If you work for a firm in the financial industry (trading, insurance, etc.) you know that auditing is a part of life. Sometimes this is because your company is public or required by law to do so; sometimes it's because you have an internal auditing process initiated by internal procedures. Exchange 2010 has two kinds of logs for auditing: Admin Auditing and Mailbox Auditing. This article is concerned with the latter of the two.
What exactly is Mailbox Auditing? Mailbox auditing is the tracking of specific types of actions (accessing, moving, or deleting a message, etc.) by logon type (administrator, delegate user, or owner). Using this kind of auditing will allow you to find out who manipulated another user's mailbox or simply accessed their email.
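Mailbox auditing is off by default and is configured per mailbox, so before any report can contain anything the actions to record for each logon type have to be switched on. The following is an added example, not code from the original post: it enables auditing on one mailbox (the mailbox name "jdoe", the chosen action lists and the 90-day retention are assumptions to adapt to your own policy) and then reads the settings back so you can confirm what is actually being recorded.

```powershell
# Added example (not part of the original post): turn on mailbox auditing for
# one mailbox and pick the actions to record per logon type.
# "jdoe", the action lists and the age limit are assumptions, not page values.
$mailbox = "jdoe"

Set-Mailbox -Identity $mailbox -AuditEnabled $true `
    -AuditAdmin    Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind `
    -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf `
    -AuditOwner    HardDelete `
    -AuditLogAgeLimit 90.00:00:00   # keep entries for 90 days (TimeSpan: days.hours:minutes:seconds)

# Verify the effective settings; this is what the audit log will actually capture
Get-Mailbox -Identity $mailbox |
    Format-List AuditEnabled,AuditAdmin,AuditDelegate,AuditOwner,AuditLogAgeLimit
```

Owner actions are deliberately kept to the minimum here: recording every owner action on a busy mailbox produces a large log that buries the delegate and administrator access an auditor is usually looking for.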
How would you generate a report for this?
Here is a sample script I've been using (the original was flattened into a single line; it is laid out below with a few defects corrected: `$now` was never defined, `$localfile` was missing the backslash between folder and file name, `Copy-Item` copied the wrong variable, and the unquoted placeholders did not parse):

```powershell
# Load the Exchange PowerShell snap-in in case this is run on a non-Exchange server
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 # Adds the Exchange 2010 snap-in

# Set date parameters for the script
$Days = 7 # How many days of log history do you want to send?
$now = Get-Date # End of the search window (today)
$current = $now.ToString("MM-dd-yyyy") # Today's date, used in the file name
$StartDate = $now.AddDays(-$Days).ToString("MM-dd-yyyy") # Start date for the search

# Configure path locations
$serverpath = "\\servername\sharename" # Remote location for reports
$localpath = "C:\scripts\exchangelogging"
$xmlfile = "MailboxAuditLog" + $current + ".xml"
$localfile = Join-Path $localpath $xmlfile # Join-Path supplies the separator

# Configure the report e-mail
$subject = "Exchange Mailbox Audit Log " + $current
$recipients = "<IT Admin SMTP Address>"
$body = "The latest Exchange Mailbox Audit Log is now available at: " + (Join-Path $serverpath $xmlfile)

# Run the search and export the results to XML
# (add -ShowDetails to get one row per event instead of one summary row per mailbox)
Search-MailboxAuditLog -StartDate $StartDate -EndDate $now | Export-Clixml $localfile

# Copy the report to the remote share for storage
Copy-Item $localfile $serverpath

# Send the notification to the reviewers
Send-MailMessage -To $recipients -From "<IT Department email address>" -SmtpServer "<valid SMTP server>" -Subject $subject -Body $body

# Clean up the local copy
Remove-Item $localfile
```
This script runs the audit search and sends an email to the auditors who need to review the information captured by mailbox auditing.
Quick explanation of the code:
- `Add-PSSnapin` – loads the Exchange 2010 PowerShell snap-in in case it is needed
- `$Days`, `$now`, `$current`, `$StartDate` – set the date range with a current date and a start date
- `$serverpath`, `$localpath`, `$xmlfile`, `$localfile` – set paths for local and remote file storage
- `$subject`, `$recipients` – set the subject and recipients for the emailed report
- `$body` – configures the body of the report email
- `Search-MailboxAuditLog ... | Export-Clixml` – exports the audit log to a file
- `Copy-Item` – copies the file to the remote server location for storage
- `Send-MailMessage` – sends the email out to IT admins
- `Remove-Item` – removes the local file for cleanup
After the script has run you are left with an XML file to use for reviewing the information contained in the logs.
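The exported XML is only useful once someone turns it into a list of who touched which mailbox. The following is an added example, not code from the original post, for the reviewer's side: it loads a report written by `Search-MailboxAuditLog -ShowDetails | Export-Clixml` (without `-ShowDetails` the file holds one summary row per mailbox and the per-event fields used here are absent), separates owner activity from delegate and administrator activity, summarises non-owner access per mailbox and actor, and lists the destructive or impersonating operations for follow-up. The report path is an assumption; the property names are those of the `MailboxAuditLogEvent` objects the cmdlet returns. It is written for the PowerShell 2.0 that the Exchange 2010 shell runs on.

```powershell
# Added example (not part of the original post): summarise an exported mailbox audit log.
# Assumes the file came from: Search-MailboxAuditLog -ShowDetails ... | Export-Clixml
# The path below is an assumption; point it at the report the collection script produced.
param(
    [string]$ReportFile = "\\servername\sharename\MailboxAuditLog<date>.xml"
)

# @() keeps .Count working in PowerShell 2.0 when the file holds a single event
$events   = @(Import-Clixml -Path $ReportFile)
$nonOwner = @($events | Where-Object { $_.LogonType -ne "Owner" })

"Total events: {0}; non-owner (Admin/Delegate) events: {1}" -f $events.Count, $nonOwner.Count

# One row per (mailbox, actor, logon type, operation) with a count and the latest timestamp
$nonOwner |
    Group-Object MailboxResolvedOwner, LogonUserDisplayName, LogonType, Operation |
    ForEach-Object {
        $first  = $_.Group[0]
        $latest = ($_.Group | Sort-Object LastAccessed -Descending)[0].LastAccessed
        New-Object PSObject -Property @{
            Mailbox    = $first.MailboxResolvedOwner
            AccessedBy = $first.LogonUserDisplayName
            LogonType  = $first.LogonType
            Operation  = $first.Operation
            Count      = $_.Count
            LastSeen   = $latest
        }
    } |
    Sort-Object Mailbox, Count -Descending |
    Format-Table Mailbox, AccessedBy, LogonType, Operation, Count, LastSeen -AutoSize

# Operations that destroy mail or send as someone else deserve a line-by-line look
$flagged = "HardDelete", "SoftDelete", "MoveToDeletedItems", "SendAs", "SendOnBehalf"
$nonOwner |
    Where-Object { $flagged -contains $_.Operation } |
    Select-Object LastAccessed, MailboxResolvedOwner, LogonUserDisplayName, LogonType,
                  Operation, ItemSubject, ClientInfoString, ClientIPAddress |
    Sort-Object LastAccessed |
    Format-Table -AutoSize
```

The `ClientInfoString` and `ClientIPAddress` columns are what let a reviewer tell an Outlook session from a PowerShell or EWS script acting on the mailbox, which is usually the first question asked about an unexpected administrator entry.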
Technet Articles
http://technet.microsoft.com/en-us/library/ff522360(v=exchg.141).aspx
In such a situation, wouldn’t the admins be able to access the logs and just clear them before they are reported upon?
Yes, that is always a concern. A possible solution to that is an offsite journaling service which only the legal or security teams have access to.