Who used Get-Messagetrackinglog powershell command

Hi
There a simply way to know if an administrator used the command Get-Messagetrackinglog ?
I search in the Windows Event Viewer but I didn't find anything

Thank you in advance
Stéphane BoisvertTechnical analystAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Marwan OsmanCommented:
Actually you can audit using the exchange 2013 built-in audit reports who use cmdlets to change the exchange configuration, the cmdlets started with new-*** or set-*** or remove-****, but the cmdlets started with get-**** are not audited by these built-in reports.
0
Stéphane BoisvertTechnical analystAuthor Commented:
There no way to see it in the Windows Event Viewer ?
0
Marwan OsmanCommented:
No, it is not writen in the event viewer, but I am still working on how to audit the get-***

I run :

Search-AdminAuditLog -StartDate "06/01/2015 07:00" -EndDate "06/01/2015 18:00" | Sort RunDate | Format-T
able RunDate, Caller, CmdletName, CmdletParameters -AutoSize

it shows the set-cmdlets and the remove-*** ......... but unfortunately not shown the cmdlets starting with get-
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Marwan OsmanCommented:
as in the below technet article, Get- and Search- cmdlets aren't logged. Audit logging is intended to show what actions have been taken to modify objects in an Exchange organization rather than what objects have been viewed.

https://technet.microsoft.com/en-us/library/dd335144(v=exchg.150).aspx
0
Marwan OsmanCommented:
do one thing, by default exchange audit logging for all cmdlets except for get and search cmdlets, so add the Get-Messagetrackinglog into the audit logging configuration by running the below cmd:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets "*, Get-Messagetrackinglog"

after 1 hour, track something by  running Get-Messagetrackinglog ******

then run

Search-AdminAuditLog -StartDate "06/01/2015 07:00" -EndDate "06/01/2015 18:00" | Sort RunDate | Format-T
able RunDate, Caller, CmdletName, CmdletParameters -AutoSize

after modifying to the appropriate time in the above cmd and see if it will show the Get-Messagetrackinglog or not.
0
Marwan OsmanCommented:
I tried it and it doesn't audit the get- cmdlets, I return it to the default by running :

Set-AdminAuditLogConfig -AdminAuditLogCmdlets "*"

so all cmdlets running by the administrators are under auditing except the get and the search cmdlets as mentioned in the technet link mentioned in my previous comment
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Stéphane BoisvertTechnical analystAuthor Commented:
Thank you for your time and for the answer
0
Marwan OsmanCommented:
You are welcome but it was preferred to wait for another expert comment to see if we can work around the issue
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.