As mailboxes contain sensitive and confidential information, it is vital for organizations to track the users who log on to the mailboxes stored on the server and the actions they take, such as deleting mailbox items, changing mailbox permissions, etc. It is even more important to track access to mailboxes by delegate users (i.e. users other than the mailbox's owner).
Microsoft offers the mailbox audit logging feature in Exchange Server to help admins track logons to mailboxes and the actions taken by users when they're logged on. This feature is available for Exchange Server 2010, 2013, and 2016. However, this feature is disabled by default and the administrators need to enable it manually.
How to Check if Mailbox Audit Logging is Enabled or Disabled?
An administrator can easily check if mailbox audit logging is enabled for a particular mailbox, by running the Get-Mailbox command.
Get-Mailbox Steve.Jackson | fl *audit*
This command, which was run for a user named Steve Jackson, gives us the following output:
AuditEnabled : False
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner : {}
Since the AuditEnabled value is False, audit logging for the user Steve Jackson is disabled. The time value against the AuditLogAgeLimit property confirms that the log age limit for the mailbox is 90 days.
How to Enable Mailbox Audit Logging in Microsoft Exchange?
Exchange mailbox audit logging can be enabled or disabled for a mailbox by using PowerShell cmdlets in the Exchange Management Shell. However, there are a few things you need to know before you proceed:
- You need messaging and compliance permissions to change Mailbox Audit Logging settings.
- Exchange Admin Center (EAC) can't be used to enable mailbox audit logging. You need to use the Exchange Management Shell.
- By default, the audit logs are saved for up to 90 days. However, you can increase or decrease the duration by using the Set-Mailbox cmdlet.
Run the following cmdlet in the Exchange Management Shell to enable mailbox audit logging for Steve Jackson's mailbox (taken as an example here):
Set-Mailbox -Identity "Steve Jackson" -AuditEnabled $true
If you want to disable mailbox audit logging for the mailbox, set the AuditEnabled value to $false:
Set-Mailbox -Identity "Steve Jackson" -AuditEnabled $false
If you want to enable Exchange mailbox audit logging for all the mailboxes, run the following cmdlet:
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Select PrimarySmtpAddress | ForEach {Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true}
Verifying Audit Logging Status
Once you have enabled audit logging in Exchange for the desired mailboxes, you can verify the setting by running the following cmdlet:
Get-Mailbox Mailbox.Owner | fl *audit*
If it shows the value of AuditEnabled as True, it means that audit logging has been successfully enabled for the specific mailbox (Mailbox.Owner).
Changing Retention Period of Mailbox Audit Logs
The mailbox audit logs are saved in the mailbox for 90 days by default. However, you can change this limit by using the Set-Mailbox cmdlet.
Setting the AuditLogAgeLimit value to 150 days with Set-Mailbox, for example, increases the audit logs' retention period from 90 days (default) to 150 days. You can change the AuditLogAgeLimit value as per your requirements to change the retention period.
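The enable, retention and verify steps above can be combined into one pass over all user mailboxes. The script below is an added example, not part of the original article; the helper name Get-AuditAge and the report column OwnerActionsAudited are hypothetical, and the 150-day value is the one used in the text.

```powershell
# Added example for the Exchange Management Shell (not from the original article).
$target = [TimeSpan]::Parse('150.00:00:00')   # 150 days, the value used in the text
$filter = "RecipientTypeDetails -eq 'UserMailbox'"

# Hypothetical helper: normalise AuditLogAgeLimit (printed as d.hh:mm:ss,
# e.g. 90.00:00:00) to a TimeSpan so it compares reliably in local and remote shells.
function Get-AuditAge($mbx) { [TimeSpan]::Parse($mbx.AuditLogAgeLimit.ToString()) }

# 1. Enable auditing and set retention only on mailboxes that deviate from the target.
Get-Mailbox -ResultSize Unlimited -Filter $filter |
    Where-Object { -not $_.AuditEnabled -or (Get-AuditAge $_) -ne $target } |
    ForEach-Object {
        Set-Mailbox -Identity $_.PrimarySmtpAddress.ToString() `
            -AuditEnabled $true -AuditLogAgeLimit '150.00:00:00'
    }

# 2. Re-read the settings and build a verification report.
#    OwnerActionsAudited is False when AuditOwner is empty ({}), as in the
#    sample output earlier on the page: owner actions are then not logged.
$report = Get-Mailbox -ResultSize Unlimited -Filter $filter |
    Select-Object PrimarySmtpAddress, AuditEnabled, AuditLogAgeLimit,
        @{ Name = 'OwnerActionsAudited'; Expression = { @($_.AuditOwner).Count -gt 0 } }

# 3. Show mailboxes that are still not audited, then a summary of the rest.
$report | Where-Object { -not $_.AuditEnabled } | Format-Table -AutoSize
$report | Group-Object AuditEnabled, OwnerActionsAudited |
    Select-Object Count, Name | Format-Table -AutoSize
```

Add -WhatIf to the Set-Mailbox call for a dry run before changing any mailbox.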
How to Find Exchange Mailbox Log Entries?
After you enable mailbox audit logging, you can search for audit logs by using:
- PowerShell Commands: You can run the Search-MailboxAuditLog command in Exchange Management Shell to fetch mailbox audit log entries.
- Exchange Control Panel: Exchange also offers a GUI-based option for searching mailbox audit logs. In Exchange 2010, you can use the Exchange Control Panel, and in Exchange 2013 and 2016, you can use Exchange Admin Center (EAC) to search mailbox audit logs.
Mailbox Audit Log Searching in Exchange Control Panel (Exchange 2010)
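A search for non-owner access with Search-MailboxAuditLog might look like the following. This is an added example, not part of the original article; the seven-day window, the result size and the list of operations to review are assumptions, and the mailbox is the example user from this page.

```powershell
# Added example for the Exchange Management Shell (not from the original article).
# Entries exist only for the period after AuditEnabled was set to True.
$mailbox   = 'Steve Jackson'          # example mailbox used on this page
$startDate = (Get-Date).AddDays(-7)   # assumed review window: last 7 days
$endDate   = Get-Date

# -LogonTypes Delegate,Admin limits the search to non-owner access.
# -ShowDetails returns one entry per audited action and is used with
# -Identity (a single mailbox), not with -Mailboxes.
$entries = Search-MailboxAuditLog -Identity $mailbox `
    -LogonTypes Delegate,Admin `
    -StartDate $startDate -EndDate $endDate `
    -ShowDetails -ResultSize 5000

# Summary: who did what, and how often.
$entries |
    Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Detail for deletions and send-as activity (assumed review list, taken from
# the AuditAdmin and AuditDelegate actions shown earlier on the page).
$review = 'HardDelete', 'SoftDelete', 'MoveToDeletedItems', 'SendAs', 'SendOnBehalf'
$entries |
    Where-Object { $review -contains $_.Operation } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
        FolderPathName, ItemSubject, ClientIPAddress |
    Format-Table -AutoSize
```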
An Advanced Option - Stellar Reporter & Auditor for Exchange Server
Keeping track of Exchange Server mailboxes manually is time-consuming and difficult. If hundreds of mailboxes are on the server, it's not easy to manually create and run customized cmdlets for each mailbox. You can use scripts and task scheduler to automate the process, but even then, a single script can't be used as a one-size-fits-all solution.
To make mailbox auditing simpler, easier, and more accurate, you can use a third-party auditing tool, such as Stellar Reporter & Auditor for Exchange Server.
About Exchange Auditing & Reporting Software by Stellar
Stellar Reporter & Auditor for Exchange Server is a comprehensive MS Exchange monitoring software for administrators that simplifies mailbox monitoring and auditing. It allows the admins to perform a wide range of custom scans on the Exchange server and generate as many as 140 reports for accurate and in-depth monitoring.
The following are some key highlights of Stellar Reporter & Auditor for Exchange Server software:
- Offers an intuitive graphical user interface for easy monitoring and auditing of Exchange mailboxes
- Simplifies Exchange monitoring with custom alerts, mailbox statistics, dynamic graphs, etc.
- Allows Exchange Administrators to schedule Exchange server scanning and reporting
- Offers remote Exchange Server monitoring with web-based and mobile-friendly program access
- Compatible with Exchange Server 2016, 2013, 2010, and 2007
Mailbox Logon Reports in Stellar Reporter & Auditor
Stellar Reporter & Auditor for Exchange Server offers three kinds of mailbox logon reports:
- User Logon Activity: The user logon activity report shares the details of all successful user logons for a particular mailbox on the server.
- Non-Owner Mailbox Logon: This report provides details of all non-owner logons. These include delegates and administrators who have accessed mailboxes of other users on the server.
- Server Based Logon Report: This report gathers and compiles the logon records of mailbox owners and non-owners in one place. It contains in-depth logon activity details with timestamps.
How to Generate Mailbox Logon Reports by using the Software?
To generate the mailbox logon reports by using Stellar Reporter & Auditor for Exchange Server, follow these steps:
- Launch the software. Click Select Server in the top-right corner and select the desired server from the drop-down menu.
UI of Stellar Reporter & Auditor for Exchange Server
- In the Navigation Pane, click Auditor.
- Under the Mailbox Logon Reports section, select the report you want to generate.
- The report will be generated in real-time and show results based on the last server scan. This kind of report generation is simple, easy, and saves lots of time. You can also customize the reports as per your requirements.
Conclusion
You can enable mailbox audit logging in Exchange Server to track access to mailboxes. However, this manual approach is time-intensive and raises the risk of human error as it involves executing several commands. It also makes mailbox monitoring difficult in organizations where the employee count is high.
To make mailbox auditing and reporting more efficient and seamless, you can use a comprehensive third-party solution, such as Stellar Reporter & Auditor for Exchange Server. This tool offers a wide range of report generation and monitoring options. It's currently available as a free trial of 60 days.