"How" Exchange is logging admin audit logs

  • Question

  • Hello

    Just a matter of curiosity.

    I was wondering how Exchange reaches the arbitration mailbox that stores the "Admin Audit Logs".

    In our setup we will be in coexistence between Exchange 2010 and Exchange 2016 servers.
    The arbitration mailbox SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} has already been moved to an Exchange 2016 mailbox database.
    Exchange 2010 servers can successfully "log" admin commands to that arbitration mailbox.

    I am currently wondering HOW Exchange 2010 servers communicate with that arbitration mailbox to store data about commands executed:

    • using a simple mail?
    • using EWS?
    • PowerShell remoting?
    • using another trick?

    Because I need to know if I have to prepare some firewall changes between our Exchange 2010 and 2016 servers.

    Thanks

    Florent

    Thursday, November 8, 2018 10:21 AM

Answers

  • Hello

    Answer to myself: no need to change firewall settings.

    Indeed, on each Exchange server there is a cmdlet extension agent (which cannot be disabled) called the "Admin Audit Log Agent".

    Each time an Exchange PowerShell cmdlet is executed on the server, an admin audit log event is written to the folder "\AdminAuditLogs" of the system arbitration mailbox "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}".
    This cmdlet extension agent can only be invoked by Exchange Server cmdlets.

    This works even if the mailbox has been migrated to an Exchange 2016 database.

    As long as the Exchange 2010 Management Shell has access to the Exchange 2016 database, admin audit entries can be stored.

    Florent

    • Proposed as answer by Niko.Cheng Wednesday, November 14, 2018 9:58 AM
    • Marked as answer by Florent Duret Tuesday, November 20, 2018 9:37 AM
    Tuesday, November 13, 2018 12:39 PM
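A verification script to go with the accepted answer above and with Niko Cheng's description (below) of the two components, the agent and the audit-log writer. This is an added example, not code posted in the thread; it uses only standard Exchange cmdlets, and the seven-day look-back, the 5000-entry cap and the assumption that each entry's OriginatingServer reads "SERVERNAME (build)" are mine, not the page's. It answers the original firewall question empirically: if entries attributed to the Exchange 2010 servers keep appearing after the mailbox move, those servers are reaching the 2016-hosted mailbox with the current rules.

```powershell
# Added example (not from the forum thread): verify where the admin audit log
# lands and that every Exchange server, 2010 and 2016 alike, is writing to it.
# Run from an Exchange Management Shell with a role group that grants the
# "Audit Logs" role (Organization Management or Records Management).
# Assumptions (not stated on the page): a seven-day look-back, a 5000-entry
# cap, and OriginatingServer formatted as "SERVERNAME (build)".

$AuditMailboxName = 'SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}'

# 1. Locate the audit arbitration mailbox: which database, which server, which version.
$auditMbx = Get-Mailbox -Arbitration -Identity $AuditMailboxName
$db       = Get-MailboxDatabase -Identity $auditMbx.Database
$server   = Get-ExchangeServer -Identity $db.Server
'{0} lives on database {1}, server {2} ({3})' -f $auditMbx.Name, $db.Name, $server.Name, $server.AdminDisplayVersion

# 2. Confirm the cmdlet extension agent is present and enabled.
Get-CmdletExtensionAgent | Where-Object { $_.Name -like '*Admin Audit*' } |
    Format-Table Name, Enabled, Priority -AutoSize

# 3. Show the organization-wide audit configuration (what is logged and for how long).
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogAgeLimit

# 4. Pull recent entries and count them per originating server. An Exchange 2010
#    server that appears here is demonstrably reaching the 2016-hosted mailbox.
$since   = (Get-Date).AddDays(-7)
$entries = Search-AdminAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000
$entries |
    Group-Object { ($_.OriginatingServer -split ' ')[0] } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 5. Flag servers with no audited cmdlet in the window. Silence is not proof of a
#    problem (nobody may have run a logged cmdlet there), but it is where to look first.
#    -notcontains instead of -notin so this also runs on the PowerShell 2.0 shell of Exchange 2010.
$seen = @($entries | ForEach-Object { ($_.OriginatingServer -split ' ')[0].ToUpper() })
Get-ExchangeServer |
    Where-Object { $seen -notcontains $_.Name.ToUpper() } |
    Format-Table Name, AdminDisplayVersion, ServerRole -AutoSize

# 6. Look at the AdminAuditLogs folder itself to confirm the entries are accumulating there.
Get-MailboxFolderStatistics -Identity $AuditMailboxName |
    Where-Object { $_.FolderPath -like '*AdminAuditLogs*' } |
    Format-Table FolderPath, ItemsInFolder, FolderSize -AutoSize
```

Step 4 is the one that settles the question: the agent runs inside the server-side cmdlet pipeline, so a 2010 server's entries reaching a 2016 database show that the server-to-server path already works, and a server that stops appearing after a network change is the first thing to check. Note that Search-AdminAuditLog only returns what the mailbox still holds; entries older than AdminAuditLogAgeLimit are gone.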

All replies

  • Hi Florent,

    As we know, administrator auditing consists of two components: the Admin Audit Log agent, which monitors administrator actions for auditing, and administrator audit logging, which writes the audit data to an audit mailbox. When you run any cmdlet in Exchange Server, the cmdlet calls the Admin Audit Log cmdlet extension agent, and the agent then contacts administrator audit logging to write the data to the audit mailbox.


    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    • Proposed as answer by Niko.Cheng Monday, November 12, 2018 3:10 AM
    Friday, November 9, 2018 9:31 AM
  • Hi Florent,

    Thanks for sharing. If the issue has been resolved, please mark the helpful replies as answers; this will make answer searching in the forum easier and be beneficial to other community members as well.
    Thanks for your understanding.


    Best Regards,
    Niko Cheng


    • Proposed as answer by Niko.Cheng Friday, November 16, 2018 9:00 AM
    Wednesday, November 14, 2018 9:59 AM