Forum Discussion
Jacob Airov
Feb 02, 2018, Copper Contributor
Auditing an O365 shared mailbox
I have turned on auditing on an Office 365 shared mailbox, but when I do a search of the audit logs I get zero results.
I've expanded from the standard auditing and added the parameters "harddelete, softdelete, movetodeleteditems", etc. I put those parameters under all 3 categories: auditadmin, auditdelegate, and auditowner.
We had someone say an email disappeared again today, but I get no results when I searched the logs.
I even verified that auditing was turned on by doing a 'get-mailbox' which shows it on.
Anything I am doing wrong?
- CostinRO, Copper Contributor
Hi Jacob,
Please try running the PS script below; it is working for me.
Search-MailboxAuditLog -Identity "email address of mailbox/SM" -LogonTypes Admin,Delegate,Owner -StartDate 11/17/2019 -EndDate 11/28/2019 -ShowDetails | Select-Object Operation, OperationResult, LogonType, LogonUserDisplayName, SourceItemSubjectsList, ItemSubject, SourceItemFolderPathNamesList, LastAccessed, InternalLogonType, MailboxOwnerUPN, ClientIPAddress, ClientProcessName, ClientInfoString, ClientVersion | Export-Csv .\Desktop\Auditlog.csv -Encoding Unicode
Hope it helps.
Costin
- Aziz Hamid, Copper Contributor
Auditing works for both types of customers: business as well as regular ones. Thus, the shared mailboxes are also subject to the same audit mechanisms. Audit will not be enabled by default in any of the mailboxes; it needs to be activated manually.
You can try two options:
1. To view log entries for a specific action, performed by a user of a selected type (owner, delegate or administrator) in a given timespan, run the following PowerShell command:
Search-MailboxAuditLog -Identity [user or shared mailbox name] -LogonTypes Owner -ShowDetails -StartDate [start date: d/m/y] -EndDate [end date: d/m/y] | Where-Object {$_.Operation -eq "[action name]"}
2. You can also search the Exchange mailbox audit logs through the Exchange Control Panel (ECP). Once you start ECP, go to compliance management > auditing.
You can also generate the report for actions performed on one or more shared mailboxes: click "Run a non-owner mailbox access report..."
- Robert Luck, Iron Contributor
From my experience, the auditing configurations are not affected immediately. It will take some time to start monitoring the configured audit actions.
- Jacob Airov, Copper Contributor
Do you know, or is there documentation on how fast these turn on?
I did these commands days ago and the incident that I wanted to catch in a log happened today.
- Rob Wilcox, Copper Contributor
Hi Jacob,
It can take a while...
https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c#PickTab=BYB
Thanks
Rob
It depends on the action performed. What method are you using to check the logs, if PowerShell, share the exact cmdlets just to double-check.
- Jacob Airov, Copper Contributor
I started with:
set-mailbox -identity "name" -auditenabled $true
Then I specified actions with:
set-mailbox "name" -auditdelegate @{add="softdelete", "harddelete"}
Afterwards I checked with:
get-mailbox "name" | FL Audit*
- Pablo R. Ortiz, Steel Contributor
Following VasilMichev's reply, please perform a search using the Search-MailboxAuditLog cmdlet
https://technet.microsoft.com/en-us/library/ff522360(v=exchg.160).aspx
Also, you can try searching audit logs in Security and Compliance center, or by running Search-UnifiedAuditLog cmdlet
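
The enable, verify and search steps from the replies above, combined into one PowerShell script as an added example (not code posted by any participant in this thread). It assumes an already connected Exchange Online PowerShell session and that unified audit logging is turned on for the tenant; the mailbox address and the seven-day window are placeholders.

```powershell
# Added example: audit delete-type actions on a shared mailbox end to end.
# Assumption: $Mailbox is the shared mailbox's primary address / UPN (placeholder).
$Mailbox = 'shared@example.com'
$Actions = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'
$Start   = (Get-Date).AddDays(-7)
$End     = Get-Date

# 1. Enable auditing and add the actions for ALL three logon types.
#    Setting only -AuditDelegate leaves owner and admin deletions unlogged.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner    @{Add = $Actions} `
    -AuditDelegate @{Add = $Actions} `
    -AuditAdmin    @{Add = $Actions}

# 2. Verify each logon type explicitly rather than reading "FL Audit*" by eye.
$mbx = Get-Mailbox -Identity $Mailbox
if (-not $mbx.AuditEnabled) { Write-Warning "AuditEnabled is False on $Mailbox" }
foreach ($type in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
    $configured = @($mbx.$type | ForEach-Object { "$_" })
    $missing    = $Actions | Where-Object { $configured -notcontains $_ }
    if ($missing) { Write-Warning "$type is missing: $($missing -join ', ')" }
}

# 3. Search the mailbox audit log across all logon types, then filter by action.
$hits = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner, Delegate, Admin `
            -StartDate $Start -EndDate $End -ShowDetails -ResultSize 5000 |
        Where-Object { $Actions -contains $_.Operation }

$hits | Sort-Object LastAccessed |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
                  SourceItemSubjectsList, SourceItemFolderPathNamesList, ClientIPAddress |
    Format-Table -AutoSize
'{0} mailbox-audit events found for {1}' -f @($hits).Count, $Mailbox

# 4. Cross-check in the unified audit log. AuditData is a JSON string, so parse it
#    and keep only records whose MailboxOwnerUPN matches the shared mailbox.
$unified = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
               -Operations $Actions -ResultSize 5000 |
           ForEach-Object { $_.AuditData | ConvertFrom-Json } |
           Where-Object { $_.MailboxOwnerUPN -eq $Mailbox }

$unified | Select-Object CreationTime, Operation, UserId, LogonType, ClientIPAddress |
    Format-Table -AutoSize
'{0} unified-audit events found for {1}' -f @($unified).Count, $Mailbox
```

Only actions performed after step 1 has taken effect are recorded, so an empty result for an earlier incident does not show that nothing was deleted.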