Home » Exchange Server » Get-MailboxAuditLoggingReport.ps1 – PowerShell Script to Generate a Report of Mailbox Audit Log Entries

Get-MailboxAuditLoggingReport.ps1 – PowerShell Script to Generate a Report of Mailbox Audit Log Entries

In Exchange Server environments where mailbox audit logging is used there may be a need to regularly generate reports of mailbox audit log data. I've written a PowerShell script, Get-MailboxAuditLoggingReport.ps1 to perform this task.

Although mailbox audit log reports can be created in the Exchange Admin Center the interface is not as fast to use as PowerShell, and it can't be scheduled to run automatically for regular reports like a script can.

This script will generate a report of the mailbox audit log entries for a specified mailbox, for a period of time (the last 24 hours by default), and save the full results to CSV as well as a summary of the data to a HTML file. The script can also be used to send the results via email with the CSV data attached.

mailbox-audit-log-report-example

This script is available on the TechNet Script Gallery and Github. Comments are welcome below. If you find a bug please consider raising it as an issue on Github.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server

35 comments

  1. Rocky says:

    I confirmed “AuditEnabled” is set to “True” on all my mailboxes in my Exchange 2013 Organization but when I run the script, it states that there is “No audit log entries found”.

    .Get-MailboxAuditLoggingReport.ps1 -Mailbox testuser -Hours 48 -SendEmail -MailFrom ExchangeAuditReport@crabel.com -MailTo testuser@crabel.com -MailServer mail

    I ran this on my Win8.1 box that has the Exchange 2013 management tools. I then tried to run the script on a CAS box and same result:

    Searching testuser for last 48 hours.
    No audit log entries found.
    Finished.

    Why wouldn’t there be any log entries found????

    • Markus says:

      Paul – I’m seeing the same results (no audit log entries found). We have the settings in place for Admin, Delegate, and Owner auditing.

      • pradeep sharma says:

        Markus i am also facing same issue. what you have done to fix this issue ? while running this PS file i am getting error message “File skipped because it was already present from “Microsoft.PowerShell”.” and then after command is getting finished with result “No audit log entries found.
        Finished.”

        • Sid says:

          To all that keep seeing “No audit log entries found”:

          I too had the same issue. The script by default only checks for the LogonTypes of “Delegate”. In my case there was no activity done by a delegate and that’s why it kept showing up with “No audit log entries found”.

          So all you need to do is change the -LogonTypes parameter to “Owner” or “Admin”, whoever you are trying to audit. In my case it was Owner. This should be done in line 139 of the script:

          $auditlogentries = Search-MailboxAuditLog -Identity $identity -LogonTypes Owner -StartDate (Get-Date) .AddHours (-$hours) -ShowDetails

  2. MS says:

    Is there any specific reason why we are loading Microsoft.Exchange.Management.PowerShell.E2010 PSSnapin in Exchange 2010 environment? I remember reading article on blogs.technet.com about that not being needed.

    Thanks.

  3. Buch says:

    Could you please add to script possibility to find audit log information for list of mailboxes and for all mailboxes, that have audit enabled, for example like that:
    Get-Mailbox -ResultSize unlimited | where {($_.AuditEnabled -eq $true)}

  4. Nino Iaccarino says:

    I am also not having much luck and I’m not sure what I am doing wrong ? I have enabled auditing on my account just to see some results, but I don’t get any. I should have at least something logged ? This is what my account looks like.

    AuditEnabled : True
    AuditLogAgeLimit : 90.00:00:00
    AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
    AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
    AuditOwner : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create}

    I ran the command without specifying a user, and I do get something output to the auditlogentries.html
    and the output does have some details about a particular user.

    Mailbox

    Mailbox UPN

    Timestamp

    Accessed By

    Operation

    Result

    Folder

    Subject Lines

    info ’emailaddress’ 11/05/2015 11:16:02 AM First Name Last Name SoftDelete Succeeded Inbox

    I then run the command against her, and then I get:

    [PS] C:scripts>.Get-MailboxAuditLoggingReport.ps1 -Mailbox ‘username’ -Hours 200
    Searching ‘username’ for last 200 hours.
    No audit log entries found.
    Finished.

    So, it looks as though Exchange is logging correctly (as auditing is enabled) but the command isn’t outputting the info :/

    Help !!

    • Specifying a mailbox is required, that switch should be mandatory. I’ll fix that in the script.

      Other than that, you’ve obfuscated too much for me to even begin to grasp what you’re seeing. The script only does the hard work of a normal audit log search, so you should go do some manual searches via PowerShell or the Exchange Admin Center to compare results.

  5. Nino Iaccarino says:

    Hi, sorry about that.

    Basically, if I run the command and specify a user I know definitely has audit entries, no results are returned.

    When I ran it without specifying a user, I could see in the exported csv the same user but with the entries I was expecting.

    It seems when I specify a user in the command, it returns 0 results even if there are results.

  6. Lubos says:

    Hello,

    Can you help me. I need to find out who created the mailbox on Exchange Server 2010. What is the appropriate command shell in power. Thanks for the help.

  7. Akshay says:

    HELLLLLLLLLLO PAUL

    FIRTS OF ALLL YOUR BLOGS ARE SAVIORS MANY TIMES WHEN M CLUE LESS; THANK YOU VERY MUCH FOR ALL YOUR WORK THAT YOU SHARE WITH US

    QUESTION:-
    i am trying to list all mailboxes which are on exchange 2013 i have a mix environment with 2007 … m sorry if m asking something very basic but m not able to figure out since i only know that they will have a different admin display version

    • On the 2013 server if you run Get-MailboxDatabase it should only return Exchange 2013 databases, So you can pipe that into Get-Mailbox to see just the Exchange 2013 mailboxes.

