Welcome to part two in our series on auditing in Exchange. If you will recall from part one of this series, there are two types of auditing available in Exchange.
- Administrator audit logging records any action, based on an Exchange Management Shell cmdlet, performed by an administrator. This can help you troubleshoot configuration issues or identify the cause of security-related or compliance-related problems.
- Mailbox audit logging records whenever a mailbox is accessed by someone other than the person who owns the mailbox. This can help you determine who has accessed a mailbox and what they’ve done.
Administrator audit logging can tell you what admins did. It’s useful when trying to troubleshoot issues, to confirm change control processes, or to figure out who did what to whom and when.
Mailbox audit logging is great for troubleshooting issues with individual mailboxes, or to ensure that no one is going somewhere they should not when it comes to key individuals’ mailboxes. In part two, we’re going to look at mailbox auditing.
Turning it on
Just as with admin audit logging, before you can use mailbox auditing, you have to turn it on. Mailbox audit logging can generate even more data than admin auditing, so consider disk space and whether you want to use this to try to track all activity, or just turn it on for troubleshooting, and then turn it off when you have resolved whatever issue you are working on. Since you turn it on per mailbox, you could leave it on for ‘critical’ mailboxes if necessary. That may be a good compromise on disk space used.
The mailbox audit logs are stored in the mailbox itself, in the recoverable items folder in a sub folder called Audit. This keeps the logs with the mailbox so that if you move the mailbox, the logs go with it. Since you set mailbox auditing per mailbox, you use the Set-Mailbox cmdlet to enable or disable it, and Get-Mailbox to check status.
You can check on the status of mailbox auditing using this command.
Get-Mailbox firstname.lastname@example.org | FL *audit*
And you can enable it in the EMS by running this command.
Set-Mailbox email@example.com -AuditEnabled $True
To disable it, run
Set-Mailbox firstname.lastname@example.org -AuditEnabled $False
Don’t forget to do that if you are only enabling auditing for troubleshooting purposes.
Configuring mailbox auditing
Mailbox auditing can target three different types of access; owner, delegate, and administrator. Use owner auditing to troubleshoot all owner actions. Use delegate auditing to record delegate actions, and administrator auditing to log admin actions on a mailbox. Use these switches to specify which level of auditing you want to enable
- Audit Admin
You can also configure what actions you wish to audit. This table, from https://technet.microsoft.com/en-us/library/ff459237(v=exchg.150).aspx, shows what can be audited and at which object.
An item is copied to another
An item is created in the mailbox. (For
A mailbox folder is accessed.
An item is deleted permanently from the
An item is accessed in the
An item is moved to another folder.
An item is moved to the
A message is sent using Send As
A message is sent using Send
An item is deleted from the Deleted
An item’s properties are
* Audited by default if auditing is enabled for a mailbox.
** Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of 24 hours.
*** Audited by default if auditing and owner auditing are enabled for a mailbox.
Here are the specific actions and results you will see in the logs.
One of the following actions:
One of the following results:
Logon type of the user who
Destination folder GUID for move
Destination folder path for
Details that identify which client or
Client computer IP address.
Client computer name.
Name of the client
Client application version.
Logon type of the user who
Mailbox owner user principal name
Mailbox owner security
Destination mailbox owner UPN, logged
Destination mailbox owner
Destination mailbox owner GUID.
Information about whether the
Display name of user who is logged on.
Delegate user display name.
SID of user who is logged on.
ItemID of mailbox items on
Source folder GUID.
Mailbox user resolved name in the
Time when the operation was
Audit log entry ID.
You may have a legitimate reason not to audit certain accounts, especially those used by automated processes or as proxies for the mailbox owner, like besadmin. To do that, you can use the Set-MailboxAuditBypassAssociation cmdlet. Here is an example of how to disable it for a specific account.
Set-MailboxAuditBypassAssociation -Identity "besadmin" -AuditBypassEnabled $true
And here is an example of how to reenable it, in case you need to troubleshoot something.
Set-MailboxAuditBypassAssociation -Identity "besadmin" -AuditBypassEnabled $false
Searching the logs
You can search a single mailbox’s logs or across many mailboxes. To search a single mailbox log, use the Search-MailboxAuditLog cmdlet. Here is an example.
Search-MailboxAuditLog -Mailboxes jdoe,cmanes -LogonTypes Admin,Delegate -StartDate 9/1/2015 -EndDate 9/15/2015 -ResultSize unlimited
Here is a table from https://technet.microsoft.com/en-us/library/ff522360(v=exchg.150).aspx that lists all the possible search parameters.
This parameter is available only in on-premises Exchange 2013.
The DomainController parameter specifies the fully qualified
Use the short
The ExternalAccess parameter returns only mailbox audit log
The LogonTypes parameter specifies the type of logons. Valid
The Operations parameter filters the search results by the
You can enter multiple values separated by commas.
The ResultSize parameter specifies the maximum number of mailbox
You can’t use
The StartDate parameter specifies the start date of the date
Use the short date format defined in the Regional Options settings
Mailbox audit logging is a great way to track what is going on in mailboxes which may contain sensitive data or are owned by critical users. You can also use it to troubleshoot issues. Whether you use the EMS or EAC, mailbox audit data is available to admins.Launch the EAC.To search multiple mailbox audit logs, you can use the New-MailboxAuditLogSearch cmdlet, but you might prefer to use the EAC. Here is how to do so.
- Click on Compliance management.
- Click on Auditing.
- In Export Mailbox Audit Logs, configure the relevant fields for your search.
- Click Export.
Mailbox audit logging is a great way to track what is going on in mailboxes which may contain sensitive data or are owned by critical users. You can also use it to troubleshoot issues. Whether you use the EMS or EAC, mailbox audit data is available to admins.