No results using the Search-MailboxAuditLog cmdlet with Exchange 2013 CU4+


Recently we received a few calls related to the Search-MailboxAuditLog cmdlet.

In these cases, starting from SP1/CU4, the cmdlet apparently returns no results even when the correct syntax is used. Here is an example:

 

[PS] C:\Windows\system32>Search-MailboxAuditLog -Identity Director -LogonTypes Admin,Delegate,Owner -StartDate 1/1/2015 -EndDate 02/27/2015 -showdetails

[PS] C:\Windows\system32>

 

This happens even though auditing for the mailbox (the Director one in this case) is turned on and working fine:

 

[PS] C:\Windows\system32>Get-MailboxFolderStatistics  director| where{$_.name -eq "Audits"}

 

RunspaceId                        : 489e26b4-4b31-4dd4-a90f-89cae401eafb

Date                              : 2/24/2015 3:27:09 PM

Name                              : Audits

FolderPath                        : /Audits

FolderId                          : LgAAAABX3lo1x302RqjskZ7cWjnPAQDImb1CL2SQRZTaOVwxP/wxAAAAAAQJAAAB

FolderType                        : Audits

ItemsInFolder                     : 10

DeletedItemsInFolder              : 0

FolderSize                        : 27.5 KB (28,160 bytes)

ItemsInFolderAndSubfolders        : 10

DeletedItemsInFolderAndSubfolders : 0

FolderAndSubfolderSize            : 27.5 KB (28,160 bytes)

[...]

SearchFolders                     :

Identity                          : director\Audits

IsValid                           : True

ObjectState                       : New

This is a known issue, and a workaround that involves checking the locale is available. Here are the steps:

  1. Go to Control Panel -> Language -> "Change date, time, or number formats" -> Formats (tab)
  2. Change Format to English (United States) and apply.
  3. Select tab "Administrative" -> Copy Settings ...
  4. Check "Welcome screen and system accounts"
  5. Click OK all the way out. Do this on all the boxes (CAS and MBX) if you have separated roles.
  6. Reboot the box or your boxes.

 

Hope this can help.

Regards,

Cristian

Comments (10)

  1. criscrif says:

    Hello Florent,
    have you already applied the steps above?

    Thanks,

    Cri

  2. criscrif says:

    Hello Florent and Matthieu. It could be the OS or the Exchange localized version that generates the issues here. I suggest opening an incident with Microsoft to investigate appropriately. Please keep me informed if possible. Thanks, Cristian

  3. Florent_B says:

    Hi,

    I have the same problem with a French version of Exchange 2013, can anyone help?

    After typing the command, no result is shown. But if I look at the audit logs, the size is increasing day after day…

  4. Florent_B says:

    Hi Cri,

    Yes, I already applied the steps above and it still doesn't work.

    Thanks

  5. Matthieu says:

    Hello,

    We are facing the same issue with a French version in CU7. The workaround does not work (change format to English + change configuration on welcome screen and system accounts + reboot all Exchange Servers).

    In our case, the audit subfolder (inside the Recoverable Items folder) has the correct items. The item number increases each time we try to do a delegated access.

    Thanks for your help.

  6. Gensicke says:

    Is there any solution in future?

  7. sr says:

    Tried the steps above on a German Exchange 2013, but without success. Is the complete English US Language Pack maybe needed?

    1. criscrif says:

      Hello, please check my previous answer and let us know.

      Thanks,

      Cristian

  8. Anonymous says:

    Hello,

    I have the same problem!

    German OS 2012 R2
    German Exchange 2013

    The option -ShowDetails comes back without results. Without the option -ShowDetails it works, but I can't see the delegate user who accessed the mailbox.

    1. criscrif says:

      Hello,
      there is a KB article for this published after this post:

      Search-AdminAuditLog or Search-MailboxAuditLog with parameter returns empty results in Exchange Server 2013:
      https://support.microsoft.com/en-us/kb/3054391

      Here the PG evaluated that the available workaround is enough to manage this issue:

      “To work around this issue, set regional settings for the system and network service accounts to English (United States).”

      With this step we set a few entries in the registry.
      These entries are needed by a method to execute the cmdlet correctly.
      I didn’t cover this scenario (German OS 2012 R2 + German Exchange 2013) but, after a backup and export of your registry settings, you can check whether just applying this .reg file (and restarting the server) changes the current behavior.

      Windows Registry Editor Version 5.00

      [HKEY_USERS\S-1-5-18\Control Panel\International]
      "Locale"="00000409"
      "LocaleName"="en-US"
      "s1159"="AM"
      "s2359"="PM"
      "sCountry"="United States"
      "sCurrency"="$"
      "sDate"="/"
      "sDecimal"="."
      "sGrouping"="3;0"
      "sLanguage"="ENU"
      "sList"=","
      "sLongDate"="dddd, MMMM d, yyyy"
      "sMonDecimalSep"="."
      "sMonGrouping"="3;0"
      "sMonThousandSep"=","
      "sNativeDigits"="0123456789"
      "sNegativeSign"="-"
      "sPositiveSign"=""
      "sShortDate"="M/d/yyyy"
      "sThousand"=","
      "sTime"=":"
      "sTimeFormat"="h:mm:ss tt"
      "sShortTime"="h:mm tt"
      "sYearMonth"="MMMM yyyy"
      "iCalendarType"="1"
      "iCountry"="1"
      "iCurrDigits"="2"
      "iCurrency"="0"
      "iDate"="0"
      "iDigits"="2"
      "NumShape"="1"
      "iFirstDayOfWeek"="6"
      "iFirstWeekOfYear"="0"
      "iLZero"="1"
      "iMeasure"="1"
      "iNegCurr"="0"
      "iNegNumber"="1"
      "iPaperSize"="1"
      "iTime"="0"
      "iTimePrefix"="0"
      "iTLZero"="0"

      [HKEY_USERS\S-1-5-18\Control Panel\International\Geo]
      "Nation"="244"

      [HKEY_USERS\S-1-5-18\Control Panel\International\User Profile]
      "Languages"=hex(7):65,00,6e,00,2d,00,55,00,53,00,00,00
      "ShowAutoCorrection"=dword:00000001
      "ShowTextPrediction"=dword:00000001
      "ShowCasing"=dword:00000001
      "ShowShiftLock"=dword:00000001

      [HKEY_USERS\S-1-5-18\Control Panel\International\User Profile\en-US]
      "0409:00000409"=dword:00000001

      [HKEY_USERS\S-1-5-18\Control Panel\International\User Profile System Backup]
      "Languages"=hex(7):65,00,6e,00,2d,00,55,00,53,00,00,00
      "ShowAutoCorrection"=dword:00000001
      "ShowTextPrediction"=dword:00000001
      "ShowCasing"=dword:00000001
      "ShowShiftLock"=dword:00000001

      [HKEY_USERS\S-1-5-18\Control Panel\International\User Profile System Backup\en-US]
      "0409:00000409"=dword:00000001

      Windows Registry Editor Version 5.00

      [HKEY_USERS\S-1-5-19\Control Panel\International]
      "Locale"="00000409"
      "LocaleName"="en-US"
      "s1159"="AM"
      "s2359"="PM"
      "sCountry"="United States"
      "sCurrency"="$"
      "sDate"="/"
      "sDecimal"="."
      "sGrouping"="3;0"
      "sLanguage"="ENU"
      "sList"=","
      "sLongDate"="dddd, MMMM d, yyyy"
      "sMonDecimalSep"="."
      "sMonGrouping"="3;0"
      "sMonThousandSep"=","
      "sNativeDigits"="0123456789"
      "sNegativeSign"="-"
      "sPositiveSign"=""
      "sShortDate"="M/d/yyyy"
      "sThousand"=","
      "sTime"=":"
      "sTimeFormat"="h:mm:ss tt"
      "sShortTime"="h:mm tt"
      "sYearMonth"="MMMM yyyy"
      "iCalendarType"="1"
      "iCountry"="1"
      "iCurrDigits"="2"
      "iCurrency"="0"
      "iDate"="0"
      "iDigits"="2"
      "NumShape"="1"
      "iFirstDayOfWeek"="6"
      "iFirstWeekOfYear"="0"
      "iLZero"="1"
      "iMeasure"="1"
      "iNegCurr"="0"
      "iNegNumber"="1"
      "iPaperSize"="1"
      "iTime"="0"
      "iTimePrefix"="0"
      "iTLZero"="0"

      [HKEY_USERS\S-1-5-19\Control Panel\International\Geo]
      "Nation"="244"

      If not, I suggest opening a support incident with US.

      Thanks

      Cri
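
The following PowerShell is an added example, not code from the original post, its comments or the KB article: it exports the two `Control Panel\International` keys named in the .reg file above as a backup, then reports (read-only) whether a handful of their values already match the en-US values listed there. The backup folder `C:\Temp\intl-backup` and the subset of values compared are assumptions; run it from an elevated PowerShell on each Exchange server.

```powershell
# Added example. SIDs, key path and value names come from the .reg file above;
# the backup folder and the subset of values compared are assumptions.
$sids      = 'S-1-5-18', 'S-1-5-19'
$backupDir = 'C:\Temp\intl-backup'          # assumed location, change as needed
$expected  = [ordered]@{
    Locale      = '00000409'
    LocaleName  = 'en-US'
    sShortDate  = 'M/d/yyyy'
    sTimeFormat = 'h:mm:ss tt'
    sDecimal    = '.'
    sList       = ','
}

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$report = foreach ($sid in $sids) {
    $subKey = "$sid\Control Panel\International"
    $psPath = "Registry::HKEY_USERS\$subKey"

    # Report a missing key instead of failing on it.
    if (-not (Test-Path -LiteralPath $psPath)) {
        [pscustomobject]@{ Sid = $sid; Name = '(key)'; Actual = $null; Expected = 'present'; Match = $false }
        continue
    }

    # Export the current key (including subkeys) before anything is changed.
    & reg.exe export "HKU\$subKey" (Join-Path $backupDir "$sid-International.reg") /y | Out-Null

    # Compare the current values with the en-US values from the .reg file.
    $props = Get-ItemProperty -LiteralPath $psPath
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Sid      = $sid
            Name     = $name
            Actual   = $props.$name
            Expected = $expected[$name]
            Match    = ($props.$name -eq $expected[$name])
        }
    }
}

$report | Format-Table -AutoSize
# Any row with Match = False marks a value the workaround would change.
```

Re-running the check after the reboot shows whether the new settings persisted for both accounts before `Search-MailboxAuditLog -ShowDetails` is retested.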
