Enterprise Vault™ Auditing

Last Published:
Product(s): Enterprise Vault (12.3)

Viewing the audit database entries using SQL queries

We recommend that you query the database view, EVAuditView, in the audit database. The SQL queries can filter audit entries based on criteria, such as a date range, user name, or ObjectID. See the Appendix to this document for a description of the format of audit database entries, and an explanation of the values in the EVAuditView columns for different types of audit entry.

See The format of audit database entries.

The procedure below shows you how to use SQL Server Management Studio to enter and run SQL queries. Later sections include example SQL queries that search database entries for item delete operations. You may need to run such queries to obtain evidence of item deletion, for example, to show compliance with data protection regulations.

See Auditing general delete operations.

Changes to archive access permissions are shown as Security Descriptor Definition Language (SDDL) strings. A script is shipped with Enterprise Vault to convert these strings to an array of permissions in a more user-friendly format.

See Retrieving audited changes to archive permissions in a user-friendly format.

To view the audit database entries using SQL Server Management Studio

  1. Start the SQL Server Management Studio.
  2. On the Standard toolbar, click New Query.
  3. On the SQL Editor toolbar, select EnterpriseVaultAudit from the list of available databases.
  4. Type a SQL query to retrieve the audit entries that you want.

    This simple example query retrieves the audit entries from the database view, EVAuditView, in date order:


    Here is another example query. This example query filters entries based on a date range and user names.

    USE EnterpriseVaultAudit
    DECLARE @StartDateTime datetime
    DECLARE @EndDateTime datetime
    SET @StartDateTime = '2017-10-05 08:00:00'
    SET @EndDateTime = '2017-10-06 08:00:00'
    SELECT * FROM [EnterpriseVaultAudit].[dbo].[EVAuditView] 
    WHERE AuditDate BETWEEN @StartDateTime and @EndDateTime
    AND UserName in ('Org\HSmith', 'Org\JDoe')
    ORDER BY AuditID
  5. Click Execute on the SQL Editor toolbar, or press F5 to run the command.