Gets data, in XML markup, that is specific to the type of event identified in the Event property.
Assembly: Microsoft.SharePoint (in Microsoft.SharePoint.dll)
For custom events that you create, you can use any XML schema. (Or you can use an undefined XML format.) For more information about the event data of custom events, refer to WriteAuditEvent. The data for custom events must not exceed 4000 characters. (Some system events produce more than 4000 characters of event data.)
Some of the built-in events in SharePoint Foundation put data into the EventData property as shown in the following table. The ToString method wraps the value of this property in <EventData></EventData> tags. If the data is logically divisible, it has internal XML markup as well. If the data consists of a single data point (as is the case, for example, with the Copy event), it generally does not have internal XML markup. However, if the same type of data appears as part of complex data in another event's EventData, it has the same XML markup even when it is the sole data point. For example, part of the ChildMove event data is marked with <NewName>, so this same markup appears on the data for the Move event even though the new name is the sole data point.
For built-in events not listed here, EventData is a null reference (Nothing in Visual Basic) and is not included in the string returned by ToString. Line breaks have been added for readability. The actual value of the property has no line breaks or white space.
Type of Event
Example of EventData Property Value
Description of Value
The audit flags are changed for the audited object.
The new audit mask.
A child of the audited object is deleted.
The GUID of the child that is deleted, its relationship to the audited object, the pre-deletion URL of the child item, and the location type (which is always 0 in SharePoint Foundation).
A child of the audited object is moved.
The GUID of the item that is moved, the URL to which it is moved, and the moved item's relationship to the audited object.
A document is checked in.
The new version of the document.
The audited item is copied.
The URL of the target copy.
The audited object is deleted.
The version that was deleted and whether it is moved to the Recycle Bin (1) or is deleted completely (0).
Some audit entries are deleted from the SharePoint database.
The date and time before which all entries were deleted, and the number of deleted entries.
The audited object is moved.
The new relative URL for the file.
The audited object is searched.
The search term and the object that is searched.
A group is created for the site collection. (This action also generates an Update event. See below.)
The name of the new group, its ID number, and the ID of the first user that created the group.
A group on the site collection is deleted.
The ID number of the group.
A user is added to a group.
The ID of the group and the user that was added.
A user is removed from a group.
Same as SecGroupMemberAdd above.
The ID of the group and the ID of the user that was deleted.
A subsite's inheritance of permission level definitions (that is, role definitions) is severed.
The URL and GUID of the subsite.
A subsite is set to inherit permission level definitions (that is, role definitions) from its parent.
Same as SecRoleBindBreakInherit.
Same as SecRoleBindBreakInherit.
The permissions of a user or group for the audited object are changed.
The ID of the permission level (a combination of permissions that are given to people holding a particular role for the site collection), the ID of the user or group (the "principal"), and the GUID of the audited object.
A new permission level (a combination of permissions that are given to people holding a particular role for the site collection) is created.
The name and ID of the new permission level, and a numerical code for the combination of permissions.
A permission level (a combination of permissions that are given to people holding a particular role for the site collection) is deleted.
The ID of the permission level.
A permission level (a combination of permissions that are given to people holding a particular role for the site collection) is modified.
The name and ID of the changed permission level, and a numerical code for the new combination of permissions.
An existing object is updated.
The name of the item.
A new item is added to a list.
Same as CheckIn events.
The version of the document.
A new group is added to the list of all groups for the site collection. (See also SecGroupCreate.)
The ID of the group affected ("11" in this example).
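The value shapes described above (null, a bare single data point, sibling elements with no root, and custom data in an undefined format) mean that audit-review tooling cannot hand EventData straight to an XML parser. The following Python sketch is an added example, not code from the SharePoint documentation; it classifies exported EventData strings, and the function names and sample values are assumptions (only <NewName> and the <EventData> wrapper come from this page).

```python
import xml.etree.ElementTree as ET

WRAP_OPEN, WRAP_CLOSE = "<EventData>", "</EventData>"

def _flatten(elem, prefix=""):
    """Map leaf elements to their text, keyed by path below the root."""
    out = {}
    for child in elem:
        key = prefix + child.tag
        if len(child):                       # has children: descend
            out.update(_flatten(child, key + "/"))
        else:
            out[key] = child.text or ""
    return out

def parse_event_data(value):
    """Classify one EventData value as ("none"|"text"|"xml"|"opaque", data)."""
    if value is None:                        # built-in event with no data
        return ("none", None)
    # ToString() output carries the wrapper; the raw property does not.
    if value.startswith(WRAP_OPEN) and value.endswith(WRAP_CLOSE):
        value = value[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    if value == "":
        return ("none", None)
    # Custom events may hold arbitrary text: never pass DTD or entity
    # declarations to the parser.
    upper = value.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        return ("opaque", value)
    try:
        # The raw value can be several sibling elements or bare text, so a
        # single root is supplied before parsing.
        root = ET.fromstring(WRAP_OPEN + value + WRAP_CLOSE)
    except ET.ParseError:
        return ("opaque", value)             # undefined (non-XML) custom format
    if len(root) == 0:
        return ("text", root.text or "")     # single data point, e.g. Copy
    return ("xml", _flatten(root))

# Constructed sample values. Only <NewName> is taken from the page; the
# Version/Major/Minor/Recycle element names are hypothetical.
SAMPLES = [
    None,
    "sites/team/Shared Documents/copy.docx",
    "<NewName>Shared Documents/renamed.docx</NewName>",
    "<Version><Major>2</Major><Minor>0</Minor></Version><Recycle>1</Recycle>",
    "user=alice note=a < b",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_event_data(sample))
```

Values classified as "opaque" are best kept verbatim and reviewed by hand, since custom events are not bound to any schema.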