What Happened To My Email? Mailbox Audit Logging

Hi,

A very common question. An email goes ‘missing’ from someone’s mailbox, and they want to know what happened. A fair enough question – rarely is it a fault of your Exchange servers, but it’s your problem to prove otherwise.

You can use Message Tracking (details here http://technet.microsoft.com/en-us/library/bb124926(v=exchg.141).aspx, and a great guide here http://exchangeserverpro.com/exchange-2010-message-tracking/) but that will just prove the email hit the person’s mailbox, which often we already know because they saw it. Keep in mind this won’t help you for past events, but if someone is making multiple claims of emails going missing you can enable this to find out for the next occurance.

To prove what happened next, you can use the Exchange 2010 and greater feature called Mailbox Audit Logging. This will track actions on individual emails, and save the log inside the person’s actual mailbox. This can not only log what the user themselves does, but also delegates and administrators. To see what you can log, have a look at this Technet article: http://technet.microsoft.com/en-us/library/ff459237.aspx

There is also a great guide from Paul Cunningham to get you started: http://exchangeserverpro.com/exchange-2010-mailbox-audit-logging/

My scenario requires a few more commands, as I want to log all actions rather than the default which doesn’t log anything the owner of the mailbox does.
First, enable MMailbox Audit Logging on the mailbox you’re concerned with via Powershell:

Set-Mailbox -identity Adam.Fowler -AuditEnabled $true

Easy. Now, if you run this command:

Get-Mailbox -identity Adam.Fowler | fl *audit*

You will see a few results. AuditEnabled should be true, and you’ll notice by default there are some different options between AuditAdmin, AuditDelegate and AuditOwner, with AuditOwner having no settings at all. To enable all possible logging options, for the Owner of the mailbox, run this command:

Set-mailbox -identity Adam.Fowler -AuditOwner Create, HardDelete, Move, MoveToDeletedItems, SoftDelete, Update

You can then run the previous command to see the extra options show up. Now that Mailbox Audit Logging is running on the mailbox, logs start to get generated. Once a few actions have been run on the mailbox, you can start looking at the results. Technet have some good examples here: http://technet.microsoft.com/en-us/library/ff522360.aspx

One example is if you are looking for an email with a subject that contains the word “test” within a date range:

Search-MailboxAuditLog -Identity Adam.Fowler -StartDate 7/21/2013 -EndDate 7/21/2013 -showdetails | where-object {$_.ItemSubject -like “*test*”}

If you want a glance at how many results you’re seeing, filter just to show the subject of each result and what happened to it (operation):

Search-MailboxAuditLog -Identity Adam.Fowler -StartDate 7/21/2013 -EndDate 7/21/2013 -showdetails | where-object {$_.ItemSubject -like “*test*”} | fl itemsubject, operation

Once you find the result you’re looking for, you’ll see a lot of helpful information – especially what device did the action. For example, under the ClientInfoString I can tell a particular action was done by my account on a Samsung Galaxy S3 via ActiveSync (aka Samsung I9300)

ClientInfoString : Client=ActiveSync;UserAgent=SAMSUNG-GT-I9300/100.40102;Action=/Microsoft-Server-ActiveSync/default.eas?Cmd=Sync&User=adam.fowler&DeviceId=SEC10FE7073DAC69&DeviceType=SAMSUNGGTI9300

The Operation field tells you what action was taken (e.g. MoveToDeletedItems), you’ll also get FolderPathName and DestFolderPathName (where the email went from and to). Of course this will help identify if a delegate has been cleaning up the owner’s emails, but also if a certain device they have is doing something it shouldn’t.

I would recommend only using Mailbox Audit Logging when required, due to the small amount of extra space and load you’ll use on your mailboxes, you would need to do extensive testing before enabling company wide.

Good luck!

2 thoughts on “What Happened To My Email? Mailbox Audit Logging

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.