A lot of businesses want to be able to track who accesses mailboxes in the organization, and who takes certain actions such as deleting mailbox items. This is particularly true where mailboxes are accessed by delegates, for example when a senior manager has several people who access and manage their mailbox, or for shared mailboxes such as those used by sales and support teams.
Exchange Server 2010 (SP1 or later), Exchange Server 2013 and Exchange 2016 have a feature called Mailbox Audit Logging that provides exactly this capability. However it is not turned on for mailboxes by default, so the Exchange administrator has to enable for those mailboxes which are considered sensitive or any where access needs to be logged and audited.
You can see whether a mailbox has audit logging enabled by running the Get-Mailbox command.
|
1 2 3 4 5 6 7 |
[PS] C:\>Get-Mailbox Alan.Reid | fl *audit* AuditEnabled : False AuditLogAgeLimit : 90.00:00:00 AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create} AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create} AuditOwner : {} |
The output there shows you that:
- Mailbox auditing is not enabled for this mailbox
- The log age limit is 90 days
- The actions that are logged for admins, delegates, and the owner themselves
Note how the mailbox owner is not logged by default, because their access would generate a lot of audit log entries. Delegates are logged for basic actions, and administrators are logged for additional administrative actions as well.
To enable a mailbox for audit logging use the Set-Mailbox command.
|
1 |
[PS] C:\>Set-Mailbox Alan.Reid -AuditEnabled $true |
To demonstrate audit logging I’ve accessed the mailbox as delegate Alex Heyne, and deleted several inbox items.
There are a few different ways you can look for mailbox audit log entries. The first is a by searching a single mailbox using the Exchange Management Shell.
The Search-MailboxAuditLog command lets use perform searches of mailbox audit logs. In this example I’m performing a search and displaying just one entry.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
[PS] C:\>Search-MailboxAuditLog -Identity Alan.Reid -LogonTypes Delegate -StartDate 1/1/2011 -EndDate 2/8/2011 -ResultSi ze 1 -ShowDetails RunspaceId : d76bf455-a098-4ef2-abad-7d0b153df302 Operation : SoftDelete OperationResult : Succeeded LogonType : Delegate ExternalAccess : False DestFolderId : DestFolderPathName : FolderId : LgAAAABP8tPUduCNQbq3ixaUfzrSAQD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAAAB FolderPathName : Inbox ClientInfoString : Client=MSExchangeRPC ClientIPAddress : 10.0.1.11 ClientMachineName : ClientProcessName : OUTLOOK.EXE ClientVersion : 14.0.4760.1000 InternalLogonType : Delegated MailboxOwnerUPN : Alan.Reid@exchangeserverpro.net MailboxOwnerSid : S-1-5-21-3252988086-3956323440-3716555505-1113 DestMailboxOwnerUPN : DestMailboxOwnerSid : DestMailboxGuid : CrossMailboxOperation : False LogonUserDisplayName : Alex Heyne LogonUserSid : S-1-5-21-3252988086-3956323440-3716555505-1117 SourceItems : { RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvG eCAAAA, RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK0 3AAAAvGeBAAAA, RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbg D/lyUK03AAAAvGeAAAAA, RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGl k9ZQqbgD/lyUK03AAAAvGd/AAAA, RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAA CNDsKGlk9ZQqbgD/lyUK03AAAAvGd+AAAA, RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAA AAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd9AAAA, RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYH Zzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd8AAAA, RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bT o9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd7AAAA, RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0 krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd6AAAA, RgAAAABP8tPUduCNQbq3ixaUfzr SBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd5AAAA, RgAAAABP8tPUduCNQbq3 ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd4AAAA, RgAAAABP8tPUd uCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd3AAAA, RgAAAA BP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd2AAAA, RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03AAAAvGd 1AAAA, RgAAAABP8tPUduCNQbq3ixaUfzrSBwD4k0krNt4bTo9RiFYHZzc/AAAAAB6kAACNDsKGlk9ZQqbgD/lyUK03 AAAAvGd0AAAA} SourceFolders : {} ItemId : ItemSubject : DirtyProperties : OriginatingServer : ESP-HO-EX2010A (14.01.0218.011) MailboxGuid : d91ebf81-f836-431c-8857-2f2a46ee0a93 MailboxResolvedOwnerName : Alan Reid LastAccessed : 2/7/2011 10:11:33 PM Identity : RgAAAABP8tPUduCNQbq3ixaUfzrSBwAVowOS8YKPSZu3yRX+MS1dAAAAAj7RAAAVowOS8YKPSZu3yRX+MS1dAAAAAj7o AAAJ IsValid : True |
As you can see the information is partially useful (we can see who did something and when they did it) but there is also a lot of unreadable data presented. For a PowerShell script that provides an easier method for checking mailbox audit log entries refer to the following article:
Mailbox audit logs can also be searched using the Exchange Control Panel (Exchange 2010) or Exchange Admin Centre (Exchange 2013 and 2016). In the organization management area are a series of different auditing tasks, including mailbox audit log searches. The screenshots below are from Exchange 2010, and you can find an Exchange 2013 example here.
