Manage administrator audit logging (2024)

Article
02/22/2023

Administrator audit logging in Exchange Server enables you to create a log entry each time a specified cmdlet is run. Log entries provide you with information about what cmdlet was run, which parameters were used, who ran the cmdlet, and what objects were affected. For more information about administrator audit logging, see Administrator audit logging in Exchange Server.

What do you need to know before you begin?

Estimated time to complete each procedure: less than 5 minutes
You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Administrator audit logging" entry in the Exchange infrastructure and PowerShell permissions topic.
Admin audit logging relies on Active Directory replication to replicate the configuration settings you specify to the domain controllers in your organization. Depending on your replication settings, the changes you make may not be immediately applied to all Exchange 2016 and Exchange 2019 servers in your organization.
Changes to the audit log configuration are refreshed every 60 minutes on computers that have the Exchange Management Shell open at the time a configuration change is made. If you want to apply the changes immediately, close and then open the Exchange Management Shell again on each computer.
A command may take up to 15 minutes after it's run to appear in audit log search results. This is because audit log entries must be indexed before they can be searched. If a command doesn't appear in the administrator audit log, wait a few minutes and run the search again.

Specify the cmdlets to be audited

By default, audit logging creates a log entry for every cmdlet that's run. If you're enabling audit logging for the first time and want this behavior, you don't have to change the cmdlet audit list. If you've previously specified cmdlets to audit and now want to audit all cmdlets, you can audit all cmdlets by specifying the asterisk (*) wildcard character with the AdminAuditLogCmdlets parameter on the Set-AdminAuditLogConfig cmdlet, as shown in the following command.

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *

You can specify which cmdlets to audit by providing a list of cmdlets using the AdminAuditLogCmdlets parameter. When you provide the list of cmdlets to audit, you can provide single cmdlets, cmdlets with the asterisk (*) wildcard characters, or a mix of both. Each entry in the list is separated by commas. The following values are all valid:

Specify the parameters to be audited

By default, audit logging creates a log entry for every cmdlet that's run, regardless of the parameters specified. If you're enabling audit logging for the first time and want this behavior, you don't have to change the parameter audit list. If you've previously specified parameters to audit and now want to audit all parameters, you can do so by specifying the asterisk (*) wildcard character with the AdminAuditLogParameters parameter on the Set-AdminAuditLogConfig cmdlet, as shown in the following command.

Set-AdminAuditLogConfig -AdminAuditLogParameters *

You can specify which parameters you want to audit by using the AdminAuditLogParameters parameter. When you provide the list of parameters to audit, you can provide single parameters, parameters with the asterisk (*) wildcard characters, or a mix of both. Each entry in the list is separated by commas. The following values are all valid:

Database
*Address*
Custom*
See Also
7.6. Understanding Audit Log Files Red Hat Enterprise Linux 6 | Red Hat Customer Portal
*Region

Note

For an audit log entry to be created when a command is run, the command must include at least one or more parameters that exist on at least one or more cmdlets specified with the AdminAuditLogCmdlets parameter.

This example audits the parameters specified in the preceding list.

Set-AdminAuditLogConfig -AdminAuditLogParameters Database, *Address*, Custom*, *Region

For detailed syntax and parameter information, see Set-AdminAuditLogConfig.

Specify the admin audit log age limit

The audit log age limit determines how long audit log entries will be retained. When a log entry exceeds the age limit, it's deleted. The default is 90 days.

You can specifiy the age limit in days. Or you can specify the number of days, hours, minutes, and seconds that audit log entries should be kept. To specify a value more specific than days, use the format dd.hh.mm:ss where the following applies:

dd: Number of days to keep the audit log entry
hh: Number of hours to keep the audit log entry
mm: Number of minutes to keep the audit log entry
ss: Number of seconds to keep the audit log entry

Caution

You can set the audit log age limit to a value that's less than the current age limit. If you do this, any audit log entry whose age exceeds the new age limit will be deleted. > If you set the age limit to 0, Exchange deletes all the entries in the audit log. > We recommend that you assign permissions to configure the audit log age limit only to highly trusted users.

This example specifies an age limit of two years and six months.

Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 913

For detailed syntax and parameter information, see Set-AdminAuditLogConfig.

Enable or disable logging of Test cmdlets

Cmdlets that start with the verb Test aren't logged by default. This is because Test cmdlets can generate a significant amount of data in a short time. Only enable the logging of Test cmdlets for short periods of time.

This command enables the logging of Test cmdlets.

Set-AdminAuditLogConfig -TestCmdletLoggingEnabled $true

This command disables the logging of Test cmdlets.

Set-AdminAuditLogConfig -TestCmdletLoggingEnabled $false

For detailed syntax and parameter information, see Set-AdminAuditLogConfig.

Disable admin audit logging

To disable admin audit logging, use the following command.

Set-AdminAuditLogConfig -AdminAuditLogEnabled $false

Enable admin audit logging

To enable admin audit logging, use the following command.

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

View admin audit logging settings

To view the admin audit logging settings that you've configured for your organization, use the following command.

Get-AdminAuditLogConfig

Manage administrator audit logging (2024)

FAQs

What is administrator audit logging? ›

Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management (IAM) permissions.

Read On ›

What is an audit log management process? ›

Audit logging is the process of documenting activity within the software systems used across your organization. Audit logs record the occurrence of an event, the time at which it occurred, the responsible user or service, and the impacted entity.

Discover More Details ›

What is the purpose of audit logging? ›

What is the Purpose of an Audit Trail and Logging? Audit trails (or audit logs) act as record-keepers that document evidence of certain events, procedures or operations, so their purpose is to reduce fraud, material errors, and unauthorized use. Even your grocery store receipt is an example of a logged audit trail.

What are the examples of audit log? ›

Examples of events that should be audit logged are as follows: application specific user activities, exceptions, information security events (successful and rejected events), use of privileges, log-on failed-attempts & successes, log-off, data accessed, data attempted to be accessed, administrative configuration ...

See Details ›

What is the best practice for storing audit logs? ›

As a general rule, storage of audit logs should include 90 days “hot” (meaning you can actively search/report on them with your tools) and 365 days “cold” (meaning log data you have backed up or archived for long-term storage). Store logs in an encrypted format. See our post on Encryption Policies for more information.

Find Out More ›

What are the two types of audit logs? ›

There are typically two kinds of audit records, (1) an event-oriented log and (2) a record of every keystroke, often called keystroke monitoring. Event-based logs usually contain records describing system events, application events, or user events.

Tell Me More ›

Is auditing same as logging? ›

An audit trail offers a detailed record of user actions and system changes for compliance and accountability, while log files focus on monitoring system health and troubleshooting. Both are indispensable in today's digital landscape, ensuring data integrity and system reliability.

Show Me More ›

What is audit management process? ›

Audit management is a quintessential process to ensure that all audit directives are correctly implemented and executed. It encourages any organization to: Improve audit plans. Track and manage audit findings. Boost audit efficiency and cut costs.

Explore More ›

How long should audit logs be kept? ›

For example, you may keep audit logs and firewall logs for two months. However, if your organization must follow strict laws and regulations, you may keep the most critical logs anywhere between six months and seven years. This timeframe is the log retention period.

What is another name for audit log? ›

An audit log, often called an audit trail or audit history, is a chronological record of events, actions and changes within a computer system, software application, network or organization.

Show Me More ›

How do you protect audit logs? ›

By encrypting your audit records, only users with access to the encrypting certificate will be able to view the audit logs. Audit logs can be signed to ensure the integrity of your audit data. By signing your audit records, modifications of the audit logs can be traced.

Read The Full Story ›

What is an audit administrator? ›

Responsible for managing staff and assisting in the administration of the Audit Department.

See Details ›

What does it mean to be logged in as an administrator? ›

An administrator is someone who can make changes on a computer that will affect other users of the computer. Administrators can change security settings, install software and hardware, access all files on the computer, and make changes to other user accounts.

Get More Info Here ›

What are administrative logs? ›

Admin logs are generated for administration activities that occur at the level of integration nodes, managed integration servers, and independent integration servers. At the integration node level, the admin log contains information about events such as starting and stopping integration servers.

What is the admin audit log in umbrella? ›

The Admin Audit log records changes that have been made by your administrative team in your organization's Umbrella settings. Logs appear when change events occur in the dashboard, such as adding a user or modifying a policy. You can access data in 90-day increments.