none
Audit eDiscovery searches?

    Question

  • Is it possible to log all the times eDiscovery has been used?  I'd like to have an audit trail of searches that were performed.  Is that possible?
    Monday, March 7, 2016 1:20 PM

Answers

  • Hi,

    By default, these logs are stored in this path on mailbox server: C:\Program Files\Microsoft\Exchange Server\V15\Logging\AuditingOptics\AdminAuditOptics

    And the administrator audit log provides the information about what cmdlet was run, which parameters were used, who ran the cmdlet, and what objects were affected.

    By default, the administrator audit log doesn’t record any action that is based on an Exchange Management Shell cmdlet that begins with the verbs Get, Search, or Test. We can run Set-AdminAuditLogConfig to configure it.

    Anyway, would you mind sharing the solution with us?

    Best Regards.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Lynn-Li
    TechNet Community Support

    Tuesday, March 8, 2016 2:34 AM
    Moderator

All replies

  • Hi,

    This information is logged in the admin audit log entries. Check the admin audit logs


    Regards From: Exchange Online | Windows Administrator's Area

    Monday, March 7, 2016 1:24 PM
  • Thank you!  When I try to run "View the Administrator Audit Log" in Exchange Admin Center, I get the following error "The attempt to search the administrator audit log failed. Please try again later."  Is there a place I can view it manually (is it stored in a text file somewhere)?
    Monday, March 7, 2016 1:52 PM
  • Hi,

    MSExchangeSearch (Indexer) service may be stopped. Please check if exchange search is working properly


    Regards From: Exchange Online | Windows Administrator's Area

    Monday, March 7, 2016 2:17 PM
  • I was able to run a "search-adminauditlog" and export it to a text file. What does that tell me? I see where an administrator ran a "start-mailboxsearch" but I can't tell WHAT they searched.  Is that information tracked somewhere?

    Monday, March 7, 2016 2:55 PM
  • Never mind, I figured it out.  Thanks!!
    Monday, March 7, 2016 3:02 PM
  • Hi,

    By default, these logs are stored in this path on mailbox server: C:\Program Files\Microsoft\Exchange Server\V15\Logging\AuditingOptics\AdminAuditOptics

    And the administrator audit log provides the information about what cmdlet was run, which parameters were used, who ran the cmdlet, and what objects were affected.

    By default, the administrator audit log doesn’t record any action that is based on an Exchange Management Shell cmdlet that begins with the verbs Get, Search, or Test. We can run Set-AdminAuditLogConfig to configure it.

    Anyway, would you mind sharing the solution with us?

    Best Regards.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Lynn-Li
    TechNet Community Support

    Tuesday, March 8, 2016 2:34 AM
    Moderator