Sharepoint audit log trimming

Question

Please let me clarify how Audit Log Trimming works in Sharepoint.
I'm using SharePoint 2016 , which is running on my company's servers.
I confirmed that Audit log is automatically trimmed every 30 days in my company.

My section's setting at "audit log trimming" is following:
Automatically trim the audit log for this site? Yes
Optionally, specify the number of days of audit log data to retain: 10
If you'd like to keep audit data for longer than this, please specify a document library where we can store audit reports before trimming occurs: /sites/〇〇〇〇/Documents

For example, I set this up on Feb. 5th.
What will happen on Feb 28th (I mean, the end of month, which I'm believing the log is supposed to be trimmed automattically)?
What will happen 10 days after Feb. 28th?

My understanding is that 10 days after the 28th of Feb, the audit log which is from Feb.1st to Feb.28th
will be stored and saved at "/sites/〇〇〇〇/Documents." (at this timing I believe the data is not from Feb.1st to March 10th but Feb 1st to Feb 28th), and from Feb 28th to March 10th I can get the the audit log which is from Feb 1st to Feb 28th in "viewing audting report" if I would like to get it , and in this case If I get the data,let's say, on March 5th, I will get the data which is not only from Feb 1st to Feb 28th but also from March 1st to March 5th at the same time.
I'm using Feb 28th as example of the end of the month, so even if it is Feb 27th or March 1, I'm okay with that since my purpose is keep saving and stocking the data regularly.

Would you kindly advise me if my understanding is correct or not? If not, please correct my understanding.

I have read microsoft documentation and various blogpost which is like the following, but I'm afraid that I'm still not sure about the question above.
https://social.technet.microsoft.com/Forums/en-US/015116e8-98c4-4e24-97d1-efffefd1e444/audit-log-trimming-settings?forum=SP2016

Thank you so much in advance.

Answer 1

Hi @Kawa1 ,

Per my understanding, if the timer job is set monthly, and the number of days of audit log data to retain is 10:

At Feb 28th, you could go to CA>Monitoring>Timer Jobs>Check job status>Job history to check if the Audit Log Trimming timer job of the web application has already run.

If yes, then you could only see the data from 2.18-2.28(10 days as you set) when you click the "Audit log reports" in Site settings, and the other data will be stored in sites/〇〇〇〇/Documents.

If no, then you could see the data directly in the "Audit log reports" and there will be no excel in sites/〇〇〇〇/Documents.

==============================

In fact, as the post you mentioned, the number of days of audit log data to retain determines how long the log will be kept in the AuditData table in the SQL server.

The data in the Audit log will be stored in the AuditData table in the database, and the increase in data will reduce performance.

So if you set up data storage for 10 days, the audit log will leave the data of the previous ten days, and the data more than 10 days will be deleted from the database, and at the same time, excel(the data more than 10 days) will be generated to the specified library according to your instructions.

You can check them both. This storage method will save space and improve database performance.

================Update1===================
I did a one-day test,take deleting List as an example:

My settings:

02/10/2021
11:13 Delete List 222.
15:50 Delete List 333.
02/11/2021
13:15 Check Site settings>Audit log report>Deletion,we can see both List 222 and 333:

13:22 After the timer job ran,we can see that the data deleted from list 222 one day ago has been automatically generated and appears in the Library:


When checking Site settings>Audit log report>Deletion again, we can only see list 333 and list 222 disappeared:

Check the table AuditData in SQL,we can only see List 333, because list 222 has been deleted from SQL and it is stored in the library you set:

If you configure Site collection audit settings at Feb 5th,then the data will be recorded from Feb 5th.
If you set 35 days, then the data of the 35 days before the timer job runs will be kept in the Library. However this also depends on the situation, depending on how much data is left after your last timer job was run. If there are only 30 days of data left, then there are only 30 days of data.

===================Update2=================
For your questions:
1&2)We don't need to manually run this timer job, as long as we set the time, it can run automatically.
For example, if I set the timer job to run automatically on 02/17/2021 8AM:

3&4)According to my understanding, if the 31st of each month is set, this timer job will run in the last 1 to 2 days of each month. The specific situation still needs to be judged according to the actual operation of the timer job. We will need more time to confirm the behavior of timer job in different situations.

