What is mailbox audit logging?
Mailbox audit logging is used for tracking logons to a specific mailbox as well as actions and changes that are made during the session. It can also be used to track ‘Send As,’ ‘SendOnBehalfOf,’ creations, deletions, etc.
This logging can generate many logs which can consume a good amount of space, and is thus disabled by default.
Enabling mailbox audit logging on a mailbox
Example cmdlet to enable:
Set-Mailbox -Identity "JoshTest" -AuditEnabled $true
In order to perform mailbox audit logging, you need to be a member of a role group with the “Audit Logs” role assigned to it. Two default role groups that have this functionality are:
- Organization Management
- Records Management
You can create custom role groups as well; reference the ‘
RBAC Explained’ article.
Enabling auditing will automatically include administrator and delegate actions by default, while omitting actions made by the mailbox owner.
Searching mailbox audit logs
There are three ways to search mailbox audit logs: Synchronous, Asynchronous, GUI (via ECP).
Example Type:
Synchronous.
Task Description:
Perform a synchronous mailbox audit log search with the goal of finding all audit log entries for JoshTest’s mailbox regarding admin/delegate actions in the time frame of 2/20/2011 – 2/25/2011, and display the results in the powershell window.
Cmdlet Example:
Search-MailboxAuditLog -Identity JoshTest -LogonTypes Admin,Delegate -StartDate 2/20/2011 -EndDate 2/25/2011
Full Syntax Considerations:
Example Type:
Asynchronous.
Task:
Perform an asynchronous mailbox audit log search with the goal of finding all audit log entries for JoshTest's mailbox regarding delegate actions in the time frame of 2/20/2011 – 2/25/2011, and populate an XML file with the results to be delivered via e-mail upon completion.
Cmdlet Example:
New-MailboxAuditLogSearch "Delegate Actions on JoshTest" -Mailboxes "JoshTest" -LogonTypes Delegate -StartDate 3/1/2011 –EndDate 3/1/2011 -StatusMailRecipients Mailbox.Auditor@azaleos.com
Full Syntax Considerations:
Example Type:
GUI / ECP
Task:
Perform a mailbox audit log search via the ECP with the goal of finding all audit log entries for a user regarding administrative actions on 3/1/2011, and populate an XML file with the results to be delivered via e-mail upon completion.
Steps:
Log in as an admin account (see prior requirements) to the ECP, or to OWA and enter the ECP via the Options section.
Navigate to ‘Roles and Auditing’ and then ‘Auditing.’
Export mailbox audit logs:
Fill out the criteria for the user to search, the scope, and who to send the report to:
In time, you will receive the output in XML format at the e-mail address specified:
Full Considerations:
Interpreting the mailbox audit log
Example:
MailboxGuid="1a5348dc-2bdd-4606-9d22-59005ca2eb7c"
Owner="AVictim"
LastAccessed="2011-03-01T22:42:41.0772536-07:00"
Operation="SendAs"
ItemId="RgAAAADH7DJI8nRmW9d7HDLIvGH+JsErT8IbDiflR6zCD/BEMJIcAAAA4j5cAABaE7PuVtsyT6zCD/BEMJIcAAAA4pUbAAAJ"
ItemSubject="You're fired!"
OperationResult="Succeeded"
LogonType="Delegate"
ClientInfoString="Client=OWA"
ClientIPAddress="10.10.15.15"
InternalLogonType="Owner"
MailboxOwnerUPN="AVictim@raymond.com"
MailboxOwnerSid="S-1-5-21-1542865472-92671928-526660263-5723"
LogonUserDisplayName="A. Badman"
LogonUserSid="S-1-5-21-1542865472-92671928-526660263-3722"
OriginatingServer="EXCHANGE01 (14.01.0218.011)"
MailboxGuid="1a5348dc-2bdd-4606-9d22-59005ca2eb7c"
Owner=" AVictim"
LastAccessed="2011-03-01T22:42:41.061631-07:00"
Operation="Create"
ItemId="RgAAAADH7DJI8nRmW9d7HDLIvGH+JsErT8IbDiflR6zCD/BEMJIcAAAA4j5cAABaE7PuVtsyT6zCD/BEMJIcAAAA4pUbAAAJ"
ItemSubject="You're fired!"
OperationResult="Succeeded"
LogonType="Delegate"
FolderId="LgAAAABN9DVF1dUmR6o4DOZQiD9+AQBaE7PuVtsyT6zCD/BEMJIcAAAA4j5cAAAB" FolderPathName="\Drafts"
ClientInfoString="Client=OWA"
ClientIPAddress="10.10.15.15"
InternalLogonType="Owner"
MailboxOwnerUPN=" AVictim@raymond.com"
MailboxOwnerSid="S-1-5-21-1542865472-92671928-526660263-5723"
LogonUserDisplayName="A. Badman"
LogonUserSid="S-1-5-21-1542865472-92671928-526660263-3722"
OriginatingServer="EXCHANGE01 (14.01.0218.011)
Judging by this output, it looks like A. Badman has logged on successfully, created the original draft, and sent an e-mail as (Send As) A. Victim via OWA at 22:42:41 on 3/1/2011. It also looks like the e-mail wasn’t work appropriate with a subject like that!
MailboxGuid="1a5348dc-2bdd-4606-9d22-59005ca2eb7c"
Owner=" AVictim"
LastAccessed="2011-03-01T23:18:51.2507346-07:00"
Operation="HardDelete"
OperationResult="Succeeded"
LogonType="Delegate"
FolderId="LgAAAABN9DVF1dUmR6o4DOZQiD9+AQBaE7PuVtsyT6zCD/BEMJIcAAAA4j5RAAAB"
FolderPathName="\Inbox"
ClientInfoString="Client=MSExchangeRPC"
ClientIPAddress="10.10.15.15"
ClientProcessName="OUTLOOK.EXE"
ClientVersion="12.0.6550.5000"
InternalLogonType="Owner"
MailboxOwnerUPN="AVictim@raymond.com"
MailboxOwnerSid="S-1-5-21-1542865472-92671928-526660263-5723"
CrossMailboxOperation="false"
LogonUserDisplayName="A. Badman"
LogonUserSid="S-1-5-21-1542865472-92671928-526660263-3722"
OriginatingServer="EXCHANGE01 (14.01.0218.011)"
It would also appear that A. Badman has been busy deleting items from the mailbox as well. You can see from the log that this was done via Outlook 2007.
A quick-hit list of the important fields:
Field | Description |
Owner | The owner of the mailbox that was accessed by a non-owner. |
LastAccessed | The date and time when the mailbox was accessed. |
Operation | |
OperationResult | Whether the action performed by the non-owner succeeded or failed. |
LogonType | The type of non-owner access. These include administrator, delegate, and external. |
FolderPathName | The name of the folder that contained the message that was affected by the non-owner. |
ClientInfoString | Information about the mail client used by the non-owner to access the mailbox. |
ClientIPAddress | The IP address of the computer used by the non-owner to access the mailbox. |
InternalLogonType | The logon type of the account used by the non-owner to access this mailbox. |
MailboxOwnerUPN | The e-mail address of the mailbox owner. |
LogonUserDN | The display name of the non-owner. |
Subject | The subject line of the e-mail message that was affected by the non-owner. |
Table originally pulled from outlook help link located here.
The full field list is here: