Exchange 2010 Administrator Audit Log – script


So far we have written two articles about the Administrator Audit Log.

The first described how to enable and configure the Administrator Audit Log:

Exchange 2010 Administrator Audit Log – configuration

In the second we explained how to search the Administrator Audit Log:

Exchange 2010 Administrator Audit Log – search logs

 

Now we will describe how to automate searching the Administrator Audit Log.

During Administrator Audit Log configuration we set how long audit logs will be stored in a hidden arbitration mailbox.

The command used to configure how long the logs are kept is shown below:

Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 60.00:00:00

 

To specify a value in days, use the format dd.hh:mm:ss, so in this example logs will be kept for 60 days.

 

Once the Administrator Audit Log is enabled, the operations performed by administrators will naturally increase the size of the arbitration mailbox, which may also increase the database size.

To get the size of the AdminAuditLogs folder in the arbitration mailbox, use the command:

Get-MailboxFolderStatistics "Guid of arbitration mailbox" -FolderScope RecoverableItems -IncludeAnalysis

 

When this folder is too big, you can remove logs from the mailbox using the command below:

Search-Mailbox "Guid of arbitration mailbox" -SearchDumpsterOnly -DeleteContent

 

Of course, when the number of audited operations is large, we cannot keep them on the server indefinitely.
Therefore, a better solution is to set a shorter log retention time and export the logs regularly to keep the audit history.

 

You can export logs using the New-AdminAuditLogSearch cmdlet; it will send an email with an attached .xml file containing all administrator operations.

Below you can find a website that explains the .xml file structure:

Administrator Audit Log Structure

 

We can open this .xml file using Microsoft Excel.

 

Another option is to use the Search-AdminAuditLog cmdlet and define the date range of the operations we want to export. Then we can save the output to an HTML file.

Below you can download a script which saves all operations from the last month to an .htm file.
The .htm file is then sent by email to the administrator.
You can use Task Scheduler to run this script once a month.

This script will allow you to keep the audit history for every month.

Script can be downloaded here:

AdministratorAuditLog_monthly
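
The monthly export described above, written out as an added PowerShell example (it is not the downloadable AdministratorAuditLog_monthly script). The report folder, SMTP server and mail addresses are assumed placeholders, and it must run in a session where the Exchange cmdlets are loaded.

```powershell
# Added example; this is not the downloadable AdministratorAuditLog_monthly script.
# Assumed placeholders: report folder, SMTP server and both mail addresses.
$reportDir  = 'C:\AuditReports'
$smtpServer = 'smtp.example.com'
$mailFrom   = 'exchange-audit@example.com'
$mailTo     = 'admin@example.com'
$resultSize = 10000   # Search-AdminAuditLog returns only 1000 entries by default

if (-not (Get-Command Search-AdminAuditLog -ErrorAction SilentlyContinue)) {
    throw 'Search-AdminAuditLog not found: run this from the Exchange Management Shell.'
}

# Previous calendar month: from the first day of last month to the first day of this month
$end   = (Get-Date -Day 1).Date
$start = $end.AddMonths(-1)

$entries = @(Search-AdminAuditLog -StartDate $start -EndDate $end -ResultSize $resultSize)

# If the limit was hit, entries are missing and the archive is not a complete record
if ($entries.Count -ge $resultSize) {
    Write-Warning "Result limit ($resultSize) reached; the report may be incomplete."
}

# Flatten the CmdletParameters collection so each row shows the full command that was run
$rows = $entries | Sort-Object RunDate | Select-Object RunDate, Caller, CmdletName,
    ObjectModified, Succeeded, @{ Name = 'Parameters'; Expression = {
        ($_.CmdletParameters | ForEach-Object { '-{0} {1}' -f $_.Name, $_.Value }) -join ' '
    } }

if (-not (Test-Path $reportDir)) { New-Item -ItemType Directory -Path $reportDir | Out-Null }
$file  = Join-Path $reportDir ('AdminAuditLog_{0:yyyy-MM}.htm' -f $start)
$title = 'Administrator Audit Log {0:yyyy-MM} ({1} entries)' -f $start, $entries.Count
$rows | ConvertTo-Html -Title $title -PreContent "<h2>$title</h2>" |
    Out-File -FilePath $file -Encoding UTF8

Send-MailMessage -SmtpServer $smtpServer -From $mailFrom -To $mailTo `
    -Subject $title -Body 'Monthly Administrator Audit Log report attached.' `
    -Attachments $file
```

Keep AdminAuditLogAgeLimit longer than the interval between runs, so that a missed scheduled run does not leave a gap in the archived history.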

 
