LOGbinder for SharePoint by default makes every effort to fully translate and enrich SharePoint audit events through so called "lookups" where-in LOGbinder makes extra queries to SharePoint
to obtain this information. But there is a cost/benefit relationship to be considered. Some events in the native SharePoint audit log include fields that are
of low or no value to end users at many organizations. Each field in the native log, including these low or no value fields, requires a lookup by LOGbinder to resolve the native
SharePoint data in to user friendly data.
For example, below is a sample of LOGbinder for SharePoint event ID 13:
Document checked in
Occurred: 6/25/2016 1:13:04 PM
Site: http://sp2010-sp
User: Administrator
Object
URL: Shared Documents/FinancialData.xlsx
Title: n/a
Version: 1.0
As you can see in the above event, the “Title” field returned from SharePoint is “n/a”. This is obviously of no value to the end
user. Since SharePoint includes these low/no value fields, LOGbinder for SharePoint includes an option to intelligently restrict the number of lookups it processes resulting in
increased performance of LOGbinder. You can manage the amount of SharePoint lookups by opening the LOGbinder Control Panel selecting File and then Options. The
amount of lookups performed by LOGbinder can be customized by choosing a value under “Amount of SharePoint lookups.” See figure 1 below.
Figure 1: Managing the amount of SharePoint lookups
The fields that are affected (with the exception of the “Restrict all lookups option”) are all child fields of the targeted object. “URL” is the most important field included in the events and that
field is always reported except on some permission change events and only if the “Exclude high/medium-cost” option is selected.
Most organizations who need to speed up LOGbinder can safely use the “Exclude high-cost lookups” option without losing significant audit
information. Please note that the “Exclude high/medium-cost” option does adversely impact permission change events.
The following chart outlines which fields are affected depending on which option is selected when managing the amount of SharePoint lookups.
Field will be blank if this
setting is chosen …
|
Exclude none
|
Exclude highest-cost lookups
|
Exclude high-cost lookups
|
Exclude high/ medium- cost
lookups
|
Restrict all lookups
|
10 Noise entry
|
|
|
|
|
|
This entry was
generated, but contains only data that is misleading or irrelevant.
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Details: %2
|
|
|
|
|
|
11 Site collection audit policy changed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
New audit
policy: %4
|
|
|
|
|
|
12 Audit policy changed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
Subtype: %5
|
|
✘ 1
|
✘
|
✘
|
✘
|
URL: %6
|
|
|
|
|
|
Title: %7
|
|
✘ 1
|
✘
|
✘
|
✘
|
Description: %8
|
|
✘ 1
|
✘
|
✘
|
✘
|
New audit
policy: %9
|
|
|
|
|
|
13 Document checked in
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
URL: %4
|
|
|
|
|
|
Title: %5
|
|
|
✘
|
✘
|
✘
|
Version: %6
|
|
|
|
|
|
14 Document checked out
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
URL: %4
|
|
|
|
|
|
Title: %5
|
|
|
✘
|
✘
|
✘
|
Version: %6
|
|
|
|
|
|
15 Child object
deleted
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Parent Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
Subtype: %5
|
|
✘ 1
|
✘
|
✘
|
✘
|
URL: %6
|
|
|
|
|
|
Title: %7
|
|
✘ 1
|
✘
|
✘
|
✘
|
Child Object
|
|
|
|
|
|
Type: %8
|
|
|
|
|
|
URL: %9
|
|
|
|
|
|
16 Child object moved
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Parent Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
Subtype: %5
|
|
✘ 1
|
✘
|
✘
|
✘
|
URL: %6
|
|
|
|
|
|
Title: %7
|
|
✘ 1
|
✘
|
✘
|
✘
|
Description: %8
|
|
✘ 1
|
✘
|
✘
|
✘
|
Child Object
|
|
|
|
|
|
Type: %9
|
|
|
|
✘
|
✘
|
Title: %10
|
|
|
|
✘
|
✘
|
Original location: %11
|
|
|
|
|
|
New location: %12
|
|
|
|
|
|
17 Object copied
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
Title: %5
|
|
✘ 1
|
✘
|
✘
|
✘
|
Description: %6
|
|
✘ 1
|
✘
|
✘
|
✘
|
Original location: %7
|
|
|
|
|
|
New location: %8
|
|
|
|
|
|
18 Custom event
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Details: %4
|
|
|
|
|
|
Examine the details
accompanying the event for more information.
|
|
|
|
|
|
19 Object deleted
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
URL: %5
|
|
|
|
|
|
Versions deleted: %6
|
|
|
|
|
|
Recycled: %7
|
|
|
|
|
|
20 SharePoint audit logs deleted
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Logs deleted:
%4
|
|
|
|
|
|
Last date: %5
|
|
|
|
|
|
Audit logs
created before this date have been removed from SharePoint.
