How to get audit logs for various admin activities in SharePoint 2007

A customer came up with a requirement that they wanted to know and get the audit log of the following activities happening their environment:

1. Users/Groups added/modified in the People and Groups list of the site.
2. Any modification in the Site Collection Administrator section.
3. User/Groups permission change in the Advanced Permissions section.

In MOSS 2007, to view the audit log for security related operations is a two step process.

1. Enable the audit log for a specific entity
   • Under Site Collection Administration, click on Site collection audit settings
   • Select “Editing users and permissions” option.
   • From now on SharePoint will start storing the audit log in its database.
2. Write a custom application using the SharePoint Audit APIs to view the audit log.
   • Use SPAuditQuery class to query the audit log for a site collection.
   • Use SPAuditEventType enumeration to know the type of the event.
   • SPAuditEntry.EventData contains the event related data in XML format which can be used to identify the actionable objects and their related objects. The MSDN article contains the detail of what EventData object can contain and explanation of the Audit Event Type data

Here the sample code which will help you understand the audit entries and the event data associated with it.

    1: SPSite siteColl = new SPSite("https://moss-server"); // Open a reference to Site Collection
    2: SPWeb site = siteColl.OpenWeb(); 
    3:  
    4: SPAuditQuery wssQuery = new SPAuditQuery(siteColl); //Create a SPAuditQuery object
    5: SPAuditEntryCollection auditCol = siteColl.Audit.GetEntries(wssQuery); //Query the Sharepoint DB for audit entries of this site collection
    6:  
    7: foreach (SPAuditEntry en in auditCol)
    8: {
    9:     switch (en.Event)
   10:     {
   11:         case SPAuditEventType.SecGroupCreate:
   12:             MessageBox.Show(en.EventData, "Security Group Created”);
   13:             break;
   14:                     
   15:         case SPAuditEventType.SecGroupDelete:
   16:             MessageBox.Show(en.EventData, "Security Group Deleted");
   17:             break;
   18:  
   19:          case SPAuditEventType.SecGroupMemberAdd :
   20:              MessageBox.Show(en.EventData, "User Added to Security Group”);
   21:              break;
   22:  
   23:         case SPAuditEventType.SecGroupMemberDel:
   24:             MessageBox.Show(en.EventData, "User Deleted from Security Group”);
   25:             break;
   26:  
   27:         case SPAuditEventType.SecRoleBindUpdate:
   28:             MessageBox.Show(en.EventData, "User Deleted from Security Group”);
   29:  
   30:         default:
   31:             MessageBox.Show(en.ventData);
   32:             break;
   33:     } 
   34: }

 

As always… Happy Coding