Audit log information and SharePoint reports

Connie_Falk_Mil · ‎04-06-2015

Hi,

I am trying to determine what precisely some of my DI reports are telling me. Specifically, related to the Access details report, it is my understanding that SharePoint audit logs differentiate between a "view" (e.g., going to a site or a library) and a "read" (e.g., opening an item on a site or a library), but it does not appear that DI access reports maintain that distinction- everything appears to be a "read". So the question is: does DI differentiate between "view" and "read" events in SharePoint (2010). If so, can we create a report that shows who has accessed a SharePoint site, but not read anything? Thanks.

Rod_p1 · ‎04-13-2015

Connie:

I think you are asking how the SharePoint events are recorded in Symantec DataInsight (SDI) and can you use those events in a report. You can certainly gain a perspective in a report on all events and marrying the event reported to the type you desire can be done consider some typical events in SharePoint like:

{"checkout”} Read

{"checkin”} Write

{"view”} Read

{"undelete”} Write

{"copy”} Read (on Source file)

{"move”} Rename

{"update”} Write

{"security”} Security

Here is a list of all the mappings:
Note: there are unsupported types as well.

Data Insight Access Type	SharePoint Access Type	Description
Read	CheckOut	Check-out of the object.
Write	CheckIn	Check-in of the object.
Read	View	Viewing of the object by a user.
Delete	Delete	Deletion of the object.
Write	Update	Changing the properties of an object or creating an object.
NOT SUPPORTED	ProfileChange	Change in a profile that is associated with the object.
Delete	ChildDelete	Deletion of one of the child objects of the object.
NOT SUPPORTED	SchemaChange	Change in the schema of the object.
Write	Undelete	Restoration of an object from the Recycle Bin.
NOT SUPPORTED	Workflow	Access of the object as part of a workflow.
Read (on source file)	Copy	Copying of the object.
Rename	Move	Move of the object.
NOT SUPPORTED	AuditMaskChange	A change in the types of events that are audited for the object.
NOT SUPPORTED	Search	Search on the object.
Rename	ChildMove	Move of one of the child objects of the object.
NOT SUPPORTED	FileFragmentWrite	A File Fragment has been written for the file.
Security	SecGroupCreate	Creation of a user group for a SharePoint site collection.
Security	SecGroupDelete	Deletion of a group that is associated with a SharePoint site collection.
Security	SecGroupMemberAdd	Addition of a new member to a group that is associated with a SharePoint site collection.
Security	SecGroupMemberDel	Deletion of a member from a group that is associated with a SharePoint site collection.
Security	SecRoleDefCreate	Creation of a new role (that is, permission level) definition associated with the object.
Security	SecRoleDefDelete	Removal of a role (that is, permission level) definition associated with the object.
Security	SecRoleDefModify	Changing a role (that is, permission level) definition associated with an object.
Security	SecRoleDefBreakInherit	Turning off inheritance of role (that is, permission level) definitions from the parent of the object.
Security	SecRoleBindUpdate	Changing the permissions of a user or group for the object.
Security	SecRoleBindInherit	Turning on inheritance of security settings from the parent of the object.
Security	SecRoleBindBreakInherit	Turning off inheritance of security settings from the parent of the object.
NOT SUPPORTED	EventsDeleted	Deletion of audited events that are connected with the object from the SharePoint database.
Depends*	Custom	Custom action or event.

*Notes: Data Insight (DI) SharePoint Agent inserts a custom event whenever a file/folder is created. This is to generate a create event in DI since SharePoint natively does not create events.

This will allow you to confirm the type of event you wish to report on. Some events such as READ depict differing access with the same event type. Does that answer your question or is there further explanation desired?

Rod

VOX

Audit log information and SharePoint reports