No results using the Search-MailboxAuditLog cmdlet with Exchange 2013 CU4+
Recently we received few calls related to the Search-MailboxAuditLog cmdlet.
In these cases apparently, starting from the SP1/CU4, the cmdlet doesn’t give any result even if a correct syntax is used. An example here:
[PS] C:\Windows\system32>Search-MailboxAuditLog -Identity Director -LogonTypes Admin,Delegate,Owner -StartDate 1/1/2015 -EndDate 02/27/2015 -showdetails
[PS] C:\Windows\system32>
This even if the Audit for the mailbox (the Director one in this case) is turned on and working fine:
[PS] C:\Windows\system32>Get-MailboxFolderStatistics director| where{$_.name -eq "Audits"}
RunspaceId : 489e26b4-4b31-4dd4-a90f-89cae401eafb
Date : 2/24/2015 3:27:09 PM
Name : Audits
FolderPath : /Audits
FolderId : LgAAAABX3lo1x302RqjskZ7cWjnPAQDImb1CL2SQRZTaOVwxP/wxAAAAAAQJAAAB
FolderType : Audits
ItemsInFolder : 10
DeletedItemsInFolder : 0
FolderSize : 27.5 KB (28,160 bytes)
ItemsInFolderAndSubfolders : 10
DeletedItemsInFolderAndSubfolders : 0
FolderAndSubfolderSize : 27.5 KB (28,160 bytes)
[...]
SearchFolders :
Identity : director\Audits
IsValid : True
ObjectState : New
This is a known issue and a workaround where we need to check the Locale is available. Here the steps:
- Go to the Control panel -> Language -> "Change date, time, or number formats -> Formats (tab)
- Change Format to English (United States) and apply.
- Select tab "Administrative" -> Copy Settings ...
- Check "Welcome screen and system accounts"
- Ok all your way out. Do this on all the boxes (CAS and MBX) if you have separated roles.
- Reboot the box or your boxes.
Hope this can help.
Regards,
Cristian