SOLVED

SharePoint Online site collection Audit Logs vs Office 365 Unified Audit Logs

%3CLINGO-SUB%20id%3D%22lingo-sub-212579%22%20slang%3D%22en-US%22%3ESharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-212579%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20Office%20365%20Unified%20Audit%20logs%20just%20a%20duplication%20of%20SharePoint%20online%20site%20collection%20audit%20logs%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20yes%20is%20it%20okay%20to%20turn%20off%20SharePoint%20Oniline%20site%20collection%20audit%20logs%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20no%20what%20are%20the%20benefits%20of%20having%20them%20both%20turned%20on%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-212579%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-251649%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-251649%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F86881%22%20target%3D%22_blank%22%3E%40St%20William%3C%2FA%3E%2C%20i%20could%20find%20some%20of%20the%20events%20you%20mentioned%2C%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsearch-the-audit-log-in-security-and-compliance%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsearch-the-audit-log-in-security-and-compliance%3C%2FA%3E%20.%20Did%20you%20find%20this%20from%20your%20testing%20or%20is%20there%20any%20documentation%20underlining%20the%20fact%20that%20some%20events%20are%20captured%20in%20the%20O365%20logs%20ONLY%20if%20SPO%20audit%20logging%20is%20also%20enabled%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-215199%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-215199%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F86881%22%20target%3D%22_blank%22%3E%40St%20William%3C%2FA%3E%26nbsp%3BI%20think%20the%20below%20mentioned%20logs%20are%20captured%20within%20unified%20logs%20without%20turning%20on%20SharePoint%20audit%20Logs%2C%20can%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64%22%20target%3D%22_blank%22%3E%40Tony%20Redmond%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F60%22%20target%3D%22_blank%22%3E%40Juan%20Carlos%20Gonz%C3%A1lez%20Mart%C3%ADn%3C%2FA%3E%26nbsp%3Bplease%20confirm.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-214488%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-214488%22%20slang%3D%22en-US%22%3E%3CP%3EAgreed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHowever%2C%20let%20me%20also%20make%20the%20observation%20that%20when%20a%20choice%20exists%20between%20a%20workload-dependent%20feature%20and%20an%20equivalent%20feature%20that%20works%20across%20workloads%2C%20I%20would%20always%20take%20the%20latter.%20The%20reason%20is%20that%20we%20deal%20with%20Office%20365%20rather%20than%20a%20workload%2C%20and%20Microsoft's%20efforts%20inside%20Office%20365%20always%20focus%20on%20features%20that%20work%20across%20the%20service%20rather%20than%20are%20specific%20to%20a%20workload%20(like%20SharePoint).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-214485%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-214485%22%20slang%3D%22en-US%22%3E%3CP%3EI%20think%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F67%22%20target%3D%22_blank%22%3E%40Christophe%20Fiessinger%3C%2FA%3E%26nbsp%3Bor%20any%20other%20of%20the%20Groups%20guys%20are%20the%20only%20ones%20that%20can%20tell%20us%20why%20the%20Audit%20Log%20Reports%20link%20is%20missing%20in%20the%20site%20settings%20page%20in%20a%20Group%20site%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-214444%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-214444%22%20slang%3D%22en-US%22%3E%3CP%3EIs%26nbsp%3Bthe%20audit%20log%20feature%20only%20available%20for%20non-group%20enabled%20site%20collections%3F%20I%20looked%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fview-audit-log-reports-b37c5869-1b47-4a82-a30d-ea20070fe527%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fview-audit-log-reports-b37c5869-1b47-4a82-a30d-ea20070fe527%3C%2FA%3E%20and%20can%20certainly%20configure%20audit%20log%20settings%2C%20but%20I%20don't%20see%20any%20audit%20log%20reports%20option%20under%20site%20settings.%20The%20set%20of%20events%20look%20very%20similar%20to%20what%20is%20pumped%20into%20the%20Office%20365%20audit%20log%20by%20SharePoint%2C%20which%20is%20the%20most%20verbose%20of%20all%20the%20apps...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-214191%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-214191%22%20slang%3D%22en-US%22%3E%3CP%3EThere%20is%20some%20benefit%2C%20Some%20events%20will%20not%20be%20captured%20unless%20you%20specifically%20turned%20on%20auditing%20for%20that%20site%20collection.%20Here%20are%20those%20events%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EFor%26nbsp%3BDocuments%20and%20Items%2C%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EEditing%20items%3CBR%20%2F%3EChecking%20out%20or%20checking%20in%20items%3CBR%20%2F%3EMoving%20or%20copying%20items%20to%20another%20location%20in%20the%20site%3CBR%20%2F%3EDeleting%20or%20restoring%20items%3C%2FP%3E%3CH3%20id%3D%22toc-hId-1449055779%22%20id%3D%22toc-hId-1508190012%22%3ELists%2C%20Libraries%2C%20and%20Sites%3C%2FH3%3E%3CP%3EEditing%20content%20types%20and%20columns%3CBR%20%2F%3ESearching%20site%20content%3CBR%20%2F%3EEditing%20users%20and%20permissions%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-213130%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-213130%22%20slang%3D%22en-US%22%3EThank%20you%20Juan%20and%20Tony%2C%20this%20helps%20for%20sure.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-213084%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-213084%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20thing%20about%20the%20Office%20365%20audit%20logs%20is%20that%20any%20entries%20ingested%20from%20a%20workload%2C%20like%20SharePoint%2C%20are%20normalized%20based%20on%20a%20known%20schema.%20This%20means%20that%20the%20information%20captured%20in%20the%20audit%20log%20from%20SharePoint%20is%20the%20same%20as%20you'd%20get%20from%20SharePoint%2C%20but%20it's%20in%20a%20common%20format%20that%20makes%20it%20easy%20to%20match%20SPO%20data%20with%20other%20workloads.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-212596%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-212596%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20Juan%20for%20quick%20response.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20agree%20that%20office%20365%20audit%20logs%20provide%20much%20more%20than%20sharepoint%2C%20because%20it%20covers%20exchange%20and%20other%20office%20365%20products.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBy%20turning%20off%20SPO%20audit%20logs%2C%20I%20will%20still%20be%20able%20to%20pull%20all%20the%20logs%20related%20to%20SPO(that%20were%20being%20covered%20under%20SPO%20audit%20logs)%20through%20office%20365%20audit%20logs%20am%20I%20right%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-212585%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20site%20collection%20Audit%20Logs%20vs%20Office%20365%20Unified%20Audit%20Logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-212585%22%20slang%3D%22en-US%22%3ENo%2C%20it's%20not.%20Office%20365%20Audit%20Logs%20provide%20much%20more%20information%20that%20SharePoint%20Online%20Audit%20Logs.%20IMHO%2C%20you%20can%20disable%20auditing%20in%20SPO%20and%20you%20will%20still%20have%20the%20Office%20365%20Audit%20Log%20working%3C%2FLINGO-BODY%3E
Highlighted
Frequent Contributor

