Exchange 2016: Audit Logging

In every organization you have one or many Exchange Admins that run and perform daily tasks in Exchange, whether it is changing the quota of a mailbox, adding a new send connector, etc. But from a compliance perspective and for security in the company, all changes do need to be logged. In this post, we will look at enabling audit logging within your Exchange 2016 environment.

There are two sets of logging:

• Administrator Audit Logging
• Mailbox Audit Logging

Before we start, to enable administrator audit logging can only be done from the Exchange Management Shell (EMS).

Admin Audit Logging:

Launch the EMS. Let's check the status of Admin Audit Logging.

https://collaborationpro.com/wp-content/uploads/2017/10/auditlog1.png

As you can see above, we ran the command "Get-AdminAuditLogConfig" and it is currently set to disabled.

The next step is to enable it:

https://collaborationpro.com/wp-content/uploads/2017/10/auditlog2.png

The following command is run to enable it:

• Set-AdminAuditLogConfig -AdminAuditLogEnabled $True

If we run the previous command to get the status, you can see above it is now enabled. You do get a warning as shown above when you disable or enable the logging.

If you want to search the logs you can run the following command:

• New-AdminAuditLogSearch

For more information about the command you can refer to the TechNet Article below:

• https://technet.microsoft.com/en-us/library/ff459243(v=exchg.160).aspx

Mailbox Audit Logging:

Mailbox logging allows you to log mailbox access by mailbox.

To see if a mailbox has auditing enabled you can run the command below:

• Get-Mailbox -Identity "User Account" | fl

https://collaborationpro.com/wp-content/uploads/2017/10/auditlog3.png

As shown above, Auditing is not enabled for this user. To enable it run the following command:

• Set-Mailbox "User" -AuditEnabled $true

https://collaborationpro.com/wp-content/uploads/2017/10/auditlog4.png

As shown above, auditing is now enabled for the user account.

If you would like to search the logs you can do so using the following command:

• Search-MailboxAuditLog

For more information about this command you can refer to the Technet Article below:

• https://technet.microsoft.com/en-us/library/ff522360(v=exchg.160).aspx

You can also login to the EAC and click on Compliance Management and then Auditing to check logs as well:

https://collaborationpro.com/wp-content/uploads/2017/10/auditlog5.png