Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2013-01-30
You can use administrator audit logging in Microsoft Exchange Server 2010 to record actions taken by a user or administrator that make changes in your organization. By keeping a log of the changes, you can trace a change to the person who made it. You can also augment your change logs with detailed records of the change as it was implemented, use the records to comply with regulatory requirements and requests for discovery, and so on.
By default, audit logging is enabled in new installations of Microsoft Exchange Server 2010 Service Pack 1 (SP1).
What Gets Audited
Cmdlets that are run directly in the Exchange Management Shell are audited. In addition, operations that are performed by using the Exchange Management Console (EMC) and the Exchange Web management interface are also logged because those operations run cmdlets in the background.
Regardless of where it’s run, a cmdlet is audited if it’s on the cmdlet auditing list and if one or more parameters on that cmdlet are on the parameter auditing list. Get- and Search- cmdlets aren't logged. Audit logging is intended to show what actions have been taken to modify objects in an Exchange organization rather than what objects have been viewed.
|A cmdlet might not be logged if an error occurs before the
cmdlet calls the Admin Audit Log cmdlet extension agent. If an
error occurs after the Admin Audit Log agent is called, the cmdlet
is logged together with the associated error. For more information,
see the Admin Audit Log
Agent section later in this topic.
Changes that are made by using Microsoft Exchange Server 2007 management tools aren't logged.
Changes to the audit log configuration are refreshed every 60 minutes on computers that have the Shell open at the time a configuration change is made. If you want to apply the changes immediately, close and then open the Shell again on each computer.
Audit Logging Configuration
By default, if audit logging is enabled, a log entry is created every time any cmdlet, other than a Get- or Search- cmdlet, is run. If you don't want to audit every cmdlet that's run, you can configure audit logging to audit only the cmdlets and parameters you're interested in. You configure audit logging with the Set-AdminAuditLogConfig cmdlet. The parameters referenced in the following sections are used with this cmdlet.
|Changes to the administrator audit log configuration are always logged, regardless of whether the Set-AdministratorAuditLog cmdlet is included in the list of cmdlets being audited, or whether audit logging is enabled or disabled.|
When a command is run, Exchange inspects the cmdlet that was used. If the cmdlet that was run matches any of the cmdlets provided with the AdminAuditLogConfigCmdlets parameter, Exchange then checks the parameters specified in the AdminAuditLogConfigParameters parameter. If at least one or more parameters from the parameters list are matched, Exchange logs the cmdlet that was run in the mailbox specified by using the AdminAuditLogMailbox parameter.
|With Exchange 2010 release to manufacturing (RTM), you specify an administrator audit log mailbox. Administrator audit logging in Exchange 2010 SP1 uses a dedicated mailbox. This dedicated mailbox can't be changed or configured.|
The following sections contain more information about each aspect of the audit logging configuration.
For more information about how to manage audit logging configuration, see Configure Administrator Audit Logging.
You can control which cmdlets are audited by providing
a list of cmdlets, and their parameters, that you want to log. When
you configure audit logging, you can specify to audit every cmdlet,
or you can specify the cmdlets you want to audit using the
AdminAuditLogConfigCmdlets parameter. You can specify full
cmdlet names, such as New-Mailbox, or you can specify
partial cmdlet names and enclose those names in wildcard
characters, such as an asterisk (
*). For example, if
you want to log when any cmdlet that contains the string
Transport runs, you can specify a value of
*Transport*. You can use a mix of full cmdlet names
and partial cmdlet names at the same time to tailor the audit
logging configuration to your needs.
In addition to specifying which cmdlets you want to
log, you can also indicate that cmdlets should only be logged if
certain parameters on those cmdlets are used. Use the
AdminAuditLogConfigParameters parameter to specify which
parameters should be logged. As with cmdlets, you can specify full
parameter names, such as
Database, or partial
parameter names enclosed in wildcard characters (
*Address*, or a combination of both.
Audit Log Age Limit
By default, audit logging is configured to store audit
log entries for 90 days. After 90 days, the audit log entry is
deleted. You can change the audit log age limit using the
AdminAuditLogAgeLimit parameter. You can specify the number
of days, hours, minutes, and seconds that audit log entries should
be kept. To specify a value, use the format
dd.hh:mm:ss where the following applies:
- dd The number of days to keep the audit
- hh The number of hours to keep the
audit log entry.
- mm The number of minutes to keep the
audit log entry.
- ss The number of seconds to keep the
audit log entry.
You must specify multiple years using the
dd field. For example, 365 days equals one year; 730
days equals two years; 913 days equals two years and six months.
