
Exchange Server Forums


How to audit specific cmdlets for specific user-ID using set-AdminAuditLogConfig?

How to audit specific cmdlets for specific user-ID usin... - 24.Apr.2014 11:56:05 PM   
asadz

 

I'm getting mail-exchange admin audit logs. The steps I performed are:

Step 1

Set-AdminAuditLogConfig -AdminAuditLogCmdlets *

Step 2

Set-AdminAuditLogConfig -AdminAuditLogParameters *

Step 3

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

Step 4

Search-AdminAuditLog -StartDate 01/22/2014 -EndDate 04/23/2014 -ResultSize Unlimited | Export-Csv "c:\test-Admin-Audit-Results.csv"

On output I'm very confused, because in the caller column I'm getting user IDs other than admins, normal users as well. For example:
The caller column for one row is mydomain/Users/nadmin
The caller for another row would be mydomain/Users/john

The cmdlet names for the non-admin entries would be, e.g.:

Enable-Mailbox
Set-MailboxMessageConfiguration

The point of confusion is that I thought extracting mail-admin audit logs would ONLY produce events/actions for user nadmin. Why does it bring non-admin user activities? Is it because of how I supplied the configuration parameters? Secondly, is it not possible to define what needs to get audited using Set-AdminAuditLogConfig, but only for a separate audit role? The reason is that if I change the settings, it will only limit audit logging to certain cmdlets. I want a role, e.g. security auditor, who is auditing x number of cmdlets for y user, while the other cmdlets (the ones not important for audit) can be kept in the original role of MS Exchange admin without any interruption. Can such a thing be achieved?

As a workaround, I'm currently extracting with the search command to bring me logs for userid admin. Please suggest.
Post #: 1
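
Admin audit logging is configured organization-wide, so the log records the configured cmdlets no matter who ran them; Set-AdminAuditLogConfig has no per-user setting, and scoping to one caller is done at search time. As an added example that is not part of the original post, the script below returns only the cmdlets of interest for one caller using the -UserIds and -Cmdlets filters of Search-AdminAuditLog and flattens the parameters for CSV. The sample entries and the output file name are constructed.

```powershell
# Added example, not from the original post. Caller, cmdlet names and dates
# repeat the post's values; the output file name is hypothetical.
$watchCallers = @('nadmin')
$watchCmdlets = @('Enable-Mailbox', 'Set-MailboxMessageConfiguration')

function ConvertTo-AuditRow {
    # Flatten one audit entry into a CSV-friendly row. CmdletParameters is a
    # collection of Name/Value pairs, which Export-Csv would otherwise write
    # as a type name rather than the values that were passed.
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $params = $Entry.CmdletParameters |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
        [pscustomobject]@{
            RunDate        = $Entry.RunDate
            Caller         = $Entry.Caller
            CmdletName     = $Entry.CmdletName
            ObjectModified = $Entry.ObjectModified
            Succeeded      = $Entry.Succeeded
            Parameters     = $params -join '; '
        }
    }
}

if (Get-Command Search-AdminAuditLog -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: let the server filter by caller and cmdlet.
    $entries = Search-AdminAuditLog -StartDate '01/22/2014' -EndDate '04/23/2014' `
        -UserIds $watchCallers -Cmdlets $watchCmdlets -ResultSize 250000
} else {
    # Constructed sample entries so the script also runs outside Exchange.
    $sample = @(
        [pscustomobject]@{ RunDate = '2014-03-01'; Caller = 'mydomain/Users/nadmin'
            CmdletName = 'Enable-Mailbox'; ObjectModified = 'jsmith'; Succeeded = $true
            CmdletParameters = @([pscustomobject]@{ Name = 'Identity'; Value = 'jsmith' }) }
        [pscustomobject]@{ RunDate = '2014-03-02'; Caller = 'mydomain/Users/john'
            CmdletName = 'Set-MailboxMessageConfiguration'; ObjectModified = 'john'; Succeeded = $true
            CmdletParameters = @([pscustomobject]@{ Name = 'Identity'; Value = 'john' }) }
    )
    # Same scoping done locally: keep rows whose caller and cmdlet are watched.
    $entries = $sample | Where-Object {
        ($_.Caller -split '/')[-1] -in $watchCallers -and
        $_.CmdletName -in $watchCmdlets
    }
}

$entries | ConvertTo-AuditRow |
    Export-Csv -Path '.\nadmin-cmdlet-audit.csv' -NoTypeInformation
```

With the constructed sample, only the nadmin / Enable-Mailbox row reaches the CSV; the john row is dropped by the caller filter.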