This web interface makes searches much easier and also returns results that are readable.
You can see that mailbox audit logging is a useful feature for organizations that need to audit this kind of activity, but with the trade off that the logs are stored in the mailbox and so will increase mailbox size. However since any audit logging of this kind has to be stored somewhere this shouldn’t be seen as a road block to activating the feature on only those specific mailboxes that require auditing.
Further reading:
Hi Paul,
Thank you for the blog, we do have Exchange 2010 SP3 Enterprise version installed in our organization. we have enabled the Audit log as of the steps you have shared in you blog, and tried to perform some testing in our production environment test mailboxes. During our test, we were able to see the logs that were created for Sendas and Create. But beside that we have performed the activity like Soft-Delete and Hard-Delete, which was not shown in the audit logs. Is there any thing we have missed out to configure. To audit the soft-delete or Hard-delete from the delegated user.
Hello Paul,
I have an Exchange 2013 DAG of two members, do you know why always shows as “originating server” in the AdminAuditlog the one who has the rol of “PAM”?. Or is it something that only seems to me?. I make changes on a user that is in the second node of my DAG, but in AdminAuditLog it always shows me the primary as the “Originating Server”. Is this the expected behavior?
Thanks!
Maybe that’s the server you’re connected to with your management shell at the time.
Paul,
We are currently implementing IBM QRadar SIEM in our environment. On of our security use case is to get alert when someone else aside the owner of the mailbox access it. Where is this log kept and how can we get the log into IBM QRadar SIEM
Paul – is there a way to actually view the sent email? I can see the time and date, the sender and the subject but nothing else. Is there any way to actually view the email itself (in case the user deleted it from Sent/Deleted Items or populate the recipient in the search results?
No, the mail contents are not stored in the audit logs. The only way to view the mail item is to view the actual mail item. If it’s been deleted, at least auditing can tell you that.
hi Paul
We are try to reducing the audit log size of one user mail box which reach to 30 GB
we have try to disable audit change the ageing of audit log but no luck can u please help.
If you lower the age limit for audit logs on that mailbox, the server should clean up the logs that are already there as a background task later, but I wouldn’t expect it to happen instantly.
Hi,
Does this work for public folders at all?
Hi Paul
I have a large Single Forest Multiple domain setup with over 100 2010 servers. All of a sudden admins is different domains get a warning when editing users, send as etc.. The warning is that it cant connect to one server in another domain in the forest (Which is by defaut as there is no link between domains). If i disable audit logging it goes away. My question is there a home user mailbox like a postmaster that auditlogging attaches itself to on setup and that this might be located in the domain that the error points to.
Thanks
Kevin
In MailboxAuditLog, after enabling, there are events about mailbox objects access, but are they also stored MailboxFolderPermission changes? Because users and administrators are able to change mailbox folder permissions (“Inbox” or “Top of Information store” for example), it is difficult to prove, who did changes.