      Eg, Get-MailboxDatabase | Get-Mailbox

  8. Mario says:

    Hello Paul,
    I want to run this Script on Exchange 2010.

    Is this Script only for Exchange 2013.

    The erreo Message is:
    Der Operator “<" will be not yet supported

    Thanks for help.

  9. Hisham Mezher says:

    Good Day Paul,

    I first want to thank you for all the information and scripts you provide, love your work.

    regarding the Get-MailboxAuditLoggingReport.ps1 i want to know how can I schedule this to run for like 20 shared mailboxes each to be sent to the mailbox owner.

    Let us know please,

    Thanks a lot for your feedback.

    Regards;
    Hisham

  10. Eissa says:

    Hi Paul,

    Is there a way to exclude some logs,
    For example, if the mailbox accessed by specific user do not include it in the report.
    Am asking for that because we have a specific account which use for mailboxes archiving and in need to exclude this account form appearing in the logs.

  11. Paul says:

    Hi Paul,

    Great work, love the site it is massively useful. Can I run the audit script across all mailboxes or do you have specify a mailbox?

    Thanks,
    Paul.

  12. kjstech says:

    I’d like to put this in task scheduler to email a daily report to key IT and CIO users for auditing purposes. However I cannot get the email function to work. I can get it to generate the html and csv file on the C: drive of the Exchange server, but when I specify -SendEmail, -MailFrom, -MailTo and -MailServer switches, I get this error.

    Send-MailMessage : Service not available, closing transmission channel. The server response was: 4.3.2 Service not
    available
    At C:scriptsGet-MailboxAuditLoggingReport.ps1:199 char:6
    + Send-MailMessage @smtpsettings -Body $htmlreport -BodyAsHtml -Encoding ([Sy …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpExcept
    ion
    + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage

  13. kjstech says:

    Hmm, well if I specify the email server’s IP address it works. Problem solved. I was specifying the FQDN and when that didn’t work, just the server’s name.

    Now, can we make a simular powershell command that will output administrative auditing to an html / csv, that could be emailed? The users thing is great, but we don’t want to have to click compliance management > auditing > run the admin audit log report… every day.

    Thanks!

  14. Suzanne Bejsovec says:

    We enabled Owner audit for all actions. To get that to show in the reports I had to remove the ‘-LogonTypes Delegate’ from this line in your script:

    $auditlogentries = Search-MailboxAuditLog -Identity $identity -LogonTypes Delegate -StartDate (Get-Date).AddHours(-$hours) -ShowDetails

  15. Wilbert says:

    Is it possible to add the date of affected appointment?
    We have a lot of appointments with the same subject. Therefore it would be nice to know the date (and if possible start time) of the appointment that is changed.

  16. Simon says:

    Hello, i use your script to check the access to a mailbox from a “delegate”
    First i use this command:
    Set-Mailbox -Identity “HD Settimo” -AuditDelegate Folderbind -AuditEnabled $true
    Then i run your script
    D:scriptGet-MailboxAuditLoggingReport.ps1 -mailbox “HD Settimo”
    The script run Well , but the result is not corret
    For example, i access with my user to a “help desk mailbox” (i have full access), but the result in AuditLogEntries.html is not correct

    I access at 18:34 but in the file the time recorded is 18:12.
    If i access again, and re.run the script the time remain 18:12

    Thanx for your help, best regards

    Simone

  17. Rob says:

    Hi Paul, any chance you have the same for Admin Audit logs?
    Would be very handy to schedule both of these weeklymonthly.
    Thanks

  18. Richard says:

    Hi l have ran this before with no issues but now l receive the error below. I do not think i have ran this since updating to CU12. Anyone else come across this?

    Search-MailboxAuditLog : The Exchange Web Service endpoint for LegacyDn: /o=******** Exchange Organization/ou=Exchange
    Administrative Group (*************)/cn=Recipients/cn=4b622569157f4dac90322e6a92e, RecipientType: UserMailbox,
    RecipientTypeDetails: RoomMailbox, Selected Mailbox: Display Name: ******************, Mailbox Guid:
    7d1ebae6-35c7-4450-a5d3-916120726501, Database: 18b0b34b-70e0-4b11-907f-5436aaf41fa3, Location: ServerFqdn:
    ********.*********.***, ServerVersion: 1941996698, DatabaseName: ****************,
    HomePublicFolderDatabaseGuid: 00000000-0000-0000-0000-000000000000 could not be found.
    At C:Program FilesMicrosoftExchange ServerV15scriptsGet-MailboxAuditLoggingReport.ps1:139 char:20
    + $auditlogentries = Search-MailboxAuditLog -Identity $identity -LogonTypes Delega …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Search-MailboxAuditLog], FailedToFindEwsEndpointException
    + FullyQualifiedErrorId : [Server=************,RequestId=adde4884-a7e6-4561-ad6f-d22502055aea,TimeStamp=05/09/20
    16 10:51:50] [FailureCategory=Cmdlet-FailedToFindEwsEndpointException] 56002926,Microsoft.Exchange.Management.Syst
    emConfigurationTasks.SearchMailboxAuditLog

  19. Tariq says:

    Hi

    can you plz verify the smtp setting, its with $ or without $ coz with dollor its giving errors.

    $smtpsettings = @{
    To = $MailTo
    From = $MailFrom
    Subject = $reportemailsubject
    SmtpServer = $MailServer
    }

Leave a Reply

Your email address will not be published. Required fields are marked *