Search <book_title>...

Enterprise Vault™ Auditing

Last Published: 2019-10-21

Product(s): Enterprise Vault (12.5)

About this guide
1. Introducing this guide
2. Where to get more information about Enterprise Vault
  1. Enterprise Vault training modules
Introducing Enterprise Vault auditing
1. About Enterprise Vault auditing
Setting up auditing
Viewing the audit database entries
Auditing for data protection compliance
1. Auditing general delete operations
  1. Example query search for general item delete audit entries
2. Auditing privileged delete operations
  1. Example query search for privileged delete audit entries
Appendix A. Format of audit database entries
1. The format of audit database entries

Viewing the audit database entries using SQL queries

We recommend that you query the database view, EVAuditView, in the audit database. The SQL queries can filter audit entries based on criteria, such as a date range, user name, or ObjectID. See the Appendix to this document for a description of the format of audit database entries, and an explanation of the values in the EVAuditView columns for different types of audit entry.

See The format of audit database entries.

The procedure below shows you how to use SQL Server Management Studio to enter and run SQL queries. Later sections include example SQL queries that search database entries for item delete operations. You may need to run such queries to obtain evidence of item deletion, for example, to show compliance with data protection regulations.

See Auditing general delete operations.

Changes to archive access permissions are shown as Security Descriptor Definition Language (SDDL) strings. A script is shipped with Enterprise Vault to convert these strings to an array of permissions in a more user-friendly format.

See Retrieving audited changes to archive permissions in a user-friendly format.

To view the audit database entries using SQL Server Management Studio

Start the SQL Server Management Studio.
On the Standard toolbar, click New Query.
On the SQL Editor toolbar, select EnterpriseVaultAudit from the list of available databases.

Type a SQL query to retrieve the audit entries that you want.

This simple example query retrieves the audit entries from the database view, EVAuditView, in date order:

SELECT * FROM EVAuditView ORDER BY AuditDate DESC

Here is another example query. This example query filters entries based on a date range and user names.

USE EnterpriseVaultAudit

DECLARE @StartDateTime datetime
DECLARE @EndDateTime datetime
 
SET @StartDateTime = '2017-10-05 08:00:00'
SET @EndDateTime = '2017-10-06 08:00:00'
 
SELECT * FROM [EnterpriseVaultAudit].[dbo].[EVAuditView] 
WHERE AuditDate BETWEEN @StartDateTime and @EndDateTime
AND UserName in ('Org\HSmith', 'Org\JDoe')
ORDER BY AuditID

Click Execute on the SQL Editor toolbar, or press F5 to run the command.