(0) exportieren Drucken
Alle erweitern

View and export the datacenter admin audit log

Exchange Online
 

Gilt für: Exchange Online

Letztes Änderungsdatum des Themas: 2013-10-18

In Exchange Online, actions performed by Microsoft datacenter administrators are logged in the administrator audit log. You can use the EAC or the Shell to search for and view audit log entries to determine if datacenter administrators performed any actions on or changed the configuration of your Exchange Online organization by datacenter administrators. You can also use the Shell to export these audit log entries.

  • Estimated time to complete: This will vary based on whether you view or export entries from the datacenter admin audit log. See each procedure for its estimated time to complete.

  • Bevor Sie dieses Verfahren bzw. diese Verfahren ausführen können, müssen Ihnen die entsprechenden Berechtigungen zugewiesen werden. Informationen zu den von Ihnen benötigten Berechtigungen finden Sie unter "View-only administrator audit logging" entry in the Exchange- und Shellinfrastrukturberechtigungen topic.

  • When you export the datacenter admin audit log, Microsoft Exchange attaches the audit log, which is an XML file, to an email message that is sent to the specified recipients. However, Outlook Web App blocks XML attachments by default. If you want to use Outlook Web App to access these audit logs, you have to configure Outlook Web App to allow XML attachments. Run the following command to allow XML attachments in Outlook Web App.

    Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes '.rpmsg','.xlsx','.xlsm','.xlsb','.tiff','.pptx','.pptm','.ppsx','.ppsm','.docx','.docm','.zip','.xls','.wmv','.wma','.wav','.vsd','.txt','.tif','.rtf','.pub','.ppt','.png','.pdf','.one','.mp3','.jpg','.gif','.doc','.bmp','.avi','.xml'
    
  • Informationen zu Tastenkombinationen für die Verfahren in diesem Thema finden Sie unter Tastenkombinationen in der Exchange-Verwaltungskonsole.

TippTipp:
Liegt ein Problem vor? Bitten Sie in den Exchange-Foren um Hilfe. Besuchen Sie die Foren unter: Exchange Server, Exchange Online oder Exchange Online Protection

Estimated time to complete: 3 minutes

  1. Go to Compliance management > Auditing, and click View the datacenter admin audit log. All configuration changes made by datacenter administrators during the specified time period are displayed, and can be sorted, using the following information:

    • Date   The date and time that the configuration change was made. The date and time are stored in Coordinated Universal Time (UTC) format.

    • Cmdlet   The name of the cmdlet that was used to make the configuration change.

      If you select an individual search result, the following information is displayed in the details pane:

      • The date and time that the cmdlet was run.

      • The user who ran the cmdlet. For all entries in the datacenter admin audit log, the user is identified as Administrator, which indicates a Microsoft datacenter administrator.

      • The cmdlet parameters that were used, and any value specified with the parameter, in the format Parameter:Value.

  2. If you want to print a specific audit log entry, select it in the search results pane and then click Print in the details pane.

  3. To narrow the search, choose dates in the Start date and End date drop-down menus, and then click Search.

Estimated time to complete: 3 minutes

You can use the Search-AdminAuditLog cmdlet with the ExternalAccess parameter to view entries from the administrator audit log for actions performed by Microsoft datacenter administrators.

This command returns all entries in the administrator audit log for cmdlets run by datacenter administrators.

Search-AdminAuditLog -ExternalAccess $true

This command returns entries in the administrator audit log for cmdlets run by datacenter administrators between September 17, 2013 and October 2, 2013.

Search-AdminAuditLog -ExternalAccess $true -StartDate 09/17/2013 -EndDate 10/02/2013

For more information, see Search-AdminAuditLog.

Estimated time to complete: Approximately 24 hours

You can use the New-AdminAuditLogSearch cmdlet with the ExternalAccess parameter to export entries from the administrator audit log for actions performed by Microsoft datacenter administrators. Microsoft Exchange retrieves entries in the administrator audit log that were performed by datacenter administrators and saves them to a file named SearchResult.xml. This XML file is attached to an email message that is sent to the specified recipients within 24 hours.

The following command returns entries in the administrator audit log for cmdlets run by Microsoft datacenter administrators between September 25, 2013 and October 24, 2013. The search results are sent to the admin@contoso.com and pilarp@contoso.com SMTP addresses and the text "Datacenter admin audit log" is added to the subject line of the message.

New-AdminAuditLogSearch -ExternalAccess $true -EndDate 10/24/2013 -StartDate 07/25/2013 -StatusMailRecipients admin@contoso.com,pilarp@contoso.com -Name "Datacenter admin audit log"
HinweisAnmerkung:
When you include the ExternalAccess parameter, only entries for actions performed by Microsoft datacenter administrator are included in the audit log that is exported. If you don’t include the ExternalAccess parameter, the audit log will contain entries for actions performed by the administrators in your organization and by Microsoft datacenter administrators.

To verify that the command to export the datacenter audit log was successful, and to display information about current administrator audit log searches, run the following command:

Get-AuditLogSearch | FL

  • The administrator audit log records specific actions, based on Exchange Management Shell cmdlets, performed by administrators and users who have been assigned administrative privileges. Actions performed by datacenter administrators are also logged. Entries in the datacenter admin audit log provide you with information about the cmdlet that was run, which parameters were used, and what objects were affected.

  • The administrator audit log doesn’t record any action that is based on an Exchange Management Shell cmdlet that begins with the verbs Get, Search, or Test.

  • Audit log entries are kept for 90 days. When an entry is older than 90 days, it's deleted.

 
Fanden Sie dies hilfreich?
(1500 verbleibende Zeichen)
Vielen Dank für Ihr Feedback.
Anzeigen:
© 2014 Microsoft