I've moved my blog to!. Please update your links. This blog is no longer in use--you can find all posts and comments at my new blog; I will no longer be posting to this site and comments have been disabled.

Friday, November 30, 2007

Set Audit Settings for Site Collection

In any financial institution auditing is crucial - it's no different with my company - as such we wanted to make sure that there was at least a minimum level of auditing occurring at the site collection level. From the site collection settings page you can get to the "Site collection audit settings" page where some basic auditing can be enabled. For more complex stuff you can setup custom policies and associate them at various levels. However, for our initial deployment we wanted to at least have some of these basic settings enabled for every site collection. To automate these settings during our upgrade I created a new command: gl-setauditsettings. This command turned out to be really easy to create and only took me a few minutes. Only thing I stumbled on was figuring out the best way to handle replacing, adding, or removing settings so that I didn't have to create more than one command. In the end I opted for a simple mode parameter which enables you to state your intent - each setting is then a simple parameter that's passed in. The code, shown below, gets the SPAudit object via the SPSite's Audit property and then sets the AuditFlags property appropriately:

   1: public override int Run(string command, StringDictionary keyValues, out string output)
   2: {
   3:  output = string.Empty;
   5:  InitParameters(keyValues);
   7:  string url = Params["url"].Value.TrimEnd('/');
   8:  ModeEnum mode = (ModeEnum) Enum.Parse(typeof (ModeEnum), Params["mode"].Value, true);
  10:  using (SPSite site = new SPSite(url))
  11:  {
  12:   // Initialize the mask to it's default.
  13:   SPAuditMaskType auditMask = SPAuditMaskType.None;
  14:   if (mode != ModeEnum.Replace)
  15:    auditMask = site.Audit.AuditFlags; // We're not replacing the mask so we need to store the current settings.
  17:   if (mode == ModeEnum.Remove)
  18:   {
  19:    // Remove settings
  20:    foreach (SPAuditMaskType mask in Enum.GetValues(typeof(SPAuditMaskType)))
  21:    {
  22:     if (Params[mask.ToString()].UserTypedIn)
  23:      auditMask = auditMask & ~mask;
  24:    }
  25:   }
  26:   else
  27:   {
  28:    // Add settings (replace is just an add but starts with a blank slate)
  29:    foreach (SPAuditMaskType mask in Enum.GetValues(typeof(SPAuditMaskType)))
  30:    {
  31:     if (Params[mask.ToString()].UserTypedIn)
  32:      auditMask = auditMask | mask;
  33:    }
  34:   }
  35:   // Update the Audit object with the new flags
  36:   site.Audit.AuditFlags = auditMask;
  37:   site.Audit.Update();
  38:  }
  40:  return 1;
  41: }

The syntax of the command can be seen below:

C:\>stsadm -help gl-setauditsettings

stsadm -o gl-setauditsettings

Set the events that should be audited for documents, items, lists, libraries, and sites within the site collection.

        -url <site collection url>
        -mode <replace | add | remove>
Here's an example of how to enable auditing of the delete and undelete events in addition to any existing events already monitored:
stsadm -o gl-setauditsettings -url "http://intranet" -mode add -delete -undelete
One thing to be aware of - when you edit these settings via the browser you are, in some circumstances, editing more than one setting at a time. For example, via the browser you cannot choose to audit delete events and not undelete events - they are combined into one setting. Using this command allows you to set the audit settings at a finer level so you can track just delete events without tracking undelete (in most cases you'll want to track both but it's nice to know that you can now treat them separately). Note however that if you use this command to enable just delete and not undelete the browser will show the check box for "Deleting or restoring items" as checked as it does an or comparison when enabling the check box.


Patrick said...

Gary! your the man. Just got a request to enable this on all 200 of our site collections. BTW thanks for the autograph you gave my co-admin, she sent it over to me and I have it on my cube wall =)

Remi Blog said...

Hi. Thanks for the solution. I executed it but it says Access denied. What could be the problem.

Gary Lapointe said...

Are you a farm administrator?