Another nice feature introduced in Exchange 2010 is Administrator Audit logging. Audit logging allows an organization to examine different policies. For example the adoption of a standard naming convention for new email addresses and groups could be monitored by reviewing audit logs.
A second important benefit is the review of configuration changes made to the Exchange organization through the Exchange Management Console, Exchange Web Services, and Exchange Management Shell.
Administrator Audit logging is disabled by default and before enabling it, you first need to define what needs to be audited. Throughout this article, we will go over defining audit logging lists. Following that, we will set the auditing mailbox, enable auditing and review the produced log entries.
Configuring Audit cmdlets and Parameters List
Auditing can be configured at the cmdlet level and the parameter level. By default, both are configured to audit every cmdlet that is run within the Exchange Organization. If you wish to alter this behavior, you need to change the lists AdminAuditCmdletsList and AdminAuditParametersList. Currently, these configurations can only be changed from the Exchange Management Shell.
To get the administrator audit log configuration properties, run the following cmdlet:
Get-AdminAuditLogConfig
Figure 1: Get AdminAuditLogConfig
The Administrator audit log is dependent on the Audit log settings stored in Active Directory. These can be viewed through ADSIEdit under Configuration/Services/Microsoft Exchange/Domain Name/Global Settings/Admin Audit Log Settings.
Because the audit log has an organization-wide scope, changes made to the audit log configuration depend on Active Directory replication to propagate to all domains within the organization.
To configure the cmdlet auditing list, you need to run Set-AdminAuditLogConfig -AdminAuditLogCmdlets followed by the cmdlet name to be audited.
For instance, to audit cmdlets that contain the keyword "mailbox" within the cmdlet name, run:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *mailbox*
Using the * wildcard we are including all cmdlets containing the word mailbox anywhere within the cmdlet name, such as New-Mailbox and New-MailboxDatabase.
To audit all the cmdlets use:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *
To get the cmdlets auditing list:
Get-AdminAuditLogConfig | FL AdminAuditLogCmdlets
Figure 2: Get cmdlets auditing list
You cannot append cmdlets to the AdminAuditLogCmdlets list. If you wish to add or edit cmdlets, you need to set AdminAuditLogCmdlets again, and the cmdlets specified will replace the ones already in the list. To specify multiple list entries, separate them with a comma, for example:
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *mailbox*, *Connector
For a complete list of Exchange 2010 cmdlets, refer to:
http://technet.microsoft.com/en-us/library/bb124413.aspx
Cmdlets will be audited only if the cmdlet that is being run is:
- On the cmdlets auditing list (AdminAuditLogCmdlets) and...
- The cmdlet parameters are on the parameters auditing list (AdminAuditLogParameters)
In other words, satisfying the cmdlet auditing list is not enough. If the cmdlet parameters do not match the parameter auditing list, the cmdlet is still not audited.
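To make the two-list rule concrete, the following function is an added example (not code from the original article) that models the decision described above so you can check, before touching the configuration, whether a given cmdlet invocation would produce an audit entry. Two details are assumptions rather than statements from the article: list entries are compared with PowerShell wildcard semantics (-like), and a cmdlet counts as matching the parameter list when at least one of the parameters it was run with matches an entry.

```powershell
# Added example, not from the article: simulates the audit decision for one invocation.
# Assumptions: wildcard (-like) comparison, and "parameters match" means at least one
# specified parameter matches an entry on the parameter list.
function Test-WouldBeAudited {
    param(
        [Parameter(Mandatory)] [string] $CmdletName,
        [string[]] $ParameterNames  = @(),
        [string[]] $AuditCmdlets    = @('*'),   # default configuration: everything
        [string[]] $AuditParameters = @('*')
    )

    # Get- cmdlets only read objects and are never audited.
    if ($CmdletName -like 'Get-*') { return $false }

    # Condition 1: the cmdlet name must match an entry on the cmdlet list.
    $cmdletMatch = $AuditCmdlets | Where-Object { $CmdletName -like $_ }
    if (-not $cmdletMatch) { return $false }

    # Condition 2: at least one parameter used must match the parameter list.
    foreach ($p in $ParameterNames) {
        foreach ($pattern in $AuditParameters) {
            if ($p -like $pattern) { return $true }
        }
    }
    return $false
}

# The lists used in the article's own examples.
$cmdlets = '*mailbox*', '*Connector'
$params  = '*Name'

# New-Mailbox run with -Name and -Database: cmdlet and a parameter both match.
Test-WouldBeAudited -CmdletName 'New-Mailbox' -ParameterNames 'Name', 'Database' `
    -AuditCmdlets $cmdlets -AuditParameters $params

# Set-Mailbox run with -ProhibitSendQuota only: cmdlet matches, no parameter ends in Name.
Test-WouldBeAudited -CmdletName 'Set-Mailbox' -ParameterNames 'ProhibitSendQuota' `
    -AuditCmdlets $cmdlets -AuditParameters $params

# Set-SendConnector run with -Name: *Connector matches the cmdlet, *Name the parameter.
Test-WouldBeAudited -CmdletName 'Set-SendConnector' -ParameterNames 'Name' `
    -AuditCmdlets $cmdlets -AuditParameters $params

# Get-Mailbox: excluded regardless of the lists because it only views objects.
Test-WouldBeAudited -CmdletName 'Get-Mailbox' -ParameterNames 'Identity' `
    -AuditCmdlets $cmdlets -AuditParameters $params
```

The second call is the case the paragraph warns about: a change to a mailbox quota on a cmdlet that is clearly on the cmdlet list still leaves no trace when the parameter list is narrowed to *Name, so narrow the parameter list only when you are sure which changes you can afford not to see.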
As mentioned earlier, the parameters auditing list is set by default to audit all cmdlets independently of the parameters. If you wish to customize this, you need to set AdminAuditLogParameters.
For example here we limit auditing only to the case when a parameter containing the word Name is included:
Set-AdminAuditLogConfig -AdminAuditLogParameters *Name
Figure 3: Set Audit Log Parameters
Doing so will allow you to record the names of newly created items, such as a new mailbox name or a new database name.
Audit logging is meant to report on modified objects in an Exchange organization and disregard events related to object viewing. In other words, Get- cmdlets are not audited.
The Audit Process
When a cmdlet is executed in an Exchange organization through the management shell or the management console, the Admin Audit Log Agent is called. The agent will parse the audit log configuration and will generate a log for the matching cmdlet that was run.
The log is then sent to a predefined auditing mailbox.
The Admin Log Agent is a built-in cmdlet extension agent that is enabled by default. Cmdlet extension agents are special agents found in Exchange Server 2010 that will be called by a cmdlet to help process additional actions such as selecting a best fit database for a mailbox that is created without choosing its mailbox database source.
In order to make audit logging functional, both the Admin Audit Log Agent and the Administrator Audit Log Configuration must be enabled. If either is disabled, audit logging fails.
Now that we've configured Audit Logging, we need to set the auditing mailbox that will be hosting the generated audit logs.
To set the audit log mailbox to audit@elieb.info, run the cmdlet:
Set-AdminAuditLogConfig -AdminAuditLogMailbox audit@elieb.info
Figure 4: Set Audit log mailbox
Once we have configured the auditing list and the auditing mailbox, we need to enable the administrator auditing log by running the cmdlet:
Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
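The steps above (cmdlet list, parameter list, auditing mailbox, enable) can be applied in one pass and then verified before you rely on them. The script below is an added example, not code from the article; it assumes it is run from the Exchange Management Shell by an organization administrator and that the audit@elieb.info mailbox used on this page already exists. It uses Get-CmdletExtensionAgent to confirm the Admin Audit Log Agent mentioned in the previous section is enabled, since the configuration alone is not sufficient.

```powershell
# Added example, not from the article: apply the audit configuration and verify it.
# Assumes the Exchange Management Shell and an existing audit@elieb.info mailbox.
$AuditMailbox = 'audit@elieb.info'

# 1. Cmdlet list. Setting the list replaces it, so pass every entry at once.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets '*mailbox*', '*Connector'

# 2. Parameter list: only invocations using a parameter ending in "Name" are logged.
Set-AdminAuditLogConfig -AdminAuditLogParameters '*Name'

# 3. Mailbox that receives the audit entries.
Set-AdminAuditLogConfig -AdminAuditLogMailbox $AuditMailbox

# 4. Turn auditing on.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

# 5. Verify the effective state. The settings live in Active Directory, so a server
#    in another site may not show the new values until replication completes.
$cfg = Get-AdminAuditLogConfig
$problems = @()

if (-not $cfg.AdminAuditLogEnabled) {
    $problems += 'AdminAuditLogEnabled is False'
}
if ("$($cfg.AdminAuditLogMailbox)" -ne $AuditMailbox) {
    $problems += "audit mailbox is '$($cfg.AdminAuditLogMailbox)', expected '$AuditMailbox'"
}
if (@($cfg.AdminAuditLogCmdlets) -notcontains '*mailbox*') {
    $problems += "cmdlet list is '$(@($cfg.AdminAuditLogCmdlets) -join ', ')'"
}
if (@($cfg.AdminAuditLogParameters) -notcontains '*Name') {
    $problems += "parameter list is '$(@($cfg.AdminAuditLogParameters) -join ', ')'"
}

# Both the configuration and the agent must be enabled; check the agent as well.
$agent = Get-CmdletExtensionAgent 'Admin Audit Log Agent'
if (-not $agent.Enabled) {
    $problems += 'Admin Audit Log Agent is disabled (Enable-CmdletExtensionAgent)'
}

if ($problems) {
    Write-Warning ('Audit logging is not effective: ' + ($problems -join '; '))
} else {
    Write-Output "Audit logging active; entries will be delivered to $AuditMailbox"
}
```

Running the verification block on its own, on a schedule, is a cheap way to notice if someone later disables the agent or widens the lists back to the defaults, both of which silently change what is recorded.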
Now that everything is set, let's create a new mailbox from the Exchange Management Console and test the audit functionality:
Figure 5: Creating a new mailbox from the Exchange Management Console
Once the mailbox is created, the audit log entry will be sent to the auditing mailbox as shown in the figure below:
Figure 6: Audit configuration log entries
The email subject shows the account of the user that performed the cmdlet (Exchange\Elie) and the name of the cmdlet (New-Mailbox).
The first entry in the body shows the cmdlet name that was run followed by the object modified.
After that comes the list of parameters specified for the cmdlet, followed by the list of properties set by the cmdlet.
At the bottom we have the cmdlet caller account, followed by a confirmation that the cmdlet was successfully executed. The last entry will display the date and time the cmdlet ran.
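The entry layout just described (cmdlet name, object modified, parameters, properties, caller, result, run date) is regular enough to parse, which is what makes the policy review mentioned in the introduction practical. The code below is an added example, not from the article: it converts the text body of an entry into an object and then applies a naming-convention check to New-Mailbox entries. The two entry bodies are constructed, and the "Label: value" line format and the labels themselves are an assumption modelled on the field order the text describes; adjust the regular expressions to match the entries your organization actually receives.

```powershell
# Added example, not from the article. Parses an audit entry body and checks new
# mailbox aliases against a naming convention. Entry bodies are constructed and the
# "Label: value" layout is assumed to mirror the field order described in the text.
function ConvertFrom-AdminAuditLogEntry {
    param([Parameter(Mandatory)] [string] $Body)

    $entry = [ordered]@{
        CmdletName = $null; ObjectModified = $null
        Parameters = @{};   Properties     = @{}
        Caller     = $null; Succeeded      = $null; RunDate = $null
    }
    foreach ($line in ($Body -split "`r?`n")) {
        if ($line -match '^(?<label>[^:]+):\s*(?<value>.*)$') {
            $label = $Matches.label.Trim()
            $value = $Matches.value.Trim()
            switch ($label) {
                'Cmdlet Name'     { $entry.CmdletName     = $value }
                'Object Modified' { $entry.ObjectModified = $value }
                'Caller'          { $entry.Caller         = $value }
                'Succeeded'       { $entry.Succeeded      = ($value -eq 'True') }
                'Run Date'        { $entry.RunDate        = [datetime]$value }
                'Parameter' {
                    # Lines look like: Parameter: Alias = 'jsmith'
                    if ($value -match "^(?<n>\w+)\s*=\s*'?(?<v>.*?)'?$") {
                        $entry.Parameters[$Matches.n] = $Matches.v
                    }
                }
                'Property Modified' {
                    if ($value -match "^(?<n>\w+)\s*=\s*'?(?<v>.*?)'?$") {
                        $entry.Properties[$Matches.n] = $Matches.v
                    }
                }
            }
        }
    }
    [pscustomobject]$entry
}

function Test-MailboxNamingPolicy {
    # Policy (an assumption for the example): aliases must be first.last in lower case.
    param([Parameter(Mandatory)] $Entry, [string] $AliasPattern = '^[a-z]+\.[a-z]+$')

    # Only mailbox creations are subject to the naming rule; other entries pass through.
    if ($Entry.CmdletName -ne 'New-Mailbox') { return $null }
    $alias = $Entry.Parameters['Alias']
    [pscustomobject]@{
        Caller    = $Entry.Caller
        Object    = $Entry.ObjectModified
        Alias     = $alias
        Compliant = [bool]($alias -and ($alias -cmatch $AliasPattern))
        RunDate   = $Entry.RunDate
    }
}

# Constructed sample entries in the assumed layout (values are invented).
$sampleEntries = @(
@'
Cmdlet Name: New-Mailbox
Object Modified: elieb.info/Users/John Smith
Parameter: Name = 'John Smith'
Parameter: Alias = 'jsmith'
Parameter: Database = 'MBX-DB01'
Property Modified: DisplayName = 'John Smith'
Caller: Exchange\Elie
Succeeded: True
Run Date: 2010-05-18 10:42:11
'@,
@'
Cmdlet Name: New-Mailbox
Object Modified: elieb.info/Users/Jane Doe
Parameter: Name = 'Jane Doe'
Parameter: Alias = 'jane.doe'
Parameter: Database = 'MBX-DB01'
Caller: Exchange\Elie
Succeeded: True
Run Date: 2010-05-18 10:45:03
'@
)

# Report only the creations that break the convention.
$sampleEntries |
    ForEach-Object { Test-MailboxNamingPolicy (ConvertFrom-AdminAuditLogEntry $_) } |
    Where-Object { $_ -and -not $_.Compliant } |
    Format-Table Caller, Object, Alias, RunDate -AutoSize
```

With the two constructed entries, only the first creation (alias jsmith) is reported. Because Succeeded is parsed too, the same objects can be used to list failed changes, which is the error-spotting use the conclusion mentions.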
Conclusion
Audit Logging is useful in tracking configuration changes made within an Exchange Organization, and helps identify any errors.
Also, as discussed, audit logging helps the organization monitor policy compliance, such as preserving a unified naming convention for email addresses.
Finally, through audit logging, a manager can keep an eye on the overall operations taking place and the management being performed on Exchange.