Q: Why do you need to enable AAL (Administrator audit logging) on your Exchange servers?
A: AAL is one of the components that must be enabled for Netwrix Auditor for Exchange to audit successfully. Netwrix Auditor for Exchange uses AAL data to identify the account that made a change to the Exchange 2010/2013/2016 server configuration. When AAL is not configured, Netwrix Auditor for Exchange still detects changes made on Exchange servers, but reports "System" as WHO CHANGED instead of the real account name.
Q: How does administrator audit logging work?
A: Please refer to the following Microsoft KB article: http://technet.microsoft.com/en-us/library/dd335052(v=exchg.141).aspx
Q: How does Netwrix Auditor for Exchange deal with Exchange 2010 servers after the AAL is configured?
A: Netwrix Auditor for Exchange reads the AAL mailbox on the specified Exchange 2010 servers. Because AAL data is replicated within the Exchange organization, Netwrix Auditor for Exchange needs to connect to just one Exchange server. The server used to read AAL data can be specified manually.
Q: What does the command we need to run to enable and configure AAL consist of? What does it do?
A: To enable and configure AAL you need to run 2 commands:
- Exchange 2010: Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit 30 -AdminAuditLogCmdlets *
- The Set-AdminAuditLogConfig cmdlet configures the administrator audit logging settings
- The AdminAuditLogEnabled parameter set to $true enables administrator audit logging
- The AdminAuditLogAgeLimit parameter specifies how long audit log entries are retained (30 days in our case)
- The AdminAuditLogCmdlets parameter determines which cmdlets are audited. Running the cmdlet with the * value configures administrator audit logging to audit all cmdlets
- The LogLevel parameter determines the level of detail of the generated log entries. With Verbose, Exchange also logs the previous values of any changed attributes.
For more details regarding these cmdlets please refer to the following Microsoft article: http://technet.microsoft.com/en-us/library/dd335109%28v=exchg.150%29.aspx
This command runs the SetAALExcludedCmdlets.ps1 script, which is located in the Netwrix Active Directory Change Reporter installation directory. SetAALExcludedCmdlets.ps1 excludes the following cmdlets from being audited (these cmdlets are used very often and are not important for auditing):
Q: Can we enable administrator audit logging on just one Exchange server?
A: Administrator audit logging is enabled for all Exchange servers in the managed Exchange organizations, because the Exchange configuration is shared between all Exchange servers in an Exchange organization. To collect the administrator audit logging data, Netwrix Auditor needs to access just one dedicated Exchange server.
Q: How will enabling administrator audit logging affect Exchange servers performance?
A: By default, the admin audit log is enabled in Exchange Server 2010 and newer. The log results are stored in the arbitration mailbox in the AdminAuditLogs folder. If cmdlets are executed in the Exchange Management Shell frequently, multiple log entries are generated, and may cause the size of the database to grow quickly. For more details please refer to the following Microsoft KB article: http://technet.microsoft.com/en-us/library/dd335052%28v=exchg.141%29.aspx
Please note: while configuring administrator audit logging, we exclude several cmdlets by running the SetAALExcludedCmdlets.ps1 script (see command # 2 above), which decreases the number of audit records and helps keep the database size under control.
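The configuration, exclusion and verification steps described above, as an added example written for this FAQ (it is not Netwrix code and does not reproduce SetAALExcludedCmdlets.ps1). It assumes an Exchange Management Shell session; the function names and the excluded-cmdlet list are placeholders of my own, since the FAQ's actual exclusion list is not shown here.

```powershell
# Added example, not part of the Netwrix FAQ. Run in the Exchange Management Shell.
# AAL settings are organization-wide, so running this on one server is enough.

# Placeholder exclusion list (assumption): replace with the cmdlets you choose
# to exclude; the FAQ's own list is not reproduced here.
$ExcludedCmdlets = @('Get-*')

function Enable-AALForAuditing {
    param([int]$AgeLimitDays = 30, [string[]]$Exclude = @())

    # Settings from the FAQ: enable AAL, keep entries N days, audit every cmdlet.
    # The age limit is passed in dd.hh:mm:ss form to avoid any ambiguity.
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
        -AdminAuditLogAgeLimit ("{0}.00:00:00" -f $AgeLimitDays) `
        -AdminAuditLogCmdlets * `
        -AdminAuditLogExcludedCmdlets $Exclude

    # -LogLevel exists on Exchange 2013/2016 (major version 15) only;
    # Verbose also records the previous values of changed attributes.
    $ver = (Get-ExchangeServer | Select-Object -First 1).AdminDisplayVersion
    if ($ver.Major -ge 15) {
        Set-AdminAuditLogConfig -LogLevel Verbose
    }
}

function Test-AALConfig {
    param([int]$ExpectedAgeLimitDays = 30)

    # Verify the organization-wide settings before relying on AAL for WHO CHANGED.
    $cfg  = Get-AdminAuditLogConfig
    $days = [TimeSpan]::Parse($cfg.AdminAuditLogAgeLimit.ToString()).TotalDays
    $ok   = $cfg.AdminAuditLogEnabled -and
            ($days -ge $ExpectedAgeLimitDays) -and
            ($cfg.AdminAuditLogCmdlets -contains '*')
    if (-not $ok) {
        Write-Warning ("AAL misconfigured: Enabled={0} AgeLimitDays={1} Cmdlets={2}" -f `
            $cfg.AdminAuditLogEnabled, $days, ($cfg.AdminAuditLogCmdlets -join ','))
    }
    return $ok
}

function Get-RecentAALEntries {
    param([int]$Days = 1)
    # The Caller field is the account name that AAL supplies for WHO CHANGED.
    Search-AdminAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Select-Object RunDate, Caller, Cmdlet, ObjectModified, Succeeded
}

Enable-AALForAuditing -AgeLimitDays 30 -Exclude $ExcludedCmdlets
if (Test-AALConfig -ExpectedAgeLimitDays 30) { Get-RecentAALEntries -Days 1 }
```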
Q: Can we review the administrator audit logging content?
A: Yes. Please refer to the following Microsoft KB article: http://technet.microsoft.com/en-us/library/ff459250%28v=exchg.150%29.aspx