Hi Paul,
When we export the audit logs using Search-MailboxAuditLog command with Send As operation i am getting two logs for a single email, i.e. the user has sent one email but we are two logs while exporting audit logs.
Can you let me know the reason for the same.
I’d have to see the logs first hand. There might be two items logged because two operations take place when a Send As occurs, e.g. sending the email itself, plus saving the sent item to the shared mailbox’s Sent Items folder.
Hi,
i have set the age limit 2 days for admin audit logs, but after the 2 days audit logs are not flushed. Is there any thing i am missing ?
Thanks.
What is the exact command you ran?
What are you doing to check whether the admin audit logs have been removed or not?
Note: you’re saying “admin audit logs” but this is an article about “mailbox audit logging” which is something different.
About 2 years ago i added a new domain into my Exchange environment because of a change of company name. All users are until now using both domains example @ABC.com and @XYZ.com.
In the meantime users could use both domains and i want to disable the old domain @ABC.com.
My problem is that lot of email communications are still received at the old domain. I want to create a catch-all policy where i want to automatically send a mail to the sender with a message like” dear sender, please use our new domain address receiver@XYZ.com. This mail will not been forwarded to the sender.”
I couldn’t find a standard solution for my problem. Maybe you can help me with it.
regards,
Ekrem
Those auto-reply solutions are bad practice. Don’t do it. It annoys senders and it doesn’t work for automated systems such as newsletters that your users signed up to with their old email address.
If you want to stop accepting email to a domain just remove that domain from your recipients and from your Exchange organization. The emails will bounce and the sender can resend or the automated system can see the NDR and remove that address from its database.
Hi, pls, tell me where those logs are exactly? In Mailbox server?, HUB? CAS? and which address? in the Program FilesExchange2010Logging path I can´t find any logic name folder for this acction and with “get-mailboxserver “mbxserver” | fl *log* ” I can´t any logic space where is nested those logs.
I want to know this because my hard disk space are poor on my servers and those logs on all mailboxes can make grow my data in my hard disks and then I´m gonna be in troubles. I want to test first over a few users to check how it´s growing, but I need first to know where is nested those logs, specially in which server to follow the space on disk.
Thanks a lot, great tutorial.
Here you go:
https://practical365.com/much-database-storage-mailbox-audit-logging-consume/
Awesome answer, then I assume that the audits on mailboxes, and in my case is exactly to check on all mailboxes the logging of not owners, all data is stored in each mailbox, the the database is going to grow.
Is my think correct?
The database will probably grow. If you’re concerned about how much it will grow, turn on audit logging for a small number of mailboxes and use the script to see how much extra space it is using.
Hi Paul, Nice and EasyToUnderstand article.
BUT >
when I use Add-MailboxPerrmission to grant somebody FullAccess, s/he is in AuditDelegate auditing logontype… what type of command for granting permission should I invoke, to set the access to AuditAdmin?
I’m looking for audit type MessageBind, which is available only via AuditAdmin ….
Thx in advance,
Jan
Hello,
I’ve followed the article and audit logs in powershell show that mailbox was accessed, some items deleted etc., but when I try to run auding in ECP I can only see the fact that mailbox was accessed, but the detail window is empty. Any ideas?
screenshot – http://i.imgur.com/A0vDEde.png
Hi Paul,
I have enabled Auditing for delegates (as I want to audit users with Full access permissions on a shared Mailbox).
Here is what I have enabled:
AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
I see a create operation when I copy a file from inbox to any subfolder and I see a SoftDelete Operation when I delete an email from Deleted Items.
But I don’t see any Operation when I move any item from inbox to subfolder.
Am I missing something on my settings?
Regards,
Singh
Hello. Great blog! But when i generate my report in web interface i cant get the result indeed.
I get the information in the left panel about which mailbox it is and last access on that mailbox but i cant get the information in the right pane.
Does anyone had such a problem?
Thanks in advance!
Hello, I am interested in setting this up for our firm. I have tested on a test account and everything seems to work as expected. My question is how hard of a hit does this put on Exchange resources. We have 2100 mailboxes and it would be nice to turn this on for all of them with administrator and delegate auditing.
