SharePoint can record user activity, which is useful for security auditing and for fulfilling other compliance requirements. To make use of it, auditing must be turned on and you need to know what you are looking for. The purpose of this blog is to show you what kind of activity is available, how to enable activity auditing, and how to make use of that data.
There are two primary ways to do this:
To manually enable SharePoint auditing, navigate to the settings page (settings cog in the top right) from within a SharePoint site. In order to do this, you must be a SharePoint Site Collection Administrator of the site or security admin.
Opening the site collection audit settings link will bring you to a page where you can configure your audit settings and choose which activity you want to collect, as shown in the screenshot below.
Use the following script to enable activity auditing on a web-application basis. All children of the web application will have activity auditing enabled, so long as they are set to inherit the permissions of the parent.
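# Load the SharePoint cmdlets (on-premises SharePoint Management Shell)
Add-PSSnapin Microsoft.SharePoint.PowerShell
$webapp = Get-SPWebApplication "http://chrisbits-sp16:21378/"
# Audit every event type
$auditmask = [Microsoft.SharePoint.SPAuditMaskType]::All
$webapp.Sites | ForEach-Object {
    # Trim the audit log automatically and keep 30 days of entries
    $_.TrimAuditLog = $true
    $_.AuditLogTrimmingRetention = 30
    # Apply the audit mask to the site collection and save it
    $_.Audit.AuditFlags = $auditmask
    $_.Audit.Update()
    # Release the SPSite object once it has been updated
    $_.Dispose()
}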
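A check to run after the script above, added here as an example and not part of the original post: it reports the audit settings of every site collection in the web application and counts recent AuditMaskChange events, which record changes to the audit flags themselves (the change made by the enabling script will show up too). The seven-day window and the variable names are assumptions; the URL is the one used above.

```powershell
# Added example: audit-coverage check using the on-premises server object model.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "http://chrisbits-sp16:21378/"   # web application from the script above
$lookbackDays = 7                                 # assumption: review window in days
$expected     = [Microsoft.SharePoint.SPAuditMaskType]::All

$webapp = Get-SPWebApplication $webAppUrl
$report = foreach ($site in $webapp.Sites) {
    try {
        # Query the audit log only for changes to the audit mask itself.
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        $query.SetRangeStart([DateTime]::UtcNow.AddDays(-$lookbackDays))
        $query.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::AuditMaskChange)
        $maskChanges = @($site.Audit.GetEntries($query))

        [pscustomobject]@{
            Url            = $site.Url
            AuditFlags     = $site.Audit.AuditFlags
            FullyAudited   = ($site.Audit.AuditFlags -eq $expected)
            TrimAuditLog   = $site.TrimAuditLog
            RetentionDays  = $site.AuditLogTrimmingRetention
            MaskChanges    = $maskChanges.Count
            LastMaskChange = ($maskChanges | Sort-Object Occurred |
                              Select-Object -Last 1).Occurred
        }
    }
    finally {
        # Release the SPSite object whether or not the query succeeded.
        $site.Dispose()
    }
}

# Show site collections that are not fully audited or whose audit mask changed recently.
$report |
    Where-Object { -not $_.FullyAudited -or $_.MaskChanges -gt 0 } |
    Format-Table -AutoSize
```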
To enable auditing for a site collection you must be a Site Collection Admin of that site collection. The easiest way to assign those rights is via PowerShell.
For a particular site collection the following command can be used:
Set-SpoUser -site <YourSiteURL> -LoginName <YourTargetUPN> -IsSiteCollectionAdmin $true
To perform this task on all site collections the following command can be used:
$sites = Get-SPOSite
foreach ($site in $sites) {
    Set-SPOUser -LoginName <YourTargetUPN> -Site $site -IsSiteCollectionAdmin $true
}
Microsoft provides its own means of viewing the activity logs through the ULS Viewer, which ingests the SharePoint logs and gives you a raw feed of the data. There are some filtering options, so if you know what you are looking for this tool can be valuable.
However, if you do not know what you are looking for, this raw stream of data will be very difficult to use effectively. As you can see from the screenshot above, in just a few minutes there were over 38,000 activity events recorded in my small test environment. The best way to use these logs effectively is to leverage a tool that collects this data and provides meaningful reports on it, so that you aren't stuck sifting through logs.
A tool like the STEALTHbits Activity Monitor (SAM) can make this data much easier to work with, especially when combined with the reporting and analytic power of StealthAUDIT. Below is a screenshot of what the SAM data collector looks like. As you can see, there are many more options for filtering the activity down to what you are interested in, such as the type of action, the user performing the action, and more.
Chris studied Information Systems at Hofstra University before joining Stealthbits (now part of Netwrix), where he took on the role of Technical Product Manager for the SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security in general is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.
© 2022 Stealthbits Technologies, Inc.