search-MailboxAuditLog is empty - Mailbox Audit Logging not working in Exchange 2013 CU6 environment

Hello,

I activated Mailbox Audit Logging for Admin, Delegate and Owner with all supported operations (update, delete, etc.)

as mentioned here: http://exchangeserverpro.com/using-exchange-server-2013-mailbox-audit-logging/

But even two days later (and one server reboot later) Search-MailboxAuditLog is still empty.

Any ideas how to fix this?

Best,

martin

September 22nd, 2014 7:19pm

Hi ,

First of all, just check whether that particular mailbox has audit logs available in it.

get-mailboxfolderstatistics -identity "name of the mailbox" | fl

In the output you can find a folder called Audits. There you can see whether any audit logs are available by looking at the size of the folder, because mailbox audit logs are saved in the mailbox itself.

If the size of the folder is 0 KB, that means no actions were performed by the persons (Admin, delegate and owner) on that particular mailbox.


Please reply to me if you have any queries.

Regards

S.Nithyanandham

September 22nd, 2014 8:06pm

Any updates on the above suggestion, if it helps you?

Moreover, if you are still unable to get the desired result, you may consider this automated application (http://www.mailboxaccessauditing.com/), which could be a better approach to mailbox audit logging reports in real time at a granular level.

September 23rd, 2014 8:45am

Hi S.Nithyanandham,

I looked up the mailboxfolderstatistics. There are items in the folder:

[PS] C:\Windows\system32>Get-MailboxFolderStatistics mailboxname |where{$_.Name -like "*audit*"}


RunspaceId                        : a95e32b8-93c3-4330-8d42-45cade9d64d4
Date                              : 18.09.2014 16:35:20
Name                              : Audits
FolderPath                        : /Audits
FolderId                          : LgAAAADmBpGVdb8iQp3F89WOcmcHAQBpQNFODkTESLeLj74B887wAAAAAAESAAAB
FolderType                        : Audits
ItemsInFolder                     : 147
DeletedItemsInFolder              : 0
FolderSize                        : 434.2 KB (444,649 bytes)
ItemsInFolderAndSubfolders        : 147
DeletedItemsInFolderAndSubfolders : 0
FolderAndSubfolderSize            : 434.2 KB (444,649 bytes)
OldestItemReceivedDate            :
NewestItemReceivedDate            :
OldestDeletedItemReceivedDate     :
NewestDeletedItemReceivedDate     :
OldestItemLastModifiedDate        :
NewestItemLastModifiedDate        :
OldestDeletedItemLastModifiedDate :
NewestDeletedItemLastModifiedDate :
ManagedFolder                     :
DeletePolicy                      :
ArchivePolicy                     :
TopSubject                        :
TopSubjectSize                    : 0 B (0 bytes)
TopSubjectCount                   : 0
TopSubjectClass                   :
TopSubjectPath                    :
TopSubjectReceivedTime            :
TopSubjectFrom                    :
TopClientInfoForSubject           :
TopClientInfoCountForSubject      : 0
SearchFolders                     :
Identity                          : mailboxname\Audits
IsValid                           : True
ObjectState                       : New

What do you think?

Why can't I search and find these entries in the audit log?

best, 

martin

September 23rd, 2014 8:42pm

Hi ,

Thanks for your reply.

Please try to search the mailbox audit log with the command below, without specifying any additional parameters apart from the ones mentioned.

search-mailboxauditlog  -identity "mailboxname" -resultsize unlimited -showdetails | fl 

From the output you will come to know what kind of operations were performed on the particular mailbox by specific logon types.

At the same time, you should check whether you specified the expected logon types and operations to audit when configuring mailbox auditing for that particular mailbox.

Get-Mailbox "mailbox name" | fl *audit*

Most importantly, you should check the link below, which speaks about bypassing mailbox auditing for a particular user account over all the mailboxes which are under auditing.

http://technet.microsoft.com/en-in/library/ff461934(v=exchg.150).aspx

Please reply to me if you have any queries.

Regards

S.Nithyanandham

September 23rd, 2014 9:17pm

Hi Martin,

I ran many tests in my environment and I got the same issue as yours.

Then, I found that the administrator account which I used to run the Search-MailboxAuditLog cmdlet wasn't in the Records Management management role group. I added the administrator to the role group and the cmdlet worked.

Please add your administrator to this role group by the following steps to have a try:

1. Open EAC, navigate to Permissions > admin roles.

2. Double-click Records Management.

3. Under Members, click "+" to add the administrator to the list.

4. Click Save.

After a few minutes, check if the Search-MailboxAuditLog cmdlet works.

Re

September 24th, 2014 2:57pm

Hi Martin,

Any updates?

Regards,

September 26th, 2014 4:53am

Still the same problem, also with the "Records Management" permission.

Any ideas?

September 26th, 2014 2:10pm

Hi ,

Please run this command only in the Exchange Management Shell.

search-mailboxauditlog -showdetails | fl >c:\totalresult.csv

Please ensure that you have enough space on the C drive before running this command.

Then please tell me whether you have received any contents in that output file which are related to the mailbox which is configured under audit. You can find that in Notepad by searching for the audited mailbox name with the Find option.

Please reply to me if you have any queries.

Regards

S.Nithyanandham

September 26th, 2014 2:21pm

Hi Martin,

Are you using the English version of the Exchange Server or are you using a localized version (e.g. German) of the Exchange Server?

Phil

December 9th, 2014 1:29pm

I'm using the localized German version.

best, 

martin

December 9th, 2014 1:31pm

Hi Martin,

We're having the exact same issue with the German version of Exchange in customer environments. This problem does not exist with the English version of Exchange 2013 CU6.

Did you open a ticket at Microsoft for this issue?

Phil

December 9th, 2014 1:39pm

Nice to hear :)

No, not yet... it is not so important for us...

Did you open a ticket?

Best, 

Martin

December 9th, 2014 1:40pm

No not yet, but we'll talk today with one of our customers about opening a ticket.
December 9th, 2014 1:54pm

Does anyone have news about this issue?

Best,

Martin

January 21st, 2015 9:14pm

Hi everyone,

Has anyone got news about this issue?

I created a fresh Exchange 2013 installation (German) with CU5, enabled auditing, deleted mails in Outlook, but got no results.
Updated to CU7, but still no results.

Get-MailboxFolderStatistics User |where{$_.Name -like "*audit*"}    --> shows Items in Audit Folder
Search-MailboxAuditLog -Identity User -LogonTypes Owner -ShowDetails    --> no result

Then I created a fresh Exchange 2013 CU installation in English. Same steps as above.

Get-MailboxFolderStatistics User |where{$_.Name -like "*audit*"}    --> shows Items in Audit Folder
Search-MailboxAuditLog -Identity User -LogonTypes Owner -ShowDetails    --> shows delete Items, for example softdelete,movetodeleteditems etc

best regards
Daniel
February 19th, 2015 4:48pm

Hello everyone, 

Is there any update for this problem in CU8, or does this issue still occur in the German version?

In CU7 the problem still exists.

Thanks. 

Best, 

Martin

March 30th, 2015 12:58pm

Hi Martin,

The problem still persists in CU8 and CU9 (German environment). I opened a ticket with MS and it seems there are two bugs filed for this problem: "Bug OfficeMain 1873019 and 2153722". The suggested workaround to use ECP doesn't work, I'm currently waiting for feedback...

BR
Stefan
June 24th, 2015 6:16am

Hi everyone!

We have the same issue with Exchange 2013 CU7, but our Exchange is not localized. We are using the English version of the products, but all regional settings are configured for our country (Russian). I'm not sure that this problem is exactly in the localized distribution; please check your distribution with US regional settings.

June 26th, 2015 10:21am

I found some information here: https://support.microsoft.com/en-us/kb/3054391

It looks like a regional settings bug :)

  • Proposed as answer by Denis Osipov 18 hours 57 minutes ago
June 29th, 2015 8:28am

I have checked that solution on one of my servers - it works! You must restart the server after changing regional server, and don't forget to apply it to service accounts before the reboot.

  • Proposed as answer by Denis Osipov Monday, June 29, 2015 12:27 PM
  • Edited by Denis Osipov Tuesday, June 30, 2015 7:30 AM
June 29th, 2015 12:26pm

Hello everyone!

I have an English installation of Exchange Server 2013 CU6 (US) on Server 2012R2 with English (US) locale and default settings, and Search-MailboxAuditLog does not show any results. The search is done under the default Administrator account.

Does anyone have any ideas on this issue?

August 5th, 2015 5:22am

I've got it fixed.
In my case the problem was in the Exchange Search services - corrupted indexes of the default mailbox database.

Rebuilding the indexes as described in the article below and restarting the search services fixed the problem of showing MailboxAuditLog results.

http://exchangeserverpro.com/fix-failed-database-content-index-exchange-2013/

  • Proposed as answer by LuLo911 15 hours 47 minutes ago
August 5th, 2015 11:43am

This topic is archived. No further replies will be accepted.
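
The checks suggested across this thread (audit configuration, Audits folder contents, audit bypass, Records Management membership, content index state, regional settings), collected into one triage function. This is an added example, not code from any poster or from Microsoft; the function name `Test-MailboxAuditSearch`, the 90-day window and the `user@example.com` placeholder are assumptions.

```powershell
# Added example: run in the Exchange Management Shell of an on-premises Exchange 2013 server.
function Test-MailboxAuditSearch {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$Days = 90   # assumed search window; adjust to your audit retention
    )

    # 1. Is auditing enabled, and for which logon types / operations?
    $mbx = Get-Mailbox -Identity $Identity

    # 2. Audit entries are stored in the mailbox itself, in the Audits folder.
    $folder = Get-MailboxFolderStatistics -Identity $Identity |
        Where-Object { $_.Name -like '*audit*' } | Select-Object -First 1

    # 3. What does the search actually return for the same mailbox?
    $hits = @(Search-MailboxAuditLog -Identity $Identity -ShowDetails `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) -ResultSize 1000)

    # 4. Accounts whose actions are never logged (audit bypass).
    $bypass = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled })

    # 5. Members of the role group one poster had to join before the search worked.
    $recordsMgmt = @(Get-RoleGroupMember -Identity 'Records Management')

    # 6. Content index state of the mailbox's database (one poster's root cause).
    $index = Get-MailboxDatabaseCopyStatus -Identity "$($mbx.Database)"

    [pscustomobject]@{
        Mailbox               = $mbx.PrimarySmtpAddress
        AuditEnabled          = $mbx.AuditEnabled
        AuditOwner            = $mbx.AuditOwner -join ','
        AuditDelegate         = $mbx.AuditDelegate -join ','
        AuditAdmin            = $mbx.AuditAdmin -join ','
        ItemsInAuditsFolder   = $folder.ItemsInFolder
        SearchResults         = $hits.Count
        # Entries exist but the search finds none: the symptom reported in this thread.
        EntriesButNoResults   = ($folder.ItemsInFolder -gt 0 -and $hits.Count -eq 0)
        BypassAccounts        = $bypass.Name -join ','
        RecordsManagement     = $recordsMgmt.Name -join ','
        ContentIndexState     = ($index | ForEach-Object { "$($_.Name)=$($_.ContentIndexState)" }) -join ','
        SessionCulture        = (Get-Culture).Name   # regional settings of this session
    }
}

Test-MailboxAuditSearch -Identity 'user@example.com' | Format-List
```

When `EntriesButNoResults` is True, auditing is writing entries and the fault is on the search side, which is where the posters' three fixes (role group, regional settings, content index) apply.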
