Administrator audit logging is a new feature in Exchange Server 2010 that allows you to record details about cmdlet usage in your environment. The log entries are sent to an audit mailbox that you specify, and provide details about which cmdlet was run, the parameters that were used, the object and properties modified, the success or failure of the command, and more. Since all of Exchange 2010's GUI management tools are built on top of PowerShell, these can also be audited. You can use administrator audit logging to audit PowerShell commands executed by the following Exchange tools:
- Exchange Management Shell
- Exchange Management Console
- Exchange Control Panel
Administrator audit logging audits all cmdlets, except for Get-* cmdlets. The idea behind this is to audit cmdlets that are making changes, and not to audit cmdlets that are being used to view information.
Configuring Cmdlets and Parameters to be Audited
Administrator audit logging, by default, will audit all cmdlets (except Get-* cmdlets) and all parameters. You can override this by using the Set-AdminAuditLogConfig cmdlet to specify which cmdlets and/or parameters you want to log.
This command uses the Set-AdminAuditLogConfig cmdlet to audit the Set-Mailbox cmdlet and all of its parameters:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets Set-Mailbox -AdminAuditLogParameters *

If you only want to audit specific parameters, you can run Set-AdminAuditLogConfig and specify them using the AdminAuditLogParameters parameter. For example, this command would configure auditing for the Set-Mailbox cmdlet and the MaxSendSize parameter:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets Set-Mailbox -AdminAuditLogParameters MaxSendSize

You can specify multiple cmdlet names and parameters. For example, we can audit all mailbox and server related cmdlets and all of their parameters using the following command:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *mailbox*,*server* -AdminAuditLogParameters *
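
Narrowing the cmdlet or parameter patterns also narrows what leaves a log entry, so it is worth checking which changes fall outside the scope you configured. The PowerShell below is an added example, not part of the original post: Test-CmdletAudited is a hypothetical helper and the config object is constructed. It assumes the Get-AdminAuditLogConfig output exposes properties named like the Set-AdminAuditLogConfig parameters, and that an entry is written when the cmdlet name and at least one supplied parameter match.

```powershell
# Added example: a simplified model of the audit scope rules described above.
# Test-CmdletAudited is a hypothetical helper, not an Exchange cmdlet.
function Test-CmdletAudited {
    param(
        [Parameter(Mandatory = $true)] $Config,          # object with the AdminAuditLog* properties
        [Parameter(Mandatory = $true)] [string] $Cmdlet, # cmdlet name to evaluate
        [string[]] $Parameter = @()                      # parameters supplied on that command line
    )
    if (-not $Config.AdminAuditLogEnabled) { return $false }   # logging is switched off
    if ($Cmdlet -like 'Get-*')             { return $false }   # view-only cmdlets are never audited

    # The cmdlet name must match at least one configured wildcard pattern.
    $cmdletMatch = @($Config.AdminAuditLogCmdlets | Where-Object { $Cmdlet -like $_ }).Count -gt 0
    if (-not $cmdletMatch) { return $false }

    # Assumption: at least one supplied parameter must match a configured pattern.
    foreach ($p in $Parameter) {
        foreach ($pattern in $Config.AdminAuditLogParameters) {
            if ($p -like $pattern) { return $true }
        }
    }
    return $false
}

# Constructed config mirroring the *mailbox*,*server* example above. On a real
# server, pass the output of Get-AdminAuditLogConfig instead.
$config = New-Object PSObject -Property @{
    AdminAuditLogEnabled    = $true
    AdminAuditLogCmdlets    = @('*mailbox*', '*server*')
    AdminAuditLogParameters = @('*')
}

# Constructed list of administrative changes to test against that scope.
$checks = @(
    @{ Cmdlet = 'Set-Mailbox';         Parameter = @('MaxSendSize') },
    @{ Cmdlet = 'Get-Mailbox';         Parameter = @('Identity') },
    @{ Cmdlet = 'Set-ExchangeServer';  Parameter = @('ErrorReportingEnabled') },
    @{ Cmdlet = 'New-TransportRule';   Parameter = @('Name') },
    @{ Cmdlet = 'Add-RoleGroupMember'; Parameter = @('Member') }
)
foreach ($c in $checks) {
    $audited = Test-CmdletAudited -Config $config -Cmdlet $c.Cmdlet -Parameter $c.Parameter
    '{0,-22} audited: {1}' -f $c.Cmdlet, $audited
}
```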

Configuring an Audit Mailbox
Use the Set-AdminAuditLogConfig cmdlet to configure the audit mailbox. All of the logs will be sent to this mailbox and it must exist within your Exchange organization. In this example, we use the following command to set the audit mailbox to auditmailbox@exchangelab.com:
Set-AdminAuditLogConfig -AdminAuditLogMailbox auditmailbox@exchangelab.com

Enabling Administrator Audit Logging
To enable logging, use the Set-AdminAuditLogConfig cmdlet and set the AdminAuditLogEnabled parameter to true:
Set-AdminAuditLogConfig -AdminAuditLogEnabled:$true

Verifying the Configuration
Once administrator audit logging is configured and enabled, we can run a test command and view the log in the audit mailbox. I am currently auditing all *mailbox* cmdlets, so I'll use the Set-Mailbox cmdlet to test audit logging by setting the MaxSendSize to 5 MB for the Administrator mailbox:
Set-Mailbox Administrator -MaxSendSize 5mb

The mailbox has been modified, so we can now open the audit mailbox and view the log:

As you can see from the above screenshot, we have all the details of the command logged – the cmdlet name, object, parameter, property, caller, success, error and run date. You can view your audit logging settings at any time using the Get-AdminAuditLogConfig cmdlet.
That's all there is to setting up administrator audit logging. As you can see, this is a pretty straightforward process. That's all for now, until next time.





{ 4 comments… read them below or add one }
Hello, Mike. Should I enable audit on each exch server or enabling on one will audit all servers in organization? Thanks!
You just need to run it once, it's an organization-wide setting. You may find that it is already enabled (if you deployed 2010 SP1 from scratch). You can run Get-AdminAuditLogConfig | fl AdminAuditLogEnabled to see this.
If it's set to true, you’re good to go.
Hi
I am getting an error while enabling “set-adminlogconfig -AdminAuditlogmailbox mailbox@owa.com”: cannot process argument transformation on process parameter.
Please suggest.
This has changed with SP1. In Exchange 2010 RTM, you had to specify an audit mailbox when enabling administrator audit logging. The audit mailbox was used to store all of the audit logs and administrators could access this mailbox to review reports. In Exchange 2010 SP1, the audit mailbox is a hidden, dedicated arbitration mailbox that cannot be changed. You can use the Exchange Control Panel (ECP) Auditing Reports page, Search-AdminAuditLog, or New-AdminAuditLogSearch to view audit logs.
http://technet.microsoft.com/en-us/library/dd335052.aspx