Exchange 2010 mailbox actions audit

exchange-2010

Can somebody please link me to or provide me with instructions on how to enable auditing on all Exchange 2010 mailboxes so we can view when somebody accesses a mailbox that they are not the owner of?

Additionally, what sort of performance impact will this have on an environment with 200 mailboxes? How much disk space will these logs potentially use?

Also, how can I specify exactly where I want the logs to be stored and set them to rotate after a specified amount of time?

Best Answer

Each mailbox has separate auditing options for administrators, delegates and the mailbox owner - all of which are disabled by default. You can view the various auditing properties by issuing Get-Mailbox jsmith |fl *Audit* in the Exchange Management Shell. To enable auditing on a particular mailbox, use the cmdlet Set-Mailbox jsmith -AuditEnabled $True.

To view the logs use the Search-MailboxAuditLog cmdlet, whose options are documented over on TechNet. An example cmdlet to run to view the audit logs is Search-MailboxAuditLog jsmith -LogonTypes Admin,Delegate -StartDate 1/1/2010 -EndDate 12/31/2010 -ResultSize 2000. This will restrict the selection criteria to reports for the user jsmith, only show admin and delegate actions between 1st January 2010 and 31st December 2010 with a maximum of 2000 results.

Alternatively, you can view a much more sensible and human-readable version of these logs in the Exchange Control Panel under Auditing Reports and then Run a non-owner mailbox access report.

Notice that auditing can be enabled for three access types - admin, delegate, and owner. The amount of logging that is generated will depend on which access types you audit. Obviously owner would be the most log intensive and is one you'd probably want to leave turned off.

The logs are stored in the mailbox; you have no control over where to store them, but you can set a retention limit on them to reduce the storage overhead.

Source for most of this information.
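
The steps above applied to every mailbox rather than a single one, as an added example that is not part of the original answer. It enables auditing organization-wide, sets the retention limit with `-AuditLogAgeLimit`, and lists recent non-owner activity. The 30-day retention and 7-day review window are assumed values.

```powershell
# Added example for the Exchange Management Shell (mailbox audit logging needs Exchange 2010 SP1+).
# Assumed values: 30-day retention, 7-day review window. Adjust to your policy.
$retention = '30.00:00:00'              # dd.hh:mm:ss
$since     = (Get-Date).AddDays(-7)
$now       = Get-Date

# 1. Enable auditing on every user mailbox and cap how long entries are kept.
#    Owner auditing is left at its default, so only admin and delegate
#    actions are logged, which keeps log volume down.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit $retention

# 2. Verify: list any user mailbox that is still not audited.
#    The setting is per mailbox, so mailboxes created later show up here
#    until step 1 is run again.
$all = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$all | Where-Object { -not $_.AuditEnabled } |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit

# 3. Review: pull detailed admin and delegate entries for each audited mailbox.
#    -ShowDetails requires -Identity, hence the per-mailbox loop.
$entries = foreach ($mbx in ($all | Where-Object { $_.AuditEnabled })) {
    Search-MailboxAuditLog -Identity $mbx.DistinguishedName `
        -LogonTypes Admin,Delegate -ShowDetails `
        -StartDate $since -EndDate $now -ResultSize 2000
}

# 4. Newest first: who touched whose mailbox, what they did, and where.
$entries | Sort-Object LastAccessed -Descending |
    Select-Object LastAccessed, MailboxOwnerUPN, LogonUserDisplayName,
                  LogonType, Operation, FolderPathName, OperationResult |
    Format-Table -AutoSize
```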