No results using the Search-MailboxAuditLog cmdlet with Exchange 2013 CU4+

Recently we received a few calls related to the Search-MailboxAuditLog cmdlet.

In these cases, starting from SP1/CU4, the cmdlet apparently returns no results even when the correct syntax is used. Here is an example:

[PS] C:\Windows\system32>Search-MailboxAuditLog -Identity Director -LogonTypes Admin,Delegate,Owner -StartDate 1/1/2015 -EndDate 02/27/2015 -showdetails

[PS] C:\Windows\system32>

This happens even though auditing for the mailbox (the Director one in this case) is turned on and working fine:

[PS] C:\Windows\system32>Get-MailboxFolderStatistics director | where {$_.name -eq "Audits"}

RunspaceId                        : 489e26b4-4b31-4dd4-a90f-89cae401eafb
Date                              : 2/24/2015 3:27:09 PM
Name                              : Audits
FolderPath                        : /Audits
FolderId                          : LgAAAABX3lo1x302RqjskZ7cWjnPAQDImb1CL2SQRZTaOVwxP/wxAAAAAAQJAAAB
FolderType                        : Audits
ItemsInFolder                     : 10
DeletedItemsInFolder              : 0
FolderSize                        : 27.5 KB (28,160 bytes)
ItemsInFolderAndSubfolders        : 10
DeletedItemsInFolderAndSubfolders : 0
FolderAndSubfolderSize            : 27.5 KB (28,160 bytes)
[...]
SearchFolders                     :
Identity                          : director\Audits
IsValid                           : True
ObjectState                       : New

This is a known issue, and a workaround is available that involves checking the locale. Here are the steps:

  1. Go to the Control Panel -> Language -> "Change date, time, or number formats" -> Formats (tab)
  2. Change Format to English (United States) and apply.
  3. Select tab "Administrative" -> Copy Settings ...
  4. Check "Welcome screen and system accounts"
  5. Click OK all the way out. Do this on all the boxes (CAS and MBX) if you have separated roles.
  6. Reboot the box or your boxes.
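
To confirm that steps 2 and 4 took effect on every server, the following added example (not part of the original post) reports the regional format stored for the system accounts on each Exchange server. It assumes PowerShell remoting is enabled on the servers and that "Copy settings" writes the format into the HKEY_USERS hives named in the comments.

```powershell
# Added example: report the regional format stored for the system accounts on
# each Exchange server, to verify the workaround was applied everywhere.
# Assumption: copying settings to "Welcome screen and system accounts" writes
# the format into these HKEY_USERS hives (.DEFAULT = LocalSystem,
# S-1-5-19 = LocalService, S-1-5-20 = NetworkService).
$expected = 'en-US'

$check = {
    $hives = '.DEFAULT', 'S-1-5-19', 'S-1-5-20'
    foreach ($hive in $hives) {
        $path = "Registry::HKEY_USERS\$hive\Control Panel\International"
        $intl = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server     = $env:COMPUTERNAME
            Account    = $hive
            LocaleName = if ($intl) { $intl.LocaleName } else { '<not readable>' }
            ShortDate  = if ($intl) { $intl.sShortDate } else { '' }
        }
    }
}

# Run from the Exchange Management Shell so Get-ExchangeServer is available;
# it returns both CAS and MBX servers when the roles are separated.
$servers = Get-ExchangeServer | Select-Object -ExpandProperty Name

$report = Invoke-Command -ComputerName $servers -ScriptBlock $check |
    Select-Object Server, Account, LocaleName, ShortDate,
        @{ Name = 'Matches'; Expression = { $_.LocaleName -eq $expected } }

$report | Sort-Object Server, Account | Format-Table -AutoSize

# The interactive session's own format, for comparison with the system accounts.
"Current session culture: $((Get-Culture).Name)"
```

Any row where Matches is False points to a server or account where the format change was not copied.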

 

Hope this can help.

Regards,

Cristian

Comments

  • Anonymous
    January 01, 2003
    Hello Florent,
    have you already applied the steps above?

    Thanks,

    Cri
  • Anonymous
    January 01, 2003
    Hello Florent and Matthieu. It could be the OS or the Exchange localized version that generates the issues here. I suggest opening an incident with Microsoft to investigate appropriately. Please keep me informed if possible. Thanks, Cristian
  • Anonymous
    February 26, 2015
    thanks
  • Anonymous
    March 18, 2015
    Hi,

    I have the same problem with a French version of Exchange 2013, can anyone help?

    After typing the command, no result is shown. But if I look at the audit logs, the size is increasing day after day...
  • Anonymous
    April 09, 2015
    Hi Cri,

    Yes, I already applied the steps above and it still doesn't work

    Thanks
  • Anonymous
    April 13, 2015
    Hello,

    We are facing the same issue with a French version in CU7. The workaround does not work (change format to English + change configuration on welcome screen and system accounts + reboot all Exchange Servers).

    In our case, the audit subfolder (inside the recoverable items folder) has the correct items. The item number increases each time we try to do a delegated access.

    Thanks for your help.
  • Anonymous
    October 01, 2015
    Is there any solution in future?
  • Anonymous
    April 03, 2016
    Tried the steps above on a German Exchange 2013, but without success. Is maybe the complete English US Language Pack needed?
    • Anonymous
      April 26, 2016
      Hello, please check my previous answer and let us know. Thanks, Cristian