Use Audit Logging to Record User Actions

 

Applies to: Office 365 for professionals and small businesses, Office 365 for enterprises, Live@edu

Topic last modified: 2011-03-19

 

Audit logging records specific actions performed by specific users. Administrators can use it to maintain a record of all changes that are made to recipient objects. Audit logging may help your organisation comply with regulatory and legal requirements. By carefully configuring the scope of audit logging, you can control exactly which actions are logged, thus making the audit logs easier to review and manage.

In this topic, we cover the following:

Which actions are logged?

By default, any action that is based on a Windows PowerShell cmdlet and doesn't begin with the verbs Get or Test is logged. The action doesn't have to be performed directly in Windows PowerShell. All actions in the Exchange Control Panel and in Outlook Web App > Options are built on top of Windows PowerShell cmdlets. So whenever a user uses Windows PowerShell, the Exchange Control Panel or Outlook Web App > Options to perform any action that creates, modifies or deletes an object, the action is logged.

How are user actions logged?

The audit logging data are stored in email messages that are sent to an auditing mailbox. When a user performs an action that is logged, an email message is sent to the mailbox you've specified as the auditing mailbox, where the audit logs are stored. If an action involves more than one cmdlet, each cmdlet is logged in a separate email. If the same cmdlet is used on multiple objects, each object is logged in a separate email.

As you plan your audit logging strategy, be sure to figure out how you want to archive the audit log emails that are sent to the auditing mailbox. The mailbox quota, or maximum allowable size of a mailbox, is 10 GB, but the email service stops delivering email to a mailbox when it reaches the size specified by the Prohibit receive limit, which is 9.668 GB. For this reason, if you are running Outlook Live Directory Sync (OLSync), you shouldn't run audit logging without carefully configuring it to reduce the scope of user actions that it logs. Otherwise, the auditing mailbox may quickly fill up with audit log emails.

To view the audit logs, you can use any email client, such as Microsoft Office Outlook or Microsoft Office Outlook Web App, to access the auditing mailbox you've specified.

Each email message contains the following information.

 

Item Description

Message subject

The subject of the email message uses the format <Caller> : <Cmdlet Name>. Caller is the user account used to run the cmdlet. Cmdlet Name is the name of the cmdlet run by the user.

Cmdlet Name

The name of the cmdlet that was run by the user. Each email message should contain only one value for Cmdlet Name.

Object Modified

The name of the object that was modified by the cmdlet. Each email message should contain only one value for Object Modified.

Parameter

The parameters that were used with the cmdlet, and the values that were specified for the parameters. If more than one parameter was used, multiple Parameter fields are shown.

Property Modified

The names of the properties that were modified, and the values of the modified properties. If more than one property was modified, multiple Property Modified fields are shown.

Caller

The user account used to run the cmdlet.

The caller is expressed as a security identifier (SID). To map the SID to a specific user, run the following command:

Get-User <SID>

For example, if the SID S-1-5-21-2509217035-2741517866-3256245913-3907 is listed as the Caller, run the following command in Windows PowerShell to determine the user name that corresponds to the SID:

Get-User S-1-5-21-2509217035-2741517866-3256245913-3907

Succeeded

Specifies whether the cmdlet ran successfully. The value is either True or False.

Error

The error message that was generated if the cmdlet failed to complete successfully. If the cmdlet completed successfully, the value is None.

Run Date

Shows the date and time when the cmdlet was run. The date and time are stored in Coordinated Universal Time (UTC).
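
To review these messages in bulk rather than one at a time, each message can be turned into an object with one property per field. The following is an added example, not code from the original page or from Microsoft; the function name ConvertFrom-AuditLogMessage, the "Field: value" body layout, the Run Date format and the sample message are assumptions constructed for illustration.

```powershell
function ConvertFrom-AuditLogMessage {
    param(
        [Parameter(Mandatory = $true)][string]$Subject,
        [Parameter(Mandatory = $true)][string]$Body
    )
    # Parameter and Property Modified may repeat; every other field appears once.
    $fields = @{ 'Parameter' = @(); 'Property Modified' = @() }
    foreach ($line in ($Body -split '\r?\n')) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $name, $value = $Matches[1], $Matches[2].Trim()
            if ($fields[$name] -is [array]) { $fields[$name] += $value }
            else { $fields[$name] = $value }
        }
    }
    # Subject format from the table: <Caller> : <Cmdlet Name>
    $caller, $cmdlet = $Subject -split '\s+:\s+', 2
    $utc = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    [pscustomobject]@{
        Caller             = $fields['Caller']
        Cmdlet             = $fields['Cmdlet Name']
        ObjectModified     = $fields['Object Modified']
        Parameters         = $fields['Parameter']
        PropertiesModified = $fields['Property Modified']
        Succeeded          = $fields['Succeeded'] -eq 'True'
        Error              = $fields['Error']
        RunDateUtc         = [datetime]::Parse($fields['Run Date'], [cultureinfo]::InvariantCulture, $utc)
        # A subject that disagrees with the body deserves a closer look.
        SubjectMatchesBody = ($caller -eq $fields['Caller']) -and ($cmdlet -eq $fields['Cmdlet Name'])
        # Default scope: every cmdlet whose verb is not Get or Test.
        LoggedByDefault    = $fields['Cmdlet Name'] -notmatch '^(Get|Test)-'
    }
}
# Constructed sample message (assumed layout); the SID is the one used in the example above.
$subject = 'S-1-5-21-2509217035-2741517866-3256245913-3907 : Set-Mailbox'
$body = @'
Cmdlet Name: Set-Mailbox
Object Modified: jsmith
Parameter: Identity = jsmith
Parameter: ProhibitSendQuota = 9GB
Property Modified: ProhibitSendQuota = 9GB
Caller: S-1-5-21-2509217035-2741517866-3256245913-3907
Succeeded: True
Error: None
Run Date: 2011-03-19T14:05:22
'@
$entry = ConvertFrom-AuditLogMessage -Subject $subject -Body $body
$entry | Format-List
# In an Exchange session, resolve the caller with: Get-User $entry.Caller
```

Objects produced this way can be filtered on Succeeded, Caller or Cmdlet, which makes failed or unexpected changes easier to spot than reading the mailbox message by message.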

View the audit logging settings

Run the following command:

Get-AdminAuditLogConfig
