Search-AdminAuditLog does not produce any output

Mikhail Firsov 1,881 Reputation points
2023-06-20T14:05:08.4733333+00:00

Hello!

I tried to search the AdminAudit log right after setting it to Verbose log level:

Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 180.00:00:00 -LogLevel Verbose


...but the command Search-AdminAuditLog -Cmdlets Set-AdminAuditLogConfig -UserIds ******@contoso1.net returned nothing.

EMS does not display any activity either:


What am I doing wrong here? Isn't Admin Auditing enabled by default in Exchange 2019?

Thank you in advance,
Michael

Exchange | Exchange Server | Other
Exchange | Exchange Server | Management

7 answers

  1. Jarvis Sun-MSFT 10,231 Reputation points Microsoft External Staff
    2023-06-21T03:27:27.91+00:00

    Hi @Mikhail Firsov ,

    "Isn't Admin Auditing enabled by default in Exchange 2019?"

    By default, administrator audit logging is enabled in new installations of Exchange Server. Have you changed the default configuration? Could you please provide the complete results of the Get-AdminAuditLogConfig cmdlet?

    Suggestions:

    Please verify your admin user's assigned permissions; Organization Management or Records Management is required:

    Exchange infrastructure and PowerShell permissions | Microsoft Learn

    A command may take up to 15 minutes after it's run to appear in audit log search results. Wait a few minutes and run the search again. I did the test, and the command was not recorded right away.


    Make sure you have installed at least Cumulative Update 12 for Exchange Server 2019 and check the language format for system accounts. Please refer to the following workaround:

    Search-AdminAuditLog and Search-MailboxAuditLog with parameters return empty results - Exchange | Microsoft Learn


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
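
Added example (not part of the original thread or of Microsoft's documentation): the checks suggested in the answer above, collected into one Exchange Management Shell script. It also runs an unfiltered search and filters client-side, so an empty result from the parameterized search can be told apart from an entry that was never written. The 24-hour window and the result size of 5000 are assumptions.

```powershell
# Added example; run in the Exchange Management Shell.
$Cmdlet = 'Set-AdminAuditLogConfig'   # cmdlet whose audit entry is expected
$Start  = (Get-Date).AddHours(-24)    # assumed search window; widen as needed

# 1. Confirm auditing is enabled and which cmdlets/parameters are in scope.
Get-AdminAuditLogConfig |
    Format-List AdminAuditLogEnabled, LogLevel, AdminAuditLogCmdlets,
                AdminAuditLogParameters, AdminAuditLogAgeLimit

# 2. List the members of the role groups that are allowed to search the log.
foreach ($group in 'Organization Management', 'Records Management') {
    Get-RoleGroupMember -Identity $group |
        Select-Object @{ Name = 'RoleGroup'; Expression = { $group } }, Name
}

# 3. Entries can take up to 15 minutes to become searchable, so poll once a
#    minute. Each pass runs the server-side filtered search and an unfiltered
#    search that is then filtered locally on CmdletName.
$deadline = (Get-Date).AddMinutes(15)
do {
    $End      = Get-Date
    $filtered = @(Search-AdminAuditLog -Cmdlets $Cmdlet -StartDate $Start -EndDate $End)
    $all      = @(Search-AdminAuditLog -StartDate $Start -EndDate $End -ResultSize 5000)
    $local    = @($all | Where-Object { $_.CmdletName -eq $Cmdlet })
    if ($filtered.Count -gt 0 -or $local.Count -gt 0) { break }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

# 4. Interpret the two result sets.
if ($filtered.Count -gt 0) {
    # Normal case: the parameterized search works.
    $filtered | Sort-Object RunDate |
        Select-Object RunDate, Caller, CmdletName, Succeeded
}
elseif ($local.Count -gt 0) {
    # The entry exists, but the search with -Cmdlets returns nothing: this
    # matches the "empty results with parameters" article linked above.
    Write-Warning "$Cmdlet is logged, but the filtered search returned nothing."
    $local | Sort-Object RunDate |
        Select-Object RunDate, Caller, CmdletName, Succeeded
}
else {
    # Nothing in either result set after the latency window.
    Write-Warning "No $Cmdlet entry found between $Start and $End ($($all.Count) entries scanned)."
}
```
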


  2. Mikhail Firsov 1,881 Reputation points
    2023-06-21T14:14:47.7066667+00:00

    Hi Jarvis Sun-MSFT,

    "Have you changed the default configuration," - no, I haven't.

    CU12 is installed.

    I'm trying to search the log under an account which is a member of both the Organization Management and Records Management role groups.


  3. Mikhail Firsov 1,881 Reputation points
    2023-06-22T13:48:09.5266667+00:00

    P.S.

    Exchange does log some administrative actions - even the ones conducted by NT Authority\System - not only by "administrator or user..." as per the MS article

    (you can use administrator audit logging in Exchange Server to log when a user or administrator makes a change in your organization.)

    It means that the Update-OfflineAddressBook cmdlet was audited while Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 180.00:00:00 -LogLevel Verbose was not - that's really weird because according to MS:

    1)

    "Important

    Changes to the administrator audit log configuration are always logged, regardless of whether the Set-AdminAuditLogConfig cmdlet is included in the list of cmdlets being audited or whether audit logging is enabled or disabled."

    2)

    "By default, when admin audit logging is enabled, a log entry is created every time any cmdlet is run."

    ?


  4. Mikhail Firsov 1,881 Reputation points
    2023-06-23T11:11:31.6833333+00:00

    One more test:

    Mailbox auditing

    1. Set-Mailbox ******@contoso1.net -AuditEnabled $true
    2. Set-Mailbox -Identity ******@contoso1.net -AuditOwner @{add='SoftDelete,HardDelete'}
    3. Delete a message from Deleted Items folder
    4. Search-MailboxAuditLog -Identity "******@contoso1.net" -ShowDetails

    ... so does auditing in Exchange 2019 really work???


  5. Jarvis Sun-MSFT 10,231 Reputation points Microsoft External Staff
    2023-06-27T08:43:56.11+00:00

    Hi @Mikhail Firsov ,

    Have you tried the above comments by Andy and checked your system language format?

    What about the cmdlet Search-AdminAuditLog -Cmdlets Set-Mailbox -UserIds ****@contoso1.net?


    Given your situation, since my Exchange 2019 environment is similar to yours and have no trouble to reproduce your problem. Thanks for your understanding.


