ExchangeBlog » Tips » Exchange 2010 Administrator Audit Log – search logs

Exchange 2010 Administrator Audit Log – search logs

  By Remigiusz Szatkowski | 06/06/2013 - 02:12 |

This post is also available in: Polish

We wrote how to enable Administrator Audit Log on Exchange 2010 in last post:

Exchange 2010 Administrator Audit Log – configuration

 

Now we want to explain how can we search logs or export them.

 

We can see logs and export them using:

  • ECP console
  • CMDlet Search-AdminAuditLog or New-AdminAuditLogSearch

 

Using ECP console to search and export logs:

Run ECP console and choose:

  1. In the drop-down list box next to Mail > Options, click My Organization from the Select what to manage list.
  2. Click Reporting, click Auditing, and then click Export Configuration Changes.
  3. Select a date range using the Start Date and End Date fields.
  4. Select the recipient who should receive the XML file using the Select users to email the audit log to field.
  5. Click Export.

If any log entries are found using the criteria you specified, an XML file will be created and sent as an e-mail attachment to the recipient you specified.

 

Eksport Administrator Audit Logs using EMS and CMDlet’s Search-AdminAuditLog or New-AdminAuditLogSearch:

You can use in EMS Search-AdminAuditLog cmdlet to search the contents of the administrator audit log.

To get all audit logs between dates use::

Search-AdminAuditLog -StartDate 01/05//2013 -EndDate 01/06/2013

 

You can also specify cmdlets and parameters to find in audit logs:

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendsize, MaxReceiveSize -StartDate 01/05/2013 -EndDate 01/06/2013 -UserIds JSmith, AJohnson

 

 

Other option is to use New-AdminAuditLogSearch CMDlet, to search the contents of the administrator audit log and send the results to one or more mailboxes that you specify.

After the New-AdminAuditLogSearch cmdlet is run, the report is delivered to the mailboxes you specify within 15 minutes. The log is included as an XML attachment on the report e-mail message. The maximum size of the log that can be generated is 10 MB

In my opinion this solution is better.

This example finds all the administrator audit log entries that contain either the New-RoleGroup or New-ManagementRoleAssignment cmdlet and sends the results to the mailbox Admin:

New-AdminAuditLogSearch -Name "Role Group Change Audit" -Cmdlets New-RoleGroup, New-ManagementRoleAssignment -StatusMailRecipients "David Strome"

 

You can also specify cmdlets which were used and export logs conataining only those cmdlets:

New-AdminAuditLogSearch -Name "Mailbox Quota Change Audit" -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota -StartDate 01/05/2013 -EndDate 01/06/2013 -StatusMailRecipients Admin

 

 

More information you can find here:

Search-AdminAuditLog

New-AdminAuditLogSearch

 

Releated posts:

Exchange 2010 Administrator Audit Log – configuration

Exchange 2010 Administrator Audit Log – script

 

 

Print Friendly


Related posts:

  1. Exam 70-417 Upgrading Your Skills To MCSA Windows Server 2012 – free online training
  2. Exchange 2010 remove mobile device Error The ActiveSyncDevice Cannot be Found
  3. Exchange Server 2013 Deployment Assistant Updated
  4. Microsoft Outlook Configuration Analyzer Tool 2.0 (OCAT)
  5. Microsoft Outlook Configuration Analyzer Tool 2.0 only in OffCAT
Tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>