In this article we look at administrator audit logging in MS Exchange in depth and understand how it works.
Administrator Audit Logging lets you log when an administrator or any other user makes changes in MS Exchange. You can then store a record of these changes and track the person who was responsible for them. These records can further be used to check whether your organization adheres to regulatory mandates. They can be used for troubleshooting and discovery requests as well.
Through this, the administrator can even keep a check on mailbox activities, like the secret deletion of a file. This information is stored in the Audit folder and can later be used when questioning the person who carried out these activities. It is important to note that Administrator Audit Logging has been activated in MS Exchange by default ever since the 2010 edition.
What does it audit?
It audits the cmdlets that are run directly in the Management Shell of MS Exchange. Along with this, it also logs operations performed in the Exchange admin center (EAC), since these tools run cmdlets in the background. So it does not matter where the action is performed, so long as the cmdlet is on the audit list of cmdlets. Further, if one or more of its parameters are on the audit list, they are audited as well. Audit logging aims to show you what changes and modifications have been made to objects in MS Exchange, rather than which objects a user has accessed.
Configuration for the Administrator Audit Logging
Since administrator audit logging is activated by default, a log entry is created every time a cmdlet is run. If you do not wish to audit every cmdlet, you can configure the settings so that only the cmdlets and parameters you want audited are logged.
How it works
Once a command is run, Exchange examines the cmdlet and checks whether it matches any cmdlet in the AdminAuditLogCmdlets parameter. It then examines the parameters mentioned in the AdminAuditLogCmdlets parameter. If one or more parameters match, a log entry is created.
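The two-stage match described above, modelled as an added PowerShell example (not code from this article or from Exchange itself). The function name Test-AuditMatch, the two list variables, the wildcard patterns and the sample commands are constructed for illustration; it shows which changes stop producing a log entry once the audit scope is narrowed.

```powershell
# Added illustration of the matching logic; runs in any PowerShell session.
# $AuditedCmdlets / $AuditedParameters are hypothetical stand-ins for the
# configured audit lists. '*' means "audit everything".
function Test-AuditMatch {
    param(
        [string]   $Cmdlet,
        [string[]] $Parameters,
        [string[]] $AuditedCmdlets,
        [string[]] $AuditedParameters
    )
    # Stage 1: the cmdlet name must match at least one configured pattern.
    $cmdletHit = $false
    foreach ($pattern in $AuditedCmdlets) {
        if ($Cmdlet -like $pattern) { $cmdletHit = $true; break }
    }
    if (-not $cmdletHit) { return $false }

    # Stage 2: at least one supplied parameter must match a configured pattern.
    foreach ($p in $Parameters) {
        foreach ($pattern in $AuditedParameters) {
            if ($p -like $pattern) { return $true }
        }
    }
    return $false
}

# Constructed sample commands (not taken from a real audit log).
$commands = @(
    @{ Cmdlet = 'Set-Mailbox';                  Parameters = @('Identity', 'ForwardingSmtpAddress') },
    @{ Cmdlet = 'Add-MailboxPermission';        Parameters = @('Identity', 'User', 'AccessRights') },
    @{ Cmdlet = 'New-ManagementRoleAssignment'; Parameters = @('Role', 'User') },
    @{ Cmdlet = 'Set-TransportRule';            Parameters = @('Identity', 'BlindCopyTo') }
)

# Two constructed configurations: audit everything vs. a narrowed scope.
$configs = [ordered]@{
    'Default'  = @{ Cmdlets = @('*');         Parameters = @('*') }
    'Narrowed' = @{ Cmdlets = @('*Mailbox*'); Parameters = @('*Address*', 'AccessRights') }
}

foreach ($name in $configs.Keys) {
    $cfg = $configs[$name]
    foreach ($c in $commands) {
        $logged = Test-AuditMatch -Cmdlet $c.Cmdlet -Parameters $c.Parameters -AuditedCmdlets $cfg.Cmdlets -AuditedParameters $cfg.Parameters
        '{0,-9} {1,-30} logged={2}' -f $name, $c.Cmdlet, $logged
    }
}
```

With the narrowed lists, the role assignment and transport rule changes no longer match, so running the changes you must be able to trace through a check like this before narrowing the scope shows what would go unrecorded.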
Administrator Audit Log Entry
Every time a cmdlet is logged, a separate admin audit log entry is created. These entries are kept in the administrator audit log, which is a hidden folder kept in a separate mailbox altogether. You can only access it through the EAC. This mailbox cannot even be accessed through MS Outlook or OWA. To access it separately, you need the requisite permissions and then have to convert it using an OST-to-PST tool.
The auditing page contains several reports that give you information about compliance and configuration changes. There are two types of reports that tell you about changes in configuration:
- Admin Role Group: This report shows the changes made to the management groups within a specific time period. It shows you what changes were carried out in the role group, at what time, and who made them.
- Admin Audit Log: It exports the audit log entries to an XML file and then sends an email to the specified recipient.
So you see that this is a good way to track changes and modifications in your organization and take appropriate action.
Van Sutton is a data recovery expert at DataNumen, Inc., which is the world leader in data recovery technologies, including repair Outlook pst data and bkf recovery software products. For more information, visit www.datanumen.com