View Admin Audit Logs in Exchange 2016

In an organization there can be several Exchange admins making changes to the Exchange servers, and at some point you will want to know who changed what, and when. Instead of just asking them, you can audit the changes. The administrator audit logging feature was introduced in Exchange 2010. It records the cmdlets administrators run, whether from the Exchange Management Shell (EMS) or from the Exchange Admin Center (EAC), since the EAC runs the same cmdlets behind the scenes, and each entry records whether the cmdlet succeeded. In Exchange 2016, administrator audit logging is enabled by default. In this post I will show the steps to view admin audit logs in Exchange 2016.

View Admin Audit Logs in Exchange 2016

Admin audit logs are stored in a hidden arbitration mailbox, not in a file on disk, so you cannot read them with a text editor. They can only be accessed through the Exchange Admin Center or the Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets. To view, enable or disable the admin audit log configuration you have to use the Exchange Management Shell (EMS). To view the current settings, use the Get-AdminAuditLogConfig cmdlet as shown below.

[PS] C:\Windows\system32>Get-AdminAuditLogConfig | fl *log*

AdminAuditLogEnabled            : True
LogLevel                        : None
TestCmdletLoggingEnabled        : False
AdminAuditLogCmdlets            : {*}
AdminAuditLogParameters         : {*}
AdminAuditLogExcludedCmdlets    : {}
AdminAuditLogAgeLimit           : 90.00:00:00
UnifiedAuditLogIngestionEnabled : False

As you can see above, AdminAuditLogEnabled is True, which means admin audit logging is on. LogLevel is None; set it to Verbose to also record the properties that were changed and their old and new values. TestCmdletLoggingEnabled is False, which means Test-* cmdlets are not logged; set it to True if you want them recorded. AdminAuditLogCmdlets is *, which means every cmdlet is logged except Get-*, Search-* and (unless enabled above) Test-*. You can narrow this to particular cmdlets, but every cmdlet you leave out is a blind spot. AdminAuditLogParameters is also *, which means every parameter of every logged cmdlet is recorded. AdminAuditLogExcludedCmdlets is empty; cmdlets added here are dropped from the log, so an empty list is what you want to see when you review the configuration. AdminAuditLogAgeLimit defines how long entries are kept, 90 days by default; the value is a timespan in dd.hh:mm:ss form (days, hours, minutes and seconds), so 365.00:00:00 keeps entries for a year. UnifiedAuditLogIngestionEnabled relates to the Office 365 unified audit log and can be left as is on-premises. Note that because Get-* and Search-* cmdlets are never logged, reading data (including reading this audit log) leaves no trace here.

By default an entry records the cmdlet name, the parameters and values passed to it, the user who ran it, when it was run, the server it ran on and the object that was modified. It does not record which properties of that object changed or what their values were before and after. To capture that, raise the log level to Verbose with the following cmdlet.

[PS] C:\Windows\system32>Set-AdminAuditLogConfig -LogLevel Verbose
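The following is an added example, not code from the original post. It goes a step beyond the single Set-AdminAuditLogConfig call above: it tightens the defaults shown in the Get-AdminAuditLogConfig output and then re-reads the configuration to check that nothing has narrowed what gets audited, which is what you would want to run periodically because an intruder with admin rights can turn auditing down as easily as you turned it up. The 365-day age limit is an assumption; use whatever your retention policy requires.

```powershell
# Added example (not from the original post): harden the admin audit log
# settings and verify they have not drifted. 365 days is an assumed value.
Set-AdminAuditLogConfig -LogLevel Verbose `
                        -TestCmdletLoggingEnabled $true `
                        -AdminAuditLogAgeLimit 365.00:00:00   # dd.hh:mm:ss

$cfg = Get-AdminAuditLogConfig
$problems = @()

if (-not $cfg.AdminAuditLogEnabled) {
    $problems += 'admin audit logging is disabled'
}
if ($cfg.LogLevel -ne 'Verbose') {
    $problems += 'LogLevel is not Verbose, so ModifiedProperties will stay empty'
}
# Both scope properties are multi-valued; anything other than '*' is a blind spot.
if ($cfg.AdminAuditLogCmdlets -notcontains '*') {
    $problems += "cmdlet scope narrowed to: $($cfg.AdminAuditLogCmdlets -join ', ')"
}
if ($cfg.AdminAuditLogParameters -notcontains '*') {
    $problems += "parameter scope narrowed to: $($cfg.AdminAuditLogParameters -join ', ')"
}
if ($cfg.AdminAuditLogExcludedCmdlets.Count -gt 0) {
    $problems += "excluded cmdlets: $($cfg.AdminAuditLogExcludedCmdlets -join ', ')"
}
# AdminAuditLogAgeLimit prints as dd.hh:mm:ss, which TimeSpan.Parse understands.
$ageDays = [TimeSpan]::Parse($cfg.AdminAuditLogAgeLimit.ToString()).TotalDays
if ($ageDays -lt 365) {
    $problems += "age limit is only $ageDays days"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    'Admin audit log configuration looks healthy.'
}
```

Run this from an EMS session with the Organization Management role. Changes to the audit configuration are themselves written to the audit log, so a warning from this check can be followed up with a search for Set-AdminAuditLogConfig entries to see who made the change.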

You can use either the EAC or EMS to view admin audit logs. In the EAC, go to compliance management and select the auditing tab.

[Screenshot: EAC, compliance management, auditing tab]

Click Run the admin audit log report to view the changes made by administrators. You can also export the log by clicking Export the admin audit log, which emails the entries as an XML file to the recipient you specify (the same mechanism as the New-AdminAuditLogSearch cmdlet described later in this post).

[Screenshot: admin audit log report in the EAC]

The report is shown above. The most recent change was a transport rule being enabled by Administrator. Details appear on the right: the date, the user, the object modified, the cmdlet used and the parameters passed. You can also query the logs from EMS with the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlet.

Search-AdminAuditLog searches the log for the criteria you specify (cmdlet names, parameters, user, object, date range) and returns the matching entries directly to the console, as shown below. It returns at most 1000 entries unless you raise ResultSize. In the output, CmdletParameters lists the parameters passed on the command line, while ModifiedProperties (the old and new property values) is only populated for entries written while LogLevel was Verbose, which is why it is empty here.

[PS] C:\Windows\system32>Search-AdminAuditLog -Cmdlets New-SendConnector -StartDate 10/07/2015 -EndDate 11/1/2015

RunspaceId         : 16c0aee7-f7bc-4e34-95ca-f0997ff032da
ObjectModified     : Send Connector
CmdletName         : New-SendConnector
CmdletParameters   : {Name, Usage, DNSRoutingEnabled, UseExternalDNSServersEnabled, AddressSpaces, IsScopedConnector, SourceTransportServers}
ModifiedProperties : {}
Caller             :
ExternalAccess     : False
Succeeded          : True
Error              :
RunDate            : 10/31/2015 7:38:18 AM
OriginatingServer  : MBG-EX01 (15.01.0225.037)
IsValid            : True
ObjectState        : New
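The search above looks for one cmdlet by name. The following is an added example, not code from the original post, showing how a reviewer would actually use Search-AdminAuditLog: sweep the last 30 days for the kinds of change that grant access, create persistence or tamper with auditing itself, flatten the CmdletParameters and ModifiedProperties collections into readable strings, and write the result to a CSV. The list of cmdlets, the 30-day window and the output path are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): sweep the admin audit log for
# high-risk changes and flatten the entries into a CSV for review.
# The cmdlet list, the 30-day window and the output path are assumptions.
$End   = Get-Date
$Start = $End.AddDays(-30)

# Cmdlets that grant access, create persistence, or tamper with auditing itself.
$RiskyCmdlets = @(
    'Add-MailboxPermission', 'Add-ADPermission',
    'Add-RoleGroupMember', 'New-RoleGroup', 'New-ManagementRoleAssignment',
    'New-TransportRule', 'Set-TransportRule',
    'New-ReceiveConnector', 'Set-ReceiveConnector',
    'Set-AdminAuditLogConfig'
)

$entries = @()
$entries += Search-AdminAuditLog -Cmdlets $RiskyCmdlets `
    -StartDate $Start -EndDate $End -ResultSize 5000

# Set-Mailbox runs constantly, so only pull the runs that touched forwarding.
$entries += Search-AdminAuditLog -Cmdlets Set-Mailbox `
    -Parameters ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward `
    -StartDate $Start -EndDate $End -ResultSize 5000

$report = $entries | Where-Object { $_ } | Sort-Object RunDate -Descending | ForEach-Object {
    [pscustomobject]@{
        RunDate        = $_.RunDate
        Caller         = $_.Caller
        Cmdlet         = $_.CmdletName
        Object         = $_.ObjectModified
        # Parameter names and the values passed on the command line.
        Parameters     = ($_.CmdletParameters |
                          ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        # Old -> new values; only populated for entries written with LogLevel Verbose.
        Changed        = ($_.ModifiedProperties |
                          ForEach-Object { "$($_.Name): '$($_.OldValue)' -> '$($_.NewValue)'" }) -join '; '
        ExternalAccess = $_.ExternalAccess
        Succeeded      = $_.Succeeded
        Error          = $_.Error
        Server         = $_.OriginatingServer
    }
}

$report | Export-Csv -Path .\AdminAuditReview.csv -NoTypeInformation -Encoding UTF8

# Two things that deserve a look the same day: anyone touching the audit
# configuration, and cmdlets run from outside the organization.
$report | Where-Object { $_.Cmdlet -eq 'Set-AdminAuditLogConfig' -or $_.ExternalAccess -eq $true } |
    Format-Table RunDate, Caller, Cmdlet, Object, Parameters -AutoSize
```

The Parameters parameter of Search-AdminAuditLog only works together with Cmdlets, which is why Set-Mailbox is searched separately from the list of risky cmdlets. Remember that the log only goes back as far as AdminAuditLogAgeLimit, so a sweep window longer than the age limit silently returns nothing for the older part of the range.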

New-AdminAuditLogSearch accepts the same search criteria as Search-AdminAuditLog, but instead of returning entries to the console it runs the search in the background and emails the results as an XML attachment to the addresses given in the StatusMailRecipients parameter, which is mandatory (the address has been left out of the example below). This is the cmdlet to use when the result set is large or when the report has to go to someone without shell access.

[PS] C:\Windows\system32>New-AdminAuditLogSearch -Name "Mailbox Changes" -Cmdlets Set-Mailbox -StartDate 10/07/2015 -EndDate 11/01/2015 -StatusMailRecipients

RunspaceId           : 16c0aee7-f7bc-4e34-95ca-f0997ff032da
Cmdlets              : {Set-Mailbox}
Parameters           : {}
ObjectIds            : {}
UserIds              : {}
Name                 : Mailbox Changes
StartDateUtc         : 10/7/2015 7:00:00 AM
EndDateUtc           : 11/1/2015 7:00:00 AM
StatusMailRecipients : {}
CreatedBy            :
ExternalAccess       :
QueryComplexity      : 0
Identity             : 64df03f1-546e-4d68-9eec-a6632c9d3ccf
IsValid              : True
ObjectState          : New

In this way you can view admin audit logs in Exchange 2016. Because an administrator with enough rights can also change or narrow the audit configuration, make a habit of checking Get-AdminAuditLogConfig and searching for Set-AdminAuditLogConfig entries as part of any review.

Bipin Giri is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. Some of his certifications are MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.