Exchange Administrator Audit Log - SIEM Integration
    
        The administrator audit log is inaccessible to SIEM via normal log-collection
        means because the log is not written to any type of log file or to the Windows event
        log. The administrator audit log is stored internally, inside a special audit mailbox.
    
        There are several PowerShell cmdlets, such as Search-AdminAuditLog, for exporting
        the administrator audit log. However:
    
        - The output is in a cryptic XML format - not a simple text file format easily parsed
            by most SIEMs.
 
        - The output from the synchronous (meaning it returns results during the execution
            of the command) Search-AdminAuditLog cmdlet leaves out crucial details from events.
 
        - The only way to get the complete admin audit event information is with the asynchronous
            New-AdminAuditLogSearch, which requires that you wait for the log to appear as an
            email attachment sometime later in a specified mailbox.
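
        What flattening that XML export into one text line per event involves, as an added
        Python example (not LOGbinder's code and not from the original page). The sample XML
        is constructed, and its element and attribute names are an assumption based on
        Microsoft's documented admin audit log layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample export (not from the page). Element and attribute
# names are an assumption based on Microsoft's documented log structure.
SAMPLE_XML = """<SearchResults>
  <Event Caller="contoso.example/Users/admin1" Cmdlet="Set-Mailbox"
         ObjectModified="contoso.example/Users/jdoe" Succeeded="true"
         RunDate="2024-01-15T09:12:44+00:00" Error="None"
         OriginatingServer="EXCH01 (15.02.1118.007)">
    <CmdletParameters>
      <Parameter Name="Identity" Value="jdoe" />
      <Parameter Name="ProhibitSendQuota" Value="10 GB" />
    </CmdletParameters>
    <ModifiedProperties>
      <Property Name="ProhibitSendQuota" OldValue="35 GB" NewValue="10 GB" />
    </ModifiedProperties>
  </Event>
  <Event Caller="contoso.example/Users/admin2" Cmdlet="Remove-Mailbox"
         ObjectModified="" Succeeded="false"
         RunDate="2024-01-15T09:20:03+00:00"
         Error="Object &quot;temp01&quot; couldn't be found."
         OriginatingServer="EXCH01 (15.02.1118.007)">
    <CmdletParameters>
      <Parameter Name="Identity" Value="temp01" />
    </CmdletParameters>
  </Event>
</SearchResults>"""

EVENT_ATTRS = "RunDate Caller Cmdlet ObjectModified Succeeded Error OriginatingServer".split()

def kv(key, value):
    """Quote and escape a value so each event stays on one parseable line."""
    value = (value or "").replace("\\", "\\\\").replace('"', '\\"')
    return '{}="{}"'.format(key, " ".join(value.split()))

def flatten_events(xml_text):
    """Return one key="value" text line per <Event> element."""
    lines = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        fields = [kv(a, ev.get(a)) for a in EVENT_ATTRS]
        for p in ev.findall("CmdletParameters/Parameter"):
            fields.append(kv("param." + p.get("Name", ""), p.get("Value")))
        for m in ev.findall("ModifiedProperties/Property"):
            fields.append(kv("old." + m.get("Name", ""), m.get("OldValue")))
            fields.append(kv("new." + m.get("Name", ""), m.get("NewValue")))
        lines.append(" ".join(fields))
    return lines

if __name__ == "__main__":
    print("\n".join(flatten_events(SAMPLE_XML)))
```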
 
    
    
        As in the case of mailbox auditing, this is where LOGbinder for Exchange™ comes in.
        Using Exchange’s management API, LOGbinder for Exchange collects the hidden
        administrator audit log files from its internal special mailbox, parses the log data,
        and formats it into more than 500 easy-to-read messages delivered to your SIEM.
    