This guide to Administrative Audit Logging in Exchange 2010 explains how to enable the feature, search the audit log, write custom entries to it, and export the results by email or from the Exchange Control Panel.

The Administrative Audit Logging feature is one of the great additions to Exchange 2010. A short time ago, I wrote about eDiscovery, which utilizes litigation hold. Administrative auditing is in a similar vein but, in my opinion, is geared more towards a change control mentality. This feature can be equally useful for small, single-administrator environments and for larger environments where several admins have their hands in the cookie jar.

Administrative Audit Logging takes advantage of the fact that all Exchange Management Console (EMC) activities actually run Exchange Management Shell (EMS) cmdlets in the background for you. Admin audit logging simply keeps a record of every cmdlet you run that creates, modifies, or removes an object in Exchange. Cmdlets beginning with Get- or Search- are not logged by default. Because the log is written by a cmdlet extension agent, it captures changes made through EMS, EMC, and ECP, but not changes made directly in Active Directory with other tools such as ADSI Edit; those bypass the audit log entirely.

How to enable Administrative Audit Logging

By default, the administrator audit agent is already running; however, to begin logging its activity, administrator audit logging needs to be enabled. This is done using the Set-AdminAuditLogConfig cmdlet. In SP1 and later, this writes administrator actions to an arbitration mailbox, which uses a disabled account. For those running RTM, you also need to run the cmdlet with the -AdminAuditLogMailbox parameter to specify the mailbox that receives the log entries.

SP1 and later:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

RTM (additionally):

Set-AdminAuditLogConfig -AdminAuditLogMailbox 'AuditLog@YourDomain.com'
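As an added example (not code from the original post), the following EMS snippet checks the current state before enabling logging, widens the configuration to log every cmdlet with all of its parameters, extends retention, and re-reads the configuration to confirm the change. It assumes Exchange 2010 SP1 or later and a shell session run by an account with the Organization Management role; the one-year age limit is an illustrative choice.

```powershell
# Added example, not part of the original post. Assumes Exchange 2010 SP1+ EMS.
# Check the current audit configuration, enable logging if it is off, and
# confirm the result by reading the configuration back.

$config = Get-AdminAuditLogConfig

if (-not $config.AdminAuditLogEnabled) {
    # Log every non-Get/Search cmdlet with all of its parameters and keep the
    # entries for a year (the default age limit is 90 days). The age limit is
    # an illustrative value in dd.hh:mm:ss form.
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
                            -AdminAuditLogCmdlets * `
                            -AdminAuditLogParameters * `
                            -AdminAuditLogAgeLimit '365.00:00:00'
}

# Re-read the configuration rather than trusting the local variable, so the
# output reflects what Exchange actually stored.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit
```

Restricting -AdminAuditLogCmdlets or -AdminAuditLogParameters to a shorter list reduces noise, but anything left off the list is simply not recorded, so treat the wildcard as the safe default and filter at search time instead.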

Enable Exchange 2010 Administrative Audit Logging

Search log

Viewing contents of the audit log in EMS is done using the Search-AdminAuditLog cmdlet.

To fine-tune the search, add the -Cmdlets parameter with a comma-separated list of the cmdlets of interest. RTM users should use the -AdminAuditLogCmdlets parameter with the list of cmdlets surrounded by single quotes.

For example, if I simply want to see which account ran the Mount-Database or Dismount-Database cmdlets, and when, I would run the following.

Search-AdminAuditLog -Cmdlets Mount-Database,Dismount-Database | Format-Table ObjectModified,Caller,Succeeded,Rundate

Search Exchange 2010 audit log

Let's say you wanted to search within a given time frame for the use of the New-Mailbox, Set-Mailbox, and Remove-Mailbox cmdlets. For the time constraints, add the -StartDate and -EndDate parameters. Again, the output is piped to Format-Table to format it.

Search-AdminAuditLog -StartDate '12/01/2011' -EndDate '02/02/2012' -Cmdlets New-Mailbox,Set-Mailbox,Remove-Mailbox | Format-Table RunDate,CmdletName
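The RunDate/CmdletName view above tells you that something happened, not what. The following is an added example (not code from the original post) that goes further: it reconstructs the full command line from the CmdletParameters collection of each entry, lists the old and new values recorded in ModifiedProperties, highlights failed attempts, and exports the whole set for review. It assumes Exchange 2010 SP1 EMS; the cmdlet list, the 30-day window, the ResultSize and the output path are illustrative choices.

```powershell
# Added example, not part of the original post. Assumes Exchange 2010 SP1 EMS.
# Reconstructs the command line of every mailbox change in the window, shows
# what each change modified, flags failed attempts, and exports the result.

$end   = Get-Date
$start = $end.AddDays(-30)

# The default ResultSize is 1000; raise it so a busy month is not silently truncated.
$entries = Search-AdminAuditLog -Cmdlets New-Mailbox,Set-Mailbox,Remove-Mailbox,Add-MailboxPermission `
                                -StartDate $start -EndDate $end -ResultSize 5000

$report = $entries | Select-Object RunDate, Caller, ObjectModified, Succeeded, Error,
    @{n='CommandLine'; e={
        # CmdletParameters is a collection of Name/Value pairs; join them back
        # into the command roughly as the caller typed it.
        $p = $_.CmdletParameters | ForEach-Object { '-{0} {1}' -f $_.Name, $_.Value }
        '{0} {1}' -f $_.CmdletName, ($p -join ' ')
    }},
    @{n='Changes'; e={
        # ModifiedProperties records the old and new value of each attribute touched.
        ($_.ModifiedProperties | ForEach-Object { '{0}: {1} -> {2}' -f $_.Name, $_.OldValue, $_.NewValue }) -join '; '
    }}

# Failed attempts are often the interesting ones: a caller trying to change
# something they are not permitted to touch.
$report | Where-Object { -not $_.Succeeded } |
    Format-Table RunDate, Caller, CommandLine, Error -AutoSize

# Illustrative output path; keep the CSV somewhere the audited admins cannot edit.
$report | Sort-Object RunDate | Export-Csv -Path 'C:\AuditReports\MailboxChanges.csv' -NoTypeInformation
```

Search-AdminAuditLog also accepts -UserIds to restrict results to particular callers, -ObjectIds to restrict them to particular mailboxes or objects, and -IsSuccess $false to return only failed attempts at search time rather than filtering afterwards.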


Write to audit log

It is also possible to write custom entries to the audit log, for example to record a change-ticket number alongside the changes it authorized. This is done using the Write-AdminAuditLog cmdlet with the -Comment parameter and your comment surrounded by single quotes. Reading those comments back is a little tricky: the comment is not exposed as a property of its own but is stored as the first entry of the CmdletParameters collection, so you have to index into that collection to get at it.

Write-AdminAuditLog -Comment 'Hello World.'


Search-AdminAuditLog -Cmdlets Write-AdminAuditLog | Select RunDate, @{n="Comment";e={$_.CmdletParameters[0].Value}}

Write to the Exchange 2010 audit log

Email search results

Results of a search can also be emailed by using the New-AdminAuditLogSearch cmdlet. The search runs in the background; its results are written to an XML file and delivered as an attachment to the email address you specify with -StatusMailRecipients. For example, if you wanted a report for a specific time span sent to Auditor@YourDomain.com, you would use the following EMS cmdlet and parameters.

New-AdminAuditLogSearch -StartDate '01/01/2012' -EndDate '02/01/2012' -StatusMailRecipients 'Auditor@YourDomain.com'

New-AdminAuditLogSearch also accepts -Cmdlets, -UserIds, and -ObjectIds, so the emailed report can be narrowed in the same way as an interactive Search-AdminAuditLog query.

Exchange Control Panel reports

In addition to generating a report from EMS, you can also use ECP to generate reports of the logged activity. Log on to ECP, select Manage My Organization, and then click Roles & Auditing. From there, click Export the administrator audit log. This emails the results as an XML attachment. Because OWA blocks .xml attachments by default, the Outlook Web App mailbox policy may need to be modified before the file can be opened in OWA.

Export the Administrator Audit Log

© 4sysops 2006 - 2022