Email Auditing in Exchange On-Premise/Online (Office 365)
In Exchange, we can turn on mailbox auditing to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Exchange is not turned on.
Log entries are stored in the Recoverable Items folder in the audited mailbox, in the sub-folder named "Audits".
This ensures that all audit log entries are available from a single location, regardless of which client access method was used to access the mailbox or which server/workstation an administrator uses to access the audit logs.
1. Can we move and save Exchange Audit logs to another location?
If you move a mailbox to another Mailbox server, the mailbox audit logs for that mailbox are also moved because they're located in the mailbox itself.
2. Can we increase duration of Exchange Audit logs storage?
By default, mailbox audit log entries are retained in the mailbox for 90 days and then deleted. You can modify this retention period by using the AuditLogAgeLimit parameter with the Set-Mailbox cmdlet.
3. Can we increase Exchange Audit logging details?
Exchange provides out-of-the-box features for email auditing. For additional settings and details, we can use PowerShell commands.
How to Enable Mailbox auditing in Exchange On-Premise/Online
1. This command can be skipped for Exchange On-Premise. On your local computer, open Windows PowerShell and run the following command.
$UserCredential = Get-Credential
2. This command can also be skipped for Exchange On-Premise. Run the following command.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
3. This command can be skipped for Exchange On-Premise. Run the following command.
Import-PSSession $Session
4. To verify that you're connected to your Exchange Online organization, run the following command to get a list of all the mailboxes in your organization.
Get-Mailbox
5. Enable mailbox audit logging.
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
6. Increase the duration for which logs are stored.
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditLogAgeLimit "number of days to increase"
Example: Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditLogAgeLimit 120
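One way to check the result of steps 5 and 6, added here as an example and not part of the original article: the hypothetical function Test-MailboxAuditSetting flags mailboxes where auditing is off, retention is below a target, or a logon type has no audited actions. The sample mailboxes and their action lists are constructed; AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate and AuditAdmin are properties returned by Get-Mailbox.

```powershell
function Test-MailboxAuditSetting {
    [CmdletBinding()]
    param(
        # Mailbox objects from Get-Mailbox, or objects with the same properties
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Mailbox,
        # Minimum retention in days; 120 matches the example in step 6
        [int]$MinimumDays = 120
    )
    process {
        $issues = @()
        if (-not $Mailbox.AuditEnabled) { $issues += 'AuditEnabled is False' }

        # AuditLogAgeLimit may arrive as a TimeSpan-like value or, in a remote
        # session, as text such as "90.00:00:00"; parsing the text handles both.
        $age = [TimeSpan]::Zero
        if ([TimeSpan]::TryParse([string]$Mailbox.AuditLogAgeLimit, [ref]$age)) {
            if ($age.TotalDays -lt $MinimumDays) {
                $issues += "AuditLogAgeLimit is $([int]$age.TotalDays) days, below $MinimumDays"
            }
        } else {
            $issues += "AuditLogAgeLimit '$($Mailbox.AuditLogAgeLimit)' could not be parsed"
        }

        # An empty action list means nothing is logged for that logon type
        foreach ($type in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
            $actions = @($Mailbox.$type | Where-Object { $_ })
            if ($actions.Count -eq 0) { $issues += "$type has no audited actions" }
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $Mailbox.UserPrincipalName
                Issues  = $issues -join '; '
            }
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; AuditEnabled = $true; AuditLogAgeLimit = '120.00:00:00'; AuditOwner = @('MailboxLogin'); AuditDelegate = @('SendAs'); AuditAdmin = @('Copy') }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com'; AuditEnabled = $false; AuditLogAgeLimit = '90.00:00:00'; AuditOwner = @(); AuditDelegate = @('SendAs'); AuditAdmin = @('Copy') }
)
$sample | Test-MailboxAuditSetting -MinimumDays 120 | Format-List

# Against a live Exchange session, pipe the same query used in steps 5 and 6:
# Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Test-MailboxAuditSetting
```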
You can visit TechNet Article for Exchange Online (Office 365) and TechNet Article for Exchange On-Premise for more details on PowerShell Commands for Exchange Auditing.
If you have any questions, you can reach out to our SharePoint Consulting team here.