Exchange 2016: Audit Logging
Every organization has one or more Exchange admins who perform daily tasks in Exchange, whether that is changing the quota of a mailbox, adding a new send connector, and so on. From a compliance and security perspective, all of these changes need to be logged. In this post, we will look at enabling audit logging within your Exchange 2016 environment.
There are two sets of logging:
- Administrator Audit Logging
- Mailbox Audit Logging
Before we start, note that administrator audit logging can only be enabled from the Exchange Management Shell (EMS).
Admin Audit Logging:
Launch the EMS. Let's check the status of Admin Audit Logging.
https://collaborationpro.com/wp-content/uploads/2017/10/auditlog1.png
As you can see above, we ran the command "Get-AdminAuditLogConfig" and it is currently set to disabled.
The next step is to enable it:
https://collaborationpro.com/wp-content/uploads/2017/10/auditlog2.png
The following command is run to enable it:
- Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
If we run the previous command again to get the status, you can see above that it is now enabled. You get a warning, as shown above, whenever you disable or enable the logging.
If you want to search the logs you can run the following command:
- New-AdminAuditLogSearch
For more information about the command you can refer to the TechNet Article below:
Mailbox Audit Logging:
Mailbox audit logging lets you log access to mailboxes, and it is enabled per mailbox.
To see if a mailbox has auditing enabled you can run the command below:
- Get-Mailbox -Identity "User Account" | fl
https://collaborationpro.com/wp-content/uploads/2017/10/auditlog3.png
As shown above, Auditing is not enabled for this user. To enable it run the following command:
- Set-Mailbox "User" -AuditEnabled $true
https://collaborationpro.com/wp-content/uploads/2017/10/auditlog4.png
As shown above, auditing is now enabled for the user account.
If you would like to search the logs you can do so using the following command:
- Search-MailboxAuditLog
For more information about this command you can refer to the TechNet Article below:
You can also log in to the EAC and click on Compliance Management and then Auditing to check the logs as well:
https://collaborationpro.com/wp-content/uploads/2017/10/auditlog5.png
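The steps above, combined into one EMS session that enables both kinds of logging, verifies the result, and then searches for anyone changing the audit settings themselves. This is an added example, not part of the original post. Assumptions: the 30-day window, the report address `auditor@example.com`, and the scope of user mailboxes only are placeholders to adjust.

```powershell
# Added example: run in the Exchange Management Shell (EMS) on Exchange 2016.
# Assumed values (not from the original post): search window and report address.
$start   = (Get-Date).AddDays(-30)
$end     = Get-Date
$report  = 'auditor@example.com'   # placeholder recipient
$mailbox = 'User Account'          # same sample identity the post uses

# 1. Administrator audit logging: enable only if it is currently disabled.
if (-not (Get-AdminAuditLogConfig).AdminAuditLogEnabled) {
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
}
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogAgeLimit

# 2. Mailbox audit logging: find user mailboxes with auditing off and enable it.
$unaudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled }
"{0} mailbox(es) had auditing disabled" -f @($unaudited).Count
foreach ($mbx in $unaudited) {
    Set-Mailbox -Identity $mbx.DistinguishedName -AuditEnabled $true
}

# 3. Verify: anything listed here still has auditing off.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit

# 4. Admin audit log: who changed the audit settings themselves?
#    A change that switches logging off is the entry a reviewer wants to see.
Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig, Set-Mailbox `
        -Parameters AdminAuditLogEnabled, AuditEnabled `
        -StartDate $start -EndDate $end |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded |
    Sort-Object RunDate

# 5. Mailbox audit log: non-owner (admin and delegate) access to one mailbox.
Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin, Delegate `
        -ShowDetails -StartDate $start -EndDate $end |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType,
                  Operation, FolderPathName, OperationResult

# 6. Same admin search as a mailed report, using the cmdlet named in the post.
New-AdminAuditLogSearch -Name 'Audit setting changes' `
    -Cmdlets Set-AdminAuditLogConfig, Set-Mailbox `
    -StartDate $start -EndDate $end -StatusMailRecipients $report
```

Step 4 only returns entries written while administrator audit logging was enabled, so changes made before step 1 will not appear.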