locked
Audit functionality in Sharepoint Foundation (2010)

    Question

  • Hello guys!

    I'm currently working on a Sharepoint Foundation system and I am missing the Audit functionality. As in the following Article mentioned, it SHOULD have the functionality, but it is turned off by default.

    http://office.microsoft.com/en-us/privacy-supplement-for-microsoft-sharepoint-designer-2010-HA101108410.aspx

    So my question is, how I could turn it on, or if there are other functionalities like the auditing. 

    What I want to see is a log of all uploads, deletings, openings, logins, logouts and so on. Tracking who is deleting which files.

     

    Would be great if someone could help me on that. 

    Greez cashflow0815

    Thursday, March 31, 2011 1:28 PM

Answers

  • Hi CA Callahan,

    No, I can't show you the documentation, but here you go with the PowerShell commands:

    1. Go to Start -> All Programs -> Microsoft SharePoint 2010 Products -> SharePoint 2010 Management Shell
    2. When it is loaded you then run the following command to get your site collection object:
    $site = Get-SPSite http://site_URL
    3. If you don't get errors then execute the following commands one by one to set audit options and update it:
    $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::Update
    $site.Audit.Update()
    4. [Microsoft.SharePoint.SPAuditMaskType]::Update is a enum value of type SPAuditMaskType. You can have a look here for all possible values: http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spauditmasktype.aspx
    If you want to combine them then use -bxor in your script. Example for Delete and Update:
    [Microsoft.SharePoint.SPAuditMaskType]::Update -bxor [Microsoft.SharePoint.SPAuditMaskType]::Delete

    I used those commands myself on SharePoint 2010 Foundation machine on a site collection level and it worked for me.

    Kamil said literally the following: "The answer is NO. You cannot enable auditing in SharePoint Foundation 2010". That's what I thought is a false statement and my proof is above. :)

    I agree that there is lack of documentation around there and that in Foundation we don't have UI to manage audit settings, but as I said it's available in Foundation. You just need to use your own tools or PowerShell.

    I am opened for the discussion, but I'd think before publishing any statements without trying first.

    Thanks.

    Best wishes, 


    Slava G
    http://wyldesolutions.com
    http://wyldesharepoint.blogspot.com
    Monday, June 27, 2011 3:54 AM

All replies

  • You can turn auditing several different ways, if you have SharePoint Server in my opinion I would audit at the document level.  This would require using content types and place auditing on them.  This will give you the freedom to place different auditing on different types of documents.  You set auditing when you create the content type. 

    This is done from Site Actions... Site Settings... Under Galleries click Site Content Types...

    Once here click create...

    Name your content type

    Set your content types parent, in this clase in the "select parent content type from" drop down click "document content types"

    In the parent content type box for this example select document, select a group if you want... click OK

    If you have now you should see a link under settings which are for Information Management Policy settings... click this link.

    Now you will see a check box for Auditing... select this and the page will reload with you auditing settings.  You would make use of this by now using the content type in a doc lib or which ever type you want.

    Another way of setting auditing is to set it at a site collection.

    You need to be on the root of your site collection to be able to do this, click on Site Actions... Site settings...

    Under Site COllection Administration click Site COllection Audit settings. This will set auditing for the entire site collection.

    Good luck,

    Gary

     


    Gary Newman MCSE, MCT, CCNA MCDBA, MCAD, MCSA MCTS SharePoint 2007 Dev & Admin MCPD SharePoint 2010 Development
    • Proposed as answer by Chris Geier Monday, April 04, 2011 12:54 PM
    • Unproposed as answer by Clayton Cobb Monday, June 27, 2011 4:34 AM
    Thursday, March 31, 2011 2:31 PM
  • Hi Gary!

    Thanks for your prompt answer!

    But I think you are writing about the Sharepoint SERVER edition, right? Not about the FOUNDATION-Version of it?

    Because, I can find mostly of the functionality you described in your post, but I can't find the "Information Management Policy Settings" for example. Also the "Site Collection Audit settings" under "Site Collection Administration" aren't there on my system. 

    Could it be, that your description fits for the Standard and Enterprise Server-Editions but not for Foundation?

     

    Flo

    Monday, April 04, 2011 9:34 AM
  • there should be auditing options in SharePoint Foundation according to this article: http://office.microsoft.com/en-us/privacy-supplement-for-microsoft-sharepoint-designer-2010-HA101108410.aspx

    Auditing

    Microsoft SharePoint Foundation 2010 provides auditing features that allow administrators to keep a reliable audit trail of how users are working with certain content.

