In an organization there can be multiple Exchange admins making changes to the Exchange server. At some point you might want to know who made a change and what was changed. Instead of just asking them, you can audit and view the changes made to the Exchange server. The administrator audit logging feature was introduced in Exchange 2010. Admin audit logging records only successful operations or changes. Changes made through both the Exchange Management Shell (EMS) and the Exchange Admin Center (EAC) are logged. In Exchange 2016, administrator audit logging is enabled by default. In this post I will show the steps to view admin audit logs in Exchange 2016.
View Admin Audit Logs in Exchange 2016
Admin audit logs are stored in a hidden arbitration mailbox. They can be accessed only through the Exchange Admin Center or with the New-AdminAuditLogSearch or Search-AdminAuditLog cmdlets. To enable or disable admin audit logging you have to use the Exchange Management Shell (EMS). To view the default settings of admin audit logging, use the Get-AdminAuditLogConfig cmdlet as shown below.
[PS] C:\Windows\system32>Get-AdminAuditLogConfig | fl *log*

AdminAuditLogEnabled            : True
LogLevel                        : None
TestCmdletLoggingEnabled        : False
AdminAuditLogCmdlets            : {*}
AdminAuditLogParameters         : {*}
AdminAuditLogExcludedCmdlets    : {}
AdminAuditLogAgeLimit           : 90.00:00:00
UnifiedAuditLogIngestionEnabled : False
As you can see above, AdminAuditLogEnabled is set to True, which simply means admin audit logging is enabled. LogLevel is set to None; it can be set to Verbose to log more details. TestCmdletLoggingEnabled is set to False, which means Test-* cmdlets will not be logged; set it to True to log Test-* cmdlets executed by administrators. AdminAuditLogCmdlets is set to *, which means all cmdlets will be logged (except Get-* and Search-* cmdlets, of course). You can instead specify the particular cmdlets that you want to log. AdminAuditLogParameters is also set to *, which means all parameters of the logged cmdlets will be recorded. AdminAuditLogExcludedCmdlets is empty; you can add cmdlets here if you don’t want to see them in the logs. AdminAuditLogAgeLimit defines how long the logs are kept, 90 days by default. You can specify the limit in days, hours, minutes and seconds.
By default, Get-* and Search-* cmdlets are not logged. For every other cmdlet, admin audit logging records the cmdlet name, the cmdlet parameters, the user who ran the cmdlet, the time it was run, the server where it was run and the object that was modified. It does not record which properties of the object were modified. To include the object properties in the log you need to enable verbose logging with the following cmdlet.
[PS] C:\Windows\system32>Set-AdminAuditLogConfig -LogLevel Verbose
You can use either the EAC or the EMS to view admin audit logs. In the EAC, go to compliance management and select the auditing tab.
Click the Run the admin audit log report option to view the changes made by administrators. You can also export the logs by clicking the Export the admin audit log option.
The logs are displayed above. The most recent change was a transport rule being enabled by Administrator. You can see the details on the right: the date, the user, the object modified, the cmdlet used and the parameters used. You can also view the logs in the EMS with the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlet.
The Search-AdminAuditLog cmdlet searches the logs based on the parameters specified and displays the output on the same screen, as shown below.
[PS] C:\Windows\system32>Search-AdminAuditLog -Cmdlets New-SendConnector -StartDate 10/07/2015 -EndDate 11/1/2015

RunspaceId         : 16c0aee7-f7bc-4e34-95ca-f0997ff032da
ObjectModified     : Send Connector
CmdletName         : New-SendConnector
CmdletParameters   : {Name, Usage, DNSRoutingEnabled, UseExternalDNSServersEnabled, AddressSpaces, IsScopedConnector, SourceTransportServers}
ModifiedProperties : {}
Caller             : mustbegeek.com/Users/Administrator
ExternalAccess     : False
Succeeded          : True
Error              :
RunDate            : 10/31/2015 7:38:18 AM
OriginatingServer  : MBG-EX01 (15.01.0225.037)
Identity           : AAMkAGJkYjAxZjVjLWFhNDMtNDVlOS05ZjUxLTQ5ZTQyYTM0ZWMyYwBGAAAAAACGW2AzhEUbQZZmIxbo12KYBwDqiSDBjggQR6JDKn/+8L/uAAAAAAEYAADqiSDBjggQR6JDKn/+8L/uAAAJEtIfAAA=
IsValid            : True
ObjectState        : New
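The single-cmdlet search above is the building block; a more useful review job pulls every entry for a set of high-impact cmdlets over a date range, flattens the parameter and ModifiedProperties collections into one row per entry, and exports it for review. The script below is an added example, not code from the original post; the watch list, 30-day window and output path are assumptions you should adjust, and it is meant to be run from the Exchange Management Shell.

```powershell
# Added example: review who ran high-impact Exchange cmdlets in a given window.
# Run from the Exchange Management Shell on Exchange 2016.
# The watch list, date range and output path below are assumptions; adjust them.

$WatchedCmdlets = @(
    'Set-AdminAuditLogConfig',                              # changes to the audit configuration itself
    'New-ManagementRoleAssignment', 'Add-RoleGroupMember',  # privilege grants
    'Add-MailboxPermission', 'Set-Mailbox',                 # mailbox access and settings
    'New-TransportRule', 'Set-TransportRule',               # mail flow changes
    'New-SendConnector', 'Set-SendConnector'
)
$StartDate = (Get-Date).AddDays(-30)
$EndDate   = Get-Date
$OutFile   = 'C:\Temp\AdminAuditReview.csv'   # assumed output path

# Search-AdminAuditLog returns at most 1000 entries unless -ResultSize is raised.
$entries = Search-AdminAuditLog -Cmdlets $WatchedCmdlets -StartDate $StartDate `
               -EndDate $EndDate -ResultSize 5000

$rows = foreach ($e in $entries) {
    # CmdletParameters and ModifiedProperties are collections of Name/Value objects;
    # join them into strings so each audit entry becomes one CSV row.
    $params  = ($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    # ModifiedProperties is only populated when LogLevel is Verbose (see above).
    $changes = ($e.ModifiedProperties |
        ForEach-Object { "$($_.Name): '$($_.OldValue)' -> '$($_.NewValue)'" }) -join '; '

    [pscustomobject]@{
        RunDate            = $e.RunDate
        Caller             = $e.Caller
        Cmdlet             = $e.CmdletName
        ObjectModified     = $e.ObjectModified
        Parameters         = $params
        ModifiedProperties = $changes
        Server             = $e.OriginatingServer
        Succeeded          = $e.Succeeded
        ExternalAccess     = $e.ExternalAccess   # True when run by an account outside your organization
    }
}

$rows | Sort-Object RunDate -Descending | Export-Csv -Path $OutFile -NoTypeInformation

# On-screen summary: which caller ran which watched cmdlet, and how often.
$rows | Group-Object Caller, Cmdlet | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Because Set-AdminAuditLogConfig is on the watch list, the report also surfaces anyone who turned verbose logging off or shortened AdminAuditLogAgeLimit, which is the first thing to check when entries you expect are missing.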
New-AdminAuditLogSearch is similar to the Search-AdminAuditLog cmdlet, but it runs the search in the background and then sends the results as an XML attachment to the recipients specified in the StatusMailRecipients parameter.
[PS] C:\Windows\system32>New-AdminAuditLogSearch -Name "Mailbox Changes" -Cmdlets Set-Mailbox -StartDate 10/07/2015 -EndDate 11/01/2015 -StatusMailRecipients bgiri@mustbegeek.com

RunspaceId           : 16c0aee7-f7bc-4e34-95ca-f0997ff032da
Cmdlets              : {Set-Mailbox}
Parameters           : {}
ObjectIds            : {}
UserIds              : {}
Name                 : Mailbox Changes
StartDateUtc         : 10/7/2015 7:00:00 AM
EndDateUtc           : 11/1/2015 7:00:00 AM
StatusMailRecipients : {bgiri@mustbegeek.com}
CreatedBy            : mustbegeek.com/Users/Administrator
ExternalAccess       :
QueryComplexity      : 0
Identity             : 64df03f1-546e-4d68-9eec-a6632c9d3ccf
IsValid              : True
ObjectState          : New
In this way you can view admin audit logs in Exchange 2016.