Improving SharePoint Auditing with ControlPoint
SharePoint administrators have a very difficult job when it comes to auditing a farm. Out-of-the-box, the audit log reports contain all the right data but are much too busy and large to be helpful. Frankly, the report is not readable by humans. This data is key for organizations needing to track whether users are in compliance with their governance plans. ControlPoint greatly improves this OOTB auditing capability, filtering through the audit data and delivering administrators granular audit reports as needed.
One major use of audit reporting is to manage user access changes. SharePoint can give you a report on all permission changes in a single report, but does not let you filter on individual changes. With ControlPoint, you can track permissions modifications and removals, additions and removals of users from SharePoint groups, creation and deletion of groups, and when inheritance has been broken or restored. While the report from SharePoint contains pages and pages of superfluous data, the ControlPoint report is filterable on any specific event detail to display only the information you care about.
From the screen shot, you can see my parameters are searching the last 2 years of who has changed permissions, checked in and checked out a document called “PrivateCellPhoneNumbers.doc.
Filterable events in ControlPoint include: Add Member to a SharePoint group, Change mask (audit flags are changed), Change of permissions, Change of profile, Schema change, Check in of document, Check out of document, Copy (an audited object is copied), Create SharePoint group, Create permissions, Custom event triggered, Deletion, Delete child object (the child of an auditable object is deleted), Delete events (Audit data removed from content database), Delete group, Delete member from SharePoint group, Modify permissions, Move (an audited object is moved), Move a child object (the child of an auditable object is moved), Remove permissions, Search (an audited object is searched), Turn off inheritance from parent, Turn on inheritance from parent, Undelete (restores), Update, View, Workflow.
ControlPoint will also send alerts when these changes occur. Your SharePoint team can be alerted when people are adding and deleting sites, breaking and restoring inheritance, changing permission for users and groups, and much more. This allows you to fix any breach in your governance plan as soon as possible.
Although the audit reports contain very powerful data, they will consume a ton of space in your content database. You are forced to enable auditing at the site collection level and are therefore forced to collect details on every subsite, list, and item inside that site collection. The dbo.AuditData table can grow at a rate of approximately 64 KB per page hit. Assuming that you have 1,000 hits to a page in a day, the growth in size would be 1,000 * 64 KB = 62.5 MB/day. This means that even if you do not add any content to the site, the content database will still grow by over 1.8 GB per month. Pretty scary statistics -- so don’t tell your DBA that you’ve enabled auditing! ;-)
With ControlPoint, you can enable auditing across a smaller scope, auditing specific sites and lists instead of the entire site collection. Additionally, ControlPoint can automatically archive your audit logs to any database on any SQL Server, and still allow you to search through your archived logs. If you need to audit your entire farm, ControlPoint can enable auditing in bulk across all site collections and enforce the audit setting as a policy, ensuring auditing is not changed on any existing site and is applied to all future sites. ControlPoint can then be used to run a powerful farm-wide audit report across all site collections at once, while SharePoint would require a separate report for each site collection. Your scope can also be filtered down to any object, such as documents, lists, webs, etc. Beyond that, we provide a “URL contains field” where you can plug in the name of any SharePoint URL you are looking for -- even a document name.
All this functionality is available for all versions of SharePoint, even for WSS 3.0 and 2010 Foundation clients. With ControlPoint, your audit report can be very broad or narrow in scope, saving you time and freeing you from the convoluted out of the box auditing. Find out more about ControlPoint here, download a free evaluation, or request a demonstration here.
Guest author Steve Goldberg is an Axceler Sales Engineer