Not much, usually.
https://practical365.com/much-database-storage-mailbox-audit-logging-consume/
I recommend setting bypass for any service accounts that access every mailbox, such as BES or Symantec Enterprise Vault.
Hi Paul,
great blog! saved me many times! 🙂
thanks you
I need to find messages with certain string in the subject, and know if this email was forwarded to other people and we need to know to whom…
is it possible?
king regards
martin
Paul, first up. Really good website, I’ve been learning Exchange from you for years now.
I’m now doing some mailbox auditing and have gotten the basics of it to work. The specific issue that I’m working on now is trying to determine why folders and their contents are turning up in the ‘recover deleted items’ folder of a mailbox on an intermittent basis.
So, I have mailbox auditing turned on but the two attributes ‘DestFolderID’ and ‘DestFolderPathName’ are showing up blank. I’d like to know where items are being moved to. These are ‘soft delete’ operations.
Thoughts?
Again, really nice work.
Soft Delete means “An item is deleted from the Deleted Items folder.” which I guess makes the folder Ids redundant since an item deleted from the Deleted Items can only go to the recoverable deleted items folder next.
Paul, you are pretty much my exchange reference!
II am going to give it a try, it was exactly what i was looking for, and as always, ended up in your website.
Thanks a million.
Hello Paul,
There is a possibility that I will be notified by email if any mailbox is opened by a user other than the user owner?
What is the correct procedure to perform such an action?
Exchange Server 2010.
Thank you!
Exchange does not have that capability builtin. You would need to write your own script or look at investing in a security monitoring product.
I am auditing a mailbox now however it is only showing me items deleted from the deleted box. If it helps I am logged into OWA and manipulating the users mailbox as an admin. I can see the itemes i delete from the deleted items but not from the inbox. If i delete something from the inbox, it goes to deleted, then when I delete it from the deleted items, it shows in my log.
Refer to the list on this page for mailbox actions that can be audit logged, and make sure you’ve enabled those actions that you want to see in the logs/reports.
http://technet.microsoft.com/en-us/library/ff459237(v=exchg.141).aspx
Dear Paul
thanks for the wonderful post. my query is that if i am the mailbox owner & I want the audit report for this account only. its possibe or not? how i can accomplish that task.
Hi Experts,
Can someone help me out to answer one query, if we can export these mailbox audit data to a local extrenal file, to which I can use the same in my SIEM to monitor in and track the activities.
Thanks in advance.
Hi Paul,
Great article. In MailboxAuditLog, after enabling, there are events about mailbox objects access, but where are stored MailboxFolderPermission changes? Because users and administrators are able to change mailbox folder permissions (“Inbox” or “Top of Information store” for example), it is difficult to prove, who did changes.
Thanks
I’m wondering if anyone has seen this event ID
5001 Error MSExchange Management Application Failed to create EWS mailer.
Organization:
Error:
Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAud
itLogException: Unable to find the admin audit logs folder. Rea
son: System.Web.Services.Protocols.SoapException: The specified
server version is invalid.
at System.Web.Services.Protocols.SoapHttpClientProtocol.Read
Response(SoapClientMessage message, WebResponse response, Strea
m responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invo
ke(String methodName, Object[] parameters)
at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProt
ocol.c__DisplayClass4.b__3()
at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.Networ
kServiceHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpCli
entProtocol client, AuthenticateAndExecuteHandler
1 handler)1 handler)at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthentica
tor.AuthenticateAndExecute[T](SoapHttpClientProtocol client, Au
thenticateAndExecuteHandler
at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBindi
ng.FindFolder(FindFolderType FindFolder1)
at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory
.EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory
.EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory
.EwsMailer..ctor(OrganizationId organizationId, ADUser adUser,
ExchangePrincipal principal)
at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory
.Create(OrganizationId organizationId, ADUser mailbox, Exchange
Principal principal)
I tried to google about this but did not find much info, Any guidance would be useful. Thanks so much!!!
