
Audit Logging for specific or group of mailboxes and Automatic alert using powershell script

Posted on 2018-01-12
Last Modified: 2018-01-20
I have enabled audit logging for a few mailboxes and need to know who took mailbox ownership or accessed a mailbox, via an alert mail or a daily report. I tried checking the built-in Non-owner mailbox report, but it doesn't show anything when I tried to take control with some test accounts. Is there any PowerShell script which helps to identify this and alert per day or immediately?

Appreciate your help!

Note: Customer wants to achieve it with a native tool; no third-party tool is needed.
Question by:Ganesh Kumar A
9 Comments
 
LVL 11

Expert Comment

by:Sunil Chauhan
Hi,

You can schedule the following to get the last 24 hours of audit logs.

# Build a dated report file name and export the last 24 hours of admin audit entries
$AdminAuditReportName = "Admin-Audit-Report-" + (Get-Date -f dd-MM-yy) + ".csv"
$AdminAuditlogs = Search-AdminAuditLog -StartDate ((Get-Date).AddDays(-1)) -EndDate (Get-Date)
$AdminAuditlogs | Export-Csv $AdminAuditReportName -NoTypeInformation

# Mail settings (placeholder addresses and relay)
$to = "admin@domain.com"
$from = "Admim@domain.com"
$subject = "Daily Admin Audit Logs: $(Get-Date -f dd-MM-yy)"
$smtp = "mysmtprelay.domain.com"
$body = "PFA Admin audit report attached."

# Send the CSV as an attachment
Send-MailMessage -To $to -From $from -SmtpServer $smtp -Subject $subject -Body $body -Attachments $AdminAuditReportName


0
 
LVL 2

Expert Comment

by:Naveen Sharma
Please refer to the articles below; they may point you to how to get this done:

White Paper: Configuration and Mailbox Access Auditing for Exchange:
https://technet.microsoft.com/en-us/library/ee331009%28v=exchg.80%29.aspx?f=255&MSPPError=-2147217396

Generate a Report of Mailbox Audit Log Entries for an Exchange Server Mailbox:
https://gallery.technet.microsoft.com/scriptcenter/Generate-a-Report-of-a33cde56

How to audit non-owner mailbox access in Exchange 2016:
https://www.lepide.com/blog/how-to-perform-non-owner-mailbox-access-auditing-in-exchange-2016/
0
 
LVL 12

Author Comment

by:Ganesh Kumar A
@Sunil,

I tried enabling mailbox audit for one mailbox and adjusted the script, but it didn't show any non-mailbox owner access. The Excel attachment file in the mail is empty.
0

 
LVL 11

Expert Comment

by:Sunil Chauhan
Please post the output of the Get-AdminAuditLogConfig cmd.
0
 
LVL 12

Author Comment

by:Ganesh Kumar A
[PS] C:\scripts>Get-AdminAuditLogConfig
RunspaceId                   : 6ff19904-1717-4e33-ad96-6ef4e8d72cbf
AdminAuditLogEnabled         : True
LogLevel                     : None
TestCmdletLoggingEnabled     : False
AdminAuditLogCmdlets         : {*}
AdminAuditLogParameters      : {*}
AdminAuditLogExcludedCmdlets : {}
AdminAuditLogAgeLimit        : 90.00:00:00
AdminDisplayName             :
ExchangeVersion              : 0.10 (14.0.100.0)
Name                         : Admin Audit Log Settings
DistinguishedName            : CN=Admin Audit Log Settings,CN=Global Settings,CN=MOI,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=moi,DC=net,DC=sa
Identity                     : Admin Audit Log Settings
Guid                         : 6748765e-a167-4b58-8a1a-1754d6ae6e95
ObjectCategory               : moi.net.sa/Configuration/Schema/ms-Exch-Admin-Audit-Log-Config
ObjectClass                  : {top, msExchAdminAuditLogConfig}
WhenChanged                  : 2/25/2013 1:42:05 PM
WhenCreated                  : 2/25/2013 1:06:42 PM
WhenChangedUTC               : 2/25/2013 10:42:05 AM
WhenCreatedUTC               : 2/25/2013 10:06:42 AM
OrganizationId               :
OriginatingServer            : exsvr.moi.net.sa
IsValid                      : True
ObjectState                  : Unchanged
0
 
LVL 11

Expert Comment

by:Sunil Chauhan
OK, so the admin audit logging is enabled. Do you see any results if you just run the following cmd?

Search-AdminAuditLog

Also verify the following on the user mailboxes; if auditing is enabled, you would see the attributes below populated.

SUNIL:4 >Get-Mailbox userid | fl *audit*

AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete...}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs...}
AuditOwner       : {MailboxLogin}
0
 
LVL 12

Author Comment

by:Ganesh Kumar A
I checked and found they are enabled as you stated above.

[PS] C:\scripts>Get-Mailbox hussam | fl *audit*
AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditOwner       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create}


[PS] C:\scripts>Get-Mailbox peter | fl *audit*
AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditOwner       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create}
0
 
LVL 11

Expert Comment

by:Sunil Chauhan
Then you are all set for admin audit. Make some changes to the objects and then run Search-AdminAuditLog.
0
 
LVL 12

Author Comment

by:Ganesh Kumar A
I have already made changes many times, but it didn't work; the report is still empty.
0
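
An added example, not part of any post in this thread and not the participants' code: Search-AdminAuditLog returns records of management cmdlets that were run, while the entries produced by the per-mailbox AuditAdmin and AuditDelegate settings shown above are read with Search-MailboxAuditLog. The script below builds a 24-hour report from both logs; the mailbox names are the ones shown in the thread, and the mail addresses, SMTP relay and file names are placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Addresses, relay and file names below are placeholders (assumptions).
$mailboxes = 'hussam', 'peter'            # audited mailboxes named in the thread
$start     = (Get-Date).AddDays(-1)
$end       = Get-Date
$stamp     = Get-Date -Format 'dd-MM-yy'

# 1) Non-owner access: entries written because of the mailbox audit settings
#    (AuditAdmin / AuditDelegate). -ShowDetails requires -Identity, so loop.
$access = foreach ($mbx in $mailboxes) {
    Search-MailboxAuditLog -Identity $mbx -LogonTypes Admin, Delegate `
        -StartDate $start -EndDate $end -ShowDetails -ResultSize 5000 |
    Select-Object LastAccessed, MailboxOwnerUPN, LogonUserDisplayName,
        LogonType, Operation, OperationResult, FolderPathName, ClientIPAddress
}

# 2) Permission grants: who ran Add-MailboxPermission (admin audit log).
$grants = Search-AdminAuditLog -Cmdlets Add-MailboxPermission `
        -StartDate $start -EndDate $end |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
        @{ n = 'Parameters'; e = { ($_.CmdletParameters |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } }

# Export only the result sets that contain rows.
$files = @()
if ($access) {
    $f = "Mailbox-NonOwner-Access-$stamp.csv"
    $access | Export-Csv $f -NoTypeInformation
    $files += $f
}
if ($grants) {
    $f = "Mailbox-Permission-Grants-$stamp.csv"
    $grants | Export-Csv $f -NoTypeInformation
    $files += $f
}

# Send mail only when there is something to report, so an empty day stays quiet.
if ($files) {
    Send-MailMessage -To 'admin@domain.com' -From 'audit@domain.com' `
        -SmtpServer 'mysmtprelay.domain.com' `
        -Subject "Mailbox audit report: $stamp" `
        -Body "Non-owner access rows: $(@($access).Count); permission grants: $(@($grants).Count)." `
        -Attachments $files
}
```

Scheduled once a day this gives the daily report; run on a shorter interval with a matching `$start` window it works as a near-immediate alert.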
