Details about Administrator Audit Logging in Exchange 2010
2011-08-11 Updated
2011-06-16 Initial post
Exchange Server 2010 SP1
When I checked the other week, I could not find any good documentation on the Administrator Audit Logging feature. I'm writing this post to share my research on this feature.
The Administrator Audit Logging setting applies to the entire Exchange org (there isn’t an option to specify anything more granular). You can specify certain cmdlet/parameter combinations or specific parameters to log. Since pretty much all Exchange admin tools utilize Exchange Management Shell (EMS)/PowerShell, even changes from Exchange Management Console (EMC) or Exchange Control Panel (ECP) will get logged. Only cmdlets that modify (Set, Add, Remove, etc.) objects are logged by default. And only changes made from Exchange 2010 management tools are logged. If you wrote something in VBS to make changes to a mailbox, for example, that would bypass EMS, so the changes wouldn’t be logged.
Below is the default logging configuration (in a fresh Exchange 2010 SP1 install), which you can get by running Get-AdminAuditLogConfig. The default is to log all cmdlets with all parameters and keep 90 days’ worth of entries.
RunspaceId : 3f887fe5-b3c2-462e-8852-0cd2393c0d08 AdminAuditLogEnabled : True TestCmdletLoggingEnabled : False AdminAuditLogCmdlets : {*} AdminAuditLogParameters : {*} AdminAuditLogExcludedCmdlets : {} AdminAuditLogAgeLimit : 90.00:00:00 AdminDisplayName : ExchangeVersion : 0.10 (14.0.100.0) Name : Admin Audit Log Settings DistinguishedName : CN=Admin Audit Log Settings,CN=Global Settings,CN=Company-Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company-ad,DC=sysadmin-e,DC=com Identity : Admin Audit Log Settings Guid : 915f4bc2-6ec9-4c36-aa63-fc2af9fc6738 ObjectCategory : company-ad.sysadmin-e.com/Configuration/Schema/ms-Exch-Admin-Audit-Log-Config ObjectClass : {top, msExchAdminAuditLogConfig} WhenChanged : 5/21/2011 7:08:01 PM WhenCreated : 5/18/2011 10:06:40 PM WhenChangedUTC : 5/21/2011 11:08:01 PM WhenCreatedUTC : 5/19/2011 2:06:40 AM OrganizationId : OriginatingServer : chh-dc-01.company-ad.sysadmin-e.com IsValid : True
Use Set-AdminAuditLogConfig to configure the admin audit log settings. Use Search-AdminAuditLog to search the logs (or use ECP).
The Search-AdminAuditLog command doesn't work with wildcards. I tried the first command below and had no results. I had to run the second command.
Search-AdminAuditLog -Cmdlets *AdminAuditLogConfig* Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig
Also, per http://technet.microsoft.com/en-us/library/ff459250.aspx, The Search-AdminAuditLog cmdlet searches the Microsoft Exchange Server 2010 Service Pack 1 (SP1) audit log only. You can't use this cmdlet to search the Exchange 2010 release to manufacturing (RTM) audit log. You must continue to access the Exchange 2010 RTM audit log using an e-mail client, such as Microsoft Outlook, or use Microsoft Office Outlook Web App.
The Search-AdminAuditLog cmdlet does not list details of the parameter and property values (you can get that info, but it’s a hassle because you have to basically write a script and mess with arrays—see View details of audit log entries section of http://technet.microsoft.com/en-us/library/ff459262.aspx#NewAdminAuditLogSearch). The alternative is to use New-AdminAuditLogSearch to get a more detailed report, in an XML file, e-mailed to you. The StartDate and EndData parameters for this command must be in UTC time or you might not get all the results—this wasn't mentioned in any MS article that I read.
There is a limitation with the configuration settings that you need to watch out for if you specify multiple cmdlets and parameters. I did some testing to verify this and the MS support tech also confirmed the behavior.
Per http://technet.microsoft.com/en-us/library/dd335109.aspx: For an audit log entry to be created when a command is run, the command must include at least one or more parameters that exist on at least one or more cmdlets specified with the AdminAuditLogCmdlets parameter.
The settings below will NOT work as expected.
AdminAuditLogCmdlets : {Set-Mailbox, *permission*} AdminAuditLogParameters : {*litigationhold*, *deleteditems*, GrantSendOnBehalfTo, *retention*, *quota*}
Entries will get logged for the Set-Mailbox commands, but not for any permission commands such as Add-ADPermission and Add-MailboxPermission. This is because of the parameters setting—the permission commands don’t have those parameters. I don’t see any way to get this to work the way we need it to. This is what we wanted to log:
• The cmdlet Set-Mailbox when run with these parameters: *deleteditems*, *litigationhold*, *quota*, *retention*, and GrantSendOnBehalfTo. A brief description of the parameters are below.
o *deleteditems* - For deleted item retention settings.
o *litigationhold* - For litigation hold settings.
o *quota* - For mailbox size quotas.
o *retention* - For retention settings.
o GrantSendOnBehalfTo - For send on behalf of setting.
• Any cmdlet with the word “permission” in it. *permissions* covers all permissions cmdlets such as *MailboxPermission, *ADPermission, and *MailboxFolderPermission.
Another limitation is if the mailbox account object was moved to another OU. This is because the ObjectIds parameter is the canonical name of the account’s AD object, so if you moved the object but wanted to audit changes made before the move, you must use the old canonical name as the parameter.
A special system mailbox is used for storing the log entries, but you can’t access the mailbox directly. You must use EMS or ECP to access the logs. I had to contact MS support to find out which mailbox it is because I could not find any public documentation on that. In RTM, you could specify the mailbox, but in SP1, the system mailbox is used. The system mailbox name is SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}. The support tech initially gave me the wrong mailbox name, and I questioned him on it and finally got the correct one. You can also search for the mailbox in ADUC—it’s in the default Users container. If you want more details about the account/mailbox, use ADSIEdit to view its properties. You can use the command below to get some basic info about the mailbox (must enclose name in quotation marks). This is a special mailbox, so I wasn't able to run a Get-Mailbox command against it.
Get-MailboxStatistics "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" | FL
The mailbox will be created on the first Exchange 2010 database, but you can move it later on using the command below (per MS support).
Get-Mailbox "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" -Arbitration | New-MoveRequest -TargetDatabase MB-001
I had tried using a standard move command, below, and the logging stopped after the move. I waited until the next day and the logging was still not working. I ended up moving the mailbox back to the original database, waited a few hours and then used the move command above and logging worked fine after that.
New-MoveRequest "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" –TargetDatabase MB-001
The configuration of the Admin Audit Log settings can be found in this AD object:
CN=Admin Audit Log Settings,CN=Global Settings,CN=Company-Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company-ad,DC=sysadmin-e,DC=com
You won’t see the mailbox name in the properties though. I’m not sure where that information is stored.
I got the command below from MS support after I requested more documentation. Note that the logs are kept in AdminAuditLogs, which is a subfolder of Recoverable Items. You can run this command to get the folder sizes:
Get-MailboxFolderStatistics "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" | Sort Name | FT Name, *Size –AutoSize
To only get the overall size, use this command:
Get-MailboxStatistics "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" | FL *Size
Here are some additional details I got from MS support on 2011-06-05:
(1) Configuration of the Admin Audit Logging feature is stored in the Active Directory (AD) directory on the Admin Audit Log Settings configuration object
(2) Auditing is enforced by the Admin Audit Log Agent, which is a part of the Cmdlet Extension Agent Framework (the Provisioning Layer for the Cmdlet Infrastructure)
(3) A system arbitration mailbox known as the Discovery System Mailbox is used to store audit log records
(4) Audit log records are stored in Recoverable Items (the dumpster) in a dedicated sub-folder called AdminAuditLogs
(5) The agent uses Exchange Web Services (EWS) to save the audit record to the Discovery System Mailbox
(6) The agent can also use Exchange Server Object (XSO) APIs to directly access the Discovery System Mailbox
(7) Audit Logs are retrieved using tasks that rely on Content Indexing of the audit logs to make them searchable
May 31st, 2012 at 8:14 AM
[...] A great URL regarding the very detail of Admin Audit . http://sysadmin-e.com/admin-audit-log-ex2010 [...]
April 16th, 2015 at 12:41 PM
Great article, very useful and very clear explanations.