As per the error it is saying that Audit folder is not created on mailbox. There is a folder will create after you enable the audit on mailbox , it is hidden folder. you can check it from get-mailboxfolderstatistics.
I suggest you please check the Audit folder is created after you enable the Auditing on maillbox.
regards
jeevan
I tried in my organization but it is not working.
i ran below command but i have not get any output of it and the same is happen with ECP console. i received the report but nothing is there.
interesting thing is that it is not giving me any error while excecuting the command.
Search-MailboxAuditLog -Identity test -LogonTypes Owner -StartDate 02/26/2013 -ShowDetails
we have exchange 2010 Sp2 Buil 247.5 (RU 2706690)
anyone please let me know what could be issue.
Hi Can I please get the command on how to audit the mailbox owner?
[PS] C:Windowssystem32>Set-Mailbox records -AuditEnabled $true
That doesn’t log the owner of course, what is the switch to log what the owner does?
Thanks
The -AuditOwner switch can be used for that. Valid values listed here:
http://technet.microsoft.com/en-us/library/bb123981.aspx
Hi Paul,
My result as the follows:
Time: 12/6/2012 2:08 AM
Performed by: EV
Signed in as: Internal user without delegate access
Operation: Open folder
Folder: Sync IssuesServer Failures
Status: Succeeded
Time: 12/6/2012 12:49 AM
Performed by: BlackBerry
Signed in as: Internal user without delegate access
Operation: Open folder
Folder: Recoverable Items
Status: Succeeded
So I didn’t get “performed by certain user”, can you explain to me why get EV and Blackberry, is EV mean Enterprise volt because we have it?
Hi,
It is really helpfull, thank you so much.
And I need audit log for the owner, aldo i used the example below from technet, it didn’t work.
Search-MailboxAuditLog -Identity kwok -LogonTypes Owner -ShowDetails -StartDate 1/1/2012 -EndDate 3/1/2012 | Where-Object {$_.Operation -eq “HardDelete”}
The error is,
A valid LogonType must be specified when ShowDetails is set to false. Valid Logon Types when ShowDetails is false are:
Admin,Delegate
Could you please help me to find what is wrong?
Thank you…
Hi
Thanks for all. I want to check something else. I can run Exchange ECP report:
Export mailbox audit logs…
Search for and export information about non-owner access to a mailbox during a specific time period. Learn more…
I want to make a filter and to run the same report with specific users excluded? How do I do that? Perhaps with cmdlet?
Thanks
For example I can do this and I want to see all non-owner accesses:
New-MailboxAuditLogSearch “Delegates” -Mailboxes “X Y” -LogonTypes Delegate -StartDate 01/01/2012 -EndDate 09/21/2012 -StatusMailRecipients “x@x.com”
However, this return too many results. How can I get them all? Or eventually add few exceptions? for example I have blackberry service which is active and the bb account is audited and it creates alot of entries.
Thanks!
Hi,
I am facing problems with Audit reports some of the users, some of them are showing audit report but many users are just blank in ECP/shell. I have checked the audit attributes and all of them have the same attributes.
any ideas?
Thanks
Are you expecting to see auditable events in the results? If nothing has happened to generate any audit logs I imagine you would see blank results.
Its showing only the users, that got their accounts accessed by service account or other non-owners. I don’t see all the user so I assume that audit log is showing account cause of breach. Some of them are showing details and some of them are just blank when I select them 🙂
Thanks.
Hi,
can you help to find location of log entries?
In the mailbox itself in hidden folder.
Jan
Hi Paul,
When running the Search-MailboxAuditLog command I noticed that the ItemSubject is not populated on delete operations for messages. Is there a way to determine what the subject of the delete message was? The only information provided is the SourceItems id (which i assume is the message id).
I’m running the command against the owner’s mailbox with AuditOwner enabled for Update, Move, MoveToDeletedItems, SoftDelete and HardDelete.
Thanks.
Sorry I should clarify, i’m running the Search-MailboxAuditLog -ShowDetails command.
I just ran into this myself. The blank “ItemSubject” is a known issue. See http://social.technet.microsoft.com/forums/en-US/exchangesvradminlegacy/thread/ea59ce81-d216-4453-95d4-25c69e3a9330.
Thanks for this! How would you recommend going about setting this up if we want to audit all mailboxes? It seems kind of silly to pick and choose, how are we supposed to know where there will some day be an issue with someone deleting an e-mail they shouldn’t. Seems like this is a pretty big oversight to only allow setting auditing at the mailbox level. I’ve noticed that trend a lot in Exchange 2010 though. In 2003 it seemed everything was able to be set at a datastore or server level.
Thanks!
Brian
Hi Paul,
Fantastic article.
I have a catchall mailbox here that I would like to see who is accessing it and if they are reading e-mails in the catchall. (I understand that I can see who has access to it via the console or shell but I also want to see when / why they are accessing it) I have enabled auditing as per your instructions and see that the following is on by default.
[PS] C:Windowssystem32>get-mailbox Catchall | fl *audit*
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner : {}
Can I add a parameter so I can see when a user is reading mails in the catchall?
Hi Paul,
I have the same issue with Dennis here, after turn on user audit, I could not find any log. Are there any steps that we have to do with Mailbox server in “Manage Diagnostic Logging Properties” ?
Thanks in advanced,
Hao
I am sorry, It worked, I got the audit log with the command:
Search-MailboxAuditLog -ShowDetails |FT
Hi,
How can I generate reports for the audit logs and send them to an email address (automatically)?
Is there a way to give to a specific user the possibility to see he’s audit reports in OWA or ECP?
Thank you in advance!
Florin
Hi,
at first thanks for this howto. I configured all by your steps, but i didn’t get any results from the mailbox search. It seems like, the exchange didn’t log anything. But i can see that AuditLog is enabled for the mailbox. I tested some diffrent mailboxes. We use Exchange 2010 SP1.
Maybe a problem of a service or permission?!
Thanks for reply.
Best Regards,
Dennis
hi paul,
would you give direction on how to enable logging to check spam source. my ip is being blacklisted so often and i think it will get to a point i will be out totally..
This is not a function of mailbox audit logging.
Yes it does audit any non-owner access to the mailbox through the CAS, including EWS. BES uses EWS and there are LOTS of non-owner entries generated if you use BES.
Is it also possible to catch external who use OWA on firefox or other non IE browsers?
You would look in the IIS logs for OWA (separate to mailbox audit logging) for that type of information on which browsers people are using.
OKAY Paul, I think what I was asking is whether it is possible (presumably using IP) to track those external users who log onto other people email accounts if they have logged in the email system using the actual victim’s email credentials?
The IP address of the person connecting to OWA will be visible in the IIS logs for OWA (depending on how your firewall is configured, you may need to look at firewall logs instead).
Hi Paul,
Firstly I’m so glad to read your genius and clean articles (great experience I got via your site 🙂 )…etc…etc..
Regarding the auditing I’m trying to get details after I’ve enabled the auditing to a mailbox, but on executing the query below, I’m not getting any resuly at all:
Search-MailboxAuditLog -Identity alias -LogonTypes Delegate -StartDate 2/29/2012 -EndDate 3/1/2012 -ResultSize 1 -ShowDetails
Do I miss some other step?
Thank you in advance!
Prior to setting up exchanges (and using the POP connector) my client used to leave 5 days worth of email on the pop server(fro Outlook settings) so that a manager could review activity.
Any thoughts on implementing this and presenting in an easy to use format?
Greeting !!
Is there any poershell script to audit exchange 2010 sp2 user’s mailboxes , please suggest
I have enabled mailbox audit logging, on one mailbox (test1), according to your guide.
Set-Mailbox test1 -AuditEnabled $true
After that I have given full access permissions to that mailbox to user: test2.
Add-MailboxPermission -Identity test1 -User test2 -AccessRights Fullaccess -InheritanceType all
Using test2 user I have deleted email in test1 mailbox, but when I use ECP or
Search-MailboxAuditLog -StartDate 1/1/2012 -EndDate 2/14/2012 –ShowDetails
I get nothing.
