What’s New in Administrator Audit Logging in Exchange 2010 SP1 Beta?

by Mike Pfeiffer on July 2, 2010

Administrator audit logging provides new functionality in SP1 beta, including the ability to audit mailboxes and run reports from ECP. Audit logging is enabled by default in new installations of Microsoft Exchange 2010 SP1 beta, so you're up and running right from the start. You can review my previous post on Administrator Audit Logging in Exchange 2010 RTM if you are not already familiar with it. In this post, I'll cover some of the new features of Administrator Audit Logging that are included in this first service pack.

Audit Mailbox Configuration

In Exchange 2010 RTM, you had to specify an audit mailbox when enabling administrator audit logging. The audit mailbox was used to store all of the audit logs, and administrators could access this mailbox to review reports.

In Exchange 2010 SP1 beta, the audit mailbox is a hidden, dedicated arbitration mailbox that cannot be changed. Administrators must use the Exchange Control Panel (ECP) Auditing Reports page or the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlets to view audit logs.

Reviewing Audit Log Entries in the Shell

You can review audit log entries from within EMS using the Search-AdminAuditLog cmdlet. The Search-AdminAuditLog cmdlet provides several parameters that allow you to specify the criteria for a search. For example, let's say you want to view all audit log entries for the Set-Mailbox cmdlet:

Search-AdminAuditLog -Cmdlets Set-Mailbox

From the information returned, you can see which parameters were used with the Set-Mailbox cmdlet, which object was modified, and whether or not the command succeeded.

You can also use the New-AdminAuditLogSearch cmdlet, which searches the audit log just like Search-AdminAuditLog does. Instead of displaying the results of the audit log search in the Shell, the New-AdminAuditLogSearch cmdlet performs the search and then emails the results to a recipient you specify.
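As an added example (not code from the original post), here is how the two cmdlets can be combined to review a week of administrative changes against one mailbox and to queue an emailed report of role assignment changes for the same period. The mailbox ljefferson, the cmdlet lists and the recipient address are assumed values.

```powershell
# Added example (not from the original post): review recent administrator
# changes to one mailbox and mail a report of role assignment changes to the
# security team. 'ljefferson' and the recipient address are assumed values.

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Who ran Set-Mailbox or Add-MailboxPermission against ljefferson this week,
# which parameters did they pass, and which properties actually changed?
Search-AdminAuditLog -Cmdlets Set-Mailbox, Add-MailboxPermission `
    -ObjectIds ljefferson -StartDate $start -EndDate $end |
    Select-Object RunDate, Caller, CmdletName, Succeeded,
        @{n='Parameters'; e={ ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' }},
        @{n='Modified';   e={ ($_.ModifiedProperties | ForEach-Object { $_.Name }) -join ', ' }} |
    Format-Table -AutoSize

# Commands that failed deserve a second look: a run of failed permission
# changes from one caller can mean someone is probing what they are allowed
# to do. Filtering on the Succeeded property avoids depending on a
# search parameter.
Search-AdminAuditLog -StartDate $start -EndDate $end |
    Where-Object { -not $_.Succeeded } |
    Select-Object RunDate, Caller, CmdletName, Error |
    Format-Table -AutoSize

# Role and permission changes are the ones most worth a regular review.
# This queues the search on the server and mails the results when it finishes,
# so nobody has to remember to run it interactively.
New-AdminAuditLogSearch -Name 'Role and permission changes, last 7 days' `
    -StartDate $start -EndDate $end `
    -Cmdlets New-ManagementRoleAssignment, Add-RoleGroupMember, Add-MailboxPermission, Add-ADPermission `
    -StatusMailRecipients 'security-audit@contoso.com'
```

The first search answers "who touched this mailbox"; the second answers "who tried something that was refused", which is often the more interesting question from a security standpoint, since a denied Add-MailboxPermission is still recorded.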

Mailbox Audit Logging

Mailbox audit logging allows you to keep track of administrator, delegate and owner access to a mailbox. Logging is not enabled by default on a per-mailbox basis, so in order to review mailbox audit logs, you'll first need to enable mailbox audit logging. If you have a user named Lee Jefferson, the syntax to enable logging looks like this:

Set-Mailbox ljefferson -AuditEnabled $true

After audit logging is enabled for a mailbox, you can use the Search-MailboxAuditLog cmdlet to view the logs for a particular mailbox. For example, let's say I want to know who deleted any items from ljefferson's mailbox in the last 24 hours. I could run the following command to retrieve the information:

Search-MailboxAuditLog ljefferson -ShowDetails -StartDate 7/1/2010 -EndDate 7/2/2010 | ?{$_.Operation -eq "SoftDelete"} | select LogonUserDisplayName,LogonType,ClientIPAddress,LastAccessed

In the output above, you can see a report of deleted items from ljefferson's mailbox in the last 24 hours. Key pieces of information include the user who deleted the item, their logon type and the client IP address they connected from.
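As an added example (not code from the original post), the following goes a step beyond the single-mailbox command above: it enables auditing for every mailbox in an OU with an explicit set of audited actions and a retention period, checks that no mailbox was missed, and then pulls all non-owner access to one mailbox for the last day. The OU path, the 90-day retention and the mailbox ljefferson are assumed values.

```powershell
# Added example (not from the original post): turn on mailbox audit logging
# for every mailbox in one OU with an explicit set of audited actions, then
# pull non-owner access for the last day. The OU, the retention period and
# the 'ljefferson' mailbox are assumed values.

# Which actions to record for each logon type. Owner actions are noisy, so
# only deletes are kept there; delegates get the full delegate set, and admins
# additionally get Copy and MessageBind (every admin read of an item).
$delegateActions = 'Create','FolderBind','SendAs','SendOnBehalf','SoftDelete','HardDelete',
                   'Update','Move','MoveToDeletedItems'
$adminActions    = $delegateActions + 'Copy','MessageBind'
$ownerActions    = 'SoftDelete','HardDelete','MoveToDeletedItems'

Get-Mailbox -OrganizationalUnit 'contoso.com/Finance' -ResultSize Unlimited |
    Set-Mailbox -AuditEnabled $true `
        -AuditDelegate $delegateActions -AuditAdmin $adminActions -AuditOwner $ownerActions `
        -AuditLogAgeLimit '90.00:00:00'

# Confirm the setting actually took: a mailbox left at the default is a gap
# in coverage, and this should come back empty.
Get-Mailbox -OrganizationalUnit 'contoso.com/Finance' -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object Name, AuditEnabled

# Non-owner access in the last 24 hours: who opened, read, sent from or
# deleted items in ljefferson's mailbox while logged on as someone else,
# from which client and IP address, and which folder and item was involved.
Search-MailboxAuditLog -Identity ljefferson -LogonTypes Admin, Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
        ClientIPAddress, ClientProcessName, FolderPathName, ItemSubject |
    Sort-Object LastAccessed |
    Format-Table -AutoSize
```

Restricting the search to the Admin and Delegate logon types is the usual starting point for a review: it answers "who other than the owner was in this mailbox", and the ClientIPAddress and ClientProcessName columns let you tell a delegate's Outlook from an administrator's Shell session or an unexpected host.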

Manually Writing Entries to the Audit Log

The Write-AdminAuditLog cmdlet allows you to save a custom entry to the audit log. This may be useful when logging the output of custom scripts or for writing entries to the log before and after maintenance. It is also useful for recording your organization's change control information in the audit log, for example:

Write-AdminAuditLog -Comment "Begin Server Patches in Phoenix Office per Change Ticket #443002"

The syntax is simple: just use the Comment parameter to provide the information you want logged. To retrieve the information from the log, you can use the same cmdlets as you would for any other entry. For example, this command displays each custom entry in the log:

Search-AdminAuditLog -Cmdlets Write-AdminAuditLog | select RunDate, @{n="Comment";e={$_.CmdletParameters[0].value}}
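As an added example (not code from the original post), here is one way to put Write-AdminAuditLog to work around a scripted maintenance change: a custom entry is written before the change and another after it, the closing entry is written even if the change throws, and the entries are pulled back afterwards by ticket number. The Invoke-AuditedChange function, the ticket number CHG443002, the database DB01 and the server PHX-MBX02 are all assumed values.

```powershell
# Added example (not from the original post): bracket a scripted change with
# custom audit entries so the admin audit log shows who ran the change, when
# it started, whether it finished, and the ticket it was done under. The
# function name, ticket number, database and server names are assumed values.

function Invoke-AuditedChange {
    param(
        [Parameter(Mandatory=$true)] [string]      $Ticket,
        [Parameter(Mandatory=$true)] [string]      $Description,
        [Parameter(Mandatory=$true)] [scriptblock] $Change
    )
    # The comment is what Search-AdminAuditLog returns later, so keep it
    # machine-parsable: a fixed prefix, then the ticket, then free text.
    Write-AdminAuditLog -Comment "CHANGE BEGIN [$Ticket] $Description"
    $outcome = 'OK'
    try {
        & $Change
    } catch {
        $outcome = "FAILED: $($_.Exception.Message)"
        throw
    } finally {
        # Written even when the change throws, so a half-done change is visible
        # in the log rather than just a BEGIN with no matching END.
        Write-AdminAuditLog -Comment "CHANGE END [$Ticket] $outcome"
    }
}

Invoke-AuditedChange -Ticket 'CHG443002' `
    -Description 'Move DB01 to PHX-MBX02 before patching PHX-MBX01' `
    -Change {
        Move-ActiveMailboxDatabase -Identity 'DB01' -ActivateOnServer 'PHX-MBX02' -Confirm:$false
    }

# Pull the entries for this ticket back out. The BEGIN/END pair and every
# cmdlet run in between are recorded under the same caller, so the ticket can
# be matched to the actual Move-* and Set-* commands that were executed.
# A regex is used rather than -like because the square brackets in the
# comment would otherwise be read as a wildcard character class.
Search-AdminAuditLog -Cmdlets Write-AdminAuditLog `
    -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Where-Object { $_.CmdletParameters[0].Value -match '^CHANGE (BEGIN|END) \[CHG443002\]' } |
    Select-Object RunDate, Caller, @{n='Comment'; e={ $_.CmdletParameters[0].Value }} |
    Sort-Object RunDate
```

Because the audit log records the caller and the run date for the custom entries as well as for the real cmdlets, a reviewer can later take one ticket number and reconstruct exactly who made the change, when the window opened and closed, and which commands ran inside it.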

Reviewing Audit Reports in ECP

The Auditing Reports page in ECP has several reports that you can run to review various types of compliance and administrative configuration changes. To access this page, go to ECP, under Options select Manage My Organization, and click on Auditing. Once you're there, you will see the following screen:

You can see from the above screen shot that there are several reporting options available. You have the ability to run reports on non-owner mailbox access, litigation hold settings, role group changes, and also mailbox and administrator audit logs. As you may expect, the GUI is very intuitive and easy to navigate.

Summary

These additions provide a pretty robust solution for auditing your Exchange environment. Keep in mind, this is a high-level overview of what's new in Administrator Audit Logging in SP1, and there are many more details that I haven't touched on here. Also remember that SP1 is still in beta, so some of this stuff could change before the final release.
