Thursday, February 9, 2017
Exchange 201x How to enable Mailbox logging
Exchange 201x How to enable Mailbox logging
On Exchange is very important to view if there are any strange accesses on other users mailboxes.
Here they are some command lines that works fine on Exchange 2016:
Set-Mailbox
Get-Mailbox |fl name,AuditEnabled
To view log retention:
Get-Mailbox
If you want to change log retention (default 90 days)
Set-Mailbox -Identity
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | Set-Mailbox -AuditLogAgeLimit 180
If you want to enable logging on all mailboxes:
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
Disable Mailbox logging
Set-Mailbox
Consider that Mailbox Owner activities are not logged, to enable it you must consider that we will have plenty of auditings:
Set-Mailbox
Get-Mailbox |fl name,AuditEnabled
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
Disable the mailbox audit logging:
Set-Mailbox
Here they are whtat we log with these changes
Original Technet Article
https://technet.microsoft.com/it-it/library/ff459237(v=exchg.160).aspx
| Action | Description | Admin | Delegate*** | Owner |
| Copy | An item is copied to another folder. | Yes | No | No |
| Create | An item is created in the mailbox. (For example, a message is sent or received.) Note that folder creation isnt audited. | Yes* | Yes* | Yes |
| FolderBind | A mailbox folder is accessed. | Yes* | Yes** | No |
| HardDelete | An item is deleted permanently from the Recoverable Items folder. | Yes* | Yes* | Yes |
| MailboxLogin | The user signed in to their mailbox. | No | No | Yes |
| MessageBind | An item is accessed in the reading pane or opened. | Yes | No | No |
| Move | An item is moved to another folder. | Yes* | Yes | Yes |
| MoveToDeletedItems | An item is moved to the Deleted Items folder. | Yes* | Yes | Yes |
| SendAs | A message is sent using Send As permissions. | Yes* | Yes* | No |
| SendOnBehalf | A message is sent using Send on Behalf permissions. | Yes* | Yes | No |
| SoftDelete | An item is deleted from the Deleted Items folder. | Yes* | Yes* | Yes |
| Update | An items properties are updated. | Yes* | Yes* | Yes |
You can get reporting here:
more details :
Microsoft - Enable or disable mailbox audit logging for a mailbox on Exchange 2016
https://technet.microsoft.com/it-it/library/ff461937(v=exchg.160).aspx
Microsoft - Mailbox audit logging in Exchange 2016
https://technet.microsoft.com/it-it/library/ff459237(v=exchg.160).aspx
Microsoft - Mailbox Audit Logging on Exchange 2010
https://technet.microsoft.com/en-us/library/ff459232(v=exchg.141).aspx
Microsoft - Mailbox Audit Logging on Exchange 2013
https://technet.microsoft.com/en-us/library/ff461939(v=exchg.150).aspx
Available link for download