Any sugestions?
Will auditing catch non-owner entries if the account is being accessed by EWS?
Hmmm, I don’t know the answer to that. If there is impersonation being used then I would guess only the impersonating account would show up. But I’m only guessing.
I need to export this log file result in file how i can check this ?
Thanks for the article! I needed this! I’ve been able to turn on the auditing for just one user, as well as turn on auditing for the the mailbox owner for softdelete and harddelete using “set-mailbox -auditowner softdelete, harddelete” (user is having messages that are being harddeleted that they claim they are never seeing so I’m trying to figure out what is harddeleting the messages.
Here is my question, how would I sort the output so that it’s only showing Operation: HardDelete? Anytime I try something like “Search-MailboxAuditLog -Identity -StartDate 12/11/2011 -ShowDetails -Operation HardDelete” I get a “positional paramerer” error.
Hi David,
Try the following: Search-MailboxAuditLog -StartDate “12/11/2011” -ShowDetails | ? {$_.Operation -match “delete”}
Also, do you see anything for the Owner?
Regards,
Nuno
After 6 months of working on this I finally figured out that the user had set junk mail rules that automatically deleted messages. So the logs were saying she deleted them but she was saying that she didn’t. I love it when users go dinking with settings they don’t really understand. So, how would I turn off the auditing for this user now that I don’t need them audited anymore?
Thank you Paul. Well written doc. Very helpful! 🙂
I would like to see more example though, sometimes, when you have the time, for example, it took another 10min or so to find out how to construct this:
Set-Mailbox username -AuditEnabled $true -AuditLogAgeLimit 360.00:00:00 -Confirm
Anyway, as it is, it is very helpful.
I have question: There is a feature, on the server, which is available to admin, to set forwarding of emails from one mailbox to another. This: “Forward to Select this check box, and then click Browse to open the Select Recipient dialog box. Use this dialog box to select a recipient to whom you want to forward all e-mail messages that are sent to this mailbox. ”
My question is: Lets assume auditing is not enabled, is there an option to check and audit all the mailboxes for this setting? I guess, I have to go and check the configuration for each mailbox separately and manually?
Thank you
Hi Gonzalez,
This new feature does not audit that type of configuration (note that the e-mail is forwarded before reaching the mailbox).
For that, all you have to do is run a cmdlet similar to:
Get-Mailbox -ResultSize Unlimited -Filter {DeliverToMailboxAndForward -eq $True} | Select SamAccountName, ForwardingAddress, ForwardingSmtpAddress
Hope this helps!
We have exchange 2010 and I cannot run these power shell commands. when i run the get mailbox i just get a return to the ps prompt. when I run the set mailbox i get this error:
A positional parameter cannot be found that accepts argument ‘-AuditEnabled:’.
+ CategoryInfo : InvalidArgument: (:) [Set-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Set-Mailbox
Also my ecp does not have the auditing tab ? what am i missing ? Do i need to install something extra ?
thanks for your help good article.
Hi Grant, are you running Exchange 2010 RTM or SP1?
I guess i have rtm ? would that be the case i am running rollup 5 ?
thansk
That sounds like RTM to me yeah.
Hi Paul
I have same problem with running these shell command in SP, anyway I have another question:
With Audit feature Is it possible to know who has send a delivery report query on a specific audit-Enabled Mailbox ?
e.g. I wanna know who checked delivery report “Search for delivery information about messages sent to or from a specific person” on my mailbox .
As we know in Delivery Report log we will see all the mail subjects which send / receive to users so it is very critical and I need to monitor it.
Any idea is appreciated
Hello while attempting to enter the Set-Mailbox Alan.Reid -AuditEnabled $true command, I get an error Positional Parameters Not Found. Any Idea why I get that error.
Thanks
Try using -identity when you’re specifying the mailbox name. And try it first with Get-Mailbox to make sure you’re entering a valid mailbox name.
Thanks,
I will try that.