[Update]: This article was updated on April 19, 2017.
For organizations that take data security seriously, control over what happens to the information stored in mailboxes is a must. Starting with Exchange 2010, Microsoft accommodates this need with the "mailbox audit logging" feature. It lets you track the actions a user performs on user mailboxes and shared mailboxes, together with the IP address and name of the computer the action was performed from.
Default mailbox audit logging configuration
By default, log entries are collected for every mailbox for which "mailbox audit logging" has been switched on via the Exchange Management Shell (EMS). The entries are stored inside the audited mailbox itself, in the Recoverable Items folder, and cannot be viewed via Outlook, OWA or any other client-level access point. The default retention period is 90 days, but it can easily be changed using EMS. Enabling In-Place Hold or Litigation Hold on a mailbox does not affect the retention period setting.
Note: Most of the information below also applies to auditing in Office 365 and Exchange 2016.
Required permissions
To be able to manage mailbox audit logging you have to be a member of one of these role groups:
- Organization Management
- Records Management
Logging levels
Mailbox audit logging can track actions performed by three logon types: the mailbox owner, a mailbox delegate, and an administrator. By default, when you enable auditing, only a selected set of administrator and delegate actions is logged and nothing the owner does is recorded. This can be adjusted with the -AuditOwner, -AuditDelegate and -AuditAdmin parameters of Set-Mailbox, each of which takes the list of mailbox actions that should be logged for that logon type.
Types of actions logged by the mailbox audit mechanism
Mailbox audit logging allows you to track the following actions performed on user or shared mailboxes by the administrator, delegate or owner (action names in square brackets):
- [Copy] Copying an item to another folder – available for administrator and delegate;
- [Create] Creating an item in a folder (also when an email is sent or received) – available for administrator, delegate, and owner;
- [FolderBind] Accessing a folder – available for administrator and delegate;
- [HardDelete] Deleting an item permanently – available for administrator, delegate, and owner;
- [MessageBind] Accessing or opening an item (also in the Reading pane) – available for administrator;
- [Move] Moving an item to another folder – available for administrator, delegate, and owner;
- [MoveToDeletedItems] Moving an item to the Deleted items folder – available for administrator, delegate, and owner;
- [SendAs] Sending a message using Send as permissions – available for administrator and delegate;
- [SendOnBehalf] Sending a message using Send on Behalf permissions – available for administrator and delegate;
- [SoftDelete] Deleting an item from the Deleted items folder – available for administrator, delegate, and owner;
- [Update] Updating the properties of an item – available for administrator, delegate, and owner;
Which of these actions are tracked by default for each logon type depends on the Exchange version, so check the effective set on an audited mailbox with the Get-Mailbox command shown in the next section before relying on it.
As you can see the Mailbox audit mechanism offers a wide range of tracking options, which is more than enough to apply in a critical business scenario such as monitoring shared mailboxes.
Enabling Mailbox audit logging
By default, mailbox audit logging is switched off for every mailbox. To check the current audit status of a specific mailbox, run the following command in the Exchange Management Shell:
Get-Mailbox -Identity [user name] | FL Name,Audit*
The output lists the audit-related properties of the mailbox: AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate and AuditOwner.
If AuditEnabled is False, auditing is off for this mailbox. We can enable it using the AuditEnabled parameter. In the same command we will also shorten the log retention period to 60 days and enable logging of two actions performed by the mailbox owner. Here is the full EMS command:
Set-Mailbox -Identity [user name] -AuditEnabled $True -AuditLogAgeLimit 60:00:00:00 -AuditOwner Move,HardDelete
Running the Get-Mailbox command again shows the changes: AuditEnabled is now True, AuditLogAgeLimit is 60.00:00:00 and AuditOwner lists Move and HardDelete.
From this moment on the log will record every action listed in the AuditAdmin, AuditDelegate and AuditOwner properties (including item moves and hard deletions performed by the mailbox owner), and entries will be retained for 60 days.
Important! The log files generated by the Mailbox audit mechanism may cause users’ mailboxes to grow very fast and take up a large portion of disk space. The log files are stored in the “Audits” folder in Recoverable Items and are not accessible to the user.
To enable mailbox audit logging for multiple mailboxes, e.g. all mailboxes in a selected OU, use the -OrganizationalUnit parameter of Get-Mailbox (a server-side filter, so it is faster than piping every mailbox through Where-Object) and pipe the result to Set-Mailbox. Add -ResultSize Unlimited, because Get-Mailbox returns only the first 1000 results by default:
Get-Mailbox -OrganizationalUnit '[domain]/[OU name]' -ResultSize Unlimited | Set-Mailbox -AuditEnabled $True
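The following is an added example, not code from the original article, that carries the procedure above through end to end: it enables auditing for every mailbox in one OU with an explicit action set per logon type and a 180-day retention period, then re-reads the settings to report any mailbox that was missed. The OU path, the retention period and the action sets are assumptions to adapt to your environment.

```powershell
# Added example (not from the original article). Assumed values: the OU path,
# the 180-day retention period and the action sets below.
$ou = 'contoso.com/Finance'   # assumed; use the value Get-Mailbox shows in OrganizationalUnit

# Action sets per logon type. MessageBind and Copy are valid for administrators only;
# FolderBind, SendAs and SendOnBehalf are not valid for the owner (Set-Mailbox rejects them).
$ownerActions    = 'Move','MoveToDeletedItems','SoftDelete','HardDelete'
$delegateActions = 'Create','Update','Move','MoveToDeletedItems','SoftDelete','HardDelete',
                   'FolderBind','SendAs','SendOnBehalf'
$adminActions    = $delegateActions + 'Copy','MessageBind'

# -ResultSize Unlimited: Get-Mailbox returns only the first 1000 mailboxes by default,
# so a large OU would otherwise be left partially unaudited.
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180:00:00:00 `
                -AuditOwner $ownerActions -AuditDelegate $delegateActions -AuditAdmin $adminActions

# Verification: re-read the settings and list every mailbox that still has auditing
# off or a different retention period, instead of trusting that the pipeline hit
# every object. An empty table means the OU is fully covered.
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled -or [string]$_.AuditLogAgeLimit -ne '180.00:00:00' } |
    Format-Table Name, AuditEnabled, AuditLogAgeLimit, AuditOwner -AutoSize
```

Run the verification part on its own from time to time: a mailbox created after the bulk command, or moved into the OU later, starts with auditing off and will show up in the table.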
Searching logs using Exchange Management Shell
To view log entries for a specific action performed by one logon type (owner, delegate or administrator) in a given timespan, run the following command. Note that -ShowDetails works only with a single -Identity, that the dates must be written in the format the server's regional settings expect, and that an end date given without a time means midnight at the start of that day, so a search whose start and end dates are the same day returns nothing:
Search-MailboxAuditLog -Identity [user or shared mailbox name] -LogonTypes Owner -ShowDetails -StartDate [start date] -EndDate [end date] | Where-Object {$_.Operation -eq "[action name]"}
The -eq comparison matches one action name. To filter on several actions at once, test membership in a list of names (the -in or -contains operator) rather than joining the names with commas inside a single string, which never matches anything.
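The following is an added example, not code from the original article, that shows the search done in a way that avoids the two mistakes that most often produce an empty result: it passes DateTime objects instead of date strings (so the server's date format no longer matters), ends the range at tomorrow's midnight so today is included, filters on several deletion operations with a membership test, and exports the columns an incident responder needs. The mailbox name, the 7-day window and the output path are assumptions.

```powershell
# Added example (not from the original article). Assumed values: the mailbox name,
# the 7-day window and the CSV path.
$mailbox = 'Sales'                        # assumed shared mailbox
$csvPath = 'C:\Temp\Sales-deletions.csv'  # assumed output path

# DateTime objects sidestep the d/m/y vs m/d/y ambiguity of date strings. EndDate is
# midnight at the start of that day, so AddDays(1) is needed to include today.
$start = (Get-Date).Date.AddDays(-7)
$end   = (Get-Date).Date.AddDays(1)

# Several operations: test membership in an array. With the array on the left,
# -contains also works on PowerShell 2.0 (Exchange 2010 EMS), where -in does not exist.
$deleteOps = 'SoftDelete','HardDelete','MoveToDeletedItems'

# -ResultSize raises the default cap of 1000 entries; -ShowDetails returns the full
# event (client IP, client string, folder, subject) instead of a summary row.
$events = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Owner,Delegate,Admin `
              -ShowDetails -StartDate $start -EndDate $end -ResultSize 50000 |
          Where-Object { $deleteOps -contains $_.Operation }

# Who, when, from where, and what: keep only the columns needed to establish responsibility.
$events |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
                  ClientIPAddress, ClientInfoString, FolderPathName, ItemSubject |
    Sort-Object LastAccessed |
    Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

"{0} deletion event(s) written to {1}" -f @($events).Count, $csvPath
```

If the count is zero on a mailbox whose AuditOwner, AuditDelegate and AuditAdmin lists contain the deletion actions, widen the window first and only then suspect the search index or the server's regional settings described in the known issue below.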
Searching logs using Exchange Control Panel
To search mailbox audit logs via ECP, go to compliance management > auditing in the ECP console. Keep in mind that ECP only reports actions performed by non-owners, i.e. delegates and administrators; owner actions can be searched from EMS only.
To obtain a report on actions performed on one or more mailboxes, click Run a non-owner mailbox access report.
In the resulting window select a start and end date, specify the mailboxes you want to search and the scope of users whose actions will be reported on, and click search.
Searching logs generated for multiple mailboxes
Starting from Exchange 2013 you can search the audit logs of several mailboxes at once and have the results sent, as an XML attachment, to one or more email addresses. The search runs asynchronously on the server: the cmdlet returns immediately and the message with the results arrives later.
To do so, use the following cmdlet:
New-MailboxAuditLogSearch "[search name]" -Mailboxes "[user and/or shared mailbox name(s)]" -LogonTypes [Admin/Delegate/External/Owner] -StartDate [search start date] -EndDate [search end date] -StatusMailRecipients [email address(es)]
Example:
New-MailboxAuditLogSearch "Delegate users" -Mailboxes "Sales","Marketing" -LogonTypes Delegate -StartDate 06/19/2015 -EndDate 06/20/2015 -StatusMailRecipients [email address]
The end date is one day after the day being searched because a date without a time means midnight at the start of that day; with -StartDate and -EndDate both set to 06/19/2015 the search would cover an empty range.
Checking the amount of disk space taken up by log files
To find out how much disk space the audit log of a mailbox with mailbox audit logging switched on takes up, list its Recoverable Items subfolders; the Audits folder is the one that holds the log entries:
Get-Mailbox -Identity [mailbox name] | Get-MailboxFolderStatistics -FolderScope RecoverableItems | FL Name,FolderSize
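The following is an added example, not code from the original article, that turns the single-mailbox check above into a report over every audited mailbox and flags those whose Audits folder exceeds a threshold, which is how the growth warned about earlier is caught before it fills a database. The threshold is an assumption.

```powershell
# Added example (not from the original article). Assumed value: the size threshold.
$thresholdMB = 500   # assumed; pick a value that fits your database sizing

# FolderSize is a ByteQuantifiedSize object in a local EMS but arrives as a string such
# as "1.5 MB (1,572,864 bytes)" over a remote session; extracting the byte count from
# the text form works in both cases.
function Get-AuditFolderSizeMB {
    param([Parameter(Mandatory=$true)]$Mailbox)
    $stats = $Mailbox | Get-MailboxFolderStatistics -FolderScope RecoverableItems |
             Where-Object { $_.Name -eq 'Audits' }
    if (-not $stats) { return 0 }   # no Audits folder yet: nothing has been logged
    $text  = [string]$stats.FolderSize
    $bytes = [int64]([regex]::Match($text, '\(([\d,]+) bytes\)').Groups[1].Value -replace ',', '')
    return [math]::Round($bytes / 1MB, 2)
}

# Only audited mailboxes carry a growing Audits folder, so skip the rest.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.AuditEnabled } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Mailbox          = $_.Name
            AuditLogAgeLimit = $_.AuditLogAgeLimit
            AuditsMB         = Get-AuditFolderSizeMB -Mailbox $_
        }
    } |
    Where-Object { $_.AuditsMB -ge $thresholdMB } |
    Sort-Object AuditsMB -Descending |
    Format-Table Mailbox, AuditsMB, AuditLogAgeLimit -AutoSize
```

The AuditLogAgeLimit column is included because it is the lever for the mailboxes that show up: a shorter limit on a busy shared mailbox shrinks the folder without giving up auditing, whereas turning auditing off does.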
Known mailbox audit logging issue
Exchange 2013 (starting from SP1/CU4) administrators may encounter a problem where executing the Search-MailboxAuditLog command produces no output in the EMS console. The behaviour is confusing because the console does not report an error or warn that the syntax was wrong; the only visible sign that auditing is working at all is the growing size of the "Audits" folder.
The problem is caused by the date and time format settings on the Exchange servers. Find out more about the cause and the fix in Microsoft's article on the subject.
Summary
The mailbox audit logging mechanism equips the administrator with the ability to track the actions performed on a mailbox. It is especially useful for shared mailboxes accessed by multiple users, and for any other mailbox containing sensitive information. The mechanism lets you determine who performed which type of action on these mailboxes, which can prove critical when responsibility for damage has to be established.
I cannot get a shell report to show any results. Here is the command: Search-MailboxAuditLog -Identity Assign -LogonTypes Owner,Delegate,Admin -ShowDetails -StartDate 3/26/2019 -EndDate 3/26/2019 | Where-Object {$_.Operation -eq "SoftDelete,HardDelete,MoveToDeletedItems"}
The Assign mailbox has auditing enabled and the proof is that I can run reports and get results in the ECP for non-owners. I want to get results in the shell for auditing the owner (and non-owners) deleting emails. I have run every version of this command I can think of and no results. No errors either. Any help would be greatly appreciated.
Hello Lee,
The most common cause for this issue is a problem with search index. The cmdlets below will verify if indexing is enabled and if the search index is healthy.
Get-MailboxDatabase | fl name,index*
Get-MailboxDatabaseCopyStatus | fl name,*index*
Also, check which events are set to be logged:
Get-Mailbox Assign | FL name,*audit*
I also recall that there has been a problem if the server’s language is set to anything other than English.
Is there any way to delete the audit logs?
Are audit logs taking too much space? The audit logs are deleted automatically when a specific entry reaches its age limit. I recommend using the Set-Mailbox cmdlet with the right -AuditLogAgeLimit parameter to control when the audit files are deleted.
Some more tips on exchange online auditing http://howdoicomputer.com/2016/05/exchange-online-and-hybrid-exchange-auditing-configurations/
Great!! Post…
How can I do the same for audit / logging of a public folder mailbox?
Hi Chema,
Audit logging is not available for public folders. As a workaround try using the MFCMAPI tool: https://mfcmapi.codeplex.com/
This article explains how to use MFCMAPI to check who was the last user to modify an item in a mailbox: http://www.msexchange.org/articles-tutorials/exchange-server-2013/compliance-policies-archiving/e-mail-forensics-corporate-exchange-environment-part5.html
As to tracking deletions, in MFCMAPI, after logging on to a session and opening the public folder store (right-click and select Open store), expand Root Container and IPM_SUBTREE, right-click the public folder and select Other tables, Deleted contents. The resulting window will contain a list of deleted items along with information who and when deleted the items (PR_LAST_MODIFIER… and PR_LAST_MODIFICATION_TIME properties).
Hope this helps,
Adam