    When SharePoint Foundation administrators enable the Auditing feature, the server automatically records in the SharePoint content database certain actions performed by the user. These actions include view, edit, check-in, and check-out. For each recorded action, the server records identifying information about the file, the action, and the user's SharePoint ID. No data is sent to Microsoft as part of this feature.

    This feature is off by default and is available only to administrators of SharePoint sites where content is stored.


    ceren
    • Marked as answer by Wayne Fan Monday, April 11, 2011 3:04 AM
    • Unmarked as answer by Clayton Cobb Monday, June 27, 2011 4:31 AM
    Monday, April 04, 2011 12:13 PM
  • No, you're all wrong.
    The answer is NO. You cannot enable auditing in SharePoint Foundation 2010. The mentioned article is wrong. SPF does not contain "Information management policy" feature. End of story.
    • Proposed as answer by Kamil Jurik, MVP Wednesday, April 13, 2011 7:16 PM
    • Marked as answer by Clayton Cobb Monday, June 27, 2011 4:32 AM
    • Unmarked as answer by Clayton Cobb Monday, June 27, 2011 4:32 AM
    • Unproposed as answer by Clayton Cobb Monday, June 27, 2011 4:32 AM
    Wednesday, April 13, 2011 7:16 PM
  • No, you're all wrong.
    The answer is NO. You cannot enable auditing in SharePoint Foundation 2010. The mentioned article is wrong. SPF does not contain "Information management policy" feature. End of story.

    Kamil is correct. I've looked and looked, and once again, this is a case of an article based on SharePoint Server, applied to SharePoint Foundation that was not adequately vetted. SharePoint Foundation does not have the policies built in, like Server (thus why it's paid for, because those who don't, don't deserve auditing I guess), and you have to work around it to have anything like information management policy. That said, there are companies out there who are starting to plunder this space, and may offer cheap ways to get the auditing info you need. I just saw an article over at network world that addressed this issue (don't have the URL on me) and suggested some third party stuff. Likely there'll be more. Maybe some enterprising MVP will whip something up and put it on codeplex even. ; )

     

    But thanks Kamil for speaking out about this and not just regurgitating a URL. I would mark your answer as the true one if I could.


    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |
    Tuesday, May 03, 2011 6:02 PM
  • Hi,

    Kamil Jurik is wrong. You can enable auditing in SharePoint 2010 Foundation. It can be done:

    a) in code using SharePoint API

    b) using PowerShell

    There is no user interface to enable audit, like it is in SharePoint 2010 Server, but you still can enable audit.

    Please look here for reference:

    http://msdn.microsoft.com/en-us/library/bb418729(v=office.12).aspx

    Though the article is about WSS 3.0 it works for SharePoint 2010 Foundation


    Slava G
    http://wyldesolutions.com
    http://wyldesharepoint.blogspot.com
    Thursday, June 23, 2011 2:05 AM
  • Slava G,

     

    Can you show me any documentation that that will still work in SharePoint Foundation? Also, do you know what the PowerShell commands are to enable auditing? I have found no documentation concerning enabling the auditing settings in SharePoint Foundation using powershell at all.

    As far as using the site collection auditing settings in the interface, that still is not possible in SharePoint Foundation, leaving me to still side with Kamil on this. Above, everyone was assuming the setting was there in SPF, and it is not.

    I'm afraid that accuracy through obscurity doesn't really count (such as providing a vague reference to auditing that still doesn't help the OP). Although the WSS material you supplied the link for might work, I can't argue because I am not a developer so I can't "code it", it would be useful for us admins if you can actually supply those powershell commands that not only enable auditing, but give us control over those settings.


    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |
    Thursday, June 23, 2011 2:41 AM
  • Hi CA Callahan,

    No, I can't show you the documentation, but here you go with the PowerShell commands:

    1. Go to Start -> All Programs -> Microsoft SharePoint 2010 Products -> SharePoint 2010 Management Shell
    2. When it is loaded you then run the following command to get your site collection object:
    $site = Get-SPSite http://site_URL
    3. If you don't get errors then execute the following commands one by one to set audit options and update it:
    $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::Update
    $site.Audit.Update()
    4. [Microsoft.SharePoint.SPAuditMaskType]::Update is a enum value of type SPAuditMaskType. You can have a look here for all possible values: http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spauditmasktype.aspx
    If you want to combine them then use -bxor in your script. Example for Delete and Update:
    [Microsoft.SharePoint.SPAuditMaskType]::Update -bxor [Microsoft.SharePoint.SPAuditMaskType]::Delete

    I used those commands myself on SharePoint 2010 Foundation machine on a site collection level and it worked for me.

    Kamil said literally the following: "The answer is NO. You cannot enable auditing in SharePoint Foundation 2010". That's what I thought is a false statement and my proof is above. :)

    I agree that there is lack of documentation around there and that in Foundation we don't have UI to manage audit settings, but as I said it's available in Foundation. You just need to use your own tools or PowerShell.

    I am opened for the discussion, but I'd think before publishing any statements without trying first.

    Thanks.

    Best wishes, 


    Slava G
    http://wyldesolutions.com
    http://wyldesharepoint.blogspot.com
    Monday, June 27, 2011 3:54 AM
  • I would mark this, but I need someone to confirm it.  It seems very strange that this is only available via PowerShell or code...
    SharePoint Architect || Microsoft MVP || My Blog
    Planet Technologies || SharePoint Task Force
    Monday, June 27, 2011 4:35 AM
  • As mentioned in the below article,

    http://office.microsoft.com/en-us/privacy-supplement-for-microsoft-sharepoint-designer-2010-HA101108410.aspx,

    they have clearly mentioned that,

    Auditing

    Microsoft SharePoint Foundation 2010 provides auditing features that allow administrators to keep a reliable audit trail of how users are working with certain content.

    When SharePoint Foundation administrators enable the Auditing feature, the server automatically records in the SharePoint content database certain actions performed by the user. These actions include view, edit, check-in, and check-out. For each recorded action, the server records identifying information about the file, the action, and the user's SharePoint ID. No data is sent to Microsoft as part of this feature.

     

    This feature is off by default and is available only to administrators of SharePoint sites where content is stored.

     

    so we can enable the feature by code or using powershell. Correct me if I'm wrong.

     


    Monday, June 27, 2011 7:06 AM
  • Mahesh,

    That is one of the documents I found online as well. It is yet another example of unclear documentations. Basically, according to Slava G, the capability to enable auditing *is* available for SharePoint Foundation-- but absolutely not in the UI-- not for farm administrators, or even site collection administrators.

    Apparently, according to Slava G (and I haven't had a chance to test it yet), you can enable auditing settings via powershell, VB, or C# on SharePoint Foundation. I have not had a chance to test it yet. So basically, your interpretation does appear to be correct.

    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |
    Monday, June 27, 2011 2:18 PM
  • Thank you Slava G. That is the clearest answer I have ever gotten concerning auditing on SharePoint Foundation. I appreciate it. I have not tried working with auditing using PowerShell, but I'll try it now. : )


    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |
    Monday, June 27, 2011 2:20 PM
  • Hi Clayton,

    Yes, in SharePoint 2010 Foundation, not Server it is available only via API or PowerShell. In SharePoint 2010 Server it is the same, but there is UI for that in Site Collection Administration section of Site Settings.

    As I said before I personally tried PowerShell instructions that I posted here, because it was a requirement from one of my customers. It works.

    There is no UI though OOTB to interact with audit data and settings in SharePoint 2010 Foundation.

    Best wishes, 


    Slava G
    http://wyldesolutions.com
    http://wyldesharepoint.blogspot.com
    Tuesday, June 28, 2011 12:30 AM
  • Thanks CA Callahan.

    Yes, please try the instructions that I used. As I wrote above, it was a requirement from one of my customers. It works. :) 

    Best wishes,


    Slava G
    http://wyldesolutions.com
    http://wyldesharepoint.blogspot.com
    Tuesday, June 28, 2011 12:35 AM
  • I've tested Slava's PowerShell scrips from the Ted Pattison 2007 article successfully. However, there doesn't appear to be any way to view the audit log from the GUI. So to test it, I had to view the audit log from PowerShell as follows:

    After running the 3 lines from Slava for a tst Foundation site, I updated the home.aspx and ran one additional script

    $site.Audit.GetEntries()

    Here was my output:

    SiteId       : 5adcde99-2abd-485a-b79e-ea6a417fbe65
    ItemId       : 5adcde99-2abd-485a-b79e-ea6a417fbe65
    ItemType     : Site
    UserId       : 2
    MachineName  :
    MachineIP    :
    DocLocation  :
    LocationType : Url
    Occurred     : 7/11/2011 2:53:58 AM
    Event        : AuditMaskChange
    EventName    :
    EventSource  : SharePoint
    SourceName   :
    EventData    : <NewAuditMask>16</NewAuditMask>

