SharePoint Audit Logging and other Logs
SharePoint and associated components produce a large number of logs.
- Audit Logging
SharePoint audit logging does not capture the MachineIP and MachineName columns (http://support.microsoft.com/kb/939246). Microsoft states that this is by design: "The values in the MachineIP column and in the MachineName column appear as NULL because of privacy concerns."
- Item version history
SharePoint lists can be configured to capture each version of an item, and optionally a comment indicating what has changed between versions.
- Custom developer logging through SPAuditEvent
The SPAuditEvent provides developers the ability to write custom audit log entries, using the SPAuditMaskType enumeration to categorise events.
- Diagnostic logging
Diagnostic logging provides "trace logs" which are written to the 12 hive's LOGS folder. (that is, C:\Program Files\Common Files\Microsoft Shared\Web server extensions\12\LOGS).
- IIS Logging
IIS can also be configured to produces logs. Being a lower-level component than SharePoint, they tend to capture more lower-level detail, such as the Requested URL, User's IP address and Username, and so on, but without the ability to 'understand' these details.
- SQL Server Logs
Once again, SQL Server itself can log interactions as well. SQL Server generates logs written to the server's event log etc. For deep, fine-grained logging and auditing, the SQL Server Transaction Logs have the most detail, but there does not appear to be any easy way to read this information.
Reporting
SharePoint provides an interface for generating and running reports against its audit logging functionality.
Log consolidation
SharePoint does not make any attempt to consolidate the above logs. Generally, it is assumed that the audit logging capability is sufficient for most needs. Should this not be the case - perhaps in the case of establishing evidence for court - separate consolidation and analysis activities will be required.