Enterprise Vault™ Auditing
- About this guide
- Introducing Enterprise Vault auditing
- Setting up auditing
- Viewing the audit database entries
- Viewing the audit database entries using Audit Viewer
- Viewing the audit database entries using SQL queries
- Auditing for data protection compliance
- Appendix A. Format of audit database entries
Starting or stopping auditing
To start or stop auditing you need to perform the following procedure on each Enterprise Vault server.
When auditing is started or stopped, event ID 42388 reports whether auditing is running (enabled) or stopped (disabled), the status of each audit category, and the identity of the administrator who made the change. When the Enterprise Vault Admin service starts, event ID 4286 is reported if auditing is running and event ID 4287 is reported if auditing is stopped. An audit database entry is also created with the same information.
To start or stop auditing
- In the Administration Console, expand the tree in the left pane until the Enterprise Vault Servers container is visible.
- Expand the Enterprise Vault Servers container.
- Right-click the computer on which you want to start or stop auditing, and click Properties on the context menu.
- Click the Auditing tab.
- To start auditing on the Enterprise Vault server, select Audit entries based on the following categories.
To stop auditing on the server, clear this setting.
- Click OK to save the changes you have made.