialog, enter the document library where you want to save the report. Click OK to generate the report. (The report is a document and hence a document library is required to save it.)

Click on the Click here to view report link to view the report. It should open in an XLSX document. There are two tabs on the XLSX file – Summary and Detailed.

Custom Report

Now we can try using the Custom Report generation. This option is useful when we need to get a report based on / or a combination of:
  • Custom List
  • Particular user
  • Date Range
Please note that under the hood SharePoint has saved all the event records. The custom report will be filtering the records based on user selection.
To generate the custom report, go to Site Settings > Audit log reports > Run a custom report.

You should get the following page with filtering options:

You can choose Save Location, List, Dates, Users, and Events and click the OK button to generate the report as an XLSX file.

Server Object Models

The good thing is that we can use the Server Object Model to interact with Audit. Following are some of the important audit classes inside theMicrosoft.SharePoint namespace.
  • SPAudit
  • SPAuditEntry
  • SPAuditEventType
  • SPAuditQuery

SPAudit

SPAuditis the main class which can be used to access the audit settings for the associated object. The server object models like SPSite, SPWeb, SPList,SPDocumentLibrary contain a property named Audit which represents the underlying SPAudit settings.
TheSPAudit class contains methods for the following operations:
  • GetAuditEntries()to get the audit entries
  • Update()to update modifications to audit settings
Following is the code to get audit entries:
private void GetAuditEntriesButton_Click(object sender, EventArgs e)
{
    SPSite site = new SPSite("http://localhost");
    SPAudit audit = site.Audit;
    var collection = audit.GetEntries();
}
Following is the code to update audit settings for the site:
private void UpdateButton_Click(object sender, EventArgs e)
{
    SPSite site = new SPSite("http://localhost");
    SPAudit audit = site.Audit;
    audit.AuditFlags = SPAuditMaskType.None;
    audit.Update();
}
The above code clears all Audit Events by setting the AuditFlags property to None. After executing the code you can revisit the Site Collection Audit Settings to see that all the events are unchecked.
Note: You can use the SPAudit class to update audit settings across multiple site collections in one shot. Plus you can automate clearing the audit entries using the DeleteEntries() method.

SPAuditEventType

The enumeration SPAuditEventType is needed to specify the event type of the audit entry. The enumeration contains the following members:
public enum SPAuditEventType
{
    AuditMaskChange = 14,
    CheckIn = 2,
    CheckOut = 1,
    ChildDelete = 7,
    ChildMove = 0x10,
    Copy = 12,
    Custom = 100,
    Delete = 4,
    EventsDeleted = 50,
    FileFragmentWrite = 0x11,
    Move = 13,
    ProfileChange = 6,
    SchemaChange = 8,
    Search = 15,
    SecGroupCreate = 30,
    SecGroupDelete = 0x1f,
    SecGroupMemberAdd = 0x20,
    SecGroupMemberDel = 0x21,
    SecRoleBindBreakInherit = 40,
    SecRoleBindInherit = 0x27,
    SecRoleBindUpdate = 0x26,
    SecRoleDefBreakInherit = 0x25,
    SecRoleDefCreate = 0x22,
    SecRoleDefDelete = 0x23,
    SecRoleDefModify = 0x24,
    Undelete = 10,
    Update = 5,
    View = 3,
    Workflow = 11
}

SPAuditQuery

SPAuditQuery represents the class to do filter fetching of audit entries. It provides the following methods and properties:

You can see that the methods are similar to the options available in the custom report generation page. The sample code using SPAuditQuery is included in the source attachment.

Writing custom Audit entries

Occasionally we need to write custom audit information for a SharePoint solution. In this case we can reuse the Audit Server Object Model mechanism to perform the same.
Following is the code that writes to the Audit entry:
private void WriteAuditEvent_Click(object sender, EventArgs e)
{
    SPSite site = new SPSite("http://localhost");
    SPAudit audit = site.Audit;
    audit.WriteAuditEvent(SPAuditEventType.Custom, "MySource", "<xml/>");
}
After execution you can see the new entry through invocation of the GetAuditEntries()method. You can use the associated application to view the same.

Remark on Database Usage

The audit entries are stored inside the SharePoint database. You can view this database inside the SharePoint SQL Server instance. The table storing the Audit records is AuditData. For inserting your own records into the table, it is recommended to use the Server Object Model.

Summary

In this article we have explored the Audit feature of SharePoint. I believe now you will agree that it is a good feature that saves a lot of our time that otherwise would have been invested in writing events and persisting code.
The associated code contains the examples we have discussed.

2 comentarios:

  1. Este comentario ha sido eliminado por el autor.

    ResponderEliminar
  2. Nice, thanks for sharing this information for custom auditing in SharePoint server.I tested his SharePoint auditing tool ( https://www.netwrix.com/sql_server_auditing.html ) which assist to prevent unwanted changes made in SharePoint 2010 server by monitoring users and administrator activity. It gets real time alerts via a customized email notification of all unwanted activity done in SharePoint server and generates the complete report on-demand.

    ResponderEliminar