For example, to set the audit log age limit to two years and six
months, use the syntax
|You can set the audit log age limit to a value that's less than
the current age limit. If you do this, any audit log entry whose
age exceeds the new age limit is deleted.
If you set the age limit to 0, Exchange deletes all the entries in the audit log.
We recommend that you grant permissions to configure the audit log age limit only to highly trusted users.
Cmdlets that begin with the verb Test aren't
logged by default. You can indicate that Test cmdlets should
be logged by setting the TestCmdletLoggingEnabled parameter
$true. Although you can enable logging of test
cmdlets, we recommend that you do this only for short periods of
time. This is because test cmdlets can produce a large amount of
Each time that a cmdlet is logged, an audit log entry is created. Audit logs are stored in a hidden, dedicated arbitration mailbox that can be accessed only by using the Exchange Control Panel (ECP) Auditing Reports page or the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlet. Audit logs can't be opened by using Microsoft Office Outlook Web App or Microsoft Outlook. The following sections provide information about the following:
- What's included in the logs
- Reports available on the ECP Auditing Reports page
- Audit log search cmdlets
|With Exchange 2010 release to manufacturing (RTM), you specify
an administrator audit log mailbox. Administrator audit logging in
Exchange 2010 SP1 uses a dedicated mailbox. This dedicated mailbox
can't be changed or configured.
The ECP Auditing Reports page, and the Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets work only with Exchange 2010 SP1 administrator audit logs. To view the contents of an Exchange 2010 RTM audit log mailbox, you must open that mailbox using Outlook Web App or an e-mail client such as Outlook.
Audit Log Contents
Each audit log entry contains the information described in the following table. The audit log contains one or more audit log entries. The number of audit log entries is controlled by the audit log age limit that’s specified by using the Set-AdminAuditLog cmdlet. Any audit log entry that exceeds the age limit is deleted.
Audit log entry fields
This field is used internally by Exchange.
This field contains the object that was modified by the cmdlet
specified in the
This field contains the name of the cmdlet that was run by the
user in the
This field contains the parameters that were specified when the
cmdlet in the
This field contains the properties that were modified on the
object in the
This field contains the user account of the user who ran the
cmdlet in the
This field specifies whether the cmdlet in the
This field contains the error message generated if the cmdlet in
This field contains the date and time when the cmdlet in the
This field is used internally by Exchange.
This field is used internally by Exchange.
ECP Audit Reports
The Auditing Reports page in the ECP has several reports that provide information on various types of compliance and administrative configuration changes. The following reports provide information on configuration changes in your organization:
- Administrator Role Changes This report
enables you to search for changes to management role groups that
you specify within a specified timeframe. The results that are
returned include the role groups that have been changed, who
changed them and when, and what changes were made. A maximum of
3,000 entries can be returned. If your search might return more
than 3,000 entries, use the Export Configuration Changes
report or the Search-AdminAuditLog cmdlet.
- Export Configuration Changes This
report enables you to export the audit log entries recorded within
a specified timeframe to a XML file and then email the file to a
recipient you specify. For more information about the contents of
the XML file, see Administrator Audit Log
For information about how to use these reports, see Search the Administrator Audit Log.
Reports for litigation hold, mailbox configuration changes, and non-owner mailbox access are also included on the Auditing Reports page. For more information about these reports, see:
When you run the Search-AdminAuditLog cmdlet, all the audit log entries that match the search criteria that you specify are returned. You can specify the following search criteria:
- Cmdlets Specifies the cmdlets you want
to search for in the administrator audit log.
- Parameters Specifies the parameters you
want to search for in the administrator audit log. You can only
search for parameters if you specify a cmdlet to search for.
- End date Scopes the administrator audit
log results to log entries that occurred on or before the specified
- Start date Scopes the administrator
audit log results to log entries that occurred on or after the
- Object IDs Specifies that only
administrator audit log entries that contain the specified changed
objects should be returned
- User IDs Specifies that only the
administrator audit log entries that contain the specified IDs of
the user who ran the cmdlet should be returned.
- Successful completion Specifies whether
only administrator audit log entries that indicated a success or
failure should be returned.
Each audit log entry returned contains the information
described in the table in Audit Log Contents. By
default, only the first 1,000 log entries that match the criteria
you specify are returned. However, you can override this default
and return more or fewer entries using the ResultSize
parameter. You can specify a value of
the ResultSize parameter to return all log entries that
match the specified criteria.
For information about how to use the Search-AdminAuditLog cmdlet, see Search the Administrator Audit Log.
