MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

How to configure and run Exchange 2016 Audit logging

Let’s look at Exchange 2016 logging…

  • Administrator Audit Logging.
  • Mailbox audit logging.

Administrator Audit Logging

Administrator audit logging captures data about changes made to your organization by administrators.

It tracks all Exchange Management Shell cmdlets that make changes to the Exchange Server environment. Because all tasks performed in the EAC are translated to Exchange Management Shell cmdlets, all changes are logged, regardless of which tool you use to perform the task.

To enable, disable, or configure administrator audit logging, use the PowerShell cmdlet Set-AdminAuditLogConfig, documented here:

https://technet.microsoft.com/en-us/library/dd298169(v=exchg.160).aspx

To search the administrator audit log for a specific action, use the PowerShell cmdlet New-AdminAuditLogSearch, documented here:

https://technet.microsoft.com/en-us/library/ff459243(v=exchg.160).aspx

Mailbox audit logging

Mailbox audit logging lets you log mailbox access by mailbox owners, delegates (including administrators with full mailbox-access permissions), and administrators (including discovery search, mailbox export, and MAPI editor access).

To enable mailbox auditing, use the PowerShell cmdlet Set-Mailbox and set the AuditEnabled parameter to $true.


To search the mailbox audit log for a specific action, use the PowerShell cmdlet Search-MailboxAuditLog, documented here:

https://technet.microsoft.com/en-us/library/ff522360(v=exchg.160).aspx
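The steps above as one Exchange Management Shell session. This is an added example, not code from the original post; the mailbox name and the 7-day window are assumed values, and Get-AdminAuditLogConfig and Search-AdminAuditLog are standard Exchange cmdlets the post does not name (Search-AdminAuditLog returns results in the shell instead of mailing them).

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2016 server.
# Assumed values (not from the post): the mailbox name and the 7-day window.
$TargetMailbox = 'user@example.com'   # placeholder mailbox identity
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date

# 1. Administrator audit logging: enable it and audit every cmdlet and parameter.
if (-not (Get-AdminAuditLogConfig).AdminAuditLogEnabled) {
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets '*' -AdminAuditLogParameters '*'
}

# 2. Mailbox audit logging: enable it on every user mailbox that lacks it.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true

# 3. Show which actions are audited per logon type for the target mailbox.
Get-Mailbox -Identity $TargetMailbox |
    Format-List Name, AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner, AuditLogAgeLimit

# 4. Non-owner access to the target mailbox (administrators and delegates).
$mailboxSearch = @{
    Identity    = $TargetMailbox
    LogonTypes  = 'Admin', 'Delegate'
    StartDate   = $Start
    EndDate     = $End
    ShowDetails = $true
    ResultSize  = 1000
}
Search-MailboxAuditLog @mailboxSearch |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation, FolderPathName, ClientIPAddress

# 5. Who changed the audit settings themselves during the same window.
$adminSearch = @{
    Cmdlets    = 'Set-AdminAuditLogConfig', 'Set-Mailbox'
    Parameters = 'AdminAuditLogEnabled', 'AuditEnabled'
    StartDate  = $Start
    EndDate    = $End
}
Search-AdminAuditLog @adminSearch |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded
```

A hit in step 5 only shows that the parameter was used; inspect the entry's CmdletParameters property to see whether auditing was switched on or off.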

You can also access the audit logs through the EAC using the steps below:

  • Open EAC > Compliance management > auditing


  • Then run the report you need:


  • Run a non-owner mailbox access report: Search mailbox audit logs for mailboxes that have been opened by someone other than the owner. You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access report for.

    Specify the below points:

    • Start date
    • End date
    • Target mailbox
    • Accessed by which user


  • Export mailbox audit logs: Export entries from mailbox audit logs about non-owner access to user mailboxes. Audit log entries are saved to an XML file that is attached to a message and sent to the specified recipients.

    Specify the below points:

    • Start date
    • End date
    • Target mailbox
    • Accessed by which user
    • The recipient mail to send the report


  • Run an administrator role group report: Search the admin audit log for changes made to role groups, which are used to assign administrative permissions to users.

    Specify the below points:

    • Start date
    • End date
    • Role group


  • Run the admin audit log report: View entries from the admin audit log about configuration changes made by administrators in your organization.

    Specify the below points:

    • Start date
    • End date


  • Run an In-Place eDiscovery & Hold report: Search the admin audit log for changes made to In-Place eDiscovery searches and In-Place Holds.

    Specify the below points:

    • Start date
    • End date


  • Export the admin audit log: Export entries from the admin audit log for any configuration change made to your organization. Audit log entries are saved to an XML file that is attached to a message and sent to the specified recipients.

    Specify the below points:

    • Start date
    • End date
    • The recipient mail to send the report


  • Run a per-mailbox Litigation Hold report: Search the admin audit log to determine if a Litigation Hold was enabled or disabled for a user’s mailbox.

    Specify the below points:

    • Start date
    • End date
    • Target mailbox


Ratish Nair

Microsoft MVP | Office Servers and Services

Team @MSExchangeGuru
