Administrator Audit Logging:
By default, Administrator Audit Logging is disabled, and no commands are logged until you enable the setting. You can use the Get-AdminAuditLogConfig cmdlet to see the current configuration, shown below.
When you configure Administrator Audit Logging you need to specify a mailbox where you want the logs to be stored. Once audit logging is enabled, a log entry is created whenever a command is run, other than Get cmdlets. If you don't want every cmdlet to be logged, you also have the option to specify the cmdlets and parameters that need to be logged. You can use the Set-AdminAuditLogConfig cmdlet for this.
Criteria for an Audit Log Entry:
When a command is run, Exchange checks whether the cmdlet matches any of the cmdlets specified in the AdminAuditLogCmdlets parameter, and then whether its parameters match any of those specified in the AdminAuditLogParameters parameter. If at least one parameter matches, Exchange logs the command in the mailbox specified by the AdminAuditLogMailbox parameter.
When you configure the audit log settings, you can either log all commands or specify a list of cmdlets and their parameters to be logged. Audit logs are stored in the mailbox set with the AdminAuditLogMailbox parameter, which should be accessible only to a restricted group of administrators, since it holds a record of the commands administrators have run. The configuration consists of the following steps:
- Specify the cmdlets to be audited
- Specify the parameters to be audited
- Specify the auditing mailbox
- Enable administrator audit logging
How to Set cmdlets and parameters for Administrator Audit Logging:
Here let us take an example of logging all the Mailbox related cmdlets and parameters.
Run the cmdlet below to enable audit logging for all cmdlets whose names contain "mailbox".
cmdlet: Set-AdminAuditLogConfig -AdminAuditLogCmdlets "*mailbox*"
Now, if required, you can configure which parameters are logged when those cmdlets run. The command below sets any parameter whose name ends with "Name" to be tracked.
cmdlet: Set-AdminAuditLogConfig -AdminAuditLogParameters "*Name"
The section above explained how to specify the cmdlets and parameters to be logged. As mentioned earlier, if a command matches one or more of these parameters, a log entry is generated and stored in the mailbox, so the next step is to set the mailbox in which the logs are to be stored.
How to configure the Administrator Audit Log Mailbox:
You can use the same Set-AdminAuditLogConfig cmdlet, this time with the AdminAuditLogMailbox parameter, to set the mailbox where you want to store the log entries, shown below.
That leaves only enabling Administrator Audit Logging itself.
How to Enable Administrator Audit Logging:
Let us now get to the final configuration step. As discussed earlier, audit logging is not enabled by default, so we have to use the Set-AdminAuditLogConfig cmdlet to enable it.
cmdlet: Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -TestCmdletLoggingEnabled $true
The Administrator Audit Logging settings are now enabled, and we are all set for audit logging.
Verify the configuration:
Let us now test it by running a Set cmdlet.
cmdlet: Set-Mailbox -Identity Praveen -DisplayName "Exchange Dictionary"
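As an added example that is not part of the original post, here is the whole procedure above as a script: a check for gaps in the current settings, the configuration steps, and the verification. It assumes an Exchange Management Shell session on Exchange Server 2010; the mailbox name AuditLogs, the user Praveen from the test above, and the Search-AdminAuditLog cmdlet (available from Exchange 2010 SP1) are assumptions.

```powershell
# Added example, not from the original post: report gaps in the current
# Administrator Audit Logging settings, apply the configuration described
# above, then look for the entry the test Set-Mailbox should have produced.
# Assumptions: Exchange Management Shell on Exchange Server 2010; "AuditLogs"
# is a placeholder mailbox name; Search-AdminAuditLog needs 2010 SP1 or later.

function Test-AdminAuditLogGaps {
    # Returns a list of findings; an empty list means the settings look complete.
    $config = Get-AdminAuditLogConfig
    $findings = @()
    if (-not $config.AdminAuditLogEnabled) {
        $findings += 'Administrator audit logging is disabled; nothing is recorded.'
    }
    if (-not "$($config.AdminAuditLogMailbox)") {
        $findings += 'No audit log mailbox is set; entries have nowhere to be stored.'
    }
    # "*" means every cmdlet is audited; otherwise look for a mailbox pattern.
    $mailboxCmdlets = $config.AdminAuditLogCmdlets |
        Where-Object { $_ -eq '*' -or $_ -like '*mailbox*' }
    if (-not $mailboxCmdlets) {
        $findings += 'Mailbox cmdlets are not covered by AdminAuditLogCmdlets.'
    }
    return $findings
}

function Enable-MailboxCmdletAuditing {
    param([string]$AuditMailbox)   # restricted mailbox that receives the log entries
    # Log every cmdlet whose name contains "mailbox" and every parameter ending in "Name".
    Set-AdminAuditLogConfig -AdminAuditLogCmdlets '*mailbox*' -AdminAuditLogParameters '*Name'
    # Store the entries in the restricted mailbox, then switch logging on.
    Set-AdminAuditLogConfig -AdminAuditLogMailbox $AuditMailbox
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -TestCmdletLoggingEnabled $true
}

# Usage: report gaps, fix them, then confirm the DisplayName change was captured.
Test-AdminAuditLogGaps | ForEach-Object { Write-Warning $_ }
Enable-MailboxCmdletAuditing -AuditMailbox 'AuditLogs'
Set-Mailbox -Identity 'Praveen' -DisplayName 'Exchange Dictionary'
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters DisplayName -StartDate (Get-Date).AddMinutes(-5) |
    Select-Object RunDate, Caller, ObjectModified, CmdletName
```

Log entries are delivered to the mailbox asynchronously, so the final search may need to be repeated after a short wait.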
This might already be enabled in your organization as well, so be sure before executing any cmdlets against your Exchange Server 2010 organization. Also, because the Administrator Audit Logs are stored in a mailbox, they can be accessed from anywhere.