Exchange 2010 Administrator Audit Log – search logs


We described how to enable the Administrator Audit Log on Exchange 2010 in the previous post:

Exchange 2010 Administrator Audit Log – configuration


Now we want to explain how to search the logs or export them.


We can view and export the logs using:

  • The ECP console
  • The Search-AdminAuditLog or New-AdminAuditLogSearch cmdlets


Using the ECP console to search and export logs:

Open the ECP console and follow these steps:

  1. In the drop-down list box next to Mail > Options, click My Organization from the Select what to manage list.
  2. Click Reporting, click Auditing, and then click Export Configuration Changes.
  3. Select a date range using the Start Date and End Date fields.
  4. Select the recipient who should receive the XML file using the Select users to email the audit log to field.
  5. Click Export.

If any log entries are found using the criteria you specified, an XML file will be created and sent as an e-mail attachment to the recipient you specified.


Export Administrator Audit Logs using EMS and the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlets:

In EMS, you can use the Search-AdminAuditLog cmdlet to search the contents of the administrator audit log.

To get all audit log entries between two dates, use:

Search-AdminAuditLog -StartDate 01/05/2013 -EndDate 01/06/2013


You can also specify cmdlets and parameters to find in audit logs:

Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendsize, MaxReceiveSize -StartDate 01/05/2013 -EndDate 01/06/2013 -UserIds JSmith, AJohnson



Another option is to use the New-AdminAuditLogSearch cmdlet to search the contents of the administrator audit log and send the results to one or more mailboxes that you specify.

After the New-AdminAuditLogSearch cmdlet is run, the report is delivered to the mailboxes you specify within 15 minutes. The log is included as an XML attachment on the report e-mail message. The maximum size of the log that can be generated is 10 MB.

In my opinion this solution is better.

This example finds all the administrator audit log entries that contain either the New-RoleGroup or New-ManagementRoleAssignment cmdlet and sends the results to the mailbox Admin:

New-AdminAuditLogSearch -Name "Role Group Change Audit" -Cmdlets New-RoleGroup, New-ManagementRoleAssignment -StatusMailRecipients "David Strome"


You can also specify which cmdlets were used and export logs containing only those cmdlets:

New-AdminAuditLogSearch -Name "Mailbox Quota Change Audit" -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota -StartDate 01/05/2013 -EndDate 01/06/2013 -StatusMailRecipients Admin
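An added example (not from the original post) for reviewing the XML attachment that the export delivers: it flattens each entry and lists the role-related cmdlets named above, including failed attempts. The sample XML is constructed, and its element and attribute names (SearchResults, Event, CmdletParameters, Parameter) and the helper name ConvertFrom-AdminAuditXml are assumptions to adjust against the file you actually receive.

```powershell
# Constructed sample of an exported report. Element and attribute names are assumed.
$sampleXml = @'
<SearchResults>
  <Event Caller="contoso.local/Users/JSmith" Cmdlet="Set-Mailbox" ObjectModified="contoso.local/Users/AJohnson" RunDate="2013-01-05T10:12:44Z" Succeeded="true" Error="None" OriginatingServer="EX01">
    <CmdletParameters>
      <Parameter Name="ProhibitSendQuota" Value="unlimited" />
    </CmdletParameters>
  </Event>
  <Event Caller="contoso.local/Users/AJohnson" Cmdlet="New-ManagementRoleAssignment" ObjectModified="Mailbox Import Export-JSmith" RunDate="2013-01-05T23:41:07Z" Succeeded="true" Error="None" OriginatingServer="EX01">
    <CmdletParameters>
      <Parameter Name="Role" Value="Mailbox Import Export" />
      <Parameter Name="User" Value="JSmith" />
    </CmdletParameters>
  </Event>
  <Event Caller="contoso.local/Users/JSmith" Cmdlet="New-RoleGroup" ObjectModified="Helpdesk2" RunDate="2013-01-06T02:03:19Z" Succeeded="false" Error="Access denied (constructed)" OriginatingServer="EX01">
    <CmdletParameters>
      <Parameter Name="Name" Value="Helpdesk2" />
    </CmdletParameters>
  </Event>
</SearchResults>
'@

# Hypothetical helper: flattens each <Event> into one object with a single Parameters string.
function ConvertFrom-AdminAuditXml {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $doc = [xml]$Xml
    foreach ($e in $doc.SelectNodes('/SearchResults/Event')) {
        $pairs = @($e.SelectNodes('CmdletParameters/Parameter') |
            ForEach-Object { '{0}={1}' -f $_.GetAttribute('Name'), $_.GetAttribute('Value') })
        New-Object PSObject -Property @{
            RunDate        = [datetime]$e.GetAttribute('RunDate')
            Caller         = $e.GetAttribute('Caller')
            Cmdlet         = $e.GetAttribute('Cmdlet')
            ObjectModified = $e.GetAttribute('ObjectModified')
            Succeeded      = ($e.GetAttribute('Succeeded') -eq 'true')
            Error          = $e.GetAttribute('Error')
            Parameters     = ($pairs -join '; ')
        }
    }
}

# For a real attachment use [IO.File]::ReadAllText('<path to attachment>.xml') instead of $sampleXml.
$events = @(ConvertFrom-AdminAuditXml -Xml $sampleXml)

# Permission-granting cmdlets named in the post; failed attempts stay visible via Succeeded.
$watch = 'New-RoleGroup', 'New-ManagementRoleAssignment'
$events | Where-Object { $watch -contains $_.Cmdlet } | Sort-Object RunDate |
    Format-Table RunDate, Caller, Cmdlet, Succeeded, Parameters -AutoSize
```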



You can find more information here:




Related posts:

Exchange 2010 Administrator Audit Log – configuration

Exchange 2010 Administrator Audit Log – script


