Search-AdminAuditLog does not produce any output

Question

Hello!

I'tried to search AdminAudit log - right after setting it to Verbose log level

Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 180.00:00:00 -LogLevel Verbose

...but the command Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -UserIds ******@contoso1.net returned nothing:

EMS does not display any activity either:

What am I doing wrong here? Isn't Admin Auditing enabled by default in Exchange 2019?

Thank you in advance,
Michael

Answer 1

Hi @Mikhail Firsov ,

Isn't Admin Auditing enabled by default in Exchange 2019?

By default, administrator audit logging is enabled in new installations of Exchange Server. Have you changed the default configuration, could you please provide the complete results for cmdlets Get-AdminAuditLogConfig?

Suggestions:

Please verify your admin user assigned permissions, required Organization Management or Records Management:

Exchange infrastructure and PowerShell permissions | Microsoft Learn

A command may take up to 15 minutes after it's run to appear in audit log search results. Wait a few minutes and run the search again. I did the test, and the command was not recorded right away.

Make sure you have installed at least Cumulative Update 12 for Exchange Server 2019 and check the language format for system accounts. Please refer to the following workaround:

Search-AdminAuditLog and Search-MailboxAuditLog with parameters return empty results - Exchange | Microsoft Learn

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi Jarvis Sun-MSFT,

"Have you changed the default configuration," - no, I haven't:

CU12 is installed.

I'm trying to search the log under account which is the member of both Organization Management and Records Management role groups.

Answer 3

P.S.

Exchange does log some administrative actions - even the ones conducted by NT Authority\System - not only by "administrator or user..." as per the MS article

(you can use administrator audit logging in Exchange Server to log when a user or administrator makes a change in your organization.)

It means that Update-OfflineAddressBook cmdlet was audited while the Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 180.00:00:00 -LogLevel Verbose was not - that's really weird because according to MS:

1)

"Important

Changes to the administrator audit log configuration are always logged, regardless of whether the Set-AdminAuditLogConfig cmdlet is included in the list of cmdlets being audited or whether audit logging is enabled or disabled."

2)

"By default, when admin audit logging is enabled, a log entry is created every time any cmdlet is run."

?

Answer 4

One more test:

Mailbox auditing

1. Set-Mailbox ******@contoso1.net -AuditEnabled $true
2. Set-Mailbox -Identity ******@contoso1.net -AuditOwner @{add=’SoftDelete,HardDelete’}
3. Delete a message from Deleted Items folder

4 ) Search-MailboxAuditLog -Identity "******@contoso1.net" -ShowDetails

... so does auditing in Exchange 2019 really work???

Answer 5

Hi @Mikhail Firsov ,

Have you tried the above comments by Andy and checked your system language format?

What about the cmdlet **Search-AdminAuditLog -Cmdlets Set-Mailbox -UserIds ****@contoso1.net?

Given your situation, since my Exchange 2019 environment is similar with yours and have no trouble to reproduce your problem. Thanks for your understanding.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.