The New-AdminAuditLogSearch cmdlet searches the audit log just like the Search-AdminAuditLog cmdlet. However, instead of displaying the results of the audit log search in the Shell, the New-AdminAuditLogSearch cmdlet performs the search and then sends the results of the search to a recipient you specify via e-mail. The results are included as an XML attachment to the e-mail message.
You can use the same search criteria with the New-AdminAuditLogSearch cmdlet that's used on the Search-AdminAuditLog cmdlet. For a list of the search criteria, see Search-AdminAuditLog Cmdlet.
After you run the New-AdminAuditLogSearch cmdlet, Exchange may take up to 15 minutes to deliver the report to the specified recipient. The XML file attached report can be a maximum of 10 megabytes (MB). The XML file contains the same information described in the table in Audit Log Contents. For more information about the structure of the XML file, see Administrator Audit Log Structure.
|Outlook Web App doesn't allow you to open XML attachments by default. You can either configure Exchange to allow XML attachments to be viewed using Outlook Web App, or you can use another e-mail client, such as Microsoft Office Outlook, to view the attachment. For information about how to configure Outlook Web App to allow you to view an XML attachment, see View or Configure Outlook Web App Virtual Directories.|
For information about how to use the New-AdminAuditLogSearch cmdlet, see Search the Administrator Audit Log.
Manual Audit Log Entries
In addition to logging Exchange cmdlets when they're run, Exchange 2010 SP1 enables you to manually write log entries to the audit log. Exchange 2010 SP1 supports this using the Write-AdminAuditLog cmdlet. Situations where you might want to add a manual log entry include the following:
- Custom script entry and exit
- Change control information
- Maintenance start and end times
With the Write-AdminAuditLog cmdlet, you specify a string of text to include in the audit log using the Comment parameter. The Comment parameter accepts an alphanumeric string up to 500 characters. Included in the manual audit log entry along with the comment string is all of the same information captured when an Exchange cmdlet is logged. For a description of each field included in the audit log, see the table in Audit Log Contents.
You can retrieve manual audit log entries the same way as any other log entry, using the ECP Auditing Reports page or using the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlets.
To view the contents of the Comment parameter on the Write-AdminAuditLog cmdlet in a manual audit log entry, see Search the Administrator Audit Log.
Active Directory Replication
Administrator audit logging relies on Active Directory replication to replicate the configuration settings you specify to the domain controllers in your organization. Depending on your replication settings, the changes you make may not be immediately applied to all servers running Exchange 2010 in your organization.
Admin Audit Log Agent
The Admin Audit Log built-in cmdlet extension agent performs administrator audit logging of cmdlet operations in Exchange 2010. This agent reads the audit log configuration, and then performs an evaluation of each cmdlet run in your organization. If the criteria you've specified in the audit log configuration matches the cmdlet that's being run, the agent generates an audit log.
The Admin Audit Log agent is enabled by default, which is required for audit logging to function. It can't be disabled, and its priority can't be changed. For more information about cmdlet extension agents, see Understanding Cmdlet Extension Agents.
How Admin Audit Logs May Cause Rapid Database Growth
By default, the admin audit log is enabled in Exchange Server 2010. The log results are stored in the arbitration mailbox in the AdminAuditLogs folder. If cmdlets are executed in the Exchange Management Shell frequently, multiple log entries are generated, and may cause the size of the database to grow quickly. This behavior may occur even if no user mailboxes exist.
To determine the size of the AdminAuditLogs folder, run the following cmdlet in the Exchange Management Shell: Get-MailboxFolderstatistics "Guid of arbitration mailbox" -FolderScope RecoverableItems –IncludeAnalysis. Next, view the item count and size of the AdminAuditLogs folder.
If the item count and the size of the AdminAuditLogs folder are high, run the following cmdlet to delete the items from the folder: Search-Mailbox Guid of arbitration mailbox -Dumpsteronly -deletecontent.
A cmdlet that is being executed frequently may be causing the database growth. Typically, the cmdlet is in a script that is scheduled to run periodically. Identify the cmdlet that is causing the admin audit log to grow. After you confirm that the cmdlet can be excluded from the admin audit log, run the following cmdlet in the Exchange Management Shell: Set-AdminAuditLogConfig AdminAuditLogExcludedCmdlets cmdlet name. For example, run the following cmdlet: Set-AdminAuditLogConfig AdminAuditLogExcludedCmdlets Add-DistributionGroupMember. After you run the cmdlet, you must wait for replication to be completed.