Why are my SharePoint Audit Logs missing the MachineName and MachineIP data?
January 2, 2009 Leave a comment
Audit Log Reporting seems to be one of those topics within SharePoint that is still a little misunderstood. I have blogged on it before here, and suggest that if you are not familiar with Audit Logs that you view that post quickly before reading on. There is also an overview which can be read here on the office.microsoft.com site.
I received a question about Audit Log Reporting from one of the readers of my blog a few months ago, and since then it hasn't been the first time I've heard it :
I read your blog about SharePoint Audit Log Report. I'm trying to get a report but I cannot get the "Machine Name" and "Machine IP" data. Can you help me? Is there any settings that I'm missing?
My answer was that there were no settings missing, and unfortunately the data missing is by design.
Here is a row taken straight from the Audit table :
|Site Id||Item Id||Item Type||User Id||Machine Name||Machine IP||Document Location||Location Type||Occurred (GMT)||Event||Custom Event Name||Event Source||Source Name||Event Data|
|ed91340f-e335-45d2-82f3-c6521eb23fc0||59af845e-b604-436e-9c08-0a948a27d996||Document||NT AUTHORITYlocal service||_catalogs/masterpage/Editing Menu/CustomSiteAction.xml|
As you can see the MachineName and MachineIP values are mysteriously null, in fact querying the table for a row where they were not null returns zero results, they are never used. Unfortunately the reason in this case is to view KB939246, which has the following as a cause : The values in the MachineIP column and in the MachineName column appear as NULL because of privacy concerns. By design, Windows SharePoint Services 3.0 works in this manner.
This feature is not going to be reporting MachineName or MachineIP of actions in the audit log any time soon, it is a bit of a shame because I can imagine some occasions where this could be useful. Keep in mind that your IIS logs will still contain all the IP information, and if you have a timestamp you should have no problem tracing that request back to a particular IP. Unless you have your site set to be edited by anonymous users, the UserID field is going to be far more valuable when utilizing these reports, however you may need to perform a join to the userinfo before you will get anything particularly relevant out of it, i.e.
SELECT UserInfo.tp_Login AS UserLogin, UserInfo.tp_Title AS UserTitle, AuditData.SiteId, AuditData.ItemId, AuditData.ItemType, AuditData.DocLocation,
AuditData.Occurred, AuditData.Event, AuditData.EventName, AuditData.EventSource, AuditData.SourceName, AuditData.EventData
INNER JOIN UserInfo ON AuditData.UserId = UserInfo.tp_ID
I would not be surprised if the functionality to turn back on the MachineIP and MachineName reporting could be enabled by flicking a switch in the registry or database, but as yet I have had no luck finding it. Maybe someone else out there will, good luck!