Auditing and Compliance in WSS 3.0

29 Jan

Auditing from within MOSS (SharePoint Server) is quite simple: there is a UI for enabling and disabling all of the events you may want to audit.  There is also a facility for viewing and exporting these logs.

However, what if you would like to use auditing features in WSS 3.0 without MOSS?  Believe it or not, most of the same auditing functionality is available, but without a UI.

Most of the information you need to do this is already available on the web; however, it's very spread out and difficult to digest.  Rather than repeat information that is available elsewhere, let me point you to all your options with some explanations:

You can enable auditing at the list or site level via code. Here's an example of what that looks like:

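using Microsoft.SharePoint;

// SPContext.Current.Site belongs to the current request; do not dispose it.
SPSite siteCollection = SPContext.Current.Site;
siteCollection.Audit.AuditFlags = SPAuditMaskType.All;  // audit every event type
siteCollection.Audit.Update();                          // persist the new flags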

You might do this in a feature, or as an application page.

Here is additional information on enabling Auditing for a document library.

Here is information on enabling auditing for a site collection.

You can also enable the auditing without writing any code, using this custom STSADM command from Gary Lapointe.

Then you might ask yourself…

But how do I view my logs?

There is less information available about this.  First, let's talk about where the logs live.

Audit logs are stored in your site's content database, in a table called "AuditData".

That table has a logical schema, and looks like this:

[SiteId] [uniqueidentifier] NOT NULL,
[ItemId] [uniqueidentifier] NOT NULL,
[ItemType] [smallint] NOT NULL,
[UserId] [int] NULL,
[MachineName] [nvarchar](128) NULL,
[MachineIp] [nvarchar](20) NULL,
[DocLocation] [nvarchar](260) NULL,
[LocationType] [tinyint] NULL,
[Occurred] [datetime] NOT NULL,
[Event] [int] NOT NULL,
[EventName] [nvarchar](128) NULL,
[EventSource] [tinyint] NOT NULL,
[SourceName] [nvarchar](256) NULL,
[EventData] [ntext] NULL

You may need to join this data to your Site table via the SiteID if you want to report on it effectively with SQL Reporting Services or even Excel.

Additionally, the Audit API has a more 'proper' way to access the audit data which will be safe in the event that the underlying schema changes in a future update.

Ted Pattison has prepared a sample with the ability to configure the logs and view the log data using the API.
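As an added illustration of reading the log through the Audit API rather than the AuditData table (this is not Ted Pattison's sample and not code from this post), the console program below lists the last seven days of entries for one site collection and marks changes to the audit settings or trimming of the log. The URL is a placeholder, the seven-day window is arbitrary, and the program is assumed to run on the WSS server under an account with site collection administrator rights.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

class AuditReport
{
    static void Main(string[] args)
    {
        // Assumption: placeholder URL; pass the real site collection URL as args[0].
        string url = args.Length > 0 ? args[0] : "http://server/sites/example";

        using (SPSite site = new SPSite(url))
        {
            // Map the numeric UserId stored in each entry to a login name, once.
            Dictionary<int, string> logins = new Dictionary<int, string>();
            foreach (SPUser user in site.RootWeb.SiteUsers)
                logins[user.ID] = user.LoginName;

            // Last 7 days; range is given in UTC (assumed, to match Occurred).
            SPAuditQuery query = new SPAuditQuery(site);
            query.SetRangeStart(DateTime.UtcNow.AddDays(-7));
            query.SetRangeEnd(DateTime.UtcNow);

            foreach (SPAuditEntry entry in site.Audit.GetEntries(query))
            {
                string login;
                if (!logins.TryGetValue(entry.UserId, out login))
                    login = "id:" + entry.UserId;   // deleted or system account

                // Audit mask changes and log trimming deserve a reviewer's attention.
                bool flagged = entry.Event == SPAuditEventType.AuditMaskChange
                            || entry.Event == SPAuditEventType.EventsDeleted;

                // Tab-separated output: time, event, user, source IP, location.
                Console.WriteLine("{0:u}\t{1}\t{2}\t{3}\t{4}{5}",
                    entry.Occurred, entry.Event, login,
                    entry.MachineIP, entry.DocLocation,
                    flagged ? "\t<-- audit settings or log changed" : "");
            }
        }
    }
}
```

The tab-separated output opens directly in Excel, which covers the reporting case mentioned above without touching the content database.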

Oh, and of course I plan to add the ability to view audit logs to my SharePoint Log Viewer in a future version!
