Enterprise Vault™ Auditing
Configuring and managing auditing
Audit categories identify the different types of information that auditing can collect. After you have created the audit database, you can use the Enterprise Vault Administration Console to select audit categories. All categories can record summary audit data, and some can also record detailed data.
The Configure Auditing option in the Enterprise Vault Servers container in the Administration Console lets you configure common audit categories for all the available Enterprise Vault servers in the site. You can also configure customized audit settings at the server level.
In a building blocks configuration, we recommend that you select the same audit categories on the active server and the failover servers. Failure to do this will result in inconsistent audit data in your environment. If you select the Archive Permissions category, it is particularly important to select this category on all of the Enterprise Vault servers.
In Enterprise Vault 12.4 and later, you can configure auditing in the following ways:
- Enable or disable auditing across all the Enterprise Vault servers in the site at once, or for individual servers.
- Use common audit categories for all the Enterprise Vault servers in the site.
- Configure audit categories separately for each Enterprise Vault server.
When an Enterprise Vault administrator changes the auditing configuration, event ID 4288 reports whether auditing is running (enabled) or stopped (disabled), the status of each audit category, and the identity of the administrator who made the change. When the Enterprise Vault Admin service starts, event ID 4286 is reported if auditing is running and event ID 4287 is reported if auditing is stopped. An audit database entry is also created with the same information.
You can modify the audit categories when auditing is running or stopped.
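One way to monitor the three event IDs described above is to query them on each server and flag any server that was not confirmed running at the last Admin service start, or whose auditing configuration changed since then. This is an added example, not part of the Enterprise Vault documentation; the event log name and the server names are assumptions to replace with your own values.

```powershell
# Added example: last known Enterprise Vault auditing state per server, from
# event IDs 4286 (running at Admin service start), 4287 (stopped at Admin
# service start) and 4288 (auditing configuration changed).
$LogName = 'Veritas Enterprise Vault'   # assumption: event log name, adjust for your site
$Servers = @('EVSERVER1', 'EVSERVER2')  # hypothetical server names
$Since   = (Get-Date).AddDays(-30)
$StartupState = @{ 4286 = 'Running'; 4287 = 'Stopped' }

$report = foreach ($server in $Servers) {
    $filter = @{ LogName = $LogName; Id = 4286, 4287, 4288; StartTime = $Since }
    try {
        # Get-WinEvent returns the newest events first.
        $events = @(Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # No matching events or log unreachable: report Unknown, never assume Running.
        [pscustomobject]@{
            Server = $server; StartupState = 'Unknown'; StartupTime = $null
            ConfigChanges = 0; LastChange = $null; Detail = $_.Exception.Message
        }
        continue
    }

    $lastStart = $events | Where-Object { $_.Id -in 4286, 4287 } | Select-Object -First 1
    $changes   = @($events | Where-Object { $_.Id -eq 4288 })
    # Count only the changes made after the most recent Admin service start.
    if ($lastStart) { $changes = @($changes | Where-Object { $_.TimeCreated -gt $lastStart.TimeCreated }) }
    $lastChange = $changes | Select-Object -First 1

    [pscustomobject]@{
        Server        = $server
        StartupState  = if ($lastStart) { $StartupState[[int]$lastStart.Id] } else { 'Unknown' }
        StartupTime   = if ($lastStart) { $lastStart.TimeCreated } else { $null }
        ConfigChanges = $changes.Count
        LastChange    = if ($lastChange) { $lastChange.TimeCreated } else { $null }
        # The 4288 text carries the new state, category status and administrator.
        Detail        = if ($lastChange) { $lastChange.Message } else { '' }
    }
}

$report | Sort-Object Server | Format-Table Server, StartupState, StartupTime, ConfigChanges, LastChange -AutoSize
# Servers needing review: not confirmed running at startup, or changed since then.
$report | Where-Object { $_.StartupState -ne 'Running' -or $_.ConfigChanges -gt 0 } |
    ForEach-Object { Write-Warning "$($_.Server): state=$($_.StartupState), changes=$($_.ConfigChanges). $($_.Detail)" }
```

The script does not parse the 4288 message text, because its layout is not given here; it surfaces the message so that a reviewer can read the reported state, categories and administrator.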
Table: Audit categories
Category | Description |
---|---|
Admin Activity | Configuration changes made in the Enterprise Vault Administration Console or Management Shell, such as adding a new task, creating archives, or enabling mailboxes. |
Advanced Search | Searches performed, including the terms used and the number of items found. |
Archive | Items being archived, either manually or on a scheduled run. |
Archive Folder Updates | Archived items being moved to a different mailbox folder. |
Archive Permissions | Manual changes to user or group access permissions on an archive. Manual permissions are set on an archive in the Enterprise Vault Administration Console using the Archive Properties dialog box, using the Enterprise Vault Policy Manager (EVPM) utility, or using the Set-EVArchivePermission PowerShell cmdlet. If you select this category, you should select it on all of the Enterprise Vault servers in the site. Note that this auditing category does not capture changes to automatic access permissions on an archive. Automatic archive permissions are the permissions that are set on the original content source, and synchronized to the Enterprise Vault archive. To capture this information, you must enable and configure auditing in the content source application. For example, access permission changes that a user makes on an Exchange Server mailbox are automatically synchronized to the associated Enterprise Vault archive. To capture these permission changes, you must enable and configure Exchange Server auditing on the Exchange Server that hosts the mailbox. |
Classification | Classification of archived items. |
Delete | Archived items being deleted because their retention periods have expired, users have chosen to delete them, or third-party applications have requested their deletion for compliance with data protection legislation. |
Domino Archive | Any Domino archiving activity. |
Domino Restore | Any Domino restore activity. |
Exchange Synchronization | Records the details of creation, modification, and deletion of Exchange managed content settings. Enterprise Vault records relevant details when it is configured to archive from Exchange managed folders and to synchronize with their managed content settings. |
FS Archive | File System Archiving activity. |
GetOnlineXML | Document retrieval into SharePoint Portal Server. |
Indexing operations | When indexing subtasks for managing index volumes start and stop. Also records any critical errors that the subtasks encounter when processing indexes. The Manage Indexes wizard enables you to manage index volumes. |
Move Archive | Details of individual Move Archive operations. |
NSF Migration | Items being migrated from NSF files. |
PST Migration | Items being migrated from PST files. |
Restore | Archived items being restored. |
Retention Category Updates | Changes to the retention category of archived items. |
SPS Archive | SharePoint archiving activity. |
Saveset Status | (For Support use.) Rarely used. Records whether a saveset file is available. |
Subtask Control | The creation and modification of subtasks, such as the subtasks that control Move Archive operations. |
Undelete | Deleted items that are recovered using the option Recover items on the Deleted Items tab of Archive Properties. Shortcuts recovered using the FSAUndelete utility are also recorded. |
User | Your own auditing entries. |
View | Viewing archived items, either as HTML or in their original formats. |
View Attachments | Viewing of archived items from within SharePoint Portal Server. |
To configure auditing
- In the Administration Console, right-click the Enterprise Vault Servers container and, on the shortcut menu, click Configure Auditing.
- On the Centralized Auditing tab, select or clear the audit categories.
- On the Server Settings tab, do the following:
  - To enable or disable auditing across all the Enterprise Vault servers in the site, select or clear the check box next to the Auditing column header.
  - To enable or disable auditing for individual servers, select or clear the check box for that server row in the Auditing column.
  - To apply the audit categories that you configured on the Centralized Auditing tab for all the Enterprise Vault servers in the site, select the check box next to the Centralized Category column header.
  - To apply the audit categories that you configured on the Centralized Auditing tab for individual servers, select the check box for that server row in the Centralized Category column.
  - To configure customized categories for individual servers, clear the check box for that server row in the Centralized Category column and click Audit Categories. In the Manage Server Auditing Settings dialog box, configure the auditing categories for each server.
- Click Apply, and then click OK to save the settings.