Monday, 28 June 2010 16:08

Exchange 2010 Administrator Audit Logging


Microsoft has introduced a new feature called Administrator Audit Logging in Exchange 2010. You can use administrator audit logging to record when a user or an administrator runs a cmdlet. This helps you track which changes were made and who made them. Cmdlets are logged whether they are run directly in the Exchange Management Shell (EMS), triggered by an action in the Exchange Management Console (EMC), or performed through Exchange web management, because regardless of where the action is performed, it runs cmdlets in the background.

Get cmdlets are not logged, and if an operation fails with an error it may not be logged either. The log entries are stored in a mailbox, so the log can be accessed from anywhere and does not require access to a log file path on the server.

Do you know the list of cmdlets in Exchange 2010? If not, refer to Exchange 2010 Cmdlets.

Administrator Audit Logging:

By default Administrator Audit Logging is disabled, and no commands are logged until you enable it. You can use the Get-AdminAuditLogConfig cmdlet to see the current configuration, as shown below.

Cmdlet: Get-AdminAuditLogConfig

[Screenshot: initial-adminlogging]

When you configure Administrator Audit Logging you need to specify a mailbox where you want the logs to be stored. If audit logging is enabled, a log entry is created whenever a cmdlet other than a Get cmdlet is run. If you don't want all cmdlets to be logged, you also have the option to specify which cmdlets and parameters should be logged. You use the Set-AdminAuditLogConfig cmdlet for this.

Criteria for an Audit Log Entry:

When a cmdlet is run, Exchange checks whether the cmdlet matches any of the cmdlets specified in the AdminAuditLogCmdlets parameter. If it does, Exchange then checks whether the parameters used match any of those specified in the AdminAuditLogParameters parameter. If at least one parameter matches, Exchange logs the command that was run in the mailbox specified by the AdminAuditLogMailbox parameter.

When you configure the audit log settings, you can either log all cmdlets or specify a list of cmdlets and their parameters to be logged. Audit logs are stored in the mailbox set with the AdminAuditLogMailbox parameter, which should be accessible only to a restricted group of administrators; you can see why, since it records every change made in the organization and who made it.

  • Specify the cmdlets to be audited
  • Specify the parameters to be audited
  • Specify the auditing mailbox
  • Enable administrator audit logging

How to Set cmdlets and parameters for Administrator Audit Logging:

Here let us take an example of logging all the mailbox-related cmdlets and parameters.

Run the cmdlet below to enable audit logging for all cmdlets whose name contains "mailbox".

cmdlet: Set-AdminAuditLogConfig -AdminAuditLogCmdlets *mailbox*

Now, if required, you can configure which parameters are logged when those mailbox cmdlets run. The command below sets any parameter whose name ends with "Name" to be tracked.

cmdlet: Set-AdminAuditLogConfig -AdminAuditLogParameters "*Name"

The section above explained how to specify the cmdlets and parameters to be logged. As mentioned earlier, if the cmdlet matches and one or more of its parameters match, a log entry is generated and stored in the mailbox, so now we have to set the mailbox in which the logs are stored.

How to configure the Administrator Audit Log Mailbox:

You can use the same Set-AdminAuditLogConfig cmdlet to set the mailbox where you want the log entries stored, as shown below.

cmdlet: Set-AdminAuditLogConfig -AdminAuditLogMailbox <audit log mailbox address>

[Screenshot: mailbox-auditLog]

This now leaves us to enable Administrator Audit Logging.

How to Enable Administrator Audit Logging:

Let us now get into the configuration part of Administrator Audit Logging. As discussed earlier, audit logging is not enabled by default and we have to use the Set-AdminAuditLogConfig cmdlet to enable it.

cmdlet: Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -TestCmdletLoggingEnabled $true

[Screenshot: Enabled-AdminLogging]

You can see the Administrator Audit Logging settings are now enabled; we are all set for audit logging.
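Before trusting the filters, it helps to check which commands they will actually catch. The script below is an added example, not part of the original post: it re-implements the audit-entry criteria described above (cmdlet filter first, then parameter filter, Get cmdlets never logged) as a PowerShell function and runs it against a constructed config object that mirrors the filters set in this post; in a real Exchange Management Shell, replace the constructed object with the output of Get-AdminAuditLogConfig.

```powershell
# Constructed stand-in for Get-AdminAuditLogConfig output (same filters as this post).
# In EMS use instead:  $cfg = Get-AdminAuditLogConfig
$cfg = [PSCustomObject]@{
    AdminAuditLogEnabled    = $true
    AdminAuditLogCmdlets    = @('*mailbox*')
    AdminAuditLogParameters = @('*Name')
    AdminAuditLogMailbox    = '<audit log mailbox address>'   # placeholder
}

function Test-WouldBeAudited {
    # Hypothetical helper: predicts whether a cmdlet invocation would produce
    # an audit entry under the given Administrator Audit Logging configuration.
    param(
        [Parameter(Mandatory=$true)] [string]   $Cmdlet,
        [Parameter(Mandatory=$true)] [string[]] $Parameters,
        [Parameter(Mandatory=$true)] $Config
    )

    # Nothing is written while audit logging is disabled.
    if (-not $Config.AdminAuditLogEnabled) { return $false }

    # Get cmdlets are never logged, whatever the filters say.
    if ($Cmdlet -like 'Get-*') { return $false }

    # Step 1: the cmdlet name must match at least one AdminAuditLogCmdlets entry.
    # -like is case-insensitive and supports the same '*' wildcard the parameter accepts.
    $cmdletMatch = $Config.AdminAuditLogCmdlets | Where-Object { $Cmdlet -like $_ }
    if (-not $cmdletMatch) { return $false }

    # Step 2: at least one parameter used in the call must match AdminAuditLogParameters.
    foreach ($p in $Parameters) {
        foreach ($filter in $Config.AdminAuditLogParameters) {
            if ($p -like $filter) { return $true }
        }
    }
    return $false
}

# Cases exercised: the post's own Set-Mailbox test (a parameter ending in "Name"),
# a Set-Mailbox call with no matching parameter, a Get cmdlet, and a non-mailbox cmdlet.
$cases = @(
    @{ Cmdlet = 'Set-Mailbox';         Parameters = 'Identity', 'DisplayName' },
    @{ Cmdlet = 'Set-Mailbox';         Parameters = 'Identity', 'ProhibitSendQuota' },
    @{ Cmdlet = 'Get-Mailbox';         Parameters = 'Identity' },
    @{ Cmdlet = 'Set-TransportConfig'; Parameters = 'MaxSendSize' }
)
foreach ($c in $cases) {
    $audited = Test-WouldBeAudited -Cmdlet $c.Cmdlet -Parameters $c.Parameters -Config $cfg
    "{0} ({1}) audited: {2}" -f $c.Cmdlet, ($c.Parameters -join ','), $audited
}
```

Running the same check against a live Get-AdminAuditLogConfig object shows whether a given administrative change would leave an entry in the audit mailbox before anyone relies on it during an investigation.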

Verify the configuration:

Let us now test by running a Set cmdlet.

Cmdlet: Set-Mailbox -Identity Praveen -DisplayName "Exchange Dictionary"

[Screenshot: AdminLogging-Testing]

Scan your AdminAuditLogMailbox (<audit log mailbox address>) and look at the log details; you will have an email that shows the Set-Mailbox log details.

[Screenshot: Log-In-Mailbox-Set_mailbox]

This might already be enabled in your organization too, so be sure before executing any cmdlets against your Exchange Server 2010 organization. Also, because the Administrator Audit logs are stored in a mailbox, they can be accessed from anywhere.

-Praveen
