Menu

Search

LOGbinder Support


Impact of Restricted Lookups


bjvista
How To

LOGbinder for SharePoint by default makes every effort to fully translate and enrich SharePoint audit events through so called "lookups" where-in LOGbinder makes extra queries to SharePoint to obtain this information. But there is a cost/benefit relationship to be considered. Some events in the native SharePoint audit log include fields that are of low or no value to end users at many organizations. Each field in the native log, including these low or no value fields, requires a lookup by LOGbinder to resolve the native SharePoint data in to user friendly data.

For example, below is a sample of LOGbinder for SharePoint event ID 13:

Document checked in
Occurred: 6/25/2016 1:13:04 PM
Site: http://sp2010-sp
User: Administrator
Object
URL: Shared Documents/FinancialData.xlsx
Title: n/a
Version: 1.0

As you can see in the above event, the “Title” field returned from SharePoint is “n/a”. This is obviously of no value to the end user. Since SharePoint includes these low/no value fields, LOGbinder for SharePoint includes an option to intelligently restrict the number of lookups it processes resulting in increased performance of LOGbinder. You can manage the amount of SharePoint lookups by opening the LOGbinder Control Panel selecting File and then Options. The amount of lookups performed by LOGbinder can be customized by choosing a value under “Amount of SharePoint lookups.” See figure 1 below.

Figure 1: Managing the amount of SharePoint lookups

The fields that are affected (with the exception of the “Restrict all lookups option”) are all child fields of the targeted object. “URL” is the most important field included in the events and that field is always reported except on some permission change events and only if the “Exclude high/medium-cost” option is selected.

Most organizations who need to speed up LOGbinder can safely use the “Exclude high-cost lookups” option without losing significant audit information. Please note that the “Exclude high/medium-cost” option does adversely impact permission change events.

The following chart outlines which fields are affected depending on which option is selected when managing the amount of SharePoint lookups.


Field will be blank if this setting is chosen …

Exclude none

Exclude highest-cost lookups

Exclude high-cost lookups

Exclude high/ medium- cost lookups

Restrict all lookups

10 Noise entry

This entry was generated, but contains only data that is misleading or irrelevant.

Occurred: %1

Details: %2

11 Site collection audit policy changed

Occurred: %1

Site: %2

User: %3

New audit policy: %4

12 Audit policy changed

Occurred: %1

Site: %2

User: %3

Object

Type: %4

Subtype: %5

1

URL: %6

Title: %7

1

Description: %8

1

New audit policy: %9

13 Document checked in

Occurred: %1

Site: %2

User: %3

Object

URL: %4

Title: %5

Version: %6

14 Document checked out

Occurred: %1

Site: %2

User: %3

Object

URL: %4

Title: %5

Version: %6

15 Child object deleted

Occurred: %1

Site: %2

User: %3

Parent Object

Type: %4

Subtype: %5

1

URL: %6

Title: %7

1

Child Object

Type: %8

URL: %9

16 Child object moved

Occurred: %1

Site: %2

User: %3

Parent Object

Type: %4

Subtype: %5

1

URL: %6

Title: %7

1

Description: %8

1

Child Object

Type: %9

Title: %10

Original location: %11

New location: %12

17 Object copied

Occurred: %1

Site: %2

User: %3

Object

Type: %4

Title: %5

1

Description: %6

1

Original location: %7

New location: %8

18 Custom event

Occurred: %1

Site: %2

User: %3

Details: %4

Examine the details accompanying the event for more information.

19 Object deleted

Occurred: %1

Site: %2

User: %3

Object

Type: %4

URL: %5

Versions deleted: %6

Recycled: %7

20 SharePoint audit logs deleted

Occurred: %1

Site: %2

User: %3

Logs deleted: %4

Last date: %5

Audit logs created before this date have been removed from SharePoint.

Purge performed by LOGbinder: %6

21 Object moved

Occurred: %1

Site: %2

User: %3

Object

Type: %4

Title: %5

1

Original location: %6

New location: %7

22 Object profile changed

Occurred: %1

Site: %2

User: %3

Object

Type: %4

Subtype: %5

1

URL: %6

Title: %7

1

Description: %8

1

Profile details: %9

23 SharePoint object structure changed

Occurred: %1

Site: %2

User: %3

Object

Type: %4

Subtype: %5

1

URL: %6

Title: %7

1

Description: %8

1

Details: %9

24 Search performed

Occurred: %1

Site: %2

User: %3

Search: %4

25 SharePoint group created

Occurred: %1

Site: %2

User: %3

Group

ID: %4

Name: %5

Initial members: %6

26 SharePoint group deleted

Occurred: %1

Site: %2

User: %3

Group

ID: %4

The group name is not available because Microsoft does not report this. Refer to events 25, 27, 28, as these may contain the group name.

