Export mailbox audit logs

When mailbox auditing is enabled for a mailbox, Microsoft Exchange logs information in the mailbox audit log whenever a user other than the owner accesses the mailbox. Each log entry includes information about who accessed the mailbox and when, the actions performed by the non-owner, and whether the action was successful. Entries in the mailbox audit log are retained for 90 days by default. You can use the mailbox audit log to determine if a user other than the owner has accessed a mailbox.

When you export entries from mailbox audit logs, Microsoft Exchange saves the entries in an XML file and attaches it to an email message sent to the specified recipients.

Before you begin

  • Estimated time to complete each procedure: Times are variable. In Exchange Online, the mailbox audit log is sent within a few days after you export it.

  • In Exchange Online, you have to use Remote Windows PowerShell to perform many of the procedures in this topic. For details, see Connect to Exchange Online Using Remote PowerShell.

  • Procedures in this topic require specific permissions. See each procedure for its permissions information.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server, Exchange Online, or Exchange Online Protection.

Configure mailbox audit logging

You have to enable mailbox audit logging on each mailbox that you want to audit before you can export and view mailbox audit logs. If you want to use Outlook Web App to access the audit log, you also have to configure Outlook Web App to allow XML attachments.

Step 1: Enable mailbox audit logging

You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access report for. If mailbox audit logging isn't enabled for a mailbox, you won't get any results for that mailbox when you export the mailbox audit log.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Mailbox audit logging" entry in the Messaging policy and compliance permissions topic.

To enable mailbox audit logging for a single mailbox, run the following command in the Shell.

Set-Mailbox <Identity> -AuditEnabled $true

To enable mailbox audit logging for all user mailboxes in your organization, run the following commands.

$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}

Step 2: Configure Outlook Web App to allow XML attachments

When you export the mailbox audit log, Microsoft Exchange attaches the audit log, which is an XML file, to an email message. However, Outlook Web App blocks XML attachments by default. To access the exported audit log, you have to use Microsoft Outlook or configure Outlook Web App to allow XML attachments.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Outlook Web App mailbox policies" entry in the Client Access Permissions topic.

Perform the following procedures to allow XML attachments in Outlook Web App. In Exchange Server, use the value Default for the Identity parameter.

  1. Run the following command to add XML to the list of allowed file types in Outlook Web App.

    Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes @{add='.xml'}
    
  2. Run the following command to remove XML from the list of blocked file types in Outlook Web App.

    Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -BlockedFileTypes @{remove='.xml'}
    

How do you know this worked?

To verify that you've successfully configured mailbox audit logging, do the following:

  1. Run the following command to verify that audit logging is configured for mailboxes.

    Get-Mailbox | FL Name,AuditEnabled
    

    A value of True for the AuditEnabled property verifies that audit logging is enabled.

  2. Run the following command to verify that XML attachments are allowed in Outlook Web App.

    Get-OwaMailboxPolicy | Select-Object -ExpandProperty AllowedFileTypes
    

    Verify that .xml is included in the list of allowed file types.

  3. Run the following command to verify that XML attachments are removed from the blocked file list in Outlook Web App.

    Get-OwaMailboxPolicy | Select-Object -ExpandProperty BlockedFileTypes
    

    Verify that .xml isn't included in the list of blocked file types.

Export the mailbox audit log

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure Permissions topic.

  1. In the Exchange admin center (EAC), go to Compliance Management > Auditing.

  2. Click Export mailbox audit logs.

  3. Configure the following search criteria for exporting the entries from the mailbox audit log:

    • Start and end dates: Select the date range for the entries to include in the exported file.

    • Mailboxes to search audit log for: Select the mailboxes to retrieve audit log entries for.

    • Type of non-owner access: Select one of the following options to define the type of non-owner access to retrieve entries for:

        • All non-owners: Search for access by administrators and delegated users inside your organization, and by Microsoft datacenter administrators in Exchange Online.

        • External users: Search for access by Microsoft datacenter administrators.

        • Administrators and delegated users: Search for access by administrators and delegated users inside your organization.

        • Administrators: Search for access by administrators in your organization.

    • Recipients: Select the users to send the mailbox audit log to.

  4. Click Export.

    Microsoft Exchange retrieves entries in the mailbox audit log that meet your search criteria, saves them to a file named SearchResult.xml, and then attaches the XML file to an email message sent to the recipients that you specified.

How do you know this worked?

Sign in to the mailbox where the mailbox audit log was sent. If you've successfully exported the audit log, you'll receive a message sent from Exchange. In Exchange Online, it may take a few days to receive this message. The mailbox audit log (named SearchResult.xml) will be attached to this message. If you've correctly configured Outlook Web App to allow XML attachments, you can download the attached XML file.

View the mailbox audit log

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View-only administrator audit logging" entry in the Shell Infrastructure Permissions topic.

To save and view the SearchResult.xml file:

  1. Sign in to the mailbox where the mailbox audit log was sent.

  2. In the Inbox, open the message with the XML file attachment sent by Microsoft Exchange. Notice that the body of the email message contains the search criteria.

  3. Click the attachment and select to download the XML file.

  4. Open the SearchResult.xml file in Microsoft Excel.

More information

  • Entries in the mailbox audit log: The following example shows an entry from the mailbox audit log contained in the SearchResult.xml file. Each entry begins with the <Event> XML tag and ends with the </Event> XML tag. This entry shows that the administrator purged the message with the subject "Notification of litigation hold" from the Recoverable Items folder in David's mailbox on April 30, 2010.

    <Event MailboxGuid="6d4fbdae-e3ae-4530-8d0b-f62a14687939" 
      Owner="PPLNSL-dom\david50001-1363917750" 
      LastAccessed="2010-04-30T11:01:55.140625-07:00" 
      Operation="HardDelete" 
      OperationResult="Succeeded" 
      LogonType="Admin"
      FolderId="0000000073098C3277988F4CB882F5B82EBF64610100A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000"
      FolderPathName="\Recoverable Items\Deletions"
      ClientInfoString="Client=OWA;Action=ViaProxy" 
      ClientIPAddress="10.196.241.168" 
      InternalLogonType="Owner"
      MailboxOwnerUPN="david@contoso.com"
      MailboxOwnerSid="S-1-5-21-290112810-296651436-1966561949-1151" 
      CrossMailboxOperation="false" 
      LogonUserDN="Administrator"
      LogonUserSid="S-1-5-21-290112810-296651436-1966561949-1149">
      <SourceItems>
       <ItemId="0000000073098C3277988F4CB882F5B82EBF64610700A7C317F68C24304BBD18ABE1F185E79B00000026BD4F0000A7C317F68C24304BBD18ABE1F185E79B00000026BD540"
        Subject="Notification of litigation hold"
        FolderPathName="\Recoverable Items\Deletions" /> 
      </SourceItems>
    </Event>
    
  • Useful fields in the mailbox audit log: Here's a description of useful fields in the mailbox audit log. They can help you identify specific information about each instance of non-owner access of a mailbox.

| Field | Description |
| --- | --- |
| Owner | The owner of the mailbox that was accessed by a non-owner. |
| LastAccessed | The date and time when the mailbox was accessed. |
| Operation | The action that was performed by the non-owner. For more information, see the "What gets logged in the mailbox audit log?" section in Run a Non-Owner Mailbox Access Report. |
| OperationResult | Whether the action performed by the non-owner succeeded or failed. |
| LogonType | The type of non-owner access. These include administrator, delegate, and external. |
| FolderPathName | The name of the folder that contained the message that was affected by the non-owner. |
| ClientInfoString | Information about the mail client used by the non-owner to access the mailbox. |
| ClientIPAddress | The IP address of the computer used by the non-owner to access the mailbox. |
| InternalLogonType | The logon type of the account used by the non-owner to access this mailbox. |
| MailboxOwnerUPN | The email address of the mailbox owner. |
| LogonUserDN | The display name of the non-owner. |
| Subject | The subject line of the email message that was affected by the non-owner. |
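
As an alternative to opening the file in Excel, the fields above can be triaged directly in PowerShell. The following is an added example, not part of the original topic or Microsoft's code: the function name Get-MailboxAuditEvent, the root element name and all three sample events are constructed for illustration.

```powershell
# Constructed sample using the <Event> attributes shown above (not real data).
# Assumption: the root element name; '//Event' matches events under any root.
$sample = @'
<SearchResults>
  <Event LastAccessed="2010-04-30T11:01:55.140625-07:00" Operation="HardDelete"
         OperationResult="Succeeded" LogonType="Admin" LogonUserDN="Administrator"
         FolderPathName="\Recoverable Items\Deletions" ClientIPAddress="10.196.241.168"
         ClientInfoString="Client=OWA;Action=ViaProxy" MailboxOwnerUPN="david@contoso.com" />
  <Event LastAccessed="2010-04-30T11:05:12-07:00" Operation="FolderBind"
         OperationResult="Failed" LogonType="Admin" LogonUserDN="Administrator"
         FolderPathName="\Inbox" ClientIPAddress="10.196.241.168"
         ClientInfoString="Client=OWA;Action=ViaProxy" MailboxOwnerUPN="david@contoso.com" />
  <Event LastAccessed="2010-05-02T09:30:00-07:00" Operation="SendAs"
         OperationResult="Succeeded" LogonType="Delegate" LogonUserDN="Example Delegate"
         FolderPathName="\Sent Items" ClientIPAddress="192.0.2.10"
         ClientInfoString="Client=OWA" MailboxOwnerUPN="david@contoso.com" />
</SearchResults>
'@

function Get-MailboxAuditEvent {
    # Flatten each <Event> into one object holding the fields described above.
    param([Parameter(Mandatory)][xml]$Xml)
    foreach ($e in $Xml.SelectNodes('//Event')) {
        [pscustomobject]@{
            When      = [datetimeoffset]$e.GetAttribute('LastAccessed')
            Mailbox   = $e.GetAttribute('MailboxOwnerUPN')
            Actor     = $e.GetAttribute('LogonUserDN')
            LogonType = $e.GetAttribute('LogonType')
            Operation = $e.GetAttribute('Operation')
            Result    = $e.GetAttribute('OperationResult')
            Folder    = $e.GetAttribute('FolderPathName')
            ClientIP  = $e.GetAttribute('ClientIPAddress')
        }
    }
}

# For a real export: Get-MailboxAuditEvent -Xml (Get-Content -Raw .\SearchResult.xml)
$events = @(Get-MailboxAuditEvent -Xml $sample)

# 1. Successful deletions by a non-owner, oldest first.
$events | Where-Object { $_.Result -eq 'Succeeded' -and $_.Operation -like '*Delete*' } |
    Sort-Object When | Format-Table When, Actor, LogonType, Mailbox, Folder, ClientIP

# 2. Per non-owner and mailbox: event count, operations and source addresses.
$events | Group-Object Actor, Mailbox | Select-Object Count, Name,
    @{ n = 'Operations'; e = { ($_.Group.Operation | Sort-Object -Unique) -join ',' } },
    @{ n = 'ClientIPs';  e = { ($_.Group.ClientIP  | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

With the constructed sample, the first table lists only the HardDelete entry, and the second shows two Administrator events from one address and one delegate event from another.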