Microsoft Exchange provides two types of audit logging:
- Administrator audit logging records any action, based on a Windows PowerShell cmdlet, performed by an administrator. This can help you troubleshoot configuration issues or identify the cause of security- or compliance-related problems.
- Mailbox audit logging records whenever a mailbox is accessed by someone other than the person who owns the mailbox. This can help you determine who has accessed a mailbox and what they have done.
Audit log keeps record of almost all Cmdlets (except Get-, Search- and Test- Cmdlets) that are either executed directly using Exchange Management Shell or using Exchange Management Console (EMC) or Exchange Web management interface.
You can search the administrator audit logs to discover who made changes to organization, server, and recipient configuration. This can be helpful when trying to track the cause of unexpected behavior, to identify a malicious administrator, or to verify that compliance requirements are being met.
In Exchange 2010 SP1 Administrator Audit Logging is enabled by default and keeps 90 days worth of entries. After 90 days, the audit log entry is deleted. You can change the audit log age limit using the -AdminAuditLogAgeLimit parameter with Set-AdminAuditLogConfig.
Caution: If you set the age limit to 0, Exchange deletes all the entries in the audit log.
Use the Get-AdminAuditLogConfig cmdlet to view the administrator audit logging configuration settings.
Click Start -> All Programs -> Microsoft Exchange Server 2010 -> Exchange Management Shell -> Get-AdminAuditLogConfig
If you found administrator audit logging is disabled (AdminAuditLogEnabled :False), then you can always enable it by applying following statement:
Admin logs can be retrieved using (a) Search-AdminAuditLog cmdlet, (b) New-AdminAuditLogSearch cmdlet and using (C) Exchange Control Panel (ECP) Auditing Reports page. You can't use the EMC to search for audit log entries.
When you run the Search-AdminAuditLog cmdlet, the audit log entries that match the search criteria that you specify are returned. Without any criteria Search-AdminAuditLog returns all Cmdlets entries. By default it returns 1,000 log entries. You can use ResultSize parameter to specify up to 250,000 log entries.
Click Start -> All Programs -> Microsoft Exchange Server 2010 -> Exchange Management Shell -> Search-AdminAuditLog
In above search result you can see user Farhan Kazi modified Internet Receive Connector on 3rd June 2013.
ObjectModified: This field contains the object that was modified by the cmdlet specified in the CmdletName field.
CmdletName: This field contains the name of the cmdlet that was run by the user in the Caller field.
ModifiedProperties: This field contains the properties that were modified on the object in the ObjectModified field.
Caller: This field contains the user account of the user who ran the cmdlet in the CmdletName field.
You can always filter display fields:
Search-AdminAuditLog |fl Caller, CmdletName, ObjectModified
We can specify different search criteria, like following:
Search-AdminAuditLog -Cmdlet Set-ReceiveConnector
Above statement will only query records that includes any modification to Receive Connector.
Search-AdminAuditLog -StartDate "06/03/2013 07:00" -EndDate "06/03/2013 16:00"
Above will search records with date criteria.
Search-AdminAuditLog -Cmdlet Set-ReceiveConnector -StartDate (Get-Date).AddDays(-3) -EndDate (Get-Date)
Above statement will display last 3 days records.
You can use |Out-File
Search-AdminAuditLog |Out-File C:\ExchAuditLog.txt
By default Out-File saves the data exactly the way that data appears in your Windows PowerShell console. That means that some of the data could end up truncated. To avoid that just include the -width parameter and specify a different line width (in characters) for the text file.
You can also use |Export-Csv cmdlet which makes it easy to export data as a comma-separated values (CSV) file.
Search-AdminAuditLog |Export-Csv C:\ExchAuditLog.csv
You can use New-AdminAuditLogSearch cmdlet to search for audit log entries that meet the criteria you specify, and then send those results to a recipient you specify as an XML file attachment. The results are sent to the recipient within 15 minutes.
After the New-AdminAuditLogSearch cmdlet is run, the report is delivered to the mailboxes you specify within 15 minutes. The log is included as an XML attachment on the report e-mail message. The maximum size of the log that can be generated is 10 MB.
New-AdminAuditLogSearch -Name "Receive Connector Audit" -Cmdlet Set-ReceiveConnector -StartDate "06/03/2013 07:00" -EndDate "06/03/2013 16:00" -StatusMailRecipients "firstname.lastname@example.org"
This example finds all the administrator audit log entries that match the above criteria and sends the results to specified email address.
Once the report has been received, we can save the attached XML file and open it up in an XML Editor. I chose to use XML Notepad (http://www.microsoft.com/en-au/download/details.aspx?id=7973)
You can also use the Exchange Control Panel (ECP) to export the administrator audit log. On the Auditing tab in the Exchange Control Panel, you can search for and export entries from the administrator audit log and the mailbox audit log.
- Log on to Outlook Web App.
- Click Options, and then click See All Options.
- In the drop-down list box next to Mail > Options, click My Organization from the Select what to manage list.
- Click Roles & Auditing from left side panel, and then click Auditing tab.
The report can take several minutes and even longer depending on how much of a time period we are searching through. Once the report has been received, we can save the attached XML file and open it up in an XML Editor.