I love that line from Bart Simpson. I use it frequently when someone asks me if I did something. Of course, I know better than to assert they can’t prove anything, because with auditing in Exchange turned on, they very well may be able to prove everything. So… I guess I had better behave myself! In our next set of Exchange-focused posts, we’re going to look at auditing.

There are two types of auditing available in Exchange.

  • Administrator audit logging records any action, based on an Exchange Management Shell cmdlet, performed by an administrator. This can help you troubleshoot configuration issues or identify the cause of security-related or compliance-related problems.
  • Mailbox audit logging records whenever a mailbox is accessed by someone other than the person who owns the mailbox. This can help you determine who has accessed a mailbox and what they’ve done.

Administrator audit logging can tell you what admins did. It’s useful when trying to troubleshoot issues, to confirm change control processes, or to figure out who did what, to whom, and when. Mailbox audit logging is great for troubleshooting issues with individual mailboxes, or to ensure that no one is going somewhere they should not when it comes to key individuals’ mailboxes. In part one, we’re going to look at admin auditing.

Turning it on

Before you can use auditing, you have to turn it on. Since it can generate a significant amount of data, there’s no point in having it on unless you are actually going to use it, so the default in on-prem is that this is turned off. You can check the status in the EMS by running this command.

Get-AdminAuditLogConfig | FL AdminAuditLogEnabled

And you can enable it in the EMS by running this command.

Set-AdminAuditLogConfig -AdminAuditLogEnabled $True

Not that you should, but you can also disable it by running this command.

Set-AdminAuditLogConfig -AdminAuditLogEnabled $False

(But seriously, don’t do that!)

Viewing the logs

With admin auditing enabled, you can now review the logs for any actions taken by an admin. There are a few things to note, though. First, it can take up to 15 minutes for an action to appear in the log, so don’t expect to use this for real-time debugging. This is an audit log, not an activity monitor.

Second, you can view the log in the EAC, but it may be more efficient to both narrow your search and to export the contents using the EMS. Third, it only audits changes, so you won’t see any Get-* commands or searches that an admin executed. The mindset is that if there was no change, then there’s nothing to see here. Move along! Finally, the default time to retain logs is 90 days. If you need more than that, you must set it when you enable auditing, using the -AdminAuditLogAgeLimit parameter (dd:hh:mm:ss). Just remember, the longer you hold the audit logs, the more disk space they will consume. If you set the age limit to 0, you are effectively wiping the logs.

In the EAC, if you want to view the admin audit log, go through these steps:

  1. Launch the EAC.
  2. Click on Compliance management.
  3. Click on Auditing.
  4. Click Run the admin audit log report.
  5. Choose a Start date and End date.
  6. Then choose Search.

This will return all the changes made during the specified time. You can sort them by date, cmdlet, or the user who executed the change. Yes, things that are done in the EAC execute PowerShell on the backend, so it won’t matter whether the admin likes the GUI or the shell…it all gets logged as long as it makes a change.

Picking a specific search result will show you more detail, including

    • Object modified – The object that was modified by the cmdlet.
    • Parameters (Parameter:Value) – The cmdlet parameters that were used, and any value specified with the parameter.

You can print a specific audit log entry by choosing the Print button in the details pane.

Dumping the logs

You can also dump the admin audit logs for the historical record, evidence, etc. Here’s how:

  1. Launch the EAC.
  2. Select Compliance management.
  3. Select Auditing.
  4. Click Export the administrator audit log.
  5. Select a date range using the Start date and End date fields.
  6. In the Send the auditing report to field, click Select users and then select the recipient you want to send the report to, presumably yourself.
  7. Click Export.

An XML file will be created and sent as an email attachment to you. Just remember, OWA blocks XML by default, so either change that, or use Outlook to open the XML file.
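As an added example (not from the original post), this flattens an exported report into one row per change so it can be sorted or filtered. It assumes the export uses a SearchResults root with Event elements carrying Caller, Cmdlet, ObjectModified, RunDate and Succeeded attributes and CmdletParameters/Parameter children; the function name, the file path in the comment and the sample XML are constructed for illustration.

```powershell
# Added example: turn an exported admin audit log (XML) into objects.
# Assumed layout: /SearchResults/Event with CmdletParameters/Parameter children.
function ConvertFrom-AdminAuditExport {
    param([Parameter(Mandatory = $true)][xml]$Document)

    foreach ($e in $Document.SelectNodes('/SearchResults/Event')) {
        # Rebuild the parameter list as "-Name Value" pairs for readability.
        $paramText = foreach ($p in $e.SelectNodes('CmdletParameters/Parameter')) {
            '-{0} {1}' -f $p.GetAttribute('Name'), $p.GetAttribute('Value')
        }
        [pscustomobject]@{
            # XmlConvert parses the ISO 8601 timestamp independent of locale.
            RunDate        = [System.Xml.XmlConvert]::ToDateTimeOffset($e.GetAttribute('RunDate'))
            Caller         = $e.GetAttribute('Caller')
            Cmdlet         = $e.GetAttribute('Cmdlet')
            ObjectModified = $e.GetAttribute('ObjectModified')
            Succeeded      = $e.GetAttribute('Succeeded') -eq 'true'
            Parameters     = $paramText -join ' '
        }
    }
}

# Constructed sample export (not real log data).
$xmlText = @'
<?xml version="1.0" encoding="utf-8"?>
<SearchResults>
  <Event Caller="example.com/Users/joe" Cmdlet="Set-Mailbox" ObjectModified="example.com/Users/Casper" RunDate="2015-09-01T10:00:00-07:00" Succeeded="true" Error="None">
    <CmdletParameters>
      <Parameter Name="Identity" Value="Casper" />
      <Parameter Name="ProhibitSendQuota" Value="10GB" />
    </CmdletParameters>
  </Event>
</SearchResults>
'@

ConvertFrom-AdminAuditExport -Document $xmlText |
    Sort-Object RunDate |
    Format-Table RunDate, Caller, Cmdlet, ObjectModified, Succeeded, Parameters -AutoSize

# For a saved attachment (hypothetical path):
# ConvertFrom-AdminAuditExport -Document (Get-Content -Raw 'C:\Temp\audit-export.xml')
```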

Searching the logs

If you want to search the logs, the EMS is the way to go. The Search-AdminAuditLog cmdlet has a pretty decent set of switches to help you parse the log for exactly what you need, including date ranges, specific cmdlets, specific parameters, admin users in question, target objects in question, and even if the changes attempted were successful or not.

Here’s an example cmdlet that will look for any changes in the past year to Casper’s mailbox:

Search-AdminAuditLog -StartDate 09/06/2014 -EndDate 9/06/2015 -ObjectID example.com/Users/Casper

A related cmdlet, New-AdminAuditLogSearch, can be used to search and email the results to yourself or another recipient. The -StatusMailRecipients parameter specifies the SMTP address to which Exchange sends the report, and the -Name parameter specifies the report name.

Here is how I would send myself a report for changes made by Joe in the past month:

New-AdminAuditLogSearch -StartDate 08/06/2015 -EndDate 9/06/2015 -UserIds joe -StatusMailRecipients casper@example.com -Name "Joe's changes"
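The post notes that auditing can be switched off and that an age limit of 0 wipes the logs, so changes to the audit configuration itself are worth reviewing. As an added example (not from the original post), the function below flags those changes in Search-AdminAuditLog results; the function names and the sample entries are constructed for illustration.

```powershell
# Added example. Entries are shaped like Search-AdminAuditLog output:
# RunDate, Caller, CmdletName, Succeeded, CmdletParameters (Name/Value pairs).
function Find-AuditConfigChange {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Entry
    )
    process {
        if ($Entry.CmdletName -ne 'Set-AdminAuditLogConfig') { return }
        foreach ($p in $Entry.CmdletParameters) {
            $reason = $null
            if ($p.Name -eq 'AdminAuditLogEnabled' -and "$($p.Value)" -match '^\$?false$') {
                $reason = 'Admin audit logging disabled'
            }
            elseif ($p.Name -eq 'AdminAuditLogAgeLimit') {
                $reason = "Retention set to $($p.Value)"
            }
            if ($reason) {
                [pscustomobject]@{
                    RunDate   = $Entry.RunDate
                    Caller    = $Entry.Caller
                    Reason    = $reason
                    Succeeded = $Entry.Succeeded
                }
            }
        }
    }
}

# Constructed sample entries (not real log data).
function New-SampleEntry($Date, $Caller, $Cmdlet, $Name, $Value) {
    [pscustomobject]@{
        RunDate = [datetime]$Date; Caller = $Caller; CmdletName = $Cmdlet; Succeeded = $true
        CmdletParameters = @([pscustomobject]@{ Name = $Name; Value = $Value })
    }
}
$sample = @(
    New-SampleEntry '2015-09-01 10:00' 'example.com/Users/joe' 'Set-Mailbox' 'Identity' 'Casper'
    New-SampleEntry '2015-09-02 23:10' 'example.com/Users/joe' 'Set-AdminAuditLogConfig' 'AdminAuditLogEnabled' 'False'
    New-SampleEntry '2015-09-02 23:11' 'example.com/Users/joe' 'Set-AdminAuditLogConfig' 'AdminAuditLogAgeLimit' '00:00:00'
)
$sample | Find-AuditConfigChange | Format-Table -AutoSize

# Against a live log (run in the EMS):
# Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -StartDate 08/06/2015 -EndDate 9/06/2015 |
#     Find-AuditConfigChange
```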

Commenting the logs

You can execute the Write-AdminAuditLog cmdlet to enter a comment to the log. An example would be:

Write-AdminAuditLog -Comment "Starting monthly maintenance work."

This places a marker in the log ahead of the series of commands you are about to enter, providing some context to anyone reviewing the logs later.

Admin audit logging is a great way to track what is going on in your Exchange environment. Just remember to turn it on before you think you are going to need it, since it cannot go back in time to report on things that happened before you started logging.

Be sure to check back soon, when we will cover part two of our mini-series about Auditing in Exchange which will tackle Mailbox Auditing.