In this Tutorial we are going over the process to manage mailbox audit in Exchange Server 2013.
Exchange Server has a feature that can be enable which allows the administrator to audit a specific mailbox. By default all log information for the last 90 days is stored within the mailbox however the end-user does not have access to it using Outlook/OWA clients. The auditing feature allows us to audit access from delegated mailbox, from the owner and/or administrators.
How to enable the Audit feature on a mailbox…
We are going to use tor10 mailbox for this Tutorial and in order to identify if Audit status of any given mailbox, we can use the following cmdlet (by default all new mailboxes have Audit disabled).
Get-Mailbox tor10 | Select AuditEnabled | fl
In order to enable Audit on that mailbox, we can run the following cmdlet where the value of $true on that attribute means that the audit is enabled.
Set-Mailbox tor10 –AuditEnabled $True
Now that we have the tor10 mailbox with audit enabled, the tor11 mailbox wil lsend a message using the Send As permissions (that permission was enabled prior to this Tutorial).
Now that we enabled the audit on one of our mailboxes, we can take advantage of the built-in reports located under compliance management. Our first test is going to be using the option Run a non-owner mailbox access report…
In the new wizard we need to define a time range and we will be chosen All non-owners and then hit Search. In the list we will see an entry and when we click on it more details will be listed on the right side. Looking at the details, we can see that we have the Send As privilege used by the mailbox tor11 (we have even the subject of the message and that helps a lot).
Defining the audit level and retention…
Now that we tested the functionality, we can define how many days we will keep the Audit logging information and what kind of events we will be recording. We can get all that information using the following cmdlet:
Get-Mailbox tor10 | select Audit*
We can use the Set-Mailbox cmdlet to change the attributes.
Exporting the Audit logs…
Another option available for the Exchange Administrator is the ability to export the Audit information, and we can do that by clicking on Export mailbox audit logs (located on compliance management/Auditing).
The wizard has the same options that we used before however the output now is different, we need to select a mailbox that will receive the report, after defining the time range, access type, and the recipient, click on Export.
The result will be an XML file on the recipient defined (by default XML will not show up as attachment when using Outlook Web App).
In this Tutorial we went over some of the key features to manage mailbox Audit in Exchange Server 2013.