Microsoft® Office Groove® 2007 Auditing - Prescriptive Guide
December 2007
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Office Groove 2007, and Microsoft Office Groove Server 2007 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
http://www.microsoft.com/office/groove/ 2
Table of Contents
Overview of Groove Audit
    What It Is
    How Groove Auditing Works
    System and Network Impact
Capacity Considerations
Auditing Scenarios
    Scenario with Minimal Auditing
    Scenario with Basic Auditing
    Scenario with Heavy Volume of Auditing
    Scenario with Selective Auditing
Groove Audit Requirements
Installing and Configuring Groove Audit
    For Shared Manager and Audit Front End
    For Separate Manager and Audit Front Ends
Adjusting Audit Policies
Blocking Use of Non-Auditable Tools
Enabling the Audit Service on Groove Clients
Enabling and Disabling Groove Auditing
    Enabling Auditing
    Disabling Auditing
Interpreting Audit Data and Creating Reports
    Interpreting Audit Data
        Sample Audit_LogEntryProperties Data in EventProperties View
        Sample Audit_LogEntryAttributes Data in EventAttributes View
        Sample Audit_SecurityEventLog Data
        Groove Audit SQL Tables
        Audit_EventCategoryReadableNames Table
        Audit_EventTypeReadableNames Table
        Audit_AttributeReadableNames Table
        Audit_ErrorCodeReadableNames
    Removing User Data
    Creating SQL Queries
        Search IMs for a String Using SearchIMs
        Search for File Information Associated with User via SearchUser
        Search for a File Using SearchFile
    Extracting File Content
    Creating Reports
Additional Resources
Overview of Groove Audit
Microsoft Office Groove Audit allows IT administrators to monitor designated Groove user activity by examining user account, workspace, and tool event data. Logged data is collected into a SQL database, to which administrators can apply SQL queries. Using external SQL-compatible reporting tools, administrators can generate formatted reports of audited data.
What It Is
Groove Audit is an optional feature provided with Groove Server Manager installation. When installed and enabled, the Audit feature provides a mechanism for collecting specific information about Groove user events into SQL databases. IT administrators can interpret the stored data and process it using SQL queries, or format audit output using external SQL reporting tools. These results can facilitate the oversight and secure management of Groove user activities.
Note: Groove Audit does not include reporting tools, although its stored data can be output via third-party SQL-compatible analytic and reporting tools.
Note: Groove Audit is available for onsite Groove Servers only, not for Groove Enterprise Services.
Audited events include those associated with Groove user accounts (such as logging on or off, sending an instant message, or inviting a colleague to a workspace), or with Groove workspaces and tools (such as adding a tool to a workspace or a file to the Files tool). Groove administrators can control what data will be audited by setting a policy that marks selected categories of events for auditing. Administrators can also set a policy that limits the tools in Groove workspaces to those tools which are auditable, such as Files, Discussion, and InfoPath. Whenever necessary, administrators can modify device policies to disable any or all aspects of auditing.
Audited data is stored in SQL database tables which must be interpreted and formatted in order to be useful for end-user administration. Using MS ProClarity, Reporting Services, or other reporting applications, database administrators can create templates that analyze and format the audited output into valuable reports.
Note that Groove Audit data is distinctly different from the Audit Log and Groove usage reports available from any Groove Server Manager installation. The following table shows how Groove Audit output differs from the data collected in Groove Server Manager reports:
Groove Audit data
Groove client events logged as they occur.
For example:
- User1 created workspaceA at <date/time>
- User1 added Discussion tool to workspaceA <date/time>
- User1 invited User2 to workspaceA <date/time>
- User2 entered Discussion tool in workspaceA <date/time>

Groove Server Manager Reports – Groove Usage and Activities
Statistics relating to Groove users, workspaces, and tools over a date range.
For example:
- Domain member names and status (active, pending, deleted)
- Number of workspaces that a member has joined
- Names of workspaces created by a member
- Workspace names and creation dates
- Workspace member names as of report date
- Number of users in workspace as of report date
- Names of tools in workspaces as of report date
- Number of minutes a tool was used during date range

Groove Server Manager Reports – Audit Log
Groove Server Manager events within a date range.
For example:
- Server startup
- Relay server added
- Domain added
- New domain member added

If auditing is necessary in a Groove collaboration environment, IT planners should follow best practices in place at their organization, along with these guidelines:
- Consider whether the Audit Log and Groove usage reports generated by Groove Server Manager will provide the type of data you need.
- If your organization requires Groove Auditing services, consider the available installation and setup options and select one most suited to your infrastructure and user population.
- Identify the Groove events that you want to audit.
- Estimate current and anticipated Groove activity that will be audited in your organization, then allocate resources accordingly.
- Install the necessary hardware and prepare your network for auditing.
- Install Manager and Auditing as appropriate for your organization, ensuring that Auditing can meet expected capacity without disrupting Groove Server Manager operations.
- Check Groove Audit requirements and make sure to configure servers and clients accordingly.
- Understand how to interpret the SQL tables of audited data.
- Create Report templates using MS ProClarity or other reporting tool for viewing audited data.
- Once Auditing begins, check load conditions regularly and be prepared to make necessary adjustments to configuration.
- Schedule archiving and cleanup of audited data. Audited data is not deleted automatically; it accumulates until it reaches maximum system load or until administrative action is taken to remove it.
How Groove Auditing Works
The Audit option is selected during Groove Server Manager installation. After installation is complete, administrators can set a device policy that triggers Groove auditing on managed client devices that have been properly configured. The Audit Service must be enabled on Groove clients for auditing to take place. Audited data is then collected and stored in SQL databases.
The Groove Auditing capability has four components:
- The Groove client audit log which logs Groove user activity to an encrypted file on managed client devices.
- The Groove client Audit Service which manages the audit log for secure uploading to the Groove Audit application.
- The Groove Audit application which receives, decrypts, and stores the logs in an SQL database.
- The Groove Server Manager device policy that controls what events should be audited.
Groove audit logs are immediately encrypted on Groove clients upon event creation, and are decrypted only after arrival at the Groove Audit server, affording a highly secure auditing environment. In addition, NTFS permissions are used to prevent unauthorized manipulation of logs and the Audit Service that manages them. The Audit Service purges client logs once they have been uploaded to the Groove Audit server and applies security credentials that prevent spoofing of the audit server or of other operating system users on the Groove client.
Each Groove Audit application is associated with and depends upon its parent Groove Server Manager installation. If you need to enable auditing on several servers, you must install Groove Manager with the Groove Audit feature separately on each server and pair each front end with a SQL backend server.
To utilize audit data, administrators must apply SQL queries to extract specific information, and use standard SQL-compatible reporting tools to analyze and format the audited data.
System and Network Impact
Auditing operations demand additional network bandwidth and storage, beyond that required for a Groove management system without Audit. Some audit operations, such as auditing contents of files added to tools, require more bandwidth than others.
In typical usage scenarios, the performance impact on Groove clients and servers can be significant and unexpected if IT and administrative personnel are unprepared. In environments where network and computing resources are inadequate for handling heavy audit volume, error conditions may arise, jeopardizing production schedules. Understanding the implications of an audit presence on Groove systems and allocating network and storage resources accordingly can help avoid the pitfalls of an inadequately supported auditing installation.
Because auditing can have a substantial impact on system resources, you should use discretion when setting policies that enable and control auditing. Affected resources at your site include the following:
- Disk space on Groove client devices (for log storage)
- Disk space for audit data on SQL server
- Bandwidth to upload logs
- Processing time to encrypt and decrypt logs
Important facts to consider before Audit installation include the following:
- Audited data is not deleted from SQL databases automatically as it accumulates; collected data remains on the server until it reaches maximum system load or until administrative action is taken to remove it.
- The policy, ‘Audit the contents of files added to tools’, if enabled, has an exceptionally high impact on system resources, including bandwidth usage and disk storage on clients and servers.
- Groove Audit data resides in a SQL database and requires SQL queries and external reporting tools in order to have administrative value. In addition, if you choose to audit file content, you will need a file content extraction utility. Your Groove management system must include these resources to provide for successful auditing.
Capacity Considerations
The process for incorporating Groove Audit into a Groove management system depends largely on anticipated audit volume. You can gain a rough estimate of likely resource consumption by defining your Groove user base and estimating auditable tool usage per user per day.
Begin by noting the following information:
- Number of Groove users to be audited
- Which events will be audited
- Estimated number and size of client events per user per day
- Estimated number and size of workspace events per user per day
- Estimated number and size of tool events per user per day
- Estimated number and volume of content in files per user per day
You can use the table below as a sample worksheet. The values in the table are based on conditions where, each day, each Groove user may:
- logon/off 4 times,
- send 1 instant message (IM) and 1 workspace invitation,
- add 3 files to a workspace (add 1 Word document to the Files tool, attach 1 PowerPoint file to a Discussion entry, and attach 1 spreadsheet to an instant message), and
- edit the contents of 3 files (possibly).
In this use case, values and calculations might look as follows:
Parameters | Maximum Value Estimates*
Number of Groove users to be audited | 20
Which events will be audited | User account logon/off, instant messages and invitations, Files and Discussion tools, contents of files
Estimated number of client logon/off events per user per day | 4 events x 2Kb per user per day
Estimated number and size of client instant messages and Groove invitations per user per day | (1 x 8Kb IMs) + (1 x 8Kb IMs) per user per day
Estimated number and size of Workspace events per user per day (adding/removing members, setting roles) | 0
Estimated number and size of File events and Discussion entries generated per user per day | (3 x 5Kb Files) + (12 x 30Kb Discussion entries) per user per day
Estimated number and volume of content in files per user per day (if ‘Audit the contents of files added to tools’ policy is set) | 3 x 500Kb per user per day
* In each case, supply maximum rather than average values, to ensure that your installation can handle extreme use cases if conditions arise.
Next, calculate the total estimated Groove audit volume per day, based on the values you recorded in the worksheet above. For example, the values in the example above produce the following results:
Without file content auditing:
8Kb/user/day + 16Kb/user/day + 15Kb/user/day + 360Kb/user/day ~= 400Kb/user/day
400 x 20 users = 8,000Kb/day
With file content auditing:
8Kb/user/day + 16Kb/user/day + 15Kb/user/day + 360Kb/user/day + 1,500Kb/user/day ~= 2,000Kb/user/day
2,000Kb x 20 users = 40,000Kb/day
This can give you an idea of the additional bandwidth necessary to support auditing and the required storage in a SQL database. Note the order-of-magnitude difference between the result when file content is not audited as compared to the result which reflects auditing of file content changes. In a large company, that difference could be compounded.
The estimates above do not include the bandwidth associated with the logging of user identity metadata for each event, but metadata comprises only a small percentage of audited data and can be accommodated by using the slightly inflated values mentioned above.
Auditing Scenarios
The installation and configuration process for bringing Groove Audit online at a site depends upon the network topology appropriate for the anticipated capacity requirements and infrastructure. The following sections describe three basic scenarios, representing minimal, moderate, and heavy auditing volume. A fourth scenario illustrates a setting where auditing is performed on selected individuals and groups at different times, a practical solution that reduces the amount of hardware overhead required to satisfy your auditing needs.
Note: All auditing scenarios require the installation of Groove Servers installed onsite in an enterprise; auditing is not available through Microsoft-hosted Groove Enterprise Services.
Scenario with Minimal Auditing
John is the IT manager for a new division of Contoso Corporation, a supplier of recycled architectural products. The new division is given the task of marketing antique floor boards which have become increasingly available to buyers. John’s responsibilities include setting up a collaboration system for a team of about 100 PC users. In addition, corporate software management practices in place at Contoso require that user collaboration events be audited, along with other data input activities.
While most of the team will be based onsite at the division’s main office, some will be working offsite, at points of origin for the product. John has already deployed Microsoft Office in his division and set up a SharePoint server for archiving planning documents and reports. On any given work day, at most 75 Groove users will be active and each user will spend at most 30 minutes in a Groove workspace that contains only two auditable tools: Files and Discussion (the Meetings tool is not auditable and the management team has decided not to audit the SharePoint files tool used for archiving). Of the 100 PC users, only the 20 group leaders – those responsible for outlining strategy and filing daily progress reports – have roles that permit them to add, edit, and delete files. Only the team leader can create workspaces. Remaining contributors may participate in discussions but cannot manipulate or edit files. So in this environment, the amount of Groove activity subject to auditing will be low.
To support this low volume of auditing, John is installing one Audit-enabled Groove Manager front end server and one SQL back end server.
He will monitor server performance and disk storage and schedule regular data cleanups and archiving. After a year, John will consider future plans for the team and re-evaluate his hardware needs. If team activity in his division is expected to increase, he will consider acquiring new servers and installing Groove Audit on a separate dedicated front end server, as described in the next section.
Scenario with Basic Auditing
Jane is the IT manager for a major division of Contoso Corporation, a supplier of recycled architectural products. The division is responsible for marketing columns and balustrades, the largest segment of the company’s inventory. Jane’s responsibilities include setting up a collaboration system for a team of about 1,000 PC users. In addition, corporate software management practices in place at Contoso require that user collaboration events be audited, along with other data input activities.
Team members are located at company headquarters and at four regional offices around the country. Microsoft Office is already deployed throughout the division, SharePoint workspaces have been created, and Groove is running on most desktops and laptops. On any given work day, up to 500 Groove users will be active, creating workspaces, inviting colleagues to workspaces, outlining plans, discussing strategy, sending instant messages, and filing reports. Files, Discussion, and InfoPath tools are all subject to auditing, as is the sending of invitations and IMs. All users may have roles that allow them to add, edit, and delete files and records.
To support the division’s environment of moderate audit volume, Jane is installing one Groove Manager front end for the administrative UI, one Audit-enabled Manager Front End, and one shared SQL Back End.
She will monitor server performance and disk storage and schedule regular data cleanups and archiving. After a year, Jane will re-evaluate her hardware needs. If productivity in her division exceeds expectations, she may consider acquiring new servers to better scale operations.
Scenario with Heavy Volume of Auditing
Collaboration at Contoso International Corp. has resulted in an environment of heavy Groove use, and extensive, large-volume auditing is necessary to meet requirements for archiving and legal compliance. All 10,000 Groove users are audited, supported by a Groove management system comparable to the scenario above: one administrative Groove Server Manager, one Groove Server Manager with Audit, and one SQL server. Ideally, the company wants to scale its site to accommodate a growing work force.
This desired scenario would require multiple dedicated Groove Manager and Audit servers. While multiple Manager servers can share a SQL backend, each Audit server must be separately installed with its own SQL server backend.
Scenario with Selective Auditing
Basic auditing scenarios can be shrunk by creating separate groups that target a subset of users – for example, a person suspected of disclosing proprietary information or a specific team whose work must be audited to comply with legal requirements. In this way, resources can be minimized, proportional to the fraction of the user base that is targeted for auditing.
Groove Audit Requirements
The following table summarizes the basic requirements for running Groove Audit with Groove Server Manager 2007:
Resource: Administrative expertise
Requirement: Audit administrators must be familiar with SQL, SQL database structure, and SQL reporting, as well as with Groove administration.

Resource: Hardware/Software requirements
Requirement: Groove Audit installations must comply with Groove Server Manager requirements, specified in the online Help that accompanies the Groove Server product. For details, see Requirements for Groove Audit (http://technet2.microsoft.com/Office/en-us/library/7f628622-2ede-4455-bd6b-2eef881f607a1033.mspx?mfr=true) in the Groove Server section of the Microsoft TechNet library.

Resource: Onsite Groove Server Manager
Requirement: Groove Server Manager 2007 SP1 must be installed on an IIS 6.0 server and be associated with a registered Domain Name Service (DNS) name. For details, see Getting Started with Groove Server Manager in the Groove Server section of the Microsoft TechNet library.
Installation options:
- Preferred: Dual installation – a primary administrative Groove Server Manager (without Audit) and a separate Audit-enabled Groove Server Manager, or
- Single audit-enabled Groove Server Manager
Note: Record the server name and login for future use.

Resource: Groove Audit
Requirement: Groove Audit feature must be selected for installation under either of the following conditions:
- Preferred: Installed on a separate, dedicated Groove Server Manager machine that meets the Manager requirements described in the online Help that accompanies Groove Server, or
- Installed on the primary Groove Manager server. Consider this option only if a small volume of audit data is expected.
Note: Installing the auditing application on a separate, dedicated IIS front-end is the recommended configuration. This minimizes the impact of auditing activities on other Groove Manager tasks.
Note: Record the server name and login for future use.

Resource: Groove Audit policy
Requirement: Must be enabled in Groove Manager. This requires that a URL for your Groove Audit server (for example, http://grooveaudit.contoso.com) is specified in the Audit server URL field of your domain’s Device Policies template.

Resource: SQL server
Requirement: Installation requires at least one SQL server dedicated to Groove Server Manager (without Audit). In a dual installation, a separate SQL server dedicated to Audit-enabled Groove Server Manager is recommended to avoid overloading the server with Audit data.
For more details, see Getting Started with Groove Server Manager in the Groove Server section of the Microsoft TechNet library.
Note: Record the SQL server name and login for future use.

Resource: Groove client
Requirement: One of the following:
- Office Groove 2007 SP1 (preferred), or
- Groove 3.0, minimum

Resource: Groove Audit Service
Requirement: Must be enabled on all Groove clients. Groove Audit Service can be enabled by opening the Windows Services manager and setting the Microsoft Office Groove Audit Service to Automatic Startup.

Resource: Groove user identities
Requirement: Groove identities must be members of a Groove Manager domain.
For information about adding users to a domain, see ‘Managing Groove Users’ in the Groove Domain Operations section of the Groove Server entries in the Microsoft TechNet library.

Resource: Groove devices
Requirement: Domain member devices must be registered with a Groove Manager domain.
For information about adding devices to a domain, see ‘Managing Groove Device Policies’ in the Groove Domain Operations section of the Groove Server entries in the Microsoft TechNet library.
Installing and Configuring Groove Audit
Groove Auditing supplements the Groove Manager by providing another layer of administrative control. In setting up your site, be aware that a single Groove Audit installation is dedicated to a single specific Groove Manager; one Groove Audit installation cannot support multiple Groove Managers. However, multiple Groove Audit installations may be associated with a single Groove Manager.
For Shared Manager and Audit Front End
If you anticipate low volumes of audit data at your organization, you may consider installing a single Audit-enabled Groove Server Manager application, at least temporarily. Periodic data archiving and cleanup will be necessary to prevent server overload, and eventually, additional server hardware may be necessary.
Caution: Auditing Groove client events can have a substantial impact on system resources, including bandwidth usage and disk storage on clients and servers. Therefore, set the policy to enable client device auditing only if necessary. To minimize impact on other Groove Manager activities, installing Groove auditing on a separate, dedicated IIS front-end, with a separate, dedicated SQL back-end if possible, is recommended.
Note: Install Groove Server Manager 2007 with the latest service pack (SP) available. The initial 2007 release (prior to SP1) has a known issue which blocks relay and directory synchronization if Audit is installed on the system. Therefore, do not enable Groove auditing on your primary Groove Server Manager machine without the service pack that addresses it. For information about separate Audit and Manager installations, see the subsequent procedure, For Separate Manager and Audit Front Ends.
To install and enable Groove client auditing on a shared Manager server at your site:
1. Ensure that your IIS and SQL and client systems meet Groove Audit requirements, as summarized previously, in Groove Audit Requirements. Note that this and related procedures should be executed only by experienced SQL administrators.
2. Install Groove Manager 2007 SP1 on an IIS server.
3. Upgrade your Groove 2007 client systems to SP1.
4. Run the Groove Manager setup.exe and follow the Setup wizard instructions.
5. When the Installation Options window appears, select Install Groove Server Manager with Groove Auditing. Selecting this option displays additional fields to configure Groove client auditing.
6. When the Groove Audit Server Configuration page appears, enter the required information, as described in the following table:
Groove Manager Audit Configuration fields

Field: Use the following SQL Server Login
Explanation: Select this check box to specify native SQL server authentication.
If you leave this option cleared, current login credentials will be used for authentication.

Field: User Name
Explanation: Enabled only if ‘Use the following SQL Server Login’ is selected.
Type your login information for the SQL server to be used for Groove auditing information.
Note: Make sure that the login gives you database sysadmin rights.

Field: Password
Explanation: Enabled only if ‘Use the following SQL Server Login’ is selected.

Database Information

Field: SQL Server Name
Explanation: Type the host name or Internet Protocol (IP) address of the SQL server to be used for Groove auditing information.

Field: Database Name
Explanation: Type the SQL database name for the Groove Auditing service, such as auditDB. The Installer creates this database, where the Groove Audit service will store collected Groove client audit logs.

7. Click Next.
8. Follow the Install wizard to the final window and click Finish. The Groove Manager administrative Web site opens.
9. Enable Groove auditing from the Groove Manager administrative Web site, by navigating to a Device Policy template, opening the Audit Policies tab, and entering the URL of your Audit-enabled Groove Manager server (for example, http://GMS.contoso.com).
10. From the Audit Policies page, enter the audit log upload interval; select the client, workspace, and tool events that you want to audit; set any other audit policies as needed; then save your changes. For more details about audit policy settings, see the section below, Adjusting Audit Policies.
Caution: Enabling the policy option, ‘Audit the contents of files added to tools’, will have an exceptionally high impact on system resources, including bandwidth usage and disk storage on clients and servers. Do not enable this audit option unless you have a strong business need to do so and then only if you have evaluated and prepared for its likely impact on your system.
11. If you want to limit Groove tool usage to only those tools which can be audited, go to the Client tab of the policy template and select the Device Policy that blocks use of non-auditable Groove tools. For details about this policy, see the section below, Blocking Use of Non-Auditable Groove Tools.
12. If your SQL gmsDB database has been edited since initial installation and you are an experienced SQL administrator, verify that the database is set correctly, as follows:
a. On the Groove Manager SQL back end, start SQL Server Management Studio (or equivalent), expand the gmsDB database, and open the GmsServers table.
b. Confirm that settings are as shown in the following table:
ComputerName | EnableDirectorySynchronization | EnableRelayServerSynchronization | IsAuditServer
<GMS/Audit> | 1 | 1 | 1
where 0 = False, 1 = True, and GMS/Audit = your audit server name
c. Edit the values if necessary to match the recommended settings.
d. If you edited values, restart the Groove Manager/Audit IIS front end.
13. If Groove users do not have administrative control over their devices, enable the Audit Service on these devices by updating the Windows Registry, as described subsequently in Enabling the Audit Service on Clients.
Once Groove users and devices have been added to a Groove Manager domain, and domain members log in and receive the audit policy, Groove activities will be logged and dispatched to SQL databases where you can view them. The Microsoft Office Groove Audit Service will be running on Groove clients and GrooveAuditService.exe will appear in the Windows Task Manager.
To view and utilize the audited data, you will need to use external SQL reporting tools, as described below, in Interpreting Groove Audit Data and Creating Reports.
For Separate Manager and Audit Front Ends
The recommended Groove Auditing setup is to install an administrative Groove Manager on one IIS front-end server and an Audit-enabled Groove Manager on a separate IIS front-end server, allowing the Manager to run with minimal impact from audit operations. These front ends may share a SQL server back end, but supporting each dedicated front end with a separate, dedicated SQL back end is recommended whenever possible.
The procedure below explains how to configure one server (GrooveManager) to run Groove Manager with its built-in administrative UI, relay synchronization, and optional directory integration, and a second server (GrooveAudit) to run Groove Manager as an Audit server. The recommended configuration for the stand-alone Audit server is to disable the administrative UI, relay synchronization, and optional directory synchronization. Preventing access to the UI helps isolate the audit server from unauthorized administrator contact and further secures the auditing environment. Disabling synchronization avoids problems that can arise when cooperating servers attempt to connect across firewalls. However, these adjustments involve editing the SQL database and IIS settings, and should only be attempted by knowledgeable administrators, familiar with these environments.
Caution: Auditing Groove events can have a substantial impact on system resources, including bandwidth usage and disk storage on clients and servers. Therefore, set the policy to enable auditing only if required by your software management infrastructure and reduce the impact of Audit operations on other Groove Manager activities by installing Groove Audit on a separate, dedicated IIS front-end, with a separate, dedicated SQL back-end.
To install and enable Groove client auditing on a dedicated server at your site:
1. Ensure that your IIS and SQL and client systems meet Groove Audit requirements, as summarized previously, in Groove Audit Requirements. Note that this and related procedures should be executed only by experienced SQL administrators.
2. On the Groove Manager IIS machine, install Groove Manager 2007 SP1.
3. Upgrade your Groove 2007 client systems to SP1.
4. Run the Groove Server Manager setup.exe and follow the Setup wizard instructions. If a Groove Manager has already been set up at your site, the Groove Manager server information fields will already contain the required information.
5. When the Installation Options window appears, do not select the option to Install Groove Server Manager with Groove Auditing.
6. Follow the Install wizard to the final window and click Finish. The Groove Manager administrative Web site opens.
7. On the Groove Audit IIS machine, install Groove Manager 2007 with the latest Service Pack.
8. Run the Groove Server Manager setup.exe, and follow the Setup wizard instructions to configure the Groove Manager. Since a Groove Manager has already been set up at your site, the Groove Manager server information fields will already contain the required information.
9. Click Next.
10. When the Installation Options window appears, select Install Groove Server Manager with Groove Auditing. Selecting this option displays additional fields for configuring Groove client auditing.
11. When the Groove Audit Server Configuration page appears, enter the required information, as described in the following table:
Groove Manager Audit Configuration Fields | Explanations
Use the following SQL Server Login | Select this check box to specify native SQL server authentication. If you leave this option cleared, current login credentials will be used for authentication.
User Name | Enabled only if ‘Use the following SQL Server Login’ is selected. Type your login information for the SQL server to be used for Groove auditing information. Note: Make sure that the login gives you database sysadmin rights.
Password | Enabled only if ‘Use the following SQL Server Login’ is selected.
Database Information
SQL Server Name | Type the host name or Internet Protocol (IP) address of the SQL server to be used for Groove auditing information.
Database Name | Type the SQL database name for the Groove Auditing service, such as auditDB. The Installer creates this database, where the Groove Audit service will store collected Groove client audit logs.
12. Follow the Install wizard to the final window and click Finish.
13. To help secure your system, block access to the Groove Server Manager UI on the audit server machine by navigating to the GMS folder in IIS, opening the Properties window, and disabling all authentication for the GMS folder.
14. To disable relay and optional directory server synchronization which are not required for Audit and can disrupt Groove management operations, verify that the SQL gmsDB database is set correctly, as follows (providing that you have the required expertise for editing SQL tables):
a. On the SQL server where the gmsDB database resides, start SQL Server Management Studio (or equivalent), expand the gmsDB database, and open the GmsServers table.
b. Confirm that settings are as shown in the following table:
ComputerName | EnableDirectorySynchronization | EnableRelayServerSynchronization | IsAuditServer
<GrooveManager> | 1 | 1 | 0
<GrooveAudit> | 0 | 0 | 1
where 0 = False, 1 = True, and GrooveManager and GrooveAudit = your server names
c. Edit the values if necessary to match the recommended settings.
d. If you edited values, restart IIS on each of the associated Groove Manager and Groove Audit front ends.
15. If Groove users do not have administrative control over their devices, enable the Audit Service on these devices by updating the Windows Registry, as described subsequently in Enabling the Audit Service on Groove Clients.
16. Enable Groove auditing from the Groove Manager administrative Web site, by navigating to a Device Policy template, opening the Audit Policies tab, and entering the URL of your intended Audit server (for example, http://grooveAudit.contoso.com).
17. From the Audit Policies page, enter the audit log upload interval, then select the client, workspace, and tool events that you want to audit. You can set any other audit policies as needed, then save your changes. For more details about audit policy settings, see the section below, Adjusting Audit Policies.
Caution: Enabling the option, ‘Audit the contents of files added to tools’, will have an exceptionally high impact on system resources, including bandwidth usage and disk storage on clients and servers. Do not enable this audit option unless you have a strong business need to do so and then only if you have evaluated and prepared for its likely impact on your system.
18. If you want to limit Groove tool usage to only those tools which can be audited, go to the Client tab of the policy template and select the Device Policy that blocks use of non-auditable Groove tools. For details about this policy, see the section below, Blocking Use of Non-Auditable Groove Tools.
Once Groove users and devices have been added to a Groove Manager domain, and domain members log in and receive the audit policy, Groove activities will be logged and dispatched to SQL databases where you can view them. The Microsoft Office Groove Audit Service will be running on Groove clients and GrooveAuditService.exe will appear in the Windows Task Manager.
To view and utilize the audited data, you will need to use external SQL reporting tools, as described in Interpreting Audit Data and Creating Reports.
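The GmsServers verification in step 12 of the shared-server procedure and step 14 of the dedicated-server procedure can be done with a read-only query instead of opening the table by hand. The following is an added example, not part of the Groove documentation; it assumes the table is reachable as dbo.GmsServers in gmsDB and that the three flag columns hold 0/1 values.

```sql
-- Added example (not from the Groove documentation).
-- Read-only check of GmsServers against the recommended settings.
-- Assumptions: schema dbo, flag columns store 0 (False) or 1 (True).
USE gmsDB;
GO

SELECT
    ComputerName,
    EnableDirectorySynchronization,
    EnableRelayServerSynchronization,
    IsAuditServer,
    CASE
        -- Dedicated Audit front end: both synchronization flags off.
        WHEN IsAuditServer = 1
         AND EnableDirectorySynchronization = 0
         AND EnableRelayServerSynchronization = 0
            THEN 'Dedicated Audit front end: matches recommended values'
        -- Shared Manager/Audit front end: all three flags on.
        WHEN IsAuditServer = 1
         AND EnableDirectorySynchronization = 1
         AND EnableRelayServerSynchronization = 1
            THEN 'Shared Manager and Audit front end: matches recommended values'
        -- Administrative Manager in the two-server layout.
        WHEN IsAuditServer = 0
         AND EnableDirectorySynchronization = 1
         AND EnableRelayServerSynchronization = 1
            THEN 'Administrative Manager front end: matches recommended values'
        -- Anything else (mixed flags or NULLs) needs a manual look.
        ELSE 'REVIEW: does not match a recommended configuration'
    END AS Assessment
FROM dbo.GmsServers
ORDER BY IsAuditServer DESC, ComputerName;

-- Auditing cannot work if no row is flagged as the Audit server.
IF NOT EXISTS (SELECT 1 FROM dbo.GmsServers WHERE IsAuditServer = 1)
    PRINT 'No server in GmsServers is flagged as the Audit server.';
GO
```

The query changes nothing; any row marked REVIEW still has to be edited and the IIS front ends restarted as the procedures describe.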
Adjusting Audit Policies
Audit policies apply to the optional Groove Audit feature, available with onsite Groove Server Manager (not available with Groove Enterprise Services). By default all audit settings are disabled. You can adjust these settings at any time.
The following table describes Groove device Audit policy settings for Groove Server Manager 2007:
Device Audit Policy Settings | Descriptions
Audit Server Policies
Audit Server URL | Specifies the Groove Manager server URL where the Groove Audit feature is enabled (for example, http://groove.contoso.com). Once you specify the URL of a Manager server where Audit has been installed and specify when and what auditing should take place, you enable Groove Auditing.
Upload audit logs every __ minutes/hours/days | Specifies the number of minutes, hours, and days in the log upload interval. At this interval, a Groove client's audit logs will be uploaded to the Groove Audit application. To minimize user disruption, uploads may occur slightly before or after the specified period, depending on user activity and idleness.
Disable Groove if auditing fails | Specifies that Microsoft Office Groove will stop functioning if auditing fails on managed devices in the domain group.
Groove Client Events
Audit all client events | Specifies whether client auditing captures all Groove account events, including instant messages and workspace invitations, login and logoff events, account creation, and contact list events.
If you want to audit a subset of Groove account events, select which type of events will be captured in client auditing. Note that some events - such as account creation and deletion, and logon failures - are always audited when auditing is enabled.
    Audit instant messages and invitations
    Audit login and logoff events
    Audit contact events
Audit workspace events | Specifies whether client auditing captures Groove workspace events, including the following:
    Member events (added, suspended, or deleted Groove workspace members)
    Role events (changes to workspace member permission)
Tool Events
Audit events that occur in the following Groove tools | Specifies that client auditing captures events associated with selected Groove tools, including the following:
    Chat
    Discussion
    Document Review
    Files (including adding, editing, deleting, renaming, or moving a file)
    Forms Tool
    Groove File Sharing
    InfoPath Tool
Audit the contents of files added to tools | Specifies that audit events include the contents of files added to Groove tools.
Caution: This feature causes all versions of all files added to audited workspaces to be sent to the audit server. Therefore, enabling it can have an exceptionally high impact on system resources, including bandwidth usage and disk storage on clients and servers. Do not enable this audit option unless you have a strong business need to do so and then only if you have evaluated and prepared for its likely impact on your system. Furthermore, be aware that you will need a content extraction utility (such as textcopy.exe, available with SQL 2000) in order to view readable file content.
Blocking Use of Non-Auditable Tools
In environments of tight security, you may want to audit any tools added to Groove workspaces. You can accomplish this by setting a policy that prohibits the use of Groove tools that cannot be audited. The following table lists non-audited and audited tools for Groove Server Manager 2007.
Non-auditable tools include:
    Calendar
    Meeting
    Notepad
    Pictures
    Sketchpad
Auditable tools include:
    Chat
    Discussion
    Document Review
    Files (including adding, editing, deleting, renaming, or moving a file)
    Forms Tool
    Groove File Sharing
    InfoPath Tool
    SharePoint Mobile Workspaces
To prohibit the use of non-auditable tools in Groove workspaces:
1. Start the Groove Manager administrative interface on the administrative Groove Server Manager.
2. Open a Device Policy template.
3. Click the Client tab.
4. Select the policy, Prohibit non-Auditable tools.
5. Save your changes.
Enabling the Audit Service on Groove Clients
The Groove Audit Service, required for Groove Audit, is enabled in the Windows operating system (OS) of Groove client devices. By default, this service is turned off and set to Manual startup in Groove. However, when the Groove Audit feature is running in environments where Office workers have administrative control of their machines, Groove turns the Audit Service on for devices subject to auditing.
If Office workers at your organization do not have administrative privileges on their devices, Groove cannot turn on the client Audit Service silently. The Audit Service can be turned on only by someone with administrative permissions. To automate this process, you can utilize the Office Customization Tool to configure an .msp file with a registry update that will set the Audit Service to Automatic startup on client devices in the Windows domain. The Windows registry update is as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GrooveAuditService]
"Start"=dword:00000002
Enabling and Disabling Groove Auditing
Once the Groove Audit server and Audit service have been installed and configured on Groove Server and Groove clients, you can set Groove Manager device policies to enable Groove client event auditing for groups of users in your domain.
You can disable auditing for groups of users by editing the Device Audit policy for templates associated with those users, so that the policy no longer points to a URL for the audit machine. Groove Audit cannot be uninstalled from a Groove Server Manager. However, you can disable auditing by editing the Device Audit policy for all templates so that it no longer points to a URL for the audit machine, preventing Audit from running. For a more permanent removal, you can consider uninstalling the Groove Server Manager front end, and reinstalling it without Audit, then deleting the Audit databases from the SQL back end.
Note: The Groove Audit feature cannot be added to a Manager server that was installed without it. To apply auditing to the same Groove Manager server, Groove Server Manager must be re-installed with the Audit feature enabled.
Enabling Auditing
To enable Groove auditing:
1. Make sure that Groove Server Manager with the Groove Audit feature is installed at your site, and that the Groove Audit Service is active on Groove client devices, as described in the section above, Installing and Configuring Groove Audit.
2. Go to the Groove Manager administrative Web site and navigate to the Device Policy template assigned to the user group that you want to audit.
3. Click the Audit Policies tab.
4. Enter information as follows:
a. In the Audit server URL field, enter the URL for your Groove Audit server (for example, http://grooveaudit.contoso.com).
b. Enter the Upload Audit logs interval.
c. For added security, you can select the option, Disable Groove if auditing fails.
d. In the Groove Client Events section of the page, select the user account and workspace events that you want to audit. Selecting Audit workspace events includes auditing of workspace member and role-related events. Selecting no events indicates no auditing of Groove client events for users assigned to this device policy template.
e. In the Tool Events section of the page, select the tool events that you want to audit.
f. If you want to audit the contents of files added to Groove, select the option to Audit the contents of files added to tools.
g. Caution: If you enable this option, all versions of all files added to workspaces of members affected by this policy will be sent to the audit server. If files are numerous or large, file auditing can notably tax the audit server and occupy considerable storage space on the SQL server. Furthermore, be aware that you will need a content extraction utility (such as textcopy.exe, available with SQL 2000) in order to view readable file content.
h. Repeat this procedure for other Device Policy templates as needed.
Disabling Auditing
To disable Groove auditing for users affected by a specific template:
1. Go to the Groove Manager administrative Web site and navigate to the Device Policy template assigned to the user group that you do not want to audit.
2. Click the Audit Policies tab.
3. Delete the URL from the Audit server URL field.
4. Save your changes.
5. Repeat this procedure for other Device Policy templates as needed.
Interpreting Audit Data and Creating Reports
Audited Groove client data stored in SQL tables must be interpreted to be understood and useful to an administrator. Typically, with basic knowledge of SQL databases and language, you can create SQL queries that will filter audited data for desired information. You can then create report templates, using SQL-compatible reporting tools, to output the returned data into meaningful information.
The following section provides background for understanding the Groove Audit data and the relationships among data tables. You can use this information to create customized Groove audit reports using SQL-compatible reporting tools.
Interpreting Audit Data
Groove client auditing data, generated via the optional Groove Audit feature of Groove Server Manager, is initially encrypted and stored on the client. Once the client reports the data, Groove Audit decrypts and parses the data into relational database tables in a SQL directory.
Each audited client instance of an event is reported separately, even when the same event affects multiple clients. So, for example, when a file is added to a workspace with three audited members, the event generates three duplicate entries in the database, one for each client.
Tables that contain data most useful to Groove administrators include:
    audit_LogEntryProperties
    audit_LogEntryAttributes
    audit_SecurityEventLog
Groove Audit provides two Views, associated with two of these tables. You can use the provided Views as a starting point for generating your own SQL Views from the audit server tables. The two provided Views are:
    Auditv_EventProperties
    Auditv_EventAttributes
The following figures show examples of Properties, Attributes, and EventLog table data:
Sample Audit_LogEntryProperties Data in EventProperties View
Sample Audit_LogEntryAttributes Data in EventAttributes View
Sample Audit_SecurityEventLog Data
The following table describes the most useful SQL tables of Groove Audit data.
Groove Audit SQL Tables
Groove Audit Data | SQL Table Name | Description
Event data | audit_LogEntryProperties | Contains high-level event descriptions that refer to key attributes. Attribute details can be obtained from the audit_LogEntryAttributes table. For example, if the Properties table shows a File Added event, the Attributes table will show which client device added the file to which workspace.
    Device GUID
    Date parsed
    Account GUID
    Event Category
    Event date/time (GMT)
    Identity Name
    Identity URL
    Event sequence Number
    Event Type
  One table entry is associated with each device GUID/Sequence Number pair (sequence numbers are unique to each Groove device).
 | audit_EventCatagoryReadableNames | Maps Event Category value in LogEntryProperties table to readable name. *
 | audit_EventTypeReadableNames | Maps Event Type value in LogEntryProperties table to readable name. *
Event attribute data | audit_LogEntryAttributes | Contains event attribute details, per Groove client. Each attribute name is preceded by an underscore, and is relatively short (to conserve space).
 | audit_AttributeReadableNames | Maps attrib_name value in LogEntryAttributes table to readable name. *
Session data | audit_LogSessionProperties | Contains session data, including:
    Device GUID
    Time that session started
    Hostname of devices
    Logged-in (OS) user
Device data | audit_Devices | Contains current device-based data, including:
    Device GUID
    Last time log data was received
    Last sequence number received for a device.
File contents | audit_FileStorage | Contains contents of all audited file events (when the file content auditing policy is enabled). Long files are ‘chunked’ and stored temporarily in the chunk_DataStorage table. When a long file is completely re-assembled, it is stored in the audit_FileStorage table and a value of ‘1’ appears in the status column for that file.
  Files of the same content are identified by a single hash, regardless of the file name.
  Note: The File Data column of the FileStorage table contains all the binary contents of files, so avoid using this column in SQL queries.
Errors | Audit_SecurityEventLog | Lists error-related events.
 | audit_ErrorCodeReadableNames | Maps Reason in Security EventLog to readable error code string. *
* See detail tables below for Audit_Category, Type, Attribute, and ErrorReadableNames. Note that this information is subject to change.
Audit_EventCategoryReadableNames Table
Event Category Readable Name
1 Account
2 Files Tool
3 Discussion Tool
4 Chat
5 Document Review Tool
6 InstantMessaging
7 Invitation
8 Misc
9 Groove File System (GFS)
10 Dynamics
11 Forms Run Time
13 Forms Design Time
14 Telespace
15 Info Path Run Time
16 Info Path Design Time
17 Share Point
Audit_EventTypeReadableNames Table
Event Type Readable Name
100 Misc Generic String
101 Misc New File Content
200 Account Created
201 Account Marked As Deleted
202 Account Deleted
203 Account Log On
204 Account Log Off
205 Account Bad Password
206 Account Lock Out
300 File Added
301 File Deleted
302 File Modified
303 File Renamed
304 File Moved
305 File Read
400 Folder Added
401 Folder Deleted
402 Folder Renamed
403 Folder Moved
500 Discussion Entry Added
501 Discussion Entry Modified
502 Discussion Entry Deleted
600 Chat Text Added
601 Chat Undo Text Added
602 Chat Transcript Cleared
603 Chat Undo Transcript Cleared
700 Document Review Started
701 Document Review Reviewer Added
702 Document Review Comment Added
703 Document Review Comment Deleted
704 Document Review Comment Modified
705 Document Review Status Changed
706 Document Review Document Added
707 Document Review Document Deleted
708 Document Review Document Modified
709 Document Review Folder Added
710 Document Review Folder Deleted
800 IM Received
801 IM Opened
802 IM Sent
803 IM Replied To
804 IM Forwarded
805 IM Deleted
900 Invitation Sent
901 Invitation Received
902 Invitation Opened
903 Accept Invitation Sent
904 Decline Invitation Sent
905 Accept Invitation Received
906 Decline Invitation Received
907 Telespace Sent
908 Telespace Received
909 Invitation Saved
910 Invitation Deleted
911 Invitation Response Deleted
912 IM Integrator Invitation Sent
913 On Ramp Invitation Sent
914 On Ramp Data Imported
1000 Contact Added
1001 Contact Modified
1002 Contact Deleted
1100 Dynamics Do
1101 Dynamics Redo
1102 Dynamics Roll Forward
1200 Forms Runtime Add Record
1201 Forms Runtime Delete Record
1203 Forms Runtime Replace Record
1204 Forms Runtime Set Field
1205 Forms Runtime Import Record
1300 Forms Runtime Add Designer Provided Info
1400 Forms Design Time Add Design
1401 Forms Design Time Delete Design
1402 Forms Design Time Update Design
1500 Forms Design Time Add Record
1501 Forms Design Time Delete Record
1503 Forms Design Time Replace Record
1504 Forms Design Time Set Field
1505 Forms Design Time Import Record
1506 Forms Design Time Save To Groove
1600 Telespace Add Member
1601 Telespace Add Device
1602 Telespace Remove Member
1603 Telespace Remove Device
1604 Telespace Remove All Devices
1605 Telespace Change Member Role
1700 Telespace Add Permission
1701 Telespace Remove Permission
1702 Telespace Change Member Role
1800 SharePoint Synchronization Start
1801 SharePoint Synchronization End
1802 SharePoint Baton Request
1803 SharePoint Baton Response
Audit_AttributeReadableNames Table
Attrib_name Error Code
_dt Date Time
_k Key
_u User Name
_dg DeviceGUID
_err Error
_iv IV
_mac MAC
_body Body
_q Sequence Number
_c CategoryID
_t TypeID
_ag AccountGUID
_iu Identity URL
_in Identity Full Name
_sn Telespace Display Name
_su TelespaceURL
_tn Tool Display Name
_tu ToolURL
_cn Creator Contact Display Name
_cu Creator Contact URL
_cdg Creator Device GUID
_bf0 Binary File Name
_bf1 Binary File Name
_h Hostname
_ha0 Binary File Hash
_ha1 Binary File Hash
_d Delta ID
_zu Sender URL
_zn Sender Name
_ru Recipient URL
_rn Recipient Names
_vm Has Voice Memo
_bd Body
_ro Role
_rc Requires Confirmation
_sip Saved Invitation Pathname
_rd Raw Delta
Audit_ErrorCodeReadableNames
ErrorCode Error String
1 Decryption failed.
2 Signature verification failed.
3 Lock on key mismatch. Device already registered.
4 Device registered, but key failed to decrypt.
5 Multipart upload failed because of missing parts.
6 Decryption/verification of uploaded binary file failed.
7 Log state indicates that client abnormally terminated. Unless severe log errors are encountered, log will be stored.
8 Problems determining the consistent state of the log.
9 The log has missing sequences.
10 Problems parsing/storing log into database.
11 The digest that was computed did not match the digest that was transmitted from the client.
Removing User Data
A stored procedure in the Audit database allows you to clear the database of all user data. If you must remove all user data from the database (to regain storage space, for example), you can back up your data, then use the procedure helper_ClearDatabase. Note that once you run this procedure, a one-time-per-audited-user error appears in the SecurityEventLog table as a result of the missing sequence numbers associated with the deleted users.
Caution: Use the helper command with care on the auditDB database only. If you inadvertently run this procedure in the gmsDB database, you risk losing all your user data and destroying your entire installation. Be sure to back up your data before running the procedure.
Creating SQL Queries
The simplest approach to utilizing Groove Audit data is to employ SQL queries that filter the data for specific information. The examples below provide models for creating and invoking three common SQL queries:
    Search for a specific string in audited Groove instant messages
    Search for the Files tool activities of a specific audited Groove user
    Search for a specific audited file
Caution: Because the File Data column of the audit_FileStorage table contains all the binary contents of files, avoid referencing this column in SQL queries.
Search IMs for a String Using SearchIMs
The following procedure searches the audit database for all instances of audited Groove instant message traffic (sent and received) that contain a specified string.
To create and invoke a procedure that searches audited Groove IMs for a string, follow these steps:
1. Create a stored procedure, entitled SearchIMs, using the following model:
CREATE PROCEDURE [dbo].[SearchIMs]
@keyword nvarchar(32) = NULL
AS
BEGIN
declare @LikeExpression nvarchar(34)
set @LikeExpression = '%' + @keyword + '%'
SET NOCOUNT ON;
SELECT audit_LogEntryProperties.attr_datetime AS [Date / Time], audit_LogEntryProperties.attr_identity_name AS Person,
audit_EventTypeReadableNames.ReadableName AS Action, audit_AttributeReadableNames.ReadableValue AS AttributeName,
audit_LogEntryAttributes.attrib_value AS AttributeValue
FROM audit_LogEntryProperties INNER JOIN
audit_EventTypeReadableNames ON audit_LogEntryProperties.attr_event_type = audit_EventTypeReadableNames.EventType INNER JOIN
audit_LogEntryAttributes ON audit_LogEntryProperties.DeviceGuid = audit_LogEntryAttributes.DeviceGuid AND
audit_LogEntryProperties.attr_seq_number = audit_LogEntryAttributes.SequenceNumber INNER JOIN
audit_AttributeReadableNames ON audit_LogEntryAttributes.attrib_name = audit_AttributeReadableNames.AttributeName
WHERE (audit_LogEntryProperties.attr_event_catagory = '6')
and audit_LogEntryAttributes.attrib_value like @LikeExpression
ORDER BY audit_LogEntryProperties.attr_datetime, audit_LogEntryProperties.DeviceGuid, audit_LogEntryProperties.attr_seq_number
END
GO
2. Enter the following command line to invoke the SearchIMs procedure to search IMs that contain the string ‘contoso2’:
Exec SearchIMs 'contoso2'
This query returns all IMs containing the specified string, with the results sorted in reverse chronological order.
Search for File Information Associated with User via SearchUser
The following procedure returns workspace and Files tool activity for an audited user whose name matches a specified string.
To create and invoke a procedure to search for a specific audited Groove user, follow these steps:
1. Create a stored procedure, entitled SearchUser, using the following model:
CREATE PROCEDURE [dbo].[SearchUser]
@UserName nvarchar(32) = NULL
AS
BEGIN
declare @LikeExpression nvarchar(34)
set @LikeExpression = '%' + @UserName + '%'
select audit_LogEntryProperties.attr_datetime AS [Date / Time], audit_LogEntryAttributes.attrib_name, audit_LogEntryProperties.attr_identity_name AS Person,
audit_EventTypeReadableNames.ReadableName AS Action, audit_AttributeReadableNames.ReadableValue AS AttributeName,
audit_LogEntryAttributes.attrib_value AS AttributeValue
FROM audit_LogEntryProperties INNER JOIN
audit_EventTypeReadableNames ON audit_LogEntryProperties.attr_event_type = audit_EventTypeReadableNames.EventType INNER JOIN
audit_LogEntryAttributes ON audit_LogEntryProperties.DeviceGuid = audit_LogEntryAttributes.DeviceGuid AND
audit_LogEntryProperties.attr_seq_number = audit_LogEntryAttributes.SequenceNumber INNER JOIN
audit_AttributeReadableNames ON audit_LogEntryAttributes.attrib_name = audit_AttributeReadableNames.AttributeName
WHERE (audit_LogEntryProperties.attr_event_catagory = '2')
and audit_LogEntryProperties.attr_event_type = '300'
and (audit_LogEntryAttributes.attrib_name like '_bf%'
or audit_LogEntryAttributes.attrib_name like '_ha%'
or audit_LogEntryAttributes.attrib_name = '_sn'
or audit_LogEntryAttributes.attrib_name = '_tn')
and audit_LogEntryProperties.attr_identity_name like @LikeExpression
order by audit_LogEntryProperties.attr_datetime desc, audit_LogEntryAttributes.attrib_name desc
END
GO
2. Enter the following command line to invoke the SearchUser procedure to search the Groove Audit database for a user named ‘steve’:
Exec SearchUser 'steve'
This query returns all Files tool activity for all users whose full name contains the string ‘steve’, including the hash of any audited files associated with the user. Results are returned in reverse chronological order.
Search for a File Using SearchFile
If the Groove Manager Audit policy, ‘Audit the contents of files added to tools’, is enabled at your site, you can use the following procedure to return the binary contents of a specific audited file. First, obtain the hash for the file associated with the audited user who generated the file event, as described previously in Search for File Information Associated with User via SearchUser. Then access the binary file content, using the following sample query as a model.
To create and invoke a procedure that searches the Groove Audit database for the binary contents of a specific file, follow these steps:
1. Create a stored procedure, entitled SearchFile, using the following model:
CREATE PROCEDURE [dbo].[SearchFile]
@Hash nvarchar(1282)
AS
BEGIN
select FileData from audit_fileStorage
where Hash = @Hash and status = 1
END
GO
2. Enter the following command line to invoke the SearchFile procedure to search the Groove Audit database for the file with the HASH, ‘KAAA…’:
Exec SearchFile 'KAAAAAAAAAAEAAAAUwBIAEEAMQAUAAAAJAwr5MaJEAdPQfHHuWx/8X3Itns='
This query returns the binary file contents of the file. See the next section, Extracting File Content, for information about extracting the contents to a readable file.
Extracting File Content
If the Groove Manager Audit policy, ‘Audit the contents of files added to tools’, is enabled and you want to see the contents of an audited file, you need a SQL-compatible utility that extracts the binary contents into a readable file. Once you have located the binary file content in the SQL database tables, as described previously in Search for File Information Associated with User via SearchUser, you can extract the content from the table and reconstitute it into readable format using an additional utility, such as textcopy.exe, available with SQL 2000. The following example outlines the procedure using textcopy.exe.
To copy the binary contents of an auditable file from a column in the SQL database table into a readable file using textcopy.exe, follow this procedure:
1. Locate the file content in the SQL database tables, as described previously in Search for File Information Associated with User via SearchUser.
2. From the SQL server that supports your Groove Audit installation, locate textcopy.exe (available with SQL 2000).
3. Open a command window and navigate to the directory containing the standard SQL Server .exe files. The following table shows default locations, depending on SQL version:
SQL Server version    Default Directory
SQL Server 6.5        C:\Mssql\Binn for SQL Server 6.5
SQL Server 7.0        C:\Mssql7\Binn for SQL Server 7.0
4. Use textcopy.exe to extract content from an audited file as described in the subsequent steps. You can display a generic version of these instructions from a command prompt, by typing: textcopy /?
Textcopy copies a single text or image value into or out of SQL Server. The value is a specified text or image 'column' of a single row (specified by the "where clause") of the specified 'table'. If the direction is IN (/I), the data from the specified 'file' is copied into SQL Server, replacing the existing text or image value. If the direction is OUT (/O), as in this example, the text or image value is copied from SQL Server into the specified 'file', replacing any existing file. Textcopy has the following format and parameters:
TEXTCOPY [/S [sqlserver]] [/U [login]] [/P [password]]
[/D [database]] [/T table] [/C column] [/W"where clause"]
[/F file] [{/I | /O}] [/K chunksize] [/Z] [/?]
Parameter         Value
/S sqlserver      The SQL Server to connect to. If 'sqlserver' is not specified, the local SQL Server is used.
/U login          The login to connect with. If 'login' is not specified, a trusted connection will be used.
/P password       The password for 'login'. If 'password' is not specified, a NULL password will be used.
/D database       The database that contains the table with the text or image data. If 'database' is not specified, the default database of 'login' is used.
/T table          The table that contains the text or image value.
/C column         The text or image column of 'table'.
/W where clause   A complete where clause (including the WHERE keyword) that specifies a single row of 'table'.
/F file           The file name.
/I                Copy text or image value into SQL Server from 'file'.
/O                Copy text or image value out of SQL Server into 'file'.
/K chunksize      Size of the data transfer buffer in bytes. Minimum value is 1024 bytes, default value is 4096 bytes.
/Z                Display debug information while running.
/?                Display this usage information and exit.
5. Create a stored procedure comparable to the following:
Note: You will be prompted for any required parameters that you do not specify.
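CREATE PROCEDURE sp_textcopy (
@srvname varchar (30),
@login varchar (30),
@password varchar (30),
@dbname varchar (30),
@tbname varchar (30),
@colname varchar (30),
@filename varchar (30),
-- Wide enough to hold a WHERE clause that contains a full hash value
-- (a shorter parameter would silently truncate it).
@whereclause varchar (255),
@direction char(1))
AS
-- Build the textcopy command line from the parameters.
DECLARE @exec_str nvarchar (1000)
SELECT @exec_str =
'textcopy /S ' + @srvname +
' /U ' + @login +
' /P ' + @password +
' /D ' + @dbname +
' /T ' + @tbname +
' /C ' + @colname +
' /W "' + @whereclause +
'" /F ' + @filename +
' /' + @direction
-- Run the command on the SQL Server host. The parameters are concatenated
-- unchecked, so grant EXECUTE on this procedure only to trusted administrators.
EXEC master..xp_cmdshell @exec_str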
6. Extract the proc.doc file from the SQL auditDB database, located in the FileData column of the audit_FileStorage table, writing the file c:\proc.doc, where hash=N’KAAAAAAAAAAEAAAAUwBIAEEAMQAUAAAAJAwr5MaJEAdPQfHHuWx/8X3Itns=’ as follows:
Note: The hash column in the audit_FileStorage table is an nvarchar data type, so you must include ‘N’ when specifying the hash string.
Exec sp_textcopy @srvname = 'ServerName',
@login = 'Login',
@password = 'Password',
@dbname = 'auditDB',
@tbname = 'audit_FileStorage',
@colname = 'FileData',
@filename = 'c:\proc.doc',
@whereclause = ' WHERE hash=N''KAAAAAAAAAAEAAAAUwBIAEEAMQAUAAAAJAwr5MaJEAdPQfHHuWx/8X3Itns=''',
@direction = 'O'
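A narrower alternative to the generic wrapper in step 5, added here as an example and not part of the original guide: it fixes the table and column, accepts only a hash and a simple output path, and omits /S, /U and /P so that textcopy uses the local server over a trusted connection. The procedure name usp_ExtractAuditFile is hypothetical, and the example assumes that hash values are base64 text like the sample value above and that the account xp_cmdshell runs under can read the audit database.

```sql
-- Added example, not from the original guide. usp_ExtractAuditFile is a
-- hypothetical name; table and column names are the ones used in step 6.
CREATE PROCEDURE dbo.usp_ExtractAuditFile (
    @dbname   sysname,         -- database that holds audit_FileStorage
    @hash     nvarchar(255),   -- hash value returned by SearchUser
    @filename nvarchar(128))   -- output path on the SQL Server host
AS
BEGIN
    SET NOCOUNT ON
    DECLARE @exec_str nvarchar(1000)

    -- The database must exist and have a plain name, because the name
    -- is placed on a command line.
    IF @dbname IS NULL OR DB_ID(@dbname) IS NULL
       OR @dbname COLLATE Latin1_General_BIN LIKE N'%[^A-Za-z0-9_]%'
    BEGIN
        RAISERROR('Unknown or unsupported database name.', 16, 1)
        RETURN 1
    END

    -- Assumption: hashes are base64 text. Reject any character outside
    -- that alphabet, which excludes quotes and shell metacharacters.
    IF @hash IS NULL OR @hash = N''
       OR @hash COLLATE Latin1_General_BIN LIKE N'%[^A-Za-z0-9+/=]%'
    BEGIN
        RAISERROR('Hash must contain only base64 characters.', 16, 1)
        RETURN 1
    END

    -- Accept only drive-letter paths made of letters, digits, ':', '\',
    -- '.' and '_' (no spaces, quotes, or shell metacharacters).
    IF @filename IS NULL
       OR @filename COLLATE Latin1_General_BIN NOT LIKE N'[A-Za-z]:\%'
       OR @filename COLLATE Latin1_General_BIN LIKE N'%[^A-Za-z0-9:\._]%'
    BEGIN
        RAISERROR('Output path contains unsupported characters.', 16, 1)
        RETURN 1
    END

    -- No /S, /U or /P: local server, trusted connection, no password
    -- on the command line. Direction is fixed to OUT (/O).
    SET @exec_str = N'textcopy /D ' + @dbname
        + N' /T audit_FileStorage /C FileData'
        + N' /W "WHERE hash=N''' + @hash + N'''"'
        + N' /F ' + @filename + N' /O'
    EXEC master..xp_cmdshell @exec_str
END
GO
```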
Creating Reports
To view Groove Audit reports, you must create report templates using external SQL reporting tools. For example, Microsoft Reporting Services 2005 and ProClarity Desktop Professional provide reporting and analytics capabilities, respectively. Or you may have preferred tools with which you are familiar. Once you have set Groove Policies that specify what events to audit and created SQL queries to access the desired data, you can express that data in reports using the dashboard and analytics reporting tools of your choice.
Additional Resources
Getting Started with Groove Server Manager at:
http://go.microsoft.com/fwlink/?LinkId=104239
Enabling Groove Client Auditing at:
http://go.microsoft.com/fwlink/?LinkId=104242
Viewing Groove Domain Reports at:
http://go.microsoft.com/fwlink/?LinkId=104240