SharePoint 2013: How to read the SharePoint Audit Log using PowerShell (I)!

SharePoint 2013, like its previous versions, offers auditing functionality that records what happens at the Site Collection, Site and List / Library level: documents and list items viewed by users, documents downloaded, security changes, etc. The information in the audit log is available through the user interface or through the SharePoint API, using classes such as SPAuditQuery, SPAuditEntryCollection or SPAuditEntry. In this article I will share how to read the audit log using these classes from a PowerShell script that you can download from the following link:

 https://gallery.technet.microsoft.com/scriptcenter/site/mydashboard?pageIndex=10

############################################################################################################################################
# This script gets the Audit Log information for a Site Collection
# Required Parameters:
#    ->$sSiteCollection: Site Collection Url.
#    ->$iUserID: ID of the User we want to get all the required information.
############################################################################################################################################

If ((Get-PSSnapIn -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null )
{ Add-PSSnapIn -Name Microsoft.SharePoint.PowerShell }

$host.Runspace.ThreadOptions = "ReuseThread"

 

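#Definition of the function that gets information about a user by user ID
function GetSiteUserByID
{
    param ($sSiteCollection,$iUserID)
    $sUserName=""
    $spSite=$null
    $spwWeb=$null
    try
    {
        $spSite=Get-SPSite -Identity $sSiteCollection
        $spwWeb=$spSite.OpenWeb()
        # Throws if the ID is not in the web's user collection; handled by the catch below
        $spUser=$spwWeb.Users.GetByID($iUserID)
        $sUserName=$spUser.Name
    }
    catch [System.Exception]
    {
        $sUserName="User Not Found"
    }
    finally
    {
        # Release the SharePoint objects even when the lookup fails
        if ($spwWeb -ne $null) { $spwWeb.Dispose() }
        if ($spSite -ne $null) { $spSite.Dispose() }
    }
    return $sUserName
}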

 

#Definition of the function that queries the audit log
function GetAuditLogForASiteCollection
{
    param ($sSiteCollection)
    $spSite=$null
    $spwWeb=$null
    try
    {
        $spSite=Get-SPSite -Identity $sSiteCollection
        $spwWeb=$spSite.OpenWeb()
        # No restrictions are set on the query, so it is not narrowed by user, event type or date
        $spAuditQuery=New-Object Microsoft.SharePoint.SPAuditQuery($spSite)
        $spAuditEntries=$spSite.Audit.GetEntries($spAuditQuery)
        Write-Host "# of records in the Audit Log: " $spAuditEntries.Count -ForegroundColor Green
        foreach($spAuditEntry in $spAuditEntries){
            # Resolve the numeric user ID stored in the entry to a display name
            $sUser=GetSiteUserByID -sSiteCollection $sSiteCollection -iUserID $spAuditEntry.UserId
            Write-Host "Doc Location: " $spAuditEntry.DocLocation " - Event: " $spAuditEntry.Event " - User: " $spAuditEntry.UserId ";" $sUser -ForegroundColor White
        }
    }
    catch [System.Exception]
    {
        Write-Host -f red $_.Exception.ToString()
    }
    finally
    {
        # Release the SharePoint objects even when the query fails
        if ($spwWeb -ne $null) { $spwWeb.Dispose() }
        if ($spSite -ne $null) { $spSite.Dispose() }
    }
}

 

Start-SPAssignment -Global
#Calling the function
$sSiteCollection="http://<Site_Collection_Url>"
GetAuditLogForASiteCollection -sSiteCollection $sSiteCollection
Stop-SPAssignment -Global

Remove-PSSnapin Microsoft.SharePoint.PowerShell

After executing the script, you should get an output window like the following one:

image
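
The script above reads the whole audit log and opens the site once per entry to resolve the user. As an added example (not part of the original script), the same SPAuditQuery class can restrict the query to security-related events in a time window, resolve each user only once, and export the result for review. The function name, the 7-day default, the list of event types and the CSV path are assumptions chosen for illustration.

```powershell
# Added example: query only security-related audit events and export them to CSV.
If ((Get-PSSnapIn -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null )
{ Add-PSSnapIn -Name Microsoft.SharePoint.PowerShell }

function Get-SecurityAuditEntries   # hypothetical name
{
    param ([string]$sSiteCollection, [int]$iDays = 7)
    $spSite = Get-SPSite -Identity $sSiteCollection -ErrorAction Stop
    try
    {
        $spAuditQuery = New-Object Microsoft.SharePoint.SPAuditQuery($spSite)
        # Restrict the time range instead of reading the whole log
        $spAuditQuery.SetRangeStart((Get-Date).AddDays(-$iDays))
        $spAuditQuery.SetRangeEnd((Get-Date))
        # Keep only permission, group and audit-settings changes (illustrative selection)
        $events = "SecGroupCreate","SecGroupDelete","SecGroupMemberAdd","SecGroupMemberDel",
                  "SecRoleBindUpdate","SecRoleBindBreakInherit","SecRoleDefModify","AuditMaskChange"
        foreach ($e in $events)
        {
            $spAuditQuery.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]$e)
        }

        # Cache ID -> login name so each user is resolved once
        $userNames = @{}
        foreach ($spAuditEntry in $spSite.Audit.GetEntries($spAuditQuery))
        {
            $id = $spAuditEntry.UserId
            if (-not $userNames.ContainsKey($id))
            {
                try { $userNames[$id] = $spSite.RootWeb.SiteUsers.GetByID($id).LoginName }
                catch { $userNames[$id] = "User Not Found" }
            }
            New-Object PSObject -Property @{
                Occurred    = $spAuditEntry.Occurred   # stored in UTC
                Event       = $spAuditEntry.Event
                UserId      = $id
                User        = $userNames[$id]
                DocLocation = $spAuditEntry.DocLocation
                EventData   = $spAuditEntry.EventData
            }
        }
    }
    finally { $spSite.Dispose() }   # also releases RootWeb
}

Get-SecurityAuditEntries -sSiteCollection "http://<Site_Collection_Url>" |
    Sort-Object Occurred | Select-Object Occurred,Event,UserId,User,DocLocation,EventData |
    Export-Csv -Path ".\SecurityAudit.csv" -NoTypeInformation
```

Entries are returned only for event types that are enabled in the site collection's audit settings, so an empty result can mean that security changes are not being audited rather than that none occurred.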

 
