LOGbinder Blog


How to Audit an Individual Library or List in SharePoint

Thu, 23 Jun 2011 12:41:17 GMT
SharePoint audit policy is widely regarded as a site collection level setting, leading many to believe you must apply one audit policy to all objects in the entire site collection. If that were the case, you would run into some real granularity problems: either you would not be able to get the events you need for important lists or libraries, or you would enable too much auditing and get way too many events.
 
Thankfully, you can enable auditing on specific document libraries or lists, but you have to know where to look, which I will explain in a moment.
 
First, though, which audit policies would you likely want to enable for an entire site collection, and which would you want to activate only on specific lists and libraries? The one audit policy I always suggest enabling is "Editing users and permissions" (aka Security Change in LOGbinder SP), which provides an audit trail of all auditable security-related changes for the site collection, including permission changes, changes to users and groups, and changes to the audit policy itself.
 
At the list and library level you have a variety of activities that you can audit, including:
  • Viewing
  • Editing
  • Deletion
  • Check in / Check out
List/library level audit policy is extremely important when it comes to auditing who is viewing confidential information. If you enable View auditing at the site collection level, you end up generating events for every page click by every user throughout the entire site collection, which creates a load on resources and storage.
 
To enable auditing for a certain library, open the library’s (or list’s) settings page and click the “Information management policy settings” link under Permissions and Management.

On the next page you’ll see entries for the content types allowed for that list or library. For instance, a normal document library will have 2 content types: Document and Folder. Click on a content type and configure auditing. In my example I’ve enabled auditing of any type of view and download access, since this is a library that contains confidential information.

Now SharePoint will obediently begin auditing those actions on that particular list or library. If you have my LOGbinder SP software, you'll be able to report or alert on those events with LOGbinder SP SIEM Edition. If you have your own log management / SIEM solution, you can use LOGbinder SP Agent Edition to get SharePoint audit events out of the content database, where they don't belong, and into your log management solution, where they do! Click here for more information on LOGbinder SP.
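
The same split (Security Change for the whole site collection, View only on the confidential library) can also be scripted. The following is an added example, not part of the original post or of LOGbinder: it sets the audit mask directly through the SharePoint server object model (`SPAudit.AuditFlags`) instead of the information management policy page, and the site URL and library name are assumed placeholders.

```powershell
# Run in the SharePoint Management Shell on a farm server (SharePoint 2010 or later).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed placeholder values; replace with your own.
$siteUrl     = 'http://sharepoint.example.local/sites/finance'
$libraryName = 'Confidential Documents'

$site = Get-SPSite -Identity $siteUrl
try {
    # Site collection level: audit security-related changes only.
    # Note: this replaces whatever audit mask was set before.
    $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange
    $site.Audit.Update()

    # Library level: audit views on the one library that needs it.
    $list = $site.RootWeb.Lists.TryGetList($libraryName)
    if ($null -eq $list) {
        throw "Library '$libraryName' not found in $($site.RootWeb.Url)"
    }
    $list.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::View
    $list.Audit.Update()

    # Review: show every list in the root web that has its own audit flags,
    # so overly broad auditing is easy to spot.
    $site.RootWeb.Lists |
        Where-Object { $_.Audit.AuditFlags -ne [Microsoft.SharePoint.SPAuditMaskType]::None } |
        Select-Object Title,
            @{ Name = 'AuditFlags';    Expression = { $_.Audit.AuditFlags } },
            @{ Name = 'EffectiveMask'; Expression = { $_.Audit.EffectiveAuditMask } } |
        Format-Table -AutoSize
}
finally {
    # SPSite holds unmanaged resources; always dispose it.
    $site.Dispose()
}
```

`EffectiveMask` combines the list's own flags with those inherited from the site collection, so the confidential library should report both View and SecurityChange.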
 
Thanks,

Randy Franklin Smith
