MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

How to configure and run Exchange 2016 Audit logging

Let’s look at Exchange 2016 logging…

  • Administrator Audit Logging.
  • Mailbox audit logging.

Administrator Audit Logging

The logging captures data about changes made to your organization by administrators.

The logging track all Exchange Management Shell cmdlets that make changes to the Exchange Server environment. Because all tasks performed in the EAC are translated to Exchange Management Shell cmdlets, all changes are logged, regardless of which tool you use to perform the task.

To enable, disable or configure the administrator audit logging you can use the PowerShell command Set-AdminAuditLogConfig as below:

https://technet.microsoft.com/en-us/library/dd298169(v=exchg.160).aspx

And you can search through the administrative logging about specific action using the PowerShell command New-AdminAuditLogSearch as below:

https://technet.microsoft.com/en-us/library/ff459243(v=exchg.160).aspx

Mailbox audit logging

The logging allows you to log mailbox access by mailbox owners, delegates (including administrators with full mailbox-access permissions), and administrators ( including discovery search, mailbox export and MAPI editor access)

To enable the mailbox auditing you should use the PowerShell command set-mailbox and set the parameter AuditEnabled to $true.


And you can search through the mailbox logging about specific action using the PowerShell command Search-MailboxAuditLog as below:

https://technet.microsoft.com/en-us/library/ff522360(v=exchg.160).aspx

You can also access the different auditing logging through the EAC as below steps:

  • Open EAC > Compliance management > auditing


  • Then you can run the target report as below:


  • Run a non-owner mailbox access report: Search mailbox audit logs for mailboxes that have been opened by someone other than the owner. You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access report for.

    Specify the below points:

    • Start date
    • End date
    • Target mailbox
    • Accessed by which user


  • Export mailbox audit logs: Export entries from mailbox audit logs about non-owner access to user mailboxes. Audit log entries are saved to an XML file that is attached to a message and sent to the specified recipients

    Specify the below points:

    • Start date
    • End date
    • Target mailbox
    • Accessed by which user
    • The recipient mail to send the report


  • Run an administrator role group report: Search the admin audit log for changes made to role groups, which are used to assign administrative permissions to users.

    Specify the below points:

    • Start date
    • End date
    • Role group


  • Run the admin audit log report: View entries from the admin audit log about configuration changes made by administrators in your organization

    Specify the below points:

    • Start date
    • End date


  • Run an In-Place eDiscovery & Hold report: Search the admin audit log for changes made to In-Place eDiscovery searches and In-Place Holds

    Specify the below points:

    • Start date
    • End date


  • Export the admin audit log: Export entries from the admin audit log for any configuration change made to your organization. Audit log entries are saved to an XML file that is attached to a message and sent to the specified recipients

Specify the below points:

  • Start date
  • End date
  • The recipient mail to send the report


  • Run a per-mailbox Litigation Hold report: Search the admin audit log to determine if a Litigation Hold was enabled or disabled for a user’s mailbox

Specify the below points:

  • Start date
  • End date
  • Target mailbox


Ratish Nair

Microsoft MVP | Office Servers and Services

Team @MSExchangeGuru


Leave a Reply

ad

Categories

Archives