Set Audit Settings for Site Collection

Posted in SharePoint 2007, STSADM Commands

In any financial institution auditing is crucial, and it’s no different at my company, so we wanted to make sure that at least a minimum level of auditing was occurring at the site collection level. From the site collection settings page you can get to the "Site collection audit settings" page, where some basic auditing can be enabled. For more complex requirements you can set up custom policies and associate them at various levels. For our initial deployment, however, we wanted to have at least some of these basic settings enabled for every site collection.

To automate these settings during our upgrade I created a new command: gl-setauditsettings. This command turned out to be really easy to create and only took me a few minutes. The only thing I stumbled on was figuring out the best way to handle replacing, adding, or removing settings so that I didn’t have to create more than one command. In the end I opted for a simple mode parameter which lets you state your intent; each setting is then a simple parameter that’s passed in. The code, shown below, gets the SPAudit object via the SPSite’s Audit property and then sets the AuditFlags property appropriately:

    // Requires: using System; using System.Collections.Specialized; using Microsoft.SharePoint;
    public override int Run(string command, StringDictionary keyValues, out string output)
    {
        output = string.Empty;

        InitParameters(keyValues);

        string url = Params["url"].Value.TrimEnd('/');
        ModeEnum mode = (ModeEnum) Enum.Parse(typeof (ModeEnum), Params["mode"].Value, true);

        using (SPSite site = new SPSite(url))
        {
            // Initialize the mask to its default.
            SPAuditMaskType auditMask = SPAuditMaskType.None;
            if (mode != ModeEnum.Replace)
                auditMask = site.Audit.AuditFlags; // We're not replacing the mask so we need to store the current settings.

            if (mode == ModeEnum.Remove)
            {
                // Remove settings: clear each flag the user typed in
                foreach (SPAuditMaskType mask in Enum.GetValues(typeof(SPAuditMaskType)))
                {
                    if (Params[mask.ToString()].UserTypedIn)
                        auditMask = auditMask & ~mask;
                }
            }
            else
            {
                // Add settings (replace is just an add but starts with a blank slate)
                foreach (SPAuditMaskType mask in Enum.GetValues(typeof(SPAuditMaskType)))
                {
                    if (Params[mask.ToString()].UserTypedIn)
                        auditMask = auditMask | mask;
                }
            }
            // Update the Audit object with the new flags
            site.Audit.AuditFlags = auditMask;
            site.Audit.Update();
        }

        return 1;
    }

The syntax of the command can be seen below:

C:\>stsadm -help gl-setauditsettings

stsadm -o gl-setauditsettings

Set the events that should be audited for documents, items, lists, libraries, and sites within the site collection.

Parameters:
        -url <site collection url>
        -mode <replace | add | remove>
        [-none]
        [-checkout]
        [-checkin]
        [-view]
        [-delete]
        [-update]
        [-profilechange]
        [-childdelete]
        [-schemachange]
        [-securitychange]
        [-undelete]
        [-workflow]
        [-copy]
        [-move]
        [-search]
        [-all]

Here’s an example of how to enable auditing of the delete and undelete events in addition to any existing events already monitored:

stsadm -o gl-setauditsettings -url "http://intranet" -mode add -delete -undelete

One thing to be aware of: when you edit these settings via the browser you are, in some circumstances, editing more than one setting at a time. For example, via the browser you cannot choose to audit delete events and not undelete events; they are combined into one setting. This command lets you set the audit settings at a finer level, so you can track just delete events without tracking undelete (in most cases you’ll want to track both, but it’s nice to know that you can now treat them separately). Note, however, that if you use this command to enable just delete and not undelete, the browser will still show the check box for "Deleting or restoring items" as checked, because it does an OR comparison when enabling the check box.
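The mode handling in the command and the browser's OR comparison described above can be tried without a SharePoint server. This is an added example, not part of the original command: `AuditMask` is a local stand-in for `SPAuditMaskType` whose numeric values are assumed to match the documented enum, and `Apply`, `BrowserShowsDeleteOrRestore` and `Describe` are hypothetical helper names.

```csharp
using System;
using System.Linq;

// Local stand-in for Microsoft.SharePoint.SPAuditMaskType so the example runs
// without SharePoint; the values are assumed to match the documented enum.
[Flags]
enum AuditMask
{
    None = 0, CheckOut = 1, CheckIn = 2, View = 4, Delete = 8, Update = 16,
    ProfileChange = 32, ChildDelete = 64, SchemaChange = 128, SecurityChange = 256,
    Undelete = 512, Workflow = 1024, Copy = 2048, Move = 4096, Search = 8192, All = -1
}

enum Mode { Replace, Add, Remove }

static class AuditMaskDemo
{
    // Same rule as the command: replace starts from None, add ORs flags in, remove clears them.
    public static AuditMask Apply(AuditMask current, Mode mode, params AuditMask[] selected)
    {
        AuditMask mask = mode == Mode.Replace ? AuditMask.None : current;
        foreach (AuditMask flag in selected)
            mask = mode == Mode.Remove ? mask & ~flag : mask | flag;
        return mask;
    }

    // The "Deleting or restoring items" box is checked when either flag is set.
    public static bool BrowserShowsDeleteOrRestore(AuditMask mask)
    {
        return (mask & (AuditMask.Delete | AuditMask.Undelete)) != AuditMask.None;
    }

    // Lists the individual flags that are set, which the combined check box hides.
    public static string Describe(AuditMask mask)
    {
        string[] names = Enum.GetValues(typeof(AuditMask)).Cast<AuditMask>()
            .Where(f => f != AuditMask.None && f != AuditMask.All && (mask & f) == f)
            .Select(f => f.ToString()).ToArray();
        return names.Length == 0 ? "None" : string.Join(", ", names);
    }

    static void Main()
    {
        AuditMask current = AuditMask.View | AuditMask.Update;   // constructed starting state
        AuditMask added = Apply(current, Mode.Add, AuditMask.Delete);
        Console.WriteLine("add -delete: {0}", Describe(added));
        Console.WriteLine("box checked: {0}, undelete audited: {1}",
            BrowserShowsDeleteOrRestore(added), (added & AuditMask.Undelete) != 0);
        Console.WriteLine("replace -undelete: {0}", Describe(Apply(added, Mode.Replace, AuditMask.Undelete)));
    }
}
```

When reviewing audit coverage, compare the individual flags rather than the browser's check boxes, since a checked "Deleting or restoring items" box does not show which of the two events is actually being recorded.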

12 thoughts on “Set Audit Settings for Site Collection”

  1. Gary! You're the man. Just got a request to enable this on all 200 of our site collections. BTW thanks for the autograph you gave my co-admin, she sent it over to me and I have it on my cube wall =)

    1. Unfortunately, when I wrote this command I was only considering the SPSite object but yes, you could modify the code and use the Audit property of the SPWeb object instead (pretty easy to do with PowerShell).

  2. Sorry, I entered the wrong email address…. can we try again?

    Is it still there because I do not see it on the downloads page — what is it called for WSS 3.0?

  3. Hi Gary, is there any way to disable the audit logs? I have tried to do it in the auditsettings.aspx page on the site and uncheck the check box. But somehow they seem to reset!
    Any idea if I am missing anything?

  4. Gary,
    We are seeing these in our siteCollection:
    $site.Audit.AuditFlags
    None

    $site.Audit.EffectiveAuditMask
    6687

    The UI shows that no Auditing is selected for the sitecollection (_layouts/auditsettings.aspx), but we are seeing entries being added to the AuditData table for any actions we are taking in the site collection. I thought the EffectiveAuditMask would match the AuditFlags… Have you run across this behavior before, or have any ideas as to how we can effectively disable Auditing here?

    Thanks,
