0

I need to look through the event logs in our exchange environment to see who gave access to certain mailboxes. I've done this on the Exchange servers that we have but still cant find the entries. Its like they have never been there.

This has lead me to ask what happens to the log entry if I install Exchange Management Console on another server/PC? Do the logs write locally instead of back to the exchange servers?

If they still write back to the Exchange Servers, how could it be possible that these log entries are not there?

Any help must gratefully received.

J Billing
  • 1

1 Answers1

0

Exchange 2010 Overview of Administrator Audit Logging
https://technet.microsoft.com/en-us/library/dd335052(v=exchg.141).aspx

"With Exchange 2010 release to manufacturing (RTM), you specify an administrator audit log mailbox. Administrator audit logging in Exchange 2010 SP1 uses a dedicated mailbox. This dedicated mailbox can't be changed or configured."

"By default, the admin audit log is enabled in Exchange Server 2010."

"By default, audit logging is configured to store audit log entries for 90 days. After 90 days, the audit log entry is deleted."

"By default, if audit logging is enabled, a log entry is created every time any cmdlet, other than a Get- or Search- cmdlet, is run."

Exchange 2010 Configure Administrator Audit Logging
https://technet.microsoft.com/en-us/library/dd335109(v=exchg.141).aspx

Exchange 2010 View Administrator Audit Logging Settings
https://technet.microsoft.com/en-us/library/dd298075(v=exchg.141).aspx

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
  • Thanks for the quick response. I've already looked there and there isn't any entry which is what surprised me. Is there any way that the log could not be written to? – J Billing Nov 28 '16 at 16:44
  • `I've already looked there`. What command are you running to view the audit entries? Have you confirmed the audit configuration settings? What are they? – Greg Askew Nov 28 '16 at 17:00