Search-AdminAuditLog finds all log entries but "Admin Audit Log" in EAC shows nothing

Hi!

I need help with admin audit log.

Making "Admin Audit Log Report" using EAC shows nothing, regardless of specified parameters. At the same time running (as the same user) PowerShell cmdlet Search-AdminAuditLog shows all log entries correctly.

Running Get-AdminAuditLogConfig returns result:

RunspaceId                   : xxxxxxx
AdminAuditLogEnabled         : True
LogLevel                     : Verbose
TestCmdletLoggingEnabled     : False
AdminAuditLogCmdlets         : {*}
AdminAuditLogParameters      : {*}
AdminAuditLogExcludedCmdlets : {}
AdminAuditLogAgeLimit        : 90.00:00:00
AdminDisplayName             :
ExchangeVersion              : 0.10 (14.0.100.0)
Name                         : Admin Audit Log Settings
DistinguishedName            : CN=Admin Audit Log Settings,CN=Global Settings,CN=xxxx,CN=xxxxx,CN=xxxx,CN=Configuration,DC=xxxx,DC=xxxx,DC=xxx
Identity                     : Admin Audit Log Settings
Guid                         : xxxxxx
ObjectCategory               : xxxx.xxx.xxx/Configuration/Schema/ms-Exch-Admin-Audit-Log-Config
ObjectClass                  : {top, msExchAdminAuditLogConfig}
WhenChanged                  : 2015-04-09 19:11:53
WhenCreated                  : 2015-03-28 21:03:36
WhenChangedUTC               : 2015-04-09 17:11:53
WhenCreatedUTC               : 2015-03-28 20:03:36
OrganizationId               :
Id                           : Admin Audit Log Settings
OriginatingServer            : dc.xxxxx.xxxx
IsValid                      : True
ObjectState                  : Unchanged

Please notice the value of ExchangeVersion (value 14 means 2010!) and OriginatingServer, which points to my domain controller and not the Exchange server on which I run this command!

My environment is very simple - one W2012R2 server running as DC and one W2012R2 server, running as Exchange member server. 

Any ideas what is wrong?

elk84

April 9th, 2015 2:02pm

Hi,

From your description, it displays a wrong Exchange version. I recommend you use the Get-ExchangeServer cmdlet to verify the Exchange server version at first.

What's more, I would like to verify the type you use to view the admin audit logging. If you use "Export mailbox audit logs", it will be exported to the mailbox you select.

Hope this can be helpful to you.

Best regards,

April 10th, 2015 3:54am

Agreed with Amy.

First of all, you need to verify your current Exchange server version that will help us to suggest you some better ideas.

Also, please check this technet library to understand Administrative admin log in depth : https://technet.microsoft.com/en-us/library/dn342832%28v=exchg.150%29.aspx

Moreover, if you wish to get the Exchange change reports in more depth, you may also consider this automated solution (http://www.exchangeserverauditing.com/), which helps to track all critical change reports in real time and provides the data at a granular level.

April 10th, 2015 6:03am

Yes, I ran Exchange 2013 CU8

Get-ExchangeServer returns:

AdminDisplayVersion             : Version 15.0 (Build 1076.9)

and

ExchangeVersion                 : 0.1 (8.0.535.0)

Using "Export mailbox audit log" sends me an "empty" report, containing only:

<?xml version="1.0" encoding="UTF-16"?>
<SearchResults/>

but using "Export Admin Audit Log" sends me the full report.

elk84

April 10th, 2015 7:46am

Hi!

As I replied earlier, I use Exchange 2013 CU8 (15.0 build 1076.9)

I have already double-checked all my permissions and audit configuration, but of course I may have missed something :-)

Thank you for the link http://www.exchangeserverauditing.com. It seems interesting, but I need some time to cope with it.

April 10th, 2015 7:52am

Hi again!

I hope that I have found some clue. It appears that this problem may be related to regional settings.

If I run the report through EAC, I find an event in the Event Log saying, for example:

Cmdlet suceeded. Cmdlet Search-AdminAuditLog, parameters -StartDate "4/10/2015 12:00:00 AM" -EndDate "4/12/2015 12:00:00 AM" -ExternalAccess "False" -ResultSize "5000".

Please notice the time format: M/D/Y! My system date format (and the format set in the regional settings of OWA) is YYYY-MM-DD.

Entering this command manually into EMS (using format M/D/Y) registers a new event in the Event Log:

Cmdlet suceeded. Cmdlet Search-AdminAuditLog, parameters -StartDate "2015-04-10 00:00:00" -EndDate "2015-04-11 00:00:00".

This time the date is in my system format, YYYY-MM-DD.

Also notice that if I swap day and month (M/D/Y vs. D/M/Y), the given range is invalid (in the future) and I receive no data.

All this seems strange.

BTW, my Windows server uses Polish regional settings, but in OWA I have changed the language to English (due to horrible translations to Polish) and left the same date format as in the system regional settings.

Is this information helpful?

April 11th, 2015 5:21pm
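
The date ambiguity described in the post above, as an added example that is not part of the original thread: it parses the -StartDate/-EndDate strings quoted from the event log under a month-first and a day-first reading and reports whether the resulting window can match any past audit entry. The helper names ConvertTo-ExactDate and Test-AuditRange are hypothetical, and the script only parses strings; it does not call Exchange.

```powershell
# Added example; the strings are the -StartDate/-EndDate values quoted in the post.
$inv     = [System.Globalization.CultureInfo]::InvariantCulture
$none    = [System.Globalization.DateTimeStyles]::None
$formats = [ordered]@{
    'month-first (M/d/yyyy)' = 'M/d/yyyy h:mm:ss tt'
    'day-first (d/M/yyyy)'   = 'd/M/yyyy h:mm:ss tt'
}

function ConvertTo-ExactDate {
    # Parse $Text with one explicit format; emit nothing if it does not fit.
    param([string]$Text, [string]$Format)
    $parsed = [datetime]::MinValue
    if ([datetime]::TryParseExact($Text, $Format, $inv, $none, [ref]$parsed)) { $parsed }
}

function Test-AuditRange {
    # Resolve the same two strings under each reading and report whether
    # the resulting window can contain any entry logged before $Now.
    param([string]$Start, [string]$End, [datetime]$Now)
    foreach ($name in $formats.Keys) {
        $s = ConvertTo-ExactDate $Start $formats[$name]
        $e = ConvertTo-ExactDate $End   $formats[$name]
        $status = if ($null -eq $s -or $null -eq $e) {
            'does not parse'
        } elseif ($s -gt $Now) {
            'starts in the future: empty result'
        } else {
            'covers past entries'
        }
        [pscustomobject]@{
            Reading = $name
            Start   = if ($s) { $s.ToString('yyyy-MM-dd HH:mm:ss', $inv) }
            End     = if ($e) { $e.ToString('yyyy-MM-dd HH:mm:ss', $inv) }
            Status  = $status
        }
    }
}

# "Now" is fixed to the post's timestamp so the result is reproducible.
Test-AuditRange -Start '4/10/2015 12:00:00 AM' -End '4/12/2015 12:00:00 AM' `
                -Now ([datetime]'2015-04-11T17:21:00') | Format-Table -AutoSize

# Constructed input: a second field above 12 is not ambiguous, because the
# day-first reading fails to parse instead of silently shifting the window.
Test-AuditRange -Start '4/13/2015 12:00:00 AM' -End '4/14/2015 12:00:00 AM' `
                -Now ([datetime]'2015-04-15T00:00:00') | Format-Table -AutoSize
```
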

Hi,

"using 'Export Admin Audit Log' send to me full report" indicates that the admin audit log is working well in EAC. "Using 'Export mailbox audit log' causes sending to me 'empty' report", please make sure that mailbox audit logging is enabled for a mailbox.

Best regards,

April 13th, 2015 1:58am

"using 'Export Admin Audit Log' send to me full report" indicates that the admin audit log is working well in EAC. "Using 'Export mailbox audit log' causes sending to me 'empty' report", please make sure that mailbox audit logging is enabled for a mailbox.


Yes, but using "Export Audit Log" I receive the report on the next day, and I prefer immediate results via "Audit Admin log", but it returns a big nothing :-)

Of course mailbox logging is enabled, but with mailbox audit logs the situation is somewhat different. This report in EAC generates only one entry about modifying a resource mailbox by a non-owner (when I intentionally do it in Outlook), but I can't see any details of this event. Also, this report does not contain any events of simply accessing the resource mailbox by non-owners (should it?). When I run the same report as "Export ..." I receive (on the next day!) an empty report.

Sure, I can use PowerShell, but when I'm in a hurry using EAC is much more comfortable, so I want to fix it.

IMPORTANT additional info: according to the info registered in the event log, reports generated via EAC use the "-ExternalAccess $False" parameter, and that's why I receive empty reports. When using PowerShell without this parameter, I receive the report, but when using it (regardless of whether it has the value $false or $true) I also receive nothing.

So it is not clear to me whether EAC uses an incorrect value of this parameter (can I change it?) or whether my events are incorrectly registered as "external". Nevertheless, to my understanding, using the value $false should return all events (both "internal" and "external"), and using the value $true, I should receive only "external" events, being a subset of the results given with the $false value. I assume that my events should be considered "internal", as they were generated by a domain admin executing commands on the local Exchange server. Am I correct?


April 13th, 2015 7:15am

Hi,

If you want to export the admin audit report at once, there is a workaround for your reference:

Run the Search-AdminAuditLog | Out-File C:\AdminAuditLog.txt cmdlet in EMS to export the report.

Hope this can be helpful to you.

Best regards,

April 19th, 2015 9:20pm

This topic is archived. No further replies will be accepted.