|
|
|
|
|
|
Purge
performed by LOGbinder: %6
|
|
|
|
|
|
21 Object moved
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
Title: %5
|
|
✘ 1
|
✘
|
✘
|
✘
|
Original location: %6
|
|
|
|
|
|
New location: %7
|
|
|
|
|
|
22 Object profile
changed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
Subtype: %5
|
|
✘ 1
|
✘
|
✘
|
✘
|
URL: %6
|
|
|
|
|
|
Title: %7
|
|
✘ 1
|
✘
|
✘
|
✘
|
Description: %8
|
|
✘ 1
|
✘
|
✘
|
✘
|
Profile
details: %9
|
|
|
|
|
|
23 SharePoint
object structure changed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
Subtype: %5
|
|
✘ 1
|
✘
|
✘
|
✘
|
URL: %6
|
|
|
|
|
|
Title: %7
|
|
✘ 1
|
✘
|
✘
|
✘
|
Description: %8
|
|
✘ 1
|
✘
|
✘
|
✘
|
Details: %9
|
|
|
|
|
|
24 Search performed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Search: %4
|
|
|
|
|
|
25 SharePoint group created
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Group
|
|
|
|
|
|
ID: %4
|
|
|
|
|
|
Name: %5
|
|
|
|
|
|
Initial
members: %6
|
|
|
|
|
✘
|
26 SharePoint
group deleted
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Group
|
|
|
|
|
|
ID:
%4
|
|
|
|
|
|
The group
name is not available because Microsoft does not report this. Refer to events
25, 27, 28, as these may contain the group name.
|
|
|
|
|
|
27 SharePoint
group member added
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Group
|
|
|
|
|
|
ID:
%4
|
|
|
|
|
|
Name: %5
|
|
|
|
|
✘
|
Member
|
|
|
|
|
|
ID:
%6
|
|
|
|
|
|
Name: %7
|
|
|
|
|
✘ 2
|
28 SharePoint
group member removed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Group
|
|
|
|
|
|
ID:
%4
|
|
|
|
|
|
Name: %5
|
|
|
|
|
✘
|
Member
|
|
|
|
|
|
ID:
%6
|
|
|
|
|
|
Name: %7
|
|
|
|
|
✘ 2
|
29 Unique permissions created
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Parent Object
|
|
|
|
|
|
Type: %4
|
|
|
|
✘
|
✘
|
Subtype: %5
|
|
|
|
✘
|
✘
|
URL: %6
|
|
|
|
✘
|
✘
|
Title: %7
|
|
|
|
✘
|
✘
|
Description: %8
|
|
|
|
✘
|
✘
|
Object
|
|
|
|
|
|
URL: %9
|
|
|
|
|
|
This object
no longer inherits permissions from the parent.
|
|
|
|
|
|
30 Unique
permissions removed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Parent Object
|
|
|
|
|
|
Type: %4
|
|
|
|
✘
|
✘
|
Subtype: %5
|
|
|
|
✘
|
✘
|
URL: %6
|
|
|
|
✘
|
✘
|
Title: %7
|
|
|
|
✘
|
✘
|
Description: %8
|
|
|
|
✘
|
✘
|
Object
|
|
|
|
|
|
URL: %9
|
|
|
|
|
|
This object,
which formerly had unique permissions, now inherits permissions from the
parent.
|
|
|
|
|
|
31 Permissions
updated
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
✘
|
✘
|
Subtype: %5
|
|
|
|
✘
|
✘
|
URL: %6
|
|
|
|
✘
|
✘
|
Title: %7
|
|
|
|
✘
|
✘
|
Description: %8
|
|
|
|
✘
|
✘
|
Target
|
|
|
|
|
|
Name: %9
|
|
|
|
|
✘
|
Type: %10
|
|
|
|
|
✘
|
Permissions
|
|
|
|
|
|
Role name: %11
|
|
|
|
|
✘
|
Role description: %12
|
|
|
|
|
✘
|
One instance
of this event is logged for each role assigned this user. Look at adjacent
events to determine all roles assigned to the user or group.
|
|
|
|
|
|
32 Permissions
removed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
✘
|
✘
|
Subtype: %5
|
|
|
|
✘
|
✘
|
URL: %6
|
|
|
|
✘
|
✘
|
Title: %7
|
|
|
|
✘
|
✘
|
Description: %8
|
|
|
|
✘
|
✘
|
Target
|
|
|
|
|
|
Name: %9
|
|
|
|
|
✘
|
Type: %10
|
|
|
|
|
✘
|
Permissions
|
|
|
|
|
|
Role name: %11
|
|
|
|
|
✘
|
Role description: %12
|
|
|
|
|
✘
|
33 Unique
permission levels created
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
URL: %5
|
|
|
|
|
|
Title: %6
|
|
✘ 1
|
✘
|
✘
|
✘
|
Description: %7
|
|
✘ 1
|
✘
|
✘
|
✘
|
This object has unique permission levels
(role definitions) that are not inherited from its parent.
