Auditing / Logging of policy updates/publishing?

Similar Messages

• While fetching the Audit Log Programmatically last Downloaded document is not fetched from Auditing Log. To update the events it is taking 5 to 10 mins. After that i can fetch the data. Is there any way to refresh the log to be reflected immediatly?

  SPAuditQuery wssQuery = new SPAuditQuery(SPContext.Current.Web.Site);
  wssQuery.RestrictToUser(SPContext.Current.Web.CurrentUser.ID);
  wssQuery.AddEventRestriction(SPAuditEventType.View);
  wssQuery.RestrictToList(list)       
  //set the query date range
  wssQuery.SetRangeEnd(DateTime.Now);
  wssQuery.SetRangeStart(DateTime.Now.AddMinutes(-30));// To get the last 30 Mins of data
  SPContext.Current.Web.Site.Audit.Update();
  SPContext.Current.Web.Update();                     
  SPAuditEntryCollection auditCol = SPContext.Current.Web.Site.Audit.GetEntries(wssQuery); 

  From your response, I understood that, The coding is okay. So no need to change the code.
  I am not sure what/How to be validated the Lag. Can you please suggest more on detail ?
  One more thing observed based on the below steps
  1. Downloaded 3 documents sequentially
  2. Gave pause for 15 seconds
  3. Downloaded next 2  documents sequentially
  4. Executed my above mentioned program
  Result : Fetched only first 3 documents, documents which are downloaded after pause is not retrieved
  5. Generated the custom report (or ) Do new Download
  Result : I can See 5 Documents (In case of 5th step is new download, I can See 5 Documents instead of 6 documents)
  6:  Executed my above mentioned program
  Result : I can See 5 Documents (In case of 5th step is new download, I can See 5 Documents instead of 6 documents)
  Conclusion: Most recent download event is pushed by other relevant(Custom Report Generation or Download or Page Refresh) event
  Am i Missing anything to obtain the proper result ?

• Intermittend DNS resolution, timeserver, group policy updates errors in client logs in Win 2012 R2 single server environement

  We recently switched hardware and server software Win SBS 2008 to 2012R2 for a small network roughly 40 clients (Win7 Pro / Win 8.1 Pro) about 16 running concurrently at a given time and one network printer with the printer queue residing on the DC as well.
  I read that a single server environment might not be ideal in particular no fail-over but that is an accepted risk in this particular network here.
  Errors:
  Error 1043: Timeout during name resolution request
  Error 1129: Group policy updates could not be processed due to DC not available
  Error 5719: Could not establish secure connection to DC, DC not available
  Occasionally but disappears after a while
  Error 134: As a result of a DNS resolution timeout could not reach time server
  Symptoms
  On Win 7 Clients
  Network shares added through Group Policy will not show sometimes
  Network shares disconnect (red X) and when accessed return access authorization error after one or two clicks on the share finally grant access again
  When the issue with accessing network shares occurs, it usually also affects Internet access meaning a 'server not responding' error appears in the browser windows when trying to open just any web page
  nslookup during the incident returns cannot resolve error
  ipconfig on client shows correct default router (VDSL Router) and DHCP / DNS Domain Controller
  Also, the Win system log shows the above errors during these incidents, however, the nuimber of incidents vary from 20-30
  On Win 8.1 Clients
  Same as above with the slight variation for network shares apparently due to Server 2012 and Win 8.1 clients managing drive shares differently. However, network share refresh does not work with this clients. In most cases only a gpupdate /force returns
  drive shares but usually only for the active session. After logoff / logon the shares are gone again.
  The issue does appear to be load related since it occurs even if there are only one or two workstations active.
  Server Configuration
  Dell R320 PowerEdge 16GB / 4TB 7200RPM RAID10 / GBitEthernet
  Zyxel 1910-48 Port Switch
  VDSL 50Mbps Down / 20Mbps Up
  Since the DC is the only local DNS and there are no plans to add another one or move DNS to another server, the DNS server is configured with this own address as preferred DNS with three DNS forwarders 1) VDSL Router 2) ISP DNS1 3) ISP DNS2
  Currently only one Network card is active for problem determination reasons.
  There appears to be no consensus concerning IPV6 enabled or disabled, I tried both with no apparent effect
  I have set all network cards server and client to Full Duplex and the same speed, also disabled Offload functions within the adapter settings. Some but no consistent improvements.
  Best Practice Analyzer Results
  DNS server scavening not enabled
  Root hint server XYZ must respond to NS queries for the root zone
  More than one forwarding server should be configured (although 3 are configured)
  NIC1 should be configured to use both a preferred and alternate DNS (there is only one DNS in this network)
  I have found some instructions to apply changes to the clients through a host file but I would rather like to understand whether this DNS response time issue can be resolved on the server for example timing setting perhaps. Currently the DNS forwarders are
  set to 3 second.
  Since a few people have reported issues with DNS but most are working with multi DNS, DC environment I could not really apply any suggestions made there. perhaps there is anyone like me who is running a single server who has overcome or experience the same
  issues. Any help would be appreciated

  Hello Milos thx for your reply.. my comments below
  1. What does it "switched"? You may mean migration or new installation. We do not know...
  >> Switched is probably the incorrect term, replaced would be the appropriate wording. Before, there was a HP Proliant Server with SBS 2008 with distinct domain and now there is a Dell Server with MS 2012 R2 with a distinct domain. Client were
  removed from one (SBS) domain and added to the new Server 2012 domain. Other components did not change for example same Network Switch or VDSL Router, Workstations and Printer
  2. Two DCs are better alternative. Or backup very frequently. There are two groups of administrators. Those who have lost DC and those who will experience this disaster in near future.
  >> Correct, and I am aware of that
  3. NIC settings in W 7 and W 8.1, namely DNS points to DC (...and NOTHING else. No public IP or that of router DNS.))
  >> Correct, this is how it's currently implemented. Clients point to DC for DHCP and DNS and Default Router, no public IP or DNS. The only references to ISP DNS exist on the VDSL Router itself as provided through ISP when establishing VDSL
  Link and the list of Forwarders in the DNS Server configuration. However, I have just recently added the ISPs DNS as forwarders for test purposes and will probably learn tomorrow morning whether this had any effect for better or worse.
  4. Do nslookup to RR on clients. RR branch is saying client basic info on LDAP parameters of AD.
  >> Will post as soon as available
  5. I do not use forwarders and the system works
  >> Ok, does this mean it works for you in a similar or the same infrastructure setup or are you saying it is not required at all and I can remove any forwarder in a scenario like mine? If not required can you explain a bit more why it is not
  required apart from that it does work for you that way?
  6. DHCP should sit on DC (DHCP on router is disabled)
  >> Correct, no other device is configured to provide DHCP service other than DC and DHCP is currently running on DC
  7. NIC settings in DC points to itself (loopback address 127.0.0.1)
  >> Are you sure this is still correct and does apply to Server 2012? I am reading articles stating that it should be the servers own IP but local loop or should this be added as alternate DNS in addition to the servers own IP?
  8. Use IPCONFIG /FLUSHDNS whenever you change DNS settings.
  >> OK, that was not done every time I changed some settings but I can do that next week. Reboot alone would not suffice, correct?
  9. Test your system with dcdiag.
  >> See result below
  10. Share your findings.
  Regards
  Milos
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
    Home Server = GSERVER2
     * Identified AD Forest.
     Done gathering initial info.
  Doing initial required tests
  Testing server: Default-First-Site-Name\GSERVER2
        Starting test: Connectivity
           ......................... GSERVER2 passed test Connectivity
  Doing primary tests
     Testing server: Default-First-Site-Name\GSERVER2
        Starting test: Advertising
           ......................... GSERVER2 passed test Advertising
        Starting test: FrsEvent
           ......................... GSERVER2 passed test FrsEvent
        Starting test: DFSREvent
           ......................... GSERVER2 passed test DFSREvent
        Starting test: SysVolCheck
           ......................... GSERVER2 passed test SysVolCheck
        Starting test: KccEvent
           ......................... GSERVER2 passed test KccEvent
        Starting test: KnowsOfRoleHolders
           ......................... GSERVER2 passed test
           KnowsOfRoleHolders
        Starting test: MachineAccount
           ......................... GSERVER2 passed test MachineAccount
        Starting test: NCSecDesc
           ......................... GSERVER2 passed test NCSecDesc
        Starting test: NetLogons
           ......................... GSERVER2 passed test NetLogons
        Starting test: ObjectsReplicated
           ......................... GSERVER2 passed test
           ObjectsReplicated
        Starting test: Replications
           ......................... GSERVER2 passed test Replications
        Starting test: RidManager
           ......................... GSERVER2 passed test RidManager
        Starting test: Services
           ......................... GSERVER2 passed test Services
        Starting test: SystemLog
           ......................... GSERVER2 passed test SystemLog
        Starting test: VerifyReferences
           ......................... GSERVER2 passed test VerifyReferences  
     Running partition tests on : ForestDnsZones
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test
           CrossRefValidation
     Running partition tests on : DomainDnsZones
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test
           CrossRefValidation
     Running partition tests on : Schema
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
     Running partition tests on : Configuration
        Starting test: CheckSDRefDom
           ......................... Configuration passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Configuration passed test CrossRefValidation
     Running partition tests on : GS2
        Starting test: CheckSDRefDom
           ......................... GS2 passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... GS2 passed test CrossRefValidation  
     Running enterprise tests on : GS2.intra
        Starting test: LocatorCheck
           ......................... GS2.intra passed test LocatorCheck
        Starting test: Intersite
           ......................... GS2.intra passed test Intersite
  Server:  gserver2.g2.intra
  Address:  192.168.240.6
  *** gserver2.g2.intra can't find g2: Non-existent domain
  > gserver2
  Server:  gserver2.g2.intra
  Address:  192.168.240.6
  g2.intra
          primary name server = gserver2.g2.intra
          responsible mail addr = hostmaster.g2.intra
          serial  = 443
          refresh = 900 (15 mins)
          retry   = 600 (10 mins)
          expire  = 86400 (1 day)
          default TTL = 3600 (1 hour)
  > wikipedia.org
  Server:  gserver2.g2.intra
  Address:  192.168.240.6
  Non-authoritative answer:
  wikipedia.org   MX preference = 10, mail exchanger = polonium.wikimedia.org
  wikipedia.org   MX preference = 50, mail exchanger = lead.wikimedia.org
  polonium.wikimedia.org  internet address = 208.80.154.90
  polonium.wikimedia.org  AAAA IPv6 address = 2620:0:861:3:208:80:154:90
  lead.wikimedia.org      internet address = 208.80.154.89
  lead.wikimedia.org      AAAA IPv6 address = 2620:0:861:3:208:80:154:89
  Final benchmark results, sorted by nameserver performance:
   (average cached name retrieval speed, fastest to slowest)
    192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    + Cached Name   | 0,001 | 0,002 | 0,003 | 0,001 | 100,0 |
    + Uncached Name | 0,027 | 0,076 | 0,298 | 0,069 | 100,0 |
    + DotCom Lookup | 0,041 | 0,048 | 0,079 | 0,009 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
               gserver2.g2.intra
                  Local Network Nameserver
    195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,022 | 0,023 | 0,025 | 0,000 | 100,0 |
    - Uncached Name | 0,025 | 0,071 | 0,274 | 0,065 | 100,0 |
    - DotCom Lookup | 0,039 | 0,040 | 0,043 | 0,001 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
                       cns8.bluewin.ch
             BLUEWIN-AS Swisscom (Schweiz) AG,CH
    195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,022 | 0,023 | 0,026 | 0,001 | 100,0 |
    - Uncached Name | 0,025 | 0,072 | 0,299 | 0,066 | 100,0 |
    - DotCom Lookup | 0,039 | 0,042 | 0,049 | 0,003 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
                       cns7.bluewin.ch
             BLUEWIN-AS Swisscom (Schweiz) AG,CH
      8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,033 | 0,040 | 0,079 | 0,011 | 100,0 |
    - Uncached Name | 0,042 | 0,113 | 0,482 | 0,097 | 100,0 |
    - DotCom Lookup | 0,049 | 0,079 | 0,192 | 0,039 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
               google-public-dns-a.google.com
                   GOOGLE - Google Inc.,US
    UTC: 2014-11-03, from 14:33:12 to 14:33:29, for 00:17,648
  15: 40
  192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    + Cached Name   | 0,001 | 0,002 | 0,004 | 0,000 | 100,0 |
    + Uncached Name | 0,025 | 0,074 | 0,266 | 0,063 | 100,0 |
    + DotCom Lookup | 0,042 | 0,048 | 0,075 | 0,007 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
               gserver2.g2.intra
                  Local Network Nameserver
    195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
    - Uncached Name | 0,024 | 0,073 | 0,289 | 0,067 | 100,0 |
    - DotCom Lookup | 0,039 | 0,041 | 0,043 | 0,001 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
                       cns7.bluewin.ch
             BLUEWIN-AS Swisscom (Schweiz) AG,CH
    195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
    - Uncached Name | 0,025 | 0,073 | 0,286 | 0,065 | 100,0 |
    - DotCom Lookup | 0,041 | 0,066 | 0,180 | 0,037 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
                       cns8.bluewin.ch
             BLUEWIN-AS Swisscom (Schweiz) AG,CH
      8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,033 | 0,038 | 0,077 | 0,009 | 100,0 |
    - Uncached Name | 0,042 | 0,105 | 0,398 | 0,091 | 100,0 |
    - DotCom Lookup | 0,049 | 0,066 | 0,141 | 0,025 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
               google-public-dns-a.google.com
                   GOOGLE - Google Inc.,US
    UTC: 2014-11-03, from 14:39:59 to 14:40:12, for 00:13,363

• Audit log + manual update + specify download location

  Hi all,
  I'm evaluating whether we can use Java Web Start for our new product, for geographically distributed software deployment.
  I've the following questions that I could not find answers in the official documentation:
  - Can it support manual update? i.e. is there any way I can put a button on the application UI so that instead of checking latest version on every program start, the end-user can manually initiate software update.
  - Can I extend it to support audit log? i.e. we need to keep track of which client upgrade to which version in a centralized database (as audit trail), and when such update occurred. Can we do this?
  - Some of our end-user has no access to local filesystem, they only have access to dedicated shared network drive, can we customize Web Start so that it download and save the new version to a specific location, instead of C:\temp?
  - We have a few jar files for the application. How can we ensure that all jar files are either updated, or not updated at all? i.e. kind of transaction concept.
  - One of the jar files contains some configuration files, which need to be expanded in exploded format (to allow runtime change of configuration options). How can we do that?
  Thanks a million.

  Hi all,
  I'm evaluating whether we can use Java Web Start for
  our new product, for geographically distributed
  software deployment.
  I've the following questions that I could not find
  answers in the official documentation:
  - Can it support manual update? i.e. is there any
  way I can put a button on the application UI so that
  instead of checking latest version on every program
  start, the end-user can manually initiate software
  update.currently, no - this is a requested feature being considered for 6.0
  >
  - Can I extend it to support audit log? i.e. we need
  to keep track of which client upgrade to which
  version in a centralized database (as audit trail),
  and when such update occurred. Can we do this?only by controling a servlet or jsp page that generates the jnlp file and keeps track of what requests are made for the jnlp file and the resources of the app. Java Web Start itself runs on the client machine.
  >
  - Some of our end-user has no access to local
  filesystem, they only have access to dedicated shared
  network drive, can we customize Web Start so that it
  download and save the new version to a specific
  location, instead of C:\temp?webstart itself only downloads into its own cache (by default on windows XP at c:\Doccuments and settings\<user name>\Application Data\Sun\java\deployment\cache\javaws
  this cache location can be configured.
  in version 6.0 we will have capability to disable caching, but curent version must have a cache.
  >
  - We have a few jar files for the application. How
  can we ensure that all jar files are either updated,
  or not updated at all? i.e. kind of transaction
  concept.
  Java web Start currently checks timestamps of all downloaded jars before launching application, and will only update all or none.
  - One of the jar files contains some configuration
  files, which need to be expanded in exploded format
  (to allow runtime change of configuration options).
  How can we do that?If you must access these resources as files, you will have to extract them using ClassLoader.getresourceAsStream(), and then write them to disk yourself.
  >
  Thanks a million./Andy

• Audit Log update using Xchange or Webservice

  Hello,
  We are looking for the functionality to update Audit logs for Items.
  Do we have possibility to update the Audit logs for some Particular Item by using web service or Xchange message?
  The idea is to update the Audit log using some external service...
  Thanks in Advance,
  Regards,
  Pushkar

  Hi Pushkar ,
  I think we cannot do this . But can  you please tell me in which  business scenrio you want to  modified the audit Log.  Audit log is meant to record changes of those selected using the audit log feature in SAP ME 5.2 .
  Any update with  to item would anyway (Internal or External)  get updated in the audit log i believe .
  Thanks
  Kishore K V

• DBA Opinion on Audit Logs in Oracle Database

  As the title suggests - what are your initial reaction when your auditors come to you and say "why arent audit logs turned on table a, b, c, d.....z, a1 etc".
  Scenario - say the auditor is interested in audit logs and settings as the Database houses PII and bank account data....
  The common response from the DBA from what I have seen is "do you realise how much this will cost and what impact it will have on performance" (waving your fists).
  So please tell me as a profressional Oracle DBA:
  What financial (broke down in detail if poss) considerations need to be made when deploying an audit policy to a database housign sensitive data.
  What technical (broke down in detail if poss) considerations need to be made when deploying an audit policy to a database housign sensitive data.
  I look forward to your replies.

  Many, many things to consider.
  It will be generally not practical to audit everything down to excruciating detail (as usually requested by well-meaning but technically challenged auditors) without causing significant overhead. Having said that it will be equally irresponsible not to setup auditing on a database that will be used for production. So every DBA needs to find a happy medium that is acceptable to the management, users, auditors, plus compliance with industry/state/federal regulations, etc.
  If you wish to use Fine-grained Auditing (FGA), it requires an Enterprise Edition license.
  If you need a crash course, Rampant publishes a book that addresses Oracle Auditing:
  Oracle Privacy Security Auditing

• Audit logs for read operation on tables

  I have a requirement of implementing audit logs for tables on read / select operation in addition to insert,update,delete operations. Is there any way to achieve this since triggers are present only for insert,update and delete ?
  thanks in advance

  Hi,
  yes there are many ways you can audit the Source database according to your requirments. as you need to audit the select , insert etc you can audit in many ways
  1) By implementing policies , (i.e) FGA , or statement policy on a given table or a given user.
  2) you can also do the required task by implementing the alerts on specific conditions like select on a specifc table etc
  you can use these utileties from AV console.
  Regards.

• The format of Audit log file

  We have a perl script to extract data from Audit log files(Oracle Database 10g Release 10.2.0.1.0) which have format as bellow.
  Audit file /u03/oracle/admin/NIKKOU/adump/ora_5037.aud
  Oracle Database 10g Release 10.2.0.1.0 - Production
  ORACLE_HOME = /u01/app/oracle/product/10.2.0
  System name:     Linux
  Node name:     TOYDBSV01
  Release:     2.6.9-34.ELsmp
  Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
  Machine:     i686
  Instance name: NIKKOU
  Redo thread mounted by this instance: 1
  Oracle process number: 22
  Unix process pid: 5037, image: oracleNIKKOU@TOYDBSV01
  Sun Jul 27 03:06:34 2008
  ACTION : 'CONNECT'
  DATABASE USER: 'sys'
  PRIVILEGE : SYSDBA
  CLIENT USER: oracle
  CLIENT TERMINAL:
  STATUS: 0
  After we update the db from Release 10.2.0.1.0 to Release 10.2.0.4.0, the format of Audit log file had been changed to something likes below.
  Audit file /u03/oracle/admin/NIKKOU/adump/ora_1897.aud
  Oracle Database 10g Release 10.2.0.4.0 - Production
  ORACLE_HOME = /u01/app/oracle/product/10.2.0
  System name:     Linux
  Node name:     TOYDBSV01
  Release:     2.6.9-34.ELsmp
  Version:     #1 SMP Fri Feb 24 16:54:53 EST 2006
  Machine:     i686
  Instance name: NIKKOU
  Redo thread mounted by this instance: 1
  Oracle process number: 21
  Unix process pid: 1897, image: oracle@TOYDBSV01
  Tue Oct 14 10:30:29 2008
  LENGTH : '135'
  ACTION :[7] 'CONNECT'
  DATABASE USER:[3] 'SYS'
  PRIVILEGE :[6] 'SYSDBA'
  CLIENT USER:[0] ''
  CLIENT TERMINAL:[7] 'unknown'
  STATUS:[1] '0'
  Because we have to rewrite the perl script, could anyone tell us where we can find the manual to describe the format of the Audit log file.

  Oracle publishes views of the audit trail data. You can find a list of the views for the 11.1 database here:
  http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#BCGIICFE
  The audit trail does not really change between patchsets as that would constitute underlying structure changes and right now, the developers are not allowed to change the underlying structure of tables in patchsets. But, we can change what may be displayed in a column from patchset to patchset. For example, we are getting ready to update the comment$text field to display more information like dblinks and program names.
  I personally don't like overloading the comment$text field like that, but sometimes when you need the information, that is the only choice except to wait for the next major release :)
  As for the output of the audit log files, those can change between patchsets because of bugs that were found and some changes to support Audit Vault. My apologies out there for anyone that is reading the audit files written to the OS directly, I would recommend using the views.
  Hope that helps. Tammy

• An error occurred while trying to access the audit log

  Hi I have run Set-Mailbox ian.shapton -AuditOwner Update, Move, MoveToDeletedItems, SoftDelete, HardDelete
  I then created and deleted an email and ran Search-MailboxAuditLog -Identity "ian shapton" -LogonTypes Owner -StartDate "12/21/2014 12:00" -EndDate "12/21/2014 13:00" -ShowDetails
  I see An error occurred while trying to access the audit log. For more details, see the inner exception.
      + CategoryInfo          : NotSpecified: (:) [Search-MailboxAuditLog], AuditLogException
      + FullyQualifiedErrorId : [Server=Mailbox01,RequestId=07f17915-f25d-4fd5-b23e-f07a2482f4a4,TimeStamp=21/12/2014 16:45:39] [FailureCategory=Cmdlet-AuditLogException] 255D6156,Microsoft.Exchange.Management.SystemConfigurationTasks.SearchMailboxAuditLog
  MSExchange CmdletLogs shows Microsoft.Exchange.Data.ApplicationLogic.AuditLogServiceException: The Exchange Web Service returned an error while trying to access the audit log. Reason: 'Error','ErrorTimeoutExpired','The search operation could
  not be completed within the allotted time limit. Please try to narrow down your scope to reduce the result set.'.
  I am a Recipient Admin and Org Admin and can search other mailboxes using -LogonTypes Delegate
  Any idea what I am missing here?
  shapi

  Hi,
  I have the same problem when I run the Search-MailboxAuditLog command.  It has been working for 2 weeks but suddenly after moving databases from one datacenter to another and back again it stopped working.  The account running the command
  is in all necessary roles needed.
  This is what I have tested after it stopped working:
  - Search-MailboxAuditLog -Identity "xxxxxxx" -LogonTypes Delegate -StartDate (Get-Date).Adddays(-1) = Works
  - Search-MailboxAuditLog -Identity "xxxxxxx" -LogonTypes Delegate -StartDate (Get-Date).Adddays(-1) -showdetails = does not work and comes with an error.
  "The Exchange Web Service returned an error while trying to access the audit log. Reason: 'Error','ErrorTimeoutExpired',
  'The search operation could not be completed within the allotted time limit. 
  Please try to narrow down your scope to reduce the result set.'."
  This is very bad for us because we use a lot of shared mailboxes with delegates and want to report delegate action on these mailboxes.
  Environment:
  - 3 datacenters
  - Exchange 2013 CU7
  Thorir
  thorir

• Audit Log query

  I am trying to figure out why a query of the OID audit logs is taking so long....
  the search filter is:
  (&(orcleventtime>=20070426)(orcleventtime<=20070427)(orcleventtype=User login))
  it takes 97 seconds to return 1622 entries.
  when i run a query with this filter....
  (&(orcleventtime>=20070426)(orcleventtype=User login))
  it takes 0.2 seconds
  any ideas?

  Purging an AUD$ table is good idea after taking the export....
  Yeah...that could be better idea to audit those things that application skips...
  I was just getting calls from finance and operations departments... complaining that their ERP applications were haning taking long time to execute day end procedures and in reports...around 20 to 30 minutes.... as I recalled that my last deployment on live was enabling of auditing as I executed noaudit all and noaudit select, update, delete, insert on erp, The user got their day end procedures executed and report in less than 1 minute...
  Can anybody explain me....Does auditing degrades performance..?
  Regards?

• Audit Log is required for Project server

  Hi,
  Audit Log is required for EPM / Project Server 2010 
  Following are the requirements.
  Project Name, Resource Name and Date of Following Events.
  1. Project checked Out By, Date (This is highly important)
  2. Project Checked In By, Date
  3. Project Published By, Date
  4. Project Saved By, Date

  Hi Hachishti,
  Please refer to a recent similar thread with excellent answer from Paul.
  http://social.technet.microsoft.com/Forums/projectserver/en-US/435fbb7a-1c82-419c-b83e-e89419dc66aa/project-server-2010-view-plan-save-history?forum=projectserver2010general
  Hope this helps.
  Guillaume Rouyre - MBA, MCP, MCTS

• Search-MailboxAuditLog is empty - Mailbox Audit Logging not working in Exchange 2013 CU6 environment

  Hello,
  i activated Mailbox Audit Logging for Admin, delegate and owner with all supported operations (update, delete, etc..)
  like mentioned here:
  http://exchangeserverpro.com/using-exchange-server-2013-mailbox-audit-logging/
  But also two days later (and also one Server reboot later) search-MailboxAuditLog is still empty.
  any ideas how to fix this?
  Best,
  martin

  Hi S.Nithyanandham,
  i looked up the mailboxfolderstatistics. There are items in the folder: 
  [PS] C:\Windows\system32>Get-MailboxFolderStatistics mailboxname |where{$_.Name -like "*audit*"}
  RunspaceId : a95e32b8-93c3-4330-8d42-45cade9d64d4
  Date : 18.09.2014 16:35:20
  Name : Audits
  FolderPath : /Audits
  FolderId : LgAAAADmBpGVdb8iQp3F89WOcmcHAQBpQNFODkTESLeLj74B887wAAAAAAESAAAB
  FolderType : Audits
  ItemsInFolder : 147
  DeletedItemsInFolder : 0
  FolderSize : 434.2 KB (444,649 bytes)
  ItemsInFolderAndSubfolders : 147
  DeletedItemsInFolderAndSubfolders : 0
  FolderAndSubfolderSize : 434.2 KB (444,649 bytes)
  OldestItemReceivedDate :
  NewestItemReceivedDate :
  OldestDeletedItemReceivedDate :
  NewestDeletedItemReceivedDate :
  OldestItemLastModifiedDate :
  NewestItemLastModifiedDate :
  OldestDeletedItemLastModifiedDate :
  NewestDeletedItemLastModifiedDate :
  ManagedFolder :
  DeletePolicy :
  ArchivePolicy :
  TopSubject :
  TopSubjectSize : 0 B (0 bytes)
  TopSubjectCount : 0
  TopSubjectClass :
  TopSubjectPath :
  TopSubjectReceivedTime :
  TopSubjectFrom :
  TopClientInfoForSubject :
  TopClientInfoCountForSubject : 0
  SearchFolders :
  Identity : mailboxname\Audits
  IsValid : True
  ObjectState : New
  What do you think?
  why cant i search and find these entries the auditlog?
  best, 
  martin

• Ms-exchange 2013 audit logs retrieving in csv format not working?

  I need help regarding pulling specific information from exchange 2013. The information pertains to mail-exchange audit logs. The exchange in my environment is ms-exchange 2013. Steps performed so far are:-
  **step#1**
      Create test Environment on Exchange Server 2010 and Active Directory:
      Two Mailboxes for testing (with dummy email messages) (i.e., test-mailbox-1, test-mailbox-2)
      Two Active Directory Accounts for testing (testAcct01, testAcct02)
      Assign Permission to Test Mailboxes: Owner of Email Box test-mailbox-1: testAcct01, Owner of Email Box test-mailbox-2: testAcct02
  **step 2**
      Enable Mailbox Auditing on the test-mailbox-1:
      Use EMS to enable mailbox auditing on mailbox: test-mailbox-1
      Commands: 
      o Set-Mailbox -Identity "test-mailbox-1" -AuditDelegate Copy,Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
      o Set-Mailbox -Identity "test-mailbox-1" -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
      Note: You must have permission for Organization Management and Record Management if you want to enable mailbox auditing.
  **step#3**
      Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
       Use EMS to verify the settings of mailbox auditing
      Command:
      o Get-Mailbox "test-mailbox-1" | Format-List *audit*
  **step#4**
      Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
      Use EMS to verify the settings of mailbox auditing
      Command:
      o Get-Mailbox "test-mailbox-1" | Format-List *audit*
  **step#5**
      Perform  test activities on mailbox “test-mailbox-1” using account id: testAcct02
      For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc. 
  **step#6**
      Perform test activities on mailbox “test-mailbox-1” using “Administrator” Account.
      For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc.
  **step#7**
      Use EMS Cmdlet to retrieve Mailbox audit logs for mailbox “test-mailbox-1”
      Command:
      o Search-MailboxAuditLog -Identity test-mailbox-1 -LogonTypes Admin,Delegate –ShowDetails -StartDate mm/dd/2014 -EndDate mm/dd/2014 | Export-Csv “c:\test-Audit-Results.csv”
      o New-MailboxAuditLogSearch "Admin and Delegate Access" -Mailboxes " test-mailbox-1" -LogonTypes Admin,Delegate -StartDate mm/dd/2014 -EndDate mm/dd/2014 -StatusMailRecipients [email protected]
  I'm unable to go past step#7, as I see nothing in csv file. I don't know why is this? any help.

  Hi,
  I will perform these steps in my lab and paste the result.
  Beg your patient waiting.
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• Consistency Problem In Audit Logs and Datafile

  Hi,
  We have audit logs of a transaction in audit files, however we do not see any changes in the table that the transaction affects.
  We use point-in-time recovery and flashback feature to figure out the changes in the table . DML Audit Granularity is "ACCESS".
  The transaction is java application transaction and we use hibernate.
  How can this be possibble? Thank you.
  Edited by: 867331 on 14.Ara.2012 07:05
  Edited by: 867331 on 14.Ara.2012 07:07

  Thanks for the reply,
  jgarry wrote:
  You've flashed or recovered back to a transaction in progress and the transaction was rolled back as part of recovery.We have duplicated the database(2 months early version of the database) from backup. We use Flashback Version Query to figure out the changes in the audited table.
  Ex:
  SELECT STATE FROM X
  VERSIONS BETWEEN TIMESTAMP
  TO_TIMESTAMP ('07-09-12 05:15:30','dd-mm-yy hh24:mi:ss')
  AND TO_TIMESTAMP ('07-09-12 16:00:30','dd-mm-yy hh24:mi:ss')
  where ID=1
  We cannot find update transaction from this query. The "STATE" column is always null. However in audit xml file we see the "UPDATE" sql.
  jgarry wrote:
  Some code for a report or inquiry incorrectly does a select for update and doesn't actually update anything.There is no "select for update" statement.
  Thank you.

• URM Disposition Approval Error - Audit log

  Hi there,
  We have a URM environment installed and configured.
  When attempting to approve a disposition action on an item in a retention schedule, the following error message appears:
  "Unable to update DispositionsHistory table. Failed to check in audit log. Please reference '/appl/ucm/ContentServer/data/recordsManagement/log/##########.htm' audit log. You must save default metadata for checked in audit entries."
  What is it here that we need to adjust in order to complete the approval?

  Hello
  You have to give your audit trail default metadatas. Under Administration-Configure Records Management-Audit-CheckedIn_Audit Entries you can find the Link for "Default Metadata for Checked-in Audit Entries".
  Regards