Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

You can search the administrator audit logs to discover who made changes to organization, server, and recipient configuration. This can be helpful when trying to track the cause of unexpected behavior, to identify a malicious administrator, or to verify that compliance requirements are being met. For more information about administrator audit logging, see Overview of Administrator Audit Logging.

Note:
The Exchange Control Panel (ECP) Auditing Reports page, the Search-AdminAuditLog cmdlet, and the New-AdminAuditLogSearch cmdlet work only with Microsoft Exchange Server 2010 Service Pack 1 (SP1) administrator audit logs. To view the contents of an Exchange 2010 release to manufacturing (RTM) audit log mailbox, you must open that mailbox using Microsoft Office Outlook Web App or an e-mail client such as Microsoft Outlook.

If you want to search for changes to litigation hold changes, see Managing Discovery.

If you want to search the mailbox audit log, see Managing Mailbox Audit Logging.

Prerequisites

Administrator audit logging must be enabled for audit log entries to be stored in the audit log. For information about how to enable audit logging, see Configure Administrator Audit Logging.

Use the ECP to view management role group changes

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

If you want to know what changes to management role group membership have been made to role groups in your organization, you can use the Administrator Role Changes report on the Auditing Reports page in the ECP. Using the Administrator Role Changes report, you can view a list of role groups that have changed during a specified date range. You can also select the specific role groups you want to view changes for.

  1. Log on to Outlook Web App.

  2. Click Options, and then click See All Options.

  3. In the drop-down list box next to Mail > Options, click My Organization from the Select what to manage list.

  4. Click Reporting, click Auditing, and then click Administrator Role Changes.

  5. Select a date range using the Start Date and End Date fields.

  6. Select the role groups you want to show changes for from the Select Role Groups field, or leave this field blank to search for changes in all role groups.

  7. Click Search.

If any changes are found using the criteria you specified, a list of changes will be displayed in the Search Results pane. Clicking a role group displays the changes to the role group in the details pane.

Use the ECP to export the administrator audit log

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

If you want to create an XML file that contains changes made to your organization, you can use the Export Configuration Changes report on the Auditing Reports page in the ECP. Using the Export Configuration Changes report, you can specify a date range to search for audit log entries that contain changes made by users you specify. The XML file is then sent to a recipient as an e-mail attachment. The maximum size of the XML file is 10 megabytes (MB).

Note:
Outlook Web App doesn't allow you to open XML attachments by default. You can either configure Exchange to allow XML attachments to be viewed using Outlook Web App, or you can use another e-mail client, such as Microsoft Office Outlook, to view the attachment. For information about how to configure Outlook Web App to allow you to view an XML attachment, see View or Configure Outlook Web App Virtual Directories.
  1. Log on to Outlook Web App.

  2. Click Options, and then click See All Options.

  3. In the drop-down list box next to Mail > Options, click My Organization from the Select what to manage list.

  4. Click Reporting, click Auditing, and then click Export Configuration Changes.

  5. Select a date range using the Start Date and End Date fields.

  6. Select the recipient who should receive the XML file using the Select users to email the audit log to field.

  7. Click Export.

If any log entries are found using the criteria you specified, an XML file will be created and sent as an e-mail attachment to the recipient you specified.

Use the Shell to search for audit log entries

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

Note:
You can't use the EMC to search for audit log entries.

You can use the Shell to search for audit log entries that meet the criteria you specify. For a list of search criteria, see Overview of Administrator Audit Logging. This procedure uses the Search-AdminAuditLog cmdlet and displays search results in the Shell. It can be used when you need to return a set of results that exceeds the limits defined on the New-AdminAuditLogSearch cmdlet or in the ECP Audit Reporting reports.

If you want to send audit log search results in an e-mail attachment to a recipient, see Use the Shell to search for audit log entries and send results to a recipient later in this topic.

To search the audit log for criteria you specify, use the following syntax.

Copy Code
Search-AdminAuditLog - Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False >
Note:
The Search-AdminAuditLog cmdlet returns a maximum of 1,000 log entries by default. Use the ResultSize parameter to specify up to 250,000 log entries.

This example performs a search for all audit log entries with the following criteria:

  • Start date   02/04/2010

  • End date   04/03/2010

  • User IDs   davids, chrisd, kima

  • Cmdlets   Set-Mailbox

  • Parameters   ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendsize, MaxReceiveSize

Copy Code
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendsize, MaxReceiveSize -StartDate 02/04/2010 -EndDate 04/03/2010 -UserIds davids, chrisd, kima

This example searches for changes made to a specific mailbox. This is useful if you're troubleshooting or you need to provide information for an investigation. The following criteria are used:

  • Start date   01/01/2010

  • End date   08/03/2010

  • Object ID   contoso.com/Users/DavidS

Copy Code
Search-AdminAuditLog -StartDate 01/01/2010 -EndDate 08/03/2010 -ObjectID contoso.com/Users/DavidS

If your searches return many log entries, we recommend that you use the procedure provided in Use the Shell to search for audit log entries and send results to a recipient later in this topic. The procedure in that section sends an XML file as an e-mail attachment to the recipients you specify, enabling you to more easily extract the data you're interested in.

For detailed syntax and parameter information, see Search-AdminAuditLog.

View details of audit log entries

The Search-AdminAuditLog cmdlet returns the fields described in the "Audit log contents" section of Overview of Administrator Audit Logging. Of the fields returned by the cmdlet, two fields, CmdletParameters and ModifiedProperties, contain additional information that isn't viewable by default.

To view the contents of the CmdletParameters and ModifiedProperties fields, use the following steps. Or, you can use the procedure in Use the Shell to search for audit log entries and send results to a recipient later in this topic to create an XML file.

This procedure uses the following concepts:

  1. Decide the criteria you want to search for, run the Search-AdminAuditLog cmdlet, and store the results in a variable using the following command.

    Copy Code
    $Results = Search-AdminAuditLog <search criteria>
    
  2. Each audit log entry is stored as an array element in the variable $Results. You can select an array element by specifying its array element index. Array element indexes start at 0 for the first array element. For example, to retrieve the 5th array element, which has an index of 4, use the following command.

    Copy Code
    $Results[4]
    
  3. The previous command returns the log entry stored in array element 4. To see the contents of the CmdletParameters and ModifiedProperties fields for this log entry, use the following commands.

    Copy Code
    $Results[4].CmdletParameters
    $Results[4].ModifiedProperties
    
  4. To view the contents of the CmdletParameters or ModifiedParameters fields in another log entry, change the array element index.

Use the Shell to search for audit log entries and send results to a recipient

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "View-only administrator audit logging" entry in the Exchange and Shell Infrastructure Permissions topic.

Note:
You can't use the EMC to search for audit log entries and send results to a recipient.

You can use the Shell to search for audit log entries that meet the criteria you specify, and then send those results to a recipient you specify as an XML file attachment. The results are sent to the recipient within 15 minutes. For a list of search criteria, see Overview of Administrator Audit Logging.

Note:
Outlook Web App doesn't allow you to open XML attachments by default. You can either configure Exchange to allow XML attachments to be viewed using Outlook Web App, or you can use another e-mail client, such as Microsoft Office Outlook, to view the attachment. For information about how to configure Outlook Web App to allow you to view an XML attachment, see View or Configure Outlook Web App Virtual Directories.

To search the audit log for criteria you specify, use the following syntax.

Copy Code
New-AdminAuditLogSearch -Cmdlets <cmdlet 1, cmdlet 2, ...> -Parameters <parameter 1, parameter 2, ...> -StartDate <start date> -EndDate <end date> -UserIds <user IDs> -ObjectIds <object IDs> -IsSuccess <$True | $False > -StatusMailRecipients <recipient 1, recipient 2, ...> -Name <string to include in subject>

This example performs a search for all audit log entries with the following criteria:

  • Start date   02/04/2010

  • End date   04/03/2010

  • User IDs   davids, chrisd, kima

  • Cmdlets   Set-Mailbox

  • Parameters   ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendsize, MaxReceiveSize

The command sends the results to the davids mailbox with "Mailbox limit changes" included in the subject line of the message.

Copy Code
New-AdminAuditLogSearch -Cmdlets Set-Mailbox -Parameters ProhibitSendQuota, ProhibitSendReceiveQuota, IssueWarningQuota, MaxSendsize, MaxReceiveSize -StartDate 02/04/2010 -EndDate 04/03/2010 -UserIds davids, chrisd, kima -StatusMailRecipients davids -Name "Mailbox limit changes"
Note:
The report that the New-AdminAuditLogSearch cmdlet generates can be a maximum of 10 MB in size. If the search you perform returns a report larger than 10 MB, change the search criteria you specified. For example, reduce the size of the date range and run multiple reports, each with a portion of the original date range.

For more information about the format of the XML file, see Administrator Audit Log Structure.

For detailed syntax and parameter information, see New-AdminAuditLogSearch.