Microsoft® Office Groove® 2007 Auditing - Prescriptive Guide December 2007

Overview of Groove Audit - download.microsoft.comdownload.microsoft.com/.../GrooveAuditPrescriptiveGuid…  · Web viewDo not enable this audit option unless you have a strong business


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Office Groove 2007, and Microsoft Office Groove Server 2007 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

http://www.microsoft.com/office/groove/ 2


Table of Contents

Overview of Groove Audit
  What It Is
  How Groove Auditing Works
  System and Network Impact
Capacity Considerations
Auditing Scenarios
  Scenario with Minimal Auditing
  Scenario with Basic Auditing
  Scenario with Heavy Volume of Auditing
  Scenario with Selective Auditing
Groove Audit Requirements
Installing and Configuring Groove Audit
  For Shared Manager and Audit Front End
  For Separate Manager and Audit Front Ends
Adjusting Audit Policies
Blocking Use of Non-Auditable Tools
Enabling the Audit Service on Groove Clients
Enabling and Disabling Groove Auditing
  Enabling Auditing
  Disabling Auditing
Interpreting Audit Data and Creating Reports
  Interpreting Audit Data
    Sample Audit_LogEntryProperties Data in EventProperties View
    Sample Audit_LogEntryAttributes Data in EventAttributes View
    Sample Audit_SecurityEventLog Data
    Groove Audit SQL Tables
    Audit_EventCategoryReadableNames Table
    Audit_EventTypeReadableNames Table
    Audit_AttributeReadableNames Table
    Audit_ErrorCodeReadableNames
  Removing User Data
  Creating SQL Queries
    Search IMs for a String Using SearchIMs
    Search for File Information Associated with User via SearchUser
    Search for a File Using SearchFile
  Extracting File Content
  Creating Reports
Additional Resources


Overview of Groove Audit

Microsoft Office Groove Audit allows IT administrators to monitor designated Groove user activity by examining user account, workspace, and tool event data. Logged data is collected into a SQL database, to which administrators can apply SQL queries. Using external SQL-compatible reporting tools, administrators can generate formatted reports of audited data.

What It Is

Groove Audit is an optional feature provided with Groove Server Manager installation. When installed and enabled, the Audit feature provides a mechanism for collecting specific information about Groove user events into SQL databases. IT administrators can interpret the stored data and process it using SQL queries, or format audit output using external SQL reporting tools. These results can facilitate the oversight and secure management of Groove user activities.

Note: Groove Audit does not include reporting tools, although its stored data can be output via third-party SQL-compatible analytic and reporting tools.

Note: Groove Audit is available for onsite Groove Servers only, not for Groove Enterprise Services.

Audited events include those associated with Groove user accounts (such as logging on or off, sending an instant message, or inviting a colleague to a workspace), or with Groove workspaces and tools (such as adding a tool to a workspace or a file to the Files tool). Groove administrators can control what data will be audited by setting a policy that marks selected categories of events for auditing. Administrators can also set a policy that limits the tools in Groove workspaces to those tools which are auditable, such as Files, Discussion, and InfoPath. Whenever necessary, administrators can modify device policies to disable any or all aspects of auditing.

Audited data is stored in SQL database tables which must be interpreted and formatted in order to be useful for end-user administration. Using MS ProClarity, Reporting Services, or other reporting applications, database administrators can create templates that analyze and format the audited output into valuable reports.

Note that Groove Audit data is distinctly different from the Audit Log and Groove usage reports available from any Groove Server Manager installation. The following table shows how Groove Audit output differs from the data collected in Groove Server Manager reports:

Groove Audit data

Groove client events logged as they occur. For example:

- User1 created workspaceA at <date/time>
- User1 added Discussion tool to workspaceA <date/time>
- User1 invited User2 to workspaceA <date/time>
- User2 entered Discussion tool in workspaceA <date/time>

Groove Server Manager Reports – Groove Usage and Activities

Statistics relating to Groove users, workspaces, and tools over a date range. For example:

- Domain member names and status (active, pending, deleted)
- Number of workspaces that a member has joined
- Names of workspaces created by a member
- Workspace names and creation dates
- Workspace member names as of report date
- Number of users in workspace as of report date
- Names of tools in workspaces as of report date
- Number of minutes a tool was used during date range

Groove Server Manager Reports – Audit Log

Groove Server Manager events within a date range. For example:

- Server startup
- Relay server added
- Domain added
- New domain member added

If auditing is necessary in a Groove collaboration environment, IT planners should follow best practices in place at their organization, along with these guidelines:

- Consider whether the Audit Log and Groove usage reports generated by Groove Server Manager will provide the type of data you need.
- If your organization requires Groove Auditing services, consider the available installation and setup options and select one most suited to your infrastructure and user population.
- Identify the Groove events that you want to audit.
- Estimate current and anticipated Groove activity that will be audited in your organization, then allocate resources accordingly.
- Install the necessary hardware and prepare your network for auditing.
- Install Manager and Auditing as appropriate for your organization, ensuring that Auditing can meet expected capacity without disrupting Groove Server Manager operations.
- Check Groove Audit requirements and make sure to configure servers and clients accordingly.
- Understand how to interpret the SQL tables of audited data.
- Create Report templates using MS ProClarity or other reporting tool for viewing audited data.
- Once Auditing begins, check load conditions regularly and be prepared to make necessary adjustments to configuration.
- Schedule archiving and cleanup of audited data. Audited data is not deleted automatically; it accumulates until it reaches maximum system load or until administrative action is taken to remove it.

How Groove Auditing Works

The Audit option is selected during Groove Server Manager installation. After installation is complete, administrators can set a device policy that triggers Groove auditing on managed client devices that have been properly configured. The Audit Service must be enabled on Groove clients for auditing to take place. Audited data is then collected and stored in SQL databases.

The Groove Auditing capability has four components:

The Groove client audit log which logs Groove user activity to an encrypted file on managed client devices.

The Groove client Audit Service which manages the audit log for secure uploading to the Groove Audit application.

The Groove Audit application which receives, decrypts, and stores the logs in an SQL database.

The Groove Server Manager device policy that controls what events should be audited.

Groove audit logs are immediately encrypted on Groove clients upon event creation, and are decrypted only after arrival at the Groove Audit server, affording a highly secure auditing environment. In addition, NTFS permissions are used to prevent unauthorized manipulation of logs and the Audit Service that manages them. The Audit Service purges client logs once they have been uploaded to the Groove Audit server and applies security credentials that prevent spoofing of the audit server or of other operating system users on the Groove client.

Each Groove Audit application is associated with and depends upon its parent Groove Server Manager installation. If you need to enable auditing on several servers, you must install Groove Manager with the Groove Audit feature separately on each server and pair each front end with a SQL backend server.

To utilize audit data, administrators must apply SQL queries to extract specific information, and use standard SQL-compatible reporting tools to analyze and format the audited data.

System and Network Impact

Auditing operations demand additional network bandwidth and storage, beyond that required for a Groove management system without Audit. Some audit operations, such as auditing contents of files added to tools, require more bandwidth than others.

In typical usage scenarios, the performance impact on Groove clients and servers can be significant and unexpected if IT and administrative personnel are unprepared. In environments where network and computing resources are inadequate for handling heavy audit volume, error conditions may arise, jeopardizing production schedules. Understanding the implications of an audit presence on Groove systems and allocating network and storage resources accordingly can help avoid the pitfalls of an inadequately supported auditing installation.

Because auditing can have a substantial impact on system resources, you should use discretion when setting policies that enable and control auditing. Affected resources at your site include the following:

- Disk space on Groove client devices (for log storage)
- Disk space for audit data on SQL server
- Bandwidth to upload logs
- Processing time to encrypt and decrypt logs


Important facts to consider before Audit installation include the following:

Audited data is not deleted from SQL databases automatically as it accumulates; collected data remains on the server until it reaches maximum system load or until administrative action is taken to remove it.

The policy, ‘Audit the contents of files added to tools’, if enabled, has an exceptionally high impact on system resources, including bandwidth usage and disk storage on clients and servers.

Groove Audit data resides in a SQL database and requires SQL queries and external reporting tools in order to have administrative value. In addition, if you choose to audit file content, you will need a file content extraction utility. Your Groove management system must include these resources to provide for successful auditing.


Capacity Considerations

The process for incorporating Groove Audit into a Groove management system depends largely on anticipated audit volume. You can gain a rough estimate of likely resource consumption by defining your Groove user base and estimating auditable tool usage per user per day.

Begin by noting the following information:

- Number of Groove users to be audited
- Which events will be audited
- Estimated number and size of client events per user per day
- Estimated number and size of workspace events per user per day
- Estimated number and size of tool events per user per day
- Estimated number and volume of content in files per user per day

You can use the table below as a sample worksheet. The values in the table are based on conditions where, each day, each Groove user may:

- logon/off 4 times,
- send 1 instant message (IM) and 1 workspace invitation,
- add 3 files to a workspace (add 1 Word document to the Files tool, attach 1 Powerpoint file to a Discussion entry, and attach 1 spreadsheet to an instant message), and
- edit the contents of 3 files (possibly).

In this use case, values and calculations might look as follows:

Parameters: Maximum Value Estimates*

- Number of Groove users to be audited: 20
- Which events will be audited: User account logon/off, instant messages and invitations, Files and Discussion tools, contents of files
- Estimated number of client logon/off events per user per day: 4 events x 2Kb per user per day
- Estimated number and size of client instant messages and Groove invitations per user per day: (1 x 8Kb IMs) + (1 x 8Kb IMs) per user per day
- Estimated number and size of Workspace events per user per day (adding/removing members, setting roles): 0
- Estimated number and size of File events and Discussion entries generated per user per day: (3 x 5Kb Files) + (12 x 30Kb Discussion entries) per user per day
- Estimated number and volume of content in files per user per day (if ‘Audit the contents of files added to tools’ policy is set): 3 x 500Kb per user per day

* In each case, supply maximum rather than average values, to ensure that your installation can handle extreme use cases if conditions arise.

Next, calculate the total estimated Groove audit volume per day, based on the values you recorded in the worksheet above. For example, the values in the example above produce the following results:

Without file content auditing:

8Kb/user/day + 16Kb/user/day + 15Kb/user/day + 360Kb/user/day ~= 400Kb/user/day

400 x 20 users = 8,000Kb/day

With file content auditing:

8Kb/user/day + 16Kb/user/day + 15Kb/user/day + 360Kb/user/day + 1,500Kb/user/day ~= 2,000Kb/user/day

2,000Kb x 20 users = 40,000Kb/day

This can give you an idea of the additional bandwidth necessary to support auditing and the required storage in a SQL database. Note the order-of-magnitude difference between the result when file content is not audited as compared to the result which reflects auditing of file content changes. In a large company, that difference could be compounded.

The estimates above do not include the bandwidth associated with the logging of user identity metadata for each event, but metadata comprises only a small percentage of audited data and can be accommodated by using the slightly inflated values mentioned above.
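The worksheet arithmetic above as a small calculator, extended to show which row dominates the volume and how many days a fixed SQL storage budget lasts, since audited data is not deleted automatically. This is an added example, not part of the Microsoft guide: the class and function names and the 10 GB budget are assumptions, and the guide's "Kb" is treated as kilobytes. It reports exact sums (399 and 1,899 Kb per user per day), which the guide rounds up to 400 and 2,000.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WorksheetRow:
    """One worksheet line: maximum events per user per day and size per event."""
    label: str
    events: int                  # maximum count per user per day
    kb_each: int                 # size per event in the guide's "Kb" (assumed kilobytes)
    file_content: bool = False   # logged only when the file-content audit policy is set

    def __post_init__(self):
        if self.events < 0 or self.kb_each < 0:
            raise ValueError(f"{self.label}: counts and sizes must be non-negative")

    @property
    def kb_per_user_day(self) -> int:
        return self.events * self.kb_each


# Values copied from the sample worksheet. The guide gives the IM/invitation row as
# "(1 x 8Kb IMs) + (1 x 8Kb IMs)"; it is split into two rows here.
SAMPLE_ROWS = (
    WorksheetRow("Client logon/off events", 4, 2),
    WorksheetRow("Instant messages", 1, 8),
    WorksheetRow("Workspace invitations", 1, 8),
    WorksheetRow("Workspace events", 0, 0),
    WorksheetRow("File events", 3, 5),
    WorksheetRow("Discussion entries", 12, 30),
    WorksheetRow("File contents", 3, 500, file_content=True),
)
SAMPLE_USERS = 20


def active_rows(rows, audit_file_content):
    """Rows that generate audit data under the chosen policy."""
    return [r for r in rows if audit_file_content or not r.file_content]


def kb_per_user_day(rows, audit_file_content):
    """Exact audit volume for one user for one day."""
    return sum(r.kb_per_user_day for r in active_rows(rows, audit_file_content))


def kb_per_day(rows, users, audit_file_content):
    """Exact audit volume for the whole audited population for one day."""
    if users <= 0:
        raise ValueError("users must be positive")
    return users * kb_per_user_day(rows, audit_file_content)


def largest_contributor(rows, audit_file_content):
    """Label of the row that produces the most data: the first policy to reconsider."""
    rows = active_rows(rows, audit_file_content)
    return max(rows, key=lambda r: r.kb_per_user_day).label


def days_until_full(rows, users, audit_file_content, budget_kb):
    """Whole days of audit data that fit in budget_kb if nothing is archived or purged."""
    daily = kb_per_day(rows, users, audit_file_content)
    if daily == 0:
        return None  # nothing is being logged, so the budget is never consumed
    return budget_kb // daily


if __name__ == "__main__":
    budget_kb = 10 * 1024 * 1024  # assumed 10 GB reserved for audit tables
    for content in (False, True):
        print(
            f"file content audited={content}: "
            f"{kb_per_user_day(SAMPLE_ROWS, content)} Kb/user/day, "
            f"{kb_per_day(SAMPLE_ROWS, SAMPLE_USERS, content)} Kb/day, "
            f"largest row: {largest_contributor(SAMPLE_ROWS, content)}, "
            f"storage lasts {days_until_full(SAMPLE_ROWS, SAMPLE_USERS, content, budget_kb)} days"
        )
```

Replace `SAMPLE_ROWS` and `SAMPLE_USERS` with your own maximum values; the days-until-full figure gives an upper bound on the interval between archive and cleanup runs.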


Auditing Scenarios

The installation and configuration process for bringing Groove Audit online at a site depends upon the network topology appropriate for the anticipated capacity requirements and infrastructure. The following sections describe three basic scenarios, representing minimal, moderate, and heavy auditing volume. A fourth scenario illustrates a setting where auditing is performed on selected individuals and groups at different times, a practical solution that reduces the amount of hardware overhead required to satisfy your auditing needs.

Note: All auditing scenarios require Groove Servers installed onsite in an enterprise; auditing is not available through Microsoft-hosted Groove Enterprise Services.

Scenario with Minimal Auditing

John is the IT manager for a new division of Contoso Corporation, a supplier of recycled architectural products. The new division is given the task of marketing antique floor boards which have become increasingly available to buyers. John’s responsibilities include setting up a collaboration system for a team of about 100 PC users. In addition, corporate software management practices in place at Contoso require that user collaboration events be audited, along with other data input activities.

While most of the team will be based onsite at the division’s main office, some will be working offsite, at points of origin for the product. John has already deployed Microsoft Office in his division and set up a SharePoint server for archiving planning documents and reports. On any given work day, at most 75 Groove users will be active and each user will spend at most 30 minutes in a Groove workspace that contains only two auditable tools: Files and Discussion (the Meetings tool is not auditable and the management team has decided not to audit the SharePoint files tool used for archiving). Of the 100 PC users, only the 20 group leaders – those responsible for outlining strategy and filing daily progress reports – have roles that permit them to add, edit, and delete files. Only the team leader can create workspaces. Remaining contributors may participate in discussions but cannot manipulate or edit files. So in this environment, the amount of Groove activity subject to auditing will be low.

To support this low volume of auditing, John is installing one Audit-enabled Groove Manager front end server and one SQL back end server.

He will monitor server performance and disk storage and schedule regular data cleanups and archiving. After a year, John will consider future plans for the team and re-evaluate his hardware needs. If team activity in his division is expected to increase, he will consider acquiring new servers and installing Groove Audit on a separate dedicated front end server, as described in the next section.

Scenario with Basic Auditing

Jane is the IT manager for a major division of Contoso Corporation, a supplier of recycled architectural products. The division is responsible for marketing columns and balustrades, the largest segment of the company’s inventory. Jane’s responsibilities include setting up a collaboration system for a team of about 1,000 PC users. In addition, corporate software management practices in place at Contoso require that user collaboration events be audited, along with other data input activities.

Team members are located at company headquarters and at four regional offices around the country. Microsoft Office is already deployed throughout the division, SharePoint workspaces have been created, and Groove is running on most desktops and laptops. On any given work day, up to 500 Groove users will be active, creating workspaces, inviting colleagues to workspaces, outlining plans, discussing strategy, sending instant messages, and filing reports. Files, Discussion, and InfoPath tools are all subject to auditing, as is the sending of invitations and IMs. All users may have roles that allow them to add, edit, and delete files and records.

To support the division’s environment of moderate audit volume, Jane is installing one Groove Manager front end for the administrative UI, one Audit-enabled Manager Front End, and one shared SQL Back End.

She will monitor server performance and disk storage and schedule regular data cleanups and archiving. After a year, Jane will re-evaluate her hardware needs. If productivity in her division exceeds expectations, she may consider acquiring new servers to better scale operations.

Scenario with Heavy Volume of Auditing

Collaboration at Contoso International Corp. has resulted in an environment of heavy Groove use, and extensive, large-volume auditing is necessary to meet requirements for archiving and legal compliance. All 10,000 Groove users are audited, supported by a Groove management system comparable to the scenario above: one administrative Groove Server Manager, one Groove Server Manager with Audit, and one SQL server. Ideally, the company wants to scale its site to accommodate a growing work force.

This desired scenario would require multiple dedicated Groove Manager and Audit servers. While multiple Manager servers can share a SQL backend, each Audit server must be separately installed with its own SQL server backend.

Scenario with Selective Auditing

Basic auditing scenarios can be shrunk by creating separate groups that target a subset of users – for example, a person suspected of disclosing proprietary information or a specific team whose work must be audited to comply with legal requirements. In this way, resources can be minimized, proportional to the fraction of the user base that is targeted for auditing.


Groove Audit Requirements

The following table summarizes the basic requirements for running Groove Audit with Groove Server Manager 2007:

Resource: Administrative expertise
Requirement: Audit administrators must be familiar with SQL, SQL database structure, and SQL reporting, as well as with Groove administration.

Resource: Hardware/Software requirements
Requirement: Groove Audit installations must comply with Groove Server Manager requirements, specified in the online Help that accompanies the Groove Server product. For details, see Requirements for Groove Audit (http://technet2.microsoft.com/Office/en-us/library/7f628622-2ede-4455-bd6b-2eef881f607a1033.mspx?mfr=true) in the Groove Server section of the Microsoft TechNet library.

Resource: Onsite Groove Server Manager
Requirement: Groove Server Manager 2007 SP1 must be installed on an IIS 6.0 server and be associated with a registered Domain Name Service (DNS) name. For details, see Getting Started with Groove Server Manager in the Groove Server section of the Microsoft TechNet library.

Installation options:

- Preferred: Dual installation – a primary administrative Groove Server Manager (without Audit) and a separate Audit-enabled Groove Server Manager, or
- Single audit-enabled Groove Server Manager

Note: Record the server name and login for future use.

Resource: Groove Audit
Requirement: The Groove Audit feature must be selected for installation under either of the following conditions:

- Preferred: Installed on a separate, dedicated Groove Server Manager machine that meets the Manager requirements described in the online Help that accompanies Groove Server, or
- Installed on the primary Groove Manager server. Consider this option only if a small volume of audit data is expected.

Note: Installing the auditing application on a separate, dedicated IIS front-end is the recommended configuration. This minimizes the impact of auditing activities on other Groove Manager tasks.

Note: Record the server name and login for future use.

Resource: Groove Audit policy
Requirement: Must be enabled in Groove Manager. This requires that a URL for your Groove Audit server (for example, http://grooveaudit.contoso.com) is specified in the Audit server URL field of your domain’s Device Policies template.

Resource: SQL server
Requirement: Installation requires at least one SQL server dedicated to Groove Server Manager (without Audit). In a dual installation, a separate SQL server dedicated to Audit-enabled Groove Server Manager is recommended to avoid overloading the server with Audit data.

For more details, see Getting Started with Groove Server Manager in the Groove Server section of the Microsoft TechNet library.

Note: Record the SQL server name and login for future use.

Resource: Groove client
Requirement: One of the following:

- Office Groove 2007 SP1 (preferred), or
- Groove 3.0, minimum

Resource: Groove Audit Service
Requirement: Must be enabled on all Groove clients. Groove Audit Service can be enabled by opening the Windows Services manager and setting the Microsoft Office Groove Audit Service to Automatic Startup.

Resource: Groove user identities
Requirement: Groove identities must be members of a Groove Manager domain.

For information about adding users to a domain, see ‘Managing Groove Users’ in the Groove Domain Operations section of the Groove Server entries in the Microsoft TechNet library.

Resource: Groove devices
Requirement: Domain member devices must be registered with a Groove Manager domain.

For information about adding devices to a domain, see ‘Managing Groove Device Policies’ in the Groove Domain Operations section of the Groove Server entries in the Microsoft TechNet library.


Installing and Configuring Groove Audit

Groove Auditing supplements the Groove Manager by providing another layer of administrative control. In setting up your site, be aware that a single Groove Audit installation is dedicated to a single specific Groove Manager; one Groove Audit installation cannot support multiple Groove Managers. However, multiple Groove Audit installations may be associated with a single Groove Manager.

For Shared Manager and Audit Front End

If you anticipate low volumes of audit data at your organization, you may consider installing a single Audit-enabled Groove Server Manager application, at least temporarily. Periodic data archiving and cleanup will be necessary to prevent server overload, and eventually, additional server hardware may be necessary.

Caution: Auditing Groove client events can have a substantial impact on system resources, including bandwidth usage and disk storage on clients and servers. Therefore, set the policy to enable client device auditing only if necessary. To minimize impact on other Groove Manager activities, installing Groove auditing on a separate, dedicated IIS front-end, with a separate, dedicated SQL back-end if possible, is recommended.

Note: Install Groove Server Manager 2007 with the latest service pack (SP) available. The initial 2007 release (prior to SP1) has a known issue which blocks relay and directory synchronization if Audit is installed on the system. Therefore, do not enable Groove auditing on your primary Groove Server Manager machine without the service pack that addresses it. For information about separate Audit and Manager installations, see the subsequent procedure, For Separate Manager and Audit Front Ends.

To install and enable Groove client auditing on a shared Manager server at your site:

1. Ensure that your IIS, SQL, and client systems meet Groove Audit requirements, as summarized previously, in Groove Audit Requirements. Note that this and related procedures should be executed only by experienced SQL administrators.

2. Install Groove Manager 2007 SP1 on an IIS server.

3. Upgrade your Groove 2007 client systems to SP1.

4. Run the Groove Manager setup.exe and follow the Setup wizard instructions.

5. When the Installation Options window appears, select Install Groove Server Manager with Groove Auditing. Selecting this option displays additional fields to configure Groove client auditing.

6. When the Groove Audit Server Configuration page appears, enter the required information, as described in the following table:

Groove Manager Audit Configuration Field: Explanation

Use the following SQL Server Login: Select this check box to specify native SQL server authentication. If you leave this option cleared, current login credentials will be used for authentication.

User Name: Enabled only if ‘Use the following SQL Server Login’ is selected. Type your login information for the SQL server to be used for Groove auditing information. Note: Make sure that the login gives you database sysadmin rights.

Password: Enabled only if ‘Use the following SQL Server Login’ is selected.

Database Information

SQL Server Name: Type the host name or Internet Protocol (IP) address of the SQL server to be used for Groove auditing information.

Database Name: Type the SQL database name for the Groove Auditing service, such as auditDB. The Installer creates this database, where the Groove Audit service will store collected Groove client audit logs.

7. Click Next.

8. Follow the Install wizard to the final window and click Finish. The Groove Manager administrative Web site opens.

9. Enable Groove auditing from the Groove Manager administrative Web site, by navigating to a Device Policy template, opening the Audit Policies tab, and entering the URL of your Audit-enabled Groove Manager server (for example, http://GMS.contoso.com).

10. From the Audit Policies page, enter the audit log upload interval; select the client, workspace, and tool events that you want to audit; set any other audit policies as needed; then save your changes. For more details about audit policy settings, see the section below, Adjusting Audit Policies.

Caution: Enabling the policy option, ‘Audit the contents of files added to tools’, will have an exceptionally high impact on system resources, including bandwidth usage and disk storage on clients and servers. Do not enable this audit option unless you have a strong business need to do so and then only if you have evaluated and prepared for its likely impact on your system.

11. If you want to limit Groove tool usage to only those tools which can be audited, go to the Client tab of the policy template and select the Device Policy that blocks use of non-auditable Groove tools. For details about this policy, see the section below, Blocking Use of Non-Auditable Groove Tools.

12. If your SQL gmsDB database has been edited since initial installation and you are an experienced SQL administrator, verify that the database is set correctly, as follows:

a. On the Groove Manager SQL back end, start SQL Server Management Studio (or equivalent), expand the gmsDB database, and open the GmsServers table.

b. Confirm that settings are as shown in the following table:

ComputerName      EnableDirectorySynchronization   EnableRelayServerSynchronization   IsAuditServer
<GMS/Audit>       1                                1                                  1

where 0 = False, 1 = True
GMSAudit = your audit server name

c. Edit the values if necessary to match the recommended settings.

d. If you edited values, restart the Groove Manager/Audit IIS front end.

13. If Groove users do not have administrative control over their devices, enable the Audit Service on these devices by updating the Windows Registry, as described subsequently in Enabling the Audit Service on Clients.

Once Groove users and devices have been added to a Groove Manager domain, and domain members log in and receive the audit policy, Groove activities will be logged and dispatched to SQL databases where you can view them. The Microsoft Office Groove Audit Service will be running on Groove clients and GrooveAuditService.exe will appear in the Windows Task Manager.

To view and utilize the audited data, you will need to use external SQL reporting tools, as described below, in Interpreting Groove Audit Data and Creating Reports.

For Separate Manager and Audit Front Ends

The recommended Groove Auditing setup is to install an administrative Groove Manager on one IIS front end server and an Audit-enabled Groove Manager on a separate IIS front end server, allowing the Manager to run with minimal impact from audit operations. These front ends may share a SQL server backend, but supporting each dedicated front-end with a separate, dedicated SQL back-end is recommended whenever possible.

The procedure below explains how to configure one server (GrooveManager) to run Groove Manager with its built-in administrative UI, relay synchronization, and optional directory integration, and a second server (GrooveAudit) to run Groove Manager as an Audit server. The recommended configuration for the stand-alone Audit server is to disable the administrative UI, relay synchronization, and optional directory synchronization. Preventing access to the UI helps isolate the audit server from unauthorized administrator contact and further secures the auditing environment. Disabling synchronization avoids problems that can arise when cooperating servers attempt to connect across firewalls. However, these adjustments involve editing the SQL database and IIS settings, and should only be attempted by knowledgeable administrators, familiar with these environments.

Caution: Auditing Groove events can have a substantial impact on system resources, including bandwidth usage and disk storage on clients and servers. Therefore, set the policy to enable auditing only if required by your software management infrastructure and reduce the impact of Audit operations on other Groove Manager activities by installing Groove Audit on a separate, dedicated IIS front-end, with a separate, dedicated SQL back-end.

To install and enable Groove client auditing on a dedicated server at your site:

1. Ensure that your IIS, SQL, and client systems meet Groove Audit requirements, as summarized previously, in Groove Audit Requirements. Note that this and related procedures should be executed only by experienced SQL administrators.

2. On the Groove Manager IIS machine, install Groove Manager 2007 SP1.

3. Upgrade your Groove 2007 client systems to SP1.

4. Run the Groove Server Manager setup.exe and follow the Setup wizard instructions. If a Groove Manager has already been set up at your site, the Groove Manager server information fields will already contain the required information.

5. When the Installation Options window appears, do not select the option to Install Groove Server Manager with Groove Auditing.

6. Follow the Install wizard to the final window and click Finish. The Groove Manager administrative Web site opens.

7. On the Groove Audit IIS machine, install Groove Manager 2007 with the latest Service Pack.

8. Run the Groove Server Manager setup.exe, and follow the Setup wizard instructions to configure the Groove Manager. Since a Groove Manager has already been set up at your site, the Groove Manager server information fields will already contain the required information.

9. Click Next.

10. When the Installation Options window appears, select Install Groove Server Manager with Groove Auditing. Selecting this option displays additional fields for configuring Groove client auditing.

11. When the Groove Audit Server Configuration page appears, enter the required information, as described in the following table:

Groove Manager Audit Configuration Fields: Explanations

Use the following SQL Server Login: Select this check box to specify native SQL server authentication. If you leave this option cleared, current login credentials will be used for authentication.

User Name: Enabled only if ‘Use the following SQL Server Login’ is selected. Type your login information for the SQL server to be used for Groove auditing information. Note: Make sure that the login gives you database sysadmin rights.

Password: Enabled only if ‘Use the following SQL Server Login’ is selected.

Database Information

SQL Server Name: Type the host name or Internet Protocol (IP) address of the SQL server to be used for Groove auditing information.

Database Name: Type the SQL database name for the Groove Auditing service, such as auditDB. The Installer creates this database, where the Groove Audit service will store collected Groove client audit logs.

12. Follow the Install wizard to the final window and click Finish.

13. To help secure your system, block access to the Groove Server Manager UI on the audit server machine by navigating to the GMS folder in IIS, opening the Properties window, and disabling all authentication for the GMS folder.

14. To disable relay and optional directory server synchronization, which are not required for Audit and can disrupt Groove management operations, verify that the SQL gmsDB database is set correctly, as follows (provided that you have the required expertise for editing SQL tables):

a. On the SQL server where the gmsDB database resides, start SQL Server Management Studio (or equivalent), expand the gmsDB database, and open the GmsServers table.

b. Confirm that settings are as shown in the following table:

ComputerName      EnableDirectorySynchronization   EnableRelayServerSynchronization   IsAuditServer
<GrooveManager>   1                                1                                  0
<GrooveAudit>     0                                0                                  1

where 0 = False, 1 = True
GrooveManager and GrooveAudit = your server names

c. Edit the values if necessary to match the recommended settings.

d. If you edited values, restart IIS on each of the associated Groove Manager and Groove Audit front ends.

15. If Groove users do not have administrative control over their devices, enable the Audit Service on these devices by updating the Windows Registry, as described subsequently in Enabling the Audit Service on Groove Clients.

16. Enable Groove auditing from the Groove Manager administrative Web site, by navigating to a Device Policy template, opening the Audit Policies tab, and entering the URL of your intended Audit server (for example, http://grooveAudit.contoso.com).

17. From the Audit Policies page, enter the audit log upload interval, then select the client, workspace, and tool events that you want to audit. You can set any other audit policies as needed, then save your changes. For more details about audit policy settings, see the section below, Adjusting Audit Policies.

Caution: Enabling the option, ‘Audit the contents of files added to tools’, will have an exceptionally high impact on system resources, including bandwidth usage and disk storage on clients and servers. Do not enable this audit option unless you have a strong business need to do so and then only if you have evaluated and prepared for its likely impact on your system.

18. If you want to limit Groove tool usage to only those tools which can be audited, go to the Client tab of the policy template and select the Device Policy that blocks use of non-auditable Groove tools. For details about this policy, see the section below, Blocking Use of Non-Auditable Groove Tools.

Once Groove users and devices have been added to a Groove Manager domain, and domain members log in and receive the audit policy, Groove activities will be logged and dispatched to SQL databases where you can view them. The Microsoft Office Groove Audit Service will be running on Groove clients and GrooveAuditService.exe will appear in the Windows Task Manager.

To view and utilize the audited data, you will need to use external SQL reporting tools, as described in Interpreting Audit Data and Creating Reports.
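The GmsServers check in step 14 above (and in step 12 of the shared-server procedure) can also be done with a read-only query instead of opening the table by hand. The following is an added example, not part of the original guide; it assumes the table is in the dbo schema and uses the guide's placeholder server names GrooveManager and GrooveAudit.

```sql
-- Added example (not from the Groove guide): read-only comparison of
-- gmsDB.GmsServers with the values recommended for separate front ends.
-- Assumptions: the table is in the dbo schema and the flag columns hold 0/1.
-- GrooveManager and GrooveAudit are the guide's placeholder names; use your own.
-- For a shared Manager/Audit server, list a single expected row with 1, 1, 1.
USE gmsDB;

SELECT
    COALESCE(s.ComputerName, e.ComputerName)        AS ComputerName,
    CAST(s.EnableDirectorySynchronization   AS int) AS DirSyncActual,
    e.DirSync                                       AS DirSyncExpected,
    CAST(s.EnableRelayServerSynchronization AS int) AS RelaySyncActual,
    e.RelaySync                                     AS RelaySyncExpected,
    CAST(s.IsAuditServer                    AS int) AS IsAuditActual,
    e.IsAudit                                       AS IsAuditExpected,
    CASE
        -- A server you expect is not registered in the table at all.
        WHEN s.ComputerName IS NULL THEN 'expected server has no row'
        -- A registered server that the expected list does not cover.
        WHEN e.ComputerName IS NULL THEN 'row not covered by expected list'
        -- NULL flags are treated as a mismatch rather than silently passing.
        WHEN COALESCE(CAST(s.EnableDirectorySynchronization   AS int), -1) <> e.DirSync
          OR COALESCE(CAST(s.EnableRelayServerSynchronization AS int), -1) <> e.RelaySync
          OR COALESCE(CAST(s.IsAuditServer                    AS int), -1) <> e.IsAudit
            THEN 'MISMATCH'
        ELSE 'ok'
    END                                             AS CheckResult
FROM dbo.GmsServers AS s
FULL OUTER JOIN (
    -- Recommended values from the table in step 14b.
    SELECT N'GrooveManager' AS ComputerName, 1 AS DirSync, 1 AS RelaySync, 0 AS IsAudit
    UNION ALL
    SELECT N'GrooveAudit', 0, 0, 1
) AS e
    ON e.ComputerName = s.ComputerName
ORDER BY 1;
```

Any row whose CheckResult is not 'ok' is one to correct under step c, followed by the IIS restart in step d.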

Adjusting Audit Policies

Audit policies apply to the optional Groove Audit feature, available with onsite Groove Server Manager (not available with Groove Enterprise Services). By default all audit settings are disabled. You can adjust these settings at any time.

The following table describes Groove device Audit policy settings for Groove Server Manager 2007:

Device Audit Policy Settings: Descriptions

Audit Server Policies

Audit Server URL: Specifies the Groove Manager server URL where the Groove Audit feature is enabled (for example, http://groove.contoso.com). Once you specify the URL of a Manager server where Audit has been installed and specify when and what auditing should take place, you enable Groove Auditing.

Upload audit logs every __ minutes/hours/days: Specifies the number of minutes, hours, and days in the log upload interval. At this interval, a Groove client's audit logs will be uploaded to the Groove Audit application. To minimize user disruption, uploads may occur slightly before or after the specified period, depending on user activity and idleness.

Disable Groove if auditing fails: Specifies that Microsoft Office Groove will stop functioning if auditing fails on managed devices in the domain group.

Groove Client Events

Audit all client events: Specifies whether client auditing captures all Groove account events, including instant messages and workspace invitations, login and logoff events, account creation, and contact list events.

If you want to audit a subset of Groove account events, select which type of events will be captured in client auditing. Note that some events - such as account creation and deletion, and logon failures - are always audited when auditing is enabled.

Audit instant messages and invitations

Audit login and logoff events

Audit contact events

Audit workspace events: Specifies whether client auditing captures Groove workspace events, including the following:

Member events (added, suspended, or deleted Groove workspace members)

Role events (changes to workspace member permission)

Tool Events

Audit events that occur in the following Groove tools: Specifies that client auditing captures events associated with selected Groove tools, including the following:

Chat

Discussion

Document Review

Files (including adding, editing, deleting, renaming, or moving a file)

Forms Tool

Groove File Sharing

InfoPath Tool

Audit the contents of files added to tools: Specifies that audit events include the contents of files added to Groove tools.

Caution: This feature causes all versions of all files added to audited workspaces to be sent to the audit server. Therefore, enabling it can have an exceptionally high impact on system resources, including bandwidth usage and disk storage on clients and servers. Do not enable this audit option unless you have a strong business need to do so and then only if you have evaluated and prepared for its likely impact on your system. Furthermore, be aware that you will need a content extraction utility (such as textcopy.exe, available with SQL 2000) in order to view readable file content.

Blocking Use of Non-Auditable Tools

In environments of tight security, you may want to audit any tools added to Groove workspaces. You can accomplish this by setting a policy that prohibits the use of Groove tools that cannot be audited. The following table lists non-audited and audited tools for Groove Server Manager 2007.

Non-auditable tools include:

Calendar

Meeting

Notepad

Pictures

Sketchpad

Auditable tools include:

Chat

Discussion

Document Review

Files (including adding, editing, deleting, renaming, or moving a file)

Forms Tool

Groove File Sharing

InfoPath Tool

SharePoint Mobile Workspaces

To prohibit the use of non-auditable tools in Groove workspaces:

1. Start the Groove Manager administrative interface on the administrative Groove Server Manager.

2. Open a Device Policy template.

3. Click the Client tab.

4. Select the policy, Prohibit non-Auditable tools.

5. Save your changes.

Enabling the Audit Service on Groove Clients

The Groove Audit Service, required for Groove Audit, is enabled in the Windows operating system (OS) of Groove client devices. By default, this service is turned off and set to Manual startup in Groove. However, when the Groove Audit feature is running in environments where Office workers have administrative control of their machines, Groove turns the Audit Service on for devices subject to auditing.

If Office workers at your organization do not have administrative privileges on their devices, Groove cannot turn on the client Audit Service silently. The Audit Service can be turned on only by someone with administrative permissions. To automate this process, you can use the Office Customization Tool to configure an .msp file with a registry update that will set the Audit Service to Automatic startup on client devices in the Windows domain. The Windows registry update is as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrooveAuditService]

"Start"=dword:00000002

Enabling and Disabling Groove Auditing

Once the Groove Audit server and Audit service have been installed and configured on Groove Server and Groove clients, you can set Groove Manager device policies to enable Groove client event auditing for groups of users in your domain.

You can disable auditing for groups of users by editing the Device Audit policy for templates associated with those users, so that the policy no longer points to a URL for the audit machine. Groove Audit cannot be uninstalled from a Groove Server Manager. However, you can disable auditing by editing the Device Audit policy for all templates so that it no longer points to a URL for the audit machine, preventing Audit from running. For a more permanent removal, you can consider uninstalling the Groove Server Manager front end, and reinstalling it without Audit, then deleting the Audit databases from the SQL back end.

Note: The Groove Audit feature cannot be added to a Manager server that was installed without it. To apply auditing to the same Groove Manager server, Groove Server Manager must be re-installed with the Audit feature enabled.

Enabling Auditing

To enable Groove auditing:

1. Make sure that Groove Server Manager with the Groove Audit feature is installed at your site, and that the Groove Audit Service is active on Groove client devices, as described in the section above, Installing and Configuring Groove Audit.

2. Go to the Groove Manager administrative Web site and navigate to the Device Policy template assigned to the user group that you want to audit.

3. Click the Audit Policies tab.

4. Enter information as follows:

a. In the Audit server URL field, enter the URL for your Groove Audit server (for example, http://grooveaudit.contoso.com).

b. Enter the Upload Audit logs interval.

c. For added security, you can select the option, Disable Groove if auditing fails.

d. In the Groove Client Events section of the page, select the user account and workspace events that you want to audit. Selecting Audit workspace events includes auditing of workspace member and role-related events. Selecting no events indicates no auditing of Groove client events for users assigned to this device policy template.

e. In the Tool Events section of the page, select the tool events that you want to audit.

f. If you want to audit the contents of files added to Groove, select the option to Audit the contents of files added to tools.

g. Caution: If you enable this option, all versions of all files added to workspaces of members affected by this policy will be sent to the audit server. If files are numerous or large, file auditing can notably tax the audit server and occupy considerable storage space on the SQL server. Furthermore, be aware that you will need a content extraction utility (such as textcopy.exe, available with SQL 2000) in order to view readable file content.

h. Repeat this procedure for other Device Policy templates as needed.

Disabling Auditing

To disable Groove auditing for users affected by a specific template:

1. Go to the Groove Manager administrative Web site and navigate to the Device Policy template assigned to the user group that you do not want to audit.

2. Click the Audit Policies tab.

3. Delete the URL from the Audit server URL field.

4. Save your changes.

5. Repeat this procedure for other Device Policy templates as needed.

Interpreting Audit Data and Creating Reports

Audited Groove client data stored in SQL tables must be interpreted to be understood and useful to an administrator. Typically, with basic knowledge of SQL databases and language, you can create SQL queries that will filter audited data for desired information. You can then create report templates, using SQL-compatible reporting tools, to output the returned data into meaningful information.

The following section provides background for understanding the Groove Audit data and the relationships among data tables. You can use this information to create customized Groove audit reports using SQL-compatible reporting tools.

Interpreting Audit Data

Groove client auditing data, generated via the optional Groove Audit feature of Groove Server Manager, is initially encrypted and stored on the client. Once the client reports the data, Groove Audit decrypts and parses the data into relational database tables in a SQL directory.

Each audited client instance of an event is reported separately, even when the same event affects multiple clients. So, for example, when a file is added to a workspace with three audited members, the event generates three duplicate entries in the database, one for each client.

Tables that contain data most useful to Groove administrators include:

audit_LogEntryProperties

audit_LogEntryAttributes

audit_SecurityEventLog

Groove Audit provides two Views, associated with two of these tables. You can use the provided Views as a starting point for generating your own SQL Views from the audit server tables. Two provided Views are:

Auditv_EventProperties

Auditv_EventAttributes
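The following added example, which is not part of the original guide, shows the kind of filtering query described above: one report of failed logons and lockouts, and one that collapses the per-client duplicates of a file event into a single row. It runs against a constructed temporary table whose column names are assumptions derived from the field list in this guide, not the real columns of Auditv_EventProperties; the event type and category codes are the ones listed in the readable-name tables of this guide.

```sql
-- Added example (not from the Groove guide). #EventProperties is a constructed
-- stand-in for the Auditv_EventProperties view; its column names are ASSUMED
-- from the guide's field list. Map them to the real view before reuse.
CREATE TABLE #EventProperties (
    DeviceGuid     varchar(36)   NOT NULL,
    SequenceNumber int           NOT NULL,
    EventCategory  int           NOT NULL,   -- 1 = Account, 2 = Files Tool
    EventType      int           NOT NULL,   -- 203 Log On, 205 Bad Password,
                                             -- 206 Lock Out, 300 File Added
    EventTimeGmt   datetime      NOT NULL,
    IdentityName   nvarchar(128) NOT NULL,
    PRIMARY KEY (DeviceGuid, SequenceNumber) -- one entry per device GUID/sequence pair
);

-- Constructed sample rows (not real audit data).
INSERT INTO #EventProperties VALUES ('DEV-A', 101, 1, 205, '2007-12-03T09:00:05', N'Sample User 1');
INSERT INTO #EventProperties VALUES ('DEV-A', 102, 1, 205, '2007-12-03T09:00:19', N'Sample User 1');
INSERT INTO #EventProperties VALUES ('DEV-A', 103, 1, 205, '2007-12-03T09:00:31', N'Sample User 1');
INSERT INTO #EventProperties VALUES ('DEV-A', 104, 1, 206, '2007-12-03T09:00:40', N'Sample User 1');
INSERT INTO #EventProperties VALUES ('DEV-B',  55, 1, 205, '2007-12-03T10:12:00', N'Sample User 2');
INSERT INTO #EventProperties VALUES ('DEV-B',  56, 1, 203, '2007-12-03T10:12:20', N'Sample User 2');
-- The same File Added event, reported once by each of three audited clients.
INSERT INTO #EventProperties VALUES ('DEV-B',  57, 2, 300, '2007-12-03T10:30:00', N'Sample User 2');
INSERT INTO #EventProperties VALUES ('DEV-C',  12, 2, 300, '2007-12-03T10:30:00', N'Sample User 2');
INSERT INTO #EventProperties VALUES ('DEV-D',   9, 2, 300, '2007-12-03T10:30:00', N'Sample User 2');

-- Report 1: identities and devices with repeated bad passwords or any lockout.
-- The threshold of 3 is an example value, not a recommendation from the guide.
SELECT
    IdentityName,
    DeviceGuid,
    SUM(CASE WHEN EventType = 205 THEN 1 ELSE 0 END) AS BadPasswords,
    SUM(CASE WHEN EventType = 206 THEN 1 ELSE 0 END) AS Lockouts,
    MIN(EventTimeGmt)                                AS FirstSeenGmt,
    MAX(EventTimeGmt)                                AS LastSeenGmt
FROM #EventProperties
WHERE EventType IN (205, 206)
GROUP BY IdentityName, DeviceGuid
HAVING SUM(CASE WHEN EventType = 205 THEN 1 ELSE 0 END) >= 3
    OR SUM(CASE WHEN EventType = 206 THEN 1 ELSE 0 END) >= 1
ORDER BY Lockouts DESC, BadPasswords DESC;

-- Report 2: Files Tool events with the per-client duplicates collapsed.
-- Assumes duplicate reports share event type, event time and identity.
SELECT
    EventType,
    EventTimeGmt,
    IdentityName,
    COUNT(*)        AS ReportingClients,
    MIN(DeviceGuid) AS ExampleDeviceGuid
FROM #EventProperties
WHERE EventCategory = 2
GROUP BY EventType, EventTimeGmt, IdentityName
ORDER BY EventTimeGmt;

DROP TABLE #EventProperties;
```

On the sample rows, the first report returns only Sample User 1 on DEV-A (three bad passwords, one lockout), and the second returns one File Added row with three reporting clients.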

The following figures show examples of Properties, Attributes, and EventLog table data:

Sample Audit_LogEntryProperties Data in EventProperties View

Sample Audit_LogEntryAttributes Data in EventAttributes View

Sample Audit_SecurityEventLog Data

The following table describes the most useful SQL tables of Groove Audit data.

Groove Audit SQL Tables

Groove Audit Data SQL Table Name Description

Event data

audit_LogEntryProperties: Contains high-level event descriptions that refer to key attributes. Attribute details can be obtained from the audit_LogEntryAttributes table. For example, if the Properties table shows a File Added event, the Attributes table will show which client device added the file to which workspace.

Device GUID

Date parsed

Account GUID

Event Category

Event date/time (GMT)

Identity Name

Identity URL

Event sequence Number

Event Type

One table entry is associated with each device GUID/Sequence Number pair (sequence numbers are unique to each Groove device).

audit_EventCatagoryReadableNames: Maps Event Category value in LogEntryProperties table to readable name. *

audit_EventTypeReadableNames: Maps Event Type value in LogEntryProperties table to readable name. *

Event attribute data

audit_LogEntryAttributes: Contains event attribute details, per Groove client. Each attribute name is preceded by an underscore, and is relatively short (to conserve space).

audit_AttributeReadableNames: Maps attrib_name value in LogEntryAttributes table to readable name. *

Session data

audit_LogSessionProperties: Contains session data, including:

Device GUID

Time that session started

Hostname of devices

Logged-in (OS) user

Device data

audit_Devices: Contains current device-based data, including:

Device GUID

Last time log data was received

Last sequence number received for a device.

File contents

audit_FileStorage: Contains contents of all audited file events (when the file content auditing policy is enabled). Long files are ‘chunked’ and stored temporarily in the chunk_DataStorage table. When a long file is completely re-assembled, it is stored in the audit_FileStorage table and a value of ‘1’ appears in the status column for that file.

Files of the same content are identified by a single hash, regardless of the file name.

Note: The File Data column of the FileStorage table contains all the binary contents of files, so avoid using this column in SQL queries.

Errors

Audit_SecurityEventLog: Lists error-related events.

audit_ErrorCodeReadableNames: Maps Reason in Security EventLog to readable error code string. *

* See detail tables below for Audit_Category, Type, Attribute, and ErrorReadableNames. Note that this information is subject to change.

Audit_EventCategoryReadableNames Table

Event Category   Readable Name

1 Account

2 Files Tool

3 Discussion Tool

4 Chat

5 Document Review Tool

6 InstantMessaging

7 Invitation

8 Misc

9 Groove File System (GFS)

10 Dynamics

11 Forms Run Time

13 Forms Design Time

14 Telespace

15 Info Path Run Time

16 Info Path Design Time

17 Share Point

Audit_EventTypeReadableNames Table

Event Type   Readable Name

100 Misc Generic String

101 Misc New File Content

200 Account Created

201 Account Marked As Deleted

202 Account Deleted

203 Account Log On

204 Account Log Off

205 Account Bad Password

206 Account Lock Out

300 File Added

301 File Deleted

302 File Modified

303 File Renamed

304 File Moved

305 File Read

400 Folder Added

401 Folder Deleted

402 Folder Renamed

403 Folder Moved

500 Discussion Entry Added

501 Discussion Entry Modified

502 Discussion Entry Deleted

600 Chat Text Added

601 Chat Undo Text Added

602 Chat Transcript Cleared

603 Chat Undo Transcript Cleared

700 Document Review Started

701 Document Review Reviewer Added

702 Document Review Comment Added

703 Document Review Comment Deleted

704 Document Review Comment Modified

705 Document Review Status Changed

706 Document Review Document Added

707 Document Review Document Deleted

708 Document Review Document Modified

709 Document Review Folder Added

710 Document Review Folder Deleted

800 IM Received

801 IM Opened

802 IM Sent

803 IM Replied To

804 IM Forwarded

805 IM Deleted

900 Invitation Sent

901 Invitation Received

902 Invitation Opened

903 Accept Invitation Sent

904 Decline Invitation Sent

905 Accept Invitation Received

906 Decline Invitation Received

907 Telespace Sent

908 Telespace Received

909 Invitation Saved

910 Invitation Deleted

911 Invitation Response Deleted

912 IM Integrator Invitation Sent

913 On Ramp Invitation Sent

914 On Ramp Data Imported

1000 Contact Added

1001 Contact Modified

1002 Contact Deleted

1100 Dynamics Do

1101 Dynamics Redo

1102 Dynamics Roll Forward

1200 Forms Runtime Add Record

1201 Forms Runtime Delete Record

1203 Forms Runtime Replace Record

1204 Forms Runtime Set Field

1205 Forms Runtime Import Record

1300 Forms Runtime Add Designer Provided Info

1400 Forms Design Time Add Design

1401 Forms Design Time Delete Design

1402 Forms Design Time Update Design

1500 Forms Design Time Add Record

1501 Forms Design Time Delete Record

1503 Forms Design Time Replace Record

1504 Forms Design Time Set Field

1505 Forms Design Time Import Record

1506 Forms Design Time Save To Groove

1600 Telespace Add Member

1601 Telespace Add Device

1602 Telespace Remove Member

1603 Telespace Remove Device

1604 Telespace Remove All Devices

1605 Telespace Change Member Role

1700 Telespace Add Permission

1701 Telespace Remove Permission

1702 Telespace Change Member Role

1800 SharePoint Synchronization Start

1801 SharePoint Synchronization End

1802 SharePoint Baton Request

1803 SharePoint Baton Response

Audit_AttributeReadableNames Table

Attrib_name    Error Code

_dt Date Time

_k Key

_u User Name

_dg DeviceGUID

_err Error

_iv IV

_mac MAC

_body Body

_q Sequence Number

_c CategoryID

_t TypeID

_ag AccountGUID

_iu Identity URL

_in Identity Full Name

_sn Telespace Display Name

_su TelespaceURL

_tn Tool Display Name

_tu ToolURL

_cn Creator Contact Display Name

_cu Creator Contact URL

_cdg Creator Device GUID

_bf0 Binary File Name

_bf1 Binary File Name

_h Hostname

_ha0 Binary File Hash

_ha1 Binary File Hash

_d Delta ID

_zu Sender URL

_zn Sender Name

_ru Recipient URL

_rn Recipient Names

_vm Has Voice Memo

_bd Body

_ro Role

_rc Requires Confirmation

_sip Saved Invitation Pathname

_rd Raw Delta

Audit_ErrorCodeReadableNames

ErrorCode    Error String

1 Decryption failed.

2 Signature verification failed.

3 Lock on key mismatch. Device already registered.

4 Device registered, but key failed to decrypt.

5 Multipart upload failed because of missing parts.

6 Decryption/verification of uploaded binary file failed.

7 Log state indicates that client abnormally terminated. Unless severe log errors are encountered, log will be stored.

8 Problems determining the consistent state of the log.

9 The log has missing sequences.

10 Problems parsing/storing log into database.

11 The digest that was computed did not match the digest that was transmitted from the client.

Removing User Data

A stored procedure in the Audit database allows you to clear the database of all user data. If you must remove all user data from the database (to regain storage space, for example), you can back up your data, then use the procedure helper_ClearDatabase. Note that once you run this procedure, a one-time-per-audited-user error appears in the SecurityEventLog table as a result of the missing sequence numbers associated with the deleted users.

Caution: Use the helper command with care on the auditDB database only. If you inadvertently run this procedure in the gmsDB database, you risk losing all your user data and destroying your entire installation. Be sure to back up your data before running the procedure.

Creating SQL Queries

The simplest approach to utilizing Groove Audit data is to employ SQL queries that filter the data for specific information. The examples below provide models for creating and invoking three common SQL queries:

Search for a specific string in audited Groove instant messages

Search for the Files tool activities of a specific audited Groove user

Search for a specific audited file

Caution: Because the File Data column of the audit_FileStorage table contains all the binary contents of files, avoid referencing this column in SQL queries.

Search IMs for a String Using SearchIMs

The following procedure searches the audit database for all instances of audited Groove instant message traffic (sent and received) that contain a specified string.

To create and invoke a procedure that searches audited Groove IMs for a string, follow these steps:

1. Create a stored procedure, entitled SearchIMs, using the following model:

CREATE PROCEDURE [dbo].[SearchIMs]
    @keyword nvarchar(32) = NULL
AS
BEGIN
    -- Wrap the keyword in wildcards so that LIKE performs a substring match.
    declare @LikeExpression nvarchar(34)
    set @LikeExpression = '%' + @keyword + '%'

    SET NOCOUNT ON;

    SELECT audit_LogEntryProperties.attr_datetime AS [Date / Time],
           audit_LogEntryProperties.attr_identity_name AS Person,
           audit_EventTypeReadableNames.ReadableName AS Action,
           audit_AttributeReadableNames.ReadableValue AS AttributeName,
           audit_LogEntryAttributes.attrib_value AS AttributeValue
    FROM audit_LogEntryProperties
        INNER JOIN audit_EventTypeReadableNames
            ON audit_LogEntryProperties.attr_event_type = audit_EventTypeReadableNames.EventType
        INNER JOIN audit_LogEntryAttributes
            ON audit_LogEntryProperties.DeviceGuid = audit_LogEntryAttributes.DeviceGuid
            AND audit_LogEntryProperties.attr_seq_number = audit_LogEntryAttributes.SequenceNumber
        INNER JOIN audit_AttributeReadableNames
            ON audit_LogEntryAttributes.attrib_name = audit_AttributeReadableNames.AttributeName
    -- Event category 6 is InstantMessaging.
    WHERE (audit_LogEntryProperties.attr_event_catagory = '6')
        and audit_LogEntryAttributes.attrib_value like @LikeExpression
    -- DESC on the date returns the newest entries first, as described below.
    ORDER BY audit_LogEntryProperties.attr_datetime DESC,
             audit_LogEntryProperties.DeviceGuid,
             audit_LogEntryProperties.attr_seq_number
END
GO

2. Enter the following command line to invoke the SearchIMs procedure to search IMs that contain the string ‘contoso2’:

Exec SearchIMs 'contoso2'

This query returns all IMs containing the specified string, with the results sorted in reverse chronological order.

Search for File Information Associated with User via SearchUser

The following procedure returns workspace and Files tool activity for an audited user whose name matches a specified string.

To create and invoke a procedure to search for a specific audited Groove user, follow these steps:

1. Create a stored procedure, entitled SearchUser, using the following model:

CREATE PROCEDURE [dbo].[SearchUser]
    @UserName nvarchar(32) = NULL
AS
BEGIN
    -- Wrap the name in wildcards so that LIKE performs a substring match.
    declare @LikeExpression nvarchar(34)
    set @LikeExpression = '%' + @UserName + '%'

    select audit_LogEntryProperties.attr_datetime AS [Date / Time],
           audit_LogEntryAttributes.attrib_name,
           audit_LogEntryProperties.attr_identity_name AS Person,
           audit_EventTypeReadableNames.ReadableName AS Action,
           audit_AttributeReadableNames.ReadableValue AS AttributeName,
           audit_LogEntryAttributes.attrib_value AS AttributeValue
    FROM audit_LogEntryProperties
        INNER JOIN audit_EventTypeReadableNames
            ON audit_LogEntryProperties.attr_event_type = audit_EventTypeReadableNames.EventType
        INNER JOIN audit_LogEntryAttributes
            ON audit_LogEntryProperties.DeviceGuid = audit_LogEntryAttributes.DeviceGuid
            AND audit_LogEntryProperties.attr_seq_number = audit_LogEntryAttributes.SequenceNumber
        INNER JOIN audit_AttributeReadableNames
            ON audit_LogEntryAttributes.attrib_name = audit_AttributeReadableNames.AttributeName
    -- Event category 2 is the Files Tool; event type 300 is File Added.
    WHERE (audit_LogEntryProperties.attr_event_catagory = '2')
        and audit_LogEntryProperties.attr_event_type = '300'
        -- Keep the file name (_bf), file hash (_ha), workspace name (_sn) and
        -- tool name (_tn) attributes. [_] matches the leading underscore
        -- literally; a bare _ is a single-character wildcard in LIKE.
        and (audit_LogEntryAttributes.attrib_name like '[_]bf%'
            or audit_LogEntryAttributes.attrib_name like '[_]ha%'
            or audit_LogEntryAttributes.attrib_name = '_sn'
            or audit_LogEntryAttributes.attrib_name = '_tn')
        and audit_LogEntryProperties.attr_identity_name like @LikeExpression
    order by audit_LogEntryProperties.attr_datetime desc,
             audit_LogEntryAttributes.attrib_name desc
END
GO

2. Enter the following command line to invoke the SearchUser procedure to search the Groove Audit database for a user named ‘steve’:

Exec SearchUser 'steve'

This query returns all Files tool activity for all users whose full name contains the string ‘steve’, including the hash of any audited files associated with the user. Results are returned in reverse chronological order.

Search for a File Using SearchFile

If the Groove Manager Audit policy, ‘Audit the contents of files added to tools’, is enabled at your site, you can use the following procedure to return the binary contents of a specific audited file. First, obtain the hash for the file associated with the audited user who generated the file event, as described previously in Search for File Information Associated with User via SearchUser. Then access the binary file content, using the following sample query as a model.

To create and invoke a procedure that searches the Groove Audit database for the binary contents of a specific file, follow these steps:

1. Create a stored procedure, entitled SearchFile, using the following model:

CREATE PROCEDURE [dbo].[SearchFile]
    @Hash nvarchar(1282)
AS
BEGIN
    -- Return the stored binary content of the file whose hash matches @Hash.
    select FileData from audit_fileStorage
    where Hash = @Hash and status = 1
END
GO

2. Enter the following command line to invoke the SearchFile procedure to search the Groove Audit database for the file with the HASH, ‘KAAA…’:

Exec SearchFile 'KAAAAAAAAAAEAAAAUwBIAEEAMQAUAAAAJAwr5MaJEAdPQfHHuWx/8X3Itns='

This query returns the binary file contents of the file. See the next section, Extracting File Content, for information about extracting the contents to a readable file.
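The tables used in these procedures also support security review of the Account events listed in the Audit_EventTypeReadableNames table. The following is an added example, not part of the original guide: the procedure name SearchFailedLogons, its parameters and the threshold are assumptions, and it assumes that attr_datetime is a datetime column and that attr_identity_name is populated for these events.

```sql
-- Added example: SearchFailedLogons and its parameters are hypothetical.
-- Reports identities and devices with repeated Account Bad Password (205)
-- events, or any Account Lock Out (206) event, since a given time.
CREATE PROCEDURE [dbo].[SearchFailedLogons]
    @Since datetime,        -- start of the review window
    @MinFailures int = 5    -- report at or above this many bad passwords
AS
BEGIN
    SET NOCOUNT ON;

    SELECT p.attr_identity_name AS Person,
           p.DeviceGuid,
           SUM(CASE WHEN p.attr_event_type = '205' THEN 1 ELSE 0 END) AS BadPasswords,
           SUM(CASE WHEN p.attr_event_type = '206' THEN 1 ELSE 0 END) AS LockOuts,
           MIN(p.attr_datetime) AS FirstSeen,
           MAX(p.attr_datetime) AS LastSeen
    FROM audit_LogEntryProperties AS p
    -- Event category 1 is Account. Values are compared as strings, following
    -- the guide's own procedures.
    WHERE p.attr_event_catagory = '1'
      AND p.attr_event_type IN ('205', '206')
      AND p.attr_datetime >= @Since
    GROUP BY p.attr_identity_name, p.DeviceGuid
    HAVING SUM(CASE WHEN p.attr_event_type = '205' THEN 1 ELSE 0 END) >= @MinFailures
        OR SUM(CASE WHEN p.attr_event_type = '206' THEN 1 ELSE 0 END) > 0
    ORDER BY LastSeen DESC;
END
GO
```

Grouping by DeviceGuid as well as identity separates failures on a user's usual device from failures on an unfamiliar one.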

Extracting File Content

If the Groove Manager Audit policy, ‘Audit the contents of files added to tools’, is enabled and you want to see the contents of an audited file, you need a SQL-compatible utility that extracts the binary contents into a readable file. Once you have located the binary file content in the SQL database tables, as described previously in Search for File Information Associated with User via SearchUser, you can extract the content from the table and reconstitute it into readable format using an additional utility, such as textcopy.exe, available with SQL 2000. The following example outlines the procedure using textcopy.exe.

To copy the binary contents of an auditable file from a column in the SQL database table into a readable file using textcopy.exe, follow this procedure:

1. Locate the file content in the SQL database tables, as described previously in Search for File Information Associated with User via SearchUser.

2. From the SQL server that supports your Groove Audit installation, locate textcopy.exe (available with SQL 2000).

3. Open a command window and navigate to the directory containing the standard SQL Server .exe files. The following table shows default locations, depending on SQL version:

SQL Server version    Default Directory

SQL Server 6.5        C:\Mssql\Binn for SQL Server 6.5

SQL Server 7.0        C:\Mssql7\Binn for SQL Server 7.0

4. Use textcopy.exe to extract content from an audited file as described in the subsequent steps. You can display a generic version of these instructions from a command prompt, by typing: textcopy /?

Textcopy copies a single text or image value into or out of SQL Server. The value is a specified text or image 'column' of a single row (specified by the "where clause") of the specified 'table'. If the direction is IN (/I), the data from the specified 'file' is copied into SQL Server, replacing the existing text or image value. If the direction is OUT (/O), as in this example, the text or image value is copied from SQL Server into the specified 'file', replacing any existing file. Textcopy has the following format and parameters:

TEXTCOPY [/S [sqlserver]] [/U [login]] [/P [password]]

[/D [database]] [/T table] [/C column] [/W"where clause"]

[/F file] [{/I | /O}] [/K chunksize] [/Z] [/?]

Parameter    Value

/S sqlserver The SQL Server to connect to. If 'sqlserver' is not specified, the local SQL Server is used.

/U login The login to connect with. If 'login' is not specified, a trusted connection will be used.

/P password The password for 'login'. If 'password' is not specified, a NULL password will be used.

/D database The database that contains the table with the text or image data. If 'database' is not specified, the default database of 'login' is used.

/T table The table that contains the text or image value.

/C column The text or image column of 'table'.

/W where clause A complete where clause (including the WHERE keyword) that specifies a single row of 'table'.

/F file The file name.

/I Copy text or image value into SQL Server from 'file'.

/O Copy text or image value out of SQL Server into 'file'.

/K chunksize Size of the data transfer buffer in bytes. Minimum value is 1024 bytes, default value is 4096 bytes.

/Z Display debug information while running.

/? Display this usage information and exit.

5. Create a stored procedure comparable to the following:

Note: You will be prompted for any required parameters that you do not specify.

CREATE PROCEDURE sp_textcopy (
    @srvname varchar (30),
    @login varchar (30),
    @password varchar (30),
    @dbname varchar (30),
    @tbname varchar (30),
    @colname varchar (30),
    @filename varchar (30),
    -- Widened from varchar (40): the WHERE clause used in step 6 is longer
    -- than 40 characters and would otherwise be silently truncated.
    @whereclause varchar (255),
    @direction char(1))
AS
-- Every parameter is concatenated unescaped into an operating system command
-- line, so grant EXECUTE on this procedure to trusted administrators only.
-- Sized (was varchar (255)) to hold the longer WHERE clause.
DECLARE @exec_str nvarchar (4000)
SELECT @exec_str =
    'textcopy /S ' + @srvname +
    ' /U ' + @login +
    ' /P ' + @password +
    ' /D ' + @dbname +
    ' /T ' + @tbname +
    ' /C ' + @colname +
    ' /W "' + @whereclause +
    '" /F ' + @filename +
    ' /' + @direction
EXEC master..xp_cmdshell @exec_str

6. Extract the proc.doc file from the SQL auditDB database, located in the FileData column of the audit_FileStorage table, writing the file c:\proc.doc, where hash=N’KAAAAAAAAAAEAAAAUwBIAEEAMQAUAAAAJAwr5MaJEAdPQfHHuWx/8X3Itns=’ as follows:

Note: The hash column in the audit_FileStorage table is an nvarchar data type, so you must include ‘N’ when specifying the hash string.

Exec sp_textcopy @srvname = 'ServerName',
    @login = 'Login',
    @password = 'Password',
    @dbname = 'auditDB',
    @tbname = 'audit_FileStorage',
    @colname = 'FileData',
    @filename = 'c:\proc.doc',
    @whereclause = ' WHERE hash=N''KAAAAAAAAAAEAAAAUwBIAEEAMQAUAAAAJAwr5MaJEAdPQfHHuWx/8X3Itns=''',
    @direction = 'O'
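Because sp_textcopy passes its parameters straight to xp_cmdshell, a narrower wrapper limits what a caller can place on the command line. The following is an added example, not code from the guide: the procedure name ExportAuditedFile and the directory C:\AuditExport are assumptions, as is treating the hash as base64 text (based on the sample value above).

```sql
-- Added example: ExportAuditedFile and C:\AuditExport\ are hypothetical names.
CREATE PROCEDURE [dbo].[ExportAuditedFile]
    @login    varchar(30),
    @password varchar(30),
    @Hash     nvarchar(1282),  -- Hash value as returned by SearchUser
    @FileName varchar(30)      -- bare file name; the directory is fixed below
AS
BEGIN
    SET NOCOUNT ON;

    -- Assumption: hashes are base64 text, as in the guide's sample value.
    -- The binary collation keeps the A-Z ranges from matching other letters.
    IF @Hash IS NULL OR @Hash = N''
       OR @Hash COLLATE Latin1_General_BIN LIKE N'%[^A-Za-z0-9+/=]%'
    BEGIN
        RAISERROR('Hash must be non-empty base64 text.', 16, 1)
        RETURN
    END

    -- Letters, digits, dot and underscore only: no path separators, spaces or quotes.
    IF @FileName IS NULL OR @FileName = ''
       OR @FileName COLLATE Latin1_General_BIN LIKE '%[^A-Za-z0-9._]%'
       OR @FileName LIKE '%..%'
    BEGIN
        RAISERROR('File name contains characters that are not allowed.', 16, 1)
        RETURN
    END

    -- Reject spaces, double quotes and cmd.exe metacharacters in the credentials.
    IF @login IS NULL OR @password IS NULL
       OR @login LIKE '%[ "&|<>^%]%' OR @password LIKE '%[ "&|<>^%]%'
    BEGIN
        RAISERROR('Login or password contains characters that are not allowed.', 16, 1)
        RETURN
    END

    -- Confirm the row exists without reading the FileData column.
    IF NOT EXISTS (SELECT 1 FROM audit_FileStorage WHERE Hash = @Hash AND status = 1)
    BEGIN
        RAISERROR('No stored file matches that hash.', 16, 1)
        RETURN
    END

    -- Database, table, column and direction are fixed; callers cannot change them.
    DECLARE @server nvarchar(128), @cmd nvarchar(4000)
    SET @server = @@SERVERNAME
    SET @cmd = N'textcopy /S ' + @server
             + N' /U ' + @login + N' /P ' + @password
             + N' /D auditDB /T audit_FileStorage /C FileData'
             + N' /W "WHERE hash=N''' + @Hash + N'''"'
             + N' /F C:\AuditExport\' + @FileName + N' /O'
    EXEC master..xp_cmdshell @cmd
END
GO
```

Create the wrapper in the auditDB database so that the existence check runs against audit_FileStorage.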

Creating Reports

To view Groove Audit reports, you must create report templates using external SQL reporting tools. For example, Microsoft Reporting Services 2005 and ProClarity Desktop Professional provide reporting and analytics capabilities, respectively. Or you may have preferred tools with which you are familiar. Once you have set Groove Policies that specify what events to audit and created SQL queries to access the desired data, you can express that data in reports using the dashboard and analytics reporting tools of your choice.

Additional Resources

Getting Started with Groove Server Manager at: http://go.microsoft.com/fwlink/?LinkId=104239

Enabling Groove Client Auditing at: http://go.microsoft.com/fwlink/?LinkId=104242

Viewing Groove Domain Reports at: http://go.microsoft.com/fwlink/?LinkId=104240