Enterprise Vault™ Auditing
- About this guide
- Introducing Enterprise Vault auditing
- Setting up auditing
- Viewing the audit database entries
- Viewing the audit database entries using Audit Viewer
- Viewing the audit database entries using SQL queries
- Auditing for data protection compliance
- Appendix A. Format of audit database entries
Example query search for privileged delete audit entries
The following example query searches the audit database for item delete operations between the dates that you specify:
USE EnterpriseVaultAudit GO SELECT * FROM EVAuditView WHERE CategoryName = 'Delete' AND SubCategoryName = 'Information' AND AuditDate BETWEEN CONVERT(datetime,'mm-dd-yyyy',110) and CONVERT(datetime,'mm-dd-yyyy',110)
Table: Example audit entry values returned by the SQL query shows example values of an audit entry returned by this query.
Table: Example audit entry values returned by the SQL query
EVAuditView column title
Example values (Delete)
The user who performed the delete operation. For items that are were deleted by the Discovery Accelerator Privileged Delete feature, the UserName column displays the name of the Vault Service account. For items that were deleted by a third-party application, this is the user that is assigned to the Compliance Delete Application role.
The saveset ID of the item that was deleted.
The archive that contained the item.
<Delete ObjectType="Item" ObjectName="(null)"> <Property Name="EV_API_DELETION_LEVEL"> <Current Value="DELETION_LEVEL_COMPLIANCE"/> </Property> </Delete>
The deletion level DELETION_LEVEL_COMPLIANCE denotes that the item was deleted using Privileged Delete in Discovery Accelerator or compliance delete in a third-party application that uses the Enterprise Vault API.