Administrator audit log structure in Exchange Server
Administrator audit logs contain a record of all the cmdlets and parameters that have been run in the Exchange Management Shell and by the Exchange admin center (EAC). They're created on-demand when you run the admin audit log report in the EAC, or when you run the New-AdminAuditLogSearch cmdlet in the Exchange Management Shell. For more information about audit logs, see Administrator audit logging in Exchange Server.
Audit log XML tags and attributes
The audit logs are XML files and can contain multiple audit log entries. The following table describes each XML tag and its associated attributes.
| Element | Attribute | Description |
|---|---|---|
<?xml version="1.0" encoding="utf-8"?> |
N/A | This is the XML document declaration tag. It's included in every audit log XML file and contains the XML version number and the character encoding value. |
SearchResults |
N/A | This tag contains all the audit log entries in the XML file. The Event tag is a child of this tag. There is only one SearchResults tag per XML file. |
Event |
This tag contains the audit log entry for an individual cmdlet. This tag contains the Caller, Cmdlet, ObjectModified, RunDate, Succeeded, Error, and OriginatingServer attributes. The CmdletParameters and ModifiedProperties tags are children of this tag. There is one Event tag per audit log entry. |
|
Caller |
This attribute contains the user account of the user who ran the cmdlet in the Cmdlet attribute. |
|
Cmdlet |
This attribute contains the name of the cmdlet that was run by the user in the Caller attribute. |
|
ObjectModified |
This attribute contains the object that was modified by the cmdlet specified in the Cmdlet attribute. The ModifiedProperties tag shows which properties were modified on this object. |
|
RunDate |
This attribute contains the date and time when the cmdlet in the Cmdlet attribute was run. |
|
Succeeded |
This attribute specifies whether the cmdlet in the Cmdlet attribute ran successfully. The value is either True or False. |
|
Error |
This attribute contains the error message generated if the cmdlet in the Cmdlet attribute failed to complete successfully. If no error was encountered, the value is set to None. |
|
OriginatingServer |
This attribute contains the server on which the cmdlet specified in the Cmdlet attribute was run. |
|
CmdletParameters |
N/A | This tag contains all of the parameters specified when the cmdlet was run. The Parameter tag is a child of this tag. There is one CmdletParameters tag per Event tag. |
Parameter |
This tag contains an individual parameter that was specified when the cmdlet was run. This tag contains the Name and Value attributes. There can be multiple Parameter tags per CmdletParameters tag. |
|
Name |
This attribute contains the name of the parameter that was specified on the cmdlet that was run. | |
Value |
This attribute contains the value that was provided on the parameter specified in the Name attribute. |
|
ModifiedProperties |
N/A | This tag contains all of the properties that were modified by the cmdlet that was run. The Property tag is a child of this tag. There is one ModifiedProperties tag per Event tag. Important: This tag is only populated if the LogLevel parameter on the Set-AdminAuditLogConfig cmdlet is set to Verbose. |
Property |
This tag contains an individual property that was specified when the cmdlet was run. This tag contains the Name, OldValue, and NewValue attributes. There can be multiple Property tags per ModifiedProperties tag. |
|
Name |
This attribute contains the name of the property that was modified when the cmdlet was run. | |
OldValue |
This attribute contains the value that was contained in the property specified in the Name attribute before it was changed. |
|
NewValue |
This attribute contains the value that the property in the Name attribute was changed to. |
Example of an admin audit log entry
The following is an example of a typical log entry in the admin audit log.
<?xml version="1.0" encoding="utf-8"?>
<SearchResults>
<Event Caller="corp.e16.contoso.com/Users/Administrator" Cmdlet="Set-Mailbox" ObjectModified="corp.e16.contoso.com/Users/david" RunDate="2015-10-18T15:48:15-07:00" Succeeded="true" Error="None" OriginatingServer="WIN8MBX (15.01.0396.030)">
<CmdletParameters>
<Parameter Name="Identity" Value="david" />
<Parameter Name="ProhibitSendReceiveQuota" Value="10 GB (10,737,418,240 bytes)" />
</CmdletParameters>
<ModifiedProperties>
<Property Name="ProhibitSendReceiveQuota" OldValue="35 GB (37,580,963,840 bytes)" NewValue="10 GB (10,737,418,240 bytes)" />
</ModifiedProperties>
</Event>
</SearchResults>
Based on the information in this log entry, we know the following occurred:
On 10/18/2017 at 3:48 P.M. Pacific Daylight Time (UTC-7), the user
Administratorran the cmdlet Set-Mailbox.The two following parameters were provided when the Set-Mailbox cmdlet was run:
Identity with a value of
davidProhibitSendReceiveQuota with a value of
10GB
The ProhibitSendReceiveQuota property on the object
davidwas modified with a new value of10GB, which replaced the old value of35GB.Note
The modified properties are saved to the audit log because the LogLevel parameter on the
Set-AdminAuditLogConfigcmdlet was set toVerbosein this example.The operation completed successfully without any errors.