Enterprise Vault™ Auditing
- About this guide
- Introducing Enterprise Vault auditing
- Setting up auditing
- Viewing the audit database entries
- Viewing the audit database entries using Audit Viewer
- Viewing the audit database entries using SQL queries
- Auditing for data protection compliance
- Appendix A. Format of audit database entries
Viewing the audit database entries using SQL queries
We recommend that you query the database view,, in the audit database. The SQL queries can filter audit entries based on criteria, such as a date range, user name, or ObjectID. See the Appendix to this document for a description of the format of audit database entries, and an explanation of the values in the EVAuditView columns for different types of audit entry.
The procedure below shows you how to use SQL Server Management Studio to enter and run SQL queries. Later sections include example SQL queries that search database entries for item delete operations. You may need to run such queries to obtain evidence of item deletion, for example, to show compliance with data protection regulations.
Changes to archive access permissions are shown as Security Descriptor Definition Language (SDDL) strings. A script is shipped with Enterprise Vault to convert these strings to an array of permissions in a more user-friendly format.
To view the audit database entries using SQL Server Management Studio
- Start the SQL Server Management Studio.
- On the Standard toolbar, click New Query.
- On the SQL Editor toolbar, select EnterpriseVaultAudit from the list of available databases.
- Type a SQL query to retrieve the audit entries that you want.
This simple example query retrieves the audit entries from the database view, EVAuditView, in date order:
SELECT * FROM EVAuditView ORDER BY AuditDate DESC
Here is another example query. This example query filters entries based on a date range and user names.
USE EnterpriseVaultAudit DECLARE @StartDateTime datetime DECLARE @EndDateTime datetime SET @StartDateTime = '2017-10-05 08:00:00' SET @EndDateTime = '2017-10-06 08:00:00' SELECT * FROM [EnterpriseVaultAudit].[dbo].[EVAuditView] WHERE AuditDate BETWEEN @StartDateTime and @EndDateTime AND UserName in ('Org\HSmith', 'Org\JDoe') ORDER BY AuditID
- Click Execute on the SQL Editor toolbar, or press F5 to run the command.