Overview of the Change Log

Applies to: SharePoint Foundation 2010

The change log is not a flat file stored somewhere on the file system, nor is it actually a single log. Every content database contains an EventCache table that is the "change log" for objects contained in the database. Each row in the table is an entry in the log. Columns in the table contain information such as the date and time of a change, the type of object that was changed, the nature of the change, and a unique identifier for the object.

The change log is not available through the user interface. Although you could access the log by querying the database directly, that method of access is not supported and, in any case, is quite unnecessary. SharePoint Foundation has a rich object model that provides access to changes at the list, Web site, site collection, and content database level.

Change Log Functionality

The change log records changes to the following types of objects:

  • Items, files, and folders

  • List metadata

  • Site metadata

  • Security policy, users, and groups

The change log does not record changes to the following settings or objects:

  • Web application configuration

  • Global administration settings

  • Binary deployment

  • Web Parts and safe controls

  • Web site, site collection, content database, or Web application configuration

The change log contains information about the following types of change:

  • Add

  • Update

  • Delete

  • Rename

  • Move away from a source list

  • Move into a destination list

The change log can be accessed at the following, progressively inclusive, scopes:

  • List

  • Web site

  • Site collection

  • Content database

Change Log Retention

By default, entries in the change log expire after 60 days. A timer job regularly deletes expired entries. You can modify the retention period at the Web application level by setting the ChangeLogRetentionPeriod property. You can disable change log throttling altogether by setting the ChangeLogExpirationEnabled property.

Change Log Security

The change log is not security-trimmed based on the caller's privileges. Instead, unauthorized disclosure of information is avoided by logging only the information that is needed to identify the object that was changed and the nature of the change. A caller can use information obtained from the change log to get access to an object that has been changed, but that access is subject to normal security checks. If the caller does not have sufficient privileges, access to the object is denied.

Change Log API

You can access the change log by calling the GetChanges method of an SPList, SPWeb, SPSite, or SPContentDatabase object. This method returns an SPChangeCollection object with the changes that have occurred within a given scope. You can then enumerate the collection and examine each of its members individually.

Each object in the SPChangeCollection that is returned by the GetChanges method is a subclass of the SPChange class. The properties of the parent SPChange class contain basic information about a change, including the type of change, as represented by the ChangeType property; the time of the change, as represented by the Time property; and the ID of the site collection where the change was made, as represented by the SiteId property. The properties of subclasses of SPChange contain information specific to the type of object that was changed. For example, the SPChangeItem class represents a change to an SPListItem object and therefore has a ListId property that identifies the list where the item was changed. Similarly, the SPChangeList class represents a change to a list and has a WebId property that identifies the Web site where the list was changed.
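The following is an added example, not code from the original page: it reads security-relevant changes at site collection scope in batches and inspects each SPChange subclass as described above. The URL `http://localhost`, the class name `SecurityChangeAudit`, and the particular selection of object and change types are assumptions chosen for illustration.

```csharp
using System;
using Microsoft.SharePoint;

class SecurityChangeAudit  // hypothetical class name
{
    static void Main()
    {
        // Assumption: placeholder URL; replace with a site collection on your farm.
        using (SPSite site = new SPSite("http://localhost"))
        {
            // Start with nothing selected, then opt in to the object types
            // and change types that matter for a permissions review.
            SPChangeQuery query = new SPChangeQuery(false, false);
            query.User = true;
            query.Group = true;
            query.SecurityPolicy = true;
            query.Item = true;
            query.List = true;
            query.Add = true;
            query.Update = true;
            query.Delete = true;
            query.GroupMembershipAdd = true;
            query.GroupMembershipDelete = true;
            query.RoleAssignmentAdd = true;
            query.RoleAssignmentDelete = true;

            while (true)
            {
                SPChangeCollection changes = site.GetChanges(query);
                foreach (SPChange change in changes)
                {
                    // Subclass properties locate the object; the log entry
                    // itself carries identifiers only, not content.
                    string detail = change.GetType().Name;
                    SPChangeItem item = change as SPChangeItem;
                    SPChangeList list = change as SPChangeList;
                    if (item != null) detail += " ListId=" + item.ListId;
                    else if (list != null) detail += " WebId=" + list.WebId;
                    Console.WriteLine("{0:s} {1} {2} SiteId={3}",
                        change.Time, change.ChangeType, detail, change.SiteId);
                }
                // A batch smaller than the fetch limit is the last one.
                if (changes.Count < query.FetchLimit) break;
                // Otherwise resume after the last change already returned.
                query.ChangeTokenStart = changes.LastChangeToken;
            }
        }
    }
}
```

Storing the final LastChangeToken between runs lets a scheduled review pick up where the previous one stopped, provided it runs more often than the retention period.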