No results using the Search-MailboxAuditLog cmdlet with Exchange 2013 CU4+

Recently we received a few calls related to the Search-MailboxAuditLog cmdlet.

In these cases, apparently starting from SP1/CU4, the cmdlet doesn't return any results even when the correct syntax is used. Here is an example:

 

[PS] C:\Windows\system32>Search-MailboxAuditLog -Identity Director -LogonTypes Admin,Delegate,Owner -StartDate 1/1/2015 -EndDate 02/27/2015 -showdetails

[PS] C:\Windows\system32>

This happens even though auditing for the mailbox (the Director one in this case) is turned on and working fine:

 

[PS] C:\Windows\system32>Get-MailboxFolderStatistics  director| where{$_.name -eq "Audits"}

 

RunspaceId                        : 489e26b4-4b31-4dd4-a90f-89cae401eafb
Date                              : 2/24/2015 3:27:09 PM
Name                              : Audits
FolderPath                        : /Audits
FolderId                          : LgAAAABX3lo1x302RqjskZ7cWjnPAQDImb1CL2SQRZTaOVwxP/wxAAAAAAQJAAAB
FolderType                        : Audits
ItemsInFolder                     : 10
DeletedItemsInFolder              : 0
FolderSize                        : 27.5 KB (28,160 bytes)
ItemsInFolderAndSubfolders        : 10
DeletedItemsInFolderAndSubfolders : 0
FolderAndSubfolderSize            : 27.5 KB (28,160 bytes)
[...]
SearchFolders                     :
Identity                          : director\Audits
IsValid                           : True
ObjectState                       : New

This is a known issue, and a workaround is available that involves checking the locale. Here are the steps:

  1. Go to Control Panel -> Language -> "Change date, time, or number formats" -> Formats (tab)
  2. Change Format to English (United States) and apply.
  3. Select the "Administrative" tab -> Copy settings...
  4. Check "Welcome screen and system accounts"
  5. Click OK all the way out. Do this on all the boxes (CAS and MBX) if you have separated roles.
  6. Reboot the box or boxes.
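
To confirm after the reboot that the format was copied to the system accounts, the following check can be run on each server. It is an added example, not part of the original post, and it assumes that "Copy settings" writes the format to the `Control Panel\International` key of the `.DEFAULT`, `S-1-5-19` and `S-1-5-20` hives under `HKEY_USERS`; the function name `Get-SystemAccountLocale` is hypothetical.

```powershell
# Added example (not from the original post): report the regional format
# stored for the Welcome screen and the built-in system accounts.
# Assumption: "Copy settings" writes the format into these HKEY_USERS hives.
function Get-SystemAccountLocale {
    param(
        # Locale the workaround sets: English (United States)
        [string]$Expected = 'en-US'
    )

    $hives = [ordered]@{
        'Welcome screen / LocalSystem' = '.DEFAULT'
        'LocalService'                 = 'S-1-5-19'
        'NetworkService'               = 'S-1-5-20'
    }

    foreach ($entry in $hives.GetEnumerator()) {
        $path = "Registry::HKEY_USERS\$($entry.Value)\Control Panel\International"
        # $null when the hive or key is missing, instead of a terminating error
        $intl = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Account    = $entry.Key
            Hive       = $entry.Value
            LocaleName = $(if ($intl) { $intl.LocaleName } else { '<key not found>' })
            ShortDate  = $(if ($intl) { $intl.sShortDate } else { $null })
            Matches    = [bool]($intl -and $intl.LocaleName -eq $Expected)
        }
    }
}

# Format of the current interactive session, for comparison
Get-Culture | Select-Object Name, DisplayName

# Any row with Matches = False still needs steps 1-6 on this server
Get-SystemAccountLocale | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on every CAS and MBX server, since each box keeps its own copy of these settings.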

 

Hope this can help.

Regards,

Cristian