Hi @Kawa1 ,
Per my understanding, if the timer job is set monthly, and the number of days of audit log data to retain is 10:
At Feb 28th, you could go to CA>Monitoring>Timer Jobs>Check job status>Job history to check if the Audit Log Trimming timer job of the web application has already run.
If yes, then you could only see the data from 2.18-2.28(10 days as you set) when you click the "Audit log reports" in Site settings, and the other data will be stored in sites/〇〇〇〇/Documents.
If no, then you could see the data directly in the "Audit log reports" and there will be no excel in sites/〇〇〇〇/Documents.
==============================
In fact, as the post you mentioned, the number of days of audit log data to retain determines how long the log will be kept in the AuditData table in the SQL server.
The data in the Audit log will be stored in the AuditData table in the database, and the increase in data will reduce performance.
So if you set up data storage for 10 days, the audit log will leave the data of the previous ten days, and the data more than 10 days will be deleted from the database, and at the same time, excel(the data more than 10 days) will be generated to the specified library according to your instructions.
You can check them both. This storage method will save space and improve database performance.
================Update1===================
I did a one-day test,take deleting List as an example:
My settings:
02/10/2021
11:13 Delete List 222.
15:50 Delete List 333.
02/11/2021
13:15 Check Site settings>Audit log report>Deletion,we can see both List 222 and 333:
13:22 After the timer job ran,we can see that the data deleted from list 222 one day ago has been automatically generated and appears in the Library:
When checking Site settings>Audit log report>Deletion again, we can only see list 333 and list 222 disappeared:
Check the table AuditData in SQL,we can only see List 333, because list 222 has been deleted from SQL and it is stored in the library you set:
If you configure Site collection audit settings at Feb 5th,then the data will be recorded from Feb 5th.
If you set 35 days, then the data of the 35 days before the timer job runs will be kept in the Library. However this also depends on the situation, depending on how much data is left after your last timer job was run. If there are only 30 days of data left, then there are only 30 days of data.
===================Update2=================
For your questions:
1&2)We don't need to manually run this timer job, as long as we set the time, it can run automatically.
For example, if I set the timer job to run automatically on 02/17/2021 8AM:
3&4)According to my understanding, if the 31st of each month is set, this timer job will run in the last 1 to 2 days of each month. The specific situation still needs to be judged according to the actual operation of the timer job. We will need more time to confirm the behavior of timer job in different situations.
If the timer job to run at 2AM March 31st, then the data which is from March 5th to March 31st(2AM) will be kept in the library.
Then, the data which is from 2AM 31st to April 30th will be kept in the library on April 30.
In addition, the running time of the Timer job sometimes has a deviation of one to two days, so it needs to be judged based on the actual operation of the Timer job.
===============Update3=============
I did a test in my end:
Settings:
✓Automatically trim the audit log for this site? Yes
✓Optionally, specify the number of days of audit log data to retain: 1
✓If you'd like to keep audit data for longer than this, please specify a document library where we can store audit reports before trimming occurs: /sites/〇〇〇〇/Documents,
When check the Timer job:
If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.