September 14, 2016

Enable Auditing for Exchange On-Premise/Online

Email Auditing in Exchange On-Premise/Online (Office 365)
In Exchange, we can turn on mailbox auditing to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Exchange is not turned on.

After we enable mailbox audit logging for a mailbox, certain actions performed by administrators and delegates are logged by default. However, to log actions performed by the mailbox owner, we have to specify which owner actions should be audited.

Mailbox audit logs are generated for every mailbox that has mailbox auditing enabled.
Log entries are stored in the Recoverable Items folder in the audited mailbox, in the sub-folder named "Audits".

This ensures that all audit log entries are available from a single location, regardless of which client access method was used to access the mailbox or which server/workstation an administrator uses to access the audit logs.

1. Can we move and save Exchange Audit logs to another location?
If you move a mailbox to another Mailbox server, the mailbox audit logs for that mailbox are also moved because they're located in the mailbox itself.

2. Can we increase duration of Exchange Audit logs storage?
By default, mailbox audit log entries are retained in the mailbox for 90 days and then deleted. You can modify this retention period by using the AuditLogAgeLimit parameter with the Set-Mailbox cmdlet.

3. Can we increase Exchange Audit logging details?
Exchange provides out-of-the-box features for email auditing. For additional settings and details, we can use PowerShell commands.


How to Enable Mailbox auditing in Exchange On-Premise/Online
1.     This command can be skipped for Exchange On-Premise. On your local computer, open Windows PowerShell and run the following command.
$UserCredential = Get-Credential

2.     This command can also be skipped for Exchange On-Premise. Run the following command.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

3.     This command can be skipped for Exchange On-Premise. Run the following command.
Import-PSSession $Session

4.     To verify that you’re connected to your Exchange Online organization, run the following command to get a list of all the mailboxes in your organization.
Get-Mailbox

5.     Enable mailbox audit logging
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

6.     Increase duration of storage of logs
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditLogAgeLimit <number of days>

Example:
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditLogAgeLimit 120
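
The steps above turn auditing on but do not confirm the result or cover the owner actions mentioned earlier. The following is an added example, not part of the original post: the function name Test-MailboxAuditConfig, its thresholds, and the sample mailboxes are assumptions made for illustration, while AuditEnabled, AuditLogAgeLimit and AuditOwner are the properties returned by Get-Mailbox.

```powershell
# Added example: report mailboxes whose audit settings fall short of a baseline.
# Test-MailboxAuditConfig is a hypothetical helper, not an Exchange cmdlet.
function Test-MailboxAuditConfig {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Mailbox,
        [int] $MinAgeDays = 120,
        [string[]] $RequiredOwnerActions = @('HardDelete', 'SoftDelete', 'Move', 'MoveToDeletedItems', 'Update')
    )
    process {
        # AuditLogAgeLimit may arrive as a string from a remote session,
        # so normalise it through its "d.hh:mm:ss" text form.
        $age     = [TimeSpan]::Parse("$($Mailbox.AuditLogAgeLimit)")
        $owner   = @($Mailbox.AuditOwner | ForEach-Object { "$_" })
        $missing = @($RequiredOwnerActions | Where-Object { $owner -notcontains $_ })

        [pscustomobject]@{
            Mailbox             = $Mailbox.UserPrincipalName
            AuditEnabled        = [bool]$Mailbox.AuditEnabled
            AgeLimitDays        = $age.Days
            MissingOwnerActions = $missing -join ','
            Compliant           = ([bool]$Mailbox.AuditEnabled) -and
                                  ($age.TotalDays -ge $MinAgeDays) -and
                                  ($missing.Count -eq 0)
        }
    }
}

# Constructed sample objects so the check can be run without an Exchange session.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; AuditEnabled = $true
        AuditLogAgeLimit = '120.00:00:00'
        AuditOwner = @('HardDelete', 'SoftDelete', 'Move', 'MoveToDeletedItems', 'Update') }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; AuditEnabled = $true
        AuditLogAgeLimit = '90.00:00:00'; AuditOwner = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; AuditEnabled = $false
        AuditLogAgeLimit = '90.00:00:00'; AuditOwner = @() }
)
$sample | Test-MailboxAuditConfig | Format-Table -AutoSize

# Against a live organization (after steps 1-4), list only the gaps:
#   Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
#       Test-MailboxAuditConfig | Where-Object { -not $_.Compliant }
# To add owner actions to the audited set:
#   Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
#       Set-Mailbox -AuditOwner HardDelete,SoftDelete,Move,MoveToDeletedItems,Update
```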

You can visit TechNet Article for Exchange Online (Office 365) and TechNet Article for Exchange On-Premise for more details on PowerShell Commands for Exchange Auditing.

If you have any questions, you can reach out to our SharePoint Consulting team here.
