Enterprise Vault™ Auditing
Example query search for privileged delete audit entries
The following example query searches the audit database for item delete operations between the dates that you specify:
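```sql
USE EnterpriseVaultAudit
GO
-- Replace each 'mm-dd-yyyy' with the start and end date of the search
-- (CONVERT style 110 is the mm-dd-yyyy format).
SELECT *
FROM EVAuditView
WHERE CategoryName = 'Delete'
  AND SubCategoryName = 'Information'
  AND AuditDate BETWEEN CONVERT(datetime,'mm-dd-yyyy',110)
                    AND CONVERT(datetime,'mm-dd-yyyy',110)
```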
Table: Example audit entry values returned by the SQL query shows example values of an audit entry returned by this query.
Table: Example audit entry values returned by the SQL query
EVAuditView column title | Example values (Delete) |
---|---|
AuditID | 4 |
Status | SUCCESS |
AuditDate | 2018-02-02 17:01:56.583 |
UserName | `example\vsa` The user who performed the delete operation. For items that were deleted by the Discovery Accelerator Privileged Delete feature, the UserName column displays the name of the Vault Service account. For items that were deleted by a third-party application, this is the user that is assigned to the Compliance Delete Application role. |
CategoryName | Delete |
SubCategoryName | Information |
ObjectID | `201802017502363~201802011626030000~Z~A158658C6FBE60B76` The saveset ID of the item that was deleted. |
Vault | `600B5AA958C24411F9D0B892B91F5E4393B33DB7F88B8E551110000VS1` The archive that contained the item. |
Info | `<Delete ObjectType="Item" ObjectName="(null)"> <Property Name="EV_API_DELETION_LEVEL"> <Current Value="DELETION_LEVEL_COMPLIANCE"/> </Property> </Delete>` The deletion level DELETION_LEVEL_COMPLIANCE denotes that the item was deleted using Privileged Delete in Discovery Accelerator or compliance delete in a third-party application that uses the Enterprise Vault API. |
MachineName | EVServer1 |
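
The query returns every delete in the date range, so a reviewer still has to read the Info column to find the compliance-level deletes. The following is an added example, not part of the original guide or of Enterprise Vault: it parses the Info XML of exported rows and groups compliance deletes by UserName. It assumes the rows were exported from EVAuditView as dictionaries keyed by column title, with AuditDate in the format shown in the table. Apart from the row that reuses the table's example values, the sample rows and the level name `CONSTRUCTED_OTHER_LEVEL` are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

COMPLIANCE = "DELETION_LEVEL_COMPLIANCE"  # value documented in the table above

def deletion_level(info):
    """Return the EV_API_DELETION_LEVEL value in an Info cell, or None if absent."""
    root = ET.fromstring(info or "")  # raises ET.ParseError on empty or malformed XML
    for prop in root.iter("Property"):
        if prop.get("Name") == "EV_API_DELETION_LEVEL":
            current = prop.find("Current")
            return current.get("Value") if current is not None else None
    return None

def compliance_deletes(rows, start, end):
    """Return ({UserName: [ObjectID]}, [AuditID with unparseable Info]) for start <= AuditDate < end."""
    by_user, unparsed = defaultdict(list), []
    for row in rows:
        if (row["CategoryName"], row["SubCategoryName"]) != ("Delete", "Information"):
            continue
        when = datetime.strptime(row["AuditDate"], "%Y-%m-%d %H:%M:%S.%f")
        if not start <= when < end:  # half-open window: the end date itself is excluded
            continue
        try:
            level = deletion_level(row["Info"])
        except ET.ParseError:
            unparsed.append(row["AuditID"])  # surface for manual review, never drop silently
            continue
        if level == COMPLIANCE:
            by_user[row["UserName"]].append(row["ObjectID"])
    return dict(by_user), unparsed

def make_row(audit_id, date, user, object_id, info):
    """Build one exported row (hypothetical helper for the sample data)."""
    return {"AuditID": audit_id, "AuditDate": date, "UserName": user, "ObjectID": object_id,
            "CategoryName": "Delete", "SubCategoryName": "Information", "Info": info}

INFO_TEMPLATE = ('<Delete ObjectType="Item" ObjectName="(null)">'
                 '<Property Name="EV_API_DELETION_LEVEL"><Current Value="%s"/></Property></Delete>')

SAMPLE_ROWS = [  # AuditID 4 reuses the table's example values; all other rows are constructed
    make_row(4, "2018-02-02 17:01:56.583", r"example\vsa",
             "201802017502363~201802011626030000~Z~A158658C6FBE60B76", INFO_TEMPLATE % COMPLIANCE),
    make_row(5, "2018-02-03 09:15:00.000", r"example\user1", "CONSTRUCTED-ID-1",
             INFO_TEMPLATE % "CONSTRUCTED_OTHER_LEVEL"),  # placeholder level, ignored
    make_row(6, "2018-02-04 11:30:00.000", r"example\vsa", "CONSTRUCTED-ID-2", "<Delete"),
    make_row(7, "2018-03-01 00:00:00.000", r"example\vsa", "CONSTRUCTED-ID-3", INFO_TEMPLATE % COMPLIANCE),
]
```

Calling `compliance_deletes(SAMPLE_ROWS, datetime(2018, 2, 1), datetime(2018, 3, 1))` reports the one compliance delete by `example\vsa` and lists AuditID 6 as needing manual review because its Info value is truncated.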