Overview of Administrator Audit Logging

Applies to: Exchange Server 2010

You can use administrator audit logging in Microsoft Exchange Server 2010 to log when a user or administrator in your organization runs a cmdlet. By keeping a log of the cmdlets that are run, you can trace changes to the person who made the change, augment your change logs with detailed records of the change as it was implemented, comply with regulatory requirements and requests for discovery, and more.

What Gets Audited

Cmdlets that are run directly in the Exchange Management Shell are audited. In addition, operations performed using the Exchange Management Console (EMC) and the Exchange Web management interface are also logged because those operations run cmdlets in the background.

A cmdlet, regardless of where it is run, is audited if it appears on the cmdlet auditing list and at least one of the parameters used with it appears on the parameter auditing list. Get cmdlets aren't logged. Audit logging is intended to show what actions have been taken to modify objects in an Exchange organization rather than what objects have been viewed.

Important

A cmdlet might not be logged if an error occurs before the cmdlet calls the Admin Audit Log cmdlet extension agent. If an error occurs after the Admin Audit Log agent is called, the cmdlet will be logged along with the associated error. For more information, see "Admin Audit Log Agent" later in this topic.
Changes to the audit log configuration are refreshed every 60 minutes on computers that have the Shell open at the time a configuration change is made. If you want to apply the changes immediately, close and then open the Shell again on each computer.

Audit Logging Configuration

By default, if audit logging is enabled, a log entry is created every time any cmdlet, other than a Get cmdlet, is run. When you configure audit logging, you need to specify the mailbox where you want logs to be stored. If you don't want to audit every cmdlet that's run, you can configure audit logging to audit only the cmdlets and parameters you're interested in. You configure audit logging with the Set-AdminAuditLogConfig cmdlet. The parameters referenced in the following sections are used with this cmdlet.

When a command is run, Exchange inspects the cmdlet that was used. If the cmdlet that was run matches any of the cmdlets provided with the AdminAuditLogCmdlets parameter, Exchange then checks the parameters specified in the AdminAuditLogParameters parameter. If at least one parameter used with the cmdlet matches the parameter list, Exchange logs the cmdlet that was run in the mailbox specified using the AdminAuditLogMailbox parameter. The following sections contain more information about each aspect of the audit logging configuration.

For more information, see Configure Administrator Audit Logging.

Cmdlets

You can control which cmdlets are audited by providing a list of cmdlets, and their parameters, that you want to log. When you configure audit logging, you can specify to audit every cmdlet, or you can specify the cmdlets you want to audit using the AdminAuditLogCmdlets parameter. You can specify full cmdlet names, such as New-Mailbox, or you can specify partial cmdlet names and enclose those names in wildcard characters, such as an asterisk (*). For example, if you want to log when any cmdlet that contains the string Transport runs, you can specify a value of *Transport*. You can use a mix of full cmdlet names and partial cmdlet names at the same time to tailor the audit logging configuration to your needs.

Parameters

In addition to specifying which cmdlets you want to log, you can also indicate that cmdlets should only be logged if certain parameters on those cmdlets are used. Use the AdminAuditLogParameters parameter to specify which parameters should be logged. As with cmdlets, you can specify full parameter names, such as Database, or partial parameter names enclosed in wildcard characters (*), such as *Address*, or a combination of both.
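The following is an added example that is not part of the original page. It puts the cmdlet and parameter sections together: a small helper reproduces the matching rule as the page states it (Get cmdlets never logged; cmdlet must match the cmdlet list; at least one parameter actually used must match the parameter list) using PowerShell -like wildcard semantics, so a planned configuration can be dry-run before it is applied, and then the same lists are applied with Set-AdminAuditLogConfig. The helper is an approximation written for this page, not Exchange's own matching code; the organization name, mailbox address and the pattern lists are placeholders.

```powershell
# Added example, not from the original page. Placeholders: the pattern lists,
# the contoso.com mailbox address, and the sample commands in $cases.

# Planned configuration: mailbox and transport changes plus role assignments,
# logged whenever any parameter is used ('*'). Narrow $parameterPatterns to
# e.g. 'Database', '*Address*' to log only specific changes.
$cmdletPatterns    = @('*Mailbox*', '*Transport*', 'New-ManagementRoleAssignment', 'Remove-ManagementRoleAssignment')
$parameterPatterns = @('*')

function Test-WouldBeAudited {
    # Approximates the rule described in the text, using -like wildcards:
    #   1. Get-* cmdlets are never logged
    #   2. the cmdlet must match at least one entry in the cmdlet list
    #   3. at least one parameter actually used must match the parameter list
    param(
        [string]   $Cmdlet,
        [string[]] $ParametersUsed,
        [string[]] $CmdletList,
        [string[]] $ParameterList
    )
    if ($Cmdlet -like 'Get-*') { return $false }
    $cmdletMatch = $CmdletList | Where-Object { $Cmdlet -like $_ }
    if (-not $cmdletMatch) { return $false }
    foreach ($p in $ParametersUsed) {
        foreach ($pattern in $ParameterList) {
            if ($p -like $pattern) { return $true }
        }
    }
    return $false
}

# Dry run against representative commands (constructed for this example)
$cases = @(
    @{ Cmdlet = 'Set-Mailbox';                  Params = @('Identity', 'Database') },
    @{ Cmdlet = 'Set-TransportConfig';          Params = @('MaxSendSize') },
    @{ Cmdlet = 'Get-Mailbox';                  Params = @('Identity') },            # never logged
    @{ Cmdlet = 'New-ManagementRoleAssignment'; Params = @('Role', 'User') },
    @{ Cmdlet = 'Set-CASMailbox';               Params = @('Identity', 'OWAEnabled') } # matches *Mailbox*
)
foreach ($c in $cases) {
    $hit = Test-WouldBeAudited -Cmdlet $c.Cmdlet -ParametersUsed $c.Params `
                               -CmdletList $cmdletPatterns -ParameterList $parameterPatterns
    '{0,-32} audited: {1}' -f $c.Cmdlet, $hit
}

# Apply the configuration (run in the Exchange Management Shell).
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogMailbox 'adminauditlog@contoso.com'
Set-AdminAuditLogConfig -AdminAuditLogCmdlets $cmdletPatterns -AdminAuditLogParameters $parameterPatterns

# Confirm what was written; Active Directory replication may delay it elsewhere.
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, AdminAuditLogMailbox, AdminAuditLogCmdlets, AdminAuditLogParameters
```

Shells that were already open when the configuration changed pick it up within 60 minutes, as the Important note above says; close and reopen the Shell on each computer to apply it immediately.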

Auditing Mailbox

For this release of Exchange 2010, audit log entries are stored in a mailbox that you specify using the AdminAuditLogMailbox parameter. The auditing mailbox should be a mailbox that's accessible only to a restricted group of administrators. This restriction is necessary because sensitive information could be exposed by audit logging. All the values specified in parameters on cmdlets logged by audit logging, except passwords, are stored in the audit logs.

Because audit logging can potentially log every command run in your organization by your users and administrators, you should monitor the auditing mailbox regularly. If the mailbox becomes full, new logs sent to the mailbox will be lost and are irretrievable.

To ensure that only audit log entries are stored in this mailbox, you might want to restrict who is allowed to send e-mail to this mailbox. For more information about how to restrict who can send e-mail to a mailbox, see Configure Message Delivery Restrictions.
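The following is an added example that is not part of the original page. It covers the two operational concerns this section raises: limiting who can open the auditing mailbox, and checking how full it is against its send/receive quota so entries are not lost. The mailbox alias AdminAuditLog and the group Audit Log Readers are placeholders; Get-MailboxStatistics and the quota properties are standard Exchange 2010 cmdlets and properties.

```powershell
# Added example, not from the original page. Placeholders: 'AdminAuditLog'
# (the auditing mailbox) and 'Audit Log Readers' (a security group).
$auditMailbox = 'AdminAuditLog'
$readersGroup = 'Audit Log Readers'

# 1. Restrict who can open the mailbox: one group gets Full Access, then list
#    every explicit (non-inherited) grant so stray permissions stand out.
Add-MailboxPermission -Identity $auditMailbox -User $readersGroup -AccessRights FullAccess -InheritanceType All
Get-MailboxPermission -Identity $auditMailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights -AutoSize

# 2. Refuse mail from unauthenticated (external) senders so the mailbox
#    cannot be filled or polluted from outside the organization.
Set-Mailbox -Identity $auditMailbox -RequireSenderAuthenticationEnabled $true

# 3. Report usage against the prohibit-send/receive quota. Note: the
#    .Value.ToBytes() calls rely on the Exchange Management Shell's typed
#    objects; a plain remote PowerShell session returns these as strings.
function Get-AuditMailboxUsage {
    param([string] $Identity, [int] $WarnPercent = 80)
    $mbx   = Get-Mailbox -Identity $Identity
    $stats = Get-MailboxStatistics -Identity $Identity
    $quota = if ($mbx.UseDatabaseQuotaDefaults) {
        (Get-MailboxDatabase -Identity $mbx.Database).ProhibitSendReceiveQuota
    } else {
        $mbx.ProhibitSendReceiveQuota
    }
    $used = $stats.TotalItemSize.Value.ToBytes()
    if ($quota.IsUnlimited) {
        return New-Object PSObject -Property @{
            Mailbox = $Identity; UsedMB = [math]::Round($used / 1MB, 1)
            QuotaMB = 'Unlimited'; Percent = $null; Warning = $false
        }
    }
    $limit = $quota.Value.ToBytes()
    $pct   = [math]::Round(100 * $used / $limit, 1)
    New-Object PSObject -Property @{
        Mailbox = $Identity; UsedMB = [math]::Round($used / 1MB, 1)
        QuotaMB = [math]::Round($limit / 1MB, 1); Percent = $pct
        Warning = ($pct -ge $WarnPercent)
    }
}

Get-AuditMailboxUsage -Identity $auditMailbox | Format-List
```

Run the usage check on a schedule and act on Warning before the quota is reached; once the mailbox is full, the page notes, new entries are dropped and cannot be recovered.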

Audit Logs

Audit logs are stored as e-mail messages in the mailbox you specified when you configured audit logging. You can access the logs by opening that mailbox using any e-mail client such as Microsoft Outlook or Microsoft Office Outlook Web App.

Each time a cmdlet is logged, an audit log e-mail message is created and delivered to the auditing mailbox. Each log contains the information described in the following table.

Audit log entry fields

Message Subject: Account of the user who ran the cmdlet and the cmdlet that was run.

Cmdlet Name: Cmdlet run by the caller.

Object Modified: Object modified by the cmdlet.

Parameter: Parameters specified when the cmdlet was run and the values provided. If more than one parameter was specified, multiple Parameter fields are shown.

Caller: User account of the user who ran the cmdlet.

Succeeded: Whether the cmdlet ran successfully. The value is either True or False.

Error: Error message generated if the cmdlet failed to complete successfully.

Run Date: Date and time when the cmdlet was run. The date and time are stored in Coordinated Universal Time (UTC) format.

Note

The audit log entry fields each contain a GUID. This GUID is internal only and shouldn't be used as a reference when interpreting or processing the audit logs.
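The following is an added example that is not part of the original page. It parses audit log message bodies into objects using the field names from the table, treats Run Date as UTC as the table states, and answers two triage questions (which cmdlets failed, who changed role assignments). The two message bodies are constructed for this example from the table's field names; the real messages carry these fields but their exact layout, including the internal GUIDs the note mentions, is not reproduced here, so adjust the line regex to what you see in the mailbox.

```powershell
# Added example, not from the original page. The bodies below are constructed
# from the field names in the table; real message layout may differ.
$sampleBodies = @(
@'
Cmdlet Name: Set-Mailbox
Object Modified: contoso.com/Users/Kim Akers
Parameter: Identity = kakers
Parameter: ProhibitSendQuota = 2 GB (2,147,483,648 bytes)
Caller: contoso.com/Users/Administrator
Succeeded: True
Error:
Run Date: 2010-03-15T14:02:11
'@,
@'
Cmdlet Name: New-ManagementRoleAssignment
Object Modified:
Parameter: Role = Organization Management
Parameter: User = jdoe
Caller: contoso.com/Users/jdoe
Succeeded: False
Error: Access denied
Run Date: 2010-03-15T22:45:03
'@
)

function ConvertFrom-AdminAuditLogBody {
    # Turns one "Field: value" body into an object; repeated Parameter fields
    # are collected into an array, as the table says several may appear.
    param([string] $Body)
    $entry = New-Object PSObject -Property @{
        CmdletName = ''; ObjectModified = ''; Parameters = @(); Caller = ''
        Succeeded = $null; Error = ''; RunDateUtc = $null; RunDateLocal = $null
    }
    foreach ($line in ($Body -split "`r?`n")) {
        if ($line -notmatch '^\s*([^:]+?)\s*:\s*(.*)$') { continue }
        $field = $matches[1]; $value = $matches[2].Trim()
        switch ($field) {
            'Cmdlet Name'     { $entry.CmdletName     = $value }
            'Object Modified' { $entry.ObjectModified = $value }
            'Parameter'       { $entry.Parameters    += $value }
            'Caller'          { $entry.Caller         = $value }
            'Succeeded'       { $entry.Succeeded      = ($value -eq 'True') }
            'Error'           { $entry.Error          = $value }
            'Run Date'        {
                # Stored as UTC per the table: parse as universal, keep both forms
                $styles = [Globalization.DateTimeStyles] 'AssumeUniversal, AdjustToUniversal'
                $utc = [DateTime]::Parse($value, [Globalization.CultureInfo]::InvariantCulture, $styles)
                $entry.RunDateUtc   = $utc
                $entry.RunDateLocal = $utc.ToLocalTime()
            }
        }
    }
    $entry
}

$entries = $sampleBodies | ForEach-Object { ConvertFrom-AdminAuditLogBody $_ }

'Failed cmdlets:'
$entries | Where-Object { -not $_.Succeeded } |
    Format-Table RunDateUtc, Caller, CmdletName, Error -AutoSize

'Role assignment changes, by caller:'
$entries | Where-Object { $_.CmdletName -like '*ManagementRoleAssignment' } |
    Group-Object Caller | Select-Object Name, Count
```

To feed real entries into the parser, open the auditing mailbox in Outlook or Outlook Web App as the page describes and export the message bodies; a failed entry with an Error value is worth the same attention as a successful one, since it records an attempt.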

Active Directory Replication

Administrator audit logging relies on Active Directory replication to replicate the configuration settings you specify to the domain controllers in your organization. Depending on your replication settings, the changes you make may not be immediately applied to all servers running Exchange 2010 in your organization.

Admin Audit Log Agent

The Admin Audit Log built-in cmdlet extension agent performs administrator audit logging of cmdlet operations in Exchange 2010. This agent reads the audit log configuration, and then performs an evaluation of each cmdlet run in your organization. If the criteria you've specified in the audit log configuration matches the cmdlet that's being run, the agent generates an audit log that's sent to the auditing mailbox.

Cmdlet extension agents can either be enabled or disabled. The Admin Audit Log agent is enabled by default, which is required for audit logging to function. The enabled and disabled states of the Admin Audit Log agent and the administrator audit logging feature are separate. Both must be enabled for logging to occur. If either is disabled, logging won't occur.
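The following is an added example that is not part of the original page. It checks the two independent switches the paragraph describes, the Admin Audit Log cmdlet extension agent and the audit logging feature, and reports whether logging is effectively active. Get-CmdletExtensionAgent, Enable-CmdletExtensionAgent and Get-AdminAuditLogConfig are Exchange 2010 cmdlets; the function name is this example's own.

```powershell
# Added example, not from the original page. Logging occurs only when the
# agent AND the feature are enabled; a missing auditing mailbox also means
# entries have nowhere to go.
function Test-AdminAuditLogging {
    $agent  = Get-CmdletExtensionAgent -Identity 'Admin Audit Log Agent'
    $config = Get-AdminAuditLogConfig
    $problems = @()
    if (-not $agent.Enabled) {
        $problems += 'Admin Audit Log Agent is disabled: run Enable-CmdletExtensionAgent "Admin Audit Log Agent"'
    }
    if (-not $config.AdminAuditLogEnabled) {
        $problems += 'Audit logging is disabled: run Set-AdminAuditLogConfig -AdminAuditLogEnabled $true'
    }
    if (-not $config.AdminAuditLogMailbox) {
        $problems += 'No auditing mailbox is set: run Set-AdminAuditLogConfig -AdminAuditLogMailbox <mailbox>'
    }
    New-Object PSObject -Property @{
        AgentEnabled   = $agent.Enabled
        LoggingEnabled = $config.AdminAuditLogEnabled
        Mailbox        = $config.AdminAuditLogMailbox
        Effective      = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

Test-AdminAuditLogging | Format-List AgentEnabled, LoggingEnabled, Mailbox, Effective, Problems
```

Because the agent is enabled by default and rarely touched, a disabled agent with logging still reporting as enabled is the case this check is meant to catch.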

Because the Admin Audit Log agent is enabled by default, there should be no need for you to change the configuration of this agent. If you do need to enable or disable this agent, or want to know more about cmdlet extension agents, see the following topics: