Administrator Audit Logging in Exchange 2010

Elie Bou Issa [BS. Computer Science, MCITP, MCTS, MCT]


Elie has more than six years of experience dealing with various facets of IT and handling a wide range of software solutions. These include Exchange/Active Directory and other Microsoft platforms, such as Windows Server, SCCM, and SCOM, among others.


All Exchange 2010 administrative tasks are performed through the execution of cmdlets. This is true for both the Shell and the Console interfaces. Thus, auditing cmdlet execution allows us to record and track the administrative changes taking place within Exchange.

Another nice feature introduced in Exchange 2010 is Administrator Audit logging. Audit logging allows an organization to check that its policies are being followed. For example, the adoption of a standard naming convention for new email addresses and groups could be monitored by reviewing the audit logs.

A second important benefit is the review of configuration changes made to the Exchange organization through the Exchange Management Console, Exchange Web Services, and Exchange Management Shell.

Administrator Audit logging is disabled by default, and before enabling it you first need to define what is to be audited. Throughout this article, we will go over defining the audit logging lists. Following that, we will set the auditing mailbox, enable auditing and review the log entries produced.

Configuring Audit cmdlets and Parameters List

Auditing can be configured at the cmdlet level and the parameter level. By default, both are configured to audit every cmdlet that is run within the Exchange Organization. If you wish to alter this behavior, you need to change the lists AdminAuditCmdletsList and AdminAuditParametersList. Currently, these configurations can only be changed from the Exchange Management Shell.

To get the administrator audit log configuration properties, run the following cmdlet:
Get-AdminAuditLogConfig

Figure 1: Get AdminAuditLogConfig

The Administrator audit log is dependent on the Audit log settings stored in Active Directory. These can be viewed through ADSIEdit under Configuration/Services/Microsoft Exchange/Domain Name/Global Settings/Admin Audit Log Settings.

Because the audit log configuration is organization-wide, changes made to it depend on Active Directory replication to reach all domains within the organization.

To configure the cmdlet auditing list, you need to run Set-AdminAuditLogConfig -AdminAuditLogCmdlets followed by the cmdlet name to be audited.

For instance, to audit cmdlets that contain the keyword "mailbox" within the cmdlet name, run:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *mailbox*

Using the * wildcard, we are including all cmdlets containing the word mailbox anywhere within the cmdlet name, such as New-Mailbox and New-MailboxDatabase.

To audit all the cmdlets use:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *

To get the cmdlets auditing list:
Get-AdminAuditLogConfig | FL AdminAuditLogCmdlets

Figure 2: Get cmdlets auditing list

You cannot append cmdlets to the AdminAuditLogCmdlets list. If you wish to add or edit cmdlets, you need to set AdminAuditLogCmdlets again, and the cmdlets specified will replace those already in the list. To specify multiple list entries, separate them with commas, for example:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *mailbox*, *Connector

For a complete list of Exchange 2010 cmdlets, refer to:
http://technet.microsoft.com/en-us/library/bb124413.aspx

A cmdlet that is run will be audited only if:

  1. it is on the cmdlets auditing list (AdminAuditLogCmdlets), and
  2. its parameters are on the parameters auditing list (AdminAuditLogParameters).

In other words, satisfying the cmdlet auditing list alone is not enough: if the cmdlet's parameters do not match the parameter auditing list, the cmdlet is still not audited.

As mentioned earlier, the parameters auditing list is set by default so that cmdlets are audited regardless of which parameters are used.

If you wish to customize this, you need to set AdminAuditLogParameters.

For example, here we limit auditing to cmdlets run with a parameter whose name matches *Name:
Set-AdminAuditLogConfig -AdminAuditLogParameters *Name

Figure 3: Set Audit Log Parameters

Doing so will allow you to record the names of all newly created items, such as a new mailbox name or a new database name.

Audit logging is meant to report on modified objects in an Exchange organization and disregard events related to object viewing. In other words, Get- cmdlets are not audited.
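The two-condition rule above (cmdlet on the cmdlets list, and a parameter on the parameters list, with Get- cmdlets excluded) can be modelled locally to sanity-check a planned configuration before applying it. This is an added example, not code from the article or from Exchange; the function name Test-WouldBeAudited, the sample calls and the assumption that wildcards follow PowerShell -like semantics and that any one matching parameter is enough are all mine, so confirm the result against a test organization.

```powershell
# Added example, not the Admin Audit Log Agent's own code: a local model of
# the audit decision described in the article, used to check a planned
# AdminAuditLogCmdlets / AdminAuditLogParameters pair before it is applied.
# Assumptions: list entries use PowerShell -like wildcard semantics, a cmdlet
# is audited when its name matches any cmdlets entry AND at least one of the
# parameters actually used matches any parameters entry, and Get-* cmdlets
# are never audited.
function Test-WouldBeAudited {
    param(
        [string]$Cmdlet,
        [string[]]$ParametersUsed,
        [string[]]$CmdletsList,      # the value planned for -AdminAuditLogCmdlets
        [string[]]$ParametersList    # the value planned for -AdminAuditLogParameters
    )
    # Object viewing is never recorded, whatever the lists say.
    if ($Cmdlet -like 'Get-*') { return $false }

    # Condition 1: the cmdlet name must match an entry on the cmdlets list.
    $onCmdletList = @($CmdletsList | Where-Object { $Cmdlet -like $_ }).Count -gt 0
    if (-not $onCmdletList) { return $false }

    # Condition 2: one of the parameters passed must match the parameters list.
    foreach ($p in $ParametersUsed) {
        foreach ($pattern in $ParametersList) {
            if ($p -like $pattern) { return $true }
        }
    }
    return $false
}

# Constructed sample: the lists configured in this article, and a few calls
# that an administrator might run.
$cmdlets    = '*mailbox*', '*Connector'
$parameters = '*Name'

$calls = @(
    @{ Cmdlet = 'New-Mailbox';         Params = 'Name', 'UserPrincipalName', 'Database' },
    @{ Cmdlet = 'Set-Mailbox';         Params = 'ProhibitSendQuota' },
    @{ Cmdlet = 'Get-Mailbox';         Params = 'Identity' },
    @{ Cmdlet = 'New-SendConnector';   Params = 'Name', 'AddressSpaces' },
    @{ Cmdlet = 'Set-TransportConfig'; Params = 'MaxSendSize' }
)

foreach ($c in $calls) {
    $audited = Test-WouldBeAudited -Cmdlet $c.Cmdlet -ParametersUsed $c.Params `
                                   -CmdletsList $cmdlets -ParametersList $parameters
    '{0,-22} {1}' -f $c.Cmdlet, $(if ($audited) { 'audited' } else { 'not audited' })
}
```

Any call reported as "not audited" that you expected to be recorded points at a gap in one of the two lists.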

The Audit Process

When a cmdlet is executed in an Exchange organization through the management shell or the management console, the Admin Audit Log Agent is called. The agent parses the audit log configuration and generates a log entry if the cmdlet that was run matches it.

The log is then sent to a predefined auditing mailbox.

The Admin Audit Log Agent is a built-in cmdlet extension agent that is enabled by default. Cmdlet extension agents are special agents found in Exchange Server 2010 that are called by a cmdlet to help process additional actions, such as selecting the best-fit database for a mailbox that is created without specifying its mailbox database.

In order for audit logging to work, both the Admin Audit Log Agent and the Administrator Audit Log Configuration must be enabled. If either of the two is disabled, audit logging fails.

Now that we've configured Audit Logging, we need to set the auditing mailbox that will be hosting the generated audit logs.

To set the audit log mailbox to audit@elieb.info, run the cmdlet:
Set-AdminAuditLogConfig -AdminAuditLogMailbox audit@elieb.info

Figure 4: Set Audit log mailbox

Once we have configured the auditing list and the auditing mailbox, we need to enable the administrator auditing log by running the cmdlet:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
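The steps above (cmdlets list, parameters list, auditing mailbox, enable) can be applied in one pass and then verified against the two conditions the article names: the audit log configuration and the Admin Audit Log Agent must both be enabled. This is an added example, not the article's own script; the mailbox address is a placeholder, and Get-CmdletExtensionAgent is an Exchange 2010 cmdlet that the article does not itself mention.

```powershell
# Added example, not from the article: apply the configuration built up in the
# steps above, then verify that it will actually produce audit entries.
# Run from the Exchange Management Shell. Replace the placeholder mailbox with
# your own auditing mailbox.
$AuditMailbox = 'audit@example.com'   # placeholder, not the article's mailbox

# AdminAuditLogCmdlets is replaced, not appended to, so give the whole list.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets '*mailbox*', '*Connector' `
                        -AdminAuditLogParameters '*Name' `
                        -AdminAuditLogMailbox $AuditMailbox `
                        -AdminAuditLogEnabled $true

# Verification: both the configuration and the agent must be enabled, or
# nothing reaches the auditing mailbox. Remember that the configuration lives
# in Active Directory, so other domains see it only after replication.
$config = Get-AdminAuditLogConfig
$agent  = Get-CmdletExtensionAgent -Identity 'Admin Audit Log Agent'

$problems = @()
if (-not $config.AdminAuditLogEnabled) {
    $problems += 'AdminAuditLogEnabled is False'
}
if (-not $agent.Enabled) {
    $problems += 'Admin Audit Log Agent is disabled (Enable-CmdletExtensionAgent restores it)'
}
if (-not $config.AdminAuditLogMailbox) {
    $problems += 'No auditing mailbox is set'
}

if ($problems.Count -eq 0) {
    'Administrator audit logging is active with this configuration:'
    $config | Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets,
                          AdminAuditLogParameters, AdminAuditLogMailbox
} else {
    'Administrator audit logging will NOT record anything:'
    $problems | ForEach-Object { " - $_" }
}
```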

Now that everything is set, let's create a new mailbox from the Exchange Management Console and test the audit functionality:

Figure 5: Creating a new mailbox from the Exchange Management Console

Once the mailbox is created, the audit log entry is sent to the auditing mailbox, as shown in the figure below:

Figure 6: Audit configuration log entries

The email subject shows the account of the user that performed the cmdlet (Exchange\Elie) and the name of the cmdlet (New-Mailbox).

The first entry in the body shows the cmdlet name that was run followed by the object modified.

After that comes the list of parameters specified for the cmdlet, followed by the list of properties set by the cmdlet.

At the bottom we have the cmdlet caller account, followed by a confirmation that the cmdlet was successfully executed. The last entry will display the date and time the cmdlet ran.

Conclusion

Audit Logging is useful for tracking configuration changes made within an Exchange Organization, and helps identify any errors.

Also, as discussed, audit logging helps the organization monitor policy compliance, such as preserving a unified naming convention for email addresses.

Finally, through audit logging, a manager can keep an eye on the overall operations and management activity taking place on Exchange.


User Comments

adam_albee 22 Dec 2015 20:39
Thanks for sharing this very informative article. Another fantastic PDF guide I also found, at the link below, covers almost the same concern and helps to track critical changes/access in real time: https://gallery.technet.microsoft.com/Enabling-Exchange-2010-368786d3
Abdul 25 Jul 2012 01:12
Thanks for the details !

I have a quick question: do we have any specific list stating which things will not be audited even after enabling Administrator Audit Logging in Exchange 2010 SP2?

Like changes done from ADUC, changes done via Exchange 2007, etc.

jenn 10 Apr 2012 00:38
Hi,

I wanna ask you a question. I'm not able to find the administrator logs folder. You've written Configuration/Services/Microsoft Exchange/Domain Name/Global Settings/Admin Audit Log Settings. But where is this folder? I want to delete the audit logs but I don't know how I can do this?

Thank you very much