cancel
Showing results for 
Search instead for 
Did you mean: 

EV Audit Logs do not show the correct Info

EVAdmin2016
Level 4

Hi,

I setup EV Audit just to track who has been enabling disabling mailboxes in EV. I am using EV10.0.4 with CHF3, EV Auditing is setup and very simple, Audit entries based on the following categories, ticked then Admin Activity is ticked, just to track UserA Enabling/Disabling UserB's mailbox. I have setup RBA to allow UserA "can enable and disable exchange mailboxes".

Everything in the Audit logs is showing correctly except for the UserName column, it's showing the EV Service account rather than UserA? Shouldn't this column show UserA as UserA performed the enabling/disabling of the exchange mailbox? I am thinking it's showing the EV service account because it's the one that made changes to the ExchangeMailboxEntry table and not UserA?

Have I missed something or is there anyway to show that it's the UserA that did the disabling/enabling rather than the EV service account, it's the purpose of EV Audit no? I know for a fact that EV service account did not enable/disable UserB's mailbox at that particular time.

Thanks.

 

3 REPLIES 3

EVAdmin2016
Level 4

Further testing shows that the user making the changes under Category "Admin Activity" is only the EV Service Account. Also, another thing is, under the Info column, it only shows "Update ExchangeMailboxEntry" regardless of whether the mailbox is disabled or enabled or being synchronised etc. It doesn't drill into more details than this, which is pretty much useless. At the moment, the event log 3477 contains much better information than the audit logs - Archiving has been disabled for mailbox 'Test, User1' on Exchange Server 'ExchangeServer1'. I like said before I need to know who made this change which I was hoping the Audit logs would have this info, I had too much high hopes I guess :)

AndrewB
Moderator
Moderator
Partner    VIP    Accredited

for what it's worth, i tried replicating this in my lab for you to see if i got a different result - just hadnt had a chance to post about it yet. i'm as surprised as you and would have assumed that auditing captured those details. you're right that in this case it's insufficient.

EVAdmin2016
Level 4

Thanks Andrew, appreciate your efforts.