Enterprise Vault™ Auditing

Last Published:
Product(s): Enterprise Vault (12.5)

Example query search for general item delete audit entries

The following simple query retrieves from the audit database all Search and Delete entries within a specified time period.

USE EnterpriseVaultAudit
SELECT * FROM [EnterpriseVaultAudit].[dbo].[EVAuditView]
WHERE CategoryName IN ('Search', 'Delete')
AND AuditDate BETWEEN '2017-10-05 08:27:48' AND '2017-10-05 08:32:37'
ORDER BY AuditID DESC

The following SQL query extends the simple query to filter on archive as well. The archive and folder information is stored in the Enterprise Vault directory database (EnterpriseVaultDirectory), so the query first collects the folder IDs that belong to the archive and then keeps only the audit entries whose Vault column matches the archive or one of its folders.

DECLARE @ArchiveId varchar(112)
DECLARE @StartDateTime datetime
DECLARE @EndDateTime datetime

SET @ArchiveId = '1B29F35DAA512AC47A64558FDF7A614571110000example.local'
SET @StartDateTime = '2017-10-05 08:27:48'
SET @EndDateTime = '2017-10-05 08:28:37'

-- Temporary table holding the vault entry IDs of all folders in the archive
CREATE TABLE #ArchiveFolders
(
       VaultEntryId varchar(112)
)

INSERT INTO #ArchiveFolders
SELECT VaultEntryId
FROM [EnterpriseVaultDirectory].[dbo].[ArchiveFolderView]
WHERE ArchiveVEID = @ArchiveId

SELECT auditView.*
FROM [EnterpriseVaultAudit].[dbo].[EVAuditView] auditView
LEFT JOIN #ArchiveFolders archFolder
    ON archFolder.VaultEntryId = auditView.Vault
WHERE AuditDate BETWEEN @StartDateTime AND @EndDateTime
AND CategoryName IN ('Search', 'Delete')
-- The Vault column holds either an archive ID or a folder ID; a LEFT JOIN alone
-- does not filter, so keep only rows that match this archive or one of its folders
AND (auditView.Vault = @ArchiveId OR archFolder.VaultEntryId IS NOT NULL)
ORDER BY AuditID

DROP TABLE #ArchiveFolders

The table "Example audit entry values returned by the SQL query" shows example data returned by the SQL query of the audit database. The column titles relate to the database view, EVAuditView, in the audit database. The values in the column "Example values (Search)" show an audit entry created by the initial search for the items to delete. The values in the column "Example values (Delete)" show an audit entry created when the user, jdoe, deleted an item.

Given the steps in the table "Steps to provide evidence of item deletion", there would also be an audit entry for the final search showing that the item no longer exists. That audit entry is not included in the table "Example audit entry values returned by the SQL query".
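An added example query, not part of the original document, that reconstructs this evidence chain for one user: each successful Delete entry is paired with the most recent preceding Search entry by the same user on the same server, and with the first later Search that can confirm the item is gone. The column names are those of EVAuditView shown in the table below; the user name, time window, and the nvarchar(256) type chosen for @UserName are assumed values.

```sql
-- Added example (not from the original document). Assumed values: the user name,
-- the date range, the 10-minute window and the nvarchar(256) type for @UserName.
DECLARE @UserName nvarchar(256) = 'example\jdoe';
DECLARE @StartDateTime datetime = '2017-08-31 10:00:00';
DECLARE @EndDateTime datetime = '2017-08-31 10:10:00';
DECLARE @WindowMinutes int = 10;

-- Only the Search and Delete entries for this user in the period of interest
;WITH Entries AS (
    SELECT AuditID, AuditDate, UserName, CategoryName, SubCategoryName,
           ObjectID, Vault, Info, MachineName, Status
    FROM [EnterpriseVaultAudit].[dbo].[EVAuditView]
    WHERE UserName = @UserName
      AND AuditDate BETWEEN @StartDateTime AND @EndDateTime
      AND CategoryName IN ('Search', 'Delete')
)
SELECT d.AuditID   AS DeleteAuditID,
       d.AuditDate AS DeleteDate,
       d.ObjectID  AS DeletedSaveset,      -- saveset ID of the deleted item
       d.Vault     AS DeletedFromFolder,   -- folder (or archive) the item was in
       s.AuditID   AS SearchAuditID,
       s.AuditDate AS SearchDate,
       s.Info      AS SearchQuery,         -- the query that located the item
       -- First Search after the delete on the same server: the "confirm it is gone" step
       (SELECT MIN(f.AuditID)
        FROM Entries f
        WHERE f.CategoryName = 'Search'
          AND f.MachineName = d.MachineName
          AND f.AuditDate > d.AuditDate) AS FollowUpSearchAuditID
FROM Entries d
OUTER APPLY (
    -- Most recent Search within @WindowMinutes before the delete, same server
    SELECT TOP (1) srch.AuditID, srch.AuditDate, srch.Info
    FROM Entries srch
    WHERE srch.CategoryName = 'Search'
      AND srch.MachineName = d.MachineName
      AND srch.AuditDate <= d.AuditDate
      AND srch.AuditDate >= DATEADD(minute, -@WindowMinutes, d.AuditDate)
    ORDER BY srch.AuditDate DESC
) s
WHERE d.CategoryName = 'Delete'
  AND d.Status = 'SUCCESS'
ORDER BY d.AuditID;
```

A Delete row with NULL SearchAuditID or NULL FollowUpSearchAuditID marks a gap in the evidence chain that needs to be explained before the deletion is accepted as documented.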

See the Appendix to this document for a description of the format of audit database entries, and an explanation of the values in the EVAuditView columns for different types of audit entry.

Table: Example audit entry values returned by the SQL query

Each entry below gives the EVAuditView column title, followed by the example value for the Search audit entry and for the Delete audit entry.

AuditID
    Example value (Search): 3582
    Example value (Delete): 3584

Status
    Example value (Search): SUCCESS
    Example value (Delete): SUCCESS

AuditDate
    Example value (Search): 31/08/2017 10:03:37
    Example value (Delete): 31/08/2017 10:03:44

UserName
    Example value (Search): example\jdoe (the user who performed the search operation)
    Example value (Delete): example\jdoe (the user who performed the delete operation)

CategoryName
    Example value (Search): Search
    Example value (Delete): Delete

SubCategoryName
    Example value (Search): Searches
    Example value (Delete): Item

ObjectID (Saveset and/or Folder ID)
    Example value (Search): (empty)
    Example value (Delete): 201802017502363~201802011626030000~Z~A158658C6FBE60B76

Vault (Archive or Folder ID)
    Example value (Search): 16454F118169EDE48822DC10CE69307CA1110000example.local
    Example value (Delete): 1610D28B10DB21647B11EEF479019B70B1110000example.local

Info
    Example value (Search): Query '(NOT sens:2) AND (evtag.category:PII)', matching '8' entries, viewing range '1' to '100'
    Example value (Delete): (empty)

MachineName
    Example value (Search): EVServer1
    Example value (Delete): EVServer1