Chat now with support
Chat with Support

Metalogix ControlPoint 8.5 - O365 User Guide

Getting Started with ControlPoint Using Discovery to Collect Information for the ControlPoint Database Cache Searching for SharePoint Sites Managing SharePoint Objects Managing Audit Settings Managing Metadata Managing SharePoint User Permissions Data Analysis and Reporting Scheduling a ControlPoint Operation Saving, Modifying and Executing Instructions for a ControlPoint Operation Provisioning SharePoint Site Collections and Sites Using Sensitive Content Manager to Analyze SharePoint Content for Compliance Using ControlPoint Sentinel to Detect Anomalous Activity Default Menu Options for ControlPoint Online Users About Us

Events Captured in SharePoint Logs

The following tables identify the log(s) where different types of events are recorded and the event codes used to identify them.

NOTE: Be aware that some events may not appear immediately in analysis results, as it can take several minutes for them to be recorded in the SharePoint log.

Add/Delete Site Collections, Sites, Libraries and Lists

Event

Where Recorded (ControlPoint Event Type)

·Site collection added

·Site added

·Library or list added

Change Log (Add)

NOTE:  It may take several minutes for an added site to appear in the Change Log.

·Site deleted

·Library or list deleted

·Audit Log (Delete/Delete Child)

NOTE:  A Delete event is reported from the perspective of the object itself.  A Delete Child event is reported from the perspective of the object's parent.

·Change Log (Delete)

Add/Delete Document and List Items

Event

Where Recorded (ControlPoint Event Type)

Document or list item added

·Audit Log (Update)

·Change Log (Add)

Document or list item deleted

·Audit Log (Delete/Delete Child)

NOTE:  A Delete event is reported from the perspective of the object itself.  A Delete Child event is reported within the scope of the object's parent.

·Change Log (Delete)

Document or list item restored

·Audit Log (Undelete)

·Change Log (Restore)

Other Actions on Document and List Items

Event

Where Recorded (ControlPoint Event Type)

·Document opened/downloaded

·List item viewed

·List item properties viewed

Audit Log (View)

·Document or list item edited

·Document or list item properties edited

·Audit Log (Update)

·Change Log (Update)

Item checked in/checked out

·Audit Log (Check In/Check Out)

·Change Log (Update)

Items moved to another location in the site

Audit Log (Move)

Change Log (Move Away/Move Into)

Items copied to another location in the site (using the Send To menu entry)

Audit Log (Update)

Item accessed as part of a workflow

Audit Log (Workflow)

Add/Delete/Change Users and Permissions

 

Event

Where Recorded (ControlPoint Event Type) (SharePoint Event Code)

Site security inheritance broken

 

·Audit Log (Turn Off Inheritance from Parent) (SecRoleBindBreakInherit)

·Change Log (Add Assignment) (AssignmentAdd)

Site security inheritance restored

·Audit Log (Turn On Inheritance from Parent) (SecRoleBindInherit)

·Change Log (Delete Assignment) (Assignment)

Permission level inheritance restored

Change Log (Delete Assignment) (Assignment)

Site permission level created

·Audit Log (Create Permissions) (SecRoleDefCreate)

·Change Log (Add Role)(RoleUpdate)

Site permission level deleted

·Audit Log (Remove Permissions) (SecRoleDefDelete)

·Change Log (Delete Role) (RoleUpdate)

Site Permission level changed

·Audit Log (Modify Permissions) (SecGroupCreate)

·Change Log (Update Role) (RoleUpdate)

User or SharePoint group permission changed

·Audit Log (Change Permissions) (SecRoleBindUpdate)

·Change Log (Add Assignment and/or Delete Assignment) (AssignmentAdd and/or Assignment)

SharePoint group created

·Audit Log (Create Group) (SecGroupCreate)

·Change Log (Add)

SharePoint group deleted

·Audit Log (Delete Group) (SecGroupDelete)

·Change Log (Delete)

Member added to SharePoint group

·Audit Log (Add Member to Group) (SecGroupMemberAdd)

·Change Log (Add Member) (MemberAdd)

Member deleted from SharePoint group

·Audit Log (Delete Member from Group) (SecGroupemberDelete)

·Change Log ( Delete Member) (MemberDelete)

Add Content Types and Columns

Action

Where Recorded (ControlPoint Event Type) (SharePoint Event Code)

Content Type added

Audit Log (Change Profile) (ProfileChange)

Column added

Audit Log (Change Schema) (SchemaChange)

SharePoint Search Activity

Event

Where Recorded (ControlPoint Event Type)

SharePoint search performed

Audit Log (Search)

Audit Settings

Event

Where Recorded (ControlPoint Event Type) (SharePoint Event Code)

Audit settings changed

Audit Log (Change Mask) (AuditMaskChange)

 

Analyzing Audit Log Contents

The ControlPoint Audit Log analysis extends SharePoint's built-in audit logging by letting you easily view entries written to the audit log.  You can focus your analysis on specific event types, and even limit the scope to include only certain objects (sites, lists, documents, etc.).

