Admin audit logging in Exchange Online

In this post we will look at admin audit logging in Exchange Online. We will verify whether admin audit logging is enabled, use PowerShell to learn different ways to query the admin audit log, and finally see how to schedule a script that exports the admin audit log entries from the last 24 hours.

Using the Shell to verify that admin audit logging is enabled

Administrator audit logging is enabled by default. To verify that it’s enabled, run the following command:

Get-AdminAuditLogConfig | FL *Audit*

If admin audit logging is disabled, it can be enabled with the command below.

Note: The command below applies only to Exchange on-premises; the -AdminAuditLogEnabled parameter is not available in Exchange Online, where admin audit logging stays on.

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
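Rather than eyeballing the output of Get-AdminAuditLogConfig, it is worth turning the check into a small function that flags every setting that weakens the audit trail: logging switched off, the cmdlet or parameter scope narrowed from "*", cmdlets added to the exclusion list, or the retention (AdminAuditLogAgeLimit, 90 days by default) lowered. The following is an added example, not code from the original post; it assumes an open Exchange Online or on-premises Exchange PowerShell session, and reads the retention through its string form so it works whether the property arrives as a TimeSpan or as a deserialized string.

```powershell
# Added example (not from the original post): review Get-AdminAuditLogConfig
# and report every setting that weakens the admin audit trail.
# Assumes an open Exchange Online / on-premises Exchange PowerShell session.
function Test-AdminAuditLogConfig {
    [CmdletBinding()]
    param(
        # Retention you expect to see; 90 days is the Exchange default.
        [int]$MinimumAgeDays = 90
    )

    $cfg      = Get-AdminAuditLogConfig
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $cfg.AdminAuditLogEnabled) {
        $findings.Add('Admin audit logging is DISABLED (on-premises: Set-AdminAuditLogConfig -AdminAuditLogEnabled $true).')
    }

    # '*' means every cmdlet / every parameter is logged; anything narrower is a blind spot.
    if (@($cfg.AdminAuditLogCmdlets) -notcontains '*') {
        $findings.Add("Only these cmdlets are logged: $($cfg.AdminAuditLogCmdlets -join ', ')")
    }
    if (@($cfg.AdminAuditLogParameters) -notcontains '*') {
        $findings.Add("Only these parameters are logged: $($cfg.AdminAuditLogParameters -join ', ')")
    }

    $excluded = @($cfg.AdminAuditLogExcludedCmdlets)
    if ($excluded.Count -gt 0) {
        $findings.Add("Cmdlets excluded from logging: $($excluded -join ', ')")
    }

    # AdminAuditLogAgeLimit renders as e.g. '90.00:00:00'; parse that form so the
    # check works with both an EnhancedTimeSpan object and a deserialized string.
    $retention = [TimeSpan]"$($cfg.AdminAuditLogAgeLimit)"
    if ($retention.TotalDays -lt $MinimumAgeDays) {
        $findings.Add("Retention is $($retention.TotalDays) days, below the expected $MinimumAgeDays.")
    }

    [pscustomobject]@{
        Enabled         = $cfg.AdminAuditLogEnabled
        RetentionDays   = $retention.TotalDays
        ExcludedCmdlets = $excluded
        Findings        = $findings.ToArray()
        Compliant       = ($findings.Count -eq 0)
    }
}

# Usage: a compliant tenant returns Compliant = True and an empty Findings list.
Test-AdminAuditLogConfig | Format-List
```

On Exchange Online the scope and exclusion findings should never fire, since those settings cannot be changed there; on-premises they are exactly the knobs an attacker with Organization Management rights would touch to hide later changes, so any non-empty Findings list deserves a look at who ran Set-AdminAuditLogConfig.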

Using PowerShell to search for admin audit log entries

We will use the Search-AdminAuditLog cmdlet to retrieve the admin audit log entries. Note that in current Exchange Online the same cmdlet activity is also recorded in the unified audit log and can be retrieved with Search-UnifiedAuditLog -RecordType ExchangeAdmin.

If we run the cmdlet without any parameters it returns the first 1,000 entries; if we need more, we can set the -ResultSize parameter.

Note: The maximum is 250,000. The TechNet article says we can use Unlimited, but it failed for me.

If we want to search only the entries from the last 24 hours, we can use the command below.

$AdminAuditlogs = Search-AdminAuditLog -StartDate ((Get-Date).AddDays(-1)) -EndDate (Get-Date)

There are other parameters (such as -Cmdlets, -Parameters, -UserIds and -ObjectIds), but I do not use them; I dump all the entries to CSV and review them there. If your environment generates a high number of entries, you can use those parameters to filter the search further.
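The filtering parameters matter most when you are looking for something specific, and the entries most worth looking for are the cmdlets that attackers use to keep access to a mailbox after a compromise: mail forwarding, delegate permissions, inbox and transport rules, and re-enabling legacy protocols. The following is an added example, not code from the original post. It shows a server-side filtered search (commented out, because it needs a live session) and a detection pass that flags those cmdlets whenever a watched parameter is present. The detection runs on constructed sample records shaped like Search-AdminAuditLog output (CmdletName, Caller, ObjectModified, Succeeded, and a CmdletParameters collection of Name/Value pairs), so it works offline; in a live session, pipe the real Search-AdminAuditLog output into it instead. The watch list and the sample data are my own choices, not anything from the post.

```powershell
# Added example (not from the original post).
# 1. Narrow the search on the server instead of dumping everything (live session only):
#    Search-AdminAuditLog -Cmdlets 'Set-Mailbox','Add-MailboxPermission','New-InboxRule' `
#        -Parameters 'ForwardingSmtpAddress','AccessRights','ForwardTo' `
#        -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -IsSuccess $true -ResultSize 5000

# 2. Detection: cmdlet -> parameters whose presence makes an entry worth a second look.
#    (Watch list is an assumption for this example; extend it for your environment.)
$WatchList = @{
    'Set-Mailbox'             = @('ForwardingSmtpAddress', 'ForwardingAddress', 'DeliverToMailboxAndForward')
    'Add-MailboxPermission'   = @('AccessRights')
    'Add-RecipientPermission' = @('AccessRights')
    'New-InboxRule'           = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage')
    'Set-InboxRule'           = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage')
    'New-TransportRule'       = @('BlindCopyTo', 'RedirectMessageTo')
    'Set-CASMailbox'          = @('ImapEnabled', 'PopEnabled')
}

function Find-SuspiciousAdminActions {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $watched = $WatchList[$Entry.CmdletName]
        if (-not $watched) { return }
        # CmdletParameters is a collection of objects with Name and Value.
        $hits = @($Entry.CmdletParameters | Where-Object { $watched -contains $_.Name })
        if ($hits.Count -eq 0) { return }
        [pscustomobject]@{
            RunDate   = $Entry.RunDate
            Caller    = $Entry.Caller
            Cmdlet    = $Entry.CmdletName
            Target    = $Entry.ObjectModified
            Evidence  = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            Succeeded = $Entry.Succeeded
        }
    }
}

# Constructed sample records (not real data) in the shape Search-AdminAuditLog returns.
function New-SampleEntry($Cmdlet, $Caller, $Target, [hashtable]$Params) {
    [pscustomobject]@{
        RunDate          = Get-Date
        Caller           = $Caller
        CmdletName       = $Cmdlet
        ObjectModified   = $Target
        Succeeded        = $true
        CmdletParameters = @($Params.GetEnumerator() | ForEach-Object {
            [pscustomobject]@{ Name = $_.Key; Value = $_.Value } })
    }
}

$sample = @(
    New-SampleEntry 'Set-Mailbox' 'admin@contoso.example' 'cfo' @{ ForwardingSmtpAddress = 'smtp:drop@evil.example'; DeliverToMailboxAndForward = $true }
    New-SampleEntry 'Set-Mailbox' 'admin@contoso.example' 'cfo' @{ DisplayName = 'Chief Financial Officer' }
    New-SampleEntry 'Add-MailboxPermission' 'helpdesk@contoso.example' 'cfo' @{ User = 'temp-contractor'; AccessRights = 'FullAccess' }
    New-SampleEntry 'Set-TransportConfig' 'admin@contoso.example' 'TransportConfig' @{ MaxSendSize = '35MB' }
)

# Expected: the forwarding change and the FullAccess grant are reported; the
# DisplayName edit and the transport-config change are not.
$sample | Find-SuspiciousAdminActions | Format-Table -AutoSize
```

The point of keying on parameters rather than on cmdlet names alone is that Set-Mailbox is run hundreds of times a day for harmless reasons; only the parameters that create forwarding or access paths are interesting. In a live tenant, pair the output with the Caller column: a forwarding rule set by a helpdesk account at 03:00 tells a different story from the same change made by the mailbox owner's manager via a ticket.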

The script below exports the admin audit log entries from the last 24 hours to a CSV file; run it daily to keep a rolling report.

# File name carries the date, e.g. Admin-Audit-Report-05-03-24.csv
$AdminAuditReportName = "Admin-Audit-Report-" + (Get-Date -Format dd-MM-yy) + ".csv"
$AdminAuditlogs = Search-AdminAuditLog -StartDate ((Get-Date).AddDays(-1)) -EndDate (Get-Date)
$AdminAuditlogs | Export-Csv -Path $AdminAuditReportName -NoTypeInformation
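Two things bite when the three-line version above is scheduled. First, Export-Csv writes the CmdletParameters and ModifiedProperties collections as their type name ("System.Collections.ArrayList") instead of their contents, so the CSV loses exactly the values you want to review. Second, a sliding "now minus one day" window leaves a gap or double-counts entries whenever the task starts late or early. The following is an added example, not the post's own script: it flattens the collections into strings, carries the search window forward from a state file, connects unattended with certificate-based app-only authentication, and warns when the 250,000-entry cap is hit. It assumes the ExchangeOnlineManagement module is installed and that an Entra app registration with a certificate exists; the app id, thumbprint, tenant name and paths are placeholders.

```powershell
# Added example (not from the original post): unattended daily export of the
# admin audit log. Assumes the ExchangeOnlineManagement module and an app
# registration with certificate auth; all identifiers below are placeholders.
param(
    [string]$AppId        = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$Thumbprint   = 'PLACEHOLDER_CERT_THUMBPRINT',            # placeholder
    [string]$Organization = 'contoso.onmicrosoft.com',                # placeholder
    [string]$OutputDir    = 'C:\AuditReports',
    [string]$StateFile    = 'C:\AuditReports\last-run.txt'
)

# Flatten the collection properties so the CSV keeps the actual parameter
# values instead of "System.Collections.ArrayList".
function ConvertTo-FlatAuditRow {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        [pscustomobject]@{
            RunDate            = $Entry.RunDate
            Caller             = $Entry.Caller
            CmdletName         = $Entry.CmdletName
            ObjectModified     = $Entry.ObjectModified
            Succeeded          = $Entry.Succeeded
            Error              = $Entry.Error
            ExternalAccess     = $Entry.ExternalAccess
            CmdletParameters   = ($Entry.CmdletParameters  | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            ModifiedProperties = ($Entry.ModifiedProperties | ForEach-Object { "$($_.Name): $($_.OldValue) -> $($_.NewValue)" }) -join '; '
        }
    }
}

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Continue from where the previous run stopped; fall back to 24 h on first run.
$end   = Get-Date
$start = if (Test-Path $StateFile) { [datetime](Get-Content -Path $StateFile) } else { $end.AddDays(-1) }

Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint -Organization $Organization -ShowBanner:$false
try {
    $report = Join-Path $OutputDir ("Admin-Audit-Report-{0:yyyy-MM-dd}.csv" -f $end)

    $rows = @(Search-AdminAuditLog -StartDate $start -EndDate $end -ResultSize 250000 | ConvertTo-FlatAuditRow)
    $rows | Export-Csv -Path $report -NoTypeInformation -Encoding UTF8

    # 250,000 is the cmdlet's hard cap; hitting it means the window is too wide.
    if ($rows.Count -ge 250000) {
        Write-Warning "Result cap reached for $start .. $end; split the window or filter with -Cmdlets."
    }

    # Only advance the window once the export succeeded.
    $end.ToString('o') | Set-Content -Path $StateFile
    Write-Output "Wrote $($rows.Count) entries to $report"
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}

# Register once from an elevated prompt to run daily at 01:00 under the account
# that holds the certificate's private key (adjust the script path):
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Export-AdminAuditLog.ps1'
#   $trigger = New-ScheduledTaskTrigger -Daily -At 1am
#   Register-ScheduledTask -TaskName 'Export-AdminAuditLog' -Action $action -Trigger $trigger -RunLevel Highest
```

Keep the exported CSVs somewhere the tenant admins cannot edit; the whole value of the report is that it survives an attacker who later runs Set-AdminAuditLogConfig or simply waits out the retention period.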

This is the end of this post, in which we learned how to review admin audit logging. For more details on admin audit logging, please check the TechNet article below.