    SiteId       : 5adcde99-2abd-485a-b79e-ea6a417fbe65
    ItemId       : d05d120e-f891-4a1a-88cc-a8f30684183b
    ItemType     : Document
    UserId       : 1
    MachineName  :
    MachineIP    :
    DocLocation  : SitePages/Home.aspx
    LocationType : Url
    Occurred     : 7/11/2011 2:56:41 AM
    Event        : Update
    EventName    :
    EventSource  : SharePoint
    SourceName   :
    EventData    : <Version><Major>2</Major><Minor>0</Minor></Version>

     


    Tom Resing, Microsoft Certified Master in SharePoint 2007 - http://tomresing.com
    Monday, July 11, 2011 3:15 AM
  • Hi Tom,

    Yes, that's a good point using some PowerShell to get the output as well.

    I have no idea what's Ted Pattison 2007 article is. :) I have come up with those scripts myself just using the analogy with the SharePoint API.

    Best wishes,

     

     


    Slava G
    http://wyldesolutions.com
    http://wyldesharepoint.blogspot.com
    Tuesday, July 12, 2011 2:53 AM
  • Thanks Tom,

    I've been way, crazy busy lately, and haven't had time to experiment with Slava G's suggestions.

    That was a worry of mine-- that sure, you can enable auditing in PowerShell, but what does that really give you? Without the nice GUI reports, how do you actually gather and display the data? I feared it would just turn on some flags, but otherwise be prohibitively difficult to gather the info in a useful, quick to read way. Essentially, I figured the PowerShell scripts would be what third party (expensive) monitoring/auditing products would use on the backend to generate their data, but it would take those sorts of products to get useful info. I will, of course, need to test it all myself, when I get a chance, but these are my concerns.  Thank you for you excellent feedback though, I appreciate it.


    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |
    • Edited by CA Callahan Tuesday, July 12, 2011 3:14 AM typo
    Tuesday, July 12, 2011 3:13 AM
  • Hi CA Callahan,

    I understand your point, but the question of this thread was how to turn audit on. :) So that's what I provided a response to. 

    Anyway your additional questions as how to gather and display data are of course relevant to the problem and it's good that we can discuss it here and get a broader picture.

    Thanks.

    Best wishes,


    Slava G
    http://wyldesolutions.com
    http://wyldesharepoint.blogspot.com
    Wednesday, July 13, 2011 11:12 AM
  • I have enabled auditing on a SharePoint Foundation (2010) server and am trying to get this working as well. Initially I thought I had it all working because I was getting output similar to what you have here. However, now when I enter the script (in SharePoint Admin PowerShell) you reference above, I get an error:

    Exception calling "GetEntries" with "0" argument(s): "Attempted to perform an unauthorized operation" at Line:1 char:23

    + $site.Audit.GetEntries <<<< ()

        + CategoryInfo       : NotSpecified: (:) [], MethodInvocationException

        + FullyQualifiedErrorId : DotNetMethodException

     

    I am not a developer (by any stretch) but would like to find out why this has started popping up. Like I said - it was working at one point but clearly I have changed something - or applied an update that caused it to start throwing this error. Any chance you could help?

    Thanks,

    John Gallivan

    Friday, September 09, 2011 2:24 AM
  • You are talking about a log that lists all items that have been changed/deleted/viewed. Are you talking about the audit functionality or can you give me the name of the feature?

    Handyman Services
    Handyman Services Sydney

    Friday, September 09, 2011 3:45 AM
  • Actually, there is a free audit log enabler/viewer on the Codeplex (maybe it didn't exist 4 months ago):

    http://auditlogsp.codeplex.com/

    I have not tried it yet, but the screenshot look promising :)


    Ivailo Tzenkov

    Wednesday, February 08, 2012 9:28 AM
  • OMG Ivailo, that is awesome! It was apparently added to codeplex in January, so yes, it wasn't there a few months ago.

    Athough it is pretty rudimentary (I'd love to be able to sort the audit log report), it *does* work. Bummer that it considers "update" to include "create," leaving me to have to sort through the "updates" to find the files created in or added to libraries.

    Still, great when considering it can simply be deployed globally as a solution.

    Kudos to Agusto Xaverius PS, the creator of the solution. It rocks!

    And thanks, Ivailo, for posting it. I did try it and it works as advertised without any tweaking.

    -callahan


    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |

    Saturday, February 18, 2012 5:04 AM
  • Actually- after playing with the auditlogsp.codeplex.com solution I have only one big complaint- security. The audit log viewer is viewable by all members of the site. So any user can audit anyone's (including the site administrators) activity on the site.

