How do I query the Exchange 2010 Audit logs for timestamped actions performed on a mailbox by its OWNER ?
Saturday, May 05, 2012 5:47 AM
I intend to use auditing to discover which of a CEO's 4 exchange-enabled laptops is moving emails to Deleted Items and exactly when it is occuring. I need help querying for the audited information. The TechNet articles I have seen contain some query commands that I have tried to modify, but they don't produce any output (errors instead).
I believe I have enabled logging correctly, but I am receiving an error when attempting to query for the OWNER activities in the Exchange Command Shell. I tried to use the ECP via OWA, but it appears that it can only query non-owner access to a mailbox. I would like to query for OWNER items that have been logged. Ideally, I would like to get timestamps and source hostname/IP. Can anyone help me?
Set-Mailbox -Identity "themailbox" -AuditEnabled $true
So far, I have enabled auditing of the OWNER user by using the following two commands:
Set-Mailbox -Identity "themailbox" -AuditOwner MoveToDeletedItems,Move,SoftDelete,HardDelete -AuditEnabled $true
I have confirmed that the desired auditing is active by running the following command:
Get-Mailbox themailbox | FL Name, Audit*
But now, how to query for the OWNER access? Or, can I look at an Event Log somewhere? Exchange 2007 seemed to hold some of this information in an Exchange Auditing Log, but this doesn't appear to be present in my SBS 2011 server. I'm stumped.
Thanks in advance!
Monday, May 07, 2012 7:01 AMModerator
The owner’s access will be audited.
I’d suggest you run Search-MailboxAuditLog tu query for the owner access. For detailed, please refer to:
Search the Mailbox Audit Log for a Mailbox
Understanding Mailbox Audit Logging
hope it is helpful.
TechNet Community Support
- Proposed As Answer by Fiona_LiaoMicrosoft Contingent Staff, Moderator Monday, May 07, 2012 7:03 AM
Monday, May 07, 2012 9:17 AM
You can do it like this:
New-MailboxAuditLogSearch "name of search" –StartDate “05/01/2012” –EndDate “05/16/2012” –Mailboxes “Mailbox_to_check" –LogonTypes Owner,Admin,Delegate -ShowDetails –StatusMailRecipients firstname.lastname@example.org
this will generate full audit report and send it to mailbox (email@example.com) as a xml file. This file you can open in Excell.
In mailbox_to_Check you can write Display name or smtp address.
Report is generated for a few minutes sometimes 20 minutes.
When you use only search-mailboxauditlog you won't get subjects of emails only ID's.
- Marked As Answer by Relion Support Inc Monday, May 07, 2012 3:31 PM
Monday, May 07, 2012 3:31 PMExcellent, this returns exactly the output I was hoping for. Thank you!