Export mailbox audit logs

When mailbox auditing is enabled for a mailbox, Microsoft Exchange logs information in the mailbox audit log whenever a user other than the owner accesses the mailbox. Each log entry includes information about who accessed the mailbox and when, the actions performed by the non-owner, and whether the action was successful. Entries in the mailbox audit log are retained for 90 days by default. You can use the mailbox audit log to determine if a user other than the owner has accessed a mailbox.

When you export entries from mailbox audit logs, Microsoft Exchange saves the entries in an XML file and attaches it to an email message sent to the specified recipients.

Before you begin

  • Estimated time to complete each procedure: Times are variable. In Exchange Online, the mailbox audit log is sent within a few days after you export it.

  • In Exchange Online, you have to use Remote Windows PowerShell to perform many of the procedures in this topic. For details, see Connect to Exchange Online Using Remote PowerShell.

  • Procedures in this topic require specific permissions. See each procedure for its permissions information.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server, Exchange Online, or Exchange Online Protection.

Configure mailbox audit logging

You have to enable mailbox audit logging on each mailbox that you want to audit before you can export and view mailbox audit logs. You also have to configure Microsoft Outlook Web App to allow XML attachments if you want to use Outlook Web App to access the audit log.

Step 1: Enable mailbox audit logging

You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access report for. If mailbox audit logging isn't enabled for a mailbox, you won't get any results for that mailbox when you export the mailbox audit log.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Mailbox audit logging" entry in the Messaging policy and compliance permissions topic.

To enable mailbox audit logging for a single mailbox, run the following command in the Shell.

    Set-Mailbox <Identity> -AuditEnabled $true

To enable mailbox audit logging for all user mailboxes in your organization, run the following commands.

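    # -ResultSize Unlimited: Get-Mailbox otherwise returns only the first 1,000 mailboxes
    $UserMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
    $UserMailboxes | ForEach-Object {Set-Mailbox $_.Identity -AuditEnabled $true}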

Step 2: Configure Outlook Web App to allow XML attachments

When you export the mailbox audit log, Microsoft Exchange attaches the audit log, which is an XML file, to an email message. However, Outlook Web App blocks XML attachments by default. To access the exported audit log, you have to use Microsoft Outlook or configure Outlook Web App to allow XML attachments.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Outlook Web App mailbox policies" entry in the Client Access Permissions topic.

Perform the following procedures to allow XML attachments in Outlook Web App. In Exchange Server, use the value Default for the Identity parameter.

  1. Run the following command to add XML to the list of allowed file types in Outlook Web App.

    Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes @{add='.xml'}
    
  2. Run the following command to remove XML from the list of blocked file types in Outlook Web App.

    Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -BlockedFileTypes @{remove='.xml'}
    

How do you know this worked?

To verify that you've successfully configured mailbox audit logging, do the following:

  1. Run the following command to verify that audit logging is configured for mailboxes.

    Get-Mailbox | FL Name,AuditEnabled
    

    A value of True for the AuditEnabled property verifies that audit logging is enabled.

  2. Run the following command to verify that XML attachments are allowed in Outlook Web App.

    Get-OwaMailboxPolicy | Select-Object -ExpandProperty AllowedFileTypes
    

    Verify that .xml is included in the list of allowed file types.

  3. Run the following command to verify that XML attachments are removed from the blocked file list in Outlook Web App.

    Get-OwaMailboxPolicy | Select-Object -ExpandProperty BlockedFileTypes
    

    Verify that .xml isn't included in the list of blocked file types.

Export the mailbox audit log

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure Permissions topic.

  1. In the Exchange admin center (EAC), go to Compliance Management > Auditing.

  2. Click Export mailbox audit logs.

  3. Configure the following search criteria for exporting the entries from the mailbox audit log:

    • Start and end dates: Select the date range for the entries to include in the exported file.

    • Mailboxes to search audit log for: Select the mailboxes to retrieve audit log entries for.

    • Type of non-owner access: Select one of the following options to define the type of non-owner access to retrieve entries for:

      • All non-owners: Search for access by administrators and delegated users inside your organization, and by Microsoft datacenter administrators in Exchange Online.

      • External users: Search for access by Microsoft datacenter administrators.

      • Administrators and delegated users: Search for access by administrators and delegated users inside your organization.

      • Administrators: Search for access by administrators in your organization.

    • Recipients: Select the users to send the mailbox audit log to.

  4. Click Export.

    Microsoft Exchange retrieves entries in the mailbox audit log that meet your search criteria, saves them to a file named SearchResult.xml, and then attaches the XML file to an email message sent to the recipients that you specified.

How do you know this worked?

Sign in to the mailbox where the mailbox audit log was sent. If you've successfully exported the audit log, you'll receive a message sent from Exchange. In Exchange Online, it may take a few days to receive this message. The mailbox audit log (named SearchResult.xml) will be attached to this message. If you've correctly configured Outlook Web App to allow XML attachments, you can download the attached XML file.

View the mailbox audit log

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure Permissions topic.

To save and view the SearchResult.xml file:

  1. Sign in to the mailbox where the mailbox audit log was sent.

  2. In the Inbox, open the message with the XML file attachment sent by Microsoft Exchange. Notice that the body of the email message contains the search criteria.

  3. Click the attachment and select to download the XML file.

  4. Open the SearchResult.xml in Microsoft Excel.

More information

  • Entries in the mailbox audit log: The following example shows an entry from the mailbox audit log contained in the SearchResult.xml file. Each entry begins with the <Event> XML tag and ends with the </Event> XML tag. This entry shows that the administrator purged the message with the subject "Notification of litigation hold" from the Recoverable Items folder in David's mailbox on April 30, 2010.

    <Event MailboxGuid="6d4fbdae-e3ae-4530-8d0b-f62a14687939" 
      Owner="PPLNSL-dom\david50001-1363917750" 
      LastAccessed="2010-04-30T11:01:55.140625-07:00" 
      Operation="HardDelete" 
      OperationResult="Succeeded" 
      LogonType="Admin"
      FolderId="0000000073098C3277988F4CB882F5B82EBF64610100A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000"
      FolderPathName="\Recoverable Items\Deletions"
      ClientInfoString="Client=OWA;Action=ViaProxy" 
      ClientIPAddress="10.196.241.168" 
      InternalLogonType="Owner"
      MailboxOwnerUPN="david@contoso.com"
      MailboxOwnerSid="S-1-5-21-290112810-296651436-1966561949-1151" 
      CrossMailboxOperation="false" 
      LogonUserDN="Administrator"
      LogonUserSid="S-1-5-21-290112810-296651436-1966561949-1149">
      <SourceItems>
       <ItemId="0000000073098C3277988F4CB882F5B82EBF64610700A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000A7C317F68C24304BBD18ABE1F185E79B00000026BD540"
        Subject="Notification of litigation hold"
        FolderPathName="\Recoverable Items\Deletions" /> 
      </SourceItems>
    </Event>
    
  • Useful fields in the mailbox audit log: Here's a description of useful fields in the mailbox audit log. They can help you identify specific information about each instance of non-owner access of a mailbox.

| Field | Description |
| --- | --- |
| Owner | The owner of the mailbox that was accessed by a non-owner. |
| LastAccessed | The date and time when the mailbox was accessed. |
| Operation | The action that was performed by the non-owner. For more information, see the "What gets logged in the mailbox audit log?" section in Run a Non-Owner Mailbox Access Report. |
| OperationResult | Whether the action performed by the non-owner succeeded or failed. |
| LogonType | The type of non-owner access. These include administrator, delegate, and external. |
| FolderPathName | The name of the folder that contained the message that was affected by the non-owner. |
| ClientInfoString | Information about the mail client used by the non-owner to access the mailbox. |
| ClientIPAddress | The IP address of the computer used by the non-owner to access the mailbox. |
| InternalLogonType | The logon type of the account used by the non-owner to access this mailbox. |
| MailboxOwnerUPN | The email address of the mailbox owner. |
| LogonUserDN | The display name of the non-owner. |
| Subject | The subject line of the email message that was affected by the non-owner. |
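
The fields described above can also be reviewed in the Shell instead of Excel, for example to list every successful deletion performed by a non-owner. The following is an added example, not part of the original Microsoft topic: the sample XML is constructed, and the `<SearchResults>` root name, the `<Item>` child element name, and the function name `ConvertFrom-MailboxAuditXml` are assumptions.

```powershell
# Added example (not Microsoft's code). Constructed sample export; the <SearchResults>
# root and <Item> element names are assumptions, so the parser does not depend on them.
$sample = @'
<SearchResults>
  <Event Owner="CONTOSO\david" LastAccessed="2010-04-30T11:01:55.140625-07:00"
    Operation="HardDelete" OperationResult="Succeeded" LogonType="Admin"
    FolderPathName="\Recoverable Items\Deletions" ClientInfoString="Client=OWA;Action=ViaProxy"
    ClientIPAddress="10.196.241.168" MailboxOwnerUPN="david@contoso.com" LogonUserDN="Administrator">
    <SourceItems>
      <Item Id="0001" Subject="Notification of litigation hold" FolderPathName="\Recoverable Items\Deletions" />
    </SourceItems>
  </Event>
  <Event Owner="CONTOSO\david" LastAccessed="2010-05-02T09:14:03-07:00"
    Operation="FolderBind" OperationResult="Succeeded" LogonType="Delegate"
    FolderPathName="\Inbox" ClientInfoString="Client=MSExchangeRPC"
    ClientIPAddress="10.196.241.77" MailboxOwnerUPN="david@contoso.com" LogonUserDN="Delegate User" />
</SearchResults>
'@

function ConvertFrom-MailboxAuditXml {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # emailed file: do not fetch external DTDs or entities
    $doc.LoadXml($Xml)
    foreach ($e in $doc.SelectNodes('//Event')) {
        [pscustomobject]@{
            When      = [System.Xml.XmlConvert]::ToDateTimeOffset($e.GetAttribute('LastAccessed'))
            Mailbox   = $e.GetAttribute('MailboxOwnerUPN')
            Actor     = $e.GetAttribute('LogonUserDN')
            LogonType = $e.GetAttribute('LogonType')
            Operation = $e.GetAttribute('Operation')
            Result    = $e.GetAttribute('OperationResult')
            Folder    = $e.GetAttribute('FolderPathName')
            ClientIP  = $e.GetAttribute('ClientIPAddress')
            # Subjects live on child elements of <SourceItems>; match any child name
            Subjects  = @($e.SelectNodes('SourceItems/*') | ForEach-Object { $_.GetAttribute('Subject') }) -join '; '
        }
    }
}

# Triage: successful deletions by a non-owner, oldest first
$destructive = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems'
ConvertFrom-MailboxAuditXml -Xml $sample |
    Where-Object { $_.Result -eq 'Succeeded' -and $destructive -contains $_.Operation } |
    Sort-Object When |
    Format-Table When, Actor, LogonType, Operation, Folder, ClientIP, Subjects -AutoSize
```

To run it against a downloaded export, pass `(Get-Content .\SearchResult.xml -Raw)` as the `-Xml` argument in place of `$sample`.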