Export the Administrator Audit Log


Applies to: Exchange Server 2013, Exchange Online Preview

Administrator audit logging records specific actions performed by administrators and users who've been assigned administrative privileges. Any action that is based on an Exchange Management Shell cmdlet and doesn't begin with the verbs Get, Search, or Test is logged in the administrator audit log. That means that whenever an administrator uses the Shell, the Exchange Administration Center (EAC), or Outlook Web App > Options to perform any action that creates, modifies, or deletes an object, the action is logged in the administrator audit log.

When you search for and export entries from the administrator audit log, Microsoft Exchange saves the search results in an XML file and then attaches it to an email message sent to the specified recipients.

What do you need to know before you begin?

  • Estimated time to complete each procedure: In Microsoft Exchange Online, the administrator audit log is sent within 24 hours after you export it.
  • Procedures in this topic require specific permissions. See each procedure for its permissions information.
  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Administration Center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server or Exchange Online.

What do you want to do?

Use the Shell to configure Outlook Web App to allow XML attachments

When you export the administrator audit log, Exchange attaches the audit log, which is an XML file, to an email message. However, Outlook Web App blocks XML attachments by default. If you want to access the exported audit log with Outlook Web App, you have to configure Outlook Web App to allow XML attachments. Alternatively, you can use Microsoft Outlook to view the administrator audit log.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the Outlook Web App "Mailbox policies" entry in the Clients and Mobile Devices Permissions topic.

Run the following command to allow XML attachments in Outlook Web App.

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AllowedFileTypes '.rpmsg','.xlsx','.xlsm','.xlsb','.tiff','.pptx','.pptm','.ppsx','.ppsm','.docx','.docm','.zip','.xls','.wmv','.wma','.wav','.vsd','.txt','.tif','.rtf','.pub','.ppt','.png','.pdf','.one','.mp3','.jpg','.gif','.doc','.bmp','.avi','.xml'

Export the administrator audit log

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

  1. In the EAC, navigate to Compliance Management > Auditing.
  2. Click Export the administrator audit log.
  3. Configure the following search criteria for exporting the entries from the administrator audit log:
    • Start and end dates   Select the date range for the entries to include in the exported file.
    • Recipients   Select the users to send the administrator audit log to.
  4. Click Export.
    Exchange retrieves entries in the administrator audit log that meet your search criteria, saves them to a file named SearchResult.xml, and then attaches the XML file to an email message sent to the specified recipients. As previously stated, in Exchange Online, this message is sent within 24 hours after exporting the audit log.

View the administrator audit log

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

To open or save the SearchResult.xml file:

  1. Sign in to the mailbox where the administrator audit log was sent.
  2. In the Inbox, open the message with the XML file attachment sent by Exchange. Notice that the body of the email message contains the search criteria.
  3. Click the attachment and select to open or save the XML file.

Entries in the administrator audit log

The administrator audit log contains an entry for each cmdlet, together with its parameters, that an administrator has run. The following example shows two entries. Each entry begins with the <Event> XML tag and ends with the </Event> XML tag.

The first entry shows that administrator audit logging was enabled on April 26, 2010. The second entry shows that litigation hold was enabled on the mailbox annb.

<Event Caller="PPLNSL-dom.extest.microsoft.com/Microsoft Exchange Hosted Organizations/contoso.com/Administrator"
  Cmdlet="Set-AdminAuditLogConfig"
  ObjectModified="Admin Audit Log Settings"
  RunDate="4/26/2010 11:22:40 PM" Succeeded="true" Error="None">
  <CmdletParameters>
    <Parameter Name="AdminAuditLogEnabled" Value="True" />
  </CmdletParameters>
  <ModifiedProperties>
    <Property Name="AdminAuditLogFlags" OldValue="" NewValue="AdminAuditLogEnabled" />
    <Property Name="AdminAuditLogEnabled" OldValue="False" NewValue="True" />
    <Property Name="ObjectState" OldValue="Unchanged" NewValue="Changed" />
  </ModifiedProperties>
</Event>
<Event Caller="PPLNSL-dom.extest.microsoft.com/Microsoft Exchange Hosted Organizations/contoso.com/Administrator"
  Cmdlet="Set-Mailbox"
  ObjectModified="annb"
  RunDate="4/27/2010 10:56:07 PM" Succeeded="true" Error="None">
  <CmdletParameters>
    <Parameter Name="LitigationHoldEnabled" Value="True" />
    <Parameter Name="Identity" Value="8a015de3-8597-416e-bbda-de48eaa95f8" />
  </CmdletParameters>
  <ModifiedProperties>
    <Property Name="ElcMailboxFlags" OldValue="ElcV2" NewValue="ElcV2, LitigationHold" />
    <Property Name="LitigationHoldEnabled" OldValue="False" NewValue="True" />
    <Property Name="LitigationHoldDate" OldValue="" NewValue="4/27/2010 10:56:06 PM" />
    <Property Name="ObjectState" OldValue="Unchanged" NewValue="Changed" />
  </ModifiedProperties>
</Event>

Note

Only the first 1,024 characters of each property value listed in the administrator audit log are audited, so only those characters are included in the log.

Useful fields in the administrator audit log

Watch for these fields. They can help you identify specific information about each cmdlet run by an administrator.

Field   Description

  • Caller   The user who ran the cmdlet.
  • Cmdlet   The cmdlet that was run by the user in the Caller field.
  • ObjectModified   The name of the object that was modified by the cmdlet.
  • RunDate   The date and time when the cmdlet was run.
  • Succeeded   Specifies whether the cmdlet ran successfully. The value is either True or False.
  • Error   Contains the error message if the cmdlet failed to complete successfully.
  • Parameter Name   The name of the parameter that was specified when the cmdlet was run.
  • Value   The value that was provided for the parameter specified in the Parameter Name field.
  • Property Name   The name of the property that was changed when the cmdlet was run.
  • OldValue   The value for the property before it was changed.*
  • NewValue   The value for the property after it was changed.*

* The value for this field can be very large. As stated earlier, only the first 1,024 characters are included in the administrator audit log.
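An added example (not part of this topic or of Exchange itself) showing how a reviewer can parse an exported SearchResult.xml offline with Python, pull out the fields listed above, and surface the entries worth reading first: failed cmdlets and changes to watched properties. The sample is constructed from the litigation-hold entry shown earlier plus a constructed failed run; the <SearchResults> root element, the helpdesk1 caller and the watch-list of property names are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the litigation-hold entry shown above plus a constructed failed run.
# The <SearchResults> wrapper is an assumption so the <Event> fragments parse as one document.
SAMPLE_XML = """<SearchResults>
<Event Caller="contoso.com/Administrator" Cmdlet="Set-Mailbox" ObjectModified="annb"
  RunDate="4/27/2010 10:56:07 PM" Succeeded="true" Error="None">
  <CmdletParameters><Parameter Name="LitigationHoldEnabled" Value="True" /></CmdletParameters>
  <ModifiedProperties><Property Name="LitigationHoldEnabled" OldValue="False" NewValue="True" /></ModifiedProperties>
</Event>
<Event Caller="contoso.com/helpdesk1" Cmdlet="Set-AdminAuditLogConfig" ObjectModified="Admin Audit Log Settings"
  RunDate="5/1/2010 9:03:11 AM" Succeeded="false" Error="Access denied">
  <CmdletParameters><Parameter Name="AdminAuditLogEnabled" Value="False" /></CmdletParameters>
  <ModifiedProperties />
</Event>
</SearchResults>"""

# Property changes worth a second look; this watch-list is an assumption, not from the topic.
WATCHED = {"AdminAuditLogEnabled", "LitigationHoldEnabled"}

def parse_events(xml_text):
    """Return one dict per <Event>, keyed by the fields described in the list above."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        events.append({
            "caller": ev.get("Caller"),
            "cmdlet": ev.get("Cmdlet"),
            "object": ev.get("ObjectModified"),
            "run_date": datetime.strptime(ev.get("RunDate"), "%m/%d/%Y %I:%M:%S %p"),
            "succeeded": ev.get("Succeeded", "").lower() == "true",
            "error": ev.get("Error"),
            "parameters": {p.get("Name"): p.get("Value") for p in ev.iter("Parameter")},
            "changes": {p.get("Name"): (p.get("OldValue"), p.get("NewValue")) for p in ev.iter("Property")},
        })
    return events

def review(events):
    """Findings to read first: failed cmdlets (with what they tried) and watched property changes."""
    findings = []
    for e in events:
        when = e["run_date"].strftime("%Y-%m-%d %H:%M:%S")
        if not e["succeeded"]:
            tried = ", ".join(f"{k}={v}" for k, v in sorted(e["parameters"].items()))
            findings.append(f"{when} {e['caller']} failed {e['cmdlet']} ({tried}): {e['error']}")
        for name, (old, new) in e["changes"].items():
            if name in WATCHED:
                findings.append(f"{when} {e['caller']} set {name} on {e['object']}: {old!r} -> {new!r}")
    return findings
```

Call review(parse_events(open("SearchResult.xml").read())) on a real export to get the same findings for your own log; a failed Set-AdminAuditLogConfig with AdminAuditLogEnabled=False is exactly the kind of entry the failure check is meant to surface.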

Quota for the administrator audit log

The administrator audit log is stored in the Recoverable Items folder, a hidden system mailbox that was called the dumpster in previous versions of Exchange. The quota for the Recoverable Items folder is 30 GB. Audit log entries are kept for 90 days, and then deleted.

Note

In Exchange Online, if the Recoverable Items folder reaches 80% of the 30 GB quota—which is unlikely—an alert will be sent to Microsoft datacenter administrators.

How do you know this worked?

Sign in to the mailbox where the administrator audit log was sent. If you’ve successfully exported the audit log, you’ll receive a message sent from Exchange. The audit log will be attached to this message. As previously stated, in Exchange Online, it may take up to 24 hours to receive this message.