Mailbox audit log - Not searchable

Exchange 2010 SP2 RU7
I enabled audit on one mailbox using the Set-Mailbox cmdlet. Here is the audit-specific o/p from the mailbox,
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Move, MoveToDeletedItems, SoftDelete, HardDelete}
AuditDelegate : {Move, MoveToDeletedItems, SoftDelete, HardDelete}
AuditOwner : {Move, MoveToDeletedItems, SoftDelete, HardDelete}
I am trying to track who is deleting objects from the mailbox, so I tested whether auditing is actually logging anything by deleting three items at different times from the mailbox. Then I run another cmdlet to test whether an audit folder is there and what its contents are,
PS C:\temp\ps> Get-MailboxFolderStatistics -Identity "MBX" | ? {$_.Name -eq "Audits" -and $_.FolderType -eq "Audits"} | Format-Table Identity, ItemsInFolder, FolderSize -AutoSize
Identity ItemsInFolder FolderSize
MBX\Audits 3 5.918 KB (6,060 bytes)
Sure enough there are 3 items in there meaning it's auditing those deletions. BUT when I try to search the audit logs using the below command, I get no results (YES I am using the -ShowDetails switch).
Search-MailboxAuditLog -Identity MBX -LogonTypes Admin,Owner,Delegate -ShowDetails -StartDate "2/1/2014" -EndDate "2/10/2014" | ft Operation, OperationResult, LogonUserDisplayName, ItemSubject, LastAccessed -AutoSize
If there are results in the audit log, then why is the search-mailboxauditlog not presenting them even with the broadest search criteria? I have tried removing the start and end dates too but no luck.
Really frustrated with these half-baked features Microsoft puts into these products. Can someone help?

Hi,
In order to troubleshoot the issue more efficiently, I need to clarify some information.
1. Did the issue affect all users or only one specific user?
2. Have you tried to extract the result from ECP or using New-MailboxAuditLogSearch?
3. Is there any error message in the event log?
For this issue, could you please test again using this mailbox you mentioned above to check the result? I tested in my lab; search results are output after waiting for some time.
Best regards,
Belinda
Belinda Ma
TechNet Community Support
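
The checks discussed in this thread (audit settings, item count of the Audits folder, synchronous search, and the New-MailboxAuditLogSearch fallback suggested in the reply) can be combined into one triage function. This is an added example, not code from the thread or from Microsoft; the function name Test-MailboxAuditSearch and its parameters are hypothetical, and only cmdlets and parameters that appear on this page or in the Exchange Management Shell are used.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.
# Test-MailboxAuditSearch is a hypothetical helper name. It avoids PowerShell 3.0
# syntax so it also runs on the PowerShell 2.0 host used by Exchange 2010.
function Test-MailboxAuditSearch {
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,
        # DateTime objects avoid locale-dependent parsing of strings like "2/10/2014".
        [datetime] $StartDate = (Get-Date).AddDays(-7),
        [datetime] $EndDate   = (Get-Date).AddDays(1),
        # Optional: recipient for an asynchronous search when the direct search is empty.
        [string] $StatusMailRecipient
    )

    # 1. Audit settings as stored on the mailbox.
    $mbx = Get-Mailbox -Identity $Identity

    # 2. Item count of the Audits folder, using the same filter as the question.
    $folder = Get-MailboxFolderStatistics -Identity $Identity |
        Where-Object { $_.Name -eq 'Audits' -and $_.FolderType -eq 'Audits' }
    $stored = 0
    if ($folder) { $stored = [int]$folder.ItemsInFolder }

    # 3. Synchronous search across all three logon types.
    $entries = @(Search-MailboxAuditLog -Identity $Identity `
        -LogonTypes Admin, Delegate, Owner -ShowDetails `
        -StartDate $StartDate -EndDate $EndDate -ResultSize 1000)

    # 4. Classify the combination of the three observations.
    if (-not $mbx.AuditEnabled) {
        $verdict = 'AuditEnabled is False: nothing is being logged.'
    } elseif ($stored -eq 0) {
        $verdict = 'No items in Audits: no audited action has been recorded yet.'
    } elseif ($entries.Count -eq 0) {
        $verdict = 'Items are stored but the search is empty: widen the date range, retry later, or use the asynchronous search.'
    } else {
        $verdict = 'Search returns stored entries.'
    }

    # 5. Fallback from the reply: queue an asynchronous search that is mailed out.
    #    Logon types match the New-MailboxAuditLogSearch call shown on this page.
    $queued = $false
    if ($entries.Count -eq 0 -and $stored -gt 0 -and $StatusMailRecipient) {
        New-MailboxAuditLogSearch -Name "Audit triage $Identity" `
            -Mailboxes $Identity -LogonTypes Admin, Delegate `
            -StartDate $StartDate -EndDate $EndDate `
            -StatusMailRecipients $StatusMailRecipient | Out-Null
        $queued = $true
    }

    # Summary object: configuration, stored count, returned count, breakdown.
    New-Object PSObject -Property @{
        Mailbox         = $mbx.Name
        AuditEnabled    = $mbx.AuditEnabled
        AuditOwner      = $mbx.AuditOwner
        AuditDelegate   = $mbx.AuditDelegate
        AuditAdmin      = $mbx.AuditAdmin
        ItemsInAudits   = $stored
        EntriesReturned = $entries.Count
        ByOperation     = $entries | Group-Object LogonType, Operation |
                              Select-Object Name, Count
        AsyncQueued     = $queued
        Verdict         = $verdict
    }
}

# "MBX" is the mailbox identity used in the question above.
Test-MailboxAuditSearch -Identity "MBX" | Format-List
```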

Similar Messages

  • Search-MailboxAuditLog is empty - Mailbox Audit Logging not working in Exchange 2013 CU6 environment

    Hello,
    I activated Mailbox Audit Logging for Admin, Delegate and Owner with all supported operations (update, delete, etc.)
    like mentioned here:
    http://exchangeserverpro.com/using-exchange-server-2013-mailbox-audit-logging/
    But also two days later (and also one Server reboot later) search-MailboxAuditLog is still empty.
    any ideas how to fix this?
    Best,
    martin

    Hi S.Nithyanandham,
    I looked up the mailboxfolderstatistics. There are items in the folder:
    [PS] C:\Windows\system32>Get-MailboxFolderStatistics mailboxname |where{$_.Name -like "*audit*"}
    RunspaceId : a95e32b8-93c3-4330-8d42-45cade9d64d4
    Date : 18.09.2014 16:35:20
    Name : Audits
    FolderPath : /Audits
    FolderId : LgAAAADmBpGVdb8iQp3F89WOcmcHAQBpQNFODkTESLeLj74B887wAAAAAAESAAAB
    FolderType : Audits
    ItemsInFolder : 147
    DeletedItemsInFolder : 0
    FolderSize : 434.2 KB (444,649 bytes)
    ItemsInFolderAndSubfolders : 147
    DeletedItemsInFolderAndSubfolders : 0
    FolderAndSubfolderSize : 434.2 KB (444,649 bytes)
    OldestItemReceivedDate :
    NewestItemReceivedDate :
    OldestDeletedItemReceivedDate :
    NewestDeletedItemReceivedDate :
    OldestItemLastModifiedDate :
    NewestItemLastModifiedDate :
    OldestDeletedItemLastModifiedDate :
    NewestDeletedItemLastModifiedDate :
    ManagedFolder :
    DeletePolicy :
    ArchivePolicy :
    TopSubject :
    TopSubjectSize : 0 B (0 bytes)
    TopSubjectCount : 0
    TopSubjectClass :
    TopSubjectPath :
    TopSubjectReceivedTime :
    TopSubjectFrom :
    TopClientInfoForSubject :
    TopClientInfoCountForSubject : 0
    SearchFolders :
    Identity : mailboxname\Audits
    IsValid : True
    ObjectState : New
    What do you think?
    Why can't I search and find these entries in the audit log?
    best, 
    martin

  • When enabling Mailbox Audit Logging would take effect?

    I enabled Mailbox Audit Logging with the commands below, but found it can't take effect
    immediately (I have no idea whether it needs some time for replication, or something else in the DC), even after I rebooted the Exchange server.
    So my question is: if I want to make "Mailbox Audit Logging" take effect immediately, what should I do?
    Set-Mailbox -Identity "Ben Smith" -AuditEnabled $true
    Set-Mailbox -Identity "Ben Smith" -AuditDelegate SendAs,SendOnBehalf ,,,,,,,,-AuditEnabled $true
    Set-Mailbox -Identity "Ben Smith" -AuditAdmin MessageBind,FolderBind,,,,,,,, -AuditEnabled $true
    Set-Mailbox -Identity "Ben Smith" -AuditOwner HardDelete,,,,,,,, -AuditEnabled $true
    http://technet.microsoft.com/en-us/library/ff461937(v=exchg.141).aspx
    Please click the Mark as Answer button if a post solves your problem!

    In order to force auditing to run immediately (and be sure it does), you need a few things - you need only one domain controller, and you need to restart the Microsoft Exchange Active Directory Topology service (which will restart all Exchange services)
    on all of your Exchange servers.  I highly recommend not doing either of these, since they will 1) reduce the availability of your Active Directory, and 2) take all your Exchange databases offline.  Auditing will take effect in a short time period
    after being set, so all you can do is wait (unless you want to do the above).  We do auditing on all our mailboxes and set them when we create the mailbox.  That way, we don't need to worry about missing something because it wasn't enabled.
    BTW, the above commands don't need all the extra commas, and if you are doing them on a single mailbox, they can be run as a single command:
    Set-Mailbox -Identity "Ben Smith" -AuditDelegate SendAs,SendOnBehalf -AuditAdmin MessageBind,FolderBind -AuditOwner HardDelete -AuditEnabled $true

  • Mailbox Audit Log

    Can we back up the mailbox audit log? These logs are stored in the recovery folder in each mailbox. Normally it should be backed up with the mailbox. How can we restore and query these logs after their audit age limit has expired?
    Thanks.
    Irfan
    Irfan Goolab SALES ENGINEER (Microsoft UC) MCP, MCSA, MCTS, MCITP, MCT

    Hi Irfan,
    Based on my knowledge, you can refer to the following methods to back up the audit log:
    1. Export mailbox audit logs:
    https://technet.microsoft.com/en-us/library/jj150552(v=exchg.150).aspx
    2.  Audit logs can be found in the eventviewer under MSExchangeManagement, you can save it, as below:
    Best regards,
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Niko Cheng
    TechNet Community Support

  • Can't enable mailbox audit logs

    Hello!
    I can't enable mailbox audit logs. I use the cmdlet Set-Mailbox -Identity "mailbox" -AuditEnabled $true and Get-Mailbox shows that
    audit is enabled. But when I check Get-Mailbox | Get-MailboxFolderStatistics there is no "Audit" subfolder, and all audit searches also return no results.
    I am working now with several Exchange installations (five actually, and one is a brand-new test lab) and checked the same in each organization. The result was the same!
    I am strongly sure I am missing something important; could you point it out to me?

    Hi,
    Please use the following command to check the Mailbox Audit Logging action setting.
    Get-Mailbox -Identity "username" | fl name,*audit*
    Are there any administrator, delegate, and owner actions in the audit logging configuration for that mailbox? Please post them to check this issue.
    If the settings above are configured correctly, only the administrator, delegate, and owner actions specified in the audit logging configuration for the mailbox are logged. And the “Audits” folder will show up after the administrator, delegate,
    and owner take the actions specified in the audit logging configuration.
    By default, these actions in the audit logging configuration should be like this:
    AuditAdmin        : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
    AuditDelegate   : {Update, SoftDelete, HardDelete, SendAs, Create}
    AuditOwner        : {}
    By the way, which command do you use to search the audit log?
    Mailbox audit logging procedures
    https://technet.microsoft.com/en-us/library/ff461939%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396
    Best Regards.
    Lynn-Li
    TechNet Community Support

  • Mailbox audit logging

    Hi!
    We have two Exchange servers in our company, ex2010 and ex2013. I set audit logging to true for some mailboxes, but if I run a report on the ex2013 for a specific mailbox, there is no data in the log. But if I run a report on the ex2010 ECP website, I get information
    from the same mailbox (FolderBind etc.). I tried running a report via the shell on the ex2013: no data, same as the GUI. The specific mailboxes were migrated from ex2010 to ex2013.

    Hi ToniSlow,
    Thank you for your question.
    We could run the following command to make sure the mailbox has been moved to Exchange 2013:
    Get-Mailbox <username> | FL
    Then we could check the item of “database” if this database is on Exchange 2013.
    By my understanding, when we move mailbox to Exchange 2013, the mailbox audit logs for that mailbox are also moved because they're located in the mailbox.
    If there are any questions regarding this issue, please be free to let me know. 
    Best Regard,
    Jim
    Jim Xu
    TechNet Community Support

  • Mailbox auditing log search only shows last 7 days

    I have mailbox auditing turned on for a mailbox, and the audit log age limit is set to 90 days. When I run the non-admin user access report, however, it only shows me auditing items for the past 7 days. If I go to PowerShell and run Search-MailboxAuditLog,
    it shows the same 7 days. Any suggestions?

    http://technet.microsoft.com/en-us/library/ff459237(v=exchg.150).aspx
    Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are stored in the Audits subfolder of the audited mailbox Recoverable Items folder. This ensures that all audit logs are available from a single location,
    regardless of which client access method was used to access the mailbox or which server or workstation an administrator used to access the mailbox audit log. If you move a mailbox to another Mailbox server, the mailbox audit logs for that mailbox are also
    moved because they're located in the mailbox.
    By default, mailbox audit log entries are retained in the mailbox for 90 days and then deleted. You can modify this retention period by using the AuditLogAgeLimit parameter with the Set-Mailbox cmdlet. If a mailbox is on In-Place Hold or litigation hold, audit log entries are only retained until the audit log retention period for the mailbox is reached. To retain audit log entries longer, you have to increase the retention period by changing the value for the AuditLogAgeLimit parameter, or export audit log entries before the retention period is reached.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Audit Log Not Being Created

    Hi,
    I'm using the workflow application "Audit" as an activity in my custom workflow and I'm passing the required arguments.
    In the workflow trace file, I can see that the Audit application is run using the passed parameters but no record is being created matching that information in the "log" table.
    Any ideas/suggestions?
    Thanks
    Here is the trace for your information:
    Resolved reference requesterWSUser = object
    Assigning requesterFullName = Test1 Manager1
    Action Set Audit Resources List
    Result title set to 'Set Audit Resources List'
    Evaluating XPRESS
    Resolved reference approved = false
    Resolved reference auditApps = [AD_Simulated]
    Resolved reference auditApps = [AD_Simulated]
    Assigning depApps = [AD_Simulated]
    Action Audit
    Result title set to 'Audit'
    Iterating over depApps = [AD_Simulated]
    Iteration 0
    app = AD_Simulated
    Argument op = audit
    Argument type = User
    Argument status = success
    Argument action = View
    Argument reason = User Access Recertification
    Argument subject = TestManager1
    Resolved reference user.waveset.organization = null
    Resolved reference app = AD_Simulated
    Resolved reference app = AD_Simulated
    Argument resource = AD_Simulated
    Resolved reference enduserId = testuser4
    Argument accountId = testuser4
    Resolved reference enduserView.accounts[Lighthouse].firstname = Test4
    Resolved reference enduserView.accounts[Lighthouse].lastname = User4
    Resolved reference enduserId = testuser4
    Resolved reference requesterFullName = Test1 Manager1
    Argument error = The access of the user Test4 User4(testuser4) has been recertified by Test1 Manager1
    Calling application 'com.waveset.session.WorkflowServices'
    Application requested argument op
    Application requested argument logResultErrors
    Application requested argument action
    Application requested argument status
    Application requested argument type
    Application requested argument subject
    Application requested argument name
    Application requested argument resource
    Application requested argument accountId
    Application requested argument error
    Application requested argument parameters
    Application requested argument attributes
    Application requested argument originalAttributes
    Application requested argument overflowAttributes
    Application requested argument auditableAttributesList
    Application requested argument organizations
    Step complete 'Audit'
    Step inactive 'Display Message'
    -------------------------------------------------------------------------

    I agree with anokun7. Check to make sure the action you are giving it is a valid one. (See the IDM Workflow Forms and Views PDF and search for Action Names; it will give you a list of all the valid actions.) Also, you can add your own attributes to the Audit object using the attributes variable. It expects a map:
    <map>
    <s>Key</s>
    <ref>value</ref>
    </map>
    Value can be a reference, or string, or however complex you want to make it. Just be aware of what view (if any) is available at the time you call the audit. Hope this helps
    Message was edited by:
    dmac28
    Oh yeah..The attributes will appear on the audit log reports, Based on what action and type you audited it will show up on that record. i.e Delete action, on Type User...that audit record will have a changes value which will have whatever attributes you passed to the audit object.

  • Security Audit Log Not Displaying

    Hi,
    I have activated the following profile parameters in my instance profile:
    rsau/enable = 1
    rsau/max_diskspace/per_day = 0
    rsau/selection_slots = 2
    rsau/local/file = G:\usr\sap\D0\D00\log\++++++++.AUD
    rsau/max_diskspace/per_file = 0
    rsau/max_diskspace/local = 1000000
    and activated 2 filters under static configuration in SM19. Then I stopped and started the instance in the SAP console.
    Using SM20, there's no analysis data. There's no file in G:\usr\sap\D0\D00\log either.
    Do I have to restart the whole server? Or did I miss anything?
    Appreciate any guidelines.

    Hi,
    I don't know which is your operating system, but maybe SAP note 173743 is useful here.
    Regards,
    Désiré

  • Ms-exchange 2013 audit logs retrieving in csv format not working?

    I need help regarding pulling specific information from exchange 2013. The information pertains to mail-exchange audit logs. The exchange in my environment is ms-exchange 2013. Steps performed so far are:-
    **step#1**
        Create test Environment on Exchange Server 2010 and Active Directory:
        Two Mailboxes for testing (with dummy email messages) (i.e., test-mailbox-1, test-mailbox-2)
        Two Active Directory Accounts for testing (testAcct01, testAcct02)
        Assign Permission to Test Mailboxes: Owner of Email Box test-mailbox-1: testAcct01, Owner of Email Box test-mailbox-2: testAcct02
    **step 2**
        Enable Mailbox Auditing on the test-mailbox-1:
        Use EMS to enable mailbox auditing on mailbox: test-mailbox-1
        Commands: 
        o Set-Mailbox -Identity "test-mailbox-1" -AuditDelegate Copy,Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
        o Set-Mailbox -Identity "test-mailbox-1" -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update -AuditEnabled $true
        Note: You must have permission for Organization Management and Record Management if you want to enable mailbox auditing.
    **step#3**
        Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
         Use EMS to verify the settings of mailbox auditing
        Command:
        o Get-Mailbox "test-mailbox-1" | Format-List *audit*
    **step#4**
        Verify that the Mailbox Auditing is Successfully enabled for mailbox: test-mailbox-1:
        Use EMS to verify the settings of mailbox auditing
        Command:
        o Get-Mailbox "test-mailbox-1" | Format-List *audit*
    **step#5**
        Perform  test activities on mailbox “test-mailbox-1” using account id: testAcct02
        For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc. 
    **step#6**
        Perform test activities on mailbox “test-mailbox-1” using “Administrator” Account.
        For Example: Access Inbox folder, move items from one folder to another folder, delete items, read messages, send email using SendAs and SendOnBehalf, create new folder, copy email items etc.
    **step#7**
        Use EMS Cmdlet to retrieve Mailbox audit logs for mailbox “test-mailbox-1”
        Command:
        o Search-MailboxAuditLog -Identity test-mailbox-1 -LogonTypes Admin,Delegate -ShowDetails -StartDate mm/dd/2014 -EndDate mm/dd/2014 | Export-Csv "c:\test-Audit-Results.csv"
        o New-MailboxAuditLogSearch "Admin and Delegate Access" -Mailboxes "test-mailbox-1" -LogonTypes Admin,Delegate -StartDate mm/dd/2014 -EndDate mm/dd/2014 -StatusMailRecipients [email protected]
    I'm unable to go past step#7, as I see nothing in the CSV file. I don't know why this is. Any help?

    Hi,
    I will perform these steps in my lab and paste the result.
    Beg your patient waiting.
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Mailbox Admin Audit Logs

    Hi All ,
    Could you tell me how to clear Mailbox Admin Audit Logs for past days? I have disabled the audit logs for mailboxes, but I am still able to see the information in ECP about the last mailboxes accessed. I've also decreased the age limit
    of the mailbox, but the information is still reflected in ECP.
    Set-Mailbox -Identity xxxx -AuditLogAgeLimit 0
    Confirm
    You've specified the mailbox audit log age limit of 0 for mailbox "XXXX". If you continue, all log entries will
    be deleted. This change takes effect immediately.
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): a
    - Sivashankar. Please mark as answer/useful if my contribution is helpful

    Hi,
    I tested in my lab, and it is the same as your result. As a workaround, since the mailbox audit log entries are stored in the Audits folder, we can use MFCMAPI to delete the Audits folder, which is a subfolder of the Recoverable Items folder.
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • Unable to capture Exchange Mailbox Auditing events for email creation

    We are looking to capture Owner mailbox auditing events using the native Exchange 2013 auditing tools (Search-MailboxAuditLog). I have auditing enabled with all actions for Owner, and capture items performed via Outlook, except for new emails created.
    If I create new emails via OWA, I am able to capture the event, but as soon as I go back to Outlook and create a new message, I don't see anything audited. I also tried this in our Dev environment and am seeing the same behavior. Has anyone else experienced this
    behavior?

    Hi,
    I have a test in my environment. If I create a message on Outlook as an owner, the mailbox audit logging can't record it.
    If I create a message on Outlook as a delegate, when using the Search-MailboxAuditLog cmdlet to search the audit log, it will be displayed as follows:
    The operation is "SendAs", not "Create".
    Hope this can be helpful to you.
    Best regards,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Amy Wang
    TechNet Community Support

  • How to enable the Exchange 2010 Admin Audit logs in Event Viewer

    How to enable the Exchange 2010 Admin Audit(Mailbox Auditing) logs in Event Viewer.
    - Sivashankar. Please mark as answer/useful if my contribution is helpful

    Hi Siva,
    We could execute the command below to view Administrator Audit Logging settings:
    Get-AdminAuditLogConfig
    If it is not enabled, please run the command below:
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
    In addition, here are some references for you to utilize this feature:
    Configure Administrator Audit Logging :
    http://technet.microsoft.com/en-us/library/dd335109(v=exchg.141).aspx
    Search the Administrator Audit Log :
    http://technet.microsoft.com/en-us/library/ff459262(v=exchg.141).aspx
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Exchange 2010 Mailbox Auditing Owner Sent Items (Create)

    I have activated the Mailbox auditing feature for a mailbox with "Set-mailbox -identity User1 -auditenabled $true | Set-Mailbox -Identity User1 -Auditowner harddelete,create". I need to audit sent items (create), but the Search command didn't show
    any results:
    Search-Mailboxauditlog -Identity User1 -Logontypes Owner -Showdetails -Startdate 1/1/2014 -enddate 1/22/2014

    Hi,
    First, run the following command to verify that you have successfully enabled mailbox audit logging for a mailbox and specified the correct logging settings for owner access:
    Get-Mailbox "User1" | Format-List *audit*
    If all are right, please run the following command to search the result:
    Search-MailboxAuditLog -Identity user1 -LogonTypes Owner -ShowDetails -StartDate 1/1/2014 -EndDate 1/22/2014 | Where-Object {$_.Operation -eq "Create"}
    The following articles for your reference:
    Mailbox Audit Logging
    Exchange Server 2010 SP1 Mailbox Audit Logging Step by Step Guide
    Hope this helps!
    Thanks.
    Niko Cheng
    TechNet Community Support

  • Exchange 2013 - Mailbox Auditing

    Hi all,
    I'd like to check what event ID will appear in Windows Event Viewer when a mailbox is accessed by someone else.
    For Exchange 2007, the event ID is 10100. I cannot seem to find the ID for 2013 on the net.
    Also, if I wish to monitor whether Exchange administrators are accessing any other person's mailbox,
    would this PowerShell command be enough to turn on what I wish to monitor?
    Set-Mailbox -AuditEnabled:$true
    Thanks!
    Zack

    Hi Zack,
    Thank you for your question.
    Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are stored in the Recoverable Items folder in the audited mailbox, in the Audits subfolder. By default, mailbox audit log entries are retained in the mailbox
    for 90 days and then deleted. We could modify this retention period by using the AuditLogAgeLimit parameter with the Set-Mailbox cmdlet. We could use the following command to enable mailbox audit logging:
    Set-Mailbox -Identity <Username/Email address> -AuditEnabled $true
    To verify that we have successfully enabled mailbox audit logging for a mailbox and specified the correct logging settings for administrator, delegate, or owner access, use the Get-Mailbox cmdlet to retrieve the mailbox audit logging settings for that mailbox.
    This example retrieves Ben Smith’s mailbox settings and pipes the specified audit settings, including the audit log age limit, to the Format-List cmdlet.
    Get-Mailbox "Ben Smith" | Format-List *audit*
    The more details will be referred by the following link:
    https://technet.microsoft.com/en-us/library/ff459237(v=exchg.150).aspx
    If there are any questions regarding this issue, please be free to let me know. 
    Best Regard,
    Jim
    Jim Xu
    TechNet Community Support
