Auditing is enabled on a per-mailbox basis, and the auditing files are stored in the "Recoverable Items Folder" under "Auditing." They can be accessed via EMS or ECP.
There are three types of logging:
- "Administrative", which records events such as the movement of mailboxes, imports and exports of PSTs and so on.
- "Owner", which records events invoked by the owner of the mailbox, for example deleting an item from the mailbox.
- "Delegates", which records the events of users who have "Send as" or "Full Permissions" to the mailbox.
In order to enable auditing on a mailbox we can use EMS:
Set-Mailbox user1 -AuditEnabled $true
We can then assign the log types (Administrative, Owner, Delegates) and choose exactly what we want to monitor. The following options are available (although not all are applicable to each logging type):
Copy, Create, FolderBind, HardDelete, MessageBind, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update.
For this example we will enable "Move" and "Copy" events on the Administrative audit type (i.e. any administrators who move or copy the user's mail will be logged):
Set-Mailbox -Identity "Joe Bloggs" -AuditAdmin Move,Copy
** NOTE: In order for an administrator to review the audit logs they MUST be a member of the Records Management security group as well as the Organization Management group. **
We can confirm the audit settings for a user's mailbox with EMS:
Get-Mailbox user1 | FL Name, Audit*
You can also use EMC to search audit logs, but for simplicity's sake we can also use ECP by going to:
"Compliance Management" >> "Auditing" >> "Export mailbox audit logs"
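The steps above can be turned into a repeatable check. The following is an added example, not part of the original post: it reports mailboxes whose audit settings fall short of the Move/Copy administrator baseline used here, closes the gaps, and then reviews the logged events. The variables $requiredAdminActions and $preview and the seven-day window are assumptions chosen for illustration.

```powershell
# Added example: run in the Exchange Management Shell (EMS).
# Assumptions: the baseline is the post's Move/Copy example; $preview and
# the seven-day review window are illustrative choices.
$requiredAdminActions = 'Move', 'Copy'
$preview = $true   # set to $false to apply the changes instead of previewing them

# 1. Find mailboxes where auditing is off or a required admin action is missing.
$gaps = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx     = $_
    $current = @($mbx.AuditAdmin | ForEach-Object { "$_" })
    $missing = @($requiredAdminActions | Where-Object { $current -notcontains $_ })
    if (-not $mbx.AuditEnabled -or $missing.Count -gt 0) {
        [pscustomobject]@{
            Identity     = $mbx.Identity
            AuditEnabled = $mbx.AuditEnabled
            Missing      = $missing
        }
    }
}
$gaps | Format-Table Identity, AuditEnabled,
    @{ n = 'MissingAdmin'; e = { $_.Missing -join ',' } } -AutoSize

# 2. Close the gaps. @{Add=...} appends to the existing AuditAdmin list;
#    passing a plain list (as in the post's command) replaces the list.
foreach ($gap in $gaps) {
    Set-Mailbox -Identity $gap.Identity -AuditEnabled $true -WhatIf:$preview
    if ($gap.Missing.Count -gt 0) {
        Set-Mailbox -Identity $gap.Identity -AuditAdmin @{ Add = $gap.Missing } -WhatIf:$preview
    }
}

# 3. Review what administrators moved or copied in one mailbox over the
#    last seven days (needs the group memberships from the NOTE above).
Search-MailboxAuditLog -Identity "Joe Bloggs" -LogonTypes Admin -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { $requiredAdminActions -contains $_.Operation } |
    Select-Object LastAccessed, Operation, LogonUserDisplayName, FolderPathName, ItemSubject
```

Run it once with $preview left at $true to see which mailboxes would change before applying anything.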