Administrator Audit Logging (Part 1)

If you would like to read the next part in this article series please go to Administrator Audit Logging (Part 2).

Introduction

As administrators of Exchange organizations that contain multiple administrators already know, it can sometimes be difficult to trace changes that have been made to any Exchange configuration objects or indeed user, distribution group or contact objects. Knowing what changes have been made and when they have been made can be extremely beneficial when troubleshooting various issues. For example, it will be very useful to understand if any Send or Receive connectors have been recently reconfigured when troubleshooting message routing issues. Recording configuration changes is also useful for documentation and may also be required for legal reasons.

Consider Figure 1, which shows the properties of a mailbox. You can see from here that this mailbox was last modified on 25th February 2010 at 21:18. However, it is not immediately clear exactly what was modified and, more importantly, who made the modification.


Figure 1: The Modified Property of a User Object

In this two-part article series we will be examining the new Exchange 2010 feature known as Administrator Audit Logging that allows you to record the various Exchange Management Shell cmdlets that have been run to make configuration changes across the Exchange organization. Administrator audit logging logs the fact that a cmdlet has been run in the Exchange Management Shell and of course the Exchange Management Console which itself actually runs Exchange Management Shell cmdlets. Additionally, cmdlets that are run via the Exchange Control Panel are also recorded.

However, cmdlets that start with Get- are not logged. Examples of such cmdlets include Get-AcceptedDomain, Get-CASMailbox and so on. Get- cmdlets are not logged because these cmdlets do not actually make any configuration changes.

The actual logged cmdlet actions are stored as email messages in a mailbox chosen by the Exchange administrator. It is therefore important that access to this mailbox is restricted to only those people who actually need access. We shall be covering this element of administrator audit logging later in this article.

Administrator Audit Logging Configuration Parameters

The configuration of administrator audit logging can be achieved using the Set-AdminAuditLogConfig cmdlet and viewed using the Get-AdminAuditLogConfig cmdlet. The Set-AdminAuditLogConfig cmdlet has a number of parameters associated with it but the most important parameters to discuss in this article all contain the string “log” in their names. Therefore, we can use the Get-AdminAuditLogConfig cmdlet and pipe the results to the format-list cmdlet choosing only to show cmdlet parameters that contain the string log in their names. To do this, the following cmdlet would need to be run:

Get-AdminAuditLogConfig | fl *log*

You can see the results of running this cmdlet in Figure 2. Note that this cmdlet has been run on a default installation of Exchange 2010 which therefore means that the parameter values shown below are default settings.


Figure 2: Results of Get-AdminAuditLogConfig

Let’s now examine these 6 cmdlet parameters in more detail.

  • AdminAuditLogEnabled – Here you can see that by default this parameter is set to false, meaning that administrator audit logging is disabled by default. Setting this parameter to true will therefore enable administrator audit logging.
  • TestCmdletLoggingEnabled – This parameter controls whether the logging of Test- cmdlets is enabled or not. By default, Test- cmdlets will not be logged. Examples of Test- cmdlets include Test-OutlookWebServices, Test-ReplicationHealth and so on.
  • AdminAuditLogCmdlets – The AdminAuditLogCmdlets parameter shows you which cmdlets are going to be logged when administrator audit logging is enabled. By default, this parameter is set to log all cmdlets via the use of the * wildcard character. This can be changed as you will see later in this article.
  • AdminAuditLogParameters – Cmdlets have associated parameters that can be used with them and this particular parameter controls whether administrator audit logging will also log cmdlet parameters. By default, this parameter is set to log all cmdlet parameters via the use of the * wildcard character. Like the AdminAuditLogCmdlets parameter this can be changed as you will see later in this article.
  • AdminAuditLogAgeLimit – This parameter is not currently functional in Exchange 2010 but it is expected that this parameter will control how long a log entry should be kept. This will be a useful feature if it is implemented since, as log entries are stored as email messages, it is possible that many log entries could be generated in large Exchange organizations resulting in many email messages being generated. Again, we will cover this later on.
  • AdminAuditLogMailbox – This parameter controls which mailbox is used to store the logged results. As you can see from Figure 2 this parameter is blank by default but will need to be enabled as part of the overall configuration process.

Configuring Administrator Audit Logging

Before administrator audit logging is enabled, it makes sense to first configure the required settings such as the name of the audit logging mailbox that will be used to store the results of the logging and also the list of cmdlets and associated parameters that will be logged. After all, what we do not want is a configuration where administrator audit logging is enabled but there is no corresponding mailbox configured to accept the logging results or the wrong cmdlets are logged.

Let’s look at the administrator audit logging mailbox configuration option first. To configure the audit logging mailbox we can use the Set-AdminAuditLogConfig cmdlet with the AdminAuditLogMailbox parameter. In the example below, the SMTP address [email protected] is the address of a mailbox that has been created specifically to house the results of administrator audit logging. Note that the mailbox selected for this purpose must exist within the Exchange organization. The cmdlet to perform this configuration will be similar to this:

Set-AdminAuditLogConfig -AdminAuditLogMailbox [email protected]

If successful, running this cmdlet does not produce any direct feedback from the Exchange Management Shell. Therefore, after running this cmdlet, you might want to re-run the Get-AdminAuditLogConfig cmdlet to check the configuration as you can see from Figure 3.


Figure 3: Checking Configuration Success

Logging Cmdlet Names

As we’ve already discussed earlier in this article, by default all cmdlets will be logged with the exception of any Get- cmdlets. To modify this configuration, the AdminAuditLogCmdlets parameter can be changed. For the AdminAuditLogCmdlets parameter, individual cmdlets can be specified as well as cmdlets with wildcard characters. For example, to log just the Set-TransportConfig cmdlet the following cmdlet would need to be run:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets Set-TransportConfig

Similarly, as an example of wildcard use, it is possible to log any cmdlets that end with ReceiveConnector in their names by using the following cmdlet:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *ReceiveConnector

This cmdlet would therefore log the New-ReceiveConnector, Set-ReceiveConnector and Remove-ReceiveConnector cmdlets. Or, to log any cmdlet that has Config in its name, the following cmdlet would need to be run:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *Config*

Of course, it is more likely that several different types of cmdlets will need to be logged. Therefore, each different type of cmdlet can be specified in the AdminAuditLogCmdlets parameter when they are separated by commas. For example, to log both cmdlets that end with ReceiveConnector in their names as well as cmdlets that have Config in their names the following cmdlet would need to be run:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *ReceiveConnector, *Config*

Having said all of this, it is also quite likely that all cmdlets will need to be logged which can be achieved by running the following cmdlet if the default configuration has already been modified:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *

However, logging all cmdlets in large Exchange environments will obviously create many log entries and therefore this should be carefully monitored when first implemented.
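The configuration steps above (mailbox first, then the cmdlet scope, then verification, since Set-AdminAuditLogConfig prints nothing on success) can be combined into one Exchange Management Shell script. This is an added example, not code from the original article; the mailbox address is an assumed placeholder and the check that refuses to enable logging without a configured mailbox is the author's own safeguard against the misconfiguration described earlier.

```powershell
# Added example (not part of the original article). Run in the Exchange
# Management Shell. The mailbox address below is an assumed placeholder;
# replace it with the dedicated audit mailbox created for this purpose.
$auditMailbox = 'auditlog@example.local'

# Step 1: point audit logging at the dedicated mailbox.
Set-AdminAuditLogConfig -AdminAuditLogMailbox $auditMailbox

# Step 2: scope the logged cmdlets (here: *ReceiveConnector and *Config*,
# as in the article). Use '*' to log every non-Get cmdlet instead.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets '*ReceiveConnector', '*Config*'

# Step 3: read the configuration back; the Set- cmdlet gives no feedback.
$cfg = Get-AdminAuditLogConfig

# Step 4: only enable logging once a mailbox is actually configured, so we
# never end up with logging enabled and nowhere for the log messages to go.
if ("$($cfg.AdminAuditLogMailbox)" -eq '') {
    Write-Warning 'AdminAuditLogMailbox is blank; logging NOT enabled.'
} else {
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
    # Show only the *log* properties, as in the article's Get-/fl example.
    Get-AdminAuditLogConfig | Format-List *log*
}
```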

Summary

That completes part one of this two-part article series on administrator audit logging in Exchange 2010. In this article we have covered what administrator audit logging actually is and began to look at the various configuration parameters available. In part two we will complete our look at the configuration options and then proceed to look at a working example of this feature in action.
