Exchange 2010 brings a new feature to the table: administrator audit logging, which records the cmdlets run against your messaging environment. Because the Exchange Management Console, the Exchange Management Shell and the Exchange Control Panel all execute cmdlets through Remote PowerShell, an action is logged no matter which of the three it was performed in. The “Get” cmdlets, which only read data, are not logged; recording them would add little and would generate an enormous volume of entries every day. This gives your manager (who may not be technical) the facility to trace back who changed what, and when.
The following steps need to be completed before the feature becomes useful. The cmdlet we use for most of these settings is Set-AdminAuditLogConfig.
- Configure a dedicated mailbox for storing all audit logs. Whenever an action is audited, the full details are logged and sent as an email message to this mailbox. Access to this mailbox has to be tightly controlled: the audit trail is only as trustworthy as the permissions on the mailbox, since anyone with Full Access to it can read or delete the evidence.
- The auditing feature needs to be enabled.
- Configure the audit agent to send logs to the audit mailbox.
- The cmdlets to be audited need to be configured, if you don’t want to audit everything.
- The parameters to be audited need to be configured.
The first step can be accomplished by creating a mailbox with a suitable name (say “Audit Mailbox”), hiding it from the address lists and granting access only to the people who are allowed to review the logs.
Admin auditing is disabled by default. Run Get-AdminAuditLogConfig | fl to confirm.
In order to enable auditing, run the following cmdlet.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
Run the following cmdlet to configure the auditing agent to send logs to “Audit Mailbox”. (This parameter belongs to the Exchange 2010 RTM release; Service Pack 1 stores the entries in an arbitration mailbox instead and they are retrieved with Search-AdminAuditLog.)
Set-AdminAuditLogConfig -AdminAuditLogMailbox "AuditMailbox@Hew10.local"
You can audit the cmdlets of your choice. The default value of “*” audits every cmdlet; if you supply a list instead, only cmdlets matching that list are logged and everything else goes unrecorded, so narrow it deliberately. For example, in order to audit any changes made to mailbox and transport features, we can use the wildcards *Mailbox* and *Transport*. Run the cmdlet below to audit just these cmdlets.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets "*Mailbox*", "*Transport*"
In the same way, you can select the parameters of your choice; again the default “*” covers all parameters, and a narrower list means a cmdlet is logged only when it is run with one of the listed parameters. Run the cmdlet below to audit the parameters Database and Server.
Set-AdminAuditLogConfig -AdminAuditLogParameters "Database", "Server"
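Putting the steps above together, here is an added example of the whole procedure as you would type it into the Exchange Management Shell. It is not taken from the original post: the mailbox database name “MBX01”, the OU “Hew10.local/Users”, the security group “Hew10\Audit Log Readers” and the verification check at the end are my own assumptions; the mailbox name, the address AuditMailbox@Hew10.local and the cmdlet and parameter filters are the ones used above.

```powershell
# Added example: configure Exchange 2010 (RTM) admin audit logging end to end.
# Assumed for illustration: database "MBX01", OU "Hew10.local/Users",
# security group "Hew10\Audit Log Readers". Run in the Exchange Management Shell.

# 1. Create the dedicated audit mailbox. The password is random and never
#    handed out: nobody should ever log on *as* this mailbox.
$randomPassword = ConvertTo-SecureString -String ([Guid]::NewGuid().ToString()) -AsPlainText -Force
New-Mailbox -Name "Audit Mailbox" -Alias AuditMailbox `
    -UserPrincipalName "AuditMailbox@Hew10.local" `
    -OrganizationalUnit "Hew10.local/Users" `
    -Database "MBX01" `
    -Password $randomPassword -ResetPasswordOnNextLogon $false

# 2. Restrict access. Hide the mailbox from the address lists, refuse
#    unauthenticated (external) senders so nobody can inject fake "audit"
#    messages from outside, and grant Full Access only to the reviewer group.
Set-Mailbox -Identity "Audit Mailbox" `
    -HiddenFromAddressListsEnabled $true `
    -RequireSenderAuthenticationEnabled $true
Add-MailboxPermission -Identity "Audit Mailbox" `
    -User "Hew10\Audit Log Readers" -AccessRights FullAccess -InheritanceType All

# 3. Turn auditing on and point the audit agent at the mailbox.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
Set-AdminAuditLogConfig -AdminAuditLogMailbox "AuditMailbox@Hew10.local"

# 4. Scope what is audited. The default for both settings is "*" (everything).
#    Narrowing them as below means anything outside the lists is NOT recorded;
#    replace the lists with "*" if you want the complete trail.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets "*Mailbox*", "*Transport*"
Set-AdminAuditLogConfig -AdminAuditLogParameters "Database", "Server"

# 5. Verify the result instead of assuming it took effect.
$cfg = Get-AdminAuditLogConfig
$cfg | Format-List AdminAuditLogEnabled, AdminAuditLogMailbox, AdminAuditLogCmdlets, AdminAuditLogParameters
if (-not $cfg.AdminAuditLogEnabled) {
    Write-Warning "Admin audit logging is still disabled."
}
if (-not $cfg.AdminAuditLogMailbox) {
    Write-Warning "No audit mailbox is configured; audited cmdlets have nowhere to go."
}
```

The two warnings at the end are the minimum check worth scripting: an audit configuration that is enabled but has no destination mailbox, or a destination mailbox with auditing switched off, silently produces no trail at all.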
For a demonstration of the admin logging feature, I have created a new mailbox named “Audit Test”.
Logging into the “Audit Mailbox” using OWA shows me a new email with detailed information on the task (creating the mailbox) that I had just completed.
The subject of the email specifies the user account that ran the cmdlet and the cmdlet that was executed.
The Run Date in the email shows the date and time when the cmdlet was run. The log also shows whether the cmdlet completed successfully.
Next time you do something, beware! The auditing might be enabled!