Practical 365

Exchange Server 2010 Mailbox Audit Logging Step by Step Guide

February 8, 2011 by Paul Cunningham 95 Comments

A lot of businesses want to be able to track who accesses mailboxes in the organization, and who takes certain actions such as deleting mailbox items.  This is particularly true where mailboxes are accessed by delegates, for example when a senior manager has several people who access and manage their mailbox, or for shared mailboxes such as those used by sales and support teams.

Exchange Server 2010 (SP1 or later), Exchange Server 2013 and Exchange 2016 have a feature called Mailbox Audit Logging that provides exactly this capability.  However, it is not turned on for mailboxes by default, so the Exchange administrator has to enable it for those mailboxes that are considered sensitive, or any where access needs to be logged and audited.

You can see whether a mailbox has audit logging enabled by running the Get-Mailbox command.

[PS] C:\>Get-Mailbox Alan.Reid | fl *audit*
 
AuditEnabled     : False
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner       : {}

The output there shows you that:

  • Mailbox auditing is not enabled for this mailbox
  • The log age limit is 90 days
  • The actions that are logged for admins, delegates, and the owner themselves

Note how the mailbox owner is not logged by default, because their access would generate a lot of audit log entries. Delegates are logged for basic actions, and administrators are logged for additional administrative actions as well.

To enable a mailbox for audit logging use the Set-Mailbox command.

[PS] C:\>Set-Mailbox Alan.Reid -AuditEnabled $true
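
Because auditing is per mailbox and off by default, it helps to check which mailboxes are actually covered. The following is an added example, not code from the original article: the function name, the baseline list and the sample mailbox objects are assumptions made for illustration, and the syntax is kept compatible with the PowerShell 2.0 shell that Exchange 2010 uses.

```powershell
# Added example, not from the original article.
# Assumption: the baseline is the default AuditDelegate set shown in the output above.
$DelegateBaseline = 'Update','SoftDelete','HardDelete','SendAs','Create'

function Test-MailboxAuditConfig {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        $Mailbox,
        [string[]]$RequiredDelegate = $DelegateBaseline
    )
    process {
        # Normalise the logged actions to strings so the comparison works for
        # both live objects and objects returned over remote PowerShell.
        $logged  = @($Mailbox.AuditDelegate | ForEach-Object { "$_" })
        $missing = @($RequiredDelegate | Where-Object { $logged -notcontains $_ })

        New-Object PSObject -Property @{
            Mailbox         = $Mailbox.Name
            AuditEnabled    = [bool]$Mailbox.AuditEnabled
            OwnerAudited    = (@($Mailbox.AuditOwner).Count -gt 0)
            MissingDelegate = ($missing -join ', ')
            NeedsAttention  = ((-not $Mailbox.AuditEnabled) -or ($missing.Count -gt 0))
        } | Select-Object Mailbox, AuditEnabled, OwnerAudited, MissingDelegate, NeedsAttention
    }
}

# Constructed sample objects standing in for Get-Mailbox output.
# 'Sales.Shared' is a made-up mailbox name.
$sample = @(
    (New-Object PSObject -Property @{ Name='Alan.Reid'; AuditEnabled=$false;
        AuditDelegate=@('Update','SoftDelete','HardDelete','SendAs','Create'); AuditOwner=@() }),
    (New-Object PSObject -Property @{ Name='Sales.Shared'; AuditEnabled=$true;
        AuditDelegate=@('SendAs','Create'); AuditOwner=@('HardDelete') })
)

$sample | Test-MailboxAuditConfig | Format-Table -AutoSize

# Against a live organization:
# Get-Mailbox -ResultSize Unlimited | Test-MailboxAuditConfig | Where-Object { $_.NeedsAttention }
```

Both sample mailboxes are flagged: the first because auditing is disabled, the second because delegate deletes and updates are not in its logged actions.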

To demonstrate audit logging I’ve accessed the mailbox as delegate Alex Heyne, and deleted several inbox items.

There are a few different ways you can look for mailbox audit log entries. The first is by searching a single mailbox using the Exchange Management Shell.

The Search-MailboxAuditLog command lets you perform searches of mailbox audit logs.  In this example I’m performing a search and displaying just one entry.

[PS] C:\>Search-MailboxAuditLog -Identity Alan.Reid -LogonTypes Delegate -StartDate 1/1/2011 -EndDate 2/8/2011 -ResultSize 1 -ShowDetails
 
RunspaceId               : d76bf455-a098-4ef2-abad-7d0b153df302
Operation                : SoftDelete
OperationResult          : Succeeded
LogonType                : Delegate
ExternalAccess           : False
DestFolderId             :
DestFolderPathName       :
FolderId                 : LgAAAABP8tPUduCNQbq3ixaUfzrSAQD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAAAB
FolderPathName           : Inbox
ClientInfoString         : Client=MSExchangeRPC
ClientIPAddress          : 10.0.1.11
ClientMachineName        :
ClientProcessName        : OUTLOOK.EXE
ClientVersion            : 14.0.4760.1000
InternalLogonType        : Delegated
MailboxOwnerUPN          : Alan.Reid@exchangeserverpro.net
MailboxOwnerSid          : S-1-5-21-3252988086-3956323440-3716555505-1113
DestMailboxOwnerUPN      :
DestMailboxOwnerSid      :
DestMailboxGuid          :
CrossMailboxOperation    : False
LogonUserDisplayName     : Alex Heyne
LogonUserSid             : S-1-5-21-3252988086-3956323440-3716555505-1117
SourceItems              : { RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvG
                           eCAAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK0
                           3AAAAvGeBAAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbg
                           D/lyUK03AAAAvGeAAAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGl
                           k9ZQqbgD/lyUK03AAAAvGd/AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAA
                           CNDsKGlk9ZQqbgD/lyUK03AAAAvGd+AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAA
                           AAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd9AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYH
                           Zzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd8AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bT
                           o9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd7AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0
                           krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd6AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzr
                           SBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd5AAAA,  RgAAAABP8tPUduCNQbq3
                           ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd4AAAA,  RgAAAABP8tPUd
                           uCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd3AAAA,  RgAAAA
                           BP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd2AAAA,
                            RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd
                           1AAAA,  RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03
                           AAAAvGd0AAAA}
SourceFolders            : {}
ItemId                   :
ItemSubject              :
DirtyProperties          :
OriginatingServer        : ESP-HO-EX2010A (14.01.0218.011)
MailboxGuid              : d91ebf81-f836-431c-8857-2f2a46ee0a93
MailboxResolvedOwnerName : Alan Reid
LastAccessed             : 2/7/2011 10:11:33 PM
Identity                 : RgAAAABP8tPUduCNQbq3ixaUfzrSBwAVowOS8YKPSZu3yRX+MS1dAAAAAj7RAAAVowOS8YKPSZu3yRX+MS1dAAAAAj7o
                           AAAJ
IsValid                  : True

As you can see the information is partially useful (we can see who did something and when they did it) but there is also a lot of unreadable data presented. For a PowerShell script that provides an easier method for checking mailbox audit log entries refer to the following article:

  • Get-MailboxAuditLoggingReport.ps1 – PowerShell Script to Generate a Report of Mailbox Audit Log Entries
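
To show how the detailed entries can be reduced to the readable parts (who, when, what, from where), here is an added example that is not the script referenced above and not code from the original article. The function name, the exclusion parameter and the two sample entries are assumptions; the sample entries are constructed from the field names in the output shown earlier so the block runs without an Exchange server.

```powershell
# Added example, not from the original article and not Get-MailboxAuditLoggingReport.ps1.
# Written for PowerShell 2.0 compatibility (Exchange 2010).
function ConvertTo-AuditSummary {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        $Entry,
        # Display names of service accounts to leave out of the report (none by default).
        [string[]]$ExcludeLogonUser = @()
    )
    process {
        if ($ExcludeLogonUser -contains $Entry.LogonUserDisplayName) { return }

        New-Object PSObject -Property @{
            When      = $Entry.LastAccessed
            Mailbox   = $Entry.MailboxResolvedOwnerName
            Actor     = $Entry.LogonUserDisplayName
            LogonType = $Entry.LogonType
            Operation = $Entry.Operation
            Result    = $Entry.OperationResult
            Folder    = $Entry.FolderPathName
            # Report how many items were affected instead of the opaque item IDs.
            ItemCount = @($Entry.SourceItems).Count
            ClientIP  = $Entry.ClientIPAddress
            Client    = $Entry.ClientProcessName
        } | Select-Object When, Mailbox, Actor, LogonType, Operation, Result, Folder, ItemCount, ClientIP, Client
    }
}

# Constructed sample entries. The first mirrors the entry shown above with
# placeholder item IDs; the second is a made-up service account entry.
$sampleEntries = @(
    (New-Object PSObject -Property @{
        LastAccessed = [datetime]'2011-02-07 22:11:33'; MailboxResolvedOwnerName = 'Alan Reid'
        LogonUserDisplayName = 'Alex Heyne'; LogonType = 'Delegate'; Operation = 'SoftDelete'
        OperationResult = 'Succeeded'; FolderPathName = 'Inbox'
        SourceItems = @('item-1','item-2','item-3')
        ClientIPAddress = '10.0.1.11'; ClientProcessName = 'OUTLOOK.EXE' }),
    (New-Object PSObject -Property @{
        LastAccessed = [datetime]'2011-02-07 22:30:00'; MailboxResolvedOwnerName = 'Alan Reid'
        LogonUserDisplayName = 'BlackBerry'; LogonType = 'Delegate'; Operation = 'FolderBind'
        OperationResult = 'Succeeded'; FolderPathName = 'Inbox'
        SourceItems = @()
        ClientIPAddress = '10.0.1.20'; ClientProcessName = '' })
)

$summary = @($sampleEntries | ConvertTo-AuditSummary -ExcludeLogonUser 'BlackBerry')
$summary | Format-Table -AutoSize

# Against a live server, writing a CSV that a log collector can pick up:
# Search-MailboxAuditLog -Identity Alan.Reid -LogonTypes Delegate -ShowDetails `
#     -StartDate 1/1/2011 -EndDate 2/8/2011 |
#     ConvertTo-AuditSummary | Export-Csv .\mailbox-audit.csv -NoTypeInformation
```

With the sample data the report contains one row, the SoftDelete by Alex Heyne with an item count of 3, and the excluded service account entry is dropped.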

Mailbox audit logs can also be searched using the Exchange Control Panel (Exchange 2010) or Exchange Admin Centre (Exchange 2013 and 2016). In the organization management area are a series of different auditing tasks, including mailbox audit log searches. The screenshots below are from Exchange 2010, and you can find an Exchange 2013 example here.

Exchange 2010 Mailbox Audit Log Search in Exchange Control Panel

This web interface makes searches much easier and also returns results that are readable.

Exchange 2010 Mailbox Audit Log search results

You can see that mailbox audit logging is a useful feature for organizations that need to audit this kind of activity, but with the trade off that the logs are stored in the mailbox and so will increase mailbox size.  However since any audit logging of this kind has to be stored somewhere this shouldn’t be seen as a road block to activating the feature on only those specific mailboxes that require auditing.

Further reading:

  • Using Exchange Server Mailbox Audit Logs to Find the Sender of an Email from a Shared Mailbox
  • Tracking Mailbox Owner Deletes using Mailbox Audit Logging
  • How Much Database Storage Does Mailbox Audit Logging Consume?


Comments

  1. Prashant says

    December 30, 2018 at 11:08 pm

    Hi Paul,

    Thank you for the blog. We have Exchange 2010 SP3 Enterprise version installed in our organization. We have enabled the audit log as per the steps you shared in your blog, and tried to perform some testing in our production environment test mailboxes. During our test, we were able to see the logs that were created for SendAs and Create. But besides that we performed activities like Soft-Delete and Hard-Delete, which were not shown in the audit logs. Is there anything we have missed configuring, to audit the Soft-Delete or Hard-Delete by the delegated user?

    Reply
  2. George A. says

    March 9, 2017 at 6:38 am

    Hello Paul,
    I have an Exchange 2013 DAG of two members. Do you know why the AdminAuditLog always shows as “originating server” the one that has the role of “PAM”? Or is it something that only seems so to me? I make changes on a user that is on the second node of my DAG, but the AdminAuditLog always shows me the primary as the “Originating Server”. Is this the expected behavior?

    Thanks!

    Reply
    • Paul Cunningham says

      March 9, 2017 at 8:08 am

      Maybe that’s the server you’re connected to with your management shell at the time.

      Reply
  3. Adeiza Yisa says

    October 16, 2016 at 1:07 am

    Paul,

    We are currently implementing IBM QRadar SIEM in our environment. One of our security use cases is to get an alert when someone else aside from the owner of the mailbox accesses it. Where is this log kept and how can we get the log into IBM QRadar SIEM?

    Reply
  4. Tony C says

    May 4, 2016 at 11:15 pm

    Paul – is there a way to actually view the sent email? I can see the time and date, the sender and the subject but nothing else. Is there any way to actually view the email itself (in case the user deleted it from Sent/Deleted Items or populate the recipient in the search results?

    Reply
    • Paul Cunningham says

      May 5, 2016 at 4:04 pm

      No, the mail contents are not stored in the audit logs. The only way to view the mail item is to view the actual mail item. If it’s been deleted, at least auditing can tell you that.

      Reply
  5. sanjeev says

    April 6, 2016 at 5:35 pm

    hi Paul

    We are trying to reduce the audit log size of one user mailbox, which has reached 30 GB.

    We have tried to disable auditing and change the ageing of the audit log but no luck. Can you please help?

    Reply
    • Paul Cunningham says

      April 6, 2016 at 9:59 pm

      If you lower the age limit for audit logs on that mailbox, the server should clean up the logs that are already there as a background task later, but I wouldn’t expect it to happen instantly.

      Reply
  6. SSJ_GOG says

    March 11, 2016 at 9:23 am

    Hi,
    Does this work for public folders at all?

    Reply
  7. Gigz says

    February 13, 2016 at 2:00 am

    Hi Paul
    I have a large single forest, multiple domain setup with over 100 2010 servers. All of a sudden admins in different domains get a warning when editing users, Send As etc. The warning is that it can't connect to one server in another domain in the forest (which is by default, as there is no link between domains). If I disable audit logging it goes away. My question is: is there a home user mailbox, like a postmaster, that audit logging attaches itself to on setup, and might this be located in the domain that the error points to?
    Thanks
    Kevin

    Reply
  8. HL says

    February 8, 2016 at 9:39 am

    In MailboxAuditLog, after enabling, there are events about mailbox objects access, but are they also stored MailboxFolderPermission changes? Because users and administrators are able to change mailbox folder permissions (“Inbox” or “Top of Information store” for example), it is difficult to prove, who did changes.

    Reply
  9. RamG says

    February 7, 2016 at 12:36 am

    Hi Paul,

    When we export the audit logs using the Search-MailboxAuditLog command with the Send As operation I am getting two logs for a single email, i.e. the user has sent one email but we are getting two logs while exporting audit logs.

    Can you let me know the reason for the same.

    Reply
    • Paul Cunningham says

      February 8, 2016 at 11:21 pm

      I’d have to see the logs first hand. There might be two items logged because two operations take place when a Send As occurs, e.g. sending the email itself, plus saving the sent item to the shared mailbox’s Sent Items folder.

      Reply
  10. Sarfraz Aslam says

    January 6, 2016 at 11:09 pm

    Hi,
    I have set the age limit to 2 days for admin audit logs, but after the 2 days the audit logs are not flushed. Is there anything I am missing?

    Thanks.

    Reply
    • Paul Cunningham says

      January 6, 2016 at 11:36 pm

      What is the exact command you ran?

      What are you doing to check whether the admin audit logs have been removed or not?

      Note: you’re saying “admin audit logs” but this is an article about “mailbox audit logging” which is something different.

      Reply
  11. Ekrem Saruhan says

    October 7, 2015 at 7:02 pm

    About 2 years ago i added a new domain into my Exchange environment because of a change of company name. All users are until now using both domains example @ABC.com and @XYZ.com.
    In the meantime users could use both domains and i want to disable the old domain @ABC.com.
    My problem is that a lot of email communications are still received at the old domain. I want to create a catch-all policy where I want to automatically send a mail to the sender with a message like “Dear sender, please use our new domain address receiver@XYZ.com. This mail will not be forwarded to the sender.”
    I couldn’t find a standard solution for my problem. Maybe you can help me with it.
    regards,

    Ekrem

    Reply
    • Paul Cunningham says

      October 7, 2015 at 9:38 pm

      Those auto-reply solutions are bad practice. Don’t do it. It annoys senders and it doesn’t work for automated systems such as newsletters that your users signed up to with their old email address.

      If you want to stop accepting email to a domain just remove that domain from your recipients and from your Exchange organization. The emails will bounce and the sender can resend or the automated system can see the NDR and remove that address from its database.

      Reply
  12. trank0 says

    August 7, 2015 at 5:00 pm

    Hi, please tell me where those logs are exactly? On the Mailbox server? HUB? CAS? And at which path? In the Program FilesExchange2010Logging path I can't find any logically named folder for this action, and with “get-mailboxserver “mbxserver” | fl *log* ” I can't find any logical place where those logs are stored.

    I want to know this because hard disk space is low on my servers, and those logs on all mailboxes can make my data grow on my hard disks and then I'm going to be in trouble. I want to test first with a few users to check how it's growing, but first I need to know where those logs are stored, especially on which server, to monitor the disk space.

    Thanks a lot, great tutorial.

    Reply
    • Paul Cunningham says

      August 7, 2015 at 9:01 pm

      Here you go:
      https://practical365.com/much-database-storage-mailbox-audit-logging-consume/

      Reply
      • trank0 says

        August 7, 2015 at 11:13 pm

        Awesome answer, then I assume that the audits on mailboxes, and in my case it is exactly to check the logging of non-owners on all mailboxes, all data is stored in each mailbox, then the database is going to grow.

        Is my thinking correct?

        Reply
        • Paul Cunningham says

          August 8, 2015 at 8:35 am

          The database will probably grow. If you’re concerned about how much it will grow, turn on audit logging for a small number of mailboxes and use the script to see how much extra space it is using.

          Reply
  13. Jan says

    August 5, 2015 at 12:11 am

    Hi Paul, Nice and EasyToUnderstand article.
    BUT >

    When I use Add-MailboxPermission to grant somebody FullAccess, s/he is in the AuditDelegate auditing logon type… What type of command for granting permission should I invoke to set the access to AuditAdmin?

    I’m looking for audit type MessageBind, which is available only via AuditAdmin ….

    Thx in advance,
    Jan

    Reply
  14. Aurimas says

    December 11, 2014 at 6:35 pm

    Hello,
    I’ve followed the article and the audit logs in PowerShell show that the mailbox was accessed, some items deleted etc., but when I try to run auditing in ECP I can only see the fact that the mailbox was accessed, but the detail window is empty. Any ideas?

    screenshot – http://i.imgur.com/A0vDEde.png

    Reply
  15. Singh says

    April 24, 2014 at 1:58 am

    Hi Paul,

    I have enabled Auditing for delegates (as I want to audit users with Full access permissions on a shared Mailbox).
    Here is what I have enabled:

    AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}

    I see a create operation when I copy a file from inbox to any subfolder and I see a SoftDelete Operation when I delete an email from Deleted Items.
    But I don’t see any Operation when I move any item from inbox to subfolder.

    Am I missing something on my settings?

    Regards,
    Singh

    Reply
  16. Farhad_Adm says

    March 17, 2014 at 10:28 pm

    Hello. Great blog! But when I generate my report in the web interface I can't get the result.

    I get the information in the left panel about which mailbox it is and the last access on that mailbox but I can't get the information in the right pane.

    Has anyone had such a problem?

    Thanks in advance!

    Reply
  17. Tony says

    March 13, 2014 at 1:55 am

    Hello, I am interested in setting this up for our firm. I have tested on a test account and everything seems to work as expected. My question is how hard of a hit does this put on Exchange resources. We have 2100 mailboxes and it would be nice to turn this on for all of them with administrator and delegate auditing.

    Reply
    • Paul Cunningham says

      March 13, 2014 at 12:30 pm

      Not much, usually.

      https://practical365.com/much-database-storage-mailbox-audit-logging-consume/

      I recommend setting bypass for any service accounts that access every mailbox, such as BES or Symantec Enterprise Vault.

      Reply
  18. Martin says

    December 28, 2013 at 8:07 am

    Hi Paul,
    great blog! saved me many times! 🙂
    thank you

    I need to find messages with certain string in the subject, and know if this email was forwarded to other people and we need to know to whom…

    is it possible?

    kind regards
    martin

    Reply
  19. Jason says

    September 20, 2013 at 6:24 am

    Paul, first up. Really good website, I’ve been learning Exchange from you for years now.

    I’m now doing some mailbox auditing and have gotten the basics of it to work. The specific issue that I’m working on now is trying to determine why folders and their contents are turning up in the ‘recover deleted items’ folder of a mailbox on an intermittent basis.

    So, I have mailbox auditing turned on but the two attributes ‘DestFolderID’ and ‘DestFolderPathName’ are showing up blank. I’d like to know where items are being moved to. These are ‘soft delete’ operations.

    Thoughts?

    Again, really nice work.

    Reply
    • Paul Cunningham says

      September 24, 2013 at 9:23 pm

      Soft Delete means “An item is deleted from the Deleted Items folder.” which I guess makes the folder Ids redundant since an item deleted from the Deleted Items can only go to the recoverable deleted items folder next.

      Reply
  20. Galas says

    September 4, 2013 at 1:44 am

    Paul, you are pretty much my exchange reference!
    I am going to give it a try, it was exactly what I was looking for, and as always, I ended up on your website.
    Thanks a million.

    Reply
  21. Douglas Diniz says

    August 16, 2013 at 4:24 am

    Hello Paul,

    There is a possibility that I will be notified by email if any mailbox is opened by a user other than the user owner?

    What is the correct procedure to perform such an action?

    Exchange Server 2010.

    Thank you!

    Reply
    • Paul Cunningham says

      August 17, 2013 at 11:57 pm

      Exchange does not have that capability builtin. You would need to write your own script or look at investing in a security monitoring product.

      Reply
  22. John says

    August 10, 2013 at 5:22 am

    I am auditing a mailbox now however it is only showing me items deleted from the deleted box. If it helps I am logged into OWA and manipulating the user's mailbox as an admin. I can see the items I delete from the deleted items but not from the inbox. If I delete something from the inbox, it goes to deleted, then when I delete it from the deleted items, it shows in my log.

    Reply
    • Paul Cunningham says

      August 14, 2013 at 1:50 pm

      Refer to the list on this page for mailbox actions that can be audit logged, and make sure you’ve enabled those actions that you want to see in the logs/reports.

      http://technet.microsoft.com/en-us/library/ff459237(v=exchg.141).aspx

      Reply
  23. nirav says

    August 9, 2013 at 12:33 am

    Dear Paul

    Thanks for the wonderful post. My query is: if I am the mailbox owner and I want the audit report for this account only, is it possible or not? How can I accomplish that task?

    Reply
  24. Links says

    July 22, 2013 at 8:28 pm

    Hi Experts,

    Can someone help me answer one query: can we export this mailbox audit data to a local external file, which I can then use in my SIEM to monitor and track the activities?

    Thanks in advance.

    Reply
  25. Stripppy says

    March 10, 2013 at 11:40 pm

    Hi Paul,

    Great article. In MailboxAuditLog, after enabling, there are events about mailbox objects access, but where are stored MailboxFolderPermission changes? Because users and administrators are able to change mailbox folder permissions (“Inbox” or “Top of Information store” for example), it is difficult to prove, who did changes.

    Thanks

    Reply
  26. Carol Ostos says

    March 6, 2013 at 2:49 pm

    I’m wondering if anyone has seen this event ID

    5001 Error MSExchange Management Application Failed to create EWS mailer.
    Organization:
    Error:
    Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogException: Unable to find the admin audit logs folder. Reason: System.Web.Services.Protocols.SoapException: The specified server version is invalid.
    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
    at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.c__DisplayClass4.b__3()
    at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler1 handler)
    at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler1 handler)
    at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.FindFolder(FindFolderType FindFolder1)
    at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
    at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
    at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer..ctor(OrganizationId organizationId, ADUser adUser, ExchangePrincipal principal)
    at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.Create(OrganizationId organizationId, ADUser mailbox, ExchangePrincipal principal)

    I tried to google about this but did not find much info, Any guidance would be useful. Thanks so much!!!

    Reply
    • jeevan says

      March 7, 2013 at 4:46 pm

      As per the error it is saying that the Audit folder is not created on the mailbox. A folder is created after you enable auditing on the mailbox; it is a hidden folder. You can check it with Get-MailboxFolderStatistics.

      I suggest you check that the Audit folder is created after you enable auditing on the mailbox.

      regards
      jeevan

      Reply
  27. jeevan says

    February 26, 2013 at 8:05 pm

    I tried in my organization but it is not working.

    I ran the command below but I did not get any output from it, and the same happens with the ECP console. I received the report but nothing is there.
    The interesting thing is that it is not giving me any error while executing the command.

    Search-MailboxAuditLog -Identity test -LogonTypes Owner -StartDate 02/26/2013 -ShowDetails

    We have Exchange 2010 SP2 Build 247.5 (RU 2706690)

    anyone please let me know what could be issue.

    Reply
  28. Daniel says

    January 17, 2013 at 5:16 pm

    Hi Can I please get the command on how to audit the mailbox owner?

    [PS] C:\Windows\system32>Set-Mailbox records -AuditEnabled $true

    That doesn’t log the owner of course, what is the switch to log what the owner does?

    Thanks

    Reply
    • Paul Cunningham says

      January 21, 2013 at 1:09 pm

      The -AuditOwner switch can be used for that. Valid values listed here:

      http://technet.microsoft.com/en-us/library/bb123981.aspx

      Reply
  29. Mahmoud says

    December 6, 2012 at 6:48 pm

    Hi Paul,
    My result as the follows:

    Time: 12/6/2012 2:08 AM
    Performed by: EV
    Signed in as: Internal user without delegate access
    Operation: Open folder
    Folder: Sync IssuesServer Failures
    Status: Succeeded

    Time: 12/6/2012 12:49 AM
    Performed by: BlackBerry
    Signed in as: Internal user without delegate access
    Operation: Open folder
    Folder: Recoverable Items
    Status: Succeeded

    So I didn’t get “performed by certain user”. Can you explain to me why I get EV and BlackBerry? Does EV mean Enterprise Vault, because we have it?

    Reply
  30. Rachael says

    November 26, 2012 at 11:53 pm

    Hi,

    It is really helpful, thank you so much.

    And I need the audit log for the owner. Although I used the example below from TechNet, it didn’t work.

    Search-MailboxAuditLog -Identity kwok -LogonTypes Owner -ShowDetails -StartDate 1/1/2012 -EndDate 3/1/2012 | Where-Object {$_.Operation -eq “HardDelete”}

    The error is,
    A valid LogonType must be specified when ShowDetails is set to false. Valid Logon Types when ShowDetails is false are:
    Admin,Delegate

    Could you please help me to find what is wrong?

    Thank you…

    Reply
  31. John says

    September 21, 2012 at 6:22 pm

    Hi

    Thanks for all. I want to check something else. I can run Exchange ECP report:
    Export mailbox audit logs…
    Search for and export information about non-owner access to a mailbox during a specific time period. Learn more…

    I want to make a filter and to run the same report with specific users excluded? How do I do that? Perhaps with cmdlet?

    Thanks

    Reply
    • John says

      September 21, 2012 at 7:15 pm

      For example I can do this and I want to see all non-owner accesses:
      New-MailboxAuditLogSearch “Delegates” -Mailboxes “X Y” -LogonTypes Delegate -StartDate 01/01/2012 -EndDate 09/21/2012 -StatusMailRecipients “x@x.com”

      However, this returns too many results. How can I get them all? Or eventually add a few exceptions? For example I have a BlackBerry service which is active, and the BB account is audited and it creates a lot of entries.

      Thanks!

      Reply
  32. Athar says

    September 11, 2012 at 5:14 pm

    Hi,

    I am facing problems with Audit reports some of the users, some of them are showing audit report but many users are just blank in ECP/shell. I have checked the audit attributes and all of them have the same attributes.

    any ideas?

    Thanks

    Reply
    • Paul Cunningham says

      September 15, 2012 at 8:02 pm

      Are you expecting to see auditable events in the results? If nothing has happened to generate any audit logs I imagine you would see blank results.

      Reply
      • Athar says

        September 21, 2012 at 6:29 pm

        It's showing only the users that got their accounts accessed by a service account or other non-owners. I don’t see all the users so I assume that the audit log is showing accounts because of a breach. Some of them are showing details and some of them are just blank when I select them 🙂

        Thanks.

        Reply
  33. Dumitru says

    September 3, 2012 at 10:26 pm

    Hi,
    can you help to find location of log entries?

    Reply
    • Jan says

      August 5, 2015 at 12:06 am

      In the mailbox itself in hidden folder.
      Jan

      Reply
  34. Dave K says

    July 19, 2012 at 4:06 am

    Hi Paul,

    When running the Search-MailboxAuditLog command I noticed that the ItemSubject is not populated on delete operations for messages. Is there a way to determine what the subject of the delete message was? The only information provided is the SourceItems id (which i assume is the message id).

    I’m running the command against the owner’s mailbox with AuditOwner enabled for Update, Move, MoveToDeletedItems, SoftDelete and HardDelete.

    Thanks.

    Reply
    • Dave K says

      July 19, 2012 at 4:08 am

      Sorry I should clarify, i’m running the Search-MailboxAuditLog -ShowDetails command.

      Reply
    • SysAdmin-E.com says

      December 29, 2012 at 7:36 am

      I just ran into this myself. The blank “ItemSubject” is a known issue. See http://social.technet.microsoft.com/forums/en-US/exchangesvradminlegacy/thread/ea59ce81-d216-4453-95d4-25c69e3a9330.

      Reply
  35. Brian says

    July 18, 2012 at 12:39 am

    Thanks for this! How would you recommend going about setting this up if we want to audit all mailboxes? It seems kind of silly to pick and choose, how are we supposed to know where there will some day be an issue with someone deleting an e-mail they shouldn’t. Seems like this is a pretty big oversight to only allow setting auditing at the mailbox level. I’ve noticed that trend a lot in Exchange 2010 though. In 2003 it seemed everything was able to be set at a datastore or server level.

    Thanks!
    Brian

    Reply
  36. Daniel says

    July 13, 2012 at 9:17 am

    Hi Paul,

    Fantastic article.

    I have a catchall mailbox here that I would like to see who is accessing it and if they are reading e-mails in the catchall. (I understand that I can see who has access to it via the console or shell but I also want to see when / why they are accessing it) I have enabled auditing as per your instructions and see that the following is on by default.

    [PS] C:\Windows\system32>get-mailbox Catchall | fl *audit*

    AuditEnabled : True
    AuditLogAgeLimit : 90.00:00:00
    AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
    AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
    AuditOwner : {}

    Can I add a parameter so I can see when a user is reading mails in the catchall?

    Reply
  37. Hao says

    July 5, 2012 at 5:03 pm

    Hi Paul,

    I have the same issue as Dennis here: after turning on user audit, I could not find any log. Are there any steps that we have to do with the Mailbox server in “Manage Diagnostic Logging Properties”?

    Thanks in advance,
    Hao

    Reply
    • Hao says

      July 5, 2012 at 7:05 pm

      I am sorry, it worked, I got the audit log with the command:

      Search-MailboxAuditLog -ShowDetails |FT

      Reply
  38. Florin says

    April 27, 2012 at 9:30 pm

    Hi,

    How can I generate reports for the audit logs and send them to an email address (automatically)?

    Is there a way to give a specific user the possibility to see his audit reports in OWA or ECP?

    Thank you in advance!
    Florin

    Reply
  39. Dennis Baader says

    April 23, 2012 at 9:20 pm

    Hi,

    At first, thanks for this howto. I configured all by your steps, but I didn’t get any results from the mailbox search. It seems like the Exchange didn’t log anything. But I can see that AuditLog is enabled for the mailbox. I tested some different mailboxes. We use Exchange 2010 SP1.

    Maybe a problem of a service or permission?!

    Thanks for reply.

    Best Regards,

    Dennis

    Reply
  40. kembobill says

    April 10, 2012 at 11:27 pm

    Hi Paul,
    Would you give direction on how to enable logging to check spam source? My IP is being blacklisted so often and I think it will get to a point I will be out totally.

    Reply
    • Paul Cunningham says

      April 11, 2012 at 6:18 am

      This is not a function of mailbox audit logging.

      Reply
  41. Brian says

    April 6, 2012 at 7:43 am

    Yes it does audit any non-owner access to the mailbox through the CAS, including EWS. BES uses EWS and there are LOTS of non-owner entries generated if you use BES.

    Reply
    • Atom says

      April 10, 2012 at 2:17 am

      Is it also possible to catch external who use OWA on Firefox or other non-IE browsers?

      Reply
      • Paul Cunningham says

        April 11, 2012 at 6:18 am

        You would look in the IIS logs for OWA (separate to mailbox audit logging) for that type of information on which browsers people are using.

        Reply
      • Atom says

        April 12, 2012 at 2:15 am

        OKAY Paul, I think what I was asking is whether it is possible (presumably using IP) to track those external users who log onto other people’s email accounts if they have logged in to the email system using the actual victim’s email credentials?

        Reply
      • Paul Cunningham says

        April 12, 2012 at 6:29 am

        The IP address of the person connecting to OWA will be visible in the IIS logs for OWA (depending on how your firewall is configured, you may need to look at firewall logs instead).

        Reply
  42. gaponte says

    March 2, 2012 at 8:53 pm

    Hi Paul,
    Firstly I’m so glad to read your genius and clean articles (great experience I got via your site 🙂 )…etc…etc..
    Regarding the auditing, I’m trying to get details after I’ve enabled the auditing on a mailbox, but on executing the query below, I’m not getting any result at all:
    Search-MailboxAuditLog -Identity alias -LogonTypes Delegate -StartDate 2/29/2012 -EndDate 3/1/2012 -ResultSize 1 -ShowDetails
    Do I miss some other step?
    Thank you in advance!

    Reply
  43. Andy says

    February 23, 2012 at 3:40 am

    Prior to setting up Exchange (and using the POP connector) my client used to leave 5 days’ worth of email on the POP server (from Outlook settings) so that a manager could review activity.
    Any thoughts on implementing this and presenting in an easy to use format?

    Reply
  44. Manohar says

    February 15, 2012 at 4:32 pm

    Greeting !!

    Is there any PowerShell script to audit Exchange 2010 SP2 users’ mailboxes? Please suggest.

    Reply
  45. Dubravko Hlede says

    February 13, 2012 at 5:41 pm

    I have enabled mailbox audit logging, on one mailbox (test1), according to your guide.

    Set-Mailbox test1 -AuditEnabled $true

    After that I have given full access permissions to that mailbox to user: test2.

    Add-MailboxPermission -Identity test1 -User test2 -AccessRights Fullaccess -InheritanceType all

    Using test2 user I have deleted email in test1 mailbox, but when I use ECP or
    Search-MailboxAuditLog -StartDate 1/1/2012 -EndDate 2/14/2012 -ShowDetails

    I get nothing.

    Any suggestions?

    Reply
  46. JOhn Sdao says

    February 10, 2012 at 3:37 am

    Will auditing catch non-owner entries if the account is being accessed by EWS?

    Reply
    • Paul Cunningham says

      February 10, 2012 at 12:36 pm

      Hmmm, I don’t know the answer to that. If there is impersonation being used then I would guess only the impersonating account would show up. But I’m only guessing.

      Reply
  47. Mouzzam says

    January 9, 2012 at 3:54 am

    I need to export this log file result to a file. How can I check this?

    Reply
  48. David Musashi says

    December 20, 2011 at 7:55 am

    Thanks for the article! I needed this! I’ve been able to turn on the auditing for just one user, as well as turn on auditing for the mailbox owner for softdelete and harddelete using “set-mailbox -auditowner softdelete, harddelete” (user is having messages that are being harddeleted that they claim they are never seeing so I’m trying to figure out what is harddeleting the messages).
    Here is my question, how would I sort the output so that it’s only showing Operation: HardDelete? Anytime I try something like “Search-MailboxAuditLog -Identity -StartDate 12/11/2011 -ShowDetails -Operation HardDelete” I get a “positional parameter” error.

    Reply
    • Nuno Mota says

      December 30, 2011 at 2:48 am

      Hi David,

      Try the following: Search-MailboxAuditLog -StartDate "12/11/2011" -ShowDetails | ? {$_.Operation -match "delete"}

      Also, do you see anything for the Owner?

      Regards,
      Nuno

      Reply
      • David Musashi says

        June 5, 2012 at 2:28 am

        After 6 months of working on this I finally figured out that the user had set junk mail rules that automatically deleted messages. So the logs were saying she deleted them but she was saying that she didn’t. I love it when users go dinking with settings they don’t really understand. So, how would I turn off the auditing for this user now that I don’t need them audited anymore?

        Reply
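Added example (not part of the comments or the article's own code): the client-side operation filter suggested in the reply above, extended to check the mailbox's audit settings first and export the matching entries to CSV. The mailbox name is the article's sample; the 30-day window, result size and output path are assumptions.

```powershell
# Run in the Exchange Management Shell (Exchange 2010 SP1 or later).
$mailbox = 'Alan.Reid'                       # sample mailbox from the article
$start   = (Get-Date).AddDays(-30)           # assumed search window
$end     = Get-Date
$outFile = 'C:\Temp\mailbox-deletes.csv'     # assumed output path

# An empty result is often a configuration issue, so check the settings first.
$mbx = Get-Mailbox -Identity $mailbox
if (-not $mbx.AuditEnabled) {
    Write-Warning "Audit logging is not enabled on $mailbox; nothing is being recorded."
}
if (-not $mbx.AuditOwner) {
    Write-Warning "AuditOwner is empty on $mailbox; the owner's own actions are not logged."
}

# -ShowDetails returns one object per logged action instead of a per-mailbox summary.
$entries = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Owner,Delegate,Admin `
    -StartDate $start -EndDate $end -ShowDetails -ResultSize 10000

# Keep only the delete-type operations.
$deletes = @($entries | Where-Object {
    $_.Operation -match '^(SoftDelete|HardDelete|MoveToDeletedItems)$'
})

if ($deletes.Count -eq 0) {
    Write-Warning "No delete operations logged for $mailbox between $start and $end."
} else {
    # Full detail to CSV for review or archiving.
    $deletes | Sort-Object LastAccessed |
        Select-Object LastAccessed, Operation, OperationResult, LogonType,
            LogonUserDisplayName, FolderPathName, ClientInfoString |
        Export-Csv -Path $outFile -NoTypeInformation

    # Who deleted what, and how often.
    $deletes | Group-Object LogonType, LogonUserDisplayName, Operation |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}
```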
  49. Gonzalez says

    December 16, 2011 at 11:53 pm

    Thank you Paul. Well written doc. Very helpful! 🙂
    I would like to see more examples though, sometime, when you have the time. For example, it took another 10 min or so to find out how to construct this:
    Set-Mailbox username -AuditEnabled $true -AuditLogAgeLimit 360.00:00:00 -Confirm

    Anyway, as it is, it is very helpful.

    I have question: There is a feature, on the server, which is available to admin, to set forwarding of emails from one mailbox to another. This: “Forward to Select this check box, and then click Browse to open the Select Recipient dialog box. Use this dialog box to select a recipient to whom you want to forward all e-mail messages that are sent to this mailbox. ”
    My question is: Let’s assume auditing is not enabled, is there an option to check and audit all the mailboxes for this setting? I guess I have to go and check the configuration for each mailbox separately and manually?

    Thank you

    Reply
    • Nuno Mota says

      February 15, 2012 at 10:38 pm

      Hi Gonzalez,

      This new feature does not audit that type of configuration (note that the e-mail is forwarded before reaching the mailbox).
      For that, all you have to do is run a cmdlet similar to:
      Get-Mailbox -ResultSize Unlimited -Filter {DeliverToMailboxAndForward -eq $True} | Select SamAccountName, ForwardingAddress, ForwardingSmtpAddress

      Hope this helps!

      Reply
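Added example (not part of the comments or the article's own code): a report of mailbox-level forwarding that goes beyond the one-liner in the reply above by also listing mailboxes that forward without keeping a local copy, where DeliverToMailboxAndForward is False. The output path and the KeepsLocalCopy column name are assumptions.

```powershell
# Run in the Exchange Management Shell.
$outFile = 'C:\Temp\mailbox-forwarding.csv'   # assumed output path

# Forwarding can be set to a directory recipient (ForwardingAddress) or to a
# plain SMTP address (ForwardingSmtpAddress); report a mailbox if either is set.
$forwarding = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object SamAccountName, PrimarySmtpAddress,
        ForwardingAddress, ForwardingSmtpAddress,
        @{ Name = 'KeepsLocalCopy'; Expression = { $_.DeliverToMailboxAndForward } })

# Forward-only mailboxes sort first: mail leaves without a copy staying behind.
$forwarding | Sort-Object KeepsLocalCopy, SamAccountName | Format-Table -AutoSize
$forwarding | Export-Csv -Path $outFile -NoTypeInformation

$forwardOnly = @($forwarding | Where-Object { -not $_.KeepsLocalCopy })
Write-Host ("{0} mailboxes forward mail; {1} of them keep no local copy." -f `
    $forwarding.Count, $forwardOnly.Count)
```

Saving the CSV from each run and comparing it with the previous one shows forwarding that was added between runs.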
  50. Grant B says

    July 24, 2011 at 1:52 am

    We have Exchange 2010 and I cannot run these PowerShell commands. When I run the Get-Mailbox I just get a return to the PS prompt. When I run the Set-Mailbox I get this error:
    A positional parameter cannot be found that accepts argument ‘-AuditEnabled:’.
    + CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-Mailbox
    Also my ECP does not have the auditing tab? What am I missing? Do I need to install something extra?

    Thanks for your help, good article.

    Reply
    • Paul Cunningham says

      July 25, 2011 at 8:35 pm

      Hi Grant, are you running Exchange 2010 RTM or SP1?

      Reply
      • Grant B says

        July 25, 2011 at 11:06 pm

        I guess I have RTM? Would that be the case, I am running rollup 5?

        Thanks

        Reply
      • Paul Cunningham says

        July 28, 2011 at 9:23 pm

        That sounds like RTM to me yeah.

        Reply
      • Parastoo says

        December 11, 2012 at 6:36 am

        Hi Paul

        I have same problem with running these shell command in SP, anyway I have another question:

        With the Audit feature, is it possible to know who has sent a delivery report query on a specific audit-enabled mailbox?

        e.g. I wanna know who checked delivery report “Search for delivery information about messages sent to or from a specific person” on my mailbox .
        As we know in Delivery Report log we will see all the mail subjects which send / receive to users so it is very critical and I need to monitor it.
        Any idea is appreciated

        Reply
  51. Sergio K says

    March 31, 2011 at 12:22 pm

    Hello while attempting to enter the Set-Mailbox Alan.Reid -AuditEnabled $true command, I get an error Positional Parameters Not Found. Any Idea why I get that error.

    Thanks

    Reply
    • Paul Cunningham says

      April 4, 2011 at 8:55 pm

      Try using -identity when you’re specifying the mailbox name. And try it first with Get-Mailbox to make sure you’re entering a valid mailbox name.

      Reply
      • Sergio K says

        April 4, 2011 at 9:28 pm

        Thanks,
        I will try that.

        Reply
