Hello,
I have encountered a problem with the SharePoint audit system, the last few read operations are missing from the audit.
My problem was the same as described here:
https://social.msdn.microsoft.com/Forums/en-US/364aba87-b19d-48a8-af12-8454f253f8f2/while-fetching-the-audit-log-programmatically-last-downloaded-document-is-not-fetched-from-auditing?forum=sharepointdevelopmentprevious
But after investigating I have found that its more than that, the same problem (missing last read events from the audit) also happens when Im using PowerShell to retrieve the audit, and even when generating audit report from the site settings the excel is missing some audit entries.
The missing audit shows up with the correct time only after I perform an operation such as switching to a different page in the site (thats why normally when generating audit report no entries are missing because you need to switch to the site settings page).
I have couple of scenarios to reproduce the problem:
- Using PowerShell
Open up a PowerShell and run the following commands:
Add-PSSnapin Microsoft.SharePoint.PowerShell
$s1 = Get-SPSite "http://sp-site-url/"
$q1 = New-Object Microsoft.SharePoint.SPAuditQuery($s1)
$s = Get-Date
$s = $s.ToUniversalTime()
Now, go to the SharePoint site that you want to retrieve audit from and download a file from it.
After downloading the file go back to the PowerShell and enter:
$e = Get-Date
$e = $e.ToUniversalTime()
$q1.SetRangeEnd($e)
$q1.SetRangeStart($s)
$s1.Audit.GetEntries($q1)
You should see that a view event on the file youve downloaded is missing.
Go back to the site, switch to a different page (go to site settings for example).
And now, back in the PowerShell, enter the command:
$s1.Audit.GetEntries($q1)
Youll notice that now the view entry is present there.
- Using Custom Audit Report
This scenario will show that audit is not only missing when collecting it from SPAPI or PowerShell scripts, but its missing even when using the auditing reports from the site collection administration.
First, open the site settings, go to Audit log reports, and go to Run a custom report.
In the custom report settings check all the events, and select a time frame of the next 5 minutes.
Leave this page as is and open a new page in addition, the same site collection that youre about to generate audit report on, from this new page download a file.
Go to the audit report window and click OK to generate the audit report.
You should see that the view event on the downloaded file is missing from the audit report.
Just to be more clear, in both the scenarios Ive given, lets say that I want to collect all the audit on the site collection between 16:00 to 16:05, and at 16:02 I go to a site and download a file Ive used PDF files and not text files to avoid browser caching which also cause loss of audit, but thats because of the caching so its not a real new download that is missing.
So, in both ways of audit collection (using PowerShell or the audit report generator) when Ill collect all the audit between 16:00 to 16:05 I wont see the file download (view event) in the audit (assuming, of course, that I havent performed another action after downloading the file).
If then Ill go to a different page on the site, and again collect all the audit between 16:00 to 16:05 I will see the file download at 16:02.
This means that the audit I collect (in either way) is unreliable, and if I collect audit periodically (each time I collect audit for the last 5 minutes) it means that there might be audit entries that Ill never retrieve.
Is there a working workaround for this issue? Will it be fixed any time soon?
Thanks.
- Edited by mnidan Tuesday, April 21, 2015 2:54 PM
Other recent topics
