locked
Search-MailboxAuditLog is empty RRS feed

  • Question

  • Hi

    I try to get log of mailbox: Search-MailboxAuditLog test

    - no result.  "Recoverable Items" folder of this mailbox is too empty.

    Before i do this: Set-Mailbox test -AuditEnabled $true (other leave default)

    What else i need to do/check?

    Thanks.

    Monday, September 26, 2016 8:50 AM

All replies

  • Please check this earlier discussion which looks similar to your asked concern and I hope, it should help you to take appropriate steps : https://social.technet.microsoft.com/Forums/en-US/efdd4706-bcd3-4d96-a835-e6a21a50f67b/searchmailboxauditlog-is-empty-mailbox-audit-logging-not-working-in-exchange-2013-cu6-environment?forum=exchangesvradmin

    Moreover, you can also check below article which might be interesting in your situation - http://community.spiceworks.com/how_to/124782-how-to-track-non-owner-mailbox-accesses-on-exchange-2013


    Organizations who want increase their visibility as to what's happening in their IT environments but are perhaps limited on time, resources or budget. Lepide 2020 audit & change control suite provides instant access to see who, what, where and when changes are being made to Active Directory, Group Policy, SQL Servers, SharePoint, File Servers, Exchange Servers and more.

    Monday, September 26, 2016 9:18 AM
  • Thanks, but it's i already read and nothing help.
    Monday, September 26, 2016 9:45 AM
  • Hi

    Have you enabled audit log on that particular mailbox ? if not then first you have to enable audit logging on a mailbox then you will be able to get logs of that particular mailbox.

    • You need to be assigned permissions before you can perform this procedure . To see what permissions you need, see the "Mailbox audit logging" entry messaging policy & compliance permission.
    • Entries in the mailbox audit log are retained for 90 days, by default.
    • By default, mailbox audit logging is disabled for all mailboxes. For each mailbox you want to audit, you must enable audit logging and specify the mailbox owner, delegate, or administrator actions you want to audit.
    • You can't use the EAC to search the mailbox audit log for a mailbox. However, you can use the EAC to run or search for and export a non-owner mailbox access report, for enabling, disabling audit on a mailbox you have to use Exchange PowerShell.

    How to enable a mailbox for audit:-

    This example enables mailbox audit logging for your particular user.

    Set-Mailbox -Identity "Your User Name" -AuditEnabled $true

    This example disables mailbox audit logging for your particular user.

    Set-Mailbox -Identity "Your User Name" -AuditEnabled $false

    you can use further PowerShell to configure and play with audit logging and will be able to get outputs

    Kindly click "Mark as Answer" on the post that helps you, this can be beneficial to other community members reading this thread.

    Regards.

    H.shakir

    Monday, September 26, 2016 10:38 AM
  • Hi,

    Please post results of the following commands for troubleshooting

    Get-Mailbox Test | fl *audit*

    By default, no Actions are logged by mailbox owner. So if administrator or mailbox delegate doesn't open this mailbox to perform some actions, then there will be no results when you run Search-MailboxAuditLog test.

    https://technet.microsoft.com/en-us/library/ff461937(v=exchg.150).aspx

    One example to configure mailbox audit logging settings for owner access

    Set-Mailbox -Identity "Test" -AuditOwner HardDelete,Create,MessageBind


    Regards,

    Lynn-Li

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Lynn-Li Tuesday, September 27, 2016 7:57 AM Typo
    Tuesday, September 27, 2016 7:54 AM
  • Have you enabled audit log on that particular mailbox ? - Yes

    As i say,  i already do this: Set-Mailbox -Identity "Your User Name" -AuditEnabled $true

    For Get-Mailbox Test | fl *audit*:

    AuditEnabled     : True
    AuditLogAgeLimit : 90.00:00:00
    AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
    AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}
    AuditOwner       : {}
    Tuesday, September 27, 2016 8:01 AM
  • Hi,

    If any administrators or delegates login this test mailbox and perform some actions on this test mailbox? If no, then it's common with no results. If yes, try to re-login that test mailbox as delegate to perform some actions and see the results.


    Regards,

    Lynn-Li

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 27, 2016 8:57 AM
  • Administrator login to this test mailbox and send/delete test email.

    Then try to re-login, nothing change.

    Tuesday, September 27, 2016 11:35 AM
  • OK, run this command to make sure the audit folder is valid on test mailbox, and make sure your account is in Records Management role group.

    Get-MailboxFolderStatistics mailboxname |where{$_.Name -like "*audit*"}

    Get-RoleGroupMember "Records Management"

    By the way, are you using the English version of exchange sever? See this blog

    https://blogs.technet.microsoft.com/criscrif/2015/02/26/no-results-using-the-search-mailboxauditlog-cmdlet-with-exchange-2013-cu4/


    Regards,

    Lynn-Li

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 28, 2016 1:04 AM
  • Get-MailboxFolderStatistics mailboxname |where{$_.Name -like "*audit*"}

    - blank

    Get-RoleGroupMember "Records Management"

    - nobody. Add "domain admins" to this group - same result

    By the way, are you using the English version of exchange sever?

    - no, i use RUS. Correct as blog - same result

    Wednesday, September 28, 2016 8:50 AM
  • Get-MailboxFolderStatistics mailboxname |where{$_.Name -like "*audit*"}

    - blank


    Hi,

    It seems that audit folder is missing for this user mailbox, try to repair this mailbox first.

    https://technet.microsoft.com/en-us/library/ff625226%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396

    New-MailboxRepairRequest -Mailbox User@domain.com -CorruptionType FolderView,ProvisionedFolder,SearchFolder,AggregateCounts

    And does this issue occur on other user mailboxes?


    Regards,

    Lynn-Li

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 10, 2016 3:08 AM
  • No, it's happened with new mailbox and also exist.
    Monday, October 10, 2016 6:34 AM