In the previous post we described how to enable the Administrator Audit Log on Exchange 2010:
Exchange 2010 Administrator Audit Log – configuration
Now we want to explain how to search the logs and export them.
We can view and export the logs using:
- ECP console
- the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlets
Using ECP console to search and export logs:
Run ECP console and choose:
- In the drop-down list box next to Mail > Options, click My Organization from the Select what to manage list.
- Click Reporting, click Auditing, and then click Export Configuration Changes.
- Select a date range using the Start Date and End Date fields.
- Select the recipient who should receive the XML file using the Select users to email the audit log to field.
- Click Export.
If any log entries are found using the criteria you specified, an XML file will be created and sent as an e-mail attachment to the recipient you specified.
Exporting Administrator Audit Logs using EMS and the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlets:
In EMS you can use the Search-AdminAuditLog cmdlet to search the contents of the administrator audit log.
To get all audit log entries between two dates, use:
Search-AdminAuditLog -StartDate 01/05/2013 -EndDate 01/06/2013
You can also specify cmdlets and parameters to find in audit logs:
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendsize, MaxReceiveSize -StartDate 01/05/2013 -EndDate 01/06/2013 -UserIds JSmith, AJohnson
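Each entry returned by Search-AdminAuditLog keeps its parameters in a nested CmdletParameters collection, which is awkward to review in the console. The following added example (not part of the original post) flattens the entries into one row per watched parameter. The names ConvertTo-AuditRow and New-SampleEntry, the sample entries and the CSV file name are assumptions made for illustration, and the code is written to run on PowerShell 2.0.

```powershell
# Added example, not from the original post. PowerShell 2.0 compatible.
# Emits one row per watched parameter: who changed what, on which object, when.
function ConvertTo-AuditRow {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Entry,
        # Parameter names to report; defaults are the quota and size settings above.
        [string[]] $Watch = @('ProhibitSendQuota', 'ProhibitSendReceiveQuota',
                              'IssueWarningQuota', 'MaxSendSize', 'MaxReceiveSize')
    )
    process {
        foreach ($p in @($Entry.CmdletParameters)) {
            if ($Watch -notcontains $p.Name) { continue }   # case-insensitive match
            New-Object PSObject -Property @{
                RunDate   = $Entry.RunDate
                Caller    = $Entry.Caller
                Cmdlet    = $Entry.CmdletName
                Target    = $Entry.ObjectModified
                Parameter = $p.Name
                Value     = $p.Value
                Succeeded = $Entry.Succeeded
            } | Select-Object RunDate, Caller, Cmdlet, Target, Parameter, Value, Succeeded
        }
    }
}

# Constructed sample entries shaped like Search-AdminAuditLog output (hypothetical data).
function New-SampleEntry([datetime]$When, $Caller, $Target, [hashtable]$Params, [bool]$Ok) {
    New-Object PSObject -Property @{
        RunDate = $When; Caller = $Caller; CmdletName = 'Set-Mailbox'
        ObjectModified = $Target; Succeeded = $Ok
        CmdletParameters = @($Params.GetEnumerator() | ForEach-Object {
            New-Object PSObject -Property @{ Name = $_.Key; Value = $_.Value } })
    }
}
$sample = @(
    (New-SampleEntry '2013-01-05 10:15' 'JSmith' 'User1' @{ Identity = 'User1'; ProhibitSendQuota = 'unlimited' } $true),
    (New-SampleEntry '2013-01-05 11:40' 'AJohnson' 'User2' @{ Identity = 'User2'; MaxSendSize = '50 MB'; MaxReceiveSize = '50 MB' } $false)
)
$sample | ConvertTo-AuditRow | Sort-Object RunDate, Parameter | Format-Table -AutoSize

# Against a live server, run in EMS. The cmdlet returns at most 1000 entries
# unless -ResultSize is raised:
# Search-AdminAuditLog -Cmdlets Set-Mailbox -StartDate 01/05/2013 -EndDate 01/06/2013 -ResultSize 5000 |
#     ConvertTo-AuditRow | Export-Csv .\quota-changes.csv -NoTypeInformation
```

The Succeeded column matters when reviewing changes: a failed Set-Mailbox call is still logged, so a row does not by itself mean the setting was applied.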
Another option is to use the New-AdminAuditLogSearch cmdlet, which searches the contents of the administrator audit log and sends the results to one or more mailboxes that you specify.
After the New-AdminAuditLogSearch cmdlet is run, the report is delivered to the mailboxes you specify within 15 minutes. The log is included as an XML attachment on the report e-mail message. The maximum size of the log that can be generated is 10 MB.
In my opinion this solution is better.
This example finds all the administrator audit log entries that contain either the New-RoleGroup or New-ManagementRoleAssignment cmdlet and sends the results to the mailbox Admin:
New-AdminAuditLogSearch -Name "Role Group Change Audit" -Cmdlets New-RoleGroup, New-ManagementRoleAssignment -StartDate 01/05/2013 -EndDate 01/06/2013 -StatusMailRecipients "David Strome"
You can also specify which cmdlets and parameters were used and export only the log entries containing them:
New-AdminAuditLogSearch -Name "Mailbox Quota Change Audit" -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota -StartDate 01/05/2013 -EndDate 01/06/2013 -StatusMailRecipients Admin
You can find more information here: