Michiel van den Broek
Iron Contributor, Oct 30, 2018
Audit is on, but don't see log entries for several users (investigate disappearing calendar items)
This is in an Office 365 tenant that I didn't manage from the start, so it's unclear what has been turned on and off regarding auditing.
The case: A user's calendar items disappear after several weeks (like after 47 days). He doesn't delete them, so we are looking for something that is doing it (an app, a setting, etc.). I'm not familiar with Office 365 / Exchange doing a calendar cleanup or something by default, so it has to be something he installed?
So, to start my investigation I thought about looking in the audit logs. But I don't see any log entries for this user (and also not what I expect with other users).
The PowerShell results below are the same for every user:
Get-Mailbox -Identity user@domain.com | Format-List Audit* gives me this result:
AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
AuditDelegate : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditOwner : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditOwner
Update
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation
Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditDelegate
Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
FolderBind
SendAs
SendOnBehalf
Create
UpdateFolderPermissions
When I do a wide search for all users, I see mostly MailboxLogins (1 info@ mailbox every few minutes). Doing the same for single users, I only see MailboxLogins but 1 or 2 per day.
Example: doing a search for Create entries, I only see those for 1 user in the organisation. This same user also has SoftDelete entries.
For this specific user with disappearing calendar items I only see 1 entry in the last 3 weeks: MailboxLogin. Nothing more.
I'm added to the Compliance Management admin group in Exchange.
Questions:
1. Are auditing settings correct (I guess not)?
2. What could be a cause that I'm not seeing any create, soft/hard delete actions, etc.?
3. How do I reset auditing to the best settings for normal use (Best Practice)?
4. How do I add extra auditing to troubleshoot this specific user?
- Please make sure the link below is set!
Step 2: Configure Outlook Web App to allow XML attachments
https://docs.microsoft.com/en-us/exchange/security-and-compliance/exchange-auditing-reports/export-mailbox-audit-logs
If it's happening for a preset timespan, it's most likely a retention policy; have you checked for such?
- Michiel van den Broek, Iron Contributor
It looks like a preset time span, but not a logical one like 1 month, 3 months or 1 year. More like 7 weeks.
They have a Business Premium license, so retention policies are not available. They never had anything else.
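
One way to script the investigation asked about in question 4 of the opening post, as an added example that is not part of any post in this thread: turn on owner auditing for the actions that can remove a calendar item, pull the detailed audit records, and group them by logon type and client to see what is doing the deleting. The function names, the `*Calendar*` folder pattern (an English-language mailbox is assumed) and the sample records are constructed for illustration; the two cmdlet-based functions need an Exchange Online PowerShell session.

```powershell
# Added example, not code from the thread. Function names are hypothetical.
$DeleteOps = 'Move', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'

function Enable-DeletionAudit {
    param([Parameter(Mandatory)][string]$Mailbox)
    # Owner actions are only logged if listed in AuditOwner; Move is not in the
    # list shown in the post. Only actions after this change are recorded.
    Set-Mailbox -Identity $Mailbox -AuditEnabled $true -AuditOwner @{Add = $DeleteOps}
}

function Get-DeletionRecord {
    param([Parameter(Mandatory)][string]$Mailbox, [int]$Days = 60)
    # -ShowDetails returns one record per action, including client and folder.
    Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner, Delegate, Admin `
        -ShowDetails -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -ResultSize 5000 | Where-Object { $_.Operation -in $DeleteOps }
}

function Get-DeletionSummary {
    param([object[]]$Records, [string]$FolderPattern = '*Calendar*')
    # Assumption: the folder name shows up in one of these two record fields.
    $Records |
        Where-Object { $_.FolderPathName -like $FolderPattern -or
                       $_.SourceItemFolderPathNamesList -like $FolderPattern } |
        Group-Object LogonType, ClientInfoString, Operation |
        Sort-Object Count -Descending |
        ForEach-Object {
            $times = @($_.Group.LastAccessed | Sort-Object)
            [pscustomobject]@{ Count = $_.Count; Who = $_.Name
                               First = $times[0]; Last = $times[-1] }
        }
}

# Constructed sample records (not real tenant data) so the summary runs offline.
$sample = @(
    [pscustomobject]@{ Operation = 'SoftDelete'; LogonType = 'Owner'; FolderPathName = '\Calendar'
        ClientInfoString = 'Client=ActiveSync'; LastAccessed = [datetime]'2018-10-01' }
    [pscustomobject]@{ Operation = 'SoftDelete'; LogonType = 'Owner'; FolderPathName = '\Calendar'
        ClientInfoString = 'Client=ActiveSync'; LastAccessed = [datetime]'2018-10-08' }
    [pscustomobject]@{ Operation = 'HardDelete'; LogonType = 'Delegate'; FolderPathName = '\Calendar'
        ClientInfoString = 'Client=MSExchangeRPC'; LastAccessed = [datetime]'2018-10-05' }
    [pscustomobject]@{ Operation = 'MoveToDeletedItems'; LogonType = 'Owner'; FolderPathName = '\Inbox'
        ClientInfoString = 'Client=OWA'; LastAccessed = [datetime]'2018-10-03' }
)
Get-DeletionSummary -Records $sample | Format-Table -AutoSize
# Live use: Get-DeletionSummary -Records (Get-DeletionRecord -Mailbox 'user@domain.com')
```

A client string that accounts for most calendar deletions points at the device or application to examine; an empty result after auditing has been enabled for a while suggests the items are not being removed by a logged owner, delegate or admin action.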