Mailbox Audit Logging – Enable and Search Logs

Mailbox Audit Logging

Have you ever received reports of strange mailbox behavior, for example users stating that mails were deleted without any action on the part of the mailbox owner? In cases like this you will be glad to have Mailbox Audit Logging enabled on the affected mailbox. Keep in mind that the log only covers actions performed after auditing was switched on: enabling it after the incident tells you nothing about what already happened, so it pays to enable it proactively on sensitive mailboxes.

This post is about how to enable Mailbox Audit Logging on a certain mailbox and configure the auditing parameters to provide the most relevant insights. Let’s get to the point straight away:

 

1 -Enable Mailbox Audit Logging on a mailbox

Check the audit status on a certain mailbox:

get-mailbox -Identity MailboxName | select PrimarySmtpAddress, *audit* | fl

In the screenshots below the mailbox intern@testlab.local is used as -Identity; substitute the alias, UPN or SMTP address of the mailbox you are investigating for MailboxName.
The output shows that Mailbox Audit Logging is not enabled on this mailbox:
(Screenshot: Mailbox Audit Logging disabled, AuditEnabled is False)

Enable Mailbox Audit Logging:

get-mailbox -Identity MailboxName | Set-Mailbox -AuditEnabled $True

When you check the status again using the first command it will show AuditEnabled as True now.
The operations audited by default for owner, delegate and admin access are shown as well:
(Screenshot: Mailbox Audit Logging enabled, default AuditOwner/AuditDelegate/AuditAdmin lists)

If the AuditOwner, AuditDelegate or AuditAdmin lists are truncated with ellipses (…), raise the $FormatEnumerationLimit value in your session (setting it to -1 removes the limit) and run the command again.

Define operations that should be audited:

Depending on the circumstances that make mailbox audit logging necessary, you can replace the predefined audit operations with ones that are more relevant to your case. Microsoft's documentation lists every action that mailbox audit logging can record, per logon type; note that the available actions differ between Exchange versions (MailboxLogin for the owner, for instance, exists from Exchange 2013 on).

Usually, I replace the AuditOwner action list completely. AuditOwner defines which actions are logged when the mailbox owner performs them (by default only a few owner actions are audited, so deletions by the owner are easy to miss).
To do so use the following command:

Set-Mailbox MailboxName -AuditOwner "Create, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems, MailboxLogin"
(Screenshot: Set-Mailbox -AuditOwner output)
Adjust the logged actions according to the Microsoft list mentioned above; the value you pass replaces the whole list, it is not appended.
Use -AuditAdmin or -AuditDelegate instead of -AuditOwner to change the logged operations for administrators or delegates.
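The whole of step 1 as one script, added here as an example and not taken from the original post. It assumes an Exchange Management Shell on Exchange 2013 or later; intern@testlab.local is the mailbox from the post, the 180-day retention and the exact action lists are my choices and can be adapted:

```powershell
# Added example (not from the original post). Run in an Exchange Management Shell,
# Exchange 2013/2016/2019. $Mailbox is a placeholder identity from the post.
$Mailbox = 'intern@testlab.local'

# 1. Current state: AuditEnabled, retention and the per-logon-type action lists.
#    $FormatEnumerationLimit = -1 prints the full lists instead of "...".
$FormatEnumerationLimit = -1
Get-Mailbox -Identity $Mailbox |
    Select-Object PrimarySmtpAddress, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin |
    Format-List

# 2. Enable auditing and replace the action lists in a single call.
#    Each -Audit* value REPLACES the existing list. MailboxLogin is an owner-only
#    action; FolderBind/MessageBind exist for delegate/admin access.
#    AuditLogAgeLimit is an EnhancedTimeSpan (dd.hh:mm:ss); the default is 90 days.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner    Create,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems,MailboxLogin `
    -AuditDelegate Create,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems,SendAs,SendOnBehalf,FolderBind `
    -AuditAdmin    Create,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems,SendAs,SendOnBehalf,FolderBind,MessageBind `
    -AuditLogAgeLimit '180.00:00:00'

# 3. Verify instead of trusting the absence of an error message.
$m = Get-Mailbox -Identity $Mailbox
if (-not $m.AuditEnabled) { throw "Auditing is still disabled on $Mailbox" }
"AuditOwner now: $($m.AuditOwner -join ', ')"

# 4. Optional: list user mailboxes that still have auditing off, so the next
#    investigation does not start with an empty log. Read-only, safe to run.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object PrimarySmtpAddress, AuditEnabled
```

The audit entries are stored inside the mailbox itself (in the Recoverable Items folder) and are purged after AuditLogAgeLimit, so a longer limit costs mailbox quota; raise it only where an investigation is likely to reach back further than 90 days.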

2 -Search Mailbox Audit Logs

Define your query:

The Search-MailboxAuditLog cmdlet seems to work only from an Exchange Management Shell. From an ISE session with the Exchange PowerShell snap-in loaded, I always get an error.

The date-range filter of Search-MailboxAuditLog is somewhat imprecise, because a date given without a time is interpreted as midnight (00:00) at the start of that day, so an -EndDate of today excludes everything that happened today. If you want to query the range from three days ago until now, set -EndDate to tomorrow's date; otherwise no results may be shown for the current day or, depending on time zones, even for the day before.

Search-MailboxAuditLog -Identity MailboxName -StartDate "MM/DD/YYYY" -EndDate "MM/DD/YYYY" -LogonTypes Owner -ShowDetails | select LastAccessed, Operation, LogonType, LogonUserDisplayName, FolderPathName, ClientIPAddress, ClientInfoString, ClientMachineName, ClientProcessName, MailboxOwnerUPN, DelegateUserDisplayName, MailboxResolvedOwnerName, SourceItemSubjectsList | sort LastAccessed | ft -AutoSize

Some notes on the query above:

-StartDate/-EndDate: The expected date format depends on the regional settings of the system you run the query on, so check whether MM/DD or DD/MM applies before trusting an empty result.
-LogonTypes: Narrow the query down to the logon types you are interested in (Owner, Delegate, Admin); for "mails disappeared" cases, Owner and Delegate together usually answer the question.

Selectors:

Operation: The logged action (e.g. SoftDelete, HardDelete, MoveToDeletedItems, MailboxLogin).
ClientIPAddress: The IP address of the client, or, for clients behind NAT or a proxy, the outgoing address of the source network. Compare it with your internal ranges, VPN pools and known public addresses.
ClientInfoString: The client and protocol used for the connection, e.g. RPC/MAPI (Outlook), ActiveSync, OWA or EWS; an unfamiliar client string on a deletion is worth a closer look.
ClientProcessName: The process on the client, for example OUTLOOK.EXE.
SourceItemSubjectsList: The subjects of the mails the logged action was applied to, which lets you match the entries against the items the user reports as missing.

I recommend selecting only the relevant properties when searching an audit log.
Displaying all of them makes the output confusing or does not fit on the screen at all; export the full record set to CSV instead if you need to keep it as evidence.
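A complete search for the "deleted mails" scenario, added here as an example and not taken from the original post. It assumes an Exchange Management Shell, uses Get-Date objects so that the regional date format cannot interfere, pushes -EndDate to tomorrow for the reason given above, and writes the result to a path (C:\Temp) that I chose for illustration:

```powershell
# Added example (not from the original post). Run in an Exchange Management Shell.
# intern@testlab.local is the mailbox from the post; C:\Temp is an assumed export path.
$Mailbox = 'intern@testlab.local'

# Date objects avoid the MM/DD vs. DD/MM ambiguity. A date-only -EndDate ends at
# 00:00 of that day, so use tomorrow to include everything up to now.
$Start = (Get-Date).AddDays(-3).Date
$End   = (Get-Date).AddDays(1).Date

$Fields = 'LastAccessed','Operation','LogonType','LogonUserDisplayName','FolderPathName',
          'ClientIPAddress','ClientInfoString','ClientProcessName','SourceItemSubjectsList'

# -ShowDetails returns one record per action; -ResultSize lifts the default cap
# of 1000 records so a busy mailbox does not silently lose entries.
$Entries = Search-MailboxAuditLog -Identity $Mailbox -StartDate $Start -EndDate $End `
               -LogonTypes Owner,Delegate -ShowDetails -ResultSize 50000 |
           Sort-Object LastAccessed

# Overview of everything that happened in the window, oldest first
$Entries | Select-Object $Fields | Format-Table -AutoSize

# Narrow down to the deletions the user complains about.
# (-contains instead of -in keeps this working on PowerShell 2.0 shells.)
$DeleteOps = 'SoftDelete','HardDelete','MoveToDeletedItems'
$Deletes   = $Entries | Where-Object { $DeleteOps -contains $_.Operation }
$Deletes | Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
                         ClientIPAddress, ClientInfoString, SourceItemSubjectsList |
    Format-Table -AutoSize

# Who deleted, from where and with what? Grouping surfaces an unexpected
# delegate, a mobile device, or an address outside the corporate ranges.
$Deletes | Group-Object LogonUserDisplayName, ClientIPAddress, ClientInfoString |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Keep the full record set as evidence before the entries age out of the mailbox.
$Entries | Select-Object $Fields |
    Export-Csv -Path "C:\Temp\$Mailbox-audit.csv" -NoTypeInformation
```

If the result is empty, check three things before concluding nothing happened: that AuditEnabled was True during the window, that the operations you are looking for are actually in the AuditOwner/AuditDelegate lists, and that the window is still inside AuditLogAgeLimit.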

Stay safe folks!