SharePoint audit log gathering

Deleted

Hey,

We are in an environment with a huge amount of site collections (+100K) and for compliance issues, we need to collect all audit log data to report on user activities across the environment. Given that querying the content database is not supported on premise and not possible in an Online scenario, I was wondering what other possibilities do exist / if anything is coming through PnP / CSOM?

Kind regards,

Christophe

8 Replies

@Vesa Juvonen, is this something that might get into PnP / any other tracks to explore? Thanks for any guidance!


@Deleted, have you looked at the audit log reports built into Office 365?

In the Admin application, go to Admin Centers and open the Compliance admin center. In the Compliance (aka Security & Compliance) center, expand "Search & investigation" in the left navigation, and click on "Audit log search". You can also read more about the Audit log search at https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US

Do you need to keep the audit log data for more than 90 days?

+1 to use the audit log features you have in the Security & Compliance center...by the way, in the PnP space in GitHub you can find samples about how to use CSOM to get information from the SPO change Log

Thanks for your responses. The Security & Compliance center is only giving part of the functionality, as it is only covering SPO.

To clarify a bit more on the needs: we have the requirement to be able to report on who's viewed / downloaded / deleted content in a full on-prem environment which might move in the future partly to SPO (so a hybrid environment). These logs should be consultable for a longer period of time (+ 5 years). We are able to capture that data if we are reading directly from the content databases, but this is not advisable and even impossible on SPO.

Today you are right, but in the future you can expect to have the ability to query OnPremises activity from the Security and Compliance Center...in regards of your 5 years requirement I don't think you will have for SPO data.

My understanding is that the Audit Log data for SharePoint Online is available for 90 days. If you need to keep it around longer, you will need to write something to harvest and store it. Look at https://msdn.microsoft.com/office-365/office-365-management-activity-api-reference for API details.
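
One way to structure the harvest-and-store job suggested in the reply above, as an added example that is not code from any poster in this thread. It assumes an `Audit.SharePoint` subscription has already been started on the Office 365 Management Activity API; `http_get` is a hypothetical caller-supplied transport that attaches the OAuth token, and the tenant id and feed in `demo()` are constructed so the block runs offline.

```python
import io
import json
from datetime import datetime, timedelta

API = "https://manage.office.com/api/v1.0/{tenant}/activity/feed/subscriptions/content"
FMT = "%Y-%m-%dT%H:%M:%S"

def windows(start, end, step=timedelta(hours=24)):
    """Split [start, end) into spans of at most 24 hours, the API's limit per query."""
    while start < end:
        stop = min(start + step, end)
        yield start, stop
        start = stop

def harvest(http_get, tenant, start, end, seen, sink):
    """Append new Audit.SharePoint records from [start, end) to sink as JSON Lines.

    http_get(url) -> (headers dict, parsed JSON body) is a caller-supplied
    transport (assumption) that attaches the OAuth bearer token. seen is the
    set of record Ids already archived. Returns the number of records written.
    """
    written = 0
    for lo, hi in windows(start, end):
        url = (API.format(tenant=tenant) + "?contentType=Audit.SharePoint"
               + f"&startTime={lo.strftime(FMT)}&endTime={hi.strftime(FMT)}")
        while url:  # follow NextPageUri until the listing is exhausted
            headers, blobs = http_get(url)
            for blob in blobs:
                _, records = http_get(blob["contentUri"])
                for rec in records:
                    if rec["Id"] not in seen:  # skip records archived earlier
                        seen.add(rec["Id"])
                        sink.write(json.dumps(rec, sort_keys=True) + "\n")
                        written += 1
            url = headers.get("NextPageUri")
    return written

def demo():
    """Harvest 36 hours from a constructed feed: two pages, one duplicate record."""
    rec = lambda i, op: {"Id": i, "Operation": op, "Workload": "SharePoint"}
    canned = {"page2": ({}, [{"contentUri": "blob-b"}]),
              "blob-a": ({}, [rec("1", "FileAccessed"), rec("2", "FileDownloaded")]),
              "blob-b": ({}, [rec("2", "FileDownloaded"), rec("3", "FileDeleted")])}
    first = ({"NextPageUri": "page2"}, [{"contentUri": "blob-a"}])
    sink, t0 = io.StringIO(), datetime(2016, 9, 1)
    n = harvest(lambda url: canned.get(url, first), "00000000-0000-0000-0000-000000000000",
                t0, t0 + timedelta(hours=36), set(), sink)
    return n, [json.loads(line)["Operation"] for line in sink.getvalue().splitlines()]
```

The API only lists content from the last 7 days, so a job like this has to run at least that often and persist `seen` (or the last harvested end time) between runs to build a multi-year archive.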


Also, if you are attending Microsoft Ignite 2016, there are 300 plus vendors in the Expo Hall. Some of them might have solutions for more comprehensive audit logging for on premise SharePoint.
