SharePoint Online site collection Audit Logs vs Office 365 Unified Audit Logs

Are Office 365 Unified Audit logs just a duplication of SharePoint Online site collection audit logs?

If yes, is it okay to turn off SharePoint Online site collection audit logs?

If no, what are the benefits of having them both turned on?

Thank you

11 Replies
No, it's not. Office 365 Audit Logs provide much more information than SharePoint Online Audit Logs. IMHO, you can disable auditing in SPO and you will still have the Office 365 Audit Log working.

Thank you Juan for the quick response.

I agree that Office 365 audit logs provide much more than SharePoint, because they cover Exchange and other Office 365 products.

By turning off SPO audit logs, I will still be able to pull all the logs related to SPO (that were being covered under SPO audit logs) through Office 365 audit logs, am I right?

best response confirmed by Sai Gutta (Iron Contributor)
Solution

The thing about the Office 365 audit logs is that any entries ingested from a workload, like SharePoint, are normalized based on a known schema. This means that the information captured in the audit log from SharePoint is the same as you'd get from SharePoint, but it's in a common format that makes it easy to match SPO data with other workloads.
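
The cross-workload matching described in the answer above, as an added example that is not part of the original thread: because every record carries the same common fields, one routine can build a per-user timeline across SharePoint, Exchange and Azure AD and flag a SharePoint event whose client IP differs from the same user's preceding event in another workload. The field names are assumed to follow the Office 365 Management Activity API common schema; the records, the `ip_changes` heuristic and its 30-minute window are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (all values invented). SiteUrl and
# SourceFileName stand in for workload-specific extras.
SAMPLE = json.loads("""[
{"CreationTime":"2019-03-01T10:02:11","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"alice@contoso.example","ClientIP":"203.0.113.7","ObjectId":"Office365"},
{"CreationTime":"2019-03-01T10:12:30","Workload":"SharePoint","Operation":"FileModified","UserId":"bob@contoso.example","ClientIP":"192.0.2.10","ObjectId":"https://contoso.example/sites/it/plan.docx"},
{"CreationTime":"2019-03-01T10:05:40","Workload":"SharePoint","Operation":"FileDownloaded","UserId":"alice@contoso.example","ClientIP":"198.51.100.23","ObjectId":"https://contoso.example/sites/hr/pay.xlsx","SiteUrl":"https://contoso.example/sites/hr","SourceFileName":"pay.xlsx"},
{"CreationTime":"2019-03-01T10:10:00","Workload":"Exchange","Operation":"MailItemsAccessed","UserId":"bob@contoso.example","ClientIP":"192.0.2.10","ObjectId":"Inbox"},
{"CreationTime":"2019-03-01T11:30:00","Workload":"SharePoint","Operation":"FileAccessed","UserId":"alice@contoso.example","ClientIP":"198.51.100.23","ObjectId":"https://contoso.example/sites/hr/pay.xlsx"}
]""")

COMMON = ("CreationTime", "Workload", "Operation", "UserId", "ClientIP", "ObjectId")

def normalize(record):
    """Keep only the common fields; workload-specific extras are dropped."""
    row = {k: record.get(k) for k in COMMON}
    row["CreationTime"] = datetime.fromisoformat(row["CreationTime"])
    return row

def timelines(records):
    """Per-user, time-ordered list of events across all workloads."""
    by_user = defaultdict(list)
    for r in map(normalize, records):
        by_user[r["UserId"]].append(r)
    for events in by_user.values():
        events.sort(key=lambda e: e["CreationTime"])
    return dict(by_user)

def ip_changes(records, window=timedelta(minutes=30)):
    """SharePoint events whose ClientIP differs from the same user's most
    recent event in another workload, if that event is within `window`."""
    hits = []
    for user, events in timelines(records).items():
        for i, cur in enumerate(events):
            if cur["Workload"] != "SharePoint":
                continue
            for prev in reversed(events[:i]):
                if cur["CreationTime"] - prev["CreationTime"] > window:
                    break  # nothing recent enough to compare against
                if prev["Workload"] != "SharePoint":
                    if prev["ClientIP"] != cur["ClientIP"]:
                        hits.append((user, cur["Operation"], prev["ClientIP"], cur["ClientIP"]))
                    break  # compare only with the nearest other-workload event
    return hits
```
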

Thank you Juan and Tony, this helps for sure.

There is some benefit. Some events will not be captured unless you specifically turn on auditing for that site collection. Here are those events:

For Documents and Items:

Editing items
Checking out or checking in items
Moving or copying items to another location in the site
Deleting or restoring items

Lists, Libraries, and Sites

Editing content types and columns
Searching site content
Editing users and permissions

Is the audit log feature only available for non-group enabled site collections? I looked at https://support.office.com/en-us/article/view-audit-log-reports-b37c5869-1b47-4a82-a30d-ea20070fe527 and can certainly configure audit log settings, but I don't see any audit log reports option under site settings. The set of events looks very similar to what is pumped into the Office 365 audit log by SharePoint, which is the most verbose of all the apps...

I think @Christophe Fiessinger or any other of the Groups guys are the only ones that can tell us why the Audit Log Reports link is missing in the site settings page in a Group site.

Agreed.

However, let me also make the observation that when a choice exists between a workload-dependent feature and an equivalent feature that works across workloads, I would always take the latter. The reason is that we deal with Office 365 rather than a workload, and Microsoft's efforts inside Office 365 always focus on features that work across the service rather than are specific to a workload (like SharePoint).

@St William I think the below mentioned logs are captured within unified logs without turning on SharePoint audit logs. Can @Tony Redmond and @Juan Carlos González Martín please confirm?

@St William, I could find some of the events you mentioned here:

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c... . Did you find this from your testing or is there any documentation underlining the fact that some events are captured in the O365 logs ONLY if SPO audit logging is also enabled?

Thanks!

@Teodora Badiu

The Unified crap line method might be in place, but the need for auditing at the site collection level is not going away. Any audit service should be on the bottom of the processing stack for load balancing, but still needs to be there for site collection admins to use. Also, these could be timed and auto-deleted so not creating a massive load of logs.

More broke stuff (as far as collection admin is concerned) - not cool.