Configure Administrator Audit Logging

Applies to: Exchange Server 2010

Administrator audit logging in Microsoft Exchange Server 2010 enables you to create a log entry each time a specified cmdlet is run. Log entries detail what cmdlet was run, which parameters were used, who ran the cmdlet and what objects were affected. For more information about administrator audit logging, see Overview of Administrator Audit Logging.

You must use the Shell to configure administrator audit logging.

Important

Administrator audit logging relies on Active Directory replication to replicate the configuration settings you specify to the domain controllers in your organization. Depending on your replication settings, the changes you make may not be immediately applied to all Exchange 2010 servers in your organization.
Changes to the audit log configuration are refreshed every 60 minutes on computers that have the Shell open at the time a configuration change is made. If you want to apply the changes immediately, close and then open the Shell again on each computer.

What Do You Want to Do?

  • Specify the cmdlets to be audited
  • Specify the parameters to be audited
  • Specify the auditing mailbox
  • Enable administrator audit logging

Specify the cmdlets to be audited

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

By default, audit logging creates a log entry for every cmdlet that's run. If you're enabling audit logging for the first time and want this behavior, you don't have to change the cmdlet audit list. If you've previously specified cmdlets to audit and now want to audit all cmdlets, you can do so by specifying the wildcard character ( * ) with the AdminAuditLogCmdlets parameter on the Set-AdminAuditLogConfig cmdlet as shown in the following command:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *

You can specify which cmdlets to audit by providing a list of cmdlets using the AdminAuditLogCmdlets parameter. When you provide the list of cmdlets to audit, you can provide single cmdlets, cmdlets with wildcard characters ( * ), or a mix of both. Each entry in the list is separated by commas. The following values are all valid:

  • New-Mailbox
  • *TransportRule
  • *Management*
  • Set-Transport*

For example, the following command audits the cmdlets specified in the list above:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets New-Mailbox, *TransportRule, *Management*, Set-Transport*

Specify the parameters to be audited

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

By default, audit logging creates a log entry for every cmdlet that's run, regardless of the parameters that are specified. If you're enabling audit logging for the first time and want this behavior, you don't have to change the parameter audit list. If you've previously specified parameters to audit and now want to audit all parameters, you can do so by specifying the wildcard character ( * ) with the AdminAuditLogParameters parameter on the Set-AdminAuditLogConfig cmdlet as shown in the following command:

Set-AdminAuditLogConfig -AdminAuditLogParameters *

You can specify which parameters you want to audit by using the AdminAuditLogParameters parameter. When you provide the list of parameters to audit, you can provide single parameters, parameters with wildcard characters ( * ), or a mix of both. Each entry in the list is separated by commas. The following values are all valid:

  • Database
  • *Address*
  • Custom*
  • *Region

Note

For an audit log entry to be created when a command is run, the command must include at least one parameter that exists on at least one cmdlet specified with the AdminAuditLogCmdlets parameter.

For example, the following command audits the parameters specified in the list above:

Set-AdminAuditLogConfig -AdminAuditLogParameters Database, *Address*, Custom*, *Region
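The following is an added example, not part of the original topic and not Exchange's own code. It models how the cmdlet list and the parameter list combine, so you can check which commands a narrowed configuration would leave unlogged. The function name Test-WouldBeAudited is hypothetical, the sample commands are constructed, and it assumes the audit-list wildcards match the way the PowerShell -like operator does.

```powershell
# Added illustration, not Exchange code. It models the rule in the Note above.
# Assumption: audit-list wildcards match the way PowerShell's -like operator does.
function Test-WouldBeAudited {
    param(
        [string[]]$AuditCmdlets,     # list given to -AdminAuditLogCmdlets
        [string[]]$AuditParameters,  # list given to -AdminAuditLogParameters
        [string]$Cmdlet,             # cmdlet an administrator runs
        [string[]]$ParametersUsed    # parameter names on that command line
    )
    # The cmdlet must match at least one entry in the cmdlet list.
    $cmdletListed = @($AuditCmdlets | Where-Object { $Cmdlet -like $_ }).Count -gt 0
    if (-not $cmdletListed) { return $false }
    # At least one supplied parameter must match an entry in the parameter list.
    foreach ($name in $ParametersUsed) {
        if (@($AuditParameters | Where-Object { $name -like $_ }).Count -gt 0) { return $true }
    }
    return $false
}

# The two lists used in the commands on this page.
$auditCmdlets    = 'New-Mailbox', '*TransportRule', '*Management*', 'Set-Transport*'
$auditParameters = 'Database', '*Address*', 'Custom*', '*Region'

# Constructed sample commands (cmdlet name plus the parameter names supplied).
$samples = @(
    @{ Cmdlet = 'New-Mailbox';         Parameters = 'Name', 'Database' },
    @{ Cmdlet = 'New-Mailbox';         Parameters = 'Name', 'Alias' },
    @{ Cmdlet = 'Set-Mailbox';         Parameters = 'Identity', 'CustomAttribute1' },
    @{ Cmdlet = 'Set-TransportConfig'; Parameters = 'ExternalPostmasterAddress' }
)

foreach ($s in $samples) {
    $logged = Test-WouldBeAudited -AuditCmdlets $auditCmdlets -AuditParameters $auditParameters `
        -Cmdlet $s.Cmdlet -ParametersUsed $s.Parameters
    New-Object PSObject -Property @{
        Cmdlet     = $s.Cmdlet
        Parameters = $s.Parameters -join ', '
        Logged     = $logged
    }
}
```

The second and third samples show the two coverage gaps a narrowed configuration creates: a listed cmdlet run without any listed parameter, and a listed parameter used on a cmdlet outside the list.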

Specify the auditing mailbox

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

You can specify the SMTP address of the mailbox where you want to store administrator audit logs using the AdminAuditLogMailbox parameter on the Set-AdminAuditLogConfig cmdlet. The SMTP address should be a mailbox that resides within your Exchange organization. For example, to store the audit logs in the mailbox with the SMTP address david@contoso.com, use the following command:

Set-AdminAuditLogConfig -AdminAuditLogMailbox david@contoso.com

Enable administrator audit logging

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

Note

If you haven't previously configured administrator audit logging, you must specify the cmdlets and parameters to be audited and specify an auditing mailbox before you enable administrator audit logging.

You can enable administrator audit logging by setting the AdminAuditLogEnabled parameter to $True on the Set-AdminAuditLogConfig cmdlet. For example, run the following command to enable administrator audit logging:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
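The four procedures above in the order the Note requires, as an added example that is not part of the original topic. Get-Mailbox and Get-AdminAuditLogConfig are Exchange cmdlets that this page does not show, and the property names passed to Format-List are assumed to mirror the Set-AdminAuditLogConfig parameter names.

```powershell
# Added example for the Exchange Management Shell; not from the original page.
$auditMailbox = 'david@contoso.com'   # auditing mailbox address used on this page

# Stop here if the address does not resolve to a mailbox in this organization.
Get-Mailbox -Identity $auditMailbox -ErrorAction Stop | Out-Null

# Cmdlet list, parameter list and auditing mailbox are set before enabling.
# The wildcard values restore the default of auditing every cmdlet and parameter.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets * -AdminAuditLogParameters * `
    -AdminAuditLogMailbox $auditMailbox

# Enable logging only after the three settings above are in place.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True

# Read the configuration back to confirm what was stored.
# Assumption: these property names mirror the parameter names.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, AdminAuditLogCmdlets, AdminAuditLogParameters, AdminAuditLogMailbox
```

Because the settings replicate through Active Directory, other servers and any Shell sessions that were already open can lag behind the values read back here.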

Other Tasks

After you enable administrator audit logging, you may also want to change the cmdlets or parameters being audited, change the mailbox where logs are being stored, view your settings, or disable administrator audit logging. For more information, see the following topics: