Audit is on, but don't see log entry's for several users (investigate disapearing calendar items)

Highlighted
Frequent Contributor

This is in an Office 365 tenant that I didn't manage from the start, so it's unclear what has been turned on and of regarding auditing.

 

The case: A user's calendar items disappear after several weeks (like after 47 days). He doesn't delete them, so we are looking for something that is doing it (an app, a setting, etc.). I'm not familiar with Office 365 / Exchange doing a calendar cleanup or something by default, so it has to be something he installed?

 

So, to start my investigation I thought about looking in the audit logs. But I don't see any log entries for this user (and also not what I expect with other users).

 

The Powershell results below are the same for every user: 

 

Get-Mailbox -Identity user@domain.com | Format-List Audit* gives me this result:

AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
AuditDelegate    : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditOwner       : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}

 

Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditOwner

Update
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation

 

Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditDelegate

Update
Move
MoveToDeletedItems
SoftDelete
HardDelete
FolderBind
SendAs
SendOnBehalf
Create
UpdateFolderPermissions

 

Get-Mailbox -Identity user@domain.com | Select -ExpandProperty AuditOwner

Update
MoveToDeletedItems
SoftDelete
HardDelete
Create
MailboxLogin
UpdateFolderPermissions
UpdateInboxRules
UpdateCalendarDelegation

 

When I do a wide search for all users, I see mostly MailboxLogins (1 info@ mailbox every few minutes). Doing the same for single users, I only see MailboxLogins but 1 or 2 per day.

 

Example: doing a search for Create entry's, I only see those for 1 user in the organisation. This same user also has SoftDelete entry's. 

 

For this specific user with disappearing calendar items I only see 1 entry in the last 3 weeks: MailboxLogin. Nothing more.

 

I'm added to the Compliance Management admin group in Exchange.

 

Questions:

1. Are auditing settings correct (I guess not)?

2. What could be a cause that I'm not seeing any create, soft/hard delete actions, etc.?

3. How do I reset auditing to the best settings for normal use (Best Practice)?

4. How do I add extra auditing to troubleshoot this specific user?

 

 

3 Replies
Highlighted

 If it's happening for a preset timespan, it's most likely a retention policy, have you checked for such?

Highlighted
It looks like a preset time span, but not a logical one like 1 month, 3 months or 1 year. More like 7 weeks.

They have a Business Premium license, so retention policy's are not available. They never had anything else.
Highlighted