Using Administrative Actions logging in SharePoint Server 2016

The Administrative Actions logging feature is included in the November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1). This feature enables logging of SharePoint Server 2016 administrative actions.

Overview

Administrative changes to SharePoint Server settings can sometimes cause errors or have unintended effects. To aid in troubleshooting administrative changes, logging around key SharePoint administrative actions is available in Feature Pack 1. Logging is available for both Central Administration and Windows PowerShell actions.

Turning on Administrative Actions logging

Administrative Actions logging is turned on by default when you install SharePoint Server 2016 November 2016 Public Update for SharePoint Server 2016 (Feature Pack 1).

After you install Feature Pack 1, Administrative Actions will show up as a checked option under "Events to log" in the Configure usage and health data collection page of SharePoint 2016 Central Administration.

Administrative Action Logging in Central Administration of SharePoint 2016

How to find the Administrative actions local log file location

Administrative actions log files are stored on your server. To view the local location of these logs:

  1. On the SharePoint 2016 Central Administration home page, click Monitoring.

  2. In the Reporting section, click Configure usage and health data collection.

  3. You will see the log file location listed under Usage Data Collection Settings.

How to find the Administrative actions Usage Database log files

Administrative actions logs are written to the SharePoint Usage Database. To find your logging database server:

  1. On the SharePoint 2016 Central Administration home page, click ** Monitoring **.

  2. In the Reporting section, click Configure usage and health data collection.

  3. You will find the logging database server and database name under: Logging Database Server settings.

Retrieving logs from the SharePoint Usage Database

Administrative actions logs are kept in the SharePoint Usage Database for a maximum of 31 days.

  1. Open Microsoft SQL Server Management Studio. ** Note: ** You must be logged in as Administrator.

  2. Connect to the Server name indicated as the "Database Server," in the Logging Database Server settings above.

  3. Connect to your applicable logging database. This is the database you have specified as the "Database Name" in the Logging Database Server settings, typically WSS_Logging.

  4. Query the "AdministrativeActions" partitions.

    Note

    Select the number of applicable "AdministrativeActions" partitions. There should be 32 partitions created, partitions 0 through 31. WSS_logging is the default logging Database Name. Modify the query if your logging Database Name is different.

    Sample Query

SELECT TOP 1000 [PartitionId]
      ,[RowId]
      ,[LogTime]
      ,[MachineName]
      ,[FarmId]
      ,[SiteSubscriptionId]
      ,[UserLogin]
      ,[CorrelationId]
      ,[Action]
      ,[Target]
      ,[Details]
      ,[RowCreatedTime]
  FROM (
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition0]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition1]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition2]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition3]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition4]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition5]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition6]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition7]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition8]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition9]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition10]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition11]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition12]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition13]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition14]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition15]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition16]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition17]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition18]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition19]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition20]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition21]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition22]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition23]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition24]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition25]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition26]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition27]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition28]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition29]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition30]
union
select * from [WSS_Logging].[dbo].[AdministrativeActions_Partition31]
) as A

Using Windows PowerShell to retrieve logs

You can also retrieve Administrative Actions logs using the Windows PowerShell cmdlet, ** Merge-SPUsageLog **.

Important

Remote cmdlet execution must be enabled to use Merge-SPUsageLog. To configure the computer to receive remote commands, see Enable-PSRemoting.

The Merge-SPUsageLog cmdlet gathers, filters, and aggregates logs based on the your specified criteria. We recommend that you filter by using the StartTime and EndTime parameters to optimize performance of this cmdlet.

Merge-SPUsageLog generates objects into PowerShell pipeline from logs that meet the criteria. You should at least specify a usage type, for example "Administrative Actions".

