In any financial institution auditing is crucial – it’s no different with my company – as such we wanted to make sure that there was at least a minimum level of auditing occurring at the site collection level. From the site collection settings page you can get to the "Site collection audit settings" page where some basic auditing can be enabled. For more complex stuff you can setup custom policies and associate them at various levels. However, for our initial deployment we wanted to at least have some of these basic settings enabled for every site collection. To automate these settings during our upgrade I created a new command: gl-setauditsettings. This command turned out to be really easy to create and only took me a few minutes. Only thing I stumbled on was figuring out the best way to handle replacing, adding, or removing settings so that I didn’t have to create more than one command. In the end I opted for a simple mode parameter which enables you to state your intent – each setting is then a simple parameter that’s passed in. The code, shown below, gets the SPAudit object via the SPSite’s Audit property and then sets the AuditFlags property appropriately:
The syntax of the command can be seen below:
C:\>stsadm -help gl-setauditsettings stsadm -o gl-setauditsettings Set the events that should be audited for documents, items, lists, libraries, and sites within the site collection. Parameters: -url <site collection url> -mode <replace | add | remove> [-none] [-checkout] [-checkin] [-view] [-delete] [-update] [-profilechange] [-childdelete] [-schemachange] [-securitychange] [-undelete] [-workflow] [-copy] [-move] [-search] [-all]
Here’s an example of how to enable auditing of the delete and undelete events in addition to any existing events already monitored:
stsadm -o gl-setauditsettings -url "http://intranet" -mode add -delete -undelete
One thing to be aware of – when you edit these settings via the browser you are, in some circumstances, editing more than one setting at a time. For example, via the browser you cannot choose to audit delete events and not undelete events – they are combined into one setting. Using this command allows you to set the audit settings at a finer level so you can track just delete events without tracking undelete (in most cases you’ll want to track both but it’s nice to know that you can now treat them separately). Note however that if you use this command to enable just delete and not undelete the browser will show the check box for "Deleting or restoring items" as checked as it does an or comparison when enabling the check box.