1. Support
  2. Knowledge base
  3. 100038709

How to Use and Configure Auditing for Enterprise Vault

Article: 100038709
Last Published: 2023-03-01
Ratings: 3 0
Product(s): Enterprise Vault

Description

Enterprise Vault includes flexible auditing that can be enabled for individual Enterprise Vault servers. The auditing events are written to a SQL Server database. A single auditing database for all Enterprise Vault Servers can be configured for a vault site. Custom queries can be generated by a SQL programmer for reporting purposes.  

Audit events recorded:
  • The time an event occurred.
  • The account that initiated the event.
  • The archive in which an item was archived.
  • The category of the event, such as View, Archive, or Delete.

Auditing can be enabled for a number of events such as:
  • Actions taken using the Administration Console.
  • Searches.
  • Viewing an item.
  • Deletions.

For most types of events, details and summaries can be generated:
  • The "Summary" returns information about the event, such as the date and time, account used, and vault used.
  • The "Details" will list more information such as excerpts from the content of a message. For example: Subject, Mailbox Owner, and Folder.

Note : There will be a slight reduction in performance on the Enterprise Vault server when auditing is enabled.

Auditing is disabled by default. Auditing can be enabled and controlled from the Enterprise Vault Administration Console.


How to configure Auditing:

Enterprise Vault auditing records activity in a number of different categories. Auditing can be enabled and specific categories can be audited.

The auditing database can be, but does not need to be, on a computer that is running Enterprise Vault services. Auditing must be hosted by the same SQL Server as the Enterprise Vault Directory Database.

The process of configuring auditing is:
  1. Create the audit database.
  2. Configure auditing on each Enterprise Vault server.

Creating the auditing database:

This section describes how to use the Enterprise Vault Administration Console to create the auditing database. The database can be rolled to a new database by referencing the support article on "How to rollover an auditing database".

To create the auditing database:
  1. In the left pane of the Administration Console, right-click on the Enterprise Vault Directory on then click Enable Auditing. If this option is not available then Auditing may have already been configured. 
  2. Under Audit Database location, click Browse to display the available locations for the auditing database.
Note: The Enterprise Vault system account must have local administrative rights on the SQL server to complete steps 2-8.
 
  1. A new folder for the auditing database can be created by clicking on New Folder.
  2. Click the location for the auditing database and then click OK.
  3. Click Browse under transaction log location to display the available locations for the auditing database transaction log.
  4. A new folder for the transaction logs can be created by clicking on New Folder.
  5. Click the location to use for the auditing database and then click OK.
  6. Click OK.
There is a short pause while Enterprise Vault creates the new database. A confirmation message will appear.
  1. Click OK on the confirmation message.

The database needs to be configured to audit specific Enterprise Vault operations after the database has been created. Each Enterprise Vault server will need to be configured.
 

Configuring auditing:


Enterprise Vault auditing will record data in a number of different categories. Each category can have auditing either enabled or disabled. Each category has a "Summary" level and some categories have a "Detailed" level.

To configure auditing:
  1. Launch the Enterprise Vault Administration Console under the security context of the Enterprise Vault service account then expand the tree in the left pane until the Enterprise Vault Server container is visible.
  2. Click the Enterprise Vault Server  container.
  3. Right-click the computer which the auditing should be enabled then click on Properties.
  4. Click the Auditing tab.
  5. Place a check mark in the Audit entries based on the following categories box.
  6. Select the check boxes for the categories to be audited as displayed in Figure 2.
 


Enabling or disabling all auditing:


To disable all auditing on an individual computer:
 
  1. Launch the Enterprise Vault Administration Console then expand the tree in the left pane until the Enterprise Vault Server  container is visible.
  2. Click on the Enterprise Vault Servers container.
  3. Right-click the computer which the auditing should be disabled then click on Properties.
  4. Click on the Auditing tab.
  5. Clear the Audit entries based on the following categories box. The individual category selections can remain checked.
  6. Click OK
  7. Restart all Enterprise Vault services on the vault server that was configured for auditing.
 

To enable auditing on an individual EV server:

 
  1. Repeat steps 1-4 above for disabling auditing
  2. Select the  Audit entries based on the following categories box .
  3. Select the categories and the detailed level to be audited.
  4. Click OK.
  5. Restart all Enterprise Vault services on the vault server(s) that have been configured for auditing.

 
This information is available in Admin_Console_Help.chm Guide which is located at:
 
  1. Enterprise Vault Installation Directory location <INSTALL_PATH>\Program Files\Enterprise Vault OR
  2. From the Enterprise Vault console
    1. Click on Help on the top toolbar and select Help of Enterprise Vault
    2. Click on the Search tab and enter Audit in the search box and click List Topics as displayed

How to View Audited Data:
 
Enterprise Vault includes a tool called  Audit Viewer.  It can be found in the following location on the EV server:  <INSTALL_PATH>\ EntepriseVault\auditviewer.exe

The tool allows for filtering on specific auditing options that have been configured. After it runs, a window will appear with columns/rows and from there, the data can be sorted by column and copied to the Windows clipboard.  Please reference the Admin_Console_Help.chm Guide for more details.

Was this content helpful?

Article Languages