Auditing SharePoint Workspace activity

 

Applies to: SharePoint Workspace 2010, Groove Server 2010

Topic Last Modified: 2010-09-27

Groove Audit is an optional installation feature of the Groove Server 2010 Manager application. A Groove Server Manager policy enables auditing on SharePoint Workspace clients. In setting up your site, be aware that a single Audit installation is dedicated to a single specific Groove Server Manager installation; one Audit installation cannot support multiple Groove Server Manager installations. However, multiple Audit installations may be associated with a single Groove Server Manager installation.

Warning

Auditing SharePoint Workspace client events can have a significant impact on bandwidth usage, disk storage on clients and servers, and other system resources. Therefore, set the policy to enable client auditing only if necessary. To avoid disruption of other Groove Server Manager activities, install Auditing on a separate, dedicated Internet Information Services (IIS) front-end, with a separate, dedicated SQL back-end.
In addition, due to late-breaking changes in SharePoint Workspace 2010, some audit features may not work as expected. Microsoft recommends that you deploy this feature under the guidance of a qualified Microsoft Support Engineer.

Warning

If optional Audit policies are applied to SharePoint Workspace clients installed in non-NTFS environments (FAT or FAT32), you cannot secure audited files by using Access Control Lists (ACLs), and users can access and delete the files. To monitor such activity, you may want to check the Audit server SQL Security table where the Audit server reports file deletions and other events.

In this article:

  • About SharePoint Workspace auditing

  • Audit requirements

  • Installing SharePoint Workspace client auditing

  • Enabling auditing of SharePoint Workspace clients

  • Interpreting audit data

About SharePoint Workspace auditing

The Auditing option, available with Groove Server Manager, lets you set a policy that triggers auditing on managed SharePoint Workspace clients that have been configured accordingly. The Audit Service must be enabled on SharePoint Workspace clients for auditing to occur. Audited information is then collected and stored in SQL databases. Administrators can then use standard SQL-compatible reporting tools to view the logged data. Each Audit installation is associated with and depends on a single Groove Server Manager.

The Auditing capability has four components:

  • The SharePoint Workspace client audit log, which logs SharePoint Workspace user activity to an encrypted file on managed clients.

  • The Microsoft SharePoint Workspace Audit Service, which helps secure the audit trail for upload to the Groove Auditing application.

  • The Groove Auditing application, which collects the logs and stores them in an SQL database.

  • The Groove Server Manager Audit policy that controls what events should be audited.

Audit logs are immediately encrypted on SharePoint Workspace clients upon event creation, and are decrypted only after arrival at the Audit server. In addition, NTFS permissions are used to prevent unauthorized manipulation of logs and the Audit Service that manages them. The Audit Service purges client logs when they have been uploaded to the Auditing server and applies security credentials that prevent spoofing of the audit server and of other operating system users on the SharePoint Workspace client.

Auditing can have a significant impact on system resources. Therefore, you should use discretion when you set policies that enable and control auditing. Affected resources include the following:

  • Disk space on SharePoint Workspace clients (for temporary log storage)

  • Disk space on the SQL Server that supports Groove Audit (for audit databases)

  • Bandwidth to upload logs

  • Processing time to encrypt and decrypt logs

Audit requirements

Before you start setting up SharePoint Workspace client auditing, make sure that your setup will meet the requirements listed in the following table:

Hardware requirements Setup

Groove Server Manager

Install Groove Server Manager as described in Install and configure Groove Server 2010 Manager.

Install Groove Server Manager before you install the Auditing application.

Record the server name and logon credentials for future use.

SQL Server

Decide where you want to install the SQL database for auditing:

  • On a SQL Server that supports the primary Groove Server Manager, or

  • On a dedicated SQL Server

Record the server name, logon credentials, and Master Password (specified during installation) for later use in the Audit installation.

Groove Audit server

Install Groove Server Manager with the Audit feature on a server that meets the Groove Server Manager requirements described in System requirements for Groove Server 2010.

Note

Install auditing on a separate, dedicated server, following the procedures in this article. This recommended configuration minimizes the impact of auditing activities on other Groove Server Manager tasks.

Record the server name and logon for future use.

SharePoint Workspace client

Ensure that SharePoint Workspace 2010 is installed and running as follows:

  • Microsoft SharePoint Workspace 2010 (preferred) or Microsoft Office Groove 2007 must be installed on client computers.

  • Managed client accounts must be configured for SharePoint Workspace 2010 users in your management domain.

For information about how to deploy SharePoint Workspace 2010 in your organization, see Deploy SharePoint Workspace 2010.

For information about how to deliver managed account configuration codes to users, see Automate SharePoint Workspace account configuration/restoration.

For information about how to add users to a management domain, see Create a SharePoint Workspace user directory for Groove Server Manager.

SharePoint Workspace users

Ensure that Groove users are members of a Groove Server Manager domain.

For information about how to add users to a domain, see Create a SharePoint Workspace user directory for Groove Server Manager.

Installing SharePoint Workspace client auditing

The following procedure describes how to install Groove Server Manager with the Audit feature.

To install SharePoint Workspace client auditing

  1. Address the prerequisites described previously in this article in Audit requirements.

  2. After installing an initial Groove Server Manager front-end server, start the installation for Groove Server Manager with Auditing and follow the Setup wizard instructions to configure the server.

  3. When the Installation Options window appears, select Install Groove Server Manager with Groove Auditing. Selecting this option displays additional fields to configure SharePoint Workspace client auditing.

  4. Repeat the Groove Server Manager settings that were used for the initial (primary) Groove Server Manager installation, specifically:

    • Specify the same SQL Server name that was used for the primary installation.

    • Specify the same Groove Server Manager database that was used for the primary installation.

  5. When the Audit Server Configuration page appears, enter the required information, as described in the following table:

Groove Auditing Configuration Fields Explanations

Use the following SQL Server Login

Select this check box to specify native SQL Server authentication.

If you leave this option cleared, current logon credentials will be used for authentication.

User Name

Enabled only if Use the following SQL Server Login is selected.

Type your logon information for the SQL Server to be used for auditing information.

Note

Make sure that the logon gives you database creation permissions.

Password

Enabled only if Use the following SQL Server Login is selected.

Type the password for the SQL Server to be used.

Database Information

SQL Server Name

Type the host name or IP address of the SQL Server to be used for auditing information.

Database Name

Type the SQL database name for the SharePoint Workspace Audit Service, such as auditDb. The Installer creates this database, where the Audit Service will store collected client audit logs.

  6. Click Next.

  7. When asked for a Master Password, enter the Master Password that was specified during installation of the primary Groove Server Manager front end.

  8. Follow the Install wizard to the final window and then click Finish. The Groove Server Manager administrative Web site opens.

Enabling auditing of SharePoint Workspace clients

The following procedure describes how to set the policy that enables SharePoint Workspace client auditing of management domain members. By default, the policy is cleared (disabled).

To enable auditing of SharePoint Workspace clients

  1. Enable client auditing from the Groove Server Manager administrative Web site as follows:

    1. Install Groove Server Manager to support client auditing, as described in Installing SharePoint Workspace client auditing.

    2. From the Groove Server Manager administrative Web site, select the domain in the navigation pane, expand Policies, and then click Default or another policy template that you want to update.

    3. Click the Audit Policies tab.

    4. Under Audit Server Policies, in the Audit Server URL text field, enter the URL for the Audit server (for example, http://grooveaudit.contoso.com).

    5. In the Upload audit logs every field, enter the number of minutes, hours, or days to set the audit log upload interval.

    6. Under SharePoint Workspace Client Events, select the client and workspace events that you want to audit.

    7. Under Tool Events, select the tools that you want to audit.

    8. Set any other audit policies as needed.

      Note

      Enabling the option, Audit the contents of files added to tools, will have an exceptionally high impact on bandwidth, disk storage on clients and servers, and other system resources.

    9. Click Save Changes in the toolbar.

When management domain members log on and receive the audit policy, client activity will be logged and dispatched to SQL databases where you can view it. The Audit Service will be running on SharePoint Workspace clients and AuditService.exe will appear in the Windows Task Manager.

Interpreting audit data

Auditing data, generated via the optional Groove Auditing feature of the Groove Server Manager, is encrypted and stored on SharePoint Workspace clients so that only the Audit application can decrypt and read the data. Once the client reports the data, the Audit application decrypts and parses the data into relational database tables in a SQL directory. The following information provides background for understanding the data and the relationships among data tables. You can use this information to create customized Audit reports using SQL-compatible reporting tools. In addition, the Audit Server provides two Views that you may want to use as a starting point for generating your own SQL Views from the audit server tables:

  • Auditv_EventAttributes

  • Auditv_EventProperties

A typical Groove client audit trail entry looks as follows, when it is decrypted:

<E _ag="s3shybqzefebxvp9h8zgg68hs3un89ggr6qqr4i" _c="7" _dt="06/30/2004 13:03:39:28"
   _in="2137 Bill 3" _iu="grooveIdentity://9ht6sitjgpv69xa93ez2iirp77ibugbi@" _q="886" _t="903">
  <INV _bd="" _rc="0" _rn="2139 Bill 2" _ro="Manager" _ru="grooveIdentity://wcdfuqfaf8h5jet43cx9s9pxm4zxqqws@"
       _sip="" _sn="http://wss1/sites/Site1/WeB%203/default.aspx" _su="grooveTelespace://pk4vegikcyf7sqaeg3t4habyq9fasgnpmr582hs"
       _vm="0" _zn="2137 Bill 3" _zu="grooveIdentity://9ht6sitjgpv69xa93ez2iirp77ibugbi@" />
</E>

The following table lists and summarizes the SQL tables associated with this client information:

| Groove Audit Data | SQL Table | Description and Contents |
| --- | --- | --- |
| Main Event-specific Data | audit_LogEntryProperties | Seven attributes, common to all audit trail entries: Account GUID (_ag), Event Category (_c), Event Time (_dt), Identity Name (_in), Identity URL (_iu), Sequence Number (_q), Event Type (_t). One table entry is associated with each device GUID/Sequence Number pair (sequence numbers are unique to each Groove computer). |
| Main Event-specific Data | audit_EventCatagoryReadableNames | Mapping of Event Categories to their readable names. |
| Main Event-specific Data | audit_EventTypeReadableNames | Mapping of Event Types to their readable names. |
| Other Event-specific Data | audit_LogEntryAttributes | This data, which exists only in an enclosed XML element, is stored in a series of name/value pairs that correspond to the XML attribute name/value pairs found in the enclosed XML element. One table entry is associated with a DeviceGUID/Sequence Number/Attribute name combination. Typically, this table holds many entries - one for each client event. Each recognized attribute name is preceded by an underscore, and is usually relatively short, to minimize network traffic. |
| Other Event-specific Data | audit_AttributeReadableNames | Maps the attribute names to their readable names. |
| Session Data | audit_LogSessionProperties | Logs four pieces of information: Device GUID, time that the session started, hostname of the device, logged in (OS) user. |
| Current Device-specific Data | audit_Devices | Current device-specific information, including the device GUID, the last time log data was received, and the last sequence number received for a device. |
| Current Device-specific Data | audit_FileStorage | Files, indexed by their digests so that no file names appear in the table. The Audit log file-specific entries reference files by these digest values. |
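The split described above, where the seven common attributes of an entry go to audit_LogEntryProperties and the enclosed element's name/value pairs go to audit_LogEntryAttributes, can be reproduced on a decrypted entry as follows. This is an added example, not Microsoft's code: the function name, the row layouts, and the device GUID value are assumptions, since the page does not give the tables' column names.

```python
import xml.etree.ElementTree as ET

# The seven attributes the page lists as common to every audit trail entry.
COMMON = {"_ag": "Account GUID", "_c": "Event Category", "_dt": "Event Time",
          "_in": "Identity Name", "_iu": "Identity URL",
          "_q": "Sequence Number", "_t": "Event Type"}

# The page's sample entry with most INV attributes trimmed for brevity.
SAMPLE = (
    '<E _ag="s3shybqzefebxvp9h8zgg68hs3un89ggr6qqr4i" _c="7" '
    '_dt="06/30/2004 13:03:39:28" _in="2137 Bill 3" '
    '_iu="grooveIdentity://9ht6sitjgpv69xa93ez2iirp77ibugbi@" _q="886" _t="903">'
    '<INV _rn="2139 Bill 2" _ro="Manager" _vm="0" _zn="2137 Bill 3" />'
    '</E>'
)

def split_entry(xml_text, device_guid):
    """Return (properties_row, attribute_rows) for one decrypted entry.

    device_guid is passed in by the caller (assumption): the page lists it
    with the session data, not among the entry's own attributes.
    """
    # Audit entries carry no DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected here")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed audit entry: {exc}") from exc
    missing = sorted(set(COMMON) - set(root.attrib))
    if root.tag != "E" or missing:
        raise ValueError(f"not an audit entry: tag={root.tag!r}, missing={missing}")
    seq = int(root.attrib["_q"])
    props = {"device_guid": device_guid, "sequence": seq}
    props.update({COMMON[k]: root.attrib[k] for k in COMMON})
    # One row per DeviceGUID / Sequence Number / attribute name combination.
    rows = [(device_guid, seq, child.tag, name, value)
            for child in root for name, value in child.attrib.items()]
    return props, rows

if __name__ == "__main__":
    props, rows = split_entry(SAMPLE, "constructed-device-guid")
    print(props)
    for row in rows:
        print(row)
```

An entry that fails to parse or lacks one of the seven common attributes raises ValueError, so a damaged or truncated record is rejected instead of producing a partial row.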