How to generate and use SharePoint Audit Logs effectively

Many organizations have been using SharePoint as a content management and collaboration tool for a long time. As the data and users grow, so does the concerns for security. So, one must definitively take care about security and compliance actions to ensure data consistency, integrity and security.     

As a part of the security and compliance feature, SharePoint provides Audit Log Reports that allows you to know who is accessing what, such as SharePoint sites, lists, libraries, list items and files in Site collections and what they are doing with them. This report clearly logs all user activities along with time stamps, which will help you sort and filter easily, analyze changes and, effectively audit your entire SharePoint content.   

 For example, say some users shared private content with external users outside of your organization or deleted some important files or granted some high privileges to least privilege users. Every single one of these actions can be tracked using Audit Reports. Without Audit Reports, it is very difficult to find what and who made changes to the content. SharePoint Audit Log Reports help us find out these type of activities and fix any unwanted changes without any hassle.   

So, now that you know what SharePoint Audit Logs are, let’s see how you can enable an Audit Log in SharePoint. 

Enabling SharePoint Audit Logs

Before generating SharePoint Audit Log Reports, we need to configure audit settings for a site collection.  

Follow the below steps to generate an Audit Log in SharePoint-

For SharePoint Servers- 

• Go to the Central Administration 
• In the Application Management section, click manage service applications 
• Select the secure store service application 
• On the ribbon, click properties 
• In the enable audit section, click to select the audit log enabled box 
• To change the number of days, the entries that you want to purge from the audit log file, specify the number in days in the Days until Purge field (the default value is 30 days). 
• Click OK

For SharePoint Online-  

• From the admin center, select Security & Compliance 
• In the Compliance Center, expand Search 
• Click Audit Log Search 
• In the upper left corner of the page, click the Start Recording User and Admin Activities link 

Features available for Audit Log Reports 

The below-mentioned activities can be seen by a user through SharePoint Audit Logs-

• Opened and downloaded documents, viewed items in lists, or viewed item properties (This event is not available for SharePoint Online sites) 
• Edited items 
• Checked out and checked in items
• Items that have been moved and copied to other locations in the site collection
• Deleted and restored items
• Changes to content types and columns
• Search queries
• Changes to user accounts and permission
• Changed audit settings and deleted audit log event
• Workflow events
• Custom events 

Generating an Audit Log Report 

To view Audit Log Reports you need to be a site collection administrator.  

• Go to Site Settings 
• Under Site Collection Administration section, click Audit Log Reports
• Choose the appropriate Report Type 
• Choose a location to save the report. 

For a Customized Report 

• Choose the Date Range for which the activities report should be restricted to (optional) 
• Choose to which user this report should be restricted to (Optional) 
• Choose the events you want this report should be restricted to. If not selected, the report will include all the events
• Click OK 

SharePoint Audit Log Report Uses

By using the above Audit Log Report and leveraging the pivot tables in Microsoft Excel, we can generate and track any activity details from the above-mentioned activities.  

Below are some of the useful analysis reports that can be derived using audit reports-  

User activities 

1. User activity 

By using an audit report, we can track who is performing what action on the SharePoint objects and can also generate the total number of activities they performed on the site.  

For example, by using the User ID and Events columns in an audit report, we can get the report of who performed what in SharePoint. Based on this, we can analyse who is the most active user and who is frequently accessing or managing the site collections content.

2. User Last Activity 

With an audit report, we can track who is accessing more and who is accessing less and their last activity time and can also generate a report of the user and his date wise accessed count.

3. Last usage of Site Collection/Site/List/Library/Document/Folder/Item 

By using the audit report, get the count of the event occurred in a month or a day. Based on this we can track the last used date of site collection/site/list/library/document/folder/item.

By grouping the Document location and sort by Occurred date column, we can get the details for the file when it was last modified or accessed.

4. Access Granted Activity

By using the audit log reports, we can know who given access to whom on list/library/document/ site.

For example, based on Event type as “Security Group Create”, “Security Role Definition Create” we can get the following.

5. Access Removal Activity

By using the audit log reports, we can know who given access to whom on list/library/document/ site.

For example, based on Event type as “Security Group Delete”, “Security Role Definition Delete” we can get the information about who removed access from the list/library/site/document/ file/ item for whom.

6. Most Searched Query 

By using the audit log reports, we can get the frequent search terms, and the sites in which the search performed.  

For example, Based on Event Type ‘Search’ we can get the most searched query on the site collection/ sites / lists / libraries.

7. Most Viewed Document/Item/Folder 

With the help of Audit log reports, we can know historical usage information of the document /item/folder. We can track more specific information by filtering the events. 

For example, by filtering the document location and by counting occurred date we can get the document accessed count. With help of Event type, we can get most viewed/updated documents.

8. Most Viewed Documents by User 

With help of Audit Log Reports, we can know the historical usage information of the document /item /folder per user level. For a specific document, we can see individual user count. So, we can track who is frequently accessing the same information. 

For Example, with the help of filters on User ID and document location columns, and by counting the occurred date, we can get the document accessed count user wise and with the help of Event type, we can get most viewed/updated documents log.

Like above, we can sort, filter and generate many other activity and usage reports. But one thing to note here is, if audit data is very large, SharePoint would provide them in a different excel files which would result in much more complexity to merge them and generate required analytics reports based on them and it’s very difficult to derive some complex analysis using those excel files. 

Saketa SharePoint Security Manager

So, here, any third-party tool that provides effective Audit Reports Management, effective security and compliance features would save you from unexpected security threats and helps you easily track and analyse your SharePoint security.  

One such tool is the Saketa SharePoint Security Manager, which will help you analyse, track and manage your entire SharePoint Security.  You can view your SharePoint items that are shared externally or internally with users, manage access requests, clean orphan users and unused limited access, manage external users, manage sharing links, generate permission and audit reports and many more rich SharePoint security management features.  

This tool is provided along with SharePoint Migrator, so it’s one-stop solution for all your SharePoint needs.