search-MailboxAuditLog is empty - Mailbox Audit Logging not working in Exchange 2013 CU6 environment
Hello,
I activated Mailbox Audit Logging for Admin, delegate and owner with all supported operations (update, delete, etc.)
as mentioned here:
http://exchangeserverpro.com/using-exchange-server-2013-mailbox-audit-logging/
But even two days later (and one server reboot later) Search-MailboxAuditLog is still empty.
Any ideas how to fix this?
Best,
martin
September 22nd, 2014 7:19pm
Hi ,
First of all, just check that the particular mailbox has audit logs available in it.
get-mailboxfolderstatistics -identity "name of the mailbox" | fl
In the output you can find a folder called audit. There you can see whether any audit logs are available by referring to the size of the folder, because mailbox audit logs are saved in the mailbox itself.
If the size of the folder is 0 KB, that means no actions were performed by the persons (Admin, delegate and owner) on that particular mailbox.
Please reply to me if you have any queries.
Regards
S.Nithyanandham
September 22nd, 2014 8:06pm
Any updates on the above suggestion, did it help you?
Moreover, if you are still unable to get the desired result, you may consider this automated application (http://www.mailboxaccessauditing.com/) that could be a better approach to mailbox audit logging reports in real time at a granular level.
September 23rd, 2014 8:45am
Hi S.Nithyanandham,
I looked up the mailbox folder statistics. There are items in the folder:
[PS] C:\Windows\system32>Get-MailboxFolderStatistics mailboxname |where{$_.Name -like "*audit*"}
RunspaceId : a95e32b8-93c3-4330-8d42-45cade9d64d4
Date : 18.09.2014 16:35:20
Name : Audits
FolderPath : /Audits
FolderId : LgAAAADmBpGVdb8iQp3F89WOcmcHAQBpQNFODkTESLeLj74B887wAAAAAAESAAAB
FolderType : Audits
ItemsInFolder : 147
DeletedItemsInFolder : 0
FolderSize : 434.2 KB (444,649 bytes)
ItemsInFolderAndSubfolders : 147
DeletedItemsInFolderAndSubfolders : 0
FolderAndSubfolderSize : 434.2 KB (444,649 bytes)
OldestItemReceivedDate :
NewestItemReceivedDate :
OldestDeletedItemReceivedDate :
NewestDeletedItemReceivedDate :
OldestItemLastModifiedDate :
NewestItemLastModifiedDate :
OldestDeletedItemLastModifiedDate :
NewestDeletedItemLastModifiedDate :
ManagedFolder :
DeletePolicy :
ArchivePolicy :
TopSubject :
TopSubjectSize : 0 B (0 bytes)
TopSubjectCount : 0
TopSubjectClass :
TopSubjectPath :
TopSubjectReceivedTime :
TopSubjectFrom :
TopClientInfoForSubject :
TopClientInfoCountForSubject : 0
SearchFolders :
Identity : mailboxname\Audits
IsValid : True
ObjectState : New
What do you think?
Why can't I search and find these entries in the audit log?
best,
martin
September 23rd, 2014 8:42pm
Hi ,
Thanks for your reply .
Please try to search the mailbox audit log with the command below, without specifying any additional parameters apart from the ones mentioned below.
search-mailboxauditlog -identity "mailboxname" -resultsize unlimited -showdetails | fl
From the output you will see what kind of operations were performed on the particular mailbox using specific logon types.
At the same time you should check whether you specified the expected logon types and operations to audit when configuring mailbox auditing for that particular mailbox.
Get-Mailbox "mailbox name" | fl *audit*
Most importantly, you should check the link below, which covers bypassing mailbox auditing for a particular user account across all the mailboxes which are under auditing.
http://technet.microsoft.com/en-in/library/ff461934(v=exchg.150).aspx
Please reply me if you have any queries .
Regards
S.Nithyanandham
September 23rd, 2014 9:17pm
Hi Martin,
I ran many tests in my environment and I got the same issue as yours.
Then I found that the administrator account which I used to run the Search-MailboxAuditLog cmdlet wasn't in the Records Management management role group. I added the administrator to the role group and the cmdlet worked.
Please add your administrator to this role group with the following steps to give it a try:
1. Open EAC, navigate to Permissions > admin roles.
2. Double-click Records Management.
3. Under Members, click "+" to add the administrator to the list.
4. Click Save.
After a few minutes, check if the Search-MailboxAuditLog cmdlet works.
Re
September 24th, 2014 2:57pm
Hi Martin,
Any updates?
Regards,
September 26th, 2014 4:53am
Still the same problem, also with the "Records Management" permission.
Any ideas?
September 26th, 2014 2:10pm
Hi ,
Please run this command only in the Exchange Management Shell.
search-mailboxauditlog -showdetails | fl >c:\totalresult.csv
Please ensure that you have enough space on the C drive before running this command.
Then please tell me whether you received any contents in that output file related to the mailbox which is configured for auditing. You can find that in Notepad by searching for the audited mailbox name with the Find option.
Please reply me if you have any queries .
Regards
S.Nithyanandham
September 26th, 2014 2:21pm
Hi Martin,
Are you using the English version of Exchange Server or are you using a localized version (e.g. German) of Exchange Server?
Phil
December 9th, 2014 1:29pm
I'm using the localized German version
best,
martin
December 9th, 2014 1:31pm
Hi Martin,
We're having the exact same issue with the German version of Exchange in customer environments. This problem does not exist with the English version of Exchange 2013 CU6.
Did you open a ticket with Microsoft for this issue?
Phil
December 9th, 2014 1:39pm
Nice to hear :)
No, not yet... it is not so important for us...
Did you open a ticket?
Best,
Martin
December 9th, 2014 1:40pm
No, not yet, but we'll talk today with one of our customers about opening a ticket.
December 9th, 2014 1:54pm
Does anyone have news about this issue?
Best,
Martin
January 21st, 2015 9:14pm
Hi everyone,
Has anyone got news about this issue?
I created a fresh Exchange 2013 installation (German) with CU5, enabled auditing, deleted mails in Outlook, but no results.
Updated to CU7, but still no results.
Get-MailboxFolderStatistics User |where{$_.Name -like "*audit*"} --> shows items in the Audit folder
Search-MailboxAuditLog -Identity User -LogonTypes Owner -ShowDetails --> no result
Then I created a fresh Exchange 2013 CU installation in English. Same steps as above.
Get-MailboxFolderStatistics User |where{$_.Name -like "*audit*"} --> shows items in the Audit folder
Search-MailboxAuditLog -Identity User -LogonTypes Owner -ShowDetails --> shows delete items, for example softdelete, movetodeleteditems etc.
best regards
Daniel
February 19th, 2015 4:48pm
Hello everyone,
Is there any update for this problem in CU8, if this issue still occurs in the German version?
In CU7 the problem still exists.
Thanks.
Best,
Martin
March 30th, 2015 12:58pm
Hi Martin,
The problem still persists in CU8 and CU9 (German environment). I opened a ticket with MS and it seems there are two bugs filed for this problem: "Bug OfficeMain 1873019 and 2153722". The suggested workaround to use ECP doesn't work, I'm currently waiting for feedback...
BR
Stefan
June 24th, 2015 6:16am
Hi everyone!
We have the same issue with Exchange 2013 CU7, but our Exchange is not localized. We are using the English version of the products, but all regional settings are configured for our country (Russian). I'm not sure that this problem is exactly in the localized distribution; please check your distribution with US regional settings.
June 26th, 2015 10:21am
I found some information here: https://support.microsoft.com/en-us/kb/3054391
It looks like a regional settings bug :)
June 29th, 2015 8:28am
I have checked that solution on one of my servers - it works! You must restart the server after changing the regional settings, and don't forget to apply them to service accounts before the reboot.
June 29th, 2015 12:26pm
Hello everyone!
I have an English installation of Exchange Server 2013 CU6 (US) on Server 2012R2 with English (US) locale and default settings. And Search-MailboxAuditLog does not show any results. The search is done under the default Administrator account.
Does anyone have any ideas on this issue?
August 5th, 2015 5:22am
I've got it fixed.
In my case the problem was in the Exchange Search services - corrupted indexes of the default mailbox database.
Rebuilding indexes as described in the article below and restarting search services fixed the problem of showing MailboxAuditLog results.
http://exchangeserverpro.com/fix-failed-database-content-index-exchange-2013/
August 5th, 2015 11:43am
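The checks suggested across this thread, collected into one Exchange Management Shell script. This is an added example, not code posted by any participant; 'mailboxname' is a placeholder and the 7-day search window is an assumption.

```powershell
# Added example: triage for "Audits folder has items but Search-MailboxAuditLog is empty".
# Run in the Exchange Management Shell. 'mailboxname' is a placeholder.
param([string]$Mailbox = 'mailboxname')

$mbx = Get-Mailbox -Identity $Mailbox

# 1. Auditing enabled, and which operations are logged per logon type?
$mbx | Format-List AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate, AuditOwner

# 2. Are entries being written to the mailbox? (same filter as used in the thread)
$audits = Get-MailboxFolderStatistics -Identity $Mailbox |
    Where-Object { $_.Name -like '*audit*' }
$itemsInFolder = if ($audits) { ($audits | Measure-Object ItemsInFolder -Sum).Sum } else { 0 }

# 3. Accounts whose actions are never logged (audit bypass).
$bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }

# 4. Members of the role group one reply found necessary for searching.
$searchers = Get-RoleGroupMember -Identity 'Records Management'

# 5. Content index state of the mailbox's database (last fix reported in the thread).
$index = Get-MailboxDatabaseCopyStatus -Identity "$($mbx.Database)" |
    Select-Object Name, Status, ContentIndexState

# 6. The search itself, over an assumed 7-day window.
$entries = @(Search-MailboxAuditLog -Identity $Mailbox -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 1000)

# Summary: the thread's symptom is items in the folder but nothing returned.
[pscustomobject]@{
    Mailbox            = $Mailbox
    AuditEnabled       = $mbx.AuditEnabled
    ItemsInAuditFolder = $itemsInFolder
    SearchResults      = $entries.Count
    SymptomPresent     = ($itemsInFolder -gt 0 -and $entries.Count -eq 0)
    BypassAccounts     = ($bypass | ForEach-Object { $_.Name }) -join ', '
    RecordsMgmtMembers = ($searchers | ForEach-Object { $_.Name }) -join ', '
    ContentIndexState  = ($index | ForEach-Object { "$($_.Name)=$($_.ContentIndexState)" }) -join ', '
    SessionCulture     = (Get-Culture).Name   # regional settings per KB 3054391
} | Format-List
```

If SymptomPresent is True with a non-US SessionCulture, the regional-settings KB linked above is the first thing to check; if ContentIndexState is not Healthy, the index rebuild from the last reply applies.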