Forum Discussion
SharePoint Online site collection Audit Logs vs Office 365 Unified Audit Logs
The thing about the Office 365 audit logs is that any entries ingested from a workload, like SharePoint, are normalized based on a known schema. This means that the information captured in the audit log from SharePoint is the same as you'd get from SharePoint, but it's in a common format that makes it easy to match SPO data with other workloads.
There is some benefit, Some events will not be captured unless you specifically turned on auditing for that site collection. Here are those events,
For Documents and Items,
Editing items
Checking out or checking in items
Moving or copying items to another location in the site
Deleting or restoring items
Lists, Libraries, and Sites
Editing content types and columns
Searching site content
Editing users and permissions
St William I think the below mentioned logs are captured within unified logs without turning on SharePoint audit Logs, can TonyRedmond and jcgonzalezmartin please confirm.
St William, i could find some of the events you mentioned, here:
https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance . Did you find this from your testing or is there any documentation underlining the fact that some events are captured in the O365 logs ONLY if SPO audit logging is also enabled?
Thanks!
The Unified crap line method might be in place, but the need for auditing at the site collection level is not going away. Any audit service should be on the bottom of the processing stack for load balancing, but still needs to be there for site collection admins to use. Also, these could be timed and auto-deleted so not creating a massive load of logs.
More broke stuff (as far as collection admin is concerned) - not cool.
