Exchange Administrator Audit Logging
Exchange has an administrator audit log function that provides flexible and comprehensive
logging of all changes to configuration, policy, and access control settings of
the Exchange environment. In Exchange, all configuration changes (including those
performed in the Exchange Management Console or the web-based Exchange Control Panel)
are executed as PowerShell commands.
This fact creates a convenient "choke point" at
which all administrative actions can be audited. The information in the
administrator audit log therefore records the cmdlets executed and their parameters, as well
as who performed the action, when it was performed, and its result.
With the Exchange administrator audit log you can detect:
- Exports of mailboxes
- Copies of entire mailbox databases
- Security configuration changes to Exchange
- Access control changes to groups, roles, and permissions
- Modifications to Exchange policies involving retention, mobile device policy, information rights management, federation, and more
However, the administrator audit log is inaccessible to SIEM via normal log-collection
means because the log is not written to any type of log file or to the Windows event
log. The administrator audit log is
stored internally, inside a special audit mailbox.
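Because the log lives in the audit mailbox rather than in a file or the event log, the supported way to read it without a product like LOGbinder is the Exchange Management Shell. The snippet below is an added example, not LOGbinder's code or part of the original page: it verifies that administrator audit logging is enabled, queries the audit mailbox with Search-AdminAuditLog for the detection categories listed above (mailbox exports, database copies, permission and role changes, policy edits), and writes the results to a CSV that a file-based SIEM collector can pick up. The cmdlet watchlist is a constructed selection, and the output path is a placeholder; it assumes you run it from the Exchange Management Shell with the RBAC rights needed to search the audit log.

```powershell
# Added example (not LOGbinder's code): read the administrator audit log from its
# audit mailbox and export a SIEM-friendly CSV.
# Assumes the Exchange Management Shell and rights to run Search-AdminAuditLog.

# 1. Confirm administrator audit logging is on before trusting an empty result.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.AdminAuditLogEnabled) {
    throw "Administrator audit logging is disabled; enable it with: Set-AdminAuditLogConfig -AdminAuditLogEnabled `$true"
}

# 2. Constructed watchlist matching the detection categories on this page.
$watchlist = @(
    'New-MailboxExportRequest',      # exports of mailboxes
    'Add-MailboxDatabaseCopy',       # copies of entire mailbox databases
    'Add-MailboxPermission',         # access control changes on mailboxes
    'Add-RoleGroupMember',           # role group membership changes
    'New-ManagementRoleAssignment',  # RBAC role assignment changes
    'Set-RetentionPolicy',           # retention policy modifications
    'Set-ActiveSyncMailboxPolicy'    # mobile device policy modifications
)

# 3. Query the audit mailbox for the last 24 hours of matching cmdlets.
#    The default ResultSize is 1000; raise it so busy environments are not truncated.
$entries = Search-AdminAuditLog -Cmdlets $watchlist `
                                -StartDate (Get-Date).AddDays(-1) `
                                -EndDate (Get-Date) `
                                -ResultSize 5000

# 4. Flatten each entry to one row: who ran what, on which object, with which
#    parameters, and whether it succeeded. Select-Object keeps this PowerShell 2.0
#    compatible for older Exchange Management Shells.
$rows = $entries | Select-Object RunDate, Caller, Cmdlet, ObjectModified,
    @{ Name = 'Parameters'
       Expression = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';' } },
    Succeeded, Error, OriginatingServer

# 5. Write a timestamped CSV into a folder the SIEM collector watches (placeholder path).
$outDir = 'C:\AuditExport'
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
$outFile = Join-Path $outDir ("exchange-admin-audit-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
$rows | Export-Csv -Path $outFile -NoTypeInformation

"Exported $($rows.Count) audit entries to $outFile"
```

Schedule this with a short overlap between runs (for example, a 25-hour window every 24 hours) so entries are not lost if a run is delayed; dedupe in the SIEM on RunDate, Caller, Cmdlet and ObjectModified. Keep the watchlist narrow enough to review, and extend it when you add new detection categories.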
As in the case of mailbox auditing, this is where LOGbinder for Exchange™ comes in. Using
Exchange’s management API, LOGbinder for Exchange collects the hidden administrator audit
log files from its internal special mailbox, parses the log data, and formats it
into more than 400 easy-to-read messages delivered to your SIEM.
More information on Exchange Administrator Audit Logging