Is Office 365 Unified Audit logs just a duplication of SharePoint online site collection audit logs ?

 

If yes is it okay to turn off SharePoint Oniline site collection audit logs ?

 

If no what are the benefits of having them both turned on ?

 

Thank you

10 Replies
Highlighted
No, it's not. Office 365 Audit Logs provide much more information that SharePoint Online Audit Logs. IMHO, you can disable auditing in SPO and you will still have the Office 365 Audit Log working
Highlighted

Thank you Juan for quick response.

 

I agree that office 365 audit logs provide much more than sharepoint, because it covers exchange and other office 365 products.

 

By turning off SPO audit logs, I will still be able to pull all the logs related to SPO(that were being covered under SPO audit logs) through office 365 audit logs am I right ?

Highlighted
Best Response confirmed by Sai Gutta (Frequent Contributor)
Solution

The thing about the Office 365 audit logs is that any entries ingested from a workload, like SharePoint, are normalized based on a known schema. This means that the information captured in the audit log from SharePoint is the same as you'd get from SharePoint, but it's in a common format that makes it easy to match SPO data with other workloads.

Highlighted
Thank you Juan and Tony, this helps for sure.
Highlighted

There is some benefit, Some events will not be captured unless you specifically turned on auditing for that site collection. Here are those events,

 

For Documents and Items,

Editing items
Checking out or checking in items
Moving or copying items to another location in the site
Deleting or restoring items

Lists, Libraries, and Sites

Editing content types and columns
Searching site content
Editing users and permissions

Highlighted

Is the audit log feature only available for non-group enabled site collections? I looked at https://support.office.com/en-us/article/view-audit-log-reports-b37c5869-1b47-4a82-a30d-ea20070fe527 and can certainly configure audit log settings, but I don't see any audit log reports option under site settings. The set of events look very similar to what is pumped into the Office 365 audit log by SharePoint, which is the most verbose of all the apps...

Highlighted

I think @Christophe Fiessinger or any other of the Groups guys are the only ones that can tell us why the Audit Log Reports link is missing in the site settings page in a Group site

Highlighted

Agreed.

 

However, let me also make the observation that when a choice exists between a workload-dependent feature and an equivalent feature that works across workloads, I would always take the latter. The reason is that we deal with Office 365 rather than a workload, and Microsoft's efforts inside Office 365 always focus on features that work across the service rather than are specific to a workload (like SharePoint).

Highlighted

@St William I think the below mentioned logs are captured within unified logs without turning on SharePoint audit Logs, can @Tony Redmond and @Juan Carlos González Martín please confirm.

Highlighted

@St William, i could find some of the events you mentioned, here:

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c... . Did you find this from your testing or is there any documentation underlining the fact that some events are captured in the O365 logs ONLY if SPO audit logging is also enabled?

 

Thanks!