If the timer job to run at 2AM March 31st, then the data which is from March 5th to March 31st(2AM) will be kept in the library.
Then, the data which is from 2AM 31st to April 30th will be kept in the library on April 30.

In addition, the running time of the Timer job sometimes has a deviation of one to two days, so it needs to be judged based on the actual operation of the Timer job.

===============Update3=============
I did a test in my end:
Settings:
✓Automatically trim the audit log for this site? Yes
✓Optionally, specify the number of days of audit log data to retain: 1
✓If you'd like to keep audit data for longer than this, please specify a document library where we can store audit reports before trimming occurs: /sites/〇〇〇〇/Documents,

When check the Timer job:

---

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi Elsie Lu, thank you for explaining in detail.I'm afraid that I'm still not sure what you are saying.
Would you advise how I can go to CA?
I guess I'm not at the administration organization, so I have no right to have access to CA.

If I don't have the permission at this moment, I will talk to Administration staff in my company.
Before talking to the staff, let me clarify the following questions.

1)How can we check if the Audit Log Trimming timer job of the web application has already run or not.
Can we see the comments like "running" at the page"Job history"?

2) If admin staff don't permit to change the status from not running to running because the data is getting too heavy, can't we stock the data automatically? I mean, If I would like to collect the audit log ,let's say,for 1 year, I need to get the data directly and manually every at the end of the month because audit log is automatically trimmed every 30 days?
Moreover, I guess the timing which is automatically trimmed is not always the final day of the month,right? If so, I need to get the data everyday during let's say, 28-31 of every month because I don't know when the data is automatically trimmed. I'm still not sure I can get the data perfectly by doing so. Would you tell me how to keep getting the audit log perfectly.(if it's automatic, it will be appreciated)

2) If admin staff permit to change the status from not running to running, will the audit log will be stocked every 10 days,if the number of days of audit log data to retain is 10?

3)You mention "If yes, then you could only see the data from 2.18-2.28(10 days as you set) when you click the "Audit log reports" in Site settings, and the other data will be stored in sites/〇〇〇〇/Documents."
in this case, "the other data" is the data which is from when to when?

My apologies on long sentences. Please let me know what you think about that.

Answer 3

Hi Elsie Lu.
I confirmed that the Audit Log Trimming timer job is running as follows.

This timer job is scheduled to run: Monthly,
By date: starting every month between 2AM on the 31st and no later than 2AM on the 31st

so, if in my section setting is following,
✓Automatically trim the audit log for this site? Yes
✓Optionally, specify the number of days of audit log data to retain: 35
✓If you'd like to keep audit data for longer than this, please specify a document library where we can store audit reports before trimming occurs: /sites/〇〇〇〇/Documents,

does this means that ,let's say, when the audit log is trimmed automatically at 2am on March 31st the audit log which is from March 1 to March 31 will be stored in "/sites/〇〇〇〇/Documents" as Excel file?

In addition, As you said, does it mean I can collect the audit log which is from February 24 to March 31 by "audit log report" because setting about retaining is 35days?
I'm not sure on it because just right now I got the data, but this data is just from 2am January 31 to present. My understanding is that if you are correct, should be this data from January 6 to present?

Moreover, admin staff mentioned that even if I set up "setting" as follows in my section, if CA set monthly trimming as above, your setting was overwritten by CA, it means that your setting is not effective. He is not sure about it. Would you advise if this is correct or not?

✓Automatically trim the audit log for this site? Yes
✓Optionally, specify the number of days of audit log data to retain: 35
✓If you'd like to keep audit data for longer than this, please specify a document library where we can store audit reports before trimming occurs: /sites/〇〇〇〇/Documents,

Thank you.

Answer 4

Answer 5

One more quick question!
in my case of CA setting above, If there is no 31st in the month, when is it automatically trimmed?
Let's say in Feb. there is no 31st, when is it automatically trimmed?
Thank you.