Admin Audit Logs – Scripted

Auditing has become the new focus in Exchange 2010. In my last article I covered Mailbox Auditing. Something new that was added to Exchange 2010 was Admin Audit logging.

What is Admin Audit Logging? “You can use administrator audit logging in Microsoft Exchange Server 2010 to record actions taken by a user or administrator that make changes in your organization. By keeping a log of the changes, you can trace a change to the person who made it. You can also augment your change logs with detailed records of the change as it was implemented, use the records to comply with regulatory requirements and requests for discovery, and so on.”

By default Admin Audit logging is enabled and auditing your administrators actions in Exchange 2010. What if you wanted to generate a report on it, how would you handle this? Below is a sample script I use for this purpose:

# Load the Exchange PowerShell SnapIns in case this is run on a non Exchange Server
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 # Adds the Exchange 2010 Snapin

#Set date parameters for the scripts
$Days = "14" #How many days history of the log file do you want to send?
$now = (Get-Date).ToString("MM-dd-yyyy") # Today's date 
$StartDate = ((Get-Date).AddDays(-$Days).ToString("MM-dd-yyyy")) # Start date for search

# Configure path locations
$serverpath = "\\servername\sharename\" #remote path to copy the XML file to
$localpath = "C:\Scripts\exchangelogging\" #local working directory where the XML file will initially be exported to
$xmlfile = "MailboxAdminAuditLog" + $now + ".xml"
 
$localfile = $localpath + $xmlfile
 
$subject = "Exchange Admin Audit Log " + $now
$recipients = "<IT Admin email address>"
 
$body = "The latest Exchange Admin Audit Log is now available at: " + $serverpath + $xmlfile
 
Search-AdminAuditLog -StartDate $StartDate -EndDate $now | Export-Clixml $localfile
 
copy-item $xmlfile $serverpath
 
Send-MailMessage -to $recipients -from "<IT Dept Email Address>"-SmtpServer <Valid SMTP server> -Subject $subject -Body $body
 
remove-item $localfile

So what does this script do?

  • Line 2 – Loads the Exchange 2010 PowerShell snap-in in case its needed
  • Lines 4-7 – Sets the date range with a current date and start date
  • Lines 9-12 – set paths for local and remote file storage
  • Lines 16,17 – sets subject and recipients for emailed report
  • Line 19 – Configures body of the report email
  • Line 21 – exports the audit log to a file
  • Line 23 – copies the file to the remote server location for storage
  • Line 25 – sends email out to IT admins
  • Line 27 – removes local files for cleanup

After the script is executed you are now left with an XML file to use for reviewing the information contained in the logs.

Technet Articles
http://technet.microsoft.com/en-us/library/dd335052(v=exchg.141).aspx

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s