question

AustinSundar-2506 avatar image
0 Votes"
AustinSundar-2506 asked AustinSundar-2506 commented

DL Audit log

I am trying to get the logs of a DL, like who is added and the list of members that are added to the DL
Search-AdminAuditLog -Cmdlets Add-DistributionGroupMember -StartDate 07/01/2021 | ? {$_.ObjectModified -match "DL Name"}


i can see the DL name from the output, but it doesn't show the list of members/objects were added to the DL. is there any way to get the details?


RunspaceId : f5031871-928b-4568-9d16-0d8cbec55fea
ObjectModified : DL
CmdletName : Add-DistributionGroupMember
CmdletParameters : {Confirm, Member, Identity}
ModifiedProperties : {}
Caller : User who made the change
ExternalAccess : False
Succeeded : True
Error :
RunDate : 7/1/2021 4:56:23 PM
OriginatingServer :
Identity : AAMkADI2ZmM1Mjk1LTlkODMtNDcxMy1iZGVmLTg2YjY0YzYxZGU1NQBGAAAAAADdXNzY2/fBSrw8p/hb4XqKBwDKtt5exSgVSJ+q9WEWY7K8AAAAMTV/AADh1
pK8QjjQRL9ioT6xso5YAAH7kH9gAAA=
IsValid : True
ObjectState : New

office-exchange-server-administration
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

EricYin-MSFT avatar image
0 Votes"
EricYin-MSFT answered AustinSundar-2506 commented

In my test, "Verbose" switch in "Search-AdminAuditLog" doesn't make a difference.
Also, after you run "Set-AdminAuditLogConfig -Loglevel verbose", it still doesn't show the detailed info of who was added to the group.
Another method works for me:EAC- complicance management- auditing - Run the admin audit log report, I don't have too much commands recently so I can find it easily with "ctrl+F":
112933-%E6%8D%95%E8%8E%B7.png



捕获.png (40.7 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,
I am writing here to confirm with you how the thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes 0 ·

thanks for your help

0 Votes 0 ·
AndyDavid avatar image
1 Vote"
AndyDavid answered AndyDavid commented

You need to set the Audit Log config to verbose to capture any future modified properties. It wont capture it for any existing logs

-LogLevel
This parameter is available only in on-premises Exchange.

The LogLevel parameter specifies whether additional properties should be included in the log entries. Valid values are None and Verbose.

By default, the CmdletName, ObjectName, Parameters (values), and the Caller, Succeeded and RunDate properties are included in log entries. When the Verbose value is used, the ModifiedProperties (old and new) and ModifiedObjectResolvedName properties are included in the log entries.

https://docs.microsoft.com/en-us/powershell/module/exchange/set-adminauditlogconfig?view=exchange-ps


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@andydavid

Do i need to use the Verbose switch like below?

Search-AdminAuditLog -Cmdlets Add-DistributionGroupMember -StartDate 7/01/2021 -Verbose| ? {$_.ObjectModified -match "DL Name"}

0 Votes 0 ·

No, that wont work.
Follow EricYin's advice, and search that way ( And enable verbose in the logs)

 Set-AdminAuditLogConfig -LogLevel Verbose
0 Votes 0 ·