Home > PowerShell, SharePoint 2010 > Setting SharePoint 2010 Audit Log Settings using PowerShell

Setting SharePoint 2010 Audit Log Settings using PowerShell

I needed to set the Audit Log settings for all the Site Collections in my SharePoint 2010 web application to prevent extensive database growth due to “over auditing”.  As many may know SharePoint 2010 audit logs can get out of hand if the logs are not monitored or trim accordingly, with extensive log growth in each content database which in return affects performance.

Instead of auditing everything on each Site Collection I only wanted to audit only specific events.

You can check with events can be audited in SharePoint 2010 – http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spauditmasktype.aspx

I only wanted to audit these events (Editing Items, Deleting or restoring items, and Editing users and permissions), only have a 30 day retention period, and automatically trim the logs.

Below is the PowerShell script I created to set the Audit Log Settings for all Site Collections in my web application with the same audit settings.

—————————————————————————————————————————————————————————————

function set-auditing {

param($URL)
$webapp = Get-SPWebApplication $URL
$auditmask = [Microsoft.SharePoint.SPAuditMaskType]::Delete -bxor [Microsoft.SharePoint.SPAuditMaskType]::Update -bxor [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange

$webapp.sites | % {

$_.TrimAuditLog = $true
$_.Audit.AuditFlags = $auditmask
$_.Audit.Update()
$_.AuditLogTrimmingRetention = 30
}
}

set-auditing http://portal

———————————————————————————————————————————————————————————–

Since the Audit Log Settings can be changed by the Site Owners with Site Administration permissions, in our organization this setting can easily be changed by anyone with those permissions, so I placed this script in a Task Scheduler on my CA server and scheduled it to run on a daily basis to reset the settings back to my organizations policy just in-case it changed during the day.

Advertisements
  1. SP2010
    March 20, 2013 at 5:14 am

    i got this error with the above code

    its next to boxr, i’ve tried changing it to bxor but still coming up with errors

    You must provide a value expression on the right-hand side of the ‘-‘ operator.
    At D:\scripts\AuditLogSetting.ps1:5 char:116
    + $auditmask = [“Microsoft.SharePoint.SPAuditMaskType]::Delete -bxor [Microsoft
    .SharePoint.SPAuditMaskType]::Update – <<<< boxr [Microsoft.SharePoint.SPAuditM
    askType]::SecurityChange
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ExpectedValueExpression

    • March 20, 2013 at 9:00 am

      There is a mistype on my end for -boxr, thanks for that catch. It should be -bxor not -boxr, you are correct here. I just tested this out in my environment and it works. Stupid question, there is no space between – and boxr is there?

      Ahh I just now saw your problem. You have this

      $auditmask = [“Microsoft.SharePoint.SPAuditMaskType]::Delete -bxor

      if you take the Quotation out of the class call “Microsoft.SharePoint.SPAuditMaskType it should work

      So

      $auditmask = [Microsoft.SharePoint.SPAuditMaskType]::Delete

      This is another mistype on my behave, sorry about that

  2. Santosh
    August 22, 2013 at 12:19 pm

    Very useful article and scirpt; can you help with a script to run through all the Site Collections and get details of the current Audit Log settings in a report format?

    • August 26, 2013 at 4:48 pm

      Hi Santosh,

      This can be done. Give me a couple days and I should have a script for you that does just that.

      v/r
      James

  3. Ron
    April 30, 2014 at 2:01 pm

    Hey there!

    This was really useful in setting things up across an entire web app, but I’m curious, what if you wanted to set the trim location to something as well? Like using the default “SiteAssets” folder across everything to store the trimmed logs.

    Can you do that?

    • May 2, 2014 at 2:17 pm

      Hi Ron,

      You sure can, you would simply add this line to your script. This will set the location for your audit logs to the location you prefer.

      [Microsoft.Office.RecordsManagement.Reporting.AuditLogTrimmingReportCallout]::SetAuditReportStorageLocation($_, “SiteAssets”)

      Thanks

      v/r
      JShidell

  4. Mike
    February 4, 2015 at 9:13 pm

    Hello jshidell,

    Did you ever write the script Santosh mentioned? I have a need to find all the site collections with auditing enabled in my farm. Not every site collection in my farm needs auditing and most dont have limits set on the ones that do. I figure if I can identify them I can set a limit on them either manually or through code if there are enough of them. Then let the timer job clean them up.

    Thanks
    Mike

    • Hemant
      March 4, 2015 at 1:09 pm

      Get-SPSite -Limit All | Select @{ label=”Site Name”; expression={$_.RootWeb.Title}},Url,
      @{ label=”Audit Flags”; expression={$_.Audit.AuditFlags}} |export-csv “D:\Scripts\Hemant\AuditLogs\info.csv” -notypeinformation

  5. Hemant
    March 4, 2015 at 1:13 pm

    what is the Url it is looking in below line as it is already spanning all webapplication.
    set-auditing http://portal
    In case if i have multiple webapps in a farm what needs to be done.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: