SharePoint Activity Monitoring: How to do it And What to Look For

SharePoint offers options for collecting activity which may prove useful for many different reasons. Whether that reason is for security auditing or fulfilling other compliance requirements, in order to make use of it – it must be turned on and you need to know what you are looking for. The purpose of this blog is to show you what kind of activity is available, how to enable activity auditing and how to make use of that data.

Events Available for Logging

1. Opened and downloaded documents, viewed items in lists, or viewed item properties. (The event is currently not supported for SP Online sites)
2. Edited items
3. Checked out and checked in items
4. Items that have been moved and copied to other location in the site collection
5. Deleted and restored items
6. Changes to content types and columns
7. Search queries
8. Changes to user accounts and permissions
9. Changed audit settings and deleted audit log events
10. Workflow events
11. Custom events (Activity carried out by custom SharePoint applications)

Step 1: Enabling SharePoint Activity Logging

There are two primary ways to do this:

1. Manually enabling activity auditing from the site.
2. Using PowerShell to turn on activity auditing on a site.

The Manual Approach:

To manually enable SharePoint auditing, navigate to the settings page (settings cog in the top right) from within a SharePoint site. In order to do this, you must be a SharePoint Site Collection Administrator of the site or security admin.

Opening the site collection audit settings link will bring you a page that allows you to configure your audit settings and choose what you are interested in collecting activity on as shown in the screenshot below.

The PowerShell Option

Use the following script to enable activity auditing on a web-application basis, all children of the web-application will have activity auditing enabled on it so long as they are set to inherit the permissions of the parent.

Add-PSSnapin Microsoft.SharePoint.Powershell 
$webapp = Get-SPWebApplication "http://chrisbits-sp16:21378/"
$auditmask = [Microsoft.SharePoint.SPAuditMaskType]::All;

$webapp.sites | % {
   $_.TrimAuditLog = $true
   $_.Audit.AuditFlags = $auditmask
   $_.Audit.Update()
   $_.AuditLogTrimmingRetention = 30
}

Required Permissions:

To enable auditing for a site collection you must be a Site Collection Admin of that site collection. The easiest way to assign those rights is via PowerShell.

For a particular site collection the following command can be used:

Set-SpoUser -site <YourSiteURL> -LoginName <YourTargetUPN> -IsSiteCollectionAdmin $true

To perform this task on all site collections the following command can be used:

$sites=Get-SPOSite
foreach ($site in $sites) {Set-SPOUser -LoginName <YourTargetUPN> -Site $site -IsSiteCollectionAdmin $true}

Step 2: Collect the Activity Logs

Microsoft provides its own means of viewing the activity logs through the ULS Viewer which ingests the SharePoint logs and gives you a raw feed of the data. There are some filtering options so if you know what you are looking for this tool can be valuable.

However, if you do not know what you are looking for this raw stream of data will be very difficult to use effectively. As you can see from the screenshot above, in just a few minutes there were over 38,000 activity events recorded in my small test environment. The best way to effectively use these logs is to leverage a tool that will collect this data and provide meaningful reports on it so that you aren’t stuck sifting through logs.

A tool like the STEALTHbits Activity Monitor (SAM) can make this data much easier to work with especially when combined with the reporting and analytic power of StealthAUDIT. Below is a screenshot of what the SAM data collector looks like and you can see there are a lot more options in terms of filtering the activity down to what you are interested in such as the type of action, the user making the options and more.