Enterprise Vault™ Auditing

Product(s): Enterprise Vault (12.3)

Configuring audit categories

Audit categories identify the different types of information that auditing can collect. After you have created the audit database, you can use the Enterprise Vault Administration Console to select audit categories. All categories can record summary audit data, and some can also record detailed data.

Audit categories apply to the Enterprise Vault server that you select in the Enterprise Vault Servers container in the Administration Console. If there are multiple Enterprise Vault servers, you need to select each server in turn, and configure the audit categories for each server. It is good practice to set the audit categories consistently on all of the Enterprise Vault servers in the sites that are associated with the Enterprise Vault directory. Failure to do this will result in inconsistent audit data in your environment. If you select the Archive Permissions category, it is particularly important to select this category on all of the Enterprise Vault servers.
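The consistency requirement above can be checked mechanically. The following is an added example, not Enterprise Vault code: it compares per-server category settings and reports drift, treating a server with Archive Permissions turned off as critical. It assumes the settings were transcribed from each server's Auditing tab; the server names, the level labels `off`/`summary`/`details`, and the sample values are constructed.

```python
from collections import defaultdict

# Levels a category can hold, per the page: not selected, summary, or (for
# some categories) detailed data. The string labels are this example's own.
LEVELS = ("off", "summary", "details")
# The page singles this category out: select it on every server.
MUST_MATCH_EVERYWHERE = "Archive Permissions"


def find_drift(settings):
    """Compare audit category levels across servers.

    settings: {server_name: {category_name: level}}. A category that a server
    does not list is treated as "off". Returns findings, critical ones first.
    """
    for server, cats in settings.items():
        for cat, level in cats.items():
            if level not in LEVELS:
                raise ValueError(f"{server}: unknown level {level!r} for {cat!r}")

    categories = sorted({c for cats in settings.values() for c in cats})
    findings = []
    for cat in categories:
        by_level = defaultdict(list)
        for server in sorted(settings):
            by_level[settings[server].get(cat, "off")].append(server)
        if len(by_level) == 1:
            continue  # every server agrees on this category
        critical = cat == MUST_MATCH_EVERYWHERE and "off" in by_level
        findings.append({
            "category": cat,
            "severity": "critical" if critical else "warning",
            "levels": dict(by_level),
        })
    findings.sort(key=lambda f: (f["severity"] != "critical", f["category"]))
    return findings


# Constructed sample: three hypothetical servers in one site.
SAMPLE = {
    "EVSERVER1": {"Admin Activity": "details", "Archive Permissions": "summary", "PST Migration": "summary"},
    "EVSERVER2": {"Admin Activity": "details", "Archive Permissions": "summary"},
    "EVSERVER3": {"Admin Activity": "summary", "PST Migration": "summary"},
}

if __name__ == "__main__":
    for f in find_drift(SAMPLE):
        print(f["severity"].upper(), f["category"], f["levels"])
```
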

When an Enterprise Vault administrator changes the auditing configuration, event ID 4288 reports whether auditing is running (enabled) or stopped (disabled), the status of each audit category, and the identity of the administrator who made the change. An audit database entry is also created with the same information.

You can modify the audit categories when auditing is running or stopped.

Table: Audit categories



Admin Activity

Configuration changes made in the Enterprise Vault Administration Console or Management Shell, such as adding a new task, creating archives, or enabling mailboxes.

Advanced Search

Searches performed, including the terms used and the number of items found.


Items being archived, either manually or on a scheduled run.

Archive Folder Updates

Archived items being moved to a different mailbox folder.

Archive Permissions

Manual changes to user or group access permissions on an archive. Manual permissions are set on an archive in the Enterprise Vault Administration Console using the Archive Properties dialog box, or using the Enterprise Vault Policy Manager (EVPM) utility. If you select this category, you should select it on all of the Enterprise Vault servers in the site.

Note that this auditing category does not capture changes to automatic access permissions on an archive. Automatic archive permissions are permissions that are set on the original content source, and synchronized to the Enterprise Vault archive. To capture this information, you must enable and configure auditing in the content source application. For example, access permission changes that a user makes on an Exchange Server mailbox are automatically synchronized to the associated Enterprise Vault archive. To capture these permission changes, you must enable and configure Exchange Server auditing on the Exchange Server that hosts the mailbox.


Classification of archived items.


Archived items being deleted because their retention periods have expired, users have chosen to delete them, or third-party applications have requested their deletion for compliance with data protection legislation.

Domino Archive

Any Domino archiving activity.

Domino Restore

Any Domino restore activity.

Exchange Synchronization

Records details of creation, modification, and deletion of Exchange managed content settings. Enterprise Vault records relevant details when it is configured to archive from Exchange managed folders and to synchronize with their managed content settings.

FS Archive

File System Archiving activity.


Document retrieval into SharePoint Portal Server.

Indexing operations

When indexing subtasks for managing index volumes start and stop. Also records any critical errors that the subtasks encounter when processing indexes. The Manage Indexes wizard enables you to manage index volumes.

Move Archive

Details of individual Move Archive operations.

NSF Migration

Items being migrated from NSF files.

PST Migration

Items being migrated from PST files.


Archived items being restored.

Retention Category Updates

Changes to the retention category of archived items.

SPS Archive

SharePoint archiving activity.

Saveset Status

(For Support use.) Rarely used. Records whether a saveset file is available.

Subtask Control

The creation and modification of subtasks, such as the subtasks that control Move Archive operations.


Deleted items that are recovered using the option Recover items on the Deleted Items tab of Archive Properties. Shortcuts recovered using the FSAUndelete utility are also recorded.


Your own auditing entries.


Viewing archived items, either as HTML or in their original formats.

View Attachments

Viewing of archived items from within SharePoint Portal Server.

To configure audit categories

  1. In the Administration Console, expand the tree in the left pane until the Enterprise Vault Servers container is visible.
  2. Expand the Enterprise Vault Servers container.
  3. Right-click the computer for which you want to configure auditing, and click Properties on the context menu.
  4. Click the Auditing tab.
  5. Select or clear the audit categories.

     See Table: Audit categories.

  6. Click OK to save the changes you have made.