Exchange Administrator Auditing\Logging

  • Question

  • Hi there,

    Our Exchange 2010 organisation has grown and we now have a number of people who are maintaining the system, and we would like to turn on the ability to monitor what changes administrators are making, however minor, whether it be a change to a send connector or adding someone to Full Mailbox access.

    I've used the "manage diagnostic logging properties" from within the Console and set some of the Services that looked useful to know about to high and can see some things are being logged.

    My question though: is there a good article outlining useful ones to log?

    Also if you are logged onto server A and within the console\Server Configuration select server A then turn on the logging to some of the services they are all logged to Server A's MSExchange Management event viewer. If I select Server B while still logged in and using the console on server A, turn on some logging will those events be logged to the Server B MSExchange Management event viewer or Server A?

    Any help on either would be great.

    Many Thanks

    Thursday, April 11, 2013 1:41 PM

Answers

  • It's enabled by default in SP1 and above. If you read through that link it explains everything. It will log everything throughout the org to an arbitration system mailbox. You can configure the type of logging or just let it be to log everything.


    • Proposed as answer by Fiona_Liao Monday, April 15, 2013 8:11 AM
    • Marked as answer by Fiona_Liao Thursday, April 25, 2013 10:27 AM
    Thursday, April 11, 2013 2:13 PM
  • By default, audit logging is enabled in new installations of Microsoft Exchange Server 2010 Service Pack 1 (SP1).

    Cmdlets that are run directly in the Exchange Management Shell are audited. In addition, operations that are performed by using the Exchange Management Console (EMC) and the Exchange Web management interface are also logged because those operations run cmdlets in the background.


    Fiona Liao
    TechNet Community Support

    • Marked as answer by Fiona_Liao Thursday, April 25, 2013 10:28 AM
    Monday, April 15, 2013 8:15 AM
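
The following is an added example, not part of the original thread: an Exchange Management Shell sequence that checks the organisation-wide audit configuration, lists the arbitration mailboxes, and searches the admin audit log for the two kinds of change named in the question. The seven-day window and the two cmdlet names in the search are assumptions chosen for illustration.

```powershell
# Added example; run in the Exchange Management Shell (Exchange 2010 SP1 or later).
# The audit configuration applies to the whole organisation, so it is set once,
# not separately on each CAS/HUB/MBX server.

# 1. Inspect the current audit configuration.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit

# 2. Enable auditing only if it is off, covering every cmdlet and parameter.
if (-not (Get-AdminAuditLogConfig).AdminAuditLogEnabled) {
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
                            -AdminAuditLogCmdlets * `
                            -AdminAuditLogParameters *
}

# 3. List the arbitration (system) mailboxes; the audit log is held in one of these.
Get-Mailbox -Arbitration | Format-Table Name, Database, ServerName -AutoSize

# 4. Search the last 7 days (assumed window) for send connector changes and
#    mailbox permission grants (assumed cmdlets of interest).
$start   = (Get-Date).AddDays(-7)
$entries = Search-AdminAuditLog -StartDate $start -EndDate (Get-Date) `
                                -Cmdlets Set-SendConnector, Add-MailboxPermission

# 5. Flatten each entry: who ran what, against which object, with which parameters.
$report = $entries | Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded,
    @{ Name = 'Parameters'
       Expression = { ($_.CmdletParameters |
                       ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' ' } }

$report | Sort-Object RunDate | Format-Table -AutoSize -Wrap

# 6. Highlight Full Access grants specifically.
$report |
    Where-Object { $_.CmdletName -eq 'Add-MailboxPermission' -and $_.Parameters -match 'FullAccess' } |
    Format-List RunDate, Caller, ObjectModified, Parameters
```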

All replies

  • There is no need to increase diagnostic logging unless you are troubleshooting a specific issue. It can be a performance hit and litter the logs with unnecessary information.

    If you want to see if an Exchange mgmt command changed something then search the admin auditing log instead:

    http://technet.microsoft.com/en-us/library/dd335052(v=exchg.141).aspx

    Overview of Administrator Audit Logging



    • Proposed as answer by Fiona_Liao Monday, April 15, 2013 8:11 AM
    Thursday, April 11, 2013 1:47 PM
  • Thanks for the Info Andy,

    It sounds like this is what we are after, yes. I presume it's not on by default?

    Yes, we just need to log any changes made via EMC or EMS; your link seems a bit vague on how to turn it on.

    Am I correct in saying that you run this command to turn it on:

    Set-AdminAuditLogConfig -AdminAuditLogCmdlets *

    Do I need to run this on each CAS\HUB\MBX server we have?

    One last question - I believe it logs all this info into a mailbox, and you use ECP to look through it. How do you find out what mailbox it's using?

    Regards

    Thursday, April 11, 2013 2:08 PM