Monday, December 19, 2016

How to understand who deleted a SharePoint 2013 site

A very interesting task: how to find out who deleted a site/site collection in SharePoint 2013. A few days ago I was tasked to restore a site which had been deleted 1 or 2 days earlier. An easy task: I found the site among the deleted sites (Get-SPDeletedSite) and was able to restore it using Restore-SPDeletedSite. But the next day I received a request to restore the same site again; it had been deleted once more, and the output of Get-SPDeletedSite does not include information about who performed the deletion.
 
 
I decided that I had to find out who deleted the site. So I downloaded the IIS logs for the corresponding day (the SPDeletedSite object shows the date the site was deleted) and started analyzing them. But the logs are too big.
 
 
If you try to open them with Notepad or Notepad++, this is not going to work. So what is next? Fortunately there is LogParser. LogParser is the best IIS log analysis tool for every SharePoint administrator. So set aside enough time to play with LogParser, because it will definitely save you time and help you a lot in your day-to-day work, and of course you will impress your manager with the capabilities it offers.
 
Next I had to find out how the site had been deleted, so that I could build a LogParser query to run over the IIS log files. There are 2 different ways to delete a site:
  1. From the Site Collection settings menu (deleteweb.aspx) or
  2. from Central Administration (delsite.aspx)
Since I didn't know which way the site had been deleted, I built two LogParser queries:
  • LogParser.exe -i:W3C -o:W3C "select date,time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-username into 'C:\Tools\deletedSite.txt' from 'C:\Tools\u_ex*.log' where cs-uri-stem like '%delsite%'"
  • LogParser.exe -i:W3C -o:W3C "select date,time, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, cs-username into 'C:\Tools\deletedSite.txt' from 'C:\Tools\u_ex*.log' where cs-uri-stem like '%deleteweb%'"
In my case the site had been deleted from the Site Settings menu (deleteweb.aspx) and the result is as follows:
 
If you pay attention to the DeletionTime (from SPDeletedSite) and the date and time from the IIS logs, you will see that we have an exact match, and there are no other entries for deleteweb.aspx in the IIS logs. So this proves that this user deleted the site and that he/she deleted it from the Site Settings menu (because of the deleteweb.aspx).
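
The same correlation done in PowerShell, as an added example that is not from the original post: it streams the IIS logs, keeps only requests to deleteweb.aspx or delsite.aspx, and returns those within a few minutes of the deletion time. The function name, its parameters and the five-minute window are assumptions; IIS writes W3C log times in UTC by default, so the deletion time has to be passed in UTC.

```powershell
# Added example; function name, parameters and window size are hypothetical.
function Find-SiteDeletionRequest {
    param(
        [Parameter(Mandatory)][string]$LogPath,            # e.g. 'C:\Tools\u_ex*.log'
        [Parameter(Mandatory)][datetime]$DeletionTimeUtc,  # deletion time, already in UTC
        [int]$WindowMinutes = 5
    )
    $culture = [Globalization.CultureInfo]::InvariantCulture
    foreach ($file in Get-ChildItem -Path $LogPath -File) {
        $fields = @()
        # switch -File streams the log line by line, so file size does not matter.
        switch -Regex -File $file.FullName {
            # The #Fields directive names the columns; it can differ per server.
            '^#Fields: (.+)$' { $fields = $Matches[1].Trim() -split ' '; continue }
            '^#' { continue }
            '(?i)/(deleteweb|delsite)\.aspx' {
                $values = $_ -split ' '
                if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
                $row = @{}
                for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
                # The page name may also appear in the referer; test the URI stem only.
                if ($row['cs-uri-stem'] -notmatch '(?i)/(deleteweb|delsite)\.aspx$') { continue }
                $when = [datetime]::ParseExact("$($row['date']) $($row['time'])",
                    'yyyy-MM-dd HH:mm:ss', $culture)
                $offset = ($when - $DeletionTimeUtc).TotalSeconds
                if ([math]::Abs($offset) -gt $WindowMinutes * 60) { continue }
                [pscustomobject]@{
                    TimeUtc       = $when
                    OffsetSeconds = [int]$offset
                    # Assumption: POST is the form submit, GET only opens the page.
                    Method        = $row['cs-method']
                    UriStem       = $row['cs-uri-stem']
                    User          = $row['cs-username']
                    Server        = $row['s-computername']
                    LogFile       = $file.Name
                }
            }
        }
    }
}

# Constructed sample call (the timestamp is made up):
# Find-SiteDeletionRequest -LogPath 'C:\Tools\u_ex*.log' -DeletionTimeUtc '2016-12-15 09:41:07'
```

An empty User column means the request was logged without an authenticated user name, and a missing column means that field is not enabled in the site's IIS logging settings.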
 
Hope this will help someone; if so, share this post or comment on it.
 
And definitely this is the last post from me for this year.
 
Enjoy the holidays and see you next year 2017.
