Feb 02 2018 10:37 AM - last edited on Feb 06 2023 04:05 AM by TechCommunityAP
I have turned on auditing on an Office 365 shared mailbox, but when I do a search of the audit logs I get zero results.
I've expanded from the standard auditing and added the parameters "harddelete, softdelete, movetodeleteditems", etc. I put those parameters under all 3 categories: auditadmin, auditdelegate, and auditowner.
We had someone say an email disappeared again today, but I get no results when I searched the logs.
I even verified that auditing was turned on by doing a 'get-mailbox' which shows it on.
Anything I am doing wrong?
Feb 02 2018 10:53 AM
It depends on the action performed. What method are you using to check the logs? If PowerShell, share the exact cmdlets just to double-check.
Feb 02 2018 11:18 AM
I started with-
set-mailbox -identity "name" -auditenabled $true
Then I specified actions with-
set-mailbox "name" -auditdelegate @{add="softdelete", "harddelete"}
After, I checked with-
get-mailbox "name" | FL Audit*
Feb 02 2018 11:20 AM
From my experience, the auditing configurations do not take effect immediately. It will take some time to start monitoring the configured audit actions.
Feb 02 2018 11:23 AM
Do you know, or is there documentation on how fast these turn on?
I did these commands days ago and the incident that I wanted to catch in a log happened today.
Feb 02 2018 11:33 AM
Feb 03 2018 09:56 AM
Sorry @Jacob Airov, I mean the actual searching cmdlets.
Feb 03 2018 01:41 PM
Following @Vasil Michev's reply, please perform a search using the Search-MailboxAuditLog cmdlet
https://technet.microsoft.com/en-us/library/ff522360(v=exchg.160).aspx
Also, you can try searching audit logs in Security and Compliance center, or by running Search-UnifiedAuditLog cmdlet
Feb 07 2018 01:37 AM
Feb 07 2018 01:40 AM
I have also tested this a little bit in a lab environment.
If I drag and drop items from my normal mailbox to a shared mailbox, then I see 'create' events:
RecordType   : ExchangeItem
CreationDate : 2/6/2018 3:39:35 PM
UserIds      : rob.wilcox@mydomain
Operations   : Create
AuditData    : {"CreationTime":"2018-02-06T15:39:35","Id":"f3f641a9-ee7d-4512-f346-08d56d77d337","Operation":"Create","OrganizationId":"3d8d2c25-3f01-44c4-8451-55c7edd3d196","RecordType":2,"ResultStatus":"Succeeded","UserKey":"10030000A2078A02","UserType":0,"Version":1,"Workload":"Exchange","UserId":"rob.wilcox@mydomain","ClientIPAddress":"86.138.186.83","ClientInfoString":"Client=MSExchangeRPC","ClientProcessName":"OUTLOOK.EXE","ClientVersion":"15.0.4701.1000","ExternalAccess":false,"InternalLogonType":0,"LogonType":2,"LogonUserSid":"S-1-5-21-3875625135-3762442642-3260609188-6692264","MailboxGuid":"ed664543-080a-4f46-9200-fa00f1f89e81","MailboxOwnerMasterAccountSid":"S-1-5-10","MailboxOwnerSid":"S-1-5-21-3875625135-3762442642-3260609188-8243514","MailboxOwnerUPN":"junk@mydomain","OrganizationName":"mydomain.onmicrosoft.com","OriginatingServer":"LOXP123MB1224 (15.20.0464.016)\u000d\u000a","Item":{"Id":"RgAAAAC4iGPlAX1lSIThCQIAYsbCBwDAuVyFXM\/SQoeCukWN61U0AAAAAAEMAADAuVyFXM\/SQoeCukWN61U0AAB8KSDqAAAJ","ParentFolder":{"Id":"LgAAAAC4iGPlAX1lSIThCQIAYsbCAQDAuVyFXM\/SQoeCukWN61U0AAAAAAEMAAAB","Path":"\\Inbox"},"Subject":"test3"}}
ResultIndex  : 3
ResultCount  : 3
Identity     : f3f641a9-ee7d-4512-f346-08d56d77d337
IsValid      : True
ObjectState  : Unchanged
The subject of the message was 'test3' and the path was indeed 'Inbox'
But when I delete (soft or hard) I don't see those, I don't see them at all.
The query I used is this (though I also tried broader ones as well around this date/time)
search-unifiedauditlog -startdate 02/06/2018 -enddate 02/07/2018 -recordtype 'exchangeitem' -userids 'rob.wilcox@mydomain.com'
Jul 31 2018 04:00 PM
Auditing works for both types of customers: business as well as regular ones. Thus, the shared mailboxes are also subject to the same audit mechanisms. Audit will not be enabled by default in any of the mailboxes; it needs to be activated manually.
You can try two options:
1. To view log entries w.r.t. a specific action, performed by a user of a selected type (owner, delegate or administrator) in a given timespan, run the following PowerShell command:
Search-MailboxAuditLog -Identity [user or shared mailbox name] -LogonTypes Owner -ShowDetails -StartDate [start date: d/m/y] -EndDate [end date: d/m/y] | Where-Object {$_.Operation -eq "[action name]"}
2. You can also search the Exchange mailbox audit logs through Exchange Control Panel (ECP). Once you start ECP, go to compliance management > auditing.
You can also generate the report for actions performed on one or more shared mailboxes: click "Run a non-owner mailbox access report..."
Jul 09 2020 05:59 AM
Hi Jacob,
Please try to run the PS script below; for me it is working.
Search-MailboxAuditLog -Identity "email address of mailbox/SM" -LogonTypes Admin,Delegate,Owner -StartDate 11/17/2019 -EndDate 11/28/2019 -ShowDetails | Select-Object Operation, OperationResult, LogonType, LogonUserDisplayName, SourceItemSubjectsList, ItemSubject, SourceItemFolderPathNamesList, LastAccessed, InternalLogonType, MailboxOwnerUPN, ClientIPAddress, ClientProcessName, ClientInfoString, ClientVersion | Export-Csv .\Desktop\Auditlog.csv -Encoding Unicode
Hope it helps.
Costin
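Added example, not part of any post in this thread: a PowerShell check that combines the steps discussed above, first confirming that all three audit categories record the delete actions, then searching the mailbox audit log for those actions across owner, delegate and admin logons. It assumes a connected Exchange Online PowerShell session; the mailbox address and the seven-day window are placeholders.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# $Mailbox is a hypothetical placeholder address; the date window is arbitrary.
$Mailbox   = 'shared@contoso.example'
$Start     = (Get-Date).AddDays(-7)
$End       = Get-Date
$DeleteOps = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'

# 1. Verify that auditing is enabled and that every logon category
#    (owner, delegate, admin) is configured to record the delete actions.
$mbx = Get-Mailbox -Identity $Mailbox
if (-not $mbx.AuditEnabled) {
    Write-Warning "AuditEnabled is False on $Mailbox"
}
foreach ($category in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
    $configured = @($mbx.$category | ForEach-Object { "$_" })
    $missing    = $DeleteOps | Where-Object { $configured -notcontains $_ }
    if ($missing) {
        Write-Warning "$category does not record: $($missing -join ', ')"
    }
}

# 2. Search the mailbox audit log for all three logon types and keep
#    only the delete-related operations.
$entries = Search-MailboxAuditLog -Identity $Mailbox `
        -LogonTypes Owner, Delegate, Admin -ShowDetails `
        -StartDate $Start -EndDate $End -ResultSize 5000 |
    Where-Object { $DeleteOps -contains $_.Operation }

# 3. Show who removed what, from which folder, and with which client.
if ($entries) {
    $entries |
        Sort-Object LastAccessed |
        Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
                      SourceItemSubjectsList, SourceItemFolderPathNamesList,
                      ClientInfoString |
        Format-Table -AutoSize -Wrap
} else {
    Write-Warning "No delete operations logged for $Mailbox between $Start and $End"
}
```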