Creating a database view for Microsoft SharePoint

Microsoft SharePoint uses SQL Server Management Studio (SSMS) to manage the SharePoint SQL databases. To collect audit event data, you must create a database view on your Microsoft SharePoint server that is accessible to IBM® QRadar®.

Before you begin

Do not use a period (.) in the name of your view, or in any of the table names. If you use a period in your view or table name, JDBC cannot access the data within the view and access is denied. Anything after a (.) is treated as a child object.


  1. Log in to the system that hosts your Microsoft SharePoint SQL database.
  2. From the Start menu, select Run.
  3. Type the following command:


  4. Click OK.

    The Microsoft SQL Server 2008 displays the Connect to Server window.

  5. Log in to your Microsoft SharePoint database.
  6. Click Connect.
  7. From the Object Explorer for your SharePoint database, click Databases > WSS_Logging > Views.
  8. From the navigation menu, click New Query.
  9. In the Query pane, type the following Transact-SQL statement to create the AuditEvent database view:
    create view dbo.AuditEvent as select a.siteID
    ,a.ItemId ,a.ItemType ,u.tp_Title as "User" ,a.MachineName ,a.MachineIp ,a.DocLocation ,a.LocationType ,a.Occurred as "EventTime" ,a.Event as "EventID" ,a.EventName ,a.EventSource ,a.SourceName ,a.EventData
    from WSS_Content.dbo.AuditData a, WSS_Content.dbo.UserInfo u where a.UserId = u.tp_ID and a.SiteId = u.tp_SiteID;
  10. From the Query pane, right-click and select Execute.

    If the view is created, the following message is displayed in the results pane:

    Command(s) completed successfully.

    The dbo.AuditEvent view is created. You are now ready to configure the log source in QRadar to poll the view for audit events.