The audit feature of Microsoft SharePoint Server or SharePoint Online let you track user actions on a sites content types, lists, libraries, list items, and library files within your site collections. Knowing who has done what with which information is critical for many business requirements, such as regulatory compliance and records management.

You manage the size of the audit log in the Audit Log Trimming section and specify which events to audit in the Documents and Items and Lists, Libraries, and Sites sections. You can also specify the maximum number of days that items will be retained. By default all items are removed at the end of the month.

NOTE: When multiple users are co-editing a document, auditing events from multiple authors or editors can be difficult to interpret. If this is a concern, consider limiting editing permission to a minimum number of users.

As a site collection administrator, you can retrieve the history of actions taken by a particular user and can also retrieve the history of actions taken during a particular date range. For example, you can determine which users edited a specific document and when they did this.

What shows up in the audit log report ?

The events that you select to audit are captured in audit reports that are based on Microsoft Excel 2013 and are available from the Auditing Reports page. You can also create a custom report that includes a number of these events over a specified date range, within a specific area of the site collection, or filtered to an individual user. You cannot modify events once they are logged, but site collection administrators can delete items from the audit log and configure automatic trimming of the audit log data.

  • The audit log captures the following information for the events that are selected to be audited.
  • Site from which an event originated
  • Item ID, type, name, and location
  • User ID associated with the event
  • Event type, date, time, and source
  • Action taken on the item

Following is an example of the data in a Deletion audit log report. With this report, you can determine who deleted and restored data across the site

Trimming the audit log reports

When you select an event to be audited for a site collection, such as delete and restore, it will be audited for every item in the site collection each time the event occurs. Auditing can potentially generate a large number of audit events, creating a large audit log. This could fill the hard drive, affecting performance and other aspects of a site collection.

IMPORTANT: To prevent the audit log from filling the hard drive and potentially degrading the performance of the site collection, we recommended that you enable audit log trimming for site collections with extensive auditing.

To manage the size of the audit log report you can configure it to automatically trim and optionally archive the current audit log data in a document library before the data is trimmed. The schedule for audit log trimming is configured by your server administrator in Central Administration. The default is the end of the month.

View audit log reports

You can use standard Excel features to narrow the reports to the information you want. Some ways in which you can analyze and view the log data include:

  • Filtering the audit log report for a specific site.
  • Filtering the audit log report for a particular date range.
  • Sorting the audit log report.
  • Determining who has updated content.
  • Determining which content has been deleted but not restored.
  • Viewing the changes to permissions on an item.