If the audited AD domain has an Exchange organization configured, you must configure the Exchange Administrator Audit Logging (AAL) settings. To do this, perform the following procedure on any of the audited Exchange servers (these settings will then be replicated to all Exchange servers in the domain).
To configure Exchange Administrator Audit Logging settings
On the computer where the monitored Exchange server is installed, navigate to Start → Programs → Exchange Management Shell.
Execute the following command depending on your Exchange version:
Exchange 2019, 2016 and 2013
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit 30 -AdminAuditLogCmdlets * -LogLevel Verbose
- Exchange 2010
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogAgeLimit 30 -AdminAuditLogCmdlets *
On the computer where Netwrix Auditor is installed, browse to the %Netwrix Auditor Server installation folder%/Active Directory Auditing folder, locate the SetAALExcludedCmdlets.ps1 file and copy it to Exchange.
In Exchange Management Shell, in the command line, execute this file by specifying the path to it:
This file contains a list of cmdlets that must be excluded from Exchange logging to reduce server load. Make sure your policies allow script execution.