Solved: audit viewer

K_G · ‎01-17-2012

Hi,

I have to analyze ev audit.

auditing is enabled.

when i give the user archive id and evadmin user it goes to not responding state.

you have any way to get these results from audit viewer or directly from sql?

AndrewB · ‎01-17-2012

here's a query that should help narrow down the results to what you're looking for. fill in the <variables> with the information from your environment. the first select query will search by username and the second by archive id:

USE <name of EV Audit db>

SELECT * FROM EVAuditView WHERE UserName = '<domain\username>'

ORDER BY AuditDate DESC

SELECT * FROM EVAuditView WHERE Vault = '<Archive ID>'

ORDER BY AuditDate DESC

View solution in original post

Maverik · ‎01-17-2012

Viewing the below from the Admin Guide it shows Audit Viewer, but also mentions a query to view the log. Probably does not filter like the viewer, but may help. Also I wonder if connections has anything to do with the failure to respond? More details below.

Viewing the audit log

Enterprise Vault comes with the Audit Viewer utility, which lets you view and

filter the data that is logged in the auditing database. For more information on

Audit Viewer, see the Utilities Guide.

Auditing 317

Viewing the audit log

You can also view the audit log by following the instructions below.

To view the audit log

1 On the Windows Start menu, click All Programs > Microsoft SQL Server >

Query Analyzer.

2 At the top of the SQL Query Analyzer window, select the EnterpriseVaultAudit

database.

3 Type the following command in the Query window:

SELECT * FROM EVAuditView ORDER BY AuditDate DESC

4 Press F5 to run the command.

Tuning

Each computer on which you enable auditing has a limited number of connections

that it can make to the auditing database. These connections are reused as needed.

Auditing uses a pool of connections to the auditing database. You can make

Enterprise Vault log the level of usage of these connections and then, if necessary,

you can modify the number of connections as required.

To turn connection information logging on or off

1 In the Administration Console, expand the tree in the left pane until the

Enterprise Vault Servers container is visible.

2 Click the Enterprise Vault Servers container.

3 Right-click the computer whose logging you want to enable or disable and

then, on the context menu, click Properties.

4 Click the Auditing tab.

5 Click Advanced.

6 Check or uncheck Log database information to turn logging on or off.

7 Click OK.

8 Restart the Enterprise Vault services on the computer.

Modifying the number of connections

When an Enterprise Vault service that has auditing turned on stops, it logs an

event that shows the number of connections it used and the maximum number

of connections available to it. You can use this information to decide whether to

change the connection pool sizes.

Auditing

Tuning

318

To change the connection pool sizes

1 In the Administration Console, expand the tree in the left pane until the

Enterprise Vault Servers container is visible.

2 Click the Enterprise Vault Servers container.

3 Right-click the computer whose logging you want to enable or disable and

then, on the context menu, click Properties.

4 Click the Auditing tab.

5 Click Advanced.

6 Set the number of connections for each Enterprise Vault service.

7 Click OK.

8 Restart the Enterprise Vault services on the computer.

AndrewB · ‎01-17-2012

here's a query that should help narrow down the results to what you're looking for. fill in the <variables> with the information from your environment. the first select query will search by username and the second by archive id:

USE <name of EV Audit db>

SELECT * FROM EVAuditView WHERE UserName = '<domain\username>'

ORDER BY AuditDate DESC

SELECT * FROM EVAuditView WHERE Vault = '<Archive ID>'

ORDER BY AuditDate DESC

Rob_Wilcox1 · ‎01-23-2012

Perhaps your audit data set is quite large?

Working for cloudficient.com

VOX

audit viewer