How To Use Mailbox Audit Logging in Exchange Server 2013?

Anuraag Singh | Modified: September 1, 2016 | Exchange Server 2013, General Info | 5 Minutes Reading

In this article we discuss how to use mailbox audit logging in Exchange Server 2013. Many organizations are serious about data security and want control over the information stored in mailboxes. Microsoft has provided this feature, called Mailbox Audit Logging, since the launch of Exchange Server 2010. It allows tracking of the actions that users perform on a user's mailbox and on a shared mailbox. It also records the user's computer IP address and name.
With this feature, Exchange Server 2013 can log access to a mailbox by owners, delegates and administrators.

Working Of Mailbox Audit Logging in Exchange Server 2013

When mailbox audit logging is enabled for a mailbox, the audit log entries are stored in the Recoverable Items folder of that mailbox. These audit log entries are not visible to the mailbox user in Outlook or any other email client.
Exchange Server 2013 has the following default configuration for mailbox audit logging:

  1. The Mailbox Audit Logging is disabled.
  2. The audit log entries are kept for 90 days.
  3. Owner actions are not logged in the entries.
  4. Only delegate and administrators actions are logged.

In Exchange Server 2013, the default mailbox audit logging configuration looks like this:
[PS] C:\>Get-Mailbox alan.reid | fl *audit*
AuditEnabled : False
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner : {}
Note: The AuditAdmin settings refer to access through methods such as eDiscovery searches, mailbox import/export operations, or tools such as MFCMAPI. If an administrator is granted permission to a mailbox and then accesses it, those actions are logged according to the AuditDelegate settings.

How To Enable or Disable Mailbox Audit Logging in Exchange Server 2013?

Mailbox audit logging may be wanted only for some mailboxes in the organization. It can be enabled for a single mailbox with the Set-Mailbox cmdlet.
It is executed like this:
[PS] C:\>Set-Mailbox alan.reid -AuditEnabled $true
To disable audit logging, change the value from $true to $false.
Some users want to enable audit logging for all mailboxes. This can be done by piping a Get-Mailbox query into Set-Mailbox.
It is executed like this:
[PS] C:\>Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled:$true
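The one-time pipeline above only covers mailboxes that exist when it runs, and the default AuditOwner list is empty. The following is an added example, not the article's own code: it enables auditing only where it is still disabled, also logs a few owner actions (the chosen list and the `$apply` switch are assumptions), and reports what remains disabled so it can be rerun as new mailboxes are created.

```powershell
# Added example: run in the Exchange Management Shell.
# Assumption: these owner actions are the ones your policy wants logged.
$ownerActions = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems'
$apply = $false   # $false previews the changes (-WhatIf); $true applies them

# Mailboxes that still have auditing disabled (the Exchange 2013 default).
$targets = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled })
Write-Host ("{0} mailbox(es) have auditing disabled" -f $targets.Count)

$failed = @()
foreach ($mbx in $targets) {
    try {
        # DistinguishedName is used as an unambiguous identity.
        Set-Mailbox -Identity $mbx.DistinguishedName -AuditEnabled $true `
            -AuditOwner $ownerActions -WhatIf:(-not $apply) -ErrorAction Stop
    } catch {
        $failed += [pscustomobject]@{
            Mailbox = $mbx.Name
            Error   = $_.Exception.Message
        }
    }
}

# Re-read the settings instead of trusting the loop: anything listed here
# is still unaudited (expected while $apply is $false).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit, AuditOwner

# Mailboxes where Set-Mailbox raised an error.
$failed | Format-Table -AutoSize
```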

How To Search Mailbox Audit Log?

The following methods can be used to search for Mailbox Audit Log:

#1 Search for Single Mailbox Synchronously

In this method the user can use the Search-MailboxAuditLog cmdlet to synchronously search the audit log entries of a single mailbox.

#2 Search for One or More Mailboxes Asynchronously

In this method the user can create a mailbox audit log search that covers one or more mailboxes asynchronously. The results are then sent to the specified email address. To create the search, use the New-MailboxAuditLogSearch cmdlet.
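Methods #1 and #2 side by side, as an added example that is not part of the original article. The mailbox alan.reid is the one used earlier on this page; the 7-day window, the watched operations, the search name and the recipient address auditor@example.com are assumptions.

```powershell
# Added example: run in the Exchange Management Shell.
# Constructed scenario: review non-owner activity on one mailbox for 7 days.
$end   = Get-Date
$start = $end.AddDays(-7)
$watch = 'HardDelete', 'SendAs', 'SendOnBehalf'   # assumed operations of interest

# Method #1: synchronous search of a single mailbox.
# -ShowDetails returns one object per logged action instead of a summary.
$entries = @(Search-MailboxAuditLog -Identity alan.reid `
    -LogonTypes Admin, Delegate -StartDate $start -EndDate $end `
    -ShowDetails -ResultSize 5000)

# Who did what, from which machine, and to which item.
$entries |
    Where-Object { $watch -contains $_.Operation } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, Operation, OperationResult, LogonType,
        LogonUserDisplayName, ClientIPAddress, ClientMachineName,
        FolderPathName, ItemSubject |
    Format-Table -AutoSize

# Volume per user / source address / operation, to spot unusual accessors.
$entries |
    Group-Object LogonUserDisplayName, ClientIPAddress, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Method #2: asynchronous search; Exchange mails the result to the recipient.
# The search name and recipient address below are placeholders.
New-MailboxAuditLogSearch -Name 'Non-owner access review' `
    -Mailboxes alan.reid -LogonTypes Admin, Delegate `
    -StartDate $start -EndDate $end -ShowDetails `
    -StatusMailRecipients auditor@example.com
```

The synchronous search returns nothing for periods when AuditEnabled was False, because no entries were written then.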

#3 Use Of Auditing Report in Exchange Admin Center (EAC)

In the EAC, use the auditing tab to run the non-owner mailbox access report or to export the non-owner entries from the mailbox audit log in Exchange Server 2013.

Types Of Actions Logged in Mailbox Audit

  1. Copy: An item is copied to another folder – It is available to administrator and delegate.
  2. Create: An item is created in a folder (also when an email is sent or received) – It is available to administrator, delegate and owner.
  3. FolderBind: A folder is accessed – It is only available to administrator and delegate.
  4. HardDelete: An item is deleted permanently – It is available to administrator, delegate and owner.
  5. MessageBind: An item is accessed or opened (also in the Reading pane) – It is only available to administrator.
  6. Move: An item is moved to another folder – It is available to administrator, delegate and owner.
  7. MoveToDeletedItems: An item is moved to the Deleted Items folder – It is available to administrator, delegate and owner.
  8. SendAs: A message is sent using Send As permissions – It is available to administrator and delegate.
  9. SendOnBehalf: A message is sent using Send on Behalf permissions – It is available to administrator and delegate.
  10. SoftDelete: An item is deleted from the Deleted Items folder – It is available to administrator, delegate and owner.
  11. Update: The properties of an item are updated – It is available to administrator, delegate and owner.

Conclusion

In this article we discussed mailbox audit logging in Exchange Server 2013 and saw that it gives the administrator the ability to track the actions performed in a mailbox. It is a very helpful feature when multiple users access a shared mailbox. It records what actions are performed on the mailbox and at what time.

Sometimes running commands for mailbox auditing may leave your Exchange mailbox in an unhealthy state. In that situation you can use the Exchange Mailbox Recovery tool for a quick fix of corrupt mailbox items.