Exchange 2010 Administrator Audit Log – script

So far we have written two articles about the Administrator Audit Log.

The first described how to enable and configure the Administrator Audit Log:

Exchange 2010 Administrator Audit Log – configuration

In the second we explained how to search the Administrator Audit Log:

Exchange 2010 Administrator Audit Log – search logs

 

Now we will describe how to automate searching the Administrator Audit Log.

When configuring the Administrator Audit Log, we set how long audit logs are stored in the hidden arbitration mailbox.

The command used to configure how long the logs are kept is shown below:

Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 60.00:00:00

 

The value uses the format dd.hh:mm:ss, so in this example logs will be kept for 60 days.

Continue reading

Exchange 2010 Administrator Audit Log – search logs

In the last post we described how to enable the Administrator Audit Log on Exchange 2010:

Exchange 2010 Administrator Audit Log – configuration

 

Now we want to explain how to search the logs or export them.

We can view the logs and export them using:

  • the ECP console
  • the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlets

 

Using the ECP console to search and export logs:

Open the ECP console and follow these steps:

  1. In the drop-down list box next to Mail > Options, click My Organization from the Select what to manage list.
  2. Click Reporting, click Auditing, and then click Export Configuration Changes.
  3. Select a date range using the Start Date and End Date fields.
  4. Select the recipient who should receive the XML file using the Select users to email the audit log to field.
  5. Click Export.
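
The same export from the Exchange Management Shell, using the two cmdlets listed above. This is an added example, not code from the original post; the 7-day window, the CSV path and the recipient address are assumed values.

```powershell
# Added example; run in the Exchange Management Shell (Exchange 2010 SP1 or later).
# Assumed values: 7-day window, CSV path, recipient address.
$end     = Get-Date
$start   = $end.AddDays(-7)
$csvPath = 'C:\AuditReports\AdminAudit.csv'      # assumed path
$mailTo  = 'auditor@example.com'                 # assumed recipient

# Confirm that auditing is on and show how long entries are retained.
$config = Get-AdminAuditLogConfig
if (-not $config.AdminAuditLogEnabled) {
    Write-Warning 'Administrator audit logging is disabled; no new entries are being recorded.'
}
'Audit log retention (dd.hh:mm:ss): {0}' -f $config.AdminAuditLogAgeLimit

# Synchronous search: entries are returned to the shell.
# The default result size is 1000, so raise it for busy organizations.
$entries = Search-AdminAuditLog -StartDate $start -EndDate $end -ResultSize 5000

# Flatten each entry (who ran which cmdlet against which object, and with
# which parameters) into one CSV row for review or archiving.
$entries |
    Sort-Object RunDate |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
        @{ Name       = 'Parameters'
           Expression = { ($_.CmdletParameters |
                           ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; ' } } |
    Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

# Asynchronous search: Exchange builds the XML report and mails it to the
# recipient, which is what the ECP "Export Configuration Changes" steps do.
New-AdminAuditLogSearch -Name 'Weekly admin audit export' `
    -StartDate $start -EndDate $end -StatusMailRecipients $mailTo
```

Run on a schedule with a window shorter than the configured AdminAuditLogAgeLimit, the CSV export preserves entries before Exchange ages them out of the arbitration mailbox.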

Continue reading

Exchange 2010 Administrator Audit Log – configuration


If your Exchange organization has more than one administrator and you sometimes need to know who did what, then you should use the Exchange Administrator Audit Log.

Once enabled, the Administrator Audit Log helps you keep track of changes made to the Exchange configuration, such as creating a new mailbox or changing receive connectors, transport rules etc.

This information is quite important when troubleshooting your Exchange environment.

In Microsoft Exchange 2010 RTM, the Administrator Audit Log logged all operations to a mailbox. When you enabled the audit log, you had to use the AdminAuditLogMailbox parameter to specify the mailbox that would store all audit logs.

With SP1 for Exchange 2010 you no longer need to specify a mailbox.

Now all logs are stored in a hidden, dedicated arbitration mailbox.

 

To check whether the Administrator Audit Log is enabled, use the following command:

Get-AdminAuditLogConfig | FL

 

We will receive information about the audit settings like below:

Continue reading