Question

It seems there is no simple way to only return results from an SPWeb and not the entire site collection when using SPAuditQuery to query the audit log. It's possible to use both:

SPSite.Audit.GetEntries(query);
SPWeb.Audit.GetEntries(query);

But according to the documentation either of them will return results for the entire site collection (http://msdn.microsoft.com/en-us/library/ms458658%28v=office.14%29.aspx).

Is it possible to restrict the SPAuditQuery to return only events on a single SPWeb?


Solution 2

I found a workaround that works in my case, but is resource heavy.

What I do is this:

  1. Get all audit events over the last 30 days for the site collection.
  2. Using depth-first traversal, find all entries where SPAuditEntry.DocLocation starts with the server-relative URL of that web (remove the leading /). Remove these entries and place them in a separate list for processing.

As the tree is processed, each web in the tree will only return entries that are specifically associated with it. For leaf nodes, no other entries will have a DocLocation beginning with the web's server-relative URL, and for nodes above them the entries for descendant nodes will already have been removed.

This should give me a complete set of events grouped for each web in the tree. In my code I process and dispose the webs as they are reached to prevent too many webs from residing in memory.
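
The workaround described in this answer, as an added C# example that is not the answerer's own code. The class and method names are hypothetical; the path-boundary check (so that `sites/a/sub` does not claim entries of a sibling `sites/a/sub2`) and leaving entries with no DocLocation on the root web are assumptions beyond what the answer states.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

// Hypothetical helper: groups site-collection audit entries by the web they belong to.
static class WebAuditPartitioner
{
    // True when docLocation lies at or below the web's server-relative URL.
    static bool BelongsTo(string docLocation, string webUrl)
    {
        string prefix = webUrl.Trim('/');
        if (prefix.Length == 0) return true;        // root web takes whatever is left
        if (docLocation == null) return false;      // DocLocation is nullable in AuditData
        string loc = docLocation.TrimStart('/');
        // Assumption: require a '/' boundary so "a/sub" does not match "a/sub2/...".
        return loc.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)
            && (loc.Length == prefix.Length || loc[prefix.Length] == '/');
    }

    // Depth-first: children claim their entries before the parent sees them.
    static void Visit(SPWeb web, List<SPAuditEntry> remaining,
                      Dictionary<Guid, List<SPAuditEntry>> byWeb)
    {
        foreach (SPWeb child in web.Webs)
        {
            try { Visit(child, remaining, byWeb); }
            finally { child.Dispose(); }            // keep few webs open at once
        }
        string url = web.ServerRelativeUrl;
        byWeb[web.ID] = remaining.FindAll(e => BelongsTo(e.DocLocation, url));
        remaining.RemoveAll(e => BelongsTo(e.DocLocation, url));
    }

    public static Dictionary<Guid, List<SPAuditEntry>> Partition(SPSite site, int days)
    {
        var query = new SPAuditQuery(site);
        query.SetRangeStart(DateTime.UtcNow.AddDays(-days)); // e.g. 30, as in the answer

        var remaining = new List<SPAuditEntry>();
        foreach (SPAuditEntry entry in site.Audit.GetEntries(query))
            remaining.Add(entry);

        var byWeb = new Dictionary<Guid, List<SPAuditEntry>>();
        Visit(site.RootWeb, remaining, byWeb);      // RootWeb is owned by the SPSite
        return byWeb;
    }
}
```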

OTHER TIPS

It looks like it's not possible without manual filtering.

All the entries are stored in the site collection database in the table dbo.AuditData, so GetEntries is just a method to get the data from the table. Let's look at the table structure:

[dbo].[AuditData](
    [SiteId] [uniqueidentifier] NOT NULL,
    [ItemId] [uniqueidentifier] NOT NULL,
    [ItemType] [smallint] NOT NULL,
    [UserId] [int] NULL,
    [MachineName] [nvarchar](128) NULL,
    [MachineIp] [nvarchar](20) NULL,
    [DocLocation] [nvarchar](260) NULL,
    [LocationType] [tinyint] NULL,
    [Occurred] [datetime] NOT NULL,
    [Event] [int] NOT NULL,
    [EventName] [nvarchar](128) NULL,
    [EventSource] [tinyint] NOT NULL,
    [SourceName] [nvarchar](256) NULL,
    [EventData] [nvarchar](max) NULL
)

As you can see, there is no WebId column or anything like it, which means there is no way to filter entries by that attribute.

As I understand it, there is a "Web" value in the ItemType column, but that is only for audit events directly related to the web itself, not for events on the web.

To sum up, there are no options to restrict SPAuditQuery in the way you need.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange