Mailbox audit log - Not searchable
Exchange 2010 SP2 RU7
I enabled audit on one mailbox using the Set-Mailbox cmdlet. Here is the audit-specific o/p from the mailbox,
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Move, MoveToDeletedItems, SoftDelete, HardDelete}
AuditDelegate : {Move, MoveToDeletedItems, SoftDelete, HardDelete}
AuditOwner : {Move, MoveToDeletedItems, SoftDelete, HardDelete}
I am trying to track who is deleting objects from the mailbox, so I tested whether auditing is actually logging anything by deleting three items at different times from the mailbox. Then I run another cmdlet to test whether an audit folder is there and what its contents are,
PS C:\temp\ps> Get-MailboxFolderStatistics -Identity "MBX" | ? {$_.Name -eq "Audits" -and $_.FolderType -eq "Audits"} | Format-Table Identity, ItemsInFolder, FolderSize -AutoSize
Identity ItemsInFolder FolderSize
MBX\Audits 3 5.918 KB (6,060 bytes)
Sure enough there are 3 items in there meaning it's auditing those deletions. BUT when I try to search the audit logs using the below command, I get no results (YES I am using the -ShowDetails switch).
Search-MailboxAuditLog -Identity MBX -LogonTypes Admin,Owner,Delegate -ShowDetails -StartDate "2/1/2014" -EndDate "2/10/2014" | ft Operation, OperationResult, LogonUserDisplayName, ItemSubject, LastAccessed -AutoSize
If there are results in the audit log, then why is the search-mailboxauditlog not presenting them even with the broadest search criteria? I have tried removing the start and end dates too but no luck.
Really frustrated with these half-baked features Microsoft puts into these products. Can someone help?
Hi,
In order to troubleshoot the issue more efficiently, I need to clarify some information.
1. Did the issue affect all users or only one specific user?
2. Have you tried to extract the result from ECP or using New-MailboxAuditLogSearch?
3. Is there any error message in the event log?
For this issue, could you please test again using this mailbox you mentioned above to check the result? I tested in my lab; search results are output after waiting for some time.
Best regards,
Belinda
Belinda Ma
TechNet Community Support
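Once the search returns entries, the question in the original post (who is deleting items) comes down to grouping the delete operations by user and logon type. The following is an added example, not code from the thread: `Get-DeletionSummary` is a hypothetical helper, the sample entries are constructed, and it assumes the `LogonType` property that `Search-MailboxAuditLog -ShowDetails` returns alongside the fields listed in the post.

```powershell
# Added example: summarise delete operations per user from audit entries.
# Input: objects with the properties Search-MailboxAuditLog -ShowDetails returns
# (Operation, LogonType, LogonUserDisplayName, LastAccessed).
function Get-DeletionSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Entry
    )
    begin {
        # The delete-type operations audited in the post above.
        $deleteOps = 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'
        $hits = @()
    }
    process {
        if ($deleteOps -contains "$($Entry.Operation)") { $hits += $Entry }
    }
    end {
        $hits | Group-Object LogonUserDisplayName, LogonType | ForEach-Object {
            $times = $_.Group | ForEach-Object { [datetime]$_.LastAccessed }
            New-Object PSObject -Property @{
                User        = $_.Group[0].LogonUserDisplayName
                LogonType   = "$($_.Group[0].LogonType)"
                Deletions   = $_.Count
                HardDeletes = @($_.Group | Where-Object { "$($_.Operation)" -eq 'HardDelete' }).Count
                LastSeen    = ($times | Sort-Object | Select-Object -Last 1)
                # Deletions by anyone other than the owner deserve a closer look.
                NonOwner    = ("$($_.Group[0].LogonType)" -ne 'Owner')
            }
        } | Select-Object User, LogonType, Deletions, HardDeletes, LastSeen, NonOwner |
            Sort-Object NonOwner, Deletions -Descending
    }
}

# Constructed sample entries (not real log data).
$entries = @(
    (New-Object PSObject -Property @{ Operation = 'SoftDelete'; LogonType = 'Owner'
        LogonUserDisplayName = 'Sample Owner'; LastAccessed = '2014-02-03 09:14:00' }),
    (New-Object PSObject -Property @{ Operation = 'HardDelete'; LogonType = 'Delegate'
        LogonUserDisplayName = 'Sample Delegate'; LastAccessed = '2014-02-04 16:40:00' }),
    (New-Object PSObject -Property @{ Operation = 'MoveToDeletedItems'; LogonType = 'Delegate'
        LogonUserDisplayName = 'Sample Delegate'; LastAccessed = '2014-02-06 08:02:00' }),
    (New-Object PSObject -Property @{ Operation = 'FolderBind'; LogonType = 'Admin'
        LogonUserDisplayName = 'Sample Admin'; LastAccessed = '2014-02-07 11:30:00' })
)

# Two rows: Sample Delegate (2 deletions, 1 hard delete, NonOwner) first,
# then Sample Owner (1 deletion). The FolderBind entry is ignored.
$entries | Get-DeletionSummary | Format-Table -AutoSize

# Live use in the Exchange Management Shell:
# Search-MailboxAuditLog -Identity MBX -LogonTypes Admin,Owner,Delegate -ShowDetails | Get-DeletionSummary
```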
Similar Messages
-
Search-MailboxAuditLog is empty - Mailbox Audit Logging not working in Exchange 2013 CU6 environment
Hello,
I activated Mailbox Audit Logging for Admin, delegate and owner with all supported operations (update, delete, etc.)
like mentioned here:
http://exchangeserverpro.com/using-exchange-server-2013-mailbox-audit-logging/
But also two days later (and also one Server reboot later) search-MailboxAuditLog is still empty.
any ideas how to fix this?
Best,
martin
Hi S.Nithyanandham,
i looked up the mailboxfolderstatistics. There are items in the folder:
[PS] C:\Windows\system32>Get-MailboxFolderStatistics mailboxname |where{$_.Name -like "*audit*"}
RunspaceId : a95e32b8-93c3-4330-8d42-45cade9d64d4
Date : 18.09.2014 16:35:20
Name : Audits
FolderPath : /Audits
FolderId : LgAAAADmBpGVdb8iQp3F89WOcmcHAQBpQNFODkTESLeLj74B887wAAAAAAESAAAB
FolderType : Audits
ItemsInFolder : 147
DeletedItemsInFolder : 0
FolderSize : 434.2 KB (444,649 bytes)
ItemsInFolderAndSubfolders : 147
DeletedItemsInFolderAndSubfolders : 0
FolderAndSubfolderSize : 434.2 KB (444,649 bytes)
OldestItemReceivedDate :
NewestItemReceivedDate :
OldestDeletedItemReceivedDate :
NewestDeletedItemReceivedDate :
OldestItemLastModifiedDate :
NewestItemLastModifiedDate :
OldestDeletedItemLastModifiedDate :
NewestDeletedItemLastModifiedDate :
ManagedFolder :
DeletePolicy :
ArchivePolicy :
TopSubject :
TopSubjectSize : 0 B (0 bytes)
TopSubjectCount : 0
TopSubjectClass :
TopSubjectPath :
TopSubjectReceivedTime :
TopSubjectFrom :
TopClientInfoForSubject :
TopClientInfoCountForSubject : 0
SearchFolders :
Identity : mailboxname\Audits
IsValid : True
ObjectState : New
What do you think?
Why can't I search and find these entries in the audit log?
best,
martin -
When enabling Mailbox Audit Logging would take effect?
I enabled Mailbox Audit Logging with the commands below, but found it can't take effect immediately (I have no idea if it needs some time for replication, or something else in the DC), even if I reboot the Exchange server.
So my question is: if I want to make "Mailbox Audit Logging" take effect immediately, what should I do?
Set-Mailbox -Identity "Ben Smith" -AuditEnabled $true
Set-Mailbox -Identity "Ben Smith" -AuditDelegate SendAs,SendOnBehalf ,,,,,,,,-AuditEnabled $true
Set-Mailbox -Identity "Ben Smith" -AuditAdmin MessageBind,FolderBind,,,,,,,, -AuditEnabled $true
Set-Mailbox -Identity "Ben Smith" -AuditOwner HardDelete,,,,,,,, -AuditEnabled $true
http://technet.microsoft.com/en-us/library/ff461937(v=exchg.141).aspx
Please click the Mark as Answer button if a post solves your problem!
In order to force auditing to run immediately (and be sure it does), you need a few things - you need only one domain controller, and you need to restart the Microsoft Exchange Active Directory Topology service (which will restart all Exchange services) on all of your Exchange servers. I highly recommend not doing either of these, since they will 1) reduce the availability of your Active Directory, and 2) take all your Exchange databases offline. Auditing will take effect in a short time period after being set, so all you can do is wait (unless you want to do the above). We do auditing on all our mailboxes and set them when we create the mailbox. That way, we don't need to worry about missing something because it wasn't enabled.
BTW, the above commands don't need all the extra commas, and if you are doing them on a single mailbox, they can be run as a single command:
Set-Mailbox -Identity "Ben Smith" -AuditDelegate SendAs,SendOnBehalf -AuditAdmin MessageBind,FolderBind -AuditOwner HardDelete -AuditEnabled $true -
Can we back up the mailbox audit log? These logs are stored in the recovery folder in each mailbox. Normally they should be backed up with the mailbox. How can we restore and query these logs after their audit age limit has expired?
Thanks.
Irfan
Irfan Goolab SALES ENGINEER (Microsoft UC) MCP, MCSA, MCTS, MCITP, MCT
Hi Irfan,
Based on my knowledge, you can refer to the following methods to back up the audit log:
1. Export mailbox audit logs:
https://technet.microsoft.com/en-us/library/jj150552(v=exchg.150).aspx
2. Audit logs can be found in the eventviewer under MSExchangeManagement, you can save it, as below:
Best regards,
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Niko Cheng
TechNet Community Support -
Can't enable mailbox audit logs
Hello!
I can't enable mailbox audit logs. I use the cmdlet Set-Mailbox -Identity "mailbox" -AuditEnabled $true and Get-Mailbox shows that audit is enabled. But when I check Get-Mailbox | Get-MailboxFolderStatistics there is no "Audit" subfolder, and all audit searches also return no results.
I am working now with several Exchange installations (five actually, and one is a brand-new test lab) and checked the same in each organization. The result was the same!
I am strongly sure I miss something important, could you point it out to me?
Hi,
Please use the following command to check the Mailbox Audit Logging action setting.
Get-Mailbox -Identity "username" | fl name,*audit*
Are there any administrator, delegate, and owner actions in the audit logging configuration for that mailbox? Please post them to check this issue.
If the settings above are configured correctly, only the administrator, delegate, and owner actions specified in the audit logging configuration for the mailbox are logged. And the “Audits” folder will show up after the administrator, delegate, and owner take the actions specified in the audit logging configuration.
By default, these actions in the audit logging configuration should be like this:
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner : {}
By the way, which command do you use to search the audit log?
Mailbox audit logging procedures
https://technet.microsoft.com/en-us/library/ff461939%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396
Best Regards.
Lynn-Li
TechNet Community Support -
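Because only the operations listed for each logon type are logged, checking the configuration first shows which actions will never reach the Audits folder, however long you wait. This is an added example, not code from the thread: `Get-MailboxAuditGap` is a hypothetical helper, and the sample objects are constructed from the settings quoted on this page.

```powershell
# Added example. Works on any object exposing the audit properties that
# Get-Mailbox returns (Name, AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner).
function Get-MailboxAuditGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Mailbox,

        # Operations that must be logged for every logon type
        # (here: the delete operations the first poster wants to track).
        [string[]]$RequiredOperation = @('MoveToDeletedItems', 'SoftDelete', 'HardDelete')
    )
    process {
        foreach ($logonType in 'Admin', 'Delegate', 'Owner') {
            # AuditAdmin / AuditDelegate / AuditOwner hold the logged operations.
            $configured = @($Mailbox."Audit$logonType" | ForEach-Object { "$_" })
            $missing = @($RequiredOperation | Where-Object { $configured -notcontains $_ })

            if (-not $Mailbox.AuditEnabled) {
                $reason = 'AuditEnabled is False: nothing is logged'
                $missing = $RequiredOperation
            } elseif ($missing.Count -gt 0) {
                $reason = 'Operation not in the audit list for this logon type'
            } else {
                continue   # this logon type is fully covered
            }

            New-Object PSObject -Property @{
                Mailbox   = $Mailbox.Name
                LogonType = $logonType
                Missing   = $missing -join ', '
                Reason    = $reason
            } | Select-Object Mailbox, LogonType, Missing, Reason
        }
    }
}

# Constructed sample objects. "Defaults" uses the default action lists quoted in
# the answer above; "MBX" uses the settings from the first post on this page.
$deletes = 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'
$samples = @(
    (New-Object PSObject -Property @{
        Name = 'Defaults'; AuditEnabled = $true
        AuditAdmin    = 'Update', 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete',
                        'FolderBind', 'SendAs', 'SendOnBehalf', 'Create'
        AuditDelegate = 'Update', 'SoftDelete', 'HardDelete', 'SendAs', 'Create'
        AuditOwner    = @()
    }),
    (New-Object PSObject -Property @{
        Name = 'MBX'; AuditEnabled = $true
        AuditAdmin = $deletes; AuditDelegate = $deletes; AuditOwner = $deletes
    }),
    (New-Object PSObject -Property @{
        Name = 'Disabled'; AuditEnabled = $false
        AuditAdmin = $deletes; AuditDelegate = $deletes; AuditOwner = @()
    })
)

# Defaults: Delegate lacks MoveToDeletedItems, Owner lacks all three.
# MBX: no rows. Disabled: one row per logon type.
$samples | Get-MailboxAuditGap | Format-Table -AutoSize

# Live use in the Exchange Management Shell:
# Get-Mailbox -Identity "username" | Get-MailboxAuditGap
```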
Hi!
We have two Exchange servers in our company, ex2010 and ex2013. I set the audit logging to true for some mailbox, but if I run a report at the ex2013 for a specific mailbox there is no data in the log. But if I run a report at the ex2010 ECP website I get information from the same mailbox (folderbind etc.). I tried running a report via shell at the ex2013: no data, same as the GUI. The specific mailboxes were migrated from ex2010 to ex2013.
Hi ToniSlow,
Thank you for your question.
We could run the following command to make sure the mailbox has been moved to Exchange 2013:
Get-Mailbox <username> | FL
Then we could check the item of “database” if this database is on Exchange 2013.
By my understanding, when we move mailbox to Exchange 2013, the mailbox audit logs for that mailbox are also moved because they're located in the mailbox.
If there are any questions regarding this issue, please be free to let me know.
Best Regard,
Jim
Jim Xu
TechNet Community Support -
Mailbox auditing log search only shows last 7 days
I have mailbox auditing turned on for a mailbox, and the audit log age limit is set to 90 days. When I run the non admin user access report however it only shows me auditing items for the past 7 days. If I go to PowerShell and run Search-MailboxAuditLog it shows the same 7 days. Any suggestions?
http://technet.microsoft.com/en-us/library/ff459237(v=exchg.150).aspx
Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are stored in the Audits subfolder of the audited mailbox Recoverable Items folder. This ensures that all audit logs are available from a single location, regardless of which client access method was used to access the mailbox or which server or workstation an administrator used to access the mailbox audit log. If you move a mailbox to another Mailbox server, the mailbox audit logs for that mailbox are also moved because they're located in the mailbox.
By default, mailbox audit log entries are retained in the mailbox for 90 days and then deleted. You can modify this retention period by using the AuditLogAgeLimit parameter with the Set-Mailbox cmdlet. If a mailbox is on In-Place Hold or litigation hold, audit log entries are only retained until the audit log retention period for the mailbox is reached. To retain audit log entries longer, you have to increase the retention period by changing the value for the AuditLogAgeLimit parameter, or export audit log entries before the retention period is reached.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
Hi,
I'm using the workflow application "Audit" as an activity in my custom workflow and I'm passing the required arguments.
In the workflow trace file, I can see that the Audit application is run using the passed parameters but no record is being created matching that information in the "log" table.
Any ideas/suggestions?
Thanks
Here is the trace for your information:
Resolved reference requesterWSUser = object
Assigning requesterFullName = Test1 Manager1
Action Set Audit Resources List
Result title set to 'Set Audit Resources List'
Evaluating XPRESS
Resolved reference approved = false
Resolved reference auditApps = [AD_Simulated]
Resolved reference auditApps = [AD_Simulated]
Assigning depApps = [AD_Simulated]
Action Audit
Result title set to 'Audit'
Iterating over depApps = [AD_Simulated]
Iteration 0
app = AD_Simulated
Argument op = audit
Argument type = User
Argument status = success
Argument action = View
Argument reason = User Access Recertification
Argument subject = TestManager1
Resolved reference user.waveset.organization = null
Resolved reference app = AD_Simulated
Resolved reference app = AD_Simulated
Argument resource = AD_Simulated
Resolved reference enduserId = testuser4
Argument accountId = testuser4
Resolved reference enduserView.accounts[Lighthouse].firstname = Test4
Resolved reference enduserView.accounts[Lighthouse].lastname = User4
Resolved reference enduserId = testuser4
Resolved reference requesterFullName = Test1 Manager1
Argument error = The access of the user Test4 User4(testuser4) has been recertified by Test1 Manager1
Calling application 'com.waveset.session.WorkflowServices'
Application requested argument op
Application requested argument logResultErrors
Application requested argument action
Application requested argument status
Application requested argument type
Application requested argument subject
Application requested argument name
Application requested argument resource
Application requested argument accountId
Application requested argument error
Application requested argument parameters
Application requested argument attributes
Application requested argument originalAttributes
Application requested argument overflowAttributes
Application requested argument auditableAttributesList
Application requested argument organizations
Step complete 'Audit'
Step inactive 'Display Message'
-------------------------------------------------------------------------
I agree with the anokun7. Check to make sure the action you are giving it is a valid one. (See IDM Workflow Forms and Views pdf and search for Action Names; it will give you a list of all the valid actions.) Also you can add your own attributes to the Audit object as well using the attributes variable. (It expects a map:
<map>
<s>Key</s>
<ref>value</ref>
</map>
Value can be a reference, or string, or however complex you want to make it.) Just be aware of what view (if any) is available at the time you call the audit. Hope this helps
Message was edited by:
dmac28
Oh yeah..The attributes will appear on the audit log reports, Based on what action and type you audited it will show up on that record. i.e Delete action, on Type User...that audit record will have a changes value which will have whatever attributes you passed to the audit object. -
Security Audit Log Not Displaying
Hi,
I have activated the following profile parameters in my instance profile:
rsau/enable = 1
rsau/max_diskspace/per_day = 0
rsau/selection_slots = 2
rsau/local/file = G:\usr\sap\D0\D00\log\++++++++.AUD
rsau/max_diskspace/per_file = 0
rsau/max_diskspace/local = 1000000
and activate 2 filters under static configuration in sm19. then i stop start the instance in sap console.
using sm20, there's no analysis data. there's no file in G:\usr\sap\D0\D00\log too.
Do I have to restart the whole server? or did i miss out anything?
Appreciate any guidelines.
Hi,
I don't know which is your operating system, but maybe SAP note 173743 is useful here.
Regards,
Désiré -
Ms-exchange 2013 audit logs retrieving in csv format not working?
I need help regarding pulling specific information from exchange 2013. The information pertains to mail-exchange audit logs. The exchange in my environment is ms-exchange 2013. Steps performed so far are:-
**step#1**
Create test Environment on Exchange Server 2010 and Active Directory:
Two Mailboxes for testing (with dummy email messages) (i.e., test-mailbox-1, test-mailbox-2)
Two Active Directory Accounts for testing (testAcct01, testAcct02)
Assign Permission to Test Mailboxes: Owner of Email Box test-mailbox-1: testAcct01, Owner of Email Box test-mailbox-2: testAcct02
**step 2**
Enable Mailbox Auditing on the test-mailbox-1:
Use EMS to enable mailbox auditing on mailbox: test-mailbox-1
Commands:
o Set-Mailbox -Identity "test-mailbox-1" -AuditDelegate Copy,Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
o Set-Mailbox -Identity "test-mailbox-1" -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
Note: You must have permission for Organization Management and Record Management if you want to enable mailbox auditing.
**step#3**
Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
Use EMS to verify the settings of mailbox auditing
Command:
o Get-Mailbox "test-mailbox-1" | Format-List *audit*
**step#4**
Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
Use EMS to verify the settings of mailbox auditing
Command:
o Get-Mailbox "test-mailbox-1" | Format-List *audit*
**step#5**
Perform test activities on mailbox “test-mailbox-1” using account id: testAcct02
For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc.
**step#6**
Perform test activities on mailbox “test-mailbox-1” using “Administrator” Account.
For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc.
**step#7**
Use EMS Cmdlet to retrieve Mailbox audit logs for mailbox “test-mailbox-1”
Command:
o Search-MailboxAuditLog -Identity test-mailbox-1 -LogonTypes Admin,Delegate -ShowDetails -StartDate mm/dd/2014 -EndDate mm/dd/2014 | Export-Csv "c:\test-Audit-Results.csv"
o New-MailboxAuditLogSearch "Admin and Delegate Access" -Mailboxes " test-mailbox-1" -LogonTypes Admin,Delegate -StartDate mm/dd/2014 -EndDate mm/dd/2014 -StatusMailRecipients [email protected]
I'm unable to go past step#7, as I see nothing in the csv file. I don't know why this is. Any help?
Hi,
I will perform these steps in my lab and paste the result.
Beg your patient waiting.
Thanks
Mavis
Mavis Huang
TechNet Community Support -
Hi All ,
Could you tell me how to clear Mailbox Admin Audit Logs for past days? I have disabled the audit logs for mailboxes, but I am still able to see the information in ECP about the last accessed mailboxes. I've also decreased the age limit of the mailbox, but the information is still reflected in ECP.
Set-Mailbox -Identity xxxx -AuditLogAgeLimit 0
Confirm
You've specified the mailbox audit log age limit of 0 for mailbox "XXXX". If you continue, all log entries will
be deleted. This change takes effect immediately.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): a
- Sivashankar. Please mark as answer/useful if my contribution is helpful
Hi,
I tested in my lab, it is the same with your result. As a workaround, since the mailbox audit log entries are stored in the Audits folder, we can use MFCMAPI to delete the Audits folder, which is a subfolder of the Recoverable Items folder.
Best regards,
Belinda
Belinda Ma
TechNet Community Support -
Unable to capture Exchange Mailbox Auditing events for email creation
We are looking to capture Owner mailbox auditing events using the native Exchange 2013 auditing tools (Search-MailboxAuditLog). I have auditing enabled with all actions for Owner, and capture items performed via Outlook, except for new emails created.
If I create new emails via OWA, I am able to capture the event, but as soon as I go back to Outlook and create a new message, I don’t see anything audited. I also tried this in our Dev environment and am seeing the same behavior. Has anyone else experienced this behavior?
Hi,
I have a test in my environment. If I create a message on Outlook as an owner, the mailbox audit logging can't record it.
If I create a message on Outlook as a delegate, when using the Search-MailboxAuditLog cmdlet to search the audit log, it will be displayed as follows:
The operation is "SendAs", not "Create".
Hope this can be helpful to you.
Best regards,
If you have feedback for TechNet Subscriber Support, contact
[email protected]
Amy Wang
TechNet Community Support -
How to enable the Exchange 2010 Admin Audit logs in Event Viewer
How to enable the Exchange 2010 Admin Audit(Mailbox Auditing) logs in Event Viewer.
- Sivashankar. Please mark as answer/useful if my contribution is helpful
Hi Siva,
We could execute the command below to view Administrator Audit Logging settings:
Get-AdminAuditLogConfig
If it is not enabled, please run the command below:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
In addition, here are some references for you to utilize this feature:
Configure Administrator Audit Logging :
http://technet.microsoft.com/en-us/library/dd335109(v=exchg.141).aspx
Search the Administrator Audit Log :
http://technet.microsoft.com/en-us/library/ff459262(v=exchg.141).aspx
Regards,
Rebecca Tu
TechNet Community Support -
Exchange 2010 Mailbox Auditing Owner Sent Items (Create)
I have activated the Mailbox auditing feature for a mailbox with "Set-mailbox -identity User1 -auditenabled $true | Set-Mailbox -Identity User1 -Auditowner harddelete,create". I need to audit sent items (create), but the Search command didn't show any results:
Search-Mailboxauditlog -Identity User1 -Logontypes Owner -Showdetails -Startdate 1/1/2014 -enddate 1/22/2014
Hi,
First, run the following command to verify that you have successfully enabled mailbox audit logging for a mailbox and specified the correct logging settings for owner access:
Get-Mailbox "User1" | Format-List *audit*
If all are right, please run the following command to search the result:
Search-MailboxAuditLog -Identity user1 -LogonTypes Owner -ShowDetails -StartDate 1/1/2014 -EndDate 1/22/2014 | Where-Object {$_.Operation -eq "Create"}
The following articles for your reference:
Mailbox Audit Logging
Exchange Server 2010 SP1 Mailbox Audit Logging Step by Step Guide
Hope this helps!
Thanks.
Niko Cheng
TechNet Community Support -
Exchange 2013 - Mailbox Auditing
Hi all,
Like to check what is the event id that will appear on Windows Event Viewer when a mailbox is access by someone else?
For exchange 2007, the event id is 10100. I cannot seems to find the id for 2013 on the net.
Also, if I wish to monitor exchange administrator if they are accessing any other person's mailbox,
Would this power shell command be enough to turn on what I wish to monitor?
Set-Mailbox -AuditEnabled:$true
Thanks!
Zack
Hi Zack,
Thank you for your question.
Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are stored in the Recoverable Items folder in the audited mailbox, in the Audits subfolder. By default, mailbox audit log entries are retained in the mailbox for 90 days and then deleted. We could modify this retention period by using the AuditLogAgeLimit parameter with the Set-Mailbox cmdlet. We could use the following command to enable mailbox audit logging:
Set-Mailbox -Identity <Username/Email address> -AuditEnabled $true
To verify that we have successfully enabled mailbox audit logging for a mailbox and specified the correct logging settings for administrator, delegate, or owner access, use the Get-Mailbox cmdlet to retrieve the mailbox audit logging settings for that mailbox.
This example retrieves Ben Smith’s mailbox settings and pipes the specified audit settings, including the audit log age limit, to the Format-List cmdlet.
Get-Mailbox "Ben Smith" | Format-List *audit*
The more details will be referred by the following link:
https://technet.microsoft.com/en-us/library/ff459237(v=exchg.150).aspx
If there are any questions regarding this issue, please be free to let me know.
Best Regard,
Jim
Jim Xu
TechNet Community Support