- By default auditing is enabled in SharePoint. PB: I think this statement if false, all the farms I review are not logging information in the audit logs.
- Auditing is done at a Site Collection level.
- Audit logs are kept for 30 days by default and can be change via the UI in the site collection and the clean up is controlled by CA.
- Audit logs are stored within the content database, so watch the size of auditing logs. They can take up considerable space in the content database so don't just audit everything and keep the logs endlessly.
- Permissions changes, check-in/check-out, search queries, edits, document views (not SPO), ... can be audited.
- Various reports can be downloaded into excel for slice and dice such as the Security settings audit log report.
- Each logged event roughly takes up 2k. Calculating content database storage reqs:
LepideAuditor Suite – SharePoint