• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 323
  • Last Modified:

audit records

As we know in SharePoint, there's an audit log of everything that happens.  

When I was describing this capability to someone, they asked me if an administrator can turn the log off, sneak in and snoop in user files, then turn it back on, and subsequently have no record of the fact that the administrator snooped. Is this true?  

The reason I ask is that we're having the inevitible situation where some user is realizing that an IT user can get to people's files.  I was describing to them that this is not an uncommon situation in IT, and explaining that this is why we a framework and procedures in place to counterbalance this risk.  Things like:

-Background Investigations on new hires, and 5 year check-ins on existing employees
-SharePoint Audit logs, server logs, network logs, etc
-and not letting any one person be a single point of failure for any given system

So they challeneged the notion of Audit Logs speculating that an admin could go in turn logging off, do something michevious, and then turn logging back on.  

1) Is this a weakness?
2) Are there any other ways that you mitigate this inevitible "risk"

  • 2
  • 2
2 Solutions
That is correct , but I don't consider it a weakness , all systems have the same type of functionality.

It could be a problem if a single person is doing all the work .

best practice to have multiple administrators and have different admins have different roles.

Audit in sharepoint can be a bit heavy on SQL , so you can enable / disable it at the site collection level with the proper level of detail [that is done at setup time].

You can actually audit the audit settings changes themselves and that can be done by a higher non SharePoint entity.

hope that helps.

Also , there are 3rd party products that monitors the audit log changes , that are external to sharepoint .




That can be managed by your Security officer and not your SharePoint admin

Best of luck.

zephyr_hex (Megan)DeveloperCommented:
an IT person could "snoop" without turning off the Audit Logs.  sharepoint Audit Logs are based on IIS activity...

a smart IT person would just query the SQL backend... where all sharepoint data is stored.
zephyr_hex (Megan)DeveloperCommented:
tracking changes to audit log settings seems like a backwards method, too.  i mean, the IT snoop can always edit the audit log file directly and delete the "offending" lines.  monitoring changes to the audit log settings won't track that...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now