Audit logging must be enabled for each site collection whose events you want to log.  You can enable audit logging for multiple site collections at a time via the ControlPoint Manage Audit Settings action.

To generate an Audit Log analysis:

1Select the object(s) for which you want to view audited events.  

NOTES:

§If the scope of your analysis includes site collections that have been deleted, audit events associated with that site collection will no longer exist.

§As with all ControlPoint analyses, if you initiated the analysis from the farm or site collection level, all child items will be included by default.  If you initiated the analysis at the site level, only information for that site (not its subsites) will be included.  You can, however, use the Change Selection option to further refine your scope.

2Choose Audit and Alerts > Audit Log.

3Specify one or more of the following parameters for your analysis:

§select both a Start and End date ( ) and time ( ) for which you want to report

NOTE:  Currently, SharePoint Online only allows the retrieval of the last seven days' worth of audit log data.  

§select the User(s) whose actions you want to audit (or leave blank for all users)

§enter a relative URL (note that you can enter a url down to the item level; you can also use an asterisk (*) at the beginning and end of a url as wildcards)

EXAMPLES

§sites/al*

§sites/alpha/shared documents/xcrSummaryReport.pdf

§select one or more Event types from the list box.  Refer to the topic Events Captured in SharePoint Log.  

CAUTION:  Although you have the option of viewing ALL events, if you select this option your result set may be extremely large.  One reason is that SharePoint records some events (such as a View) as a series of several events.  Also, some event types (such as Update) may encompass a wide variety of events.

Audit Log PARAMETERS - Cloud

§

Now you can:

·run the operation immediately (by clicking the [Run Now] button)

OR

·schedule the operation to run at a later time or on a recurring basis.

OR

·save the operation as XML Instructions that can be run at a later time.

Information in the Audit Log analysis

The Audit Log analysis contains the following information:

§the Date and time that the event occurred

§the User responsible for the event

§the Event type

§the Scope of the event, which may be:

§site collection (Site)

§site (Web)

§List

§Folder, Document, or List Item

§the name of the Site Collection and Site on/within which the event occurred.

§the relative URL for the list or document/item.

NOTE:  If auditing has been enabled at the site collection level, the URL for the document or item will display.  If auditing has been enabled at the site level or below, the URL for the list itself (but not the document or item within the list) will display.allow ControlPoint users to authenticate with Microsoft

Audit Log RESULTS

Depending on the event type, additional detail may display beneath each line item.

 

Analyzing Change Log Contents

The ControlPoint Change Log lets you view the contents of SharePoint change logs for one or more selected event types.

To generate a Change Log analysis:

1Select the object(s) for which you want to view change log entries.  

2Choose Audit & Alerts > Change Log Analysis.

3Specify one or more of the following parameters for your analysis:

§select both a Start and End date ( ) and time ( ) for which you want to report

The time period for which you can generate a change log analysis depends on how many days change log data is retained.  ControlPoint relies on the history maintained by SharePoint.  SharePoint for Office 365 retains Change Log data for 60 days.

§enter a relative URL (note that you can enter a url down to the item level; you can also use an asterisk (*) at the beginning and end of a url as wildcards)

EXAMPLES

§sites/al*

§sites/alpha/shared documents/SharePointPlanning.docx

§select one or more Event types from the list box.  Refer to the topic Events Captured in SharePoint Logs  for guidance in selecting the appropriate event type(s).

Change Log PARAMETERS

Now you can:

·run the operation immediately (by clicking the [Run Now] button)

OR

·schedule the operation to run at a later time or on a recurring basis.

OR

·save the operation as XML Instructions that can be run at a later time.

Information in the Change Log Analysis

Change Log RESULTS

The ControlPoint Change Log Analysis contains the following information:

·the Date and time that the event occurred

·the Scope of the event

·the Event type

·the individual the event was Performed By

NOTE:  For many event types, SharePoint change logging does not record the user who performed the event.  In such cases, the value "None" will appear in the Performed By column.

·the name of the Site Collection and Site on/within which the event occurred.

·the URL for the item (if applicable).

 

Analyzing SharePoint Alerts

The following analysis tools provides information about SharePoint alerts that have been created for users in your SharePoint environment:

·SharePoint Alerts by Site lets you review alerts that have been created within one or more selected sites.

·SharePoint Alerts by User lets you review alerts that have been created for one or more specific users.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating