How to trim Audit Logs in SharePoint 2007 & 2010

Auditing enables administrators to keep a reliable log of what is happening with important content in a site collection. Administrators can retrieve the entire history of actions taken by a particular user, or the entire history of actions taken during a particular date range. In the SharePoint content database there is a table named AuditData. This table stores the audit logs when auditing is enabled on sites, lists or libraries. Once auditing is enabled, this table grows continuously and can quickly consume the storage space on your SQL Server. At that point you need to delete the older audit logs stored in your content database.

For SharePoint 2007 there is an STSADM command for clearing audit data for maintenance purposes (it is deprecated in SharePoint 2010).

To clear old audit logs, follow these steps:

1)      Open a Command Prompt with administrator privileges on one of your SharePoint servers.
2)      Change to the following path:
cd c:\program files\common files\microsoft shared\web server extensions\12\Bin
3)      Run the following command, replacing the content database name with your own:
stsadm -o trimauditlog -date 20120822 -databasename MyContentDatabaseName
Important: The audit entries before the given date are permanently deleted after this operation has run.

SharePoint 2007 does not perform this operation automatically (this is by design). The responsibility is assigned to system administrators as a maintenance task and should be carried out manually and periodically. For more information about trimauditlog, see: http://technet.microsoft.com/en-us/library/cc706879.aspx

For SharePoint 2010 there is a dedicated timer job for this operation. Its default schedule is monthly.

1)      Go to Central Administration -> Monitoring -> Review Job Definitions.

2)      Every site has its own Audit Log Trimming job. Select the job for your site.
3)      Click the “Run Now” button.

Note that when you run this timer job, it uses the retention value (for example, 3) that you set in Site Settings -> Site Collection Audit Settings.
Even if you set “Automatically trim the audit log for this site” to Yes and set the retention to 3 days (as in the example), the logs are not deleted from the content database until the “Audit Log Trimming” timer job runs. After the timer job runs, the logs older than the retention value (3 days in the example) are deleted.

What if you set “Automatically trim the audit log for this site” to No? How can you clear old logs?

There is another way to do it, using PowerShell. Here you can pass a date as a parameter, as with the stsadm command.

1)      Run the SharePoint 2010 PowerShell console with administrator privileges.
2)      Type the following commands:
$site = Get-SPSite http://yoursitecollectionURL
$date = Get-Date "22/08/2012"
# Check the date format: type $date and press Enter.
$date
# Result like: 22 August 2012 00:00:00
# Make sure the date is correct, because it can be interpreted differently depending on regional settings. If the date is correct, continue:
$site.Audit.DeleteEntries($date)

You can follow what is happening in the background by tracing the ULS logs in real time. You can also see how many records were deleted.
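
An added example (not from the original article) that goes one step beyond the commands above: it parses the cut-off date independently of regional settings, archives the entries that are about to be removed to CSV, and reports the count returned by DeleteEntries. The site URL, cut-off date and archive folder are placeholder values.

```powershell
# Added example: archive, then trim, audit entries older than a cut-off date.
# Run in the SharePoint 2010 Management Shell with administrator privileges.
# $SiteUrl, $Cutoff and $ArchiveDir are placeholders - change them.
$SiteUrl    = 'http://yoursitecollectionURL'
$Cutoff     = '2012-08-22'        # yyyy-MM-dd, not affected by regional settings
$ArchiveDir = 'D:\AuditArchive'   # assumed to exist and to be access-restricted

# Parse with an explicit format so 22/08 and 08/22 can never be confused.
$culture = [System.Globalization.CultureInfo]::InvariantCulture
$date    = [DateTime]::ParseExact($Cutoff, 'yyyy-MM-dd', $culture)

$site = Get-SPSite $SiteUrl
try {
    # Select the audit entries up to the cut-off date.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeEnd($date)
    $entries = $site.Audit.GetEntries($query)

    if ($entries.Count -eq 0) {
        Write-Host "No audit entries found before $Cutoff - nothing to trim."
    }
    else {
        # Keep a copy first: trimmed entries cannot be recovered from SharePoint.
        $csv = Join-Path $ArchiveDir ("audit-{0}-before-{1}.csv" -f $site.ID, $Cutoff)
        $entries |
            Select-Object Occurred, UserId, Event, ItemType, ItemId, DocLocation, EventData |
            Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

        # Refuse to delete if the archive file was not written.
        if (-not (Test-Path $csv)) { throw "Archive $csv is missing - nothing deleted." }
        Write-Host ("Archived {0} entries to {1}" -f $entries.Count, $csv)

        # DeleteEntries returns the number of entries it deleted.
        $deleted = $site.Audit.DeleteEntries($date)
        Write-Host ("Deleted {0} audit entries before {1:yyyy-MM-dd}" -f $deleted, $date)
    }
}
finally {
    $site.Dispose()               # release the SPSite object
}
```

GetEntries loads every matching entry into memory, so on a very large AuditData table archive in smaller date ranges by also calling SetRangeStart on the query.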

See you in the next article.


How to collect IIS Logs for a SharePoint Web Application

Hello All,

When working with Microsoft Support on some cases, the support engineers (like me) may request IIS logs for investigation.
In this article I explain how to collect IIS logs correctly.

1) You have to identify your IIS web site in the IIS console, because your site URL and your web application name can be different.
First connect to Central Administration and click the “Manage Web Applications” link.

In this example, my Web Application name is SharePoint – 8080.

2) Open IIS Manager, then find and click your web application name.

3) Click “Advanced Settings” in the Actions pane.

4) Note your IIS site ID; in this example it is 1442344892.

5) Click the “Logging” icon.

6) Find the folder in which the IIS logs are kept.

7) Open this folder in Windows Explorer and find the subfolder that matches your IIS site ID. In this scenario the folder is W3SVC1442344892.
You can open Windows Explorer with “Start” -> “Run”: paste the path highlighted in the screenshot above and press Enter.

8) Open that folder and sort by “Modified Date” in descending order.

9) Collect the files that cover the time at which your problem or issue occurred. If you have a workspace opened by Microsoft and your files are large, you can compress them with a compression program.

Notes: IIS buffers log entries in memory for a while before writing them to the log file (until the log buffer chunk reaches its maximum size). If you want to capture the latest records, you may need to run iisreset, or open a command prompt and type “netsh http flush logbuffer” (this command tells http.sys to flush its logs), to force IIS to write the cached log chunk to the log file. If you are looking for old records, in files whose “Modified Date” is earlier than the last log date, you do not need this operation.
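
The steps above as a script, added here as an example and not part of the original article: it reads the site ID and log directory from IIS, flushes the log buffer, and copies the log files that overlap the time of the issue. The site name, time window and destination folder are placeholders, and the WebAdministration module is assumed to be available (it ships with IIS 7.5 on Windows Server 2008 R2).

```powershell
# Added example: locate and copy the IIS logs for one SharePoint web application.
# Run in an elevated PowerShell prompt on the web server.
# $WebAppName, $IssueStart, $IssueEnd and $Dest are placeholders - change them.
Import-Module WebAdministration

$WebAppName = 'SharePoint - 8080'     # copy the exact site name from IIS Manager
$IssueStart = Get-Date -Year 2012 -Month 8 -Day 22 -Hour 9  -Minute 0 -Second 0
$IssueEnd   = Get-Date -Year 2012 -Month 8 -Day 22 -Hour 12 -Minute 0 -Second 0
$Dest       = 'C:\Temp\IISLogs'

# Steps 2-6: read the site ID and the configured log directory from IIS.
$iisSite = Get-Item ("IIS:\Sites\{0}" -f $WebAppName)
$logRoot = [Environment]::ExpandEnvironmentVariables($iisSite.logFile.directory)

# Step 7: the per-site folder is W3SVC followed by the site ID.
$logDir = Join-Path $logRoot ("W3SVC{0}" -f $iisSite.id)
if (-not (Test-Path $logDir)) { throw "Log folder not found: $logDir" }

# Note above: flush the http.sys buffer so the newest requests are on disk.
netsh http flush logbuffer | Out-Null

# Steps 8-9: a file overlaps the issue if it was created before the issue
# ended and last written after the issue started.
$files = Get-ChildItem -Path $logDir -Filter *.log |
    Where-Object { $_.CreationTime -le $IssueEnd -and $_.LastWriteTime -ge $IssueStart } |
    Sort-Object LastWriteTime -Descending

New-Item -ItemType Directory -Path $Dest -Force | Out-Null
$files | Copy-Item -Destination $Dest
$files | Select-Object Name, Length, LastWriteTime
```

W3C-format IIS logs record request times in UTC, so convert the local time of the issue before searching inside the copied files. The files contain client IP addresses and user names, so hand them over only through the support workspace.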

Happy log hunting 🙂

SharePoint 2010 DistributedCOM error in system event logs

If you are getting DistributedCOM errors like:


The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{61738644-F196-11D0-9953-00C04FD919C1} and APPID
{61738644-F196-11D0-9953-00C04FD919C1} to the user <DOMAIN\user> SID (<ID>) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

For the solution, see:
http://social.msdn.microsoft.com/Forums/da-DK/tfsadmin/thread/883b5f1c-1718-4b9a-a6c8-bf32c5d4d6d2

Getting Process Monitor logs for MS Support services

In this article I describe how to capture a Process Monitor log to send to Microsoft Support Services.

1)      Download Process Monitor from this link and install it on your client machine.
http://technet.microsoft.com/en-us/sysinternals/bb896645

2)      Run Process Monitor. Please do not define any filter, and select the options marked with red rectangles in the screenshot.

3)      Reproduce the error or issue as quickly as possible.

4)      To save, select File -> Save to open the save dialog window.
Select “All events”.
For the format, select “Native Process Monitor Format (PML)”.

5)      Upload the log files.

NOTE: If you need to transfer these files to Microsoft File Services, please compress them into a zip file. If the zip file is bigger than 5GB, please split it into multiple files smaller than 5GB.

Troubleshooting SharePoint 2010 Diagnostic Log Compression (DLC) v1.0

Here is the checklist.

1)      On all WFE and APP servers, check that the DLC assembly file named “DiagnosticLogCompression.dll” is registered in the GAC folder.

2)      Check that the SharePoint Timer service is running under the correct account on every WFE and APP server.

3)      Check that the Diagnostic Log Compression feature is installed and enabled on the SharePoint Central Administration application.

CA -> Site Settings -> Manage Site Features: check that the Diagnostic Log Compression feature is activated.

4)      Check that the SharePoint Timer service identity has sufficient rights to read from and write to the destination folder for log copy/move operations.

5)      If you are using a UNC path, check that every WFE and APP server can reach the defined UNC path without connection problems.

6)      Monitor the ULS log with ULS Viewer to confirm that the compression job is running as expected.

You can download ULS Viewer from this link: http://archive.msdn.microsoft.com/ULSViewer

Job Starting Message:

DLC -> Job:  Message:Job Starting

Directory Check Message:
DLC -> Job:  Message:Directory is OK! :   \\YOUR_NETWORK_PATH

Log file in use message:

DLC -> Job:  Message:File in usage:C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS\POSTPOINT2010-20110610-1927.log

Message for each processed log file:

DLC -> Job:  Message:Processing -> C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS\POSTPOINT2010-20110606-1744.log


Finish message:

DLC -> Job:  Message:Job completed successfully

7)      If you do any update or manual installation, don’t forget to restart the SharePoint Timer service on the updated server. Otherwise you may get an error like this in the ULS log:

06/10/2011 19:36:03.45               OWSTIMER.EXE (0x21BC)             0x2018  SharePoint Foundation               Topology            umbo    High       The type DiagnosticLogsHelper.JobLogCompress, DiagnosticLogCompression, Version=1.0.0.0, Culture=neutral, PublicKeyToken=c1b6bc305019fff6 could not be found in its specified assembly.  Scanning all assemblies that have been loaded in the current app domain.      

end of list.
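
Checklist items 2, 6 and 7 can be checked from PowerShell instead of ULS Viewer. The following is an added example, not part of the DLC project; it matches only the message texts quoted above, and the look-back window is an assumption to adjust to your job schedule.

```powershell
# Added example: check the DLC timer job on the local server.
# Run in the SharePoint 2010 Management Shell on each WFE and APP server.
$Hours = 24      # how far back to search the ULS logs (assumption)

# Item 2: the timer service must be running under the expected account.
$svc = Get-WmiObject Win32_Service -Filter "Name='SPTimerV4'"
"SPTimerV4: {0}, running as {1}" -f $svc.State, $svc.StartName

# Item 6: collect the DLC job messages from the local ULS trace logs.
$events = @(Get-SPLogEvent -StartTime (Get-Date).AddHours(-$Hours))
$dlc    = @($events | Where-Object { $_.Message -like 'DLC -> Job:*' })

$started   = @($dlc | Where-Object { $_.Message -like '*Job Starting*' }).Count
$completed = @($dlc | Where-Object { $_.Message -like '*Job completed successfully*' }).Count
$processed = @($dlc | Where-Object { $_.Message -like '*Processing ->*' }).Count
$inUse     = @($dlc | Where-Object { $_.Message -like '*File in usage*' }).Count

# Item 7: after an update the timer service may still look for the old assembly.
$loadErrors = @($events | Where-Object {
    $_.Message -like '*DiagnosticLogsHelper.JobLogCompress*could not be found*' })

"Started: $started  Completed: $completed  Processed: $processed  In use: $inUse"
if ($svc.State -ne 'Running') { 'FAIL: the SharePoint Timer service is not running.' }
if ($started -eq 0)           { 'WARN: no DLC job run found in this time window.' }
if ($started -gt $completed)  { 'WARN: a job run started but did not report completion.' }
if ($loadErrors.Count -gt 0)  { 'FAIL: assembly load error found - restart SPTimerV4 on this server.' }
```

Get-SPLogEvent reads only the trace logs of the server it runs on and can be slow when verbose logging is enabled, so keep the window short.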

Installation of SharePoint Diagnostic Log Compression (DLC) v1.0

Install via SharePoint Management Console (PowerShell)

  1. Download Diagnostic Log Compression from http://dlc.codeplex.com and copy the wsp file to the c:\ drive.
  2. Add the solution to the solution store:
    Add-SPSolution -LiteralPath C:\DiagnosticLogCompression.wsp
  3. Deploy the solution:
    Install-SPSolution -Identity diagnosticlogcompression.wsp -GACDeployment
  4. Enable the feature for the Central Administration application:
    Enable-SPFeature -Identity 0ed55cf5-5322-44bb-b5bf-9126130f7d38 -url <Your Central administration url and port>
  5. Restart the SharePoint Timer service:
    net stop sptimerv4
    net start sptimerv4

 

Install via stsadm tool

1. Download Diagnostic Log Compression from dlc.codeplex.com and copy the wsp file to c:\

2. Add Solution to solution store

stsadm -o addsolution -filename c:\DiagnosticLogCompression.wsp

3. Deploy solution

stsadm -o deploysolution -name DiagnosticLogCompression.wsp -immediate -allowgacdeployment

4. Execute Admin Service jobs

stsadm -o execadmsvcjobs

5. Enable Diagnostic Log Compression Feature

stsadm -o activatefeature -id 0ed55cf5-5322-44bb-b5bf-9126130f7d38 -url <Your Central administration url and port>

6. Restart the SharePoint Timer service

net stop sptimerv4
net start sptimerv4

  Cheers 🙂

SharePoint 2010 Diagnostic Log Compression Tool

Hi everyone,

Have you ever needed to save SharePoint diagnostic log files (ULS logs) to another location for reasons such as security, backup or low storage capacity? If you have enabled verbose mode, your log files can cause serious storage problems. Sometimes a single file grows to gigabytes.

This SharePoint extension helps you compress, copy or move SharePoint ULS log files to another location on a schedule, for backup purposes.

Features
– Compression of ULS log files using Gzip, with a compression ratio of approximately 80%.
– Multiple server support, with the option of running on selected servers.
– Scheduled operations.
– Copy or move compressed/uncompressed log files to another network location.
– Configuration via Central Administration.

You can download it from codeplex.com:
http://dlc.codeplex.com
