ArchiveAuditLog Configuration Settings
The following three settings are exclusive to ControlPoint Archive Audit Log Data processing:
·Archive Audit Log Table Connection String
·Web Applications to Include in Audit Logs
·Number of Hours Worth of Data to Archive at One Time.
For information on using these configuration settings within the context of audit log data archiving, see Archiving SharePoint Audit Log Data.
Number of Days to Keep Audit Records (AUDITMAXDAYS)
When auditing is enabled for a SharePoint site collection (either from within SharePoint or using the ControlPoint Set Site Collection Properties feature), SharePoint keeps records of audited actions and events in the content database(s). It is from this history that ControlPoint Audit Log analyses can be run.
ControlPoint provides an option to purge audit data so that content databases are not overloaded. By default, no purging is done (as indicated by a Value of 0). ControlPoint Application Administrators can change this retention period by modifying the Value for the ControlPoint Setting Number of Days to Keep Audit Records (AUDITMAXDAYS).
Audit history is purged up to the number of days specified by the ControlPoint Discovery process
If the default Value is kept, the audit records will never be purged. Keep in mind however, the longer audit history is retained, the more storage space it will use in content databases. Alternatively, you can archive audit log data to free up storage space using ControlPoint xcUtilities. See Archiving SharePoint Audit Log Data.
Tips for Archiving a Large Accumulation of Audit Data
If you have many months or even years' worth of accumulated data to purge, doing all of it in a single operation can be resource-intensive and can perform slowly. It is recommended, therefore, that you initially set AUDITMAXDAYS to a larger number, then incrementally reduce that number before each subsequent Discovery run until you have reached the number of days' worth that you want to retain on an ongoing basis.
EXAMPLE:
Suppose 1,000 days' worth of audit log data has accumulated on your farm, but going forward you only want to retain 60 days' worth. Depending on the size of your farm, purging 940 days worth of data in a single operation might significantly slow down the Discovery job. To avoid this problem, you may want to initially set the AUDITMAXDAYS Value to 800 (that is, purge 200 days' worth) of audit log data. After the Discovery job has completed, you may want to bring the number down to 600 (that is, purge another 200 or so days' worth), and so on, until you have reduced the amount of audit log data in the database to a manageable amount. You can then set and leave the Value at 60, saving only the amount that you want to retain on an ongoing basis.
Excluding Users from Audit Log Analyses (ExcludeUsersAudit)
By default, unless one or more users are specified in the People Picker, all SharePoint users are included in the ControlPoint Audit Log analysis.
ControlPoint Application Administrators can, however, exclude certain users from these analyses by entering the user account name(s) as the Value for the ControlPoint Configuration Setting Users to Exclude from Audit Log Analyses (ExcludedUsersAudit). Enter multiple account names as a comma-separated list.
You may, for example, want to exclude common system accounts such as SharePoint\System.
NOTE: You must exclude users based on full account names (sometimes known as pre-Windows 2000 account names in Active Directory), not display names. For example, you cannot exclude system accounts by entering the display name System Account.
Note that you can still run Audit Log analyses on excluded users if you enter them in the People Picker.
NOTE: Users can be excluded from permissions and activity analyses via the ControlPoint Configuration Setting Users to Exclude from Reports (EXCLUDEDUSERS).
Specifying Whether to Display Site Names in Audit Log Analyses (PROCESSAUDITNAMES)
By default, ControlPoint Audit Log analysis results include name of the Site on which audited activity occurred. The process required for ControlPoint to collect this information is time-consuming and may affect performance, especially if the scope of the analysis is large.
ControlPoint Application Administrators can, however, prevent this process from being carried out by changing the ControlPoint Configuration Setting PROCESSAUDITNAMES from True to False.
Note that, if PROCESSAUDITNAMES is set to false, you can use the url to identify the site where audited activity occurred.