Merge-SPUsageLog -Identity <SPUsageDefinitionPipeBind> [-AssignmentCollection <SPAssignmentCollection>] [-DiagnosticLogPath <String>] [-EndTime <DateTime>] [-OverWrite <SwitchParameter>] [-Servers <String[]>] [-StartTime <DateTime>] 
Parameter Required Type Description
Identity
Required
Microsoft.SharePoint.PowerShell.SPUsageDefinitionPipeBind
Specifies the name of usage log file.
AssignmentCollection
Optional
Microsoft.SharePoint.PowerShell.SPAssignmentCollection
Manages objects for the purpose of proper disposal. Use of objects, such as SPWeb or SPSite, can use large amounts of memory and use of these objects in Windows PowerShell scripts requires proper memory management. Using the SPAssignment object, you can assign objects to a variable and dispose of the objects after they are needed to free up memory. When SPWeb, SPSite, or SPSiteAdministration objects are used, the objects are automatically disposed of if an assignment collection or the Global parameter is not used.
> [!NOTE]> When the Global parameter is used, all objects are contained in the global store. If objects are not immediately used, or disposed of by using the Stop-SPAssignment command, an out-of-memory scenario can occur.
DiagnosticLogPath
Optional
System.String
Specifies the file to write diagnostic information to. A relative path is supported.
EndTime
Optional
System.DateTime
Specifies the end time of the log entries returned. The type must be a valid DateTime format that is culture-specific to the administrative language, that is, 2/16/2007 12:15:12 for English-US. The default value is the current time.
If you want to specify UTC time, you must add a "Z" to the end of the parameter. For example, "2016-06-15 03:29:18.199 Z". If the "Z" is not specify, local computer time will be displayed instead of UTC.
OverWrite
Optional
System.Management.Automation.SwitchParameter
Overwrites the diagnostic log file if it already exists at the specified path.
Servers
Optional
System.String[]
The server address or addresses to filter on. To obtain a list of valid addresses in the farm use Get-SPServer
StartTime
Optional
System.DateTime
Specifies the start time of the log entries returned. The type must be a valid DateTime format that is culture-specific to the administrative language, such as "2/16/2007 12:15:12" for English-US. The default value is one hour prior to the current time on the local computer.
If you want to specify UTC time, you must add a "Z" to the end of the parameter. For example, "2016-06-15 03:29:18.199 Z". If the "Z" is not specify, local computer time will be displayed instead of UTC.

Example 1: This example merges the last hour of log data for "Administrative Actions" usage provider from all farm computers.

Merge-SPUsageLog -Identity "Administrative Actions" 

Example 2: This example merges the log entries for the "Administrative Actions" usage provider from "06/09/2016 16:00" untill now from servers named "A-0606" and "A-0505".

Merge-SPUsageLog -Identity "Administrative Actions" -Servers "A-0606","A-0505" -StartTime "06/09/2008 16:00" 

Example 3: This example retrieves Administrative Actions logs starting from Aug 11th, and then selects the following fields to display: User, ActionName, and TimeStamp. The results are sorted by TimeStamp. This example uses the Windows PowerShell pipeline. For more information about how to use the pipeline, see about_Pipelines

Get-SPUsageDefinition -Identity "Administrative Actions" | Merge-SPUsagelog  -StartTime "08/11/2016 3:50 AM" | Select User, ActionName, Timestamp | Sort Timestamp  

Types of administrative actions logged

The following tables details the types of Administrative Actions that are captured in the logs.

