Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2010-06-24

Administrator audit logs contain a record of all the cmdlets and parameters that have been run in the Exchange Management Shell and by the Exchange Management Console (EMC) and Exchange Control Panel (ECP). They're created on demand when you run the Export Configuration Changes report in the ECP, or when you run the New-AdminAuditLogSearch cmdlet in the Shell. For more information about audit logs, see Overview of Administrator Audit Logging.

The audit logs are XML files and can contain multiple audit log entries. The following table describes each XML tag and its associated attributes.

Audit log XML tags and attributes

| Element | Attribute | Description |
| --- | --- | --- |
| <?xml version="1.0" encoding="utf-8"?> | N/A | This is the XML document declaration tag. It's included in every audit log XML file and contains the XML version number and the character encoding value. |
| SearchResults | N/A | This tag contains all the audit log entries in the XML file. The Event tag is a child of this tag. There is only one SearchResults tag per XML file. |
| Event |  | This tag contains the audit log entry for an individual cmdlet. This tag contains the Caller, Cmdlet, ObjectModified, RunDate, Succeeded, and Error attributes. The CmdletParameters and ModifiedProperties tags are children of this tag. There is one Event tag per audit log entry. |
|  | Caller | This attribute contains the user account of the user who ran the cmdlet in the Cmdlet attribute. |
|  | Cmdlet | This attribute contains the name of the cmdlet that was run by the user in the Caller attribute. |
|  | ObjectModified | This attribute contains the object that was modified by the cmdlet specified in the Cmdlet attribute. The ModifiedProperties tag shows which properties were modified on this object. |
|  | RunDate | This attribute contains the date and time when the cmdlet in the Cmdlet attribute was run. The date and time are stored in Coordinated Universal Time (UTC) format. |
|  | Succeeded | This attribute specifies whether the cmdlet in the Cmdlet attribute ran successfully. The value is either True or False. |
|  | Error | This attribute contains the error message generated if the cmdlet in the Cmdlet attribute failed to complete successfully. If no error was encountered, the value is set to None. |
| CmdletParameters | N/A | This tag contains all of the parameters specified when the cmdlet was run. The Parameter tag is a child of this tag. There is one CmdletParameters tag per Event tag. |
| Parameter |  | This tag contains an individual parameter that was specified when the cmdlet was run. This tag contains the Name and Value attributes. There can be multiple Parameter tags per CmdletParameters tag. |
|  | Name | This attribute contains the name of the parameter that was specified on the cmdlet that was run. |
|  | Value | This attribute contains the value that was provided on the parameter specified in the Name attribute. |
| ModifiedProperties | N/A | This tag contains all of the properties that were modified by the cmdlet that was run. The Property tag is a child of this tag. There is one ModifiedProperties tag per Event tag. |
| Property |  | This tag contains an individual property that was specified when the cmdlet was run. This tag contains the Name, OldValue, and NewValue attributes. There can be multiple Property tags per ModifiedProperties tag. |
|  | Name | This attribute contains the name of the property that was modified when the cmdlet was run. |
|  | OldValue | This attribute contains the value that was contained in the property specified in the Name attribute before it was changed. |
|  | NewValue | This attribute contains the value that the property in the Name attribute was changed to. |

Example audit log entry

The following is an example of a typical audit log entry. Based on the information in the log entry, we know the following occurred:

  • On 3/5/2010 at 11:59 P.M. UTC, the user Administrator ran the cmdlet Set-Mailbox.

  • The two following parameters were provided when the Set-Mailbox cmdlet was run:

    • Identity with a value of david

    • ProhibitSendReceiveQuota with a value of 1.727 GB

  • The two following properties on the object david were modified:

    • ProhibitSendReceiveQuota with a new value of 1.727 GB, which replaced the old value of 523.4 MB

    • ObjectState with a new value of Changed, which replaced the old value of Unchanged

  • The operation completed successfully without any errors.

<?xml version="1.0" encoding="utf-8"?>
<SearchResults>
  <Event Caller="Wally14.extest.microsoft.com/Users/Administrator" Cmdlet="Set-Mailbox" ObjectModified="Wally14.extest.microsoft.com/Users/David" RunDate="3/5/2010 11:59:12 PM" Succeeded="true" Error="None">
    <CmdletParameters>
      <Parameter Name="Identity" Value="david" />
      <Parameter Name="ProhibitSendReceiveQuota" Value="1.727 GB (1,854,030,822 bytes)" />
    </CmdletParameters>
    <ModifiedProperties>
      <Property Name="ProhibitSendReceiveQuota" OldValue=" 523.4 MB (548,845,001 bytes) " NewValue="1.727 GB (1,854,030,822 bytes)" />
      <Property Name="ObjectState" OldValue="Unchanged" NewValue="Changed" />
    </ModifiedProperties>
  </Event>
</SearchResults>
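
For review or SIEM ingestion, an exported audit log can be parsed into typed records. The Python below is an added example, not part of the original topic or of Exchange itself; it normalises the details described in the table (RunDate as UTC, Succeeded as a boolean regardless of case, an Error of None as no error, padded property values trimmed). The function name, the second Event in the sample and the assumed RunDate format are illustrative assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the first Event is the page's example; the second is an
# invented failed attempt (the HelpDesk1 account and error text are made up).
SAMPLE = """\
<?xml version="1.0" encoding="utf-8"?>
<SearchResults>
  <Event Caller="Wally14.extest.microsoft.com/Users/Administrator" Cmdlet="Set-Mailbox" ObjectModified="Wally14.extest.microsoft.com/Users/David" RunDate="3/5/2010 11:59:12 PM" Succeeded="true" Error="None">
    <CmdletParameters>
      <Parameter Name="Identity" Value="david" />
      <Parameter Name="ProhibitSendReceiveQuota" Value="1.727 GB (1,854,030,822 bytes)" />
    </CmdletParameters>
    <ModifiedProperties>
      <Property Name="ProhibitSendReceiveQuota" OldValue=" 523.4 MB (548,845,001 bytes) " NewValue="1.727 GB (1,854,030,822 bytes)" />
      <Property Name="ObjectState" OldValue="Unchanged" NewValue="Changed" />
    </ModifiedProperties>
  </Event>
  <Event Caller="Wally14.extest.microsoft.com/Users/HelpDesk1" Cmdlet="Set-Mailbox" ObjectModified="Wally14.extest.microsoft.com/Users/David" RunDate="3/6/2010 12:03:40 AM" Succeeded="false" Error="Constructed error text">
    <CmdletParameters><Parameter Name="Identity" Value="david" /></CmdletParameters>
    <ModifiedProperties />
  </Event>
</SearchResults>
"""

def parse_audit_log(xml_text):
    """Return one dict per Event, with typed and whitespace-trimmed fields."""
    # An audit log needs no DTD; refusing one keeps entity-expansion input out.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("unexpected DOCTYPE in audit log")
    root = ET.fromstring(xml_text.lstrip())
    events = []
    for ev in root.findall("Event"):
        # Assumption: RunDate uses the month/day/year 12-hour form shown on the page.
        run = datetime.strptime(ev.get("RunDate"), "%m/%d/%Y %I:%M:%S %p")
        error = ev.get("Error", "None")
        events.append({
            "caller": ev.get("Caller"),
            "cmdlet": ev.get("Cmdlet"),
            "object": ev.get("ObjectModified"),
            "run_date": run.replace(tzinfo=timezone.utc),  # the log stores UTC
            "succeeded": ev.get("Succeeded", "").strip().lower() == "true",
            "error": None if error == "None" else error,
            "parameters": {p.get("Name"): p.get("Value")
                           for p in ev.findall("CmdletParameters/Parameter")},
            "changes": [(p.get("Name"), p.get("OldValue", "").strip(), p.get("NewValue", "").strip())
                        for p in ev.findall("ModifiedProperties/Property")],
        })
    return events
```

Filtering the returned list on `succeeded` being false, or grouping `changes` by `caller`, gives a quick view of who attempted or made which configuration changes.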