Every organization has one or more Exchange admins who perform daily tasks in Exchange, whether that is changing the quota of a mailbox, adding a new send connector, and so on. From a compliance and security perspective, all of these changes need to be logged. In this post we will look at enabling audit logging within your Exchange 2016 environment.
There are 2 sets of logging:
- Administrator Audit Logging
- Mailbox Audit Logging
Before we start, note that administrator audit logging can only be enabled from the Exchange Management Shell (EMS).
Admin Audit Logging:
Launch the EMS and check the status of Admin Audit Logging.
As you can see above, we ran the command “Get-AdminAuditLogConfig” and it is currently set to disabled.
The next step is to enable it:
The following command was run to enable it:
- Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
If we run the previous command again to get the status, you can see above that it is now enabled. You get a warning, as shown above, whenever you disable or enable the logging.
If you want to search the logs you can run the following command:
- New-AdminAuditLogSearch
For more information about the command, you can refer to the TechNet article below:
- https://wwwtechnet.microsoft.com/en-us/library/ff459243(v=exchg.160).aspx
Mailbox Audit Logging:
Mailbox audit logging allows you to log access to mailboxes. It is enabled on a per-mailbox basis.
To see if a mailbox has auditing enabled you can run the command below:
- Get-Mailbox -Identity "User Account" | fl
As shown above, auditing is not enabled for this user. To enable it, run the following command:
- Set-Mailbox "User" -AuditEnabled $true
As shown above, auditing is now enabled for the user account.
If you would like to search the logs you can do so using the following command:
- Search-MailboxAuditLog
For more information about this command, you can refer to the TechNet article below:
- https://wwwtechnet.microsoft.com/en-us/library/ff522360(v=exchg.160).aspx
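The steps above can be combined into a single audit-coverage check. The script below is an added example, not part of the original post: it reports the admin audit logging state, lists mailboxes that still have auditing disabled, and runs both log searches with explicit date ranges. The `-Apply` switch, the `secops@example.com` recipient, the `User` mailbox name and the 7-day window are assumptions for illustration.

```powershell
# Run in the Exchange Management Shell (EMS) on Exchange 2016.
param(
    [switch]$Apply,                                   # without -Apply the script only reports
    [string]$ReportRecipient = 'secops@example.com',  # placeholder address (assumption)
    [string]$Mailbox = 'User',                        # placeholder mailbox to review (assumption)
    [int]$Days = 7                                    # look-back window (assumption)
)

$end   = Get-Date
$start = $end.AddDays(-$Days)

# 1. Administrator audit logging: report the state, enable it only if requested.
$cfg = Get-AdminAuditLogConfig
"Admin audit logging enabled: $($cfg.AdminAuditLogEnabled) (age limit: $($cfg.AdminAuditLogAgeLimit))"
if (-not $cfg.AdminAuditLogEnabled -and $Apply) {
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
}

# 2. Mailbox audit logging: check the AuditEnabled property for every mailbox
#    instead of reading it out of the full "| fl" output one user at a time.
$unaudited = @(Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled })
"Mailboxes without auditing: $($unaudited.Count)"
$unaudited | Select-Object Name, PrimarySmtpAddress, AuditEnabled | Format-Table -AutoSize
if ($Apply) {
    $unaudited | ForEach-Object { Set-Mailbox -Identity $_.Identity -AuditEnabled $true }
}

# 3. Admin audit log: queue a search; Exchange e-mails the results to the
#    recipient as an XML attachment once the search completes.
New-AdminAuditLogSearch -Name "Admin changes, last $Days days" `
    -StartDate $start -EndDate $end -StatusMailRecipients $ReportRecipient

# 4. Mailbox audit log: non-owner (administrator and delegate) access to one
#    mailbox in the same window, with per-operation detail.
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate `
    -StartDate $start -EndDate $end -ShowDetails |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName, OperationResult |
    Format-Table -AutoSize
```

Mailboxes that have only just had auditing enabled will return no entries in step 4 until new activity has been logged.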
You can also log in to the EAC, click on Compliance Management and then Auditing to check the logs as well:
Hope it helps.