Share via


SPAuditEntry.EventData property

Gets data, in XML markup, that is specific to the type of event identified in the Event property.

Namespace:  Microsoft.SharePoint
Assembly:  Microsoft.SharePoint (in Microsoft.SharePoint.dll)

Syntax

'Declaration
Public ReadOnly Property EventData As String
    Get
'Usage
Dim instance As SPAuditEntry
Dim value As String

value = instance.EventData
public string EventData { get; }

Property value

Type: System.String
A String that holds XML markup providing data that is specific to the type of event that the SPAuditEntry object represents.

Remarks

For custom events that you create, you can use any XML schema. (Or you can use an undefined XML format.) For more information about the event data of custom events, refer to WriteAuditEvent. The data for custom events must not exceed 4000 characters. (Some system events produce more than 4000 characters of event data.)

Some of the built-in events in SharePoint Foundation put data into the EventData property as shown in the following table. The ToString method wraps the value of this property in <EventData></EventData> tags. Note that if the data is logically divisible, it has internal XML markup as well. If the data consists of a single data point (as is the case, for example, with the Copy event), it generally does not have internal XML markup. However, if the same type of data appears as part of complex data in another event's EventData, it has the same XML markup even when it is the sole data point. For example, part of the ChildMove event is marked with <NewName>; so this same markup appears on the data for the Move event even though the new name is the sole data point.

For built-in events not listed here,EventDataisa null reference (Nothing in Visual Basic)and is not included in the string returned byToString. Line breaks have been added for readability. The actual value of the property has no line breaks or white space.

SPAuditEventType Value

Type of Event

Example of EventData Property Value

Description of Value

AuditMaskChanged

The audit flags are changed for the audited object.

<NewAuditMask>68</NewAuditMask>

The new audit mask.

ChildDelete

A child of the audited object is deleted.

<RelatedItem>

    <Id>137DA01F-9AFD-5d9d-80C7-02AF85C822A8</Id>

    <Relationship>ChildDelete</Relationship>

    <Type>1</Type>

    <Location>MyTargetDocumentLibrary/DeletedFile.ext</Location>

    <LocationType>0</LocationType>

</RelatedItem>

The GUID of the child that is deleted, its relationship to the audited object, the pre-deletion URL of the child item, and the location type (which is always 0 in SharePoint Foundation).

ChildMove

A child of the audited object is moved.

<RelatedItem>

    <Id>937DA01F-9AFD-5d9d-80C7-02AF85C822A8</Id>

    <Relationship>ChildMove</Relationship>

    <NewName>MyTargetDocumentLibrary/MovedFile.ext</NewName>

</RelatedItem>

The GUID of the item that is moved, the URL to which it is moved, and the moved item's relationship to the audited object.

CheckIn

A document is checked in.

<Version>

    <Major>5</Major>

    <Minor>0</Minor>

</Version>

The new version the document.

Copy

The audited item is copied.

http://MyServer/MyTargetDocumentLibrary/CopiedFile.ext

The URL of the target copy.

Delete

The audited object is deleted.

<Version>

    <AllVersions/>

</Version>

<Recycle>1</Recycle>

The version that was deleted and whether it is moved to the Recycle Bin (1) or is deleted completely (0).

EventsDeleted

Some audit entries are deleted from SharePoint database.

<DeleteEntriesInfo>

    <Rows>127</Rows>

    <EndDate>2007-03-29T20:42:06</EndDate>

</DeleteEntriesInfo>

The date and time before which all entries were deleted, and the number of deleted entries.

Move

The audited object is moved.

<NewName>MyTargetDocumentLibrary/MovedFile.ext</NewName>

The new relative URL for the file.

Search

The audited object is searched.

query='search_term';constraint=' site:"http://MyServer/MyDocumentLibrary"'

The search term and the object that is searched.

SecGroupCreate

A group is created for the site collection. (This action also generates an Update event.See below.)

<title>ClericalPersonnel</title>

<groupid>11</groupid>

<user>12</user>

The name of the new group, its ID number, and the ID of the first user that created the group.

SecGroupDelete

A group on the site collection is deleted.

<groupid>11</groupid>

The ID number of the group.

SecGroupMemberAdd

A user is added to a group.

<groupid>11</groupid>

<user>8</user>

The ID of the group and the user that was added.

SecGroupMemberDelete

A user is removed from a group.

Same as SecGroupMemberAdd above.

The ID of the group and the ID of the user that was deleted.

SecRoleBindBreakInherit

A subsite's inheritance of permission level definitions (that is, role definitions) is severed.

<url>ShippingDept</url>

<scope>92EEC412-C14B-6EFB-AB9F-FA821A3A4C63</scope>

The URL and GUID of the subsite.

SecRoleBindInherit

A subsite is set to inherit permission level definitions (that is, role definitions) from its parent.

Same as SecRoleBindBreakInherit.

Same as SecRoleBindBreakInherit.

SecRoleBindUpdate

The permissions of a user or group for the audited object are changed.

<roleid>1073741826</roleid>

<principalid>11</principalid>

<scope>72EEC412-B14B-4EFB-AB95-EA821A3A4C63</scope>

The ID of the permission level (a combination of permissions that are given to people holding a particular role for the site collection), the ID of the user or group (the "principal"), and the GUID of the audited object.

SecRoleDefCreate

A new permission level (a combination of permissions that are given to people holding a particular role for the site collection) is created.

<name>SpecialPermissionPackage</name>

<id>8243098299</id>

<perm>199169</perm>

The name and ID of the new permission level, and a numerical code for the combination of permissions.

SecRoleDefDelete

A permission level (a combination of permissions that are given to people holding a particular role for the site collection) is deleted.

<id>8243098299</id>

The ID of the permission level.

SecRoleDefModify

A permission level (a combination of permissions that are given to people holding a particular role for the site collection) is modified.

<name>SpecialPermissionPackage</name>

<id>8243098299</id>

<perm>199169</perm>

The name and ID of the changed permission level, and a numerical code for the new combination of permissions.

Update

An existing object is updated.

MyFile.doc

The name of the item.

Update

A new item is added to a list.

Same as CheckIn events.

The version of the document.

Update

A new group is added to the list of all groups for the site collection. (See also SecGroupCreate.)

11_.000

The ID of the group affected ("11" in this example).

Examples

The following example (from Item-Level Auditing with SharePoint Server 2007) shows this property in use.

foreach (SPAuditEntry oAuditEntry in collAuditEntries)  {
  if (oAuditEntry.SourceName == "CustomViewAuditEvent") {
    string strMyXml = oAuditEntry.EventData;
    // process custom event
  }
}
Dim oAuditQuery As New SPAuditQuery(oSiteCollection)
oAuditQuery.RestrictToListItem(item)
Dim collAuditEntries As SPAuditEntryCollection = oSiteCollection.Audit.GetEntries(oAuditQuery)

For Each oAuditEntry As SPAuditEntry In collAuditEntries
  ' get info from audit log
Next oAuditEntry

See also

Reference

SPAuditEntry class

SPAuditEntry members

Microsoft.SharePoint namespace

Other resources

Item-Level Auditing with SharePoint Server 2007