|
|
|
|
|
|
34 Permission
level created
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
URL: %5
|
|
|
|
|
|
Title: %6
|
|
✘ 1
|
✘
|
✘
|
✘
|
Description: %7
|
|
✘ 1
|
✘
|
✘
|
✘
|
Permission Level Details
|
|
|
|
|
|
ID:
%8
|
|
|
|
|
|
Name: %9
|
|
|
|
|
|
Type: %10
|
|
|
|
|
✘
|
Description: %11
|
|
|
|
|
✘
|
Permissions
|
|
|
|
|
|
List permissions: %12
|
|
|
|
|
|
Site permissions: %13
|
|
|
|
|
|
Personal permissions: %14
|
|
|
|
|
|
35 Permission level deleted
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
URL: %5
|
|
|
|
|
|
Title: %6
|
|
✘ 1
|
✘
|
✘
|
✘
|
Description: %7
|
|
✘ 1
|
✘
|
✘
|
✘
|
Permission
Level Details
|
|
|
|
|
|
ID: %8
|
|
|
|
|
|
The
permission level name is not available because Microsoft does not report
this. Refer to events 34 or 36, as these may contain the name.
|
|
|
|
|
|
36 Permission
level modified
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
URL: %5
|
|
|
|
|
|
Title: %6
|
|
✘ 1
|
✘
|
✘
|
✘
|
Description: %7
|
|
✘ 1
|
✘
|
✘
|
✘
|
Permission Level Details
|
|
|
|
|
|
ID:
%8
|
|
|
|
|
|
Name: %9
|
|
|
|
|
|
Type: %10
|
|
|
|
|
✘
|
Description: %11
|
|
|
|
|
✘
|
Permissions
|
|
|
|
|
|
List permissions: %12
|
|
|
|
|
|
Site permissions: %13
|
|
|
|
|
|
Personal permissions: %14
|
|
|
|
|
|
37 SharePoint site collection
administrator added
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Administrator
|
|
|
|
|
|
ID: %4
|
|
|
|
|
|
Name: %5
|
|
|
|
|
✘ 2
|
38 SharePoint site collection
administrator removed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Administrator
|
|
|
|
|
|
ID: %4
|
|
|
|
|
|
Name: %5
|
|
|
|
|
✘ 2
|
39 Object restored
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
URL: %5
|
|
|
|
|
|
Title: %6
|
|
✘ 1
|
✘
|
✘
|
✘
|
Description: %7
|
|
✘ 1
|
✘
|
✘
|
✘
|
This object was restored from the Recycle
Bin.
|
|
|
|
|
|
40 Site collection
updated
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
41 Web updated
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
URL: %4
|
|
|
|
|
|
Title: %5
|
|
|
✘
|
✘
|
✘
|
Description: %6
|
|
|
✘
|
✘
|
✘
|
42 Document library updated
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
URL: %4
|
|
|
|
|
|
Title: %5
|
|
|
✘
|
✘
|
✘
|
Description: %6
|
|
|
✘
|
✘
|
✘
|
Library item
updated: %7
|
|
|
|
|
|
43 Document updated
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
URL: %4
|
|
|
|
|
|
Title: %5
|
|
|
✘
|
✘
|
✘
|
Version: %6
|
|
|
|
|
|
44 List updated
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
|
|
|
URL: %5
|
|
|
|
|
|
Title: %6
|
|
|
✘
|
✘
|
✘
|
Description: %7
|
|
|
✘
|
✘
|
✘
|
45 List item
updated
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
URL: %4
|
|
|
|
|
|
Title: %5
|
|
✘ 1
|
✘
|
✘
|
✘
|
46 Folder updated
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
URL: %4
|
|
|
|
|
|
Version: %5
|
|
|
|
|
|
47 Document viewed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
URL: %4
|
|
|
|
|
|
Title: %5
|
|
|
✘
|
✘
|
✘
|
Version: %6
|
|
|
|
|
|
48 Document library viewed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
URL: %4
|
|
|
|
|
|
Title: %5
|
|
|
✘
|
✘
|
✘
|
Description: %6
|
|
|
✘
|
✘
|
✘
|
49 List viewed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|
|
|
|
✘
|
Object
|
|
|
|
|
|
Type: %4
|
|
|
✘
|
✘
|
✘
|
URL: %5
|
|
|
|
|
|
Title: %6
|
|
|
✘
|
✘
|
✘
|
Description: %7
|
|
|
✘
|
✘
|
✘
|
50 Object viewed
|
|
|
|
|
|
Occurred: %1
|
|
|
|
|
|
Site: %2
|
|
|
|
|
|
User: %3
|
|