Action category Action sub-category Log actions(s) Description
Configure Accounts
Add, Remove, Update
Administration.Security.User.Add Administration.Security.User.Remove Administration.Security.User.Update Administration.Security.User.Role.Update
Logs administrative account configuration and information changes including the addition, removal, and updates of farm and site collections administrators. Also, logs role updates.
Configure managed accounts
New, Remove, Update
Administration.Security.ManagedAccount.New Administration.Security.ManagedAccount.Remove Administration.Security.ManagedAccount.Update
Logs changes in the configuration of managed accounts, creation and removal of managed accounts, and updates to existing managed accounts.
Configure Service Account
Update
Administration.Security.ServiceAccount.Update
Logs updates to the designated service accounts in the farm.
Configure Password change settings
Update
Administration.Security.AccountPasswordSetting.Update
Logs updates to password management settings.
Specify Authentication Providers
Update
Administration.Security.AuthenticationProviderSetting.Update
Logs updates to authentication provider settings.
Manage Trust
Edit, Remove, Update
Administration.Security.ManageTrust.SPTrustedRootAuthority.Edit Administration.Security.ManageTrust.SPTrustedRootAuthority.New Administration.Security.ManageTrust.SPTrustedRootAuthority.Remove Administration.Security.ManageTrust.SPTrustedSecurityTokenIssuer.Edit Administration.Security.ManageTrust.SPTrustedSecurityTokenIssuer.New Administration.Security.ManageTrust.SPTrustedSecurityTokenIssuer.Remove
Administration.Security.ManageTrust.SPTrustedRootAuthority logs edits to, and removals of the trust relationship settings in the farm, and the creation of new trust relationships. Administration.Security.ManageTrust.SPTrustedSecurityTokenIssuer logs edits to, and removals of the token issuer settings, and the creation of new token issuer trust relationships.
Manage Web Part Security
Update
Administration.Security.WebPart.Update
Logs updates to Web Part pages and Web parts on your selected web application.
Farm backup and restore operations
Backup, Restore, Update
Administration.Farm.BackupRestore.Backup Administration.Farm.BackupRestore.Restore Administration.Farm.BackupRestore.Settings.Update
Logs farm restore and backup operations, including updates to your default backup and restore settings.
Server Administration
Add, Remove, Update
Administration.Farm.Server.Add Administration.Farm.Server.Remove Administration.Farm.Server.Role.Update
Logs removals and additions of servers to the farm, including role updates of farm servers.
Configuration database changes
New, Remove
Administration.Farm.ConfigurationDatabase.New Administration.Farm.ConfigurationDatabase.Remove
Logs the addition of the new configuration database or the removal of an existing one.
Site Collection Administration
Add, Backup, Export, Import, Remove, Restore, Update
Administration.SiteCollection.Add Administration.SiteCollection.Remove Administration.SiteCollection.BackupRestore.Backup Administration.SiteCollection.BackupRestore.Restore Administration.SiteCollection.Owner.Update Administration.SiteCollection.SecondContact.Update Administration.SiteCollection.Quota.Update Administration.SiteCollection.ImportExport.Export Administration.SiteCollection.ImportExport.Import
Logs the most common operations around site collection administration, including the addition and removal of a site collection, backup and restore operations of a site collection, changes to ownership, secondary contact, and quota, and import and export operations of the site collection.
Site Collection Content Database
Add, New, Remove, Set
Administration.ContentDatabase.Add Administration.ContentDatabase.New Administration.ContentDatabase.Remove Administration.ContentDatabase.Set
Logs common SharePoint content database operations such as: adding a content database to the farm, creating a new content database, removing a content database, and setting the global properties of a content database.
Quota Changes
New, Remove, Update
Administration.Quota.New Administration.Quota.Remove Administration.Quota.Update
Logs setting a site new collection quota, making updates to an existing site collection quota, and removing a site collection quota.
Feature Administration
Install, Disable, Uninstall, Enable
Administration.Feature.Disable Administration.Feature.Enable Administration.Feature.Install Administration.Feature.Uninstall
Logs site collection feature administration actions to disable, enable, install, and uninstall features.
Web Application Administration
Edit, New, Remove
Administration.WebApplication.Edit Administration.WebApplication.New Administration.WebApplication.Remove
Logs common web application administrations actions including edits to an existing web application, the creation of a new web application, and the removal of an existing web application.
Web Application Administration User Policy
Add, New, Remove, Update
Administration.WebApplication.UserPolicy.Add Administration.WebApplication.UserPolicy.New Administration.WebApplication.UserPolicy.Remove Administration.WebApplication.UserPolicy.Update
Logs operations related to the management of user permission policies of web applications including: adding users to an existing web application user policy, creating a new user policy, removing users from an existing user policy, and making updates to a user permission policy.
Service Application
Edit, New, Remove
Administration.ServiceApplication.Edit Administration.ServiceApplication.New Administration.ServiceApplication.Remove
Logs edits to Service Applications, the creation of a new Service Application, and the removal of an existing Service Application.
Form & Feature Template Administration
Convert, Disable, Enable, Install, New, Set, Start, Stop, Test, Update, Upgrade, Uninstall
Administration.FormTemplate.Convert Administration.FormTemplate.Disable Administration.FormTemplate.Enable Administration.FormTemplate.Install Administration.FormTemplate.New Administration.FormTemplate.Set Administration.FormTemplate.Start Administration.FormTemplate.Stop Administration.FormTemplate.Update Administration.FormTemplate.Test Administration.FormTemplate.Upgrade Administration.FormTemplate.Uninstall Administration.Feature.FormTemplate.Install Administration.Feature.FormTemplate.Uninstall
Logs operations related to the management of InfoPath templates in site collections, including: template conversion, disablement (deactivation), enablement, installation, creation of a new template, setting a template, starting and stopping of templates, updates, testing, upgrade, and uninstalling of a template.
Content Database
Add, New, Remove, Set
Administration.ContentDatabase.Add Administration.ContentDatabase.New Administration.ContentDatabase.Remove Administration.ContentDatabase.Set
Configure Groups
Add, Remove, Update
Administration.Security.Group.Add Administration.Security.Group.Remove Administration.Security.Group.Update
Logs actions related to group creation, deletion, and management, such as: adding, removing, and updating groups.
User & Group Migration
Move
Administration.Security.User.Move Administration.Security.Group.Move
Logs activities relating the migration of group and user logins.