Jul 05 2018 12:49 PM
Is Office 365 Unified Audit logs just a duplication of SharePoint online site collection audit logs ?
If yes is it okay to turn off SharePoint Oniline site collection audit logs ?
If no what are the benefits of having them both turned on ?
Thank you
Jul 05 2018 01:16 PM
Jul 05 2018 01:52 PM
Thank you Juan for quick response.
I agree that office 365 audit logs provide much more than sharepoint, because it covers exchange and other office 365 products.
By turning off SPO audit logs, I will still be able to pull all the logs related to SPO(that were being covered under SPO audit logs) through office 365 audit logs am I right ?
Jul 07 2018 03:00 PM
SolutionThe thing about the Office 365 audit logs is that any entries ingested from a workload, like SharePoint, are normalized based on a known schema. This means that the information captured in the audit log from SharePoint is the same as you'd get from SharePoint, but it's in a common format that makes it easy to match SPO data with other workloads.
Jul 08 2018 04:33 AM
Jul 11 2018 01:27 AM
There is some benefit, Some events will not be captured unless you specifically turned on auditing for that site collection. Here are those events,
For Documents and Items,
Editing items
Checking out or checking in items
Moving or copying items to another location in the site
Deleting or restoring items
Editing content types and columns
Searching site content
Editing users and permissions
Jul 11 2018 10:04 AM
Is the audit log feature only available for non-group enabled site collections? I looked at https://support.office.com/en-us/article/view-audit-log-reports-b37c5869-1b47-4a82-a30d-ea20070fe527 and can certainly configure audit log settings, but I don't see any audit log reports option under site settings. The set of events look very similar to what is pumped into the Office 365 audit log by SharePoint, which is the most verbose of all the apps...
Jul 11 2018 10:58 AM
I think @Christophe Fiessinger or any other of the Groups guys are the only ones that can tell us why the Audit Log Reports link is missing in the site settings page in a Group site
Jul 11 2018 11:00 AM
Agreed.
However, let me also make the observation that when a choice exists between a workload-dependent feature and an equivalent feature that works across workloads, I would always take the latter. The reason is that we deal with Office 365 rather than a workload, and Microsoft's efforts inside Office 365 always focus on features that work across the service rather than are specific to a workload (like SharePoint).
Jul 12 2018 06:40 PM
@St William I think the below mentioned logs are captured within unified logs without turning on SharePoint audit Logs, can @TonyRedmond and @jcgonzalezmartin please confirm.
Sep 12 2018 05:32 AM
@St William, i could find some of the events you mentioned, here:
https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c... . Did you find this from your testing or is there any documentation underlining the fact that some events are captured in the O365 logs ONLY if SPO audit logging is also enabled?
Thanks!
Apr 08 2021 07:41 AM
The Unified crap line method might be in place, but the need for auditing at the site collection level is not going away. Any audit service should be on the bottom of the processing stack for load balancing, but still needs to be there for site collection admins to use. Also, these could be timed and auto-deleted so not creating a massive load of logs.
More broke stuff (as far as collection admin is concerned) - not cool.
Jul 07 2018 03:00 PM
SolutionThe thing about the Office 365 audit logs is that any entries ingested from a workload, like SharePoint, are normalized based on a known schema. This means that the information captured in the audit log from SharePoint is the same as you'd get from SharePoint, but it's in a common format that makes it easy to match SPO data with other workloads.