Mailbox Auditing and Audit Log Retrieval

Scenario: You want to enable mailbox auditing on a mailbox and log all actions performed by Admins, Delegates, and Owners. You also want to retrieve the audit entries in an easy-to-read format.

Enable Auditing on a Mailbox: By default, mailbox auditing is disabled, but the audit options are already pre-set for Admin and Delegates. You will need to enable mailbox auditing and also set the actions to audit for the owner of the mailbox by running this command:

Set-Mailbox testuser1 -AuditEnabled $true -AuditOwner Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,Create

To view the audit status for a mailbox:

Get-Mailbox testuser1 | FL *Audit*

 

View Audit Log entries

To view the log entries for an audited mailbox, you can run the following script.

#Edit the following Variables
$Mailbox = "testuser1"      #Mailbox that has Auditing Enabled
$hours = 48                 #Number of hours to search back
$myDir = "C:\temp"          #Folder for the CSV and HTML output
$mailto = "steve@domain.com"
$MailFrom = "steve@domain.com"
$MailServer = "smtp.domain.com"

#Static Variables
$reportemailsubject = "Mailbox Audit Logs for $mailbox in last $hours hours."
$rawfile = "$myDir\AuditLogEntries.csv"
$htmlfile = "$myDir\AuditLogEntries.html"
#Splatted parameters for Send-MailMessage
$smtpsettings = @{
    To = $MailTo
    From = $MailFrom
    Subject = $reportemailsubject
    SmtpServer = $MailServer
}

Write-Host "Searching $mailbox for last $hours hours."
#Initialise the report as an array so that += appends rows
$report = @()
#Wrap the result in @() so that .Count is reliable when a single entry is returned
$auditlogentries = @(Search-MailboxAuditLog -Identity $mailbox -LogonTypes 'Delegate','Owner','Admin' -StartDate (Get-Date).AddHours(-$hours) -ShowDetails)
if ($auditlogentries.Count -gt 0)
{
    Write-Host "Writing raw data to $rawfile"
    $auditlogentries | Export-CSV $rawfile -NoTypeInformation -Encoding UTF8
    foreach ($entry in $auditlogentries)
    {
        $reportObj = New-Object PSObject
        $reportObj | Add-Member NoteProperty -Name "Mailbox" -Value $entry.MailboxResolvedOwnerName
        $reportObj | Add-Member NoteProperty -Name "Mailbox UPN" -Value $entry.MailboxOwnerUPN
        $reportObj | Add-Member NoteProperty -Name "Timestamp" -Value $entry.LastAccessed
        $reportObj | Add-Member NoteProperty -Name "Audit Logon Type" -Value $entry.LogonType
        $reportObj | Add-Member NoteProperty -Name "Accessed By" -Value $entry.LogonUserDisplayName
        $reportObj | Add-Member NoteProperty -Name "Operation" -Value $entry.Operation
        $reportObj | Add-Member NoteProperty -Name "Result" -Value $entry.OperationResult
        $reportObj | Add-Member NoteProperty -Name "Folder" -Value $entry.FolderPathName
        if ($entry.ItemSubject)
        {
            $reportObj | Add-Member NoteProperty -Name "Subject Lines" -Value $entry.ItemSubject
        }
        else
        {
            $reportObj | Add-Member NoteProperty -Name "Subject Lines" -Value $entry.SourceItemSubjectsList
        }
        $report += $reportObj
    }
    $htmlbody = $report | ConvertTo-Html -Fragment
    $htmlhead = "<html>
    <style>
    BODY{font-family: Arial; font-size: 8pt;}
    H1{font-size: 22px; font-family: 'Segoe UI Light','Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif;}
    H2{font-size: 18px; font-family: 'Segoe UI Light','Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif;}
    H3{font-size: 16px; font-family: 'Segoe UI Light','Segoe UI','Lucida Grande',Verdana,Arial,Helvetica,sans-serif;}
    TABLE{border: 1px solid black; border-collapse: collapse; font-size: 8pt;}
    TH{border: 1px solid #969595; background: #dddddd; padding: 5px; color: #000000;}
    TD{border: 1px solid #969595; padding: 5px; }
    td.pass{background: #B7EB83;}
    td.warn{background: #FFF275;}
    td.fail{background: #FF2626; color: #ffffff;}
    td.info{background: #85D4FF;}
    </style>
    <body>
    <p>Report of mailbox audit log entries for $mailbox in the last $hours hours.</p>"
    $htmltail = "</body></html>"
    $htmlreport = $htmlhead + $htmlbody + $htmltail
    Write-Host "Writing report data to $htmlfile"
    $htmlreport | Out-File $htmlfile -Encoding UTF8
    Write-Host "Sending email"
    Send-MailMessage @smtpsettings -Body $htmlreport -BodyAsHtml -Encoding ([System.Text.Encoding]::UTF8) -Attachments $rawfile
}

Write-Host "Finished."
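
One way to triage the exported CSV, added here as an example and not part of the original script: it keeps only Delegate and Admin entries for delete-type operations and summarizes them per accessing account. The sample rows are constructed, the function name Get-NonOwnerDestructiveSummary is hypothetical, and the column names are the audit entry properties the report script above reads.

```powershell
# Constructed sample rows for illustration. Against real data, use:
#   $entries = Import-Csv "C:\temp\AuditLogEntries.csv"
$entries = @'
MailboxOwnerUPN,LastAccessed,LogonType,LogonUserDisplayName,Operation,OperationResult,FolderPathName,ItemSubject
testuser1@domain.com,2024-01-10 09:02:11,Owner,Test User1,MoveToDeletedItems,Succeeded,\Inbox,Lunch plans
testuser1@domain.com,2024-01-10 22:41:03,Delegate,Example Delegate,HardDelete,Succeeded,\Inbox,Invoice 1001
testuser1@domain.com,2024-01-10 22:41:09,Delegate,Example Delegate,HardDelete,Succeeded,\Sent Items,Invoice 1001
testuser1@domain.com,2024-01-10 22:43:30,Delegate,Example Delegate,SoftDelete,Failed,\Inbox,Payment reminder
testuser1@domain.com,2024-01-11 08:15:47,Admin,Example Admin,Move,Succeeded,\Inbox,Newsletter
testuser1@domain.com,2024-01-11 08:20:02,Admin,Example Admin,MoveToDeletedItems,Succeeded,\Inbox,Newsletter
'@ | ConvertFrom-Csv

# Operations that remove items from view; all are valid audit actions
# named in the Set-Mailbox command above.
$destructive = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'

function Get-NonOwnerDestructiveSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [Parameter(Mandatory)] [string[]] $Operations
    )
    $Entries |
        # Keep entries made by someone other than the mailbox owner
        Where-Object { $_.LogonType -ne 'Owner' -and $Operations -contains $_.Operation } |
        Group-Object LogonUserDisplayName, LogonType |
        ForEach-Object {
            # @() keeps indexing safe when a group has a single entry
            $times = @($_.Group | ForEach-Object { [datetime]$_.LastAccessed } | Sort-Object)
            [pscustomobject]@{
                AccessedBy = $_.Group[0].LogonUserDisplayName
                LogonType  = $_.Group[0].LogonType
                Count      = $_.Count
                Failed     = @($_.Group | Where-Object { $_.OperationResult -ne 'Succeeded' }).Count
                Operations = (@($_.Group | ForEach-Object { $_.Operation }) | Sort-Object -Unique) -join ','
                Folders    = (@($_.Group | ForEach-Object { $_.FolderPathName }) | Sort-Object -Unique) -join ','
                First      = $times[0]
                Last       = $times[-1]
            }
        } |
        Sort-Object Count -Descending
}

Get-NonOwnerDestructiveSummary -Entries $entries -Operations $destructive |
    Format-Table -AutoSize
```

Owner entries are excluded because the goal is to surface deletions made on someone else's behalf; add 'Owner' handling or more operations to `$destructive` if your review needs them.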