27 SharePoint group member added

Occurred: %1

Site: %2

User: %3

Group

ID: %4

Name: %5

Member

ID: %6

Name: %7

2

28 SharePoint group member removed

Occurred: %1

Site: %2

User: %3

Group

ID: %4

Name: %5

Member

ID: %6

Name: %7

2

29 Unique permissions created

Occurred: %1

Site: %2

User: %3

Parent Object

Type: %4

Subtype: %5

URL: %6

Title: %7

Description: %8

Object

URL: %9

This object no longer inherits permissions from the parent.

30 Unique permissions removed

Occurred: %1

Site: %2

User: %3

Parent Object

Type: %4

Subtype: %5

URL: %6

Title: %7

Description: %8

Object

URL: %9

This object, which formerly had unique permissions, now inherits permissions from the parent.

31 Permissions updated

Occurred: %1

Site: %2

User: %3

Object

Type: %4

Subtype: %5

URL: %6

Title: %7

Description: %8

Target

Name: %9

Type: %10

Permissions

Role name: %11

Role description: %12

One instance of this event is logged for each role assigned this user. Look at adjacent events to determine all roles assigned to the user or group.

32 Permissions removed

Occurred: %1

Site: %2

User: %3

Object

Type: %4

Subtype: %5

URL: %6

Title: %7

Description: %8

Target

Name: %9

Type: %10

Permissions

Role name: %11

Role description: %12

33 Unique permission levels created

Occurred: %1

Site: %2

User: %3

Object

Type: %4

URL: %5

Title: %6

1

Description: %7

1

This object has unique permission levels (role definitions) that are not inherited from its parent.

34 Permission level created

Occurred: %1

Site: %2

User: %3

Object

Type: %4

URL: %5

Title: %6

1

Description: %7

1

Permission Level Details

ID: %8

Name: %9

Type: %10

Description: %11

Permissions

List permissions: %12

Site permissions: %13

Personal permissions: %14

35 Permission level deleted

Occurred: %1

Site: %2

User: %3

Object

Type: %4

URL: %5

Title: %6

1

Description: %7

1

Permission Level Details

ID: %8

The permission level name is not available because Microsoft does not report this. Refer to events 34 or 36, as these may contain the name.

36 Permission level modified

Occurred: %1

Site: %2

User: %3

Object

Type: %4

URL: %5

Title: %6

1

Description: %7

1

Permission Level Details

ID: %8

Name: %9

Type: %10

Description: %11

Permissions

List permissions: %12

Site permissions: %13

Personal permissions: %14

37 SharePoint site collection administrator added

Occurred: %1

Site: %2

User: %3

Administrator

ID: %4

Name: %5

2

38 SharePoint site collection administrator removed

Occurred: %1

Site: %2

User: %3

Administrator

ID: %4

Name: %5

2

39 Object restored

Occurred: %1

Site: %2

User: %3

Object

Type: %4

URL: %5

Title: %6

1

Description: %7

1

This object was restored from the Recycle Bin.

40 Site collection updated

Occurred: %1

Site: %2

User: %3

41 Web updated

Occurred: %1

Site: %2

User: %3

Object

URL: %4

Title: %5

Description: %6

42 Document library updated

Occurred: %1

Site: %2

User: %3

Object

URL: %4

Title: %5

Description: %6

Library item updated: %7

43 Document updated

Occurred: %1

Site: %2

User: %3

Object

URL: %4

Title: %5

Version: %6

44 List updated

Occurred: %1

Site: %2

User: %3

Object

Type: %4

URL: %5

Title: %6

Description: %7

45 List item updated

Occurred: %1

Site: %2

User: %3

Object

URL: %4

Title: %5

1

46 Folder updated

Occurred: %1

Site: %2

User: %3

Object

URL: %4

Version: %5

47 Document viewed

Occurred: %1

Site: %2

User: %3

Object

URL: %4

Title: %5

Version: %6

48 Document library viewed

Occurred: %1

Site: %2

User: %3

Object

URL: %4

Title: %5

Description: %6

49 List viewed

Occurred: %1

Site: %2

User: %3

Object

Type: %4

URL: %5

Title: %6

Description: %7

50 Object viewed

Occurred: %1

Site: %2

User: %3