SharePoint JSON Log File
The JSON log file format is used to send SharePoint activity monitoring data to Enterprise Auditor v10.0 consoles. The following information lists all of the attributes generated by SharePoint Activity Monitor into a JSON log file:
| Attribute Name | Description | Example |
|---|---|---|
| TimeLogged | DateTime/ string | 2019-03-14T18:13:39.00Z |
| ActivityType | Constant “SharePoint” | SharePoint |
| AgentHost | Host name where agent is installed | sphost |
| UserSid | User SID who caused the event | S-1-0-0 |
| UserName | User Name who caused the event | System Account |
| UserID | ID of the user who caused the event | 1073741823 |
| UserLogin | User Login who caused the event | SHAREPOINT\system |
| Protocol | Protocol: HTTP / HTTPS.. | HTTP |
| AbsoluteUrl | Full Url: SiteUrl + DocLocation | http://sphost/Lists/Comments/1_.000 |
| WebApplication | Web application name | SharePoint – 80 |
| SiteId | Site Id (guid) | 7b2c8d23-a74f-4c3c-985d-2c7facb5ebae |
| SiteUrl | Site Url | http://sphost/sites/mysite |
| WebTitle | Web title | my site |
| DocLocation | Location of an audited object at the time of the audited event | Lists/Comments/1_.000 |
| ItemId | A Guid that the object whose event is represented by the entry | 2c4174dc-322d-47bc-a420-52968fc3ba6c |
| ItemTitle | Title of the object | Welcome to my blog! |
| ItemType | Type of the object: Document / ListItem / List / Folder / Web / Site | ListItem |
| EventType | An SPAuditEventType that represents the type of event | Update |
| EventSource | A value that indicates whether the event occurred as a result of user action in the SharePoint Foundation user interface (UI) or programmatically. Values: SharePoint / ObjectModel | SharePoint |
| LocationType | Specifies the actual location of a document in a SharePoint document library: Invalid, Url, ClientLocation | Url |
| AppPrincipalId | The ID of the app principal who caused the event. If the value of EventSource is ObjectModel, thenAppPrincipalId holds the ID of the app principal whose context the code that caused the event was running. If there is no app context, the AppPrincipalId is null. | 0 |
| SourceName | The name of the application that caused the event | <empty> |
| RawEventData | A String that holds XML markup providing data that is specific to the type of event that the entry object represents. | <RelatedItem><Id>06C49477-0498-4858-900C-45B595337462</Id><Relationship><NewName>MyDocs/myfile.zip</NewName></Relationship></RelatedItem> |
| AuditMask | The new audit mask | [“CheckIn”,“View”,“Delete”,“Update”] |
| ChildId | The GUID of the child that is deleted/moved. | 06C49477-0498-4858-900C-45B595337462 |
| ChildDocLocation | The pre-deletion URL of the child item | Lists/Posts/2_.000 |
| NewDocLocation | The URL to which the item is moved | MyNewDocs/myfile.zip |
| Version | The new version of the document / The version that was deleted | 1.0 |
| DeleteType | Whether it is moved to the recycle bin (1) or is deleted completely (0). 1 - MovedToRecycle; 0 - DeletedCompletely | MovedToRecycle |
| SearchQuery | myfile | |
| SearchConstraint | site:“http://sphost/sites/mysite” | |
| GroupId | The ID of the new/deleted group The ID of the group that was bound to the role | 11 |
| GroupName | The name of the new/deleted group The name of the group that was bound to the role | My Super Group |
| TrusteeId | The ID of the user that was added/deleted from the group The ID of the user that was bound to the role | 8 |
| TrusteeName | The Name of the user/group that was added/deleted from the group The Name of the user/group that was bound to the role | spuser |
| TrusteeType | The name is the name of group or user: User / Group | User |
| UpdateType | Added or Removed | Added, Removed, or Updated |
| RoleId | The ID of the new/changed/deleted permission level | 1073741924 |
| RoleName | The name of the new/changed/deleted permission level | My Role |
| Permissions | The combination of permissions | [“ViewListItems”,“AddListItems”,“EditListItems”] |