With admin audit logging enabled we can keep track of the organization- and user-level changes made in an environment. This gives us the information we need when a major change has to be traced back to the person who made it.
By default, admin audit logging is enabled in a new installation of Exchange 2013. It keeps a list of audited cmdlets, so any task an administrator performs with a cmdlet on that list is captured in the log. This gives us close security control over the messaging environment. We can also exclude a few cmdlets from admin audit logging so that those are not captured.
Once logging is enabled, a default set of cmdlets is logged: every cmdlet except those with the Get, Search and Test verbs, so Get-, Search- and Test- cmdlets are not captured in the audit log. This can be modified through the AdminAuditLogCmdlets parameter (and AdminAuditLogExcludedCmdlets). Each cmdlet to be monitored or excluded can be specified individually, and wildcards such as *Mailbox* are accepted.
Now let's look at enabling and modifying the admin audit logging properties.
Run the command below to check the current audit logging settings:
Get-AdminAuditLogConfig
In the output, the parameters highlighted in the red box of the screenshot are the ones we need to concentrate on.
AdminAuditLogCmdlets has the value *, which means every cmdlet is logged except the Get, Search and Test cmdlets. AdminAuditLogExcludedCmdlets is empty, so no exclusions are set by default.
I can restrict logging to a few important organization-level cmdlets by setting a value in AdminAuditLogCmdlets. Keep in mind that once the list is narrowed, any cmdlet not on it leaves no trace in the log.
If I want to exclude a few cmdlets that the admins need for daily operations, I can add them to AdminAuditLogExcludedCmdlets.
Here is an example for this scenario. The command below restricts logging to the New-AcceptedDomain, Set-SendConnector and Dismount-Database cmdlets, so only new accepted domains, send connector changes and database dismounts are tracked.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets New-AcceptedDomain,Set-SendConnector,Dismount-Database
Note: to add multiple values, separate the cmdlet names with commas as shown above (quote each name if it contains characters the shell would otherwise interpret).
Get-AdminAuditLogConfig now shows only these three cmdlets in AdminAuditLogCmdlets.
The command below excludes Set-Mailbox, Disable-Mailbox and Enable-Mailbox from logging in our example.
Set-AdminAuditLogConfig -AdminAuditLogExcludedCmdlets Set-Mailbox,Disable-Mailbox,Enable-Mailbox
Get-AdminAuditLogConfig now shows these three cmdlets in AdminAuditLogExcludedCmdlets.
Admin audit logging is now configured: every change made with a cmdlet in AdminAuditLogCmdlets (and not in the excluded list) is stored.
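The following script is an added example and not part of the original post. It applies the cmdlet list and exclusions from the steps above in a single call, reads the configuration back and checks it, rather than trusting a screenshot. It is meant to be run in the Exchange Management Shell; the 90-day age limit and the warning messages are my own choices for this walkthrough, not settings the post prescribes.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# The cmdlet names are the ones used in the post; the age limit is an assumption.

$logged   = 'New-AcceptedDomain', 'Set-SendConnector', 'Dismount-Database'
$excluded = 'Set-Mailbox', 'Disable-Mailbox', 'Enable-Mailbox'

# Make sure logging is on, restrict the audited cmdlets, log all parameters,
# and keep entries for 90 days (dd.hh:mm:ss).
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
                        -AdminAuditLogCmdlets $logged `
                        -AdminAuditLogExcludedCmdlets $excluded `
                        -AdminAuditLogParameters * `
                        -AdminAuditLogAgeLimit 90.00:00:00

# Read the organization-wide setting back. It is stored in Active Directory,
# so other servers see it only after replication.
$cfg = Get-AdminAuditLogConfig

# Compare what came back with what we asked for and flag any mismatch.
if (-not $cfg.AdminAuditLogEnabled) { Write-Warning 'Admin audit logging is disabled' }
foreach ($c in $logged) {
    if ($cfg.AdminAuditLogCmdlets -notcontains $c) { Write-Warning "Not audited: $c" }
}
foreach ($c in $excluded) {
    if ($cfg.AdminAuditLogExcludedCmdlets -notcontains $c) { Write-Warning "Not excluded: $c" }
}

# Caveat: with this list only three cmdlets are recorded. Anything else
# (New-ManagementRoleAssignment, Set-TransportRule, ...) leaves no trace.
# To keep full coverage and only trim noise, log everything and rely on exclusions:
# Set-AdminAuditLogConfig -AdminAuditLogCmdlets * -AdminAuditLogExcludedCmdlets $excluded
```

The last commented line is the configuration most environments should prefer: a wildcard for AdminAuditLogCmdlets with a short exclusion list keeps the log complete while removing the noisy daily-operations cmdlets the post wants to skip.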
Where are these logs stored?
From Exchange 2010 SP1 onward (and in Exchange 2013), the audit log is kept in a dedicated arbitration mailbox that is created automatically when audit logging is in use; the entries are written into an admin audit log folder in that mailbox. This is more secure than the original Exchange 2010 approach, where the entries were mailed to a mailbox chosen by the administrator. The Active Directory account behind the arbitration mailbox is disabled by default, and administrators do not open it the way they open an ordinary mailbox; the records are retrieved only through Search-AdminAuditLog and New-AdminAuditLogSearch (or the auditing reports in the EAC).
Below are a few examples of searching the admin audit log.
The commands below find the admins who recently dismounted a database or changed a send connector configuration:
Search-AdminAuditLog -Cmdlets Dismount-Database | ft RunDate,Caller,ObjectModified
Search-AdminAuditLog -Cmdlets Set-SendConnector | ft RunDate,Caller,ObjectModified
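The script below is an added example, not from the original post. It goes a step beyond the two one-line searches: it pulls the last 30 days of entries for a watch list of cmdlets, expands the CmdletParameters collection so you can see what was actually changed (not just which object), separates failed attempts, and schedules the same search as a mailed report. The watch list, the 30-day window, the ResultSize and the recipient address audit@contoso.com are assumptions for this example.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Watch list, date window, ResultSize and the recipient address are assumptions.

$watch = 'Dismount-Database', 'Set-SendConnector', 'New-AcceptedDomain',
         'Set-AdminAuditLogConfig'   # also catch changes to the audit configuration itself
$end   = Get-Date
$start = $end.AddDays(-30)

# Search-AdminAuditLog returns at most 1000 entries unless ResultSize is raised
# (maximum 250000); a busy window silently truncates otherwise.
$entries = Search-AdminAuditLog -Cmdlets $watch -StartDate $start -EndDate $end -ResultSize 5000

# Flatten each entry. CmdletParameters is a collection of Name/Value pairs
# (Identity, Confirm, ...), which is where the actual change is recorded.
$report = foreach ($e in $entries) {
    [pscustomobject]@{
        RunDate   = $e.RunDate
        Caller    = $e.Caller
        Cmdlet    = $e.CmdletName
        Object    = $e.ObjectModified
        Succeeded = $e.Succeeded
        Params    = ($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}

$report | Sort-Object RunDate -Descending | Format-Table -AutoSize

# Failed attempts deserve a separate look: a caller repeatedly failing on
# Set-AdminAuditLogConfig is more interesting than a clean run.
$report | Where-Object { -not $_.Succeeded } |
    Format-Table RunDate, Caller, Cmdlet, Object, Params -AutoSize

# For the monthly review, run the same search asynchronously; the results are
# mailed as an XML attachment to the recipients listed.
New-AdminAuditLogSearch -Name 'Monthly org change review' -Cmdlets $watch `
    -StartDate $start -EndDate $end -StatusMailRecipients 'audit@contoso.com'
```

Note that Search-AdminAuditLog itself carries the Search verb, so by default it is not written to the log; New-AdminAuditLogSearch, being a New- cmdlet, is. If you want a record of who is reading the audit trail, prefer the asynchronous search.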
During an outage you may have to make several changes in a hurry, or run a cmdlet that is not on the audited list. Write-AdminAuditLog does not bypass the log; it adds a manual entry under your name with a free-text comment, so the record shows what was done and why. For example:
Write-AdminAuditLog -Comment "Ran Dismount-Database and Mount-Database"
Overall, admin audit logging is very useful for monitoring organizational changes. If we run these searches once a month, we can monitor the organization- and server-level changes made by admins.
Thanks, Sathish Veerapandian, MVP - Exchange Server