Enterprise Vault™ Auditing
Configuring audit categories
Audit categories identify the different types of information that auditing can collect. After you have created the audit database, you can use the Enterprise Vault Administration Console to select audit categories. All categories can record summary audit data, and some can also record detailed data.
Audit categories apply to the Enterprise Vault server that you select in the Enterprise Vault Servers container in the Administration Console. If there are multiple Enterprise Vault servers, you need to select each server in turn, and configure the audit categories for each server. It is good practice to set the audit categories consistently on all of the Enterprise Vault servers in the sites that are associated with the Enterprise Vault directory. Failure to do this will result in inconsistent audit data in your environment. If you select the category, it is particularly important to select this category on all of the Enterprise Vault servers.
When an Enterprise Vault administrator changes the auditing configuration, event ID 4288 reports whether auditing is running (enabled) or stopped (disabled), the status of each audit category, and the identity of the administrator who made the change. An audit database entry is also created with the same information.
You can modify the audit categories when auditing is running or stopped.
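Because event ID 4288 is written whenever the auditing configuration changes, collecting it from every server gives a review trail for who turned auditing or a category on or off. The following PowerShell is an added example, not part of the Enterprise Vault documentation; the server names are placeholders and the event log name is an assumption that you should check against Event Viewer on your servers.

```powershell
# Added example: gather event ID 4288 (auditing configuration changed) from each
# Enterprise Vault server and flag servers that could not be queried.
$Servers = 'EVSERVER1.example.com', 'EVSERVER2.example.com'  # placeholder names
$LogName = 'Veritas Enterprise Vault'   # assumption: verify the log name in Event Viewer
$Since   = (Get-Date).AddDays(-30)      # review window

$results = foreach ($server in $Servers) {
    try {
        $events = Get-WinEvent -ComputerName $server -ErrorAction Stop -FilterHashtable @{
            LogName   = $LogName
            Id        = 4288
            StartTime = $Since
        }
        foreach ($e in $events) {
            [pscustomobject]@{
                Server      = $server
                TimeCreated = $e.TimeCreated
                Status      = 'AuditConfigChanged'
                Message     = $e.Message   # running/stopped, category states, administrator
            }
        }
    }
    catch {
        # Get-WinEvent raises NoMatchingEventsFound when the filter matches nothing.
        # That is a normal result; any other error means the server was not checked.
        $status = if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            'NoChangeInWindow'
        } else {
            'QueryFailed'
        }
        [pscustomobject]@{
            Server      = $server
            TimeCreated = $null
            Status      = $status
            Message     = $_.Exception.Message
        }
    }
}

# Changes first, then servers that need follow-up because they could not be read.
$results | Sort-Object Status, Server, TimeCreated | Format-List
```

A `QueryFailed` row is a gap in coverage rather than a clean result, so treat it as a server whose audit settings still need to be checked in the Administration Console.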
Table: Audit categories
Configuration changes made in the Enterprise Vault Administration Console or Management Shell, such as adding a new task, creating archives, or enabling mailboxes.
Searches performed, including the terms used and the number of items found.
Items being archived, either manually or on a scheduled run.
Archive Folder Updates: Archived items being moved to a different mailbox folder.
Manual changes to user or group access permissions on an archive. Manual permissions are set on an archive in the Enterprise Vault Administration Console using the dialog box, or using the Enterprise Vault Policy Manager (EVPM) utility. If you select this category, you should select it on all of the Enterprise Vault servers in the site.
Note that this auditing category does not capture changes to automatic access permissions on an archive. Automatic archive permissions are permissions that are set on the original content source, and synchronized to the Enterprise Vault archive. To capture this information, you must enable and configure auditing in the content source application. For example, access permission changes that a user makes on an Exchange Server mailbox are automatically synchronized to the associated Enterprise Vault archive. To capture these permission changes, you must enable and configure Exchange Server auditing on the Exchange Server that hosts the mailbox.
Classification of archived items.
Archived items being deleted because their retention periods have expired, users have chosen to delete them, or third-party applications have requested their deletion for compliance with data protection legislation.
Any Domino archiving activity.
Any Domino restore activity.
Records details of creation, modification, and deletion of Exchange managed content settings. Enterprise Vault records relevant details when it is configured to archive from Exchange managed folders and to synchronize with their managed content settings.
File System Archiving activity.
Document retrieval into SharePoint Portal Server.
When indexing subtasks for managing index volumes start and stop. Also records any critical errors that the subtasks encounter when processing indexes. The Manage Indexes wizard enables you to manage index volumes.
Details of individual Move Archive operations.
Items being migrated from NSF files.
Items being migrated from PST files.
Archived items being restored.
Retention Category Updates: Changes to the retention category of archived items.
SharePoint archiving activity.
(For Support use.) Rarely used. Records whether a saveset file is available.
The creation and modification of subtasks, such as the subtasks that control Move Archive operations.
Deleted items that are recovered using the option Recover items on the Deleted Items tab of Archive Properties. Shortcuts recovered using the FSAUndelete utility are also recorded.
Your own auditing entries.
Viewing archived items, either as HTML or in their original formats.
Viewing of archived items from within SharePoint Portal Server.
To configure audit categories
- In the Administration Console, expand the tree in the left pane until the Enterprise Vault Servers container is visible.
- Expand the Enterprise Vault Servers container.
- Right-click the computer for which you want to configure auditing, and click Properties on the context menu.
- Click the Auditing tab.
- Select or clear the audit categories.
- Click OK to save the changes you have made.