Exchange Administrator Audit Logging

Exchange has an administrator audit log function that provides flexible and comprehensive logging of all changes to configuration, policy, and access control settings of the Exchange environment. In Exchange, all configuration changes (including those performed in the Exchange Management Console or the web-based Exchange Control Panel) are executed as PowerShell commands.

This fact creates a convenient "choke-point" at which all administrative actions can be audited. Therefore the information in the administrator audit log reflects the cmdlets executed and their parameters as well who performed the action, when and its result.

With the Exchange administrator audit log you can detect:

  • Exports of mailboxes
  • Copies of entire mailbox databases
  • Security configuration changes to Exchange
  • Access control changes to groups, roles, and permissions
  • Modifications to Exchange policies involving retention, mobile device policy, information rights management, federation, and more

However, the administrator audit log is inaccessible to SIEM via normal log-collection means because the log is not written to any type of log file or to the Windows event log. The administrator audit log is stored internally, inside a special audit mailbox.

As in the case of mailbox auditing, this is where LOGbinder for Exchange™ comes in. Using Exchange’s management API, LOGbinder for Exchange collects the hidden administrator audit log files from its internal special mailbox, parses the log data, and formats it into more than 400 easy-to-read messages delivered to your SIEM.

More information on Exchange Administrator Audit Logging


Additional Resources