topic Re: Exchange admin audit logs in Getting Data In

Exchange admin audit logs

nuwan — Thu, 12 Jul 2012 15:50:50 GMT

Can splunk read exchange 2010 sp1 admin audit logs. I beleive exchange admin logs goes to a configured email. Does splunk exchange app reads the exchange admin logs
Thank you in advance

Re: Exchange admin audit logs

ahall_splunk — Thu, 12 Jul 2012 15:54:03 GMT

Yes. Download the Splunk App for Microsoft Exchange - the TA-Exchange-2010-* technology add-ons that are included read the Admin Audit Logs from each server.

Re: Exchange admin audit logs

nuwan — Fri, 13 Jul 2012 01:24:43 GMT

Thank you.

Re: Exchange admin audit logs

tomasmoser — Tue, 29 Sep 2020 13:31:57 GMT

Hi,

I am curious when below bug will be fixed. It is related to Exchange 2016 admin audit log extraction.

2016-12-30 EXC-2052

read-audit-logs_2010_2013.ps1 failure. The search command search-adminauditlog used in read-audit-logs_2010_2013, does not work in PowerShell for the 2016 Exchange Server product. The MSExchange:2013:AdminAudit sourcetype will not display in Splunk platform searches.

Re: Exchange admin audit logs

micnuw2 — Wed, 17 Oct 2018 21:08:32 GMT

I am also curious as it seems this issue isnt getting fixed. The short answer my Splunk team got from their Splunk rep was that the account that is forwarding to the Exchange app indexes needs to be in the same domain with organizational management role in Exchange XD. Im sorry but the expectation that an Exchange team using this app would give full open ended access to a service account just to forward admin audit logs is insane.