Forum Discussion
Audit is on, but don't see log entries for several users (investigate disappearing calendar items)
This is in an Office 365 tenant that I didn't manage from the start, so it's unclear what has been turned on and off regarding auditing.
The case: A user's calendar items disappear after several weeks (like after 47 days). He doesn't delete them, so we are looking for something that is doing it (an app, a setting, etc.). I'm not familiar with Office 365 / Exchange doing a calendar cleanup or something by default, so it has to be something he installed?
So, to start my investigation I thought about looking in the audit logs. But I don't see any log entries for this user (and also not what I expect with other users).
The PowerShell results below are the same for every user:
Get-Mailbox -Identity user@domain.com | Format-List Audit* gives me this result:
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditOwner : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditOwner
Update
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation
Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditDelegate
Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
FolderBind
SendAs
SendOnBehalf
Create
UpdateFolderPermissions
Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditOwner
Update
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation
When I do a wide search for all users, I see mostly MailboxLogins (1 info@ mailbox every few minutes). Doing the same for single users, I only see MailboxLogins but 1 or 2 per day.
Example: doing a search for Create entries, I only see those for 1 user in the organisation. This same user also has SoftDelete entries.
For this specific user with disappearing calendar items I only see 1 entry in the last 3 weeks: MailboxLogin. Nothing more.
I'm added to the Compliance Management admin group in Exchange.
Questions:
1. Are auditing settings correct (I guess not)?
2. What could be a cause that I'm not seeing any create, soft/hard delete actions, etc.?
3. How do I reset auditing to the best settings for normal use (Best Practice)?
4. How do I add extra auditing to troubleshoot this specific user?
3 Replies
- Please make sure the link below is set!
Step 2: Configure Outlook Web App to allow XML attachments
https://docs.microsoft.com/en-us/exchange/security-and-compliance/exchange-auditing-reports/export-mailbox-audit-logs
If it's happening for a preset timespan, it's most likely a retention policy, have you checked for such?
- Michiel van den Broek (Iron Contributor)
It looks like a preset time span, but not a logical one like 1 month, 3 months or 1 year. More like 7 weeks.
They have a Business Premium license, so retention policies are not available. They never had anything else.
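
A diagnostic pass over the audit settings and log discussed in this thread, as an added example that is not part of any post above. It assumes an already connected Exchange Online PowerShell session and reuses the thread's placeholder address and its three-week window; the result size is an arbitrary choice.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has
# already been run by an account allowed to read audit configuration.
$User  = 'user@domain.com'          # placeholder address, as in the question
$Start = (Get-Date).AddDays(-21)    # the "last 3 weeks" window from the question
$End   = Get-Date

# 1. Organization-wide switch: True means mailbox auditing is off tenant-wide,
#    whatever AuditEnabled says on the individual mailbox.
Get-OrganizationConfig | Format-List AuditDisabled

# 2. Per-mailbox state. DefaultAuditSet names the logon types that still use
#    the service's default action list instead of a customised one.
#    RetentionPolicy shows whether a policy is assigned (first reply's question).
Get-Mailbox -Identity $User |
    Format-List AuditEnabled, DefaultAuditSet, AuditLogAgeLimit, RetentionPolicy

# 3. Accounts with audit bypass enabled generate no mailbox audit records
#    when they touch a mailbox.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object AuditBypassEnabled |
    Format-Table Name, AuditBypassEnabled

# 4. Pull the audited actions on this mailbox for all three logon types.
#    -ShowDetails returns one record per action, including folder and client.
$Entries = Search-MailboxAuditLog -Identity $User -ShowDetails `
    -LogonTypes Owner, Delegate, Admin `
    -StartDate $Start -EndDate $End -ResultSize 5000

# 5. Overview: how many records per operation and logon type.
$Entries |
    Group-Object Operation, LogonType |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 6. Only the actions that remove or relocate items, with the folder they hit
#    and the client string, which identifies the app or protocol that acted.
$Removals = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems', 'Move'
$Entries |
    Where-Object { $_.Operation -in $Removals } |
    Sort-Object LastAccessed |
    Format-Table LastAccessed, Operation, LogonType, LogonUserDisplayName,
                 FolderPathName, ClientInfoString -AutoSize -Wrap
```

If step 6 returns rows for the calendar folder, the ClientInfoString column is the field to compare against the apps and devices the user has connected.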