Audit record parameters must be set.

From Exchange 2010 Hub Transport Server STIG

SV-44037r2_rule Audit record parameters must be set.

Vulnerability discussion

Log files help establish a history of activities, and can be useful in detecting attack attempts. This item declares the fields that must be available in the audit log file in order to adequately research events that are logged. Audit records should include the following fields to supply useful event accounting: Object modified, Cmdlet name, Cmdlet parameters, Modified parameters, Caller, Succeeded, and Originating server.

Check content

Open the Exchange Management Shell and enter the following command: Get-AdminAuditLogConfig | Select AdminAuditLogParameters If the value of 'AdminAuditLogParameters' is not set to '{*}', this is a finding. Note: The value of {*} indicates all parameters are being audited.

Fix text

Open the Exchange Management Shell and enter the following command: Set-AdminAuditLogConfig -AdminAuditLogParameters *

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.