    For me that's a deal breaker, unfortunately. :(


    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |

    Saturday, February 18, 2012 5:16 AM
  • In the download details page it says that he packaged the code and then "Deploy to Sharepoint 2010". How do you deploy the code once you've downloaded it?
    Wednesday, February 22, 2012 8:59 PM
  • For security issue, you can add "Rights" attribute of CustomAction node in elements.xml. e.g.

    <CustomAction
        Id="ItemAuditing.ECBItemMenu"
        RegistrationType="ContentType"
        RegistrationId="0x01"
        ImageUrl="/_layouts/images/GORTL.GIF"
        Location="EditControlBlock"
        Sequence="300"
        Title="View Audit History"
        Rights="AddListItems">
        <UrlAction Url="~site/_layouts/AuditingLog/ItemAudit.aspx?ItemId={ItemId}&amp;ListId={ListId}"/>
      </CustomAction>

    A list of supported values are explained at http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx

    Repackage, deploy and enjoy !!


    • Edited by Vijay.Shah Thursday, February 23, 2012 2:50 AM
    Thursday, February 23, 2012 2:40 AM
  • Thank you Vijay.Shah!

    Although I am very far from a developer, every little thing helps. Hopefully this points me in the right direction, so thank you.

    -callahan


    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |


    • Edited by CA Callahan Thursday, February 23, 2012 5:03 AM spelling error
    Thursday, February 23, 2012 4:47 AM
  • I didn't use the zip download, I downloaded the wsp file (auditinglog.wsp). It's not displayed on the first page- you have to go to the "downloads" tab, and on the downloads page is listed the auditinglog.wsp link to download.

    I used STSADM commands (because I know them so well) to first install the solution (the file with the wsp extension) to SharePoint, then you can deploy it in Central Administration or at the command line.

    Once you do that, you need to go into the site collections where you want to enable auditing, and enable the site collection auditlog feature (now available because you deployed the solution) from the top level site of the site collection. Then you'll see that the Audit Management option will become available under Site Collection Administration. If you click it you can configure what will be audited.

    I didn't give you explicit details on the STSADM commands or how to deploy in Central Administration in case you already knew and just needed the heads up to get the wsp- not the unpackage code in the zip file on the first page.


    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |

    Thursday, February 23, 2012 4:57 AM
  • Hi Guys,

    SharePoint Foundation 2010 - has no user event audit except SharePoint Server 2010 and SharePoint Enterprise 2010 with users event audit.

    Thanks,

    Pinoy Maximus

    Saturday, February 25, 2012 4:52 AM
  • Hey Pinoy,

    We've all been discussing that SharePoint Foundation DOES have auditing capability- just not the nice UI features of SharePoint Enterprise 2010.

    However, we've discovered, thanks to Vijay.Shah, that someone created an easy to deploy solution that enables auditing and shows an audit log for SharePoint Foundation.

    So despite the simple "You can't audit except with SharePoint Server 2010" statement all over the internet, it's been proven here that you CAN enable auditing for SharePoint Foundation (the capability is there), but it takes effort.

    I am hoping that the person who created the auditlogsp project on codeplex will add the lines necessary to set it so only people who have "Manage Web Site" permission enabled can actually see the Audit logs. Then it would be a really great way to get some auditing done.

    You should *see* how the solution adds audit history to list/library items. It rocks.

    -callahan


    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |

    Saturday, February 25, 2012 5:38 AM
  • before you check the Audit report from site settings,  the Audit must be enabled first from the content Type as you mentioned

    enabling Audit on the content type enables it to view the report go to site settings then audet report

    Thursday, March 08, 2012 6:29 AM
  • you have to log on using the darm account then under (

    Site Collection Administration you can find

    Thursday, March 08, 2012 6:32 AM
  • kazaki, Are you referring to SharePoint Server when you mention this? As the thing we are currently discussing, at this point, is the codeplex solution that enables a GUI audit log for SharePoint Foundation. For what it's worth, I was logged in as a farm administrator. Please keep in mind, without coding of some sort, those auditing features you specify are not available in the GUI for SharePoint Foundation (which is what the OP is using). -callahan

    CA Callahan | Author: Mastering Windows SharePoint Service 3.0 and Mastering Microsoft SharePoint Foundation 2010 | Community Launch Leader |

    Thursday, March 08, 2012 4:41 PM
  • You can definitely use auditing with Foundation.  I know so because our software does it via the API.  www.logbinder.com/products/logbindersp

    Randall F Smith

    Saturday, August 11, 2012 4:52 PM