Exchange 2010 SP1 Admin Audit Log Search not working
Hello,
I have installed Exchange 2010 SP1 with the latest updates. When I am running the command
Search-AdminAuditLog -StartDate 4/4/2011 -EndDate 4/5/2011
The system returned
The attempt to search the administrator audit log failed. Please try again later.
   at Microsoft.Exchange.Management.SystemConfigurationTasks.AdminAuditLogSearchWorker.Search()
   at Microsoft.Exchange.Management.SystemConfigurationTasks.SearchAdminAuditLog.WriteResult[T](IEnumerable`1 dataObjects)
Admin audit log search criteria: OrganizationId= StartDateUtc=4/3/2011 10:09:24 PM EndDateUtc=4/4/2011 10:09:24 PM Cmdlets Parameters ObjectIds UserIds Succeeded=0
[PS] C:\Windows\system32>Get-AdminAuditLogConfig
RunspaceId : d02c9f82-6ec6-4c78-a48e-4058bdeffb48
AdminAuditLogEnabled : True
TestCmdletLoggingEnabled : True
AdminAuditLogCmdlets : {*}
AdminAuditLogParameters : {*}
AdminAuditLogExcludedCmdlets : {}
AdminAuditLogAgeLimit : 90.00:00:00
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Admin Audit Log Settings
DistinguishedName : CN=Admin Audit Log Settings,CN=Global Settings,CN=FirstOrganization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAINNAME,DC=local
Identity : Admin Audit Log Settings
Guid : d31cfd73-2ae4-4c83-b7d0-85ec0e0e5612
ObjectCategory : Domainname.local/Configuration/Schema/ms-Exch-Admin-Audit-Log-Config
ObjectClass : {top, msExchAdminAuditLogConfig}
WhenChanged : 4/5/2011 1:33:09 AM
WhenCreated : 12/3/2009 2:43:51 PM
WhenChangedUTC : 4/4/2011 10:33:09 PM
WhenCreatedUTC : 12/3/2009 12:43:51 PM
OrganizationId :
OriginatingServer : DC01.domainname.local
IsValid : True
It seems Exchange 2010 SP1 Admin Audit Log Search is not working with parameters.
Any help?
April 5th, 2011 1:57am
The “Search-AdminAuditLog” cmdlet will fail with this error when content indexing is not running; MSExchangeSearch (Indexer) service is stopped.
Please check if Exchange Search is working properly.
Diagnose Exchange Search Issues
James Luo
TechNet Subscriber Support
April 6th, 2011 8:59am
The MSExchangeSearch (Indexer) service is started with Automatic startup type and runs as Local System.
April 6th, 2011 10:12am
Any update on this? I'm not sure if it's exactly the same, but the Search-AdminAuditLog cmdlet isn't really working for me. If I try this:
Search-AdminAuditLog -StartDate ((Get-Date).AddHours(-24)) -EndDate (Get-Date)
from a mailbox server, I get output, but it does not seem to be correct:
*******************************************************************************************
RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe
ObjectModified :
CmdletName :
CmdletParameters : {}
ModifiedProperties : {}
Caller :
Succeeded :
Error :
RunDate :
OriginatingServer :
Identity : RgAAAAAO1CtMbGfSQoLkeS3KzlagBwA7s4MDL6ChRaDnSXf7iZrRAAAtzqh2AAA7s4MDL6ChRaDnSXf7iZrRAAAtzqiBAAAJ
IsValid : True
RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe
ObjectModified :
CmdletName :
CmdletParameters : {}
ModifiedProperties : {}
Caller :
Succeeded :
Error :
RunDate :
OriginatingServer :
Identity : RgAAAAAO1CtMbGfSQoLkeS3KzlagBwA7s4MDL6ChRaDnSXf7iZrRAAAtzqh2AAA7s4MDL6ChRaDnSXf7iZrRAAAtzqiAAAAJ
IsValid : True
RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe
ObjectModified :
CmdletName :
CmdletParameters : {}
ModifiedProperties : {}
Caller :
Succeeded :
Error :
RunDate :
OriginatingServer :
Identity : RgAAAAAO1CtMbGfSQoLkeS3KzlagBwA7s4MDL6ChRaDnSXf7iZrRAAAtzqh2AAA7s4MDL6ChRaDnSXf7iZrRAAAtzqh/AAAJ
IsValid : True
RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe
ObjectModified :
CmdletName :
CmdletParameters : {}
ModifiedProperties : {}
Caller :
Succeeded :
Error :
RunDate :
OriginatingServer :
Identity : RgAAAAAO1CtMbGfSQoLkeS3KzlagBwA7s4MDL6ChRaDnSXf7iZrRAAAtzqh2AAA7s4MDL6ChRaDnSXf7iZrRAAAtzqh+AAAJ
IsValid : True
RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe
ObjectModified :
CmdletName :
CmdletParameters : {}
ModifiedProperties : {}
Caller :
Succeeded :
Error :
RunDate :
OriginatingServer :
Identity : RgAAAAAO1CtMbGfSQoLkeS3KzlagBwA7s4MDL6ChRaDnSXf7iZrRAAAtzqh2AAA7s4MDL6ChRaDnSXf7iZrRAAAtzqh9AAAJ
IsValid : True
*******************************************************************************************
As was mentioned earlier, the MSExchangeSearch service is started on both mailbox servers. I did try to run the TroubleShoot-CI.ps1 against the 2 mailbox servers, and I did notice some unusual output:
*******************************************************************************************
[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>.\Troubleshoot-CI.ps1 -server [edited out..]| fl
Get-EventLog : No matches found
At C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CITSLibrary.ps1:622 char:40
+ $msftesqlCrashes = get-eventlog <<<< -computername $Server -after $StartTime -logname "Application"
$msftesqlServiceName | where {$_.eventId -eq $msftesqlCrashEventId}
+ CategoryInfo : ObjectNotFound: (:) [Get-EventLog], ArgumentException
+ FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand
Name : [edited out..]
IsDeadLocked : False
CatalogStatusArray : {Mailbox Database 1897056752\[edited out..], xdb1-priv\[edited out..]}
*******************************************************************************************
These are the current admin audit settings I have...:
RunspaceId : ece86ee3-f54a-45e4-a345-84b38304aebe
AdminAuditLogEnabled : True
TestCmdletLoggingEnabled : True
AdminAuditLogCmdlets : {*}
AdminAuditLogParameters : {*}
AdminAuditLogExcludedCmdlets : {}
AdminAuditLogAgeLimit : 90.00:00:00
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Admin Audit Log Settings
DistinguishedName : CN=Admin Audit Log Settings,CN=Global Settings,[edited out..]
Identity : Admin Audit Log Settings
Guid : 93b3b148-20bd-47a5-aec2-d0fabf25edf6
ObjectCategory : [edited out..]/Configuration/Schema/ms-Exch-Admin-Audit-Log-Config
ObjectClass : {top, msExchAdminAuditLogConfig}
WhenChanged : 9/12/2011 9:23:10 PM
WhenCreated : 2/17/2010 3:46:29 PM
WhenChangedUTC : 9/13/2011 2:23:10 AM
WhenCreatedUTC : 2/17/2010 9:46:29 PM
OrganizationId :
OriginatingServer : [edited out..]
IsValid : True
Anyone have any ideas on what I might be missing, aside from the output from Troubleshoot-CI.ps1?
-Joseph Banda
September 13th, 2011 6:39am
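The checks discussed in this thread (audit logging enabled, the MSExchangeSearch service running, content indexing healthy) and the empty-record symptom from the last post, gathered into one diagnostic for the Exchange Management Shell. This is an added example, not code from any poster or from Microsoft; the function name `Test-AdminAuditLogSearch` and the 24-hour default window are assumptions.

```powershell
# Added example for the Exchange 2010 SP1 Management Shell (PowerShell 2.0 syntax).
# Function name and default window are hypothetical, chosen for illustration.
function Test-AdminAuditLogSearch {
    param([int]$Hours = 24)

    # 1. Audit logging must be enabled, or there is nothing to search.
    $cfg = Get-AdminAuditLogConfig
    if (-not $cfg.AdminAuditLogEnabled) {
        Write-Warning "AdminAuditLogEnabled is False; no entries are being written."
    }

    # 2. Per the answer above, the search depends on content indexing:
    #    check the indexer service and the index state on every mailbox server.
    foreach ($mbx in Get-MailboxServer) {
        $svc = Get-Service -ComputerName $mbx.Name -Name MSExchangeSearch
        if ($svc.Status -ne 'Running') {
            Write-Warning "$($mbx.Name): MSExchangeSearch is $($svc.Status)"
        }
        Get-MailboxDatabaseCopyStatus -Server $mbx.Name |
            Where-Object { $_.ContentIndexState -ne 'Healthy' } |
            ForEach-Object {
                Write-Warning "$($_.Name): ContentIndexState is $($_.ContentIndexState)"
            }
    }

    # 3. Run the search and separate usable records from empty ones
    #    (records with no CmdletName, as in the output posted above).
    $end     = Get-Date
    $entries = @(Search-AdminAuditLog -StartDate $end.AddHours(-$Hours) -EndDate $end)
    $empty   = @($entries | Where-Object { -not $_.CmdletName })

    New-Object PSObject -Property @{
        Total        = $entries.Count
        EmptyRecords = $empty.Count
        Populated    = $entries.Count - $empty.Count
    }
}

Test-AdminAuditLogSearch -Hours 24
```

A non-zero `EmptyRecords` count means the search returned entries it could not populate, which is worth treating as a gap in the audit trail until the cause is found.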