Monday, 27 July 2015

What is Mailbox audit logging



Why we need Mailbox audit logging

A lot of businesses want to be able to track who accesses mailboxes in the organization, and who takes certain actions such as deleting mailbox items.  This is particularly true where mailboxes are accessed by delegates, for example when a senior manager has several people who access and manage their mailbox, or for shared mailboxes such as those used by sales and support teams.

Exchange Server 2010 SP1 includes a feature called Mailbox Audit Logging. By using mailbox audit logging, you can log mailbox access by mailbox owners, delegates (including administrators with full access permissions to mailboxes), and administrators.

When you enable audit logging for a mailbox, you can specify which user actions (for example, accessing, moving, or deleting a message) will be logged for a logon type (administrator, delegate user, or owner). However, it is not turned on for mailboxes by default, so the Exchange administrator has to enable it for the mailboxes that are considered sensitive, or for any mailbox where access needs to be logged and audited.

Mailbox Audit Logs

Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are stored in the Recoverable Items folder in the audited mailbox, in the Audits subfolder. If you move a mailbox to another Mailbox server, the mailbox audit logs for that mailbox are also moved because they're located in the mailbox.

By default, mailbox audit log entries are retained in the mailbox for 90 days and then deleted. You can modify this retention period by using the AuditLogAgeLimit parameter with the Set-Mailbox cmdlet.

How to enable Mailbox audit Logging

Mailbox audit logging is enabled per mailbox. Use the Set-Mailbox cmdlet to enable or disable mailbox audit logging.


Set-Mailbox -Identity "Test User1" -AuditEnabled $true -AuditOwner HardDelete,SoftDelete

Now we have enabled mailbox audit logging for "TestUser1". This will log HardDelete and SoftDelete actions performed by the mailbox owner.

To demonstrate audit logging, I have given full access to "TestUser2" on "TestUser1", accessed the "TestUser1" mailbox from the "TestUser2" account, and deleted some items from the Inbox.

Using Shell


Search-MailboxAuditLog -Identity "Test User1" -LogonTypes Owner -ShowDetails -StartDate 07/25/2015 -EndDate 07/28/2015
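The following is an added example, not part of the original post: it enables auditing for all three logon types, extends the 90-day retention with AuditLogAgeLimit, verifies the settings, and then lists deletions made by non-owners. The mailbox list, the 180-day value, the audited action sets and the result size are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Mailbox names, retention value, action lists and dates are constructed.
$mailboxes = @('Test User1')

$auditSettings = @{
    AuditEnabled     = $true
    AuditOwner       = 'HardDelete','SoftDelete'
    AuditDelegate    = 'HardDelete','SoftDelete','MoveToDeletedItems','SendAs','SendOnBehalf'
    AuditAdmin       = 'HardDelete','SoftDelete','MoveToDeletedItems','Move','Copy'
    AuditLogAgeLimit = '180.00:00:00'   # dd.hh:mm:ss, replaces the 90-day default
}

foreach ($mbx in $mailboxes) {
    # Apply the same audit policy to every mailbox in the list
    Set-Mailbox -Identity $mbx @auditSettings

    # Confirm what is actually configured on the mailbox
    Get-Mailbox -Identity $mbx |
        Format-List Name,AuditEnabled,AuditOwner,AuditDelegate,AuditAdmin,AuditLogAgeLimit
}

# Operations that remove items from a folder
$deleteOps = @('HardDelete','SoftDelete','MoveToDeletedItems')

foreach ($mbx in $mailboxes) {
    # Only actions performed after auditing was enabled are present in the log
    $entries = Search-MailboxAuditLog -Identity $mbx -LogonTypes Delegate,Admin `
        -ShowDetails -StartDate '07/25/2015' -EndDate '07/28/2015' -ResultSize 1000

    # Keep deletions only and show who removed what, oldest first
    $entries |
        Where-Object { $deleteOps -contains $_.Operation } |
        Sort-Object LastAccessed |
        Select-Object LastAccessed,LogonUserDisplayName,LogonType,Operation,
                      FolderPathName,SourceItemSubjectsList |
        Format-Table -AutoSize -Wrap
}
```

For delete operations the affected message subjects are reported in SourceItemSubjectsList, which is why that column is selected.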

Using Exchange Admin Center

In the Exchange admin center, navigate to Compliance Management and choose Auditing. Set the date range you're interested in, click Select Mailboxes to add the specific mailbox you want to search, and then click Search to begin.






