This post is also available in: Polish
If your Exchange organization has more than one administrators, and sometimes you need to know who did what, then you should use Exchange Administrator Audit Log.
When you enable Administrator Audit Log it will help you to keep a track of the changes made to any Exchange configuration like:
creating new mailbox, changing receive connectors, transport rules etc.
Those information are quite important during troubleshooting your Exchange environment.
In Microsoft Exchange 2010 RTM, Administrator Audit Log logged all operations to mailbox. When you enable audit log then you need to use parameter AdminAuditLogMailbox to specify mailbox to store all audit logs.
But with SP1 for Exchange 2010 you don’t need to use mailbox anymore.
Now all logs are stored in a hidden, dedicated arbitration mailbox.
To check if Administrator Audit Log is enabled we should use following command:
Get-AdminAuditLogConfig | FL
we will receive information about audit settings like below:
For us the most important are:
- AdminAuditLogEnabled – The default value of this parameter is false. I have it enabled. This indicates that the administrator audit logging is enabled/disabled. To enable enable administrator audit logging, we have to set the value of this parameter to true
- TestCmdletLoggingEnabled – The function of this parameter is to choose if the logging of Test- cmdlets, like Test-OutlookWebServices, Test-ReplicationHealth, is enabled or not. The default value is false which means they are not enabled.
- AdminAuditLogCmdlets – The AdminAuditLogCmdlets parameter is used to decide which cmdlets are to be logged when administrator audit logging is enabled. The default value of this parameter is the wildcard character * which means that all the cmdlets will be logged
- AdminAuditLogParameters – there are certain parameters linked with Cmdlets. These parameters are used with the cmdlets and controls whether administrator audit logging will also log cmdlet parameters. The * operator indicates that all parameters are logged
- AdminAuditLogAgeLimit – The function of this parameter is to control how long an entry in the log is preserved. Even though this parameter is not yet functional in Exchange 2010, once it is implemented, it will be useful as log entries are stored as e mail messages and too many e mails will clog up the inbox.
How to enable Administrator Audit Log:
To enable Administrator Audit Log we need to use CMDlet :
with parameters which we want to set.
By default when we enable Administrator Audit Log, all operations made by administrators are logged.
So when we want to just enable audit we need to use parameter AdminAuditLogEnabled and if we want to specify how long logs should be keept we can use following command:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True -AdminAuditLogAgeLimit 60
When we want to log specified operations we need to specify them individually like below:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True -AdminAuditLogCmdlets New-Mailbox, *TransportRule, Set-Transport*
or if we want to log only operations with ReceiveConnector or Config:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *ReceiveConnector, *Config*
But if we specify operations which we want to log and now we want to log all operations we have to use * (wildcard character):
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *
Below you can find more information about CMDlets: