How to Configure Exchange Administrator Auditing
In Exchange, all administrative, configuration and policy operations are ultimately
performed via PowerShell cmdlets. This is true whether the administrator is using
PowerShell directly or interacting with a GUI management console or the web-based
Exchange Control Panel.
This fact creates a convenient "choke-point" at which all administrative actions
can be audited. It also makes it easy to define which operations should be audited:
you specify which cmdlets to audit, and you can further filter which calls
to those cmdlets are audited based on which parameters are used. You can even specify
wildcards in both cmdlet names and parameter names. You can also list cmdlets
that should be excluded from auditing.
All of these audit specifications and more are configured with the
Set-AdminAuditLogConfig cmdlet. In the example below, I'm enabling auditing for
all cmdlets except those with "TransportRule" and "Mailbox" in the name.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters * -AdminAuditLogExcludedCmdlets *Mailbox*, *TransportRule*
The Set-AdminAuditLogConfig cmdlet also turns auditing on or off with the
-AdminAuditLogEnabled parameter you see above. You control the age limit of
retained audit entries with the -AdminAuditLogAgeLimit parameter, which is
explained in Purging and Archival.
The -LogLevel parameter, when set to Verbose, includes the ModifiedProperties (old and
new) and ModifiedObjectResolvedName properties in the log entries. Exchange includes
a number of test versions of cmdlets. Normally test cmdlets are not audited, but you
can change that by setting the -TestCmdletLoggingEnabled parameter to $true.
To execute this command you need to be a member of the Organization Management and Records Management roles.
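To see what a given set of include, parameter and exclude patterns actually covers, the following added example (not part of the original article) predicts which cmdlet calls would be logged under the configuration from the example command earlier on this page. The function names, the sample calls and the matching model (PowerShell's -like wildcard matching, with exclusions winning over inclusions) are assumptions made for illustration.

```powershell
# Added example: predicts which cmdlet calls an admin audit configuration would log.
# Assumed model: a call is logged when auditing is enabled, the cmdlet name matches
# an AdminAuditLogCmdlets pattern, at least one parameter used matches an
# AdminAuditLogParameters pattern, and no AdminAuditLogExcludedCmdlets pattern matches.

# Hypothetical helper: true if $Value matches any wildcard pattern in $Patterns.
function Test-PatternMatch {
    param([string]$Value, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Value -like $p) { return $true } }
    return $false
}

# Hypothetical helper: applies the assumed model to one cmdlet call.
function Test-WouldBeAudited {
    param(
        [Parameter(Mandatory)] $Config,   # object shaped like Get-AdminAuditLogConfig output
        [Parameter(Mandatory)] [string]$Cmdlet,
        [string[]]$Parameters = @()
    )
    if (-not $Config.AdminAuditLogEnabled) { return $false }
    if (Test-PatternMatch $Cmdlet $Config.AdminAuditLogExcludedCmdlets) { return $false }
    if (-not (Test-PatternMatch $Cmdlet $Config.AdminAuditLogCmdlets)) { return $false }
    foreach ($name in $Parameters) {
        if (Test-PatternMatch $name $Config.AdminAuditLogParameters) { return $true }
    }
    return $false
}

# Constructed stand-in for the configuration set by the example command.
# On an Exchange server, use instead: $config = Get-AdminAuditLogConfig
$config = [pscustomobject]@{
    AdminAuditLogEnabled         = $true
    AdminAuditLogCmdlets         = @('*')
    AdminAuditLogParameters      = @('*')
    AdminAuditLogExcludedCmdlets = @('*Mailbox*', '*TransportRule*')
}

# Constructed sample calls: cmdlet name plus the parameters used.
$calls = @(
    @{ Cmdlet = 'New-TransportRule';            Parameters = 'Name', 'Priority' }
    @{ Cmdlet = 'Add-MailboxPermission';        Parameters = 'Identity', 'User', 'AccessRights' }
    @{ Cmdlet = 'New-ManagementRoleAssignment'; Parameters = 'Role', 'User' }
    @{ Cmdlet = 'Set-AdminAuditLogConfig';      Parameters = 'AdminAuditLogEnabled' }
)

foreach ($c in $calls) {
    [pscustomobject]@{
        Cmdlet  = $c.Cmdlet
        Audited = Test-WouldBeAudited -Config $config -Cmdlet $c.Cmdlet -Parameters $c.Parameters
    }
}
```

Under these patterns the transport rule and mailbox permission calls fall outside the audit log, so the excluded-cmdlets list deserves the same review as the included list.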