Messaging and Colloboration

Wednesday, 19 April 2017

Mailbox Audit Logs

Mailbox Audit Logs:

Mailboxes may have sensitive and highly confidential information, sometimes we need to track who access that information and what action performed against that. For this purpose we can use ‘Mailbox audit logs’.
You can get details about Mailbox audit logs using the below simple cmdlet,

Get-Mailbox “user_alias” | fl *audit*

By default ‘AuditEnabled’ parameter is set to disable, because audit logs consume more spaces in user mailbox. Also you can get the maximum age for Audit logs, default is ’90 days’ after  90 days all audit logs will get deleted automatically.

How to enable audit logs?

It’s pretty simple to enable audit logs; we can directly use Set-Mailbox cmdlet to enable audit logs.

Set-Maibox "user_alias"  –auditenabled:$true

Once the mailbox is set to enable audit logs, then it starts logging actions performed on that.
Audit logs are stored in “Audits” folder under “Recoverable Items folder” of the user mailbox that cannot be viewed by Outlook. Below is the folder structure of audit logs
           -Recoverable Items

To check Audit folder size and items,

Get-MailboxFolderStatistics -Identity "audit_enabled_mailbox" | ?{$ -eq "Audits" -and $_.foldertype -eq "Audits"} | ft identity,itemsinfolder,foldersize –AutoSize

To get Audits folder contents, use the below cmdlet,

Search-MailboxAuditLog -Identity "audit_enabled_mailbox" -LogonTypes Delegate -ShowDetails -StartDate "04/10/2017" -EndDate "04/17/2017" | ft operation,operationresult,logonuserdisplayname,itemsubject,lastaccessed -autosize


No comments:

Post a Comment